I have deleted all of the VLAN setup except for what's in the firewall, hoping someone might know a quick fix, but here it is:
# aug/18/2019 11:03:53 by RouterOS 6.45.3
# software id = xxxxxxxx
/interface bridge
# vlan-filtering is on, so the /interface bridge vlan table decides which
# VLANs each port carries; bridge1 itself is not listed in any VLAN entry.
add name=bridge1 vlan-filtering=yes
/interface ethernet
# ether1 is the upstream/WAN port (dhcp-client + masquerade are bound to it).
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-f
ull,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full"
/interface list
# Members are assigned under /interface list member; most filter rules
# below match on ether1-WAN by name rather than on these lists.
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=xxxx
/ip pool
# Lease range for the bridge LAN (192.168.2.0/24).
add name=dhcp ranges=192.168.2.10-192.168.2.254
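/ip dhcp-server
# NOTE(review): a DHCP *server* on ether1-WAN hands the LAN pool
# (192.168.2.x) to whatever sits upstream, while /ip dhcp-client also runs
# on that same port.  Disabled here; delete it outright if nothing behind
# ether1-WAN is meant to get a lease from this router.
add add-arp=yes address-pool=dhcp disabled=yes interface=ether1-WAN lease-time=1w name=dhcp-WAN
# LAN-side server on the bridge; gateway/DNS options are under
# /ip dhcp-server network.
add add-arp=yes address-pool=dhcp disabled=no interface=bridge1 lease-time=1w name=dhcp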
/system logging action
add name=debug target=memory
add email-to=xxxxxxxxx name=email target=email
# auth/syslog write to local disk files; the /system logging rules route
# the account and system topics to them.
add disk-file-name=downloads/auth.log name=auth target=disk
add disk-file-name=downloads/syslog.log name=syslog target=disk
/tool user-manager customer
set admin access=
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/dude
# The Dude server is enabled on this router; confirm it is still wanted,
# since no filter rule in this export restricts where it is reachable from.
set enabled=yes
/interface bridge port
# ether3 is an untagged member of VLAN 2 (see /interface bridge vlan) but
# keeps the default pvid, so untagged frames entering ether3 are not placed
# in VLAN 2 — presumably pvid=2 is intended here; confirm.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/ip neighbor discovery-settings
# Neighbor discovery is off on every interface.
set discover-interface-list=none
/interface bridge vlan
# Only VLAN 2 is defined and bridge1 is not a tagged member of it, so the
# router itself has no path into VLAN 2 without a tagged=bridge1 entry and
# an /interface vlan on top of bridge1.
add bridge=bridge1 untagged=ether3 vlan-ids=2
/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge1 list=LAN
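/ip address
# ether2 is a bridge1 slave (see /interface bridge port), so an address
# bound to it is not usable; the DHCP server and its network entry use
# 192.168.2.1 as the gateway of the bridge LAN, so the address belongs on
# bridge1.
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0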
/ip cloud
set update-time=no
/ip dhcp-client
# ether1-WAN takes its address from the upstream DHCP server.
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
/ip dhcp-server lease
/ip dhcp-server network
# Clients are handed public resolvers directly rather than this router's
# DNS, so LAN lookups do not go through the "Allow DNS request" rules.
add address=192.168.2.0/24 dns-server=
8.8.8.8,108.166.149.2,1.1.1.1,8.8.4.4,1.0.0.1 gateway=192.168.2.1
netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for others; the
# "Block DNS from External WAN" filter rules are what keep it from being an
# open resolver toward the internet — keep them as long as this stays yes.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip firewall address-list
# "nat list" is trusted for TCP access to the router in chain=input, so
# anything the add-dst-to-address-list filter rule adds to it gains that
# access as well.
add address=192.168.2.0/24 comment="Safe Networks" list="nat list"
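/ip firewall filter
# Review notes: the input and forward chains had no final drop (RouterOS
# chains default to accept), both "Drop Invalid" rules lacked the
# connection-state matcher their comments describe (enabled, they would
# have dropped everything), the blanket "Accept ICMP" made the ICMP chain
# unreachable, "IOT Vuln Block" sat in chain=output (router-originated
# traffic only) and "Allow pptp" used 1721 instead of 1723.  Fixed below;
# rule order is otherwise unchanged.
add chain=input comment="Accept Established / Related Input" connection-state=established,related
# Enabled and given the missing matcher.
add action=drop chain=input comment="Drop Invalid Packets" connection-state=invalid log-prefix="Input Drop"
add action=fasttrack-connection chain=forward comment="FastTrack Established / Related Forward" connection-state=established,related
add chain=forward comment="Accept Established / Related Forward" connection-state=established,related
# "nat list" is the trusted-source list (seeded with 192.168.2.0/24 under
# /ip firewall address-list).
add action=accept chain=input comment="Allow access from home network" protocol=tcp src-address-list="nat list"
add chain=forward comment="Allow client LAN traffic out WAN" out-interface=ether1-WAN src-address=192.168.2.0/24
add action=accept chain=forward comment="IOT VLAN" out-interface=ether1-WAN src-address=10.10.10.0/24
add action=accept chain=input comment="Accept DHCP requests on VLAN interfaces" dst-port=67 in-interface=all-vlan protocol=udp src-port=68
# Enabled, given the missing matcher, and the copy-pasted "Input Drop"
# prefix corrected so forward drops are distinguishable in the log.
add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid log-prefix="Forward Drop"
add action=add-dst-to-address-list address-list="nat list" address-list-timeout=none-dynamic chain=forward connection-nat-state=dstnat dst-address-list="!nat list" in-interface=ether1-WAN log=yes src-address-list=""
# Moved from chain=output to chain=forward: output only sees packets the
# router itself originates, so device traffic never reached this rule.
add action=drop chain=forward comment="IOT Vuln Block" dst-port=32100 log=yes log-prefix=IOT_Vuln--> out-interface=ether1-WAN protocol=udp
# ssh_blacklist is consumed here but nothing in this export populates it.
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22,23,2200 protocol=tcp src-address-list=ssh_blacklist
# Three-strike tracker for winbox/pptp from ether1-WAN.  The add-src rules
# do not drop, so a first attempt still continues down the chain.
add action=tarpit chain=input comment="drop winbox brute forcers" log=yes log-prefix=Winbox--> protocol=tcp src-address-list=Blacklist_Winbox
add action=add-src-to-address-list address-list=Blacklist_Winbox address-list-timeout=1w chain=input dst-port=8291,1723 in-interface=ether1-WAN protocol=tcp src-address-list=Winbox_attempt2
add action=add-src-to-address-list address-list=Winbox_attempt2 address-list-timeout=30m chain=input dst-port=8291,1723 in-interface=ether1-WAN protocol=tcp src-address-list=Winbox_attempt1
# The !192.168.0.0/24 exemption does not match this LAN (192.168.2.0/24);
# it is moot because in-interface=ether1-WAN already excludes LAN traffic.
add action=add-src-to-address-list address-list=Winbox_attempt1 address-list-timeout=5m chain=input dst-port=8291,1723 in-interface=ether1-WAN protocol=tcp src-address=!192.168.0.0/24
add action=drop chain=input comment="drop FTP brute forcers" dst-port=21 protocol=tcp
# With all TCP/21 dropped above, the two "530 Login Incorrect" rules never
# see traffic, and ftp_blacklist is never consumed by a drop rule.
add action=accept chain=output content="530 Login Incorrect" dst-limit=1/1m,9,dst-address/1m
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=4w2d chain=output content="530 Login Incorrect"
# Disabled: an unconditional accept here made the jump below and the whole
# rate-limited ICMP chain unreachable.
add action=accept chain=input comment="Accept ICMP" disabled=yes protocol=icmp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5 protocol=icmp
# VPN service ports, open from any interface.  Remove any whose server is
# not configured.  Plain L2TP (1701) is accepted without
# ipsec-policy=in,ipsec, so it is not limited to L2TP/IPsec.
add action=accept chain=input comment="Allow IPSec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="Allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="Allow l2tp" dst-port=1701 protocol=udp
# PPTP's control channel is TCP/1723 (1721 was a typo; the winbox tracker
# above already uses 1723).
add action=accept chain=input comment="Allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Accept localhost" dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=input comment="Accept broadcast traffic" dst-address-type=broadcast
# Keeps allow-remote-requests=yes from turning the router into an open
# resolver.
add action=drop chain=input comment="Block DNS from External WAN" dst-port=53 in-interface=ether1-WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=udp
add action=drop chain=forward dst-port=53 out-interface=!ether1-WAN protocol=tcp
add action=drop chain=forward dst-port=53 out-interface=!ether1-WAN protocol=udp
# chain=services is never jumped to from input, so these three rules are
# dead as written.
add action=accept chain=services comment="Allow NTP" dst-port=123 protocol=udp
add action=accept chain=services comment="Allow DNS request" dst-port=53 in-interface=bridge1 protocol=tcp
add action=accept chain=services comment="Allow DNS request" dst-port=53 in-interface=bridge1 protocol=udp
add action=accept chain=input comment="Accept DNS requests (UDP) from VLAN interfaces" dst-port=53 in-interface=all-vlan protocol=udp
add action=accept chain=input comment="Accept DNS requests (TCP) from VLAN interfaces" dst-port=53 in-interface=all-vlan protocol=tcp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
# Final drops.  Input from the WAN list is dropped after the explicit
# accepts above; forward drops new connections arriving from WAN that were
# not dst-nat'ed.  WAN membership is set under /interface list member.
# Add log=yes here if you want these in the firewall log — useful for
# detection, but noisy.
add action=drop chain=input comment="Drop everything else from WAN" in-interface-list=WAN
add action=drop chain=forward comment="Drop new WAN connections that are not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN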
/ip firewall nat
# Single masquerade for everything leaving ether1-WAN.  No dst-nat rules
# are present, so the connection-nat-state=dstnat filter rule never matches.
add action=masquerade chain=srcnat out-interface=ether1-WAN
/ip firewall raw
# Raw drops run before connection tracking.  Exempt lists are checked
# first; the sbl* lists are presumably filled by the scheduled blacklist
# import (see /system script) — confirm, nothing here populates them.
add action=accept chain=prerouting dst-address-list=Exempt-dst
src-address-list=Exempt_src
add action=drop chain=prerouting comment="Blacklist IP's" log=yes log-prefix=
BL----> src-address-list=Black_list
add action=drop chain=prerouting comment="sbl malc0de" log=yes log-prefix=
SBL---> src-address-list="sbl malc0de"
add action=drop chain=prerouting comment="sbl malc0de" dst-address-list=
"sbl malc0de" log=yes log-prefix=SBL.dst---> src-address-list=""
add action=drop chain=prerouting comment="sbl dshield" log=yes log-prefix=
SBL---> src-address-list="sbl dshield"
add action=drop chain=prerouting comment="sbl dshield" dst-address-list=
"sbl dshield" log=yes log-prefix=SBL.dst--->
add action=drop chain=prerouting comment="sbl spamhaus" log=yes log-prefix=
SBL---> src-address-list="sbl spamhaus"
add action=drop chain=prerouting comment="sbl spamhaus" dst-address-list=
"sbl spamhaus" log=yes log-prefix=SBL.dst---> src-address-list=""
add action=drop chain=prerouting comment="sbl blocklist.de" log=yes
log-prefix=SBL---> src-address-list="sbl blocklist.de"
add action=drop chain=prerouting comment="sbl blocklist.de" dst-address-list=
"sbl blocklist.de" log=yes log-prefix=SBL.dst---> src-address-list=""
/ip service
# Only non-default services appear in an export, so www, winbox and ftp are
# still at their defaults and carry no address= restriction.  Consider
# `set winbox address=<LAN prefix>` and `set www address=<LAN prefix>`
# (placeholders) so a filter-chain mistake cannot expose management on
# ether1-WAN.
set telnet disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# Only matters if ssh is re-enabled (it is disabled above).
set strong-crypto=yes
/system clock
set time-zone-name=America/Chicago
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge1 disabled=yes display-time=5s
set ether1-WAN disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
/system logging
# critical/error/warning go out by e-mail; firewall, system and account
# events go to disk (actions defined under /system logging action).
add action=email topics=critical
add topics=e-mail,debug
add action=email topics=error
add action=disk topics=info,firewall
add topics=script
add action=email topics=warning
# Matches every firewall message, including the info-level ones the
# info,firewall entry above already sends to disk — presumably those lines
# are written twice; confirm and drop one of the two.
add action=disk topics=firewall
add action=syslog topics=system
# Login/logout records land in downloads/auth.log — the place to look for
# brute-force against winbox/www.
add action=auth topics=account
/system ntp client
# Unauthenticated NTP against two hard-coded servers; log timestamps and
# the scheduler times depend on it.
set enabled=yes primary-ntp=72.30.35.88 secondary-ntp=208.67.75.242
/system scheduler
# Every job below carries the full policy set (ftp, reboot, read, write,
# policy, test, password, sniff, sensitive, romon).  Each job only needs
# what its script actually uses; because the scripts use
# dont-require-permissions=no a job's policy must still cover the script's
# own policy, so trim the two together.
# Startup: download the blacklist file 25s after boot, import it at 75s.
add name=Startup_Download_Blacklist on-event=":delay 25 \r
\n/system script run Blacklist_SquidBlacklist_Download_drop.malicious.rsc"
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-time=startup
# NOTE(review): the on-event text has a \r\n between "script run" and the
# script name, which would leave "/system script run" without a name and
# make the next line its own command — looks like this job never imports;
# confirm on the live router (same for Import_Blacklist below).
add name=Startup_Import_Blacklist on-event=":delay 75 \r
\n/system script run \r
\nBlacklist_SquidBlacklist_Import_drop.malicious.rsc" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-time=startup
# Twice daily; the import fires 90s after the download starts, so if the
# fetch is still running the import reads whatever is on disk at that
# moment.
add interval=12h name=Download_Blacklist on-event=
"/system script run Blacklist_SquidBlacklist_Download_drop.malicious.rsc"
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=aug/17/2019 start-time=02:01:00
add interval=12h name=Import_Blacklist on-event="/system script run \r
\nBlacklist_SquidBlacklist_Import_drop.malicious.rsc" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=aug/17/2019 start-time=02:02:30
# Backup at 02:00, mailed at 02:05 (scripts under /system script).
add interval=1d name="Daily Backup" on-event="Daily Backup" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=aug/17/2019 start-time=02:00:00
add interval=1d name="Daily Backup to email" on-event="Email Backup" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=aug/17/2019 start-time=02:05:00
# Fortnightly reboot at 03:03.
add interval=2w name=Reboot on-event=Reboot policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=aug/26/2019 start-time=03:03:00
# NOTE(review): no separator between ":delay 30" and the script run, and
# the script name contains spaces; presumably
# `:delay 30; /system script run "Router Reboot Report"` is intended —
# confirm the report actually arrives after a reboot.
add name="Reboot report" on-event=
":delay 30 /system script run Router Reboot Report" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-time=startup
# DDNS update every 6h, then the address-list refresh 30s later.
add interval=6h name="NO-IP update" on-event="NO-IP Update" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=aug/17/2019 start-time=11:00:00
add interval=6h name="NO-IP updated to list" on-event="resolve hosts" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=aug/17/2019 start-time=11:00:30
/system script
# Unencrypted backup: /system backup save without password= captures every
# credential on the device, and "Email Backup" below mails that file
# off-box.  Add password=<backup passphrase> (placeholder) so a copy sitting
# in a mailbox is useless on its own.  (owner/policy look fused by the
# redaction in this paste.)
add dont-require-permissions=no name="Daily Backup" owner=xxxxxxpolicy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
"/system backup save name=backups/email_backup"
# Supply-chain / on-path risk: drop.malicious.rsc is fetched over plain HTTP
# with no integrity check, and the Import script below runs `import` on it
# with the full policy set — whoever can alter the download (or the host)
# runs arbitrary commands on this router.  Use mode=https
# check-certificate=yes if the host offers TLS, and give the download and
# import jobs the tightest policy that still lets the file's commands run.
add dont-require-permissions=no name=
Blacklist_SquidBlacklist_Download_drop.malicious.rsc owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":
log warning "START - Download blacklist (drop.malicious.rsc) updates.";
\r
\n/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org m
ode=http src-path=/downloads/drop.malicious.rsc dst-path=/disk1/blacklists
/drop.malicious.rsc\r
\n:log warning "END - Download blacklist (drop.malicious.rsc) updates.";
"
# Executes the downloaded file as RouterOS commands; see the note on the
# download script above.
add dont-require-permissions=no name=
Blacklist_SquidBlacklist_Import_drop.malicious.rsc owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":
log warning "START - Import blacklist (drop.malicious.rsc) update.";\r
\nimport /disk1/blacklists/drop.malicious.rsc\r
\n:log warning "END - Import blacklist (drop.malicious.rsc) update.";"
# Mails the .backup produced by "Daily Backup" through /tool e-mail.  The
# source text looks damaged in this paste (stray `\ subject=` and a trailing
# `""`), so the live script may differ.
add dont-require-permissions=no name="Email Backup" owner=Michelle policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/
tool e-mail send file=backups/email_backup.backup to="xxxxxxxxx" body="Home Backup file attached" \ subject="$[/system identity g
et name] Backup file $[/system clock get time] $[/system clock get date]
""
# The No-IP account password is stored inline and the update URL is
# http://, so user= and password= travel in the clear on every run.  No-IP
# serves the same /nic/update endpoint over https://; change the url scheme
# and mode=http to mode=https.
add dont-require-permissions=no name="NO-IP Update" owner=Administrator
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source="# No-IP account credentials.\r
\n:local noipUsername "xxxxxxxx"\r
\n:local noipPassword "xxxxxxxx"\r
\n\r
\n# Set the hostname or label of network to be updated.\r
\n# Hostnames with spaces are unsupported. Replace the value in the quotat
ions below with your host names.\r
\n# To specify multiple hosts, separate them with commas.\r
\n:local noipHostname "xxxxxxxxx"\r
\n\r
\n# The interface name with the assigned dynamic IP address (usually the W
AN interface).\r
\n:local wanInterface "ether1-WAN"\r
\n\r
\n# Log destination\r
\n:local logDestination "/downloads/"\r
\n\r
\n#-----------------------------------------------------------------------
--------------------------------------------------\r
\n\r
\n:log warning message="START: No-IP DDNS Update"\r
\n\r
\n:if ([/interface get $wanInterface value-name=running] = true) do={\r
\n\r
\n# Get the previous IP via DNS resolution.\r
\n :local previousIP [:resolve "$noipHostname"]\r
\n\r
\n# Get the current IP on the WAN interface.\r
\n :local currentIP [/ip address get [find interface="$wanInterface"
_disabled=no] address]\r
\n\r
\n# Strip net mask from IP address.\r
\n :for i from=([:len $currentIP] - 1) to=0 do={\r
\n :if ([:pick $currentIP $i] = "/") do={\r
\n :set currentIP [:pick $currentIP 0 $i]\r
\n }\r
\n }\r
\n\r
\n :log info "No-IP: DNS IP ($previousIP), interface IP ($currentIP)
"\r
\n \r
\n :if ($currentIP != $previousIP) do={\r
\n :log info "No-IP: Current IP $currentIP is not equal to previo
us IP, update needed"\r
\n\r
\n# The update URL. The "\3F" is hex for question mark (?). This
_is required since ? is a special character in the command.\r
\n :local url "http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$cur\
rentIP"\r
\n :local noipHostnames\r
\n :set noipHostnames [:toarray $noipHostname]\r
\n :foreach hostname in=$noipHostnames do={\r
\n :log info "No-IP: Sending update for $hostname"\r
\n /tool fetch url=($url . "&hostname=$hostname") user=$no
ipUsername password=$noipPassword mode=http dst-path=($logDestination .
"no-ip_ddns_update-" . $hostname . ".txt")\r
\n :log info "No-IP: Host $hostname updated on No-IP with IP
$currentIP"\r
\n }\r
\n } else={\r
\n :log info "No-IP: Previous IP $previousIP is equal to current
IP, no update needed"\r
\n }\r
\n\r
\n} else={\r
\n :log info "No-IP: $wanInterface is not currently running, unable t
o verify and/or update IP."\r
\n }\r
\n \r
\n:log warning message="END: No-IP DDNS Update""
# Rebuilds one IPv4 and one IPv6 address-list per hostname from the DNS
# cache every 6h (see /system scheduler); any firewall rule that matches on
# those lists therefore trusts whatever the configured resolvers answer.
add dont-require-permissions=no name="resolve hosts" owner=Michelle policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":
local hosts {"xxxxxxxxx"}\r
\n:foreach k,v in=$hosts do={\r
\n :log info "Doing $v"\r
\n :local listname $v\r
\n :resolve $v\r
\n :local iscname [/ip dns cache all find where name=$v and type="CNAME
"]\r
\n :if ($iscname != "") do={\r
\n :local newname [/ip dns cache all get $iscname data]\r
\n :log info "$v is CNAME to $newname"\r
\n :set v $newname\r
\n }\r
\n :resolve $v\r
\n /ip firewall address-list remove [/ip firewall address-list find where
_list=$listname]\r
\n :foreach i in=[/ip dns cache all find where name=$v and type="A"] d
o={\r
\n :local ipaddr [/ip dns cache all get $i data]\r
\n /ip firewall address-list add list=$listname address=$ipaddr comme
nt=$v\r
\n :log info "IP address: $ipaddr"\r
\n }\r
\n /ipv6 firewall address-list remove [/ipv6 firewall address-list find w
here list=$listname]\r
\n :foreach i in=[/ip dns cache all find where name=$v and type="AAAA"
] do={\r
\n :local ipaddr [/ip dns cache all get $i data]\r
\n /ipv6 firewall address-list add list=$listname address=$ipaddr com
ment=$v\r
\n :log info "IPv6 address: $ipaddr"\r
\n }\r
\n}\r
\n:log info "end""
# Only needs the reboot policy; it currently carries all of them.
add dont-require-permissions=no name=Reboot owner=xxx policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
"/system reboot"
# Mails the critical-topic log lines after boot.  `foreach` is written
# without the leading colon and the :set lines name the variable as
# `$ts`/`$msg` — confirm the script actually runs from the scheduler.
# "Hardware Model" is a hard-coded string, not read from the device.
add dont-require-permissions=no name="Router Reboot Report" owner=xxx
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source=":delay 1\r
\n \r
\n:local reportBody ""\r
\n \r
\n:local deviceName [/system identity get name]\r
\n:local deviceDate [/system clock get date]\r
\n:local deviceTime [/system clock get time]\r
\n:local rosVersion [/system package get system version]\r
\n \r
\n:set reportBody ($reportBody . "Router Reboot Report for $deviceName
\n")\r
\n:set reportBody ($reportBody . "Report generated on $deviceDate at $
deviceTime\n\n")\r
\n \r
\n:set reportBody ($reportBody . "Hardware Model: HP t620 Plus\n")\r
\n:set reportBody ($reportBody . "RouterOS Version: $rosVersion\n")\r
\n\r
\n :set reportBody ($reportBody . "\n\n=== Critical Log Events ===\n
" )\r
\n \r
\n:local x\r
\n:local ts\r
\n:local msg\r
\nforeach i in=([/log find where topics~"critical"]) do={\r
\n:set $ts [/log get $i time]\r
\n:set $msg [/log get $i message]\r
\n:set $reportBody ($reportBody . $ts . " " . $msg . "\n" )\r
\n}\r
\n \r
\n:set reportBody ($reportBody . "\n=== end of report ===\n")\r
\n \r
\n/tool e-mail send subject="$deviceName Home Router Reboot Report" to=
"xxxxxxxxxxx" body=$reportBody"
/tool bandwidth-server
set enabled=no
/tool e-mail
# SMTP credentials live in the config.  start-tls=yes protects the session
# only when the server offers STARTTLS — confirm it does, since the daily
# backup and the reboot report both travel this way.
set address=xxxxxxxxxxxxx from=xxxxxxxxxxxxxx password=
xxxxxxxxxxxxxxx port=587 start-tls=yes user=xxxxxxxxxxxxxxx
/tool mac-server
# MAC-telnet, MAC-winbox and MAC-ping are all off.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=user-manager