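# --- Interfaces, lists and addressing ------------------------------------
# ether8 is the out-of-band (OOB) management port. It is the only member of
# MACWinbox (L2 management, see /tool mac-server) and carries the DHCP server
# and the 192.168.88.0/24 management network.
/interface ethernet
set [ find default-name=ether8 ] comment=OOB
/interface list
add name=MACWinbox
add name=Discovery
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether8 lease-time=1h name=dhcp1
# Neighbor discovery (MNDP/CDP/LLDP) is only sent on the Discovery list.
# NOTE(review): ether1 is in that list, so the router's identity, RouterOS
# version and MAC are advertised on the LAN segment; remove ether1 from
# Discovery if LAN hosts are not trusted with that information.
/ip neighbor discovery-settings
set discover-interface-list=Discovery
# IPv6 is fully disabled, so the IPv4 firewall below is the whole policy.
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether8 list=MACWinbox
add interface=ether8 list=Discovery
add interface=ether1 list=Discovery
/ip address
add address=192.168.88.1/24 comment=OOB interface=ether8 network=192.168.88.0
add address=XXX.XXX.30.33/28 comment=LAN interface=ether1 network=XXX.XXX.30.32
# Static WAN address kept but disabled; the live WAN address comes from the
# DHCP client below.
add address=XXX.XXX.73.58 comment=WAN disabled=yes interface=sfp-sfpplus1 \
    network=XXX.XXX.73.58
/ip cloud
set update-time=no
# use-peer-dns and use-peer-ntp default to yes, which lets the ISP's DHCP
# options add resolvers / NTP sources next to the ones pinned in /ip dns and
# /system ntp client. Pin them to no so the hand-picked servers stay the only
# ones in use. add-default-route stays at its default (yes).
/ip dhcp-client
add interface=sfp-sfpplus1 use-peer-dns=no use-peer-ntp=no
# NOTE(review): no dns-server is given on the DHCP network, so what OOB
# clients are handed depends on RouterOS defaults. Set dns-server explicitly
# (either 192.168.88.1 with allow-remote-requests=yes below, matching the
# input rule that accepts UDP/53 from ether8, or the upstream resolvers) to
# make it deterministic.
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
# allow-remote-requests is left at its default (no): the router resolves
# only for itself.
/ip dns
set servers=212.23.3.100,212.23.6.100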
# Sources trusted to reach the router's SSH/Winbox (used by the input chain).
/ip firewall address-list add list=WinboxAllowed address=192.168.88.0/24
/ip firewall address-list add list=WinboxAllowed address=185.128.57.233
# Special-purpose / bogon prefixes (RFC 6890 and friends) that must never
# appear as a destination on the WAN side. Listed in prefix order.
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=0.0.0.0/8
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=10.0.0.0/8
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=100.64.0.0/10
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=127.0.0.0/8
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=169.254.0.0/16
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=172.16.0.0/12
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=192.0.0.0/24
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=192.0.2.0/24
/ip firewall address-list add list=not_in_internet comment="6to4 relay Anycast [RFC 3068]" address=192.88.99.0/24
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=192.168.0.0/16
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=198.18.0.0/15
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=198.51.100.0/24
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=203.0.113.0/24
/ip firewall address-list add list=not_in_internet comment=Multicast address=224.0.0.0/4
/ip firewall address-list add list=not_in_internet comment=RFC6890 address=240.0.0.0/4
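/ip firewall filter
# ---- input: traffic addressed to the router itself ------------------------
# Stateful baseline first. Without it, replies to the router's own queries
# (DNS to 212.23.x.x, NTP to the pool servers) fall through to the final
# drop and resolution / time sync silently fail.
add action=accept chain=input comment="Accept established/related" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# Anti-spoofing: a packet entering on the WAN with a private/bogon source
# (e.g. a forged 192.168.88.x) must not reach the management accept below.
# This also drops ICMP from a private-addressed upstream hop; accepted here.
add action=drop chain=input comment="Drop bogon sources arriving on WAN" \
    in-interface=sfp-sfpplus1 src-address-list=not_in_internet
add action=accept chain=input comment=\
    "Allow Remote Management by SSH and Winbox from Trusted Address List" \
    dst-port=22,8291 protocol=tcp src-address-list=WinboxAllowed
add action=jump chain=input jump-target=icmp4 protocol=icmp
# The DHCP server listens on UDP/67 only; 68 is the client side and the
# router is not a DHCP client on ether8, so it is not opened.
add action=accept chain=input comment="Allow DNS & DHCP from OOB" dst-port=\
    53,67 in-interface=ether8 protocol=udp
add action=drop chain=input comment="Drop All other INPUT traffic"
# ---- forward: traffic routed through the router -----------------------------
# Return traffic for the OOB network (sfp-sfpplus1 -> ether8) has no
# interface-pair accept below; this rule is what lets masqueraded OOB
# sessions complete.
add action=accept chain=forward comment="Accept established/related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop bogon sources arriving on WAN" \
    in-interface=sfp-sfpplus1 src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop invalid public addresses from being forward to WAN" \
    dst-address-list=not_in_internet out-interface=sfp-sfpplus1
add action=accept chain=forward comment=\
    "Allow traffic from ether1 forward out sfp-sfpplus1" in-interface=ether1 \
    out-interface=sfp-sfpplus1
add action=accept chain=forward comment=\
    "Allow traffic from OOB (ether8) forward out sfp-sfpplus1" in-interface=\
    ether8 out-interface=sfp-sfpplus1
# NOTE(review): this accepts unsolicited NEW connections from the WAN to the
# untranslated ether1 LAN. If those hosts are not meant to be reachable from
# the internet, remove this rule (the established/related accept above
# already covers replies) or limit it to the services you expose.
add action=accept chain=forward comment=\
    "Allow traffic from sfp-sfpplus1 forward out ether1" in-interface=\
    sfp-sfpplus1 out-interface=ether1
add action=drop chain=forward comment="Drop All other forward"
# ---- icmp4: the only ICMP types the router answers, each rate-limited ------
add action=accept chain=icmp4 comment=\
    "ICMP: Echo reply 0:0 and limit for 5pac/s" icmp-options=0:0 limit=\
    5,5:packet protocol=icmp
add action=accept chain=icmp4 comment="ICMP: Destination unreachable" \
    icmp-options=3:0-1 limit=5,5:packet protocol=icmp
add action=accept chain=icmp4 comment=\
    "ICMP: Port unreachable and limit for 5pac/s" icmp-options=3:3 limit=\
    5,5:packet protocol=icmp
# 3:4 must stay open or path-MTU discovery breaks for the router's own flows.
add action=accept chain=icmp4 comment=\
    "ICMP: Fragmentation neeeded and limit for 5pac/s" icmp-options=3:4 \
    limit=5,5:packet protocol=icmp
add action=accept chain=icmp4 comment=\
    "ICMP: Echo request - 8:0 and limit for 5pac/s" icmp-options=8:0 limit=\
    5,5:packet protocol=icmp
add action=accept chain=icmp4 comment=\
    "ICMP: Time exceeded 11:0 and limit for 5pac/s" icmp-options=11:0 limit=\
    5,5:packet protocol=icmp
add action=drop chain=icmp4 comment="Drop everything else" protocol=icmp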
# Hide the OOB network behind the WAN address. The WAN address is
# DHCP-assigned, hence masquerade rather than a fixed src-nat. The ether1
# LAN is forwarded untranslated and has no NAT rule.
/ip firewall nat add chain=srcnat action=masquerade \
    src-address=192.168.88.0/24 out-interface=sfp-sfpplus1 \
    comment="NAT Traffic with src-address of OOB network"
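# --- Management services -----------------------------------------------------
# Only SSH (22) and Winbox (8291) stay enabled; everything cleartext or
# unused is switched off.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Defence in depth: bind the two remaining services to the same sources the
# input chain trusts (WinboxAllowed), so a later firewall edit cannot expose
# them on its own.
set ssh address=192.168.88.0/24,185.128.57.233
set winbox address=192.168.88.0/24,185.128.57.233
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/London
/system note
set show-at-login=no
# NTP by pool hostname: depends on the router's own DNS working, which in
# turn needs the input chain to accept established/related replies.
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
/tool bandwidth-server
set enabled=no
# MAC-level management (MAC telnet and MAC Winbox) bypasses the IP firewall
# entirely. Both are confined to the MACWinbox list, i.e. ether8 only, so
# anyone with L2 access to the OOB segment gets a login prompt: treat that
# segment as trusted. Set mac-server to allowed-interface-list=none if MAC
# telnet is not needed for recovery.
/tool mac-server
set allowed-interface-list=MACWinbox
/tool mac-server mac-winbox
set allowed-interface-list=MACWinbox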