
Untitled

a guest
Dec 30th, 2021
  1. # dec/30/2021 01:34:04 by RouterOS 7.1.1
  2. # software id = WLS8-IV2L
  3. #
  4. # model = RBD53iG-5HacD2HnD
  5. # serial number = xxxxxxx
  # LAN bridge. The MAC address is pinned (auto-mac=no) instead of being
  # picked from a member port.
  /interface bridge
  add name=bridge comment=defconf auto-mac=no admin-mac=xx:55:31:xx:5C:xx
  # Both radios act as access points (mode=ap-bridge). Neither line names a
  # security profile, so presumably the default profile applies -- confirm.
  /interface wireless
  set [ find default-name=wlan1 ] ssid=revenge_of_the_cats mode=ap-bridge \
      band=2ghz-b/g/n channel-width=20/40mhz-XX frequency=auto \
      country=germany distance=indoors wireless-protocol=802.11
  set [ find default-name=wlan2 ] ssid=revenge_of_the_cats_5g mode=ap-bridge \
      band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
      country=germany distance=indoors installation=indoor \
      wireless-protocol=802.11
  # The WireGuard interface is created disabled. The matching input-chain
  # rule for UDP 13231 in /ip firewall filter is active regardless.
  /interface wireguard
  add name=wireguard1 listen-port=13231 mtu=1420 disabled=yes
  # Interface lists referenced by the firewall, neighbor discovery and
  # MAC-server settings.
  /interface list
  add name=WAN comment=defconf
  add name=LAN comment=defconf
  /interface lte apn
  set [ find default=yes ] ip-type=ipv4
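  # Default wireless security profile.
  # Only WPA2-PSK is offered. The export also listed legacy wpa-psk, which
  # lets clients negotiate the deprecated WPA1 handshake; re-add it only if a
  # device that cannot do WPA2 really has to join.
  # The pre-shared key is not part of this export -- verify on the device
  # that a long, random passphrase is set.
  /interface wireless security-profiles
  set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
      supplicant-identity=MikroTik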
  # DHCP for the LAN bridge: leases come from nearly the whole 10.0.0.0/16.
  /ip pool
  add ranges=10.0.0.2-10.0.255.254 name=dhcp
  /ip dhcp-server
  add name=defconf interface=bridge address-pool=dhcp
  /routing table
  add fib name=""
  # ZeroTier instance and its virtual interface. identity and network are
  # redacted in this paste.
  # NOTE(review): if the identity string carries the node's key material,
  # keep unredacted exports out of public pastes -- confirm what the field holds.
  /zerotier
  set zt1 name=zt1 port=9993 identity="xxxxxxxxxxxx"
  /zerotier interface
  add name=zerotier1 instance=zt1 network=xxxxxx \
      mac-address=xx:75:89:95:B6:46 disable-running-check=yes
  # ether2-ether5 and both radios are bridged into the LAN.
  /interface bridge port
  add interface=ether2 bridge=bridge ingress-filtering=no comment=defconf
  add interface=ether3 bridge=bridge ingress-filtering=no comment=defconf
  add interface=ether4 bridge=bridge ingress-filtering=no comment=defconf
  add interface=ether5 bridge=bridge ingress-filtering=no comment=defconf
  add interface=wlan1 bridge=bridge ingress-filtering=no comment=defconf
  add interface=wlan2 bridge=bridge ingress-filtering=no comment=defconf
  # Neighbor discovery is limited to LAN-list interfaces.
  /ip neighbor discovery-settings
  set discover-interface-list=LAN
  # IPv6 is switched off. The lines visible in this export contain no
  # /ipv6 firewall section, so add filter rules before turning it back on.
  /ipv6 settings
  set max-neighbor-entries=8192 disable-ipv6=yes
  # List membership drives the firewall: bridge is LAN, ether1 is WAN.
  # wireguard1 and zerotier1 are in neither list.
  /interface list member
  add list=LAN interface=bridge comment=defconf
  add list=WAN interface=ether1 comment=defconf
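  # WireGuard peers on wireguard1.
  # allowed-address is both the set of source addresses accepted from a peer
  # and the routing key for traffic sent to it, so each peer gets only its own
  # /32. The exported /24 masks gave both peers the same 10.1.0.0/24 range,
  # which makes per-peer routing ambiguous and lets either peer send traffic
  # using the other's tunnel address.
  /interface wireguard peers
  add interface=wireguard1 allowed-address=10.1.0.2/32 \
      public-key="xxxxxxxxxxxxxxxxxxxxxx"
  add interface=wireguard1 allowed-address=10.1.0.3/32 \
      public-key="xxxxxxxxxxxxxxx"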
  # Router addresses: 10.0.0.1/16 on the LAN bridge, 10.1.0.1/24 on the tunnel.
  /ip address
  add interface=bridge address=10.0.0.1/16 network=10.0.0.0 comment=defconf
  add interface=wireguard1 address=10.1.0.1/24 network=10.1.0.0
  # The WAN address comes from upstream DHCP; DNS servers offered by the
  # upstream are ignored (use-peer-dns=no).
  /ip dhcp-client
  add interface=ether1 use-peer-dns=no comment=defconf
  /ip dhcp-server network
  add address=10.0.0.0/16 gateway=10.0.0.1 comment=defconf
  # The router answers DNS queries for clients (allow-remote-requests=yes).
  # Nothing in this section restricts who may query it; that depends on the
  # input-chain rules in /ip firewall filter.
  /ip dns
  set servers=1.1.1.1,1.0.0.1 allow-remote-requests=yes
  /ip dns static
  add name=router.lan address=10.0.0.1 comment=defconf
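  # Packet filter. Rules are evaluated top to bottom within each chain and the
  # first match decides, so the order below is part of the policy.
  /ip firewall filter
  # ---- input chain: traffic addressed to the router itself ----
  # Source blocklist. Kept ahead of every accept rule: placed after
  # "drop all not coming from LAN" these entries could never be the deciding
  # rule for WAN traffic, because ICMP, UDP 13231 and established flows were
  # already accepted and everything else was already dropped.
  # The export listed 193.242.145.101 twice; one copy is kept.
  add action=drop chain=input src-address=18.195.122.69
  add action=drop chain=input src-address=154.180.32.45
  add action=drop chain=input src-address=193.242.145.101
  add action=drop chain=input src-address=45.134.26.34
  add action=drop chain=input src-address=199.195.253.174
  add action=drop chain=input src-address=183.82.146.80
  # NOTE(review): everything arriving on zerotier1 is accepted without a
  # protocol, port or state condition, so every member of the joined ZeroTier
  # network can reach every service on the router. Narrow this if only some
  # services are meant to be reachable over the overlay.
  add action=accept chain=input in-interface=zerotier1
  add action=accept chain=input \
      comment="defconf: accept established,related,untracked" \
      connection-state=established,related,untracked
  add action=drop chain=input comment="defconf: drop invalid" \
      connection-state=invalid
  add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  add action=accept chain=input \
      comment="defconf: accept to local loopback (for CAPsMAN)" \
      dst-address=127.0.0.1
  # WireGuard handshake port, open on every interface including WAN.
  add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
      protocol=udp
  add action=drop chain=input comment="defconf: drop all not coming from LAN" \
      in-interface-list=!LAN
  # ---- forward chain: traffic routed through the router ----
  # NOTE(review): same unconditional trust as on the input chain; ZeroTier
  # members can be forwarded to any destination behind the router.
  add action=accept chain=forward in-interface=zerotier1
  add action=accept chain=forward comment="defconf: accept in ipsec policy" \
      ipsec-policy=in,ipsec
  add action=accept chain=forward comment="defconf: accept out ipsec policy" \
      ipsec-policy=out,ipsec
  add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
      connection-state=established,related hw-offload=yes
  add action=accept chain=forward \
      comment="defconf: accept established,related, untracked" \
      connection-state=established,related,untracked
  add action=drop chain=forward comment="defconf: drop invalid" \
      connection-state=invalid
  add action=drop chain=forward \
      comment="defconf: drop all from WAN not DSTNATed" \
      connection-nat-state=!dstnat connection-state=new in-interface-list=WAN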
  /ip firewall nat
  # Outbound traffic leaving via WAN is source-NATed, except flows that match
  # an IPsec policy.
  add chain=srcnat action=masquerade out-interface-list=WAN \
      ipsec-policy=out,none comment="defconf: masquerade"
  # Port forward for TCP 5001 from ether1 to 10.0.0.112, currently disabled.
  # If enabled, the forward chain's "not DSTNATed" drop no longer applies to it.
  add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp \
      dst-port=5001 to-addresses=10.0.0.112 to-ports=5001 disabled=yes
  # Housekeeping: time zone, LEDs off, automatic CPU frequency.
  /system clock
  set time-zone-name=Europe/Berlin
  /system leds settings
  set all-leds-off=immediate
  /system routerboard settings
  set cpu-frequency=auto
  # Layer-2 management (MAC server and MAC-WinBox) is offered only on
  # interfaces in the LAN list.
  /tool mac-server
  set allowed-interface-list=LAN
  /tool mac-server mac-winbox
  set allowed-interface-list=LAN