# RouterOS configuration export for a home router with FTTH PPPoE uplink,
# dual-band Wi-Fi, an IKEv2 road-warrior VPN and one port forward to a NAS.
# Sensitive values are masked with X. Comments below are review notes; the
# commands themselves are unchanged. NOTE(review) items are points to confirm.
/interface bridge
# Single LAN bridge with a fixed admin MAC. protocol-mode=none switches (R)STP
# off, so a cabling loop between two bridge ports would not be detected.
add admin-mac=08:XX:XX:XX:XX:EE auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface ethernet
# ether1 is the WAN uplink; ether2-5 are renamed after the room/device they serve.
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-salon
set [ find default-name=ether3 ] name=ether3-nas
set [ find default-name=ether4 ] name=ether4-pcdespacho
set [ find default-name=ether5 ] name=ether5-portatil
/interface wireless
# Two APs (2.4 GHz on 2462 MHz / channel 11, 5 GHz on 5500 MHz / channel 100)
# with the same SSID; both are bridged into the LAN below and use the default
# security profile edited further down.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=spain disabled=no \
distance=indoors frequency=2462 installation=indoor mode=ap-bridge name=\
wlan1-2G ssid=XXXXXXX wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=spain disabled=no distance=indoors frequency=\
5500 mode=ap-bridge name=wlan2-5G ssid=XXXXXXX wireless-protocol=\
802.11
/interface vlan
# PPPoE runs tagged (VLAN 20) on the WAN port; the PPPoE user below ends in
# "@digi", so presumably this is the ISP's required VLAN — confirm.
add interface=ether1-wan name=vlan20 vlan-id=20
/interface pppoe-client
# PPPoE session over vlan20; it installs the default route. MRU/MTU 1492 leaves
# room for the 8-byte PPPoE header on a 1500-byte link.
add ac-name=ftth add-default-route=yes disabled=no interface=vlan20 max-mru=\
1492 max-mtu=1492 name=pppoe-out1 password=XXXXXXXX service-name=ftth \
user=XXXXXXXXXXXX@digi
/interface list
# WAN/LAN lists drive the firewall (in-interface-list / out-interface-list) and
# the management restrictions (neighbor discovery, mac-server) below.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Shared PSK profile for both radios.
# NOTE(review): authentication-types still includes wpa-psk (WPA1). If no client
# needs WPA1, wpa2-psk alone is the usual hardening step — confirm client
# compatibility before changing it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
XXXXXXXX wpa2-pre-shared-key=XXXXXXXX
/ip ipsec peer
# Passive IKEv2 responder with no fixed remote address: any source can start an
# IKE exchange (UDP 500/4500 are accepted in the IPv4 input chain below).
# Authentication is by certificate (see /ip ipsec identity). The IKE proposal
# / profile is not part of this export, so the algorithms in use are the
# defaults — confirm they meet current expectations.
add exchange-mode=ike2 name=ike2-peer passive=yes
/ip pool
# default-dhcp serves the LAN; ikev2-pool hands out addresses to VPN clients.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=ikev2-pool ranges=192.168.66.10-192.168.66.20
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=3d \
name=defconf
/ip ipsec mode-config
# Each VPN client gets a /32 out of ikev2-pool.
add address-pool=ikev2-pool address-prefix-length=32 name=ike2-config
/interface bridge port
# All four LAN ethernet ports and both radios form one L2 segment.
add bridge=bridge comment=defconf interface=ether2-salon
add bridge=bridge comment=defconf interface=ether3-nas
add bridge=bridge comment=defconf interface=ether4-pcdespacho
add bridge=bridge comment=defconf interface=ether5-portatil
add bridge=bridge comment=defconf interface=wlan1-2G
add bridge=bridge comment=defconf interface=wlan2-5G
/ip neighbor discovery-settings
# Neighbor discovery only towards the LAN, never out of the WAN.
set discover-interface-list=LAN
/interface list member
# Both the physical WAN port and the PPPoE session count as WAN.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
# MikroTik DDNS: the router registers its public IP under a *.sn.mynetname.net
# name, which the public-ip address list below resolves.
set ddns-enabled=yes
/ip dhcp-client
# NOTE(review): defconf leftover — a DHCP client on the untagged WAN port next
# to the PPPoE client. If the upstream device ever answers DHCP here, a second
# default route appears beside the PPPoE one. Disable it, or set
# add-default-route=no, if it is not needed — confirm.
add comment=defconf disabled=no interface=ether1-wan
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router resolves for LAN clients (allow-remote-requests=yes). It is kept
# off the internet only by the IPv4 input rule "drop all not coming from LAN"
# and the IPv6 input rule "Drop external" — keep those when editing the filter.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,2620:119:35::35
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Resolves the DDNS name to the current public IP; used as the dst-nat match
# below so the port forward survives public-address changes.
add address=XXXXXXXXXXXX.sn.mynetname.net list=public-ip
/ip firewall filter
# IPv4 filter. Input accepts established/related, ICMP, IKE/NAT-T (UDP
# 500/4500) and decrypted VPN traffic from 192.168.66.0/24; everything else not
# arriving from LAN is dropped.
# NOTE(review): in the forward chain "defconf: fasttrack" runs before the two
# ipsec-policy accept rules. Fasttracked packets skip the rest of the firewall,
# and MikroTik's current default configuration places the "accept in/out ipsec
# policy" rules above fasttrack for that reason. If VPN<->LAN traffic misbehaves,
# moving those two rules above the fasttrack rule is the fix to try — confirm
# against the RouterOS version in use.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# IKE and NAT-T for the IKEv2 responder; no in-interface restriction, which is
# fine here since LAN traffic is accepted by the later "!LAN" drop anyway.
add action=accept chain=input comment="Allow IPSec" dst-port=500,4500 \
protocol=udp
# Decrypted traffic from VPN clients to the router itself (e.g. winbox, DNS).
add action=accept chain=input comment="accept vpn encrypted input traffic" \
ipsec-policy=in,ipsec src-address=192.168.66.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Unsolicited WAN traffic reaches the LAN only through a dst-nat rule.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Hairpin NAT so LAN hosts can use the public name/port forward for the NAS.
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=\
192.168.88.0/24 src-address=192.168.88.0/24
# ipsec-policy=out,none keeps VPN-bound traffic from being masqueraded.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this forwards TCP 5000/5001 (rule named NAS-Admin) from any
# source on the internet to 192.168.88.247; the forward chain lets DST-NATed
# WAN traffic through. The IKEv2 VPN already gives 192.168.66.0/24 access to
# the LAN ("accept in ipsec policy"), so consider reaching the NAS admin UI
# over the VPN and removing this rule, or at least restricting it with
# src-address-list — confirm what remote access is actually needed.
add action=dst-nat chain=dstnat comment=NAS-Admin dst-address-list=public-ip \
dst-port=5000,5001 protocol=tcp to-addresses=192.168.88.247
# VPN clients are masqueraded towards the LAN. The comment says "ovpn" but
# 192.168.66.0/24 is the IKEv2 pool above — presumably a leftover name.
add action=masquerade chain=srcnat comment=masquerade-ovpn src-address=\
192.168.66.0/24
/ip ipsec identity
# Two certificate-authenticated IKEv2 client identities (PC, Android), both
# using the vpn-server certificate and a per-client remote certificate;
# policies are generated per client on connect (generate-policy=port-strict).
add auth-method=digital-signature certificate=vpn-server comment=PC \
generate-policy=port-strict match-by=certificate mode-config=ike2-config \
peer=ike2-peer remote-certificate=vpn-client
add auth-method=digital-signature certificate=vpn-server comment=Android \
generate-policy=port-strict match-by=certificate mode-config=ike2-config \
peer=ike2-peer remote-certificate=vpn-client-android
/ip service
# Management surface: only winbox stays enabled, limited to the LAN and VPN
# ranges. www-ssl is not shown in this export — confirm its state.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.66.0/24
set api-ssl disabled=yes
/ipv6 address
# ::1 of the delegated prefix on the bridge (also re-created by the dhcp-client
# script below).
add address=::1 from-pool=pool6 interface=bridge
/ipv6 dhcp-client
# Prefix delegation over PPPoE. The script waits 5 s, removes the advertised
# bridge address and re-adds it from pool6 — presumably so the LAN always
# advertises the currently delegated prefix after a (re)lease.
add add-default-route=yes interface=pppoe-out1 pool-name=pool6 request=prefix \
script=":delay 5s;\r\
\n/ipv6 address remove [find advertise=yes] \r\
\n/ipv6 address add interface=bridge address=::1/64 from-pool=pool6 advert\
ise=yes"
/ipv6 firewall filter
# IPv6 filter keyed on the PPPoE interface. Input: established/related, DHCPv6
# replies (src-port 547) and ICMPv6 from the WAN are accepted under a rate
# limit, internal ICMPv6 is accepted, anything else from the WAN is dropped and
# the remainder rejected. Note that no input rule accepts non-ICMP traffic from
# the LAN side, so new IPv6 connections from LAN hosts to the router itself
# (e.g. DNS, winbox) hit "Reject everything else" — confirm this is intended.
add action=drop chain=input comment="Drop (invalid)" connection-state=invalid
add action=accept chain=input comment="Accept (established, related)" \
connection-state=established,related
add action=accept chain=input comment="Accept DHCP (10/sec)" in-interface=\
pppoe-out1 limit=10,20:packet protocol=udp src-port=547
add action=drop chain=input comment="Drop DHCP (>10/sec)" in-interface=\
pppoe-out1 protocol=udp src-port=547
add action=accept chain=input comment="Accept external ICMP (10/sec)" \
in-interface=pppoe-out1 limit=10,20:packet protocol=icmpv6
add action=drop chain=input comment="Drop external ICMP (>10/sec)" \
in-interface=pppoe-out1 protocol=icmpv6
add action=accept chain=input comment="Accept internal ICMP" in-interface=\
!pppoe-out1 protocol=icmpv6
add action=drop chain=input comment="Drop external" in-interface=pppoe-out1
add action=reject chain=input comment="Reject everything else"
add action=accept chain=output comment="Accept all"
# Forward: established/related, rate-limited external ICMPv6, anything from a
# non-WAN interface and anything leaving via PPPoE are accepted; unsolicited
# inbound from the WAN is dropped. There is no IPv6 counterpart of the IPv4
# NAS port forward, so the NAS is not reachable from the internet over IPv6.
add action=drop chain=forward comment="Drop (invalid)" connection-state=\
invalid
add action=accept chain=forward comment="Accept (established, related)" \
connection-state=established,related
add action=accept chain=forward comment="Accept external ICMP (20/sec)" \
in-interface=pppoe-out1 limit=20,50:packet protocol=icmpv6
add action=drop chain=forward comment="Drop external ICMP (>20/sec)" \
in-interface=pppoe-out1 protocol=icmpv6
add action=accept chain=forward comment="Accept internal" in-interface=\
!pppoe-out1
add action=accept chain=forward comment="Accept outgoing" out-interface=\
pppoe-out1
add action=drop chain=forward comment="Drop external" in-interface=pppoe-out1
add action=reject chain=forward comment="Reject everything else"
/ipv6 nd
# Router advertisements only on the bridge; the default ND entry is disabled.
set [ find default=yes ] disabled=yes
add interface=bridge
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Madrid
/system ntp client
# Two fixed NTP servers. Accurate time matters here because the IKEv2
# identities authenticate by certificate, and validity checks depend on it.
set enabled=yes primary-ntp=150.214.94.5 secondary-ntp=176.119.210.243
/system routerboard settings
# RouterBOARD firmware follows RouterOS upgrades automatically.
set auto-upgrade=yes
/tool mac-server
# MAC-telnet and MAC-winbox are only reachable from LAN interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN