Mikrotik RB5009 Default Configuration
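# RouterOS `export` of an RB5009 default ("defconf") configuration, captured
# from the CLI prompt shown below. Gutter residue from the web rendering has
# been stripped; the RouterOS statements themselves are unchanged.
# [admin@MikroTik] > export
/disk
set usb1 media-interface=none media-sharing=no
/interface bridge
add admin-mac=48:A9:8A:BD:AB:D5 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/disk settings
# Auto-detected media is shared, including over SMB, with the bridge as the
# media interface. NOTE(review): confirm an SMB share is wanted on this
# router; otherwise set auto-media-sharing=no auto-smb-sharing=no.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# ether2-ether8 and the SFP+ port are all LAN bridge members; ether1 is the
# only WAN port (see /interface list member).
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/LLDP) is restricted to the LAN list, so the router
# does not announce itself towards the WAN.
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
# WAN address is obtained by DHCP on ether1.
add comment=defconf interface=ether1
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# The router answers DNS for clients. Nothing here limits that to the LAN;
# the IPv4 input-chain rule "drop all not coming from LAN" below is what keeps
# the resolver from being reachable on the WAN - keep that rule in place.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Input chain: there is no final accept rule, so LAN traffic that matches
# none of these falls through to the chain default.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: IPsec-policy traffic is accepted before fasttrack so it is
# not fast-pathed around the policy; new connections from WAN are only
# allowed when a dst-nat rule exists for them.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
# IPsec-policy traffic is excluded from masquerade (ipsec-policy=out,none).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
# Bogon / reserved IPv6 ranges; used by the forward-chain src/dst drops below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# IPv6 input chain mirrors the IPv4 one, plus the ICMPv6, traceroute,
# DHCPv6-client (link-local source only) and IKE/IPsec exceptions.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
# Hop-limit 1 ICMPv6 is dropped before the general ICMPv6 accept (RFC 4890).
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system note
set show-at-login=no
/system routerboard settings
# RouterBOARD firmware auto-upgrade is on. NOTE(review): check that this
# matches your change-management policy for the device.
set auto-upgrade=yes
/tool mac-server
# MAC-telnet and MAC-Winbox access are limited to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# NOTE(review): this export shows no /ip service, /user or /system identity
# sections, so management-service exposure and the admin credentials are not
# visible here - confirm them separately on the device.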