Hello everybody,
I am using an RB5009 and I’ve decided to redo some things on my config, and as requested I will now post my whole config with some censoring.
Hopefully this helps; any suggestions are welcome.
# Single bridge "trunk" with VLAN filtering; the LAN ports added further down are
# untagged members of VLAN 88 only.
/interface bridge
add mtu=1500 name=trunk vlan-filtering=yes
/interface ethernet
# poe-out status: no_valid_psu
# ether8 is the PPPoE uplink and is kept out of the bridge.
set [ find default-name=ether8 ] name=ether8-gateway
/interface pppoe-client
# PPPoE MTU/MRU 1480 while the LAN bridge is at 1500. No mangle MSS rule appears in
# this export, so NOTE(review): confirm the default ppp profile's change-tcp-mss is
# still at its default (yes), otherwise large TCP segments to the internet will stall.
add add-default-route=yes disabled=no interface=ether8-gateway max-mru=1480 \
max-mtu=1480 name=WAN1 user=CENSORED
/interface vlan
# The router's own L3 interface in VLAN 88 (address assigned under /ip address).
add interface=trunk name=v88-Primary vlan-id=88
/interface list
# WAN-Interfaces: used by the input chain to scope the remote-management rule.
# mac-winbox: the only interfaces allowed for neighbor discovery and MAC-server.
add name=WAN-Interfaces
add name=mac-winbox
/interface wireless security-profiles
# Stock default profile left by export; the RB5009 has no radio, so it is unused here.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=v88-Primary ranges=192.168.1.100-192.168.1.250
/ip dhcp-server
# after-2sec-delay: the server answers only if no other DHCP server on the segment
# replies first, i.e. a rogue DHCP server on the LAN would win — use 'yes' if this
# router is meant to be the sole DHCP authority.
add address-pool=v88-Primary authoritative=after-2sec-delay interface=\
v88-Primary lease-time=3d name=v88-Primary
/ppp profile
# *0 is normally the built-in default profile, so this on-up hook fires for every PPP
# interface that uses it (here only WAN1). The ppp-up script (see /system script)
# flushes the entire connection-tracking table and re-runs the inventory push.
set *0 on-up="/system script run ppp-up"
/interface bridge port
# ether1-ether7 are access ports for VLAN 88: only untagged/priority-tagged frames are
# admitted and they are tagged with pvid 88 on ingress, so a LAN host cannot inject
# frames tagged for another VLAN through these ports.
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2 pvid=88
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 pvid=88
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4 pvid=88
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged \
interface=ether5 pvid=88
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged \
interface=ether6 pvid=88
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged \
interface=ether7 pvid=88
add bridge=trunk frame-types=admit-only-untagged-and-priority-tagged \
interface=ether1 pvid=88
/ip firewall connection tracking
# Short timeouts keep the NAT table small. udp-timeout=20s applies to UDP flows that have
# not yet seen traffic in both directions; udp-stream-timeout=5m presumably covers the
# established ones (VoIP keepalives) — verify if calls drop after idle periods.
set enabled=yes generic-timeout=20m tcp-time-wait-timeout=20s \
udp-stream-timeout=5m udp-timeout=20s
/ip neighbor discovery-settings
# Neighbor discovery only on the LAN VLAN, never towards the WAN side.
set discover-interface-list=mac-winbox
/ip settings
# Fast-path off; there is no fasttrack rule below either, so every packet traverses the
# full filter chains.
set allow-fast-path=no
/ipv6 settings
# IPv6 disabled entirely. The firewall below has no /ipv6 rules, which is only safe as
# long as this stays 'yes'.
set disable-ipv6=yes
/interface bridge vlan
# The bridge itself (CPU port) is a tagged member of VLAN 88 so v88-Primary can terminate
# it; the untagged access ports join from their pvid.
add bridge=trunk tagged=trunk vlan-ids=88
/interface list member
add interface=v88-Primary list=mac-winbox
add interface=WAN1 list=WAN-Interfaces
add interface=ether8-gateway list=WAN-Interfaces
/ip address
add address=192.168.1.1/24 interface=v88-Primary network=192.168.1.0
/ip cloud
# DDNS publishes the router's public address under a MikroTik cloud hostname; that same
# hostname is what the inventory scripts below send out as "hostname=".
set ddns-enabled=yes
/ip dhcp-server network
# LAN clients are handed the router as their only resolver (DoH upstream, see /ip dns).
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
netmask=24
/ip dns
# Resolver for the LAN, forwarding upstream over DoH to 1.1.1.1 with certificate checks.
# NOTE(review): verify-doh-cert=yes needs the server's issuer CA present under
# /certificate; if it is missing, upstream lookups fail — confirm with /ip dns print.
# allow-remote-requests=yes listens on all interfaces, but the input chain below only
# accepts port 53 from non-WAN interfaces, so this is not an open resolver.
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes
/ip firewall address-list
# ACL: sources allowed to ping the router and to reach management from the WAN side
# (the LAN subnet plus censored remote addresses).
# "VoIP QoS Servers" is not referenced by any rule in this export (queues/mangle not shown).
add address=192.168.1.0/24 list=ACL
add address=CENSORED list=ACL
add address=CENSORED list="VoIP QoS Servers"
add address=CENSORED list=ACL
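/ip firewall filter
# Forward chain: only traffic leaving towards the LAN (out-interface=v88-Primary, i.e.
# WAN->LAN) is inspected in the v88-Primary chain. Everything else in forward (LAN->WAN)
# matches no rule and falls through to RouterOS' implicit accept. NOTE(review): for an
# explicit default-deny, add an accept for in-interface=v88-Primary
# out-interface-list=WAN-Interfaces and then "add action=drop chain=forward" as the
# last forward rule.
add action=jump chain=forward comment=\
"Jump packets going to v88-Primary interface to v88-Primary chain." \
jump-target=v88-Primary out-interface=v88-Primary
# Input chain (traffic addressed to the router itself), evaluated top to bottom.
add action=accept chain=input comment=\
"Accept established, related and untracked packets." connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop invalid packets." connection-state=\
invalid
add action=accept chain=input comment=\
"Accept ping packets from ACL address list." protocol=icmp \
src-address-list=ACL
# Remote management from the WAN side is limited to Winbox (8291) for ACL sources.
# Port 80 (Webfig over plain HTTP) was removed from this rule: it sends the login
# across the internet in cleartext even when source-filtered. LAN hosts still reach
# Webfig through the v88-Primary accept rule below. For remote browser access enable
# www-ssl with a certificate and allow 443 instead, or better, manage over a VPN.
add action=accept chain=input comment=\
"Accept Winbox access from ACL address list." dst-port=8291 \
in-interface-list=WAN-Interfaces protocol=tcp src-address-list=ACL
# The router is a resolver for non-WAN interfaces only (UDP and TCP 53).
add action=accept chain=input comment="Accept internal DNS requests." \
dst-port=53 in-interface-list=!WAN-Interfaces protocol=udp
add action=accept chain=input comment="Accept internal DNS requests." \
dst-port=53 in-interface-list=!WAN-Interfaces protocol=tcp
# Everything from the LAN VLAN reaches every enabled router service; narrow this with
# /ip service address= if the LAN is not fully trusted.
add action=accept chain=input comment=\
"Accept connections from v88-Primary VLAN." in-interface=v88-Primary
add action=drop chain=input comment="Drop remaining packets."
# v88-Primary chain (WAN->LAN): only replies to existing connections and explicitly
# port-forwarded (dstnat) new connections get through. This export contains no dstnat
# rules, so at present only return traffic passes.
add action=accept chain=v88-Primary comment=\
"Accept established, related and untracked packets." connection-state=\
established,related,untracked
add action=drop chain=v88-Primary comment="Drop invalid packets." \
connection-state=invalid
add action=accept chain=v88-Primary comment="Accept port forwarding." \
connection-nat-state=dstnat connection-state=new
add action=drop chain=v88-Primary comment="Drop remaining packets."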
/ip firewall nat
# Source NAT for everything leaving via the PPPoE interface; no dstnat rules in this export.
add action=masquerade chain=srcnat out-interface=WAN1
/ip firewall service-port
# SIP and H.323 helpers off: these ALGs rewrite signalling payloads and open dynamic
# pinholes, a common source of both VoIP breakage and unintended inbound access.
set h323 disabled=yes
set sip disabled=yes
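/ip service
# Cleartext legacy services off. Services not listed here (www, ssh, winbox, api, ...)
# are at RouterOS defaults — export omits them — and listen on every interface; the
# input chain decides who can reach them.
set telnet disabled=yes
set ftp disabled=yes
# Webfig over plain HTTP carries credentials in the clear, so bind it to the LAN subnet
# rather than relying on the firewall alone. Disable api/api-ssl too if no management
# tool uses them, and consider /ip ssh set strong-crypto=yes.
set www address=192.168.1.0/24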
/system clock
set time-zone-autodetect=no time-zone-name=CENSORED
/system identity
set name="CENSORED"
/system logging
# Only 'critical' is written to disk and nothing goes to a remote target; firewall drops
# are not logged at all. A remote syslog action would keep a trail that survives a
# compromise or a reset of the box.
add action=disk topics=critical
/system note
set show-at-login=no
/system ntp client
# Correct time is needed for the DoH certificate check and for the scheduler below.
set enabled=yes
/system ntp client servers
add address=CENSORED
/system scheduler
# Both hourly jobs carry the full policy set (ftp, reboot, policy, password, sensitive,
# sniff, romon, ...). The scripts they launch only read configuration and call
# /tool fetch, so this is far beyond least privilege: 'policy' lets a script change
# permissions, 'password'/'sensitive' expose credentials and keys. NOTE(review): trim to
# the minimal set (read, plus whatever /tool fetch needs on this RouterOS version) and
# test after reducing — the scripts' own policy lines below must be reduced to match.
add interval=1h name=CENSORED-router-update-device on-event=\
CENSORED-router-update-device policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2024-06-07 start-time=08:04:02
add interval=1h name=CENSORED-update-interfaces on-event=CENSORED-update-interfaces \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2024-06-07 start-time=08:04:02
/system script
# ppp-up (hook from the ppp profile on-up): removes every tracked connection, presumably
# so NAT entries bound to the previous public address vanish after a PPPoE re-dial, then
# re-runs the inventory push. Side effect: all active LAN sessions, including long-lived
# TCP and VoIP flows, are cut on every re-dial.
add dont-require-permissions=no name=ppp-up owner=CENSORED policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall connection remove [ find ]\r\
\n\r\
\n/system script run CENSORED-router-update-device\r\
\n\r\
\n"
# Inventory push: collects the cloud DDNS hostname, serial number, the ssh/winbox/www
# service ports, board model and RouterOS version and POSTs them as a form body to an
# external URL. That payload is exactly the reconnaissance an attacker wants, so the
# fetch target must be https with check-certificate=yes — the scheme is censored here
# and cannot be verified from this paste.
# The URL tail "...a3c-58ef-919a-213d3b33e40f" survived the censoring and looks like
# part of an access token; treat it as partially disclosed and rotate it if it is one.
# The full poststring is also written to the log at 'info' level.
add dont-require-permissions=no name=CENSORED-router-update-device owner=CENSORED \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source=":local clouddns [/ip cloud get dns-name] \
\n:local serial [/system routerboard get serial-number]\
\n\
\n:local model [/system resource get board-name]\
\n:local osversion [/system resource get version]\
\n\
\n:local sshport ([/ip service get ssh port])\
\n:local winboxport ([/ip service get winbox port])\
\n:local httpport ([/ip service get www port])\
\n\
\n\
\n:local poststring \"hostname=\$clouddns&serial=\$serial&ssh_port=\$sshpo\
rt&winbox_port=\$winboxport&http_port=\$httpport&model=\$model&os_version=\
\$osversion\"\
\n:log info \$poststring\
\n/tool fetch CENSORED
a3c-58ef-919a-213d3b33e40f http-method=post http-data=\$poststring"
# Second inventory push: hostname and serial again, plus web-proxy state, the WAN1
# address and MAC, a "failover" WAN named ether2-4g — which does not exist in this export
# (ether2 is a VLAN-88 access port), so those fields are always empty — and the complete
# ARP table (IP, MAC and interface of every LAN host). Shipping the LAN host inventory
# off-box is an exposure decision in itself; the endpoint must be https with
# check-certificate=yes and access to it restricted.
# Differs from the script above in using :put (console output, effectively discarded
# when run by the scheduler) instead of :log info, and in CRLF line endings.
add dont-require-permissions=no name=CENSORED-update-interfaces owner=CENSORED \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source=":local clouddns [/ip cloud get dns-name]\r\
\n:local serial [/system routerboard get serial-number]\r\
\n\r\
\n:local wanname \"WAN1\"\r\
\n:local wanip \"\"\r\
\n:local wanmac \"\"\r\
\n:local webproxystatus [/ip proxy get enabled]\r\
\n:local failoverwanname \"ether2-4g\"\r\
\n:local failoverwanip \"\"\r\
\n:local failoverwanmac \"\"\r\
\n:local arp \"\"\r\
\n:local addresses ([/ip address find where interface=\$wanname ] )\r\
\nforeach line in=\$addresses do={\r\
\n :set wanip [/ip address get \$line address];\r\
\n :set wanmac [/interface get \$wanname mac-address];\r\
\n}\r\
\n:local addresses ([/ip address find where interface=\$failoverwanname ] \
)\r\
\nforeach line in=\$addresses do={\r\
\n :set failoverwanip [/ip address get \$line address];\r\
\n :set failoverwanmac [/interface get \$failoverwanname mac-address];\r\
\n}\r\
\n:local arps ([/ip arp find ] )\r\
\nforeach line in=\$arps do={\r\
\n :set arp (\$arp . [/ip arp get \$line address ] . \" \" . [/ip arp get \
\$line mac-address ] . \" \" . [/ip arp get \$line interface ] . \",\")\r\
\n \r\
\n}\r\
\n:local poststring \"hostname=\$clouddns&serial=\$serial&webproxy_enabled\
=\$webproxystatus&primary_wan_name=\$wanname&primary_wan_int_mac=\$wanmac&\
primary_wan_ip=\$wanip&failover_wan_ip=\$failoverwanip&failover_wan_mac=\$\
failoverwanmac&failover_wan_name=\$failoverwanname&arp_table=\$arp\"\r\
\n:put \$poststring\r\
\n/tool fetch CENSORED
a3c-58ef-919a-213d3b33e40f http-method=post http-data=\$poststring"
/tool mac-server
# MAC-telnet and MAC-Winbox answer only on the LAN VLAN. Both bypass IP addressing and
# the IP firewall entirely; if neither is used, set allowed-interface-list=none on both.
set allowed-interface-list=mac-winbox
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox