  1.  
  2. /interface bridge
  3. add name=br-lan
  4. /interface vlan
  5. add interface=sfp-sfpplus12 name=vlan0 vlan-id=20
  6. /interface macvlan
  7. add interface=vlan0 mac-address="REDACTEDMAC1" mode=private name=vlan1
  8. add interface=vlan0 mac-address="REDACTEDMAC2" mode=private name=vlan2
  9. add interface=vlan0 mac-address="REDACTEDMAC3" mode=private name=vlan3
  10. add interface=vlan0 mac-address="REDACTEDMAC4" mode=private name=vlan4
  11. add interface=vlan0 mac-address="REDACTEDMAC5" mode=private name=vlan5
  12. add interface=vlan0 mac-address="REDACTEDMAC6" mode=private name=vlan6
  13. /interface list
  14. add name=LAN
  15. add name=WAN
  16. /ip dhcp-server
  17. add interface=sfp-sfpplus4 name=dhcp1
  18. /ip pool
  19. add comment="dhcp (mainly wifi)" name=dhcp_pool0 ranges=192.168.1.192/26
  20. /ip dhcp-server
  21. add address-pool=dhcp_pool0 interface=br-lan name=dhcpLan
  22. /port
  23. set 0 name=serial0
  24. /routing table
  25. add disabled=no fib name=6
  26. add disabled=no fib name=1
  27. /interface bridge port
  28. add bridge=br-lan interface=sfp-sfpplus1
  29. add bridge=br-lan interface=sfp-sfpplus2
  30. add bridge=br-lan interface=sfp-sfpplus3
  31. add bridge=br-lan interface=sfp-sfpplus5
  32. add bridge=br-lan interface=sfp-sfpplus6
  33. add bridge=br-lan interface=sfp-sfpplus7
  34. add bridge=br-lan interface=sfp-sfpplus8
  35. add bridge=br-lan interface=sfp-sfpplus9
  36. add bridge=br-lan interface=sfp-sfpplus10
  37. add bridge=br-lan interface=sfp-sfpplus11
  38. add bridge=br-lan interface=sfp28-1
  39. add bridge=br-lan interface=sfp28-2
  40. /interface list member
  41. add interface=br-lan list=LAN
  42. add interface=ether1 list=LAN
  43. add interface=vlan0 list=WAN
  44. add interface=vlan2 list=WAN
  45. add interface=vlan3 list=WAN
  46. add interface=vlan4 list=WAN
  47. add interface=vlan5 list=WAN
  48. add interface=vlan6 list=WAN
  49. add interface=vlan1 list=WAN
  50. add interface=sfp-sfpplus4 list=LAN
  51. /ip address
  52. add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
  53.     192.168.88.0
  54. add address=192.168.1.1/20 interface=br-lan network=192.168.0.0
  55. add address="REDACTEDPUBLICIP1.2" interface=sfp-sfpplus4 network="REDACTEDPUBLICIP1.2"
  56. /ip dhcp-client
  57. add comment="ip dhcp 0" interface=vlan0 use-peer-dns=no
  58. add add-default-route=no comment="ip dhcp 1" interface=vlan1 use-peer-dns=no
  59. add add-default-route=no comment="ip dhcp 2" interface=vlan2
  60. add add-default-route=no comment="ip dhcp 3" interface=vlan3
  61. add add-default-route=no comment="ip dhcp 4" interface=vlan4
  62. add add-default-route=no comment="ip dhcp 5" interface=vlan5
  63. add add-default-route=no comment="ip dhcp 6" interface=vlan6 use-peer-dns=no
  64. /ip dhcp-server lease
  65. add address="REDACTEDPUBLICIP1.192" mac-address="REDACTEDMACSERVER1" server=dhcp1
  66. /ip dhcp-server network
  67. add address="REDACTEDPUBLICIP1.192"/32 dns-server=9.9.9.9 gateway="REDACTEDPUBLICIP1.2"
  68. add address=192.168.1.192/26 dns-server=9.9.9.9 gateway=192.168.1.1 netmask=\
  69.     24
  70. /ip dns
  71. set allow-remote-requests=yes servers=\
  72.     9.9.9.9,149.112.112.112,2620:fe::fe,2620:fe::9 verify-doh-cert=yes
  73. /ip firewall filter
  74. add action=accept chain=forward src-address="REDACTEDPUBLICIP1.192"
  75. add action=accept chain=forward dst-address="REDACTEDPUBLICIP1.192"
  76. add action=drop chain=input comment="drop huawei mac" src-mac-address=\
  77.     "REDACTEDHUAWEIMAC"
  78. add action=drop chain=forward comment="drop huawei mac" src-mac-address=\
  79.     "REDACTEDHUAWEIMAC"
  80. add action=accept chain=input comment=\
  81.     "defconf: accept established,related,untracked" connection-state=\
  82.     established,related,untracked
  83. add action=drop chain=input comment="defconf: drop invalid" connection-state=\
  84.     invalid
  85. add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  86. add action=accept chain=input comment=\
  87.     "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
  88. add action=drop chain=input comment="defconf: drop all not coming from LAN" \
  89.     in-interface-list=!LAN
  90. add action=accept chain=forward comment="defconf: accept in ipsec policy" \
  91.     ipsec-policy=in,ipsec
  92. add action=accept chain=forward comment="defconf: accept out ipsec policy" \
  93.     ipsec-policy=out,ipsec
  94. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
  95.     connection-state=established,related hw-offload=yes
  96. add action=drop chain=forward comment="defconf: drop invalid" \
  97.     connection-state=invalid
  98. add action=accept chain=forward comment=\
  99.     "defconf: accept established,related, untracked" connection-state=\
  100.     established,related,untracked
  101. add action=drop chain=forward comment=\
  102.     "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
  103.     connection-state=new in-interface-list=WAN
  104. /ip firewall nat
  105. add action=src-nat chain=srcnat comment=vlan6dhcp out-interface-list=WAN \
  106.     src-address=192.168.1.192/26 to-addresses="REDACTEDPUBLICIP6"
  107. add action=src-nat chain=srcnat comment=vlan0 out-interface-list=WAN \
  108.     src-address=192.168.1.0/24 to-addresses="REDACTEDPUBLICIP0"
  109. add action=src-nat chain=srcnat comment=vlan6 out-interface-list=WAN \
  110.     src-address=192.168.2.0/24 to-addresses="REDACTEDPUBLICIP6"
  111. add action=dst-nat chain=dstnat comment=transmission dst-port="REDACTEDPORT" \
  112.     in-interface=vlan0 protocol=tcp to-addresses=192.168.1.101
  113. add action=dst-nat chain=dstnat comment=transmission dst-port="REDACTEDPORT" \
  114.     in-interface=vlan0 protocol=udp to-addresses=192.168.1.101
  115. add action=dst-nat chain=dstnat dst-port=7421 in-interface=\
  116.     vlan0 protocol=tcp to-addresses=192.168.1.60
  117. add action=dst-nat chain=dstnat dst-port=7422 in-interface=\
  118.     vlan0 protocol=tcp to-addresses=192.168.1.60
  119. add action=dst-nat chain=dstnat comment=tor1 dst-port="REDACTEDPORT" in-interface=vlan0 \
  120.     protocol=tcp to-addresses=192.168.1.62
  121. add action=dst-nat chain=dstnat comment=tor2 dst-port="REDACTEDPORT" in-interface=vlan0 \
  122.     protocol=tcp to-addresses=192.168.1.62
  123. add action=dst-nat chain=dstnat comment=tor3 dst-port="REDACTEDPORT" in-interface=vlan0 \
  124.     protocol=tcp to-addresses=192.168.1.62
  125. add action=dst-nat chain=dstnat comment=tor4 dst-port="REDACTEDPORT" in-interface=vlan0 \
  126.     protocol=tcp to-addresses=192.168.1.62
  127. add action=dst-nat chain=dstnat comment=tor5 dst-port="REDACTEDPORT" in-interface=vlan0 \
  128.     protocol=tcp to-addresses=192.168.1.62
  129. add action=dst-nat chain=dstnat comment=tor6 dst-port="REDACTEDPORT" in-interface=vlan0 \
  130.     protocol=tcp to-addresses=192.168.1.62
  131. add action=dst-nat chain=dstnat comment=tor7 dst-port="REDACTEDPORT" in-interface=vlan0 \
  132.     protocol=tcp to-addresses=192.168.1.62
  133. add action=dst-nat chain=dstnat comment=tor8 dst-port="REDACTEDPORT" in-interface=vlan0 \
  134.     protocol=tcp to-addresses=192.168.1.62
  135. add action=dst-nat chain=dstnat comment=test22 disabled=yes dst-port=22 \
  136.     in-interface=vlan0 protocol=tcp to-addresses=192.168.1.62
  137. /ip route
  138. add disabled=no distance=2 dst-address=0.0.0.0/0 gateway="REDACTEDPUBLICIP6".1 \
  139.     routing-table=6 scope=30 suppress-hw-offload=no target-scope=10
  140. add disabled=no distance=1 dst-address=192.168.0.0/20 gateway=br-lan \
  141.     routing-table=6 scope=10 suppress-hw-offload=no
  142. add disabled=no distance=2 dst-address=0.0.0.0/0 gateway="REDACTEDPUBLICIP1".1 \
  143.     routing-table=1 scope=30 suppress-hw-offload=no target-scope=10
  144. add disabled=yes distance=1 dst-address=192.168.0.0/20 gateway=br-lan \
  145.     routing-table=1 scope=10 suppress-hw-offload=no target-scope=10
  146. add disabled=no distance=1 dst-address="REDACTEDPUBLICIP1.2"/32 gateway=sfp-sfpplus4 \
  147.     routing-table=1 scope=10 suppress-hw-offload=no target-scope=10
  148. add disabled=yes distance=1 dst-address="REDACTEDPUBLICIP1.192"/32 gateway=\
  149.     sfp-sfpplus4 routing-table=1 scope=10 suppress-hw-offload=no \
  150.     target-scope=10
  151. add disabled=yes distance=1 dst-address="REDACTEDPUBLICIP1.192"/32 gateway=\
  152.     sfp-sfpplus4 routing-table=main scope=10 suppress-hw-offload=no \
  153.     target-scope=10
  154. /ip service
  155. set telnet disabled=yes
  156. set ftp disabled=yes
  157. set www disabled=yes
  158. set ssh disabled=yes
  159. set api disabled=yes
  160. set api-ssl disabled=yes
  161. /ipv6 address
  162. add  comment="V6 1st bloc" from-pool=dhcpv6 \
  163.     interface=br-lan
  164. add comment="V6 2nd blocSFP4" from-pool=dhcpv6 interface=sfp-sfpplus4
  165. /ipv6 dhcp-client
  166. add add-default-route=yes comment="dhcp client ipv6" interface=vlan0 \
  167.     pool-name=dhcpv6 prefix-hint=::/56 request=prefix
  168. /ipv6 firewall address-list
  169. add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
  170. add address=::1/128 comment="defconf: lo" list=bad_ipv6
  171. add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
  172. add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
  173. add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
  174. add address=100::/64 comment="defconf: discard only" list=bad_ipv6
  175. add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
  176. add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
  177. add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
  178. /ipv6 firewall filter
  179. add action=accept chain=input comment=\
  180.     "defconf: accept established,related,untracked" connection-state=\
  181.     established,related,untracked
  182. add action=drop chain=forward comment="drop huawei mac" src-mac-address=\
  183.     "REDACTEDHUAWEIMAC"
  184. add action=drop chain=input comment="drop huawei mac" src-mac-address=\
  185.     "REDACTEDHUAWEIMAC"
  186. add action=drop chain=input comment="defconf: drop invalid" connection-state=\
  187.     invalid
  188. add action=accept chain=forward comment="accept transmission" dst-address=\
  189.     "REDACTEDIPV6-1"/128 dst-port="REDACTEDPORT" \
  190.     in-interface-list=WAN protocol=tcp
  191. add action=accept chain=forward comment="accept transmission" dst-address=\
  192.     "REDACTEDIPV6-1"/128 dst-port="REDACTEDPORT" \
  193.     in-interface-list=WAN protocol=udp
  194. add action=accept chain=forward comment="accept bitcoin" dst-address=\
  195.     "REDACTEDIPV6-2"/128 dst-port=8333 \
  196.     in-interface-list=WAN protocol=tcp
  197. add action=accept chain=forward comment="accept monero" dst-address=\
  198.     "REDACTEDIPV6-2"/128 dst-port=18080 \
  199.     in-interface-list=WAN protocol=tcp
  200. add action=accept chain=forward comment="accept tor1" dst-address=\
  201.     "REDACTEDIPV6-3"/128 dst-port="REDACTEDPORT" \
  202.     in-interface-list=WAN protocol=tcp
  203. add action=accept chain=forward comment="accept tor2" dst-address=\
  204.     "REDACTEDIPV6-3"/128 dst-port="REDACTEDPORT" \
  205.     in-interface-list=WAN protocol=tcp
  206. add action=accept chain=forward comment="accept tor3" dst-address=\
  207.     "REDACTEDIPV6-3"/128 dst-port="REDACTEDPORT" \
  208.     in-interface-list=WAN protocol=tcp
  209. add action=accept chain=forward comment="accept tor4" dst-address=\
  210.     "REDACTEDIPV6-3"/128 dst-port="REDACTEDPORT" \
  211.     in-interface-list=WAN protocol=tcp
  212. add action=accept chain=forward comment="accept tor5" dst-address=\
  213.     "REDACTEDIPV6-3"/128 dst-port="REDACTEDPORT" \
  214.     in-interface-list=WAN protocol=tcp
  215. add action=accept chain=forward comment="accept tor6" dst-address=\
  216.     "REDACTEDIPV6-3"/128 dst-port="REDACTEDPORT" \
  217.     in-interface-list=WAN protocol=tcp
  218. add action=accept chain=forward comment="accept tor7" dst-address=\
  219.     "REDACTEDIPV6-3"/128 dst-port="REDACTEDPORT" \
  220.     in-interface-list=WAN protocol=tcp
  221. add action=accept chain=forward comment="accept tor8" dst-address=\
  222.     "REDACTEDIPV6-3"/128 dst-port="REDACTEDPORT" \
  223.     in-interface-list=WAN protocol=tcp
  224. add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
  225.     icmpv6
  226. add action=accept chain=input comment="defconf: accept UDP traceroute" \
  227.     dst-port=33434-33534 protocol=udp
  228. add action=accept chain=input comment=\
  229.     "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
  230.     udp src-address=fe80::/10
  231. add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
  232.     protocol=udp
  233. add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
  234.     ipsec-ah
  235. add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
  236.     ipsec-esp
  237. add action=accept chain=input comment=\
  238.     "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
  239. add action=drop chain=input comment=\
  240.     "defconf: drop everything else not coming from LAN" in-interface-list=\
  241.     !LAN
  242. add action=accept chain=forward comment=\
  243.     "defconf: accept established,related,untracked" connection-state=\
  244.     established,related,untracked
  245. add action=drop chain=forward comment="defconf: drop invalid" \
  246.     connection-state=invalid
  247. add action=drop chain=forward comment=\
  248.     "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
  249. add action=drop chain=forward comment=\
  250.     "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
  251. add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
  252.     hop-limit=equal:1 protocol=icmpv6
  253. add action=accept chain=forward comment="defconf: accept UDP traceroute" \
  254.     dst-port=33434-33534 protocol=udp
  255. add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
  256.     icmpv6
  257. add action=accept chain=forward comment="defconf: accept HIP" protocol=139
  258. add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
  259.     500,4500 protocol=udp
  260. add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
  261.     ipsec-ah
  262. add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
  263.     ipsec-esp
  264. add action=accept chain=forward comment=\
  265.     "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
  266. add action=drop chain=forward comment=\
  267.     "defconf: drop everything else not coming from LAN" in-interface-list=\
  268.     !LAN
  269. /routing rule
  270. add action=lookup comment=6 disabled=no src-address=192.168.2.0/24 table=6
  271. add action=lookup comment="6 for wifi" disabled=no src-address=\
  272.     192.168.1.192/26 table=6
  273. add action=lookup disabled=no src-address="REDACTEDPUBLICIP1.192"/32 table=1
  274.  