working config

1. # 2024-04-24 15:38:45 by RouterOS 7.14.3
2. # software id = B10P-R5ZW
3. #
4. # model = RB4011iGS+
5. # serial number = XXXXXXXX
6. /interface bridge
7. add name=bridge1 vlan-filtering=yes
8. /interface ethernet
9. set [ find default-name=ether1 ] disabled=yes
10. set [ find default-name=ether2 ] disabled=yes
11. set [ find default-name=ether3 ] disabled=yes
12. set [ find default-name=ether4 ] disabled=yes
13. set [ find default-name=ether5 ] disabled=yes
14. set [ find default-name=ether6 ] disabled=yes
15. set [ find default-name=ether7 ] disabled=yes
16. set [ find default-name=ether8 ] disabled=yes
17. set [ find default-name=ether10 ] disabled=yes poe-out=off
18. /interface vlan
19. add interface=bridge1 name=vlan99 vlan-id=99
20. /interface list
21. add name=wan
22. add name=lan
23. /interface wireless security-profiles
24. set [ find default=yes ] supplicant-identity=MikroTik
25. /port
26. set 0 name=serial0
27. set 1 name=serial1
28. /zerotier
29. set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
30. /ip smb
31. set enabled=no
32. /interface bridge port
33. add bridge=bridge1 interface=sfp-sfpplus1
34. /ip neighbor discovery-settings
35. set discover-interface-list=!dynamic
36. /ipv6 settings
37. set disable-ipv6=yes forward=no max-neighbor-entries=3072
38. /interface bridge vlan
39. add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 vlan-ids=99
40. /interface list member
41. add interface=ether9 list=lan
42. add interface=bridge1 list=lan
43. add interface=vlan99 list=wan
44. /ip address
45. add address=192.168.0.81/16 comment=backdoor interface=ether9 network=192.168.0.0
46. add address=192.168.0.1/16 interface=bridge1 network=192.168.0.0
47. /ip cloud
48. set ddns-enabled=yes ddns-update-interval=5m
49. /ip dhcp-client
50. add interface=vlan99 use-peer-dns=no use-peer-ntp=no
51. /ip dns
52. set servers=192.168.0.51
53. /ip firewall filter
54. add action=fasttrack-connection chain=input comment="accept established or related" connection-state=established,related hw-offload=yes
55. add action=accept chain=input comment="accept established or related" connection-state=established,related
56. add action=drop chain=input comment="drop invalid" connection-state=invalid
57. add action=drop chain=input comment="drop input from outside the lan" in-interface-list=!lan
58. add action=fasttrack-connection chain=forward comment="accept established or related" connection-state=established,related hw-offload=yes
59. add action=accept chain=forward comment="accept established or related" connection-state=established,related
60. add action=drop chain=forward comment="drop invalid" connection-state=invalid
61. add action=drop chain=forward comment="drop forwards from outside the wan no dstnat" connection-nat-state=!dstnat connection-state=new in-interface-list=!lan
62. /ip firewall nat
63. add action=masquerade chain=srcnat out-interface-list=wan
64. /ip service
65. set telnet disabled=yes
66. set ftp disabled=yes
67. set www disabled=yes
68. set ssh address=192.168.0.0/16
69. set api address=192.168.0.0/16
70. set winbox address=192.168.0.0/16
71. set api-ssl disabled=yes
72. /system clock
73. set time-zone-name=America/Chicago
74. /system identity
75. set name=rb4011
76. /system note
77. set show-at-login=no
78. /system ntp client
79. set enabled=yes
80. /system ntp server
81. set enabled=yes
82. /system ntp client servers
83. add address=216.239.35.0
84. add address=216.239.35.4
85. add address=216.239.35.8
86. add address=216.239.35.12
87. /system routerboard settings
88. set auto-upgrade=yes
89. /tool mac-server
90. set allowed-interface-list=none
91. /tool mac-server mac-winbox
92. set allowed-interface-list=lan
93. /tool mac-server ping
94. set enabled=no