[MikroTik-apparatuur] Ervaringen & Discussie

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 \
    out-interface-list=LAN src-address=192.168.88.0/24

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 \
    dst-address-type=local dst-port=80,443 protocol=tcp \
    to-addresses=192.168.88.123

/ip/firewall/nat
add action=masquerade chain=srcnat comment="Hairpin, srcnat" dst-address=192.168.88.10 out-interface-list=LAN protocol=tcp \
    src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Hairpin NAT 22, dst" dst-address-list=externalip dst-port=22 in-interface-list=LAN \
    protocol=tcp to-addresses=192.168.88.10

/ip dhcp-client
add interface=ether1.100 script=":if (\$bound=1) do={\r\
    \n    /system script run ipv4check\r\
    \n}"

:local oldip [/ip firewall address-list get [find list="externalip"] address];
:local newip [/ip address get [find interface="ether1.100"] address];
:local newip [:pick $newip 0 [:find $newip "/"]];

:if ($newip != $oldip) do={
    :put "ip address $old changed to $newip";
    /ip firewall address-list set [find list="externalip"] address=$newip
}

# 2024-01-17 23:23:31 by RouterOS 7.13.2
# software id = JK68-FPXY
#
# model = RB4011iGS+5HacQ2HnD
/caps-man channel
add band=5ghz-a/n/ac extension-channel=Ceee frequency=5180,5260,5500 name=5g
add band=2ghz-b/g/n extension-channel=XX frequency=2412,2432,2472 name=2g
/interface bridge
add arp=proxy-arp igmp-snooping=yes name=bridge-local port-cost-mode=short \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp l2mtu=1598 loop-protect=off \
    name=ether1-gateway
set [ find default-name=ether2 ] l2mtu=1598
/interface wireless
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac/DP(20dBm)+5630/80/DP(24dBm), SSID: H369A820BA5, local forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=netherlands disabled=no frequency=auto mode=\
    ap-bridge radio-name=B869F4BE9F4B skip-dfs-channels=all ssid=H369A820BA5 \
    station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: H369A820BA5, local forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=netherlands disabled=no mode=ap-bridge ssid=H369A820BA5 \
    station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface wireless nstreme
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac/DP(20dBm)+5630/80/DP(24dBm), SSID: H369A820BA5, local forwarding
set wlan1 enable-polling=no
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: H369A820BA5, local forwarding
set wlan2 enable-polling=no
/interface vlan
add interface=ether1-gateway name=vlan1.4 vlan-id=4
add interface=ether1-gateway name=vlan1.6 vlan-id=6
/caps-man datapath
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=yes \
    name=BridgeDP
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=Draadloos
/caps-man configuration
add channel=5g datapath=BridgeDP distance=indoors name="5ghz Config" \
    security=Draadloos ssid=H369A820BA5
add channel=2g datapath=BridgeDP distance=indoors name="2.4ghz Config" \
    security=Draadloos ssid=H369A820BA5
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip dhcp-server option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
add code=28 name=option28-broadcast value="'192.168.2.255'"
/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast
/ip pool
add name=dhcp ranges=192.168.2.40-192.168.2.99
/ip dhcp-server
add address-pool=dhcp interface=bridge-local lease-time=1h30m name=dhcp-thuis
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add name=default-ipv6 only-one=yes remote-ipv6-prefix-pool=*0 \
    use-compression=yes use-upnp=no
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=vlan1.6 \
    keepalive-timeout=20 max-mru=1500 max-mtu=1500 name=pppoe profile=\
    default-ipv6 user=88-D2-74-82-0B@internet
/routing bgp template
set default disabled=yes output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/user group
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
    !write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/caps-man manager
# bad package path
set enabled=yes package-path=/upgrade upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=a,ac,an \
    master-configuration="5ghz Config" name-format=prefix name-prefix=WifiAP
add action=create-dynamic-enabled hw-supported-modes=b,gn \
    master-configuration="2.4ghz Config" name-format=prefix name-prefix=\
    WifiAP
/interface bridge port
add bridge=bridge-local ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=wlan2 \
    internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add interface=ether1-gateway list=WAN
add interface=bridge-local list=LAN
add interface=vlan1.6 list=WAN
add interface=vlan1.4 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.2.1/24 interface=bridge-local network=192.168.2.0
/ip dhcp-client
add add-default-route=special-classless default-route-distance=210 \
    dhcp-options=option60-vendorclass disabled=yes interface=vlan1.4 \
    use-peer-dns=no use-peer-ntp=no
add interface=ether1-gateway
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server lease
add address=192.168.2.10 allow-dual-stack-queue=no comment="Decoder 1" \
    dhcp-option-set=IPTV disabled=yes mac-address=00:02:9B:DF:46:97 server=\
    dhcp-thuis
add address=192.168.2.20 client-id=1:e0:3f:49:14:5c:b4 mac-address=\
    E0:3F:49:14:5C:B4 server=dhcp-thuis
add address=192.168.2.11 client-id=1:1c:5a:6b:f6:16:d5 comment="TV Woonkamer" \
    mac-address=1C:5A:6B:F6:16:D5 server=dhcp-thuis
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.3 domain=thuis.local gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    208.67.222.222,208.67.220.220
/ip dns static
add address=127.0.0.1 regexp="[.](local)"
add address=127.0.0.1 regexp="[.](test)"
/ip firewall address-list
add address=213.75.112.0/21 list=KPN-RoutedIPTV
add address=217.166.0.0/16 list=KPN-RoutedIPTV
add address=10.142.64.0/18 list=KPN-RoutedIPTV
add address=84.247.8.94 comment=SRV03 list=Servers
add address=149.210.171.142 comment=SRV02 list=Servers
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related disabled=yes hw-offload=yes
add action=reject chain=forward disabled=yes in-interface=ether1-gateway \
    protocol=tcp reject-with=icmp-port-unreachable
add action=reject chain=forward disabled=yes in-interface=ether1-gateway \
    protocol=udp reject-with=icmp-port-unreachable
add action=accept chain=input connection-state=established,related disabled=\
    yes
add action=accept chain=input connection-state=related disabled=yes
add action=accept chain=input disabled=yes in-interface=ether1-gateway \
    protocol=igmp
add action=accept chain=input disabled=yes in-interface=vlan1.4 protocol=udp
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input in-interface=pppoe protocol=icmp
add action=accept chain=input disabled=yes dst-address=224.0.0.0/8 protocol=\
    igmp
add action=accept chain=input disabled=yes dst-address=224.0.0.0/8 \
    in-interface=vlan1.4 protocol=igmp
add action=accept chain=input disabled=yes dst-address=224.0.0.0/8 \
    in-interface=vlan1.4 protocol=udp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface=vlan1.4 protocol=udp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Needed for internet" \
    out-interface=pppoe src-address=192.168.0.0/16 to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=yes dst-address-list=\
    KPN-RoutedIPTV out-interface=vlan1.4
add action=masquerade chain=srcnat dst-address=192.168.2.3 out-interface=\
    bridge-local protocol=tcp src-address=192.168.2.0/24
add action=dst-nat chain=dstnat dst-address=77.164.153.69 dst-port=443 \
    protocol=tcp to-addresses=192.168.2.3 to-ports=443
add action=dst-nat chain=dstnat dst-address=77.164.153.69 dst-port=80 \
    protocol=tcp to-addresses=192.168.2.3 to-ports=80
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set cache-entries=4k
/ip upnp
set enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe type=external
/ipv6 address
# duplicate address detected
add from-pool=*0 interface=bridge-local
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe pool-name=*0 pool-prefix-length=48 \
    request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
add advertise-mac-address=no hop-limit=64 interface=bridge-local
/routing bfd configuration
add disabled=no
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=217.166.0.0/16,213.75.0.0/16,10.29.0.0/18 interface=\
    vlan1.4 upstream=yes
add interface=bridge-local
/system clock
set time-zone-name=Europe/Amsterdam
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system note
set show-at-login=no
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# 2024-01-23 15:39:16 by RouterOS 7.13.2
# software id = 
#
/caps-man channel
add control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 name="2.4 ghz"
add control-channel-width=20mhz extension-channel=disabled frequency=5500,5520,5540,5560,5580,5600,5620,5640,5660,5680,5700,5720,5745,5765,5785,5805,5825,5845,5865 name=5ghz
/interface bridge
add name=bridge1 port-cost-mode=short protocol-mode=none
add comment="Guest Network" name=bridge2 port-cost-mode=short protocol-mode=none
add comment="Guest Network NIC 2" name=local port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/caps-man interface
add configuration.country=belgium .installation=indoor disabled=no mac-address=00:00:00:00:00:00 master-interface=none name=WIFIMGMT radio-mac=00:00:00:00:00:00 radio-name=""
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=yes comment="PROD Network" local-forwarding=yes name=datapath1
add bridge=bridge1 client-to-client-forwarding=yes comment="Guest Network" local-forwarding=yes name=datapath2
/caps-man rates
add basic=6Mbps,12Mbps,24Mbps name=Rate supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa-psk,wpa2-psk comment="Normal Config wifi *knip*" name="wifi *knip* PROD"
add authentication-types=wpa-psk,wpa2-psk comment="wifi *knip* Guest" encryption="" name="wifi Guest"
/caps-man configuration
add channel="2.4 ghz" comment="WIFI *knip*" country=belgium datapath=datapath1 distance=dynamic installation=any mode=ap multicast-helper=full name="Wifi *knip* 2,4 Ghz" rates=Rate security="wifi *knip* PROD" ssid=*knip*
add channel=5ghz comment="WIFI 5 Ghz" country=belgium datapath=datapath1 distance=dynamic installation=any mode=ap multicast-helper=full name="WIFI 5 Ghz" rates=Rate security="wifi *knip* PROD" ssid=*knip*
add channel="2.4 ghz" country=belgium datapath=datapath1 installation=any multicast-helper=full name=Guest24 rates=Rate security="wifi Guest" ssid=Guest_*knip*
add channel=5ghz country=belgium datapath=datapath1 installation=any mode=ap multicast-helper=full name=Guest5 rates=Rate security="wifi Guest" ssid=Guest_*knip*
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.2.3-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge2 lease-time=8h name=dhcp1 relay=192.168.2.1 server-address=192.168.2.2
/port
set 0 name=serial0
set 1 name=serial1
/snmp community
set [ find default=yes ] name=ZXj6y7mee91ew0 write-access=yes
/caps-man access-list
add action=reject allow-signal-out-of-range=10s comment=XboxOne disabled=no mac-address=2C:54:91:67:C2:9D signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject allow-signal-out-of-range=10s comment="Iphone Adrea" disabled=no mac-address=70:31:7F:DE:69:2E signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject allow-signal-out-of-range=10s comment="Iphone Tanya" disabled=no mac-address=5C:50:D9:B1:94:58 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject allow-signal-out-of-range=10s comment=Chromecast disabled=no mac-address=AC:67:84:42:EC:69 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=2A:E8:9F:C2:FE:C9 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment="Wifi 2,4 Ghz" hw-supported-modes=gn,g master-configuration="Wifi *knip* 2,4 Ghz" slave-configurations=Guest24
add action=create-dynamic-enabled comment="Wifi 5 Ghz" hw-supported-modes=ac,an,a master-configuration="WIFI 5 Ghz" slave-configurations=Guest5
/interface bridge port
add bridge=bridge1 comment="PROD Network" interface=ether1 internal-path-cost=10 path-cost=10
add bridge=local comment="Guest Network" interface=ether2 internal-path-cost=10 path-cost=10
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=172.23.15.233/20 interface=ether1 network=172.23.0.0
add address=192.168.2.2/24 comment=Guest_*knip* interface=ether2 network=192.168.2.0
/ip dhcp-client
add disabled=yes interface=bridge1
/ip dhcp-relay
add dhcp-server=172.23.0.200 disabled=no interface=bridge1 name=poseidon.*knip*-group.com
add dhcp-server=192.168.2.1 disabled=no interface=bridge2 name=Guest_*knip*
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.2.1
/ip dns
set servers=172.23.0.200,172.23.0.210,10.127.0.240
/snmp
set contact="IT *knip*" enabled=yes location="IT *knip*"
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=RouterOs7.*knip*-group.com
/system logging
set 3 action=memory
add topics=system
add topics=wireless,debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address="server 1.be.pool.ntp.org"
add address=pool.ntp.org
/tool e-mail
set from=wifimgmt@*knip*-group.com server=10.127.0.123
/tool graphing interface
add
/tool traffic-monitor
add interface=ether1 name=tmon1

set query-interval=30s query-response-interval=10s quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets="" disabled=no interface=Bridge-LAN threshold=1 \
    upstream=no
add alternative-subnets=10.0.0.0/8,213.75.0.0/16,217.166.0.0/16 disabled=no \
    interface=bridge-wan-vlan4 threshold=1 upstream=yes

# 2024-01-28 10:29:24 by RouterOS 7.14beta7
# software id = XXXXXX
#
# model = L009UiGS
# serial number = XXXXXX
/interface bridge
add admin-mac=XXXXXXX auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface list
add name=LAN
/ip smb smb-user
set [ find default=yes ] read-only=yes
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3 pvid=99
add bridge=bridge interface=ether4 pvid=99
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8 pvid=20
add bridge=bridge interface=sfp1
add bridge=bridge interface=ether1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=14336
/ipv6 settings
set max-neighbor-entries=7168
/interface bridge vlan
add bridge=bridge tagged=ether1,sfp1 untagged=ether4,ether3 vlan-ids=99
add bridge=bridge tagged=ether1,sfp1 vlan-ids=10
add bridge=bridge tagged=ether1,sfp1 untagged=ether8 vlan-ids=20
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=ether8 list=LAN
add interface=ether7 list=LAN
add interface=ether6 list=LAN
/ip dhcp-client
add interface=bridge
/ipv6 nd
add hop-limit=64 interface=bridge
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name="XXXX"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.XX.XX
/system package update
set channel=testing
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

/interface bridge vlan
add bridge=bridge tagged=ether2,sfp1 untagged=ether4,ether3 vlan-ids=99
add bridge=bridge tagged=ether2,sfp1 vlan-ids=10
add bridge=bridge tagged=ether2,sfp1 untagged=ether8 vlan-ids=20

# 2024-02-01 10:23:53 by RouterOS 7.13.3
# software id = RK76-XCNJ
#
# model = CCR2004-16G-2S+
# serial number = HF1090S67E0
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=sfp-sfpplus1 name=Odido_INTA vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=172.10.10.100-172.10.10.254
add name=dhcp_pool1 ranges=172.10.10.100-172.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether1 multicast-router=disabled trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether2 multicast-router=disabled trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether3 internal-path-cost=10 multicast-router=disabled path-cost=10 trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether4 internal-path-cost=10 multicast-router=disabled path-cost=10 trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether5 internal-path-cost=10 multicast-router=disabled path-cost=10 trusted=yes
add bridge=bridge1 interface=ether6 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether7 internal-path-cost=10 multicast-router=disabled path-cost=10 trusted=yes
add bridge=bridge1 interface=ether8 internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge settings
set allow-fast-path=no
/interface detect-internet
set wan-interface-list=all
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
add address=172.10.10.1/24 interface=bridge1 network=172.10.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=Odido_INTA use-peer-ntp=no
/ip dhcp-server lease
add address=172.10.10.2 mac-address=F0:87:56:8C:FB:37 server=dhcp1
add address=172.10.10.40 client-id=1:0:a5:54:ca:48:60 mac-address=00:A5:54:CA:48:60 server=dhcp1
add address=172.10.10.22 client-id=1:24:a4:2c:39:34:16 mac-address=24:A4:2C:39:34:16 server=dhcp1
add address=172.10.10.20 client-id=1:24:a4:2c:39:33:66 mac-address=24:A4:2C:39:33:66 server=dhcp1
add address=172.10.10.21 client-id=1:24:a4:2c:39:33:78 mac-address=24:A4:2C:39:33:78 server=dhcp1
add address=172.10.10.10 client-id=1:0:3:2d:52:89:90 mac-address=00:03:2D:52:89:90 server=dhcp1
add address=172.10.10.3 client-id=1:6c:3c:8c:14:33:57 mac-address=6C:3C:8C:14:33:57 server=dhcp1
add address=172.10.10.41 client-id=1:0:a5:54:ca:48:83 mac-address=00:A5:54:CA:48:83 server=dhcp1
/ip dhcp-server network
add address=172.10.10.0/24 dns-server=172.10.10.1 gateway=172.10.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.10.10.10 name=cdrouter.cpelab.local
/ip firewall address-list
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=192.168.88.0/24 list=Remote_Access
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Odido_INTA
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.nl.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key

/ip firewall
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

/interface detect-internet
set wan-interface-list=all

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=bridge1 list=LAN
add interface=Odido_INTA list=WAN

# 2024-02-01 13:19:53 by RouterOS 7.13.3
# software id = RK76-XCNJ
#
# model = CCR2004-16G-2S+
# serial number = HF1090S67E0
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=ether16 name=Odido_INTA vlan-id=300
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=172.10.10.100-172.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether1 multicast-router=disabled trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether2 multicast-router=disabled trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether3 multicast-router=disabled trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether4 multicast-router=disabled trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether5 multicast-router=disabled trusted=yes
add bridge=bridge1 interface=ether6 trusted=yes
add bridge=bridge1 ingress-filtering=no interface=ether7 multicast-router=disabled trusted=yes
add bridge=bridge1 interface=ether8 trusted=yes
/ip firewall connection tracking
set enabled=yes
/interface list member
add interface=bridge1 list=LAN
add interface=Odido_INTA list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
add address=172.10.10.1/24 interface=bridge1 network=172.10.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=Odido_INTA use-peer-ntp=no
/ip dhcp-server lease
add address=172.10.10.2 mac-address=F0:87:56:8C:FB:37 server=dhcp1
add address=172.10.10.40 client-id=1:0:a5:54:ca:48:60 mac-address=00:A5:54:CA:48:60 server=dhcp1
add address=172.10.10.22 client-id=1:24:a4:2c:39:34:16 mac-address=24:A4:2C:39:34:16 server=dhcp1
add address=172.10.10.20 client-id=1:24:a4:2c:39:33:66 mac-address=24:A4:2C:39:33:66 server=dhcp1
add address=172.10.10.21 client-id=1:24:a4:2c:39:33:78 mac-address=24:A4:2C:39:33:78 server=dhcp1
add address=172.10.10.10 client-id=1:0:3:2d:52:89:90 mac-address=00:03:2D:52:89:90 server=dhcp1
add address=172.10.10.3 client-id=1:6c:3c:8c:14:33:57 mac-address=6C:3C:8C:14:33:57 server=dhcp1
add address=172.10.10.41 client-id=1:0:a5:54:ca:48:83 mac-address=00:A5:54:CA:48:83 server=dhcp1
/ip dhcp-server network
add address=172.10.10.0/24 dns-server=172.10.10.1 domain=cpelab.local gateway=172.10.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.10.10.10 name=cdrouter.cpelab.local
/ip firewall address-list
add address=192.168.0.0/16 disabled=yes list=Bogon
add address=10.0.0.0/8 disabled=yes list=Bogon
add address=172.16.0.0/12 disabled=yes list=Bogon
add address=127.0.0.0/8 disabled=yes list=Bogon
add address=0.0.0.0/8 disabled=yes list=Bogon
add address=169.254.0.0/16 disabled=yes list=Bogon
add address=192.168.88.0/24 disabled=yes list=Remote_Access
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Odido_INTA
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.nl.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key

                status: running
              duration: 1m6s
            tx-current: 956.7Mbps
  tx-10-second-average: 955.1Mbps
      tx-total-average: 921.3Mbps
            rx-current: 876.4Mbps
  rx-10-second-average: 875.9Mbps
      rx-total-average: 906.6Mbps
          lost-packets: 0
           random-data: no
             direction: both
               tx-size: 1500
               rx-size: 1500
      connection-count: 20
        local-cpu-load: 54%
       remote-cpu-load: 53%

  ;;; results can be limited by cpu, note that traffic generation/termination performance might not be representative of forwarding performance
                status: running
              duration: 20s
            tx-current: 951.3Mbps
  tx-10-second-average: 958.4Mbps
      tx-total-average: 939.2Mbps
            rx-current: 449.2Mbps
  rx-10-second-average: 426.5Mbps
      rx-total-average: 579.1Mbps
          lost-packets: 3833
           random-data: yes
             direction: both
               tx-size: 1500
               rx-size: 1500
      connection-count: 20
        local-cpu-load: 97%
       remote-cpu-load: 59%

/interface bridge
add admin-mac=XXXXXXXX auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/interface vlan
add interface=ether1 name=vlan-eth-odido vlan-id=300
add interface=bridge name=vlan-guest vlan-id=99
add interface=bridge name=vlan-lan vlan-id=37
add interface=sfp-sfpplus1 name=vlan-sfp-odido vlan-id=300

/interface bonding
add mode=balance-xor name=bonding-trunk slaves=ether7,ether8

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MAC-SERVER

/ip pool
add name=dhcp-pool-lan ranges=10.13.37.125-10.13.37.240
add name=dhcp-pool-guest ranges=10.13.99.10-10.13.99.254

/ip dhcp-server
add address-pool=dhcp-pool-lan interface=vlan-lan name=dhcp-lan
add address-pool=dhcp-pool-guest interface=vlan-guest name=dhcp-guest

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=37
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=37
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=37
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=37
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=37
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bonding-trunk pvid=37

/interface bridge vlan
add bridge=bridge tagged=bonding-trunk,bridge vlan-ids=37
add bridge=bridge tagged=bonding-trunk,bridge vlan-ids=99

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan-lan list=LAN
add interface=vlan-guest list=LAN
add interface=wireguard list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan-eth-odido list=WAN
add interface=vlan-sfp-odido list=WAN
add interface=bridge list=MAC-SERVER
add interface=vlan-lan list=MAC-SERVER

/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard  private-key="PRIVATEKEY" public-key="yXLIPuGHRWRZHyrsRXocGVMl5Y10sjEbo2tCHPUvIG8="

/interface wireguard peers
add allowed-address=10.13.69.2/32 interface=wireguard preshared-key="PRESHAREDKEY" public-key="GUnQOJhlMKOVQ6aIRzhqyz0FXCktB0Kd3Xo4j4bxyyU="

/ip address
add address=10.13.37.1/24 interface=vlan-lan network=10.13.37.0
add address=10.13.99.1/24 interface=vlan-guest network=10.13.99.0
add address=10.13.69.1/24 interface=wireguard network=10.13.69.0

/ip dhcp-client
add interface=vlan-eth-odido
add interface=vlan-sfp-odido

/ip dhcp-server network
add address=10.13.37.0/24 dns-server=10.13.37.110 gateway=10.13.37.1
add address=10.13.99.0/24 dns-server=1.1.1.1 gateway=10.13.99.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept connection from LAN network" in-interface=vlan-lan
add action=accept chain=input comment="allow WireGuard" dst-port=51820 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=10.13.69.0/24
add action=reject chain=input comment="Reject for internal debugging" in-interface-list=LAN reject-with=icmp-admin-prohibited
add action=drop chain=input comment="defconf: drop all"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow local network(s) to connect to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat
add action=reject chain=forward comment="Reject for internal debugging" in-interface-list=LAN reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop all"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

68
2024-03-16 10:14:20
memory
wireless, info
94:45:60:44:92:EF@wifi2 disconnected, SA Query timeout, signal strength -92

69
2024-03-16 10:14:20
memory
wireless, info
94:45:60:44:92:EF@wifi1 connected, signal strength -78

70
2024-03-16 10:14:44
memory
wireless, info
94:45:60:44:92:EF@wifi1 disconnected, connection lost, signal strength -68

71
2024-03-16 10:14:48
memory
wireless, info
94:45:60:44:92:EF@wifi1 connected, signal strength -57

72
2024-03-16 10:14:48
memory
system, info, account
user admin logged out from 192.168.88.254 via web

73
2024-03-16 10:15:06
memory
wireless, info
94:45:60:44:92:EF@wifi1 disconnected, connection lost, signal strength -60

74
2024-03-16 10:15:09
memory
wireless, info
94:45:60:44:92:EF@wifi1 connected, signal strength -62

75
2024-03-16 10:15:27
memory
wireless, info
94:45:60:44:92:EF@wifi1 disconnected, connection lost, signal strength -63

76
2024-03-16 10:15:31
memory
wireless, info
94:45:60:44:92:EF@wifi1 connected, signal strength -65

77
2024-03-16 10:15:49
memory
wireless, info
94:45:60:44:92:EF@wifi1 disconnected, connection lost, signal strength -68

78
2024-03-16 10:16:06
memory
wireless, info
94:45:60:44:92:EF@wifi1 connected, signal strength -65

79
2024-03-16 10:16:28
memory
wireless, info
94:45:60:44:92:EF@wifi1 disconnected, SA Query timeout, signal strength -52

80
2024-03-16 10:16:28
memory
wireless, info
94:45:60:44:92:EF@wifi2 connected, signal strength -64

[h3]# 2024-03-17 11:58:11 by RouterOS 7.14.1
# software id = 0I2U-1WL1
#
# model = RBwAPG-5HacD2HnD
# serial number = XXX
/interface bridge
add admin-mac=48:A9:8A:35:0A:EC auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Belgium .mode=ap .ssid=\
    MikroTik_32 disabled=no security.authentication-types=wpa2-psk \
    .connect-priority=0
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Belgium .mode=ap .ssid=MikroTik_32 disabled=no \
    security.authentication-types=wpa2-psk .connect-priority=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=*4
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Brussels
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN[/h3]

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254