kovacsr89

vlan alap config

Nov 9th, 2023
# RouterOS export (as pasted): a single bridge carrying the main LAN plus a tagged guest
# VLAN (VID 100) that is served by virtual APs on both radios and routed on vlan_guest.
# Placeholders to substitute before import: BRIDGE_MACCIM / WLAN24_MACCIM / WLAN50_MACCIM
# (MAC addresses), SSID24 / SSID50 (SSIDs), WIFIJELSZO123 / GUESTJELSZO123 (WPA2 keys).
/interface bridge
# auto-mac=no pins the bridge MAC to admin-mac so the LAN identity is stable across reboots.
# NOTE(review): vlan-filtering is left at its default (off); see the "/interface bridge port"
# section for what that means for the guest VLAN.
add admin-mac=BRIDGE_MACCIM auto-mac=no name=bridge
/interface wireless
# Main SSIDs on both radios: WPA2-PSK via security-profile=main, WPS disabled.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=hungary disabled=no \
distance=indoors mode=ap-bridge radio-name="" security-profile=main ssid=\
SSID24 wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
# channel-width 20/40/80mhz-XXXX is a regular RouterOS value (the X positions let the driver
# choose extension-channel placement), not a placeholder to fill in.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=hungary disabled=no distance=indoors \
mode=ap-bridge radio-name="" security-profile=main ssid=SSID50 \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface vlan
# L3 endpoint for the guest VLAN: VID 100 frames reaching the bridge itself land here.
add interface=bridge name=vlan_guest vlan-id=100
/interface wireless security-profiles
# NOTE(review): both keys are visible placeholders in a public paste; set real passphrases
# before import and do not reuse these values.
add authentication-types=wpa2-psk mode=dynamic-keys name=main \
supplicant-identity=MikroTik wpa2-pre-shared-key=WIFIJELSZO123
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
supplicant-identity=MikroTik wpa2-pre-shared-key=GUESTJELSZO123
/interface wireless
# Guest virtual APs: vlan-mode=use-tag tags client frames with VID 100 before they enter
# the bridge, so guest traffic is routed on vlan_guest instead of the main LAN.
# NOTE(review): default-forwarding keeps its default on both vAPs, so guest clients on the
# same radio can reach each other at L2; default-forwarding=no would isolate them.
add disabled=no keepalive-frames=disabled mac-address=WLAN24_MACCIM \
master-interface=wlan1 multicast-buffering=disabled name=wlan1_guest \
security-profile=guest ssid=SSID24_GUEST vlan-id=100 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=WLAN50_MACCIM \
master-interface=wlan2 multicast-buffering=disabled name=wlan2_guest \
security-profile=guest ssid=SSID50_GUEST vlan-id=100 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
# .1 is reserved for the router in each subnet (see /ip address); leases start at .10.
add name=pool_dhcp ranges=192.168.10.10-192.168.10.254
add name=pool_guest ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
# One DHCP server per L3 interface: main LAN on the bridge, guests on vlan_guest.
add address-pool=pool_dhcp interface=bridge lease-time=1d name=dhcp
add address-pool=pool_guest interface=vlan_guest lease-time=1d name=\
dhcp_guest
/interface bridge port
# NOTE(review): ether1 is a bridge port here, yet the firewall below treats ether1 as the
# routed WAN (in-interface=ether1, out-interface=ether1, list=WAN) and this export has no
# /ip dhcp-client on it. Routed packets from a bridge port are seen with in-interface=bridge,
# so those WAN rules cannot match. Either ether1 should leave the bridge (router role) or the
# WAN references are leftovers from defconf (AP-only role); which is intended is not visible
# from this export.
# NOTE(review): with vlan-filtering off, VID-100 tagged frames from the guest vAPs are flooded
# to every bridge port (ether1, wlan1, wlan2), and frames that arrive on any port already
# tagged VID 100 are accepted into the guest segment. "/interface bridge vlan add bridge=bridge
# vlan-ids=100 tagged=bridge,wlan1_guest,wlan2_guest" followed by "/interface bridge set bridge
# vlan-filtering=yes" would confine VID 100 to the guest ports; confirm management access on
# the untagged VLAN before enabling it.
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=wlan1_guest
add bridge=bridge interface=wlan2_guest
/ip neighbor discovery-settings
# Neighbour discovery is announced on no interface.
set discover-interface-list=none
/ipv6 settings
# IPv6 is off globally; every /ipv6 firewall rule further down is disabled=yes to match.
set disable-ipv6=yes
/interface list member
# NOTE(review): in this export the LAN/WAN lists are only referenced by the (disabled) IPv6
# rules; the IPv4 filter matches on the Subnets address list and on ether1 by name.
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=vlan_guest list=LAN
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.100.1/24 interface=vlan_guest network=192.168.100.0
/ip dns
# The router resolves for clients. Who may query it is decided by the input-chain drop on
# !Subnets below. NOTE(review): no upstream servers= and no dhcp-client appear in this
# export, so upstream resolution has to come from configuration not shown here.
set allow-remote-requests=yes
/ip firewall address-list
# Main and guest subnets in one list: used for input acceptance, the inter-subnet drop and
# masquerade below.
add address=192.168.10.0/24 list=Subnets
add address=192.168.100.0/24 list=Subnets
/ip firewall filter
# input chain: defconf order, except the final drop matches on source address rather than
# on in-interface-list=!LAN.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): address-based, so guest clients reach every router service that is not
# limited elsewhere (DHCP/DNS need this; www/ssh/winbox are limited to 192.168.10.0/24 under
# /ip service), and a packet arriving on ether1 with a source inside Subnets passes this
# rule too. Matching on in-interface-list=!LAN as in defconf would add that check.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
src-address-list=!Subnets
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# fasttrack precedes the generic accept so established flows skip the rest of the chain;
# hw-offload=yes asks for hardware fasttrack where the board supports it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# NOTE(review): in-interface=ether1 -- see the bridge-port note above; while ether1 is a
# bridge port this rule does not match routed traffic.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
# Blocks new connections between the main and guest subnets in both directions. It sits
# after the established/related accepts, so only traffic not accepted above reaches it;
# the forward chain has no final drop, so everything else is accepted by default policy.
add action=drop chain=forward comment="subnets insulation" dst-address-list=\
Subnets src-address-list=Subnets
/ip firewall nat
# NOTE(review): out-interface=ether1 has the same bridge-port problem as the forward rule
# above; routed egress through the bridge is seen as out-interface=bridge.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=ether1 src-address-list=Subnets
/ip service
# Plaintext services off; www/ssh/winbox reachable from the main LAN subnet only, so the
# guest subnet (which passes the input chain) cannot reach management.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh address=192.168.10.0/24
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
# defconf bogon list, kept disabled in step with disable-ipv6=yes.
add address=::/128 comment="defconf: unspecified address" disabled=yes list=\
bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=yes list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=yes list=\
bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=yes \
list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=yes list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=yes list=\
bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=yes list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=yes list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=yes list=bad_ipv6
/ipv6 firewall filter
# Every rule below is disabled=yes. NOTE(review): if IPv6 is ever enabled in /ipv6 settings,
# these must be enabled in the same change, otherwise v6 runs with no filtering at all.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMPv6" disabled=yes \
protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
disabled=yes port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." disabled=yes dst-port=\
546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" disabled=yes \
dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes \
protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=\
yes protocol=ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" disabled=yes \
ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" disabled=yes \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" disabled=yes src-address-list=\
bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=\
bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" disabled=yes \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" disabled=yes \
protocol=139
add action=accept chain=forward comment="defconf: accept IKE" disabled=yes \
dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=\
yes protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=\
yes protocol=ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" disabled=yes \
ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" disabled=yes \
in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=kovacsr-backup
/system ntp client
# NTP by hostname depends on working upstream DNS (see the /ip dns note above).
set enabled=yes
/system ntp client servers
add address=time.google.com
/tool bandwidth-server
# Bandwidth test server off: nothing on the LAN can use the router as a traffic generator.
set enabled=no
/tool mac-server
# Layer-2 management (MAC telnet, MAC winbox, MAC ping) off on every interface; recovery
# access therefore depends on an IP from 192.168.10.0/24 (see /ip service).
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no