Optimization of rules and resources

Can anyone please help me optimize my router's security rules and resource usage? The configuration of my router is below.

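# 2023-08-19 18:46:42 by RouterOS 7.11
# software id = Y8W5-N
# model = RB750Gr3
# serial number =
#
# Reviewer note: the posted export was forum-rendered -- typographic quotes
# replaced the ASCII ones and the line-continuation backslashes were lost.
# Quotes are restored and wrapped lines re-joined so the file can be
# re-imported. Lines marked "REVIEW:" are the only configuration changes;
# everything else is the original export with explanatory comments.
/interface bridge
add arp=reply-only name=LAN
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
# ether2 / ether3 are the physical uplinks for the two PPPoE clients below;
# the MAC overrides are presumably what the ISPs have registered.
set [ find default-name=ether2 ] mac-address=4C:5E:0C:E7:80:AC
set [ find default-name=ether3 ] mac-address=00:19:66:CA:8B:C7
set [ find default-name=ether4 ] comment=XVR
set [ find default-name=ether5 ] comment=LAN
/interface list
add name=WAN
add name=LAN-LIST
add name=ETH-WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp allow-dual-stack-queue=no bootp-support=none client-mac-limit=50 conflict-detection=no interface=LAN lease-time=1h name=dhcp1
/port
set 0 name=serial0
/interface pppoe-client
# Two uplinks; both use the default-encryption profile. add-default-route is
# not shown, so it is at its default -- the /ip route section relies on that.
add disabled=no interface=ether2 name=Connect-Primary profile=default-encryption user=usnet057
add disabled=no interface=ether3 name=Fariya-Secondary profile=default-encryption user=usnet021
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/system logging action
# Log mail leaves the router over STARTTLS to external mailboxes. The SMTP
# password is not included in an export; keep it out of any paste as well.
add email-start-tls=yes email-to=contactosama@yahoo.com,hina.osama@yahoo.com name=email target=email
/interface bridge port
# bpdu-guard on the two LAN ports shuts a port that sends STP BPDUs.
add bpdu-guard=yes bridge=LAN ingress-filtering=no interface=ether4
add bpdu-guard=yes bridge=LAN ingress-filtering=no interface=ether5
# "*9" is a dangling reference to a bridge that no longer exists. The entry is
# disabled so it is inert, but it can be removed.
add bridge=*9 disabled=yes interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/ip settings
# rp-filter=strict is an anti-spoofing check. With two uplinks it can also
# discard legitimate replies that arrive on the other ISP during failover;
# if that is observed, loose is the usual compromise.
set rp-filter=strict tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface list member
# WAN = the PPPoE (IP-carrying) uplinks; ETH-WAN = their physical ports.
add interface=Connect-Primary list=WAN
add interface=Fariya-Secondary list=WAN
add interface=LAN list=LAN-LIST
add interface=ether4 list=LAN-LIST
add interface=ether5 list=LAN-LIST
add interface=ether2 list=ETH-WAN
add interface=ether3 list=ETH-WAN
/interface ovpn-server server
# REVIEW: md5 is listed as an accepted auth. The server is not enabled in
# this export; if it is ever enabled, remove md5 from the list first.
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
# Disabled: modem management address on ether2 and a spare /29 on the LAN.
add address=192.168.100.2 disabled=yes interface=ether2 network=192.168.100.1
add address=10.10.10.1/29 disabled=yes interface=LAN network=10.10.10.0
/ip cloud
set update-time=no
/ip dhcp-server lease
# block-access=yes leases deny service to these two MACs; the 10.11.12.x
# addresses are outside the LAN subnet, which is consistent with their only
# purpose being to pin the MAC to a blocked entry.
add address=10.11.12.14 block-access=yes client-id=1:c:9d:92:a7:d0:9e mac-address=0C:9D:92:A7:D0:9E server=dhcp1
add address=10.11.12.13 block-access=yes client-id=1:18:3d:a2:72:4f:0 mac-address=18:3D:A2:72:4F:00 server=dhcp1
add address=192.168.1.254 allow-dual-stack-queue=no mac-address=14:91:82:BB:00:74 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# The router resolves for the LAN and forwards over DoH with certificate
# verification. allow-remote-requests is global, so the /ip firewall raw
# drops on port 53 (and the WAN default-drop added below) are what keep this
# from being an open resolver.
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB doh-max-concurrent-queries=2000 doh-max-server-connections=1000 max-concurrent-queries=2500 max-concurrent-tcp-sessions=1500 servers=94.140.14.14,94.140.15.15 use-doh-server=https://dns.adguard-dns.com/dns-query verify-doh-cert=yes
/ip dns static
# Presumably bootstrap entries so the DoH hostname resolves before DoH
# itself is usable.
add address=94.140.14.14 name=dns.adguard.com
add address=94.140.15.15 name=dns.adguard.com
add address=94.140.14.14 name=dns.adguard-dns.com
add address=94.140.15.15 name=dns.adguard-dns.com
/ip firewall filter
# REVIEW: accept return traffic for sessions the router itself opened
# (DoH, NTP, SMTP, netwatch pings) ahead of the WAN default-drop that now
# closes the input chain. Without this rule that drop would break them.
add action=accept chain=input comment="REVIEW: router return traffic" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related disabled=yes hw-offload=yes
# REVIEW: default-deny for unsolicited inbound forwarding. Only new
# connections arriving on an uplink that were not dst-natted are dropped;
# everything the LAN initiates is established/related and unaffected.
add action=drop chain=forward comment="REVIEW: drop new from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Tiktok Rules" content=tiktokv.com disabled=yes
add action=drop chain=forward content=tiktokcdn.com disabled=yes
add action=drop chain=forward content=tiktok disabled=yes
# Management ports (winbox 4444, www-ssl 444) logged and dropped per uplink.
# With the WAN default-drop at the end of the chain these become audit-only
# rules; keeping them preserves the log prefix per interface.
add action=drop chain=input dst-port=4444 in-interface=Connect-Primary log=yes protocol=tcp
add action=drop chain=input dst-port=444 in-interface=Connect-Primary log=yes protocol=tcp
add action=drop chain=input dst-port=4444 in-interface=Fariya-Secondary log=yes protocol=tcp
add action=drop chain=input dst-port=444 in-interface=Fariya-Secondary log=yes protocol=tcp
add action=accept chain=input connection-state=established protocol=icmp
add action=drop chain=input in-interface-list=WAN protocol=icmp
add action=drop chain=input in-interface-list=ETH-WAN protocol=icmp
# REVIEW: close the input chain for the uplinks. As exported, the chain ends
# in the implicit accept, so protection of the router itself depends on each
# service being disabled or individually blocked. Management from the LAN is
# not matched by this rule and is unaffected.
add action=drop chain=input comment="REVIEW: drop everything else from WAN" in-interface-list=WAN
/ip firewall nat
# Leftover from before the PPPoE uplinks; disabled and can be removed.
add action=masquerade chain=srcnat disabled=yes out-interface=ether2
# Forces LAN clients that use plain DNS onto the router's resolver (and thus
# the DoH upstream) regardless of what they have configured.
add action=redirect chain=dstnat dst-port=53 in-interface=LAN protocol=tcp to-addresses=192.168.1.1 to-ports=53
add action=redirect chain=dstnat dst-port=53 in-interface=LAN protocol=udp to-addresses=192.168.1.1 to-ports=53
add action=masquerade chain=srcnat out-interface=Connect-Primary
add action=masquerade chain=srcnat out-interface=Fariya-Secondary
/ip firewall raw
# Drop MikroTik neighbour-discovery (udp/5678) and DNS from both uplinks
# before connection tracking; the DNS drops are what back allow-remote-requests.
add action=drop chain=prerouting dst-port=5678 in-interface=Connect-Primary log=yes log-prefix=NeighbourDiscoveryPackets_Connect-Primary protocol=udp
add action=drop chain=prerouting dst-port=5678 in-interface=Fariya-Secondary log=yes log-prefix=NeighbourDiscoveryPackets_Fariya-Secondary protocol=udp
add action=drop chain=prerouting dst-port=53 in-interface=Connect-Primary protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=Connect-Primary protocol=udp
add action=drop chain=prerouting dst-port=53 in-interface=Fariya-Secondary protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=Fariya-Secondary protocol=udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set pptp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
# Recursive failover: 8.8.4.4/32 is pinned to ISP1's gateway and used both as
# the ISP1 default's gateway and as the netwatch probe target.
add check-gateway=ping disabled=no distance=1 dst-address=8.8.4.4/32 gateway=113.203.205.254 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# NOTE(review): there is no /32 route pinning 4.4.4.4 to the Fariya-Secondary
# uplink, so as exported 4.4.4.4 can only resolve via another default route.
# Unless the PPPoE client installs its own default route, this backup may not
# actually leave via ISP2 -- confirm with "/ip route print detail".
add check-gateway=ping comment=ISP2-Backup disabled=no distance=2 dst-address=0.0.0.0/0 gateway=4.4.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=ISP1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=30
add comment=ECMP disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=4.4.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
# REVIEW: bind the two remaining management services to the LAN subnet as
# defence in depth; the filter rules already drop these ports on both
# uplinks. Add 10.10.10.0/29 here if that LAN address is ever re-enabled.
set www-ssl address=192.168.1.0/24 certificate=root-cert disabled=no port=444
set api disabled=yes
set winbox address=192.168.1.0/24 port=4444
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Asia/Karachi
/system console
# Serial console disabled -- good, the RB750Gr3 has a physical port.
set [ find ] disabled=yes
/system identity
set name="Creative Chameleon"
/system logging
# Default topic sets 1-3 (info/error/warning) plus health and system go out
# by e-mail; expect volume, but nothing sensitive is added here.
set 0 action=disk
set 1 action=email
set 2 action=email
set 3 action=email
add action=email topics=health
add action=email topics=system
add disabled=yes topics=dns
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
add address=time.google.com
/system scheduler
# NOTE(review): every scheduler carries the full policy list, including
# password, sensitive and sniff. A scheduler only needs the policies its
# script actually uses; trim each one to that set (the scripts themselves are
# not part of this export, so the minimal set cannot be stated here).
add disabled=yes interval=1d name=reboot-6am on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2021-08-12 start-time=06:00:00
# Backups are mailed out daily via the /tool e-mail account below.
add interval=1d name="scheduler to send backup on email" on-event="/system script run Automated-Backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2022-05-03 start-time=06:00:00
# Disabled; the script name contains spaces, so the on-event as shown would
# need the name quoted to run -- presumably lost in the forum rendering.
add disabled=yes interval=1d name="fariya card check" on-event="/system script run Script to check fariya Card" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-05-09 start-time=00:10:00
/tool bandwidth-server
set enabled=no
/tool e-mail
# Implicit TLS on 465; the password is not part of an export.
set address=smtp.stackmail.com from=mikrotik@mikrocyber.org port=465 tls=yes user=mikrotik@mikrocyber.org
/tool graphing
set store-every=hour
/tool graphing interface
add interface=Connect-Primary
add interface=Fariya-Secondary
add interface=LAN
/tool mac-server
# Layer-2 management (MAC-telnet / MAC-winbox) limited to LAN-side ports.
set allowed-interface-list=LAN-LIST
/tool mac-server mac-winbox
set allowed-interface-list=LAN-LIST
/tool mac-server ping
set enabled=no
/tool netwatch
# Probes ISP1's path (8.8.4.4 via the pinned /32) and toggles the ISP1
# default route on loss, letting the distance-2 backup take over.
add comment=ISP1 disabled=no down-script="/ip route disable [find comment=ISP1]" host=8.8.4.4 http-codes="" interval=10s packet-count=1 test-script="" timeout=1s type=icmp up-script="/ip route enable [find comment=ISP1]"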