Вот, держи:
[admin@FMT-ROUTER] > /export hide-sensitive
# mar/19/2018 12:21:20 by RouterOS 6.42rc35
# software id = S6JE-ES6Y
#
# model = RouterBOARD 3011UiAS
# NOTE(review): this export was taken with `hide-sensitive`. That omits
# passwords and keys, but not identifiers: the software id above, the bridge
# admin-mac below and the system identity are still present. Redact them
# before sharing an export publicly.
# NOTE(review): the header shows a release-candidate build (6.42rc35) on a
# router that, per the firewall section, accepts management and VPN traffic
# from the WAN. Confirm an RC build is really wanted on an Internet-facing box.
#
# Bridge "LAN" with a fixed (non-automatic) admin MAC. arp=proxy-arp makes the
# bridge answer ARP on behalf of addresses the router can reach elsewhere;
# the default-encryption PPP profile hands VPN clients addresses from the LAN
# pool, which is presumably why it is enabled here.
/interface bridge
add admin-mac=CC:2D:E0:40:25:0F arp=proxy-arp auto-mac=no comment=defconf name=LAN
# ether1 is renamed INTERNET and is the WAN port (it is the only member of the
# WAN list and the masquerade out-interface).
# NOTE(review): arp=proxy-arp is also set on this WAN-facing port, so the
# router will answer ARP on the upstream segment for addresses it merely has
# routes to. Confirm this is intentional; otherwise arp=enabled is the
# conservative setting for a WAN port.
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=INTERNET
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether6 ] name=ether6-master
# Interface lists referenced later by neighbor discovery (discover), the MAC
# servers (mactel, mac-winbox) and as a WAN label. Membership is assigned
# under /interface list member.
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
# Default wireless security profile; only supplicant-identity is listed.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Default IPsec proposal: AES-CBC in three key sizes, then 3des, with an
# 8h30m lifetime.
# NOTE(review): 3des is still offered as the last choice. If every client
# supports AES, drop 3des so a peer cannot negotiate down to it.
# auth-algorithms is not listed, so it is presumably at its default - confirm.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=8h30m
# Address pools: "dhcp" for the LAN, "pool-ovpn" for OpenVPN clients.
/ip pool
add name=dhcp ranges=192.168.2.10-192.168.2.254
add name=pool-ovpn ranges=10.255.255.2-10.255.255.254
# DHCP server on the LAN bridge, handing out addresses from pool "dhcp".
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN name=defconf
# PPP profiles. "Openvpn" numbers clients out of 10.255.255.0/24 with the
# router at 10.255.255.1.
# The second entry edits a built-in profile by internal id (*FFFFFFFE,
# presumably default-encryption - confirm). Its remote-address is the LAN DHCP
# pool, so clients on that profile get 192.168.2.x addresses.
# NOTE(review): with proxy-arp on the LAN bridge those VPN clients sit on the
# LAN like wired hosts, and the forward chain only restricts traffic entering
# on INTERNET. A dedicated VPN pool plus explicit forward rules would give
# remote users least-privilege access instead of full LAN reach.
/ppp profile
add local-address=10.255.255.1 name=Openvpn remote-address=pool-ovpn
set *FFFFFFFE local-address=192.168.2.1 remote-address=dhcp use-compression=yes
# OSPF area used by the /routing ospf network entries further down.
/routing ospf area
add area-id=0.0.0.255 name=area255
# All ten copper ports except ether1 (INTERNET), plus sfp1, are members of the
# LAN bridge. hw=no on sfp1 turns hardware offloading off for that port.
/interface bridge port
add bridge=LAN comment=defconf interface=ether2-master
add bridge=LAN comment=defconf interface=ether6-master
add bridge=LAN comment=defconf hw=no interface=sfp1
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
# Neighbor discovery runs only on interfaces in the "discover" list. INTERNET
# is not a member of that list, so the router does not announce itself on the
# WAN side - keep it that way.
/ip neighbor discovery-settings
set discover-interface-list=discover
# L2TP server, enabled, accepting CHAP and MS-CHAPv2.
# NOTE(review): use-ipsec=yes, as far as I know, still lets a client connect
# with plain L2TP when it does not negotiate IPsec; `required` enforces it -
# confirm for this RouterOS version. The input chain accepts udp/1701 from
# anywhere, so unencrypted L2TP would be reachable from the WAN.
/interface l2tp-server server
set allow-fast-path=yes authentication=chap,mschap2 enabled=yes use-ipsec=yes
# Interface list membership:
#   discover   - every LAN port and the LAN bridge (neighbor discovery)
#   mactel     - LAN only (MAC telnet, see /tool mac-server)
#   mac-winbox - LAN only (MAC Winbox, see /tool mac-server mac-winbox)
#   WAN        - INTERNET
# The layer-2 management services are therefore confined to the LAN bridge.
# The firewall rules below match in-interface=INTERNET directly and do not
# use the WAN list.
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=LAN list=discover
add interface=LAN list=mactel
add interface=LAN list=mac-winbox
add interface=INTERNET list=WAN
# OpenVPN server on port 8080 (the input chain has a matching accept rule),
# AES-256, clients placed on the "Openvpn" profile.
# NOTE(review): the certificate is named myCa. If that really is the CA
# certificate, issue a separate server certificate and keep the CA private key
# off the router. require-client-certificate is not listed, so it is
# presumably at its default - confirm whether clients are authenticated by
# certificate or by username/password only.
/interface ovpn-server server
set certificate=myCa cipher=aes256 default-profile=Openvpn enabled=yes netmask=32 port=8080
# PPTP server, enabled, CHAP / MS-CHAPv2.
# NOTE(review): PPTP with MS-CHAPv2 is a legacy protocol with well-known
# cryptographic weaknesses. With L2TP/IPsec, SSTP and OpenVPN also enabled,
# disable this server and remove the tcp/1723 accept rule unless a client
# cannot use anything else.
/interface pptp-server server
set authentication=chap,mschap2 enabled=yes
# SSTP server, enabled, using the default-encryption profile.
# NOTE(review): no certificate= is listed, so the server presumably runs
# without one. Without a server certificate clients cannot authenticate the
# router - confirm and assign a certificate.
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# LAN gateway address and the WAN address (x.x.x.x is a redaction by the
# poster, not a real value).
# NOTE(review): 192.168.2.1/24 is bound to ether2-master, which is a port of
# the LAN bridge; the DHCP server is bound to the bridge itself. Addresses
# normally belong on the bridge interface - confirm, since rules that match
# on interface can otherwise behave unexpectedly.
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2-master network=192.168.2.0
add address=x.x.x.x/25 interface=INTERNET network=x.x.x.x
# Registers the router with the vendor's dynamic-DNS service, giving it a
# stable public name. Disable if that name is not needed.
/ip cloud
set ddns-enabled=yes
# DHCP client on INTERNET, in addition to the static WAN address above.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=INTERNET
# LAN DHCP clients are given 8.8.8.8 as resolver and 192.168.2.1 as gateway.
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=8.8.8.8 gateway=192.168.2.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. Queries arriving on INTERNET are caught by the final input drop rule;
# any other interface (LAN, VPN tunnels) can use it.
# NOTE(review): DHCP already points clients at 8.8.8.8, so the router's
# resolver may be unused. If so, allow-remote-requests=no removes the service
# and the reliance on one firewall rule to keep it closed to the Internet.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
/ip dns static
add address=192.168.2.1 name=router
# Filter rules are evaluated top to bottom within each chain; order matters.
/ip firewall filter
# NOTE(review): accepts Winbox (tcp/8291) with no in-interface or src-address
# condition, ahead of the WAN drop, so the management port is reachable from
# the Internet. Restrict it to a src-address-list of admin addresses, or
# remove the rule and manage the router over one of the VPNs.
add action=accept chain=input dst-port=8291 protocol=tcp
# tcp/8080 is the OpenVPN listener (see /interface ovpn-server server).
add action=accept chain=input dst-port=8080 protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
# VPN listeners opened to any source: IPsec NAT-T, IKE, L2TP, PPTP, SSTP.
# NOTE(review): udp/1701 is accepted unconditionally. To allow L2TP only
# inside IPsec, match this rule with ipsec-policy=in,ipsec.
# NOTE(review): the input chain has no "drop invalid" rule; only the forward
# chain does.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# The only input drop, and it is scoped to in-interface=INTERNET. Input from
# every other interface, including all PPP/VPN tunnel interfaces, falls
# through to the implicit accept, so VPN users can reach every router service.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=INTERNET
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=INTERNET
# NOTE(review): the next three rules repeat the forward accept
# established,related / drop invalid rules above (the first two are identical
# to each other). Earlier rules already match that traffic, so these are never
# hit; remove them to keep the ruleset auditable.
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
/ip firewall nat
# Source NAT for everything leaving through the WAN port.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=INTERNET
# NOTE(review): action=accept in dstnat translates nothing; it only ends
# dstnat processing for tcp/8291. Winbox exposure comes from the input filter
# rule, not from here, so this rule looks unnecessary - confirm and remove.
add action=accept chain=dstnat dst-port=8291 protocol=tcp
# NOTE(review): no pool, address or PPP profile in this export uses
# 192.168.89.0/24, so this is presumably a leftover. It also has no
# out-interface, so it would masquerade that range in every direction.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# IPsec peer template for L2TP/IPsec clients: any source address
# (0.0.0.0/0), main-l2tp exchange mode, policies generated per client. The
# pre-shared secret is not shown because of hide-sensitive.
# NOTE(review): phase 1 uses dh-group=modp1024 and hash-algorithm=md5, both
# weak by current standards. Where clients allow it, move to modp2048 or
# larger and sha256. Because any address may initiate, the strength of the
# pre-shared key matters; use a long random value.
# dpd-interval=disable-dpd turns dead-peer detection off.
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256,aes-192,aes-128 exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=md5 send-initial-contact=no
# Default route via the (redacted) upstream gateway, then three static routes
# to remote LANs. Their gateways are the fixed OpenVPN client addresses
# assigned in /ppp secret (10.255.255.4, .3 and .2).
# 192.168.5.0/24 also appears under /routing ospf network.
/ip route
add distance=1 gateway=x.x.x.x
add distance=1 dst-address=192.168.0.0/24 gateway=10.255.255.4
add distance=1 dst-address=192.168.1.0/24 gateway=10.255.255.3
add distance=1 dst-address=192.168.5.0/24 gateway=10.255.255.2
# The address property of a service is its list of allowed client networks.
# NOTE(review): both the web interface and Winbox are explicitly open to
# 0.0.0.0/0. Winbox is also accepted from the WAN by the input filter, so this
# is the last place it could be restricted and it is not. Set address= to the
# management subnets (for example the LAN and VPN ranges).
# NOTE(review): only www and winbox are listed; the other services (telnet,
# ftp, ssh, api, ...) are presumably at their defaults. Check with
# `/ip service print` and disable the ones that are not used.
/ip service
set www address=0.0.0.0/0
set winbox address=0.0.0.0/0
# PPP user accounts; passwords are omitted by hide-sensitive.
# The three Openvpn-* accounts are site links with fixed remote addresses
# that the static routes in /ip route depend on.
# NOTE(review): no entry sets service=, so each account is presumably valid
# on every enabled PPP server (PPTP, L2TP, SSTP, OpenVPN) - confirm and pin
# each account to the one service it needs.
# NOTE(review): "vpn" is a generic account name with no profile or address
# restriction, on a router whose VPN listeners are all open to the Internet.
# Give it a long random password, or replace it with per-user accounts.
/ppp secret
add name=vpn
add name=Openvpn-MLM profile=Openvpn remote-address=10.255.255.2
add name=Openvpn-WYN profile=Openvpn remote-address=10.255.255.3
add name=Openvpn-INS profile=Openvpn remote-address=10.255.255.4
# OSPF is enabled for the OpenVPN tunnel range and for 192.168.5.0/24, both
# in area255.
# NOTE(review): the export has no /routing ospf interface section, so OSPF
# authentication is presumably at its default (none) - confirm. Without it,
# any connected VPN peer in 10.255.255.0/24 could inject routes.
/routing ospf network
add area=area255 network=10.255.255.0/24
add area=area255 network=192.168.5.0/24
/system clock
set time-zone-name=America/Chicago
# NOTE(review): the identity names the device; redact it along with the
# software id when publishing an export.
/system identity
set name=FMT-ROUTER
# NTP client with two fixed servers. Correct time matters for certificate
# validation (OpenVPN, SSTP) and for log timestamps.
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.30
# NOTE(review): the update channel is release-candidate, matching the
# 6.42rc35 build in the header. For an Internet-facing router, a non-RC
# release channel is the lower-risk choice; pre-release builds are less
# tested.
/system package update
set channel=release-candidate
/system routerboard settings
set boot-protocol=dhcp silent-boot=no
# MAC telnet and MAC Winbox are limited to the mactel / mac-winbox interface
# lists, which contain only the LAN bridge (see /interface list member).
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
[admin@FMT-ROUTER] >