# model = CCR1009-7G-1C-1S+
# One bridge per VLAN (Management, Guest, Office, Video). Each bridge
# receives its tagged sub-interface from the switch trunk plus its untagged
# access ports under /interface bridge port further down in this export.
/interface bridge
add comment=Management name=br-vlan1-Management
add comment=Guest name=br-vlan10-Guest
add comment=Office name=br-vlan20-Office
add comment=Video name=br-vlan30-Video
# Physical port roles. Two uplinks: combo1 (DSL, static address) and
# ether2 (StarLink, DHCP). ether1 is the trunk to the switch that carries
# the four VLAN sub-interfaces defined next; ether3-ether7 are access ports.
/interface ethernet
set [ find default-name=combo1 ] name=combo-WAN comment=DSL
set [ find default-name=ether1 ] name=ether1-O-Switch
set [ find default-name=ether2 ] name=ether2-WAN comment=StarLink
set [ find default-name=ether3 ] name=ether3-Office
set [ find default-name=ether4 ] name=ether4-Office
set [ find default-name=ether5 ] name=ether5-Office
set [ find default-name=ether6 ] name=ether6-Video
set [ find default-name=ether7 ] name=ether7-Management
# Unused SFP+ port kept administratively down (it still appears in the
# "discover" interface list below; harmless while disabled).
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# Tagged VLAN sub-interfaces on the switch trunk (ether1-O-Switch).
# NOTE(review): VLAN 1 is used here as a *tagged* Management VLAN. On many
# switches VLAN 1 is the native/untagged VLAN of a trunk, in which case
# frames would arrive untagged and never reach vl-1-O-Switch-Management;
# confirm the switch tags VLAN 1 on this trunk. Using a non-default VLAN id
# for management is also the usual hardening recommendation.
/interface vlan
add comment=Management interface=ether1-O-Switch name=vl-1-O-Switch-Management vlan-id=1
add comment=Guest interface=ether1-O-Switch name=vl-10-O-Switch-Guest vlan-id=10
add comment=Office interface=ether1-O-Switch name=vl-20-O-Switch-Office vlan-id=20
add comment=Video interface=ether1-O-Switch name=vl-30-O-Switch-Video vlan-id=30
# Interface lists consumed elsewhere in this export:
#   WAN / LAN  - firewall filter and NAT (in-interface-list / out-interface-list)
#   discover   - /ip neighbor discovery-settings
#   mactel / mac-winbox - presumably /tool mac-server; that section is not
#                         part of this excerpt, so their effect is unverified.
/interface list
add name=WAN
add name=LAN
# exclude=dynamic keeps dynamically created interfaces out of the discover list.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
# DHCP address pools, one per VLAN. The Guest pool spans 192.168.10.25 -
# 192.168.11.254, which matches the /23 assigned to br-vlan10-Guest below.
# Addresses below each pool's start (e.g. 192.168.1.2-.19) are presumably
# left free for static assignment - confirm with the operator.
/ip pool
add name=dhcp_pool1 ranges=192.168.1.20-192.168.1.50
add name=dhcp_pool10 ranges=192.168.10.25-192.168.11.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.50
add name=dhcp_pool30 ranges=192.168.30.2-192.168.30.50
# One DHCP server per VLAN bridge. Guest leases are shorter (4h) than the
# other segments (1d), which suits transient clients on the Guest VLAN.
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=br-vlan1-Management lease-time=1d name=dhcp1
add address-pool=dhcp_pool10 disabled=no interface=br-vlan10-Guest lease-time=4h name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=br-vlan20-Office lease-time=1d name=dhcp20
add address-pool=dhcp_pool30 disabled=no interface=br-vlan30-Video lease-time=1d name=dhcp30
# Bridge membership. The first four entries attach the tagged VLAN
# sub-interfaces from the switch trunk; the remaining entries attach the
# untagged access ports to their VLAN bridge.
/interface bridge port
add bridge=br-vlan1-Management interface=vl-1-O-Switch-Management
add bridge=br-vlan10-Guest interface=vl-10-O-Switch-Guest
add bridge=br-vlan20-Office interface=vl-20-O-Switch-Office
add bridge=br-vlan30-Video interface=vl-30-O-Switch-Video
add bridge=br-vlan20-Office interface=ether3-Office
add bridge=br-vlan20-Office interface=ether4-Office
add bridge=br-vlan20-Office interface=ether5-Office
add bridge=br-vlan30-Video interface=ether6-Video
# NOTE(review): ether7 is an untagged port on the Management bridge -
# anything plugged into it lands on the management segment, so physical
# access to that port should be controlled.
add bridge=br-vlan1-Management interface=ether7-Management
# Neighbor discovery is limited to the "discover" interface list.
# NOTE(review): that list (see /interface list member) includes
# br-vlan10-Guest, so the router advertises itself to Guest clients as well;
# consider removing the Guest bridge from the discover list.
/ip neighbor discovery-settings
set discover-interface-list=discover
# Interface list membership. Both uplinks are in WAN; all four VLAN bridges
# are in LAN.
# NOTE(review): because br-vlan10-Guest is a LAN member, the input-chain
# rule "drop all not coming from LAN" (in-interface-list=!LAN) admits Guest
# clients to every router service (DNS, DHCP, Winbox on its custom port,
# neighbor discovery, and - if /tool mac-server uses the mactel/mac-winbox
# lists - MAC-level Telnet/Winbox). Consider a separate list for Guest, or
# explicit input-chain rules that allow only DHCP/DNS from the Guest bridge.
/interface list member
add interface=combo-WAN list=WAN comment=DSL
add interface=br-vlan1-Management list=LAN
add interface=br-vlan10-Guest list=LAN
add interface=br-vlan20-Office list=LAN
add interface=br-vlan30-Video list=LAN
add interface=ether2-WAN list=WAN comment=StarLink
# Discovery on the physical access ports plus the (disabled) SFP+ port.
add interface=ether3-Office list=discover
add interface=ether4-Office list=discover
add interface=ether5-Office list=discover
add interface=ether6-Video list=discover
add interface=ether7-Management list=discover
add interface=sfp-sfpplus1 list=discover
# Discovery on the VLAN bridges, including Guest (see note above).
add interface=br-vlan1-Management list=discover
add interface=br-vlan10-Guest list=discover
add interface=br-vlan20-Office list=discover
add interface=br-vlan30-Video list=discover
# MAC-Telnet / MAC-Winbox candidate interfaces, including Guest (see note above).
add interface=br-vlan1-Management list=mactel
add interface=br-vlan10-Guest list=mactel
add interface=br-vlan20-Office list=mactel
add interface=br-vlan30-Video list=mactel
add interface=br-vlan1-Management list=mac-winbox
add interface=br-vlan10-Guest list=mac-winbox
add interface=br-vlan20-Office list=mac-winbox
add interface=br-vlan30-Video list=mac-winbox
# Router addresses per VLAN bridge. The Guest segment is a /23
# (192.168.10.0 - 192.168.11.255), consistent with dhcp_pool10 and the
# Guest entry under /ip dhcp-server network.
/ip address
add address=192.168.1.1/24 comment=Management interface=br-vlan1-Management network=192.168.1.0
add address=192.168.10.1/23 comment=Guest interface=br-vlan10-Guest network=192.168.10.0
add address=192.168.20.1/24 comment=Office interface=br-vlan20-Office network=192.168.20.0
add address=192.168.30.1/24 comment=Video interface=br-vlan30-Video network=192.168.30.0
#Static IP from DSL Modem
# The /29 (1.2.3.64 - 1.2.3.71) contains the DSL gateway 1.2.3.70 used by
# the RouteTable--DSL route below.
add address=1.2.3.66/29 comment=Static-DSL interface=combo-WAN network=1.2.3.64
# MikroTik cloud DDNS: publishes the router's current public address under
# its cloud hostname.
/ip cloud
set ddns-enabled=yes
#Dynamic IP from Starlink on bridge mode
# DHCP client on the StarLink uplink, sending hostname and client-id.
# NOTE(review): add-default-route / default-route-distance are not shown,
# so the export relies on the DHCP client's defaults for the main-table
# default route; no static default route exists in this excerpt, only the
# marked RouteTable--DSL route. Confirm which uplink is meant to be default.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2-WAN
# DHCP options handed to clients: the router's bridge address as gateway
# and Google public DNS directly (clients do not use the router's resolver).
/ip dhcp-server network
add address=192.168.1.0/24 comment=Management dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.10.0/23 comment=Guest dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 comment=Office dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
add address=192.168.30.0/24 comment=Video dns-server=8.8.8.8,8.8.4.4 gateway=192.168.30.1
# Upstream resolvers for the router itself. allow-remote-requests is not
# shown in this excerpt; if it is enabled, the input-chain LAN-only drop is
# what keeps the resolver from being reachable from WAN.
/ip dns
set servers=8.8.8.8,8.8.4.4
# Address lists. "Bogons" is matched as src/dst in the forward chain.
# "BANIP" is populated with three addresses but no filter rule in this
# excerpt references it (no src-address-list=BANIP / dst-address-list=BANIP),
# so as exported it has no effect. The "allow-bit" list referenced by the
# torrent rule also has no static entries here.
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
# NOTE(review): RFC 3330 reserves the whole 127.0.0.0/8 for loopback; this
# entry only covers 127.0.0.0/16.
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=193.70.81.119 comment=BANIP list=BANIP
add address=185.153.196.93 comment=BANIP list=BANIP
add address=174.99.221.66 comment="BitTorrent Torrent Hash" list=BANIP
add address=172.16.0.0/12 comment=RFC6890 list=Bogons
# NOTE(review): 100.64.0.0/10 is the CGNAT range; StarLink clients commonly
# receive an address from it on the DHCP uplink. The Bogons drops are in the
# forward chain and match the forwarded packet's own src/dst, not the WAN
# address, so this should be harmless - but verify if the uplink is CGNAT.
add address=100.64.0.0/10 comment=RFC6890 list=Bogons
add address=240.0.0.0/4 comment=RFC6890 list=Bogons
# Firewall filter. Rules are evaluated top to bottom per chain; the order
# below therefore matters and several notes concern it.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): this forward accept precedes the fasttrack rule further down,
# so established/related forward traffic is accepted here and fasttrack never
# matches; it also duplicates the "defconf: accept established,related,
# untracked" forward rule below. The default ordering puts fasttrack first.
add action=accept chain=forward connection-state=established,related
# ICMP is accepted from every interface, including WAN (unrated).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# L2TP/IPsec server exposure. These accepts precede the LAN-only drop, so
# UDP 500/1701/4500 and ESP are reachable from both uplinks.
# NOTE(review): UDP 1701 is accepted without ipsec-policy=in,ipsec, so plain
# (unencrypted) L2TP is also admitted; a separate 1701 rule with
# ipsec-policy=in,ipsec would restrict it to IPsec-protected traffic.
add action=accept chain=input comment="L2TP Server over IPSec" port=1701,500,4500 protocol=udp
add action=accept chain=input comment="L2TP Server over IPSec" protocol=ipsec-esp
# Catch-all: only interfaces in the LAN list reach router services.
# Note that the Guest bridge is a LAN member (see /interface list member).
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# NOTE(review): the next two input drops sit after the catch-all above, so
# they never see WAN traffic; they only drop LAN-originated TCP to these
# ports on the router itself. If the intent was to block torrent ports for
# clients, that belongs in the forward chain.
add action=drop chain=input comment="Block Bit Torrent Port" dst-port=44822 protocol=tcp
add action=drop chain=input comment="Block Bit Torrent Port" dst-port=54116 protocol=tcp
# Guest-segment torrent detection: a layer7 match on new connections from
# 192.168.10.0/23 (unless the source is in allow-bit) puts the source in the
# dynamic Torrent-Conn list for 2m; the two rules after it then drop that
# source's TCP/UDP to any port outside the listed exceptions. The
# layer7-bittorrent-exp definition is not part of this excerpt.
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward comment="Block Bit Torrent" layer7-protocol=layer7-bittorrent-exp src-address=192.168.10.0/23 src-address-list=!allow-bit
add action=drop chain=forward comment="Block Bit Torrent" dst-port=!0-1024,9791,5900,5800,3389,14147,5222,59905,500,1701,4500 protocol=tcp src-address-list=Torrent-Conn
add action=drop chain=forward comment="Block Bit Torrent" dst-port=!0-1024,9791,5900,5800,3389,14147,5222,59905,500,1701,4500 protocol=udp src-address-list=Torrent-Conn
# Unreachable for established/related traffic because of the accept above.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Unsolicited new connections from WAN are dropped unless DST-NATed.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# torrent-wwws / torrent-dns layer7 definitions are not part of this excerpt.
add action=drop chain=forward comment="Block torrent wwws" layer7-protocol=torrent-wwws
add action=drop chain=forward comment="Block torrent dns" dst-port=53 layer7-protocol=torrent-dns protocol=udp
add action=drop chain=forward comment="Drop to bogon list from src-address" src-address-list=Bogons
add action=drop chain=forward comment="Drop to bogon list from dst-address" dst-address-list=Bogons
# NOTE(review): there is no forward rule restricting traffic between the
# VLAN bridges, so Guest clients can initiate connections to the
# Management, Office and Video segments. A drop for in-interface=
# br-vlan10-Guest out-interface-list=LAN (before the final accept behaviour
# of the chain) would isolate the Guest segment.
# Source NAT on both uplinks. ipsec-policy=out,none exempts packets that
# match an outgoing IPsec policy, so VPN traffic is not masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Secondary routing table for the DSL uplink: a default route via the DSL
# gateway that applies only to packets carrying routing-mark RouteTable--DSL.
/ip route
add distance=1 gateway=1.2.3.70 routing-mark=RouteTable--DSL
# NOTE(review): this rule requires both conditions (received on combo-WAN
# AND carrying the routing mark). No mangle rule assigning RouteTable--DSL
# is visible in this excerpt; if the intent is that replies to connections
# arriving on DSL leave via DSL, confirm that the routing-mark condition
# does not prevent the rule from ever matching.
/ip route rule
add interface=combo-WAN routing-mark=RouteTable--DSL table=RouteTable--DSL
# Management services. Telnet, FTP, plain HTTP, SSH, API and API-SSL are
# all disabled, leaving Winbox (moved to a non-default port) as the only
# management path shown here; www-ssl is not mentioned in this excerpt.
# No address= restriction is set on winbox; reachability from WAN is
# prevented only by the input-chain LAN-only drop in the firewall filter.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=1234
set api-ssl disabled=yes
# Local time zone for logs and schedules.
/system clock
set time-zone-name=America/Chicago
# Router identity; this is presumably what neighbor discovery advertises on
# the "discover" list interfaces (including the Guest bridge).
/system identity
set name=CCR1009-7G