Mikrotik Help

a guest
Feb 25th, 2023
202
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.27 KB | Software | 0 0
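  # feb/25/2023 09:38:36 by RouterOS 7.5
  # software id = E2VU-HLQW
  #
  # model = RB3011UiAS
  # serial number = XXX
  #
  # NOTE(review): XXX, PUBIP and PUBGW are redactions made by the poster, not
  # RouterOS syntax - replace them before importing. The paste-site line numbers
  # that prefixed every line have been stripped so the file imports as-is.
  # The export is partial (no /ip service, /ppp, /user, /system identity ...),
  # so statements about those sections below are assumptions to confirm.
  # Lines marked FIX: change behaviour; everything else is comment only.
  /interface bridge
  add admin-mac=XXX auto-mac=no comment=defconf name=bridge
  /interface wireguard
  add listen-port=13231 mtu=1420 name=wireguard1
  /interface vlan
  # Guest101 has no address, DHCP server or firewall reference anywhere in this
  # export - presumably unfinished or unused; remove it or complete it.
  add interface=ether2 name=Guest100 vlan-id=100
  add interface=ether3 name=Guest101 vlan-id=101
  add interface=ether5 name=phone vlan-id=10
  /interface list
  add comment=defconf name=WAN
  add comment=defconf name=LAN
  /interface lte apn
  set [ find default=yes ] ip-type=ipv4 use-network-apn=no
  /interface wireless security-profiles
  set [ find default=yes ] supplicant-identity=MikroTik
  /ip ipsec profile
  # 3des (profile) and sha1 (proposal) are only there for legacy peers; drop them
  # once no peer needs them - aes-256/aes-128 and sha256 stay and are sufficient.
  set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
      sha256
  /ip ipsec proposal
  set [ find default=yes ] auth-algorithms=sha256,sha1
  /ip pool
  add name=dhcp ranges=192.168.2.3-192.168.2.254
  add name=dhcp_pool2 ranges=172.16.0.2-172.16.0.254
  /ip dhcp-server
  add address-pool=dhcp interface=bridge lease-time=23h name=defconf
  add address-pool=dhcp_pool2 interface=Guest100 lease-time=6h name=dhcp1
  /port
  set 0 name=serial0
  /routing ospf instance
  # The OSPF instance is enabled while its only area is disabled, so it can do
  # nothing; disable the instance as well if OSPF is not in use.
  add disabled=no name=default-v2
  /routing ospf area
  add disabled=yes instance=default-v2 name=backbone-v2
  /interface bridge port
  # The bridge has no vlan-filtering and every port has ingress-filtering=no, so
  # tagged frames are bridged between these ports untouched; the Guest100/Guest101
  # VLAN interfaces are defined on the ports themselves (ether2/ether3), not on
  # the bridge. Confirm this is the intended VLAN design.
  add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
  add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
  add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
  add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
  add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
  add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
  add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
  add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
  add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
  /ip neighbor discovery-settings
  set discover-interface-list=LAN
  /ip settings
  set max-neighbor-entries=8192
  /ipv6 settings
  set disable-ipv6=yes max-neighbor-entries=8192
  /interface l2tp-server server
  # default-profile=*1 is an internal id whose /ppp profile is not in this
  # export; confirm the profile exists (and requires encryption) before relying
  # on use-ipsec=yes. No input rule accepts L2TP/IPsec ports, so with the current
  # filter this server is reachable from LAN/WireGuard only.
  set default-profile=*1 use-ipsec=yes
  /interface list member
  add comment=defconf interface=bridge list=LAN
  add comment=defconf interface=ether1 list=WAN
  add interface=ether5 list=LAN
  add interface=phone list=LAN
  # wireguard1 in LAN gives every WireGuard peer the same access to the router's
  # own services (winbox, ssh, api, dns ...) as a wired LAN host. Sensible for
  # AdminPC; review whether the site-to-site peers SUM/FIN/JP need it.
  add interface=wireguard1 list=LAN
  # *10 is a dangling interface id - nothing with that id exists in this export.
  # The same id is referenced by a disabled forward rule below; remove both
  # unless the interface is going to be recreated.
  add interface=*10 list=LAN
  /interface ovpn-server server
  # md5 is accepted as the HMAC; keep only sha1 (or stronger) once all clients
  # are updated. No input rule accepts the OVPN port, so with the current filter
  # the server is reachable from LAN/WireGuard only.
  set auth=sha1,md5 certificate=OpenVpnServer enabled=yes
  /interface wireguard peers
  add allowed-address=192.168.4.0/24 comment=SUM endpoint-address="" \
      interface=wireguard1 public-key=\
      "XXX"
  add allowed-address=192.168.11.0/24,192.168.10.0/24 comment=FIN \
      endpoint-address="" interface=wireguard1 public-key=\
      "XXX"
  # AdminPC has no allowed-address, so WireGuard will not accept any packet from
  # it - the peer is non-functional as exported. Give it the client's tunnel /32.
  add comment=AdminPC endpoint-address="" interface=wireguard1 public-key=\
      "XXX"
  add allowed-address=192.168.20.0/24,192.168.30.0/24,192.168.31.0/24 comment=\
      JP endpoint-address="" interface=wireguard1 public-key=\
      "XXX"
  /ip address
  # NOTE(review): ether2 is a bridge port (see /interface bridge port), so an
  # address on it is normally flagged invalid; the DHCP server, the static ARP
  # entries and the DHCP gateway for 192.168.2.0/24 all point at `bridge`.
  # Confirm on the router and, if so, change interface=ether2 to interface=bridge.
  add address=192.168.2.1/24 comment=defconf interface=ether2 network=\
      192.168.2.0
  add address=PUBIP/30 interface=ether1 network=PUBGW
  add address=192.168.1.1/24 interface=ether5 network=192.168.1.0
  # Four /24s on wireguard1, but no peer's allowed-address covers an address in
  # any of them, so the router can never send to a peer's own tunnel address
  # (WireGuard only sends to a peer whose allowed-address covers the
  # destination). Presumably leftovers - keep one and add the peers' /32s.
  add address=192.168.98.1/24 interface=wireguard1 network=192.168.98.0
  add address=192.168.99.1/24 interface=wireguard1 network=192.168.99.0
  add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
  add address=192.168.101.1/24 interface=wireguard1 network=192.168.101.0
  add address=172.16.0.1/24 comment="Guest Temp" interface=Guest100 network=\
      172.16.0.0
  /ip arp
  add address=192.168.2.251 interface=bridge mac-address=00:15:5D:02:FE:02
  add address=192.168.2.252 interface=bridge mac-address=00:15:5D:02:FE:01
  add address=192.168.2.253 interface=bridge mac-address=00:15:5D:02:FE:05
  add address=192.168.1.249 interface=ether5 mac-address=00:30:4D:F3:E5:56
  add address=192.168.1.250 interface=ether5 mac-address=00:30:4D:F3:E6:82
  # FIX: the export contained a bare "add" here with no address or interface;
  # it aborts the import, so it is commented out.
  # add
  /ip dhcp-client
  add comment=defconf disabled=yes interface=ether1
  /ip dhcp-server lease
  add address=192.168.2.254 client-id=\
      ff:4b:7:61:2f:0:2:0:0:ab:11:b5:6c:70:b8:cd:34:2e:df mac-address=\
      00:15:5D:02:FE:00 server=defconf
  add address=192.168.2.229 client-id=1:2c:a5:9c:c3:3c:b2 mac-address=\
      2C:A5:9C:C3:3C:B2 server=defconf
  add address=192.168.2.230 client-id=1:2c:a5:9c:b8:95:e7 mac-address=\
      2C:A5:9C:B8:95:E7 server=defconf
  add address=192.168.2.248 client-id=1:f0:1f:af:ce:34:34 mac-address=\
      F0:1F:AF:CE:34:34 server=defconf
  add address=192.168.2.250 client-id=1:0:15:5d:97:51:2 mac-address=\
      00:15:5D:97:51:02 server=defconf
  /ip dhcp-server network
  add address=172.16.0.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=172.16.0.1
  add address=192.168.2.0/24 comment=defconf dns-server=\
      192.168.2.252,192.168.2.253,1.1.1.1 domain=mb.echomeless.org gateway=\
      192.168.2.1 netmask=24
  /ip dns
  # allow-remote-requests=yes makes the router a resolver. It is not an open
  # resolver only because the input chain has no accept for port 53 ahead of the
  # "drop all not coming from LAN" rule - keep that dependency in mind when
  # editing the filter.
  set allow-remote-requests=yes servers=192.168.2.252,192.168.2.253,1.1.1.1
  /ip dns static
  add address=192.168.2.1 comment=defconf name=router.lan
  /ip firewall filter
  add action=accept chain=input comment="Accept Wireguard" dst-port=13231 \
      protocol=udp
  # FIX: these four accepts matched on any interface and sat before the
  # "drop all not coming from LAN" rule, so they exposed the router's OWN
  # services on 80/443/3478/50443 to the Internet. WAN traffic to PUBIP on these
  # ports is dst-nat'ed to 192.168.2.249 (see /ip firewall nat) and therefore
  # traverses the forward chain, not input - the rules were never needed for the
  # port forwards. They are now limited to !WAN; deleting them outright is also
  # fine, since LAN-list hosts are accepted by the !LAN drop logic anyway.
  add action=accept chain=input dst-port=80 in-interface-list=!WAN protocol=tcp
  add action=accept chain=input dst-port=3478 in-interface-list=!WAN protocol=udp
  add action=accept chain=input dst-port=50443 in-interface-list=!WAN \
      protocol=tcp
  add action=accept chain=input dst-port=443 in-interface-list=!WAN protocol=tcp
  add action=accept chain=input comment=\
      "defconf: accept established,related,untracked" connection-state=\
      established,related,untracked
  add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  add action=accept chain=input comment=\
      "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
  # Disabled and pointing at the dangling interface id *10 (see
  # /interface list member); remove once that interface is gone for good.
  add action=accept chain=forward disabled=yes in-interface=wireguard1 \
      out-interface=*10
  add action=drop chain=input comment="defconf: drop invalid" connection-state=\
      invalid
  add action=drop chain=input comment="defconf: drop all not coming from LAN" \
      in-interface-list=!LAN
  add action=accept chain=forward comment="defconf: accept in ipsec policy" \
      ipsec-policy=in,ipsec
  add action=accept chain=forward comment="defconf: accept out ipsec policy" \
      ipsec-policy=out,ipsec
  add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
      connection-state=established,related hw-offload=yes
  add action=accept chain=forward comment=\
      "defconf: accept established,related, untracked" connection-state=\
      established,related,untracked
  add action=drop chain=forward comment="defconf: drop invalid" \
      connection-state=invalid
  # The forward chain accepts everything not dropped above, so nothing stops the
  # guest VLAN (Guest100, 172.16.0.0/24) from reaching 192.168.2.0/24,
  # 192.168.1.0/24 or the WireGuard sites. If guests should only get Internet,
  # add ahead of the next rule:
  #   add action=drop chain=forward comment="guest isolation" \
  #       in-interface=Guest100 out-interface-list=!WAN
  add action=drop chain=forward comment=\
      "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
      connection-state=new in-interface-list=WAN
  /ip firewall nat
  add action=masquerade chain=srcnat comment="defconf: masquerade" \
      ipsec-policy=out,none out-interface-list=WAN
  # Internet-exposed hosts: 192.168.1.249/.250 (59001/59002) and 192.168.2.249
  # (80, 443, 3478, 50443). The 8022 rule is disabled but kept with log=yes;
  # delete it if SSH to 192.168.2.250 is not meant to be reachable from outside.
  add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=59002 \
      protocol=tcp to-addresses=192.168.1.250 to-ports=59002
  add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=59001 \
      protocol=udp to-addresses=192.168.1.249 to-ports=59001
  add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=59002 \
      protocol=udp to-addresses=192.168.1.249 to-ports=59002
  add action=dst-nat chain=dstnat disabled=yes dst-address=PUBIP \
      dst-port=8022 log=yes log-prefix=SSHD protocol=tcp to-addresses=\
      192.168.2.250 to-ports=8022
  add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=80 \
      protocol=tcp to-addresses=192.168.2.249 to-ports=80
  add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=443 \
      protocol=tcp to-addresses=192.168.2.249 to-ports=443
  add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=3478 \
      protocol=udp to-addresses=192.168.2.249 to-ports=3478
  add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=50443 \
      protocol=tcp to-addresses=192.168.2.249 to-ports=50443
  /ip firewall service-port
  set sip disabled=yes
  /ip route
  add disabled=no dst-address=0.0.0.0/0 gateway=PUBGW
  # Static routes for the remote sites; each dst-address mirrors a peer's
  # allowed-address under /interface wireguard peers - keep the two in sync.
  add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=wireguard1 \
      pref-src="" routing-table=main suppress-hw-offload=no
  add disabled=no dst-address=192.168.11.0/24 gateway=wireguard1 routing-table=\
      main suppress-hw-offload=no
  add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=wireguard1 \
      pref-src="" routing-table=main suppress-hw-offload=no
  add disabled=no distance=1 dst-address=192.168.30.0/24 gateway=wireguard1 \
      pref-src="" routing-table=main suppress-hw-offload=no
  add disabled=no distance=1 dst-address=192.168.31.0/24 gateway=wireguard1 \
      pref-src="" routing-table=main suppress-hw-offload=no
  add disabled=no distance=1 dst-address=192.168.4.0/24 gateway=wireguard1 \
      pref-src="" routing-table=main suppress-hw-offload=no
  /ip traffic-flow target
  # NetFlow v5 export is unencrypted and carries every flow's addresses and
  # ports; make sure the (redacted) collector is reached over LAN or the tunnel.
  # /ip traffic-flow itself does not appear enabled in this export.
  add dst-address=XXX port=1234 version=5
  /system clock
  set time-zone-name=America/New_York
  /system scheduler
  # One-shot reboot (no interval) dated jan/11/2022 - presumably a leftover;
  # delete it if no further reboot is intended. FIX: it carried the full policy
  # set although "/system reboot" only needs the reboot policy, so the policy is
  # reduced to that (least privilege for a scheduled script).
  add name=schedule1 on-event="/system reboot" policy=reboot \
      start-date=jan/11/2022 start-time=00:01:20
  /tool mac-server
  set allowed-interface-list=LAN
  /tool mac-server mac-winbox
  set allowed-interface-list=LAN
  /tool sniffer
  # Leftover sniffer filter from debugging the 59001/59002 forwards; harmless
  # while the sniffer is stopped, but clear it so a later start does not
  # silently capture only this traffic.
  set filter-interface=ether5 filter-ip-address=PUBIP/32 filter-port=\
      59001,59002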