Code: Select all
/interface bridge
add admin-mac=B8:69:F4:B0:51:BB auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on
/interface vlan
add interface=bridge name=VLan85 vlan-id=85
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.66.10-192.168.66.250
add name=dhcp_pool2 ranges=192.168.23.10-192.168.23.200
add name=dhcp_pool3 ranges=192.168.188.50-192.168.188.254
add name=dhcp_pool4 ranges=192.168.150.50-192.168.150.250
add name=dhcp_pool5 ranges=192.168.130.2-192.168.130.254
add name=dhcp_pool6 ranges=192.168.85.2-192.168.85.250
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool6 interface=VLan85 name=Vlan85
/port
set 0 name=serial0
/queue simple
add max-limit=50M/50M name=queue queue=pcq-upload-default/pcq-download-default target=192.168.66.0/24
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=66
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf interface=ether5 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=130
add bridge=bridge tagged=bridge,ether5 vlan-ids=85
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.85.1/24 interface=VLan85 network=192.168.85.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.85.0/24 gateway=192.168.85.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=12.1.35.167 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward connection-state=established,related dst-address=192.168.60.0/24 protocol=icmp src-address=192.168.23.0/24
add action=drop chain=forward dst-address=192.168.23.0/24 src-address=192.168.66.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN