Last active
August 8, 2024 18:25
-
-
Save kcleong/426ae7a5c3c5ecb4870bb82966e80ef4 to your computer and use it in GitHub Desktop.
KPN fiber Mikrotik config (working set-up for IPv4, IPv6, and KPN TV+ box)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 2024-08-08 20:21:39 by RouterOS 7.15.2 | |
| # software id = BNE6-LLMM | |
| # | |
| # model = RB5009UPr+S+ | |
| # serial number = HF50964FXXX | |
| /interface bridge | |
| add arp=proxy-arp igmp-snooping=yes multicast-querier=yes name=local | |
| /interface ethernet | |
| set [ find default-name=sfp-sfpplus1 ] mtu=1512 | |
| /interface vlan | |
| add comment=TV interface=sfp-sfpplus1 name=vlan1.4 vlan-id=4 | |
| add comment=WAN interface=sfp-sfpplus1 mtu=1508 name=vlan1.6 vlan-id=6 | |
| /interface pppoe-client | |
| add add-default-route=yes allow=pap disabled=no interface=vlan1.6 keepalive-timeout=20 max-mru=1500 max-mtu=1500 name=pppoe-kpn user=kpn | |
| /interface list | |
| add comment=defconf name=WAN | |
| add comment=defconf name=LAN | |
| /interface wireless security-profiles | |
| set [ find default=yes ] supplicant-identity=MikroTik | |
| /ip dhcp-client option | |
| add code=60 name=option60-vendorclass value="'IPTV_RG'" | |
| /ip dhcp-server option | |
| add code=60 name=option60-vendorclass value="'IPTV_RG'" | |
| add code=28 name=option28-broadcast value="'192.168.22.255'" | |
| add code=6 force=yes name=option6-dns value="'195.121.1.34''195.121.1.66'" | |
| /ip dhcp-server option sets | |
| add name=IPTV options=option60-vendorclass,option28-broadcast,option6-dns | |
| /ip pool | |
| add name=dhcp_pool0 ranges=192.168.22.50-192.168.22.200 | |
| /ip dhcp-server | |
| add address-pool=dhcp_pool0 interface=local lease-time=4h name=dhcp1 | |
| /port | |
| set 0 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none stop-bits=1 | |
| /interface ppp-client | |
| add apn=internet name=ppp-out1 port=usb1 | |
| /interface detect-internet | |
| set detect-interface-list=all | |
| /interface list member | |
| add interface=pppoe-kpn list=WAN | |
| add interface=local list=LAN | |
| /ip address | |
| add address=192.168.22.1/24 interface=local network=192.168.22.0 | |
| /ip dhcp-client | |
| add default-route-distance=210 dhcp-options=option60-vendorclass interface=vlan1.4 use-peer-dns=no use-peer-ntp=no | |
| /ip dhcp-server lease | |
| add address=192.168.22.197 client-id=1:c4:eb:42:65:d7:60 comment="KPN TV decoder" dhcp-option-set=IPTV mac-address=C4:EB:42:65:D7:60 \ | |
| server=dhcp1 | |
| /ip dhcp-server network | |
| add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1 | |
| /ip dns | |
| set allow-remote-requests=yes servers=45.90.28.40,45.90.30.40 | |
| /ip firewall filter | |
| add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related \ | |
| hw-offload=yes | |
| add action=accept chain=input comment="accept established,related" connection-state=established,related | |
| add action=accept chain=input comment="IPTV IGMP" dst-address=224.0.0.0/4 in-interface=vlan1.4 protocol=igmp | |
| add action=drop chain=input connection-state=invalid | |
| add action=accept chain=input comment="allow ICMP" in-interface=pppoe-kpn protocol=icmp | |
| add action=drop chain=input comment="block everything else" in-interface=pppoe-kpn | |
| add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related disabled=\ | |
| yes hw-offload=yes | |
| add action=accept chain=forward comment="accept established,related" connection-state=established,related | |
| add action=drop chain=forward connection-state=invalid | |
| add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new \ | |
| in-interface=pppoe-kpn | |
| /ip firewall nat | |
| add action=masquerade chain=srcnat out-interface=pppoe-kpn | |
| add action=masquerade chain=srcnat comment=IPTV dst-address=213.75.112.0/21 out-interface=vlan1.4 | |
| add action=masquerade chain=srcnat comment=IPTV dst-address=217.166.0.0/16 out-interface=vlan1.4 | |
| add action=masquerade chain=srcnat comment=IPTV dst-address=10.207.0.0/20 out-interface=vlan1.4 | |
| /ipv6 address | |
| add address=::1 from-pool=kpn-ipv6-pool interface=local | |
| /ipv6 dhcp-client | |
| add interface=pppoe-kpn pool-name=kpn-ipv6-pool pool-prefix-length=48 request=prefix use-peer-dns=no | |
| /ipv6 firewall address-list | |
| add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 | |
| add address=::1/128 comment="defconf: lo" list=bad_ipv6 | |
| add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 | |
| add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 | |
| add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 | |
| add address=100::/64 comment="defconf: discard only " list=bad_ipv6 | |
| add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 | |
| add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 | |
| add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 | |
| /ipv6 firewall filter | |
| add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked | |
| add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid | |
| add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 | |
| add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp | |
| add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10 | |
| add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp | |
| add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah | |
| add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp | |
| add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec | |
| add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN | |
| add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked | |
| add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid | |
| add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 | |
| add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 | |
| add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 | |
| add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 | |
| add action=accept chain=forward comment="defconf: accept HIP" protocol=139 | |
| add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp | |
| add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah | |
| add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp | |
| add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec | |
| add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN | |
| /ipv6 nd | |
| set [ find default=yes ] advertise-dns=no advertise-mac-address=no dns=2a07:a8c0::95:b961,2a07:a8c1::95:b961 hop-limit=64 interface=local | |
| /routing igmp-proxy | |
| set quick-leave=yes | |
| /routing igmp-proxy interface | |
| add interface=local | |
| add alternative-subnets=0.0.0.0/0 interface=vlan1.4 upstream=yes | |
| /snmp | |
| set enabled=yes | |
| /system clock | |
| set time-zone-name=Europe/Amsterdam | |
| /system note | |
| set show-at-login=no | |
| /system ntp client | |
| set enabled=yes | |
| /system ntp client servers | |
| add address=1.pool.ntp.org | |
| add address=2.pool.ntp.org |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment