CCR2004 config

Jan 17th, 2021 (edited)
156
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.94 KB | None | 0 0
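  # jan/17/2021 09:10:13 by RouterOS 6.48
# software id = 9S4Z-ANEJ
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F0********
#
# Reviewed export. The PPPoE credentials, the PPP secret and the serial
# number were redacted by the author ("********"); they are placeholders,
# not importable values. Security-relevant changes versus the original
# export are marked "REVIEW:". IPv6 does not appear in this export; if the
# ipv6 package is enabled, /ipv6 firewall needs equivalent input/forward
# rules, which are not covered here.
/interface bridge
add arp=proxy-arp name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus9 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus10 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus11 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus12 ] auto-negotiation=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus1 max-mru=1492 \
    max-mtu=1492 name=pppoe-telekom password=******** use-peer-dns=yes \
    user=********@t-online.hu
/interface bonding
add name=bonding1 slaves=sfp-sfpplus11,sfp-sfpplus12
add name=bonding2 slaves=sfp-sfpplus9,sfp-sfpplus10
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=dhcp
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge interface=sfp-sfpplus4
add bridge=bridge interface=sfp-sfpplus5
add bridge=bridge interface=sfp-sfpplus6
add bridge=bridge interface=sfp-sfpplus7
add bridge=bridge interface=sfp-sfpplus8
add bridge=bridge interface=sfp28-1
add bridge=bridge interface=sfp28-2
add bridge=bridge interface=bonding1
add bridge=bridge interface=bonding2
/interface list member
# Only the PPPoE session is WAN; the bridge is LAN. VPN (pptp-in) interfaces
# are in neither list, which the firewall rules below rely on.
add interface=pppoe-telekom list=WAN
add interface=bridge list=LAN
/interface pptp-server server
# REVIEW: PPTP relies on MS-CHAPv2 and MPPE, both of which are considered
# broken (MS-CHAPv2 handshakes captured from the WAN can be cracked offline).
# Treat this as a legacy service: migrate clients to L2TP/IPsec or IKEv2
# (or WireGuard, which needs RouterOS 7) and set enabled=no afterwards.
set enabled=yes max-mru=1400 max-mtu=1400
/ip address
add address=192.168.1.2/24 interface=bridge network=192.168.1.0
/ip cloud
# REVIEW: ddns-enabled=yes publishes this router's public address under a
# DNS name derived from its serial number. Keep it only if that name is
# actually used; otherwise set ddns-enabled=no to avoid advertising the host.
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.1.220 mac-address=B4:6C:47:6C:2C:87 server=dhcp
add address=192.168.1.100 mac-address=B8:6B:23:53:7F:8E server=dhcp
add address=192.168.1.10 mac-address=E0:63:DA:8F:69:C6 server=dhcp
add address=192.168.1.101 mac-address=68:AB:1E:E0:C6:1C server=dhcp
add address=192.168.1.110 mac-address=80:0A:80:56:9B:9E server=dhcp
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.2 gateway=192.168.1.2 \
    netmask=24
/ip dns
# allow-remote-requests=yes turns the router into a recursive resolver for
# every source the input chain lets through. That is safe only while the
# final input drop below keeps non-192.168.0.0/16 sources out; do not relax
# that rule without adding an explicit dst-port=53 restriction.
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
# 192.168.0.0/16 stays disabled here because both the LAN (192.168.1.0/24)
# and the VPN pool (192.168.89.0/24) live inside it.
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
/ip firewall filter
# REVIEW: the final input drop trusts 192.168.0.0/16 by source address only,
# so a packet with a forged private source arriving on the PPPoE session
# would reach the management services. Drop such packets on the WAN, and
# discard connection-tracking "invalid" packets, before any accept rule.
add action=drop chain=input comment="Drop spoofed private source on WAN" \
    in-interface-list=WAN src-address=192.168.0.0/16
add action=drop chain=forward comment="Drop spoofed private source on WAN" \
    in-interface-list=WAN src-address=192.168.0.0/16
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    src-address=!192.168.0.0/16 tcp-flags=syn
# REVIEW: no IPsec peer/identity and no /interface l2tp-server appear in this
# export, so the IKE, IPsec-NAT and L2TP accepts open ports for services that
# are not visibly configured. Remove them, or, if L2TP/IPsec is configured
# outside this export, add ipsec-policy=in,ipsec to the 1701/udp rule so that
# unencrypted L2TP from the Internet is refused.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
# NOTE(review): psd matches LAN sources too, so any LAN host that port-scans
# the router is locked out of every router service (Winbox included) for a
# week. Clear an entry with
# /ip firewall address-list remove [find list=Port_Scanner] if this happens.
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" src-address=\
    !192.168.0.0/16
# REVIEW: the original forward chain had no WAN-to-LAN restriction at all;
# only the lack of a public route to 192.168.1.0/24 kept unsolicited traffic
# out. Add the RouterOS default pair: accept established/related, then drop
# new connections from the WAN that were not DNATed. Placed after the
# spammer detection so that rule still sees every packet. VPN (pptp-in)
# interfaces are not in the WAN list, so VPN-to-LAN forwarding is unaffected.
add action=accept chain=forward comment="Accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop new WAN connections not DNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# ICMP sub-chain shared by input, forward and output. Only echo (rate
# limited), time-exceeded, unreachable codes 0-1 and fragmentation-needed
# (PMTUD) pass; note that unreachable code 3 (port unreachable) is dropped
# as well, which affects UDP traceroute replies through/from this router.
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall mangle
# Clamp TCP MSS on the PPPoE uplink (MTU 1492 - 40 header bytes = 1452;
# 1448 leaves a margin) so PMTUD black holes do not stall connections.
add action=change-mss chain=forward new-mss=1448 out-interface=pppoe-telekom \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1448
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-telekom src-address=\
    192.168.1.0/24
# No out-interface: VPN clients are masqueraded towards every destination,
# including the LAN, so LAN hosts see them as 192.168.1.2.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
# REVIEW: 192.168.0.0/16 also admits VPN clients (192.168.89.0/24) to the
# management services; narrow to 192.168.1.0/24 if VPN users should not
# manage the router. Plain-HTTP www carries the admin password in the clear
# on the LAN; prefer www-ssl with a certificate and disable www once it works.
set www address=192.168.0.0/16
set ssh address=192.168.0.0/16
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/ppp secret
# REVIEW: one shared account serves every VPN client and service= is not
# restricted, so the password cannot be rotated or revoked per user. Prefer
# one secret per user with service=pptp (or the service actually used).
add name=vpn password=********
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=kovacsr-router
/tool mac-server
# MAC-telnet and MAC-Winbox only answer on LAN-list interfaces, so they are
# not reachable over the PPPoE session. NOTE(review): /ip neighbor
# discovery-settings is not in this export; confirm discovery is likewise
# limited to LAN.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN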