  1. # jun/10/2022 21:49:58 by RouterOS 7.2.3
  2. # software id = FRGK-QJ56
  3. #
  4. # model = RB4011iGS+
  5. # serial number = D4440DCF80DB
  6. /interface bridge
# Single bridge with a fixed admin MAC and IGMP snooping. No "/interface bridge port" section
# appears in this export, so as shown the bridge has no member ports (confirm against the live config).
  7. add admin-mac=08:55:31:A1:08:FD auto-mac=no fast-forward=no igmp-snooping=yes name=bridge
  8.  
  9. /interface ethernet
# MAC override on the SFP+ port that carries all four VLANs below (presumably the ISP uplink,
# which may require a specific client MAC - verify before changing).
  10. set [ find default-name=sfp-sfpplus1 ] mac-address=98:0D:67:D5:1F:D8
  11.  
  12. /interface wireguard
# WireGuard listener on UDP/13231; the IPv4 input chain has a matching accept rule ("Accept wireguard ").
# The interface is not a member of the LAN or WAN interface lists in this export.
  13. add listen-port=13231 mtu=1420 name=wireguard1
  14.  
  15. /interface vlan
# Four VLANs on the SFP+ uplink: INET (102) is the internet WAN, IPTV (101) and VOIP (100) are
# ISP service VLANs, RoaS-Trunk (10) is the local LAN side (addressed 192.168.1.1/24 below).
  16. add interface=sfp-sfpplus1 name=INET vlan-id=102
  17. add interface=sfp-sfpplus1 name=IPTV vlan-id=101
  18. add interface=sfp-sfpplus1 name=RoaS-Trunk vlan-id=10
  19. add interface=sfp-sfpplus1 name=VOIP vlan-id=100
  20.  
  21. /interface list
# Interface lists referenced by the firewall, neighbor discovery, detect-internet and mac-server.
# Membership is assigned in "/interface list member" further down.
  22. add name=WAN
  23. add name=LAN
  24.  
  25. /ip dhcp-client option
# Option 60 sent to the ISP's DHCP servers; the hex value is ASCII ("FT-P3410B"), presumably the
# vendor class of the ISP-supplied CPE this router replaces.
  26. add code=60 name=vendor-class-identifier value=0x46542D503334313042
  27.  
  28. /ip dhcp-server option
# Option 43 handed to local DHCP clients (attached via the dhcp-server network below); it carries the
# ISP's TMS/ACS URL, i.e. a management-server address for ISP-provisioned devices on the LAN.
  29. add code=43 name=q22 value="'Altibox-TMS-Server-Address:https://tmc.services.altibox.net:37020/acs'"
  30.  
  31. /ip pool
# LAN lease pool; .1 is the router and .2-.19 are left free for static hosts (e.g. the Pi-hole at .11,
# the NAS at .5 referenced in the NAT section).
  32. add name=dhcp ranges=192.168.1.20-192.168.1.254
  33.  
  34. /ip dhcp-server
# DHCP server on the LAN VLAN only; lease time just under 24h.
  35. add address-pool=dhcp interface=RoaS-Trunk lease-time=23h59m59s name=LAN
  36.  
  37. /ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN-list interfaces, so the router does not advertise
# itself on the ISP VLANs.
  38. set discover-interface-list=LAN
  39.  
  40. /ip settings
# Larger ARP/ND tables than default (raised in both address families).
  41. set max-neighbor-entries=8192
  42.  
  43. /ipv6 settings
  44. set max-neighbor-entries=8192
  45.  
  46. /interface detect-internet
# detect-internet driven by the same two lists; it adds no firewall behaviour on its own.
  47. set lan-interface-list=LAN wan-interface-list=WAN
  48.  
  49. /interface list member
# Only INET is WAN and only RoaS-Trunk is LAN. Everything else (wireguard1, ether10, the IPTV and VOIP
# VLANs) is in neither list, which matters for the firewall below: the IPv4/IPv6 input chains drop
# traffic from !LAN, while the forward chain's final drop applies only to WAN. Note that putting IPTV into
# WAN would also subject the forwarded multicast streams to that drop, so a dedicated rule would be needed
# if those VLANs are to be filtered in the forward chain.
  50. add interface=INET list=WAN
  51. add interface=RoaS-Trunk list=LAN
  52.  
  53. /interface ovpn-server server
# OpenVPN server HMAC choices; md5 is left negotiable, which is a weak authentication option.
# The export does not show the server enabled, so this may be dormant - if it is in use, remove md5
# (and prefer a SHA-2 option if this RouterOS version and the clients support it).
  54. set auth=sha1,md5
  55.  
  56. /interface wireguard peers
# Single roaming peer ("mobil"): no endpoint or keepalive is set, so the peer initiates.
# allowed-address=/32 means only packets sourced from 192.168.100.3 are accepted from this peer and only
# that address is routed to it. The public key was redacted ("snip") in the paste.
  57. add allowed-address=192.168.100.3/32 comment=mobil interface=wireguard1 public-key=\
  58. "snip"
  59.  
  60. /ip address
# LAN gateway on the trunk VLAN, the WireGuard tunnel subnet, and the factory-default management
# subnet left on ether10. ether10 is referenced nowhere else in this export (no list membership, no DHCP
# server), so that address is effectively a standalone management leg - remove it if unused.
  61. add address=192.168.1.1/24 interface=RoaS-Trunk network=192.168.1.0
  62. add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
  63. add address=192.168.88.1/24 interface=ether10 network=192.168.88.0
  64.  
  65. /ip dhcp-client
# DHCP on all three ISP VLANs, each sending the option-60 vendor class defined above.
# VOIP and IPTV install their (classless) default routes at distance 100 so they lose to the INET
# route; INET relies on the defaults for add-default-route/distance, which the export does not show.
# ISP-provided DNS and NTP are ignored on all three (use-peer-dns=no, use-peer-ntp=no where set).
  66. add add-default-route=special-classless default-route-distance=100 dhcp-options=vendor-class-identifier interface=VOIP \
  67. use-peer-dns=no use-peer-ntp=no
  68. add add-default-route=special-classless default-route-distance=100 dhcp-options=vendor-class-identifier interface=IPTV \
  69. use-peer-dns=no use-peer-ntp=no
  70. add dhcp-options=vendor-class-identifier interface=INET use-peer-dns=no
  71.  
  72. /ip dhcp-server network
# LAN clients get the Pi-hole (192.168.1.11) as DNS, the router as gateway, four public NTP servers,
# and the option-43 TMS URL ("q22") defined above.
  73. add address=192.168.1.0/24 dhcp-option=q22 dns-server=192.168.1.11 gateway=192.168.1.1 netmask=24 ntp-server=\
  74. 162.159.200.123,192.36.143.130,162.159.200.1,185.35.202.197
  75.  
  76. /ip dhcp-server vendor-class-id
# Clients presenting vendor class "Q22" are served from the same pool; presumably the ISP's TV/VoIP
# box, which is why the TMS option is published on the network.
  77. add address-pool=dhcp name=q22 server=LAN vid=Q22
  78.  
  79. /ip dns
# The router answers DNS on every interface and forwards to the Pi-hole. Exposure towards the ISP side is
# bounded by the IPv4/IPv6 input rules that drop everything not from the LAN list, not by this setting.
# NOTE(review): if the Pi-hole's own upstream is 192.168.1.1 this forms a forwarding loop - confirm.
  80. set allow-remote-requests=yes servers=192.168.1.11
  81.  
  82. /ip dns static
# Local name for the router itself (default-config entry).
  83. add address=192.168.1.1 comment=defconf name=router.lan
  84.  
  85. /ip firewall address-list
# WAN-IP resolves the router's MikroTik cloud DDNS name, i.e. its current public address - the natural
# destination match for hairpin/port-forward NAT rules (resolution goes through the DNS servers above).
# allowed_to_router is only referenced by a disabled input rule in this export.
  86. add address=sn.mynetname.net list=WAN-IP
  87. add address=192.168.1.2-192.168.1.254 list=allowed_to_router
  88.  
  89. /ip firewall filter
# ---- input chain (traffic to the router itself); rules are evaluated top-down, first match wins ----
  90. add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
  91. add action=drop chain=input comment="drop invalid" connection-state=invalid
# IGMP only from the IPTV VLAN, for the igmp-proxy upstream configured further down.
  92. add action=accept chain=input comment="accept IPTV IGMP" in-interface=IPTV protocol=igmp
# ICMP is accepted from every interface, WAN included, with no rate limit.
  93. add action=accept chain=input comment="accept ICMP" protocol=icmp
  94. add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# WireGuard on UDP/13231 (the listen-port of wireguard1) from any interface.
  95. add action=accept chain=input comment="Accept wireguard " dst-port=13231 protocol=udp
# The next two rules are disabled; allowed_to_router has no effect while they stay so.
  96. add action=accept chain=input comment="WAN to router" connection-state=established,related disabled=yes in-interface-list=WAN
  97. add action=accept chain=input disabled=yes src-address-list=allowed_to_router
# Final input drop keys on the LAN list. wireguard1 and ether10 are not LAN members in this export, so new
# connections from them to the router's own services (DNS, WinBox, SSH, ...) are dropped here unless an
# earlier rule matched - confirm this is intended for VPN peers.
  98. add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
# ---- forward chain (traffic through the router) ----
  99. add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
  100. add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
# fasttrack (with hardware offload) before the generic accept, default-config ordering.
  101. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
  102. add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
  103. established,related,untracked
  104. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only the WAN list (INET) is subject to this drop. The IPTV/VOIP VLANs and wireguard1 are in no list, so
# new connections arriving on them are forwarded by the chain's default accept: VPN peers reach the whole LAN
# unrestricted, and nothing in this chain stops inbound connections from the service VLANs towards
# 192.168.1.0/24 (whether the ISP can originate such traffic is not visible here).
  105. add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
  106. in-interface-list=WAN
  107.  
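  108. /ip firewall nat
# Hairpin: LAN-to-LAN flows that were dst-nat'ed back into the LAN get the router as source so the reply
# returns through the router instead of going host-to-host.
  109. add action=masquerade chain=srcnat comment="HairPin NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
# Internet egress for the LAN subnet via the INET VLAN.
  110. add action=masquerade chain=srcnat comment=NAT out-interface=INET src-address=192.168.1.0/24
# The service VLANs are masqueraded without a src-address restriction.
  111. add action=masquerade chain=srcnat out-interface=IPTV
  112. add action=masquerade chain=srcnat out-interface=VOIP
# Transparent DNS redirect: UDP/TCP 53 not already aimed at, or coming from, the Pi-hole (192.168.1.11) is
# rewritten to it. in-interface=!INET means this also covers wireguard1, ether10 and the IPTV/VOIP VLANs.
  113. add action=dst-nat chain=dstnat comment="PiHole DNS Nat" dst-address=!192.168.1.11 dst-port=53 in-interface=!INET protocol=udp \
  114. src-address=!192.168.1.11 to-addresses=192.168.1.11
  115. add action=dst-nat chain=dstnat dst-address=!192.168.1.11 dst-port=53 in-interface=!INET protocol=tcp src-address=!192.168.1.11 \
  116. to-addresses=192.168.1.11
# The redirected DNS flows are then masqueraded so the Pi-hole's replies come back via the router (same
# hairpin reason). Side effect: the Pi-hole logs the router's address, not the client, as the query source.
  117. add action=masquerade chain=srcnat comment="DNS Forwarding" dst-address=192.168.1.11 dst-port=53 protocol=udp src-address=\
  118. 192.168.1.0/24
  119. add action=masquerade chain=srcnat dst-address=192.168.1.11 dst-port=53 protocol=tcp src-address=192.168.1.0/24
# Hairpin port forwards for LAN clients, now restricted to the router's public address via the WAN-IP
# address-list defined above (assumes sn.mynetname.net resolves to this router; dst-address-type=local is the
# DNS-independent alternative). Without a destination match these rules rewrote every LAN connection to
# TCP/5000 or TCP/32400 on ANY host to 192.168.1.5, which also broke access to outside services on those ports.
  120. add action=dst-nat chain=dstnat comment="NAS Port Forward" dst-address-list=WAN-IP dst-port=5000 in-interface-list=LAN protocol=tcp \
  121. to-addresses=192.168.1.5
  122. add action=dst-nat chain=dstnat comment="Plex Port Forward" dst-address-list=WAN-IP dst-port=32400 in-interface-list=LAN protocol=tcp \
  123. to-addresses=192.168.1.5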
  124.  
  125. /ipv6 address
# LAN gets ::1 of the delegated prefix (pool ipv6-pd, requested below).
  126. add address=::1 from-pool=ipv6-pd interface=RoaS-Trunk
  127.  
  128. /ipv6 dhcp-client
# DHCPv6 on INET asking for an address plus a /56 delegation; ISP DNS ignored, IPv6 default route installed.
  129. add add-default-route=yes comment="Altibox pd" interface=INET pool-name=ipv6-pd prefix-hint=::/56 request=address,prefix \
  130. use-peer-dns=no
  131.  
  132. /ipv6 firewall address-list
# Default-config bogon list (unspecified, loopback, site-local, IPv4-mapped/compat, documentation,
# ORCHID, 6bone, discard-only); used by the IPv6 forward chain to drop bad source/destination addresses.
  133. add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
  134. add address=::1/128 comment="defconf: lo" list=bad_ipv6
  135. add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
  136. add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
  137. add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
  138. add address=100::/64 comment="defconf: discard only " list=bad_ipv6
  139. add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
  140. add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
  141. add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
  142. add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
  143. add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
  144. add address=::/104 comment="defconf: other" list=bad_ipv6
  145. add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
  146.  
  147. /ipv6 firewall filter
# Unmodified RouterOS default IPv6 firewall. Same list-based logic as IPv4: input drops !LAN at the end, the
# forward chain also drops !LAN, so only RoaS-Trunk may originate IPv6 through the router.
# ---- input chain ----
  148. add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
  149. established,related,untracked
  150. add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
  151. add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
  152. add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# DHCPv6 client replies from the link-local ISP side (needed for the prefix delegation above).
  153. add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
  154. fe80::/10
# IKE/AH/ESP accepted from anywhere (default config); no IPsec peers appear in this export.
  155. add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
  156. add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
  157. add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
  158. add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
  159. add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# ---- forward chain ----
  160. add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
  161. established,related,untracked
  162. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
  163. add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
  164. add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
  165. add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
  166. add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
  167. add action=accept chain=forward comment="defconf: accept HIP" protocol=139
  168. add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
  169. add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
  170. add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
  171. add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
  172. add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
  173.  
  174. /ipv6 nd
# Router advertisements on the LAN with the O flag set (hosts should ask DHCPv6 for "other" info such as
# DNS). No "/ipv6 dhcp-server" appears in this export, so confirm something actually answers those requests.
  175. set [ find default=yes ] interface=RoaS-Trunk other-configuration=yes
  176.  
  177. /routing igmp-proxy
  178. set quick-leave=yes
  179.  
  180. /routing igmp-proxy interface
# IPTV multicast: upstream on the IPTV VLAN (any source subnet accepted), downstream on the LAN trunk.
# Pairs with the IPv4 input rule "accept IPTV IGMP".
  181. add alternative-subnets=0.0.0.0/0 interface=IPTV upstream=yes
  182. add interface=RoaS-Trunk
  183.  
  184. /system clock
  185. set time-zone-name=Europe/Oslo
  186.  
  187. /system ntp client
# Router time from the ISP's NTP server (LAN clients are pointed at the public NTP list in the DHCP network).
  188. set enabled=yes
  189.  
  190. /system ntp client servers
  191. add address=ntp.altibox.no
  192.  
  193. /system resource irq rps
# Receive packet steering enabled on the uplink port only.
  194. set sfp-sfpplus1 disabled=no
  195.  
  196. /tool mac-server
# Layer-2 MAC-telnet and MAC-WinBox only from LAN-list interfaces (so not from the ISP VLANs).
  197. set allowed-interface-list=LAN
  198.  
  199. /tool mac-server mac-winbox
  200. set allowed-interface-list=LAN
  201.  
  202. /tool romon
# RoMON is on; the export shows no "/tool romon port" restrictions or secret, so confirm a secret is set
# and that RoMON is not reachable on the uplink port.
  203. set enabled=yes
  204.  