Hotspot on ROS v7 with IPv6 and bandwidth control.

Hi Everyone!
For the past few years we have been using the MikroTik Hotspot feature and it works great; unfortunately, its one drawback is that it only works with IPv4, not IPv6.

Enabling IPv6 allows users to reach the internet even without logging in.

After searching multiple forums I found that, by adding a few firewall rules, you can prevent users from reaching the internet over IPv6 until they log in; there are a few bugs, but it works.

The only remaining issue is that I can’t restrict bandwidth, and this feature is important.

FYI
I am using queue tables for bandwidth control.

Hi,

After searching multiple forums I found that, by adding a few firewall rules, you can prevent users from reaching the internet over IPv6 until they log in; there are a few bugs, but it works.

Could you share your config?

Thanks
Bernd



# 2024-07-20 16:15:51 by RouterOS 7.15.2
# software id = WYZJ-T0LD
#
# model = C52iG-5HaxD2HaxD
# serial number = HEP08XH7VN4
# NOTE(review): the software id, serial number, admin-mac, the PPPoE account
# name and the back-to-home key pair (under /ip cloud back-to-home-users)
# identify this router and its ISP account; redact them, and regenerate the
# key pair, before sharing an export publicly.
/interface bridge
add admin-mac=48:A9:8A:FD:2A:07 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
# Second bridge carrying the hotspot network (ether3-ether5 are its ports,
# see /interface bridge port).
add name=hotspot port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Pakistan .mode=ap .ssid=MikroTik-hAP-ax2-6G name=\
    wifi1-5ghz security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid=MikroTik-hAP-ax2-4G name=wifi2-2ghz \
    security.authentication-types=wpa2-psk,wpa3-psk
# wifi3 is an open SSID: authentication-types and encryption are both "".
# Usual for a captive-portal network, but this export does not add wifi3 to
# any bridge port, so which network it actually lands on is not visible here.
add configuration.mode=ap .ssid=BTHHub5A-4G interworking.hotspot20=no \
    .internet=yes .network-type=private .wan-status=reserved mac-address=\
    4A:A9:8A:FD:2A:0C master-interface=wifi2-2ghz name=wifi3 \
    security.authentication-types="" .encryption=""
# wifi4 ("Admin") still accepts wpa-psk (WPA1); a management SSID should use
# wpa2-psk/wpa3-psk only, as wifi1/wifi2 above already do.
add configuration.mode=ap .ssid=Admin interworking.hotspot20=yes mac-address=\
    4A:A9:8A:FD:2A:0B master-interface=wifi2-2ghz mtu=1500 name=wifi4 \
    security.authentication-types=wpa-psk,wpa2-psk
/interface pppoe-client
# WAN uplink; the ISP account name is visible here (no password appears in the
# export).
add add-default-route=yes disabled=no interface=ether1 max-mru=1500 max-mtu=\
    1480 name=Storm-Fiber-35Mbps-25Mbps user=3044888128@stormfiber.com
/interface wireguard
# Listens on UDP 60676; the "allow Wireguard" input rule in /ip firewall filter
# opens UDP 443 instead, so the two do not match.
add comment=back-to-home-vpn listen-port=60676 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=ether5 name=vlan7-IOT-Linksys-Supply vlan-id=7
add interface=ether4 name=vlan55-IoT-BT-WiFi vlan-id=55
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): "dynamic" and "static" are RouterOS built-in lists; "static"
# presumably holds every statically configured interface, i.e. also ether1 and
# the PPPoE client - verify. If so, every rule matching
# in-interface-list=LAN+WLAN (input filter, mac-server) also matches the WAN
# side, and the "drop all not coming from LAN" input rule protects nothing.
add include=LAN,dynamic,static name=LAN+WLAN
/interface wifi configuration
add country=Pakistan disabled=yes mode=ap name=cfg1 ssid=BTHHUB5A-2G
/ip hotspot profile
# Login methods: MAC, HTTP-CHAP and MAC cookie. MAC-based login identifies a
# client by an address the client controls, so treat it as convenience rather
# than authentication when it decides which bandwidth profile a client gets.
add dns-name=server.com hotspot-address=172.16.1.1 login-by=\
    mac,http-chap,mac-cookie mac-auth-mode=mac-as-username-and-password name=\
    hs1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# hs-pool-10 is not referenced by any server or profile in this export.
add name=hs-pool-10 ranges=172.16.0.1-172.16.1.0,172.16.1.2-172.16.3.254
# Per-profile pools; each is meant to pair with a same-named
# /ip firewall address-list that the mangle rules key on. The Ahsan pool
# (172.16.2.x) does not overlap the "Ahsan" address-list as written further
# down, so clients of that profile currently get no marks.
add name=Ahsan ranges=172.16.2.2-172.16.2.95
add name=uperwaly ranges=172.16.1.192/28
add name=dani ranges=172.16.1.160/27
add name=default ranges=172.16.1.128/27
add name=guest ranges=172.16.1.96/27
add name=hamza ranges=172.16.1.80/28
add name=dhcp_pool7 ranges=172.16.0.2-172.16.0.254
add name=elite ranges=172.16.1.208/28
add name=semi-blocked ranges=172.16.1.64/29
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=miamivpn_pool ranges=192.168.222.2-192.168.222.222
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
# Pre-login addresses for hotspot clients; the profile pool replaces them on
# login (see address-pool on the user profiles below).
add address-pool=dhcp_pool7 interface=hotspot lease-time=1d name=dhcp1
/ip hotspot
add address-pool=dhcp_pool7 addresses-per-mac=1 disabled=no interface=hotspot \
    name=hotspot1 profile=hs1
/ip hotspot user profile
# Each profile moves the client into its own pool and address-list; the
# address-list is what the mangle/queue-tree rules shape on.
set [ find default=yes ] add-mac-cookie=no address-list=default address-pool=\
    default shared-users=2
add address-list=uperwaly address-pool=uperwaly !idle-timeout name=Uperwaly \
    shared-users=2
add address-list=Hamza address-pool=hamza !idle-timeout name=hamza \
    shared-users=4
add address-list=dani address-pool=dani !idle-timeout keepalive-timeout=5m \
    name=dani
add address-list=Ahsan address-pool=Ahsan !idle-timeout name=AhsanAhsan \
    shared-users=2 transparent-proxy=yes
add add-mac-cookie=no address-list=Guest address-pool=guest !idle-timeout \
    !mac-cookie-timeout name=guest101 shared-users=4
add add-mac-cookie=no address-list=smi-blkd address-pool=semi-blocked \
    !idle-timeout !mac-cookie-timeout name=semi-blocked
# Elite has no address-list set, so its clients are never matched by the
# elite mangle rules even once the Ahsan_elite list name is fixed.
add address-pool=elite !idle-timeout !keepalive-timeout \
    mac-cookie-timeout=1w name=Elite shared-users=4 transparent-proxy=\
    yes
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
# *FFFFFFFE is an export-internal id, presumably the built-in default profile.
# VPN clients get 192.168.89.x from the "vpn" pool.
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add dst=192.168.88.0/24 limit-at=512k/512k max-limit=10M/10M name=test \
    target=vlan55-IoT-BT-WiFi
/queue type
# NOTE(review): two names disagree with their rates: pcq-d-dani-8M is limited
# to 7M and pcq-u-guest-7M to 4M. Harmless, but misleading when tuning.
add kind=pcq name=pcq-d-Ahsan-12M pcq-classifier=dst-address pcq-rate=12M
add kind=pcq name=pcq-u-hamza-5M pcq-classifier=src-address pcq-rate=5M
add kind=pcq name=pcq-d-dani-8M pcq-classifier=dst-address pcq-rate=7M
add kind=pcq name=pcq-d-guest-4M pcq-classifier=dst-address pcq-rate=4M
add kind=pcq name=pcq-d-hamza-5M pcq-classifier=dst-address pcq-rate=5M
add kind=pcq name=pcq-d-uprwaly-4M pcq-classifier=dst-address pcq-rate=4M
add kind=pcq name=pcq-d-default-2M pcq-classifier=dst-address pcq-rate=2M
add kind=pcq name=pcq-u-dani-8M pcq-classifier=src-address pcq-rate=8M
add kind=pcq name=pcq-u-uprwaly-4M pcq-classifier=src-address pcq-rate=4M
add kind=pcq name=pcq-u-guest-7M pcq-classifier=src-address pcq-rate=4M
add kind=pcq name=pcq-u-default-2M pcq-classifier=src-address pcq-rate=2M
add kind=pcq name=pcq-u-Ahsan-7M pcq-burst-rate=22M pcq-classifier=\
    src-address pcq-rate=7M
/queue tree
# Download shaping hangs off global-in, upload off global-out; each leaf is
# selected by the packet mark set in /ip firewall mangle.
add name=global-in parent=global queue=default
add name=global-out parent=global queue=default
# admin-ssid leaves: their packet marks depend on the admin-ssid address-list,
# which is disabled, so these queues currently see no traffic.
add limit-at=14M max-limit=30M name=upload_admin-ssid packet-mark=up_pkt_asid \
    parent=global-out priority=1
add limit-at=12M max-limit=30M name=download-Ahsan packet-mark=dw_pkt_a \
    parent=global-in priority=6
add limit-at=512k max-limit=768k name=download_semiblock packet-mark=\
    dw_pkt_sb parent=global-in priority=7
# Elite leaves are disabled; note the mark-connection rule feeding them also
# references a non-existent list (Ahsan_elite), so enabling them alone will
# not shape anything.
add disabled=yes limit-at=5M max-limit=7M name=upload_elite \
    packet-mark=up_pkt_ue parent=global-out priority=2
add disabled=yes limit-at=12M max-limit=14M name=download_elite \
    packet-mark=dw_pkt_ue parent=global-in priority=4
add limit-at=512k max-limit=768k name=upload_semiblock packet-mark=up_pkt_sb \
    parent=global-out priority=7
add limit-at=8M max-limit=10M name=upload_dani packet-mark=up_pkt_da parent=\
    global-out priority=3 queue=pcq-u-dani-8M
add limit-at=6M max-limit=8M name=download_hamzaa packet-mark=dw_pkt_h \
    parent=global-in priority=2 queue=pcq-d-hamza-5M
add limit-at=7M max-limit=9M name=download_uprwale packet-mark=dw_pkt_u \
    parent=global-in priority=5 queue=pcq-d-uprwaly-4M
add limit-at=3M max-limit=8M name=download_guest_ packet-mark=dw_pkt_g \
    parent=global-in priority=7 queue=pcq-d-guest-4M
add limit-at=2M max-limit=4M name=download_default_ packet-mark=dw_pkt_df \
    parent=global-in queue=default
add burst-limit=15M burst-threshold=15M burst-time=10s limit-at=10M \
    max-limit=12M name=download_dani packet-mark=dw_pkt_da parent=global-in \
    priority=3 queue=pcq-d-dani-8M
# NOTE(review): upload_guest uses pcq-u-hamza-5M and upload_hamza uses
# pcq-d-hamza-5M (a dst-address classifier on the upload side); both look like
# copy-paste slips - each upload leaf should use its own src-address PCQ
# (pcq-u-guest-7M / pcq-u-hamza-5M).
add limit-at=3M max-limit=8M name=upload_guest packet-mark=up_pkt_g parent=\
    global-out priority=7 queue=pcq-u-hamza-5M
add limit-at=4M max-limit=7M name=upload_hamza packet-mark=up_pkt_h parent=\
    global-out priority=4 queue=pcq-d-hamza-5M
add limit-at=3M max-limit=6M name=upload_uprwale packet-mark=up_pkt_u parent=\
    global-out priority=5 queue=pcq-u-uprwaly-4M
add limit-at=2M max-limit=4M name=upload_default_ packet-mark=up_pkt_df \
    parent=global-out priority=6 queue=pcq-upload-default
add limit-at=12M max-limit=30M name=download_admin-ssid packet-mark=\
    dw_pkt_asid parent=global-in priority=6
/ip smb
set enabled=no
/interface bridge filter
# Bridge "forward" chain (port-to-port traffic inside a bridge, no bridge
# specified so it applies to both bridges): only IPv6 frames pass, everything
# else - including IPv4 and ARP between ports of the same bridge - is dropped.
# Looks like client isolation; traffic to the router itself is unaffected.
# Confirm this is intended on the "bridge" bridge as well as on "hotspot".
add action=accept chain=forward mac-protocol=ipv6
add action=drop chain=forward
# in/out-bridge-port matcher not possible when interface (ether1) is not slave
# Only PPPoE frames are allowed in/out of ether1 at bridge level; as the export
# comment says, ether1 is not a bridge port, so these are matched by interface.
add action=jump chain=input in-interface=ether1 jump-target=input-wan
add action=accept chain=input-wan mac-protocol=pppoe-discovery
add action=accept chain=input-wan mac-protocol=pppoe
add action=drop chain=input-wan
# in/out-bridge-port matcher not possible when interface (ether1) is not slave
add action=jump chain=output jump-target=output-wan out-interface=ether1
add action=accept chain=output-wan mac-protocol=pppoe-discovery
add action=accept chain=output-wan mac-protocol=pppoe
add action=drop chain=output-wan
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=hotspot comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=hotspot comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=hotspot comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
# NOTE(review): bridge=*15 is an unresolved internal id - no bridge with that
# id exists in this export (only "bridge" and "hotspot"), so wifi1/wifi2
# appear not to be bridged at all here. interface=*13 further down (dhcp-client,
# nat) is the same kind of dangling reference.
add bridge=*15 comment=defconf interface=wifi1-5ghz internal-path-cost=10 \
    path-cost=10
add bridge=*15 comment=defconf interface=wifi2-2ghz internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=vlan7-IOT-Linksys-Supply
add bridge=bridge interface=vlan55-IoT-BT-WiFi
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
/interface l2tp-server server
# L2TP/IPsec server enabled. No ipsec-secret is visible in the export (hidden
# or unset - verify), and the only /ppp secret ("vpn") shows no password
# either.
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The hotspot bridge is in LAN+WLAN, the list the IPv4 input filter and
# mac-server trust.
add interface=hotspot list=LAN+WLAN
add interface=bridge list=LAN+WLAN
add interface=Storm-Fiber-35Mbps-25Mbps list=WAN
/interface wifi cap
set caps-man-addresses="" discovery-interfaces=hotspot enabled=yes
/interface wifi capsman
set interfaces=all package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=cfg1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.16.1.1/22 comment="hotspot network" interface=hotspot \
    network=172.16.0.0
# NOTE(review): no prefix length (defaults to /32) and network=192.168.1.1 does
# not match the address; 192.168.1.224/24 with network=192.168.1.0 is
# presumably what was meant.
add address=192.168.1.224 interface=ether1 network=192.168.1.1
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-users
# Back-to-home peer with its private key in clear text. This key pair has been
# published together with the export; regenerate it.
add allow-lan=yes comment=" samsung SM-A546E" name=hAP-ax2 private-key=\
    "wKBj4FYf/g$Jd+Ov0$+zAjsa$7yt+JLXpEsaszO9lukyS6hxdEA=" public-key=\
    "+a81Dqqhxxaasm+yxazanFLBVCQa8LX8saJ8PMo75IW4GYIjTU="
/ip dhcp-client
add comment=defconf interface=ether1
add default-route-distance=5 disabled=yes interface=*13
/ip dhcp-server network
add address=172.16.0.0/22 comment="hotspot network" dns-server=172.16.1.1 \
    gateway=172.16.1.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# The router answers DNS for any source; exposure is governed only by the
# input filter (see the LAN+WLAN note on /interface list). Restrict to LAN
# sources or add an explicit input drop for port 53 from WAN.
set allow-remote-requests=yes servers=103.86.96.103,103.86.99.103 \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=172.16.1.1 name=wifi.login ttl=5m
/ip firewall address-list
# NOTE(review): 172.168.77.224 is outside the hotspot range (172.16.0.0/22) and
# numerically above the range end, and the Ahsan pool is 172.16.2.2-172.16.2.95.
# That pool range is presumably what was meant; until fixed, Ahsan-profile
# clients match no mangle rule and are not shaped.
add address=172.168.77.224-172.16.1.250 list=Ahsan
add address=172.16.1.192/28 list=uperwaly
add address=172.16.1.160/27 list=dani
add address=172.16.1.128/27 list=default
add address=172.16.1.96/27 list=Guest
add address=172.16.1.80/28 list=Hamza
add address=172.16.0.1-172.16.1.207 disabled=yes list=lteblock
add address=172.16.1.208/28 list=elite
add address=172.16.1.64/29 list=smi-blkd
# Disabled, so the admin-ssid mangle marks and queue-tree leaves never match.
add address=192.168.88.0/24 disabled=yes list=admin-ssid
/ip firewall filter
# NOTE(review): labelled "allow Wireguard" but opens UDP 443 from any source,
# while the WireGuard interface listens on UDP 60676 (see /interface wireguard).
# Either change dst-port to 60676 or remove the rule.
add action=accept chain=input comment="allow Wireguard" dst-port=443 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# NOTE(review): this is the IPv4 table; UDP 546 (DHCPv6) is IPv6-only, so the
# rule presumably never matches and can be removed.
add action=accept chain=forward comment="ipv6 traffic" dst-port=546 protocol=\
    udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The input chain has no terminal drop: after this rule every source in
# LAN+WLAN (the hotspot bridge included, and possibly WAN - see the LAN+WLAN
# note on /interface list) reaches every router service (Winbox, DNS, www,
# L2TP). Consider restricting management services to the admin bridge.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN+WLAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Kept disabled, presumably on purpose: fasttracked connections skip the
# mangle packet marks the queue tree relies on.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Forward chain: nothing here separates the hotspot network (172.16.0.0/22)
# from the admin LAN (192.168.88.0/24); logged-in hotspot clients can reach
# LAN hosts. Add a drop for in-interface=hotspot dst-address=192.168.88.0/24
# if that is not wanted.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NOTE(review): placed after the "drop all not coming from LAN" rule, so it
# only ever sees LAN+WLAN traffic, which the chain accepts by default anyway -
# this rule has no effect as positioned.
add action=accept chain=input connection-state=established,related,new \
    dst-port=8291 protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
/ip firewall mangle
# Presumably the anti-tethering trick: packets leave toward hotspot clients
# with TTL 1, so a client that forwards them onward produces TTL 0. Any
# legitimate router behind a hotspot client breaks as well.
add action=change-ttl chain=postrouting comment="Disable Hotspot sharing" \
    new-ttl=set:1 out-interface=hotspot passthrough=yes
# Per-profile marking: a connection is marked when a packet arriving from WAN
# toward the profile's address-list is seen; packet marks are then split by
# direction (dst-list = download, src-list = upload) for the queue tree.
# Connection-mark names mix du_/dw_ prefixes but are consistent per profile.
add action=mark-connection chain=forward comment=Ahsan dst-address-list=\
    Ahsan in-interface-list=WAN new-connection-mark=du_hotspot_a \
    passthrough=yes
add action=mark-packet chain=forward comment=Ahsan-Download connection-mark=\
    du_hotspot_a dst-address-list=Ahsan new-packet-mark=dw_pkt_a \
    passthrough=no
add action=mark-packet chain=forward comment=Ahsan-Upload connection-mark=\
    du_hotspot_a new-packet-mark=up_pkt_a passthrough=no src-address-list=\
    Ahsan
add action=mark-connection chain=forward comment=admin-ssid dst-address-list=\
    admin-ssid in-interface-list=WAN new-connection-mark=du_hotspot_asid \
    passthrough=yes
add action=mark-packet chain=forward comment=Admin-SSID-Download \
    connection-mark=du_hotspot_asid dst-address-list=admin-ssid \
    new-packet-mark=dw_pkt_asid passthrough=no
add action=mark-packet chain=forward comment=Admin-SSID-Upload \
    connection-mark=du_hotspot_asid new-packet-mark=up_pkt_asid passthrough=\
    no src-address-list=admin-ssid
# NOTE(review): dst-address-list=Ahsan_elite - no such list exists in
# /ip firewall address-list (the list is named "elite"), so this connection
# mark is never set and the Elite download/upload packet marks below never
# match. The comment also still says "Ahsan". Use dst-address-list=elite.
add action=mark-connection chain=forward comment=Ahsan dst-address-list=\
    Ahsan_elite in-interface-list=WAN new-connection-mark=du_hotspot_ue \
    passthrough=yes
add action=mark-packet chain=forward comment=Elite-Download connection-mark=\
    du_hotspot_ue dst-address-list=elite new-packet-mark=dw_pkt_ue \
    passthrough=no
add action=mark-packet chain=forward comment=elite-Upload connection-mark=\
    du_hotspot_ue new-packet-mark=up_pkt_ue passthrough=no src-address-list=\
    elite
add action=mark-connection chain=forward comment=Guest dst-address-list=Guest \
    in-interface-list=WAN new-connection-mark=dw_hotspot_g passthrough=yes
add action=mark-packet chain=forward comment=Guest-Download connection-mark=\
    dw_hotspot_g dst-address-list=Guest new-packet-mark=dw_pkt_g passthrough=\
    no
add action=mark-packet chain=forward comment=Guest-Upload connection-mark=\
    dw_hotspot_g new-packet-mark=up_pkt_g passthrough=no src-address-list=\
    Guest
add action=mark-connection chain=forward comment=Hamza dst-address-list=Hamza \
    in-interface-list=WAN new-connection-mark=dw_hotspot_h passthrough=yes
add action=mark-packet chain=forward comment=Hamza-upload connection-mark=\
    dw_hotspot_h new-packet-mark=up_pkt_h passthrough=no src-address-list=\
    Hamza
add action=mark-packet chain=forward comment=Hamza-Download connection-mark=\
    dw_hotspot_h dst-address-list=Hamza new-packet-mark=dw_pkt_h passthrough=\
    no
add action=mark-connection chain=forward comment=Uperwaly dst-address-list=\
    uperwaly in-interface-list=WAN new-connection-mark=dw_hotspot_u \
    passthrough=yes
add action=mark-packet chain=forward comment=Uperwaly-Upload connection-mark=\
    dw_hotspot_u new-packet-mark=up_pkt_u passthrough=no src-address-list=\
    uperwaly
add action=mark-packet chain=forward comment=Uperwaly-Download \
    connection-mark=dw_hotspot_u dst-address-list=uperwaly new-packet-mark=\
    dw_pkt_u passthrough=no
add action=mark-connection chain=forward comment=Dani dst-address-list=dani \
    in-interface-list=WAN new-connection-mark=dw_hotspot_da passthrough=yes
add action=mark-packet chain=forward comment=Dani-Download connection-mark=\
    dw_hotspot_da dst-address-list=dani new-packet-mark=dw_pkt_da \
    passthrough=no
add action=mark-packet chain=forward comment=Dani-Upload connection-mark=\
    dw_hotspot_da new-packet-mark=up_pkt_da passthrough=no src-address-list=\
    dani
add action=mark-connection chain=forward comment=Default dst-address-list=\
    default in-interface-list=WAN new-connection-mark=dw_hotspot_df \
    passthrough=yes
add action=mark-packet chain=forward comment=Default-Download \
    connection-mark=dw_hotspot_df dst-address-list=default new-packet-mark=\
    dw_pkt_df passthrough=no
add action=mark-packet chain=forward comment=default-Upload connection-mark=\
    dw_hotspot_df new-packet-mark=up_pkt_df passthrough=no src-address-list=\
    default
add action=mark-connection chain=forward comment=Semi-Blocked \
    dst-address-list=smi-blkd in-interface-list=WAN new-connection-mark=\
    dw_hotspot_sb passthrough=yes
add action=mark-packet chain=forward comment=Semi-Blocked-Download \
    connection-mark=dw_hotspot_sb dst-address-list=smi-blkd new-packet-mark=\
    dw_pkt_sb passthrough=no
add action=mark-packet chain=forward comment=semi-blocked-Upload \
    connection-mark=dw_hotspot_sb new-packet-mark=up_pkt_sb passthrough=no \
    src-address-list=smi-blkd
/ip firewall nat
# Masquerades everything leaving via WAN - hotspot and admin LAN alike; the
# defconf rule restricted to 192.168.88.0/24 below is disabled.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    out-interface-list=WAN
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN src-address=192.168.88.0/24
# NOTE(review): out-interface=*13 is an unresolved internal id (the interface
# no longer exists in this export); both rules are disabled, so harmless
# until re-enabled.
add action=masquerade chain=srcnat disabled=yes out-interface=*13 \
    src-address-list=elite
add action=masquerade chain=srcnat disabled=yes out-interface=*13 \
    src-address-list=Ahsan
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip hotspot ip-binding
# Bypassed binding: this MAC skips hotspot login entirely, and its translated
# address 172.16.3.252 is in none of the profile address-lists, so it is also
# unmarked and unshaped.
add address=172.16.0.77 mac-address=C8:CA:AC:AC:CA:CA to-address=172.16.3.252 \
    type=bypassed
/ip hotspot user
# No password attributes are shown (presumably hidden by the export). User
# names written as MAC addresses pair with
# mac-auth-mode=mac-as-username-and-password in the hotspot profile.
add name=ahsan profile=guest101
add name=khursheed profile=Ahsan
add name=Sabiha profile=Ahsan
add name=hamza profile=hamza
add disabled=yes name=ismail1 profile=Uperwaly
add name=guest101 profile=guest101
add name=laptop profile=Ahsan
add name=dani11 profile=dani
add name=bhatti1 profile=dani
add name=bwp profile=dani
add name=abid333 profile=dani
add comment=Ahsan-Android-TV-Box disabled=yes name=C4:2A:FE:70:45:86 profile=\
    Ahsan
add name=bhatti2 profile=dani
add comment=Ahsan-Android-TV-Box-WiFi disabled=yes name=E0:76:D0:22:19:38 \
    profile=Ahsan
add name=suleman profile=Uperwaly
add comment=Ahsan-PC-LAN name=EC:B1:D7:60:8A:D9 profile=guest101
add comment=Ahsan-PC-WiFi disabled=yes name=90:F6:52:CA:FE:95 profile=\
    Ahsan
add name=talha profile=dani
add name=rehan profile=dani
add name=bwp2 profile=dani
add comment=Dani-Home-SameerHome-Mobile name=bwp1 profile=dani
add name=mubeen profile=dani
add name=E0:01:C7:BD:95:11 profile=Elite
add name=dani443 profile=dani server=hotspot1
/ip proxy
# Web proxy is used by the profiles with transparent-proxy=yes; whether the
# proxy itself is enabled is not visible in this export.
set cache-administrator="Ahsan Khursheed"
/ip service
# telnet/ftp/ssh/api/api-ssl are disabled. www is left open to 0.0.0.0/0
# (needed for the captive portal; reachability otherwise depends on the input
# filter). winbox is not listed, i.e. presumably at its default with no
# address restriction - set address= on it if it is used for management.
set telnet disabled=yes
set ftp disabled=yes
set www address=0.0.0.0/0
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 address
# All three LAN-side IPv6 addresses from the delegated pool are disabled, so
# clients behind this router currently get no global IPv6 from it; presumably
# this is how IPv6 is switched off while the hotspot-login problem is open.
add address=::1 disabled=yes from-pool=v6pool interface=bridge
add address=::1 disabled=yes from-pool=v6pool interface=\
    vlan7-IOT-Linksys-Supply
add address=::1 disabled=yes from-pool=v6pool interface=vlan55-IoT-BT-WiFi
/ipv6 dhcp-client
# Requests a /56 prefix from the ISP over the PPPoE interface into v6pool.
add add-default-route=yes interface=Storm-Fiber-35Mbps-25Mbps pool-name=\
    v6pool pool-prefix-length=56 request=prefix
/ipv6 firewall address-list
# The whole bad_ipv6 bogon list is disabled, as are the filter rules using it.
add address=::/128 comment="defconf: unspecified address" disabled=yes list=\
    bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=yes list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=yes list=\
    bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=yes \
    list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=yes list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=yes list=\
    bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=yes list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=yes list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=yes list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# "drop invalid" is disabled in both input and forward chains.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Input side is still closed: LAN here is the plain "LAN" list (bridge only),
# so the hotspot interface is dropped at input over IPv6.
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" disabled=yes src-address-list=\
    bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# NOTE(review): disabled. With this rule off the IPv6 forward chain ends in
# the default accept, so as soon as the LAN IPv6 addresses are enabled,
# anything arriving from WAN is forwarded straight to LAN hosts. Re-enable it
# (and the "drop invalid"/bad_ipv6 rules) before turning IPv6 on. None of the
# IPv6 filter rules in this export reference the hotspot interface, so the
# rules that hold un-authenticated hotspot clients over IPv6 are not included.
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
/ipv6 nd
# RAs on the admin bridge advertise Cloudflare/Google resolvers; RA on the
# hotspot interface is disabled.
set [ find default=yes ] dns=2606:4700:4700::1111,2001:4860:4860::8888 \
    hop-limit=64 interface=bridge
add disabled=yes interface=hotspot mtu=1472
add hop-limit=64 interface=vlan55-IoT-BT-WiFi
/ppp secret
# No password attribute appears for this account (presumably hidden by the
# export - verify, since the L2TP server is enabled).
add name=vpn
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Karachi
/system logging
set 0 topics=info,!wireguard
/system note
set show-at-login=no
/tool mac-server
# MAC-server and MAC-Winbox trust LAN+WLAN; see the note on that list under
# /interface list about what "static" may include.
set allowed-interface-list=LAN+WLAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN+WLAN
/tool sniffer
# Sniffer is preset to capture a single client MAC to a file on the router;
# captures of client traffic are sensitive - make sure it is not left running
# and remove the file when done.
set file-name=Ahsan filter-mac-address=A0:A3:B3:FD:25:08/FF:FF:FF:FF:FF:FF

BUMP