# dec/21/2021 07:13:27 by RouterOS 7.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number =
# Interfaces: bridge, ethernet ports, both wireless radios, WireGuard server and the PPPoE uplink.
# A trailing "\" continues the same command on the next line (export formatting); keep
# comments between commands, never inside a continued command.
/interface bridge
# admin-mac is redacted ("xx.xx.xx.xx") in this export; auto-mac=no pins the bridge MAC to it.
add admin-mac=xx.xx.xx.xx auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether3: explicit link advertisement (100M and 1G, half and full duplex).
set [ find default-name=ether3 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full
# sfp1 is disabled but is still listed as a bridge port further down in this export.
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
# Both radios run as access points (mode=ap-bridge) with WPS off; SSID is redacted ("xxx").
# NOTE(review): country=no_country_set leaves the regulatory domain unset on both radios;
# set a country so channel and tx-power limits match local rules (wlan2 is pinned to 5765 MHz).
# installation=indoor on wlan1 vs installation=outdoor on wlan2 looks inconsistent - confirm.
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-XX country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
frequency=5765 frequency-mode=manual-txpower installation=outdoor mode=\
ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
wps-mode=disabled
/interface wireguard
# WireGuard server interface "Home", UDP 13231 (the input-chain accept rule below matches
# this port). No /ip address is assigned to "Home" anywhere in this export, and the client
# notes at the end mention 192.168.66.1, which appears nowhere in the router config -
# presumably the tunnel address was redacted; confirm before reusing this export.
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
# WAN uplink on ether1; installs the default route. The user is redacted and the password
# is not shown (presumably hidden by the export).
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
xxxxxxxxx
/interface list
# WAN/LAN lists referenced by the firewall, NAT, neighbor-discovery and UPnP sections.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
# Default profile used by both radios: PSK with WPA2 and WPA(1) both allowed, no EAP.
# NOTE(review): wpa-psk lets clients associate with WPA1; if no legacy client needs it,
# reduce to authentication-types=wpa2-psk. The passphrase is not shown in this export.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
# Two DHCP pools: "dhcp" for the bridge subnet (192.168.88.0/24) and "pinet" for the
# ether5 segment (192.168.188.0/24). Addresses below .10 / .20 are left for static use.
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
# ether5 is not a bridge port, so it gets its own DHCP server and L3 segment.
add address-pool=pinet interface=ether5 name=pinetDHCP
/routing bgp template
# BGP template and a disabled OSPF area only; no BGP connection or OSPF interface appears
# in this export, so these look unused (likely defaults kept by the export).
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
# Extra FIB table; the /ip route entries further down populate it, but no /routing rule
# in this export selects it, so it presumably has no effect on forwarding. Confirm.
add fib name=to_ISP1
/interface bridge port
# LAN bridge: ether2-4, sfp1 (disabled above) and both radios. ether1 (WAN) and ether5
# (separate "pinet" segment) are deliberately not bridged.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN-list interfaces, never towards the WAN.
set discover-interface-list=LAN
/ip settings
# rp-filter=loose: source-address sanity check that only requires a route to exist for
# the source, on any interface.
set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings
# IPv6 is switched off entirely; the client notes at the end route ::/0 into the tunnel,
# which this router will not carry. Intentional? Confirm.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
# WAN = ether1 + pppoe-out1; LAN = bridge + ether5 + WireGuard "Home". Every firewall rule
# that matches in-interface-list=LAN therefore also covers the pinet segment and the
# WireGuard peers.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
/interface wireguard peers
# Single peer, public key redacted. No allowed-address is set in this export; WireGuard
# only accepts traffic from a peer for the addresses listed there, so this peer cannot
# exchange traffic as shown - presumably redacted. The client notes give the peer address
# as 192.168.88.20, so allowed-address=192.168.88.20/32 would be the expected value; confirm.
add interface=Home public-key="xxxxxxxxx"
/ip address
# Router addresses: .88.1 on the bridge, .188.1 on ether5 (pinet). Nothing on "Home".
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
192.168.188.0
/ip cloud
# MikroTik cloud DDNS publishes the router's public address; presumably the DNS name the
# WireGuard clients use as their endpoint.
set ddns-enabled=yes
/ip dhcp-client
# Default DHCP client on ether1 is disabled; the WAN address comes from pppoe-out1 instead.
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
# Bridge clients are handed 192.168.188.25 (a host on the ether5 segment, the pihole per the
# NAT/scheduler comments below) as their DNS server; this relies on the inter-subnet forward
# rules in the filter section.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
# Host-specific (/32) network for 192.168.188.25 so that the pihole itself resolves via the
# router rather than via itself. NOTE(review): gateway=192.168.88.1 is not on this host's
# 192.168.188.0/24 link (its gateway above is 192.168.188.1) and netmask=24 on a /32 entry is
# odd - looks like a copy/paste slip; confirm what the pihole actually receives.
add address=192.168.188.25/32 comment=route dns-server=192.168.88.1 gateway=\
192.168.88.1 netmask=24
/ip dns
# Router resolver: upstream over DoH to Cloudflare with certificate verification, plain
# 1.1.1.1/1.0.0.1 as fallback servers, 2-day cache cap. allow-remote-requests=yes makes the
# router answer DNS for others; the input chain only admits port 53 from LAN-list interfaces.
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
# Static A records for the DoH hostname, presumably so the DoH server name can be resolved
# before DoH itself is usable. These pinned addresses must be kept in sync with the
# provider's published addresses or DoH silently stops working.
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
# Hosts allowed to reach router services (used by the "Allow ADMIN to Router" rule).
# Excludes the router's own .1 addresses and 192.168.188.1-.19.
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.188.20-192.168.188.254 list=allowed_to_router
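/ip firewall filter
# ---- input chain (traffic to the router itself): default-deny, evaluated top to bottom ----
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# WireGuard handshake/transport; no in-interface restriction because peers arrive over WAN.
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp
# Management access only from listed LAN hosts (address list defined above) on LAN-list
# interfaces, which include ether5 (pinet) and the WireGuard interface.
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=allowed_to_router
# DNS to the router from any LAN-list host (needed by the pihole and by the NAT bypass below).
# Fix: the original used port=53, which matches either the source OR the destination port,
# so any LAN packet merely sourced from port 53 was accepted regardless of target service.
# dst-port=53 expresses the intent (queries to the router's resolver only).
add action=accept chain=input comment="Allow LAN DNS to router" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS to router" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input
# ---- forward chain (traffic through the router): default-deny at the end ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Fasttrack marks established flows for hw/fast path; rules after this only see new
# connections (and traffic fasttrack cannot handle).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Inbound from WAN is only accepted when a dst-nat rule already rewrote it. NOTE(review): UPnP
# is enabled further down with pppoe-out1 as external interface, so LAN hosts can create such
# dst-nat entries themselves; this rule then admits them without further restriction.
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
in-interface-list=LAN out-interface-list=WAN
# Bridge subnet and pinet segment may talk to each other in both directions, i.e. ether5 is a
# separate subnet but not an isolated one.
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"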
/ip firewall nat
# Source NAT for everything leaving via a WAN-list interface (except IPsec-policied traffic).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# "pihole_bypass": when enabled, DNS (UDP/TCP 53) addressed to the pihole (192.168.188.25)
# is redirected to the router's own resolver at 192.168.88.1 (port unchanged, no to-ports).
# Both rules start disabled; the "bypass" scheduler further down toggles them by matching
# on this comment string, so the comment text is load-bearing - do not rename it.
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
192.168.88.1
/ip route
# Default routes in the extra table to_ISP1. Two are disabled; the enabled one (distance 2)
# uses 104.16.249.249 - one of the pinned cloudflare-dns.com addresses above - as next hop,
# which is not on any local link, so it can only resolve recursively via the main table.
# No /routing rule in this export selects to_ISP1, so these presumably do nothing today;
# they look like leftovers of a failover/DoH experiment. Confirm before relying on them.
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
104.16.248.249 pref-src="" routing-table=to_ISP1 scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-out1 pref-src="" routing-table=to_ISP1 scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
104.16.249.249 routing-table=to_ISP1
# Disabled host routes pinning the two DoH addresses to the PPPoE uplink (main table).
add disabled=yes distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 \
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 \
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
/ip service
# Management services: telnet, ftp, api and api-ssl off; ssh moved to a non-default port
# (redacted); winbox limited to the bridge subnet by source address. Note winbox's address
# filter does not include the pinet segment (192.168.188.0/24), while ssh has no address
# filter at all and relies solely on the input chain. www/www-ssl are not listed here, so
# they are presumably at their defaults (www enabled) and likewise protected only by the
# input chain; consider disabling www or giving it the same address= restriction.
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxx
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
# strong-crypto=yes drops weak SSH ciphers/MACs. forwarding-enabled=remote allows SSH
# clients to open remote (reverse) port forwards on the router - confirm this is needed,
# otherwise set forwarding-enabled=no.
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
# UPnP lets any host on the bridge or pinet segment open inbound ports on pppoe-out1 without
# administrator involvement; the forward chain's DSTNAT rule then accepts that traffic.
# Keep only if a LAN application truly requires it.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
add interface=ether5 type=internal
/system clock
set time-zone-name=Asia/Dhaka
/system logging
# Wireless debug logging is very verbose on a busy AP; dns logging is present but disabled.
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
# Time sync from the public NTP pool (needed for DoH certificate validation to work).
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
# Scheduled reboot every 2 days at 05:05. NOTE(review): the policy list is the full set
# (including password, sensitive and policy) although the script only reboots; a reboot-only
# policy should suffice - confirm on this RouterOS version before trimming.
add interval=2d name=reboot on-event="system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jun/07/2020 start-time=05:05:00
# Pihole health check, every 30 s. The "\r\" / "\n" sequences are the export's encoding of
# line breaks inside the script string and must be kept verbatim.
# Logic: piholeDown = number of DISABLED NAT rules whose comment contains "pihole_bypass"
# (so, despite its name, >0 means the bypass is currently OFF and the pihole is presumed up).
#   - bypass off: resolve testDomain via the pihole; on failure enable the bypass rules.
#   - bypass on:  resolve via the pihole; on success disable the bypass rules again.
# Same full policy list as above; read, write and test are presumably all it needs.
add interval=30s name=bypass on-event=":local piholeDown [/ip firewall nat pri\
nt count-only where comment~\"pihole_bypass\" && disabled]\r\
\n:local piholeDNS \"192.168.188.25\"\r\
\n:local testDomain \"www.google.com\"\r\
\n\r\
\n:if (\$piholeDown > 0 ) do={\r\
\n :do {\r\
\n :resolve \$testDomain server \$piholeDNS\r\
\n } on-error={\r\
\n /ip firewall nat enable [find comment=pihole_bypass];\r\
\n }\r\
\n} else={\r\
\n :do {\r\
\n :resolve \$testDomain server \$piholeDNS\r\
\n /ip firewall nat disable [find comment=pihole_bypass];\r\
\n } on-error={}\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=may/21/2021 start-time=05:31:03
/tool bandwidth-server
# Hardening: bandwidth test server and all MAC-layer management (MAC telnet, MAC winbox,
# MAC ping) are switched off, so the router is manageable only over IP.
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Interface: iphone
Public key: xxxxxx
Addresses: 192.168.88.20/24,2001 (note: these subnet masks differ from the ones in the server config)
DNS servers: as desired; to use the WireGuard server for DNS, specify 192.168.66.1
Peer:
Public key: the MikroTik router's public key
Endpoint: mydyndns.whatever:13231
Allowed IPs: 0.0.0.0/0, ::/0