My configuration:
/export hide-sensitive
# aug/05/2021 17:17:37 by RouterOS 6.48.3
# software id = UX4J-2Z99
#
# model = 951G-2HnD
# serial number = 642F073E725C
#
# Review notes are the "# NOTE(review)" lines; every exported command is kept
# unchanged. In /ip firewall filter the order is significant: a packet stops at
# the first accept or drop it matches, so the notes there refer to what earlier
# rules have already let through or discarded.
/interface bridge
add admin-mac=64:D1:54:A0:FE:38 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=romania distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-A0FE3C wireless-protocol=802.11
# The internet-facing IP interface is pppoe-out1 (carried over ether1); both are
# members of the WAN interface list further down, which the firewall notes use.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=IS282663601
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): WPA (version 1) is still offered next to WPA2; if every client
# supports WPA2, tighten this to authentication-types=wpa2-psk.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=0s-1d \
tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
# LAN clients are leased from 192.168.15.10-254; VPN clients from
# 192.168.16.2-200 (the /ppp secret entries below pin several users to fixed
# 192.168.16.207-214 addresses above that range).
/ip pool
add name=dhcp ranges=192.168.15.10-192.168.15.254
add name=vpn ranges=192.168.16.2-192.168.16.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# *FFFFFFFE is the internal id of a built-in profile — presumably
# default-encryption, which the SSTP server below references by name; confirm
# with /ppp profile print.
/ppp profile
set *FFFFFFFE local-address=192.168.16.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
# Neighbor discovery (MNDP/CDP/LLDP) is switched off on every interface.
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
# NOTE(review): use-ipsec=yes still accepts plain (non-IPsec) L2TP sessions;
# use-ipsec=required rejects them. The IPsec pre-shared key is not shown
# because of hide-sensitive.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# NOTE(review): PPTP's authentication and encryption (MS-CHAPv2/MPPE) are
# considered broken. With L2TP/IPsec and SSTP already enabled, consider
# enabled=no here and removing the "allow pptp" (tcp/1723) input rule below.
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.15.1/24 comment=defconf interface=bridge network=\
192.168.15.0
/ip cloud
set update-time=no
# ether1 also runs a DHCP client, so it can carry IP traffic of its own beside
# the PPPoE session; the firewall notes below treat both as WAN.
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.15.254 mac-address=A0:43:B0:32:00:A4 server=defconf
add address=192.168.15.253 client-id=1:1c:3b:f3:93:e1:ea mac-address=\
1C:3B:F3:93:E1:EA server=defconf
add address=192.168.15.251 client-id=1:92:60:ab:92:37:58 mac-address=\
92:60:AB:92:37:58 server=defconf
add address=192.168.15.252 client-id=1:a8:a1:59:51:54:98 mac-address=\
A8:A1:59:51:54:98 server=defconf
add address=192.168.15.249 mac-address=E8:68:E7:4D:9A:76 server=defconf
/ip dhcp-server network
add address=192.168.15.0/24 comment=defconf gateway=192.168.15.1 netmask=24
/ip dns static
add address=192.168.15.1 comment=defconf name=router.lan
# allowed_to_router: the whole LAN subnet except the router's own address.
# not_in_internet: the RFC 6890 special-purpose ranges, used by the forward
# chain drops below. Note that 192.168.0.0/16 covers both the LAN
# (192.168.15.0/24) and the VPN pool (192.168.16.0/24).
/ip firewall address-list
add address=192.168.15.2-192.168.15.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# Two rule sets follow: the RouterOS defconf rules (with the "allow ..." VPN and
# management accepts inserted near the top) and, after them, an older
# hand-written set. fasttrack-connection only marks the connection and falls
# through to the next rule; accept and drop are final.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): the seven "allow ..." rules below carry no in-interface or
# src-address match and sit before the "drop all not coming from LAN" rule, so
# udp/500, udp/4500, udp/1701, tcp/1723, tcp/443, tcp/8291 and tcp/22 are
# reachable from every interface, the WAN included. The VPN ports have to be
# open towards the internet; for ssh and winbox the /ip service address list
# further down is then the only remaining check. Suggested tightening:
#   - "allow l2tp": add ipsec-policy=in,ipsec so only L2TP that arrived inside
#     IPsec is accepted (same matcher the defconf forward rules use);
#   - "allow winbox" and "allow ssh": add in-interface-list=!WAN — LAN and the
#     VPN interfaces (which are in neither list) keep working, the WAN does not.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything after this rule in the input chain only sees traffic from the LAN
# list (the bridge). The dynamic L2TP/PPTP/SSTP interfaces are members of
# neither list in this export, so VPN clients reach the router itself only via
# the explicit accepts above and established/related traffic.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
# This WAN-list rule already covers both ether1 and pppoe-out1 for the
# not-DSTNATed case; compare the older ether1-only rules further down.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Older input rules. Because of the "drop all not coming from LAN" rule above,
# only LAN-list traffic reaches them; the final unconditional drop then discards
# LAN traffic whose source is outside allowed_to_router (192.168.15.2-254)
# unless it is ICMP. Mostly redundant with the defconf set.
add action=accept chain=input comment="default configuration" connection-state=\
established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
# Older forward rules; the first three duplicate the defconf fasttrack /
# established / invalid rules already matched above.
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
# NOTE(review): not_in_internet includes 192.168.0.0/16 and therefore the VPN
# pool 192.168.16.0/24. A new connection from a LAN host to a VPN client leaves
# through a VPN interface (out-interface=!bridge), so it matches this rule and
# is dropped and logged with prefix !public_from_LAN; no earlier rule accepts
# new LAN->VPN connections. If LAN -> VPN access is wanted, accept
# dst-address=192.168.16.0/24 in-interface=bridge above this rule, or take the
# pool out of the list.
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
out-interface=!bridge
# NOTE(review): in-interface=ether1 matches only the physical port; traffic
# arriving through the PPPoE session is seen on pppoe-out1 and is not matched by
# this rule or the next. The defconf WAN-list rule above already handles the
# not-DSTNATed case, but the spoofed-private-source check in the next rule has
# no WAN-list equivalent, so it currently does nothing for the PPPoE uplink.
# Fix: in-interface-list=WAN in place of in-interface=ether1 in both rules.
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes \
log-prefix=LAN_!LAN src-address=!192.168.15.0/24
# Masquerade on the WAN list (skipping IPsec-policy traffic) plus a second
# masquerade for the VPN subnet on every outgoing interface.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.16.0/24
/ip kid-control device
add mac-address=A8:A1:59:51:54:98 name="DESKTOP-58VOIBT;1"
add mac-address=92:60:AB:92:37:58 name="OnePlus-7T-Pro;2"
add mac-address=A0:43:B0:32:00:A4 name="RM4-32-00-a4;6"
add mac-address=1C:3B:F3:93:E1:EA name="Archer_C80;5"
# Management plane: telnet, ftp, www, api and api-ssl are disabled; ssh and
# winbox answer only two LAN addresses (the .251/.252 static leases) and the
# fixed VPN addresses of mihaifp and artcore (see /ppp secret). This
# service-level address check is what keeps ssh/winbox off the internet, since
# the input chain accepts tcp/22 and tcp/8291 from any interface.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=\
192.168.15.252/32,192.168.15.251/32,192.168.16.207/32,192.168.16.208/32
set api disabled=yes
set winbox address=\
192.168.15.252/32,192.168.15.251/32,192.168.16.207/32,192.168.16.208/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# VPN accounts; passwords are hidden by the export. The "vpn" entry is disabled.
/ppp secret
add disabled=yes name=vpn
add local-address=192.168.16.1 name=mihaifp remote-address=192.168.16.207
add local-address=192.168.16.1 name=simonah remote-address=192.168.16.210
add local-address=192.168.16.1 name=horeab remote-address=192.168.16.211
add local-address=192.168.16.1 name=dianab remote-address=192.168.16.212
add local-address=192.168.16.1 name=artcore remote-address=192.168.16.208
add local-address=192.168.16.1 name=garajpc remote-address=192.168.16.213
add local-address=192.168.16.1 name=etaj1pc remote-address=192.168.16.214
/system clock
set time-zone-name=Europe/Bucharest
# NOTE(review): both LED schedulers and the wol-pc script below carry the full
# policy set (ftp,reboot,write,policy,password,sniff,sensitive,romon) to run a
# single command each. Trim every policy= to the smallest set the command still
# runs with (least privilege); verify the minimum on this release.
/system scheduler
add name="LEDs off" on-event="system leds settings set all-leds-off=immediate" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/04/2021 start-time=22:00:00
add name="LEDs on" on-event="system leds settings set all-leds-off=never" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/04/2021 start-time=06:00:00
/system script
add dont-require-permissions=no name=wol-pc owner=mihai policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"tool wol interface=bridge mac=A8:A1:59:51:54:98"
/tool bandwidth-server
set enabled=no
# MAC-level access (mac-telnet, mac-winbox, mac-ping) is disabled on every
# interface, so the router is reachable only over IP.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Thanks!