# apr/30/2020 21:12:10 by RouterOS 6.45.8
# software id = xxx
#
# model = 2011UiAS-2HnD
# serial number = xxx
/interface bridge
# Single bridge joining the wired ports and the main WLAN (members are listed under /interface bridge port).
add fast-forward=no name=BRIDGE
/interface ethernet
# Ports are renamed (apparently after the device attached to each one); every later section refers to
# these names, so renaming a port here means updating the bridge-port, interface-list and LCD entries too.
set [ find default-name=ether5 ] name=BAD
set [ find default-name=ether2 ] name=DC01
set [ find default-name=ether3 ] name=Duo2
set [ find default-name=ether6 ] name=Epson
set [ find default-name=ether1 ] name=G1
set [ find default-name=ether9 ] name=HP
set [ find default-name=ether4 ] name=NetGear
# sfp1 is unused and kept disabled.
set [ find default-name=sfp1 ] disabled=yes name=Optika
set [ find default-name=ether8 ] name=Panasonic
# ether10 carries the PPPoE session to the modem (see /interface pppoe-client); PoE out is switched off on it.
set [ find default-name=ether10 ] name=ZYXEL poe-out=off
set [ find default-name=ether7 ] name=eGreat
/interface pppoe-client
# WAN uplink: PPPoE session running over the ZYXEL port. The credentials are scrubbed in this export.
# WIA is the interface every "in-interface=WIA" firewall rule below matches on; it is not a member of the LAN list.
add add-default-route=yes disabled=no interface=ZYXEL keepalive-timeout=disabled max-mru=1492 max-mtu=1492 name=WIA use-peer-dns=yes user=user
/interface wireless
# Main 2.4 GHz access point on 2437 MHz (channel 6), WPS disabled. No security-profile is given, so the
# profile named "default" from /interface wireless security-profiles applies.
set [ find default-name=wlan1 ] ampdu-priorities=0,1,2,3,4,5,6,7 band=2ghz-b/g/n country="czech republic" disabled=no distance=indoors frequency=2437 mode=ap-bridge name=WLAN ssid=TEST wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface list
# BRIDGELIST: the bridge member ports; scopes MAC-server / MAC-winbox (see /tool mac-server).
# LAN: interfaces the firewall treats as internal (in-interface-list=LAN) and where neighbor discovery runs.
add name=BRIDGELIST
add name=LAN
/interface wireless security-profiles
# Profile for the main WLAN: WPA/WPA2-PSK with PMKID disabled. No pre-shared key appears in this export
# (RouterOS hides it unless "export show-sensitive" is used).
# NOTE(review): wpa-psk (WPA1) is still offered next to wpa2-psk; drop it unless an old client requires it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
# "legacy" profile: 40-bit static WEP. WEP provides no real confidentiality, so this profile is only used on
# the isolated VWLAN below; treat anything on that SSID as untrusted.
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" mode=static-keys-required name=legacy static-algo-0=40bit-wep supplicant-identity=""
/interface wireless
# Virtual AP for WEP-only devices, slaved to WLAN. It is not bridged, so its clients land in their own
# subnet (192.168.241.0/24, DHCP server DHCPL) and are kept away from the LAN by the forward rule
# "Drop access from VWLAN to LAN". default-forwarding=no also stops VWLAN clients talking to each other.
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=MAC master-interface=WLAN multicast-buffering=disabled name=VWLAN security-profile=legacy ssid=legacy wps-mode=disabled
/ip pool
# Pool: dynamic leases for the main LAN (.51-.100; the lower part of the /24 is presumably kept for
# static leases and servers, e.g. the WINS server at .10 and the fixed leases under /ip dhcp-server lease).
# PoolL: leases for the legacy (WEP) VWLAN clients.
add name=Pool ranges=192.168.242.51-192.168.242.100
add name=PoolL ranges=192.168.241.1-192.168.241.50
/ip dhcp-server
# One server per internal interface; add-arp=yes creates ARP entries from the leases. 3-day leases.
add add-arp=yes address-pool=Pool disabled=no interface=BRIDGE lease-time=3d name=DHCP
add add-arp=yes address-pool=PoolL disabled=no interface=VWLAN lease-time=3d name=DHCPL
/interface bridge port
# Every wired port except ZYXEL (the PPPoE/modem port) and Optika (disabled SFP), plus the main WLAN,
# is a member of BRIDGE. VWLAN is not listed here, which is what keeps the WEP clients on their own subnet.
add bridge=BRIDGE interface=G1
add bridge=BRIDGE interface=DC01
add bridge=BRIDGE interface=Duo2
add bridge=BRIDGE interface=NetGear
add bridge=BRIDGE interface=BAD
add bridge=BRIDGE interface=Epson
add bridge=BRIDGE interface=eGreat
add bridge=BRIDGE interface=Panasonic
add bridge=BRIDGE interface=HP
add bridge=BRIDGE interface=WLAN
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is limited to the LAN list.
# NOTE(review): the LAN list below also contains ZYXEL, the physical port toward the modem, so the router
# still announces itself on that link; use a separate list without ZYXEL if the modem side is not trusted.
set discover-interface-list=LAN
/ip settings
# Strict reverse-path filtering: a packet whose source would not be routed back out the ingress interface is dropped.
set rp-filter=strict
/interface list member
# LAN = the internal side: the bridge, the legacy VWLAN and the ZYXEL (modem) port. WIA is not a member,
# so "in-interface-list=LAN" / "!LAN" in the filter rules separates inside from the PPPoE uplink.
add interface=BRIDGE list=LAN
add interface=VWLAN list=LAN
add interface=ZYXEL list=LAN
# BRIDGELIST = the bridge member ports only; limits where MAC-telnet / MAC-winbox answer (see /tool mac-server).
add interface=G1 list=BRIDGELIST
add interface=DC01 list=BRIDGELIST
add interface=Duo2 list=BRIDGELIST
add interface=NetGear list=BRIDGELIST
add interface=BAD list=BRIDGELIST
add interface=Epson list=BRIDGELIST
add interface=eGreat list=BRIDGELIST
add interface=Panasonic list=BRIDGELIST
add interface=HP list=BRIDGELIST
add interface=WLAN list=BRIDGELIST
/ip address
# Three internal subnets, one per interface:
#   192.168.242.0/24 on BRIDGE  - main LAN (also the only "Spravce"/admin network),
#   192.168.240.0/24 on ZYXEL   - presumably the modem's management subnet (the PPPoE session itself runs on WIA),
#   192.168.241.0/24 on VWLAN   - legacy WEP clients.
# The address-list "internal-nets" covers exactly the range 192.168.240.0-192.168.242.255.
add address=192.168.242.254/24 interface=BRIDGE network=192.168.242.0
add address=192.168.240.254/24 interface=ZYXEL network=192.168.240.0
add address=192.168.241.254/24 interface=VWLAN network=192.168.241.0
/ip dhcp-server lease
# Static leases on the main LAN; the MAC addresses are scrubbed in this export.
add address=192.168.242.55 mac-address=MAC1 server=DHCP
add address=192.168.242.60 mac-address=MAC2 server=DHCP
/ip dhcp-server network
# Clients use the router itself as DNS server and gateway; the main LAN additionally gets a WINS server at .10.
add address=192.168.241.0/24 dns-server=192.168.241.254 gateway=192.168.241.254 netmask=24
add address=192.168.242.0/24 dns-server=192.168.242.254 gateway=192.168.242.254 netmask=24 wins-server=192.168.242.10
/ip dns
# The router is a caching resolver for its clients (allow-remote-requests=yes) using public upstreams.
# DNS arriving on WIA is dropped in /ip firewall raw ("Drop DNS queries from the internet"), which is
# what prevents this from acting as an open resolver toward the internet.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
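/ip firewall address-list
# public-add:      our own WAN address (scrubbed); packets arriving on WIA claiming this source are spoofed.
# Spravce:         the only network allowed to reach the management ports
#                  (see raw rule "Drop inbound FTP, SSH, Telnet, http, Winbox").
# internal-nets:   the three internal /24s as one range; used by the "From LAN" accepts and the
#                  winbox / port-scan exemptions.
# not_in_internet: bogon list (RFC 6890 special-purpose ranges, multicast, class E). 192.168.0.0/16 is
#                  split into C1/C2 so the three local subnets (192.168.240-242) stay out of it; if a
#                  local subnet is ever renumbered, both C1 and C2 must be adjusted.
add address=WANIP comment=Internet list=public-add
add address=192.168.242.0/24 comment="Admin access to RB" list=Spravce
add address=192.168.240.0-192.168.242.255 comment="LAN + Zyxel + Legacy Wifi" list=internal-nets
add address=0.0.0.0/8 comment="RFC6890 Self-Identification - This host on this network" list=not_in_internet
add address=127.0.0.0/8 comment="RFC6890 Loopback" list=not_in_internet
add address=169.254.0.0/16 comment="RFC6890 Link Local" list=not_in_internet
add address=10.0.0.0/8 comment="RFC6890 Private - CLASS A" list=not_in_internet
add address=172.16.0.0/12 comment="RFC6890 Private - CLASS B" list=not_in_internet
add address=192.168.0.0-192.168.239.255 comment="RFC6890 Private - CLASS C1" list=not_in_internet
add address=192.168.243.0-192.168.255.255 comment="RFC6890 Private - CLASS C2" list=not_in_internet
add address=224.0.0.0/4 comment="Multicast, Class D, IANA" list=not_in_internet
add address=192.0.2.0/24 comment="RFC6890 Reserved - IANA - TestNet1" list=not_in_internet
add address=198.51.100.0/24 comment="RFC6890 Reserved - IANA - TestNet2" list=not_in_internet
add address=203.0.113.0/24 comment="RFC6890 Reserved - IANA - TestNet3" list=not_in_internet
add address=192.88.99.0/24 comment="RFC6890 6to4 Relay Anycast" list=not_in_internet
add address=198.18.0.0/15 comment="RFC6890 Network Interconnect Device Benchmark Testing" list=not_in_internet
# Fix: the original line read "list= not_in_internet" (space after "="). That is not a single keyword=value
# pair, so on import the line is rejected or the entry ends up outside the list; either way the shared
# address space (CGNAT range) was missing from the bogon list. Verify the entry exists after import.
add address=100.64.0.0/10 comment="RFC6890 Shared Address Space" list=not_in_internet
add address=192.0.0.0/24 comment="RFC6890 Reserved - IANA - IETF Protocol Assignments" list=not_in_internet
add address=240.0.0.0/4 comment="RFC6890 Reserved for Future Use" list=not_in_internet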
/ip firewall filter
# ---------------- input (traffic to the router itself) ----------------
# Rules are evaluated top to bottom; the order below matters. Packets first pass /ip firewall raw
# (prerouting), so anything raw drops never reaches these chains.
add action=passthrough chain=input comment="Input counter"
# NOTE(review): raw rule "Drop port-scan address list" already drops this list in prerouting, so this
# tarpit rule should never match; it is harmless but misleading.
add action=tarpit chain=input comment="Tarpit port-scan address list" protocol=tcp src-address-list=port-scan
# More than 30 concurrent connections from one /32 with SYN set -> listed as syn-flood for 30 min (dropped in raw).
add action=add-src-to-address-list address-list=syn-flood address-list-timeout=30m chain=input comment="Add Syn Flooders to syn-flood address list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=input comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
# Both of these also exist in raw prerouting ("Drop RFC6890 ..." / "Drop our addressing ..."); kept as a second line of defence.
add action=drop chain=input comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=not_in_internet
add action=drop chain=input comment="Drop our addressing inbound - spoofed" in-interface=WIA src-address-list=public-add
# Winbox only from internal-nets (raw additionally limits it to Spravce = 192.168.242.0/24).
add action=drop chain=input comment="Drop all access to the winbox - except list" dst-port=8291 protocol=tcp src-address-list=!internal-nets
# This is the rule that actually closes the router toward the internet: no new connections from WIA at all.
# It must stay above the "From LAN" accept.
add action=drop chain=input comment="Drop new from WIA" connection-state=new in-interface=WIA
add chain=input comment="Established, Related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# Anything from the internal side (BRIDGE, VWLAN, ZYXEL) with an internal source address may reach the router.
add action=accept chain=input comment="From LAN" in-interface=!WIA src-address-list=internal-nets
# DHCP discovers arrive with source 0.0.0.0, which is not in internal-nets, hence the explicit accepts.
add action=accept chain=input comment="Allow DHCP" dst-port=67 in-interface=BRIDGE protocol=udp src-port=68
add action=accept chain=input comment="Allow DHCP" dst-port=67 in-interface=VWLAN protocol=udp src-port=68
add action=drop chain=input comment="Drop all packets which are not destined to routers IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which don't have unicast source IP address" src-address-type=!unicast
add action=log chain=input comment="Log everything else" log-prefix=Log
# NOTE(review): the final drop is disabled, so whatever reaches this point is logged and then ACCEPTED
# (the chain default is accept). With "Drop new from WIA" above this only affects internal interfaces,
# but the chain is not a deny-by-default one until this rule is enabled.
add action=drop chain=input comment="Drop everything else" disabled=yes
# ---------------- forward (traffic routed through the router) ----------------
add action=passthrough chain=forward comment="Forward counter"
# Debugging logs for one VWLAN client (192.168.241.1, the first address of PoolL); see the note at the end of the file.
add action=log chain=forward log=yes log-prefix="From Boogie" src-address=192.168.241.1
add action=log chain=forward dst-address=192.168.241.1 log=yes log-prefix="To Boogie"
# VWLAN (WEP) clients may only go to the internet, never to BRIDGE or ZYXEL.
add action=drop chain=forward comment="Drop access from VWLAN to LAN" in-interface=VWLAN out-interface=!WIA
add action=drop chain=forward comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=not_in_internet
# Packets from the internet claiming an internal source address (not_in_internet deliberately excludes them).
add action=drop chain=forward comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=internal-nets
add action=drop chain=forward comment="Drop our addressing inbound - spoofed" in-interface=WIA src-address-list=public-add
# LAN -> bogon destinations via a non-LAN interface (i.e. toward WIA) are dropped instead of leaking out.
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=!LAN
# Per-interface source validation (complements rp-filter=strict).
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=BRIDGE src-address=!192.168.242.0/24
add action=drop chain=forward comment="Drop packets from ZYXEL that do not have ZYXEL IP" in-interface=ZYXEL src-address=!192.168.240.0/24
add action=drop chain=forward comment="Drop packets from VWLAN that do not have VWLAN IP" in-interface=VWLAN src-address=!192.168.241.0/24
# No dst-nat rules exist in /ip firewall nat, so this drops every unsolicited new connection from WIA.
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=WIA
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 protocol=tcp
add action=drop chain=forward comment="Drop bogon list" dst-address-list=not_in_internet
# Applies in both directions and to all interfaces (bridge-local traffic does not traverse forward).
add action=drop chain=forward comment="Drop Windows ports" port=135-139 protocol=tcp
# NOTE(review): comment says "Drop" but the action is log. Nothing is dropped here; the rule above
# ("not NATted") already covers new WIA connections, so this only produces log lines.
add action=log chain=forward comment="Drop new from WIA" connection-state=new in-interface=WIA
# Fasttrack must come before the plain accept for the same states, otherwise it never matches.
add action=fasttrack-connection chain=forward comment="Fasttrack Established, Related" connection-state=established,related
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="From LAN" in-interface=!WIA src-address-list=internal-nets
add action=log chain=forward comment="Log everything else" log-prefix=Log
# NOTE(review): disabled final drop -> default accept after logging, as in the input chain.
add action=drop chain=forward comment="Drop everything else" disabled=yes
# ---------------- output (traffic originated by the router) ----------------
add action=passthrough chain=output comment="Output counter"
add chain=output comment="Established, Related" connection-state=established,related
add action=drop chain=output comment="Drop invalid" connection-state=invalid
# Explicitly allowed router-originated traffic toward the internet: DNS (tcp/udp 53) and NTP (udp 123).
add chain=output comment="DNS query" dst-port=53 out-interface=WIA protocol=tcp
add chain=output comment="DNS query" dst-port=53 out-interface=WIA protocol=udp
add chain=output comment="NTP query" dst-port=123 out-interface=WIA protocol=udp
add action=log chain=output comment="Log everything else" log-prefix=Log
# NOTE(review): with this rule disabled the output chain is effectively allow-all plus logging. Enabling
# it as-is would also block everything else the router originates toward WIA (e.g. the package update
# check) and all router-originated traffic toward the internal interfaces; add accepts for those first.
add action=drop chain=output comment="Drop everything else" disabled=yes
/ip firewall nat
# Source NAT of everything leaving via the PPPoE uplink. There are no dst-nat rules, so no inbound
# port forwards exist and the forward rule "Drop incoming packets that are not NATted" blocks all new inbound.
add action=masquerade chain=srcnat out-interface=WIA
/ip firewall raw
# raw prerouting runs before connection tracking and before the filter chains, on every ingress interface.
# Management ports (FTP, SSH, Telnet, HTTP, Winbox) are reachable only from Spravce (192.168.242.0/24),
# regardless of interface - this also excludes ZYXEL and VWLAN hosts.
add action=drop chain=prerouting comment="Drop inbound FTP, SSH, Telnet, http, Winbox" dst-port=21,22,23,80,8291 protocol=tcp src-address-list=!Spravce
# ICMP handling: internal ICMP goes straight to the ICMP chain; ICMP from WIA is rate limited to 50 per 5 s,
# anything beyond the limit falls through to the next rule and puts the source on icmp-attack for 12 h.
add action=jump chain=prerouting comment="From LAN Jump for ICMP input flow" in-interface=!WIA jump-target=ICMP protocol=icmp
add action=jump chain=prerouting comment="Accept up to 50 pings in 5 seconds and jump for ICMP input flow" in-interface=WIA jump-target=ICMP limit=50/5s,5:packet protocol=icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=12h chain=prerouting comment="Add all other ICMP input into icmp-attack address list" in-interface=WIA protocol=icmp
add action=drop chain=prerouting comment="Drop excessive ICMP traffic" protocol=icmp src-address-list=icmp-attack
# Port-scan handling: listed sources are dropped for 2 weeks. Only the psd rule is limited to WIA and
# exempts internal-nets; the flag-combination rules below apply to every interface.
# NOTE(review): an internal host that sends such packets (e.g. a scanner run from the LAN) is also
# listed for 2 weeks; add src-address-list=!internal-nets to those rules if that is not intended.
add action=drop chain=prerouting comment="Drop port-scan address list" src-address-list=port-scan
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="Add port scannes to port-scan list" in-interface=WIA protocol=tcp psd=21,3s,3,1 src-address-list=!internal-nets
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=prerouting comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Lists populated by the filter chains (syn-flood, spammers) are enforced here.
add action=drop chain=prerouting comment="Drop syn-flood address list" src-address-list=syn-flood
add action=drop chain=prerouting comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
# Invalid TCP flag combinations and port 0 in either direction.
add action=drop chain=prerouting comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting comment="Drop FIN,SYN" protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting comment="Drop FIN,RST" protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting comment="Drop FIN,!ACK" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting comment="Drop FIN,URG" protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting comment="Drop SYN,RST" protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting comment="Drop RST,URG" protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="Drop src Port 0 TCP" protocol=tcp src-port=0
add action=drop chain=prerouting comment="Drop dst Port 0 TCP" dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="Drop src Port 0 UDP" protocol=udp src-port=0
add action=drop chain=prerouting comment="Drop dst Port 0 UDP" dst-port=0 protocol=udp
# Keeps the resolver (/ip dns allow-remote-requests=yes) closed toward the internet.
add action=drop chain=prerouting comment="Drop DNS queries from the internet" dst-port=53 in-interface=WIA protocol=udp
add action=drop chain=prerouting comment="Drop DNS queries from the internet" dst-port=53 in-interface=WIA protocol=tcp
# Anti-spoofing and bogon filtering, same intent as the corresponding filter rules.
add action=drop chain=prerouting comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=not_in_internet
add action=drop chain=prerouting comment="Drop our addressing inbound - spoofed" in-interface=WIA src-address-list=public-add
add action=drop chain=prerouting comment="Drop bogon list" dst-address-list=not_in_internet
add action=drop chain=prerouting comment="Drop packets from LAN that do not have LAN IP" in-interface=BRIDGE src-address=!192.168.242.0/24
add action=drop chain=prerouting comment="Drop packets from ZYXEL that do not have ZYXEL IP" in-interface=ZYXEL src-address=!192.168.240.0/24
add action=drop chain=prerouting comment="Drop packets from VWLAN that do not have VWLAN IP" in-interface=VWLAN src-address=!192.168.241.0/24
# NOTE(review): the raw table has no built-in forward chain (only prerouting and output), and no rule
# here jumps to a chain named "forward", so these two rules are never evaluated. The same rules already
# exist in /ip firewall filter chain=forward; these copies can be removed.
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=!LAN
add action=drop chain=forward comment="Drop Windows ports" port=135-139 protocol=tcp
# ICMP chain (entered via the two jump rules above): permit a fixed set of types, drop everything else.
add action=drop chain=ICMP comment="Drop excessive ICMP traffic" protocol=icmp src-address-list=icmp-attack
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Net unreachable" icmp-options=3:0 protocol=icmp
add chain=ICMP comment="Host unreachable" icmp-options=3:1 protocol=icmp
# Type 3 code 4 is needed for path MTU discovery; relevant here because the PPPoE MTU is 1492.
add chain=ICMP comment="Host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
# Source quench (4:0) is deprecated and ignored by modern stacks; allowing it is harmless but unnecessary.
add chain=ICMP comment="Allow source quench" icmp-options=4:0 protocol=icmp
add chain=ICMP comment="Allow echo request" icmp-options=8:0 protocol=icmp
add chain=ICMP comment="Allow time exceed" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=ICMP comment="Drop all other types"
/ip service
# Management services: everything is bound to the main LAN (192.168.242.0/24); telnet, ftp, ssh and the
# API are disabled entirely. Only www, www-ssl and winbox remain on.
# NOTE(review): plain-HTTP www is still enabled; with www-ssl available it could be disabled as well.
set telnet address=192.168.242.0/24 disabled=yes
set ftp address=192.168.242.0/24 disabled=yes
set www address=192.168.242.0/24
set ssh address=192.168.242.0/24 disabled=yes
set www-ssl address=192.168.242.0/24
set api address=192.168.242.0/24 disabled=yes
set winbox address=192.168.242.0/24
set api-ssl address=192.168.242.0/24 disabled=yes
/ip smb
# Guest access off; the domain/workgroup name is scrubbed in this export. Whether SMB is enabled at all is not visible here.
set allow-guests=no domain=XXX
/ip ssh
# Strong crypto and remote forwarding for SSH; currently latent, since the ssh service is disabled above.
set forwarding-enabled=remote strong-crypto=yes
/lcd
# Front-panel LCD is read-only (no configuration changes from the touchscreen) and PIN protected; the PIN is scrubbed.
set backlight-timeout=1h default-screen=interfaces read-only-mode=yes time-interval=hour
/lcd pin
set hide-pin-number=yes pin-number=xxx
/lcd interface
# Hide the individual wired ports from the LCD and show only the uplink, the WLAN and the modem port.
set Optika disabled=yes
set G1 disabled=yes
set DC01 disabled=yes
set Duo2 disabled=yes
set NetGear disabled=yes
set BAD disabled=yes
set Epson disabled=yes
set eGreat disabled=yes
set Panasonic disabled=yes
set HP disabled=yes
add interface=WIA max-speed=100.0Mbps
/lcd interface pages
set 0 interfaces=WIA,WLAN,ZYXEL
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=RB2011
/system leds
add interface=WIA leds="" type=interface-status
/system logging
# The pppoe topic entry is present but disabled; the firewall "Log" prefixes go to the default logging rules.
add disabled=yes topics=pppoe
/system ntp client
# Time sync via the Czech NTP pool; NTP toward WIA is explicitly allowed in the output chain.
set enabled=yes server-dns-names=cz.pool.ntp.org
/system package update
# Stay on the long-term release channel.
set channel=long-term
/tool bandwidth-server
# Bandwidth-test server off (it would otherwise accept test traffic on all interfaces).
set enabled=no
/tool graphing interface
# Graphs are viewable only from the main LAN and kept in RAM.
add allow-address=192.168.242.0/24 interface=WIA store-on-disk=no
add allow-address=192.168.242.0/24 interface=WLAN store-on-disk=no
/tool graphing resource
add allow-address=192.168.242.0/24 store-on-disk=no
/tool mac-server
# Layer-2 management (MAC-telnet, MAC-winbox) answers only on the bridge member ports, never on ZYXEL/VWLAN/WIA;
# MAC ping is disabled.
set allowed-interface-list=BRIDGELIST
/tool mac-server mac-winbox
set allowed-interface-list=BRIDGELIST
/tool mac-server ping
set enabled=no
add action=drop chain=forward comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=internal-nets
After that, the offending address was no longer pingable, and once its DHCP lease timed out it was gone.
It was 192.168.241.1 on the interface VWLAN.