# oct/04/2017 21:20:46 by RouterOS 6.40.3
# software id = UIR9-M60B
#
# model = RouterBOARD 3011UiAS
# serial number = 111111111111111
/interface bridge
# Single LAN bridge with a fixed admin MAC (auto-mac=no), from the default config.
add admin-mac=6C:11:6B:1D:11:11 auto-mac=no comment=defconf name=bridge
/interface ethernet
# Two hardware switch groups: ether2 masters ether3-5 ("SERVER"),
# ether6 masters ether7-10 ("SERVER2"). Only the master ports are bridge
# members (see /interface bridge port below); the slave ports inherit that.
set [ find default-name=ether2 ] name=ether2-master_SERVER
set [ find default-name=ether3 ] master-port=ether2-master_SERVER name=\
ether3-server-bind
set [ find default-name=ether4 ] master-port=ether2-master_SERVER name=\
ether4-server-bind
set [ find default-name=ether5 ] master-port=ether2-master_SERVER name=\
ether5-server-bind
set [ find default-name=ether6 ] name=ether6-master_SERVER2
set [ find default-name=ether7 ] master-port=ether6-master_SERVER2
set [ find default-name=ether8 ] master-port=ether6-master_SERVER2
set [ find default-name=ether9 ] master-port=ether6-master_SERVER2
set [ find default-name=ether10 ] master-port=ether6-master_SERVER2
# The SFP port is the uplink; the firewall rules below match on this name
# (sfp1_WAN), so the stored scripts that still say "sfp1" would not match it.
set [ find default-name=sfp1 ] name=sfp1_WAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
# DHCP range handed out on the bridge (.1 is the router, .2-.9 are left free).
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master_SERVER
add bridge=bridge comment=defconf interface=ether6-master_SERVER2
# sfp1_WAN is deliberately kept out of the bridge (disabled member).
add bridge=bridge comment=defconf disabled=yes interface=sfp1_WAN
# NOTE(review): ether1 is a LAN bridge port here but also carries the
# 104.231.157.22/8 address under /ip address; anything plugged into ether1
# therefore reaches the router through the "in-interface=bridge" input rule.
# Confirm that ether1 faces trusted hosts only.
add bridge=bridge interface=ether1
/interface bridge settings
# Bridged traffic is passed through the IP firewall (use-ip-firewall=yes),
# which is what makes the filter/nat rules below apply to LAN-side hosts.
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
/interface list member
# Only "bridge" is in LAN and only sfp1_WAN is in WAN; the per-switch-group
# LAN entries are disabled. The filter rules below match on interface names,
# not on these lists, so the lists are currently informational.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1_WAN list=WAN
add comment="SERVER 1 LAN" disabled=yes interface=ether2-master_SERVER list=\
LAN
add comment="SERVER 2 LAN" disabled=yes interface=ether6-master_SERVER2 list=\
LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
# NOTE(review): a /8 prefix on a public range makes the router treat all of
# 104.0.0.0/8 as on-link via ether1. Verify the intended prefix length with
# the upstream provider; a too-wide mask breaks routing for that whole range.
add address=104.231.157.22/8 interface=ether1 network=104.0.0.0
/ip cloud
set update-time=no
/ip dhcp-client
# Uplink address comes from DHCP on sfp1_WAN.
add dhcp-options=hostname,clientid disabled=no interface=sfp1_WAN
/ip dhcp-server network
# The 104.0.0.0/8 network entry has no DHCP server bound to ether1 (the only
# server is on "bridge"), so it appears unused — presumably leftover; confirm.
add address=104.0.0.0/8 gateway=104.231.157.22 netmask=8
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes: the router answers DNS on every interface the
# input chain accepts (currently the bridge). NOTE(review): the upstream
# server 104.231.157.22 is the router's own ether1 address — confirm this is
# meant, as forwarding to itself gives no external resolution.
set allow-remote-requests=yes servers=104.231.157.22
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
# Referenced only by the stored script6 below; no active filter rule uses it.
add address=104.231.157.22 list=my_ip_address
/ip firewall filter
# Port-scan detection (psd) and the matching reject rule are both disabled.
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=none-dynamic chain=input comment="QUICK SCANNING" \
connection-limit=100,32 disabled=yes limit=0,5:packet psd=21,3s,3,1 \
src-address-type="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=input disabled=yes protocol=icmp reject-with=\
icmp-network-unreachable src-address-list=port_scanners
# Explicit WAN->80/443 forward accepts are disabled; inbound web traffic is
# instead admitted by the connection-nat-state=dstnat rule further down.
add action=accept chain=forward comment=\
"Accept connections from outside to port 80" disabled=yes dst-port=80 \
in-interface=sfp1_WAN log=yes protocol=tcp
add action=accept chain=forward comment=\
"Accept connections from outside to port 443" disabled=yes dst-port=443 \
in-interface=sfp1_WAN log=yes protocol=tcp
# --- input chain: established/related, ICMP, anything from the bridge, drop.
add action=accept chain=input comment="Filter Rules" connection-state=\
established,related
# ICMP is accepted from every interface with no rate limit (the stored
# scripts use the same rule); a limit= on this rule would bound ping floods.
add action=accept chain=input protocol=icmp
# Bridge includes ether1 (see /interface bridge port), so router services are
# reachable from ether1 as well as from the switch groups.
add action=accept chain=input in-interface=bridge
add action=drop chain=input
# --- forward chain.
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=forward out-interface=sfp1_WAN
add action=accept chain=forward connection-nat-state=dstnat
# NOTE(review): this terminating drop is disabled=yes, so the forward chain
# has no active default-deny: traffic matching none of the accepts above
# (e.g. new WAN->LAN connections that were not dst-nat'ed) falls through to
# the chain's built-in accept. Neither chain drops connection-state=invalid.
# The stored script9 below has the "drop all from WAN not DSTNATed" rule the
# live configuration lacks; enabling this drop (after the accept below) or
# adding that rule restores the intended policy.
add action=drop chain=forward disabled=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=sfp1_WAN
# Port 80 publish: only for the router's own (local) addresses outside the
# LAN range, forwarded to the web server 192.168.88.248 and logged.
add action=dst-nat chain=dstnat comment="Port 80 Open" dst-address=\
!192.168.88.0/24 dst-address-type=local dst-port=80 log=yes protocol=tcp \
to-addresses=192.168.88.248 to-ports=80
# Hairpin masquerade so LAN clients reaching the published port 80 get their
# replies via the router. NOTE(review): to-addresses/to-ports are not used by
# a masquerade action — presumably carried over from a copied dst-nat rule.
add action=masquerade chain=srcnat comment="Access WAN from Local LAN" \
dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.88.0/24 \
to-addresses=192.168.88.248 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp \
src-address=192.168.88.248 to-addresses=104.231.157.26
add action=dst-nat chain=dstnat comment="443 Port Open" disabled=yes \
dst-port=443 log=yes protocol=tcp to-addresses=192.168.88.248 to-ports=\
443
# NOTE(review): unlike the port-80 rule this has no dst-address-type=local /
# dst-address restriction and no in-interface, so every TCP/22 flow routed
# through the router (on any interface) is rewritten to 192.168.88.248:22,
# and the connection-nat-state=dstnat forward rule then accepts it. Scoping
# it like the port-80 rule, e.g. adding
#   dst-address-type=local in-interface=sfp1_WAN
# (or a src-address-list of allowed sources), limits exposure of that host's
# SSH service to the uplink only.
add action=dst-nat chain=dstnat comment=SFTP dst-port=22 protocol=tcp \
to-addresses=192.168.88.248 to-ports=22
/ip firewall service-port
# Connection-tracking helpers (ALGs) disabled. The FTP helper is left enabled
# here although the stored script7 below disables it; if FTP through the
# router is not needed, `set ftp disabled=yes` makes the live config match.
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
# Only the www-ssl change is exported; the other management services (www,
# ssh, telnet, ftp, api, winbox) are at their defaults as far as this export
# shows. Confirm they are disabled or restricted with address= to the LAN.
set www-ssl disabled=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=HomeLab
/system script
# NOTE(review): all eleven scripts are stored with the full policy set
# (ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon). They
# look like staged configuration fragments — several duplicate, contradict,
# or refer to interface names that differ from the live configuration above
# — and running one re-adds its rules on top of the live ones. Keep only the
# scripts still in use and narrow policy= to what each actually needs
# (read,write for rule changes).
# script1 renames ether slots 0/1 to LAN/WAN; the live config names them
# differently (ether2-master_SERVER, sfp1_WAN), so this is stale.
add name=script1 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/interface ethernet\r\
\nset 0 name=LAN\r\
\nset 1 name=WAN"
add name=script2 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/interface bridge\r\
\nadd name=bridge-wan"
# script3 references bridge-lan, which neither script2 nor the live config
# creates; the second add would fail.
add name=script3 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
interface bridge port\r\
\nadd interface=WAN bridge=bridge-wan\r\
\nadd interface=LAN bridge=bridge-lan"
# script4 duplicates the live /interface bridge settings.
add name=script4 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
interface bridge settings\r\
\nset allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes\
\_use-ip-firewall-for-vlan=yes"
# script5 duplicates the live my_ip_address address-list entry.
add name=script5 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall address-list\r\
\nadd address=104.231.157.22 list=my_ip_address"
# script6 is a full input/forward policy using in-interface=LAN and
# in-bridge-port=LAN, names that do not exist in the live config; it does
# carry the connection-state=invalid drops the live filter lacks.
add name=script6 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall filter\r\
\nadd chain=input comment=\"Allow access to router from known network\" sr\
c-address-list=my_ip_address\r\
\nadd action=drop chain=input comment=\"Disallow weird packets\" connectio\
n-state=invalid\r\
\nadd chain=input comment=\"Allow LAN access to router and Internet\" conn\
ection-state=new in-interface=LAN\r\
\nadd chain=input comment=\"Allow connections that originated from LAN\" c\
onnection-state=established\r\
\nadd chain=input comment=\"Allow connections that originated from LAN\" c\
onnection-state=related\r\
\nadd chain=input comment=\"Allow ping ICMP from anywhere\" protocol=icmp\
\r\
\nadd action=drop chain=input comment=\"Disallow anything from anywhere on\
\_any interface\"\r\
\nadd action=drop chain=forward comment=\"Disallow weird packets\" connect\
ion-state=invalid\r\
\nadd chain=forward comment=\"Allow LAN access to router and Internet\" co\
nnection-state=new in-bridge-port=LAN\r\
\nadd chain=forward comment=\"Allow connections that originated from LAN\"\
\_connection-state=established\r\
\nadd chain=forward comment=\"Allow connections that originated from LAN\"\
\_connection-state=related\r\
\nadd chain=forward comment=\"Open port 80 for Web Server\" dst-address=19\
2.168.88.248 dst-port=80 protocol=tcp\r\
\nadd action=drop chain=forward"
# script7 is the live service-port block plus `set ftp disabled=yes`.
add name=script7 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall service-port\r\
\nset ftp disabled=yes\r\
\nset tftp disabled=yes\r\
\nset irc disabled=yes\r\
\nset h323 disabled=yes\r\
\nset sip disabled=yes\r\
\nset pptp disabled=yes"
# script8 treats ether1 as the WAN ("drop all from WAN" on in-interface=ether1);
# in the live config ether1 is a LAN bridge port and the uplink is sfp1_WAN.
add name=script8 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall\r\
\nfilter add chain=input action=accept protocol=icmp comment=\"defconf: ac\
cept ICMP\"\r\
\n filter add chain=input action=accept connection-state=established,relat\
ed comment=\"defconf: accept established,related\"\r\
\n filter add chain=input action=drop in-interface=ether1 comment=\"defcon\
f: drop all from WAN\"\r\
\nfilter add chain=forward action=fasttrack-connection connection-state=es\
tablished,related comment=\"defconf: fasttrack\"\r\
\nfilter add chain=forward action=accept connection-state=established,rela\
ted comment=\"defconf: accept established,related\""
# script9 uses "sfp1" (live name is sfp1_WAN) and, in the input drop,
# "esfp1" — apparently a typo — so those rules would not match the uplink.
# It also publishes 943/tcp, 1194/udp and 443/tcp to 192.168.88.248.
add name=script9 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall filter\r\
\nadd action=accept chain=forward dst-port=943 in-interface=bridge protoco\
l=tcp\r\
\nadd action=fasttrack-connection chain=forward comment=\"defconf: fasttra\
ck\" \r\
\n connection-state=established,related\r\
\nadd action=accept chain=forward comment=\"defconf: accept established,re\
lated\" \r\
\n connection-state=established,related\r\
\nadd action=drop chain=forward comment=\"defconf: drop invalid\" \r\
\n connection-state=invalid\r\
\nadd action=drop chain=forward comment=\r\
\n \"defconf: drop all from WAN not DSTNATed\" connection-nat-state=!d\
stnat \r\
\n connection-state=new in-interface=sfp1\r\
\nadd action=accept chain=input protocol=icmp\r\
\nadd action=accept chain=input connection-state=established\r\
\nadd action=drop chain=input in-interface=esfp1\r\
\n/ip firewall nat\r\
\nadd action=masquerade chain=srcnat comment=\"defconf: masquerade\" \r\
\n out-interface=sfp1\r\
\nadd action=masquerade chain=srcnat out-interface=bridge\r\
\nadd action=dst-nat chain=dstnat dst-address=104.231.157.22 dst-port=943 \
log=\r\
\n yes log-prefix=\"tcp 943:\" protocol=tcp to-addresses=192.168.88.248\
\r\
\nadd action=dst-nat chain=dstnat dst-address=104.231.157.22 dst-port=1194\
\_\r\
\n protocol=udp to-addresses=192.168.88.248\r\
\nadd action=dst-nat chain=dstnat dst-address=104.231.157.22 dst-port=443 \
\r\
\n protocol=tcp to-addresses=192.168.88.248\r\
\nadd action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=\
\r\
\n 192.168.88.0/24"
# script10 adds chain=forward rules under /ip firewall nat; "forward" is not
# a NAT chain, so these look intended for /ip firewall filter.
add name=script10 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall nat\r\
\nadd action=accept chain=forward disabled=no dst-port=80 protocol=tcp\r\
\nadd action=accept chain=forward disabled=no dst-port=80 protocol=udp"
# script11 is the enabled variant of the disabled port-scan rules above
# (5m10s list timeout). NOTE(review): reject-with=icmp-host-reachable does
# not look like a valid value — presumably icmp-host-unreachable was meant.
add name=script11 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall filter\r\
\nadd action=add-src-to-address-list address-list=port_scanners address-li\
st-timeout=5m10s chain=input comment=\"QUICK SCANNING\" psd=21,3s,3,1\r\
\nADD chain=input protocol=icmp reject-with=icmp-host-reachable src-addres\
s-list=port_scanners action=reject"
/tool e-mail
# Outbound mail via a literal server IP on 587 with STARTTLS; the password is
# not part of the export. NOTE(review): from=<HomeLab> is a display name, not
# an address — confirm the relay accepts it.
set address=74.125.136.108 from=<HomeLab> port=587 start-tls=yes user=\
liberty01
/tool mac-server
# MAC-telnet is off on the default (all-interfaces) entry and enabled only on
# the three listed ports. ether1 also carries the public 104.231.157.22/8
# address (see /ip address), so layer-2 management is reachable on that port
# from whatever it connects to — confirm ether1 faces trusted hosts only.
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2-master_SERVER
add interface=ether6-master_SERVER2
/tool mac-server mac-winbox
# Same interface set for MAC-Winbox as for MAC-telnet above.
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=ether2-master_SERVER
add interface=ether6-master_SERVER2