From 7c3e480540f253ebd25520e261ecadd184d25bb8 Mon Sep 17 00:00:00 2001
From: Daniel Mason
Date: Wed, 18 Sep 2024 19:46:28 +1200
Subject: [PATCH] Add Mikrotik default conf
---
 mikrotik-dhcp-novlan.conf | 143 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 143 insertions(+)
 create mode 100644 mikrotik-dhcp-novlan.conf
diff --git a/mikrotik-dhcp-novlan.conf b/mikrotik-dhcp-novlan.conf
new file mode 100644
index 0000000..0519943
--- /dev/null
+++ b/mikrotik-dhcp-novlan.conf
@@ -0,0 +1,143 @@
+# 2024-09-18 19:38:27 by RouterOS 7.16rc4
+#
+# WAN on ether1 - No VLAN
+# Optional changes:
+# - Change DHCP IP range (Default 192.168.66.0/24)
+# - Change WAN interface (Default ether1)
+# - Confirm WAN interface is not in LAN bridge
+#
+# model = RB5009UG+S+
+/interface list
+add comment=defconf name=WAN
+add comment=defconf name=LAN
+
+/ip pool
+add name=dhcp ranges=192.168.66.100-192.168.66.0.254
+
+/ip dhcp-server
+add address-pool=dhcp interface=bridge name=defconf
+
+/ip neighbor discovery-settings
+set discover-interface-list=LAN
+
+/ipv6 settings
+set accept-router-advertisements=yes
+
+/interface list member
+add comment=WAN interface=ether1 list=WAN
+add comment=LAN interface=bridge list=LAN
+
+/ip address
+add address=192.168.66.1/24 comment=defconf interface=bridge network=192.168.66.0
+
+/ip dhcp-client
+add comment=defconf interface=ether1
+
+/ip dhcp-server network
+add address=192.168.66.1/24 comment=defconf gateway=192.168.66.1 netmask=24
+
+/ip dns
+set allow-remote-requests=yes
+
+/ip firewall filter
+add action=accept chain=input comment=\
+ "defconf: accept established,related,untracked" connection-state=\
+ established,related,untracked
+add action=drop chain=input comment="defconf: drop invalid" connection-state=\
+ invalid
+add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
+add action=accept chain=input comment=\
+ "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
+add action=drop chain=input comment="defconf: drop all not coming from LAN" \
+ in-interface-list=!LAN
+
+add action=accept chain=forward comment="defconf: accept in ipsec policy" \
+ ipsec-policy=in,ipsec
+add action=accept chain=forward comment="defconf: accept out ipsec policy" \
+ ipsec-policy=out,ipsec
+add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
+ connection-state=established,related hw-offload=yes
+add action=accept chain=forward comment=\
+ "defconf: accept established,related, untracked" connection-state=\
+ established,related,untracked
+add action=drop chain=forward comment="defconf: drop invalid" \
+ connection-state=invalid
+add action=drop chain=forward comment=\
+ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
+ connection-state=new in-interface-list=WAN
+
+/ip firewall nat
+add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
+ out,none out-interface-list=WAN
+
+/ipv6 address
+add address=::1 from-pool=pool-ipv6 interface=bridge
+
+/ipv6 dhcp-client
+add interface=ether1 pool-name=pool-ipv6 request=prefix use-interface-duid=yes \
+ use-peer-dns=no
+
+/ipv6 firewall address-list
+add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
+add address=::1/128 comment="defconf: lo" list=bad_ipv6
+add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
+add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
+add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
+add address=100::/64 comment="defconf: discard only " list=bad_ipv6
+add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
+add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
+add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
+
+/ipv6 firewall filter
+add action=accept chain=input comment=\
+ "defconf: accept established,related,untracked" connection-state=\
+ established,related,untracked
+add action=drop chain=input comment="defconf: drop invalid" connection-state=\
+ invalid
+add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
+add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
+ 33434-33534 protocol=udp
+add action=accept chain=input comment=\
+ "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
+ udp src-address=fe80::/10
+add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
+ protocol=udp
+add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
+ ipsec-ah
+add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
+ ipsec-esp
+add action=accept chain=input comment=\
+ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
+add action=drop chain=input comment=\
+ "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
+add action=accept chain=forward comment=\
+ "defconf: accept established,related,untracked" connection-state=\
+ established,related,untracked
+add action=drop chain=forward comment="defconf: drop invalid" \
+ connection-state=invalid
+add action=drop chain=forward comment=\
+ "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
+add action=drop chain=forward comment=\
+ "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
+add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
+ hop-limit=equal:1 protocol=icmpv6
+add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
+ icmpv6
+add action=accept chain=forward comment="defconf: accept HIP" protocol=139
+add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
+ 500,4500 protocol=udp
+add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
+ ipsec-ah
+add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
+ ipsec-esp
+add action=accept chain=forward comment=\
+ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
+add action=drop chain=forward comment=\
+ "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
+
+/ipv6 nd
+set [ find default=yes ] hop-limit=64 interface=\
+ bridge ra-preference=high
+
+/system clock
+set time-zone-name=Pacific/Auckland
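Review bot: The DHCP pool upper bound `192.168.66.0.254` in the `/ip pool` section is not a valid IPv4 address (five octets), so the `add name=dhcp ranges=...` line will presumably be rejected on import and the `defconf` DHCP server will point at a pool that never got created; it should read `add name=dhcp ranges=192.168.66.100-192.168.66.254`. The `/ip dhcp-server network` entry gives `address=192.168.66.1/24` where a network prefix is expected — RouterOS may normalise it, but `address=192.168.66.0/24` matches the `network=192.168.66.0` already used in `/ip address` and removes the ambiguity. Note also that every `interface=bridge` reference relies on a `bridge` interface and its port membership that this file does not create, and the `!LAN` input drops plus the WAN `!dstnat` forward drop are the only thing keeping `allow-remote-requests=yes` DNS and router management off the WAN side; the header comment about keeping ether1 out of the bridge is therefore load-bearing and would be safer expressed as an explicit `/interface bridge port` section than left as a reminder to the operator.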