I have no access to any other LAN device.
"allow LAN" = yes
Code: Select all
# 2024-04-11 21:37:04 by RouterOS 7.14.1
# software id = SKU-FU
#
# model = RB4011iGS+
# serial number = D4NKSERIAL4U
/interface bridge
add admin-mac=b0:l0:c5:55:77:d0 auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface ethernet
set [ find default-name=ether10 ] name=ether10-Management
/interface wireguard
add comment=back-to-home-vpn listen-port=33603 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=ether5 name=ether5-911 vlan-id=911
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether5-911 \
keepalive-timeout=60 name=pppoe-wan user=\
hardluck@isp.com
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Neighbours
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=6 force=yes name=AdGuard_99 value="'192.168.50.99'"
/ip ipsec policy group
add name=vpn
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip kid-control
add fri=7h-1d mon=7h-23h name=-00- sat=7h-1d sun=7h-23h thu=7h-23h tue=\
7h-23h wed=7h-23h
add fri=7h-1d mon=7h-23h name=-00- sat=7h-1d sun=7h-23h thu=7h-23h tue=\
7h-23h wed=7h-23h
add fri=7h-1d mon=7h-23h name=-00- sat=7h-1d sun=7h-23h thu=7h-23h tue=\
7h-23h wed=7h-23h
add name=TEST tue=7h-20h
/ip pool
add name=dhcp ranges=192.168.50.150-192.168.50.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp interface=ether10-Management name=Management-DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing table
add fib name=""
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether9 untagged=ether10-Management vlan-ids=10
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add interface=pppoe-wan list=WAN
add interface=ether10-Management list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.50.1/24 interface=bridge network=192.168.50.0
add address=192.168.100.1/24 interface=ether10-Management network=\
192.168.100.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m \
update-time=no
/ip cloud advanced
set use-local-address=yes
/ip cloud back-to-home-users
add allow-lan=yes comment=" samsung SM-S916B" name=\
"MikroTik_RB4011 | RB4011iGS+" private-key=\
"80088008800880088008800880088008800880088008=" public-key=\
"80088008800880088008800880088008800880088008="
/ip dhcp-server network
add address=192.168.50.0/24 comment=defconf dns-server=1.1.1.3,1.0.0.3 \
gateway=192.168.50.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip firewall address-list
add address=192.168.50.2-192.168.50.254 list=allowed_to_router
add address=192.168.216.2-192.168.216.10 list=\
back-to-home-lan-restricted-peers
add address=192.168.100.0/24 list=Management
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="IP's Allowed to Router" \
src-address-list=allowed_to_router
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"Established, Related to FastTrack" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2369
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp profile
set *FEEEEEEEE local-address=192.168.89.1 remote-address=*2
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/London
/system identity
set name=MikroTik_RB4011
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=51.89.151.183
add address=178.62.250.107
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Neighbours