  1. # dec/19/2022 15:46:23 by RouterOS 7.6
  2. # software id = Y4CQ-VY5Y
  3. #
  4. # model = C52iG-5HaxD2HaxD
  5. # serial number = NNNNNNNNNNN
  6. /interface bridge
  7. add admin-mac=NN:NN:NN:NN:NN:NN auto-mac=no comment=defconf name=bridge
  8. /interface ethernet
  9. set [ find default-name=ether1 ] name=ether1-ONT
  10. /interface wifiwave2
  11. set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
  12. configuration.country=Poland .mode=ap .ssid=MikroTik-C35A1A
  13. set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
  14. configuration.country=Poland .mode=ap .ssid=NNNNNNNNNN disabled=no
  15. /interface vlan
  16. add interface=ether1-ONT name=vlan35 vlan-id=35
  17. /interface pppoe-client
  18. add add-default-route=yes allow=pap,chap disabled=no interface=vlan35 name=\
  19. pppoe-Orange user=NNNNNNNNNNN
  20. /interface list
  21. add comment=defconf name=WAN
  22. add comment=defconf name=LAN
  23. /ip pool
  24. add name=dhcp ranges=192.168.0.10-192.168.0.35
  25. /ip dhcp-server
  26. add address-pool=dhcp interface=bridge lease-time=1d name=defconf
  27. /port
  28. set 0 name=serial0
  29. /ppp profile
  30. set *0 use-ipv6=no
  31. /interface bridge port
  32. add bridge=bridge comment=defconf interface=ether2
  33. add bridge=bridge comment=defconf interface=ether3
  34. add bridge=bridge comment=defconf interface=ether4
  35. add bridge=bridge comment=defconf interface=ether5
  36. add bridge=bridge comment=defconf interface=wifi1
  37. add bridge=bridge comment=defconf interface=wifi2
  38. /ip neighbor discovery-settings
  39. set discover-interface-list=LAN lldp-med-net-policy-vlan=1
  40. /ipv6 settings
  41. set disable-ipv6=yes
  42. /interface list member
  43. add comment=defconf interface=bridge list=LAN
  44. add comment=defconf interface=ether1-ONT list=WAN
  45. add interface=pppoe-Orange list=WAN
  46. /ip address
  47. add address=192.168.0.1/24 comment=defconf interface=bridge network=\
  48. 192.168.0.0
  49. /ip dhcp-client
  50. add comment=defconf disabled=yes interface=ether1-ONT use-peer-dns=no
  51. /ip dhcp-server network
  52. add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
  53. 192.168.0.1 netmask=24
  54. /ip dns
  55. set allow-remote-requests=yes use-doh-server=\
  56. https://doh.cleanbrowsing.org/doh/adult-filter/
  57. /ip dns static
  58. add address=192.168.0.1 comment=defconf name=router.lan
  59. add address=185.228.168.10 name=doh.cleanbrowsing.org
  60. add address=185.228.168.168 name=doh.cleanbrowsing.org
  61. /ip firewall filter
  62. add action=accept chain=input comment=\
  63. "defconf: accept established,related,untracked" connection-state=\
  64. established,related,untracked
  65. add action=drop chain=input comment="defconf: drop invalid" connection-state=\
  66. invalid
  67. add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
  68. add action=accept chain=input comment=\
  69. "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
  70. add action=drop chain=input comment="defconf: drop all not coming from LAN" \
  71. in-interface-list=!LAN
  72. add action=accept chain=forward comment="defconf: accept in ipsec policy" \
  73. ipsec-policy=in,ipsec
  74. add action=accept chain=forward comment="defconf: accept out ipsec policy" \
  75. ipsec-policy=out,ipsec
  76. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
  77. connection-state=established,related hw-offload=yes
  78. add action=accept chain=forward comment=\
  79. "defconf: accept established,related, untracked" connection-state=\
  80. established,related,untracked
  81. add action=drop chain=forward comment="defconf: drop invalid" \
  82. connection-state=invalid
  83. add action=drop chain=forward comment=\
  84. "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
  85. connection-state=new in-interface-list=WAN
  86. add action=drop chain=forward dst-address=!192.168.0.1 dst-port=\
  87. 53 protocol=tcp
  88. add action=drop chain=forward dst-address=!192.168.0.1 dst-port=\
  89. 53 protocol=udp
  90. /ip firewall nat
  91. add action=masquerade chain=srcnat comment="defconf: masquerade" \
  92. ipsec-policy=out,none out-interface-list=WAN
  93. add action=redirect chain=dstnat dst-port=53 protocol=tcp
  94. add action=redirect chain=dstnat dst-port=53 protocol=udp
  95. /ip service
  96. set telnet disabled=yes
  97. set ftp disabled=yes
  98. set www disabled=yes
  99. set ssh disabled=yes
  100. set api disabled=yes
  101. set api-ssl disabled=yes
  102. /ipv6 firewall address-list
  103. add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
  104. add address=::1/128 comment="defconf: lo" list=bad_ipv6
  105. add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
  106. add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
  107. add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
  108. add address=100::/64 comment="defconf: discard only " list=bad_ipv6
  109. add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
  110. add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
  111. add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
  112. /ipv6 firewall filter
  113. add action=accept chain=input comment=\
  114. "defconf: accept established,related,untracked" connection-state=\
  115. established,related,untracked
  116. add action=drop chain=input comment="defconf: drop invalid" connection-state=\
  117. invalid
  118. add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
  119. icmpv6
  120. add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
  121. 33434-33534 protocol=udp
  122. add action=accept chain=input comment=\
  123. "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
  124. udp src-address=fe80::/10
  125. add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
  126. protocol=udp
  127. add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
  128. ipsec-ah
  129. add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
  130. ipsec-esp
  131. add action=accept chain=input comment=\
  132. "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
  133. add action=drop chain=input comment=\
  134. "defconf: drop everything else not coming from LAN" in-interface-list=\
  135. !LAN
  136. add action=accept chain=forward comment=\
  137. "defconf: accept established,related,untracked" connection-state=\
  138. established,related,untracked
  139. add action=drop chain=forward comment="defconf: drop invalid" \
  140. connection-state=invalid
  141. add action=drop chain=forward comment=\
  142. "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
  143. add action=drop chain=forward comment=\
  144. "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
  145. add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
  146. hop-limit=equal:1 protocol=icmpv6
  147. add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
  148. icmpv6
  149. add action=accept chain=forward comment="defconf: accept HIP" protocol=139
  150. add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
  151. 500,4500 protocol=udp
  152. add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
  153. ipsec-ah
  154. add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
  155. ipsec-esp
  156. add action=accept chain=forward comment=\
  157. "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
  158. add action=drop chain=forward comment=\
  159. "defconf: drop everything else not coming from LAN" in-interface-list=\
  160. !LAN
  161. /system clock
  162. set time-zone-name=Europe/Warsaw
  163. /system ntp client
  164. set enabled=yes
  165. /system ntp client servers
  166. add address=europe.pool.ntp.org
  167. /tool bandwidth-server
  168. set enabled=no
  169. /tool mac-server
  170. set allowed-interface-list=LAN
  171. /tool mac-server mac-winbox
  172. set allowed-interface-list=LAN
  173.  