When I re-connect my laptop LAN port connection, all connections are restored, receive addresses in their DHCP ranges and have internet access restored, communications are as expected.
All VLANs and network traffic can communicate with each other and access the internet as needed.
Everything was normal until this week. Recently I upgraded to 7.8. All was working well until I went messing with the SFP settings, after realizing I hadn’t checked whether I was getting 10Gb from both interfaces to and from the Aruba S2500. I set all settings back to the way they were before I changed them (they had been working fine at 1Gb), but the problem persisted.
I also had made some firewall rule changes which included alterations to Address Lists. Aside from a firewall config that needs revisiting at a later point, I’m not too clear as to why this is happening.
I’ve even disabled most firewall rules in the meantime, in both Filter and Raw. The problem still persists. Unplug the LAN cable from the laptop, and down goes everything. Very frustrating.
Export of my config.
# mar/25/2023 12:50:42 by RouterOS 7.8
# software id = L2GF-7Z2L
#
# model = RB4011iGS+
# serial number = *
# Single bridge with VLAN filtering: the /interface bridge vlan table further
# down decides which port may carry which VLAN. MSTP is the spanning-tree mode.
# NOTE(review): auto-mac=no with a fixed (redacted) admin-mac means the bridge
# MAC should not change when a port such as ether2 goes down -- worth
# confirming with "/interface bridge print" while reproducing the
# laptop-unplug symptom, since a changing bridge MAC would explain it.
/interface bridge
add admin-mac=* auto-mac=no comment=defconf name=bridge \
protocol-mode=mstp vlan-filtering=yes
# ether1 is the WAN uplink (it is not a bridge port); ether2 is the "LAN"
# port the laptop is plugged into (bridged below without a pvid).
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
# SFP+ trunk to the Aruba switch, pinned to 1Gbps with loop-protect on.
# NOTE(review): the auto-negotiation setting is not shown in this export; a
# forced speed on one end with auto-negotiation on the other is a common
# cause of an unstable link -- compare with the switch-side port settings.
set [ find default-name=sfp-sfpplus1 ] loop-protect=on speed=1Gbps
# One routed (L3) VLAN interface per VLAN, all on top of the bridge. The
# default 192.168.88.0/24 network is on the bridge interface itself and is
# reached by the ports that have no pvid (RouterOS default pvid 1).
/interface vlan
add comment="VLAN for Mgmt" interface=bridge name=MGMT vlan-id=99
add comment=Hypervisor interface=bridge name=VLAN10 vlan-id=10
add comment=Servers interface=bridge name=VLAN20 vlan-id=20
add comment=Data interface=bridge name=VLAN30 vlan-id=30
add comment=Work interface=bridge name=VLAN50 vlan-id=50
add comment="Untrusted LAN" interface=bridge name=VLAN60 vlan-id=60
# Interface lists referenced by the firewall, the DHCP raw rule and
# MAC-Winbox (members are assigned under /interface list member).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Work
add name=VLAN
add name=Winbox
# Defaults left over from defconf (no LTE or wireless hardware on this model).
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKEv2 responder for road-warrior clients (identities are further down).
/ip ipsec policy group
add name=vpn
# NOTE(review): dh-group=modp1024 (1024-bit DH) is below current guidance;
# modp2048 or an ECP group is preferred. The change has to be mirrored on the
# clients or IKE negotiation will fail.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
# passive=yes: this router only answers IKE, it never initiates.
/ip ipsec peer
add exchange-mode=ike2 name=vpn passive=yes profile=vpn
# NOTE(review): pfs-group=none disables Perfect Forward Secrecy for the child
# SAs; enabling a PFS group is the safer choice if the clients support it.
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
# DHCP address pools, one per network. The default pool spans most of
# 192.168.88.0/24; the VLAN pools hand out .100-.150 of their /24.
/ip pool
add name="default VLAN" ranges=192.168.88.10-192.168.88.254
add name=VLAN50 ranges=192.168.50.100-192.168.50.150
add name=VLAN60 ranges=192.168.60.100-192.168.60.150
add name=MGMT ranges=192.168.99.20-192.168.99.100
add name=VLAN30 ranges=192.168.30.100-192.168.30.150
add name=VLAN10 ranges=192.168.10.100-192.168.10.150
add name=VLAN20 ranges=192.168.20.100-192.168.20.150
# One DHCP server per L3 interface. "defconf" listens on the bridge itself,
# i.e. it serves the untagged (pvid 1) ports such as ether2 and ether10.
/ip dhcp-server
add address-pool="default VLAN" interface=bridge name=defconf
add address-pool=VLAN50 interface=VLAN50 name=VLAN50
add address-pool=VLAN60 interface=VLAN60 name=VLAN60
add address-pool=MGMT interface=MGMT name=MGMT
add address-pool=VLAN30 interface=VLAN30 name=VLAN30
add address-pool=VLAN10 interface=VLAN10 name=VLAN10
add address-pool=VLAN20 interface=VLAN20 name=VLAN20
# Console/serial port names (defaults).
/port
set 0 name=serial0
set 1 name=serial1
# Disabled simple queue; the target lists VLAN50 twice, which is harmless
# but probably a copy/paste slip.
/queue simple
add disabled=yes name=PS4 target=VLAN50,VLAN50
# NOTE(review): the BGP template and both OSPF instances are enabled
# (disabled=no) although no BGP connection is shown and both OSPF areas are
# disabled. If dynamic routing is not in use, disabling these keeps the
# router from listening for routing-protocol traffic it does not need.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
# Bridge port membership. Access ports carry a pvid and accept only untagged
# frames; ether8 and sfp-sfpplus1 are trunks that accept only tagged frames.
# ether2 (LAN/laptop) and ether10 have no pvid and therefore use the
# bridge-port default (pvid 1 in RouterOS), i.e. the 192.168.88.0/24 network.
# ether1 (WAN) is intentionally not a bridge port.
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2
# ether3/ether7 -> VLAN30 (Data); ether4/ether6 -> VLAN60 (Untrusted LAN);
# ether9 -> VLAN99 (MGMT); ether5 -> VLAN50 (Work).
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=60
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether6 pvid=60
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether7 pvid=30
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether9 pvid=99
# NOTE(review): ingress-filtering=no is set only on ether10, so frames on
# that port are not checked against the bridge VLAN table; every other port
# uses the default (filtering on). Confirm this exception is intended.
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
ether10
# Trunk ports: sfp-sfpplus1 (to the Aruba S2500) and ether8.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=sfp-sfpplus1
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether8
# Connection tracking is required by the established/related rules and by
# fasttrack.
/ip firewall connection tracking
set enabled=yes
# NOTE(review): neighbor discovery (MNDP/CDP/LLDP) is announced on ALL
# interfaces, including ether1/WAN, which advertises the router's identity,
# model and RouterOS version to the upstream network. defconf limits this to
# the LAN list: `set discover-interface-list=LAN`.
/ip neighbor discovery-settings
set discover-interface-list=all
# SYN cookies on: protects the router's own listeners against SYN floods.
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
# IPv6 is disabled globally, so the /ipv6 firewall sections below are
# currently inert and only matter if this is switched back on.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Static bridge VLAN table. Every VLAN is tagged on the bridge itself (so the
# /interface vlan interfaces can route it) and on both trunks (sfp-sfpplus1
# to the Aruba, ether8). Untagged members must match the pvid given under
# /interface bridge port (ether9 -> 99, ether7/ether3 -> 30 do).
# No entry is defined for VLAN 1 (the pvid of ether2/ether10 and of the
# bridge); RouterOS is expected to add that one dynamically -- verify with
# "/interface bridge vlan print".
/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8 \
untagged=ether9 vlan-ids=99
add bridge=bridge comment="VLAN 50" tagged=bridge,sfp-sfpplus1,ether8 \
vlan-ids=50
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether8 \
vlan-ids=60
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 untagged=ether7,ether3 \
vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether8 vlan-ids=20
# Interface list members.
# NOTE(review): LAN contains only the bridge interface. Packets from VLAN
# clients arrive on their VLAN interface (VLAN10..VLAN60, MGMT), which is NOT
# in LAN, so any rule matching in-interface-list=LAN (DHCP accept in raw,
# "accept everything else from LAN") or in-interface-list=!LAN ("drop all not
# coming from LAN") treats VLAN clients as non-LAN. Add the VLAN interfaces
# and MGMT to LAN before re-enabling those rules.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN50 list=VLAN
add interface=VLAN60 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
# Winbox list = where MAC-Winbox is allowed (see /tool mac-server mac-winbox).
# NOTE(review): including the bridge interface makes MAC-Winbox reachable
# from every bridge port, and MAC-level access is not subject to the
# address= restriction set on /ip service winbox.
add interface=bridge list=Winbox
add interface=MGMT list=Winbox
add interface=VLAN30 list=Winbox
# NOTE(review): md5 is accepted as an OpenVPN auth digest; remove it unless an
# old client still needs it. Whether the OVPN server is enabled is not shown.
/interface ovpn-server server
set auth=sha1,md5
# Gateway address per network. The default 192.168.88.1/24 sits on the bridge
# interface (untagged/pvid-1 ports); the others sit on their VLAN interface.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.99.1/24 comment=MGMT interface=MGMT network=192.168.99.0
add address=192.168.50.1/24 comment=WORK interface=VLAN50 network=\
192.168.50.0
add address=192.168.60.1/24 comment="Untrusted LAN" interface=VLAN60 network=\
192.168.60.0
add address=192.168.30.1/24 comment=Data interface=VLAN30 network=\
192.168.30.0
add address=192.168.10.1/24 comment=Hyper interface=VLAN10 network=\
192.168.10.0
add address=192.168.20.1/24 comment=Servers interface=VLAN20 network=\
192.168.20.0
# MikroTik cloud DDNS: the router publishes its public address under a
# MikroTik-provided DNS name. Disable if it is not used.
/ip cloud
set ddns-enabled=yes
# WAN address via DHCP; ISP DNS servers are ignored (DoH is used instead).
/ip dhcp-client
add interface=ether1 use-peer-dns=no
# Static DHCP leases.
/ip dhcp-server lease
add address=192.168.30.103 client-id=1:74:d8:3e:8b:f4:89 mac-address=\
74:D8:3E:8B:F4:89 server=VLAN30
add address=192.168.30.109 client-id=1:9c:3d:cf:c:8f:c0 mac-address=\
9C:3D:CF:0C:8F:C0 server=VLAN30
add address=192.168.50.100 client-id=1:d8:bb:c1:7a:37:81 mac-address=\
D8:BB:C1:7A:37:81 server=VLAN50
add address=192.168.88.254 client-id=1:0:2b:67:c9:3f:7 mac-address=\
00:2B:67:C9:3F:07 server=defconf
# Per-network DHCP options. No dns-server is set, so presumably the router
# itself is handed out as the clients' DNS server -- verify against a lease.
/ip dhcp-server network
add address=192.168.10.0/24 comment=Hyper gateway=192.168.10.1
add address=192.168.20.0/24 comment=Server gateway=192.168.20.1
add address=192.168.30.0/24 comment=Data gateway=192.168.30.1
add address=192.168.50.0/24 comment=Work gateway=192.168.50.1
add address=192.168.60.0/24 comment="Untrusted LAN" gateway=192.168.60.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.99.0/24 comment=MGMT gateway=192.168.99.1
# Router-side resolver, upstream Cloudflare over DoH.
# NOTE(review): allow-remote-requests=yes answers queries on every interface.
# The input-chain rules that would block port 53 from WAN ("drop all not
# coming from LAN" and "DROP ALL") are both disabled in the filter below, so
# this resolver is currently reachable from the internet (open-resolver /
# amplification risk) until one of them is re-enabled.
# NOTE(review): verify-doh-cert=yes requires the DoH server's CA certificate
# under /certificate; that is not visible in this export.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1 use-doh-server=\
https://cloudflare-dns.com/dns-query verify-doh-cert=yes
# Bootstrap entries so resolving the DoH hostname does not depend on DoH.
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
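# IPv4 address lists used by the filter and raw rules.
# Fixes applied in this listing (originals were not valid or not what the
# RFC6890 comments say): bad_ipv4 198.51.100.0/24 (was 192.51.100.0/24, a
# public block), bad_ipv4 240.0.0.0/4 (was /24), VLAN10 range
# 192.168.10.1-192.168.10.254 (was a five-octet address), LAN 192.168.60.0/24
# (was "192.168.60.0.24").
/ip firewall address-list
# Hosts allowed to reach the router's management ports (input chain).
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
# not_in_internet: bogons PLUS all RFC1918 space. Only use it on WAN-facing
# matchers -- a forward/raw rule using it without an interface qualifier
# also drops every LAN-to-LAN packet.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6 to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# Both DDoS lists are empty in this export; the raw rule that uses them is
# disabled, so they are presumably meant to be filled dynamically.
add list=ddos-attackers
add list=ddos-target
# Country block list (truncated in the forum post; "..." is the poster's
# elision, not configuration).
add address=1.0.1.0/24 comment=CHINA list=CountryIPBlocks
...
# defconf lists: no_forward_ipv4 / bad_src_ipv4 / bad_ipv4 / not_global_ipv4.
# Unlike not_in_internet these contain no RFC1918 space, so they are safe to
# use on forward rules without an interface qualifier.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_src_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890" list=bad_src_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890" list=bad_ipv4
# TEST-NET-2 (documentation range); the export had 192.51.100.0/24, which is
# public address space and would have been dropped in raw.
add address=198.51.100.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890" list=bad_ipv4
# Reserved class E is the whole /4 (the export had /24).
add address=240.0.0.0/4 comment="defconf: RFC6890" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
# Per-network lists used by the (currently disabled) inter-VLAN rules.
# MGMT_address and "MGMT VLAN" both hold 192.168.99.0/24; MGMT_address also
# holds the default 192.168.88.0/24 (added further down).
add address=192.168.99.0/24 list=MGMT_address
add address=192.168.99.2-192.168.99.254 list=allowed_to_router
add address=192.168.50.1-192.168.50.254 list=WORK
add address=192.168.60.1-192.168.60.254 list=VLAN60
add address=192.168.30.1-192.168.30.254 comment="DATA (Lan+Wifi)" list=VLAN30
add address=192.168.88.1-192.168.88.254 list=BRIDGE
add address=192.168.88.1 list="BRIDGE IP"
add address=192.168.99.1 list="BRIDGE MGMT IP"
add address=192.168.99.2 list="ARUBAS SWITCH"
add address=192.168.99.0/24 list="MGMT VLAN"
add address=192.168.30.103 list=allowed_to_router
add address=192.168.20.1-192.168.20.254 list=VLAN20
# Was 192.168.10.1-192.168.88.10.254 (five octets, not a valid range).
add address=192.168.10.1-192.168.10.254 list=VLAN10
add address=192.168.88.0/24 list=MGMT_address
# LAN list: every local subnet.
add address=192.168.10.0/24 list=LAN
add address=192.168.20.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.50.0/24 list=LAN
# Was "192.168.60.0.24" (dot instead of slash before the prefix length).
add address=192.168.60.0/24 list=LAN
add address=192.168.88.0/24 list=LAN
add address=192.168.99.0/24 list=LAN
# TikTok block list. The first entry is a DNS name, which the router resolves
# periodically and expands into whatever addresses it returns.
add address=tiktok.com comment=TikTok.com list=tiktok
add address=147.160.176.0/24 comment=TikTok.com list=tiktok
add address=147.160.177.0/24 comment=TikTok.com list=tiktok
add address=147.160.178.0/24 comment=TikTok.com list=tiktok
add address=147.160.179.0/24 comment=TikTok.com list=tiktok
add address=147.160.180.0/24 comment=TikTok.com list=tiktok
add address=147.160.181.0/24 comment=TikTok.com list=tiktok
add address=147.160.182.0/24 comment=TikTok.com list=tiktok
add address=147.160.183.0/24 comment=TikTok.com list=tiktok
add address=147.160.184.0/24 comment=TikTok.com list=tiktok
add address=147.160.185.0/24 comment=TikTok.com list=tiktok
add address=147.160.187.0/24 comment=TikTok.com list=tiktok
add address=147.160.188.0/24 comment=TikTok.com list=tiktok
add address=147.160.189.0/24 comment=TikTok.com list=tiktok
add address=147.160.190.0/24 comment=TikTok.com list=tiktok
add address=147.160.191.0/24 comment=TikTok.com list=tiktok
add address=103.136.221.0/24 comment=TikTok.com list=tiktok
add address=103.136.220.0/24 comment=TikTok.com list=tiktok
add address=103.136.220.0/23 comment=TikTok.com list=tiktok
add address=192.64.14.0/24 comment=TikTok.com list=tiktok
add address=199.103.24.0/24 comment=TikTok.com list=tiktok
add address=199.103.25.0/24 comment=TikTok.com list=tiktok
add address=130.44.212.0/24 comment=TikTok.com list=tiktok
add address=130.44.213.0/24 comment=TikTok.com list=tiktok
add address=130.44.214.0/24 comment=TikTok.com list=tiktok
add address=130.44.215.0/24 comment=TikTok.com list=tiktok
add address=139.177.224.0/24 comment=TikTok.com list=tiktok
add address=139.177.225.0/24 comment=TikTok.com list=tiktok
add address=139.177.226.0/24 comment=TikTok.com list=tiktok
add address=139.177.254.0/24 comment=TikTok.com list=tiktok
add address=139.177.255.0/24 comment=TikTok.com list=tiktok
add address=192.168.88.254 list=allowed_to_router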
# IPv4 filter. Most rules are disabled (troubleshooting), so what is active:
# input accepts established/related/untracked, Winbox (8291) and the HTTPS
# admin port (8844) from allowed_to_router -- and then falls through to the
# default accept, because both terminating drops ("drop all not coming from
# LAN", "DROP ALL") are disabled. Every listener on the router is therefore
# reachable from ether1/WAN, limited only by per-service address= settings
# (/ip service): DNS (53), SSH (20022), IKE/IPsec, and so on.
# The forward chain has NO active rule at all, including the defconf
# "drop all from WAN not DSTNATed" rule; the LAN is shielded only by NAT.
# NOTE(review): before re-enabling "drop all not coming from LAN", add the
# VLAN interfaces to the LAN list -- it currently holds only the bridge, so
# VLAN clients' traffic to the router (e.g. DNS) would be dropped as non-LAN.
# "drop all from WAN not DSTNATed" matches in-interface-list=WAN only and is
# safe to re-enable as-is.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Management access from allowed_to_router; every Winbox connection is logged.
add action=accept chain=input dst-port=8291 log=yes log-prefix=Winbox \
protocol=tcp src-address-list=allowed_to_router
add action=accept chain=input dst-port=8844 protocol=tcp src-address-list=\
allowed_to_router
# Disabled terminating input drop (see note above about the LAN list).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN log=yes log-prefix=\
"defconf: drop all not coming from LAN"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=accept chain=forward comment="VLAN Internet Access only!" \
connection-state=new disabled=yes in-interface-list=VLAN \
out-interface-list=WAN
# Disabled. As written this also drops WORK -> internet (dst !WORK includes
# WAN); if the intent is to isolate VLAN50 from other LANs only, it needs an
# out-interface-list=!WAN (or dst-address-list=LAN) qualifier.
add action=drop chain=forward disabled=yes dst-address-list=!WORK \
src-address-list=WORK
# Disabled inter-VLAN allow rules (Aruba web UI, Proxmox UI/SSH, 8443).
add action=accept chain=forward comment="VLAN30 to Aruba Switch Admin page" \
disabled=yes dst-address-list="MGMT VLAN" dst-port=4343 log=yes \
log-prefix="Aruba Web Interface" protocol=tcp src-address-list=\
allowed_to_router
# Disabled. If enabled this accepts ALL ports from allowed_to_router, making
# the port-specific 8291/8844 rules above redundant.
add action=accept chain=input comment=\
"IP addresses that are allowed to access the router" disabled=yes log=yes \
log-prefix=Winbox src-address-list=allowed_to_router
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
disabled=yes dst-address-list=VLAN20 dst-port=8006 protocol=tcp \
src-address-list=VLAN30
# Comment says VLAN30 but the source list is BRIDGE (192.168.88.0/24).
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
disabled=yes dst-address-list=VLAN20 dst-port=8006 protocol=tcp \
src-address-list=BRIDGE
add action=accept chain=forward comment="VLAN30 to ProxMox ssh by IP" \
disabled=yes dst-address-list=VLAN20 dst-port=22 protocol=tcp \
src-address-list=BRIDGE
add action=accept chain=forward comment="VLAN30 to ProxMox ssh by IP" \
disabled=yes dst-address-list=VLAN20 dst-port=22 protocol=tcp \
src-address-list=VLAN30
add action=accept chain=forward disabled=yes dst-address-list=\
"BRIDGE MGMT IP" dst-port=8443 protocol=tcp src-address-list=VLAN30
# NOTE(review): these two "drop bad forward IPs" rules are disabled. As
# written they use not_in_internet, which contains 192.168.0.0/16, and have
# no interface qualifier -- re-enabling them would drop every inter-VLAN and
# LAN-originated packet. defconf uses no_forward_ipv4 here, which holds no
# RFC1918 space.
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
disabled=yes dst-address-list=not_in_internet
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
disabled=yes log=yes log-prefix="defconf: drop bad forward IPs" \
src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" disabled=yes \
dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=\
!Public_from_LAN out-interface=!bridge
add action=drop chain=input comment="defconf: drop invalid for input chain" \
connection-state=invalid disabled=yes log=yes log-prefix=\
"defconf: drop invalid input chain"
add action=drop chain=input comment="DROP ALL" disabled=yes log=yes \
log-prefix="DROP ALL"
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" disabled=yes \
in-interface=ether1 log=yes log-prefix=\
"Drop incoming from internet which is not public IP" src-address-list=\
not_in_internet
add action=drop chain=forward comment=\
"defconf: drop invalid for forward chain" connection-state=invalid \
disabled=yes log=yes log-prefix="drop invalid for forward chain"
# Disabled. This is the rule that keeps unsolicited WAN traffic out of the
# LAN; it matches in-interface-list=WAN only.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN log=yes \
log-prefix=!NAT
# Source NAT for everything leaving via WAN. ipsec-policy=out,none excludes
# traffic that matches an IPsec policy, so VPN traffic is not masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# IPv4 raw (prerouting, evaluated before connection tracking).
/ip firewall raw
# Accept DHCP discover from LAN. Caveat: in-interface-list=LAN contains only
# the bridge interface, not the VLAN interfaces (see /interface list member).
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
udp src-address=0.0.0.0 src-port=68
# NOTE(review): this catch-all accept has no matcher and is NOT disabled
# (defconf ships it with disabled=yes). Being second in prerouting it accepts
# every packet, so nothing below it ever matches: the country block, the
# bogon drops, the bad-UDP drop and the jump to bad_tcp are all dead right
# now. Add `disabled=yes` to this rule to put them back into effect.
add action=accept chain=prerouting comment="defconf: enable for transparent fi\
rewall to quickly disable RAW filtering without disabling all RAW rules"
# Disabled; both lists are empty in this export.
add action=drop chain=prerouting disabled=yes dst-address-list=ddos-target \
log=yes log-prefix="DDoS Raw drop" src-address-list=ddos-attackers
# Country block (no interface qualifier -- fine as long as the list holds
# only foreign public space).
add action=drop chain=prerouting log=yes log-prefix=\
"CountryBlockIP - China Iran" src-address-list=CountryIPBlocks
# Disabled. As written (no interface qualifier, not_in_internet includes
# RFC1918) this would drop every packet from the LAN if re-enabled; scope it
# with in-interface-list=WAN.
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
yes src-address-list=not_in_internet
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
# NOTE(review): bad_src_ipv4 holds 224.0.0.0/4 and 255.255.255.255, so as a
# DESTINATION match this drops all multicast (mDNS, SSDP) and every
# broadcast not covered by the DHCP rule above (that rule only matches
# src 0.0.0.0). Currently moot because of the catch-all accept above; it
# will bite once that rule is disabled.
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
# Only the default subnet is protected here; the VLAN subnets rely on the
# (currently disabled) forward rule "drop all from WAN not DSTNATed".
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
in-interface-list=WAN
# Disabled. Would drop every VLAN subnet (anything not 192.168.88.0/24) that
# reaches the router via a LAN-list interface.
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" disabled=yes \
in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
# Disabled, so the icmp4 chain below is unused and ICMP falls through to the
# accept rules.
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
disabled=yes jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
# Same LAN-list caveat as the DHCP rule: VLAN interfaces are not in LAN.
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
yes
# bad_tcp: defconf invalid TCP flag combinations and port 0.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=\
tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=\
tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=\
tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=\
tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=\
tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=\
tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
# icmp4: defconf ICMP whitelist with rate limits on echo/echo-reply.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
# IKEv2 client identities: certificate authentication, matched by
# certificate, with a per-client policy generated from the "vpn" template.
/ip ipsec identity
add auth-method=digital-signature certificate="Home server2" comment=\
"Home client2" generate-policy=port-strict match-by=certificate \
mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate=\
"Home client2"
add auth-method=digital-signature certificate="Home server" comment=\
"Home client1" generate-policy=port-strict match-by=certificate \
mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate=\
"Home client1"
# NOTE(review): address-pool=*D is an internal object id, not a pool name;
# none of the pools under /ip pool is referenced by name here, which usually
# means the pool this mode-config pointed at no longer exists. Check
# "/ip ipsec mode-config print" and point it at an existing pool.
/ip ipsec mode-config
add address-pool=*D name=vpn
# Any-to-any policy template used by generate-policy on the identities.
/ip ipsec policy
add dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=0.0.0.0/0 \
template=yes
# Management services. telnet, ftp, plain www, api and api-ssl are off.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# NOTE(review): ssh is moved to port 20022 but has no address= restriction,
# unlike www-ssl and winbox below; with the input-chain drop rules disabled
# it is reachable from WAN. Match the winbox scope, e.g.
# `set ssh address=192.168.88.0/24,192.168.99.0/24,192.168.30.103/32 port=20022`.
set ssh port=20022
# HTTPS admin on 8844, TLS 1.2 only, restricted to specific hosts/subnets.
set www-ssl address=192.168.30.103/32,192.168.88.254/32,192.168.88.0/24 \
certificate=https-cert disabled=no port=8844 tls-version=only-1.2
set api disabled=yes
# IP-level Winbox restriction (MAC-Winbox is governed separately by the
# Winbox interface list).
set winbox address=192.168.88.0/24,192.168.99.0/24,192.168.30.103/32
set api-ssl disabled=yes
# 4096-bit host key and strong-crypto (weak ciphers/MACs disabled).
/ip ssh
set host-key-size=4096 strong-crypto=yes
# Flow export source interface; the collector target is not shown here.
/ip traffic-flow
set interfaces=VLAN50
# IPv6 firewall. IPv6 is disabled under /ipv6 settings, so none of this is
# active until it is switched back on.
/ipv6 firewall address-list
# "allowed": sources accepted on the input chain.
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
# NOTE(review): fe02::/48 is not a defined link-local or multicast scope;
# this looks like a typo for ff02::/16, which is already on the next line.
# Confirm and remove.
add address=fe02::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
# Unlike the IPv4 filter, the input chain here ends in an active
# "drop all not coming from LAN" (last rule). The forward chain has no active
# terminating drop: the only forward drop without qualifiers is disabled.
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: allow established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
# All ICMPv6 to the router is accepted, unconditionally and unrated.
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
src-address=fe80::/16
add action=drop chain=input disabled=yes in-interface=ether1 log=yes \
log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
src-address-list=allowed
add action=drop chain=input disabled=yes
add action=accept chain=forward comment=established,related connection-state=\
established,related
add action=accept chain=forward comment="defconf: accepts icmpv6 after raw" \
in-interface=!ether1 protocol=icmpv6
# NOTE(review): disabled, and as written (no interface matcher) it would stop
# ALL IPv6 forwarding. Without it, if IPv6 is re-enabled, unsolicited inbound
# IPv6 is forwarded to LAN hosts -- there is no NAT to hide them. Scope it to
# in-interface-list=!LAN (as defconf does) before enabling.
add action=drop chain=forward disabled=yes log-prefix=IPV6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# IPv6 raw: the catch-all accept is first here as well, so the bogon drop
# below it never matches (same pattern as the IPv4 raw chain).
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
# System settings.
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB4011
# NTP client against the regional pool (keeps certificate and log timestamps
# sane).
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
# Receive packet steering enabled for the SFP+ port.
/system resource irq rps
set sfp-sfpplus1 disabled=no
# Bandwidth-test server off (it is a known amplification/abuse vector).
/tool bandwidth-server
set enabled=no
# MAC-telnet limited to the LAN list; MAC-Winbox to the Winbox list (bridge,
# MGMT, VLAN30 -- see the note under /interface list member); MAC-ping off.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Winbox
/tool mac-server ping
set enabled=no
Humbly,