Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
RouterOS / MikroTik router configuration export to connect to the Orange/Sosh Livebox 4 fiber ONT (IPv4 + IPv6)
# jan/13/2020 08:34:56 by RouterOS 6.46.1
# notes: \
# - wan to orange ont on ether1; \
# - lan to ap/switch on ether2; \
# - ipv4 + ipv6 w/ fw rules; \
# - using routeros dns cache for lan, proxying to the dns servers advertised by orange's dhcpv4 server; \
# - direct plug your computer w/ wireshark to your livebox 4 fiber ethernet port and reboot it, inspect the dhcpv4 packat in wireshark and extract the value of 'authsend'; \
# - the cos tag needs to be set to 6 to be accepted by the ont dhcpv4/v6 server (from default 0), this may not be required depending on your ont, check for the cos flag sent by your livebox 4 when sniffing its traffic
# model = RB750Gr3
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge-lan protocol-mode=none
add name=bridge-wan protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan speed=1Gbps
set [ find default-name=ether2 ] name=ether2-lan speed=1Gbps
set [ find default-name=ether3 ] disabled=yes name=ether3-noop speed=1Gbps
set [ find default-name=ether4 ] disabled=yes name=ether4-noop speed=1Gbps
set [ find default-name=ether5 ] disabled=yes name=ether5-noop speed=1Gbps
/interface vlan
add comment="ONT Internet" interface=ether1-wan name=vlan832-internet vlan-id=832
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip dhcp-client option
add code=77 name=userclass value=0x2b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e4c697665626f7834
add code=60 name=vendor-class-identifier value=0x736167656d
/ip pool
add name=dhcp-lan ranges=
/ip dhcp-server
add address-pool=dhcp-lan disabled=no interface=bridge-lan lease-time=1w name=defconf
/ipv6 dhcp-client option
add code=15 name=userclass value=0x002b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e6c697665626f7834
add code=16 name=vendor-class-identifier value=0x0000040e0005736167656d
/queue interface
set ether1-wan queue=ethernet-default
set ether2-lan queue=ethernet-default
set ether3-noop queue=ethernet-default
set ether4-noop queue=ethernet-default
set ether5-noop queue=ethernet-default
/interface bridge filter
add action=set-priority chain=output comment="CoS should be 6 for Orange DHCPv4" dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-interface=vlan832-internet passthrough=yes
add action=set-priority chain=output dst-port=547 ip-protocol=udp mac-protocol=ipv6 new-priority=6 out-interface=vlan832-internet
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2-lan
add bridge=bridge-lan comment=defconf disabled=yes interface=ether3-noop
add bridge=bridge-lan comment=defconf disabled=yes interface=ether4-noop
add bridge=bridge-lan comment=defconf disabled=yes interface=ether5-noop
add bridge=bridge-wan interface=vlan832-internet
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes
/interface list member
add comment=defconf interface=ether1-wan list=WAN
add comment=defconf interface=bridge-lan list=LAN
/ip address
add address= comment=defconf interface=bridge-lan network=
/ip cloud
set update-time=no
/ip dhcp-client
add dhcp-options=vendor-class-identifier,clientid,userclass,authsend disabled=no interface=bridge-wan
/ip dhcp-server network
add address= comment=defconf dns-server= domain=home gateway= netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=200 max-concurrent-tcp-sessions=50 query-server-timeout=3s
/ip dns static
add address= name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT LAN to WAN" out-interface=bridge-wan
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-wan type=external
add interface=bridge-lan type=internal
/ipv6 address
add address=::1 from-pool=dhcp-wan interface=bridge-lan
/ipv6 dhcp-client
add add-default-route=yes dhcp-options=authsend,userclass,vendor-class-identifier interface=bridge-wan pool-name=dhcp-wan request=prefix
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input protocol=icmpv6
add action=accept chain=input dst-port=546 in-interface=bridge-wan protocol=udp src-address=fe80::ba0:bab/128
add action=drop chain=input
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward protocol=icmpv6
add action=drop chain=forward
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=Europe/Paris
/system identity
set name="MikroTik Router"
/system note
set note="XXX XXX <> - Authorized administrators only. Access to this device is monitored."
/system ntp client
set enabled=yes,,,
/system resource irq rps
set ether1-wan disabled=no
set ether2-lan disabled=no
set ether3-noop disabled=no
set ether4-noop disabled=no
set ether5-noop disabled=no
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

This comment has been minimized.

Copy link
Owner Author

@valeriansaliou valeriansaliou commented Jan 15, 2020

My setup is as follows:

  • Sosh (by Orange) fiber subscription, 300Mbps symmetric;
  • Orange ONT (Huawei), plugged on the MikroTik router eth1 port;
  • MikroTik RB750Gr3:;
  • RouterOS version v6.46.1 on the MikroTik (older versions may not work with IPv6, due to the DHCPv6 client);
  • Apple Time Capsule Gen 4 used in bridge mode as a switch + WiFi AP, plugged on the MikroTik router eth2 port;
  • Eaton 550VA ~300W UPS.

Requirements before setup:

  • Livebox 4 (not in use in final setup, but please get this configured and working first with your fti/ ; you'll need it to sniff its DHCPv4 authentication traffic with the ONT in order to get the hex-encoded credentials sent in authsend by your final Mikrotik router).


  • Replace the Livebox 4 with my own router, get it to work with both IPv4 and IPv6.

Notes on the configuration example provided:

  • Make sure you replace all "XX", "XXX" and "XXXXXXX..." sequences.
  • Also, user / password configuration is not included, so please configure your RouterOS user first w/ a secure password.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment