Created
December 14, 2022 01:21
# dec/14/2022 04:17:05 by RouterOS 7.7rc1
# software id = XH5D-E1DZ
#
# model = RB2011UiAS-2HnD
# serial number = HCN087QV7D1
# LAN bridge. auto-mac=no together with admin-mac makes the bridge use the
# fixed address given here instead of an automatically selected one.
/interface bridge
add admin-mac=18:FD:74:20:D9:C2 auto-mac=no comment=defconf name=bridge

# Built-in radio as a 2.4 GHz access point, enabled (disabled=no).
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid="BlackBox 2G" wireless-protocol=802.11

# Interface lists; the firewall, neighbor discovery and MAC-server settings
# in this file all refer to them by name.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

# Default security profile: WPA2-PSK only.
# NOTE(review): no wpa2-pre-shared-key appears here. Presumably the export
# left it out (RouterOS 7 omits sensitive values unless show-sensitive is
# requested), so the key has to be set separately after importing this file.
# Confirm the AP does not come up without one.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
# DHCP option and option set, both called "test".
# NOTE(review): the option has code=1 and no value, and the set lists no
# options. This looks like leftover experimentation; confirm before reuse,
# because the server below hands this set to every client.
/ip dhcp-server option
add code=1 name=test
/ip dhcp-server option sets
add name=test

# Dynamic address range for LAN clients.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254

# DHCP server on the bridge. add-arp=yes makes the server add an ARP entry
# for each lease it hands out.
/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes dhcp-option-set=test interface=bridge lease-time=50m name=dhcp1

/port
set 0 name=serial0
# Bridge members: ether2-ether10, sfp1 and the wireless interface.
# ether1 is not bridged; it is placed in the WAN list below.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1

# Neighbor discovery runs on LAN interfaces only, so the router does not
# announce itself on the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=LAN

# List membership that the firewall rules key on: bridge = LAN, ether1 = WAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Router address on the LAN bridge.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

# Static ARP entries.
# NOTE(review): the first entry is published=yes with no mac-address, i.e. the
# router itself answers ARP for 192.168.88.156 on the bridge. Confirm this is
# intended, since traffic for that address is then attracted to the router.
/ip arp
add address=192.168.88.156 interface=bridge published=yes
add address=192.168.88.183 interface=bridge mac-address=50:EB:F6:BD:A3:88

# WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add comment=defconf interface=ether1

# Static leases binding fixed addresses to client MACs. Two of them also
# carry the "test" option set explicitly.
/ip dhcp-server lease
add address=192.168.88.159 client-id=1:24:18:c6:dc:2a:36 mac-address=24:18:C6:DC:2A:36 server=dhcp1
add address=192.168.88.162 mac-address=EC:FA:BC:B1:4A:A1 server=dhcp1
add address=192.168.88.183 client-id=1:50:eb:f6:bd:a3:88 dhcp-option-set=test mac-address=50:EB:F6:BD:A3:88 server=dhcp1
add address=192.168.88.178 client-id=1:2c:c8:1b:1c:fb:5a mac-address=2C:C8:1B:1C:FB:5A server=dhcp1
add address=192.168.88.170 client-id=1:30:ab:6a:2e:fb:cd dhcp-option-set=test mac-address=30:AB:6A:2E:FB:CD server=dhcp1

# Clients are told to use the router as both gateway and DNS server.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
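# The router resolves for other hosts (allow-remote-requests=yes) and forwards
# upstream over DNS-over-HTTPS.
#
# verify-doh-cert=yes makes the router validate the DoH server's certificate.
# Without it the session is encrypted but the resolver is not authenticated,
# so an on-path device can answer in its place.
# Prerequisite: the CA chain for the DoH endpoint must already be imported
# under /certificate, otherwise lookups fail once verification is on.
#
# allow-remote-requests=yes opens the DNS listener on every interface. Whether
# it is reachable from outside depends on the input chains, which in this file
# drop traffic not arriving from the LAN list. Keep those rules in place.
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

# Local name for the router itself.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan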
# IPv4 filter. Rules are evaluated top to bottom per chain, so the order below
# is significant and is kept exactly as exported.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: anything not arriving from a LAN-list interface is dropped.
# This is what keeps management services and the DNS listener off the WAN side.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN are forwarded only if a dst-nat rule matched them.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# Source NAT for everything leaving through a WAN-list interface, except
# traffic that matches an IPsec policy (ipsec-policy=out,none).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# LAN prefix is taken from the pool that the DHCPv6 client below fills.
/ipv6 address
add from-pool=poolv6 interface=bridge

# Request a delegated prefix on ether1 and store it in pool "poolv6".
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=poolv6 request=prefix use-interface-duid=yes

# Address list "bad_ipv6": ranges the forward chain refuses as source or
# destination.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
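# IPv6 filter. Rules are evaluated top to bottom per chain; order is significant.
#
# Each rule is listed once. The export contained this whole rule set twice in a
# row, which usually means the default configuration was applied a second time.
# Every action here is a terminating accept or drop, so a packet that reaches
# the second copy has already failed the identical tests in the first and can
# never match it. The repeated copy is therefore dead weight that obscures
# audits and invites edits to the wrong instance.
/ipv6 firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# Prefix delegation replies arrive from a link-local source on UDP 546.
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# NOTE(review): the IKE/AH/ESP accepts below have no interface or source
# restriction, so they also apply to the WAN side. If no IPsec is terminated on
# this router they can be disabled to shrink the exposed surface.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final input rule: everything else not arriving from a LAN-list interface is dropped.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# --- forward: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
# Must precede the general ICMPv6 accept, otherwise it would never be reached.
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final forward rule: LAN hosts have global addresses and no NAT in front of
# them, so this drop is what blocks unsolicited inbound connections to them.
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN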
# Front-panel LCD: statistics screen only, with touch input disabled and
# read-only-mode on.
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes touch-screen=disabled

/system clock
set time-zone-name=Europe/Moscow

# NOTE(review): the update channel is "testing" and the export header shows a
# release-candidate build (7.7rc1). For the device at the network edge, confirm
# that tracking pre-release firmware is intended.
/system package update
set channel=testing

# Layer-2 management (MAC telnet and MAC WinBox) is accepted on LAN-list
# interfaces only.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN