export hide-sensitive
# dec/19/2020 22:43:02 by RouterOS 6.45.9
# software id =
#
# model = RB4011iGS+
# --- Layer 2 and uplink ---
# Three independent bridges: "bridge" (main LAN, ether2-8 + SFP+) and one bridge per access point
# (bridge-ap9, bridge-ap10). Each bridge gets its own /24 in /ip address, so traffic between them is routed.
/interface bridge
# protocol-mode=none switches (R)STP off on the main bridge; the AP bridges keep the default.
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge protocol-mode=none
add comment="bridge access point 9 - upstairs" name=bridge-ap9
add name=bridge-ap10
/interface vlan
# ISP uplink: tagged VLAN 10 on ether1. ether1 itself is kept out of every bridge (see /interface bridge port).
add comment="eth1 not part of the bridge" interface=ether1 loop-protect=on name=vlan-isp vlan-id=10
/interface pppoe-client
# PPPoE over vlan-isp supplies the default route and the ISP resolvers (use-peer-dns=yes, merged with
# the static servers in /ip dns). user= and the password are blanked by "export hide-sensitive".
add add-default-route=yes comment=isp disabled=no interface=vlan-isp keepalive-timeout=disabled name=pppoe-isp use-peer-dns=yes user=
/interface ethernet switch port
# default-vlan-id=0 on every switch-chip port: no port-based VLAN assignment is configured in the switch chip.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# Membership is assigned in /interface list member. The LAN list is the trust boundary: input rule 5
# ("drop all not coming from LAN") keys on it, so only interfaces listed as LAN may reach the router itself.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Untouched default profile; this export shows no wireless interfaces.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Only dhcp, pool-ap9 and pool-ap10 are bound to a DHCP server below. default-dhcp, vpn and ipsec are
# not referenced anywhere in this export (no /ppp or /ip ipsec sections) — leftovers or future use; confirm.
add name=dhcp ranges=192.168.0.10-192.168.0.199
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.253
add name=ipsec ranges=192.168.30.2-192.168.30.253
add name=pool-ap9 ranges=192.168.1.200-192.168.1.253
add name=pool-ap10 ranges=192.168.2.200-192.168.2.253
/ip dhcp-server
# One DHCP server per bridge; lease/network options are in /ip dhcp-server lease and network below.
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-ap9 disabled=no interface=bridge-ap9 name=dhcp-ap9
add address-pool=pool-ap10 disabled=no interface=bridge-ap10 name=dhcp-ap10
# --- Traffic shaping ---
# Queue trees classify by the packet marks set in /ip firewall mangle; every packet-mark= here must
# match a new-packet-mark= there. Fasttrack is disabled in the filter chain (rule 10) because
# fasttracked connections bypass mangle and queues.
/queue tree
# Download side, one parent per AP bridge (traffic leaving the router towards the AP).
add max-limit=450M name=AP9 parent=bridge-ap9
add bucket-size=0.01 max-limit=450M name=AP10 parent=bridge-ap10
# DNS answers to AP10 clients get top priority; AP9 has no equivalent child queue.
add name=DNS-AP10 packet-mark=dns-ap10 parent=AP10 priority=1
/queue type
# Default queue type (index 0) switched to sfq. redCustom is defined but no queue in this export uses it.
set 0 kind=sfq
add kind=red name=redCustom red-avg-packet=1514
/queue tree
# Upload side on the PPPoE interface. Lower priority value = served first (1 = DNS ... 7 = unmarked).
add max-limit=450M name=iNetEgress parent=pppoe-isp queue=default
add name=DNS packet-mark=dns parent=iNetEgress priority=1 queue=default
add name="TCP SYN,ACK" packet-mark=tcp-syn-ack parent=iNetEgress priority=2 queue=default
add name=VoIP packet-mark=voip parent=iNetEgress priority=3 queue=default
add name="Google Hangouts" packet-mark=gvc parent=iNetEgress priority=4 queue=default
# "interactive" is the packet mark the mangle rules assign to SSH connections.
add name=Interactive packet-mark=interactive parent=iNetEgress priority=5 queue=default
add name="HTTP, HTTPS" packet-mark=http-https parent=iNetEgress priority=6 queue=pcq-upload-default
add name=Default packet-mark=no-mark parent=iNetEgress priority=7 queue=pcq-upload-default
# Unmarked AP10 download is capped at 440M, just under the 450M parent, leaving headroom for marked classes.
add bucket-size=0.01 max-limit=440M name=no-mark packet-mark=no-mark parent=AP10 queue=pcq-download-default
add name=no-mark-ap9 packet-mark=no-mark parent=AP9 queue=pcq-download-default
add name="TCP SYN,ACK-AP10" packet-mark=tcp-syn-ack-ap10 parent=AP10 priority=2 queue=default
add name="HTTP, HTTPS-AP10" packet-mark=http-https-ap10 parent=AP10 priority=6 queue=pcq-upload-default
# Not queued anywhere: the p2p connection mark (btsync rules) never becomes a packet mark, and the
# icmp packet mark set in mangle has no queue — both are dead classification.
/interface bridge port
# ether2-8 and sfp-sfpplus1 -> main bridge; ether9 -> bridge-ap9; ether10 -> bridge-ap10.
# ether1 is intentionally absent: it carries vlan-isp only.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge-ap9 comment=defconf interface=ether9
add bridge=bridge-ap10 comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface bridge settings
# use-ip-firewall=yes also sends frames switched between ports of the same bridge through /ip firewall
# (filter, mangle and — NOTE(review) — possibly nat; verify the masquerade rule below does not rewrite
# same-segment traffic). allow-fast-path=no turns off the fast-path shortcut. Both cost CPU; presumably
# intentional so the queue trees see all traffic.
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
/ip neighbor discovery-settings
# Neighbor discovery only on LAN-list interfaces: nothing about the router is announced on the WAN side.
set discover-interface-list=LAN
/interface list member
# ether1 and pppoe-isp are WAN; all three bridges are LAN. Forward rule 13 keys on the WAN list and
# input rule 5 on the LAN list, so any interface added later must be placed in the right list here.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-isp list=WAN
add interface=bridge-ap9 list=LAN
add interface=bridge-ap10 list=LAN
/ip address
# defconf 192.168.88.1/24 is kept but disabled. Live segments: 192.168.0.0/24 (bridge),
# 192.168.1.0/24 (bridge-ap9), 192.168.2.0/24 (bridge-ap10); the router is .2 on each.
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether2 network=192.168.88.0
add address=192.168.0.2/24 comment=lan interface=bridge network=192.168.0.0
add address=192.168.1.2/24 comment=ap9 interface=bridge-ap9 network=192.168.1.0
add address=192.168.2.2/24 comment=ap10 interface=bridge-ap10 network=192.168.2.0
/ip dhcp-client
# defconf DHCP client on ether1 is still enabled although the uplink is PPPoE over vlan-isp.
# NOTE(review): if the ISP port ever answers DHCP this would install a second address/default route
# on the untagged side of ether1; disable it if it is not needed.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
# Static leases; MAC addresses and client-ids are blanked by "export hide-sensitive".
# address-lists=WF puts 192.168.2.253 and 192.168.1.207 into an address list "WF" while the lease is
# active. WF is not referenced by any firewall rule in this export. These two hosts are also the
# sinkhole targets of the /ip dns static regexp entries below.
add address=192.168.0.10 mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.2.253 address-lists=WF client-id= comment="x" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-ap10
add address=192.168.2.230 client-id=x mac-address= server=dhcp-ap10
add address=192.168.1.211 client-id=x mac-address= server=dhcp-ap9
add address=192.168.2.209 client-id=x mac-address= server=dhcp-ap10
add address=192.168.1.207 address-lists=WF client-id= mac-address= server=dhcp-ap9
/ip dhcp-server network
# All segments are told to use 192.168.0.2 (the router's main-LAN address) as DNS, so the static
# DNS sinkholes apply to every segment.
# NOTE(review): the main-LAN network hands out netmask=16 while the interface is /24 and the AP
# networks use netmask=24. Clients on the main LAN will treat 192.168.1.x and 192.168.2.x as on-link
# and ARP for them instead of routing via 192.168.0.2 — looks like a typo for 24; confirm before changing.
add address=192.168.0.0/24 comment="default configuration" dns-server=192.168.0.2 gateway=192.168.0.2 netmask=16
add address=192.168.1.0/24 comment=ap-9 dns-server=192.168.0.2 gateway=192.168.1.2 netmask=24
# Per-host entry for the 192.168.1.211 lease; its options are identical to the ap-9 network, so it is redundant.
add address=192.168.1.211/32 comment="" dns-server=192.168.0.2 gateway=192.168.1.2
add address=192.168.2.0/24 comment=ap-10 dns-server=192.168.0.2 gateway=192.168.2.2 netmask=24
/ip dns
# The router is the resolver for all LAN segments (allow-remote-requests=yes). Upstreams are 1.1.1.1 and
# 8.8.8.8 plus whatever the ISP pushes over PPPoE (use-peer-dns=yes). Nothing here limits who may query;
# WAN exposure of the resolver is prevented only by input rule 5 ("drop all not coming from LAN").
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
# Convenience records for public resolvers (Google1/2, OpenDNS1/2, Quad9, cloudflair) and the router itself.
add address=192.168.88.1 comment=defconf name=router.lan
add address=8.8.8.8 comment=Google1 name=Google1
add address=8.8.4.4 comment=Google2 name=Google2
add address=192.168.0.2 name=router
add address=208.67.222.222 comment=OpenDNS1 name=OpenDNS1
add address=208.67.220.220 name=OpenDNS2
add address=9.9.9.9 comment="Quad9 DNS" name=Quad9
add address=1.1.1.1 comment="Cloud Flair DNS server" name=cloudflair
# Ad/tracker sinkhole: names matching these regexps resolve to the LAN hosts 192.168.1.207 or
# 192.168.2.253 (the WF leases) with a 1m TTL, so those hosts must be up to absorb the connections.
# regexp= is a regular expression, not a glob, and is unanchored: "taboola*" means "tabool" followed by
# zero or more "a", so it matches any name containing "tabool". The patterns work as intended but are
# broader than they look; anchoring (e.g. ".*taboola.*") would make the intent explicit.
add address=192.168.1.207 regexp=googlesyndication* ttl=1m
add address=192.168.1.207 comment=double-click.net regexp=doubleclick* ttl=1m
add address=192.168.2.253 regexp=securepubads* ttl=1m
# The export escapes the literal "-" in this pattern; it reads as amazon-adsystem*.
add address=192.168.2.253 regexp="amazon\\\\-adsystem*" ttl=1m
add address=192.168.2.253 regexp=moatads* ttl=1m
add address=192.168.2.253 regexp=responsiveads* ttl=1m
add address=192.168.2.253 regexp=buysellads* ttl=1m
add address=192.168.2.253 regexp=taboola* ttl=1m
add address=192.168.2.253 regexp=outbrain* ttl=1m
# outbrainimg* is already covered by the preceding outbrain* entry.
add address=192.168.2.253 regexp=outbrainimg* ttl=1m
add address=192.168.1.207 regexp=gravytrain5* ttl=1m
# Two disabled 127.0.0.1 sinkholes (loopback answer instead of a LAN host).
add address=127.0.0.1 disabled=yes name=gravytrain5.live
add address=127.0.0.1 disabled=yes regexp=facebook*
/ip firewall address-list
# The per-segment lists mirror the DHCP pool ranges exactly, so a host with a manually assigned
# address outside its pool is NOT matched by the addr-list-ap10 mangle rules and lands in the
# unmarked queue. addr-list-local is the whole 192.168.0.0/16 (used as "anything internal").
add address=192.168.1.200-192.168.1.253 list=addr-list-ap9
add address=192.168.0.10-192.168.0.199 list=addr-list-lan
add address=192.168.2.200-192.168.2.253 list=addr-list-ap10
add address=192.168.0.0/16 list=addr-list-local
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# Rule 5 is the actual perimeter: anything not arriving on a LAN-list interface is dropped.
# Rule 3 (ICMP accept) is disabled, so ICMP to the router is handled like everything else:
# dropped from WAN by rule 5, and from LAN it falls through to the chain default (accept in RouterOS).
# There is no final drop in input, so every LAN-originated packet not matched by 1-7 is accepted —
# all /ip services (www, api, ssh, winbox, ...) are reachable from all three segments.
# log=yes on rules 2, 5, 12 and 13 logs every dropped packet; on a public PPPoE address the background
# scan noise can crowd out useful log entries — consider a rate limit or a dedicated log-prefix.
add action=accept chain=input comment="1: defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="2: defconf: drop invalid" connection-state=invalid log=yes
add action=accept chain=input comment="3: defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="4: defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="5: defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
# Rules 6-7 only match sources outside 192.168.0.0/16. Since rule 5 already dropped all non-LAN input,
# they can only fire on LAN-side packets carrying a foreign source address (spoofing) — a reasonable
# check, but the port list makes it narrower than needed; a spoofed source to any port is the concern.
add action=drop chain=input comment="6: protection - 139 and 445 : SMB" dst-port=21-23,53,80,443,2000,6129,137-139,445,8291 log=yes log-prefix="firewall drop" protocol=tcp src-address-list=\
!addr-list-local
add action=drop chain=input comment="7: protection" dst-port=53,137-138 log=yes log-prefix="firewall drop" protocol=udp src-address-list=!addr-list-local
# --- forward chain: traffic through the router ---
add action=accept chain=forward comment="8: defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="9: defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Rule 10 is disabled on purpose: fasttracked connections skip mangle and the queue trees.
add action=fasttrack-connection chain=forward comment="10: defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="11: defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="12: defconf: drop invalid" connection-state=invalid log=yes
# Rule 13 blocks new inbound connections from WAN unless DST-NATed; there are no dst-nat rules, so
# nothing inbound is allowed. Nothing restricts forwarding between bridge, bridge-ap9 and bridge-ap10:
# the three segments reach each other freely. Add forward drops between them if they should be isolated.
add action=drop chain=forward comment="13: defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes
/ip firewall mangle
# Classification for the queue trees. Pattern throughout: mark the connection on its first packet
# (connection-state=new, passthrough=no), then mark each packet from the connection mark.
# MSS clamping is disabled.
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=pppoe-isp passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
# DNS: output chain covers queries the router itself sends upstream, forward chain covers forwarded
# client queries; both get the same "dns" mark. The AP10-specific "dns-ap10" mark is set in postrouting.
add action=mark-connection chain=output comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-isp passthrough=no protocol=udp
add action=mark-connection chain=postrouting comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns-ap10 passthrough=no protocol=udp src-address-list=addr-list-ap10
add action=mark-connection chain=output comment=" DNS, TCP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-isp passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-isp passthrough=no protocol=udp
# Exact duplicate of the postrouting dns-ap10 rule three lines up; with passthrough=no on the first
# copy this one can never match and can be removed.
add action=mark-connection chain=postrouting comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns-ap10 passthrough=no protocol=udp src-address-list=addr-list-ap10
add action=mark-connection chain=forward comment="DNS, TCP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-isp passthrough=no protocol=tcp
# Voice/video: classified by DSCP value set by the endpoints (46 = EF, 40) and by the Hangouts port ranges.
add action=mark-connection chain=forward comment="Generic Voice Traffic, DSCP EF 46" connection-state=new dscp=46 new-connection-mark=voip out-interface=pppoe-isp passthrough=no
add action=mark-connection chain=forward comment="Google Hangouts Audio/Video, DSCP 40" connection-state=new dscp=40 new-connection-mark=gvc out-interface=pppoe-isp passthrough=no
add action=mark-connection chain=forward comment="Google Hangouts, UDP DstPort" connection-state=new dst-port=19302-19309 new-connection-mark=gvc out-interface=pppoe-isp passthrough=no protocol=udp
add action=mark-connection chain=forward comment="Google Hangouts, TCP DstPort" connection-state=new dst-port=19305-19309 new-connection-mark=gvc out-interface=pppoe-isp passthrough=no protocol=tcp
add action=mark-connection chain=forward comment=SSH connection-state=new dst-port=22 new-connection-mark=ssh out-interface=pppoe-isp passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="HTTP, HTTPS" connection-state=new dst-port=80,443 new-connection-mark=http-https out-interface=pppoe-isp passthrough=no protocol=tcp
# AP10 web traffic is re-marked in postrouting (a different chain, so the forward rule's passthrough=no
# does not stop it); this is what the "HTTP, HTTPS-AP10" download queue keys on.
add action=mark-connection chain=postrouting comment="HTTP, HTTPS" connection-mark=http-https connection-state=new dst-port=80,443 new-connection-mark=http-https-ap10 passthrough=no protocol=tcp \
src-address-list=addr-list-ap10
# p2p connection mark is set but no mark-packet rule and no queue use it (dead classification).
add action=mark-connection chain=forward comment="btsync targeted TCP traffic" connection-state=new new-connection-mark=p2p out-interface=pppoe-isp passthrough=no port=4242 protocol=tcp
add action=mark-connection chain=forward comment="btsync targeted UDP traffic" connection-state=new new-connection-mark=p2p out-interface=pppoe-isp passthrough=no port=4242 protocol=udp
# --- packet marks derived from the connection marks above ---
add action=mark-packet chain=postrouting comment=DNS connection-mark=dns new-packet-mark=dns out-interface=pppoe-isp passthrough=no
add action=mark-packet chain=postrouting comment=DNS connection-mark=dns-ap10 dst-address-list=addr-list-ap10 new-packet-mark=dns-ap10 passthrough=no
# SYN and small ACK packets (0-123 bytes) are marked per packet, independent of connection marks,
# so TCP handshakes and pure acknowledgements get priority 2 in both directions.
add action=mark-packet chain=forward comment="TCP SYN" new-packet-mark=tcp-syn-ack out-interface=pppoe-isp passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=forward comment="TCP SYN" new-packet-mark=tcp-syn-ack-ap10 out-interface=bridge-ap10 passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=forward comment="TCP ACK" new-packet-mark=tcp-syn-ack out-interface=pppoe-isp packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment="TCP ACK" new-packet-mark=tcp-syn-ack-ap10 out-interface=bridge-ap10 packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment=VoIP connection-mark=voip new-packet-mark=voip out-interface=pppoe-isp passthrough=no
add action=mark-packet chain=forward comment="Google Hangouts" connection-mark=gvc new-packet-mark=gvc out-interface=pppoe-isp passthrough=no
# SSH connections become the "interactive" packet mark used by the Interactive upload queue.
add action=mark-packet chain=forward comment=SSH connection-mark=ssh new-packet-mark=interactive out-interface=pppoe-isp passthrough=no
add action=mark-packet chain=forward comment="HTTP, HTTPS" connection-mark=http-https new-packet-mark=http-https out-interface=pppoe-isp passthrough=no
add action=mark-packet chain=postrouting comment="HTTP, HTTPS" connection-mark=http-https-ap10 new-packet-mark=http-https-ap10 out-interface=bridge-ap10 passthrough=no
# ICMP marking is inconsistent: the prerouting rule sets connection mark "icmp-ap10", but the packet
# rules look for "icmp", which is only set in postrouting. The resulting "icmp" packet mark is not
# used by any queue, so these four rules are leftovers; presumably safe to remove — confirm.
add action=mark-connection chain=prerouting comment=ICMP connection-state=new new-connection-mark=icmp-ap10 passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp new-packet-mark=icmp passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=icmp passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=icmp new-packet-mark=icmp passthrough=no
/ip firewall nat
# Masquerade keys only on the source range, with no out-interface. It therefore also rewrites traffic
# routed between the three LAN segments: a flow from bridge-ap10 to the main LAN arrives with the
# router's own address on that bridge as its source. That hides the real client from hosts and logs
# on the other segment and defeats any per-client filtering there. The disabled defconf rule's comment
# records the author's concern. Adding out-interface=pppoe-isp to this rule is the usual fix if
# inter-segment NAT is not wanted; it is also more conservative than the disabled out-interface-list=WAN form.
add action=masquerade chain=srcnat src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="defconf: masquerade - wrong also need nat between interfaces" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip service
# telnet and ftp are off. www, ssh, api, winbox and api-ssl are bound to "192.168.0.0/16,0.0.0.0/0":
# the 0.0.0.0/0 entry matches every address, so the 192.168.0.0/16 restriction has no effect and these
# services depend entirely on input rule 5 for protection from the WAN. Dropping 0.0.0.0/0 restores the
# second layer. Plain-text www and api stay enabled next to www-ssl (certificate RB4011) and api-ssl;
# disable the plain variants if nothing on the LAN needs them.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16,0.0.0.0/0
set ssh address=192.168.0.0/16,0.0.0.0/0
set www-ssl certificate=RB4011 disabled=no
set api address=192.168.0.0/16,0.0.0.0/0
set winbox address=192.168.0.0/16,0.0.0.0/0
set api-ssl address=192.168.0.0/16,0.0.0.0/0
/system clock
set time-zone-autodetect=no time-zone-name=Pacific/Auckland
/system ntp client
# Two hard-coded NTP addresses. If both become unreachable the clock drifts, which shifts every
# scheduler start-time below and affects TLS certificate validity checks for www-ssl/api-ssl.
set enabled=yes primary-ntp=196.10.54.57 secondary-ntp=196.26.5.10
/system package update
set channel=long-term
/system scheduler
# Every scheduler and script below carries the full policy set (ftp, reboot, read, write, policy,
# test, password, sniff, sensitive, romon). A daily reboot needs only "reboot"; the PPPoE
# enable/disable scripts need "read,write". "policy", "password", "sensitive" and "sniff" let a
# scheduled job change user rights, read secrets or start /tool sniffer — trim policy= to what each
# on-event actually does.
# The comment says 4AM but start-time is 06:00:00; the comment is stale.
add comment="Reboot at 4AM every day" interval=1d name="schedule reboot" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/10/2019 \
start-time=06:00:00
# D0-D9 and "PPPoE Enable" (all disabled) implement a night-time internet cut-off: repeated disable
# runs between 00:30 and 05:30, re-enable at 06:10. If any D* is ever enabled, "PPPoE Enable" must be
# enabled too, or the uplink stays disabled (the interface state is persisted configuration).
add disabled=yes interval=1d name=D0 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/10/2019 start-time=00:30:00
add disabled=yes interval=1d name=D1 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/10/2019 start-time=01:00:00
add disabled=yes interval=1d name="PPPoE Enable" on-event="/system script run EnablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/10/2019 start-time=\
06:10:00
add disabled=yes interval=1d name=D2 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=02:00:00
add disabled=yes interval=1d name=D3 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=02:30:00
add disabled=yes interval=1d name=D4 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=03:00:00
add disabled=yes interval=1d name=D5 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=03:30:00
add disabled=yes interval=1d name=D6 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=04:00:00
add disabled=yes interval=1d name=D7 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=04:30:00
add disabled=yes interval=1d name=D8 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=05:00:00
add disabled=yes interval=1d name=D9 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=05:30:00
/system script
# Both scripts are one-liners that toggle the pppoe-isp interface; dont-require-permissions=no means
# the caller must hold the script's policies, which again argues for a minimal policy= here.
add comment="Enable the Internet" dont-require-permissions=no name=EnablePPPoE owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"interface pppoe-client enable pppoe-isp"
add comment="Disable the Internet" dont-require-permissions=no name=DisablePPPoE owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"interface pppoe-client disable pppoe-isp"
/tool graphing interface
# Traffic graphs for the uplink and for CPU/memory/disk; served by the www/www-ssl service.
add interface=pppoe-isp
/tool graphing resource
add
/tool mac-server
# MAC-telnet and MAC-winbox answer only on LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Pre-configured packet capture of the whole WAN link: writes dup.pcap (capped at 50000KiB) and streams
# every captured packet to 192.168.2.253 (TZSP). The export does not show whether it is running, but any
# account or scheduled script holding the "sniff" policy — which all the schedulers above have — can start
# it and mirror the uplink to that host. Clear streaming-server= when not actively troubleshooting.
set file-limit=50000KiB file-name=dup.pcap filter-interface=pppoe-isp streaming-server=192.168.2.253