# oct/15/2022 16:21:08 by RouterOS 7.5
# model = RB4011iGS+
# Layer-2 segments. Addresses are assigned later under /ip address:
#   88bridge            -> 192.168.88.0/24   (home / Converge side)
#   172bridge           -> 172.16.0.0/23     (new LAN, DHCP server for it is disabled)
#   178bridge           -> 192.168.178.0/24  (PLDT side)
#   sapnetwork_bridge   -> 192.168.0.0/24    (server network)
/interface bridge
add admin-mac=08:55:31:40:3D:0C auto-mac=no comment="defconf Converge" name=\
88bridge
add comment="defconf New Lan" name=172bridge
add comment=":defconf PLDT" name=178bridge
add comment="defconf Server Network" name=sapnetwork_bridge
/interface ethernet
# ether1 is the Converge uplink (DHCP client below). ether2 only carries the
# PLDTEnterprise PPPoE session (see /interface pppoe-client), so ARP is turned
# off on the raw port. sfp-sfpplus1 is administratively down.
set [ find default-name=ether1 ] name=ether1-ConvergeBiz
set [ find default-name=ether2 ] arp=disabled
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# Second WAN: PPPoE over ether2, dial-on-demand with a 30 s keepalive.
# The PPPoE password is not present in this export (secrets are omitted unless
# exported with show-sensitive); do not assume it is blank.
/interface pppoe-client
add allow=chap,mschap1,mschap2 dial-on-demand=yes disabled=no interface=\
ether2 keepalive-timeout=30 name=PLDTEnterprise user=IMAXS213
# WireGuard endpoint. listen-port 51820 must match the input accept rule in
# /ip firewall filter. The router's own tunnel address is set under /ip address
# (192.168.100.1/24); peers are under /interface wireguard peers.
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
# Interface lists drive the firewall (in-interface-list=WAN / !LAN). Membership
# is defined under /interface list member. The WIFI list has no members in this
# export.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=WIFI name=WIFI
# Default LTE APN and wireless security profile left at defaults; the RB4011iGS+
# model header suggests neither an LTE modem nor a radio is fitted, so these are
# likely unused -- confirm.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP servers. lease-time=52w1d is roughly one year; with add-arp=yes the
# matching ARP entries are kept for the life of the lease, so stale or rogue
# hosts remain "known" for a long time. None of these three servers names an
# address-pool, and the home-dhcp / enterprise-dhcp pools below are not
# referenced anywhere in this export -- presumably these servers only answer
# static leases; confirm that is intended.
/ip dhcp-server
add add-arp=yes interface=88bridge lease-time=52w1d name=defconfHOME
add add-arp=yes interface=178bridge lease-time=52w1d name=defconENT
add add-arp=yes interface=sapnetwork_bridge lease-time=52w1d name=defonserver
# Pools. Only newlan is bound to a server (defconNewlan, which is disabled).
/ip pool
add name=home-dhcp ranges=192.168.88.20-192.168.88.254
add name=enterprise-dhcp ranges=192.168.178.10-192.168.178.254
add name=newlan ranges=172.16.0.20-172.16.1.254
# Server for the new 172.16.0.0/23 LAN, currently disabled.
/ip dhcp-server
add add-arp=yes address-pool=newlan disabled=yes interface=172bridge \
lease-time=52w1d name=defconNewlan
# Console port names only.
/port
set 0 name=serial0
set 1 name=serial1
# Default BGP template is enabled but no BGP connection appears in this export,
# so no sessions are formed. OSPF instance and area are disabled.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=yes name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Policy-routing tables. Routes are installed under /ip route and selected by
# /routing rule (source-based) and, when enabled, by the mangle mark-routing
# rules (LAN1_TO_WAN1 / LAN2_TO_WAN2). Note: no /ip route entry in this export
# targets wg-iterf, LAN1_TO_WAN1 or LAN2_TO_WAN2.
/routing table
add fib name=88_Subnet
add fib name=178_Subnet
add fib name=172_Subnet
add fib name=LAN1_TO_WAN1
add fib name=LAN2_TO_WAN2
add disabled=no fib name=use-WG
add disabled=no fib name=wg-iterf
# The built-in "full" group with its complete policy set (includes rest-api,
# dude, romon and sensitive). Any account in this group is effectively root on
# the device; keep membership minimal.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,rest-api"
# Physical port -> bridge mapping. ingress-filtering=no means untagged and
# tagged frames are both admitted (no VLAN filtering).
#   ether4, ether5  -> 88bridge
#   ether6, ether7  -> 178bridge
#   ether10         -> sapnetwork_bridge
# 172bridge has no member port in this export.
/interface bridge port
add bridge=88bridge comment=defconf88 ingress-filtering=no interface=ether4
add bridge=sapnetwork_bridge comment="defconf Server Network" \
ingress-filtering=no interface=ether10
add bridge=88bridge ingress-filtering=no interface=ether5
add bridge=178bridge comment=defconf178 ingress-filtering=no interface=ether6
add bridge=178bridge ingress-filtering=no interface=ether7
# Neighbor discovery (MNDP/CDP/LLDP) is sent on no interface -- the router does
# not advertise itself on any segment.
/ip neighbor discovery-settings
set discover-interface-list=none
# SYN cookies on; larger neighbor tables.
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
# IPv6 is disabled device-wide. The /ipv6 firewall rules further down are
# therefore inert until this is changed.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# List membership used by the firewall and management services:
#   WAN: ether1-ConvergeBiz, ether2 (PPPoE underlay), PLDTEnterprise
#   LAN: 88bridge, 178bridge, 172bridge, sapnetwork_bridge, wireguard1
# NOTE(review): wireguard1 in LAN gives tunnel peers the same standing as wired
# LAN hosts everywhere "LAN" is used: the input chain's final drop (!LAN), the
# raw "accept everything else from LAN" rule, and /tool mac-server. If peers
# should be less trusted than the office LAN, give them their own list.
/interface list member
add comment=defconf interface=88bridge list=LAN
add comment=defconf interface=ether1-ConvergeBiz list=WAN
add interface=ether2 list=WAN
add interface=178bridge list=LAN
add interface=PLDTEnterprise list=WAN
add interface=172bridge list=LAN
add interface=sapnetwork_bridge list=LAN
add interface=wireguard1 list=LAN
# OpenVPN server is not enabled in this export, but its HMAC list still admits
# md5. If the server is ever turned on, drop md5 (and preferably sha1) first.
/interface ovpn-server server
set auth=sha1,md5
# Single WireGuard peer. public-key="TEST" is not a valid WireGuard key (keys are
# 44-character base64); this is a placeholder, so the peer cannot complete a
# handshake until a real key is set. No preshared-key is configured.
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
"TEST"
# Router addresses, one per segment plus the tunnel address.
/ip address
add address=192.168.88.1/24 comment=defconf interface=88bridge network=\
192.168.88.0
add address=192.168.178.1/24 interface=178bridge network=192.168.178.0
add address=192.168.0.1/24 comment=defconf interface=sapnetwork_bridge \
network=192.168.0.0
add address=172.16.0.1/23 interface=172bridge network=172.16.0.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
# MikroTik cloud DDNS publishes the router's public address under its serial-
# based hostname; cloud time sync is off. No /system ntp client section is in
# this export, so the clock may be unsynchronised -- log timestamps and TLS
# validation depend on it; confirm a time source.
/ip cloud
set ddns-enabled=yes update-time=no
# Converge uplink gets its address by DHCP (add-default-route not set, so it
# presumably installs a default route in the main table). ISP DNS is ignored.
# The ether3 client is a disabled spare.
/ip dhcp-client
add comment=defconf interface=ether1-ConvergeBiz use-peer-dns=no
add add-default-route=no comment="defconf FOR CONVERGE" disabled=yes \
interface=ether3 use-peer-dns=no
# Per-subnet DHCP options. The server network hands out 192.168.0.2 as DNS
# (not the router); the others point clients at the router's resolver.
/ip dhcp-server network
add address=172.16.0.0/23 dns-server=172.16.0.1 gateway=172.16.0.1
add address=192.168.0.0/24 dns-server=192.168.0.2 gateway=192.168.0.1 \
netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
add address=192.168.178.0/24 dns-server=192.168.178.1 gateway=192.168.178.1
# The router answers DNS for anything that reaches its input chain
# (allow-remote-requests=yes). It is kept from being an open resolver only by
# the filter input rule that drops traffic not from the LAN list. Upstream
# queries go to Google over plain UDP/53.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.116 name=SAPSERVER ttl=1d5s
add address=192.168.0.117 name=HOSTSERVER ttl=1d5s
add address=192.168.178.122 name=SALESSERVER ttl=1d5s
# IPv4 filter. Several matchers below reference address lists
# (allowed_to_router, not_in_internet, no_forward_ipv4) but no
# /ip firewall address-list section is present in this export. If those lists
# do not exist on the device, the rules that use them match nothing -- confirm
# the lists are populated before relying on them.
/ip firewall filter
# NOTE(review): accepts the whole WireGuard subnet on input with no in-interface
# match, and it is ordered above the "drop all not coming from LAN" rule, so a
# packet carrying a 192.168.100.x source arriving on any interface is accepted
# here. Adding in-interface=wireguard1 ties the accept to the tunnel itself.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.100.0/24
# WireGuard handshake port (matches listen-port on wireguard1). log=yes logs
# every UDP/51820 packet, including unsolicited ones from the Internet -- watch
# log volume on the WAN side.
add action=accept chain=input comment="allow WireGuard" dst-port=51820 log=\
yes log-prefix=accepted_wg_con protocol=udp
# Disabled. layer7-protocol=block_facebook is not defined in this export.
add action=reject chain=forward comment="blck facebook" disabled=yes \
layer7-protocol=block_facebook log-prefix=Block protocol=tcp reject-with=\
tcp-reset src-address-list=!fb_aclist
# Disabled. No corresponding dst-nat rule exists under /ip firewall nat here.
add action=accept chain=forward comment="ALLOW PORT FORWARDING WEBSERVER" \
connection-nat-state=dstnat disabled=yes dst-address=192.168.178.122 \
dst-port=9991 in-interface=PLDTEnterprise protocol=tcp
# defconf input: ICMP (already rate-limited in the raw icmp4 chain), then
# established/related/untracked.
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# allowed_to_router is not defined in this export (see note above).
add action=accept chain=input src-address-list=allowed_to_router
# Final input rule: anything not arriving on a LAN-list interface is dropped.
# wireguard1 is a LAN member, so tunnel peers reach every router service.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=NotLAN
# Forward chain. The IPsec accept and the marked-connection FastTrack are
# disabled, so nothing is hardware-offloaded here.
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=\
"defconf:FastTrack accept established,related Priority Sites" \
connection-mark=priority-conn connection-state=established,related \
disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Per-bridge "no private destinations via another interface" rules, keyed on
# the not_in_internet list. Only 88bridge, 178bridge and sapnetwork_bridge are
# covered; 172bridge has no equivalent rule.
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=88bridge log-prefix=!public_from_LAN \
out-interface=!88bridge
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=178bridge log-prefix=!public_from_LAN \
out-interface=!178bridge
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=sapnetwork_bridge log-prefix=\
!public_from_LAN out-interface=!sapnetwork_bridge
# Blocks new inbound connections from any WAN-list interface unless a dst-nat
# rule already translated them.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Every rule in the icmp chain is disabled, so this jump returns with no
# effect; forwarded ICMP falls through to the rules below.
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
# icmp chain: an allow-list of ICMP types followed by a drop, all disabled.
add action=accept chain=icmp comment="echo reply" disabled=yes icmp-options=\
0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=yes \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=yes \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" disabled=yes icmp-options=3:4 \
protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=yes \
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=yes \
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" disabled=yes \
icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=yes
# detect-ddos chain: traffic within the dst-limit returns; anything over it
# adds the destination to ddos-target and the source to ddos-attackers for
# 10 minutes. Nothing in this export jumps to this chain, so it never runs and
# both lists stay empty (the raw rule that drops on them is also unreachable,
# see /ip firewall raw). The trailing syn,ack return sits after the add-to-list
# actions and appears redundant with the first return -- review the intent.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
# Mangle: QoS marking for "Priority" sites and Zoom, plus per-LAN policy-routing
# marks. Every rule here is disabled. The address lists they reference
# (Priority, zoom_ip, "88 Network", "178 Network") are not defined in this
# export, and no /ip route entry targets LAN1_TO_WAN1 or LAN2_TO_WAN2, so
# enabling the mark-routing rules as-is would send marked traffic into empty
# tables.
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"browsing-con for Priority websites " connection-bytes=0-1000000 \
disabled=yes dst-address-list=Priority dst-port=80,443 \
new-connection-mark=priority-conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="Priority TCP Pckt" \
connection-mark=priority-conn disabled=yes new-packet-mark=priority_pckt \
passthrough=no
add action=mark-connection chain=prerouting comment="ZOOM TCP" disabled=yes \
dst-address-list=zoom_ip dst-port=80,443,8801,8802,5091 \
new-connection-mark=tcp_zoom passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="ZoomTCP Pckt" \
connection-mark=tcp_zoom disabled=yes new-packet-mark=zoom_pckt \
passthrough=no
add action=mark-connection chain=prerouting comment="ZOOM UDP" disabled=yes \
dst-address-list=zoom_ip dst-port=3478,3479,8801-8810,20000-64000 \
new-connection-mark=udp_zoom passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="ZoomUDP Pckt" \
connection-mark=udp_zoom disabled=yes new-packet-mark=zoom_pckt \
passthrough=no
add action=mark-routing chain=prerouting comment="LAN1 TO WAN 1" disabled=yes \
new-routing-mark=LAN1_TO_WAN1 passthrough=yes src-address-list=\
"88 Network"
add action=mark-routing chain=prerouting comment="LAN2 TO WAN 2" disabled=yes \
new-routing-mark=LAN2_TO_WAN2 passthrough=yes src-address-list=\
"178 Network"
# NAT: a disabled no-NAT exception for the router's own tunnel address toward
# PLDT, then the defconf masquerade for everything leaving a WAN-list
# interface. No dst-nat (port-forward) rules exist in this export.
/ip firewall nat
add action=accept chain=srcnat disabled=yes out-interface=PLDTEnterprise \
src-address=192.168.100.1
add action=masquerade chain=srcnat comment="defconf: All masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Raw prerouting (runs before connection tracking). The bogon drops rely on the
# bad_ipv4, bad_src_ipv4, bad_dst_ipv4 and not_global_ipv4 address lists; no
# /ip firewall address-list section is present in this export, so confirm they
# exist on the device -- otherwise these rules match nothing and WAN-side
# anti-spoofing of RFC1918 sources is not in effect.
/ip firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
disabled=yes dst-address=255.255.255.255 dst-port=67 in-interface-list=\
LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4 log-prefix=badipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
# WAN packets addressed directly into local subnets. Only 192.168.88.0/24 and
# 192.168.178.0/24 are covered; 192.168.0.0/24, 172.16.0.0/23 and
# 192.168.100.0/24 are not (the filter forward chain's "drop all from WAN not
# DSTNATed" still protects forwarded traffic to them).
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=\
192.168.178.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
# Terminal rules for the prerouting chain: accept LAN, accept WAN, drop the
# rest. Every packet leaves the chain at one of these three.
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad_tcp chain: drops invalid TCP flag combinations and port 0.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
# icmp4 chain: allow-list of ICMP types; echo request/reply are rate-limited
# (5/s, burst 10), everything else ICMP is dropped.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
# NOTE(review): unreachable. This is a prerouting rule ordered after "drop the
# rest" (and after the two accept-everything-else rules), so no packet ever
# reaches it. If the ddos lists are to be acted on, move it above
# "defconf: accept everything else from LAN". Also note the lists are only
# filled by the detect-ddos chain in /ip firewall filter, which nothing jumps
# to in this export.
add action=drop chain=prerouting comment="Defconf: dropping ddos attacker" \
dst-address-list=ddos-target src-address-list=ddos-attackers
# FTP and SIP connection-tracking helpers disabled (fewer ALG attack surfaces).
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
# Default routes per policy table, selected by /routing rule:
#   88_Subnet  -> 192.168.1.254 (presumably the Converge CPE reached via
#                ether1-ConvergeBiz; confirm)
#   178_Subnet -> PLDTEnterprise (PPPoE)
#   use-WG     -> PLDTEnterprise
# The "REROUTE" and "NEW LAN NETWORK" entries are disabled spares for manual
# failover / the 172 LAN. No route is exported for table wg-iterf, and none for
# the main table (the ether1 DHCP client presumably supplies that default).
/ip route
add comment=CONVERGE disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.1.254 pref-src="" routing-table=88_Subnet scope=30 \
suppress-hw-offload=no target-scope=10
add comment="PLDT ENTERPRISE" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=PLDTEnterprise pref-src="" routing-table=178_Subnet scope=30 \
suppress-hw-offload=no target-scope=10
add comment="REROUTE 88" disabled=yes distance=1 dst-address=0.0.0.0/0 \
gateway=PLDTEnterprise pref-src="" routing-table=88_Subnet scope=30 \
suppress-hw-offload=no target-scope=10
add comment="NEW LAN NETWORK" disabled=yes dst-address=0.0.0.0/0 gateway=\
PLDTEnterprise routing-table=172_Subnet
add comment="REROUTE 178" disabled=yes distance=1 dst-address=0.0.0.0/0 \
gateway=192.168.1.254 pref-src="" routing-table=178_Subnet scope=30 \
suppress-hw-offload=no target-scope=10
add comment=USE-WG disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PLDTEnterprise pref-src="" routing-table=use-WG scope=30 \
suppress-hw-offload=no target-scope=10
# Management plane. telnet, ftp, ssh, api and api-ssl are off. Plain-HTTP www
# stays enabled on port 89 next to www-ssl on 449, so a login from LAN or the
# tunnel can still send credentials in the clear; disabling www (or redirecting
# it) closes that. No address= restriction is set on any service. winbox is not
# listed, so it is presumably at its default settings -- confirm. Exposure to
# WAN is governed by the filter input chain, not by these entries.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=89
set ssh disabled=yes
set www-ssl disabled=no port=449
set api disabled=yes
set api-ssl disabled=yes
# Takes effect only if ssh is re-enabled above.
/ip ssh
set strong-crypto=yes
# NetFlow/IPFIX export from 88bridge only. No /ip traffic-flow target appears
# in this export -- confirm a collector is configured, otherwise flows are
# sampled but never delivered.
/ip traffic-flow
set active-flow-timeout=5m interfaces=88bridge
# IPv6 defconf bogon list and filter. IPv6 is disabled in /ipv6 settings, so
# these rules are inert today; keeping them means enabling IPv6 later does not
# leave the router or the LANs unfiltered.
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
# As with IPv4, wireguard1 counts as LAN for this final input drop.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# Source-based policy routing. lookup-only-in-table means no fallback to the
# main table when the named table has no match.
#   192.168.88.0/24   -> 88_Subnet   (Converge)
#   192.168.178.0/24  -> 178_Subnet  (PLDT)
#   172.16.0.0/23     -> 172_Subnet  (its only route is disabled)
#   192.168.100.2/32  -> use-WG      (PLDT) -- matched before the /24 below
#   192.168.100.1/24  -> wg-iterf    (no route in this export)
# NOTE(review): with no route in wg-iterf, every tunnel source other than
# 192.168.100.2 is black-holed -- confirm that is intended. The /24 is written
# with host bits set (192.168.100.1/24); presumably treated as
# 192.168.100.0/24, verify.
/routing rule
add action=lookup-only-in-table comment=88_Subnet disabled=no src-address=\
192.168.88.0/24 table=88_Subnet
add action=lookup-only-in-table comment=178_Subnet disabled=no src-address=\
192.168.178.0/24 table=178_Subnet
add action=lookup-only-in-table disabled=no src-address=172.16.0.0/23 table=\
172_Subnet
add action=lookup-only-in-table disabled=no src-address=192.168.100.2/32 \
table=use-WG
add action=lookup-only-in-table disabled=no src-address=192.168.100.1/24 \
table=wg-iterf
# Time zone from the tz database. The manual entries below (+08:00 with a
# +08:00 "DST" delta spanning 2022-2029) apply only when time-zone-name=manual
# -- confirm they are not in effect, as they would otherwise skew timestamps.
/system clock
set time-zone-name=Asia/Manila
/system clock manual
set dst-delta=+08:00 dst-end="jan/01/2029 00:00:00" dst-start=\
"jan/01/2022 00:00:00" time-zone=+08:00
/system identity
set name=Graphic
# RPS enabled for an interface that is administratively disabled above.
/system resource irq rps
set sfp-sfpplus1 disabled=no
# One-shot reboot on sep/10/2022 08:00 (no interval set, so it runs once).
# NOTE(review): the policy list grants password, sensitive, sniff and ftp, far
# more than "system reboot" needs; trimming it to the minimum (reboot, plus
# read if required -- confirm) limits what this entry could do if its on-event
# were ever altered.
/system scheduler
add name=Reboot on-event="system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=sep/10/2022 start-time=08:00:00
# btest server off.
/tool bandwidth-server
set enabled=no
# Interface graphs, served by the www/www-ssl service. The 88 and 178 graphs
# are limited to viewers in their own subnet; the PLDTEnterprise and ether1
# graphs have no allow-address and so presumably fall back to the default
# (any viewer that can reach the web service) -- confirm.
/tool graphing interface
add allow-address=192.168.88.0/24 interface=88bridge store-on-disk=no
add allow-address=192.168.178.0/24 interface=178bridge store-on-disk=no
add interface=PLDTEnterprise store-on-disk=no
add interface=ether1-ConvergeBiz store-on-disk=no
# MAC-telnet and MAC-Winbox restricted to the LAN list (which also contains
# wireguard1; MAC-level access is not expected to work across an L3 tunnel,
# but the membership is worth knowing).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN