Czy ktoś z osób znających się na konfiguracji Mikrotika może mi zerknąć na mój konfig zobaczyć czy jest ok?
Robiłem porządki (miałem pomieszane różne bridge i vlany, zrobiłem teraz wszystko "jak powinno być"
Niestety całkowicie nie czaję reguł firewalla :/
Czy możecie mi to obejrzeć i zaproponować jakieś rozwiązanie?
Zależmy mi, żeby było zabezpieczenie brutalforce (jak ktoś próbuje się logować do routera złym hasłem np ponad 5 razy to go blokuje na jakiś czas), oraz żeby aktualnie stworzone vlan:
vlan10 - wszystko siebie widzi w tym vlan
vlan20 - tutaj bedę miał serwer (HP T640) z Proxmox, na nim Home Assistant, PiHole, OpenMediaVault
Będę chciał jakoś ogarnąć konfigurację, że niektóre VA mają osobne Vlan.
Dodatkowo, że HA będzie miał kontakt z zewnątrz (powiadomienia i sterowanie), ale sam panel administracyjny już będzie ograniczony do LAN/VPN.
vlan30 - tylko dostęp do internetu
vlan40 - tylko dostęp do internetu i do konkretnej VA na serwerze (np Home Assistant)
Jak to ogarnąć?
Aktualna konfiguracja już na VLAN:
Dodano po 2 [godziny] 36 [minuty]:
Trochę podłubałem i mam coś takiego aktualnie:
Robiłem porządki (miałem pomieszane różne bridge i vlany, zrobiłem teraz wszystko "jak powinno być"
Niestety całkowicie nie czaję reguł firewalla :/
Czy możecie mi to obejrzeć i zaproponować jakieś rozwiązanie?
Zależmy mi, żeby było zabezpieczenie brutalforce (jak ktoś próbuje się logować do routera złym hasłem np ponad 5 razy to go blokuje na jakiś czas), oraz żeby aktualnie stworzone vlan:
vlan10 - wszystko siebie widzi w tym vlan
vlan20 - tutaj bedę miał serwer (HP T640) z Proxmox, na nim Home Assistant, PiHole, OpenMediaVault
Będę chciał jakoś ogarnąć konfigurację, że niektóre VA mają osobne Vlan.
Dodatkowo, że HA będzie miał kontakt z zewnątrz (powiadomienia i sterowanie), ale sam panel administracyjny już będzie ograniczony do LAN/VPN.
vlan30 - tylko dostęp do internetu
vlan40 - tylko dostęp do internetu i do konkretnej VA na serwerze (np Home Assistant)
Jak to ogarnąć?
Aktualna konfiguracja już na VLAN:
# 2025-12-31 22:15:41 by RouterOS 7.20.6
# software id = ZPLJ-X62M
#
# model = RBD52G-5HacD2HnD
# serial number = XXX
/interface bridge
add admin-mac=74:4D:28:9D:36:CB auto-mac=no comment=defconf name=bridge \
port-cost-mode=short vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=poland \
default-authentication=no disabled=no frequency=auto mode=ap-bridge name=\
wlan1-priv2G ssid=Dom station-roaming=enabled wireless-protocol=802.11 \
wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=poland default-authentication=no disabled=no \
frequency=5200 installation=indoor mode=ap-bridge name=wlan2-priv5G ssid=\
Dom-5G station-roaming=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] comment="Server HP T640"
set [ find default-name=ether3 ] comment="Mac Mini M1"
set [ find default-name=ether4 ] comment="Fire TV Stick 4K MAX"
set [ find default-name=ether5 ] comment=Guest-LAN-Strong
/interface vlan
add interface=bridge name=vlan10-home vlan-id=10
add interface=bridge name=vlan20-srv vlan-id=20
add interface=bridge name=vlan30-guest vlan-id=30
add interface=bridge name=vlan40-iot vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
eap-methods="" management-protection=allowed mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile-gosc \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile-IoT \
supplicant-identity=""
/interface wireless
add default-forwarding=no keepalive-frames=disabled mac-address=\
76:4D:28:9D:36:D1 master-interface=wlan1-priv2G multicast-buffering=\
disabled name=wlan-goscie2Ghz security-profile=profile-gosc ssid=\
Dom-Goscie-2G wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add default-forwarding=no keepalive-frames=disabled mac-address=\
76:4D:28:9D:36:D0 master-interface=wlan2-priv5G multicast-buffering=\
disabled name=wlan-goscie5Ghz security-profile=profile-gosc ssid=\
Dom-gosc-5G station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
add mac-address=76:4D:28:9D:36:CF master-interface=wlan1-priv2G name=wlan-iot \
security-profile=profile-IoT ssid=Dom-IoT wps-mode=disabled
/ip pool
add name=dhcp_pool4 ranges=192.168.10.100-192.168.10.200
add name=dhcp_pool5 ranges=192.168.20.100-192.168.20.200
add name=dhcp_pool6 ranges=192.168.30.100-192.168.30.254
add name=dhcp_pool7 ranges=192.168.40.100-192.168.40.254
/ip dhcp-server
add address-pool=dhcp_pool4 interface=vlan10-home lease-time=3d name=\
DHCP-Home
add address-pool=dhcp_pool5 interface=vlan20-srv lease-time=3d name=DHCP-Serv
add address-pool=dhcp_pool6 interface=vlan30-guest lease-time=1d name=\
HDCP-GuestV
add address-pool=dhcp_pool7 interface=vlan40-iot lease-time=1d name=DHCP-IoT
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10 pvid=20
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
path-cost=10 pvid=30
add bridge=bridge comment=defconf interface=wlan1-priv2G internal-path-cost=\
10 path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=wlan2-priv5G internal-path-cost=\
10 path-cost=10 pvid=10
add bridge=bridge interface=wlan-goscie5Ghz internal-path-cost=10 path-cost=\
10 pvid=30
add bridge=bridge interface=wlan-goscie2Ghz internal-path-cost=10 path-cost=\
10 pvid=30
add bridge=bridge interface=wlan-iot pvid=40
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\
ether3,ether4,wlan1-priv2G,wlan2-priv5G vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=\
ether5,wlan-goscie2Ghz,wlan-goscie5Ghz vlan-ids=30
add bridge=bridge tagged=bridge untagged=wlan-iot vlan-ids=40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=bridge list=TRUSTED
add interface=vlan10-home list=LAN
add interface=vlan20-srv list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan40-iot list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:DB:A2:A4:2D:E4 name=ovpn-server1
/interface wireless access-list
add interface=wlan2-priv5G mac-address=20:DF:B9:AA:89:B2
add interface=wlan2-priv5G mac-address=00:05:CD:BA:B9:E6
add interface=wlan2-priv5G mac-address=4C:63:71:1C:54:B3
add mac-address=4C:63:71:1C:54:B3
add comment="Fitbit Versa 2" forwarding=no interface=wlan1-priv2G \
mac-address=F0:51:EA:30:A7:3D
add comment="Poco X6 PRO" mac-address=B4:05:A1:D0:8F:14 vlan-id=10
add mac-address=74:4D:28:9D:36:CD
add mac-address=F0:A7:31:D5:89:0E
add disabled=yes forwarding=no mac-address=A8:CA:77:C0:95:22
add comment="Gamepad Amazon LUNA" interface=wlan2-priv5G mac-address=\
94:3A:91:53:49:0F
add comment="Samsung HW-Q930F" mac-address=28:07:08:F4:D6:50
add comment="Tapo C225" interface=wlan1-priv2G mac-address=98:03:8E:19:25:D4
/ip address
add address=192.168.10.1/24 interface=vlan10-home network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-srv network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30-guest network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40-iot network=192.168.40.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server
add address-pool=*1 disabled=yes interface=bridge lease-time=2d name=defconf
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2 use-doh-server=\
https://security.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=9.9.9.9 disabled=yes name=dns.quad9.net type=A
add address=149.112.112.112 disabled=yes name=dns.quad9.net type=A
add address=194.242.2.2 disabled=yes name="Mullvad DNS" type=A
add address=1.1.1.1 disabled=yes name="Cloudflare standard" type=A
add address=1.1.1.2 name="Cludflare DNS Malware" type=A
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=reject chain=forward comment=\
"Odrzucaj komunikacje w podsieciach klienckich" in-interface-list=LAN \
out-interface-list=!WAN reject-with=icmp-net-prohibited
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="Brute Force Protection" \
connection-state=new dst-port=8291 protocol=tcp src-address-list=\
ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www address=192.168.10.0/24
set winbox address=192.168.10.0/24
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Warsaw
/system ntp client
set enabled=yes
/system ntp client servers
add address=153.19.250.123
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
Dodano po 2 [godziny] 36 [minuty]:
Trochę podłubałem i mam coś takiego aktualnie:
# 2026-01-01 01:11:23 by RouterOS 7.20.6
# software id = ZPLJ-X62M
#
# model = RBD52G-5HacD2HnD
# serial number = zzz
/interface bridge
add admin-mac=74:4D:28:9D:36:CB auto-mac=no comment=defconf name=bridge \
port-cost-mode=short vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=poland \
default-authentication=no disabled=no frequency=auto mode=ap-bridge name=\
wlan1-priv2G ssid=Dom station-roaming=enabled wireless-protocol=802.11 \
wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=poland default-authentication=no disabled=no \
frequency=5200 installation=indoor mode=ap-bridge name=wlan2-priv5G ssid=\
Dom-5G station-roaming=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] comment="Server HP T640"
set [ find default-name=ether3 ] comment="Mac Mini M1"
set [ find default-name=ether4 ] comment="Fire TV Stick 4K MAX"
set [ find default-name=ether5 ] comment=Guest-LAN-Strong
/interface vlan
add interface=bridge name=vlan10-home vlan-id=10
add interface=bridge name=vlan20-srv vlan-id=20
add interface=bridge name=vlan30-guest vlan-id=30
add interface=bridge name=vlan40-iot vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
eap-methods="" management-protection=allowed mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile-gosc \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile-IoT \
supplicant-identity=""
/interface wireless
add default-forwarding=no keepalive-frames=disabled mac-address=\
76:4D:28:9D:36:D1 master-interface=wlan1-priv2G multicast-buffering=\
disabled name=wlan-goscie2Ghz security-profile=profile-gosc ssid=\
Dom-Goscie-2G wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add default-forwarding=no keepalive-frames=disabled mac-address=\
76:4D:28:9D:36:D0 master-interface=wlan2-priv5G multicast-buffering=\
disabled name=wlan-goscie5Ghz security-profile=profile-gosc ssid=\
Dom-gosc-5G station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
add mac-address=76:4D:28:9D:36:CF master-interface=wlan1-priv2G name=wlan-iot \
security-profile=profile-IoT ssid=Dom-IoT wps-mode=disabled
/ip pool
add name=dhcp_pool4 ranges=192.168.10.100-192.168.10.200
add name=dhcp_pool5 ranges=192.168.20.100-192.168.20.200
add name=dhcp_pool6 ranges=192.168.30.100-192.168.30.254
add name=dhcp_pool7 ranges=192.168.40.100-192.168.40.254
/ip dhcp-server
add address-pool=dhcp_pool4 interface=vlan10-home lease-time=3d name=\
DHCP-Home
add address-pool=dhcp_pool5 interface=vlan20-srv lease-time=3d name=DHCP-Serv
add address-pool=dhcp_pool6 interface=vlan30-guest lease-time=1d name=\
HDCP-GuestV
add address-pool=dhcp_pool7 interface=vlan40-iot lease-time=1d name=DHCP-IoT
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10 pvid=20
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
path-cost=10 pvid=30
add bridge=bridge comment=defconf interface=wlan1-priv2G internal-path-cost=\
10 path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=wlan2-priv5G internal-path-cost=\
10 path-cost=10 pvid=10
add bridge=bridge interface=wlan-goscie5Ghz internal-path-cost=10 path-cost=\
10 pvid=30
add bridge=bridge interface=wlan-goscie2Ghz internal-path-cost=10 path-cost=\
10 pvid=30
add bridge=bridge interface=wlan-iot pvid=40
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\
ether3,ether4,wlan1-priv2G,wlan2-priv5G vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=\
ether5,wlan-goscie2Ghz,wlan-goscie5Ghz vlan-ids=30
add bridge=bridge tagged=bridge untagged=wlan-iot vlan-ids=40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=bridge list=TRUSTED
add interface=vlan10-home list=LAN
add interface=vlan20-srv list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan40-iot list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:DB:A2:A4:2D:E4 name=ovpn-server1
/interface wireless access-list
add interface=wlan2-priv5G mac-address=20:DF:B9:AA:89:B2
add interface=wlan2-priv5G mac-address=00:05:CD:BA:B9:E6
add interface=wlan2-priv5G mac-address=4C:63:71:1C:54:B3
add mac-address=4C:63:71:1C:54:B3
add comment="Fitbit Versa 2" forwarding=no interface=wlan1-priv2G \
mac-address=F0:51:EA:30:A7:3D
add comment="Poco X6 PRO" mac-address=B4:05:A1:D0:8F:14 vlan-id=10
add mac-address=74:4D:28:9D:36:CD
add mac-address=F0:A7:31:D5:89:0E
add disabled=yes forwarding=no mac-address=A8:CA:77:C0:95:22
add comment="Gamepad Amazon LUNA" interface=wlan2-priv5G mac-address=\
94:3A:91:53:49:0F
add comment="Samsung HW-Q930F" mac-address=28:07:08:F4:D6:50
add comment="Tapo C225" interface=wlan1-priv2G mac-address=98:03:8E:19:25:D4
/ip address
add address=192.168.10.1/24 interface=vlan10-home network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-srv network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30-guest network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40-iot network=192.168.40.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server
add address-pool=*1 disabled=yes interface=bridge lease-time=2d name=defconf
/ip dhcp-server lease
add address=192.168.10.101 client-id=1:98:3:8e:19:25:d4 mac-address=\
98:03:8E:19:25:D4 server=DHCP-Home
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2 use-doh-server=\
https://security.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=9.9.9.9 disabled=yes name=dns.quad9.net type=A
add address=149.112.112.112 disabled=yes name=dns.quad9.net type=A
add address=194.242.2.2 disabled=yes name="Mullvad DNS" type=A
add address=1.1.1.1 disabled=yes name="Cloudflare standard" type=A
add address=1.1.1.2 name="Cludflare DNS Malware" type=A
/ip firewall address-list
add list=login_stage1
add list=login_stage2
add list=login_stage3
add list=login_stage4
/ip firewall filter
add action=drop chain=input comment="BF: DROP blacklist" src-address-list=\
login_blacklist
add action=accept chain=input comment="INPUT: established,related" \
connection-state=established,related
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="INPUT: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="INPUT: ICMP" disabled=yes protocol=\
icmp
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment="INPUT: DNS UDP from LAN" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input disabled=yes dst-port=53 in-interface-list=LAN \
protocol=udp
add action=accept chain=input comment="INPUT: DNS TCP from LAN" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="INPUT: WinBox/WWW from HOME" dst-port=\
8291,80,443 in-interface=vlan10-home protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=drop chain=input comment="INPUT: drop WAN" in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=input comment="INPUT: drop rest"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=reject chain=forward comment=\
"Odrzucaj komunikacje w podsieciach klienckich" disabled=yes \
in-interface-list=LAN out-interface-list=!WAN reject-with=\
icmp-net-prohibited
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="Brute Force Protection" \
connection-state=new disabled=yes dst-port=8291 protocol=tcp \
src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=8291 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=8291 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=8291 protocol=tcp
add action=fasttrack-connection chain=forward comment="FORWARD: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="FORWARD: established,related" \
connection-state=established,related
add action=drop chain=forward comment="FORWARD: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="HOME -> ANY" in-interface=\
vlan10-home
add action=accept chain=forward comment="SRV -> HOME" in-interface=vlan20-srv \
out-interface=vlan10-home
add action=accept chain=forward comment="LAN -> WAN" in-interface-list=LAN \
out-interface-list=WAN
add action=drop chain=forward comment="BLOCK external DNS UDP" dst-port=53 \
out-interface-list=WAN protocol=udp
add action=drop chain=forward comment="BLOCK external DNS TCP" dst-port=53 \
out-interface-list=WAN protocol=tcp
add action=drop chain=forward comment="BLOCK GUEST -> LAN" in-interface=\
vlan30-guest out-interface-list=LAN
add action=drop chain=forward comment="BLOCK IoT -> LAN" in-interface=\
vlan40-iot out-interface-list=LAN
add action=drop chain=forward comment="BLOCK inter-VLAN default" \
in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="BLOCK WAN -> LAN" connection-state=new \
in-interface-list=WAN
add action=add-src-to-address-list address-list=login_stage1 \
address-list-timeout=1m chain=input comment="BF stage 1" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp
add action=add-src-to-address-list address-list=login_stage2 \
address-list-timeout=1m chain=input comment="BF stage 2" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp \
src-address-list=login_stage1
add action=add-src-to-address-list address-list=login_stage3 \
address-list-timeout=1m chain=input comment="BF stage 3" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp \
src-address-list=login_stage2
add action=add-src-to-address-list address-list=login_stage4 \
address-list-timeout=1m chain=input comment="BF stage 4" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp \
src-address-list=login_stage3
add action=add-src-to-address-list address-list=login_blacklist \
address-list-timeout=1d chain=input comment="BF BLACKLIST (5th try)" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp \
src-address-list=login_stage4
add action=add-src-to-address-list address-list=login_stage1 \
address-list-timeout=1m chain=input comment="BF stage 1" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp
add action=add-src-to-address-list address-list=login_stage2 \
address-list-timeout=1m chain=input comment="BF stage 2" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp \
src-address-list=login_stage1
add action=add-src-to-address-list address-list=login_stage3 \
address-list-timeout=1m chain=input comment="BF stage 3" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp \
src-address-list=login_stage2
add action=add-src-to-address-list address-list=login_stage4 \
address-list-timeout=1m chain=input comment="BF stage 4" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp \
src-address-list=login_stage3
add action=add-src-to-address-list address-list=login_blacklist \
address-list-timeout=1d chain=input comment="BF BLACKLIST (5th try)" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp \
src-address-list=login_stage4
add action=accept chain=input comment="INPUT: ICMP limited" limit=10,20 \
protocol=icmp
add action=add-src-to-address-list address-list=login_blacklist \
address-list-timeout=1d chain=input comment="BF BLACKLIST (5th try)" \
connection-state=new dst-port=8291,80,443,22 protocol=tcp \
src-address-list=login_stage4
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=redirect chain=dstnat comment="DNS redirect ALL VLANs UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=redirect chain=dstnat comment="DNS redirect ALL VLANs TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www address=192.168.10.0/24
set winbox address=192.168.10.0/24
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Warsaw
/system ntp client
set enabled=yes
/system ntp client servers
add address=153.19.250.123
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
