


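# 2024-04-07 10:24:21 by RouterOS 7.14.2
# software id = XQIW-3XIL
#
# model = RB5009UPr+S+
# serial number = HFxxxxxxxxxxxx
#
# Layout as configured below: ether1 carries the ISP VLAN 100
# (Fibre_ByTel_vl100), ether2..ether8 are members of LAN-bridge
# (192.168.1.0/24). Firewall chains are evaluated top to bottom and the first
# matching rule wins, so the position of every `add` in a filter/nat section
# is part of the policy.
/interface bridge
add name=LAN-bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=D0:57:XX:XX:XX:XX name=\
    "ether1 - ONT (ISP)" poe-out=off
set [ find default-name=ether2 ] name=ether2-LAN
/interface vlan
add interface="ether1 - ONT (ISP)" name=Fibre_ByTel_vl100 vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
# DHCP option 60 (vendor class identifier) sent to the ISP; the value is the
# hex-encoded string the ISP expects. Referenced by /ip dhcp-client below.
add code=60 name=vendorid value=0x42594754454c494144
/ip pool
add name=dhcp_pool_lan ranges=192.168.1.10-192.168.1.250
/ip dhcp-server
add address-pool=dhcp_pool_lan interface=LAN-bridge name=dhcp_lan
/interface bridge port
add bridge=LAN-bridge interface=ether2-LAN
add bridge=LAN-bridge interface=ether3
add bridge=LAN-bridge interface=ether4
add bridge=LAN-bridge interface=ether5
add bridge=LAN-bridge interface=ether6
add bridge=LAN-bridge interface=ether7
add bridge=LAN-bridge interface=ether8
/ip address
add address=192.168.1.1/24 comment=LAN_USR interface=LAN-bridge network=\
    192.168.1.0
/ip dhcp-client
# WAN address is obtained over the ISP VLAN, sending the vendorid option above.
add dhcp-options=vendorid interface=Fibre_ByTel_vl100
/ip dhcp-server lease
# Fixed lease for the host that receives the VOD dst-nat (192.168.1.20 below).
add address=192.168.1.20 mac-address=D0:05:XX:XX:XX:X server=dhcp_lan
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=domain.home gateway=\
    192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for the LAN (handed out
# as dns-server above). On IPv4 it is shielded from the Internet by the
# "Deny All / Drop -- INPUT" rule; on IPv6 only the /ipv6 firewall filter
# section further down protects it.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# not_in_internet: reserved / non-routable ranges that must never be the
# source of a packet arriving from the ISP. Used by the anti-spoofing drop in
# the input chain.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# VODReplay / TV: ISP source ranges for the video-on-demand and IPTV flows
# accepted in the filter and nat sections below.
add address=212.195.48.0/24 list=VODReplay
add address=212.195.244.0/24 list=VODReplay
add address=62.34.201.0/24 list=VODReplay
add address=194.158.119.0/24 list=VODReplay
add address=195.36.152.0/24 list=VODReplay
# MyNetworks: sources treated as trusted by the input and forward chains.
# Only 192.168.1.0/24 has an interface in this export; the other two entries
# presumably belong to segments configured elsewhere -- verify they are still
# needed, since anything matching this list bypasses the input drop.
add address=192.168.0.0/24 list=MyNetworks
add address=192.168.1.0/24 list=MyNetworks
add address=192.168.254.0/30 list=MyNetworks
add address=193.251.97.0/24 list=TV
add address=89.86.97.0/24 list=TV
add address=176.165.8.0/24 list=TV
add address=89.86.96.0/24 list=TV
/ip firewall filter
# Abuse detection. These two rules are not bound to an interface, so a LAN host
# that scans or floods the router is listed and tarpitted like an external one.
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=1d chain=input comment="Add Syn Flood IP to the list" \
    connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\
    tcp psd=21,3s,3,1
add action=tarpit chain=input comment="Drop to syn flood list" protocol=tcp \
    src-address-list=Syn_Flooder
add action=tarpit chain=input comment="Drop to port scan list" protocol=tcp \
    src-address-list=Port_Scanner
# Anti-spoofing. The final input drop keys on src-address-list=!MyNetworks and
# not on the ingress interface, so a packet arriving on the ISP VLAN with a
# forged 192.168.x.x source would otherwise reach router services. Drop any
# reserved-range source on the ISP interface before the accept rules.
add action=drop chain=input comment="--- Drop reserved/spoofed sources from ISP" \
    in-interface=Fibre_ByTel_vl100 src-address-list=not_in_internet
add action=accept chain=input comment="--- Accept Established / Related" \
    connection-state=established,related in-interface=Fibre_ByTel_vl100
add action=accept chain=input comment="--- Accept IGMP for IPTV Multicast" \
    in-interface=Fibre_ByTel_vl100 protocol=igmp
add action=accept chain=input comment="--- Accept IP Flow for IGMP Proxy" \
    dst-port=8202,8200 in-interface=Fibre_ByTel_vl100 protocol=udp \
    src-address-list=TV
# Everything not from MyNetworks is dropped here; MyNetworks sources fall
# through to the chain's default accept (there is no later input rule).
add action=drop chain=input comment="--- Deny All / Drop -- INPUT" \
    src-address-list=!MyNetworks
add action=fasttrack-connection chain=forward comment=\
    "--- FastTrack Forwarding Established / Related" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="--- Accept Established / Related" \
    connection-state=established,related
add action=accept chain=forward comment="--- Accept IP Flow for IGMP Proxy" \
    dst-port=8200,8202 protocol=udp src-address-list=TV
# VOD return traffic (UDP 20000-30000) is dst-nat'ed to 192.168.1.20 in the
# nat section; this rule lets the translated flow through the forward chain.
add action=accept chain=forward comment="--- Accept IP flow for VOD" dst-port=\
    20000-30000 in-interface=Fibre_ByTel_vl100 protocol=udp src-address-list=\
    VODReplay
add action=accept chain=forward comment=\
    "--- Accept Outgoing Client/DMZ Traffic Out to Internet" out-interface=\
    Fibre_ByTel_vl100 src-address-list=MyNetworks
add action=drop chain=forward comment="--- Deny All / Drop -- FORWARD"
/ip firewall nat
# The first masquerade rule is fully covered by the second (192.168.1.0/24 is
# an entry of MyNetworks); kept as-is, harmless.
add action=masquerade chain=srcnat out-interface=Fibre_ByTel_vl100 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=Fibre_ByTel_vl100 \
    src-address-list=MyNetworks
add action=dst-nat chain=dstnat dst-port=20000-30000 in-interface=\
    Fibre_ByTel_vl100 protocol=udp src-address-list=VODReplay to-addresses=\
    192.168.1.20
/ipv6 address
# NOTE(review): ether2-LAN is a member port of LAN-bridge (see /interface
# bridge port); an address on a bridge member port is normally not usable --
# confirm whether this should be interface=LAN-bridge.
add address=::254 from-pool=Pool_Bbox-V6 interface=ether2-LAN
/ipv6 dhcp-client
# Prefix delegation only (request=prefix); the /60 lands in Pool_Bbox-V6.
add interface=Fibre_ByTel_vl100 pool-name=Pool_Bbox-V6 pool-prefix-length=60 \
    request=prefix
/ipv6 firewall filter
# The original export had no IPv6 filter while a globally routable /60 is
# delegated to the LAN, so (if the ISP routes that prefix) every LAN host and
# the router's own ::254 address, DNS resolver included, would be reachable
# from the Internet over IPv6 with no IPv4-style drop in the way. Minimal
# stateful policy mirroring the IPv4 one: LAN side is unrestricted, ISP side
# only gets reply traffic, ICMPv6 (needed for neighbour discovery and PMTUD)
# and the DHCPv6 exchange that feeds the prefix delegation above.
add action=accept chain=input comment="--- Accept Established / Related" \
    connection-state=established,related
add action=accept chain=input comment="--- Accept ICMPv6 (ND / PMTUD)" \
    protocol=icmpv6
add action=accept chain=input comment="--- Accept DHCPv6 (PD) from ISP" \
    dst-port=546 in-interface=Fibre_ByTel_vl100 protocol=udp src-port=547
add action=drop chain=input comment="--- Deny All / Drop -- INPUT (from ISP)" \
    in-interface=Fibre_ByTel_vl100
add action=accept chain=forward comment="--- Accept Established / Related" \
    connection-state=established,related
add action=accept chain=forward comment="--- Accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="--- Deny All / Drop -- FORWARD (from ISP)" \
    in-interface=Fibre_ByTel_vl100
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no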
