Here we go. the value xx.xx.xx.xx represents my WAN ip. ( just for security purpose).
/interface print detail
0 R name="WAN" type="ether" mtu=1500
1 R name="LAN" type="ether" mtu=1500 l2mtu=1600
2 X name="wlan1" type="wlan" mtu=1500
3 R name="bridge1" type="bridge" mtu=1500 l2mtu=65535
/ip address print detail
0 address=xx.xx.xx.xx6/30 network=xx.xx.xx.xx4 broadcast=xx.xx.xx.xx7
interface=WAN actual-interface=WAN
1 address=10.10.99.1/24 network=10.10.99.0 broadcast=10.10.99.255
interface=LAN actual-interface=LAN
2 address=10.10.101.1/30 network=10.10.101.0 broadcast=10.10.101.3
interface=bridge1 actual-interface=bridge1
/ip route print detail
0 A S dst-address=0.0.0.0/0 gateway=xx.xx.xx.xx5
gateway-status=xx.xx.xx.xx5 reachable WAN distance=1 scope=30
target-scope=10
1 ADC dst-address=10.10.99.0/24 pref-src=10.10.99.1 gateway=LAN
gateway-status=LAN reachable distance=0 scope=10
2 ADC dst-address=10.10.101.0/30 pref-src=10.10.101.1 gateway=bridge1
gateway-status=bridge1 reachable distance=0 scope=10
3 ADC dst-address=xx.xx.xx.xx4/30 pref-src=xx.xx.xx.xx6 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10
/ip firewall export
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=hs-input comment="BLOCK P2P IN HOTSPOT" disabled=no \
in-interface=LAN p2p=all-p2p
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid disabled=no
add action=accept chain=forward comment="allow established connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=no
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
135-139 protocol=tcp
add action=add-src-to-address-list address-list="SUSPECTED HACKER" \
address-list-timeout=1w3d chain=input comment="SUSPECTED HACKERS" \
connection-limit=4,32 disabled=no dst-address=10.10.99.1 protocol=tcp \
src-port=8291,3128,80,20,21,22,23,443,3989
add action=add-src-to-address-list address-list="SUSPECTED HACKER" \
address-list-timeout=4w2d chain=input comment="SUSPECTED HACKERS" \
connection-limit=3,32 disabled=no in-interface=WAN protocol=tcp src-port=\
8291,3128,80,20,21,22,23,443,3989
add action=drop chain=input comment="SUSPECTED HACKERS DROP" \
connection-limit=2,32 disabled=no in-interface=WAN protocol=tcp \
src-address-list="SUSPECTED HACKER" src-port=\
8291,3128,80,20,21,22,23,443,3989
add action=drop chain=forward comment="DROP ALL P2P" disabled=no p2p=all-p2p
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no \
dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 \
protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 \
protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 \
protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 \
protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 \
protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=\
2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=\
3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=\
9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=\
10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=\
10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 \
protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=\
27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=\
no dst-port=65506 protocol=tcp
add action=accept chain=forward comment="Allow HTTP" disabled=no dst-port=80 \
protocol=tcp
add action=accept chain=forward comment="Allow SMTP" disabled=no dst-port=25 \
protocol=tcp
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow ping" disabled=no protocol=\
icmp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=drop chain=forward comment="drop everything else" disabled=no
add action=add-src-to-address-list address-list=suspectedspambot \
address-list-timeout=2d chain=forward comment=\
"More than 10 simultaneous connections looks spammy" connection-limit=\
10,32 disabled=no dst-port=25 protocol=tcp
add action=drop chain=forward comment=\
"Drop traffic from those on the suspect list" disabled=no dst-port=25 \
protocol=tcp src-address-list=suspectedspambot
add action=drop chain=input comment="Stupid Hacker" disabled=no in-interface=\
WAN protocol=tcp src-address=203.129.192.9 src-port=\
8291,3128,80,20,21,22,23,443,3989
/ip firewall mangle
add action=mark-connection chain=forward comment="MY CONNECTION MARK" \
connection-mark=!heavy_traffic_conn disabled=no new-connection-mark=\
all_conn passthrough=yes
add action=mark-connection chain=forward comment="" connection-bytes=\
3000000-0 connection-mark=all_conn connection-rate=20k-20M disabled=no \
new-connection-mark=heavy_traffic_conn passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="" connection-bytes=\
3000000-0 connection-mark=all_conn connection-rate=20k-20M disabled=no \
new-connection-mark=heavy_traffic_conn passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="MY PACKET MARK" \
connection-mark=heavy_traffic_conn disabled=no new-packet-mark=\
heavy_traffic passthrough=no
add action=mark-packet chain=forward comment="" connection-mark=all_conn \
disabled=no new-packet-mark=other_traffic passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=10.10.99.0/24
add action=accept chain=pre-hotspot comment="" disabled=yes dst-address=\
xx.xx.xx.xx4 hotspot=auth src-address=10.10.99.31
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=redirect chain=dstnat comment="Transparent DNS TCP" disabled=no \
dst-port=53 protocol=tcp src-address=10.10.99.0/24 to-ports=53
add action=redirect chain=dstnat comment="Transparent DNS UDP" disabled=no \
dst-port=53 protocol=udp src-address=10.10.99.0/24 to-ports=53
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[collins465@Collins Lab] >
/ip hotspot export
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
add dns-name=www.cyndys.com hotspot-address=10.10.99.1 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
mac,cookie,http-chap mac-auth-password="" name=hsprof1 nas-port-type=\
wireless-802.11 radius-accounting=yes radius-default-domain="" \
radius-interim-update=received radius-location-id="" \
radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no use-radius=yes
/ip hotspot
add address-pool=hs-pool-2 addresses-per-mac=2 disabled=no idle-timeout=5m \
interface=LAN keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set default advertise=no idle-timeout=none keepalive-timeout=2m name=default \
open-status-page=always shared-users=1 status-autorefresh=1m \
transparent-proxy=yes
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add comment="Collins Laptop" disabled=no mac-address=F0:4D:A2:90:D7:46 name=\
F0:4D:A2:90:D7:46 password="" profile=default
add comment="" disabled=no name=xxxxxxx password=xxxxxx profile=default
add comment=OPERATOR disabled=no mac-address=00:1D:92:F2:6A:E8 name=\
00:1D:92:F2:6A:E8 password="" profile=default
add comment=COM-4 disabled=no mac-address=00:11:0A:34:E3:7C name=\
00:11:0A:34:E3:7C password="" profile=default
add comment=COM-12 disabled=no mac-address=00:C0:4F:09:1C:34 name=\
00:C0:4F:09:1C:34 password="" profile=default
add comment=COM-19 disabled=no mac-address=00:06:5B:74:E5:0C name=\
00:06:5B:74:E5:0C password="" profile=default
add comment=12B disabled=no mac-address=00:16:EC:31:3B:45 name=\
00:16:EC:31:3B:45 password="" profile=default
add comment=COM-14 disabled=no mac-address=00:16:EC:31:35:D2 name=\
00:16:EC:31:35:D2 password="" profile=default
add comment=COM-13 disabled=no mac-address=00:14:2A:95:FC:36 name=\
00:14:2A:95:FC:36 password="" profile=default
add comment=COM-10 disabled=no mac-address=00:1B:B9:AF:01:95 name=\
00:1B:B9:AF:01:95 password="" profile=default
add comment=COM-24 disabled=no mac-address=00:08:74:AC:19:2F name=\
00:08:74:AC:19:2F password="" profile=default
add comment=COM-8 disabled=no mac-address=00:02:44:36:86:AF name=\
00:02:44:36:86:AF password="" profile=default
add comment=COM-7 disabled=no mac-address=00:16:EC:31:30:A1 name=\
00:16:EC:31:30:A1 password="" profile=default
add comment=COM-25 disabled=no mac-address=00:C0:4F:04:51:E7 name=\
00:C0:4F:04:51:E7 password="" profile=default
add comment=COM-15 disabled=no mac-address=00:0B:DB:63:B5:40 name=\
00:0B:DB:63:B5:40 password="" profile=default
add comment=COM-22 disabled=no mac-address=00:06:5B:56:E2:9E name=\
00:06:5B:56:E2:9E password="" profile=default
add comment=COM-1 disabled=no mac-address=00:16:EC:32:45:41 name=\
00:16:EC:32:45:41 password="" profile=default
add comment=COM-23 disabled=no mac-address=00:0D:56:D3:0C:60 name=\
00:0D:56:D3:0C:60 password="" profile=default
add comment=COM-16 disabled=no mac-address=00:08:74:A7:84:7C name=\
00:08:74:A7:84:7C password="" profile=default
add comment=COM-17 disabled=no mac-address=00:16:EC:35:44:1D name=\
00:16:EC:35:44:1D password="" profile=default
add comment=COM-20 disabled=no mac-address=00:08:74:0A:CF:46 name=\
00:08:74:0A:CF:46 password="" profile=default
add comment=COM-28 disabled=no mac-address=00:19:21:00:42:15 name=\
00:19:21:00:42:15 password="" profile=default
add comment=COM-21 disabled=no mac-address=00:06:5B:A3:E1:BA name=\
00:06:5B:A3:E1:BA password="" profile=default
[collins465@Collins Lab]
/ip proxy export
/ip proxy
set always-from-cache=no cache-administrator="Collins 08060191465" \
cache-hit-dscp=4 cache-on-disk=yes enabled=no max-cache-size=100000KiB \
max-client-connections=1000 max-fresh-time=1w max-server-connections=1000 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
no src-address=0.0.0.0
/ip proxy access
add action=deny comment="" disabled=no dst-host=*btjunkie*
add action=deny comment="" disabled=no dst-host=*thepiratebay*
add action=deny comment="" disabled=no path=*.torrent*
add action=allow comment="ALLOWED ACCESS" disabled=no src-address=\
10.10.99.0/24
add action=deny comment="BLOCKED ACCESS" disabled=no