Hello @GNUBYTE,
j'ai un CCR2004-1G-12S+2XS.
voici ma conf
[admin@MikroTik] > export
# 2023-11-13 17:44:27 by RouterOS 7.12
# software id = RRWR-IYNF
#
# model = CCR2004-1G-12S+2XS
#
# Review notes are the '#' lines below; every configuration line is unchanged.
# Layout as far as this export shows: ether10-WAN carries the ISP ONT (VLAN 832 =
# Internet, VLAN 840 = TV multicast), ether12-LAN is the local network, ether7-TV the
# TV decoder, ether8-LB the ISP box, wireguard1 a remote-access tunnel.
/interface bridge
# br-wan has a single member, vlan832-internet (see /interface bridge port); it is the
# WAN-facing interface used by the DHCP client, the NAT rules and the raw blacklist rule.
add admin-mac=8C:C5:B4:11:22:CC auto-mac=no name=br-wan
/interface ethernet
set [ find default-name=sfp-sfpplus7 ] comment="Routeur TV local" name=ether7-TV
set [ find default-name=sfp-sfpplus8 ] comment=Livebox name=ether8-LB
# Auto-negotiation is forced off and speed pinned for the 2.5G copper SFP toward the ONT.
set [ find default-name=sfp-sfpplus10 ] auto-negotiation=no comment=WAN-ONU-2500GBaseX name=ether10-WAN speed=\
2.5G-baseT
set [ find default-name=sfp-sfpplus12 ] comment=LAN name=ether12-LAN
# Unused SFP/SFP28 ports are administratively disabled (good hygiene: nothing can be
# plugged in and obtain connectivity unnoticed).
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp28-1 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
/interface wireguard
# UDP 13231 is accepted from any source by the "allow wireguard" filter rule below.
# No '/interface wireguard peers' section appears in this export (presumably trimmed
# with the IPv6 part) — confirm each peer's allowed-address is limited to its tunnel IP.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether12-LAN name=vlan10 vlan-id=10
add disabled=yes interface=ether12-LAN name=vlan300 vlan-id=300
# ISP-side VLANs on the ONT port; loop-protect timers are tightened on both.
add comment="Internet ONT" interface=ether10-WAN loop-protect-disable-time=0s loop-protect-send-interval=1s \
name=vlan832-internet vlan-id=832
add comment=Tv-Stream interface=ether10-WAN loop-protect-disable-time=0s loop-protect-send-interval=1s name=\
vlan840-TV-Stream vlan-id=840
/interface list
# NOTE(review): these three lists are declared but no '/interface list member' section
# is present in this export, so as shown here they are empty. The filter rules below use
# in-interface=... directly, so nothing depends on them yet — but any future rule written
# with in-interface-list=WAN would match nothing until members are added.
add name=WAN
add name=LAN
add name=orange_tv
/interface wireless security-profiles
# Default profile left at its factory identity; this model has no wireless interface.
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
# ISP-specific DHCPv4 options sent on the WAN lease (vendor class, user class, option 90).
add code=60 name=vendor-class-identifier value=0x736167656d
add code=77 name=userclass value=\
0x2b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e4c697665626f7833
# Option 90 is the DHCP authentication string, i.e. a per-subscriber credential; "toto"
# appears to be a placeholder for the shared export — confirm.
add code=90 name=authsend value="toto"
/ip dhcp-server option
# Options handed to the TV decoder / phone side (SIP server, search domain, vendor blob).
add code=120 name=SIP value=\
0x00067362637433670350555406616363657373116f72616e67652d6d756c74696d65646961036e657400
add code=119 name="domain search" value="'CLE.access.orange-multimedia.net'"
add code=15 name="domain name" value="'orange.fr'"
add code=125 name="vendor specific" value=\
0x00000de9280412365363356234050f444D32303135363239323931353231012345677665626f78204669627265
add code=6 name=dns value="'80.10.246.134''81.253.149.5'"
add code=90 name="option 90" value=0x0000000000000000000000
/ip dhcp-server option sets
add name=TV options="vendor specific,dns,SIP,option 90"
add name=TEL options="SIP,domain search,domain name,vendor specific,option 90"
/ip pool
add name=pool_lan ranges=10.28.201.10-10.28.201.90
add name=pool-TV ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=pool_lan interface=ether12-LAN lease-time=1w name=LAN
add address-pool=pool-TV interface=ether7-TV name=LAN-TV
/ipv6 dhcp-client option
# IPv6 counterparts of the WAN options above; the IPv6 client itself is not in this
# export (the author says the IPv6 part was removed to fit the post).
add code=16 name=class-identifier value=0x0000040e0005736167656d
add code=11 name=authsend value="toto"
add code=15 name=userclass value=\
0x002b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e6c697665626f78340a
/queue interface
set ether7-TV queue=ethernet-default
set ether8-LB queue=ethernet-default
set ether10-WAN queue=ethernet-default
set ether12-LAN queue=ethernet-default
/interface bridge filter
# Tags the router's own DHCPv4/DHCPv6 frames toward the ISP with CoS 6 (the comments say
# the ISP requires it). Both rules have log=yes, which logs every DHCP packet — fine while
# validating, noisy afterwards.
add action=set-priority chain=output comment="cos 6 vlan832 dhcpv4" dst-port=67 ip-protocol=udp log=yes \
log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 out-interface=vlan832-internet \
passthrough=yes
add action=set-priority chain=output comment="cos 6 vlan832 dhcpv6" log=yes mac-protocol=ipv6 new-priority=6 \
out-interface=vlan832-internet passthrough=yes
/interface bridge port
add bridge=br-wan interface=vlan832-internet
/ip address
add address=10.28.201.244/24 comment=defconf disabled=yes interface=ether1 network=10.28.201.0
# Router LAN address is .243; note the LAN DHCP network below hands out gateway .240,
# so clients presumably default-route through another device — TODO confirm.
add address=10.28.201.243/24 interface=ether12-LAN network=10.28.201.0
add address=192.168.1.15/24 disabled=yes interface=ether10-WAN network=192.168.1.0
add address=192.168.2.1/24 interface=ether7-TV network=192.168.2.0
add address=192.168.255.254 interface=vlan840-TV-Stream network=192.168.255.254
add address=10.13.13.1/24 interface=wireguard1 network=10.13.13.0
/ip dhcp-client
add dhcp-options=hostname,clientid,authsend,userclass,vendor-class-identifier interface=br-wan
/ip dhcp-server lease
/ip dhcp-server network
# LAN clients resolve via 10.28.201.155 — the same host that receives the dst-nat'ed
# 80/443/993/587/25 from the Internet below.
add address=10.28.201.0/24 dns-server=10.28.201.155 gateway=10.28.201.240 netmask=24
add address=192.168.2.0/24 dns-server=80.10.246.134,81.253.149.5,80.10.246.130,81.253.149.1 gateway=192.168.2.1 \
netmask=24
/ip dns
# allow-remote-requests is not set here (so presumably at its default, off). If it is ever
# enabled, the "Accept DNS" input rules below carry no in-interface restriction and the
# router would answer DNS from the Internet — confirm it stays off or restrict those rules.
set servers=8.8.8.8
/ip firewall address-list
# 'support' = management subnets granted full input access further down.
add address=10.28.201.0/24 list=support
# NOTE(review): loopback space is 127.0.0.0/8 (RFC 3330/5735); /16 covers only
# 127.0.0.0-127.0.255.255 — confirm intent.
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
# The RFC 1918 entries are disabled, which is required: this list is matched as
# dst-address-list in forward ("Drop to bogon list") and the LAN/TV networks are RFC 1918.
# The list is never matched on src-address, so it does not filter spoofed sources from WAN.
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes list=bogons
add address=10.28.209.0/24 list=support
# NOTE(review): the 'blacklist' list referenced by /ip firewall raw is not defined anywhere
# in this export; unless it is filled dynamically elsewhere, that raw rule matches nothing.
/ip firewall filter
# Rules are evaluated top-down per chain; order is significant.
# The syn-flood and port-scan detectors run BEFORE the 'support' accept, so a management
# host that trips connection-limit=30,32 or psd is dropped for 30m / 1w regardless of the
# support list. Intentional or not, it is a lockout path worth knowing about.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment=\
"Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
# Winbox (8291) from non-support sources; already covered by the final input drop, kept
# as an explicit, early rule. Its own comment warns about adding your subnet to 'support'
# first.
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THI\
S RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=\
!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
# Outbound SMTP abuse detection: >30 connections to 25/587 lists the source for 3h. Because
# 25/587 are also dst-nat'ed to 10.28.201.155 below, this applies to inbound mail clients too.
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet log=yes \
protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 log=yes protocol=tcp \
src-address-list=spammers
# NOTE(review): no in-interface or src-address restriction on either DNS accept — they
# admit port 53 to the router from the WAN side as well (see the /ip dns note above).
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
# Management access: anything from 'support' is accepted here, before the SSH staging
# rules, so support hosts are never staged/blacklisted for SSH.
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=accept chain=forward comment="Allow Forward Multicast Orange" dst-address=224.0.0.0/4 dst-port=\
8200,8202 in-interface=vlan840-TV-Stream protocol=udp
add action=accept chain=input comment="Allow Input Multicast Orange" dst-port=8200,8202 in-interface=\
vlan840-TV-Stream protocol=udp
add action=accept chain=input comment="Allow Input IGMP Protocol" in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=forward comment="Allow Forward IGMP Protocol from vlan840" dst-address=224.0.0.0/4 \
in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=forward comment="Allow Forward IGMP Protocol from decodeur" dst-address=224.0.0.0/4 \
in-interface=ether7-TV log=yes protocol=igmp
# SSH brute-force staging: 4 new connections to port 22 within the 1m windows escalate
# stage1 -> stage2 -> stage3 -> ssh_blacklist (1w3d). Applies to every interface.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=\
ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input \
connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=\
ssh_blacklist
add action=accept chain=input comment="allow wireguard" dst-port=13231 protocol=udp
# NOTE(review): matches on src-address only, with no in-interface; a packet carrying a
# 10.13.13.x source arriving on any other interface would also be accepted. Adding
# in-interface=wireguard1 pins it to the tunnel.
add action=accept chain=input comment="Allow wireguard traffic" src-address=10.13.13.0/24
# Terminal input drop (default-deny for the router itself). 
# NOTE(review): the forward chain has no equivalent — nothing below drops forwarded
# traffic by default, and there is no 'drop from WAN not dst-nat'ed' rule. With masquerade
# the ISP cannot route to 10.28.201.0/24 directly, but the RouterOS default-config rule
# `add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=br-wan`
# (plus `connection-state=invalid` drops) would make forwarding explicit rather than
# relying on NAT alone.
add action=drop chain=input comment="BLOQUE TOUTES LES CONNEXIONS ENTRANTES (exception avant)"
# ICMP sub-chain shared by input, forward and output. Echo requests are rate-limited;
# unreachable codes other than 0, 1 and 4 (PMTUD) are dropped, which includes port
# unreachable (3:3) for forwarded UDP — may affect traceroute-style diagnostics.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet \
protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
/ip firewall mangle
# Locally generated IGMP toward the TV VLAN gets CoS 5, then DSCP 40 (log=yes on the first
# rule logs every IGMP report).
add action=set-priority chain=output comment=\
"Les trames des messages IGMP doivent etre emises vers l'upstream avec CoS 5 pour etre prises en compte." \
log=yes new-priority=5 out-interface=vlan840-TV-Stream passthrough=yes src-address-type=local
add action=change-dscp chain=output comment="Set dscp to 40 for packets with priority 5sent to Orange" \
new-dscp=40 out-interface=vlan840-TV-Stream passthrough=no priority=5
/ip firewall nat
# to-addresses=0.0.0.0 looks like a leftover; masquerade uses the out-interface address
# regardless — presumably harmless, confirm.
add action=masquerade chain=srcnat out-interface=br-wan to-addresses=0.0.0.0
# Internet-exposed services: HTTP/HTTPS/IMAPS/submission/SMTP to 10.28.201.155 and
# 32400 to 10.28.201.108. With the forward chain open by default (see note above), the
# exposure of these hosts is exactly these ports; nothing further limits sources.
add action=dst-nat chain=dstnat dst-port=80 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
to-ports=443
add action=dst-nat chain=dstnat dst-port=993 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
to-ports=993
add action=dst-nat chain=dstnat dst-port=587 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
to-ports=587
add action=dst-nat chain=dstnat dst-port=25 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
to-ports=25
add action=dst-nat chain=dstnat dst-port=32400 in-interface=br-wan protocol=tcp to-addresses=10.28.201.108 \
to-ports=32400
/ip firewall raw
# See the address-list note: 'blacklist' is undefined in this export.
add action=drop chain=prerouting in-interface=br-wan src-address-list=blacklist
# NOTE(review): no raw rule follows these accepts, so they pre-empt nothing and the
# packets continue through normal processing either way. If the intent was to keep the
# multicast/IGMP flows out of connection tracking, that is action=notrack, not accept.
add action=accept chain=prerouting dst-address=224.0.0.0/4 dst-port=8200,8202 in-interface=vlan840-TV-Stream \
protocol=udp
add action=accept chain=prerouting dst-address=224.0.0.0/4 in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=prerouting in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=prerouting in-interface=ether7-TV protocol=igmp
/ip route
# Second LAN subnet reached via 10.28.201.240 (the same gateway the LAN DHCP advertises).
add disabled=no distance=1 dst-address=10.28.209.0/24 gateway=10.28.201.240 pref-src="" routing-table=main \
scope=10 suppress-hw-offload=no target-scope=10
/ip service
# Only telnet and ftp are explicitly disabled; the remaining services (www, api, ssh,
# winbox, ...) are not listed and so are presumably at their defaults. They are reachable
# only via the 'support' list / established flows thanks to the input drop; setting
# address= on each remaining service would add a second, rule-order-independent guard.
set telnet disabled=yes
set ftp disabled=yes
/routing igmp-proxy
set query-interval=1m quick-leave=yes
/routing igmp-proxy interface
add interface=ether7-TV
# Upstream on the TV VLAN; alternative-subnets admits multicast sourced from four /8s.
add alternative-subnets=193.0.0.0/8,81.0.0.0/8,172.0.0.0/8,80.0.0.0/8 interface=vlan840-TV-Stream upstream=yes
/system clock
set time-zone-name=Europe/Paris
/system logging
# The 'debug' topic is very verbose; presumably temporary while tuning the TV setup.
add topics=e-mail
add topics=debug
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
# Bandwidth-test server disabled — avoids an amplification/CPU-burn surface.
set authenticate=no enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool sniffer
# vlan840-TV-Stream is listed twice; harmless duplicate.
set filter-interface=vlan840-TV-Stream,vlan840-TV-Stream filter-ip-protocol=igmp
[admin@MikroTik] >
j'ai dû supprimer une partie de la conf IPv6 (je ne m'en sers pas encore), ça dépassait les 2000 caractères