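# 2025-01-08 17:16:18 by RouterOS 7.16.2
#
# model = RB5009UPr+S+
#
# Reformatted from a single-line export: one statement per line, runtime values
# (names, addresses, comment= strings) unchanged. Lines starting with '#' are
# ignored by /import.
#
# Only functional change: in /ip firewall filter the "Allow mDNS" input accept
# is moved ahead of the non_mgmt_addr drop. As exported, the drop came first and
# matched every packet sourced from 192.168.2.0/24 or 192.168.14.0/24, so the
# mDNS accept could never fire for vlan2/vlan14 even though both are members of
# mdns_int. Everything else flagged below is left as-is with a NOTE(review).
#
# NOTE(review): this export contains no /interface wireguard section and no
# passwords under /ppp secret, so it looks like a hide-sensitive/partial export.
# Review the omitted sections separately (WireGuard listen-port, peers, keys).

/container mounts
add dst=/config name=br_conf src=/usb1/containers/github/bonjour-reflector/conf
add dst=/opt/adguardhome/work name=adgh_work src=/usb1/containers/dockers/adguardhome/work
add dst=/opt/adguardhome/conf name=adgh_conf src=/usb1/containers/dockers/adguardhome/conf

/disk
# USB media is not shared over the network (media-sharing=no).
set usb1 media-interface=none media-sharing=no

/interface bridge
# bridge1 carries the tagged VLANs; "dockers" is a separate, non-VLAN-filtering
# bridge that only holds the AdGuard veth.
add name=bridge1 vlan-filtering=yes
add name=dockers

/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] comment=ds9
set [ find default-name=ether3 ] comment="Ubiquiti Unifi U6 Enterprise"
set [ find default-name=ether4 ] comment="switch - desktop - VLAN4"
set [ find default-name=ether5 ] comment="switch - VLAN2"
# Unused ports are administratively down rather than left on the bridge.
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface veth
add address=127.1.0.10/32 disabled=yes gateway=127.1.0.1 gateway6="" name=veth1-reflector
add address=192.168.14.2/24 gateway=192.168.14.1 gateway6="" name=veth2-adguard

/interface vlan
add comment="Wi-Fi 2.4GHz - IoT" interface=bridge1 name=vlan2 vlan-id=2
add comment="management VLAN" interface=bridge1 name=vlan4 vlan-id=4
add interface=bridge1 name=vlan14 vlan-id=14

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=non_mgmt_int
add comment="interfaces allowed for mDNS traffic" name=mdns_int

/ip pool
add name=dhcp_pool4 ranges=192.168.4.25-192.168.4.253
# NOTE(review): vpn_pool (OpenVPN/PPP) sits inside 10.168.4.0/24, the same
# subnet assigned to wireguard1 below, and the PPP local-address 10.168.4.1 is
# the wireguard1 address. Two VPN technologies sharing one subnet makes
# interface-based firewall matching ambiguous; consider separate ranges.
add name=vpn_pool ranges=10.168.4.25-10.168.4.254
add name=dhcp_pool2 ranges=192.168.2.200-192.168.2.254
add name=dhcp_pool3 ranges=192.168.14.25-192.168.14.254

/ip dhcp-server
add address-pool=dhcp_pool2 interface=vlan2 lease-time=4d name=dhcp2
add address-pool=dhcp_pool3 interface=vlan14 lease-time=4d name=dhcp3
add address-pool=dhcp_pool4 interface=vlan4 lease-time=4d name=dhcp4

/ip smb users
# Built-in guest account disabled; only the named user can reach shares.
set [ find default=yes ] disabled=yes
add name=itunes

/ppp profile
add dns-server=192.168.14.2 local-address=10.168.4.1 name=vpn_profile remote-address=vpn_pool use-encryption=yes

/system logging action
add disk-file-count=20 disk-file-name=usb1/RB5009UPr+S+IN/log disk-lines-per-file=4096 name=usb target=disk
add disk-file-count=20 disk-file-name=usb1/RB5009UPr+S+IN/auth.log disk-lines-per-file=4096 name=auth target=disk

/container
# Only one instance per veth can run at a time; the "backup" entries share the
# same interface and mounts and are not start-on-boot.
add comment="AdGuardHome - backup container using same config as main container" interface=veth2-adguard logging=yes mounts=adgh_work,adgh_conf root-dir=usb1/containers/dockers/adguardhome/adgh-2 workdir=/opt/adguardhome/work
add comment="AdGuardHome - main container" interface=veth2-adguard logging=yes mounts=adgh_work,adgh_conf root-dir=usb1/containers/dockers/adguardhome/adgh-1 start-on-boot=yes workdir=/opt/adguardhome/work
add comment="bonjour-reflector - backup container using same config as main container" interface=veth1-reflector logging=yes mounts=br_conf root-dir=usb1/containers/github/bonjour-reflector/br-2 workdir=/
add comment="bonjour-reflector - main container" interface=veth1-reflector logging=yes mounts=br_conf root-dir=usb1/containers/github/bonjour-reflector/br-1 start-on-boot=yes workdir=/

/container config
# NOTE(review): tmpdir uses "usb1-part1/..." while every other path uses
# "usb1/..."; confirm both resolve to the same device (pulls fail otherwise).
set registry-url=https://ghcr.io tmpdir=usb1-part1/containers/tmp

/ip smb
# SMB is bound to the management VLAN only.
set domain=startrek enabled=yes interfaces=vlan4

/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2 pvid=4
add bridge=bridge1 comment=defconf interface=ether3 pvid=4
add bridge=bridge1 comment=defconf interface=ether4 pvid=4
add bridge=bridge1 comment=defconf interface=ether5 pvid=2
add bridge=bridge1 comment=defconf interface=ether8 pvid=2
# Reflector port is disabled; mDNS across VLANs currently relies on
# /ip dns mdns-repeat-ifaces instead of the container.
add bridge=bridge1 disabled=yes edge=yes frame-types=admit-only-vlan-tagged ingress-filtering=no interface=veth1-reflector learn=yes multicast-router=permanent point-to-point=yes pvid=999
add bridge=dockers interface=veth2-adguard
add bridge=bridge1 comment=defconf interface=ether7 pvid=4

/ip firewall connection tracking
set udp-timeout=10s

/ip settings
set rp-filter=loose

/ipv6 settings
# IPv6 is disabled globally; the /ipv6 firewall sections below are inert until
# this is changed.
set disable-ipv6=yes

/interface bridge vlan
# veth1-reflector not a bridge port
add bridge=bridge1 tagged=bridge1,ether3,veth1-reflector untagged=ether5,ether8 vlan-ids=2
# veth1-reflector not a bridge port
add bridge=bridge1 tagged=bridge1,ether3,veth1-reflector vlan-ids=14
# veth1-reflector not a bridge port
add bridge=bridge1 tagged=bridge1,veth1-reflector untagged=ether2,ether3,ether4,ether7 vlan-ids=4

/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add disabled=yes interface=wireguard1 list=LAN
add interface=vlan4 list=LAN
add interface=vlan2 list=non_mgmt_int
add interface=vlan14 list=non_mgmt_int
add interface=vlan2 list=mdns_int
add interface=vlan4 list=mdns_int
add interface=vlan14 list=mdns_int

/interface ovpn-server server
# NOTE(review): no enabled=yes is exported, so this server appears to be off.
# If it is turned on, prefer auth=sha256 and cipher=aes256-gcm once the two
# ppp secrets below can be re-provisioned; sha1/aes256-cbc are legacy choices.
set auth=sha1 certificate=vpn_server-cert cipher=aes256-cbc default-profile=vpn_profile require-client-certificate=yes

/ip address
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.4.1/24 comment="management VLAN" interface=vlan4 network=192.168.4.0
# NOTE(review): 192.168.14.1/24 is configured on BOTH "dockers" and "vlan14".
# The AdGuard veth (192.168.14.2) is only on the dockers bridge, yet dhcp3 hands
# vlan14 clients 192.168.14.2 as their resolver; which connected route wins is
# not obvious from this export. Verify vlan14 clients can actually reach
# 192.168.14.2, or give the container bridge its own subnet.
add address=192.168.14.1/24 interface=dockers network=192.168.14.0
add address=10.168.4.1/24 interface=wireguard1 network=10.168.4.0
add address=192.168.14.1/24 interface=vlan14 network=192.168.14.0

/ip arp
add address=192.168.4.254 comment="used to broadcast WoL packet to clients on VLAN4 - https://networkingpills.wordpress.com/2020/06/14/wake-on-lan-from-public-network-mikrotik-practical-example/" interface=vlan4 mac-address=FF:FF:FF:FF:FF:FF

/ip cloud
# Publishes the WAN address to MikroTik's DDNS service.
set ddns-enabled=yes

/ip dhcp-client
add comment=defconf interface=ether1_WAN use-peer-dns=no

/ip dhcp-server alert
# Logs when a DHCP server other than the router's own MAC answers on bridge1.
add disabled=no interface=bridge1 on-alert=":log error message=\"Rogue DHCP Server detected\"" valid-server=78:9A:18:A2:E2:C6

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.14.2 gateway=192.168.2.1
# NOTE(review): handing out 8.8.8.8/8.8.4.4 alongside AdGuard means management
# clients may resolve through Google directly and bypass filtering whenever
# their resolver chooses the fallback; the dstnat "force DNS" rules that would
# catch this are disabled below.
add address=192.168.4.0/24 dns-server=192.168.14.2,8.8.8.8,8.8.4.4 gateway=192.168.4.1
add address=192.168.14.0/24 dns-server=192.168.14.2 gateway=192.168.14.1

/ip dns
# allow-remote-requests=yes exposes the router resolver to LAN-list interfaces;
# WAN is blocked by the input "drop all not coming from LAN" rule.
set allow-remote-requests=yes mdns-repeat-ifaces=vlan4,vlan14,vlan2 servers=192.168.14.2,8.8.8.8,8.8.4.4

/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890 - IPv4 addresses that cannot be forwarded" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - IPv4 addresses that cannot be forwarded" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast - IPv4 addresses that cannot be forwarded, however disable this if you intend to use multicast forwarding" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890 - IPv4 addresses that cannot be forwarded" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890 - IPv4 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890 - IPv4 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation - IPv4 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation - IPv4 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation - IPv4 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved - IPv4 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark - IPv4 addresses that cannot be routed globally" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890 - IPv4 addresses that cannot be routed globally" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast - IPv4 addresses that cannot be source address" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890 - IPv4 addresses that cannot be source address" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890 - IPv4 addresses that cannot be destination address" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890 - IPv4 addresses that cannot be destination address" list=bad_dst_ipv4
add address=192.168.2.0/24 comment="VLAN addresses that are not part of the management VLAN" list=non_mgmt_addr
add address=192.168.14.0/24 comment="VLAN addresses that are not part of the management VLAN" list=non_mgmt_addr
# NOTE(review): SMB_servers, SMB_clients, syncthing_servers, syncthing_clients,
# iSyncr_servers, iSyncr_clients and WoL_clients are referenced by forward rules
# below but are not defined in this export. If they are empty the matching
# accept rules never fire and the non_mgmt_int -> vlan4 drop wins (fail-closed).
# Confirm they are populated elsewhere (e.g. dynamic entries) if those flows
# are expected to work.

/ip firewall filter
# --- input chain ---
# FIX: this accept must precede the non_mgmt_addr drop. In the original order
# the drop matched all traffic sourced from 192.168.2.0/24 and 192.168.14.0/24
# first, so mDNS from vlan2/vlan14 never reached this rule despite both being
# in mdns_int. Rule fields are unchanged; only its position moved.
add action=accept chain=input comment="Allow mDNS from specific interfaces" dst-address=224.0.0.251 dst-port=5353 in-interface-list=mdns_int log-prefix=mDNS protocol=udp src-port=5353
add action=drop chain=input comment="Drop traffic to the router from IPv4 addresses contained in the non-mgmt firewall address list" src-address-list=non_mgmt_addr
# NOTE(review): "after RAW" assumes the raw chain filtered/rate-limited ICMP;
# see the note on the first /ip firewall raw rule - that is not currently true.
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# NOTE(review): matches on source address only (no in-interface). Spoofed
# 10.168.4.x sources from vlan2/vlan14 would pass this rule, since the
# non_mgmt_addr drop above is also address-based. Adding in-interface=wireguard1
# (and a parallel in-interface=all-ppp rule if OpenVPN is ever enabled, as the
# PPP pool shares this subnet) closes that gap.
add action=accept chain=input comment="Allow WireGuard traffic" src-address=10.168.4.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: anything not from a LAN-list interface (bridge1, vlan4) is
# dropped; there is no explicit accept for LAN, which falls through to allow.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain ---
add action=accept chain=forward comment="Allow OpenVPN clients to access LAN" disabled=yes in-interface=all-ppp in-interface-list=!WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy - if IPsec tunnels are used on the router this rule should be enabled" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy - if IPsec tunnels are used on the router this rule should be enabled" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept *SMB traffic from clients not on VLAN2 that are in the SMB_clients firewall address list to servers on VLAN4 that are in the SMB_servers firewall address" dst-address-list=SMB_servers dst-port=445 in-interface=!vlan2 out-interface=vlan4 protocol=tcp src-address-list=SMB_clients
add action=accept chain=forward comment="Accept *syncthing* traffic from clients not on VLAN2 that are in the syncthing_clients firewall address list to servers on VLAN4 that are in the syncthing_servers firewall address list" dst-address-list=syncthing_servers dst-port=22000 in-interface=!vlan2 out-interface=vlan4 protocol=udp src-address-list=syncthing_clients
add action=accept chain=forward comment="Accept *syncthing* traffic from clients not on VLAN2 that are in the syncthing_clients firewall address list to servers on VLAN4 that are in the syncthing_servers firewall address list" dst-address-list=syncthing_servers dst-port=22000 in-interface=!vlan2 out-interface=vlan4 protocol=tcp src-address-list=syncthing_clients
add action=accept chain=forward comment="Accept *iSyncr* traffic from clients not on VLAN2 that are in the iSyncr_clients address list to servers on VLAN44 that are in the iSyncr_servers firewall address list" dst-address-list=iSyncr_servers dst-port=34000 in-interface=!vlan2 out-interface=vlan4 protocol=tcp src-address-list=iSyncr_clients
# NOTE(review): the five "WoL" rules below share one copy-pasted comment; only
# the fourth is enabled and it actually permits ALL vlan4 -> vlan2 traffic
# (which no later rule would have dropped anyway). Rename the comments so the
# intent of each rule is visible in the rule list.
add action=accept chain=forward comment="Accept *WoL* packets traffic from non-VLAN2 in WoL_clients address list to servers on VLAN4" disabled=yes dst-address=192.168.4.254 dst-port=9 in-interface=!vlan2 out-interface=vlan4 protocol=udp src-address-list=WoL_clients
add action=accept chain=forward comment="Accept *WoL* packets traffic from non-VLAN2 in WoL_clients address list to servers on VLAN4" disabled=yes in-interface-list=mdns_int out-interface=vlan2
add action=accept chain=forward comment="Accept *WoL* packets traffic from non-VLAN2 in WoL_clients address list to servers on VLAN4" disabled=yes out-interface=vlan2 protocol=udp
add action=accept chain=forward comment="Accept *WoL* packets traffic from non-VLAN2 in WoL_clients address list to servers on VLAN4" dst-address=192.168.2.0/24 src-address=192.168.4.0/24
add action=accept chain=forward comment="Accept *WoL* packets traffic from non-VLAN2 in WoL_clients address list to servers on VLAN4" disabled=yes dst-address=192.168.2.0/24 src-address=192.168.14.0/24
add action=drop chain=forward comment="Drop traffic from interfaces in the non-mgmt interface list to VLAN4 " in-interface-list=non_mgmt_int out-interface=vlan4
add action=drop chain=forward comment="Drop traffic from VLAN2 to VLAN14" in-interface=vlan2 out-interface=vlan14
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
# NOTE(review): there is no terminal drop in forward, so anything not matched
# above is allowed: e.g. vlan14 -> vlan2 and dockers -> any VLAN are permitted.
# If that is not intended, add an explicit "drop everything else" at the end
# after confirming the inter-VLAN accepts above cover every required flow.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
# NOTE(review): the DNS redirect is disabled, so IoT devices with hard-coded
# resolvers bypass AdGuard entirely. Re-enable once 192.168.14.2 is reachable
# from every VLAN (see the /ip address note).
add action=dst-nat chain=dstnat comment="[1/4] following 4 lines force all DNS traffic to AdGuard Home DNS and block WAN traffic to port 53" disabled=yes dst-address=!192.168.14.2 dst-port=53 in-interface=!ether1_WAN protocol=udp src-address=!192.168.14.2 to-addresses=192.168.14.2
add action=dst-nat chain=dstnat comment="[2/4] for more details see https://www.reddit.com/r/pihole/comments/aj9mxd/force_all_dns_traffic_to_go_through_pihole_using/\?rdt=35355" disabled=yes dst-address=!192.168.14.2 dst-port=53 in-interface=!ether1_WAN protocol=tcp src-address=!192.168.14.2 to-addresses=192.168.14.2
add action=masquerade chain=srcnat comment="[3/4]" disabled=yes dst-address=192.168.14.2 dst-port=53 protocol=udp
add action=masquerade chain=srcnat comment="[4/4]" disabled=yes dst-address=192.168.14.2 dst-port=53 protocol=tcp

/ip firewall raw
# NOTE(review): this unconditional accept is ENABLED (the IPv6 twin below is
# disabled=yes, as in the MikroTik default). Because it is first, every rule
# under it - bogon/anti-spoof drops, "drop non global from WAN", the TCP-flag
# and ICMP rate-limit chains - is never evaluated for IPv4. Do NOT simply
# disable it: vlan2, vlan14, dockers and wireguard1 are in neither the LAN nor
# WAN list, so "drop the rest" would then discard all of their traffic. Add
# those interfaces to an interface list that is accepted before "drop the rest"
# (and extend the DHCP-discover accept to it), then disable this rule.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.4.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.4.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter - drop TCP packets known to be invalid" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: ICMP filtering - echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: ICMP filtering - net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: ICMP filtering - host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: ICMP filtering - protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: ICMP filtering - port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: ICMP filtering - fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: ICMP filtering - echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: ICMP filtering - time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: ICMP filtering - drop other icmp" protocol=icmp

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip service
# Plaintext/legacy services off; ssh and winbox bound to the management subnet.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.4.0/24
set api disabled=yes
set winbox address=192.168.4.0/24
set api-ssl disabled=yes

/ip smb shares
set [ find default=yes ] directory=/pub
add directory=usb1/itunes name=itunes valid-users=itunes

/ip ssh
set host-key-type=ed25519 strong-crypto=yes

/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast - IPv6 addresses that cannot be forwarded" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast - IPv6 addresses that cannot be forwarded. Disable this if you intend to use multicast forwarding." list=no_forward_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::1/128 comment="defconf: RFC6890 lo - IPv6 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped - IPv6 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - IPv6 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation - IPv6 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid - IPv6 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat - IPv6 addresses that cannot be used as src/dst/forwarded, etc." list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only - IPv6 addresses that cannot be routed globally." list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO - IPv6 addresses that cannot be routed globally" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark - IPv6 addresses that cannot be routed globally" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local - IPv6 addresses that cannot be routed globally" list=not_global_ipv6
add address=::/128 comment="defconf: unspecified - addresses as an invalid destination address" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified - addresses as an invalid source address" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast - addresses as an invalid source address" list=bad_src_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept IPsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# NOTE(review): the next rule's action (accept) contradicts its own comment
# ("drop ll if hop-limit!=255"). Inert while IPv6 is disabled; revisit before
# enabling IPv6.
add action=accept chain=icmp6 comment="defconf: ICMP filtering - rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: ICMP filtering - rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: ICMP filtering - drop other icmp" protocol=icmpv6

/ppp secret
# Passwords are not present in this export; both accounts use client certs
# (require-client-certificate=yes on the OVPN server).
add name=pixel7pro profile=vpn_profile service=ovpn
add name=gl-axt1800 profile=vpn_profile service=ovpn

/system logging
# General topics go to the "usb" disk action; account (login/logout) events get
# their own auth.log file.
add action=usb topics=warning
add action=usb topics=info
add action=usb topics=error
add action=usb topics=critical
add action=auth topics=account

/system note
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
add address=0.us.pool.ntp.org
add address=1.us.pool.ntp.org
add address=2.us.pool.ntp.org
add address=3.us.pool.ntp.org

/tool bandwidth-server
set enabled=no

/tool mac-server
# MAC-level telnet/winbox is reachable from LAN-list interfaces; restricting
# these to vlan4 alone would align them with the /ip service bindings above.
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

/tool mac-server ping
set enabled=no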