# dennyhalim.com relatively secured mikrotik config kickstarter
# only partially tested
# only use this to completely re-configure your mikrotik
# ether1 WAN / internet, dhcp client, all input from it dropped
# ether2 LAN ip 10.20.30.1 , dhcp server, accept input
# servers ip 10.20.30.1-10.20.30.15 ( 10.20.30.0/28 ) - exempt from the DNS redirect, NATed on all ports
# wlan1 10.20.31.1
# wlan_guest1 10.200.31.1 - isolated guest network, no access to the router or the other LANs
# WARNING: this will reset your router config!
# do backup before proceed!
# automatic setup, run these commands:
# /tool fetch url=https://raw.githubusercontent.com/dennyhalim/cfg/master/mikrotik-new.rsc
# NOTE(review): the fetch above verifies nothing beyond TLS; read the downloaded file before importing it,
# every line below runs with full router privileges and the last line reboots the device.
# binary backup (default name: identity-date); reset-configuration separately writes auto-before-reset.backup
/system backup save #there will be auto-before-reset.backup
# plain-text export named after the identity; depending on RouterOS version it may contain keys and passwords
/export file=[/system identity get name]
/system package update set channel=long-term
# manually run these, it will also reboot your router
# /system package update install
# /system reset-configuration no-defaults=yes #run-after-reset=mikrotik-new.rsc
# /import file=mikrotik-new.rsc verbose=yes
# or, manually copy-paste into mikrotik terminal
# after configured, change all passwords, keys, email, server_ip etc.
# test everything works.
#log system and accounts
#account = logins/logouts, system = configuration changes; action=disk keeps them across a reboot,
#the default memory log does not. NOTE(review): an action=remote target (syslog) would keep a copy an
#attacker with admin rights cannot wipe - consider adding one.
/system logging
add action=disk topics=account
add action=disk topics=system
#only enable packages and services you need
/tool bandwidth-server set enabled=no
#/system package
#disable calea
#disable gps
#disable ipv6
#disable mpls
#disable multicast
#disable tr069-client
#disable ups
#disable user-manager
#NOTE: the /ipv6 firewall section further down cannot import if the ipv6 package really is disabled
#management services: api/api-ssl/ftp/telnet off, ssh and web on non-default ports.
#a moved port hides nothing from a scan; the /ip firewall filter input rules are the real control,
#and the "allow remote" rule there must list the same ports that are set here.
/ip service
set api disabled=yes
set api-ssl disabled=yes
set ftp disabled=yes port=21001
set telnet disabled=yes port=23001
set ssh disabled=no port=22001
#NOTE(review): www is plain http, logins over it are cleartext; consider keeping only www-ssl
set www disabled=no port=8001
#NOTE(review): www-ssl only serves once a certificate is assigned (certificate=) - confirm one is set up;
#631 is the IPP printer port, unusual for https but harmless
set www-ssl disabled=no port=631
#winbox is not touched here and keeps its default port 8291 (the port the "allow remote" rule opens)
#wireless config
#rate limit for the default hotspot profile; no hotspot is configured in this file, so this only matters if one is added later
/ip hotspot user profile set [find default=yes] rate-limit=1M/4M
#two WPA2-PSK profiles: the default one (used by wlan1) and a separate key for the guest AP.
#both keys are placeholders - change them, see the header.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=\
dynamic-keys wpa2-pre-shared-key=DennyHalim
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan_guest1 \
wpa2-pre-shared-key=dennyhalim.com
#wlan1 = trusted AP with WPS off (the WPS PIN method is a known weakness).
#wlan_guest1 = virtual AP on the same radio with its own key; default-forwarding=no stops guest
#clients from reaching each other over the air, the firewall rules keep them off the router and the LAN.
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge wps-mode=disabled \
ssid=dennyhalim.com wireless-protocol=802.11 default-ap-tx-limit=4M
add disabled=no master-interface=wlan1 name=\
wlan_guest1 security-profile=wlan_guest1 ssid="Wifi Guests" default-forwarding=no default-ap-tx-limit=1M
#no bridge is created anywhere in this file, so these bridge filter rules only take effect if the
#interfaces are bridged later; guest isolation is currently done at layer 3 in /ip firewall filter
/interface bridge filter
add action=drop chain=forward in-interface=wlan_guest1
add action=drop chain=forward out-interface=wlan_guest1
/ip settings
#throttle the router's own ICMP error replies to the smallest non-zero rate
set icmp-rate-limit=1
#set tcp-syncookies=yes
#do not announce the router (MNDP/CDP/LLDP) toward the WAN or the guest wifi.
#NOTE(review): this per-interface form is pre-6.41 syntax; on RouterOS 6.41 and later it is
#/ip neighbor discovery-settings set discover-interface-list=... and this command fails the import
/ip neighbor discovery
set ether1 discover=no
set wlan_guest1 discover=no
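/ip address
add address=10.20.30.1/24 interface=ether2 network=10.20.30.0
add address=10.20.31.1/24 interface=wlan1 network=10.20.31.0
add address=10.200.31.1/24 interface=wlan_guest1 network=10.200.31.0
#if your wan ip is static change disabled=yes and add wan ip
#use-peer-dns=no keeps the ISP resolvers out of /ip dns, so the filtering servers set further down stay in charge
/ip dhcp-client add interface=ether1 use-peer-dns=no dhcp-options=hostname,clientid disabled=no
/ip pool
add name=pool_ether2 ranges=10.20.30.101-10.20.30.200
add name=wlan1 ranges=10.20.31.101-10.20.31.200
add name=wlan1_guest1 ranges=10.200.31.101-10.200.31.200
/ip dhcp-server
add add-arp=yes address-pool=pool_ether2 authoritative=after-2sec-delay \
disabled=no interface=ether2 name=dhcp_ether2
add address-pool=wlan1 disabled=no interface=wlan1 name=wlan1
add address-pool=wlan1_guest1 disabled=no interface=wlan_guest1 name=wlan_guest1
#the gateway and dns options come only from a network entry; with the entry commented out clients got an
#address but no default route, so nothing past the router worked. One entry per subnet, pointing at the
#router on that subnet (non-server clients are redirected to the filtering resolvers by dstnat anyway).
/ip dhcp-server network
add address=10.20.30.0/24 gateway=10.20.30.1 dns-server=10.20.30.1
add address=10.20.31.0/24 gateway=10.20.31.1 dns-server=10.20.31.1
add address=10.200.31.0/24 gateway=10.200.31.1 dns-server=10.200.31.1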
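/ip firewall nat
#servers ip 10.20.30.1-10.20.30.15 might access dns directly. others get redirected.
# add chain=dstnat action=redirect protocol=udp src-address=!10.20.30.0/28 dst-port=53 nth=2,2 disabled=yes comment=redirect_to_local
#each rule keeps its own nth counter, so two rules both using nth=2,2 let a quarter of the queries through
#unredirected (to whatever resolver the client chose). The first rule takes every other query (nth=2,1)
#and the second takes everything that is left (no nth).
add chain=dstnat action=dst-nat protocol=udp src-address=!10.20.30.0/28 dst-port=53 to-addresses=185.228.168.10 to-port=5353 nth=2,1 disabled=no comment=redirect_to_cleanbrowsing
add chain=dstnat action=dst-nat protocol=udp src-address=!10.20.30.0/28 dst-port=53 to-addresses=185.228.168.11 to-port=5353 disabled=no comment=redirect_to_cleanbrowsing
#opendns alternative (disabled): same nth scheme; the second address was a copy of the first
add chain=dstnat action=dst-nat protocol=udp src-address=!10.20.30.0/28 dst-port=53 to-addresses=208.67.222.123 to-port=443 nth=2,1 disabled=yes comment=redirect_to_opendns
add chain=dstnat action=dst-nat protocol=udp src-address=!10.20.30.0/28 dst-port=53 to-addresses=208.67.220.123 to-port=443 disabled=yes comment=redirect_to_opendns
#tcp/53 and DNS over HTTPS (443) are not redirected; a client using them bypasses the filtering resolvers
#more secured? nat only certain ports (currently only for browsing and email.)
add chain=srcnat action=masquerade src-address=10.20.30.0/24 out-interface=ether1 protocol=tcp dst-port=80,443,110,995,143,993,587,465
#the wireless subnets had no masquerade at all and could not reach the internet; wlan1 gets the same
#browsing+email set as the LAN, the guest network only web
add chain=srcnat action=masquerade src-address=10.20.31.0/24 out-interface=ether1 protocol=tcp dst-port=80,443,110,995,143,993,587,465
add chain=srcnat action=masquerade src-address=10.200.31.0/24 out-interface=ether1 protocol=tcp dst-port=80,443
#srcnat runs after dstnat, so the redirected dns queries leave ether1 with destination port 5353 and need
#their own masquerade - without it they went out with a private source address and never got an answer.
#add 443 to dst-port here if you switch to the opendns pair.
add chain=srcnat action=masquerade src-address=10.20.30.0/24 out-interface=ether1 protocol=udp dst-port=5353
add chain=srcnat action=masquerade src-address=10.20.31.0/24 out-interface=ether1 protocol=udp dst-port=5353
add chain=srcnat action=masquerade src-address=10.200.31.0/24 out-interface=ether1 protocol=udp dst-port=5353
#enter dest-port to allow connections to certain other udp ports
# add chain=srcnat action=masquerade src-address=10.20.30.0/24 protocol=udp dst-port=
#servers allowed all ports
add chain=srcnat action=masquerade src-address=10.20.30.0/28 out-interface=ether1
#change to disabled=no to nat all ports
add chain=srcnat action=masquerade src-address=10.20.30.0/24 out-interface=ether1 disabled=yes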
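##FIREWALL
#first, drop ddos and bad stuffs
#https://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
#loose reverse-path check: drop packets whose source address is not routable at all, without breaking asymmetric paths
/ip settings set rp-filter=loose
#traffic between a flagged attacker (ddoser) and its target (ddosed) is routed into a blackhole;
#the address lists are filled by the block-ddos chains below and expire after 10 minutes
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=ddosed new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser
/ip route add distance=254 routing-mark=ddoser-route-mark type=blackhole
#/ip firewall address-list
#add address=yourip list=allowremote #only allow remote from listed ip
#NOTE: if the ipv6 package is disabled (see the package list at the top) the /ipv6 path does not exist
#and the import stops here - comment this section out in that case
/ipv6 firewall filter
add action=accept chain=input src-address-list=allowremote
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
add action=drop chain=forward in-interface=wlan_guest1 out-interface=!ether1
add action=drop chain=input comment="Drop Invalid Input" \
connection-state=invalid
add action=drop chain=forward comment="Drop Invalid Forward" \
connection-state=invalid
#ipv6 has no NAT hiding the LAN: the input chain already drops everything from the WAN, but the forward
#chain fell through to accept, so every LAN host would be reachable from the internet if ether1 ever
#gets an IPv6 prefix. Allow replies, then drop whatever else comes in from the WAN.
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="Drop new IPv6 from WAN" in-interface=ether1
#add chain=forward protocol=tcp tcp-flags=syn connection-limit=200,32 action=drop comment="too much connections"
add action=drop chain=input in-interface=wlan_guest1
#drop all from WAN
add action=drop chain=input in-interface=ether1
add action=drop chain=input #protocol=!icmp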
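/ip firewall filter
#https://paper.bobylive.com/Network/Mikrotik_Denial_of_Service_Attack.pdf
#add chain=prerouting action=accept protocol=tcp dst-limit=25/1s,25,dst-address/10s
#block most attacked ports
add action=drop chain=forward protocol=tcp dst-port=23,25
#new connections are rate-checked per src/dst pair; a pair above 50/10s lands in the ddoser/ddosed lists
#for 10 minutes and is dropped (and blackholed by the mangle rule above)
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
#remote management, only from the allowremote address list (see the commented /ip firewall address-list
#above) and only on the ports the services actually listen on: ssh 22001 and www 8001 per /ip service,
#winbox on its default 8291. The previous rule accepted 22,80,8291 from any source and sat before the
#"drop all from WAN" rule, which left winbox open to the whole internet. With an empty allowremote list
#nothing is accepted here; LAN management still works through "allow from lan" below.
#log=yes records each accepted remote connection (log-prefix alone logs nothing).
add action=accept chain=input comment="allow remote" dst-port=\
22001,8001,8291 src-address-list=allowremote log=yes log-prefix=remoting protocol=tcp
#first, drop bad stuffs
add action=drop chain=forward in-interface=wlan_guest1 out-interface=!ether1
add action=drop chain=input comment="Drop Invalid Input" \
connection-state=invalid
add action=drop chain=forward comment="Drop Invalid Forward" \
connection-state=invalid
#add chain=forward protocol=tcp tcp-flags=syn connection-limit=200,32 action=drop comment="too much connections"
#allowances
#fasttracked packets bypass the remaining filter and mangle rules (and queues), so anything that must
#see every packet of an established flow has to sit above this rule
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related
#add action=drop chain=input src-address-type=broadcast
#add action=drop chain=input dst-address-type=broadcast
add action=drop chain=input dst-address=255.255.255.255
add action=drop chain=input dst-address=10.20.30.255
### dont forget to replace the interfaces names
add action=accept chain=input comment="allow from lan" in-interface=ether2
#wlan1 is a trusted network like ether2 (own key, own subnet). Without this rule it only reached the
#router's dns/dhcp because the final drop at the bottom is disabled; now that drop can be enabled safely.
add action=accept chain=input comment="allow from wlan" in-interface=wlan1
#add action=accept chain=input comment="allow from vlan" in-interface=vlan1
#add action=accept chain=input comment=capman in-interface=capman1
#add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" \
# connection-state=new in-interface=ether2
add action=drop chain=input in-interface=wlan_guest1
#drop all from WAN
add action=drop chain=input in-interface=ether1
#drop everything else
### WARNING: THIS MIGHT BLOCK YOURSELF ###
### !! move it to most bottom !! ###
### enable it only if you're certain ###
add action=drop chain=input disabled=yes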
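#malware blocking dns
# https://adguard-dns.io/kb/general/dns-providers/
#the router resolves for the LAN (allow-remote-requests=yes). It is not an open resolver only because the
#input chain drops everything from ether1 - keep that rule. Server list deduplicated: the two 199.85.x
#entries were listed twice.
#NOTE(review): 199.85.126.20/199.85.127.20 are Norton ConnectSafe addresses, a service reported as retired;
#check that they still answer before relying on them
/ip dns
set allow-remote-requests=yes servers=\
199.85.126.20,199.85.127.20,9.9.9.9,208.67.222.123,208.67.220.123
/ip dns static
#your own wpad
#add ttl=1h address=your.wpad.server regexp=^wpad.*
#force strict safe search
#dots escaped (an unescaped . matches any character) and the TLD left open so every google country
#domain is pinned to the safe-search address; the old ^www.google.co* effectively stopped at "c"
add ttl=1h address=216.239.38.120 regexp="^www\\.google\\."
add ttl=1h address=204.79.197.220 name=www.bing.com
#216.239.38.119 www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com youtube-nocookie.com
#blocking advertising and other junks
#127.0.0.127 is a loopback address, so blocked names fail locally instead of timing out.
#regexp entries match anywhere in the queried name: short patterns (tv, live, play, coin) also hit
#unrelated domains, e.g. live matches outlook.live.com - which is why most of them ship disabled.
add ttl=1h address=127.0.0.127 regexp=doubleclick.net
add ttl=1h address=127.0.0.127 regexp=data.microsoft.com
add ttl=1h address=127.0.0.127 regexp=telemetry.microsoft.com
add ttl=1h address=127.0.0.127 regexp=atdmt.com
add ttl=1h address=127.0.0.127 regexp=facebook.net disabled=yes
add ttl=1h address=127.0.0.127 regexp=connect.facebook
add ttl=1h address=127.0.0.127 regexp=pixel.facebook.com
add ttl=1h address=127.0.0.127 regexp=ads.twitter.com
add ttl=1h address=127.0.0.127 regexp=platform.twitter.com
add ttl=1h address=127.0.0.127 name=www.googleadservices.com
add ttl=1h address=127.0.0.127 name=www.googlesyndication.com
add ttl=1h address=127.0.0.127 name=www.google-analytics.com
add ttl=1h address=127.0.0.127 name=www.googletagservices.com
add ttl=1h address=127.0.0.127 name=www.googletagmanager.com
#block streaming / video
add ttl=1h address=127.0.0.127 regexp=tiktok
add ttl=1h address=127.0.0.127 regexp=youtube disabled=yes
add ttl=1h address=127.0.0.127 regexp=spotify disabled=yes
add ttl=1h address=127.0.0.127 regexp=tv disabled=yes
#NOTE(review): unquoted \. - confirm the backslash survives parsing; the quoted form "\\.fm" is unambiguous
add ttl=1h address=127.0.0.127 regexp=\.fm disabled=yes
add ttl=1h address=127.0.0.127 regexp=live disabled=yes
add ttl=1h address=127.0.0.127 regexp=radio disabled=yes
add ttl=1h address=127.0.0.127 regexp=video disabled=yes
add ttl=1h address=127.0.0.127 regexp=stream disabled=yes
add ttl=1h address=127.0.0.127 regexp=^player disabled=yes
add ttl=1h address=127.0.0.127 regexp=akamaihd.net disabled=yes
add ttl=1h address=127.0.0.127 regexp=akamaistream.net disabled=yes
#example blocking facebook, youtube, etc
add ttl=1h address=127.0.0.127 regexp=xxx
add ttl=1h address=127.0.0.127 regexp=coin
add ttl=1h address=127.0.0.127 regexp=play disabled=yes
add ttl=1h address=127.0.0.127 regexp=games disabled=yes
add ttl=1h address=127.0.0.127 regexp=pr0n disabled=yes
add ttl=1h address=127.0.0.127 regexp=fbcdn disabled=yes
add ttl=1h address=127.0.0.127 regexp=facebook disabled=yes
add ttl=1h address=127.0.0.127 regexp=youtube disabled=yes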
#MikroTik cloud DDNS: the router's public address is sent to MikroTik's servers and published under the name printed by get
/ip cloud
set ddns-enabled=yes
get dns-name
#outgoing mail for the autobackup script; server and sender are placeholders.
#NOTE(review): no tls= option is set, so the mailed export (which can contain keys and passwords) goes in
#the clear unless the server forces encryption - confirm, and set it if the RouterOS version supports it
/tool e-mail
set address=your_mail_server from=<[email protected]>
#autobackup: password-protected cloud backup, plus a plain-text export that is e-mailed and FTP-uploaded.
#- the cloud backup password and the FTP credentials are clear text in the script source, readable by
#  anyone who can read scripts or an export
#- inside this double-quoted source string $ starts a variable (see \$backupfile), so a real password
#  containing $ has to be written as \$
#- mode=ftp is cleartext: the export and the FTP password cross the network unencrypted; prefer an
#  encrypted transport if the RouterOS version offers one
#- the export is plain text and, depending on RouterOS version, includes sensitive values unless hide-sensitive is used
/system script
add name=autobackup source=\
":global name=backupfile value=([/system identity get name].\".rsc\")\r\
\n/system backup cloud remove-file number=0\r\
\n/system backup cloud upload-file action=create-and-upload password=replacethispassword12345!@#$%\r\
\n/export file=\$backupfile\r\
\n:delay 20s\r\
\n/tool e-mail send to=\"[email protected]\" subject=(\$backupfile) file=\$backupfile\r\
\n/tool fetch address=your_ftp_server_ip src-path=\$backupfile user=your_ftp_username \
mode=ftp password=your_ftp_password dst-path=\"/home/your_ftp_username/\$backupfile\" upload=yes\r\n"
#refresh the cloud DDNS entry every 3 hours, run the backup every 10 days
/system scheduler
add interval=3h name=ipcloud on-event="/ip cloud force-update\r\n"
add interval=10d name=autobackup on-event=autobackup
#NTP so log timestamps and certificate validity checks are right.
#NOTE(review): primary-ntp/secondary-ntp is RouterOS 6 syntax; v7 uses servers= - confirm the target version
/system ntp client set primary-ntp=87.124.126.49 secondary-ntp=204.9.54.119 enabled=yes \
server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
#/system script run autobackup
#reboots right away once the import reaches this line
/system reboot