I'm having a hard time trying to configure the below on my RB5009UG+S+IN (router) & CRS326-24G-2S+RM (switch) :
Can someone kindly show me how to do it properly; this is my current router's config:
Code: Select all
#| Interface(s)
#-------------------------------------------------------------------------------
/interface list add name=LAN comment="local area network"
/interface list add name=WAN comment="wide area network"
/interface ethernet
set [ find default-name=ether1 ] comment="link to ONT, HG8240H5"
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment="link to SWI, CRS326-24G-2S+RM"
/interface vlan
add name=vlan500 vlan-id=500 interface=ether1
/interface pppoe-client
add name=pppoe-out1 max-mru=1492 max-mtu=1492 interface=vlan500 \
user="username@unifi" password="dummypassword" keepalive-timeout=5 add-default-route=yes disabled=no \
comment="unifi authentication"
/interface bridge
add name=bridge1 disabled=no auto-mac=yes protocol-mode=rstp
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=sfp-sfpplus1
/interface list member add list=LAN interface=bridge1
/interface list member add list=WAN interface=pppoe-out1
#| DHCP
#-------------------------------------------------------------------------------
/ip pool
add name="dhcp_pool1" ranges=10.17.77.2-10.17.77.99 comment="static reserve"
add name="dhcp_pool2" ranges=10.17.77.100-10.17.77.199 comment="dynamic reserve"
/ip dhcp-server
add name=dhcp_main interface=bridge1 lease-time=1h address-pool="dhcp_pool2" disabled=no
/ip dhcp-server network
add address=10.17.77.0/24 gateway=10.17.77.1 dns-server=10.17.77.1 domain=\
mikrotik-rtr.lan wins-server=10.17.77.1
/ip address
add address=10.17.77.1/24 interface=bridge1
/ip dns{
set allow-remote-requests=yes cache-max-ttl=1d cache-size=81920KiB \
max-concurrent-queries=1000 max-concurrent-tcp-sessions=40 servers=\
9.9.9.9,149.112.112.112,2620:fe::fe,2620:fe::9
static add address=10.17.77.1 name=mikrotik-rtr.lan comment="RB5009UG+S+IN"
static add address=10.17.77.10 name=archerax73-ap.lan comment="Archer AX73"
static add address=10.17.77.20 name=Reevans-MacBook-Pro.local comment="Reevan's MacBook Pro"
static add address=10.17.77.21 name=Shirleys-MacBook-Pro.local comment="Shirley's MacBook Pro"
}
#| IPv6
#-------------------------------------------------------------------------------
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=bridge1 ra-interval=20s-1m mtu=1492 \
dns=fd10:bad:a55::1 other-configuration=yes
/ipv6 nd prefix default
set preferred-lifetime=12h valid-lifetime=1d
/ipv6 dhcp-client
add interface=pppoe-out1 request=prefix pool-name=pppoe_pool6 \
use-peer-dns=no rapid-commit=yes add-default-route=yes
/ipv6 address
add address=::1 from-pool=pppoe_pool6 advertise=yes interface=bridge1
add address=fd10:bad:a55::1 advertise=no interface=bridge1
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
#| IPv4 Firewall
#-------------------------------------------------------------------------------
/ip firewall {
filter add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="drop invalid"
filter add chain=input action=accept protocol=icmp comment="accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="accept to local loopback (for CAPsMAN)"
filter add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"
nat add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="masquerade"
nat add chain=dstnat action=dst-nat protocol=udp dst-port=53 to-address=10.17.77.1 to-ports=53 comment="transparent dns proxy, udp"
nat add chain=dstnat action=dst-nat protocol=tcp dst-port=53 to-address=10.17.77.1 to-ports=53 comment="transparent dns proxy, tcp"
}
#| IPv6 Firewall
#-------------------------------------------------------------------------------
/ipv6 firewall {
address-list add list=bad_ipv6 address=::/128 comment="unspecified address"
address-list add list=bad_ipv6 address=::1 comment="lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="6bone"
filter add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="accept ICMPv6"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="accept all that matches ipsec policy"
filter add chain=input action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN"
filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="drop packets with bad dst ipv6"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN"
nat add chain=dstnat action=dst-nat protocol=udp dst-port=53 to-address=fd10:bad:a55::1/128 to-ports=53 comment="transparent dns proxy, udp"
nat add chain=dstnat action=dst-nat protocol=tcp dst-port=53 to-address=fd10:bad:a55::1/128 to-ports=53 comment="transparent dns proxy, tcp"
}
#| Automated system configuration backup, every 1d
#-------------------------------------------------------------------------------
/system scheduler
add interval=1d name=sys_conf_backup on-event=sys_conf_backup policy=\
read,write,policy,test start-date=jan/01/1970 start-time=00:00:00
/system script{
add dont-require-permissions=no name=sys_conf_backup owner=admin policy=\
read,write,policy,test source=":log info \"initiating system configuration\
\_backup\"\r\
\n:delay 1s\r\
\n/system backup\r\
\n save name=\"\" password=\"dummypassword\"\r\
\n:log info \"completed system configuration backup\""
}
#| MISC Config
#-------------------------------------------------------------------------------
/ip dhcp-server lease
add address=10.17.77.10 client-id=1:c0:6:c3:3b:41:74 mac-address=\
C0:06:C3:3B:41:74 server=dhcp_main
add address=10.17.77.20 client-id=1:b0:de:28:ec:e9:5d mac-address=\
B0:DE:28:EC:E9:5D server=dhcp_main
add address=10.17.77.21 client-id=1:3c:22:fb:b5:a6:39 mac-address=\
3C:22:FB:B5:A6:39 server=dhcp_main
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip service
set api disabled=yes
set api-ssl disabled=yes
set ftp disabled=yes
set telnet disabled=yes
/ip ssh set strong-crypto=yes
/system clock set time-zone-name=Asia/Kuala_Lumpur
/system identity set name=mikrotik-rtr.lan
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool romon set enabled=yes secrets="dummypassword"
/user set admin password="dummypassword"
Regards,
Reev