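# Interfaces
# Rename the physical ports so their role (WAN / LAN) is visible in every later rule.
/interface ethernet set [ find default-name=ether1 ] name=ether1-WAN
/interface ethernet set [ find default-name=ether2 ] name=ether2-LAN
/interface ethernet set [ find default-name=ether3 ] name=ether3-LAN
/interface ethernet set [ find default-name=ether4 ] name=ether4-LAN
/interface ethernet set [ find default-name=ether5 ] name=ether5-LAN

# Bridge
/interface bridge add name=bridge-LAN

# Bridge Ports
/interface bridge port add bridge=bridge-LAN interface=ether2-LAN
/interface bridge port add bridge=bridge-LAN interface=ether3-LAN
/interface bridge port add bridge=bridge-LAN interface=ether4-LAN
/interface bridge port add bridge=bridge-LAN interface=ether5-LAN

# List
# The NAT and firewall rules match on these lists, not on interface names, so
# list membership decides which side of the firewall an interface is on.
/interface list add name=WAN
/interface list add name=LAN

# List members
/interface list member add interface=ether1-WAN list=WAN
/interface list member add interface=bridge-LAN list=LAN
# pppoe-out1 is not created anywhere in this script: the PPPoE client has to
# exist before this line runs, otherwise the interface never joins WAN and the
# WAN-side drop rules do not apply to it. The original had a stray space after
# "interface=", which breaks the argument.
/interface list member add interface=pppoe-out1 list=WAN

# LAN IP address
/ip address add address=192.168.0.1/24 interface=bridge-LAN network=192.168.0.0

# DHCP-server for LAN
/ip pool add name=pool-LAN0 ranges=192.168.0.5-192.168.0.99
/ip dhcp-server add address-pool=pool-LAN0 disabled=no interface=bridge-LAN name=dhcp-LAN0 lease-time=8h
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.1

# DNS
# allow-remote-requests=yes turns the router into a resolver for its clients.
# Nothing in this command limits which interfaces it answers on; the input-chain
# rule "Drop all not from LAN" in the firewall section is what keeps it from
# being an open resolver on the WAN side. Do not apply this line without it.
/ip dns set allow-remote-requests=yes servers=8.8.8.8

# NAT
/ip firewall nat add action=masquerade chain=srcnat comment="NAT masquerade for Internet" out-interface-list=WAN

# Firewall – base rules.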
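# Input chain (traffic addressed to the router itself). Rules are evaluated in
# the order they are added. There is no final drop for LAN-side traffic, so
# anything arriving on a LAN-list interface reaches every enabled service.
/ip firewall filter add action=accept chain=input comment="Accept established & related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="Drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=input comment="Drop all not from LAN" in-interface-list=!LAN

# Forward chain (traffic routed through the router). New connections from WAN
# are dropped unless a dst-nat rule matched them; none is defined in this script.
/ip firewall filter add action=accept chain=forward comment="Accept estableshed & related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Drop all WAN not DSTNAT" connection-nat-state=!dstnat in-interface-list=WAN

# Services
# ssh and winbox are left enabled; access to them is limited only by the
# input-chain rules above, not by the services themselves.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

# NTP
# NOTE(review): primary-ntp / secondary-ntp is the RouterOS v6 form of this
# command; v7 takes a servers= list instead. Confirm against the target version.
/system ntp client set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.232

# Users
# The replacement full-rights account is created before the default "admin" is
# removed, so the router is never left without an administrator.
# The password below is a placeholder: set a unique value per device and keep it
# out of shared or published copies of this script. Inside double quotes
# RouterOS reads "$name" as a variable reference, so a literal dollar sign has
# to be written as \$ (the value originally published here contained an
# unescaped $ and would likely not have been stored as written).
/user add name=Yotunheim password="REPLACE-WITH-UNIQUE-PASSWORD" group=full
/user remove admin

# Neighbor discovery security
# Limit neighbor discovery and the MAC-layer management servers to the LAN list
# so the router does not announce itself or accept MAC-Telnet / MAC-Winbox on WAN.
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no

# Firewall – remote management
/ip firewall address-list add address=192.168.0.0/24 list=TRUST-LIST-MANAGEMET
# dst-port instead of port: "port" matches when either the source or the
# destination port is in the list, so the original rule also accepted packets
# to any router port whose source port happened to be 22 or 8291.
# This rule is appended after "Drop all not from LAN", so it only ever sees
# LAN-side traffic, which the input chain already accepts by default. Adding a
# non-LAN address to the list will have no effect unless the rule is moved
# above that drop.
/ip firewall filter add action=accept chain=input comment="Accept remote management" dst-port=22,8291 protocol=tcp src-address-list=TRUST-LIST-MANAGEMET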