So I’ve made an effort to give you a working config that is also, for the most part, secure. It will need tweaking depending on your exact networking needs. There are also a few parts where you’ll need to insert information, such as defining NTP servers for your switch. Note that I’ve made some changes to make the config a little easier to follow, such as renaming some ports. Also, do you need your SFP ports slaved to your WAN/outbound interface? Assuming not, I’ve moved them to be internal and slaved to your master internal interface.
Also, I’ve made port 8 part of the Management VLAN, so your PC should pick up a DHCP address in the 192.168.88.x subnet and be able to access the management interface directly. However, I’ve also included a firewall rule that allows forwarding between internal networks, so you ought to be able to plug into any other port (getting a 192.168.7.x address) and reach the Management address as well. This rule can easily be modified to deny the 192.168.7.x subnet access to the management interface, in which case you’ll need to be plugged into port 8.
I’ve also added comments to the firewall rules so you clearly see their purpose. Modify as needed for your environment, but be careful you don’t lock yourself out. I’d recommend configuring the switch via the RJ-45 serial port.
/interface ethernet
# Port roles: ether1 is the WAN/outbound port, ether2 is the master of the internal switch
# group, and ether3-8 plus sfp9-12 are slaved to it. ether2 itself keeps its default settings.
set [ find default-name=ether1 ] mac-address=F8:1A:67:xx:xx:xx name=ether1-WAN
# NOTE(review): arp=disabled is set on ether3 only; confirm this is intentional.
set [ find default-name=ether3 ] arp=disabled master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether2
set [ find default-name=ether8 ] master-port=ether2
# SFP ports are internal (slaved to ether2), not part of the WAN side.
set [ find default-name=sfp9 ] master-port=ether2
set [ find default-name=sfp10 ] master-port=ether2
set [ find default-name=sfp11 ] master-port=ether2
set [ find default-name=sfp12 ] master-port=ether2
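/interface vlan
# Router-side VLAN interfaces; both sit on ether2, the master port of the internal switch group.
add interface=ether2 name=Management vlan-id=100
add interface=ether2 name=Clients vlan-id=200
/interface ethernet switch vlan
# Switch-chip VLAN membership: ether2-7 carry the client VLAN (200), ether8 is the
# management port (100). switch1-cpu is a member of both so the router can see them.
add ports=ether2,ether3,ether4,ether5,ether6,ether7,switch1-cpu vlan-id=200
add ports=ether8,switch1-cpu vlan-id=100
/interface ethernet switch ingress-vlan-translation
# Untagged frames are assigned to the VLAN of the port they arrive on.
# NOTE(review): no ingress VLAN filtering option for the switch chip is shown in this
# config; confirm that frames arriving already tagged on a client port cannot be placed
# into VLAN 100.
add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=200 ports=\
ether2,ether3,ether4,ether5,ether6,ether7 sa-learning=yes
add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=100 ports=\
ether8 sa-learning=yes
/interface ethernet switch egress-vlan-tag
# Frames towards the CPU port leave tagged so the /interface vlan entries above match them.
# The original had "switch1-vpu" on the VLAN 200 entry, which is not a port; both entries
# must reference switch1-cpu or VLAN 200 never reaches the Clients interface.
add tagged-ports=switch1-cpu vlan-id=100
add tagged-ports=switch1-cpu vlan-id=200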
/ip hotspot profile
# Hotspot is not otherwise used in this config; this only points the default profile's HTML
# directory at flash storage.
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# Client addresses leave .254 free for the router; management pool leaves .1 for the router.
add name=dhcp_pool1 ranges=192.168.7.1-192.168.7.253
add name=dhcp_pool_mgmt ranges=192.168.88.2-192.168.88.254
/ip dhcp-server network
# Clients are handed the upstream resolvers directly; the router itself does not answer DNS
# for them (no allow-remote-requests is set below and no UDP/53 input rule exists).
add address=192.168.7.0/24 gateway=192.168.7.254 dns-server=10.10.73.1,213.xx.xx.xx
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=10.10.73.1,213.xx.xx.xx
/ip dhcp-server
# One DHCP server per VLAN interface, each bound to its own pool.
add address-pool=dhcp_pool1 always-broadcast=yes disabled=no interface=Clients name=dhcp1
add address-pool=dhcp_pool_mgmt disabled=no interface=Management name=dhcp_mgmt
/ip address
# 192.168.88.1 is the only address the firewall permits Winbox to (see the input chain).
add address=192.168.88.1/24 comment=defconf interface=Management network=192.168.88.0
# WAN side uses a static address; no /ip dhcp-client is defined in this config.
add address=10.10.73.52/24 interface=ether1-WAN network=10.10.73.0
add address=192.168.7.254/24 interface=Clients network=192.168.7.0
/ip dns
# Resolvers used by the router itself; remote requests are not enabled here.
set servers=10.10.73.1,213.xx.xx.xx
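/ip firewall nat
# Outbound NAT for everything leaving via the WAN port.
add chain=srcnat action=masquerade out-interface=ether1-WAN
# Inbound port forwards to 192.168.7.104. The WAN port is named ether1-WAN (see
# /interface ethernet); the original referenced a non-existent "ether1-master", so these
# rules would never have matched.
add chain=dstnat in-interface=ether1-WAN dst-port=1667 protocol=tcp action=dst-nat to-addresses=192.168.7.104 \
to-ports=1667
add chain=dstnat in-interface=ether1-WAN dst-port=2312 protocol=tcp action=dst-nat to-addresses=192.168.7.104 \
to-ports=2312
add chain=dstnat in-interface=ether1-WAN dst-port=3343 protocol=tcp action=dst-nat to-addresses=192.168.7.104 \
to-ports=3343
/ip firewall filter
# The rules below were listed under /ip firewall nat in the original. chain=input/forward
# with action=accept/drop/fasttrack-connection are filter rules and belong in this table.
# --- input chain: traffic addressed to the router itself ---
add chain=input in-interface=ether1-WAN connection-state=established,related action=accept \
comment="Accept inbound related/established"
# Replies to the router's own NTP client should already match the established/related rule
# above; this keeps an explicit allow from the configured servers only.
add chain=input in-interface=ether1-WAN src-address=<n.t.p.server1>,<n.t.p.server2> protocol=udp dst-port=123 action=accept \
comment="Accept inbound NTP responses from defined NTP Servers"
add chain=input in-interface=ether1-WAN action=drop comment="Drop unsolicited inbound traffic from WAN"
add chain=input in-interface=!ether1-WAN protocol=icmp action=accept comment="Accept icmp on internal interfaces"
# Winbox is accepted only towards the Management address, from any non-WAN interface.
# To require being plugged into port 8, add in-interface=Management to this rule instead.
add chain=input in-interface=!ether1-WAN dst-address=192.168.88.1 protocol=tcp dst-port=8291 action=accept \
comment="Accept Winbox Management traffic from internal interfaces only"
# Original had "!ether1_WAN" (underscore), which does not match any interface.
add chain=input in-interface=!ether1-WAN protocol=udp dst-port=67 action=accept comment="Accept internal DHCP requests"
add chain=input in-interface=!ether1-WAN action=drop comment="Drop all remaining inbound traffic"
# --- forward chain: traffic routed through the router ---
add chain=forward connection-state=related,established action=fasttrack-connection \
comment="FastTrack Related/Established connections"
add chain=forward connection-state=related,established action=accept comment="Accept non-FastTrack Rel/Est connections"
# Allows Clients (192.168.7.x) and Management (192.168.88.x) hosts to reach each other.
# To isolate the management network, restrict this with src-address/dst-address or drop it.
add chain=forward in-interface=!ether1-WAN out-interface=!ether1-WAN action=accept \
comment="Accept forwarding between internal networks"
add chain=forward out-interface=ether1-WAN action=accept comment="Accept outbound connection from internal networks"
# Must list the same ports as the dstnat rules above.
add chain=forward in-interface=ether1-WAN dst-address=192.168.7.104 dst-port=1667,2312,3343 protocol=tcp action=accept \
comment="Accept post-nat port forwarding"
add chain=forward action=drop comment="Drop all remaining traffic"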
/ip route
# Default route via the upstream gateway on the WAN subnet.
add distance=1 gateway=10.10.73.1
/ip service
# Only Winbox (8291) is left enabled; it is further limited by the firewall input chain.
# NOTE(review): the service can additionally be bound to the management subnet with its
# address= parameter; www-ssl is not listed here, so confirm its state on the device.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
# NOTE(review): "Europe" alone is not a complete zone name; use the region/city form for
# your location (e.g. Europe/<City>).
set time-zone-name=Europe
/system ntp client
# Replace xx.xx.xx.xx with the servers also listed in the NTP input rule in the firewall.
set enabled=yes primary-ntp=xx.xx.xx.xx secondary-ntp=xx.xx.xx.xx
/system routerboard settings
# Left disabled as in the original; enabling it prevents reset/netinstall recovery, so only
# change it once you are sure you cannot lock yourself out.
set protected-routerboot=disabled