saper_2

RouterBoard RB 2011 example full setup

  # sep/04/2019 19:07:08 by RouterOS 6.43.8
  # model = 2011UiAS-2HnD
  # You will need to adapt this to your hardware (port count, port names, etc.).
  # Static WAN IP: set it in `/ip address`, replace every `pppoe-wan_OR_sfp-wan`
  # with the WAN interface name (in my case `sfp-wan`), and disable or remove the dhcp-client and pppoe-client entries.
  # PPP user/password with a dynamic IP from your ISP: replace every `pppoe-wan_OR_sfp-wan` with `pppoe-wan`
  # and remove the `/ip address` line that adds WAN_IP (the address is then assigned by the pppoe-client, or by the dhcp-client on a DHCP uplink).
  # The PPPoE user/password in this paste are placeholders. There may be other details I have forgotten :P
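  # --- Interfaces --------------------------------------------------------------
  # One bridge ("LAN") carries every customer-facing port; hardware fast-forward
  # stays off (fast-forward=no) exactly as in the original export.
  /interface bridge
  add name=LAN fast-forward=no
  # Short port names used throughout the rest of the config. eth6..eth10 are
  # renamed but never bridged or addressed below; sfp1 becomes the uplink.
  /interface ethernet
  set [ find default-name=ether1 ] name=eth1
  set [ find default-name=ether2 ] name=eth2
  set [ find default-name=ether3 ] name=eth3
  set [ find default-name=ether4 ] name=eth4
  set [ find default-name=ether5 ] name=eth5
  set [ find default-name=ether6 ] name=eth6
  set [ find default-name=ether7 ] name=eth7
  set [ find default-name=ether8 ] name=eth8
  set [ find default-name=ether9 ] name=eth9
  set [ find default-name=ether10 ] name=eth10
  set [ find default-name=sfp1 ] name=sfp-wan
  # PPPoE dial-up over the SFP uplink (dynamic-IP variant, see header).
  # The credentials are placeholders spelled in the same style as WAN_IP /
  # WAN_NETWORK further down so they cannot be mistaken for real ones: replace
  # PPPOE_USER / PPPOE_PASSWORD before importing, and never publish an export
  # that still contains the real values (`/export hide-sensitive` strips them).
  # On a static-IP uplink disable or delete this entry.
  /interface pppoe-client
  add name=pppoe-wan interface=sfp-wan user=PPPOE_USER password=PPPOE_PASSWORD keepalive-timeout=30 disabled=no comment="PPPoE WAN"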
  # --- Interface lists, address pool, DHCP server, per-host shaping -----------
  # "discover": interfaces on which neighbour discovery (MNDP/CDP/LLDP) may run;
  # it is bound in /ip neighbor discovery-settings further down and excludes
  # dynamic interfaces such as the PPPoE tunnel.
  # "mac-winbox": interfaces on which Layer-2 (MAC) Winbox is meant to work.
  /interface list
  add name=discover exclude=dynamic
  add name=mac-winbox
  # 79 dynamic leases (.2-.80); .81-.254 stay free for fixed hosts such as the
  # .101/.102/.105 addresses referenced below.
  /ip pool
  add name=dhcp-pool ranges=192.168.0.2-192.168.0.80
  /ip dhcp-server
  add name=dhcp-lan interface=LAN address-pool=dhcp-pool lease-time=9h authoritative=after-2sec-delay disabled=no
  # 1 Mbit/s cap for two fixed hosts during working hours (08:00-18:00, Mon-Fri).
  # burst-limit equals max-limit, so no burst above the cap is ever granted.
  /queue simple
  add name=queue1 target=192.168.0.101/32 max-limit=1M/1M burst-limit=1M/1M burst-threshold=1M/1M burst-time=1s/1s time=8h-18h,mon,tue,wed,thu,fri
  add name=queue2 target=192.168.0.102/32 max-limit=1M/1M burst-limit=1M/1M burst-threshold=1M/1M burst-time=1s/1s time=8h-18h,mon,tue,wed,thu,fri
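  # --- Bridge membership, neighbour discovery, list membership, MAC server -----
  # eth1..eth5 are bridged into LAN; eth6..eth10 stay outside the bridge and
  # sfp-wan is routed.
  /interface bridge port
  add bridge=LAN interface=eth1
  add bridge=LAN interface=eth2
  add bridge=LAN interface=eth3
  add bridge=LAN interface=eth4
  add bridge=LAN interface=eth5
  # NOTE(review): the original export adds the interface *list* "mac-winbox" as
  # a bridge port. Bridge ports are normally single interfaces, not lists; the
  # line is kept verbatim but looks like a hand edit — confirm on the device.
  add bridge=LAN disabled=no interface=mac-winbox
  # Advertise the router (MNDP/LLDP) only on the "discover" list; sfp-wan and
  # pppoe-wan are deliberately not members of it.
  /ip neighbor discovery-settings
  set discover-interface-list=discover
  /interface list member
  add list=discover interface=eth1
  add list=discover interface=eth2
  add list=discover interface=eth3
  add list=discover interface=eth4
  add list=discover interface=eth5
  add list=discover interface=eth7
  add list=discover interface=eth8
  add list=discover interface=eth9
  add list=discover interface=eth10
  add list=discover interface=LAN
  add list=mac-winbox interface=LAN
  add list=mac-winbox interface=eth5
  # The "mac-winbox" list was created but nothing in the export uses it, and
  # /export does not print settings left at their defaults — so /tool mac-server
  # is still at allowed-interface-list=all (the 6.4x default), i.e. MAC-Telnet
  # and MAC-Winbox answer on every interface, uplink included. Bind both to the
  # list that was evidently intended for this.
  /tool mac-server
  set allowed-interface-list=mac-winbox
  /tool mac-server mac-winbox
  set allowed-interface-list=mac-winbox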
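  # --- Addressing, DHCP, DNS, trusted-source list ------------------------------
  /ip address
  add address=192.168.0.1/24 network=192.168.0.0 interface=LAN comment="ROUTER ADDRESS"
  # Static-WAN variant only (see header): fill in the placeholders and drop the
  # dhcp-client / pppoe-client entries. The placeholder is now spelled WAN_IP as
  # in the header ("WAIN_IP" in the original was a typo).
  add address=WAN_IP/WAN_MASK network=WAN_NETWORK interface=WAN_INTERFACE comment="ROUTER WAN ADDRESS"
  # DHCP-uplink variant: learn the address from the ISP. NOTE(review): the
  # RouterOS dhcp-client installs its own default route unless
  # add-default-route=no, in addition to the static route in /ip route below —
  # verify which one is active on the device.
  /ip dhcp-client
  add interface=sfp-wan dhcp-options=hostname,clientid disabled=no
  /ip dhcp-server network
  add address=192.168.0.0/24 gateway=192.168.0.1
  # The router resolves for the LAN (allow-remote-requests=yes). That also makes
  # it an open resolver towards any source the input chain accepts; the filter
  # below admits port 53 only with in-interface=LAN — keep it that way.
  /ip dns
  set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
  /ip dns static
  add name=some-server address=192.168.0.105
  # Source prefix trusted to reach the router's own services (input chain).
  # Trust is by address only; the filter rule that uses it must pin the
  # in-interface, otherwise a spoofed 192.168.0.x source on the uplink qualifies.
  /ip firewall address-list
  add list=safe address=192.168.0.0/24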
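  # --- Firewall filter ---------------------------------------------------------
  # input chain: packets addressed to the router itself. Rule order matters.
  /ip firewall filter
  add chain=input action=accept connection-state=established comment="accept established connection packets"
  add chain=input action=accept connection-state=related comment="accept related connection packets"
  add chain=input action=drop connection-state=invalid comment="drop invalid packets"
  # Trust the "safe" prefix only when it really arrives on the LAN bridge. The
  # original rule had no in-interface, so a packet with a forged 192.168.0.x
  # source arriving on sfp-wan/pppoe-wan was accepted straight to the router.
  add chain=input action=accept src-address-list=safe in-interface=LAN comment="Allow access to router from known network (addresses): safe, LAN side only"
  add chain=input action=drop protocol=tcp psd=21,3s,3,1 comment="detect and drop port scan connections"
  # DoS handling (MikroTik wiki pattern): the first excess hits only list the
  # source (second rule); once listed, further TCP from it is tarpitted.
  # log=yes logs every tarpitted packet, so expect noisy logs under attack.
  add chain=input action=tarpit protocol=tcp connection-limit=3,32 src-address-list=black_list log=yes log-prefix=DoS-TARPIT comment="suppress DoS attack"
  add chain=input action=add-src-to-address-list protocol=tcp connection-limit=10,32 address-list=black_list address-list-timeout=1d comment="detect DoS attack"
  add chain=input action=jump jump-target=ICMP protocol=icmp comment="jump: ICMP"
  add chain=input action=jump jump-target=services comment="jump: services"
  # This is also what lets DHCP DISCOVER (src 0.0.0.0, dst 255.255.255.255) reach
  # the DHCP server, since the 67-68 service rule is disabled.
  # NOTE(review): it accepts broadcast on every interface, uplink included. Left
  # unchanged because the sfp-wan dhcp-client may depend on broadcast replies;
  # on a static or PPPoE uplink add in-interface=LAN here.
  add chain=input action=accept dst-address-type=broadcast comment="Allow Broadcast Traffic"
  add chain=input action=log disabled=yes log-prefix=Filter:
  add chain=input action=drop comment="Drop anything else"
  # forward chain: traffic routed through the box. The original export had only
  # the ban jump here, i.e. the default accept policy: anything routed towards
  # the LAN from the uplink, or let in by a UPnP / dst-nat mapping, passed with
  # no state check at all. Stateful baseline added below.
  add chain=forward action=jump jump-target=internet_ban comment="Go to chain for banning computers access"
  add chain=forward action=accept connection-state=established,related comment="forward: accept established/related"
  add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
  # New connections from anything but the LAN bridge only if a dst-nat rule
  # (the RDP one below, or one created by UPnP) explicitly published them.
  add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=!LAN comment="forward: drop new from outside that is not dst-natted"
  # ICMP chain: echo, unreachable (frag-needed/port), time-exceeded, rate
  # limited to 5 pps each; everything else dropped.
  add chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5:packet comment="0:0 and limit for 5p/sec"
  add chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5:packet comment="3:3 and limit for 5pac/s"
  add chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5:packet comment="3:4 and limit for 5pac/s"
  add chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5:packet comment="8:0 and limit for 5pac/s"
  add chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5:packet comment="11:0 and limit for 5pac/s"
  add chain=ICMP action=drop protocol=icmp comment="Drop everything else"
  # services chain: per-service holes. Because the "safe" rule above already
  # accepts the whole LAN prefix, the in-interface=LAN rules here only matter
  # for LAN sources outside 192.168.0.0/24. Disabled rules are a menu of
  # services this template does not run; enable only what is configured.
  add chain=services action=accept src-address=127.0.0.1 dst-address=127.0.0.1 comment="accept localhost"
  add chain=services action=accept protocol=udp dst-port=20561 in-interface=LAN comment="allow MACwinbox "
  add chain=services action=accept disabled=yes protocol=tcp dst-port=2000 comment="Bandwidth server"
  add chain=services action=accept protocol=udp dst-port=5678 in-interface=LAN comment=" MT Discovery Protocol"
  # SNMP is UDP/161; the original rule said protocol=tcp and never matched a query.
  add chain=services action=accept protocol=udp dst-port=161 in-interface=LAN comment="allow SNMP"
  add chain=services action=accept disabled=yes protocol=tcp dst-port=179 comment="Allow BGP"
  add chain=services action=accept disabled=yes protocol=udp dst-port=5000-5100 comment="allow BGP"
  add chain=services action=accept disabled=yes protocol=udp dst-port=123 comment="Allow NTP"
  add chain=services action=accept disabled=yes protocol=tcp dst-port=1723 comment="Allow PPTP"
  add chain=services action=accept disabled=yes protocol=gre comment="allow PPTP and EoIP"
  # The only rule open towards the uplink. NOTE(review): no ovpn-server section
  # appears in this export, so the port is presumably closed; keep the rule
  # disabled until /interface ovpn-server server is actually enabled.
  add chain=services action=accept protocol=tcp dst-port=25885 comment="allow OpenVPN"
  add chain=services action=accept protocol=tcp dst-port=53 in-interface=LAN comment="allow DNS request"
  add chain=services action=accept protocol=udp dst-port=53 in-interface=LAN comment="Allow DNS request"
  add chain=services action=accept protocol=udp dst-port=1900 in-interface=LAN comment=UPnP
  add chain=services action=accept protocol=tcp dst-port=2828 in-interface=LAN comment=UPnP
  add chain=services action=accept disabled=yes protocol=udp dst-port=67-68 comment="allow DHCP"
  add chain=services action=accept disabled=yes protocol=tcp dst-port=8080 comment="allow Web Proxy"
  add chain=services action=accept disabled=yes protocol=ipencap comment="allow IPIP"
  add chain=services action=accept disabled=yes protocol=tcp dst-port=443 comment="allow https for Hotspot"
  add chain=services action=accept disabled=yes protocol=tcp dst-port=1080 comment="allow Socks for Hotspot"
  add chain=services action=accept disabled=yes protocol=udp dst-port=500 comment="allow IPSec connections"
  add chain=services action=accept disabled=yes protocol=ipsec-esp comment="allow IPSec"
  add chain=services action=accept disabled=yes protocol=ipsec-ah comment="allow IPSec"
  add chain=services action=accept disabled=yes protocol=udp dst-port=520-521 comment="allow RIP"
  add chain=services action=accept disabled=yes protocol=ospf comment="allow OSPF"
  add chain=services action=accept disabled=yes protocol=tcp dst-port=8291 comment="Allow remote WinBox IP"
  add chain=services action=return comment="end: SERVICES"
  # Bans are keyed on source MAC, which the banned host can change at will;
  # treat this as a convenience, not as an access-control boundary.
  add chain=internet_ban action=reject reject-with=icmp-net-prohibited src-mac-address=11:22:33:44:55:66 disabled=yes comment="BAN: -PC-NAME- internet"
  add chain=internet_ban action=return comment="END BAN LIST"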
  # --- NAT and connection-tracking helpers ------------------------------------
  /ip firewall nat
  # Hide the LAN behind whatever address the uplink currently has.
  add chain=srcnat action=masquerade out-interface=pppoe-wan_OR_sfp-wan
  # Publish RDP on 192.168.0.105 as tcp/12345 on every router-local address
  # (dst-address-type=local also covers 192.168.0.1, so LAN clients can use the
  # same port). This exposes RDP to the whole Internet with nothing but the
  # non-standard port in front of it; prefer reaching it over the VPN, or at
  # least add src-address=<trusted prefix> to this rule.
  add chain=dstnat action=dst-nat protocol=tcp dst-port=12345 dst-address-type=local to-addresses=192.168.0.105 to-ports=3389 comment="RDP SERVER"
  # All connection-tracking ALGs off: each helper parses payload and opens
  # related pinholes, which is only worth the exposure for protocols in use.
  /ip firewall service-port
  set ftp disabled=yes
  set tftp disabled=yes
  set irc disabled=yes
  set h323 disabled=yes
  set sip disabled=yes
  set pptp disabled=yes
  set udplite disabled=yes
  set dccp disabled=yes
  set sctp disabled=yes
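  # --- Default route and management services -----------------------------------
  # Static default route via the uplink placeholder. NOTE(review): on a DHCP
  # uplink the dhcp-client also installs a default route unless told not to;
  # check on the device that only the intended one is active.
  /ip route
  add gateway=pppoe-wan_OR_sfp-wan distance=1
  # Management plane. The firewall input chain is the outer boundary; binding
  # every enabled service to the LAN prefix is the inner one, so a single
  # mistake in either does not expose management on its own.
  /ip service
  set telnet disabled=yes
  set ftp disabled=yes address=192.168.0.0/24
  set www address=192.168.0.0/24
  set ssh address=192.168.0.0/24
  # www-ssl had no address= in the original, i.e. it listened for any source the
  # firewall let through; restrict it like its siblings. Consider disabling plain
  # www once www-ssl is confirmed working.
  set www-ssl certificate=ROUTER address=192.168.0.0/24
  set api disabled=yes address=192.168.0.0/24
  set winbox address=192.168.0.0/24
  # NOTE(review): 192.168.2.0/24 appears nowhere else in this config — verify it
  # is intended (a VPN or second site?) before keeping it.
  set api-ssl disabled=yes address=192.168.0.0/24,192.168.2.0/24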
  # --- UPnP, clock, identity, logging, NTP ------------------------------------
  # UPnP IGD lets any LAN host create inbound port mappings on the uplink by
  # itself, with no admin review. Convenient for consoles/P2P; turn it off when
  # every inbound service is configured by hand (the RDP dst-nat above is).
  /ip upnp
  set enabled=yes show-dummy-rule=no
  /ip upnp interfaces
  add type=internal
  add type=external interface=pppoe-wan_OR_sfp-wan
  /system clock
  set time-zone-name=Europe/Warsaw
  /system identity
  set name=ROUTER
  # Debug-level route and wireless logging is useful during bring-up and noisy
  # afterwards; pppoe logging is present but switched off.
  /system logging
  add topics=route,debug,!calc
  add topics=pppoe disabled=yes
  add topics=wireless,debug
  # Correct time matters for the time-of-day queues, certificate validation and
  # log timestamps. Two fixed servers plus a pool name as fallback.
  /system ntp client
  set enabled=yes server-dns-names=pl.pool.ntp.org primary-ntp=194.146.251.100 secondary-ntp=194.146.251.101
  /tool bandwidth-server
  set enabled=no