Aurora

From Wildsong
Revision as of 19:37, 2 November 2015 by Brian Wilson (talk | contribs)

Aurora is a MikroTik RB2011 (RouterOS) router used as the firewall / gateway for Vastra-PBX.com and Wildsong.biz (the co-located rack at CDS Wireless)

  • Public: 50.255.34.10/28 (Vastra) and 50.255.34.11/28 (HuPI.ORG, per the export and the History below; Wildsong.biz is served through Dart on .10), both on ether10-gateway
  • Private: http://192.168.2.1:8888/ (the web UI is on 8888, not 80; see Services)
  • Password: ask Brian W for it.

How to talk to Aurora

White list

The front door is an address list called whitelist. The input chain accepts anything whose source is on it before any port-specific rule is consulted, so a whitelisted address can reach every service on the router (Winbox, the web UI, the API) and is never counted by the SSH brute-force rules further down the chain. The export also carries 192.168.2.0/24 on the list, which is what gives the LAN unrestricted access to the router. Currently it's

/ip firewall address-list
add address=50.152.179.48 comment="2015-03-20 Brian Brown at home" list=whitelist
add address=67.180.204.170 comment="2015-03-19 Brian Wilson at home" list=whitelist
add address=74.95.200.202 comment="2015-04-18 Brian Wilson at Novato Library" list=whitelist
add address=50.255.34.1 comment="cdswireless network" list=whitelist
add address=192.168.2.0/24 comment="Allow all local traffic" list=whitelist

Services

  1. WEB: Aurora's web UI is on port 8888, plain HTTP (/ip service www port=8888 in the export). From outside it is http://vastra2.vastra-pbx.com:8888/, and since no filter rule opens 8888 on its own, only whitelisted addresses get through. From inside use http://192.168.2.1:8888/ (inside, vastra2.vastra-pbx.com resolves to the PBX itself, 192.168.2.235, not to the router).
  2. SSH: Aurora and the hosts behind it share 50.255.34.10, so each gets its own non-standard port via dst-nat. The odd ports keep scanner noise down but are not a security control in themselves; the whitelist and the ssh_stage rules are. Note that the rate limiting covers only the router's own port 24: connections forwarded to the other hosts pass through the forward chain, which has no such rules, so those hosts have to protect themselves.
    1. Aurora on port 24 e.g. ssh -p 24 vastra-pbx.com (open to everyone, rate-limited by the ssh_stage rules)
    2. Dart is on port 26 (dst-nat to 192.168.2.236:22)
    3. Vastra2 is on port 28 (dst-nat to 192.168.2.235:22)
    4. Wildsong (quail) is on port 30 (dst-nat to 192.168.2.238:22); HuPI.ORG has its own public address and keeps port 22
  3. Winbox: OPEN via whitelist on default port
  4. RouterOS API: OPEN via whitelist on default port (api-ssl is disabled in the export)
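To check the Services list above against what the router actually does, here is an added example in Python (mine, not code from the original page or from RouterOS). It parses the `export` text, lists every dst-nat rule as a service reachable from the Internet and marks which ones are gated on src-address-list=whitelist, and prints the whitelist entries with the positional number that `set N` uses. The EXPORT string embedded below is an abridged copy of the 2015-Jul-02 export from the Export section of this page; the function names are this example's own.

```python
"""Audit Aurora's RouterOS export: what is public, and whitelist item numbers.

Added example; not code from the original page or from RouterOS.  EXPORT is
an abridged copy of the 2015-Jul-02 export on this page; the function names
are this example's own.
"""
import shlex
from typing import Dict, List, Tuple

EXPORT = r"""
# jul/02/2015 15:43:01 by RouterOS 6.29.1 (abridged copy from this page)
/ip firewall address-list
add address=67.180.204.170 comment=";2015-03-19 Brian Wilson at home" list=whitelist
add address=50.152.179.48 comment="2015-03-20 Brian Brown at home" list=whitelist
add address=192.168.2.0/24 comment="Allow all local traffic" list=whitelist
add address=50.255.34.1 comment="cdswireless network" list=whitelist
add address=74.95.200.202 comment=";2015-04-18 Brian Wilson at Novato Library" list=whitelist
/ip firewall nat
add action=dst-nat chain=dstnat comment="vastra2 SIP" dst-address=50.255.34.10 dst-port=5060 protocol=udp to-addresses=192.168.2.235 to-ports=5060
add action=dst-nat chain=dstnat comment="vastra2 SSH" dst-address=50.255.34.10 dst-port=28 protocol=tcp to-addresses=192.168.2.235 to-ports=22
add action=dst-nat chain=dstnat comment="vastra2 Asterisk AMI" dst-address=50.255.34.10 dst-port=5038 protocol=tcp src-address-list=whitelist to-addresses=192.168.2.235 to-ports=\
    5038
add action=dst-nat chain=dstnat comment="Dart MySQL (WHITELIST)" dst-address=50.255.34.10 dst-port=3306 protocol=tcp src-address-list=whitelist to-addresses=192.168.2.236 \
    to-ports=3306
add action=dst-nat chain=dstnat comment="HuPI.ORG ssh" dst-address=50.255.34.11 dst-port=22 protocol=tcp to-addresses=192.168.2.239 to-ports=22
add action=src-nat chain=srcnat comment="HuPI.ORG outbound" src-address=192.168.2.239 to-addresses=50.255.34.11
add action=masquerade chain=srcnat comment="Outbound NAT for 50.255.34.10 (this rule has to be last)" out-interface=ether10-gateway
"""

Rule = Dict[str, str]


def _unwrap(text: str) -> List[str]:
    """Join continuation lines: a trailing backslash continues the command on
    the next line, and a continuation beginning with '\\_' is a literal space
    inside a quoted string (both are how RouterOS wraps long export lines)."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        piece = raw.strip()
        if buf and piece.startswith("\\_"):
            piece = " " + piece[2:]
        buf += piece
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        if buf:
            lines.append(buf)
        buf = ""
    return lines


def parse_export(text: str) -> Dict[str, List[Rule]]:
    """Group every add/set line under its '/path' section as a dict of
    key=value pairs; shlex takes care of the quoted comments."""
    sections: Dict[str, List[Rule]] = {}
    section = ""
    for line in _unwrap(text):
        if line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        tokens = shlex.split(line)
        rule: Rule = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                rule[key] = val
        sections.setdefault(section, []).append(rule)
    return sections


def exposed_services(sections: Dict[str, List[Rule]]) -> List[Tuple[str, str, str, str, str, bool]]:
    """Each enabled dst-nat rule as (public address, protocol, public port,
    inside host, inside port, gated on whitelist), in rule order."""
    found = []
    for r in sections.get("/ip firewall nat", []):
        if r.get("action") != "dst-nat" or r.get("disabled") == "yes":
            continue
        found.append((r["dst-address"], r.get("protocol", "any"), r.get("dst-port", "any"),
                      r["to-addresses"], r.get("to-ports", r.get("dst-port", "any")),
                      r.get("src-address-list") == "whitelist"))
    return found


def whitelist_numbers(sections: Dict[str, List[Rule]]) -> List[Tuple[int, str, str]]:
    """Whitelist entries with the positional number that
    '/ip firewall address-list set N' refers to.  RouterOS numbers the whole
    table in print order (export order normally matches), so the count runs
    over every entry, whichever list it belongs to."""
    return [(n, r["address"], r.get("comment", ""))
            for n, r in enumerate(sections.get("/ip firewall address-list", []))
            if r.get("list") == "whitelist"]


if __name__ == "__main__":
    cfg = parse_export(EXPORT)
    print("services reachable from the Internet (dst-nat rules):")
    for pub, proto, port, host, hport, gated in exposed_services(cfg):
        print(f"  {pub}:{port}/{proto:3} -> {host}:{hport:5} {'whitelist only' if gated else 'OPEN'}")
    print("whitelist entries (number to use with `set N address=...`):")
    for n, addr, comment in whitelist_numbers(cfg):
        print(f"  set {n}  {addr:16} {comment}")
```

Run it against a full `export` (the July one on this page, or a fresh capture) to get the complete list; anything printed as OPEN is reachable by every address on the Internet, and only the number column is safe to use with `set N`.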

Yikes my home IP address changed! I can't get in!

If your home IP address changes you drop off the whitelist, but SSH on port 24 is still open to everyone (the "INPUT- Allow SSH connections" rule in the export), so you can log in with the password and fix the list. Commands:

  1. putty to 50.255.34.10 port 24
  2. log in with admin and the secret password
  3. Type this command: /ip firewall address-list
  4. Type this command: print
  5. Type this command: set N address=Your new address
  • N is the number print shows next to your old entry. The numbers are positional and shift whenever an entry is added or removed; the list higher up this page and the July export are not even in the same order. In the July export it is 0 for Brian Wilson and 1 for Brian Brown.

Two things to watch. The brute-force rules run every non-whitelisted source through ssh_stage1..3: four new TCP connections to port 24 in quick succession (the stage timers are one minute) put the address on ssh_blacklist for 10 days (1w3d), and the fifth connection is dropped. Several password tries inside one SSH session count as one connection, but reconnecting over and over does not, so slow down if a login fails. Once the new address is on the whitelist the counters no longer matter, because the whitelist accept is evaluated before the blacklist drop.
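The lockout behaviour described above follows from the rule order in the export, and it is easy to get wrong by reading the rules once. The following added example (mine, not code from the page or from RouterOS) models the input chain for new connections to port 24: whitelist accept first, then the ssh_blacklist drop, then the stage3 to blacklist, stage2 to stage3, stage1 to stage2 and any to stage1 add-src-to-address-list rules, then the port 24 accept. Timeouts (1m per stage, 1w3d for the blacklist) come from the export. It assumes, as RouterOS does, that add-src-to-address-list is non-terminating and that re-adding a listed address resets its timeout; the source addresses in the demo are made up.

```python
"""Simulate Aurora's SSH brute-force address lists (ssh_stage1..3, ssh_blacklist).

Added example; not code from the original page or from RouterOS.  Rule order
and timeouts come from the /ip firewall filter section of the 2015-Jul-02
export.  Assumed RouterOS behaviour: add-src-to-address-list passes the packet
on to the next rule, and re-adding a listed address refreshes its timeout.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

STAGE_TIMEOUT = 60                    # address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 24 * 3600    # address-list-timeout=1w3d


@dataclass
class Firewall:
    whitelist: Set[str]
    # dynamic lists: list name -> address -> expiry time in seconds
    lists: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def listed(self, name: str, addr: str, now: float) -> bool:
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def add(self, name: str, addr: str, now: float, timeout: float) -> None:
        # re-adding an address resets its timeout (assumed RouterOS behaviour)
        self.lists.setdefault(name, {})[addr] = now + timeout

    def new_ssh_connection(self, src: str, now: float) -> str:
        """Walk the input chain for one new TCP connection to port 24."""
        if src in self.whitelist:                    # whitelist accept comes first
            return "accept"
        if self.listed("ssh_blacklist", src, now):   # "Drop ssh brute forcers"
            return "drop"
        # add-src-to-address-list does not terminate, so every rule below is
        # evaluated in order; because stage3 is checked before stage3 is added,
        # an address climbs at most one stage per connection.
        if self.listed("ssh_stage3", src, now):
            self.add("ssh_blacklist", src, now, BLACKLIST_TIMEOUT)
        if self.listed("ssh_stage2", src, now):
            self.add("ssh_stage3", src, now, STAGE_TIMEOUT)
        if self.listed("ssh_stage1", src, now):
            self.add("ssh_stage2", src, now, STAGE_TIMEOUT)
        self.add("ssh_stage1", src, now, STAGE_TIMEOUT)
        return "accept"                              # "INPUT- Allow SSH connections"


def probe(src: str, spacing: float, tries: int,
          whitelist: Iterable[str] = ()) -> Tuple[List[str], Firewall]:
    """Open `tries` new SSH connections `spacing` seconds apart against a fresh
    firewall; return the verdict for each and the resulting state."""
    fw = Firewall(whitelist=set(whitelist))
    verdicts = [fw.new_ssh_connection(src, i * spacing) for i in range(tries)]
    return verdicts, fw


if __name__ == "__main__":
    # Constructed sources: a scanner, and the whitelisted home address.
    fast, fw = probe("198.51.100.9", 5, 6)
    print("5 s apart :", fast)          # four accepted, then dropped
    expiry = fw.lists["ssh_blacklist"]["198.51.100.9"]
    print("blacklisted until t=%d s (%.0f days after the 4th connection)"
          % (expiry, (expiry - 15) / 86400))
    slow, _ = probe("198.51.100.9", 90, 6)
    print("90 s apart:", slow)          # stage1 expires first, never escalates
    home, _ = probe("67.180.204.170", 1, 10, whitelist={"67.180.204.170"})
    print("whitelisted:", home)
```

The point it makes: the fourth connection is the one that earns the blacklist entry but is itself still accepted, the fifth is the first one dropped, and a source that waits longer than the one-minute stage timer between connections never escalates at all. Anything on the whitelist bypasses the whole mechanism and never appears in any dynamic list.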

History

  • 2015-Mar-21 Added full NAT for 50.255.34.11 (HuPI.ORG)
  • 2015-Mar-20 Additional firewall configuration. Moved Comcast interface from a gig port to a fast port.
  • 2015-Mar-19 Deployed

Config notes

Port assignments

2015-Jul-02

Ports 1 - 9 are bridged (in the export ether7-9 are switch slaves of ether6, and ether6 sits in bridge-local together with ether1-5 and sfp1); port 10 is the isolated Internet port.

Gigabit ports
  sfp1     (bridged, no assignment noted)
  ether1   vastra2                              192.168.2.235
  ether2   dart                                 192.168.2.236
  ether3   dhcp                                 192.168.2.x
  ether4   dhcp                                 192.168.2.x
  ether5   Brian W's office                     dhcp 192.168.2.x
Fast ethernet ports
  ether6   vastra2 IPMI management port         dhcp 192.168.2.x
  ether7   gs-fxo1, located at back of CDS rack 192.168.2.225
  ether8   GS BT-100 phone                      dhcp 192.168.2.x
  ether9   dart IPMI management port            dhcp 192.168.89.x
  ether10  Internet via Comcast                 static 50.255.34.10


DHCP serves up addresses in the 192.168.2.x/24 range.

Aurora does DNS and uses Opendns.org for resolving. It has local static IP addresses for our servers.

Aurora listens for SSH connections from outside only on port 24 (the service port is 24 on the inside as well). On the inside it also answers Winbox and the web UI on port 8888; the LAN subnet is on the whitelist, so from inside nothing on the router is filtered. Note that mac-server and mac-winbox are enabled on every interface in the export, ether10-gateway included, so MAC-level Winbox and MAC-telnet are also reachable from anything sharing the Comcast segment; taking ether10-gateway out of those two lists is a cheap fix.

Client sites

Wildsong

Wildsong.BIZ needs only web support right now, so I use Dart as a proxy server for it: the public web ports on 50.255.34.10 go to Dart, and the static DNS entries for wildsong.biz, blog.wildsong.biz and wiki.wildsong.biz point at Dart too. Wildsong.BIZ itself lives in a KVM virtual machine (quail.wildsong.biz, 192.168.2.238) that has no public IP address of its own; the only thing forwarded straight to it is SSH on port 30:

/ip firewall nat
add comment="Wildsong- SSH" chain=dstnat action=dst-nat dst-address=50.255.34.10 dst-port=30 to-addresses=192.168.2.238 to-ports=22 protocol=tcp

HuPI.ORG

HuPI.ORG does need full email support, so it sits on the second public address (50.255.34.11, added to ether10-gateway) with its own rules. Only 80, 25, 587 and 22 are forwarded in to hub.hupi.org (192.168.2.239); the src-nat rule gives its outbound traffic the .11 source address, which matters for mail, and it has to come before the catch-all masquerade rule for .10 (the export keeps masquerade last). The firewall rules I added are:

/ip address
add address=50.255.34.11/28 interface=ether10-gateway
/ip firewall nat
add action=dst-nat chain=dstnat comment="HuPI.ORG web"  dst-address=50.255.34.11 protocol=tcp to-addresses=192.168.2.239 dst-port=80 to-ports=80
add action=dst-nat chain=dstnat comment="HuPI.ORG mail" dst-address=50.255.34.11 protocol=tcp to-addresses=192.168.2.239 dst-port=25  to-ports=25
add action=dst-nat chain=dstnat comment="HuPI.ORG mail" dst-address=50.255.34.11 protocol=tcp to-addresses=192.168.2.239 dst-port=587 to-ports=587
add action=dst-nat chain=dstnat comment="HuPI.ORG ssh"  dst-address=50.255.34.11 protocol=tcp to-addresses=192.168.2.239 dst-port=22 to-ports=22
add action=src-nat chain=srcnat comment="HuPI.ORG outbound" src-address=192.168.2.239 to-addresses=50.255.34.11

See also http://wiki.mikrotik.com/wiki/NAT_Tutorial

Export

Two exports follow: the 2015-Jul-02 one (RouterOS 6.29.1) first, then the older 2015-Mar-21 one (RouterOS 6.27) for comparison.

# jul/02/2015 15:43:01 by RouterOS 6.29.1
# software id = JR0G-VH0Y
#
/interface bridge
add admin-mac=4C:5E:0C:DD:42:61 auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=vastra2
set [ find default-name=ether2 ] comment=dart
set [ find default-name=ether5 ] comment="Brian Wilson office via Ortronics in CDS rack"
set [ find default-name=ether6 ] comment="vastra2 management port" name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] comment="Internet via Comcast" name=ether10-gateway
/ip neighbor discovery
set ether1 comment=vastra2 discover=no
set ether2 comment=dart
set ether5 comment="Brian Wilson office via Ortronics in CDS rack"
set ether6-master-local comment="vastra2 management port"
set ether10-gateway comment="Internet via Comcast"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN-pool ranges=192.168.2.100-192.168.2.199
add name=SB-LAN-TEST ranges=192.168.89.100-192.168.89.199
/ip dhcp-server
add address-pool=LAN-pool disabled=no interface=bridge-local lease-time=30m name=lan
add address-pool=SB-LAN-TEST interface=ether9-slave-local name=SB-PBX
/port
set 0 name=serial0
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] name=default-encryption
/snmp community
set [ find default=yes ] name=wildsong
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether6-master-local
/interface l2tp-server server
set authentication=mschap2 enabled=yes max-mru=1460 max-mtu=1460
/ip address
add address=192.168.2.1/24 comment="LAN configuration" interface=bridge-local network=192.168.2.0
add address=50.255.34.10/28 comment="Comcast (Vastra)" interface=ether10-gateway network=50.255.34.0
add address=192.168.89.1/24 comment="Test for Stonebridge L2TP" disabled=yes interface=ether9-slave-local network=192.168.89.0
add address=50.255.34.11/28 comment="Comcast interface for HuPI.ORG" interface=ether10-gateway network=50.255.34.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1
add add-default-route=no comment="Stonebridge STAGE 1 test" dhcp-options=hostname,clientid interface=ether6-master-local use-peer-dns=no
/ip dhcp-server lease
add address=192.168.2.50 client-id=1:c:4d:e9:d4:38:d4 comment="PLOVER, MacBookPro BWilson (Thunderbolt en4)" mac-address=0C:4D:E9:D4:38:D4 server=lan
add address=192.168.2.236 comment="Dart, the big RAID server which responds as wiki.vastra-pbx.com and others" mac-address=00:25:90:7F:97:F0 server=lan
add address=192.168.2.240 client-id=1:0:25:90:f7:37:72 comment="vastra2 management console" mac-address=00:25:90:F7:37:72 server=lan
add address=50.0.0.2 client-id=1:4c:5e:c:c2:3:15 comment="HOME1 WAN" mac-address=4C:5E:0C:C2:03:15 server=SB-PBX
add address=192.168.2.238 mac-address=52:54:00:4D:8E:C6 server=lan
add address=192.168.2.239 mac-address=52:54:00:42:A6:E0 server=lan
add address=192.168.2.235 comment="vastra2 eth0" mac-address=0C:C4:7A:30:A4:84
/ip dhcp-server network
add address=192.168.2.0/24 comment="Vastra/Wildsong private LAN" dns-server=192.168.2.1 domain=wildsong.biz gateway=192.168.2.1 netmask=24
add address=192.168.89.0/24 comment="SB PBX lan" gateway=192.168.89.1 netmask=24 ntp-server=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.2.236 name=wiki.vastra-pbx.com
add address=192.168.2.236 name=dart.vastra-pbx.com
add address=192.168.2.235 name=vastra2
add address=192.168.2.235 name=vastra2.vastra-pbx.com
add address=192.168.2.1 comment="This router" name=aurora.vastra-pbx.com
add address=192.168.2.238 name=quail.wildsong.biz
add address=192.168.2.239 name=hub.hupi.org
add address=192.168.2.236 comment="dart redirects" name=blog.wildsong.biz
add address=192.168.2.236 comment="dart redirects" name=wiki.wildsong.biz
add address=192.168.2.236 comment="dart redirects" name=wildsong.biz
add address=192.168.2.236 name=svn.vastra-pbx.com
add address=192.168.2.236 name=geoserver.geo-ceg.org
add address=192.168.2.236 name=dart.geo-ceg.org
add address=192.168.2.236 name=geoexplorer.geo-ceg.org
add address=192.168.2.236 name=ldap.vastra-pbx.com
add address=192.168.2.236 name=ldap-master.vastra-pbx.com
add address=192.168.2.240 comment="Vastra Management Console" name=vastra2-ipmi
add address=192.168.2.240 comment="Vastra management console" name=vastra-ipmi.vastra-pbx.com.
/ip firewall address-list
add address=67.180.204.170 comment=";2015-03-19 Brian Wilson at home" list=whitelist
add address=50.152.179.48 comment="2015-03-20 Brian Brown at home" list=whitelist
add address=192.168.2.0/24 comment="Allow all local traffic" list=whitelist
add address=50.255.34.1 comment="cdswireless network" list=whitelist
add address=74.95.200.202 comment=";2015-04-18 Brian Wilson at Novato Library" list=whitelist
/ip firewall filter
add chain=input comment="INPUT- accept ping requests" protocol=icmp
add chain=input comment="INPUT- allow established connections" connection-state=established
add chain=input comment="INPUT- allow related connections" connection-state=related
add chain=input comment="Allow access to Aurora from a list of trusted outside IP addresses" src-address-list=whitelist
add chain=forward comment="STONEBRIDGE - allow inbound access only from trusted addresses." disabled=yes out-interface=ether9-slave-local src-address-list=whitelist
add action=drop chain=forward comment="STONEBRIDGE - block new connections outbound" connection-state=new disabled=yes in-interface=ether9-slave-local
add action=drop chain=input comment="STONEBRIDGE - block access to router from SB-LAN" disabled=yes in-interface=ether9-slave-local
add chain=forward comment="FORWARD- allow established connections" connection-state=established
add chain=forward comment="FORWARD- allow related connections" connection-state=related
add action=drop chain=forward comment="FORWARD- drop invalid" connection-state=invalid
add chain=input comment="INPUT- Accept L2TP connection" port=1701,500,4500 protocol=udp
add action=drop chain=input comment="Drop ssh brute forcers" dst-port=24 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="Dont let them try again for 10 days" connection-state=new dst-port=24 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=24 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=24 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=24 protocol=tcp
add chain=input comment="INPUT- Allow SSH connections" port=24 protocol=tcp
add chain=input comment="Web Proxy" port=8080 protocol=tcp src-address-list=whitelist
add action=drop chain=input comment="INPUT- Drop everything else from outside" in-interface=ether10-gateway
/ip firewall nat
add action=dst-nat chain=dstnat comment="vastra2 SIP" dst-address=50.255.34.10 dst-port=5060 protocol=udp to-addresses=192.168.2.235 to-ports=5060
add action=dst-nat chain=dstnat comment="vastra2 RTP" dst-address=50.255.34.10 dst-port=10000-19999 protocol=udp to-addresses=192.168.2.235 to-ports=10000-19999
add action=dst-nat chain=dstnat comment="vastra2 SSH" dst-address=50.255.34.10 dst-port=28 protocol=tcp to-addresses=192.168.2.235 to-ports=22
add action=dst-nat chain=dstnat comment="vastra2 IAX" dst-address=50.255.34.10 dst-port=4569 protocol=udp to-addresses=192.168.2.235 to-ports=4569
add action=dst-nat chain=dstnat comment="vastra2 Asterisk ARI" dst-address=50.255.34.10 dst-port=8088 protocol=tcp src-address-list=whitelist to-addresses=192.168.2.235 to-ports=\
    8088
add action=dst-nat chain=dstnat comment="vastra2 Asterisk AMI" dst-address=50.255.34.10 dst-port=5038 protocol=tcp src-address-list=whitelist to-addresses=192.168.2.235 to-ports=\
    5038
add action=dst-nat chain=dstnat comment="Dart SSH" dst-address=50.255.34.10 dst-port=26 protocol=tcp to-addresses=192.168.2.236 to-ports=22
add action=dst-nat chain=dstnat comment="Dart HTTP" dst-address=50.255.34.10 dst-port=80 protocol=tcp to-addresses=192.168.2.236 to-ports=80
add action=dst-nat chain=dstnat comment="Dart Tomcat7 (WHITELIST)" dst-address=50.255.34.10 dst-port=8080 protocol=tcp src-address-list=whitelist to-addresses=192.168.2.236 \
    to-ports=8080
add action=dst-nat chain=dstnat comment="Dart FTP" dst-address=50.255.34.10 dst-port=20 protocol=tcp to-addresses=192.168.2.236 to-ports=20
add action=dst-nat chain=dstnat comment="Dart FTP" dst-address=50.255.34.10 dst-port=21 protocol=tcp to-addresses=192.168.2.236 to-ports=21
add action=dst-nat chain=dstnat comment="Dart XMPP" dst-address=50.255.34.10 dst-port=5222 protocol=tcp to-addresses=192.168.2.236 to-ports=5222
add action=dst-nat chain=dstnat comment="Dart XMPP SSL" dst-address=50.255.34.10 dst-port=5223 protocol=tcp to-addresses=192.168.2.236 to-ports=5223
add action=dst-nat chain=dstnat comment="Dart XMPP server-to-server" dst-address=50.255.34.10 dst-port=5269 protocol=tcp to-addresses=192.168.2.236 to-ports=5269
add action=dst-nat chain=dstnat comment="Dart MySQL (WHITELIST)" dst-address=50.255.34.10 dst-port=3306 protocol=tcp src-address-list=whitelist to-addresses=192.168.2.236 \
    to-ports=3306
add action=dst-nat chain=dstnat comment="Dart PostgreSQL (WHITELIST)" dst-address=50.255.34.10 dst-port=5432 protocol=tcp src-address-list=whitelist to-addresses=192.168.2.236 \
    to-ports=5432
add action=dst-nat chain=dstnat comment="Dart LDAP" dst-address=50.255.34.10 dst-port=10389 protocol=tcp src-address-list=whitelist to-addresses=192.168.2.236 to-ports=10389
add action=dst-nat chain=dstnat comment="HuPI.ORG web" dst-address=50.255.34.11 dst-port=80 protocol=tcp to-addresses=192.168.2.239 to-ports=80
add action=dst-nat chain=dstnat comment="HuPI.ORG mail" dst-address=50.255.34.11 dst-port=25 protocol=tcp to-addresses=192.168.2.239 to-ports=25
add action=dst-nat chain=dstnat comment="HuPI.ORG mail" dst-address=50.255.34.11 dst-port=587 protocol=tcp to-addresses=192.168.2.239 to-ports=587
add action=dst-nat chain=dstnat comment="HuPI.ORG ssh" dst-address=50.255.34.11 dst-port=22 protocol=tcp to-addresses=192.168.2.239 to-ports=22
add action=src-nat chain=srcnat comment="HuPI.ORG outbound" src-address=192.168.2.239 to-addresses=50.255.34.11
add action=dst-nat chain=dstnat comment="Wildsong- SSH" dst-address=50.255.34.10 dst-port=30 protocol=tcp to-addresses=192.168.2.238 to-ports=22
add action=masquerade chain=srcnat comment="Outbound NAT for 50.255.34.10 (this rule has to be last)" out-interface=ether10-gateway
add action=dst-nat chain=dstnat comment="vastra2 HTTP on port 81" dst-address=50.255.34.10 dst-port=81 protocol=tcp to-addresses=192.168.2.235 to-ports=81
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set enabled=yes max-cache-size=none
/ip route
add comment="Comcast Gateway" distance=1 gateway=50.255.34.14
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8888
set ssh port=24
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=informative-slideshow time-interval=hour
/lcd pin
set pin-number=4321
/ppp secret
add local-address=10.50.0.1 name=home1 password=aaa0009919 remote-address=10.50.0.2 routes="192.168.90.0/24 10.50.0.2 1" service=l2tp
add local-address=10.50.0.1 name=home2 password=aaa0009910 remote-address=10.50.0.3 routes="192.168.91.0/24 10.50.0.3 1" service=l2tp
/snmp
set [email protected] enabled=yes location="725 Farmers Lane"
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/system identity
set name=aurora
/system ntp client
set enabled=yes primary-ntp=64.142.1.20 secondary-ntp=65.98.2.82
/system ntp server
set enabled=yes
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-gateway
add interface=sfp1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-gateway
add interface=sfp1
add interface=bridge-local
/tool romon port
add disabled=no
# mar/21/2015 17:00:36 by RouterOS 6.27
# software id = JR0G-VH0Y
#
/interface bridge
add admin-mac=4C:5E:0C:DD:42:61 auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=vastra2
set [ find default-name=ether2 ] comment=dart
set [ find default-name=ether5 ] comment=\
    "Brian Wilson office via Ortronics in CDS rack"
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] name=ether9-SB-TEST
set [ find default-name=ether10 ] comment="Internet via Comcast" name=\
    ether10-gateway
/ip neighbor discovery
set ether1 comment=vastra2 discover=no
set ether2 comment=dart
set ether5 comment="Brian Wilson office via Ortronics in CDS rack"
set ether10-gateway comment="Internet via Comcast"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN-pool ranges=192.168.2.100-192.168.2.199
add name=SB-LAN-TEST ranges=192.168.89.100-192.168.89.199
/ip dhcp-server
add address-pool=LAN-pool disabled=no interface=bridge-local lease-time=30m \
    name=lan
add address-pool=SB-LAN-TEST disabled=no interface=ether9-SB-TEST name=SB-PBX
/port
set 0 name=serial0
/snmp community
set [ find default=yes ] name=wildsong
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether6-master-local
/interface l2tp-server server
set authentication=mschap2 enabled=yes max-mru=1460 max-mtu=1460
/ip address
add address=192.168.2.1/24 comment="LAN configuration" interface=bridge-local \
    network=192.168.2.0
add address=50.255.34.10/28 comment="Comcast (Vastra)" interface=\
    ether10-gateway network=50.255.34.0
add address=192.168.89.1/24 comment="Test for Stonebridge L2TP" interface=\
    ether9-SB-TEST network=192.168.89.0
add address=50.255.34.11/28 comment="Comcast interface for HuPI.ORG" \
    interface=ether10-gateway network=50.255.34.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1
add add-default-route=no comment="Stonebridge STAGE 1 test" dhcp-options=\
    hostname,clientid disabled=no interface=ether6-master-local use-peer-dns=\
    no
/ip dhcp-server lease
add address=192.168.2.50 client-id=1:c:4d:e9:d4:38:d4 comment=\
    "PLOVER, MacBookPro BWilson (Thunderbolt en4)" mac-address=\
    0C:4D:E9:D4:38:D4 server=lan
add address=192.168.2.236 comment="Dart, the big RAID server which responds as\
    \_wiki.vastra-pbx.com and others" mac-address=00:25:90:7F:97:F0 server=\
    lan
add address=50.0.0.2 client-id=1:4c:5e:c:c2:3:15 comment="HOME1 WAN" \
    mac-address=4C:5E:0C:C2:03:15 server=SB-PBX
add address=192.168.89.2 comment="vastra on SB test" mac-address=\
    0C:C4:7A:30:A4:87 server=SB-PBX
add address=192.168.2.238 mac-address=52:54:00:4D:8E:C6 server=lan
add address=192.168.2.239 mac-address=52:54:00:42:A6:E0 server=lan
/ip dhcp-server network
add address=192.168.2.0/24 comment="Vastra/Wildsong private LAN" dns-server=\
    192.168.2.1 domain=wildsong.biz gateway=192.168.2.1 netmask=24
add address=192.168.89.0/24 comment="SB PBX lan" gateway=192.168.89.1 \
    netmask=24 ntp-server=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.2.236 name=wiki.vastra-pbx.com
add address=192.168.2.236 name=dart.vastra-pbx.com
add address=192.168.2.235 name=vastra2.vastra-pbx.com
add address=192.168.2.1 comment="This router" name=aurora.vastra-pbx.com
add address=192.168.2.238 name=quail.wildsong.biz
add address=192.168.2.239 name=hub.hupi.org
/ip firewall address-list
add address=67.180.204.170 comment=";2015-03-19 Brian Wilson at home" list=\
    whitelist
add address=50.152.179.48 comment="2015-03-20 Brian Brown at home" list=\
    whitelist
add address=192.168.2.0/24 comment="Allow all local traffic" list=whitelist
/ip firewall filter
add chain=input comment="INPUT- accept ping requests" protocol=icmp
add chain=input comment="INPUT- allow established connections" \
    connection-state=established
add chain=input comment="INPUT- allow related connections" connection-state=\
    related
add chain=input comment=\
    "Allow access to Aurora from a list of trusted outside IP addresses" \
    src-address-list=whitelist
add chain=forward comment=\
    "STONEBRIDGE - allow inbound access only from trusted addresses." \
    out-interface=ether9-SB-TEST src-address-list=whitelist
add action=drop chain=forward comment=\
    "STONEBRIDGE - block new connections outbound" connection-state=new \
    in-interface=ether9-SB-TEST
add action=drop chain=input comment=\
    "STONEBRIDGE - block access to router from SB-LAN" in-interface=\
    ether9-SB-TEST
add chain=forward comment="FORWARD- allow established connections" \
    connection-state=established
add chain=forward comment="FORWARD- allow related connections" \
    connection-state=related
add action=drop chain=forward comment="FORWARD- drop invalid" \
    connection-state=invalid
add chain=input comment="INPUT- Accept L2TP connection" port=1701,500,4500 \
    protocol=udp
add action=drop chain=input comment="Drop ssh brute forcers" dst-port=24 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input comment=\
    "Dont let them try again for 10 days" connection-state=new dst-port=24 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=24 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=24 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=24 \
    protocol=tcp
add chain=input comment="INPUT- Allow SSH connections" port=24 protocol=tcp
add chain=input comment="Web Proxy" port=8080 protocol=tcp src-address-list=\
    whitelist
add action=drop chain=input comment=\
    "INPUT- Drop everything else from outside" in-interface=ether10-gateway
/ip firewall nat
add action=dst-nat chain=dstnat comment="bwilson - vastra2 SIP" dst-address=\
    50.255.34.10 dst-port=5060 protocol=udp to-addresses=192.168.2.235 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="bwilson - vastra2 RTP" dst-address=\
    50.255.34.10 dst-port=10000-19999 protocol=udp to-addresses=192.168.2.235 \
    to-ports=10000-19999
add action=dst-nat chain=dstnat comment="bwilson - vastra2 SSH" dst-address=\
    50.255.34.10 dst-port=28 protocol=tcp to-addresses=192.168.2.235 \
    to-ports=22
add action=dst-nat chain=dstnat comment="bwilson - dart SSH" dst-address=\
    50.255.34.10 dst-port=26 protocol=tcp to-addresses=192.168.2.236 \
    to-ports=22
add action=dst-nat chain=dstnat comment="bwilson - dart HTTP" dst-address=\
    50.255.34.10 dst-port=80 protocol=tcp to-addresses=192.168.2.236 \
    to-ports=80
add action=dst-nat chain=dstnat comment="HuPI.ORG web" dst-address=\
    50.255.34.11 dst-port=80 protocol=tcp to-addresses=192.168.2.239 \
    to-ports=80
add action=dst-nat chain=dstnat comment="HuPI.ORG mail" dst-address=\
    50.255.34.11 dst-port=25 protocol=tcp to-addresses=192.168.2.239 \
    to-ports=25
add action=dst-nat chain=dstnat comment="HuPI.ORG mail" dst-address=\
    50.255.34.11 dst-port=587 protocol=tcp to-addresses=192.168.2.239 \
    to-ports=587
add action=dst-nat chain=dstnat comment="HuPI.ORG ssh" dst-address=\
    50.255.34.11 dst-port=22 protocol=tcp to-addresses=192.168.2.239 \
    to-ports=22
add action=src-nat chain=srcnat comment="HuPI.ORG outbound" src-address=\
    192.168.2.239 to-addresses=50.255.34.11
add action=dst-nat chain=dstnat comment="Wildsong- SSH" dst-address=\
    50.255.34.10 dst-port=30 protocol=tcp to-addresses=192.168.2.238 \
    to-ports=22
add action=masquerade chain=srcnat comment=\
    "Outbound NAT for 50.255.34.10 (this rule has to be last)" out-interface=\
    ether10-gateway
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set enabled=yes max-cache-size=none
/ip route
add comment="Comcast Gateway" distance=1 gateway=50.255.34.14
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8888
set ssh port=24
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=informative-slideshow
/lcd pin
set pin-number=4321
/ppp secret
add local-address=10.50.0.1 name=home1 password=aaa0009919 remote-address=\
    10.50.0.2 routes="192.168.90.0/24 10.50.0.2 1" service=l2tp
add local-address=10.50.0.1 name=home2 password=aaa0009910 remote-address=\
    10.50.0.3 routes="192.168.91.0/24 10.50.0.3 1" service=l2tp
/snmp
set [email protected] enabled=yes location="725 Farmers Lane"
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/system identity
set name=aurora
/system ntp client
set enabled=yes primary-ntp=64.142.1.20 secondary-ntp=65.98.2.82
/system ntp server
set enabled=yes
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-SB-TEST
add interface=ether10-gateway
add interface=sfp1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-SB-TEST
add interface=ether10-gateway
add interface=sfp1
add interface=bridge-local

Captured with this command: ssh 192.168.2.1 export > aurora.cfg

The ssh service is on port 24 on the inside as well (/ip service above), so that needs -p 24 unless ~/.ssh/config sets it. A plain export includes secrets in clear (the /ppp secret passwords, the SNMP community, the LCD pin); export hide-sensitive leaves them out, and that is the form to paste on a wiki.