In essence, I am trying to cut everything down to the bare minimum, while keeping some security and keeping ROS manageable via Dude.
Any comments appreciated!
Full config:
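# Bridge definition. In the pasted listing the "add" line for the bridge sat
# below the /system package commands, where it would be read in the wrong menu;
# it is placed directly under /interface bridge here.
# admin-mac is the author's redacted placeholder, not a usable value.
/interface bridge
add admin-mac=00:etc auto-mac=no comment=defconf name=bridge
# Package trimming: every package disabled here removes features (and their
# listening services) from the device. Disabling a package takes effect only
# after a reboot.
/system package
disable advanced-tools
disable hotspot
disable ipv6
disable mpls
disable ppp
disable routing
# NOTE(review): on RouterOS v6 the "security" package is the one that provides
# SSH and secure WinBox. Disabling it conflicts with "set ssh port=22" under
# /ip service and may leave only unencrypted management paths - confirm which
# management protocols are still intended to work.
disable security
disable wireless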
# All 24 copper ports and both SFP+ ports are members of the single bridge
# "bridge". No VLAN filtering or per-port separation appears in this listing,
# so every port is in the same layer-2 segment as the management address.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
# The management address is obtained by DHCP on the bridge, i.e. from whichever
# DHCP server answers on any of the bridged ports.
# NOTE(review): the switch's address, gateway, DNS and NTP settings therefore
# depend on that answer being trustworthy. A static management address, or DHCP
# snooping with a trusted uplink port, would remove that dependency - confirm
# what fits this network.
/ip dhcp-client
add disabled=no interface=bridge
# Input chain only: these rules govern traffic addressed to the switch itself.
# No forward-chain rules appear in this listing.
# NOTE(review): bridged traffic between ports is normally not passed through the
# IP firewall, so this rule set protects the management plane only - confirm
# that is the intent.
/ip firewall filter
# Rules are evaluated top to bottom; invalid-state packets are dropped and logged first.
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid log=yes log-prefix="DROP INVALID"
add action=accept chain=input comment="Allow established, related" connection-state=established,related
# Accepts every protocol and port from 10.10.10.0/24, with no in-interface or
# destination-port match. Any host holding (or claiming) an address in that
# subnet on the bridged segment reaches all enabled services.
# NOTE(review): consider narrowing this to the management hosts and to the
# ports actually used for management.
add action=accept chain=input comment="Allow IP range" src-address=10.10.10.0/24
# ICMP is accepted from any source and without a rate limit.
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# Default deny for everything else, with logging.
# NOTE(review): logging every dropped packet can flood the log on a busy
# broadcast segment and push out more useful entries - confirm log volume.
add action=drop chain=input comment="Drop all" log=yes log-prefix="DROP ALL OTHER"
# Management services. Cleartext telnet and ftp, and both API variants, are
# switched off; www, ssh and winbox stay enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
# www is the plain-HTTP WebFig service; the address= list limits who may
# connect but does not encrypt the session, so credentials cross the segment in
# cleartext.
# NOTE(review): www-ssl is not configured in this listing - confirm whether
# HTTP is really needed, or disable www and use an encrypted service instead.
set www address=10.10.10.0/24
# Only the port is set for ssh; unlike www and winbox it has no address=
# restriction here and relies on the input-chain filter alone.
# NOTE(review): adding address=10.10.10.0/24 would give the same second layer
# as the other services. Also confirm SSH is available at all with the
# "security" package disabled.
set ssh port=22
set api disabled=yes
set winbox address=10.10.10.0/24
set api-ssl disabled=yes
# Time zone, device identity and time synchronisation.
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="SWITCH 4"
# The NTP client is enabled but no server is listed in this export.
# NOTE(review): presumably the servers are learned from DHCP - confirm, since
# correct time is what makes the firewall drop logs usable for investigation.
/system ntp client
set enabled=yes
# Updates follow the long-term release channel.
/system package update
set channel=long-term
# Boot RouterOS as the device operating system.
/system routerboard settings
set boot-os=router-os
# Graphing is enabled for interfaces, queues and resources with default
# settings ("add" without parameters).
# NOTE(review): the graphs are served by the www service; the default allowed
# address range for graphing is not shown here - confirm it is not broader
# than the 10.10.10.0/24 limit set on www.
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# Layer-2 management access: the MAC server (MAC-Telnet) is allowed on no
# interface list, and MAC ping is switched off.
# NOTE(review): MAC WinBox (/tool mac-server mac-winbox) and neighbor discovery
# are separate settings that do not appear in this listing - confirm they are
# restricted as well, otherwise the device stays discoverable and reachable at
# layer 2 from every bridged port.
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no