Vraag

vrijdag 7 februari 2025 13:05

Acties:
  • 0 Henk 'm!
  • Dyrand
  • Registratie: Maart 2012
  • Laatst online: 22-09 10:20

Dyrand

Topicstarter
Goedemiddag tweakers!

Ik heb mijzelf uitgedaagd om meer van netwerken te leren en zodoende een Mikrotik RB2011 aangeschaft. Nu heb ik de configuratie met hulp van inet (denk ik) aardig voor elkaar, echter krijg mijn LAN geen netwerkaccess. Ik kan vanaf de mikrotik pingen naar IP's (9.9.9.9, 1.1.1.1, 8,8,8,8) en naar domain names (google.com, etc.).

Hulp wordt zeer gewaardeerd en ik ben vooral benieuwd wat ik over het hoofd gezien heb en waarom het nu niet werkt.

Hieronder mijn config:

code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

# 2025-02-07 12:58:05 by RouterOS 7.17.1
# software id = YZ6A-Z91J
#
# model = RB2011UiAS
# serial number = #
/interface bridge
add arp=proxy-arp name=bridge-lan protocol-mode=none
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan300 vlan-id=300
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip pool
add name=pool-dhcp-lan ranges=10.0.94.50-10.0.94.99
/ip dhcp-server
add address-pool=pool-dhcp-lan interface=bridge-lan lease-time=2h name=\
    dhcp-lan
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10
/ip address
add address=10.0.94.254/24 interface=bridge-lan network=10.0.94.0
/ip dhcp-client
# Interface not active
add default-route-distance=210 dhcp-options=option60-vendorclass interface=\
    vlan300 use-peer-dns=no
/ip dhcp-server network
add address=10.0.94.0/24 dns-server=10.0.94.253 domain=muizelaar.me gateway=\
    10.0.94.254 netmask=24
/ip dns
set servers=10.0.94.253,9.9.9.9
/ip firewall address-list
add address=10.0.94.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8080 protocol=tcp src-address-list=!support
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=22 protocol=tcp src-address-list=!support
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.94.0/24
add action=dst-nat chain=dstnat comment=proxy dst-port=80 in-interface=ether1 \
    protocol=tcp src-address=0.0.0.0 to-addresses=10.0.94.201 to-ports=80
add action=dst-nat chain=dstnat comment=proxy dst-port=443 in-interface=\
    ether1 protocol=tcp src-address=0.0.0.0 to-addresses=10.0.94.201 \
    to-ports=443
add action=dst-nat chain=dstnat comment=valheim dst-port=2456 in-interface=\
    ether1 protocol=udp src-address=0.0.0.0 to-addresses=10.0.94.200 \
    to-ports=2456
add action=dst-nat chain=dstnat comment=valheim dst-port=2457 in-interface=\
    ether1 protocol=udp src-address=0.0.0.0 to-addresses=10.0.94.200 \
    to-ports=2457
add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 \
    in-interface=ether1 protocol=tcp src-address=0.0.0.0 to-addresses=\
    10.0.94.252 to-ports=51820
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=ether1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set www-ssl port=8443
set api disabled=yes
set api-ssl disabled=yes
/lcd
set default-screen=informative-slideshow enabled=no read-only-mode=yes \
    touch-screen=disabled
/lcd interface
set sfp1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system clock manual
set time-zone=+01:00
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org

Beste antwoord (via Dyrand op 07-02-2025 14:00)

vrijdag 7 februari 2025 13:22

  • lier
  • Registratie: Januari 2004
  • Laatst online: 10:21

lier

MikroTik nerd

Zou je aan kunnen geven welke provider je hebt? Je doet iets met VLAN 300 (Odido?) en iets met IPTV. Misschien kan je bij de basis beginnen (en bijvoorbeeld niet gelijk de firewall aanpassen).

Ga terug naar de default config, voeg vlan 300 toe aan ether01 en pas de /interface/list aan van ether01 naar vlan. En van daaruit verder.

Eerst het probleem, dan de oplossing

Alle reacties

vrijdag 7 februari 2025 13:12

Acties:
  • 0 Henk 'm!
  • DJP!
  • Registratie: Mei 2012
  • Laatst online: 12:09

DJP!

Dyrand schreef op vrijdag 7 februari 2025 @ 13:05:
Goedemiddag tweakers!

Ik heb mijzelf uitgedaagd om meer van netwerken te leren en zodoende een Mikrotik RB2011 aangeschaft. Nu heb ik de configuratie met hulp van inet (denk ik) aardig voor elkaar, echter krijg mijn LAN geen netwerkaccess. Ik kan vanaf de mikrotik pingen naar IP's (9.9.9.9, 1.1.1.1, 8,8,8,8) en naar domain names (google.com, etc.).

Hulp wordt zeer gewaardeerd en ik ben vooral benieuwd wat ik over het hoofd gezien heb en waarom het nu niet werkt.

Hieronder mijn config:

code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

# 2025-02-07 12:58:05 by RouterOS 7.17.1
# software id = YZ6A-Z91J
#
# model = RB2011UiAS
# serial number = #
/interface bridge
add arp=proxy-arp name=bridge-lan protocol-mode=none
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan300 vlan-id=300
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip pool
add name=pool-dhcp-lan ranges=10.0.94.50-10.0.94.99
/ip dhcp-server
add address-pool=pool-dhcp-lan interface=bridge-lan lease-time=2h name=\
    dhcp-lan
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10
/ip address
add address=10.0.94.254/24 interface=bridge-lan network=10.0.94.0
/ip dhcp-client
# Interface not active
add default-route-distance=210 dhcp-options=option60-vendorclass interface=\
    vlan300 use-peer-dns=no
/ip dhcp-server network
add address=10.0.94.0/24 dns-server=10.0.94.253 domain=muizelaar.me gateway=\
    10.0.94.254 netmask=24
/ip dns
set servers=10.0.94.253,9.9.9.9
/ip firewall address-list
add address=10.0.94.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8080 protocol=tcp src-address-list=!support
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=22 protocol=tcp src-address-list=!support
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.94.0/24
add action=dst-nat chain=dstnat comment=proxy dst-port=80 in-interface=ether1 \
    protocol=tcp src-address=0.0.0.0 to-addresses=10.0.94.201 to-ports=80
add action=dst-nat chain=dstnat comment=proxy dst-port=443 in-interface=\
    ether1 protocol=tcp src-address=0.0.0.0 to-addresses=10.0.94.201 \
    to-ports=443
add action=dst-nat chain=dstnat comment=valheim dst-port=2456 in-interface=\
    ether1 protocol=udp src-address=0.0.0.0 to-addresses=10.0.94.200 \
    to-ports=2456
add action=dst-nat chain=dstnat comment=valheim dst-port=2457 in-interface=\
    ether1 protocol=udp src-address=0.0.0.0 to-addresses=10.0.94.200 \
    to-ports=2457
add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 \
    in-interface=ether1 protocol=tcp src-address=0.0.0.0 to-addresses=\
    10.0.94.252 to-ports=51820
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=ether1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set www-ssl port=8443
set api disabled=yes
set api-ssl disabled=yes
/lcd
set default-screen=informative-slideshow enabled=no read-only-mode=yes \
    touch-screen=disabled
/lcd interface
set sfp1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system clock manual
set time-zone=+01:00
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
code:
1
2
3

/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=ether1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10


Moet deze niet geënabled zijn?

vrijdag 7 februari 2025 13:16

Acties:
  • 0 Henk 'm!
  • Dyrand
  • Registratie: Maart 2012
  • Laatst online: 22-09 10:20

Dyrand

Topicstarter
Zodra ik dat doe gaat een automagisch gegenereerde route op blauw: DST. 0.0.0.0/0 > Gateway IP van ODIDO, ik kan dan ook niets meer pingen vanuit de mikrotik.

vrijdag 7 februari 2025 13:22

Acties:
  • Beste antwoord
  • +1 Henk 'm!
  • lier
  • Registratie: Januari 2004
  • Laatst online: 10:21

lier

MikroTik nerd

Zou je aan kunnen geven welke provider je hebt? Je doet iets met VLAN 300 (Odido?) en iets met IPTV. Misschien kan je bij de basis beginnen (en bijvoorbeeld niet gelijk de firewall aanpassen).

Ga terug naar de default config, voeg vlan 300 toe aan ether01 en pas de /interface/list aan van ether01 naar vlan. En van daaruit verder.

Eerst het probleem, dan de oplossing

vrijdag 7 februari 2025 13:28

Acties:
  • 0 Henk 'm!
  • Dyrand
  • Registratie: Maart 2012
  • Laatst online: 22-09 10:20

Dyrand

Topicstarter
Ik heb ODIDO en als ik plat vlan300 activeer op Ether1, gebeurt er weinig. Ik heb daarna deze link gevolgd van netwerkje.com https://netwerkje.com/routed-iptv om zo de option60 mee te geven, dit gaf daarin succes in de vorm van een dhcp lease bij odido. Ik heb geen IPTV in mijn abbo zitten, alleen inet.

Ik ga nu gelijk een basisconfig terugzetten en het kaal proberen met vlan300 op ether1.

vrijdag 7 februari 2025 13:51

Acties:
  • 0 Henk 'm!
  • Dyrand
  • Registratie: Maart 2012
  • Laatst online: 22-09 10:20

Dyrand

Topicstarter
De default config heeft gewerkt met een basic vlan300 op ether1 echter moest alsnog de IPTV tag meegeven in de DHCP options zonder options deed niets en een kale option60 ook niet :/.

Hartelijk dank lier!

Ik zal de config hier nog plaatsen voor evt. anderen die tegen eenzelfde issue aan lopen.

code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

# 1970-01-02 00:14:24 by RouterOS 7.17.1
# software id = YZ6A-Z91J
#
# model = RB2011UiAS
# serial number = #
/interface bridge
add admin-mac=4C:5E:0C:51:E3:9E auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=vlan300 vlan-id=300
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip dhcp-client option
add code=60 name=option60 value="'IPTV_RG'"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan300 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf default-route-distance=210 dhcp-options=option60 \
    interface=vlan300 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Pagina: 1
Reageer

Apple iPhone 17 LG OLED evo G5 Google Pixel 10 Samsung Galaxy S25 Star Wars: Outlaws Nintendo Switch 2 Apple AirPods Pro (2e generatie) Sony PlayStation 5 Pro

Tweakers is onderdeel van DPG Media B.V.
Alle rechten voorbehouden - Auteursrecht © 1998 - 2025 Hosting door TrueFullstaq