
Untitled

a guest
Nov 29th, 2018
  # NOTE(review): this export includes secrets in cleartext (PPPoE password,
  # WPA/WPA2 pre-shared key, L2TP ipsec-secret, IPsec peer secret, PPP secret).
  # Treat every credential in it as disclosed and rotate it; when a config has
  # to be shared, export it with `hide-sensitive`.
  1. # nov/29/2018 21:56:28 by RouterOS 6.40.8
  2. #
  3. # model = RouterBOARD 962UiGS-5HacT2HnT
  # NOTE(review): confirm that 6.40.8 is still a patched release for this board.
  # LAN bridge with a pinned MAC address (auto-mac=no).
  4. /interface bridge
  5. add admin-mac=CC:2D:E0:A9:A6:69 auto-mac=no comment=defconf name=bridge
  # Ethernet ports: every port advertises gigabit only. ether1 stays standalone
  # (the PPPoE client and DHCP client below run on it); ether2 is renamed
  # ether2-master and ether3-ether5 are attached to it through master-port.
  6. /interface ethernet
  7. set [ find default-name=ether1 ] advertise=1000M-half,1000M-full speed=1Gbps
  8. set [ find default-name=ether2 ] advertise=1000M-half,1000M-full name=\
  9. ether2-master
  10. set [ find default-name=ether3 ] advertise=1000M-half,1000M-full master-port=\
  11. ether2-master
  12. set [ find default-name=ether4 ] advertise=1000M-half,1000M-full master-port=\
  13. ether2-master
  14. set [ find default-name=ether5 ] advertise=1000M-half,1000M-full master-port=\
  15. ether2-master
  # PPPoE uplink on ether1; it installs the default route and accepts the DNS
  # servers offered by the peer (use-peer-dns=yes).
  # NOTE(review): the PPPoE account password is stored and exported in
  # cleartext; it should be changed with the ISP now that it has been published.
  # NOTE(review): pppoe-out1 is a separate interface from ether1. Only ether1 is
  # added to the WAN list further down, so rules that match on the WAN list do
  # not cover traffic arriving on pppoe-out1.
  16. /interface pppoe-client
  17. add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
  18. password=Random8390Password91 use-peer-dns=yes user=kevlar
  # Both radios run as access points (mode=ap-bridge): wlan1 on 2.4 GHz and
  # wlan2 on 5 GHz, each with automatic frequency selection.
  # NOTE(review): neither radio names a security-profile here, so presumably
  # both use the default profile set under /interface wireless
  # security-profiles below; confirm on the device.
  19. /interface wireless
  20. set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
  21. disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
  22. Military_Base_2 wireless-protocol=802.11
  23. set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
  24. 20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
  25. ap-bridge ssid=Military_Base_5 wireless-protocol=802.11
  # Neighbor discovery is switched off on ether1 only.
  # NOTE(review): pppoe-out1 is not listed here; whether discovery is also off
  # on that interface cannot be read from this export; confirm.
  26. /ip neighbor discovery
  27. set ether1 discover=no
  # Interface lists referenced by the firewall; their members are assigned under
  # /interface list member.
  28. /interface list
  29. add comment=defconf name=WAN
  30. add comment=defconf name=LAN
  # Default wireless security profile: PSK authentication with the same key
  # configured for WPA and WPA2.
  # NOTE(review): authentication-types still lists wpa-psk, so clients may
  # associate with the older WPA mode; keep wpa2-psk only unless a legacy client
  # needs it.
  # NOTE(review): the key is short, is built on the same word as the PPPoE and
  # PPP user names in this export, and is now public; replace it with a long
  # random passphrase.
  31. /interface wireless security-profiles
  32. set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
  33. dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=kevlar7420 \
  34. wpa2-pre-shared-key=kevlar7420
  # Policy group referenced by the IPsec peer (policy-template-group) below.
  35. /ip ipsec policy group
  36. add name=policy_group1
  # NOTE(review): the default proposal still offers 3des next to AES-256. 3DES
  # is a legacy 64-bit-block cipher; remove it unless a peer cannot do AES.
  37. /ip ipsec proposal
  38. set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des
  # Address pools: "dhcp" for LAN clients and "vpn_pool" for PPP sessions. Both
  # ranges lie in 192.168.88.0/24, the same subnet as the LAN.
  39. /ip pool
  40. add name=dhcp ranges=192.168.88.1-192.168.88.40
  41. add name=vpn_pool ranges=192.168.88.230-192.168.88.250
  # DHCP server for the LAN, bound to the bridge.
  42. /ip dhcp-server
  43. add address-pool=dhcp disabled=no interface=bridge name=defconf
  # PPP profile used by the L2TP server; local and remote addresses both come
  # from vpn_pool.
  # NOTE(review): use-upnp=yes is set on this profile in addition to the global
  # UPnP service enabled further down; confirm that VPN sessions need it.
  44. /ppp profile
  45. add change-tcp-mss=yes local-address=vpn_pool name=l2tp remote-address=\
  46. vpn_pool use-upnp=yes
  # Bridge members: the wired switch group (ether2-master), sfp1 and both
  # radios share one layer-2 segment.
  47. /interface bridge port
  48. add bridge=bridge comment=defconf interface=ether2-master
  49. add bridge=bridge comment=defconf interface=sfp1
  50. add bridge=bridge comment=defconf interface=wlan1
  51. add bridge=bridge comment=defconf interface=wlan2
  # L2TP server settings.
  # NOTE(review): mschap1 is allowed next to mschap2; MS-CHAPv1 is obsolete and
  # should be removed from the list.
  # NOTE(review): the ipsec-secret is a cleartext pre-shared key and is now
  # public; rotate it.
  # NOTE(review): confirm that use-ipsec=yes on this release rejects L2TP
  # sessions arriving without IPsec; if it does not, MS-CHAP would be the only
  # protection for those sessions.
  # NOTE(review): no enabled= value appears on this line, so the server may not
  # be running at all; confirm on the device.
  52. /interface l2tp-server server
  53. set authentication=mschap1,mschap2 default-profile=l2tp ipsec-secret=\
  54. "8390KevLaR(!oFFipsec" use-ipsec=yes
  # List membership: LAN = bridge, WAN = ether1.
  # NOTE(review): pppoe-out1 is not a member of WAN. Firewall and NAT rules that
  # match in-interface-list=WAN or out-interface-list=WAN therefore do not match
  # traffic on the PPPoE interface.
  55. /interface list member
  56. add comment=defconf interface=bridge list=LAN
  57. add comment=defconf interface=ether1 list=WAN
  # Router LAN address.
  # NOTE(review): the address sits on ether2-master, which is a bridge port,
  # while the DHCP server and the LAN list use "bridge"; addresses on bridged
  # ports normally belong on the bridge interface itself; confirm.
  58. /ip address
  59. add address=192.168.88.50/24 comment=defconf interface=ether2-master network=\
  60. 192.168.88.0
  # DHCP client on ether1, in addition to the PPPoE client on the same port.
  61. /ip dhcp-client
  62. add comment=defconf dhcp-options=hostname,clientid interface=ether1
  # Static leases; all of them lie outside the dynamic pool (.1-.40).
  # 192.168.88.254 is the target of the port forwards for tcp/28202 and
  # udp/1194 in the NAT section.
  63. /ip dhcp-server lease
  64. add address=192.168.88.105 always-broadcast=yes client-id=1:c0:b6:f9:13:27:4d \
  65. mac-address=C0:B6:F9:13:27:4D server=defconf use-src-mac=yes
  66. add address=192.168.88.101 always-broadcast=yes client-id=1:8:f6:9c:15:c1:57 \
  67. mac-address=08:F6:9C:15:C1:57 server=defconf use-src-mac=yes
  68. add address=192.168.88.102 always-broadcast=yes client-id=1:90:60:f1:3a:44:f5 \
  69. mac-address=90:60:F1:3A:44:F5 server=defconf
  70. add address=192.168.88.104 always-broadcast=yes client-id=1:c8:d9:d2:7c:49:52 \
  71. mac-address=C8:D9:D2:7C:49:52 server=defconf
  72. add address=192.168.88.103 client-id=1:50:8f:4c:58:52:f6 mac-address=\
  73. 50:8F:4C:58:52:F6 server=defconf
  74. add address=192.168.88.254 mac-address=00:15:5D:00:96:06 server=defconf
  # Network handed out to DHCP clients; the gateway is the router's LAN address.
  75. /ip dhcp-server network
  76. add address=192.168.88.0/24 comment=defconf gateway=192.168.88.50 netmask=24
  # One static upstream resolver; the PPPoE client also accepts peer DNS.
  # NOTE(review): allow-remote-requests is not shown here; confirm that the
  # router's resolver is not reachable from the uplink.
  77. /ip dns
  78. set servers=77.88.8.8
  79. /ip dns static
  80. add address=192.168.88.50 name=router.lan
  # Address list resolved from a DNS name.
  # NOTE(review): no filter or NAT rule in this export references wan-ip.
  81. /ip firewall address-list
  82. add address=kevlar.ml list=wan-ip
  # Filter rules are evaluated top to bottom, so their order matters.
  # NOTE(review): neither chain ends with a catch-all drop. Input is dropped
  # only for pppoe-out1 (plus ICMP on the WAN list), and the forward drop for
  # new non-dstnat connections matches only the WAN list, which holds ether1
  # and not pppoe-out1.
  83. /ip firewall filter
  84. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
  85. connection-state=established,related
  86. add action=accept chain=forward comment="defconf: accept in ipsec policy" \
  87. ipsec-policy=in,ipsec
  88. add action=accept chain=forward comment="defconf: accept out ipsec policy" \
  89. ipsec-policy=out,ipsec
  90. add action=accept chain=forward comment=\
  91. "defconf: accept established,related, untracked" connection-state=\
  92. established,related,untracked
  # NOTE(review): the next two rules accept tcp/202 and udp/1194 to the router
  # itself from any interface and any source address. No service in this export
  # is shown listening on either port, and the udp/1194 forward to
  # 192.168.88.254 passes through the forward chain, not input. Confirm that
  # these rules are needed; if they are, restrict them by source.
  93. add action=accept chain=input dst-port=202 protocol=tcp
  94. add action=accept chain=input dst-port=1194 protocol=udp
  # Disabled rule: ICMP to the router is not explicitly accepted.
  95. add action=accept chain=input disabled=yes protocol=icmp
  96. add action=accept chain=input connection-state=established
  97. add action=accept chain=input connection-state=related
  98. add action=drop chain=forward comment="defconf: drop invalid" \
  99. connection-state=invalid
  # NOTE(review): this matches in-interface-list=WAN only, so new connections
  # arriving on pppoe-out1 are not dropped by it.
  100. add action=drop chain=forward comment=\
  101. "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
  102. connection-state=new in-interface-list=WAN
  # Drops all remaining input arriving on the PPPoE interface.
  # NOTE(review): ether1 has no equivalent rule. It runs a DHCP client, and
  # non-ICMP input arriving on it falls through to the chain's default action.
  103. add action=drop chain=input in-interface=pppoe-out1
  # ICMP arriving on pppoe-out1 has already been dropped by the rule above, so
  # this rule only drops and logs ICMP arriving on ether1.
  104. add action=drop chain=input comment="drop ping packets" in-interface-list=WAN \
  105. log=yes log-prefix=ping_drop_ protocol=icmp
  # Source NAT: the defconf rule matches the WAN list (ether1); the second rule
  # covers pppoe-out1, which is not in that list.
  106. /ip firewall nat
  107. add action=masquerade chain=srcnat comment="defconf: masquerade" \
  108. ipsec-policy=out,none out-interface-list=WAN
  109. add action=masquerade chain=srcnat out-interface=pppoe-out1
  # Forwards tcp/28202 to SSH (port 22) on 192.168.88.254.
  # NOTE(review): the rule has no in-interface or dst-address match, so it
  # rewrites every tcp/28202 connection crossing the router, including
  # LAN-originated ones. Scope it to the uplink and, where possible, to known
  # source addresses; the internal SSH service should use key-only login.
  110. add action=netmap chain=dstnat dst-port=28202 protocol=tcp to-addresses=\
  111. 192.168.88.254 to-ports=22
  # Forwards udp/1194 to the same internal host; like the rule above, it has no
  # in-interface or dst-address match.
  112. add action=netmap chain=dstnat comment="dmz for vpn server" dst-port=1194 \
  113. log=yes log-prefix=ovpn_ protocol=udp to-addresses=192.168.88.254 \
  114. to-ports=1194
  # NOTE(review): the comment and log prefix say port 80, but the rule has no
  # dst-port. As written, every TCP connection arriving on pppoe-out1 that is
  # not caught by the rules above is forwarded to 192.168.88.151 on its original
  # port. Add dst-port=80 if only the web server is meant to be exposed.
  # NOTE(review): 192.168.88.151 is outside the DHCP pool and has no static
  # lease in this export; presumably it is statically addressed; confirm.
  115. add action=dst-nat chain=dstnat comment="web - server - 80" in-interface=\
  116. pppoe-out1 log=yes log-prefix="web - titan - 80 -" protocol=tcp \
  117. to-addresses=192.168.88.151
  # Connection-tracking helpers: the FTP helper is moved to port 32 and the
  # tftp, irc, h323, sip, dccp and sctp helpers are disabled.
  118. /ip firewall service-port
  119. set ftp ports=32
  120. set tftp disabled=yes
  121. set irc disabled=yes
  122. set h323 disabled=yes
  123. set sip disabled=yes
  124. set dccp disabled=yes
  125. set sctp disabled=yes
  # IPsec peer template for L2TP clients: passive responder that accepts any
  # remote address (0.0.0.0/0) and authenticates with a pre-shared key.
  # NOTE(review): the pre-shared key is in cleartext and is the same string as
  # the PPP secret password further down. Rotate both and do not reuse one
  # value for two layers.
  # NOTE(review): enc-algorithm still offers 3des and aes-128 next to aes-256;
  # drop 3des unless a client requires it.
  126. /ip ipsec peer
  127. add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=\
  128. main-l2tp generate-policy=port-override passive=yes \
  129. policy-template-group=policy_group1 secret="8390KevLaR(!oFF"
  # Management services: telnet, ftp, www, ssh, api and api-ssl are disabled.
  # Winbox is limited to 192.168.88.0/24, a range that also contains vpn_pool.
  # NOTE(review): www-ssl is moved to port 4443 with no disabled= value and no
  # address restriction shown; confirm its state on the device and, if it is
  # enabled, restrict it the same way as winbox.
  130. /ip service
  131. set telnet disabled=yes
  132. set ftp disabled=yes
  133. set www disabled=yes port=79
  134. set ssh disabled=yes
  135. set www-ssl port=4443
  136. set api disabled=yes
  137. set winbox address=192.168.88.0/24
  138. set api-ssl disabled=yes
  # NOTE(review): UPnP is enabled with pppoe-out1 as the external side, so any
  # host on the bridge can request inbound port mappings on the uplink without
  # authentication. Disable it unless a specific application depends on it.
  139. /ip upnp
  140. set enabled=yes
  141. /ip upnp interfaces
  142. add interface=bridge type=internal
  143. add interface=pppoe-out1 type=external
  # L2TP user account.
  # NOTE(review): the password is in cleartext and is the same string as the
  # IPsec peer secret above, so disclosing one reveals the other. The user name
  # also matches the PPPoE user. Rotate it and use a distinct value per purpose.
  144. /ppp secret
  145. add name=kevlar password="8390KevLaR(!oFF" profile=l2tp service=l2tp
  146. /system clock
  147. set time-zone-name=Asia/Yekaterinburg
  # MAC-layer management: the default entries are disabled and replaced with
  # entries bound to the bridge, so MAC-telnet and MAC-Winbox are offered on the
  # LAN side only.
  148. /tool mac-server
  149. set [ find default=yes ] disabled=yes
  150. add interface=bridge
  151. /tool mac-server mac-winbox
  152. set [ find default=yes ] disabled=yes
  153. add interface=bridge