There are some redundant accepts for indivual ports, just to be sure I dont kill clients during changing more global accept/drop rules.
# 2024-01-14 20:52:12 by RouterOS 7.13
# software id = censored
#
# model = CCR2116-12G-4S+
# serial number = censored
/interface bridge
add fast-forward=no name=bridge-home-88
add arp=proxy-arp fast-forward=no name=bridge-servers-78
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-LAN
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-WAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus2-WAN max-mru=1492 \
max-mtu=1492 mrru=1500 name=pppoe-out1 user=\
censored_user
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge-home-88 name=vlan-home-88 vlan-id=88
add interface=bridge-servers-78 name=vlan-servers-78 vlan-id=78
/interface list
add comment=defconf name=LAN
add comment=defconf name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.78.2-192.168.78.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-home-88 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=bridge-servers-78 lease-time=1d name=\
dhcp2
/port
set 0 name=serial0
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.78.1 name=L2TP remote-address=\
dhcp_pool1
/system logging action
add name=remotekiwi remote=192.168.78.27 target=remote
/interface bridge port
add bridge=bridge-servers-78 interface=ether2 pvid=78
add bridge=bridge-servers-78 interface=ether3 pvid=78
add bridge=bridge-servers-78 interface=ether4 pvid=78
add bridge=bridge-servers-78 interface=ether5 pvid=78
add bridge=bridge-servers-78 interface=ether6 pvid=78
add bridge=bridge-servers-78 interface=ether7 pvid=78
add bridge=bridge-servers-78 interface=ether8 pvid=78
add bridge=bridge-servers-78 interface=ether9 pvid=78
add bridge=bridge-servers-78 interface=ether10 pvid=78
add bridge=bridge-home-88 interface=ether11 pvid=88
add bridge=bridge-home-88 interface=ether12 pvid=88
add bridge=bridge-home-88 interface=sfp-sfpplus1-LAN pvid=88
add bridge=bridge-home-88 interface=ether1 pvid=88
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-unacked-timeout=1m udp-stream-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=loose tcp-syncookies=yes
/interface l2tp-server server
set allow-fast-path=yes use-ipsec=required
/interface list member
add interface=bridge-home-88 list=LAN
add interface=bridge-servers-78 list=LAN
add interface=sfp-sfpplus2-WAN list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=192.168.68.150/32 disabled=yes interface=wireguard1 \
public-key="aaaaaaaaaaaaaaaaa"
/ip address
add address=192.168.88.1/24 interface=bridge-home-88 network=192.168.88.0
add address=192.168.78.1/24 interface=bridge-servers-78 network=192.168.78.0
add address=192.168.68.1/24 disabled=yes interface=wireguard1 network=\
192.168.68.0
/ip dhcp-server lease
add address=192.168.88.19 client-id=1:9c:6b:0:b:95:15 comment=aaaa \
mac-address=9C:6B:00:0B:95:15 server=dhcp1
add address=192.168.78.253 client-id=1:9c:6b:0:b:92:1e comment=aaa \
mac-address=9C:6B:00:0B:92:1E server=dhcp2
add address=192.168.78.21 client-id=1:0:c:29:77:75:cb comment=aaaa \
mac-address=00:0C:29:77:75:CB server=dhcp2
add address=192.168.78.15 client-id=\
ff:9f:6e:85:24:0:2:0:0:ab:11:f3:d9:d1:53:f4:c6:2b:ed comment=\
aaaaaaa mac-address=00:0C:29:81:4A:91 server=dhcp2
add address=192.168.78.250 client-id=1:0:c:29:13:ef:cf comment=aaa \
mac-address=00:0C:29:13:EF:CF server=dhcp2
add address=192.168.78.249 client-id=\
ff:29:c9:f5:c7:0:1:0:1:2c:bd:10:cf:0:c:29:c9:f5:c7 comment=aaaaa \
mac-address=00:0C:29:C9:F5:C7 server=dhcp2
add address=192.168.78.27 client-id=1:0:c:29:dd:fa:e6 comment=aaaa \
mac-address=00:0C:29:DD:FA:E6 server=dhcp2
add address=192.168.78.31 client-id=1:0:c:29:75:c9:1d comment=\
Cermi_workstation mac-address=00:0C:29:75:C9:1D server=dhcp2
add address=192.168.88.5 client-id=1:8:d1:f9:2d:4e:ef comment=\
"Tasmota bridge" mac-address=08:D1:F9:2D:4E:EF server=dhcp1
add address=192.168.88.16 client-id=1:20:f8:3b:0:2e:fe comment=\
"home assistant" mac-address=20:F8:3B:00:2E:FE server=dhcp1
/ip dhcp-server network
add address=192.168.78.0/24 dns-server=192.168.78.1 gateway=192.168.78.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
add address=185.227.171.225 comment=aaaae list=allowed_people
add address=90.180.18.73 comment=aaaa list=allowed_people
add address=109.81.170.106 comment=aaaa list=allowed_people
add address=46.16.123.71 comment=aaaa list=allowed_people
add address=217.75.215.155 comment=aaaa list=allowed_people
add address=46.13.165.115 comment=aaaa list=allowed_people
add address=86.49.230.14 comment=aaa list=allowed_people
add address=89.187.144.87 comment=aaaa list=allowed_people
add address=89.103.155.29 comment=aaaa list=allowed_people
add address=109.81.91.239 comment=aaaa list=allowed_people
add address=46.23.60.179 comment=aaa list=allowed_people
add address=178.143.69.99 comment=aaaa list=allowed_people
add address=86.49.112.197 comment=aaaa list=allowed_people
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=144.217.157.4 comment="aaaaa" list=secure
add address=70.32.23.81 comment="aaaaaa" list=secure
add address=88.212.6.0/24 comment=aaaaa list=allowed_people
add address=1.1.1.1 list=secure_dns
add address=8.8.8.8 list=secure_dns
add address=212.111.4.206 comment=aaaaa list=allowed_people
add address=94.228.83.136 comment=aaaaa list=allowed_people
add list=bad_attempts
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter
add action=accept chain=input comment=\
"Accepting established, related, untracked connections" connection-state=\
established,related,untracked
add action=accept chain=forward connection-state=\
established,related,untracked
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment=L2TP disabled=yes dst-port=\
500,1701,4500 protocol=udp
add action=accept chain=input comment="accept local" in-interface-list=LAN
add action=accept chain=forward in-interface-list=LAN
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
add action=jump chain=forward comment="All new jump to detect-ddos" \
connection-state=new jump-target=detect-ddos src-address=!192.168.0.0/16
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
address-list-timeout=25m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=25m chain=detect-ddos
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
new jump-target=SYN-Protect protocol=tcp src-address=!192.168.0.0/16 \
tcp-flags=syn
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" disabled=yes \
dst-address-list=not_in_internet in-interface=bridge-home-88 \
out-interface=!bridge-home-88
add action=add-src-to-address-list address-list=port:aaaa \
address-list-timeout=1m chain=input comment="Start of port knocking" \
dst-port=aaaa log=yes log-prefix=_endor_knock protocol=tcp
add action=add-src-to-address-list address-list=port:bbbb \
address-list-timeout=1m chain=input dst-port=bbbb log=yes log-prefix=\
_endor_knock protocol=tcp src-address-list=port:aaaa
add action=add-src-to-address-list address-list=bad_attempts \
address-list-timeout=none-dynamic chain=input dst-port=bbbb log=yes \
log-prefix=_endor_bad_knock protocol=tcp src-address-list=!port:aaaa
add action=add-src-to-address-list address-list=bad_attempts \
address-list-timeout=none-dynamic chain=input dst-port=eeee log=yes \
log-prefix=_endor_bad_knock protocol=tcp src-address-list=!port:bbbb
add action=add-src-to-address-list address-list=port:eeee \
address-list-timeout=1m chain=input dst-port=eeee log=yes log-prefix=\
_endor_knock protocol=tcp src-address-list=port:bbbb
add action=add-src-to-address-list address-list=bad_attempts \
address-list-timeout=none-dynamic chain=input dst-port=dddd log=yes \
log-prefix=_endor_bad_knock_last protocol=tcp src-address-list=!port:eeee
add action=add-src-to-address-list address-list=secure address-list-timeout=\
1m chain=input dst-port=dddd log=yes log-prefix=_endor_knock_last \
protocol=tcp src-address-list=port:eeee
add action=accept chain=forward comment="Accepting POL just to be sure" \
dst-port=cccc protocol=tcp
add action=accept chain=input dst-port=cccc protocol=tcp
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward in-interface-list=!LAN
add action=drop chain=input in-interface-list=!LAN
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=SYN-Protect connection-state=new limit=150,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment=censored dst-port=cccc \
in-interface=pppoe-out1 protocol=tcp src-address-list=secure \
to-addresses=192.168.78.21 to-ports=cccc
add action=dst-nat chain=dstnat comment=censored dst-port=ffff \
in-interface=pppoe-out1 protocol=tcp src-address-list=secure \
to-addresses=192.168.78.21 to-ports=cccc
add action=dst-nat chain=dstnat comment=censored dst-port=kkkk \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=3389
add action=dst-nat chain=dstnat comment=censored dst-port=13003 \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=3306
add action=dst-nat chain=dstnat comment="az bude neco treba" disabled=yes \
dst-port=13004 in-interface=pppoe-out1 protocol=tcp src-address-list=\
allowed_people to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=censored dst-port=jjjj \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=2597
add action=dst-nat chain=dstnat comment=censored_shadow dst-port=\
kkkk in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=2598
add action=dst-nat chain=dstnat comment=censored dst-port=mmmm \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.21 to-ports=23
add action=dst-nat chain=dstnat comment=censored dst-port=nnnn \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.27 to-ports=24
add action=dst-nat chain=dstnat comment=censored dst-port=gggg \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.27 to-ports=3389
add action=dst-nat chain=dstnat comment=censored dst-port=hhhh \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.27 to-ports=8080
add action=dst-nat chain=dstnat comment=censored dst-port=hhhh \
in-interface=pppoe-out1 protocol=tcp src-address-list=allowed_people \
to-addresses=192.168.78.31 to-ports=3389
add action=dst-nat chain=dstnat comment=censored dst-port=iiii\
in-interface=pppoe-out1 protocol=tcp src-address-list=secure \
to-addresses=192.168.78.31 to-ports=5010
add action=dst-nat chain=dstnat comment=censored dst-address=\
mypublicip dst-port=80 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.78.15 to-ports=80
/ip firewall raw
add action=drop chain=prerouting src-address-list=ddos-attackers
add action=drop chain=prerouting dst-port=65372 protocol=tcp
add action=accept chain=prerouting comment=\
"accept only google and cloudfare DNS" protocol=udp src-address-list=\
secure_dns src-port=53
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
disabled=yes dst-address=255.255.255.255 dst-port=67 in-interface-list=\
LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment=wireguard dst-port=13231 protocol=\
udp
add action=accept chain=prerouting comment=L2TP disabled=yes dst-port=\
500,1701,4500 protocol=udp
add action=drop chain=prerouting comment="drop DNS (UDP) krome zevnitr" \
in-interface-list=!LAN protocol=udp
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface=pppoe-out1 src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=192.168.0.0/16 \
in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!192.168.0.0/16 src-address-list=""
add action=jump chain=prerouting comment="jump to TCP chain" disabled=yes \
jump-target=tcp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to bad TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=tcp protocol=tcp src-address-list=allowed_people
add action=accept chain=tcp dst-port=80 protocol=tcp
add action=accept chain=tcp dst-port=443 protocol=tcp
add action=accept chain=tcp dst-port=aaaa protocol=tcp
add action=accept chain=tcp dst-port=eeee protocol=tcp
add action=accept chain=tcp dst-port=dddd protocol=tcp
add action=accept chain=tcp dst-port=bbbb protocol=tcp
add action=accept chain=tcp dst-port=ffff protocol=tcp
add action=accept chain=tcp dst-port=iiiiprotocol=tcp
add action=accept chain=tcp dst-port=cccc protocol=tcp
add action=accept chain=tcp dst-address=192.168.0.0/16 in-interface=\
pppoe-out1
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=demostenes profile=L2TP service=l2tp
/system clock
set time-zone-name=Europe/Prague
/system logging
add action=remotekiwi topics=info
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing
set store-every=24hours
/tool graphing interface
add allow-address=192.168.0.0/16 interface=pppoe-out1
add allow-address=192.168.0.0/16 interface=bridge-servers-78
/tool graphing queue
add allow-address=192.168.0.0/16
/tool graphing resource
add allow-address=192.168.0.0/16
I am trying to add wireguard VPN, so far I am able to connect, but i cant route to anything (probably some issues with adresses and bridges and vlans). What is suprising, that according to windows client I am able to log in even if wireguard and its peer are disabled. And I dont see such connection in connections list.