LAN is 192.168.200.1/24
wired Eth 4 192.168.6.1/24
wireless 192.168.50.1/24
Here is my config:
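# feb/16/1970 19:26:39 by RouterOS 7.3.1
# software id = BD8G-SELR
#
# model = RB941-2nD
# serial number = <CENSORED>
# NOTE(review): the export timestamp is in 1970, i.e. the clock has presumably never synced.
# The NTP client below is in broadcast mode with no servers shown, and the output chain
# drops all UDP from the router itself, so NTP cannot succeed - confirm. A wrong clock also
# affects certificate validity for www-ssl.
#
# Three separate bridges, one per subnet:
#   bridge          -> main LAN  192.168.200.0/24 (ether3, ether4, pwr-line1)
#   bridge2         -> wired     192.168.6.0/24   (ether2)
#   bridge-wireless -> wireless  192.168.50.0/24  (wlan1)
/interface bridge
add admin-mac=DC:2C:6E:61:CC:0F auto-mac=no comment=defconf name=bridge
add name=bridge-wireless
add name=bridge2
# wlan1 runs as an access point (ap-bridge), 2.4 GHz only.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country="united states" default-authentication=no disabled=no distance=\
indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
"St.paul Luthuran church" wireless-protocol=802.11
# Only "bridge" is a LAN-list member (see /interface list member), so neighbor discovery
# and MAC-server/MAC-winbox are limited to the main LAN; bridge2 and bridge-wireless are
# in neither list.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default security profile: WPA2-PSK. The pre-shared key is not shown in this export
# (presumably hidden as sensitive) - confirm one is actually set.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
# "Stadic only" has no address-pool, so it only serves the static leases defined further
# down; "server1" (which has the pool "dhcp") is disabled. Only one enabled DHCP server
# per interface is possible, so this split keeps the main LAN static-only.
/ip dhcp-server
add interface=bridge name="Stadic only"
/ip pool
add name=dhcp ranges=192.168.200.10-192.168.200.254
add name=pool2 ranges=192.168.6.2-192.168.6.254
add name=pool-wirteless ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=bridge name=server1
add address-pool=pool2 interface=bridge2 name=dhcp2
add address-pool=pool-wirteless interface=bridge-wireless name=\
server-wireless
# Per-subnet rate limits (upload/download) for the wireless and ether2 networks.
/queue simple
add max-limit=500k/2M name=Wireless target=192.168.50.0/24
add max-limit=1M/4M name="eth2 6.1/24" target=192.168.6.0/24
# OSPF: the instance is enabled but its only area is disabled, so OSPF presumably does
# nothing here - consider removing if unused.
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge2 comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1
add bridge=bridge-wireless interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
# IPv6 is disabled entirely.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): md5 is listed as an accepted auth digest. Whether the OVPN server is
# enabled is not shown in this export; if it is, drop md5 and allow sha1 or stronger only.
/interface ovpn-server server
set auth=sha1,md5
# ether1 (WAN) has a static address on 192.168.254.0/24 behind another router
# (default route via 192.168.254.254 below), i.e. double NAT.
/ip address
add address=192.168.200.1/24 comment=defconf interface=bridge network=\
192.168.200.0
add address=192.168.254.3/24 interface=ether1 network=192.168.254.0
add address=192.168.6.1/24 interface=bridge2 network=192.168.6.0
add address=192.168.50.1/24 interface=bridge-wireless network=192.168.50.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no
# Static leases on the main LAN; these are the only addresses "Stadic only" hands out.
/ip dhcp-server lease
add address=192.168.200.3 comment="Church computer" mac-address=\
EC:A8:6B:94:8E:9E server="Stadic only"
add address=192.168.200.10 comment="Austins Cell phone" disabled=yes \
mac-address=A8:76:50:1B:85:38 server="Stadic only"
add address=192.168.200.4 comment="church printer" mac-address=\
00:21:B7:AF:8A:BE server="Stadic only"
# DHCP options per subnet. Fixed: the main-LAN entry was 192.168.0.0/24 with netmask=16,
# which does not contain the 192.168.200.x leases or the 192.168.200.1 gateway, so
# clients on "bridge" would have received no gateway/DNS options. It now matches the
# bridge address and the static leases above.
/ip dhcp-server network
add address=192.168.200.0/24 comment=defconf dns-server=9.9.9.9,149.112.112.112 \
gateway=192.168.200.1 netmask=24
add address=192.168.6.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=\
192.168.6.1 netmask=24
add address=192.168.50.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=\
192.168.50.1
# The router is configured as a resolver, but the input chain below drops UDP/53 (and all
# UDP), so clients cannot use it; DHCP hands out 9.9.9.9/149.112.112.112 directly instead.
# The output-chain drops also stop the router's own lookups to these servers.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,149.112.112.112
/ip dns static
add address=192.168.200.1 comment=defconf name=router.lan
# Firewall filter. Rules are evaluated in order within each chain; the default policy
# for each chain is accept, so anything not dropped below is allowed.
# There are no connection-state (established/related) accept rules, no in-interface or
# src-address matchers on the input/output rules, and no distinction between WAN and LAN
# for management traffic - all interfaces are treated alike.
/ip firewall filter
# Disabled: a default-deny for forwarded traffic (only 80/443/53/8291 TCP, 53 UDP).
add action=drop chain=forward comment="do not enable BLOCKED THRU ROUTER" \
disabled=yes dst-port=!80,443,53,8291 protocol=tcp
add action=drop chain=forward comment="do not enable BLOCKED THRU ROUTER" \
disabled=yes dst-port=!53 protocol=udp
# Input (to the router itself): TCP other than 80/443/53 is dropped here ...
add action=drop chain=input comment="allow only HTTP HTTPS DNS " dst-port=\
!80,443,53 protocol=tcp
# NOTE(review): the comment says "ALLOW ONLY DNS" but this rule has no "!" - it drops
# UDP/53 to the router rather than everything except it. Moot while the catch-all UDP
# drop below is active, but fix one or the other so intent and rule agree.
add action=drop chain=input comment="ALLOW ONLY DNS" dst-port=53 protocol=udp
# Output (from the router itself): only 80/443/53 TCP and 53 UDP survive these two ...
add action=drop chain=output dst-port=!80,443,53 protocol=tcp
add action=drop chain=output comment="ALLOW ONLY DNS OUT TO INTERNET" \
dst-port=!53 protocol=udp
# ... and then these drop ALL TCP and UDP from the router, making the two rules above
# redundant. Effect: the router cannot resolve DNS, sync NTP, or fetch updates. Only
# ICMP from the router is still allowed.
add action=drop chain=output comment="blocked OUT TO INTERNET" dst-port=\
0-65535 protocol=tcp
add action=drop chain=output comment="blocked OUT TO INTERNET" dst-port=\
0-65535 protocol=udp
# Likewise ALL TCP and UDP to the router is dropped, from every interface, which also
# covers www-ssl (443) enabled under /ip service below and Winbox over IP. Together with
# the ICMP drop at the end, the router is reachable only via MAC-winbox/MAC-telnet on
# the LAN list (bridge). Confirm this is intended before relying on it.
add action=drop chain=input comment="blocked to internet" dst-port=0-65535 \
protocol=tcp
add action=drop chain=input comment="blocked to internet" dst-port=0-65535 \
protocol=udp
# Inter-subnet isolation: guest wireless and the ether2 network may not initiate traffic
# to the main LAN. Because there is no established/related accept, reply packets from
# those subnets to connections started from the main LAN are dropped as well, so the
# isolation is effectively bidirectional - presumably intended.
add action=drop chain=forward comment="block guset from lan " dst-address=\
192.168.200.0/24 src-address=192.168.50.0/24
add action=drop chain=forward comment="ETH2 SEPERATE DHCP 6.1" dst-address=\
192.168.200.0/24 src-address=192.168.6.0/24
# Drops a list of non-TCP/UDP IP protocols passing through the router. Note this includes
# gre, ipsec-esp, ipsec-ah and l2tp, so VPN pass-through for LAN clients will not work.
add action=drop chain=forward protocol=ggp
add action=drop chain=forward protocol=st
add action=drop chain=forward protocol=igmp
add action=drop chain=forward protocol=egp
add action=drop chain=forward protocol=ipencap
add action=drop chain=forward protocol=pup
add action=drop chain=forward protocol=hmp
add action=drop chain=forward protocol=xns-idp
add action=drop chain=forward protocol=rdp
add action=drop chain=forward protocol=iso-tp4
add action=drop chain=forward protocol=dccp
add action=drop chain=forward protocol=xtp
add action=drop chain=forward protocol=ddp
add action=drop chain=forward protocol=idpr-cmtp
add action=drop chain=forward protocol=rsvp
add action=drop chain=forward protocol=ipv6-encap
add action=drop chain=forward protocol=gre
add action=drop chain=forward protocol=ipsec-esp
add action=drop chain=forward protocol=ipsec-ah
add action=drop chain=forward protocol=rspf
add action=drop chain=forward protocol=vmtp
add action=drop chain=forward protocol=ospf
add action=drop chain=forward protocol=ipip
add action=drop chain=forward protocol=etherip
add action=drop chain=forward protocol=encap
add action=drop chain=forward protocol=pim
add action=drop chain=forward protocol=vrrp
add action=drop chain=forward protocol=l2tp
add action=drop chain=forward protocol=sctp
add action=drop chain=forward protocol=udp-lite
# No ping to the router from any interface (also blocks ICMP error messages to it).
add action=drop chain=input protocol=icmp
# Source NAT for everything leaving via the WAN list (ether1).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.254.254
# Plain HTTP off, HTTPS on. Other services (api, ftp, ssh, telnet, winbox) are not in this
# export, so they are presumably at defaults - confirm which are enabled and bind the
# enabled ones to LAN addresses. www-ssl also needs a certificate assigned, not shown here.
/ip service
set www disabled=yes
set www-ssl disabled=no
# UPnP interface roles are defined; whether UPnP itself is enabled is not shown in this
# export. If enabled, hosts on "bridge" can open inbound ports on ether1 on their own -
# confirm that is intended.
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=America/Chicago
# Broadcast-mode NTP client with no servers configured (see clock note at the top).
/system ntp client
set mode=broadcast
# MAC-level management restricted to the LAN list (bridge only).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN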