
MikroTik

Blocking sites

facebook

/ip firewall address-list add comment="facebook" list="facebook" address=31.13.24.0/21
/ip firewall address-list add comment="facebook" list="facebook" address=31.13.64.0/18
/ip firewall address-list add comment="facebook" list="facebook" address=45.64.40.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=66.220.144.0/20
/ip firewall address-list add comment="facebook" list="facebook" address=69.63.176.0/20
/ip firewall address-list add comment="facebook" list="facebook" address=69.171.224.0/19
/ip firewall address-list add comment="facebook" list="facebook" address=74.119.76.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=103.4.96.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=129.134.0.0/17
/ip firewall address-list add comment="facebook" list="facebook" address=157.240.0.0/17
/ip firewall address-list add comment="facebook" list="facebook" address=173.252.64.0/18
/ip firewall address-list add comment="facebook" list="facebook" address=179.60.192.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=185.60.216.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=204.15.20.0/22

/ipv6 firewall address-list add comment="facebook v6" list="facebookv6" address=2620:0:1c00::/40
/ipv6 firewall address-list add comment="facebook v6" list="facebookv6" address=2a03:2880::/32

/ip   firewall filter add chain=forward src-address=LAN-Address dst-address-list=facebook action=drop
/ipv6 firewall filter add chain=forward src-address=LAN-Address dst-address-list=facebookv6 action=drop

Source: ipinfo.io


LTE

T-Mobile CZ

  1. Interfaces > Add > PPP Client
    1. Name: somepppout
    2. L2 MTU / Max MTU / Max MRU: 1500
    3. Port: usbX
    4. Data channel: 0
    5. Info channel: 1
    6. APN: internet.t-mobile.cz
  2. PPP
    1. Phone: *99#
    2. Dial command: ATDT
    3. User: gprs
    4. Password: gprs
    5. Use peer DNS: Yes
    6. Add default route: Yes
    7. Allow: PAP only (CHAP, MSCHAP1, MSCHAP2 unticked)

PPP VPN

  1. PPP > Profile > Add
    1. Name: someprofile
    2. Local address: local IP of the router
    3. Remote address: pool from which the remote clients will get IP addresses
    4. DNS server: optional?
    5. Protocols > Use Encryption: Yes
  2. PPP > PPTP Server (button)
    1. Enabled
    2. Default profile: someprofile
  3. PPP > Secrets
    1. Name: someusername
    2. Password: somepassword
    3. Service: PPTP
    4. Profile: someprofile
  4. In Firewall, allow:
    1. 1752/TCP
    2. 47/IP (GRE)
  5. On LAN interface, allow:
    1. ARP: proxy-arp
    2. Note: if bridged, then do this on the bridge instead of LAN interface.

Two separate connections for two separate LANs with one RouterBoard

  1. Disconnect the bridge between etherX-*-local (Interface properties - remove the Master port).
  2. Mark the packets from the LAN subnets (e.g. 192.168.10.0/24 and 192.168.20.0/24):
    /ip firewall mangle add action=mark-routing chain=prerouting \
        new-routing-mark=routing_mark_office src-address=192.168.10.0/24
    /ip firewall mangle add action=mark-routing chain=prerouting \
        new-routing-mark=routing_mark_guests src-address=192.168.20.0/24 
  3. Set up routing for packets marked with mangle:
    /ip route add gateway=ether1-wan1 routing-mark=routing_mark_office
    /ip route add gateway=ether2-wan2 routing-mark=routing_mark_guests 

    Note: Gateway can also be a PPPoE connection (in case of DSL).

  4. Set up masquerade (srcnat) for the second WAN interface as well (assuming that masquerade was so far set up only for ether1-wan1).

IPv4 firewall stub

/ip firewall filter
  add chain=forward  connection-state=established,related              action=fasttrack-connection  comment="Fasttrack"
  add chain=forward  connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (FORWARD)"
  add chain=forward  connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (FORWARD)"
  add chain=forward  connection-nat-state=!dstnat  \
                     connection-state=new \
                     in-interface-list=WAN                             action=drop disabled=yes     comment="Drop all from WAN not DST-NATted (FORWARD)" 
  add chain=input    connection-state=invalid                          action=drop disabled=yes     comment="Drop INVALID (INPUT)"
  add chain=input    connection-state=established,related,untracked    action=accept                comment="Allow ESTABLISHED, RELATED, UNTRACKED (INPUT)"
  add chain=input    protocol=icmp                                     action=accept                comment="Allow ICMP (INPUT)"
  add chain=input    in-interface-list=!LAN                            action=drop disabled=yes     comment="Drop all not coming from LAN (INPUT)"

IPv6 firewall stub

/ipv6 firewall filter
add chain=forward connection-state=established                action=accept             comment="Allow ESTABLISHED (FORWARD)"
add chain=forward connection-state=related                    action=accept             comment="Allow RELATED (FORWARD)"
add chain=forward in-interface-list=WAN protocol=icmpv6       action=accept             comment="Allow ICMPv6 (FORWARD)"
add chain=forward in-interface-list=WAN                       action=drop disabled=yes  comment="Drop everything else (FORWARD)"
add chain=input   connection-state=established                action=accept             comment="Allow ESTABLISHED (INPUT)"
add chain=input   connection-state=related                    action=accept             comment="Allow RELATED (INPUT)"
add chain=input   in-interface-list=WAN protocol=icmpv6       action=accept             comment="Allow ICMPv6 (INPUT)"
add chain=input   in-interface-list=WAN protocol=udp port=546 action=accept             comment="Allow DHCPv6 (INPUT)"
add chain=input   in-interface-list=WAN                       action=drop disabled=yes  comment="Drop everything else (INPUT)"

L2TP + IPsec

1) Allow IPsec on the firewall

/ip firewall filter
add chain=input protocol=udp in-interface=ether1 dst-port=500,1701,4500 action=accept
add chain=input protocol=ipsec-esp in-interface=ether1 action=accept
add chain=input protocol=ipsec-ah  in-interface=ether1 action=accept

2) Create an IP pool from the same range as the LAN (i.e. shorten the existing pool, for instance).

3) Create a PPP profile

/ppp profile
add name=my-l2tp-profile local-address=192.168.88.254 remote-address=vpnpool dns-server=192.168.88.1 change-tcp-mss=yes interface-list=LAN

local-address = the IP address the router will have inside the VPN; it must be outside the pool! (i.e. if the VPN pool is, say, .100-.200, the router gets, say, .201)
remote-address = the pool created in step 2
dns-server = either the router's address or another DNS server in the remote network
interface-list=LAN = once the connection is established, the VPN interface is added to the LAN interface list (because of the firewall)

4) Enable the L2TP server

/interface l2tp-server server
set enabled=yes default-profile=my-l2tp-profile use-ipsec=yes ipsec-secret=spolecneheslo authentication=mschap1,mschap2

ipsec-secret = shared secret, common to all clients

5) Create a profile for the user ("secret")

/ppp secret add name=mojekrasnejmeno password=mojekrasneheslo service=l2tp profile=my-l2tp-profile

name = the username the user will enter when configuring the VPN
password = the user's password
profile = the L2TP profile created in step 3

6) Enable proxy-arp on the bridge (so that the router answers clients' ARP queries through the tunnel too)

/interface bridge set bridge1 arp=proxy-arp
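Steps 2 and 3 above impose constraints that are easy to get wrong by hand (pool inside the LAN, local-address inside the LAN but outside the pool, pool not colliding with the DHCP pool you shortened). The following is an added example, not from the original page: a small Python check over a constructed plan using the page's 192.168.88.0/24 addressing; the pool and DHCP ranges are hypothetical.

```python
import ipaddress

# Constructed plan mirroring the page's L2TP steps (the ranges are hypothetical).
LAN = "192.168.88.0/24"
VPN_POOL = "192.168.88.100-192.168.88.200"   # /ip pool "vpnpool" (step 2)
LOCAL_ADDRESS = "192.168.88.254"             # profile local-address (step 3)
DHCP_POOL = "192.168.88.10-192.168.88.99"    # the existing, shortened DHCP pool

def parse_range(rng):
    """Parse a RouterOS-style 'first-last' range into (first, last) addresses."""
    first, last = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
    if first > last:
        raise ValueError(f"range {rng!r} is reversed")
    return first, last

def in_range(addr, rng):
    first, last = parse_range(rng)
    return first <= ipaddress.ip_address(addr) <= last

def ranges_overlap(a, b):
    (a1, a2), (b1, b2) = parse_range(a), parse_range(b)
    return a1 <= b2 and b1 <= a2

def check_l2tp_plan(lan, vpn_pool, local_address, dhcp_pool=None):
    """Return a list of problems; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(lan, strict=False)
    first, last = parse_range(vpn_pool)
    local = ipaddress.ip_address(local_address)
    problems = []
    if first not in net or last not in net:
        problems.append("vpn pool is not inside the LAN range")
    if local not in net:
        problems.append("local-address is not inside the LAN range")
    if in_range(local_address, vpn_pool):
        problems.append("local-address collides with the vpn pool")
    if local in (net.network_address, net.broadcast_address):
        problems.append("local-address is the network or broadcast address")
    if dhcp_pool and ranges_overlap(vpn_pool, dhcp_pool):
        problems.append("vpn pool overlaps the DHCP pool (shorten one of them)")
    return problems

if __name__ == "__main__":
    for p in check_l2tp_plan(LAN, VPN_POOL, LOCAL_ADDRESS, DHCP_POOL) or ["ok"]:
        print(p)
```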

Router behind 1:1 NAT

X.X.X.X = the real public address
L.L.L.L = the LAN address from the ISP to which the public address is NATed

1) Add a dummy interface with a dummy MAC address (so that the router knows about its public IP)
2) Set up prerouting so that incoming packets look to the router as if they had arrived at the public address.

/interface bridge
  add admin-mac=02:00:00:00:00:01 auto-mac=no name=bridge-pubip protocol-mode=none
/ip address
  add address=L.L.L.L/24 interface=ether1
  add address=X.X.X.X/32 interface=bridge-pubip
/ip firewall nat
  add action=dst-nat chain=dstnat dst-address=L.L.L.L dst-port=500,4500 protocol=udp to-addresses=X.X.X.X
  add action=dst-nat chain=dstnat dst-address=L.L.L.L protocol=ipsec-esp to-addresses=X.X.X.X

Failover (2 WAN)

Default setup:

/ip route
add gateway=10.0.1.1 distance=1 check-gateway=ping  comment=Primary
add gateway=10.0.2.1 distance=2                     comment=Secondary

Recursive failover:

/ip route
add dst-address=8.8.8.8/32 gateway=10.0.1.1 scope=10                        comment="Validate Primary"
add                        gateway=8.8.8.8  distance=1 check-gateway=ping   comment=Primary
add                        gateway=10.0.2.1 distance=2                      comment=Secondary

Explanation:

  • The problem with the default setup is that MikroTik determines Internet reachability only by pinging the gateway (i.e. the first hop). If the Internet goes down somewhere beyond the first hop, MikroTik does not notice it and does not take the gateway (and thus the route) down.
  • With the recursive approach, a reliable and reachable IP address on the Internet (e.g. Google DNS) is chosen for the purpose of Internet access. That IP is then used as the gateway of the default route, i.e. as long as Google DNS is reachable via the first interface, Internet traffic is routed through it. As soon as Google DNS is not reachable via GW1 (the link went down), the route is automatically taken down and GW2 is used.
  • Drawback: Google DNS will NOT be reachable via GW2.

Ban list

/ip firewall filter
# Sources that open more than 5 connections to port 22 from a single /32 are
# put on the ssh_logins address list for 12 hours.
add chain=input in-interface=ether1-wan protocol=tcp dst-port=22 \
    connection-state=new connection-limit=5,32 \
    action=add-src-to-address-list address-list=ssh_logins \
    address-list-timeout=12h comment="SSH: add abusers to ban list"
# Only sources not on the list may reach SSH; a later drop rule in the input
# chain (see the IPv4 firewall stub) has to take care of everything else.
add chain=input protocol=tcp dst-port=22 src-address-list=!ssh_logins \
    action=accept comment="SSH: allow sources not on the ban list"
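The same idea, 5 attempts per minute from one source earning a 12-hour entry on the ssh_logins list, can also be driven from the router's log on the monitoring side. The following is an added example, not from the original page: a Python detector over constructed RouterOS-style "login failure" lines (the exact log format is an assumption) that emits the address-list entries a defender would push to the router.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in the shape of RouterOS "login failure" entries (assumed
# format): 203.0.113.7 fails six times within 15 s, the other sources are harmless.
SAMPLE_LOG = """\
mar/16 09:50:01 system,error,critical login failure for user admin from 203.0.113.7 via ssh
mar/16 09:50:03 system,error,critical login failure for user root from 203.0.113.7 via ssh
mar/16 09:50:05 system,error,critical login failure for user admin from 203.0.113.7 via ssh
mar/16 09:50:08 system,error,critical login failure for user test from 203.0.113.7 via ssh
mar/16 09:50:12 system,error,critical login failure for user admin from 203.0.113.7 via ssh
mar/16 09:50:15 system,error,critical login failure for user admin from 203.0.113.7 via ssh
mar/16 09:51:40 system,error,critical login failure for user ww from 192.168.88.10 via ssh
mar/16 09:55:00 system,error,critical login failure for user admin from 198.51.100.2 via winbox
"""
LINE_RE = re.compile(r"^(?P<date>[a-z]{3}/\d\d \d\d:\d\d:\d\d) .*?login failure for user "
                     r"(?P<user>\S+) from (?P<src>[\d.]+) via (?P<svc>\w+)$")

def parse_ssh_failures(text, year=2022):
    """Yield (timestamp, source) for each SSH login failure; other services are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["svc"] == "ssh":
            yield datetime.strptime(f"{year} {m['date']}", "%Y %b/%d %H:%M:%S"), m["src"]

def offenders(text, threshold=5, window=timedelta(minutes=1)):
    """Sources with more than `threshold` SSH failures inside any sliding `window`."""
    per_src = defaultdict(list)
    for ts, src in parse_ssh_failures(text):
        per_src[src].append(ts)
    banned = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                banned.add(src)
                break
    return banned

def ban_commands(text, list_name="ssh_logins", timeout="12h"):
    """Render offenders as address-list entries using the firewall rule's list name and timeout."""
    return [f"/ip firewall address-list add list={list_name} address={src} timeout={timeout}"
            for src in sorted(offenders(text))]
```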
mikrotik.txt · Last modified: 2022/03/16 09:52 by ww