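# feb/06/2018 00:45:37 by RouterOS 6.41.1
# software id = RFDS-HPT0
#
# model = CRS125-24G-1S-2HnD
#
# Reviewed export. Secrets were replaced with the word "hidden" by the poster
# (wireless keys, domain) and the remaining DHCP static leases were elided.
# Everything below is the export as posted, with reviewer notes added as
# comments; the only edit to a command line is the restored space before the
# continuation backslash in the wireless security profile (see there).
#
# Wireless: single 2.4 GHz AP (ssid=HA) running in ap-bridge mode so it can be
# a bridge port further down.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country="united states" disabled=no distance=indoors frequency=auto mode=\
ap-bridge ssid=HA wireless-protocol=802.11
# Bridge with protocol-mode=none, i.e. spanning tree is off. Three downstream
# switches (ports 22-24) hang off this bridge, so a cabling loop between them
# would not be detected by the router - consider protocol-mode=rstp if those
# switches support it.
/interface bridge
add admin-mac=D4:CA:6D:CE:29:23 auto-mac=no comment=defconf name=bridge \
protocol-mode=none
# Port naming. NOTE(review): ether10 (printer), ether11 (workbench switch),
# ether12 and ether14 (APC PDU) are named as in-use but are NOT added as
# bridge ports below, so devices on them have no L3 connectivity from this
# config - verify whether that is intentional.
/interface ethernet
set [ find default-name=ether1 ] name="1 - Portal - AP"
set [ find default-name=ether2 ] name="2 - Mike - PC"
set [ find default-name=ether3 ] name="3 - Erin - PC"
set [ find default-name=ether4 ] name="4 - Vaughn - PC"
set [ find default-name=ether5 ] name="5 - Rayne - PC"
set [ find default-name=ether6 ] name="6 - Schwartz - PC"
set [ find default-name=ether7 ] name="7 - Bedroom - Roku 3"
set [ find default-name=ether8 ] name="8 - Insteon Hub - HA"
set [ find default-name=ether9 ] name="9 - Bloomsky Storm - HA"
set [ find default-name=ether10 ] name="10 - Brother MFC9320CW - Printer"
set [ find default-name=ether11 ] name="11 - Workbench - Swirch"
set [ find default-name=ether12 ] name="12 - Workbench Test - PC"
set [ find default-name=ether13 ] name="13 - Unused"
set [ find default-name=ether14 ] name="14 - APC PDU - Network"
set [ find default-name=ether15 ] name="15 - Unused"
set [ find default-name=ether16 ] name="16 - Unused"
set [ find default-name=ether17 ] name="17 - Unused"
set [ find default-name=ether18 ] name="18 - Unused"
set [ find default-name=ether19 ] name="19 - Unused"
set [ find default-name=ether20 ] name="20 - Unused"
set [ find default-name=ether21 ] name="21 - Unused"
set [ find default-name=ether22 ] name="22 - LivingRoom - Switch"
set [ find default-name=ether23 ] name="23 - Understairs - Switch"
set [ find default-name=ether24 ] name="24 - ErinOffice - Switch"
set [ find default-name=sfp1 ] name="WAN - SFP1"
# Interface lists used by the firewall (in-interface-list / out-interface-list).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Wireless security profile. WPA/WPA2-PSK only (no WEP, no open), good.
# Fix: the posted line ended in "hidden\" with no space before the backslash;
# RouterOS joins a continuation directly, so on re-import the two keys would
# fuse into one value "hiddenwpa2-pre-shared-key=hidden". Space restored.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=hidden \
wpa2-pre-shared-key=hidden
# DHCP: 31 dynamic addresses (.150-.180); static leases below sit outside
# the pool, which is the usual arrangement.
/ip pool
add name=dhcp_pool4 ranges=10.54.25.150-10.54.25.180
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=bridge lease-time=8h name=\
dhcp1
# SNMP: the default community is reachable from any source address. The
# input chain's final rule drops non-LAN traffic, so the WAN is covered by the
# firewall only; if SNMP is actually polled (Grafana host?), narrow this to
# addresses=10.54.25.0/24 (or the poller's address) so it does not rely on
# rule order, and disable the community if nothing polls it.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# Bridge membership. The WAN SFP port is present but disabled (defconf
# leftover); "1 - Portal - AP" was added manually.
/interface bridge port
add bridge=bridge comment=defconf interface="2 - Mike - PC"
add bridge=bridge comment=defconf interface="3 - Erin - PC"
add bridge=bridge comment=defconf interface="4 - Vaughn - PC"
add bridge=bridge comment=defconf interface="5 - Rayne - PC"
add bridge=bridge comment=defconf interface="6 - Schwartz - PC"
add bridge=bridge comment=defconf interface="7 - Bedroom - Roku 3"
add bridge=bridge comment=defconf interface="8 - Insteon Hub - HA"
add bridge=bridge comment=defconf interface="9 - Bloomsky Storm - HA"
add bridge=bridge comment=defconf interface="20 - Unused"
add bridge=bridge comment=defconf interface="21 - Unused"
add bridge=bridge comment=defconf interface="22 - LivingRoom - Switch"
add bridge=bridge comment=defconf interface="23 - Understairs - Switch"
add bridge=bridge comment=defconf interface="24 - ErinOffice - Switch"
add bridge=bridge comment=defconf disabled=yes interface="WAN - SFP1"
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="1 - Portal - AP"
/interface list member
add comment=defconf interface=bridge list=LAN
add interface="WAN - SFP1" list=WAN
/ip address
add address=10.54.25.1/24 interface=bridge network=10.54.25.0
# WAN address comes from the ISP via DHCP.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
"WAN - SFP1"
/ip dhcp-server lease
add address=10.54.25.2 comment=Portal mac-address=00:78:CD:00:21:F4
# ... (the poster elided the remaining static leases here) ...
# DNS handed to clients: the router first, then two public resolvers.
# NOTE(review): 4.4.4.4 is not a commonly published public resolver - check
# whether a different secondary (e.g. Google's 8.8.4.4) was intended; the
# same value appears in /ip dns below.
/ip dhcp-server network
add address=10.54.25.0/24 comment=defconf dns-server=\
10.54.25.1,8.8.8.8,4.4.4.4 domain=hidden.local gateway=10.54.25.1 \
netmask=24
# allow-remote-requests=yes makes the router answer DNS for anyone who can
# reach it; the explicit port-53 drops on the WAN interface and the final
# input drop in the filter chain keep it from being an open resolver.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=10.54.25.1 name=router.lan
# Bogon / non-routable list used by the forward-chain drop rules.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
# Filter rules are evaluated top to bottom; the first match wins. Keep that
# in mind when reading the notes below.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP Limited MH Works" \
dst-limit=20,20,dst-address/1m40s limit=20,20:packet protocol=icmp
# Everything from the LAN subnet to the router itself is accepted here, so
# every later input "accept" rule only matters for non-LAN sources.
add action=accept chain=input comment="Allow LAN to Router MH Works" \
src-address=10.54.25.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Accepts all port-forwarded traffic BEFORE the "undesired TCP/UDP" and bogon
# drops below, so forwarded ports are never checked against those lists. Fine
# for the ports forwarded in this export (443, 8000, 3000, 3389), but any
# future forward of 135-139/445/1434/4444 would silently bypass the drops.
add action=accept chain=forward comment="Allow all Port Forwards MH" \
connection-nat-state=dstnat
# RISK: WinBox (tcp/8291) is accepted from ANY interface. Since the LAN is
# already accepted above, the only effect of this rule is to expose the
# management port to the WAN. Recommended: `disabled=yes` here (matching the
# SSH rule below) and reach WinBox over a VPN, or at minimum restrict it with
# src-address-list to known remote addresses.
add action=accept chain=input comment="Allow WinBox Remote Access MH Works" \
dst-port=8291 protocol=tcp
# SSH remote access is disabled; /ip service moves SSH to port 222 below.
add action=accept chain=input comment="Allow SSH Remote Access MH Works" \
disabled=yes dst-port=222 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop undesired TCP MH" dst-port=\
135-139,445,1434,4444 protocol=tcp
add action=drop chain=forward comment="drop undesired UDP MH" dst-port=\
135-139,445,1434,4444 protocol=udp
add action=drop chain=forward comment="Drop Bogons" dst-address-list=\
NotPublic src-address-list=NotPublic
# Explicit DNS drops on the WAN port. Redundant with the final "drop all not
# coming from LAN" rule, but harmless and makes the intent visible. These
# match the interface by name while other rules use the WAN list - consider
# in-interface-list=WAN for consistency.
add action=drop chain=input dst-port=53 in-interface="WAN - SFP1" protocol=\
udp
add action=drop chain=input dst-port=53 in-interface="WAN - SFP1" protocol=\
tcp
add action=drop chain=forward comment="Drop all packets from public internet w\
hich should not exist in public network MH" in-interface="WAN - SFP1" \
src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to \
internet which should not exist in public network MH" dst-address-list=\
NotPublic in-interface=bridge
# Final input rule: anything not from the LAN list is dropped. There is no
# equivalent final drop in the forward chain, so new LAN-to-WAN connections
# are allowed by default (normal for a home gateway).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Port forwards. 443 -> .66 (LetsEncrypt) is restricted to the WAN list; the
# 8000 and 3000 rules match on dst-address-type=local instead so they also
# work from inside (hairpin), with the matching srcnat rules further down.
add action=dst-nat chain=dstnat comment=\
"Manually Entered - 10.54.25.66 SSL for LetsEncrypt" dst-port=443 \
in-interface-list=WAN protocol=tcp to-addresses=10.54.25.66
add action=dst-nat chain=dstnat comment=\
"Manually Entered - 10.54.25.8 Vid Cams" dst-address=!10.54.25.1 \
dst-address-type=local dst-port=8000 log=yes protocol=tcp to-addresses=\
10.54.25.8 to-ports=8000
add action=dst-nat chain=dstnat comment=\
"Manually Entered - 10.54.25.66 Grafana" dst-address=!10.54.25.1 \
dst-address-type=local dst-port=3000 protocol=tcp to-addresses=\
10.54.25.66 to-ports=3000
# RISK: RDP (tcp/3389) on 10.54.25.3 is exposed directly to the internet.
# RDP is a frequent brute-force and exploitation target; prefer a VPN into
# the LAN and `disabled=yes` on this rule, or at least a src-address-list of
# the remote addresses that legitimately need it.
add action=dst-nat chain=dstnat comment=\
"Manually Entered - 10.54.25.3 Mike RDP" dst-port=3389 in-interface-list=\
WAN protocol=tcp to-addresses=10.54.25.3 to-ports=3389
add action=masquerade chain=srcnat comment="Hairpin for Cams" dst-address=\
10.54.25.8 dst-port=8000 out-interface-list=LAN protocol=tcp src-address=\
10.54.25.0/24
add action=masquerade chain=srcnat comment="Hairpin for Grafana" dst-address=\
10.54.25.66 dst-port=3000 out-interface-list=LAN protocol=tcp \
src-address=10.54.25.0/24
# NOTE(review): no PPP interfaces appear in this export, so this rule looks
# like a leftover; remove it if nothing uses PPP.
add action=masquerade chain=srcnat out-interface=all-ppp
# Management services: telnet/ftp/www/api/api-ssl off, SSH moved to 222.
# winbox and www-ssl are not set here, so they keep their defaults.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# UPnP is enabled with the WAN as the external side, which lets any LAN host
# (cameras, hubs, Rokus included) open inbound port forwards on its own.
# Disable it unless something specific needs it, and review what it has
# already opened (/ip firewall nat dynamic entries).
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface="WAN - SFP1" type=external
/lcd
set backlight-timeout=30s color-scheme=light
# The LCD PIN is stored in clear text in the export and was posted publicly;
# change it.
/lcd pin
set pin-number=9252
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=America/Denver
/system identity
set name=BlackWidow
# NTP by literal IP; these servers may change over time - verify they still
# respond, or use hostnames if this RouterOS version supports them.
/system ntp client
set enabled=yes primary-ntp=204.2.134.164 secondary-ntp=45.76.244.193
/system routerboard settings
set silent-boot=yes
# Good hardening: bandwidth-test server off, MAC-telnet/MAC-WinBox/MAC-ping
# allowed on no interface.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no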