- # dec/07/2022 08:31:21 by RouterOS 7.5
- # software id = W5M1-5E8A
- #
- # model = RB760iGS
- # Single LAN bridge with a pinned admin MAC (auto-mac=no). Its member ports are listed
- # under /interface bridge port further down (ether2-ether5, sfp1); ether1 is the WAN port.
- /interface bridge
- add admin-mac=DC:2C:6E:7B:07:88 auto-mac=no comment=defconf name=bridge
- /interface ethernet
- set [ find default-name=ether2 ] comment="Wifi APs"
- set [ find default-name=ether3 ] comment=Cameras
- set [ find default-name=ether5 ] poe-out=off
- # WireGuard listener on UDP/51820; the tunnel address (10.0.0.1/24) and the peers are
- # defined below under /ip address and /interface wireguard peers.
- /interface wireguard
- add listen-port=51820 mtu=1420 name=wireguard1
- # 802.1Q sub-interfaces on the AP trunk (ether2). NOTE(review): ether2 is also a bridge
- # port with ingress-filtering=no, and no bridge VLAN filtering appears in this export;
- # confirm tagged frames cannot be bridged between segments instead of hitting the VLAN
- # interfaces and the IP firewall.
- /interface vlan
- add interface=ether2 name=vlan10 vlan-id=10
- add interface=ether2 name=vlan30 vlan-id=30
- add interface=ether2 name=vlan107 vlan-id=107
- /interface list
- add comment=defconf name=WAN
- add comment=defconf name=LAN
- /interface lte apn
- set [ find default=yes ] ip-type=ipv4 use-network-apn=no
- /interface wireless security-profiles
- set [ find default=yes ] supplicant-identity=MikroTik
- # One pool per segment: defconf (bridge), vlan10, vlan107 (IoT) and vlan30 (NoT).
- # NOTE(review): ovpn-pool (192.168.77.x) is not referenced by anything visible in this export.
- /ip pool
- add name=dhcp ranges=192.168.88.10-192.168.88.254
- add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
- add name=dhcp_pool2 ranges=192.168.107.2-192.168.107.254
- add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
- add name=ovpn-pool ranges=192.168.77.2-192.168.77.254
- # DHCP servers: the defconf server listens on the bridge, the others on the VLAN interfaces.
- /ip dhcp-server
- add address-pool=dhcp interface=bridge name=defconf
- add address-pool=dhcp_pool1 conflict-detection=no interface=vlan10 name=dhcp1
- add address-pool=dhcp_pool2 interface=vlan107 name=dhcp2
- add address-pool=dhcp_pool3 interface=vlan30 name=dhcp3
- /port
- set 0 name=serial0
- # SNMP: the built-in default community stays enabled but is limited to one source host
- # (192.168.88.226/32); its community string is not shown in this export. The "librenms"
- # community is defined but disabled.
- /snmp community
- set [ find default=yes ] addresses=192.168.88.226/32
- add addresses=192.168.88.226/32 disabled=yes name=librenms
- # Logging action 3 ships logs to a remote syslog host (192.168.88.211, pinned by a static
- # lease below). The /system logging rules that would select this action are not in this
- # export, so whether anything is actually forwarded cannot be confirmed here.
- /system logging action
- set 3 remote=192.168.88.211
- # All LAN-side ports are plain bridge members with ingress-filtering=no (untagged and tagged
- # frames are both accepted on every port).
- /interface bridge port
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
- add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
- # Neighbor discovery (MNDP/CDP/LLDP) is restricted to the LAN list, i.e. the bridge only.
- /ip neighbor discovery-settings
- set discover-interface-list=LAN
- # IPv6 is fully disabled on this router.
- /ipv6 settings
- set disable-ipv6=yes max-neighbor-entries=8192
- /interface detect-internet
- set detect-interface-list=all internet-interface-list=WAN
- # Interface lists used by the firewall and management restrictions below.
- # NOTE(review): only the bridge is in LAN and only ether1 in WAN; vlan10/vlan30/vlan107 and
- # wireguard1 belong to neither list. That matters for every rule matching in-interface-list,
- # in particular the final input-chain drop on in-interface-list=!LAN.
- /interface list member
- add comment=defconf interface=bridge list=LAN
- add comment=defconf interface=ether1 list=WAN
- # OpenVPN server: AES-256 with client certificates required, but the HMAC digest is
- # auth=sha1. NOTE(review): RouterOS 7 also offers stronger digests (e.g. sha256); confirm
- # the clients support one before changing it. certificate=*6 is an internal object id and
- # the certificate itself is not part of this export. netmask=29 sizes the client network,
- # but no /ppp profile or pool binding for it is visible, and no input-chain rule below
- # accepts the OVPN service port, so as exported the server does not appear reachable from WAN.
- /interface ovpn-server server
- set auth=sha1 certificate=*6 cipher=aes256 enabled=yes netmask=29 \
- require-client-certificate=yes
- # Four road-warrior peers (endpoint-address="" so the router only answers, never initiates).
- # Each peer gets a single /32 allowed-address, which keeps WireGuard's cryptokey routing
- # strict: a peer can only source its own tunnel IP. The public keys here are placeholders.
- /interface wireguard peers
- add allowed-address=10.0.0.2/32 endpoint-address="" interface=wireguard1 \
- public-key="whateverA"
- add allowed-address=10.0.0.3/32 endpoint-address="" interface=wireguard1 \
- public-key="whateverB"
- add allowed-address=10.0.0.4/32 endpoint-address="" interface=wireguard1 \
- public-key="whateverC"
- add allowed-address=10.0.0.5/32 endpoint-address="" interface=wireguard1 \
- public-key="whateverD"
- # Router addresses per segment. NOTE(review): 192.168.88.1/24 is bound to ether2, while
- # ether2 is a bridge port and the defconf DHCP server plus several forward-chain rules
- # (in-interface=bridge) refer to the bridge interface — confirm the address should not be
- # on "bridge" instead.
- /ip address
- add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
- 192.168.88.0
- add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
- add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
- add address=192.168.107.1/24 interface=vlan107 network=192.168.107.0
- add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
- # WAN address via DHCP on ether1; use-peer-dns=no keeps the ISP's resolvers out of /ip dns.
- /ip dhcp-client
- add comment=defconf interface=ether1 use-peer-dns=no
- # Static leases. The hosts the rest of the config depends on are pinned here:
- # 192.168.88.226 (DNS forwarder / DNS-capture target / SNMP poller) and
- # 192.168.88.211 (DNS server handed to clients, remote syslog target).
- /ip dhcp-server lease
- add address=192.168.88.252 client-id=1:e0:63:da:c8:14:11 mac-address=\
- E0:63:DA:C8:14:11 server=defconf
- add address=192.168.88.253 client-id=1:74:ac:b9:2c:42:c1 mac-address=\
- 74:AC:B9:2C:42:C1 server=defconf
- add address=192.168.88.223 client-id=1:e0:63:da:7c:2c:13 mac-address=\
- E0:63:DA:7C:2C:13 server=defconf
- add address=192.168.88.211 client-id=1:0:11:32:cb:cc:91 mac-address=\
- 00:11:32:CB:CC:91 server=defconf
- add address=192.168.107.23 mac-address=32:4A:26:0F:6F:E8 server=dhcp2
- add address=192.168.88.226 client-id=\
- ff:b6:22:f:eb:0:2:0:0:ab:11:e9:53:e:c0:c5:1:62:7a mac-address=\
- 00:23:24:54:23:96 server=defconf
- add address=192.168.88.185 mac-address=6C:CD:D6:BC:81:48 server=defconf
- # DHCP options per network. NOTE(review): 192.168.10.0/24 hands out no dns-server, and
- # 192.168.50.0/29 (comment=vpn) matches no pool or interface address in this export.
- # vlan30 and the defconf segment get the internal resolvers .211/.234; vlan107 (IoT) gets
- # .211 plus 9.9.9.9 directly, so IoT DNS is not forced through the router.
- /ip dhcp-server network
- add address=192.168.10.0/24 gateway=192.168.10.1
- add address=192.168.30.0/24 dns-server=192.168.88.211,192.168.88.234 gateway=\
- 192.168.30.1
- add address=192.168.50.0/29 comment=vpn dns-server=192.168.88.211 gateway=\
- 192.168.88.1 netmask=29
- add address=192.168.88.0/24 comment=defconf dns-server=\
- 192.168.88.211,192.168.88.234 domain=home.lan gateway=192.168.88.1
- add address=192.168.107.0/24 dns-server=192.168.88.211,9.9.9.9 gateway=\
- 192.168.107.1
- # The router itself answers DNS for others (allow-remote-requests=yes), forwarding to
- # 192.168.88.226 and then 9.9.9.9. Open-resolver exposure on the WAN side is closed by the
- # input-chain drops of UDP/TCP 53 on ether1 and the final drop of non-LAN input traffic.
- /ip dns
- set allow-remote-requests=yes servers=192.168.88.226,9.9.9.9
- /ip dns static
- add address=192.168.88.1 comment=defconf name=router.home.lan
- # Address lists referenced by the filter and NAT rules below:
- #  - "DNS Servers": resolvers exempt from the DNS-capture dst-nat (the router's own .1 entry is disabled).
- #  - "Untrusted IoT" (vlan107) / "Untrusted NoT" (vlan30) vs "Trusted normal LAN" (192.168.88.0/24):
- #    drive the inter-segment forward rules.
- #  - not_in_internet: RFC6890 / bogon ranges used by the "Drop tries to reach not public
- #    addresses from LAN" rule. Note it includes 192.168.0.0/16 and 10.0.0.0/8, i.e. every
- #    local segment and the WireGuard tunnel.
- #  - no_forward_ipv4: populated here but no rule in this export references it.
- # NOTE(review): 172.19.0.8 (on "Untrusted IoT") does not belong to any subnet configured here.
- /ip firewall address-list
- add address=192.168.88.211 list="DNS Servers"
- add address=192.168.88.226 list="DNS Servers"
- add address=192.168.107.0/24 comment="Untrusted Addresses" list=\
- "Untrusted IoT"
- add address=192.168.88.0/24 comment="Trusted Addresses" list=\
- "Trusted normal LAN"
- add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
- add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
- add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
- add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
- add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
- add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
- add address=224.0.0.0/4 comment=Multicast list=not_in_internet
- add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
- add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
- add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
- add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
- add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
- add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
- add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
- add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
- not_in_internet
- add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
- add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
- add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
- add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
- add address=192.168.88.1 disabled=yes list="DNS Servers"
- add address=192.168.30.0/24 list="Untrusted NoT"
- add address=172.19.0.8 list="Untrusted IoT"
- # Filter rules are evaluated top to bottom; a chain with no matching terminal rule ends
- # in RouterOS's default accept. The input chain below does end in a drop; the forward chain
- # does not (see NOTE(review) at the "Drop VLAN107 to LAN" rules).
- /ip firewall filter
- # WireGuard handshake accept: first rule, no in-interface restriction, and log=yes, so every
- # UDP/51820 packet from any interface (including WAN scans) is logged — watch log volume.
- add action=accept chain=input comment="allow wireguard handshake" dst-port=\
- 51820 log=yes log-prefix=wg: protocol=udp
- # NOTE(review): this matches on source address only; a host on the bridge or a VLAN could
- # spoof 10.0.0.0/24. Adding in-interface=wireguard1 pins it to the tunnel. Also note only
- # UDP is accepted here: since wireguard1 is not in the LAN list, TCP from peers to the router
- # itself falls through to the final "drop all not coming from LAN" rule.
- add action=accept chain=input comment="allow WireGuard traffic" protocol=udp \
- src-address=10.0.0.0/24
- add action=accept chain=input comment=\
- "defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
- connection-state=established,related hw-offload=yes
- add action=drop chain=input comment="defconf: drop invalid" connection-state=\
- invalid
- # Explicitly close DNS on the WAN port; the !LAN drop below would catch this anyway,
- # but keeping it explicit documents the open-resolver concern (allow-remote-requests=yes).
- add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
- add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
- add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- # Terminal input drop. Only the bridge is in LAN, so the VLAN interfaces and wireguard1 are
- # also dropped here (except ICMP above and the WireGuard UDP accepts). DHCP on the VLANs
- # may be unaffected if RouterOS serves it below the IP firewall — confirm.
- add action=drop chain=input comment="defconf: drop all not coming from LAN" \
- in-interface-list=!LAN
- add action=accept chain=forward comment="defconf: accept in ipsec policy" \
- ipsec-policy=in,ipsec
- add action=accept chain=forward comment="defconf: accept out ipsec policy" \
- ipsec-policy=out,ipsec
- add action=accept chain=forward comment=\
- "defconf: accept established,related, untracked" connection-state=\
- established,related,untracked
- add action=drop chain=forward comment="defconf: drop invalid" \
- connection-state=invalid
- add action=drop chain=forward comment=\
- "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
- connection-state=new in-interface-list=WAN
- # Inter-segment policy: trusted LAN may open connections to IoT and NoT; both untrusted
- # segments may reach the "DNS Servers" list.
- add action=accept chain=forward comment="Allow LAN to VLAN107" \
- dst-address-list="Untrusted IoT" src-address-list="Trusted normal LAN"
- add action=accept chain=forward dst-address-list="Untrusted NoT" \
- src-address-list="Trusted normal LAN"
- add action=accept chain=forward dst-address-list="DNS Servers" \
- src-address-list="Untrusted NoT"
- # NOTE(review): the comment says "Drop" but the action is accept (IoT -> DNS Servers);
- # suggest comment="Allow VLAN107 to DNS Servers" to avoid misreading the policy.
- add action=accept chain=forward comment="Drop VLAN107 to LAN" \
- dst-address-list="DNS Servers" src-address-list="Untrusted IoT"
- add action=accept chain=forward dst-address=192.168.88.226 src-address-list=\
- "Untrusted NoT"
- # SSDP (UDP/1900) from the IoT VLAN into the trusted LAN.
- add action=accept chain=forward dst-address=192.168.88.0/24 dst-port=1900 \
- protocol=udp src-address=192.168.107.0/24
- add action=accept chain=forward dst-address=192.168.88.211 protocol=tcp \
- src-address=192.168.107.253
- # NOTE(review): this drop is limited to protocol=tcp, and the forward chain has no final
- # drop, so new UDP/ICMP/other-protocol connections from "Untrusted IoT" to the trusted LAN
- # fall through to the default accept. "Untrusted NoT" has no drop toward the trusted LAN at
- # all in this export. Either remove protocol=tcp here (and add a matching rule for NoT) or
- # end the chain with an explicit drop — confirm the intended policy first.
- add action=drop chain=forward comment="Drop VLAN107 to LAN" dst-address=\
- !192.168.88.211 dst-address-list="Trusted normal LAN" protocol=tcp \
- src-address-list="Untrusted IoT"
- # Duplicate of the earlier "defconf: drop invalid" forward rule; invalid packets were already
- # dropped above, so this (logged) copy should never match.
- add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
- log=yes log-prefix=invalid
- # Bogon egress filter from the bridge. NOTE(review): log-prefix is set but log=yes is not,
- # so nothing is logged. Because not_in_internet covers 192.168.0.0/16 and 10.0.0.0/8, this
- # also drops bridge -> vlan10 (no accept above) and bridge -> WireGuard peer traffic; the
- # IoT/NoT segments are only reachable because they are accepted earlier. Confirm intended.
- add action=drop chain=forward comment=\
- "Drop tries to reach not public addresses from LAN" dst-address-list=\
- not_in_internet in-interface=bridge log-prefix=!public_from_LAN \
- out-interface=!bridge
- # Same condition as the defconf WAN rule above (ether1 is in WAN), which drops first, so this
- # logged copy appears unreachable and the !NAT prefix will not show up in logs.
- add action=drop chain=forward comment=\
- "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
- connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
- add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
- protocol=icmp
- # Anti-spoofing: frames entering on the bridge must carry a 192.168.88.0/24 source.
- add action=drop chain=forward comment=\
- "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
- yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
- # icmp chain: allow-list of ICMP types (echo, unreachable incl. frag-needed for PMTUD,
- # time exceeded, parameter problem); everything else is dropped.
- add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
- icmp
- add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
- protocol=icmp
- add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
- protocol=icmp
- add action=accept chain=icmp comment=\
- "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
- add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
- protocol=icmp
- add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
- protocol=icmp
- add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
- protocol=icmp
- add action=drop chain=icmp comment="deny all other types"
- # Both mangle rules are disabled. They reference layer7 matchers by internal id (*2, *4)
- # whose definitions are not part of this export.
- /ip firewall mangle
- add action=mark-connection chain=prerouting disabled=yes dst-address=\
- 192.168.88.1 dst-port=53 layer7-protocol=*2 new-connection-mark=\
- local-dns-forward protocol=tcp
- add action=mark-connection chain=prerouting disabled=yes dst-address=\
- 192.168.88.1 dst-port=53 layer7-protocol=*4 log=yes new-connection-mark=\
- local-dns-forward passthrough=yes protocol=udp
- /ip firewall nat
- add action=masquerade chain=srcnat comment="defconf: masquerade" \
- ipsec-policy=out,none out-interface-list=WAN
- # DNS capture: plain UDP/53 from LAN-list interfaces (the bridge only, so VLAN clients are
- # not redirected) is forced to 192.168.88.226 unless the source is itself a listed resolver.
- # NOTE(review): unlike the TCP rule below, this UDP rule has no dst-address-list="!DNS Servers",
- # so UDP queries that clients send to 192.168.88.211 (the resolver DHCP hands out) are also
- # rewritten to .226 — confirm this asymmetry is intended. Only port 53 is captured; DoT/DoH
- # clients bypass this entirely.
- add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN log-prefix=\
- dns-cap protocol=udp src-address-list="!DNS Servers" to-addresses=\
- 192.168.88.226 to-ports=53
- add action=dst-nat chain=dstnat dst-address-list="!DNS Servers" dst-port=53 \
- in-interface-list=LAN log-prefix=DNS-Capture protocol=tcp \
- src-address-list="!DNS Servers" to-addresses=192.168.88.226
- # Hairpin masquerade so redirected queries from the same /24 return via the router.
- # Side effect: the DNS server at .226 sees the router as the client, so per-host
- # attribution is lost in its query logs. The TCP variant lacks the "!DNS Servers" source
- # exemption the UDP one has.
- add action=masquerade chain=srcnat dst-address=192.168.88.226 dst-port=53 \
- log-prefix=DNS-Capture protocol=udp src-address=192.168.88.0/24 \
- src-address-list="!DNS Servers"
- add action=masquerade chain=srcnat dst-address=192.168.88.226 dst-port=53 \
- log-prefix=DNS-Capture2 protocol=tcp src-address=192.168.88.0/24
- # Management plane: telnet, ftp and winbox are disabled. An export lists only non-default
- # settings, so the remaining services (www, ssh, api, api-ssl) are presumably still at their
- # defaults and bound to all addresses; consider restricting them with address= to the
- # management subnet. WAN-side exposure is already blocked by the input-chain !LAN drop.
- /ip service
- set telnet disabled=yes
- set ftp disabled=yes
- set winbox disabled=yes
- # SNMP agent enabled with interface traps sent via the bridge. The SNMP version and the
- # default community string are not shown here (see /snmp community above for the source
- # restriction to 192.168.88.226/32).
- /snmp
- set contact=Admin enabled=yes engine-id=2 location=home trap-generators=\
- interfaces trap-interfaces=bridge
- /system clock
- set time-zone-name=America/New_York
- # MAC-telnet and MAC-winbox are limited to the LAN list (the bridge).
- /tool mac-server
- set allowed-interface-list=LAN
- /tool mac-server mac-winbox
- set allowed-interface-list=LAN