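# RouterOS firewall template (Jinja2 -> .rsc). The customer-public IPv6 lists are
# filled from NetBox through custom filters (get_netbox_tagged_prefixes /
# get_netbox_tagged_aggregates); everything else is static.
#
# Rule ORDER is significant in every chain: first match wins and each chain ends
# in an explicit drop, so new rules must be placed above that final drop.
#
# Trust model visible in this file:
#   - allow-management : unrestricted control-plane access from uplinks, by source IP only
#   - allow-snmp       : SNMP (udp/161) from uplinks, by source IP only
#   - mgmt interface list : trusted for everything (input and forward)
# The two IP-based lists depend on the uplinks not delivering spoofed sources.
# NOTE(review): no anti-spoof / RPF rule is visible here - confirm it is enforced
# elsewhere (e.g. /ip settings rp-filter or raw-chain rules).
#
# Lists referenced but not defined in this file (must exist on the device):
#   block-customer, public-addresses, allow-ipsec (IPsec rules are disabled).

/ip firewall address-list
# Sources granted full control-plane access on uplinks (see "allow public management IPs").
add address=172.22.0.0/16 comment="Voneus VPN" list=allow-management
add address=185.134.196.128/28 comment=FAELIX list=allow-management
add address=46.227.200.128/28 comment=FAELIX list=allow-management
# RFC 6598 shared address space; customers sourced from here are CGNATed in srcnat below.
add address=100.64.0.0/10 comment=RFC6598 list=customer-private
# LibreNMS pollers allowed to query SNMP on the router.
add address=46.227.207.251 comment=core.librenms.lon.faelix.twh.voneus.net list=allow-snmp
add address=46.227.207.250 comment=fttp.librenms.lon.faelix.twh.voneus.net list=allow-snmp
add address=46.227.203.248 comment=fwa.librenms.lon.faelix.twh.voneus.net list=allow-snmp
add address=46.227.203.91 comment=librenms01.man.faelix.man.voneus.net list=allow-snmp
add address=185.134.197.214 comment=oob.librenms.gen.faelix.che.voneus.net list=allow-snmp
add address=185.134.197.197 comment=overlord.librenms.gen.faelix.che.voneus.net list=allow-snmp
add address=46.227.203.249 comment=systems.librenms.lon.faelix.twh.voneus.net list=allow-snmp
add address=46.227.202.238 comment=vnms.librenms.man.faelix.man.voneus.net list=allow-snmp
# Disabled placeholders (TEST-NET-1) that keep the list names used by the NAT rules present.
add address=192.0.2.1 comment=placeholder disabled=yes list=no-cgnat-to
add address=192.0.2.2 comment=example disabled=yes list=provisioning

/ipv6 firewall address-list
# Disabled placeholder for the Voneus VPN range. Uses the RFC 3849 documentation
# prefix 2001:db8::/32; the previous 2001:db9::/32 is not a reserved prefix, so
# enabling it by mistake would have trusted an unrelated allocation. The second,
# identical disabled "Voneus VPN" entry was dropped: RouterOS normally refuses a
# duplicate address/list pair, which would abort the import.
add address=2001:db8::/32 comment="Voneus VPN" disabled=yes list=allow-management
add address=2a01:9e00:a217:fa00::/56 comment=FAELIX list=allow-management
add address=2a01:9e01:a217:fa00::/56 comment=FAELIX list=allow-management
{# NetBox descriptions are untrusted text that lands inside a RouterOS double-quoted
   string. Inside "..." RouterOS honours \ escapes, $variable expansion and [command]
   substitution, so strip those characters (and the closing quote) before interpolating.
   Standard Jinja2 filters only; adjust if the renderer sandboxes them. #}
{% macro rsc_comment(text) -%}
{{ text|replace('\\', '')|replace('"', '')|replace('$', '')|replace('[', '')|replace(']', '') }}
{%- endmacro %}
# customer-public: IPv6 customer space tagged in NetBox. NOTE(review): a prefix that is
# both a tagged prefix and a tagged aggregate, or carries both tags, is emitted twice;
# confirm the device tolerates that or de-duplicate in the filters.
{% for prefix in 'accept-ipv6-40-48-from-aggregation'|get_netbox_tagged_prefixes %}
{% if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ rsc_comment(prefix.description) }}" list=customer-public
{% endif %}
{% endfor %}
{% for prefix in 'accept-ipv6-40-48-from-aggregation'|get_netbox_tagged_aggregates %}
{% if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ rsc_comment(prefix.description) }}" list=customer-public
{% endif %}
{% endfor %}
{% for prefix in 'accept-ipv6-48-52-from-aggregation'|get_netbox_tagged_prefixes %}
{% if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ rsc_comment(prefix.description) }}" list=customer-public
{% endif %}
{% endfor %}
{% for prefix in 'accept-ipv6-48-52-from-aggregation'|get_netbox_tagged_aggregates %}
{% if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ rsc_comment(prefix.description) }}" list=customer-public
{% endif %}
{% endfor %}
# Disabled placeholder (RFC 3849 documentation prefix) keeping the provisioning list present.
add address=2001:db8::/32 comment=example disabled=yes list=provisioning

/ip firewall filter
# ---- forward ----
add action=fasttrack-connection chain=forward comment="forward existing connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="forward existing connections" connection-state=established,related
# The block-customer drops sit ABOVE the customer->uplink accept. In the previous
# order the accept matched first, so a customer could still reach a protected subnet
# (or source a protected address) whenever the path went out an uplink or linknet.
add action=drop chain=forward comment="prevent customers from reaching protected subnets" in-interface-list=customer-and-linknet src-address-list=block-customer
add action=drop chain=forward comment="prevent customers from reaching protected subnets" dst-address-list=block-customer in-interface-list=customer-and-linknet
add action=accept chain=forward comment="forward customer traffic to uplinks and linknets" in-interface-list=customer-and-linknet out-interface-list=uplink-and-linknet
# mgmt interfaces are fully trusted for transit.
add action=accept chain=forward comment="forward traffic arriving from management interfaces" in-interface-list=mgmt
# Disabled: IPsec transit and inbound DNAT from uplinks are not in use on this device.
add action=accept chain=forward comment="forward IPsec encapsulated traffic" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=forward comment="forward DNAT traffic" connection-nat-state=dstnat disabled=yes in-interface-list=uplink-and-linknet
# action=accept made explicit (it is the RouterOS default when omitted).
add action=accept chain=forward comment="forward traffic between linknets" in-interface-list=linknet out-interface-list=linknet
# Default deny for anything new arriving from uplinks/linknets (customers are not exposed inbound).
add action=drop chain=forward comment="block traffic from uplinks and linknets" in-interface-list=uplink-and-linknet
# ---- input (router control plane) ----
add action=fasttrack-connection chain=input comment="allow established connections to router's control plane" connection-state=established,related hw-offload=yes
add action=accept chain=input comment="allow established connections to router's control plane" connection-state=established,related
# Resolver and NTP are offered only on customer-facing, linknet and provisioning interfaces,
# never on uplinks, so the router is not an open resolver towards the Internet.
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=udp
add action=accept chain=input comment="allow SNMP" dst-port=161 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-snmp
add action=accept chain=input comment="allow NTP" dst-port=123 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=udp
add action=accept chain=input comment="allow management interfaces to access router's control plane" in-interface-list=mgmt
# Any protocol/port from allow-management sources - this is the remote admin path.
add action=accept chain=input comment="allow public management IPs access to router's control plane" in-interface-list=uplink-and-linknet src-address-list=allow-management
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet protocol=ipsec-esp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes dst-port=500,4500 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
# NOTE(review): tcp/179 is open to every source on uplinks; consider a src-address-list
# of configured BGP peers (and/or TCP-MD5 on the sessions) to shrink the exposure.
add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-port=179 in-interface-list=uplink-and-linknet protocol=tcp
# Unrestricted ICMP to the control plane (no rate limit applied here).
add action=accept chain=input comment="allow ICMP" protocol=icmp
# dst-port, NOT port: "port=" matches source OR destination, so any UDP packet with a
# SOURCE port in 33434-33534 was accepted to every UDP service on the router, bypassing
# the src-address-list restriction on SNMP and the interface restrictions on DNS/NTP.
add action=accept chain=input comment="allow UDP traceroute" dst-port=33434-33534 protocol=udp
add action=drop chain=input comment="protect router's control plane"

/ip firewall nat
# Public-addressed customers and traffic to no-cgnat-to destinations bypass CGNAT.
add action=return chain=srcnat src-address-list=public-addresses
add action=return chain=srcnat dst-address-list=no-cgnat-to
# Deterministic CGNAT pool mapping per source (same-not-by-dst) with masquerade as fallback.
add action=same chain=srcnat out-interface-list=uplink same-not-by-dst=yes src-address-list=customer-private to-addresses=185.66.206.1-185.66.206.3
add action=masquerade chain=srcnat out-interface-list=uplink src-address-list=customer-private
# action=dst-nat added: without an action the rule defaulted to accept and the
# to-addresses value was ignored, so provisioning CPE NTP was never redirected.
# NOTE(review): if translating to the loopback address does not take effect on the
# device, use action=redirect (which targets the receiving interface address) instead.
add action=dst-nat chain=dstnat comment="redirect NTP to local NTP server for provisioning" dst-port=123 protocol=udp src-address-list=provisioning to-addresses=127.0.0.1

/ipv6 firewall filter
# ---- forward ----
add action=accept chain=forward comment="forward existing connections" connection-state=established,related
# block-customer drops placed above the customer->uplink accept, as in the IPv4 chain.
add action=drop chain=forward comment="prevent customers from reaching protected subnets" in-interface-list=customer-and-linknet src-address-list=block-customer
add action=drop chain=forward comment="prevent customers from reaching protected subnets" dst-address-list=block-customer in-interface-list=customer-and-linknet
add action=accept chain=forward comment="forward customer traffic to uplinks and linknets" in-interface-list=customer-and-linknet out-interface-list=uplink-and-linknet
add action=accept chain=forward comment="forward traffic arriving from management interfaces" in-interface-list=mgmt
add action=accept chain=forward comment="forward IPsec encapsulated traffic" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=forward comment="forward traffic between linknets" in-interface-list=linknet out-interface-list=linknet
# protocol=icmpv6 (was protocol=icmp, i.e. protocol number 1, which never appears as an
# IPv6 next header - the rule matched nothing and inbound ICMPv6 such as Packet Too Big
# fell through to the drop below). Accepts all ICMPv6 types from uplinks.
add action=accept chain=forward comment="forward ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="block traffic from uplinks and linknets" in-interface-list=uplink-and-linknet
# ---- input (router control plane) ----
add action=accept chain=input comment="allow established connections to router's control plane" connection-state=established,related
# NOTE(review): IPv6 DNS/NTP use customer-and-linknet, the IPv4 rules also include the
# provisioning-cpe interfaces - confirm the asymmetry is intended.
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet protocol=udp
add action=accept chain=input comment="allow SNMP" dst-port=161 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-snmp
add action=accept chain=input comment="allow NTP" dst-port=123 in-interface-list=customer-and-linknet protocol=udp
add action=accept chain=input comment="allow management interfaces to access router's control plane" in-interface-list=mgmt
add action=accept chain=input comment="allow public management IPs access to router's control plane" in-interface-list=uplink-and-linknet src-address-list=allow-management
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet protocol=ipsec-esp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes dst-port=500,4500 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
# NOTE(review): as for IPv4, tcp/179 is open to all sources on uplinks.
add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-port=179 in-interface-list=uplink-and-linknet protocol=tcp
# All ICMPv6 to the router (required for neighbour discovery; no rate limit applied).
add action=accept chain=input comment="allow ICMP" protocol=icmpv6
# dst-port, NOT port - same source-port bypass as in the IPv4 chain.
add action=accept chain=input comment="allow UDP traceroute" dst-port=33434-33534 protocol=udp
add action=drop chain=input comment="protect router's control plane"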