# jan/02/1970 00:33:11 by RouterOS 7.8
# software id = UZ6A-3MG3
#
# model = RB750Gr3
# serial number = 6F3907213292
#
# NOTE(review): every entry below is tagged comment=defconf, so this reads as the
# factory default configuration export of this unit. The header fields above
# (software id, serial number) and admin-mac further down identify the physical
# device; treat the file as device-specific when sharing it. The export clock
# reads 1970, i.e. it was taken before the device had obtained a time source.
#
# NOTE(review): the export contains no /ip service, /user, /ip ssh or
# /system clock entries, so nothing in THIS file constrains which management
# services listen, on which ports, or with which credentials. The only thing
# shielding them from WAN is the input-chain "drop all not coming from LAN"
# rule - confirm service/user settings on the device itself.
/interface bridge
# One LAN bridge. auto-mac=no with a fixed admin-mac pins the bridge MAC so it
# does not change when member ports change.
add admin-mac=64:D1:54:A1:5F:F0 auto-mac=no comment=defconf name=bridge
/interface list
# WAN / LAN interface lists: every firewall, discovery and MAC-management rule
# below keys on list membership, not on raw interface names.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Only sets the identity string of the default wireless profile; presumably
# unused on this wired model - verify.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# DHCP lease range; .1 is held back for the router's own address (see /ip address).
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# DHCP served on the LAN bridge only.
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
# ether2-ether5 are LAN bridge members. ether1 is deliberately NOT bridged:
# it is the WAN port (see /interface list member below).
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery answers only on LAN-list interfaces, so the router does
# not advertise itself (model, identity, addresses) toward WAN.
set discover-interface-list=LAN
/interface list member
# Bridge -> LAN, ether1 -> WAN. Adding an interface to the wrong list here
# silently changes what every !LAN / WAN firewall rule below matches.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# Router's LAN address; also the gateway and DNS server handed to clients.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
# WAN address is obtained by DHCP on ether1.
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
# The router resolves DNS for clients (it is the dns-server handed out above).
# allow-remote-requests=yes makes the resolver listen on all interfaces; only
# the input-chain "drop all not coming from LAN" rule keeps it from being an
# open resolver toward WAN. Do not loosen that rule without revisiting this.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Rule order is significant: rules are evaluated top to bottom, first match wins.
# --- input chain: traffic addressed to the router itself ---
# Accept replies to connections the router already knows about.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Drop packets conntrack cannot associate with any connection.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP to the router is allowed from anywhere (ping, PMTU, traceroute).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Default deny for the router itself: anything arriving on an interface that
# is not in the LAN list is dropped. This single rule is what shields DNS and
# every management service from WAN; rules for remote access belong ABOVE it.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
# IPsec-policy matches sit first so traffic that was decrypted from / will be
# encrypted into a tunnel is accepted before the NAT-state check below.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# NOTE(review): fasttracked connections bypass the remaining filter rules for
# the rest of the connection's life; any forward rule that must see
# established/related traffic has to be placed above this one.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Default deny for inbound forwarding: a NEW connection from WAN is dropped
# unless a dst-nat rule has already mapped it (connection-nat-state=dstnat).
# Port-forwards therefore need a /ip firewall nat entry, not a filter change,
# and anything not explicitly NATed cannot reach LAN hosts.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving via a WAN-list interface.
# ipsec-policy=out,none excludes packets that match an IPsec policy so
# tunnelled traffic keeps its real source address.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
# Reserved / bogon IPv6 ranges. Packets carrying any of these as source or
# destination are dropped in the IPv6 forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# IPv6 is not NATed, so this chain is the only barrier between WAN and any LAN
# host that obtains a global address. Same top-to-bottom, first-match semantics.
# --- input chain ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMPv6 is required for NDP/PMTU and is accepted from anywhere.
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
# DHCPv6 prefix-delegation replies come from the upstream link-local source.
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
# IKE (500/4500), AH and ESP are accepted on input so the router itself can
# terminate IPsec; these are open from WAN by default.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Default deny for the router on IPv6, mirroring the IPv4 input chain.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# --- forward chain ---
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Bogon filtering in both directions using the bad_ipv6 list above.
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
# ICMPv6 with hop-limit 1 is link-local-only traffic and must not be forwarded
# (the comment cites RFC 4890); it is dropped before the general ICMPv6 accept.
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
# Protocol number 139 is HIP (Host Identity Protocol), as the comment states.
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
# IKE/AH/ESP are also forwarded, so LAN hosts can build their own IPsec tunnels.
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Default deny for IPv6 forwarding. Unlike the IPv4 chain there is no
# dst-nat escape hatch: an inbound service on a LAN host needs an explicit
# accept rule placed above this line.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/tool mac-server
# MAC-telnet and MAC-Winbox (layer-2 management that needs no IP address)
# answer only on LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Default capture filter for the built-in packet sniffer points at the WAN
# port. This export does not show the sniffer as running.
set filter-interface=ether1