Aplicar em todos os roteadores.
Os prefixos públicos do cliente devem ser adicionados nas listas REDE-GERAL e REDE-PUBLICA. As redes de gerência do cliente devem ser adicionadas na lista REDE-SUPORTE.
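# --- Address lists -------------------------------------------------------
# REDE-GERAL: every prefix the router should treat as "our network" (private
# ranges plus the client's public prefixes). Used as the scope for OSPF and
# Winbox in the input chain below.
/ip firewall address-list add address=10.0.0.0/8 comment=!::PREFIXO-PRIVADO list=REDE-GERAL
/ip firewall address-list add address=172.16.0.0/12 comment=!::PREFIXO-PRIVADO list=REDE-GERAL
/ip firewall address-list add address=192.168.0.0/16 comment=!::PREFIXO-PRIVADO list=REDE-GERAL
/ip firewall address-list add address=100.64.0.0/10 comment=!::PREFIXO-PRIVADO list=REDE-GERAL
# Sample public prefix, shipped disabled: replace with the client's real
# prefix(es) and enable (same entry again under REDE-PUBLICA below).
/ip firewall address-list add address=99.70.0.0/22 comment=!::PREFIXO-PUBLICO disabled=yes list=REDE-GERAL
#
# REDE-PRIVADA: private/CGNAT ranges only; scope for the (disabled) RIP rule.
/ip firewall address-list add address=10.0.0.0/8 comment=!::PREFIXO-PRIVADO list=REDE-PRIVADA
/ip firewall address-list add address=172.16.0.0/12 comment=!::PREFIXO-PRIVADO list=REDE-PRIVADA
/ip firewall address-list add address=192.168.0.0/16 comment=!::PREFIXO-PRIVADO list=REDE-PRIVADA
/ip firewall address-list add address=100.64.0.0/10 comment=!::PREFIXO-PRIVADO list=REDE-PRIVADA
#
# REDE-PUBLICA: the client's public prefixes only (sample entry, disabled).
/ip firewall address-list add address=99.70.0.0/22 comment=!::PREFIXO-PUBLICO disabled=yes list=REDE-PUBLICA
#
# REDE-SUPORTE: sources granted unrestricted access to the router itself
# (input chain). Note that the whole 10.0.0.0/8 is trusted here, not just
# the client's management subnets — confirm this matches the intended
# management scope before enabling DROP-GERAL.
/ip firewall address-list add address=10.0.0.0/8 comment=!::PREFIXO-PRIVADO list=REDE-SUPORTE
/ip firewall address-list add address=45.70.144.0/22 comment=!::SMART-LAYER list=REDE-SUPORTE
# Hostname entry: its effective address depends on the router being able to
# resolve the name via DNS.
/ip firewall address-list add address=esc-gyn.smartlayer.net.br comment=!::SMART-LAYER list=REDE-SUPORTE
#
# --- Input chain (traffic to the router itself) ---------------------------
/ip firewall filter add action=accept chain=input comment=!::ACCEPT-ESTABLISHED/RELATED connection-state=established,related
/ip firewall filter add action=accept chain=input comment=!::ACCEPT-REDE-SUPORTE src-address-list=REDE-SUPORTE
# BGP-PEERS is not populated by this script; it must be maintained elsewhere.
# "port=179" (not dst-port) is used so that replies of locally initiated
# sessions, which are excluded from connection tracking by NOTRACK-BGP below
# and therefore never match ESTABLISHED/RELATED, are still accepted.
/ip firewall filter add action=accept chain=input comment=!::ACCEPT-BGP-PEERS port=179 protocol=tcp src-address-list=BGP-PEERS
/ip firewall filter add action=accept chain=input comment=!::ACCEPT-ICMP limit=100,5:packet protocol=icmp
/ip firewall filter add action=accept chain=input comment=!::ACCEPT-OSPF dst-address-list=REDE-GERAL protocol=ospf src-address-list=REDE-GERAL
/ip firewall filter add action=accept chain=input comment=!::ACCEPT-RIP disabled=yes dst-address-list=REDE-PRIVADA port=520,521 protocol=udp src-address-list=REDE-PRIVADA
# Winbox is reachable from every REDE-GERAL prefix (all private ranges plus
# the public prefixes), not only from REDE-SUPORTE.
/ip firewall filter add action=accept chain=input comment=!::ACCEPT-WINBOX dst-port=8291 protocol=tcp src-address-list=REDE-GERAL
/ip firewall filter add action=accept chain=input comment=!::ACCEPT-OVPN-UDP disabled=yes dst-port=20124 protocol=udp
/ip firewall filter add action=accept chain=input comment=!::ACCEPT-OVPN-TCP disabled=yes dst-port=20124 protocol=tcp
# Final drop is shipped disabled (presumably to avoid locking out management
# while the lists above are still being populated). Until it is enabled the
# input chain is effectively allow-all; enable it once REDE-SUPORTE is
# verified to contain a working management source.
/ip firewall filter add action=drop chain=input comment=!::DROP-GERAL disabled=yes
#
# --- Raw chain: keep routing-protocol traffic out of connection tracking --
/ip firewall raw add action=notrack chain=output comment=!::NOTRACK-OSPF protocol=ospf
/ip firewall raw add action=notrack chain=output comment=!::NOTRACK-RIP port=520,521 protocol=udp
/ip firewall raw add action=notrack chain=output comment=!::NOTRACK-BGP dst-port=179 protocol=tcp
#
# Drop OSPF multicast whose source is one of the router's own addresses.
/ip firewall raw add action=drop chain=prerouting comment=!::DROP-OSPF-LOCAL dst-address-type=multicast protocol=ospf src-address-type=local
#
# --- Port knocking: three TCP knocks within 9s of each other grant the
# source 3h in REDE-SUPORTE. The intermediate list names must match between
# the "address-list=" of one phase and the "src-address-list=" of the next;
# the original script wrote PORTKNOCKING-FASE-n in one place and
# PORT-KNOCKING-FASE-n in the other, so the sequence could never complete.
/ip firewall raw add action=add-src-to-address-list address-list=PORT-KNOCKING-FASE-1 address-list-timeout=9s chain=prerouting comment=!::PORT-KNOCKING-FASE-1 dst-address-type=local dst-port=2412 protocol=tcp
/ip firewall raw add action=add-src-to-address-list address-list=PORT-KNOCKING-FASE-2 address-list-timeout=9s chain=prerouting comment=!::PORT-KNOCKING-FASE-2 dst-address-type=local dst-port=1224 protocol=tcp src-address-list=PORT-KNOCKING-FASE-1
/ip firewall raw add action=add-src-to-address-list address-list=REDE-SUPORTE address-list-timeout=3h chain=prerouting comment=!::PORT-KNOCKING-FASE-3 dst-address-type=local dst-port=1147 protocol=tcp src-address-list=PORT-KNOCKING-FASE-2
#
# --- NAT (all rules disabled until the referenced lists are populated) ----
# BYPASS-NAT and MASQUERADE-ACESSO-LOCAL are not populated by this script.
/ip firewall nat add action=accept chain=srcnat comment=!::BYPASS-NAT disabled=yes dst-address-list=BYPASS-NAT
#
/ip firewall nat add action=masquerade chain=srcnat comment=!::MASQUERADE-ACESSO-LOCAL disabled=yes dst-address-list=MASQUERADE-ACESSO-LOCAL
# Explicit raw accept so traffic to MASQUERADE-ACESSO-LOCAL stays
# connection-tracked (masquerade needs tracking) regardless of earlier raw rules.
/ip firewall raw add action=accept chain=prerouting comment=!::MASQUERADE-ACESSO-LOCAL dst-address-list=MASQUERADE-ACESSO-LOCAL
#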