Please check my Config

SSuzaku · August 9, 2024, 4:11am

hello everyone, i’m a beginner with mikrotik. can anyone check my config to make sure it is secure enough? there’s no problem on the config tested it. just need to know if it is good enough for production

# 2024-08-09 10:51:46 by RouterOS 7.15.3
# software id = GJNT-D4PZ
#
# model = L009UiGS-2HaxD
# serial number = ***
/interface bridge
add name=br-local port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-biznet
set [ find default-name=ether2 ] name=ether2-indibiz
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-Mikrotik-Griya
/interface list
add name=WAN1
add name=LAN
add name=WAN2
/interface wifi channel
add frequency=2412,2432,2472 name=ch-2ghz width=20mhz
/interface wifi security
add authentication-types=wpa-psk disabled=no name=Default
/interface wifi
set [ find default-name=wifi1 ] channel=ch-2ghz channel.band=2ghz-ax \
    .frequency=2412 .skip-dfs-channels=disabled .width=20/40mhz \
    configuration.country=Indonesia .mode=ap .ssid=Mikrotik datapath.bridge=\
    br-local disabled=no name=Mikrotik security=Default \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc name=IKEV2 \
    pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.10.50-192.168.10.125
add name="wireless pool" ranges=192.168.11.2-192.168.11.50
/ip dhcp-server
add address-pool=pool1 interface=br-local lease-time=4w2d name=dhcp1
/port
set 0 name=serial0
/queue type
add cake-ack-filter=filter cake-flowmode=dual-srchost cake-mpu=64 cake-nat=\
    yes cake-overhead=18 cake-overhead-scheme=docsis kind=cake name=cake-up
add cake-diffserv=besteffort cake-flowmode=dual-dsthost cake-mpu=64 \
    cake-overhead=18 cake-overhead-scheme=docsis kind=cake name=cake-down
add fq-codel-limit=1000 fq-codel-quantum=300 fq-codel-target=12ms kind=\
    fq-codel name=fq-codel
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=yes allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=<edit>
/container config
set registry-url=https://ghcr.io tmpdir=disk1/pull
/ip smb
set enabled=no
/interface bridge port
add bridge=br-local interface=ether3 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether4 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether5 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether6 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether7 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether8 internal-path-cost=10 path-cost=10
add bridge=*1B interface=*1A
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=ether1-biznet list=WAN1
add interface=ether2-indibiz list=WAN2
add interface=br-local list=LAN
/interface wireguard peers
add allowed-address=\
    192.168.32.3/32,192.168.10.0/24,192.168.168.0/24,10.0.0.0/24 \
    client-address=192.168.32.3/32 client-dns=9.9.9.9 client-endpoint=\
    <server1>.sn.mynetname.net comment=ZFOLD5 interface=WG-Mikrotik-Griya \
    is-responder=yes name=Zfold5 persistent-keepalive=25s public-key=\
    "***"
add allowed-address=192.168.32.5/32,192.168.10.0/24 client-address=\
    192.168.32.5/32 client-dns=9.9.9.9 client-endpoint=\
    <server2>.sn.mynetname.net comment=BTSSOFT interface=WG-Mikrotik-Griya \
    is-responder=yes name=Wendra persistent-keepalive=25s private-key=\
    "***" public-key=\
    "***"
add allowed-address=192.168.32.2/32,192.168.168.0/24 client-address=\
    192.168.32.2/32 client-dns=9.9.9.9 client-endpoint=\
    <server3>.sn.mynetname.net client-keepalive=15s comment="To WG Home" \
    endpoint-address=ec190fb08140.sn.mynetname.net endpoint-port=13231 \
    interface=WG-Mikrotik-Griya is-responder=yes name=Home public-key=\
    "***"
/ip address
add address=192.168.10.1/24 comment="To Local Lan" interface=br-local \
    network=192.168.10.0
add address=192.168.2.2/24 comment="Indibiz KONEKSI UTAMA LAN2" interface=\
    ether2-indibiz network=192.168.2.0
add address=192.168.1.3/24 comment="Biznet KONEKSI CADANGAN LAN1" interface=\
    ether1-biznet network=192.168.1.0
add address=192.168.32.1/24 comment=WIREGUARD interface=WG-Mikrotik-Griya \
    network=192.168.32.0
add address=172.17.0.1/16 interface=*1B network=172.17.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.10.99 comment=Server-LAN1 mac-address=D8:BB:C1:54:21:ED
add address=192.168.10.100 comment=Server-LAN2 mac-address=F0:A7:31:D6:C1:41
add address=192.168.10.124 client-id=1:4c:bd:8f:9a:13:63 comment=\
    "Hikvision CCTV" mac-address=4C:BD:8F:9A:13:63 server=dhcp1
add address=192.168.10.101 comment=Eric mac-address=F0:BF:97:14:43:E5
add address=192.168.10.111 comment=ServerKasir mac-address=D8:5E:D3:31:81:D8
add address=192.168.10.84 client-id=1:0:e:53:2e:21:75 comment="CCTV AVTECH" \
    mac-address=00:0E:53:2E:21:75 server=dhcp1
add address=192.168.10.83 client-id=1:0:e:53:2f:a5:f3 comment="CCTV AVTECH" \
    mac-address=00:0E:53:2F:A5:F3 server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes cache-size=50000KiB doh-max-concurrent-queries=\
    100 doh-max-server-connections=20 max-concurrent-queries=250 \
    max-concurrent-tcp-sessions=50 servers=9.9.9.9 use-doh-server=\
    https://dns.google/dns-query verify-doh-cert=yes
/ip firewall filter
add action=accept chain=forward comment="Zerotier PASS" in-interface=\
    zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment="Accept WireGuard Traffic" dst-port=\
    13231 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Block Traffic From Non Custom Port" \
    src-address-list=block
add action=drop chain=forward src-address-list=block
add action=add-src-to-address-list address-list=block address-list-timeout=\
    17w1d chain=input comment="TRAP TELNET" dst-port=23 protocol=tcp
add action=add-src-to-address-list address-list=block address-list-timeout=\
    17w1d chain=input comment="TRAP FTP" dst-port=21 protocol=tcp
add action=add-dst-to-address-list address-list=block address-list-timeout=\
    none-dynamic chain=input comment="TRAP MSSQL" dst-port=1443,28900 \
    protocol=tcp
add action=add-dst-to-address-list address-list=block address-list-timeout=\
    none-dynamic chain=input comment="TRAP L2TP traffic" dst-port=\
    500,1701,4500 protocol=tcp
add action=drop chain=output comment="Test Failover" disabled=yes \
    dst-address=1.1.1.1 protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
/ip firewall nat
add action=accept chain=input comment="ZT ACCEPT 9993" protocol=udp src-port=\
    9993
add action=masquerade chain=srcnat out-interface=zerotier1
add action=accept chain=srcnat out-interface=WG-Mikrotik-Griya
add action=masquerade chain=srcnat comment="To internet LAN1"
add action=dst-nat chain=dstnat comment="WG To VNC" dst-port=6201 \
    in-interface=WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.100 \
    to-ports=6201
add action=dst-nat chain=dstnat comment="WG To CCTV Hikvison" dst-port=5053 \
    in-interface=WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.124 \
    to-ports=5053
add action=dst-nat chain=dstnat comment="WG > CCTV AVTECH" dst-port=5051 \
    in-interface=WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.83 \
    to-ports=5051
add action=dst-nat chain=dstnat dst-port=5052 in-interface=WG-Mikrotik-Griya \
    protocol=tcp to-addresses=192.168.10.84 to-ports=5052
add action=dst-nat chain=dstnat comment="ZT To VNC" dst-port=6201 \
    in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.100 to-ports=\
    6201
add action=dst-nat chain=dstnat comment="CCTV Hikvison" dst-port=5053 \
    in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.124 to-ports=\
    5053
add action=dst-nat chain=dstnat comment="CCTV AVTECH" dst-port=5051 \
    in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.83 to-ports=\
    5051
add action=dst-nat chain=dstnat dst-port=5052 in-interface=zerotier1 \
    protocol=tcp to-addresses=192.168.10.84 to-ports=5052
add action=dst-nat chain=dstnat comment=MSSQL dst-port=28900 in-interface=\
    zerotier1 protocol=tcp to-addresses=192.168.10.100 to-ports=28900
add action=dst-nat chain=dstnat comment=MSSQL dst-port=28900 in-interface=\
    WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.100 to-ports=28900
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
# Peer does not exist
add disabled=yes peer=*1
/ip ipsec policy
add disabled=yes dst-address=10.10.20.0/24 peer=*1 proposal=IKEV2 \
    src-address=10.10.10.0/24 tunnel=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=zerotier1 type=external
/ip route
add comment=Indibiz disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.2.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=Biznet disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-table=main scope=31 suppress-hw-offload=no \
    target-scope=11
add comment="Connection to MK2" disabled=no distance=1 dst-address=\
    192.168.4.0/24 gateway=192.168.10.78 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Route to Home LAN by ZT" disabled=no distance=1 dst-address=\
    192.168.168.0/24 gateway=10.147.20.2 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Route to Home LAN By WireGuard" disabled=no distance=1 \
    dst-address=192.168.168.0/24 gateway=192.168.32.2 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=zerotier1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall nat
add action=accept chain=input protocol=udp src-port=9993
add action=masquerade chain=srcnat out-interface=zerotier1
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=MandiriTik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.10.1 enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add interval=2m name=ScheduleWGToggle on-event=\
    "/system script run ToggleWGPeer" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-07-29 start-time=15:50:00
add interval=1m name="Update DDNS" on-event=\
    "/system script run test\r\
    \n/system script run ForceUpdateddns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-07-31 start-time=21:26:44
/system script
add dont-require-permissions=no name=ToggleWGPeer owner=TommyKing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local wgcheckip 192.168.32.1\r\
    \n:local endpointip <server1>.sn.mynetname.net\r\
    \n#:log info \"wg check-ip \$wgcheckip \"\r\
    \n:if ([/ping \$wgcheckip interval=1 count=5] =0) do={\r\
    \n  :log info \"WG down \$wgcheckip\"\r\
    \n  /interface/wireguard/peers/disable [find endpoint-address=\$endpointip\
    ];\r\
    \n  :delay 60\r\
    \n  /interface/wireguard/peers/enable [find endpoint-address=\$endpointip]\
    ;\r\
    \n  :log info \"WG up again \$wgcheckip\"\r\
    \n}"
add dont-require-permissions=no name=ForceUpdateddns owner=TommyKing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip cloud force-update"
add dont-require-permissions=no name=test owner=TommyKing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    get current external IP\r\
    \n:global currentIP [:resolve *.sn.mynetname.net server=208.67.2\
    22.222];\r\
    \n:global resolvedIP;\r\
    \n\r\
    \n# Determine if DNS update is needed\r\
    \n:if (\$currentIP != \$resolvedIP) do={\r\
    \n:log info (\"Mynetname update needed: Current-IP: \$currentIP Resolved-I\
    P: \$resolvedIP\")\r\
    \n/ip cloud force-update\r\
    \n:global resolvedIP [:resolve *.sn.mynetname.net server=208.67.\
    222.222];\r\
    \n} else={\r\
    \n:log info (\"Mynetname: No update needed (\$currentIP=\$resolvedIP)\")\r\
    \n}"
/tool bandwidth-server
set enabled=no
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script=\
    "/ip route disable [find comment=\"Indibiz\"]\r\
    \n" host=1.1.1.1 http-codes="" interval=5s name=test1 test-script="" \
    type=icmp up-script="/ip route enable [find comment=\"Indibiz\"]"

holvoetn · August 9, 2024, 5:45am

Quick comments:

change WG port. This is the default from Help pages. Not that it will cause any trouble for anyone not knowing public key but better use 2 locks on the door then 1.
why the long lease times on DHCP server ? Just wondering.
Your ZT network ID is exposed in the export. I removed it from config export (better: change it !)
you have an unused/invalid bridge port entry. Clean up.
add bridge=*1B interface=*1A
your WG endpoint URLs were visible in export. I removed them from config export (also in script).
In the context of “allow what’s allowed, drop all the rest”, adding addresses to address list for external parties trying to access your device via certain ports is waste of resources. If’ it’s not allowed, it get’s dropped and be done with it.
not existing peer in IPSEC part (identity, policy, …). Cleanup.

Personally I would reorder firewall rules so input stays with input and forward with forward.
Much easier to see then what’s happening where.
Unless you really have a reason to put certain rules above others ? Performance (rules are evaluated top to bottom so rules used more then others can be placed higher while still observing logical sequence) ?

SSuzaku · August 9, 2024, 6:31am

Quick comments:

change WG port. This is the default from Help pages. Not that it will cause any trouble for anyone not knowing public key but better use 2 locks on the door then 1.

why the long lease times on DHCP server ? Just wondering.

Your ZT network ID is exposed in the export. I removed it from config export (better: change it !)

you have an unused/invalid bridge port entry. Clean up.
add bridge=*1B interface=*1A

your WG endpoint URLs were visible in export. I removed them from config export (also in script).

In the context of “allow what’s allowed, drop all the rest”, adding addresses to address list for external parties trying to access your device via certain ports is waste of resources. If’ it’s not allowed, it get’s dropped and be done with it.

not existing peer in IPSEC part (identity, policy, …). Cleanup.

Personally I would reorder firewall rules so input stays with input and forward with forward.
Much easier to see then what’s happening where.
Unless you really have a reason to put certain rules above others ? Performance (rules are evaluated top to bottom so rules used more then others can be placed higher while still observing logical sequence) ?

Thank You,

WG port Changed
Changed to 1h. I just test it, because i got some dhcp issue when i did it earlier.
Changed it. Thank you for removing it.
cleaned up
5 thank you one more time.
so i just disable the block traffic from ports, as it automatically gets dropped?
yeah i configured it in order of testing , i will reorder it again,

# 2024-08-09 13:59:21 by RouterOS 7.15.3
# software id = GJNT-D4PZ
#
# model = L009UiGS-2HaxD
# serial number = ***
/interface bridge
add name=br-local port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-biznet
set [ find default-name=ether2 ] name=ether2-indibiz
/interface wireguard
add listen-port=50535 mtu=1420 name=WG-Mikrotik-Griya
/interface list
add name=WAN1
add name=LAN
add name=WAN2
/interface wifi channel
add frequency=2412,2432,2472 name=ch-2ghz width=20mhz
/interface wifi security
add authentication-types=wpa-psk disabled=no name=Default
/interface wifi
set [ find default-name=wifi1 ] channel=ch-2ghz channel.band=2ghz-ax \
    .frequency=2412 .skip-dfs-channels=disabled .width=20/40mhz \
    configuration.country=Indonesia .mode=ap .ssid=Mikrotik datapath.bridge=\
    br-local disabled=no name=Mikrotik security=Default \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=pool1 ranges=192.168.10.50-192.168.10.125
add name="wireless pool" ranges=192.168.11.2-192.168.11.50
/ip dhcp-server
add address-pool=pool1 interface=br-local lease-time=1h name=dhcp1
/port
set 0 name=serial0
/queue type
add cake-ack-filter=filter cake-flowmode=dual-srchost cake-mpu=64 cake-nat=\
    yes cake-overhead=18 cake-overhead-scheme=docsis kind=cake name=cake-up
add cake-diffserv=besteffort cake-flowmode=dual-dsthost cake-mpu=64 \
    cake-overhead=18 cake-overhead-scheme=docsis kind=cake name=cake-down
add fq-codel-limit=1000 fq-codel-quantum=300 fq-codel-target=12ms kind=\
    fq-codel name=fq-codel
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=yes allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=***
/container config
set registry-url=https://ghcr.io tmpdir=disk1/pull
/ip smb
set enabled=no
/interface bridge port
add bridge=br-local interface=ether3 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether4 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether5 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether6 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether7 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=ether1-biznet list=WAN1
add interface=ether2-indibiz list=WAN2
add interface=br-local list=LAN
/interface wireguard peers
add allowed-address=\
    192.168.32.3/32,192.168.10.0/24,192.168.168.0/24,10.0.0.0/24 \
    client-address=192.168.32.3/32 client-dns=9.9.9.9 client-endpoint=\
    ***.sn.mynetname.net comment=ZFOLD5 interface=WG-Mikrotik-Griya \
    is-responder=yes name=Zfold5 persistent-keepalive=25s public-key=\
    "***"
add allowed-address=192.168.32.5/32,192.168.10.0/24 client-address=\
    192.168.32.5/32 client-dns=9.9.9.9 client-endpoint=\
    ***.sn.mynetname.net comment=BTSSOFT interface=WG-Mikrotik-Griya \
    is-responder=yes name=Wendra persistent-keepalive=25s private-key=\
    "****" public-key=\
    "***"
add allowed-address=192.168.32.2/32,192.168.168.0/24 client-address=\
    192.168.32.2/32 client-dns=9.9.9.9 client-endpoint=\
    ***.sn.mynetname.net client-keepalive=15s comment="To WG Home" \
    endpoint-address=***.sn.mynetname.net endpoint-port=50535 \
    interface=WG-Mikrotik-Griya is-responder=yes name=Home public-key=\
    "***"
/ip address
add address=192.168.10.1/24 comment="To Local Lan" interface=br-local \
    network=192.168.10.0
add address=192.168.2.2/24 comment="Indibiz KONEKSI UTAMA LAN2" interface=\
    ether2-indibiz network=192.168.2.0
add address=192.168.1.3/24 comment="Biznet KONEKSI CADANGAN LAN1" interface=\
    ether1-biznet network=192.168.1.0
add address=192.168.32.1/24 comment=WIREGUARD interface=WG-Mikrotik-Griya \
    network=192.168.32.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.10.99 comment=Server-LAN1 mac-address=D8:BB:C1:54:21:ED
add address=192.168.10.100 comment=Server-LAN2 mac-address=F0:A7:31:D6:C1:41
add address=192.168.10.124 client-id=1:4c:bd:8f:9a:13:63 comment=\
    "Hikvision CCTV" mac-address=4C:BD:8F:9A:13:63 server=dhcp1
add address=192.168.10.101 comment=Eric mac-address=F0:BF:97:14:43:E5
add address=192.168.10.111 comment=ServerKasir mac-address=D8:5E:D3:31:81:D8
add address=192.168.10.84 client-id=1:0:e:53:2e:21:75 comment="CCTV AVTECH" \
    mac-address=00:0E:53:2E:21:75 server=dhcp1
add address=192.168.10.83 client-id=1:0:e:53:2f:a5:f3 comment="CCTV AVTECH" \
    mac-address=00:0E:53:2F:A5:F3 server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes cache-size=50000KiB doh-max-concurrent-queries=\
    100 doh-max-server-connections=20 max-concurrent-queries=250 \
    max-concurrent-tcp-sessions=50 servers=9.9.9.9 use-doh-server=\
    https://dns.google/dns-query verify-doh-cert=yes
	
/ip firewall filter
add action=accept chain=input in-interface=zerotier1
add action=accept chain=forward comment="Zerotier PASS" in-interface=\
    zerotier1
add action=accept chain=input comment="Accept WireGuard Traffic" dst-port=\
    50535 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
	add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
/ip firewall nat
add action=accept chain=input comment="ZT ACCEPT 9993" protocol=udp src-port=\
    9993
add action=accept chain=srcnat out-interface=WG-Mikrotik-Griya
add action=masquerade chain=srcnat out-interface=zerotier1
add action=masquerade chain=srcnat comment="To internet LAN1"
add action=dst-nat chain=dstnat comment="WG To VNC" dst-port=6201 \
    in-interface=WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.100 \
    to-ports=6201
add action=dst-nat chain=dstnat comment="WG To CCTV Hikvison" dst-port=5053 \
    in-interface=WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.124 \
    to-ports=5053
add action=dst-nat chain=dstnat comment="WG > CCTV AVTECH" dst-port=5051 \
    in-interface=WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.83 \
    to-ports=5051
add action=dst-nat chain=dstnat dst-port=5052 in-interface=WG-Mikrotik-Griya \
    protocol=tcp to-addresses=192.168.10.84 to-ports=5052
add action=dst-nat chain=dstnat comment="ZT To VNC" dst-port=6201 \
    in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.100 to-ports=\
    6201
add action=dst-nat chain=dstnat comment="CCTV Hikvison" dst-port=5053 \
    in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.124 to-ports=\
    5053
add action=dst-nat chain=dstnat comment="CCTV AVTECH" dst-port=5051 \
    in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.83 to-ports=\
    5051
add action=dst-nat chain=dstnat dst-port=5052 in-interface=zerotier1 \
    protocol=tcp to-addresses=192.168.10.84 to-ports=5052
add action=dst-nat chain=dstnat comment=MSSQL dst-port=28900 in-interface=\
    zerotier1 protocol=tcp to-addresses=192.168.10.100 to-ports=28900
add action=dst-nat chain=dstnat comment=MSSQL dst-port=28900 in-interface=\
    WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.100 to-ports=28900
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=zerotier1 type=external
/ip route
add comment=Indibiz disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.2.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=Biznet disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-table=main scope=31 suppress-hw-offload=no \
    target-scope=11
add comment="Connection to MK2" disabled=no distance=1 dst-address=\
    192.168.4.0/24 gateway=192.168.10.78 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Route to Home LAN By WireGuard" disabled=no distance=1 \
    dst-address=192.168.168.0/24 gateway=192.168.32.2 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=zerotier1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall nat
add action=accept chain=input protocol=udp src-port=9993
add action=masquerade chain=srcnat out-interface=zerotier1
/ppp l2tp-secret
add
/ppp profile
add dns-server=8.8.8.8 local-address=*3 name=L2tp-profile remote-address=*3
/ppp secret
add name=Tommy profile=L2tp-profile service=l2tp
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=MandiriTik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.10.1 enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add interval=2m name=ScheduleWGToggle on-event=\
    "/system script run ToggleWGPeer" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-07-29 start-time=15:50:00
add interval=1m name="Update DDNS" on-event=\
    "/system script run test\r\
    \n/system script run ForceUpdateddns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-07-31 start-time=21:26:44
/system script
add dont-require-permissions=no name=ToggleWGPeer owner=TommyKing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local wgcheckip 192.168.32.1\r\
    \n:local endpointip ***.sn.mynetname.net\r\
    \n#:log info \"wg check-ip \$wgcheckip \"\r\
    \n:if ([/ping \$wgcheckip interval=1 count=5] =0) do={\r\
    \n  :log info \"WG down \$wgcheckip\"\r\
    \n  /interface/wireguard/peers/disable [find endpoint-address=\$endpointip\
    ];\r\
    \n  :delay 60\r\
    \n  /interface/wireguard/peers/enable [find endpoint-address=\$endpointip]\
    ;\r\
    \n  :log info \"WG up again \$wgcheckip\"\r\
    \n}"
add dont-require-permissions=no name=ForceUpdateddns owner=TommyKing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip cloud force-update"
add dont-require-permissions=no name=test owner=TommyKing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    get current external IP\r\
    \n:global currentIP [:resolve ***.sn.mynetname.net server=208.67.2\
    22.222];\r\
    \n:global resolvedIP;\r\
    \n\r\
    \n# Determine if DNS update is needed\r\
    \n:if (\$currentIP != \$resolvedIP) do={\r\
    \n:log info (\"Mynetname update needed: Current-IP: \$currentIP Resolved-I\
    P: \$resolvedIP\")\r\
    \n/ip cloud force-update\r\
    \n:global resolvedIP [:resolve ***.sn.mynetname.net server=208.67.\
    222.222];\r\
    \n} else={\r\
    \n:log info (\"Mynetname: No update needed (\$currentIP=\$resolvedIP)\")\r\
    \n}"
/tool bandwidth-server
set enabled=no
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script=\
    "/ip route disable [find comment=\"Indibiz\"]\r\
    \n" host=1.1.1.1 http-codes="" interval=5s name=test1 test-script="" \
    type=icmp up-script="/ip route enable [find comment=\"Indibiz\"]"

holvoetn · August 9, 2024, 7:16am

If it’s not allowed, it should be dropped anyhow.
You can speed up some things by using explicit drop statements in raw filter rules (those are the very first to be evaluated and are much faster) but personally I wouldn’t bother.

But looking closely at it, I seem to miss a final drop rule in input chain ?
Equally so on forward chain.
See why I made that comment on ordering rules ?

You may want to look at default firewall rules. It’s pretty good out of the box.
https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall
(it seems they removed the basic firewall page on Help pages ?)
Don’t bother too much with the address lists nor IP6 part.

Base part e.g. for input where everything needs to be build around then:

/ip firewall filter
  add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
  add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
  add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

That last line is the catch-all. Everything which is not allowed before coming from outside LAN, gets dropped.
Make sure to add your VPN interfaces as accept where appropriate before that drop rule.

Same strategy to be applied for forward.

Worst case, make a backup, reset your device to default and see how firewall is build.
Export that config for reference.
You can always restore your backup then so all your config comes back.

I re-ordered your rules so you can see it how it is now.

/ip firewall filter
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment="Accept WireGuard Traffic" dst-port=\
    13231 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Block Traffic From Non Custom Port" \
    src-address-list=block
	
	WHERE IS DROP ALL THE REST RULE ?
	

add action=accept chain=forward comment="Zerotier PASS" in-interface=\
    zerotier1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward src-address-list=block
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes

	
	WHERE IS DROP ALL THE REST RULE ?
	

add action=add-src-to-address-list address-list=block address-list-timeout=\
    17w1d chain=input comment="TRAP TELNET" dst-port=23 protocol=tcp
add action=add-src-to-address-list address-list=block address-list-timeout=\
    17w1d chain=input comment="TRAP FTP" dst-port=21 protocol=tcp
add action=add-dst-to-address-list address-list=block address-list-timeout=\
    none-dynamic chain=input comment="TRAP MSSQL" dst-port=1443,28900 \
    protocol=tcp
add action=add-dst-to-address-list address-list=block address-list-timeout=\
    none-dynamic chain=input comment="TRAP L2TP traffic" dst-port=\
    500,1701,4500 protocol=tcp

add action=drop chain=output comment="Test Failover" disabled=yes \
    dst-address=1.1.1.1 protocol=icmp

SSuzaku · August 9, 2024, 10:18am

so i just disable the block traffic from ports, as it automatically gets dropped?

If it’s not allowed, it should be dropped anyhow.
You can speed up some things by using explicit drop statements in raw filter rules (those are the very first to be evaluated and are much faster) but personally I wouldn’t bother.

But looking closely at it, I seem to miss a final drop rule in input chain ?
Equally so on forward chain.
See why I made that comment on ordering rules ?

You may want to look at default firewall rules. It’s pretty good out of the box.
https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall
(it seems they removed the basic firewall page on Help pages ?)
Don’t bother too much with the address lists nor IP6 part.

Base part e.g. for input where everything needs to be build around then:
/ip firewall filter
  add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
  add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
  add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
That last line is the catch-all. Everything which is not allowed before coming from outside LAN, gets dropped.
Make sure to add your VPN interfaces as accept where appropriate before that drop rule.

Same strategy to be applied for forward.

Worst case, make a backup, reset your device to default and see how firewall is build.
Export that config for reference.
You can always restore your backup then so all your config comes back.

I re-ordered your rules so you can see it how it is now.
/ip firewall filter
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment="Accept WireGuard Traffic" dst-port=\
    13231 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Block Traffic From Non Custom Port" \
    src-address-list=block
	
	WHERE IS DROP ALL THE REST RULE ?
	

add action=accept chain=forward comment="Zerotier PASS" in-interface=\
    zerotier1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward src-address-list=block
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes

	
	WHERE IS DROP ALL THE REST RULE ?
	

add action=add-src-to-address-list address-list=block address-list-timeout=\
    17w1d chain=input comment="TRAP TELNET" dst-port=23 protocol=tcp
add action=add-src-to-address-list address-list=block address-list-timeout=\
    17w1d chain=input comment="TRAP FTP" dst-port=21 protocol=tcp
add action=add-dst-to-address-list address-list=block address-list-timeout=\
    none-dynamic chain=input comment="TRAP MSSQL" dst-port=1443,28900 \
    protocol=tcp
add action=add-dst-to-address-list address-list=block address-list-timeout=\
    none-dynamic chain=input comment="TRAP L2TP traffic" dst-port=\
    500,1701,4500 protocol=tcp

add action=drop chain=output comment="Test Failover" disabled=yes \
    dst-address=1.1.1.1 protocol=icmp

ah this rule

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

i put it in the first time i configure the mikrotik, but my wireguard connection can’t go in, when it is active that is why i delete it.. any idea why this rules broke wireguard on connecting to Winbox? if i disable it. wireguard can connect. ZT is fine

holvoetn · August 9, 2024, 10:34am

Because your wireguard interface is not accepted. Simple.

2 options:

add a specific rule to accept input via wireguard as interface
or
add wireguard to LAN interface list (most will do this since wireguard is VPN and conceptually, VPN should be the same trust level as LAN).

SSuzaku · August 9, 2024, 10:45am

thank you. it works

# 2024-08-09 17:40:43 by RouterOS 7.15.3
# software id = GJNT-D4PZ
#
# model = L009UiGS-2HaxD
# serial number = ***
/interface bridge
add name=br-local port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-biznet
set [ find default-name=ether2 ] name=ether2-indibiz
/interface wireguard
add listen-port=50535 mtu=1420 name=WG-Mikrotik-Griya
/interface list
add name=WAN1
add name=LAN
add name=WAN2
/interface wifi channel
add frequency=2412,2432,2472 name=ch-2ghz width=20mhz
/interface wifi security
add authentication-types=wpa-psk disabled=no name=Default
/interface wifi
set [ find default-name=wifi1 ] channel=ch-2ghz channel.band=2ghz-ax \
    .frequency=2412 .skip-dfs-channels=disabled .width=20/40mhz \
    configuration.country=Indonesia .mode=ap .ssid=Mikrotik datapath.bridge=\
    br-local disabled=no name=Mikrotik security=Default \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=pool1 ranges=192.168.10.50-192.168.10.125
add name="wireless pool" ranges=192.168.11.2-192.168.11.50
/ip dhcp-server
add address-pool=pool1 interface=br-local lease-time=1h name=dhcp1
/port
set 0 name=serial0
/queue type
add cake-ack-filter=filter cake-flowmode=dual-srchost cake-mpu=64 cake-nat=\
    yes cake-overhead=18 cake-overhead-scheme=docsis kind=cake name=cake-up
add cake-diffserv=besteffort cake-flowmode=dual-dsthost cake-mpu=64 \
    cake-overhead=18 cake-overhead-scheme=docsis kind=cake name=cake-down
add fq-codel-limit=1000 fq-codel-quantum=300 fq-codel-target=12ms kind=\
    fq-codel name=fq-codel
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=yes allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=****
/container config
set registry-url=https://ghcr.io tmpdir=disk1/pull
/ip smb
set enabled=no
/interface bridge port
add bridge=br-local interface=ether3 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether4 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether5 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether6 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether7 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
/interface list member
add interface=ether1-biznet list=WAN1
add interface=ether2-indibiz list=WAN2
add interface=br-local list=LAN
add interface=WG-Mikrotik-Griya list=LAN
/interface wireguard peers
add allowed-address=\
    192.168.32.3/32,192.168.10.0/24,192.168.168.0/24,10.0.0.0/24 \
    client-address=192.168.32.3/32 client-dns=9.9.9.9 client-endpoint=\
    ***.sn.mynetname.net comment=ZFOLD5 interface=WG-Mikrotik-Griya \
    is-responder=yes name=Zfold5 persistent-keepalive=25s public-key=\
    "***"
add allowed-address=192.168.32.5/32,192.168.10.0/24 client-address=\
    192.168.32.5/32 client-dns=9.9.9.9 client-endpoint=\
    ***.sn.mynetname.net comment=BTSSOFT interface=WG-Mikrotik-Griya \
    is-responder=yes name=Wendra persistent-keepalive=25s private-key=\
    "***" public-key=\
    "***"
add allowed-address=192.168.32.2/32,192.168.168.0/24 client-address=\
    192.168.32.2/32 client-dns=9.9.9.9 client-endpoint=\
    ***.sn.mynetname.net client-keepalive=15s comment="To WG Home" \
    endpoint-address=***.sn.mynetname.net endpoint-port=50535 \
    interface=WG-Mikrotik-Griya is-responder=yes name=Home public-key=\
    "***"
/ip address
add address=192.168.10.1/24 comment="To Local Lan" interface=br-local \
    network=192.168.10.0
add address=192.168.2.2/24 comment="Indibiz KONEKSI UTAMA LAN2" interface=\
    ether2-indibiz network=192.168.2.0
add address=192.168.1.3/24 comment="Biznet KONEKSI CADANGAN LAN1" interface=\
    ether1-biznet network=192.168.1.0
add address=192.168.32.1/24 comment=WIREGUARD interface=WG-Mikrotik-Griya \
    network=192.168.32.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.10.99 comment=Server-LAN1 mac-address=D8:BB:C1:54:21:ED
add address=192.168.10.100 comment=Server-LAN2 mac-address=F0:A7:31:D6:C1:41
add address=192.168.10.124 client-id=1:4c:bd:8f:9a:13:63 comment=\
    "Hikvision CCTV" mac-address=4C:BD:8F:9A:13:63 server=dhcp1
add address=192.168.10.101 comment=Eric mac-address=F0:BF:97:14:43:E5
add address=192.168.10.111 comment=ServerKasir mac-address=D8:5E:D3:31:81:D8
add address=192.168.10.84 client-id=1:0:e:53:2e:21:75 comment="CCTV AVTECH" \
    mac-address=00:0E:53:2E:21:75 server=dhcp1
add address=192.168.10.83 client-id=1:0:e:53:2f:a5:f3 comment="CCTV AVTECH" \
    mac-address=00:0E:53:2F:A5:F3 server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes cache-size=50000KiB doh-max-concurrent-queries=\
    100 doh-max-server-connections=20 max-concurrent-queries=250 \
    max-concurrent-tcp-sessions=50 servers=9.9.9.9 use-doh-server=\
    https://dns.google/dns-query verify-doh-cert=yes
/ip firewall filter
add action=accept chain=input comment="ZT PASS" in-interface=zerotier1
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input comment="Accept WireGuard Traffic" dst-port=\
    50535 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
/ip firewall nat
add action=accept chain=input comment="ZT ACCEPT 9993" protocol=udp src-port=\
    9993
add action=accept chain=srcnat out-interface=WG-Mikrotik-Griya
add action=masquerade chain=srcnat out-interface=zerotier1
add action=masquerade chain=srcnat comment="To internet LAN1"
add action=dst-nat chain=dstnat comment="WG To VNC" dst-port=6201 \
    in-interface=WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.100 \
    to-ports=6201
add action=dst-nat chain=dstnat comment="WG To CCTV Hikvison" dst-port=5053 \
    in-interface=WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.124 \
    to-ports=5053
add action=dst-nat chain=dstnat comment="WG > CCTV AVTECH" dst-port=5051 \
    in-interface=WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.83 \
    to-ports=5051
add action=dst-nat chain=dstnat dst-port=5052 in-interface=WG-Mikrotik-Griya \
    protocol=tcp to-addresses=192.168.10.84 to-ports=5052
add action=dst-nat chain=dstnat comment="ZT To VNC" dst-port=6201 \
    in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.100 to-ports=\
    6201
add action=dst-nat chain=dstnat comment="CCTV Hikvison" dst-port=5053 \
    in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.124 to-ports=\
    5053
add action=dst-nat chain=dstnat comment="CCTV AVTECH" dst-port=5051 \
    in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.83 to-ports=\
    5051
add action=dst-nat chain=dstnat dst-port=5052 in-interface=zerotier1 \
    protocol=tcp to-addresses=192.168.10.84 to-ports=5052
add action=dst-nat chain=dstnat comment=MSSQL dst-port=28900 in-interface=\
    zerotier1 protocol=tcp to-addresses=192.168.10.100 to-ports=28900
add action=dst-nat chain=dstnat comment=MSSQL dst-port=28900 in-interface=\
    WG-Mikrotik-Griya protocol=tcp to-addresses=192.168.10.100 to-ports=28900
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=zerotier1 type=external
/ip route
add comment=Indibiz disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.2.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=Biznet disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-table=main scope=31 suppress-hw-offload=no \
    target-scope=11
add comment="Connection to MK2" disabled=no distance=1 dst-address=\
    192.168.4.0/24 gateway=192.168.10.78 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Route to Home LAN By WireGuard" disabled=no distance=1 \
    dst-address=192.168.168.0/24 gateway=192.168.32.2 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=zerotier1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall nat
add action=accept chain=input protocol=udp src-port=9993
add action=masquerade chain=srcnat out-interface=zerotier1
/ppp l2tp-secret
/ppp profile
/ppp secret
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=MandiriTik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.10.1 enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add interval=2m name=ScheduleWGToggle on-event=\
    "/system script run ToggleWGPeer" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-07-29 start-time=15:50:00
add interval=1m name="Update DDNS" on-event=\
    "/system script run test\r\
    \n/system script run ForceUpdateddns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-07-31 start-time=21:26:44
/system script
add dont-require-permissions=no name=ToggleWGPeer owner=TommyKing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local wgcheckip 192.168.32.1\r\
    \n:local endpointip ***.sn.mynetname.net\r\
    \n#:log info \"wg check-ip \$wgcheckip \"\r\
    \n:if ([/ping \$wgcheckip interval=1 count=5] =0) do={\r\
    \n  :log info \"WG down \$wgcheckip\"\r\
    \n  /interface/wireguard/peers/disable [find endpoint-address=\$endpointip\
    ];\r\
    \n  :delay 60\r\
    \n  /interface/wireguard/peers/enable [find endpoint-address=\$endpointip]\
    ;\r\
    \n  :log info \"WG up again \$wgcheckip\"\r\
    \n}"
add dont-require-permissions=no name=ForceUpdateddns owner=TommyKing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip cloud force-update"
add dont-require-permissions=no name=test owner=TommyKing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    get current external IP\r\
    \n:global currentIP [:resolve ***.sn.mynetname.net server=208.67.2\
    22.222];\r\
    \n:global resolvedIP;\r\
    \n\r\
    \n# Determine if DNS update is needed\r\
    \n:if (\$currentIP != \$resolvedIP) do={\r\
    \n:log info (\"Mynetname update needed: Current-IP: \$currentIP Resolved-I\
    P: \$resolvedIP\")\r\
    \n/ip cloud force-update\r\
    \n:global resolvedIP [:resolve ***.sn.mynetname.net server=208.67.\
    222.222];\r\
    \n} else={\r\
    \n:log info (\"Mynetname: No update needed (\$currentIP=\$resolvedIP)\")\r\
    \n}"
/tool bandwidth-server
set enabled=no
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script=\
    "/ip route disable [find comment=\"Indibiz\"]\r\
    \n" host=1.1.1.1 http-codes="" interval=5s name=test1 test-script="" \
    type=icmp up-script="/ip route enable [find comment=\"Indibiz\"]"