- # jun/10/2022 21:49:58 by RouterOS 7.2.3
- # software id = FRGK-QJ56
- #
- # model = RB4011iGS+
- # serial number = D4440DCF80DB
- #
- # Interface layer of the export: one SFP+ uplink carrying four VLANs, a WireGuard
- # interface, and the WAN/LAN interface lists that the firewall rules refer to.
- # NOTE(review): the header above and the lines below still carry device identifiers
- # (software id, serial number, MAC addresses) although the WireGuard peer key was
- # replaced with "snip"; identifiers like these are normally removed before an export
- # is shared.
- #
- # No /interface bridge port entries appear in this export, so nothing visible is
- # attached to this bridge.
- /interface bridge
- add admin-mac=08:55:31:A1:08:FD auto-mac=no fast-forward=no igmp-snooping=yes name=bridge
- # Overrides the MAC address of the SFP+ uplink port.
- # NOTE(review): presumably set to match the provider-supplied CPE - confirm.
- /interface ethernet
- set [ find default-name=sfp-sfpplus1 ] mac-address=98:0D:67:D5:1F:D8
- # UDP 13231 is the port the "Accept wireguard" input rule opens on every interface.
- /interface wireguard
- add listen-port=13231 mtu=1420 name=wireguard1
- # Four VLANs on the uplink. Only INET (102) is later added to the WAN list and only
- # RoaS-Trunk (10) to the LAN list; IPTV (101) and VOIP (100) are in neither.
- /interface vlan
- add interface=sfp-sfpplus1 name=INET vlan-id=102
- add interface=sfp-sfpplus1 name=IPTV vlan-id=101
- add interface=sfp-sfpplus1 name=RoaS-Trunk vlan-id=10
- add interface=sfp-sfpplus1 name=VOIP vlan-id=100
- # Interface lists used as matchers by the firewall, discovery and MAC-server settings.
- /interface list
- add name=WAN
- add name=LAN
- # DHCP options, the LAN DHCP server, and interface-list membership.
- #
- # Option 60 (vendor class) sent by the DHCP clients further down; the hex value is
- # the ASCII string "FT-P3410B".
- /ip dhcp-client option
- add code=60 name=vendor-class-identifier value=0x46542D503334313042
- # Option 43 carrying a provider ACS URL. It is attached to the whole 192.168.1.0/24
- # DHCP network (dhcp-option=q22), so every lease on that network receives it.
- # NOTE(review): presumably only the device with vendor class Q22 needs it - confirm.
- /ip dhcp-server option
- add code=43 name=q22 value="'Altibox-TMS-Server-Address:https://tmc.services.altibox.net:37020/acs'"
- /ip pool
- add name=dhcp ranges=192.168.1.20-192.168.1.254
- /ip dhcp-server
- add address-pool=dhcp interface=RoaS-Trunk lease-time=23h59m59s name=LAN
- # Neighbor discovery runs only on LAN-list interfaces, i.e. not on INET/IPTV/VOIP.
- /ip neighbor discovery-settings
- set discover-interface-list=LAN
- /ip settings
- set max-neighbor-entries=8192
- /ipv6 settings
- set max-neighbor-entries=8192
- /interface detect-internet
- set lan-interface-list=LAN wan-interface-list=WAN
- # WAN = INET only, LAN = RoaS-Trunk only. IPTV, VOIP, wireguard1 and ether10 belong
- # to neither list, so firewall rules matching in-interface-list=WAN do not apply to
- # them, while rules matching in-interface-list=!LAN do.
- /interface list member
- add interface=INET list=WAN
- add interface=RoaS-Trunk list=LAN
- # VPN settings. sha1 and md5 are the only digests listed for the OpenVPN server.
- # NOTE(review): no enabled=yes appears here, so the OpenVPN server is presumably off -
- # confirm; if it is ever enabled, remove md5 from this list first.
- /interface ovpn-server server
- set auth=sha1,md5
- # One WireGuard peer, limited to the single address 192.168.100.3; the public key
- # was redacted by the author ("snip").
- /interface wireguard peers
- add allowed-address=192.168.100.3/32 comment=mobil interface=wireguard1 public-key=\
- "snip"
- # Addressing, upstream DHCP clients, DNS and firewall address lists.
- #
- # NOTE(review): ether10 and wireguard1 are not members of the LAN list, so the final
- # input-chain drop (in-interface-list=!LAN) applies to hosts on 192.168.88.0/24 and
- # 192.168.100.0/24; if either is meant for router management, confirm the intent.
- /ip address
- add address=192.168.1.1/24 interface=RoaS-Trunk network=192.168.1.0
- add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
- add address=192.168.88.1/24 interface=ether10 network=192.168.88.0
- # All three clients send the vendor-class option and ignore provider DNS
- # (use-peer-dns=no); VOIP and IPTV install only classless routes at distance 100.
- /ip dhcp-client
- add add-default-route=special-classless default-route-distance=100 dhcp-options=vendor-class-identifier interface=VOIP \
- use-peer-dns=no use-peer-ntp=no
- add add-default-route=special-classless default-route-distance=100 dhcp-options=vendor-class-identifier interface=IPTV \
- use-peer-dns=no use-peer-ntp=no
- add dhcp-options=vendor-class-identifier interface=INET use-peer-dns=no
- # LAN clients are handed 192.168.1.11 as resolver and four public NTP servers.
- /ip dhcp-server network
- add address=192.168.1.0/24 dhcp-option=q22 dns-server=192.168.1.11 gateway=192.168.1.1 netmask=24 ntp-server=\
- 162.159.200.123,192.36.143.130,162.159.200.1,185.35.202.197
- /ip dhcp-server vendor-class-id
- add address-pool=dhcp name=q22 server=LAN vid=Q22
- # allow-remote-requests=yes makes the router answer DNS queries from other hosts.
- # Nothing in this section limits who may ask; that is left to the input chain's
- # final drop on !LAN, so that rule must stay in place while this is enabled.
- /ip dns
- set allow-remote-requests=yes servers=192.168.1.11
- /ip dns static
- add address=192.168.1.1 comment=defconf name=router.lan
- # WAN-IP is not referenced by any filter or NAT rule in this export, and
- # allowed_to_router is referenced only by an input rule that is disabled.
- /ip firewall address-list
- add address=sn.mynetname.net list=WAN-IP
- add address=192.168.1.2-192.168.1.254 list=allowed_to_router
- # IPv4 filter rules. Rules are evaluated top to bottom, so their order is part of
- # the policy.
- #
- # input chain (traffic addressed to the router itself):
- /ip firewall filter
- add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
- add action=drop chain=input comment="drop invalid" connection-state=invalid
- add action=accept chain=input comment="accept IPTV IGMP" in-interface=IPTV protocol=igmp
- # ICMP and the WireGuard port are accepted on every interface, WAN included
- # (neither rule has an in-interface matcher).
- add action=accept chain=input comment="accept ICMP" protocol=icmp
- add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
- add action=accept chain=input comment="Accept wireguard " dst-port=13231 protocol=udp
- # The next two rules are disabled and have no effect.
- add action=accept chain=input comment="WAN to router" connection-state=established,related disabled=yes in-interface-list=WAN
- add action=accept chain=input disabled=yes src-address-list=allowed_to_router
- # Closing rule of the input chain: everything not arriving on a LAN-list interface
- # is dropped. LAN contains only RoaS-Trunk, so this also covers IPTV, VOIP,
- # wireguard1 and ether10.
- add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
- # forward chain (traffic routed through the router). Both IPsec accepts are disabled.
- add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
- add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
- add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
- add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
- established,related,untracked
- add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
- # NOTE(review): this is the last forward rule and it matches only the WAN list (INET).
- # IPTV and VOIP are not WAN members and the chain has no closing drop, so new
- # connections arriving on those VLANs (or on wireguard1/ether10) are forwarded
- # whenever a route exists. Confirm that is intended; otherwise add a final drop or
- # put the provider VLANs into a list this rule matches.
- add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
- in-interface-list=WAN
- # IPv4 NAT: source NAT towards the three provider VLANs, forced DNS redirection to
- # 192.168.1.11, and two LAN-side port redirects to 192.168.1.5.
- /ip firewall nat
- add action=masquerade chain=srcnat comment="HairPin NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
- # Masquerading on INET is limited to 192.168.1.0/24 sources; on IPTV and VOIP any
- # source address is masqueraded.
- add action=masquerade chain=srcnat comment=NAT out-interface=INET src-address=192.168.1.0/24
- add action=masquerade chain=srcnat out-interface=IPTV
- add action=masquerade chain=srcnat out-interface=VOIP
- # Port-53 traffic (UDP and TCP) that does not arrive on INET and is neither from nor
- # to 192.168.1.11 is rewritten to 192.168.1.11. in-interface=!INET also matches
- # IPTV, VOIP, wireguard1 and ether10. Only port 53 is matched, so DNS carried over
- # other ports is not redirected by these rules.
- add action=dst-nat chain=dstnat comment="PiHole DNS Nat" dst-address=!192.168.1.11 dst-port=53 in-interface=!INET protocol=udp \
- src-address=!192.168.1.11 to-addresses=192.168.1.11
- add action=dst-nat chain=dstnat dst-address=!192.168.1.11 dst-port=53 in-interface=!INET protocol=tcp src-address=!192.168.1.11 \
- to-addresses=192.168.1.11
- # Source-NATs LAN DNS traffic towards 192.168.1.11.
- # NOTE(review): presumably so replies to redirected queries return via the router - confirm.
- add action=masquerade chain=srcnat comment="DNS Forwarding" dst-address=192.168.1.11 dst-port=53 protocol=udp src-address=\
- 192.168.1.0/24
- add action=masquerade chain=srcnat dst-address=192.168.1.11 dst-port=53 protocol=tcp src-address=192.168.1.0/24
- # Both redirects match only traffic entering on LAN, so they do not publish the
- # services towards WAN. They have no dst-address matcher, so LAN traffic to tcp/5000
- # or tcp/32400 on any destination is rewritten to 192.168.1.5.
- # NOTE(review): the WAN-IP address list is defined but unused; a
- # dst-address-list=WAN-IP matcher was presumably intended here - confirm.
- add action=dst-nat chain=dstnat comment="NAS Port Forward" dst-port=5000 in-interface-list=LAN protocol=tcp to-addresses=\
- 192.168.1.5
- add action=dst-nat chain=dstnat comment="Plex Port Forward" dst-port=32400 in-interface-list=LAN protocol=tcp to-addresses=\
- 192.168.1.5
- # IPv6 addressing via prefix delegation, and the bad_ipv6 address list.
- #
- # The LAN address is taken from the delegated pool ipv6-pd.
- /ipv6 address
- add address=::1 from-pool=ipv6-pd interface=RoaS-Trunk
- # Requests an address and a delegated prefix (hint /56) on INET; provider DNS is ignored.
- /ipv6 dhcp-client
- add add-default-route=yes comment="Altibox pd" interface=INET pool-name=ipv6-pd prefix-hint=::/56 request=address,prefix \
- use-peer-dns=no
- # bad_ipv6 is matched as source and destination by two drop rules in the IPv6 forward
- # chain; no input-chain rule in this export refers to it.
- /ipv6 firewall address-list
- add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
- add address=::1/128 comment="defconf: lo" list=bad_ipv6
- add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
- add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
- add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
- add address=100::/64 comment="defconf: discard only " list=bad_ipv6
- add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
- add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
- add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
- add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
- add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
- add address=::/104 comment="defconf: other" list=bad_ipv6
- add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
- # IPv6 filter rules (all carry the defconf comment prefix). Order is significant.
- #
- # input chain: the accepts below have no in-interface matcher, so they apply on every
- # interface before the closing drop is reached.
- /ipv6 firewall filter
- add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
- add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
- add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
- # DHCPv6 client replies are accepted only from link-local sources.
- add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
- fe80::/10
- # NOTE(review): no IPsec configuration appears in this export and the IPv4 IPsec
- # accepts are disabled; the IKE/AH/ESP/policy accepts here (and the matching ones in
- # the forward chain) can presumably be disabled as well - confirm.
- add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
- add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
- add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
- add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
- add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
- # forward chain: unlike the IPv4 forward chain in this export, this one ends with a
- # drop on !LAN, which also covers IPTV, VOIP, wireguard1 and ether10.
- add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
- add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
- add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
- add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
- # From here on, ICMPv6, HIP, IKE and IPsec are forwarded from any interface,
- # including towards LAN hosts, before the closing drop applies.
- add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
- add action=accept chain=forward comment="defconf: accept HIP" protocol=139
- add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
- add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
- add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
- add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
- add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
- # Router advertisements, IGMP proxy for IPTV, time settings and management tools.
- /ipv6 nd
- set [ find default=yes ] interface=RoaS-Trunk other-configuration=yes
- /routing igmp-proxy
- set quick-leave=yes
- # IPTV is the upstream side; alternative-subnets=0.0.0.0/0 accepts multicast sources
- # from any subnet on that interface.
- /routing igmp-proxy interface
- add alternative-subnets=0.0.0.0/0 interface=IPTV upstream=yes
- add interface=RoaS-Trunk
- /system clock
- set time-zone-name=Europe/Oslo
- /system ntp client
- set enabled=yes
- /system ntp client servers
- add address=ntp.altibox.no
- /system resource irq rps
- set sfp-sfpplus1 disabled=no
- # MAC-Telnet and MAC-WinBox are limited to LAN-list interfaces.
- /tool mac-server
- set allowed-interface-list=LAN
- /tool mac-server mac-winbox
- set allowed-interface-list=LAN
- # RoMON is enabled. It is a layer-2 protocol, so the /ip firewall input rules in this
- # export do not restrict it.
- # NOTE(review): no /tool romon port entries and no secrets= value appear here (a
- # secret may simply be hidden by the export) - confirm RoMON is limited to LAN-side
- # ports and protected by a secret, or disable it if unused.
- /tool romon
- set enabled=yes
- # NOTE(review): no /ip service section appears in this export; if this is a compact
- # export, the management services are at their defaults - confirm which ones are
- # enabled and restrict them with address= where they are needed.