  # dec/07/2022 08:31:21 by RouterOS 7.5
  # software id = W5M1-5E8A
  #
  # model = RB760iGS
  #
  # Interfaces: the single default bridge, per-port comments on the ethernet
  # ports, one WireGuard interface and three 802.1Q sub-interfaces hung off
  # ether2 (the port commented as the Wi-Fi AP uplink).
  /interface bridge
  add name=bridge comment=defconf auto-mac=no admin-mac=DC:2C:6E:7B:07:88
  /interface ethernet
  set [ find default-name=ether2 ] comment="Wifi APs"
  set [ find default-name=ether3 ] comment=Cameras
  # PoE output switched off on ether5.
  set [ find default-name=ether5 ] poe-out=off
  # Listens on the standard WireGuard port; the matching input accept is in
  # /ip firewall filter.
  /interface wireguard
  add name=wireguard1 listen-port=51820 mtu=1420
  /interface vlan
  add name=vlan10 vlan-id=10 interface=ether2
  add name=vlan30 vlan-id=30 interface=ether2
  add name=vlan107 vlan-id=107 interface=ether2
  # Interface lists referenced by the firewall; members are added further down.
  /interface list
  add name=WAN comment=defconf
  add name=LAN comment=defconf
  /interface lte apn
  set [ find default=yes ] ip-type=ipv4 use-network-apn=no
  /interface wireless security-profiles
  set [ find default=yes ] supplicant-identity=MikroTik
  # Address pools and the DHCP servers that hand them out: the defconf pool
  # serves the bridge, each VLAN gets its own /24.
  /ip pool
  add name=dhcp ranges=192.168.88.10-192.168.88.254
  add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
  add name=dhcp_pool2 ranges=192.168.107.2-192.168.107.254
  add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
  # presumably bound to the OpenVPN server through a ppp profile that is not
  # part of this export — verify
  add name=ovpn-pool ranges=192.168.77.2-192.168.77.254
  /ip dhcp-server
  add name=defconf interface=bridge address-pool=dhcp
  # conflict-detection=no: no address-conflict check before a lease is
  # offered on vlan10.
  add name=dhcp1 interface=vlan10 address-pool=dhcp_pool1 conflict-detection=no
  add name=dhcp2 interface=vlan107 address-pool=dhcp_pool2
  add name=dhcp3 interface=vlan30 address-pool=dhcp_pool3
  /port
  set 0 name=serial0
  # SNMP communities: the factory-default community is kept (name unchanged)
  # but restricted to one management host; the librenms community exists but
  # is disabled.
  /snmp community
  set [ find default=yes ] addresses=192.168.88.226/32
  add name=librenms disabled=yes addresses=192.168.88.226/32
  # Remote syslog target. Index 3 is presumably the stock "remote" action of
  # a default install — confirm with /system logging action print.
  /system logging action
  set 3 remote=192.168.88.211
  # Bridge membership: ether2-ether5 and sfp1 are ports of the default
  # bridge; ether1 stays outside as the WAN uplink.
  /interface bridge port
  add interface=ether2 bridge=bridge comment=defconf ingress-filtering=no
  add interface=ether3 bridge=bridge comment=defconf ingress-filtering=no
  add interface=ether4 bridge=bridge comment=defconf ingress-filtering=no
  add interface=ether5 bridge=bridge comment=defconf ingress-filtering=no
  add interface=sfp1 bridge=bridge comment=defconf ingress-filtering=no
  /ip neighbor discovery-settings
  set discover-interface-list=LAN
  # IPv6 is switched off on this box.
  /ipv6 settings
  set disable-ipv6=yes max-neighbor-entries=8192
  /interface detect-internet
  set detect-interface-list=all internet-interface-list=WAN
  # List members used by the firewall: LAN = bridge only (the VLAN and
  # WireGuard interfaces are NOT members), WAN = ether1.
  /interface list member
  add list=LAN interface=bridge comment=defconf
  add list=WAN interface=ether1 comment=defconf
  # OpenVPN server. auth=sha1 is the HMAC the clients must match, so a move
  # to sha256 has to be coordinated with every client profile at once.
  # certificate=*6 is an internal object id that only resolves on this router.
  /interface ovpn-server server
  set enabled=yes certificate=*6 require-client-certificate=yes auth=sha1 \
      cipher=aes256 netmask=29
  # WireGuard peers: one /32 per peer and no endpoint, i.e. the peers
  # initiate the handshake. Public keys are placeholders in this paste.
  /interface wireguard peers
  add interface=wireguard1 allowed-address=10.0.0.2/32 endpoint-address="" \
      public-key="whateverA"
  add interface=wireguard1 allowed-address=10.0.0.3/32 endpoint-address="" \
      public-key="whateverB"
  add interface=wireguard1 allowed-address=10.0.0.4/32 endpoint-address="" \
      public-key="whateverC"
  add interface=wireguard1 allowed-address=10.0.0.5/32 endpoint-address="" \
      public-key="whateverD"
  /ip address
  # NOTE(review): this defconf address sits on ether2, which is also a bridge
  # port and the parent of the VLAN sub-interfaces, while the defconf DHCP
  # server listens on bridge — it looks like it belongs on interface=bridge;
  # confirm before changing.
  add interface=ether2 address=192.168.88.1/24 network=192.168.88.0 \
      comment=defconf
  add interface=vlan10 address=192.168.10.1/24 network=192.168.10.0
  add interface=vlan30 address=192.168.30.1/24 network=192.168.30.0
  add interface=vlan107 address=192.168.107.1/24 network=192.168.107.0
  # Tunnel-side address; the peers use 10.0.0.2-10.0.0.5 from the same /24.
  add interface=wireguard1 address=10.0.0.1/24 network=10.0.0.0
  # WAN address comes from upstream DHCP; the resolvers it offers are ignored.
  /ip dhcp-client
  add interface=ether1 comment=defconf use-peer-dns=no
  # Static reservations. 192.168.88.211 (syslog target, advertised resolver)
  # and 192.168.88.226 (DNS forwarder target, SNMP manager) are pinned here.
  /ip dhcp-server lease
  add server=defconf address=192.168.88.252 mac-address=E0:63:DA:C8:14:11 \
      client-id=1:e0:63:da:c8:14:11
  add server=defconf address=192.168.88.253 mac-address=74:AC:B9:2C:42:C1 \
      client-id=1:74:ac:b9:2c:42:c1
  add server=defconf address=192.168.88.223 mac-address=E0:63:DA:7C:2C:13 \
      client-id=1:e0:63:da:7c:2c:13
  add server=defconf address=192.168.88.211 mac-address=00:11:32:CB:CC:91 \
      client-id=1:0:11:32:cb:cc:91
  add server=dhcp2 address=192.168.107.23 mac-address=32:4A:26:0F:6F:E8
  add server=defconf address=192.168.88.226 mac-address=00:23:24:54:23:96 \
      client-id=ff:b6:22:f:eb:0:2:0:0:ab:11:e9:53:e:c0:c5:1:62:7a
  add server=defconf address=192.168.88.185 mac-address=6C:CD:D6:BC:81:48
  # Per-network DHCP options. 192.168.88.0/24 and 192.168.30.0/24 advertise
  # 192.168.88.211 and 192.168.88.234 as resolvers, 192.168.107.0/24 gets
  # 192.168.88.211 plus 9.9.9.9, and 192.168.10.0/24 advertises none.
  # Note that 192.168.88.234 is not in the "DNS Servers" address-list that
  # the DNS-capture NAT rules exempt.
  /ip dhcp-server network
  add address=192.168.10.0/24 gateway=192.168.10.1
  add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=\
      192.168.88.211,192.168.88.234
  # NOTE(review): nothing else in this export uses 192.168.50.0/29 (the ovpn
  # pool is 192.168.77.x) — this entry looks stale; verify.
  add address=192.168.50.0/29 netmask=29 gateway=192.168.88.1 dns-server=\
      192.168.88.211 comment=vpn
  add address=192.168.88.0/24 comment=defconf domain=home.lan gateway=\
      192.168.88.1 dns-server=192.168.88.211,192.168.88.234
  add address=192.168.107.0/24 gateway=192.168.107.1 dns-server=\
      192.168.88.211,9.9.9.9
  # The router's own resolver forwards to 192.168.88.226, then 9.9.9.9.
  # allow-remote-requests=yes lets clients use it; port 53 arriving on ether1
  # is dropped by the input rules in /ip firewall filter.
  /ip dns
  set allow-remote-requests=yes servers=192.168.88.226,9.9.9.9
  /ip dns static
  add name=router.home.lan address=192.168.88.1 comment=defconf
  # Address lists consumed by the filter and NAT rules, grouped by list.
  /ip firewall address-list
  # Local resolvers; the DNS-capture NAT rules exempt these. The router's own
  # address is present but disabled.
  add list="DNS Servers" address=192.168.88.211
  add list="DNS Servers" address=192.168.88.226
  add list="DNS Servers" address=192.168.88.1 disabled=yes
  # Segments: the trusted bridge LAN, the IoT VLAN (107) and the "NoT" VLAN (30).
  add list="Trusted normal LAN" address=192.168.88.0/24 comment=\
      "Trusted Addresses"
  add list="Untrusted IoT" address=192.168.107.0/24 comment=\
      "Untrusted Addresses"
  # 172.19.0.8 is in no subnet configured on this router — presumably reached
  # some other way; verify it is still wanted.
  add list="Untrusted IoT" address=172.19.0.8
  add list="Untrusted NoT" address=192.168.30.0/24
  # Non-routable space (RFC 6890 ranges, multicast, 6to4 anycast); the
  # forward chain drops bridge hosts trying to reach it via a non-bridge
  # interface.
  add list=not_in_internet address=0.0.0.0/8 comment=RFC6890
  add list=not_in_internet address=10.0.0.0/8 comment=RFC6890
  add list=not_in_internet address=100.64.0.0/10 comment=RFC6890
  add list=not_in_internet address=127.0.0.0/8 comment=RFC6890
  add list=not_in_internet address=169.254.0.0/16 comment=RFC6890
  add list=not_in_internet address=172.16.0.0/12 comment=RFC6890
  add list=not_in_internet address=192.0.0.0/24 comment=RFC6890
  add list=not_in_internet address=192.0.2.0/24 comment=RFC6890
  add list=not_in_internet address=192.88.99.0/24 comment=\
      "6to4 relay Anycast [RFC 3068]"
  add list=not_in_internet address=192.168.0.0/16 comment=RFC6890
  add list=not_in_internet address=198.18.0.0/15 comment=RFC6890
  add list=not_in_internet address=198.51.100.0/24 comment=RFC6890
  add list=not_in_internet address=203.0.113.0/24 comment=RFC6890
  add list=not_in_internet address=224.0.0.0/4 comment=Multicast
  add list=not_in_internet address=240.0.0.0/4 comment=RFC6890
  # defconf list. No rule in this export references it — the stock rules
  # that used it appear to have been removed; harmless to keep.
  add list=no_forward_ipv4 address=0.0.0.0/8 comment="defconf: RFC6890"
  add list=no_forward_ipv4 address=169.254.0.0/16 comment="defconf: RFC6890"
  add list=no_forward_ipv4 address=224.0.0.0/4 comment="defconf: multicast"
  add list=no_forward_ipv4 address=255.255.255.255 comment="defconf: RFC6890"
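  # Packet filter. A packet that reaches the end of a chain is accepted, and
  # this forward chain has no final drop, so LAN->WAN and WireGuard->LAN
  # traffic pass by that default. Rule order matters throughout.
  /ip firewall filter
  # --- input: traffic addressed to the router itself ---
  # log=yes here records every packet to udp/51820, solicited or not.
  add action=accept chain=input comment="allow wireguard handshake" dst-port=\
      51820 log=yes log-prefix=wg: protocol=udp
  # Match on the tunnel interface as well as the source range: this accept
  # precedes "drop all not coming from LAN", and a source address on its own
  # can be forged on any interface. Peer traffic always arrives on wireguard1.
  add action=accept chain=input comment="allow WireGuard traffic" \
      in-interface=wireguard1 protocol=udp src-address=10.0.0.0/24
  add action=accept chain=input comment=\
      "defconf: accept established,related,untracked" connection-state=\
      established,related,untracked
  add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
      connection-state=established,related hw-offload=yes
  add action=drop chain=input comment="defconf: drop invalid" connection-state=\
      invalid
  # Keep the resolver (allow-remote-requests=yes in /ip dns) off the WAN
  # side. The !LAN drop below covers this too; the explicit rules stay as
  # belt and braces.
  add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
  add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
  add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  # LAN list = bridge only, so VLAN and WireGuard hosts reach router services
  # only through the accepts above.
  add action=drop chain=input comment="defconf: drop all not coming from LAN" \
      in-interface-list=!LAN
  # --- forward ---
  add action=accept chain=forward comment="defconf: accept in ipsec policy" \
      ipsec-policy=in,ipsec
  add action=accept chain=forward comment="defconf: accept out ipsec policy" \
      ipsec-policy=out,ipsec
  add action=accept chain=forward comment=\
      "defconf: accept established,related, untracked" connection-state=\
      established,related,untracked
  add action=drop chain=forward comment="defconf: drop invalid" \
      connection-state=invalid
  add action=drop chain=forward comment=\
      "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
      connection-state=new in-interface-list=WAN
  # Segment policy: the trusted LAN may initiate to both untrusted VLANs; the
  # untrusted VLANs may reach the resolvers, 192.168.88.226, udp/1900 (SSDP)
  # and the single host/port pairs listed, nothing else in 192.168.88.0/24.
  add action=accept chain=forward comment="Allow LAN to VLAN107" \
      dst-address-list="Untrusted IoT" src-address-list="Trusted normal LAN"
  add action=accept chain=forward dst-address-list="Untrusted NoT" \
      src-address-list="Trusted normal LAN"
  add action=accept chain=forward dst-address-list="DNS Servers" \
      src-address-list="Untrusted NoT"
  # Comment used to read "Drop VLAN107 to LAN" on this accept rule.
  add action=accept chain=forward comment="Allow VLAN107 to DNS servers" \
      dst-address-list="DNS Servers" src-address-list="Untrusted IoT"
  add action=accept chain=forward dst-address=192.168.88.226 src-address-list=\
      "Untrusted NoT"
  add action=accept chain=forward dst-address=192.168.88.0/24 dst-port=1900 \
      protocol=udp src-address=192.168.107.0/24
  add action=accept chain=forward dst-address=192.168.88.211 protocol=tcp \
      src-address=192.168.107.253
  # Previously restricted to protocol=tcp, which let every UDP and ICMP
  # packet from VLAN107 into the trusted LAN by the chain's default accept
  # (and made the udp/1900 accept above a no-op). Now all protocols;
  # 192.168.88.211 stays reachable through the negated dst-address.
  add action=drop chain=forward comment="Drop VLAN107 to LAN" dst-address=\
      !192.168.88.211 dst-address-list="Trusted normal LAN" \
      src-address-list="Untrusted IoT"
  # NOTE(review): there is no corresponding drop for "Untrusted NoT" ->
  # trusted LAN, so VLAN30 reaches 192.168.88.0/24 freely and the two NoT
  # accepts above change nothing today. Before adding one, note that VLAN30
  # clients are handed 192.168.88.234 as a resolver and that address is not
  # in "DNS Servers".
  # Unreachable: invalid packets were already dropped by "defconf: drop
  # invalid" above, so this never logs.
  add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
      log=yes log-prefix=invalid
  # Matches in-interface=bridge only; the VLAN sub-interfaces are not covered.
  # log-prefix is set but log=yes is not.
  add action=drop chain=forward comment=\
      "Drop tries to reach not public addresses from LAN" dst-address-list=\
      not_in_internet in-interface=bridge log-prefix=!public_from_LAN \
      out-interface=!bridge
  # Unreachable: ether1 is the only WAN list member, so "defconf: drop all
  # from WAN not DSTNATed" above already dropped these; the log never fires.
  add action=drop chain=forward comment=\
      "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
      connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
  add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
      protocol=icmp
  add action=drop chain=forward comment=\
      "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
      yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
  # --- icmp: allow-list of ICMP types, everything else dropped ---
  add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
      icmp
  add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
      protocol=icmp
  add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
      protocol=icmp
  add action=accept chain=icmp comment=\
      "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
  add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
      protocol=icmp
  add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
      protocol=icmp
  add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
      protocol=icmp
  add action=drop chain=icmp comment="deny all other types"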
  # Both rules are disabled. They reference layer7-protocol objects *2 and *4
  # that are not in this export (no /ip firewall layer7-protocol section), so
  # they cannot be re-enabled from this file alone.
  /ip firewall mangle
  add chain=prerouting action=mark-connection new-connection-mark=\
      local-dns-forward protocol=tcp dst-address=192.168.88.1 dst-port=53 \
      layer7-protocol=*2 disabled=yes
  add chain=prerouting action=mark-connection new-connection-mark=\
      local-dns-forward protocol=udp dst-address=192.168.88.1 dst-port=53 \
      layer7-protocol=*4 passthrough=yes log=yes disabled=yes
  /ip firewall nat
  add chain=srcnat action=masquerade comment="defconf: masquerade" \
      out-interface-list=WAN ipsec-policy=out,none
  # DNS capture: port-53 traffic from bridge clients (in-interface-list LAN
  # is bridge only, so the VLANs are not covered) is redirected to
  # 192.168.88.226. NOTE(review): the UDP rule has no dst-address-list
  # exemption, so UDP queries aimed at 192.168.88.211 are redirected too,
  # while the TCP rule leaves them alone — check which is intended.
  # log-prefix is set on both but log=yes is not, so nothing is written.
  add chain=dstnat action=dst-nat in-interface-list=LAN protocol=udp dst-port=\
      53 src-address-list="!DNS Servers" to-addresses=192.168.88.226 \
      to-ports=53 log-prefix=dns-cap
  add chain=dstnat action=dst-nat in-interface-list=LAN protocol=tcp dst-port=\
      53 dst-address-list="!DNS Servers" src-address-list="!DNS Servers" \
      to-addresses=192.168.88.226 log-prefix=DNS-Capture
  # Hairpin masquerade so a redirected query from the same /24 comes back
  # through the router instead of straight from 192.168.88.226. The UDP and
  # TCP variants differ in whether "DNS Servers" sources are excluded.
  add chain=srcnat action=masquerade protocol=udp dst-address=192.168.88.226 \
      dst-port=53 src-address=192.168.88.0/24 src-address-list="!DNS Servers" \
      log-prefix=DNS-Capture
  add chain=srcnat action=masquerade protocol=tcp dst-address=192.168.88.226 \
      dst-port=53 src-address=192.168.88.0/24 log-prefix=DNS-Capture2
  # Management plane. Only telnet, ftp and winbox are explicitly switched off;
  # presumably the services not listed (www, ssh, api, ...) keep their
  # defaults, since a non-verbose export prints only changed values — verify
  # with /ip service print.
  /ip service
  disable telnet
  disable ftp
  disable winbox
  # SNMP agent on; the community is address-restricted in /snmp community.
  /snmp
  set enabled=yes contact=Admin location=home engine-id=2 trap-generators=\
      interfaces trap-interfaces=bridge
  /system clock
  set time-zone-name=America/New_York
  # MAC-level access (mac-telnet, MAC-Winbox) limited to the LAN list.
  # MAC-Winbox stays reachable on the LAN although the winbox IP service is
  # disabled above.
  /tool mac-server
  set allowed-interface-list=LAN
  /tool mac-server mac-winbox
  set allowed-interface-list=LAN