En la ONT no necesitas configurar nada, la configuración va en el router. En el sub de mikrotik puedes encontrarla.
www.adslzone.net
Tienes también el hilo de configuraciones ISP para RouterOS v7. Échale un vistazo. Encontrarás información de lo que necesitas.
MANUAL: Mikrotik, configuraciones básicas ISPs - RouterOS v7 | Mikrotik
Hola, creo que ya sabéis de qué va esto. Vamos a intentar recopilar las configuraciones básicas para echar a andar un mikrotik en las principales.... Entra ahora y participa en este hilo sobre MANUAL: Mikrotik, configuraciones básicas ISPs - RouterOS v7
Saludos.
@AdriG21
Tengo el router en la V7. Solo tengo un Deco. Os dejo el export, aunque como ya digo soy muy nuevo en el tema de routers y seguramente todo pueda estar mucho mejor configurado. Saludos
# may/25/2022 19:58:33 by RouterOS 7.3.1
# software id = 51BJ-P21B
#
# model = RBD52G-5HacD2HnD
# serial number = E5780F13XXXX
/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan6 vlan-id=6
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6 name=pppoe-out1 user=adslppp@telefonicanetpa
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Wifi supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=spain disabled=no frequency=auto installation=indoor mode=ap-bridge mtu=2000 security-profile=Wifi ssid=\
"MikroTik 2.4Ghz" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=spain disabled=no frequency=auto installation=indoor mode=ap-bridge mtu=2000 security-profile=Wifi \
ssid="MikroTik 5Ghz" wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=dhcp_pool2 ranges=10.220.1.20-10.220.1.200
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.220.1.1/24 interface=bridge1 network=10.220.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=10.220.1.0/24 gateway=10.220.1.1 netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.220.1.0/24 list=LAN
add address=download.mikrotik.com list=Updates
/ip firewall filter
add action=drop chain=input connection-state=new dst-port=53 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input connection-state=new dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment=IN_CONN_ESTABLISHED_Y_RELATED connection-state=established,related
add action=drop chain=input comment=IN_DROP_CONN_INVALID connection-state=invalid
add action=accept chain=input comment=IN_CONN_LAN src-address-list=LAN
add action=drop chain=input comment="DROP ALL Execpto DSTNAT" connection-nat-state=dstnat
add action=accept chain=forward comment=FW_CONN_ESTABLISHED_Y_RELATED connection-state=established,related
add action=drop chain=forward comment=FW_INVALID_DROP connection-state=invalid
add action=accept chain=forward comment=FW_CONN_LAN src-address-list=LAN
add action=drop chain=forward comment="FW_DROP_Excepto DSTNAT" connection-nat-state=dstnat
add action=drop chain=input src-address=154.88.26.232
add action=drop chain=input src-address=170.106.115.253
add action=drop chain=input src-address=170.106.115.39
add action=drop chain=input src-address=170.106.173.40
add action=drop chain=input src-address=180.215.130.109
add action=drop chain=input src-address=154.88.26.230
add action=drop chain=input src-address=154.88.26.231
add action=drop chain=input src-address=223.71.167.165
add action=drop chain=input src-address=146.88.240.4
add action=drop chain=input src-address=118.26.110.65
add action=drop chain=input src-address=156.251.172.108
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat disabled=yes dst-port=25565 in-interface=pppoe-out1 log=yes protocol=tcp to-addresses=10.220.1.18 to-ports=25565
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*2
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN# jan/02/1970 00:03:41 by RouterOS 7.3.1
# software id = 51BJ-P21B
#
# model = RBD52G-5HacD2HnD
# serial number = E5780F13XXXX
/interface bridge
add admin-mac=DC:2C:6E:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-08D65D wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
country=spain disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface vlan
add interface=ether1 name="vlan Internet" vlan-id=6
/interface pppoe-client
add add-default-route=yes disabled=no interface="vlan Internet" name=pppoe-out1 \
use-peer-dns=yes user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN####################################################
# MOVISTAR TRIPLE VLAN, TODO EN UN BRIDGE (HW = OFF)
####################################################
# Extraer la IP siguiente de la tabla de VLANs del
# router de Movistar, la que va sobre la vlan 2
:local iptv 10.192.230.50
####################################################
# Activamos el IGMP Snooping en el bridge
# Con este método, prescindimos del hardware offloading
/interface/bridge
set 0 igmp-snooping=yes
# Añadimos las VLANs asociadas al puerto WAN
# Dar de alta las VLANs: 3 VoIP, 2 IPTV
# Suponemos ONT/Router modo bridge, en ether1
/interface/vlan
add interface=ether1 name=vlan2-iptv vlan-id=2
add interface=ether1 name=vlan3-telefono vlan-id=3
# Añadimos una nueva lista donde meteremos las vlans 2 y 3
/interface/list
add comment=vlans-iptv-voip name=VLANs2&3
# Metemos cada interfaz en su lista correspondiente
/interface/list/member
add interface=vlan2-iptv list=VLANs2&3
add interface=vlan3-telefono list=VLANs2&3
# Añadimos la opción especial para el dhcp del desco
# para entregar la dirección del servidor de imagenio
/ip/dhcp-server/option
add code=240 name=opch-imagenio value=\
"':::::239.0.2.29:22222'"
# Abrimos un agujero en el pool principal, para encajar la IPTV,
# y añadimos un nuevo pool para ella.
/ip/pool
set [find name=default-dhcp] ranges=192.168.88.10-192.168.88.247
add name=iptv-dhcp ranges=192.168.88.249-192.168.88.254
# Añadimos un nuevo vendor class para identificar a los descos
# y le decimos que les asigne su sub-pool para IPTV
/ip/dhcp-server/vendor-class-id
add address-pool=iptv-dhcp name=descos vid="[IAL]" server=defconf
# Damos de alta una nueva red para el servidor dhcp del deco,
# con el DNS concreto de telefónica y el servidor de Imagenio
# entregados con la opción 240 del DHCP (personalizada)
# 192.168.88.248/29 = subred de hosts 192.168.88.249 - 254
/ip/dhcp-server/network
add address=192.168.88.248/29 comment=iptv-network \
dhcp-option=opch-imagenio dns-server=172.26.23.3 \
gateway=192.168.88.1 netmask=24
# Crear un cliente DHCP para la vlan del teléfono, sin ruta por defecto.
# La ruta necesaria con distancia 120 la creará RIP, dinámicamente.
/ip/dhcp-client
add interface=vlan3-telefono add-default-route=no \
use-peer-ntp=no use-peer-dns=no
# Declaramos la IP de la IPTV estática, ya que de momento
# no podemos obtenerla de manera dinámica.
/ip/address
add address="$iptv/9" interface=vlan2-iptv
# Aceptar el tráfico en el input del firewall, para que RIP funcione.
# Origen la VLANs2&3, destino la dirección multicast 224.0.0.9,
# puerto 520 y tipo de tráfico UDP (RIPv2, RFC-2453). La colocamos
# delante de la regla general de DROP que hay en el chain de input
# Además, aceptamos el tráfico multicast IGMP de la vlan iptv.
/ip/firewall/filter
add action=accept chain=input comment="voip: accept rip multicast traffic" \
in-interface-list=VLANs2&3 dst-address=224.0.0.9 dst-port=520 protocol=udp \
place-before=[find where comment="defconf: drop all not coming from LAN"]
add action=accept chain=input comment="iptv: accept multicast igmp traffic" \
in-interface=vlan2-iptv protocol=igmp \
place-before=[find where comment="defconf: drop all not coming from LAN"]
# Además del masquerade a la lista WAN (defconf), añadimos los masquerade
# para la vlan de teléfono y netmap para la iptv, a la IP del IPTV que hemos
# extraído del router movistar
# NOTA: prueba EXPERIMENTAL con netmap. Si no te funciona, dime y lo sustituimos
# por una regla de masquerade + dst-nat a la IP del desco.
/ip/firewall/nat
add action=masquerade chain=srcnat comment=masq-voip out-interface=vlan3-telefono
add action=netmap chain=srcnat comment=netmap-iptv out-interface=vlan2-iptv \
src-address=192.168.88.248/29 to-addresses=$iptv
# Configuramos el IGMP-proxy:
# aplica sobre la vlan2-iptv como upstrem
# y sobre el propio bridge
/routing/igmp-proxy
set query-interval=30s quick-leave=yes
/routing/igmp-proxy/interface
add alternative-subnets=0.0.0.0/0 interface=vlan2-iptv upstream=yes
add interface=bridge
# Activamos RIP para VoIP e IPTV
/routing/rip/instance
add afi=ipv4 disabled=no name=rip
/routing rip interface-template
add instance=rip interfaces=vlan2-iptv,vlan3-telefono mode=passiveimport fichero.rsc
Vale. Fíjate en la IP que se le ha asignado al desco. la puedes ver en IP -> DHCP Server Leases. Una vez localizada, le das doble click y la marcas como estática con el botón Make Static. Hecho esto, te vas a IP firewall NAT y borras la regla que tiene como acción el netmap, y creas lo siguiente:
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"masq. IPTV" out-interface-list=vlan2-iptv
add action=dst-nat chain=dstnat comment="VOD Movistar 1 Desco" dst-address-type=local \
in-interface=vlan2-iptv to-addresses=192.168.88.XXEso es, out-interfce, en lugar de out-interface-list. Tendrías tres reglas de masquerade (la general de la lista LAN y las dos específicas de las vlans de teléfono y tv) + el mapeo con el dst-nat haciendo al desco.
Qué ip coge el desco? Trinca el pool del rango superior, el del /29 del DHCP condicional? Sino, pasa export y lo vemos.
# jul/01/2022 18:36:15 by RouterOS 7.3.1
# software id = 51BJ-P21B
#
# model = RBD52G-5HacD2HnD
# serial number = E5780F13XXXX
/interface bridge
add admin-mac=DC:2C:XX:XX:XX:XX auto-mac=no comment=defconf igmp-snooping=yes \
name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-08D65D wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
country=spain disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=MikroTik-08D65E wireless-protocol=802.11
/interface vlan
add interface=ether1 name=VLANInternet vlan-id=6
add interface=ether1 name=vlan2-iptv vlan-id=2
add interface=ether1 name=vlan3-telefono vlan-id=3
/interface pppoe-client
add add-default-route=yes disabled=no interface=VLANInternet name=pppoe-out1 \
use-peer-dns=yes user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=vlans-iptv-voip name=VLANs2&3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=240 name=opch-imagenio value="':::::239.0.2.29:22222'"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=iptv-dhcp ranges=192.168.88.249-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/routing rip instance
add afi=ipv4 disabled=no name=rip
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=*B list=WAN
add interface=vlan2-iptv list=VLANs2&3
add interface=vlan3-telefono list=VLANs2&3
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.88.167.235/9 interface=vlan2-iptv network=10.0.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add add-default-route=no interface=vlan3-telefono use-peer-dns=no use-peer-ntp=\
no
/ip dhcp-server lease
add address=192.168.88.254 client-id="61:72:72:69:73:5f:53:54:49:48:32:30:37:2d:\
30:2e:30:5f:32:38:35:37:30:35:35:33:32:34:36:35" mac-address=\
50:95:51:7B:71:C1 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
add address=192.168.88.248/29 comment=iptv-network dhcp-option=opch-imagenio \
dns-server=172.26.23.3 gateway=192.168.88.1 netmask=24
/ip dhcp-server vendor-class-id
add address-pool=iptv-dhcp name=descos server=defconf vid="[IAL]"
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="voip: accept rip multicast traffic" \
dst-address=224.0.0.9 dst-port=520 in-interface-list=VLANs2&3 protocol=udp
add action=accept chain=input comment="iptv: accept multicast igmp traffic" \
in-interface=vlan2-iptv protocol=igmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=masq-voip out-interface=\
vlan3-telefono
add action=masquerade chain=srcnat comment="masq. IPTV" out-interface=\
vlan2-iptv
add action=dst-nat chain=dstnat comment="VOD Movistar 1 Desco" \
dst-address-type=local in-interface=vlan2-iptv to-addresses=192.168.88.254
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing igmp-proxy
set query-interval=30s quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan2-iptv upstream=yes
add interface=bridge
/routing rip interface-template
add instance=rip interfaces=vlan2-iptv,vlan3-telefono mode=passive
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN