# feb/26/2022 16:16:12 by RouterOS 7.1.1
# software id = 112E-YX6Y
#
# model = RouterBOARD 750G r3
# serial number = xxxxxxxxxxxx
#
# Purpose: exported RouterOS configuration for an RB750Gr3 acting as the home
# gateway. LAN is 192.168.100.0/24 on "bridge" (ether2-ether5 plus an EoIP
# tunnel); WAN is the tagged VLAN 20 ("internet") on ether1; three WireGuard
# interfaces exist (road-warrior "wireguard-RW" enabled, the two site-to-site
# ones disabled). No passphrases or private keys appear in this export.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=channel1
/interface bridge
add admin-mac=6C:3B:6B:2F:8A:38 auto-mac=no comment=defconf name=bridge
# EoIP carries L2 over the (currently disabled) wireguard-STS-EOIP tunnel;
# its local/remote addresses are the /30 assigned to that interface below.
/interface eoip
add local-address=10.10.20.1 mac-address=02:5F:C8:CC:EE:B3 mtu=1500 name=\
eoip-tunnel-wg-sts remote-address=10.10.20.2 tunnel-id=0
# Only wireguard-RW is enabled; the matching firewall accept rules for the
# STS ports are disabled as well, so the listen ports 13232/13233 are not
# reachable even once these interfaces are turned on (see /ip firewall filter).
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-RW
add disabled=yes listen-port=13232 mtu=1420 name=wireguard-STS
add disabled=yes listen-port=13233 mtu=1420 name=wireguard-STS-EOIP
# WAN is the tagged VLAN 20 on ether1. The WAN interface list (below) contains
# "internet", not ether1 — firewall rules that match on in-interface=ether1
# therefore target the untagged port, not this VLAN.
/interface vlan
add interface=ether1 name=internet vlan-id=20
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=datapath1
# WPA2-PSK with AES-CCM for the managed APs; the passphrase is not exported.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=security1
/caps-man configuration
add channel=channel1 country=spain datapath=datapath1 installation=any mode=\
ap name=cfg1 security=security1 ssid=MASFIBRA-7550
/caps-man interface
add channel=channel1 configuration=cfg1 datapath=datapath1 disabled=no \
mac-address=00:00:00:00:00:00 master-interface=none name=cap1 radio-mac=\
00:00:00:00:00:00 radio-name="" security=security1
# The LAN/WAN lists drive the input/forward drop rules, service reachability
# (mac-server, neighbor discovery) and the masquerade rule. Note that the
# WireGuard interfaces are members of neither list.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
# Default "full" policy set (unchanged from stock); the user created with it
# has every permission, including password/sensitive/policy.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
-75..0 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 name-format=\
identity
# ether5 and the EoIP tunnel were added to the bridge after the default
# configuration (no defconf comment); both are on the LAN side.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge interface=eoip-tunnel-wg-sts
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
# Peers: one road-warrior client (10.10.0.2) and two site-to-site peers that
# reach the remote router through its MikroTik DDNS name.
# NOTE(review): the exported public-key values carry escaped quotes
# ("\"...\""). Presumably an export artifact of this RouterOS version; confirm
# with "/interface wireguard peers print" that the stored key is the bare
# base64 string, since a key containing literal quote characters would never
# match the remote peer.
/interface wireguard peers
add allowed-address=10.10.0.2/32 comment="Movil de Toni" endpoint-port=13231 \
interface=wireguard-RW public-key=\
"\"F56wGXkmKTphl1RNOoVsofzzVCWGrIty6T+Qr2AoMHs=\""
add allowed-address=10.10.10.2/32,192.168.10.0/24 endpoint-address=\
xxxxxxxxxxxx.sn.mynetname.net endpoint-port=13232 interface=wireguard-STS \
public-key="\"P5piUZC7kJPuZkzxYrt3fYlIh8chYKWHWIDseOv8TgY=\""
add allowed-address=10.10.20.2/32 endpoint-address=\
xxxxxxxxxxxx.sn.mynetname.net endpoint-port=13233 interface=\
wireguard-STS-EOIP public-key=\
"\"tNfiIqWkFoWUz0qKnlTKDRjIsxiQa/vbo69DHBWgeHk=\""
# One /30 per WireGuard interface; the router is .1 on each.
/ip address
add address=192.168.100.1/24 interface=bridge network=192.168.100.0
add address=10.10.0.1/30 interface=wireguard-RW network=10.10.0.0
add address=10.10.10.1/30 interface=wireguard-STS network=10.10.10.0
add address=10.10.20.1/30 interface=wireguard-STS-EOIP network=10.10.20.0
# MikroTik cloud DDNS is what the site-to-site peer endpoints resolve through.
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=internet
/ip dhcp-server lease
add address=192.168.100.13 client-id=1:30:5:5c:ca:7a:6b mac-address=\
30:05:5C:CA:7A:6B server=defconf
# DHCP clients get the Pi-hole (192.168.100.34) as primary DNS and the router
# as secondary; clients that fall back to the router bypass the Pi-hole filter.
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=\
192.168.100.34,192.168.100.1 domain=local gateway=192.168.100.1
# The router answers DNS for others (allow-remote-requests=yes). It is not an
# open resolver only because the input chain below drops everything that is
# not from the LAN list; keep that rule if this setting stays on.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# Stale default entry: the LAN was renumbered to 192.168.100.0/24, so
# router.lan still points at the old 192.168.88.1.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Address list used by the forward chain to confine a WireGuard client to
# internet-only access.
/ip firewall address-list
add address=10.10.0.3 list=gorrones
# Input chain: stock defconf plus explicit accepts for the WireGuard ports.
# The final "!LAN" drop also covers the WireGuard interfaces (they are in no
# list), so VPN clients cannot reach services on the router itself
# (DNS, Winbox, SSH); they only get forwarded traffic.
# NOTE(review): the three WireGuard accept rules match in-interface=ether1,
# while WAN traffic is expected on the tagged VLAN interface "internet".
# If the peer handshakes arrive tagged, in-interface is "internet" and these
# rules will not match — confirm via the rule counters; in-interface-list=WAN
# would cover both cases.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Puerto de wireguard-RW" dst-port=13231 \
in-interface=ether1 protocol=udp
add action=accept chain=input comment="Puerto de wireguard-STS" disabled=yes \
dst-port=13232 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Puerto de wireguard-STS-EOIP" \
disabled=yes dst-port=13233 in-interface=ether1 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Forward chain: the only default drop is for new connections from the WAN
# list, so traffic from the WireGuard interfaces towards the LAN is allowed
# unless it comes from the "gorrones" list, which is rejected for every
# destination that is not the WAN.
add action=reject chain=forward comment="bloquea wireward a lista gorrones" \
out-interface-list=!WAN reject-with=icmp-net-prohibited src-address-list=\
gorrones
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Route to the remote site via the site-to-site peer. Its gateway lives on
# wireguard-STS, which is disabled above, so this route stays inactive until
# that interface is enabled.
/ip route
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=10.10.10.2 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# Management services: telnet/api/api-ssl disabled; ftp/ssh/winbox limited to
# the LAN subnet. www is left unrestricted (also still shielded from the WAN
# by the input-chain drop); it could be given the same address= limit, and
# www-ssl is not configured here.
/ip service
set telnet disabled=yes
set ftp address=192.168.100.0/24
set ssh address=192.168.100.0/24
set api disabled=yes
set winbox address=192.168.100.0/24
set api-ssl disabled=yes
# IPv6 section is the stock defconf ruleset (bogon list plus input/forward
# filters); no IPv6 addresses are configured in this export.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Router_750GR3
# The router serves NTP to the LAN; no upstream NTP client is configured in
# this export, so the clock source is not visible here.
/system ntp server
set enabled=yes
# MAC-level access (mac-telnet, mac-winbox) restricted to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Después de seguir las instrucciones de este hilo, he sustituido el router Sagemcom F@st 5657 por una ONT Nokia G010-GP.
Funciona perfecto y un "armatoste" menos, porque es gigante xD
Tengo Pi-hole como servidor DNS en una ip de la red local
Pongo mi export a ver qué opináis, sobre todo por las reglas de Firewall, por si debería añadir alguna más después de este cambio.
He deshabilitado el usuario admin y he creado uno nuevo con otro nombre y permisos full.
He limitado el acceso a ftp, ssh y winbox a mi rango de direcciones local; he dejado el acceso a www como estaba.

Gracias a los que hacéis que estas cosas sean mucho más asequibles.
Prueba de velocidad por si se puede sacar alguna conclusión
