itbrigada

Untitled

Jun 11th, 2020
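  # jun/11/2020 15:03:44 by RouterOS 6.47
  # software id = 8VAQ-SIN4
  #
  # model = RouterBOARD 962UiGS-5HacT2HnT
  # serial number = 908C0990A7B2
  #
  # Review notes:
  #  - Compact export: only non-default settings appear. /ip service, /user,
  #    MAC-server and neighbor-discovery settings are not visible here and
  #    should be reviewed separately.
  #  - The header above identifies the device (software id, serial number);
  #    strip it before sharing an export publicly.
  #  - Addresses containing "xx" were redacted by the author and are not
  #    importable as written.
  #  - Changed from the original: the WAN/LAN interface lists now contain the
  #    bridges instead of their member ports (see /interface list member).

  # Two bridges: bridgeLAN carries the local network, bridgeWAN the uplink.
  /interface bridge
  add name=bridgeLAN
  add name=bridgeWAN
  /interface ethernet
  set [ find default-name=ether3 ] loop-protect=on
  set [ find default-name=ether5 ] loop-protect=on
  # Radios keep the factory SSID and the default security profile. No
  # disabled=no appears, so they look disabled -- confirm. If they are ever
  # enabled, configure authentication on the profile first.
  /interface wireless
  set [ find default-name=wlan1 ] ssid=MikroTik
  set [ find default-name=wlan2 ] ssid=MikroTik
  /interface list
  add name=WAN
  add name=LAN
  /interface wireless security-profiles
  set [ find default=yes ] supplicant-identity=MikroTik
  /ip pool
  add name=dhcp ranges=192.168.0.10-192.168.0.20
  /ip dhcp-server
  add address-pool=dhcp disabled=no interface=bridgeLAN name=LAN
  /interface bridge port
  add bridge=bridgeWAN interface=ether4
  add bridge=bridgeLAN interface=ether5
  add bridge=bridgeLAN interface=ether3
  add bridge=bridgeLAN interface=ether2
  # FIX: the original listed the bridge member ports (ether4 as WAN,
  # ether2/3/5 as LAN). For a bridged port the IP firewall sees the bridge as
  # the in/out interface, so in-interface-list=WAN and in-interface-list=!LAN
  # never matched as intended:
  #   - "drop all from WAN not DSTNATed" (forward) matched nothing,
  #   - the PSD mangle rule matched nothing,
  #   - "drop all not coming from LAN" (input) also dropped LAN hosts.
  # Listing the bridges makes the defconf rules behave as their comments say.
  # Side effect to be aware of: LAN hosts can now reach router services again
  # (the defconf behaviour); restrict them in /ip service if that is unwanted.
  /interface list member
  add interface=bridgeWAN list=WAN
  add interface=bridgeLAN list=LAN
  /ip address
  add address=195.68.152.xx/27 interface=bridgeWAN network=195.68.xx.xx
  add address=192.168.0.1/24 interface=bridgeLAN network=192.168.0.0
  /ip dhcp-server network
  add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
  # allow-remote-requests=yes makes the router answer DNS queries. The only
  # explicit WAN block is udp/53 (filter rule below); tcp/53 from WAN is
  # covered only by the final input drop. DHCP clients are handed 8.8.8.8
  # directly, so if nothing uses the router as a resolver,
  # allow-remote-requests=no removes the exposure entirely.
  /ip dns
  set allow-remote-requests=yes servers=8.8.8.8
  # ITB = addresses allowed to manage the router (see the first enabled
  # input rule below).
  /ip firewall address-list
  add address=195.208.xxx.xxx list=ITB
  add address=172.16.16.1 list=ITB
  /ip firewall filter
  # Two disabled accept-everything rules sit at the top of both chains.
  # Enabling either one bypasses every rule after it; delete them once
  # troubleshooting is finished rather than leaving them in place.
  add action=accept chain=input disabled=yes
  add action=accept chain=forward disabled=yes
  # Accepts ALL input traffic from ITB addresses. Evaluated before the PSD
  # drop, so a management address that lands in PSD is not locked out.
  add action=accept chain=input comment="ITB: Allow managment" \
      src-address-list=ITB
  add action=drop chain=input comment="ITB: Disable incoming DNS" dst-port=53 \
      in-interface=bridgeWAN protocol=udp
  # VPN ports are open to any source and sit before the PSD drop.
  # PPTP control uses tcp/1723, so udp/1723 here serves no protocol.
  # If L2TP is meant to run only inside IPsec, udp/1701 can be limited with
  # ipsec-policy=in,ipsec so plain L2TP is not reachable from the Internet.
  add action=accept chain=input comment="ITB: Allow VPN support" dst-port=\
      1701,1723,4500,500 protocol=udp
  # GRE is accepted although the pptp service-port helper is disabled below
  # -- confirm GRE is still needed.
  add action=accept chain=input comment="ITB: Allow GRE support" protocol=gre
  # PSD is populated by the mangle rule. It is enforced only in the input
  # chain; forwarded (dst-nat) traffic from listed sources is not dropped.
  add action=drop chain=input comment="ITB: Drop PSD" src-address-list=PSD
  # No "Sistematika" address list is defined in this export. The rule matches
  # nothing unless the list is populated elsewhere; any source in it bypasses
  # every forward rule below -- confirm intent.
  add action=accept chain=forward comment="ITB: Allow access to sistematika" \
      src-address-list=Sistematika
  add action=accept chain=input comment=\
      "defconf: accept established,related,untracked" connection-state=\
      established,related,untracked
  add action=drop chain=input comment="defconf: drop invalid" connection-state=\
      invalid
  add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  add action=drop chain=input comment="defconf: drop all not coming from LAN" \
      in-interface-list=!LAN
  add action=accept chain=forward comment="defconf: accept in ipsec policy" \
      ipsec-policy=in,ipsec
  add action=accept chain=forward comment="defconf: accept out ipsec policy" \
      ipsec-policy=out,ipsec
  add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
      connection-state=established,related
  add action=accept chain=forward comment=\
      "defconf: accept established,related, untracked" connection-state=\
      established,related,untracked
  add action=drop chain=forward comment="defconf: drop invalid" \
      connection-state=invalid
  # New connections from WAN are forwarded only when a dst-nat rule matched
  # them. With the interface lists corrected this rule is effective again.
  add action=drop chain=forward comment=\
      "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
      connection-state=new in-interface-list=WAN
  /ip firewall mangle
  # Clamp TCP MSS to 1408 on forwarded SYNs that advertise a larger value.
  add action=change-mss chain=forward new-mss=1408 passthrough=yes protocol=tcp \
      tcp-flags=syn tcp-mss=1401-65535
  # Port-scan detection on WAN. Entries are dynamic with no timeout
  # (none-dynamic), so they stay until removed or the router reboots; a finite
  # address-list-timeout keeps the list from growing without bound.
  add action=add-src-to-address-list address-list=PSD address-list-timeout=\
      none-dynamic chain=prerouting comment="ITB: PSD" in-interface-list=WAN \
      protocol=tcp psd=21,3s,3,1
  /ip firewall nat
  # REVIEW: publishes 192.168.0.100:3389 (the RDP port) on tcp/6589 with no
  # source restriction. A non-standard port does not hide the service from
  # scanning. Prefer reaching the host over the VPN, or at least add a
  # src-address-list= match for known client addresses. The rule also has no
  # interface or dst-address match, so outbound LAN connections to any remote
  # tcp/6589 are redirected to the same host.
  add action=dst-nat chain=dstnat dst-port=6589 protocol=tcp to-addresses=\
      192.168.0.100 to-ports=3389
  add action=masquerade chain=srcnat out-interface=bridgeWAN
  # Disabled rule that would source-NAT traffic towards 192.168.0.100 to the
  # router's LAN address.
  add action=src-nat chain=srcnat disabled=yes dst-address=192.168.0.100 \
      to-addresses=192.168.0.1
  # All connection-tracking helpers are disabled.
  /ip firewall service-port
  set ftp disabled=yes
  set tftp disabled=yes
  set irc disabled=yes
  set h323 disabled=yes
  set sip disabled=yes
  set pptp disabled=yes
  set udplite disabled=yes
  set dccp disabled=yes
  set sctp disabled=yes
  /ip route
  add distance=1 gateway=195.68.xxx.xx
  /system clock
  set time-zone-name=Asia/Yekaterinburg
  /system routerboard settings
  set auto-upgrade=yes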