/ip firewall address-list
# Public endpoints of the remote offices (octets redacted in this export).
# Referenced by the forward and input accept rules in /ip firewall filter.
add list=remote-office address=GGG.GGG.GGG.178
add list=remote-office address=MMM.MMM.MMM.66
add list=remote-office address=AAA.AAA.AAA.AAA
# Internal subnets (including the VPN pool) trusted to originate traffic through the router.
add list=office-networks address=192.168.100.0/24 comment=VPN
add list=office-networks address=192.168.10.0/24
add list=office-networks address=192.168.1.0/24
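/ip firewall filter
# Input chain: traffic addressed to the router itself. Order matters; rules are evaluated top-down.
add action=drop chain=input connection-state=invalid
# Never matches: the rule above already drops every invalid input packet, and this export defines no
# black-list entries (the list may be populated dynamically elsewhere, which this export does not show).
add action=drop chain=input connection-state=invalid src-address-list=black-list
add action=drop chain=forward connection-state=invalid
# ICMP from the WAN is accepted without a rate cap; a limit= clause would bound flood volume if wanted.
add action=accept chain=input in-interface-list=WAN protocol=icmp
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related
# Management access from the main LAN; subsumed by the office-networks input rule further down,
# since 192.168.10.0/24 is a member of that list.
add action=accept chain=input in-interface-list=!WAN src-address=192.168.10.0/24
# Forward chain: trusted sources may open connections to any destination (no dst restriction).
add action=accept chain=forward src-address-list=office-networks
add action=accept chain=forward src-address-list=remote-office
# Fixed a pasted-over prefix ("add actiadd action=...") that makes /import of this export fail.
add action=accept chain=input protocol=ipsec-esp
# L2TP/IPsec service ports, accepted from any source and interface. Port 1701 can be limited to
# IPsec-protected packets with ipsec-policy=in,ipsec so plain L2TP is not reachable from the internet.
add action=accept chain=input comment=VPN dst-port=1701,500,4500 protocol=udp
# Disabled. While it is off, connections to the dst-nat target 192.168.10.151 (see /ip firewall nat)
# only pass the forward chain when the source is in remote-office; all other new forwards are dropped below.
add action=accept chain=forward comment=fxo disabled=yes dst-address=192.168.10.151 dst-port=23,80,23000-23003 protocol=tcp
# Input from the trusted lists when arriving on non-WAN interfaces (presumably tunnel interfaces for
# remote-office addresses; not verifiable from this export).
add action=accept chain=input in-interface-list=!WAN src-address-list=office-networks
add action=accept chain=input in-interface-list=!WAN src-address-list=remote-office
# Default deny for both chains.
add action=drop chain=forward
# log-prefix is set but log=yes is absent (the export omits the log=no default), so dropped input is
# not actually logged; add log=yes if the prefix is meant to be used.
add action=drop chain=input log-prefix=TT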
/ip firewall mangle
# Tag new inbound connections (connection-mark=no-mark) to the router by the WAN interface they arrived on.
# passthrough=yes lets later mangle rules still evaluate the packet.
add action=mark-connection chain=input connection-mark=no-mark in-interface=RT new-connection-mark=ISP1-IN passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=eth2-wan new-connection-mark=ISP2-IN passthrough=yes
# Router-originated replies (output chain) get a routing mark matching the connection mark, so they leave
# via the ISP the connection came in on. The ISP1-ROUTE/ISP2-ROUTE tables are not shown in this export.
# Only the router's own traffic is covered here; forwarded (dst-nat) connections are not marked in prerouting,
# so their replies appear to follow the main routing table regardless of ingress ISP -- confirm this is intended.
add action=mark-routing chain=output connection-mark=ISP1-IN new-routing-mark=ISP1-ROUTE passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-IN new-routing-mark=ISP2-ROUTE passthrough=no
/ip firewall nat
# Source NAT per WAN uplink (RT and eth2-wan).
add action=masquerade chain=srcnat out-interface=RT
add action=masquerade chain=srcnat out-interface=eth2-wan
# Port forwards to 192.168.10.151 (the "fxo" device per the filter comment). Neither rule restricts
# dst-address or in-interface, so they match on every interface; in practice only sources the forward
# chain accepts (remote-office, while the fxo forward rule is disabled) reach the device. Port 23 is
# telnet, a plaintext protocol -- credentials cross the internet unencrypted unless tunnelled.
add action=dst-nat chain=dstnat dst-port=35023 protocol=tcp to-addresses=192.168.10.151 to-ports=23
add action=dst-nat chain=dstnat dst-port=35080 protocol=tcp to-addresses=192.168.10.151 to-ports=80
# Disabled: UDP 23000-23003 to the same device, ports unchanged.
add action=dst-nat chain=dstnat disabled=yes dst-port=23000-23003 protocol=udp to-addresses=192.168.10.151
/ip firewall service-port
# Every connection-tracking helper (ALG) is switched off, which removes the helpers' protocol parsers
# from the attack surface. The sip ports/timeout values are retained but have no effect while disabled=yes.
set dccp disabled=yes
set ftp disabled=yes
set h323 disabled=yes
set irc disabled=yes
set pptp disabled=yes
set sctp disabled=yes
set sip ports=5060,5061,23000,23001 sip-timeout=10m disabled=yes
set tftp disabled=yes
set udplite disabled=yes
[triada@gh-pcn-rt] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 RT 1
1 A S 0.0.0.0/0 eth2-wan 2
2 ADS 0.0.0.0/0 RT 1
3 DS 0.0.0.0/0 GGG.GGG.GGG.254 1
4 A S 0.0.0.0/32 eth2-wan 2
5 X S 0.0.0.0/32 RT 1
6 ADC GGG.GGG.GGG.1/32 GGG.GGG.GGG.GGG RT 0
7 ADC GGG.GGG.GGG.0/24 GGG.GGG.GGG.178 eth2-wan 0
8 A S MMM.MMM.MMM.66/32 GGG.GGG.GGG.GGG RT 1
9 A S AAA.AAA.AAA.72/32 GGG.GGG.GGG.GGG RT 1
10 S 192.168.1.0/24 192.168.10.1 l2tp-triada 1
11 ADC 192.168.10.0/24 192.168.10.1 default-br 0