Heavy grazie, ecco l'export
# sep/30/2022 18:43:08 by RouterOS 7.5
# software id = 432Z-MUG8
#
# model = CCR1009-7G-1C-1S+
# serial number = 79AD06955BFE
/interface pptp-client
add connect-to=it-mil.vpnunlimitedapp.com name="VPN Unlimited IT" user=KS1-cb803f35659ac544b8598caa86c36e30:####
add connect-to=it1.zoogvpn.com mrru=1600 name="ZoogVPN PPTP IT" user=####
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes multicast-router=permanent name=bridge1-LAN protocol-mode=none
/interface ethernet
set [ find default-name=combo1 ] auto-negotiation=no disabled=yes name=combo1-GPON
set [ find default-name=ether1 ] loop-protect=on name=ether1-GPON rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether2 ] name=ether2-LTE-Wind-Huawei rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether3 ] name=ether3-LTE-Alpsim rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether4 ] name=ether4-VodafoneStation rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether5 ] name=ether5-LAN rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether6 ] name=ether6-LAN-Airport rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether7 ] name=ether7-LAN-SkyQ rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full auto-negotiation=no disabled=yes speed=1Gbps
/interface ovpn-server
add disabled=yes name=ovpn-in1 user=####
/interface l2tp-server
add disabled=yes name=l2tp-in1 user=####
/interface l2tp-client
add allow-fast-path=yes connect-to=it-mil01.unlocator.com name="Unlocator VPN IT" use-ipsec=yes use-peer-dns=yes user=####.larocca@mac.com
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1-GPON name="Pianeta Fibra FTTH VLAN" vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface="Pianeta Fibra FTTH VLAN" name="Pianeta Fibra PPPoE" user=sef003957
/interface lte apn
set [ find default=yes ] apn=internet.wind authentication=chap ip-type=ipv4 name=wind use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=fastweb value="'Technicolor_DGA4131FWB/dslforum.org'"
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
add name=Paypal regexp=.paypal.com+.
add name=whatsmyip regexp=.whatsmyip+.
/ip hotspot profile
add hotspot-address=192.168.88.1 name=hsprof1
/ip ipsec mode-config
add connection-mark=NordVPN name=NordVPN responder=no
/ip ipsec peer
add disabled=yes name=peer_9 passive=yes
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=NordVPN proposal-check=claim
/ip ipsec peer
add address=it147.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,blowfish,twofish pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.2.60-192.168.2.250
add name=pool1 ranges=192.168.1.100-192.168.1.250
add name=hs-pool-11 ranges=192.168.88.2-192.168.88.254
add name="SkyQ Pool" ranges=192.168.5.50-192.168.5.59
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1-LAN lease-time=1h name=dhcp1
add address-pool="SkyQ Pool" interface=ovpn-in1 name="SkyQ DHCP"
add address-pool="SkyQ Pool" interface=ether7-LAN-SkyQ lease-time=1h name=dhcp_skyq
/ipv6 dhcp-server
add address-pool=pf_ip6_pool interface=bridge1-LAN name=pf_ip6_server
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes local-address=192.168.5.15 name=server only-one=no remote-address="SkyQ Pool" use-compression=no use-encryption=yes use-ipv6=no use-upnp=no
/interface sstp-client
add authentication=mschap2 connect-to=milan.hide.me name="Hide.me VPN SSTP IT" profile=default-encryption user=kalimaa@mikrotikit
add authentication=mschap2 connect-to=87.101.95.203 name="Hide.me VPN SSTP US" profile=default-encryption user=kalimaa@mikrotikus
/queue simple
add disabled=yes max-limit=10M/0 name=Synology target=192.168.2.149/32
add burst-limit=10M/70M burst-time=5s/5s disabled=yes max-limit=5M/50M name=P2P packet-marks=P2P target=bridge1-LAN,bridge1-LAN
add disabled=yes max-limit=10M/0 name=Asgaard queue=default/default target=192.168.2.125/32,192.168.2.150/32 total-queue=default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/routing table
add fib name=Fibra
add fib name="My Connection"
add fib name="VPN IT"
add fib name="ExpressVPN IT"
add fib name="VPN US"
add fib name="Hide.me IT"
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/interface bridge port
add bridge=bridge1-LAN hw=no ingress-filtering=no interface=ether6-LAN-Airport
add bridge=bridge1-LAN fast-leave=yes ingress-filtering=no interface=ether5-LAN learn=yes multicast-router=permanent
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set accept-redirects=yes accept-source-route=yes max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set max-neighbor-entries=8192
/interface l2tp-server server
set default-profile=server enabled=yes use-ipsec=yes
/interface ovpn-server server
set auth=sha1 certificate="OVPN server" cipher=aes256 default-profile=server enabled=yes mode=ethernet
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/ip address
add address=192.168.88.1/24 interface=bridge1-LAN network=192.168.88.0
add address=192.168.2.1/24 interface=bridge1-LAN network=192.168.2.0
add address=192.168.3.1/24 interface=ether1-GPON network=192.168.3.0
add address=192.168.1.3/24 disabled=yes interface=combo1-GPON network=192.168.1.0
add address=192.168.5.15/24 interface=ovpn-in1 network=192.168.5.0
add address=192.168.5.49 interface=ether7-LAN-SkyQ network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no !dhcp-options interface=ether2-LTE-Wind-Huawei use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ether3-LTE-Alpsim use-peer-dns=no
/ip dhcp-server lease
add address=192.168.2.2 always-broadcast=yes comment=GigasetPhone mac-address=7C:2F:80:84:F1:E9 server=dhcp1
add address=192.168.2.149 always-broadcast=yes comment=SynologyDS415 lease-time=1d mac-address=00:11:32:38:34:F7 server=dhcp1
add address=192.168.2.152 always-broadcast=yes client-id=1:a4:2b:b0:15:ea:d7 mac-address=A4:2B:B0:15:EA:D7 server=dhcp1
add address=192.168.2.171 comment="Netgear Switch" lease-time=1d mac-address=8C:3B:AD:22:B7:38 server=dhcp1
add address=192.168.2.150 client-id=1:28:f0:76:b:57:6a mac-address=28:F0:76:0B:57:6A server=dhcp1
add address=192.168.2.129 always-broadcast=yes comment=SMA lease-time=2d mac-address=00:40:AD:97:0C:DD server=dhcp1
add address=192.168.2.3 client-id=1:0:d:65:1c:f8:f mac-address=00:0D:65:1C:F8:0F server=dhcp1
add address=192.168.2.125 client-id=1:38:c9:86:22:b3:c0 mac-address=38:C9:86:22:B3:C0 server=dhcp1
add address=192.168.2.67 client-id=1:0:8a:76:f3:38:e0 mac-address=00:8A:76:F3:38:E0 server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.2.1 netmask=24 ntp-server=192.168.2.1
add address=192.168.5.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.5.49 netmask=24
add address=192.168.88.0/24 comment="hotspot network" gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall address-list
add address=paypal.com list=paypal
add address=whatsmyip.com list=whatsmyip
add address=www.paypal.com list=paypal
add address=paypalobjects.com list=paypal
add address=151.54.225.66 list=Blocklist
add address=api.paypal.com list=paypal
add address=api-3t.paypal.com list=paypal
add address=api-aa.paypal.com list=paypal
add address=api-aa-3t.paypal.com list=paypal
add address=svcs.paypal.com list=paypal
add address=accounts.paypal.com list=paypal
add address=batch.paypal.com list=paypal
add address=disputes.paypal.com list=paypal
add address=notify.paypal.com list=paypal
add address=reports.paypal.com list=paypal
add address=ipnpb.paypal.com list=paypal
add address=mobile.paypal.com list=paypal
add address=m.paypal.com list=paypal
add address=pointofsale.paypal.com list=paypal
add address=www.paypalobjects.com list=paypal
add address=192.168.2.112 list="VPN Exlusion List"
add address=192.168.2.127 list="VPN Exlusion List"
add address=192.168.2.2 list="VPN Exlusion List"
add address=192.168.2.110 list="VPN Exlusion List"
add address=192.168.2.182 list="VPN Exlusion List"
add address=192.168.2.88 list="VPN Exlusion List"
add address=192.168.2.104 list="VPN Exlusion List"
add address=192.168.2.108 list="VPN Exlusion List"
add address=192.168.2.3 list="VPN Exlusion List"
add address=192.168.2.78 list="VPN Exlusion List"
add address=192.168.2.62 list="VPN Exlusion List"
add address=192.168.2.103 list="VPN Exlusion List"
add address=192.168.2.0/24 list="VPN List"
add address=192.168.2.67 list="VPN Exlusion List"
add address=192.168.2.102 list="VPN Exlusion List"
add address=192.168.2.61 list="VPN Exlusion List"
add address=192.168.2.68 list="VPN Exlusion List"
add address=192.168.2.93 list="VPN Exlusion List"
add address=8.8.8.8 list="Unlocator Block"
add address=8.8.4.4 list="Unlocator Block"
add address=37.77.184.0 list="Unlocator Block"
add address=45.57.0.0 list="Unlocator Block"
add address=185.2.220.0 list="Unlocator Block"
add address=198.45.48.0 list="Unlocator Block"
add address=192.168.2.79 disabled=yes list=NordVPN
add address=192.168.2.149 disabled=yes list=NordVPN
add address=192.168.2.0/24 disabled=yes list=NordVPN
add address=#### list=WAN-IP
/ip firewall filter
add action=accept chain=input in-interface=bridge1-LAN
add action=drop chain=forward disabled=yes dst-address-list="Unlocator Block"
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input comment="IPSec ESP" protocol=ipsec-esp
add action=accept chain=input comment="IPSec NAT-T" dst-port=4500 protocol=udp
add action=accept chain=input comment="IPSec L2TP" dst-port=1701 protocol=udp
add action=accept chain=input comment="IPSec ISAKMP" dst-port=500 protocol=udp
add action=accept chain=input comment="Accept Established and Related" connection-state=established,related
add action=accept chain=input dst-port=5001,80,443,32400 protocol=tcp
add action=accept chain=input dst-port=8080,8443,8291 in-interface=bridge1-LAN protocol=tcp
# ovpn-in1 not ready
add action=accept chain=input dst-port=8080,8443,8291 in-interface=ovpn-in1 protocol=tcp
add action=accept chain=input dst-port=16881,26881,51767 protocol=tcp
add action=accept chain=input dst-port=5060,5090,9000-9398 protocol=tcp
add action=drop chain=input dst-port=25,143,993 protocol=tcp
add action=drop chain=input dst-port=22,8291,8080,8443 protocol=tcp
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Default Drop" connection-state=""
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface="Pianeta Fibra PPPoE" passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=route chain=prerouting disabled=yes dst-port=53 passthrough=no protocol=udp route-dst=81.17.17.170 src-address=192.168.2.146
add action=route chain=prerouting comment="Only DNS Unlocator" disabled=yes dst-port=53 passthrough=no protocol=udp route-dst=8.8.8.8 src-address=192.168.2.50
add action=mark-packet chain=prerouting comment="Torrent Announce" layer7-protocol=BITTORRENT_ANNOUNCE new-packet-mark=P2P passthrough=yes
add action=mark-packet chain=prerouting comment=Torrent layer7-protocol=BITTORRENT new-packet-mark=P2P passthrough=yes
add action=mark-routing chain=prerouting comment="Win 10 Pro Parallels" disabled=yes new-routing-mark="My Connection" passthrough=no src-address=192.168.2.144
add action=mark-routing chain=prerouting comment="vpn exclusion" disabled=yes new-routing-mark=main passthrough=no src-address-list="VPN Exlusion List"
add action=mark-connection chain=prerouting comment="entire network to vpn" disabled=yes new-connection-mark=NordVPN passthrough=yes src-address=192.168.2.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=Fibra passthrough=no src-address=192.168.2.125
add action=mark-routing chain=prerouting disabled=yes new-routing-mark="VPN IT" passthrough=yes src-address=192.168.2.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark="VPN IT" packet-mark=P2P passthrough=no
/ip firewall nat
add action=accept chain=dstnat dst-port=4500,1701,500 protocol=udp to-addresses=192.168.2.149
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.2.149 out-interface=bridge1-LAN src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface=combo1-GPON
add action=masquerade chain=srcnat out-interface=ether1-GPON
add action=masquerade chain=srcnat out-interface=ether2-LTE-Wind-Huawei
add action=masquerade chain=srcnat out-interface=ether3-LTE-Alpsim
add action=masquerade chain=srcnat out-interface=ether7-LAN-SkyQ
add action=masquerade chain=srcnat out-interface="Pianeta Fibra PPPoE"
# ovpn-in1 not ready
add action=masquerade chain=srcnat out-interface=ovpn-in1
add action=dst-nat chain=dstnat comment="voip x siemens" dst-port=5060,5090,9000-9398 protocol=tcp to-addresses=192.168.2.2
add action=dst-nat chain=dstnat comment=synology dst-address-list=WAN-IP dst-port=5000,5001 protocol=tcp to-addresses=192.168.2.149
add action=dst-nat chain=dstnat dst-port=5000,5001 protocol=tcp to-addresses=192.168.2.149
add action=dst-nat chain=dstnat comment="synology web" dst-address-list=WAN-IP dst-port=80 protocol=tcp to-addresses=192.168.2.149
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443,8443 protocol=tcp to-addresses=192.168.2.149
add action=dst-nat chain=dstnat comment="synology mail" disabled=yes dst-port=25,465,587,143,993 in-interface="Pianeta Fibra PPPoE" protocol=tcp to-addresses=192.168.2.149
add action=dst-nat chain=dstnat comment="synology plex" dst-address-list=WAN-IP dst-port=32400 protocol=tcp to-addresses=192.168.2.149
add action=dst-nat chain=dstnat dst-port=32400 protocol=tcp to-addresses=192.168.2.149
add action=dst-nat chain=dstnat comment="synology bittorrent" dst-port=16881,26881 protocol=tcp to-addresses=192.168.2.149
add action=dst-nat chain=dstnat comment="qBittorent Asgaard" dst-port=51767 protocol=tcp to-addresses=192.168.2.125
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes sip-timeout=10m
/ip hotspot user
add name=admin
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=M9dQx1LuxRCVr8huWGLonS8U
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add check-gateway=arp disabled=yes distance=1 dst-address=0.0.0.0/0 gateway="Pianeta Fibra PPPoE" pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface="Pianeta Fibra PPPoE"
add check-gateway=ping disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=192.168.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=192.168.8.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address="" gateway=192.168.0.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set www port=8080
set www-ssl disabled=no port=8443
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set interfaces=ether3-LTE-Alpsim
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1-LAN type=internal
add interface=*A type=external
/ipv6 address
add address=::1 from-pool=pf_ip6_pool interface=bridge1-LAN
/ipv6 dhcp-client
add add-default-route=yes interface="Pianeta Fibra PPPoE" pool-name=pf_ip6_pool prefix-hint=::/56 request=prefix
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=22,8291,8080,8443 in-interface=bridge1-LAN protocol=tcp
add action=drop chain=input dst-port=22,8291,8080,8443 protocol=tcp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input disabled=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/lcd
set time-interval=daily
/ppp secret
add name=#### profile=server
/routing igmp-proxy interface
add
/system clock
set time-zone-name=Europe/Rome
/system logging
add prefix=ipsec topics=ipsec
add topics=lte
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.204.114.233
add address=188.213.165.209
/system scheduler
add disabled=yes interval=1d name=LTE-Night on-event=night policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/14/2017 start-time=00:01:00
add disabled=yes interval=1d name=LTE-Day on-event=day policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/14/2017 start-time=07:58:00
/system script
add dont-require-permissions=no name=fibra_up owner=admin policy=read,write source="ip route set [/ip route find where !routing-mark and dst-address=0.0.0.0/0] gateway=\"Vodafone PPPoE\""
add dont-require-permissions=no name=fibra_down owner=admin policy=read,write source="ip route set [/ip route find where !routing-mark and dst-address=0.0.0.0/0] gateway=192.168.8.1"
add dont-require-permissions=no name=night owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":ip route set [/ip route find where !routing-mark and dst-address=0.0.0.0/0] gateway=192.168.3.1;\r\
\n:foreach i in=[/ip firewall connection find dst-address~\":5060\" protocol~\"udp\"] do={\r\
\n/ip firewall connection remove \$i\r\
\n}"
add dont-require-permissions=no name=day owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":ip route set [/ip route find where !routing-mark and dst-address=0.0.0.0/0] gateway=pppoe-fibra;\r\
\n:foreach i in=[/ip firewall connection find dst-address~\":5060\" protocol~\"udp\"] do={\r\
\n/ip firewall connection remove \$i\r\
\n}"
add dont-require-permissions=no name=clear-SIP owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":foreach i in=[/ip firewall connection find dst-address~\":5060\" protocol~\"udp\"] do={\r\
\n/ip firewall connection remove \$i\r\
\n}"
/tool graphing interface
add
/tool netwatch
add disabled=no down-script="fibra_down\
\nclear-SIP" host=208.67.222.222 interval=1s timeout=1s500ms type=simple up-script="fibra_up\
\nclear-SIP"