Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # dec/19/2022 15:46:23 by RouterOS 7.6
- # software id = Y4CQ-VY5Y
- #
- # model = C52iG-5HaxD2HaxD
- # serial number = NNNNNNNNNNN
- /interface bridge
- add admin-mac=NN:NN:NN:NN:NN:NN auto-mac=no comment=defconf name=bridge
- /interface ethernet
- set [ find default-name=ether1 ] name=ether1-ONT
- /interface wifiwave2
- set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
- configuration.country=Poland .mode=ap .ssid=MikroTik-C35A1A
- set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
- configuration.country=Poland .mode=ap .ssid=NNNNNNNNNN disabled=no
- /interface vlan
- add interface=ether1-ONT name=vlan35 vlan-id=35
- /interface pppoe-client
- add add-default-route=yes allow=pap,chap disabled=no interface=vlan35 name=\
- pppoe-Orange user=NNNNNNNNNNN
- /interface list
- add comment=defconf name=WAN
- add comment=defconf name=LAN
- /ip pool
- add name=dhcp ranges=192.168.0.10-192.168.0.35
- /ip dhcp-server
- add address-pool=dhcp interface=bridge lease-time=1d name=defconf
- /port
- set 0 name=serial0
- /ppp profile
- set *0 use-ipv6=no
- /interface bridge port
- add bridge=bridge comment=defconf interface=ether2
- add bridge=bridge comment=defconf interface=ether3
- add bridge=bridge comment=defconf interface=ether4
- add bridge=bridge comment=defconf interface=ether5
- add bridge=bridge comment=defconf interface=wifi1
- add bridge=bridge comment=defconf interface=wifi2
- /ip neighbor discovery-settings
- set discover-interface-list=LAN lldp-med-net-policy-vlan=1
- /ipv6 settings
- set disable-ipv6=yes
- /interface list member
- add comment=defconf interface=bridge list=LAN
- add comment=defconf interface=ether1-ONT list=WAN
- add interface=pppoe-Orange list=WAN
- /ip address
- add address=192.168.0.1/24 comment=defconf interface=bridge network=\
- 192.168.0.0
- /ip dhcp-client
- add comment=defconf disabled=yes interface=ether1-ONT use-peer-dns=no
- /ip dhcp-server network
- add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
- 192.168.0.1 netmask=24
- /ip dns
- set allow-remote-requests=yes use-doh-server=\
- https://doh.cleanbrowsing.org/doh/adult-filter/
- /ip dns static
- add address=192.168.0.1 comment=defconf name=router.lan
- add address=185.228.168.10 name=doh.cleanbrowsing.org
- add address=185.228.168.168 name=doh.cleanbrowsing.org
- /ip firewall filter
- add action=accept chain=input comment=\
- "defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=drop chain=input comment="defconf: drop invalid" connection-state=\
- invalid
- add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
- add action=accept chain=input comment=\
- "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
- add action=drop chain=input comment="defconf: drop all not coming from LAN" \
- in-interface-list=!LAN
- add action=accept chain=forward comment="defconf: accept in ipsec policy" \
- ipsec-policy=in,ipsec
- add action=accept chain=forward comment="defconf: accept out ipsec policy" \
- ipsec-policy=out,ipsec
- add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
- connection-state=established,related hw-offload=yes
- add action=accept chain=forward comment=\
- "defconf: accept established,related, untracked" connection-state=\
- established,related,untracked
- add action=drop chain=forward comment="defconf: drop invalid" \
- connection-state=invalid
- add action=drop chain=forward comment=\
- "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
- connection-state=new in-interface-list=WAN
- add action=drop chain=forward dst-address=!192.168.0.1 dst-port=\
- 53 protocol=tcp
- add action=drop chain=forward dst-address=!192.168.0.1 dst-port=\
- 53 protocol=udp
- /ip firewall nat
- add action=masquerade chain=srcnat comment="defconf: masquerade" \
- ipsec-policy=out,none out-interface-list=WAN
- add action=redirect chain=dstnat dst-port=53 protocol=tcp
- add action=redirect chain=dstnat dst-port=53 protocol=udp
- /ip service
- set telnet disabled=yes
- set ftp disabled=yes
- set www disabled=yes
- set ssh disabled=yes
- set api disabled=yes
- set api-ssl disabled=yes
- /ipv6 firewall address-list
- add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
- add address=::1/128 comment="defconf: lo" list=bad_ipv6
- add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
- add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
- add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
- add address=100::/64 comment="defconf: discard only " list=bad_ipv6
- add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
- add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
- add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
- /ipv6 firewall filter
- add action=accept chain=input comment=\
- "defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=drop chain=input comment="defconf: drop invalid" connection-state=\
- invalid
- add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
- icmpv6
- add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
- 33434-33534 protocol=udp
- add action=accept chain=input comment=\
- "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
- udp src-address=fe80::/10
- add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
- protocol=udp
- add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
- ipsec-ah
- add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
- ipsec-esp
- add action=accept chain=input comment=\
- "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
- add action=drop chain=input comment=\
- "defconf: drop everything else not coming from LAN" in-interface-list=\
- !LAN
- add action=accept chain=forward comment=\
- "defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=drop chain=forward comment="defconf: drop invalid" \
- connection-state=invalid
- add action=drop chain=forward comment=\
- "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
- add action=drop chain=forward comment=\
- "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
- add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
- hop-limit=equal:1 protocol=icmpv6
- add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
- icmpv6
- add action=accept chain=forward comment="defconf: accept HIP" protocol=139
- add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
- 500,4500 protocol=udp
- add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
- ipsec-ah
- add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
- ipsec-esp
- add action=accept chain=forward comment=\
- "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
- add action=drop chain=forward comment=\
- "defconf: drop everything else not coming from LAN" in-interface-list=\
- !LAN
- /system clock
- set time-zone-name=Europe/Warsaw
- /system ntp client
- set enabled=yes
- /system ntp client servers
- add address=europe.pool.ntp.org
- /tool bandwidth-server
- set enabled=no
- /tool mac-server
- set allowed-interface-list=LAN
- /tool mac-server mac-winbox
- set allowed-interface-list=LAN
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement