checking with https://www.yougetsignal.com/tools/open-ports/
Code: Select all
# jan/19/2021 17:21:30 by RouterOS 6.48
# software id = KHGZ-XSDL
#
# model = RB4011iGS+
# serial number = D4440C8F743A
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether2 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full comment=Mamad
set [ find default-name=ether3 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full comment=Parents
set [ find default-name=ether4 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full comment=Games
set [ find default-name=ether6 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full comment="Living room"
set [ find default-name=ether7 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full comment=Kids
set [ find default-name=ether8 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full comment=Wifi
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus1 name=pppoe-out1 \
user=noamaa11@054
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip arp
add address=192.168.1.12 comment=AngelPC interface=bridge1 mac-address=\
54:B2:03:93:81:DD
add address=192.168.1.13 comment=NanoHD interface=bridge1 mac-address=\
74:AC:B9:5D:7E:D4
add address=192.168.1.16 comment=Xbox interface=bridge1 mac-address=\
2C:54:91:FA:69:53
add address=192.168.1.15 comment="Noam Phone" interface=bridge1 mac-address=\
A8:9C:ED:8A:EC:FC
add address=192.168.1.17 comment="Sima Phone" interface=bridge1 mac-address=\
A8:9C:ED:C9:A3:C6
add address=192.168.1.10 comment=TV interface=bridge1 mac-address=\
B8:BC:5B:43:66:F4
add address=192.168.1.14 comment="Vacuum cleaner" interface=bridge1 \
mac-address=64:90:C1:1B:5F:BB
add address=192.168.1.11 comment="Xiaomi box s" interface=bridge1 \
mac-address=00:0E:C6:A5:EB:AC
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=192.168.1.12 client-id=1:54:b2:3:93:81:dd mac-address=\
54:B2:03:93:81:DD server=dhcp
add address=192.168.1.13 client-id=1:74:ac:b9:5d:7e:d4 mac-address=\
74:AC:B9:5D:7E:D4 server=dhcp
add address=192.168.1.14 client-id=1:64:90:c1:1b:5f:bb mac-address=\
64:90:C1:1B:5F:BB server=dhcp
add address=192.168.1.11 client-id=1:0:e:c6:a5:eb:ac mac-address=\
00:0E:C6:A5:EB:AC server=dhcp
add address=192.168.1.16 client-id=1:2c:54:91:fa:69:53 mac-address=\
2C:54:91:FA:69:53 server=dhcp
add address=192.168.1.15 client-id=1:a8:9c:ed:8a:ec:fc mac-address=\
A8:9C:ED:8A:EC:FC server=dhcp
add address=192.168.1.17 client-id=1:a8:9c:ed:c9:a3:c6 mac-address=\
A8:9C:ED:C9:A3:C6 server=dhcp
add address=192.168.1.10 client-id=1:b8:bc:5b:43:66:f4 mac-address=\
B8:BC:5B:43:66:F4 server=dhcp
/ip dhcp-server network
add address=192.168.1.0/24 domain=angel gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes
/ip dns static
add address=192.168.1.13 name=nanohd.angel
add address=192.168.1.12 name=angel_pc.angel
add address=192.168.1.15 name=noam_phone.angel
add address=104.16.248.249 disabled=yes name=cloudflare-dns.com
add address=104.16.249.249 disabled=yes name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.1.10-192.168.1.40 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input log=yes
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
out-interface=!bridge1
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface-list=\
WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=BDS in-interface-list=WAN log=yes \
protocol=udp to-addresses=192.168.1.12 to-ports=19132
add action=dst-nat chain=dstnat comment=BDS in-interface-list=WAN log=yes \
protocol=tcp to-addresses=192.168.1.12 to-ports=19132
add action=dst-nat chain=dstnat comment=Xbox dst-port=3074 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.1.16 to-ports=3074
add action=dst-nat chain=dstnat comment=Xbox dst-port=3074 in-interface-list=\
WAN protocol=udp to-addresses=192.168.1.16 to-ports=3074
add action=dst-nat chain=dstnat comment=Xbox dst-port=53 in-interface-list=\
WAN protocol=udp to-addresses=192.168.1.16 to-ports=3074
add action=dst-nat chain=dstnat comment=Xbox dst-port=4500 in-interface-list=\
WAN protocol=udp to-addresses=192.168.1.16 to-ports=3074
add action=dst-nat chain=dstnat comment=Xbox dst-port=3544 in-interface-list=\
WAN protocol=udp to-addresses=192.168.1.16 to-ports=3074
add action=dst-nat chain=dstnat comment=Xbox dst-port=500 in-interface-list=\
WAN protocol=udp to-addresses=192.168.1.16 to-ports=3074
add action=dst-nat chain=dstnat comment=Xbox dst-port=88 in-interface-list=\
WAN protocol=udp to-addresses=192.168.1.16 to-ports=3074
add action=dst-nat chain=dstnat comment=Xbox dst-port=53 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.1.16 to-ports=3074
add action=dst-nat chain=dstnat comment=Xbox dst-port=80 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.1.16 to-ports=3074
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.1.1 dst-address-type=\
local dst-port=19132 protocol=tcp to-addresses=192.168.1.12
add action=dst-nat chain=dstnat dst-address=!192.168.1.1 dst-address-type=\
local dst-port=19132 protocol=udp to-addresses=192.168.1.12
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22123
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip smb
set allow-guests=no interfaces=bridge1
/ip smb shares
set [ find default=yes ] disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Jerusalem
/system ntp client
set enabled=yes server-dns-names=time.cloudflare.com
/system scheduler
add interval=1w name="Package upgrade" on-event=\
"system package update install" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=sep/18/2018 start-time=00:00:00
add interval=1w name="Routerboard Upgrade" on-event=":global Var1\r\
\n:global Var2\r\
\n:set Var1 \"\$[/system package get system version]\"\r\
\n:set Var2 \"\$[/system routerboard get current-firmware]\"\r\
\n:if (\$Var1>\$Var2) do={/system routerboard upgrade;\r\
\n/system reboot;\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=sep/18/2018 start-time=01:00:00
/tool bandwidth-server
set allocate-udp-ports-from=5000 authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-port=19132