Please check my settings.
Thank you.
Code: Select all
# 2024-02-12 18:45:17 by RouterOS 7.12
# software id = 4NGD-NHR9
#
# model = RBD53iG-5HacD2HnD
# serial number = <edit>
/interface bridge
add admin-mac=AA:AA:AA:AA:AA:AA auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Prdel \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country="czech republic" disabled=no distance=indoors frequency=2427 \
installation=indoor mode=ap-bridge security-profile=Prdel ssid=MT24 \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country="czech republic" disabled=no distance=indoors \
frequency=5260 installation=indoor mode=ap-bridge security-profile=Prdel \
ssid=MT50 wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=5m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.77.2/32 comment="Mobil Jenda" interface=\
wireguard1 public-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
add allowed-address=192.168.77.3/32 comment="Notebook HP" interface=\
wireguard1 public-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
add allowed-address=192.168.77.4/32 comment="Mobil M\ED\9Aa" interface=\
wireguard1 public-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.77.1/24 interface=wireguard1 network=192.168.77.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=passthrough chain=comment-test comment=\
"-- SECTION -- test and info rules"
add action=passthrough chain=comment-established comment=\
"-- SECTION -- established rules"
add chain=forward comment="allow established forward" connection-state=\
established
add chain=forward comment="povol related forward" connection-state=related
add chain=input comment="Allow esatblished connections forward" \
connection-state=established
add chain=input comment="Allow related connections input" connection-state=\
related
add chain=output comment="Allow esatblished connections output" \
connection-state=established
add chain=output comment="Allow related connections output" connection-state=\
related
add action=passthrough chain=comment-drop comment="-- SECTION -- drop rules"
add action=log chain=input comment="Drop invalid connections" \
connection-state=invalid log-prefix=drop_invalid
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=log chain=output comment="Drop invalid connections" \
connection-state=invalid log-prefix=drop_invalid
add action=drop chain=output comment="Drop invalid connections" \
connection-state=invalid
add action=log chain=forward comment="drop all BANNED IPs" log-prefix=\
drop_banned src-address-list=all_banned
add action=drop chain=forward comment="drop all BANNED IPs" src-address-list=\
all_banned
add action=log chain=input comment="Block broadcasts packets" disabled=yes \
dst-address=255.255.255.255 log-prefix=255
add action=drop chain=input comment="Block broadcasts packets" dst-address=\
255.255.255.255
add action=drop chain=input comment="Block broadcasts packets" \
dst-address-type=broadcast,multicast
add action=passthrough chain=comment-VOIP comment="-- SECTION -- VOIP rules"
add action=passthrough chain=comment-DDOS comment=\
"-- SECTION -- block ddos rules"
add action=log chain=input comment="drop ssh brute forcers for 10days" \
dst-port=22 log-prefix=drop-ssh-brute protocol=tcp src-address-list=\
ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers for 10days" \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment="ssh black_list" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=20m chain=input comment="ssh black_list" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=10m chain=input comment="ssh black_list" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=5m chain=input comment="ssh black_list" \
connection-state=new dst-port=22 protocol=tcp
add action=jump chain=forward comment=Jump_to_block-ddos disabled=yes \
dst-port=!53,514 jump-target=block-ddos protocol=udp
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=\
!53,514 jump-target=block-ddos protocol=udp
add action=return chain=block-ddos disabled=yes limit=16,32:packet
add action=log chain=block-ddos disabled=yes log-prefix=DDOS_ATTACK:
add action=drop chain=block-ddos disabled=yes limit=16,32:packet
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=\
!53 jump-target=block-ddos protocol=udp
add action=passthrough chain=comment-important-basic comment=\
"-- SECTION -- important and basic rules"
add action=accept chain=input dst-port=8291,22 in-interface=!ether1 protocol=\
tcp
add chain=output comment="allow router DNS queries" dst-port=53 protocol=tcp
add chain=output comment="allow router DNS queries" dst-port=53 protocol=udp
add action=accept chain=input comment="allow router DNS queries" dst-port=53 \
in-interface=!ether1 protocol=udp
add action=accept chain=input comment="allow router DNS queries" dst-port=53 \
in-interface=!ether1 protocol=tcp
add action=accept chain=forward comment="allow router DNS queries" dst-port=\
53 in-interface=!ether1 protocol=udp
add action=accept chain=forward comment="allow router DNS queries" dst-port=\
53 in-interface=!ether1 protocol=tcp
add chain=output comment="allow router NTP queries" dst-port=123 protocol=udp
add action=accept chain=forward comment="allow router NTP queries" dst-port=\
123 in-interface=!ether1 protocol=udp
add chain=output comment="allow ping z routeru" protocol=icmp
add action=accept chain=forward comment="povol PING forward" in-interface=\
!ether1 protocol=icmp
add action=accept chain=input comment="povol PING input" in-interface=!ether1 \
limit=10,50:packet protocol=icmp
add action=passthrough chain=comment-VPNs comment="-- SECTION -- VPNs rules"
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment=wireguard src-address=192.168.77.0/24
add action=accept chain=forward comment=wireguard src-address=192.168.77.0/24
add action=accept chain=input comment="allow input PPTP" disabled=yes \
dst-port=1723 protocol=tcp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes \
dst-port=500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes \
dst-port=4500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input L2TP" disabled=yes \
dst-port=1701 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input PPTP" disabled=yes \
protocol=gre
add action=accept chain=input comment="allow input IPSEC-esp" disabled=yes \
protocol=ipsec-esp
add action=passthrough chain=comment-PUBLIC-DMZ comment=\
"-- SECTION -- public DMZ, webserver etc rules"
add action=passthrough chain=comment-INET-access comment=\
"-- SECTION -- Internet access RULES"
add action=accept chain=forward comment="povolene vse z LAN" in-interface=\
bridge out-interface=ether1
add chain=forward comment="povolene sluzby obecne TCP z LAN" disabled=yes \
out-interface=ether1 protocol=tcp
add chain=forward comment="povolene sluzby obecne UDP z LAN" disabled=yes \
out-interface=ether1 protocol=udp src-address-list=!servers_RANGE_vlan
add action=passthrough chain=comment-OTHER comment=\
"-- SECTION -- other rules"
add action=passthrough chain=comment-DROP-FINAL comment=\
"-- SECTION -- FINAL DROPs"
add action=log chain=forward comment="Drop everything all FORWARD" \
log-prefix=DROP_forward
add action=drop chain=forward comment="Drop everything all FORWARD"
add action=log chain=input comment="Drop everything all INPUT" log-prefix=\
DROP_input
add action=drop chain=input comment="Drop everything all INPUT"
add action=log chain=output comment="Drop everything all OUTPUT" log-prefix=\
DROP_output
add action=drop chain=output comment="Drop everything all OUTPUT"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip upnp interfaces
add forced-ip=123.456.789.000 interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Prague
/system logging
add topics=firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.cz.pool.ntp.org
add address=1.cz.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN