# dec/29/2022 10:48:03 by RouterOS 7.6 | |
# model = RB3011UiAS | |
# Export of a RouterOS 7.6 RB3011 configuration: five VLANs (main, kids, guest,
# iot, work) served over CAPsMAN, a WireGuard tunnel used for selective policy
# routing, and the defconf-derived firewall. /export prints only non-default
# values, and no WPA passphrases or private keys appear below, consistent with a
# sensitive-hiding export; anything not listed is at its factory default.
/caps-man channel | |
# 2.4 GHz: the three non-overlapping channels (1/6/11), 20 MHz, no extension channel.
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \ | |
frequency=2412 name=channel1 | |
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \ | |
frequency=2437 name=channel6 | |
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \ | |
frequency=2462 name=channel11 | |
# 5 GHz: band only, no fixed frequency. Note that none of these channel entries is
# referenced by a /caps-man configuration in this export (no channel= field there),
# so they are unused unless assigned outside this file.
add band=5ghz-a/n/ac name=5ghz | |
/interface bridge | |
# Single bridge with a fixed admin MAC (defconf). vlan-filtering is not set on the
# bridge, so VLAN separation relies on the switch-chip VLAN table
# (/interface ethernet switch port / vlan below), not on bridge VLAN filtering.
add admin-mac=18:FD:74:B3:0A:7D auto-mac=no comment=defconf name=bridge | |
/interface ethernet | |
# PoE output disabled on ether10, the port CAPsMAN listens on
# (/caps-man manager interface) and the only port carrying VLANs 102-105.
set [ find default-name=ether10 ] poe-out=off | |
/interface wireguard | |
# WireGuard listener; UDP/13231 is opened in the input chain of /ip firewall filter.
add listen-port=13231 mtu=1420 name=wireguard1 | |
/interface vlan | |
# One 802.1Q sub-interface per network (101-105) on top of the bridge; these carry
# the router's own addresses (/ip address) and the per-VLAN DHCP servers.
add interface=bridge name=vlan1-main vlan-id=101 | |
add interface=bridge name=vlan2-kids vlan-id=102 | |
add interface=bridge name=vlan3-guest vlan-id=103 | |
add interface=bridge name=vlan4-iot vlan-id=104 | |
add interface=bridge name=vlan5-work vlan-id=105 | |
/caps-man datapath | |
# Each datapath tags client traffic with its VLAN (vlan-mode=use-tag) and hands it
# to the bridge. Guest (103) and IoT (104) leave client-to-client-forwarding at its
# default, so clients on those SSIDs are presumably not forwarded to each other at
# the AP (default value not shown by the export — confirm on the device).
add bridge=bridge client-to-client-forwarding=yes name=datapath1 vlan-id=101 \ | |
vlan-mode=use-tag | |
add bridge=bridge client-to-client-forwarding=yes name=datapath2 vlan-id=102 \ | |
vlan-mode=use-tag | |
add bridge=bridge name=datapath3 vlan-id=103 vlan-mode=use-tag | |
add bridge=bridge name=datapath4 vlan-id=104 vlan-mode=use-tag | |
add bridge=bridge client-to-client-forwarding=yes name=datapath5 vlan-id=105 \ | |
vlan-mode=use-tag | |
/caps-man security | |
# All five profiles are identical apart from the (hidden) passphrase.
# NOTE(review): authentication-types=wpa-psk,wpa2-psk still accepts WPA1-PSK
# association on every SSID, including main and work; encryption=aes-ccm avoids
# TKIP, but the WPA1 handshake itself remains allowed. Keeping only wpa2-psk is the
# usual hardening unless a specific legacy device needs WPA1.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\ | |
security-main | |
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\ | |
security-kids | |
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\ | |
security-guest | |
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\ | |
security-iot | |
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\ | |
security-work | |
/caps-man configuration | |
# SSID -> datapath (VLAN) -> security profile mapping. main and work have a
# separate 5 GHz profile (cfg1-5ghz, cfg5-work-5ghz); note that neither 5 GHz
# profile is referenced by the single /caps-man provisioning rule below, so in this
# export only cfg1 and the four slave profiles are actually provisioned.
add country=finland datapath=datapath1 mode=ap name=cfg1 security=\ | |
security-main ssid=mt | |
add country=finland datapath=datapath1 name=cfg1-5ghz security=security-main \ | |
ssid=mt-5g | |
add country=finland datapath=datapath2 mode=ap name=cfg2-kids security=\ | |
security-kids ssid=mt-kids | |
add country=finland datapath=datapath3 name=cfg3-guest security=\ | |
security-guest ssid=mt-guest | |
add country=finland datapath=datapath4 name=cfg4-iot security=security-iot \ | |
ssid=mt-iot | |
add country=finland datapath=datapath5 mode=ap name=cfg5-work security=\ | |
security-work ssid=mt-work | |
add country=finland datapath=datapath5 name=cfg5-work-5ghz security=\ | |
security-work ssid=mt-work-5g | |
/interface ethernet switch port | |
# Switch-chip VLAN enforcement. Ports 1-8 are access ports: ingress untagged
# frames go to VLAN 101 and egress is always stripped. Port 9 keeps tags and only
# adds 101 when missing — presumably ether10 (index 0 = ether1), which matches the
# VLAN table below carrying 101-105 on ether10; confirm the index mapping with
# /interface ethernet switch port print. vlan-mode=secure limits forwarding to VLANs
# present in /interface ethernet switch vlan. Port 0 (ether1, WAN) is left alone.
set 1 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure | |
set 2 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure | |
set 3 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure | |
set 4 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure | |
set 5 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure | |
set 6 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure | |
set 7 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure | |
set 8 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure | |
set 9 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=secure | |
set 10 vlan-mode=secure | |
set 11 vlan-mode=secure | |
/interface list | |
# WAN/LAN lists drive the firewall (in-interface-list), neighbor discovery and the
# MAC-server scope; membership is set in /interface list member.
add comment=defconf name=WAN | |
add comment=defconf name=LAN | |
/interface lte apn | |
# Default LTE APN pinned to IPv4; no LTE interface is configured elsewhere in this
# export, so this is inert unless a modem is attached.
set [ find default=yes ] ip-type=ipv4 use-network-apn=no | |
/interface wireless security-profiles | |
# Default local wireless profile; no wireless interface appears in this export, so
# it is effectively unused here (CAPsMAN profiles are under /caps-man security).
set [ find default=yes ] supplicant-identity=MikroTik | |
/ip pool | |
# default-dhcp (192.168.88.x) is leftover defconf: no DHCP server below uses it and
# no 192.168.88.0/24 address exists in /ip address. Safe to remove.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254 | |
# One pool per VLAN, .10-.254; .1 is the router, .2-.9 are free for static hosts.
add name=vlan1-main-pool ranges=10.1.1.10-10.1.1.254 | |
add name=vlan2-kids-pool ranges=10.1.2.10-10.1.2.254 | |
add name=vlan3-guest-pool ranges=10.1.3.10-10.1.3.254 | |
add name=vlan4-iot-pool ranges=10.1.4.10-10.1.4.254 | |
add name=vlan5-work-pool ranges=10.1.5.10-10.1.5.254 | |
/ip dhcp-server | |
# One DHCP server per VLAN interface; IoT gets an explicit ~24h lease, the others
# keep the default lease time.
add address-pool=vlan1-main-pool interface=vlan1-main name=dhcp-vlan1-main | |
add address-pool=vlan2-kids-pool interface=vlan2-kids name=dhcp-vlan2-kids | |
add address-pool=vlan3-guest-pool interface=vlan3-guest name=dhcp-vlan3-guest | |
add address-pool=vlan4-iot-pool interface=vlan4-iot lease-time=23h59m name=\ | |
dhcp-vlan4-iot | |
add address-pool=vlan5-work-pool interface=vlan5-work name=dhcp-vlan5-work | |
/port | |
set 0 name=serial0 | |
/routing table | |
# vpn1 table (with its own FIB) receives the traffic marked in /ip firewall mangle;
# its only route is the default via wireguard1 in /ip route.
add disabled=no fib name=vpn1 | |
/caps-man manager | |
# CAPsMAN enabled with auto-generated CA and certificate; CAP registrations are
# expected on ether10 (next section).
set ca-certificate=auto certificate=auto enabled=yes | |
/caps-man manager interface | |
add disabled=no interface=ether10 | |
/caps-man provisioning | |
# Single rule: master SSID cfg1 (mt) plus the kids/guest/iot/work slaves, one
# dynamic interface per profile, named cap-<identity>. cfg1-5ghz and
# cfg5-work-5ghz are not referenced here.
add action=create-dynamic-enabled master-configuration=cfg1 name-format=\ | |
prefix-identity name-prefix=cap slave-configurations=\ | |
cfg2-kids,cfg3-guest,cfg4-iot,cfg5-work | |
/interface bridge port | |
# ether2-ether10 and sfp1 are bridge members with ingress-filtering=no and no pvid:
# the bridge does no VLAN filtering itself; tagging/untagging is done by the switch
# chip (/interface ethernet switch port and switch vlan). ether1 (WAN) is not a
# member.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 | |
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 | |
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 | |
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 | |
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 | |
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 | |
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 | |
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 | |
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 | |
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 | |
/ip neighbor discovery-settings | |
# Neighbor discovery (MNDP/CDP/LLDP) answered only on LAN-list interfaces.
set discover-interface-list=LAN | |
/ip settings | |
set max-neighbor-entries=8192 | |
/ipv6 settings | |
# IPv6 disabled entirely; the firewall below is IPv4-only, which is consistent.
set disable-ipv6=yes max-neighbor-entries=8192 | |
/interface ethernet switch vlan | |
# Switch VLAN table. VLAN 101 (main) spans the access ports and the CPU port on
# both switch chips; VLANs 102-105 exist only on ether10 (switch2), i.e. the trunk
# towards the CAP.
# NOTE(review): the 102-105 entries list ether10 but not switch2-cpu, unlike the
# 101 entries. If those VLANs are meant to reach the router's vlan2..vlan5
# interfaces (DHCP, gateway), confirm on the device that the CPU port does not also
# need to be a member of each entry.
add independent-learning=yes ports=\ | |
ether6,ether7,ether8,ether9,ether10,switch2-cpu switch=switch2 vlan-id=\ | |
101 | |
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu \ | |
switch=switch1 vlan-id=101 | |
add independent-learning=no ports=ether10 switch=switch2 vlan-id=102 | |
add independent-learning=no ports=ether10 switch=switch2 vlan-id=103 | |
add independent-learning=no ports=ether10 switch=switch2 vlan-id=104 | |
add independent-learning=no ports=ether10 switch=switch2 vlan-id=105 | |
/interface list member | |
# All five VLAN interfaces and the bridge are in LAN, so every VLAN — guest and IoT
# included — passes the input-chain "drop all not coming from LAN" rule and can
# reach the router's own services; per-VLAN restriction has to come from elsewhere.
add comment=defconf interface=bridge list=LAN | |
add comment=defconf interface=ether1 list=WAN | |
add interface=vlan1-main list=LAN | |
add interface=vlan3-guest list=LAN | |
add interface=vlan4-iot list=LAN | |
add interface=vlan5-work list=LAN | |
add interface=vlan2-kids list=LAN | |
/interface ovpn-server server | |
# NOTE(review): md5 is accepted as an HMAC auth digest here. The OVPN server is
# not enabled in this export (no enabled=yes), so this is inert today, but md5
# should be removed from the list before the server is ever turned on.
set auth=sha1,md5 | |
/interface wireguard peers | |
# Single remote peer. allowed-address includes 0.0.0.0/0, so this peer is both the
# default-route next hop for the vpn1 table and permitted to send packets with any
# source address into the router. endpoint-address (a.b.c.d) and the public-key
# (not a 44-character base64 key) are placeholders in this published copy.
add allowed-address=172.21.119.1/32,0.0.0.0/0 endpoint-address=a.b.c.d \ | |
endpoint-port=13231 interface=wireguard1 persistent-keepalive=25s \ | |
public-key="hjwsdgjhgwdkgfljwdhgfjlhwegjlhglsdkjhvlksadhvls=" | |
/ip address | |
# Router is .1 on every VLAN and 172.21.119.201/24 on the WireGuard tunnel (the
# "admins" address-list covers that /24).
add address=10.1.1.1/24 interface=vlan1-main network=10.1.1.0 | |
add address=10.1.2.1/24 interface=vlan2-kids network=10.1.2.0 | |
add address=10.1.3.1/24 interface=vlan3-guest network=10.1.3.0 | |
add address=10.1.4.1/24 interface=vlan4-iot network=10.1.4.0 | |
add address=10.1.5.1/24 interface=vlan5-work network=10.1.5.0 | |
add address=172.21.119.201/24 interface=wireguard1 network=172.21.119.0 | |
/ip dhcp-client | |
# WAN address (and presumably the main-table default route) from the ISP on ether1.
add comment=defconf interface=ether1 | |
/ip dhcp-server lease | |
# Static lease for the CAP at 10.1.1.10 (matched by the "CAP to CAPSMAN" input
# rule in /ip firewall filter).
add address=10.1.1.10 client-id=1:74:4d:28:76:2d:ad mac-address=\ | |
74:4D:28:76:2D:AD server=dhcp-vlan1-main | |
/ip dhcp-server network | |
# Per-VLAN DHCP options. main/guest/iot use the router as DNS (and main also as
# NTP); kids gets Cloudflare for Families (1.1.1.3/1.0.0.3); work gets 1.1.1.1.
# NOTE(review): the 10.1.5.0/24 entry hands out gateway=192.168.5.1, which is not
# inside that subnet; the router's vlan5-work address is 10.1.5.1 (/ip address), so
# this looks like a typo and work-VLAN DHCP clients would receive an unreachable
# default gateway.
add address=10.1.1.0/24 dns-server=10.1.1.1 gateway=10.1.1.1 ntp-server=\ | |
10.1.1.1 | |
add address=10.1.2.0/24 comment="Cloudflare DNS for families" dns-server=\ | |
1.1.1.3,1.0.0.3 gateway=10.1.2.1 | |
add address=10.1.3.0/24 dns-server=10.1.3.1 gateway=10.1.3.1 | |
add address=10.1.4.0/24 dns-server=10.1.4.1 gateway=10.1.4.1 | |
add address=10.1.5.0/24 comment="work network / external cloudflare DNS" \ | |
dns-server=1.1.1.1 gateway=192.168.5.1 | |
/ip dns | |
# The router resolves DNS for clients. There is no dedicated DNS firewall rule; the
# resolver is kept off the WAN only by the input-chain "drop all not coming from
# LAN" rule in /ip firewall filter.
set allow-remote-requests=yes | |
/ip dns static | |
# Leftover defconf: 192.168.88.1 is not an address of this router in this export.
add address=192.168.88.1 comment=defconf name=router.lan | |
/ip firewall address-list | |
# vpn1-client: LAN hosts whose traffic is policy-routed through WireGuard (the
# laptop entry is disabled). mt-local: every VLAN, used to keep local traffic out
# of the VPN mark. admins: the WireGuard subnet. iot_devices: the IoT VLAN.
add address=10.1.1.254 comment=laptop-p14 disabled=yes list=vpn1-client | |
add address=10.1.0.0/16 list=mt-local | |
add address=10.1.1.253 list=vpn1-client | |
add address=172.21.119.0/24 comment="vpn users" list=admins | |
add address=10.1.4.0/24 list=iot_devices | |
/ip firewall filter | |
# Rules are evaluated in order. The two wireguard1 accepts sit ahead of every
# connection-state check.
# NOTE(review): input from wireguard1 is accepted unconditionally, which together
# with the peer's allowed-address=0.0.0.0/0 gives the remote WireGuard peer access
# to every router service from any source address. That matches the "admins" use
# case, but narrowing it (src-address-list=admins, or the specific management
# ports) would limit the impact of a compromised peer.
add action=accept chain=forward in-interface=wireguard1 | |
add action=accept chain=input in-interface=wireguard1 | |
# defconf input chain: established first, drop invalid (logged), ICMP, CAPsMAN
# loopback traffic, then the CAP itself (10.1.1.10, all ports), WireGuard on
# UDP/13231 from anywhere (the only service opened to WAN), and finally drop
# everything not arriving from a LAN-list interface.
add action=accept chain=input comment=\ | |
"defconf: accept established,related,untracked" connection-state=\ | |
established,related,untracked | |
add action=drop chain=input comment="defconf: drop invalid" connection-state=\ | |
invalid log=yes log-prefix="DROP INVALID" | |
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp | |
add action=accept chain=input comment=\ | |
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \ | |
log=yes log-prefix="CAP TRAFFIC" | |
add action=accept chain=input comment="CAP to CAPSMAN" log=yes log-prefix=\ | |
"ACCEPT CAP" src-address=10.1.1.10 | |
add action=accept chain=input comment="Accept wireguard" dst-port=13231 \ | |
protocol=udp | |
add action=drop chain=input comment="defconf: drop all not coming from LAN" \ | |
in-interface-list=!LAN log=yes log-prefix="DROP / not from LAN" | |
# defconf forward chain: IPsec policies, fasttrack + accept for established
# traffic, admins -> IoT, drop invalid, drop unsolicited new connections from WAN.
# NOTE(review): there is no inter-VLAN isolation and no final drop: the
# admins->iot_devices accept is the only per-network rule, so new connections
# between guest, kids, iot, work and main are allowed by the chain's default
# accept. If the VLANs are meant to be segregated, add the corresponding drop rules
# (e.g. from iot_devices/guest to mt-local) after the established/related accept,
# or end the chain with an explicit drop. The four drop rules log every hit with no
# rate limit, which can get noisy from the WAN side.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \ | |
ipsec-policy=in,ipsec | |
add action=accept chain=forward comment="defconf: accept out ipsec policy" \ | |
ipsec-policy=out,ipsec | |
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ | |
connection-state=established,related hw-offload=yes | |
add action=accept chain=forward comment=\ | |
"defconf: accept established,related, untracked" connection-state=\ | |
established,related,untracked | |
add action=accept chain=forward dst-address-list=iot_devices \ | |
src-address-list=admins | |
add action=drop chain=forward comment="defconf: drop invalid" \ | |
connection-state=invalid log=yes log-prefix="DROP INVALID 2" | |
add action=drop chain=forward comment=\ | |
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ | |
connection-state=new in-interface-list=WAN log=yes log-prefix="DROP LAST" | |
/ip firewall mangle | |
# Policy routing: every packet from a vpn1-client host to a destination outside
# mt-local gets routing-mark vpn1 (looked up in table vpn1 -> wireguard1).
add action=mark-routing chain=prerouting dst-address-list=!mt-local \ | |
new-routing-mark=vpn1 passthrough=yes src-address-list=vpn1-client | |
/ip firewall nat | |
# Masquerade on WAN only for unmarked traffic. vpn1-marked traffic leaves via
# wireguard1 with its 10.1.x source address un-NATed (no srcnat rule for the
# tunnel), so the remote peer must accept and route that source back.
add action=masquerade chain=srcnat comment="defconf: masquerade" \ | |
ipsec-policy=out,none out-interface-list=WAN routing-mark=!vpn1 | |
/ip route | |
# Default route in table vpn1 via the tunnel; the main table presumably keeps the
# DHCP-learned WAN gateway from ether1.
add gateway=wireguard1 routing-table=vpn1 | |
/ip service | |
# telnet/ftp/winbox disabled, HTTPS enabled with the ServerCA certificate.
# NOTE(review): services not listed here (www, ssh, api, api-ssl) are at their
# defaults — verify with /ip service print — and none carries an address=
# restriction, so whatever is enabled is reachable from every LAN-list VLAN, guest
# and IoT included (the input chain accepts all of LAN). Restricting address= to
# the management networks, or disabling the unused ones, is the usual fix.
set telnet disabled=yes | |
set ftp disabled=yes | |
set www-ssl certificate=ServerCA disabled=no | |
set winbox disabled=yes | |
/lcd | |
set time-interval=daily | |
/routing rule | |
# vpn1-marked packets are looked up only in table vpn1 with no fallback to main,
# so if the tunnel route is absent that traffic is dropped rather than leaking out
# the WAN — presumably a deliberate kill-switch.
add action=lookup-only-in-table disabled=no routing-mark=vpn1 table=vpn1 | |
/system clock | |
set time-zone-name=Europe/Helsinki | |
/system identity | |
set name=MT-RB3011 | |
/system ntp client | |
# NTP client against the Finnish pool below; the router also serves NTP (including
# multicast) to the LAN, matching ntp-server=10.1.1.1 handed out on the main VLAN.
set enabled=yes | |
/system ntp server | |
set enabled=yes multicast=yes | |
/system ntp client servers | |
add address=0.fi.pool.ntp.org | |
add address=1.fi.pool.ntp.org | |
add address=2.fi.pool.ntp.org | |
add address=3.fi.pool.ntp.org | |
/tool mac-server | |
# MAC-telnet and MAC-winbox limited to LAN-list interfaces, which includes every
# VLAN (see /interface list member); note the winbox IP service itself is disabled.
set allowed-interface-list=LAN | |
/tool mac-server mac-winbox | |
set allowed-interface-list=LAN |