[MT]: Default settings template

Mar 27th, 2020
  1. # MIKROTIK DEFAULT SETTINGS
  2. # Configuration reset with skip-defaults=yes
  3. # Links:
  4. # [1]: https://www.manitonetworks.com/networking/2017/7/25/mikrotik-router-hardening#reverse-path-filtering
  5. # [2]: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Bandwidth_server
  6.  
  7. # [INTERFACES]
  8. # 1. ether1,ether2 - EXTERNAL LINKS
  9. # 2. ether3 - EMERGENCY ACCESS INTERFACE
  10. # 3. all other interfaces - BRIDGED LOCAL LINKS (lan-bridge)
  11.  
  12. # [IFACE-LIST]
  13. # 1. Lists
  14. /interface list add comment="userconf: contains external interfaces" name=external
  15. /interface list add comment="userconf: contains emergency interfaces" name=emergency
  16. /interface list add comment="userconf: contains internal interfaces" name=internal
  17. /interface list add comment="userconf: contains mdp interfaces" include=emergency name=mdp
  18. /interface list add comment="userconf: contains wan interfaces" include=external name=wan
  19. /interface list add comment="userconf: contains wan interfaces" name=lan
  20. /interface list add comment="userconf: contains vpn interfaces" name=vpn
  21. # 2. Members
  22. # 2.1 External
  23. /interface list member add interface=ether1 list=external
  24. /interface list member add interface=ether2 list=external
  25. # 2.2 Emergency access
  26. /interface list member add interface=ether3 list=emergency
  27. # 2.3 Internal (all other ethernet interfaces)
  28. /interface list member add interface=etherX list=internal
  29. # 2.5 Wan interfaces (ppp-clients and other)
  30. /interface list member add interface=wan1 list=wan
  31. /interface list member add interface=wan2 list=wan
  32. # 2.6 Lan interfaces (all internal ethernet interfaces & probably wireless)
  33. /interface list member add interface=lan-bridge list=lan
  34. # 2.7 Neighbour discovery interfaces (if needed - i'm NOT use command bellow)
  35. /interface list member add interface=lan-bridge list=mdp
  36. # 2.8 VPN interfaces
  37. /interface list member add interface=vpn0 list=vpn
  38.  
  39. # [IP SETTINGS]
  40. # 1. Change default timeouts
  41. /ip firewall connection tracking set generic-timeout=3m tcp-established-timeout=2h tcp-max-retrans-timeout=2m tcp-unacked-timeout=2m
  42. # 2. Use rp-filter & disable all icmp redirects
  43. /ip settings set rp-filter=strict secure-redirects=no send-redirects=no
  44. # 3. Management (SSH only, WINBOX on emergency)
  45. # Require:
  46. # <EMERGENCY-NETWORK>: alias should be configured on emergency port
  47. /ip ssh set forwarding-enabled=no strong-crypto=yes
  48. /ip service set ssh address="" disabled=no port=22
  49. /ip service set winbox address="<EMERGENCY-NETWORK>" disabled=no port=8291
  50. /ip service set telnet disabled=yes
  51. /ip service set www disabled=yes
  52. /ip service set www-ssl disabled=yes
  53. /ip service set api disabled=yes
  54. /ip service set api-ssl disabled=yes
  55.  
  56. # [SERVICES]
  57. # 1. SNMP
  58. # Require:
  59. # A. <SNMP-COMMUNITY>: min. length 20 symbols
  60. # B. <SNMP-CONTACT>: should be valid email address
  61. # C. <SNMP-LOCATION>: should be valid location
  62. # D. <SNMP-NMS-HOST>: NMS internal host (if any used)
  63. # 1.1 Disable read-access on default communities
  64. /snmp community set [ find default=yes ] read-access=no
  65. # 1.2 SNMPv3 access-only
  66. /snmp community add addresses=::/0 authentication-password=<SNMP-COMMUNITY> authentication-protocol=SHA1 encryption-password=<SNMP-COMMUNITY> encryption-protocol=AES name=<SNMP-COMMUNITY> security=authorized
  67. /snmp set contact=<SNMP-CONTACT> location="<SNMP-LOCATION>" trap-community=<SNMP-COMMUNITY> trap-generators=start-trap,interfaces,temp-exception trap-interfaces=all trap-target=<SNMP-NMS-HOST> trap-version=2
  68. # 1.3 Disable unused services
  69. /tool mac-server set allowed-interface-list=none
  70. /tool mac-server mac-winbox set allowed-interface-list=none
  71. /tool mac-server ping set enabled=no
  72. /tool romon set secrets=<SNMP-COMMUNITY>
  73. /tool romon port set [ find default=yes ] forbid=yes
  74. /tool bandwidth-server set enabled=no max-sessions=2
  75. /lcd set enabled=no
  76. /ip cloud set ddns-enabled=no ddns-update-interval=none update-time=no
  77. /ip upnp set enabled=no
  78. /ip proxy set enabled=no
  79. /ip socks set enabled=no
  80. /ip upnp set enabled=no
  81. # 1.4 System name
  82. # Require:
  83. # A. <HOSTNAME>: router hostname
  84. /system identity set name=<HOSTNAME>
  85. # 1.5 System time
  86. # Require:
  87. # A. <TIMEZONE>: timezone name
  88. /system clock set time-zone-autodetect=no time-zone-name=<TIMEZONE>
  89. /system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
  90. # 1.6 Sytem logging
  91. /system logging action set 0 memory-lines=2048
  92. /system logging set 3 action=memory
  93. # Custom topics here
  94. /system logging add topics=ipsec,!debug
  95. /system logging add topics=stp,!debug
  96. /system logging add topics=bridge,!debug
  97. /system logging add topics=wireless,debug
  98. # 1.7 System upgrade and watchdog
  99. /system package update set channel=long-term
  100. /system routerboard settings set auto-upgrade=yes
  101. /system watchdog set watch-address=127.0.0.1
  102. # 1.8 Email client (valid setting should be provided)
  103. /tool e-mail set address=<MAIL-ACCOUNT> from="<MAIL-DESC> <<MAIL-ACCOUNT>>" password=<MAIL-PASSWORD> port=465 start-tls=tls-only user=<MAIL-ACCOUNT>
  104. # 1.9 Neighbour discovery
  105. /ip neighbor discovery-settings set discover-interface-list=mdp
  106. /ipv6 nd set [find] disabled=yes
  107. # 2. DNS (!! should be filtered on wan interface list !!)
  108. /ip dns set allow-remote-requests=yes cache-max-ttl=1h cache-size=8192KiB servers=8.8.8.8,8.8.4.4
  109. /ip dns static add address=192.168.1.1 name=router.local