Hello everyone,
I’m currently working on improving the configuration of my MikroTik L009. Below, I’m sharing the current setup (see config at the end of this post) and I would really appreciate any advice or suggestions – especially regarding the firewall setup and PPPoE behavior.
An experienced user already gave me a few pointers, but didn’t provide step-by-step guidance. Here’s a summary of the feedback I received:
• I’m using a PPPoE client but then assigning a public IP manually to the WAN interface – I was told this IP should be dynamically provided by the ISP via PPPoE.
• Firewall should be reviewed:
– Use /interface/list
– Default chains are set to accept, so I should add drop rules at the end
– dst-nat rules should go in the “forward” chain, not “input”
– Use /ip/firewall/address-list for handling src-address and dst-address
– Disable unused services in /ip/services (e.g. ftp, api, etc.)
– Enable NTP client or /ip/cloud to set time
– Create a new full-access user for LAN and disable the default “admin” user
Here are my main questions:
- What is the correct way to let the PPPoE client automatically receive the public IP from my provider?
- Could someone help me write a proper and secure base firewall configuration (following MikroTik best practices)?
- Are there any clear security flaws in my current setup?
- Is there anything else you would recommend improving?
Current configuration:
# 1970-01-02 05:52:52 by RouterOS 7.16.1
# software id = UH7J-1EMC
# model = L009UiGS
# serial number = HGA09RDSHDJ
/interface bridge
add name=LAN-BRIDGE
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=WAN use-peer-dns=yes user=r000004249@rsdh.intred.it
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_poolrange ranges=10.0.0.100-10.0.0.199
/port
set 0 name=serial0
/interface bridge port
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
/ip address
add address=10.0.0.69/24 interface=LAN-BRIDGE network=10.0.0.0
add address=31.171.138.195 comment="IP Pubblico Intred" interface=WAN network=31.171.138.195
/ip dhcp-server
add address-pool=dhcp_poolrange interface=LAN-BRIDGE lease-time=2h name=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.69
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter (add your current filter rules here...)
/ip firewall nat (add your current NAT rules here...)
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
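Added example, not the poster's export and not the configuration the other user wrote: a RouterOS 7 base script that applies each point of the feedback summarised in the post (dynamic PPPoE address, interface lists, explicit drop rules at the end of both chains, the dst-nat accept in the forward chain, address lists, disabled services, NTP, a replacement full-access user) to the names that appear in the export above (ether1, WAN, LAN-BRIDGE, 10.0.0.0/24). The list names WAN-LIST, LAN-LIST, LAN-NETS and BOGONS, the user name netadmin, the port-forward host 10.0.0.10 and every password are assumed placeholders.

```routeros
# Added example for RouterOS 7 (not the poster's config). Names marked
# "assumed" are placeholders; ether1, WAN, LAN-BRIDGE and 10.0.0.0/24
# come from the posted export.

# 1. PPPoE: the ISP hands the public address to the WAN interface when the
#    session comes up, so the static /ip address on WAN must go. The client
#    in the export already has add-default-route=yes and use-peer-dns=yes.
/ip address
remove [ find interface=WAN ]
/interface pppoe-client
set [ find name=WAN ] add-default-route=yes use-peer-dns=yes password="PLACEHOLDER-PPPOE-PASSWORD"

# 2. Interface lists (assumed names): rules match lists, not single ports.
/interface list
add name=WAN-LIST
add name=LAN-LIST
/interface list member
add list=WAN-LIST interface=WAN
add list=LAN-LIST interface=LAN-BRIDGE

# 3. Address lists (assumed names) used for src/dst matching below.
/ip firewall address-list
add list=LAN-NETS address=10.0.0.0/24 comment="LAN from the export"
add list=BOGONS address=10.0.0.0/8 comment="private/reserved ranges never valid as a WAN source"
add list=BOGONS address=172.16.0.0/12
add list=BOGONS address=192.168.0.0/16
add list=BOGONS address=127.0.0.0/8
add list=BOGONS address=169.254.0.0/16

# 4. Filter: the last rule of each chain is an explicit drop, so the
#    built-in accept policy no longer decides anything.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="input: keep existing sessions"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=input action=accept protocol=icmp comment="input: ICMP for ping and PMTU discovery"
add chain=input action=accept in-interface-list=LAN-LIST src-address-list=LAN-NETS comment="input: management and DNS from LAN only"
add chain=input action=drop in-interface-list=WAN-LIST src-address-list=BOGONS comment="input: spoofed private sources on WAN"
add chain=input action=drop comment="input: drop everything else (also closes the open resolver left by allow-remote-requests=yes)"
add chain=forward action=fasttrack-connection connection-state=established,related comment="forward: fasttrack established"
add chain=forward action=accept connection-state=established,related,untracked comment="forward: keep existing sessions"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=accept in-interface-list=LAN-LIST src-address-list=LAN-NETS comment="forward: LAN to anywhere"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN-LIST comment="forward: only port-forwarded (dst-nat) traffic may enter from WAN"
add chain=forward action=drop comment="forward: drop everything else"

# 5. NAT: masquerade because the PPPoE address is dynamic. The dstnat rule
#    is an assumed example; the forward rule above is what admits it.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN-LIST comment="LAN behind the PPPoE address"
add chain=dstnat action=dst-nat in-interface-list=WAN-LIST protocol=tcp dst-port=8443 to-addresses=10.0.0.10 to-ports=443 comment="assumed example forward to an internal host"

# 6. Services: disable what is unused, bind the rest to the LAN range.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=10.0.0.0/24
set winbox address=10.0.0.0/24

# 7. Time: NTP client so logs and certificates carry a real date
#    (the export header still shows 1970).
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org

# 8. Replacement full-access user (assumed name), reachable from LAN only;
#    log in as this user and confirm it works before disabling admin.
/user
add name=netadmin group=full password="PLACEHOLDER-STRONG-PASSWORD" address=10.0.0.0/24 comment="assumed admin replacement"
set admin disabled=yes
```

Apply it in the numbered order from a LAN-side session, and keep that session open until a second login as the new user succeeds: section 1 drops the WAN address before the PPPoE session is re-checked, and section 8 disables the only other account. The bogon and LAN-NETS lists show the address-list pattern from the feedback; any other ranges you want to match in src-address or dst-address go into the same lists rather than into individual rules.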