Thx in advance for all the help and especially suggestions for changes I should make or add.
Cheers from Denmark and sorry if I've pasted the wrong info
Code: Select all
# feb/25/2023 08:00:54 by RouterOS 7.7
# software id = MWKQ-T6XU
#
# model = RB5009UG+S+
# serial number = xxxxxxxxx
/interface bridge
add name=Bridge_VLAN20_IoT
add name=Bridge_VLAN30_Guest
add admin-mac=xxxxxxxxxxxxx auto-mac=no name=LAN_Bridge
/interface ethernet
set [ find default-name=ether2 ] mac-address=xxxxxxxxxxxxx
/interface wireguard
add listen-port=13231 mtu=1420 name="WireGuard MikroTik"
/interface vlan
add interface=ether5 name=VLAN20_Eth5_IoT vlan-id=20
add interface=ether5 name=VLAN30_Eth5_Guest vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="DHCP LAN" ranges=10.0.0.100-10.0.0.254
add name="DHCP VLAN20" ranges=10.0.20.150-10.0.20.254
add name="DHCP VLAN30" ranges=10.0.30.150-10.0.30.254
/ip dhcp-server
add address-pool="DHCP VLAN20" interface=Bridge_VLAN20_IoT lease-time=1d \
name="DHCP VLAN20"
add address-pool="DHCP VLAN30" interface=Bridge_VLAN30_Guest lease-time=1d \
name="DHCP VLAN30"
add address-pool="DHCP LAN" interface=LAN_Bridge lease-time=1d name=\
"DHCP Standard"
/interface bridge port
add bridge=Bridge_VLAN20_IoT comment=defconf interface=ether3
add bridge=LAN_Bridge comment=defconf interface=ether4
add bridge=LAN_Bridge comment=defconf interface=ether5
add bridge=LAN_Bridge comment=defconf interface=ether6
add bridge=Bridge_VLAN20_IoT comment=defconf interface=ether7
add bridge=LAN_Bridge comment=defconf interface=ether8
add bridge=Bridge_VLAN20_IoT interface=VLAN20_Eth5_IoT
add bridge=Bridge_VLAN30_Guest interface=VLAN30_Eth5_Guest
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=LAN_Bridge list=LAN
add interface=ether2 list=WAN
add interface="WireGuard MikroTik" list=LAN
/interface wireguard peers
add allowed-address=172.22.0.2/32 interface="WireGuard MikroTik" public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=172.22.0.3/32 interface="WireGuard MikroTik" public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=10.0.0.1/24 comment="DHCP Standard" interface=LAN_Bridge network=\
10.0.0.0
add address=10.0.20.1/24 comment="VLAN IoT" interface=Bridge_VLAN20_IoT \
network=10.0.20.0
add address=10.0.30.1/24 comment="VLAN Guest" interface=Bridge_VLAN30_Guest \
network=10.0.30.0
add address=172.22.0.1/24 comment=WireGuard interface="WireGuard MikroTik" \
network=172.22.0.0
/ip dhcp-client
add dhcp-options=clientid,hostname interface=ether2 use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.10 gateway=10.0.0.1
add address=10.0.20.0/24 dns-server=10.0.0.10 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.0.10 gateway=10.0.30.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.10
/ip firewall address-list
add address=10.0.0.0/24 list=AllowWinBox
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=add-src-to-address-list address-list=Blacklist \
address-list-timeout=1d chain=input dst-port=666 in-interface-list=WAN \
log=yes protocol=tcp
add action=drop chain=input comment="Drop connections from blacklist" \
in-interface-list=WAN src-address-list=Blacklist
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=input comment="Allow WinBox from LAN" dst-port=8291 \
in-interface-list=LAN log-prefix=winbox protocol=tcp src-address-list=\
AllowWinBox
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="Allow access to print from VLAN30" \
dst-address=10.0.0.3 src-address=10.0.30.0/24
add action=accept chain=forward comment=\
"Allow access from HMHPhone to Phillips Hue" dst-address=10.0.0.4 \
src-address=10.0.20.249
add action=accept chain=forward comment=\
"Allow DNS requests from VLAN20 --> 10.0.0.10" dst-address=10.0.0.10 \
dst-port=53 in-interface=Bridge_VLAN20_IoT out-interface=LAN_Bridge \
protocol=udp src-address=10.0.20.0/24
add action=accept chain=forward comment=\
"Allow DNS requests from VLAN30 --> 10.0.0.10" dst-address=10.0.0.10 \
dst-port=53 in-interface=Bridge_VLAN30_Guest out-interface=LAN_Bridge \
protocol=udp src-address=10.0.30.0/24
add action=drop chain=forward comment="Drop external DNS requests" dst-port=\
53 log=yes log-prefix="DNS Drop" protocol=tcp src-address=!10.0.0.10
add action=drop chain=forward comment="Drop external DNS requests" dst-port=\
53 log=yes log-prefix="DNS Drop" protocol=udp src-address=!10.0.0.10
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment=Russia log=yes log-prefix=IPRussia \
src-address-list=IPScope-Russia
add action=drop chain=prerouting comment=Belarus log=yes log-prefix=IPRussia \
src-address-list=IPScope-Belarus
add action=drop chain=prerouting comment=Turkey log=yes log-prefix=IPTurkey \
src-address-list=IPScope-Turkey
add action=drop chain=prerouting comment=Iran log=yes log-prefix=IPIran \
src-address-list=IPScope-Iran
add action=drop chain=prerouting comment=China log=yes log-prefix=IPChina \
src-address-list=IPScope-China
add action=drop chain=prerouting comment=Brazil log=yes log-prefix=IPBrazil \
src-address-list=IPScope-Brazil
add action=drop chain=prerouting comment=Iraq log=yes log-prefix=IPBrazil \
src-address-list=IPScope-Iraq
add action=drop chain=prerouting comment=Sudan log=yes log-prefix=IPSudan \
src-address-list=IPScope-Sudan
add action=drop chain=prerouting comment="South Sudan" log=yes log-prefix=\
IPSouthSudan src-address-list=IPScope-SouthSudan
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add disabled=no dst-address=10.0.0.10 gateway=10.0.0.6 routing-table=main \
suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name=
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN