# sep/23/2022 20:11:43 by RouterOS 7.4
# software id = QX7H-822A
#
# model = RB2011UiAS
# Bridges: a second bridge, "Starlink Bridge", is defined next to the default
# LAN "bridge".
# NOTE(review): both bridges are pinned (auto-mac=no) to the same admin-mac,
# 08:55:31:4F:0F:09, and that is also the MAC set on ether2/WAN2_STARLINK
# below. Three interfaces sharing one MAC looks unintended - confirm and give
# each bridge its own address.
/interface bridge
add admin-mac=08:55:31:4F:0F:09 auto-mac=no comment=defconf name=\
"Starlink Bridge"
add admin-mac=08:55:31:4F:0F:09 auto-mac=no comment=defconf name=bridge
# Physical ports: ether1, ether2 and sfp1 are renamed to their WAN roles
# (sfp1 is disabled); ether3-ether10 keep their default names. PoE output on
# ether10 is switched off.
/interface ethernet
set [ find default-name=ether1 ] mac-address=08:55:31:4F:0F:08 name=WAN1
set [ find default-name=ether2 ] mac-address=08:55:31:4F:0F:09 name=\
WAN2_STARLINK
set [ find default-name=sfp1 ] disabled=yes mac-address=08:55:31:4F:0F:07 \
name=WAN3_SFP
set [ find default-name=ether3 ] mac-address=08:55:31:4F:0F:0A
set [ find default-name=ether4 ] mac-address=08:55:31:4F:0F:0B
set [ find default-name=ether5 ] mac-address=08:55:31:4F:0F:0C
set [ find default-name=ether6 ] mac-address=08:55:31:4F:0F:0D
set [ find default-name=ether7 ] mac-address=08:55:31:4F:0F:0E
set [ find default-name=ether8 ] mac-address=08:55:31:4F:0F:0F
set [ find default-name=ether9 ] mac-address=08:55:31:4F:0F:10
set [ find default-name=ether10 ] mac-address=08:55:31:4F:0F:11 poe-out=off
# VLAN interfaces 20/40/60/80/100, all created on top of the LAN "bridge".
# NOTE(review): this export shows no IP address, pool or DHCP server for
# vlan100 - confirm it is still needed.
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan60 vlan-id=60
add interface=bridge name=vlan80 vlan-id=80
add interface=bridge name=vlan100 vlan-id=100
# Interface lists. WAN and LAN are what the firewall, NAT, neighbor discovery
# and MAC-server sections match on, so list membership (see
# /interface list member) decides which interfaces those policies cover.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# NOTE(review): the default profile allows wpa-psk only (no wpa2-psk). No
# wireless interface appears in this export, so this presumably has no effect
# here; if a radio ever uses this profile, switch it to WPA2 or newer first.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk mode=dynamic-keys \
supplicant-identity=MikroTik
# DHCP address pools, one for the default LAN and one per VLAN subnet
# (20/40/60/80).
/ip pool
add name=dhcp ranges=10.10.0.100-10.10.100.100
add name=vlan40_pool ranges=10.40.40.20-10.40.255.250
add name=vlan60_pool ranges=10.60.60.20-10.60.255.250
add name=vlan80_pool ranges=10.80.80.20-10.80.255.250
add name=vlan20_pool ranges=10.20.20.20-10.20.255.250
# DHCP servers, each handing out one of the pools above with a 1-day lease.
# NOTE(review): vlan20_dhcp is bound to "Starlink Bridge", not to vlan20,
# while the 10.20.0.1/16 address in /ip address sits on vlan20 (a port of
# that bridge). Confirm this split is intentional.
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
add address-pool=vlan40_pool interface=vlan40 lease-time=1d name=vlan40_dhcp
add address-pool=vlan60_pool interface=vlan60 lease-time=1d name=vlan60_dhcp
add address-pool=vlan80_pool interface=vlan80 lease-time=1d name=vlan80_dhcp
add address-pool=vlan20_pool interface="Starlink Bridge" lease-time=1d name=\
vlan20_dhcp
# Serial console port settings.
/port
set 0 baud-rate=115200 name=serial0
# Per-subnet bandwidth caps for the VLAN 80, 60 and 40 address ranges.
/queue simple
add max-limit=20M/20M name="VLAN 80" target=10.80.0.0/16
add max-limit=10M/10M name="VLAN 60" target=10.60.0.0/16
add max-limit=10M/10M name="VLAN40" target=10.40.0.0/16
# PCQ queue types classified by destination address.
# NOTE(review): none of the simple queues above sets queue=, so these two
# types look unused in this export - confirm.
/queue type
add kind=pcq name=vlan40-pcq pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name=Download pcq-classifier=dst-address pcq-dst-address6-mask=\
64 pcq-rate=2M pcq-src-address6-mask=64
# NOTE(review): a BGP template and an OSPF instance are present, but this
# export shows no BGP connection and the only OSPF area is disabled. If no
# dynamic routing is intended, removing these leaves less to audit.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Separate routing table used by the mangle rule and static route that steer
# 10.20.0.0/16 traffic out via Starlink.
/routing table
add disabled=no fib name=ToStarlink
# Bridge membership. ether3-ether9 are ports of the LAN "bridge"; ether10 and
# vlan20 are ports of "Starlink Bridge".
# NOTE(review): every LAN port has ingress-filtering=no and the bridge
# definitions do not set vlan-filtering, so presumably the bridge is not
# enforcing VLAN membership per port - any LAN port could then send frames
# tagged for any VLAN. Confirm whether the VLANs are meant as a security
# boundary; if so, bridge VLAN filtering is needed.
# NOTE(review): interface=*C is an internal ID, which RouterOS exports when
# the referenced interface no longer exists. That entry looks stale - confirm
# and remove it.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=*C
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge="Starlink Bridge" interface=ether10
add bridge="Starlink Bridge" interface=vlan20
# Neighbor discovery is limited to the LAN list, so the router does not
# announce itself on the WAN interfaces.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
# IPv6 is switched off entirely; the firewall in this export is IPv4-only.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# LAN contains only "bridge"; WAN contains the three uplinks.
# NOTE(review): the vlanNN interfaces and "Starlink Bridge" are in neither
# list, so rules that match in-interface-list=LAN or =WAN do not cover them.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2_STARLINK list=WAN
add interface=WAN3_SFP list=WAN
# NOTE(review): the OpenVPN server auth list permits md5 and sha1. The export
# does not show the server as enabled, so this is presumably dormant; drop
# md5 from the list before ever enabling it.
/interface ovpn-server server
set auth=sha1,md5
# Router addresses: .1 of each /16 on the LAN bridge and on vlan20/40/60/80.
# The static 100.94.216.66/10 entry on WAN2_STARLINK is disabled; that
# interface gets its address from the DHCP client below instead.
/ip address
add address=10.10.0.1/16 comment=defconf interface=bridge network=10.10.0.0
add address=10.40.0.1/16 interface=vlan40 network=10.40.0.0
add address=10.60.0.1/16 interface=vlan60 network=10.60.0.0
add address=10.80.0.1/16 interface=vlan80 network=10.80.0.0
add address=10.20.0.1/16 interface=vlan20 network=10.20.0.0
add address=100.94.216.66/10 disabled=yes interface=WAN2_STARLINK network=\
100.64.0.0
# One DHCP client per uplink. WAN2_STARLINK installs its default route at
# distance 2; the other two set no distance, so presumably they use the
# default and are preferred over Starlink in the main table - confirm.
/ip dhcp-client
add comment="WAN1_DHCP Client" interface=WAN1
add comment="WAN2_DHCP Client" default-route-distance=2 interface=\
WAN2_STARLINK
add comment="WAN3 SFP_DHCP Client" interface=WAN3_SFP
# Options handed to DHCP clients. The default LAN is pointed at the router's
# own resolver (10.10.0.1); the VLAN subnets are pointed at 8.8.8.8/8.8.4.4.
/ip dhcp-server network
add address=10.10.0.0/16 comment=defconf dns-server=10.10.0.1 gateway=\
10.10.0.1 netmask=16
add address=10.20.0.0/16 comment="Google DNS" dns-server=8.8.8.8,8.8.4.4 \
gateway=10.20.0.1
add address=10.40.0.0/16 comment="Google DNS" dns-server=8.8.8.8,8.8.4.4 \
gateway=10.40.0.1
add address=10.60.0.0/16 comment="Google DNS" dns-server=8.8.8.8,8.8.4.4 \
gateway=10.60.0.1
add address=10.80.0.0/16 comment="Google DNS" dns-server=8.8.8.8,8.8.4.4 \
gateway=10.80.0.1
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from other hosts. The input-chain drop rule in /ip firewall filter is
# disabled, so nothing visible in this export stops queries that arrive on the
# WAN interfaces - the router can end up acting as an open resolver. Keep the
# resolver, but restrict UDP/TCP 53 on the input chain to the internal
# interfaces.
/ip dns
set allow-remote-requests=yes cache-max-ttl=30m
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
# IPv4 filter rules. Rules are evaluated top to bottom within each chain, and
# a packet that matches no rule in a chain is accepted, so the drop rules are
# what actually protect the router (input) and the networks behind it
# (forward).
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): this is the only input-chain rule that would drop new
# connections, and it is disabled=yes. While it is off, new connections to
# the router arriving on the WAN list fall through and are accepted. That
# exposes the router's own services (no /ip service section appears in this
# export, which suggests they are at defaults - confirm) and its DNS resolver
# to the uplinks.
# Before re-enabling it: the LAN list contains only "bridge", so traffic to
# the router from the vlanNN interfaces and "Starlink Bridge" would be dropped
# too, unless they are added to LAN or given explicit accept rules first.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Drop outbound UDP 80 and UDP 443 on the Starlink uplink. UDP 443 carries
# QUIC, so browsers presumably fall back to TCP.
# NOTE(review): the second rule matches dst-port=443 but its comment text
# still says "port 80".
add action=drop chain=forward comment=\
"Block UDP on port 80 for Starlink to load full web pages correctly." \
dst-port=80 out-interface=WAN2_STARLINK protocol=udp
add action=drop chain=forward comment=\
"Block UDP on port 80 for Starlink to load full web pages correctly." \
dst-port=443 out-interface=WAN2_STARLINK protocol=udp
# FastTrack is disabled. Presumably this is deliberate: FastTracked
# connections skip mangle marks and simple queues, and this configuration
# uses both - confirm before enabling it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Blocks unsolicited inbound connections from the WAN list to the internal
# networks unless a dst-nat rule forwarded them.
# NOTE(review): no forward rule here restricts traffic between the internal
# 10.x subnets. If the VLANs are meant to be isolated from each other,
# explicit drop rules are needed.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): accepts TCP/80 to the router itself with no in-interface or
# source restriction and no comment stating its purpose. If it is meant for
# web management, scope it with in-interface-list=LAN (or a source address
# list) and move it above the input drop rule so it still applies once that
# rule is re-enabled.
add action=accept chain=input dst-port=80 protocol=tcp
# Policy routing: everything sourced from 10.20.0.0/16 is marked for the
# ToStarlink routing table.
# NOTE(review): the rule has no dst-address condition, so it also marks
# traffic from 10.20.0.0/16 towards the other internal subnets. With only a
# default route in ToStarlink (see /ip route), that traffic would presumably
# be sent out the Starlink uplink - confirm this is intended.
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=ToStarlink \
passthrough=yes src-address=10.20.0.0/16
# Source NAT for everything leaving through an interface in the WAN list;
# traffic covered by an IPsec policy is excluded (ipsec-policy=out,none).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Default route for the ToStarlink table via 100.64.0.1, monitored with
# check-gateway=ping.
# NOTE(review): the gateway is a fixed address, while WAN2_STARLINK gets its
# address by DHCP; if the provider changes the gateway, this route stops
# working - confirm.
/ip route
add check-gateway=ping comment="Static Route To Starlink" disabled=no \
distance=1 dst-address=0.0.0.0/0 gateway=100.64.0.1 pref-src=0.0.0.0 \
routing-table=ToStarlink suppress-hw-offload=no
# Interfaces shown on the front-panel LCD.
/lcd interface pages
set 0 interfaces="WAN3_SFP,WAN1,WAN2_STARLINK,ether3,ether4,ether5,ether6,ethe\
r7,ether8,ether9,ether10"
/system clock
set time-zone-name=Europe/London
# NOTE(review): the identity is still the factory default "MikroTik"; a unique
# name makes logs and neighbor listings easier to attribute.
/system identity
set name="MikroTik"
# NOTE(review): the NTP client is in broadcast mode and no server is listed
# in this export, so time presumably depends on whatever broadcasts NTP on an
# attached network. Accurate time matters for log correlation and certificate
# checks - consider naming explicit servers.
/system ntp client
set mode=broadcast
# Layer-2 management (MAC telnet and MAC Winbox) is limited to the LAN list,
# which keeps it off the WAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN