configs...
client
# dec/30/2022 <mac address> by RouterOS 7.6
# software id = 1FCH-PMGC
#
# model = RBM33G
# serial number = whatever
#
# Review notes for this export (RBM33G, identity "RBM33G#1", Europe/Vienna).
# An export lists only non-default values, so anything absent is at its default.
# "<mac address>" and "xx.xx.xx.xx" are forum-side redactions (times, TTL values,
# addresses), not literal values in the running configuration.
# Lines marked NOTE(review) are reviewer remarks; hedged ones need confirming on the box.
/interface bridge
add fast-forward=no name=bridge
# bridge-580: separate L2 domain for VLAN 580, policy-routed into ipip-tunnel1 (see mangle mark "pleven" and /ip route).
add name=bridge-580
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=3,7 disabled=yes network-mode=lte
/interface ipip
# NOTE(review): IPIP provides neither encryption nor peer authentication; the tunnel is cleartext on
# the path to remote-address unless it is itself carried inside a WireGuard tunnel -- confirm which.
add name=ipip-tunnel1 remote-address=xx.xx.xx.xx
/interface wireguard
# Two WireGuard listeners; both UDP ports are accepted from WAN in /ip firewall filter (dst-port=51821,13231).
add listen-port=51821 mtu=1420 name=mineWG
add listen-port=13231 mtu=1420 name=wireguard-pp
/interface vlan
add interface=ether2 name=ether1-580 vlan-id=580
/interface list
# Membership is defined under /interface list member further down.
add name=WAN
add name=LAN
/interface lte apn
# NOTE(review): PAP sends the APN credentials in the clear to the carrier; usually carrier-mandated,
# keep only if drei.at requires it. The LTE interface itself is disabled above.
set [ find default=yes ] apn=drei.at authentication=pap default-route-distance=1 ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK profile used by the (disabled) connect-list entries below.
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=psychoiho supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=xx.xx.xx.xx-xx.xx.xx.xx
add name=native ranges=xx.xx.xx.xx-xx.xx.xx.xx
add name=vlan-05 ranges=xx.xx.xx.xx-xx.xx.xx.xx
add name=vlan-99 ranges=xx.xx.xx.xx-xx.xx.xx.xx
add name=pool1 ranges=xx.xx.xx.xx-xx.xx.xx.xx
/ip dhcp-server
# Only one DHCP server (on bridge); the other pools are referenced by static leases or unused.
add add-arp=yes address-pool=native interface=bridge lease-time=1h name=native
/port
set 0 name=serial0
set 1 name=serial1
/queue type
# Shaping only (fq_codel / cake); no security relevance.
add fq-codel-ecn=no fq-codel-interval=50ms fq-codel-limit=1024 fq-codel-quantum=300 fq-codel-target=20ms kind=fq-codel name="fq codel"
add cake-ack-filter=filter cake-autorate-ingress=yes cake-diffserv=diffserv4 cake-flowmode=flows cake-nat=yes cake-overhead=25 cake-rtt=30ms cake-rtt-scheme=\
regional kind=cake name=cake
add kind=pfifo name=default-big pfifo-limit=500
/queue simple
add burst-limit=55M/999M burst-threshold=50M/900M burst-time=5s/5s disabled=yes dst=ether1 limit-at=0/900M max-limit=50M/900M name=queue1 queue=\
"fq codel/default-big" target=xx.xx.xx.xx/16 total-queue=default
/queue tree
add burst-limit=45M burst-threshold=35M burst-time=1s limit-at=30M max-limit=35M name=egress packet-mark=no-mark parent=ether1 queue="fq codel"
add burst-limit=250M burst-threshold=225M burst-time=1s disabled=yes limit-at=200M max-limit=220M name=ingress packet-mark=no-mark parent=bridge queue="fq codel"
/routing bgp template
# BGP template enabled, but no BGP connection/peer appears in this export.
set default disabled=no output.network=bgp-networks
/routing table
add fib name=""
# "pleven": routing table that sends VLAN 580 traffic through ipip-tunnel1.
add disabled=no fib name=pleven
/system logging action
# NOTE(review): remote syslog target. The only logging rule that uses action=remote (topics=lte, below)
# is disabled, so firewall/system logs stay in the in-memory buffer and are lost on reboot.
set 3 remote=xx.xx.xx.xx
/caps-man manager
set enabled=yes
/interface bridge filter
# no interface
# NOTE(review): in-interface=*1C looks like an unresolved reference (RouterOS prints *<id> for an
# interface that no longer exists), so this DHCP drop presumably matches nothing -- re-point or remove it.
add action=drop chain=forward comment=DHCP dst-port=67-68 in-interface=*1C ip-protocol=udp mac-protocol=ip
add action=drop chain=input comment="isolate vlan 580 from xx.xx.xx.xx/24" disabled=yes dst-address=xx.xx.xx.xx/24 in-bridge=bridge-580 mac-protocol=ip
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2
# NOTE(review): interface=*9 is another unresolved reference -- verify and clean up.
add bridge=bridge ingress-filtering=no interface=*9
add bridge=bridge-580 interface=ether1-580
add bridge=bridge interface=ether3
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=1h
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
# NOTE(review): accept-redirects=yes and accept-source-route=yes are both off by default. With them on,
# an adjacent host can alter the router's forwarding with ICMP redirects, or pick a packet's path itself.
# rp-filter=loose is the usual multi-WAN choice; the other two rarely need to be on -- confirm, else set no.
set accept-redirects=yes accept-source-route=yes rp-filter=loose
/ipv6 settings
# IPv6 stack disabled entirely.
set accept-redirects=no disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface detect-internet
set lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether1 list=WAN
# NOTE(review): mineWG is a LAN member while wireguard-pp is a WAN member. The input chain below only
# filters the WAN list, so every peer on mineWG (including the third-party sites listed as peers) can
# reach any router service the wired LAN can; the per-service address lists under /ip service are then
# the only limit. A dedicated interface list for tunnel peers with its own input rules would be tighter.
add interface=mineWG list=LAN
add interface=bridge list=LAN
add interface=wireguard-pp list=WAN
add interface=lte1 list=WAN
/interface lte settings
set mode=mbim
/interface ovpn-server server
# NOTE(review): md5 is still accepted as an OpenVPN auth digest. enabled= is not shown, so the server is
# presumably at its default (off); drop md5 before ever turning it on.
set auth=sha1,md5
/interface wireguard peers
# allowed-address is both the route and the source filter for a peer: a /24 or /16 here lets that peer
# inject packets from any address in the prefix. Peers without endpoint-address are roaming clients that
# must connect inbound. Public keys are not secrets; the private keys are not part of an export.
add allowed-address=xx.xx.xx.xx/32 comment=samsunga interface=mineWG public-key="0dmvOJCac4UpbCsonRZe0cWHdz9Z4yDNjLcJld9+yXQ="
add allowed-address=xx.xx.xx.xx/32 comment=hackmack interface=mineWG public-key="hGxvXEGf50vuADtMpE/us8t8crx2nT9a0CdSE1oj9HQ="
add allowed-address=xx.xx.xx.xx/32,xx.xx.xx.xx/24 comment="hetzner danov.biz " endpoint-address=danov.biz endpoint-port=51871 interface=mineWG persistent-keepalive=20s \
public-key="uKmLcRMJT1YOUCgsds8v2KmPSY+ccrS2scR3LCUvekA="
add allowed-address=xx.xx.xx.xx/32 comment="15 mbpro" interface=mineWG public-key="FqJ390Owg0BnH8HFOc1Z9ipW2liWaJJ5zWU+voeu5yw="
# front-balancer peers carry a whole /16 (routed via /ip route to wireguard-pp); wireguard-pp is in the WAN list, so their input is filtered.
add allowed-address=xx.xx.xx.xx/16 comment=front-balancer-2 endpoint-address=xx.xx.xx.xx endpoint-port=51820 interface=wireguard-pp persistent-keepalive=20s \
public-key="PqZ49a4pi9ENsRCOKVvmGk8A4Gargeh0ALV2iKA8Fjs="
add allowed-address=xx.xx.xx.xx/16 comment=front-balancer disabled=yes endpoint-address=xx.xx.xx.xx endpoint-port=51820 interface=wireguard-pp \
persistent-keepalive=15s public-key="PpFrmR0QnOsgUu0TK1fiWj0Qd4AA1lQGFfq1piBjlwg="
add allowed-address=xx.xx.xx.xx/32 comment=Fabrikata endpoint-address=c5d10de057de.sn.mynetname.net endpoint-port=51821 interface=mineWG persistent-keepalive=20s \
public-key="HmnE7+Pkq+BVyFKh6vKZSdEw5qQruAAyGIgzVfvcOks="
add allowed-address=xx.xx.xx.xx/32,xx.xx.xx.xx/24 comment="pleven home" endpoint-address=xx.xx.xx.xx endpoint-port=51821 interface=mineWG persistent-keepalive=\
20s public-key="mu+MA/IsacDGyubGZzAT7EO/1M18PyUA9BmIGxi3fxA="
add allowed-address=xx.xx.xx.xx/32 comment=iPhone interface=mineWG public-key="3tdsqf3R1qpcZsgv4ggi3FS/Oz/wBjg2JPt09jMdy3k="
add allowed-address=xx.xx.xx.xx/32 comment=Bodganchovci endpoint-address=a2fd0cb1dad7.sn.mynetname.net endpoint-port=51871 interface=mineWG persistent-keepalive=15s \
public-key="YfZFSu0TVNth81L80w3MyH2Jg4joVh1MEiCDIIVvaVc="
add allowed-address=xx.xx.xx.xx/32 comment=shinobi endpoint-address=xx.xx.xx.xx endpoint-port=51871 interface=mineWG public-key=\
"dI0H82rOyFQtRq+5Nj6exoV7mIZ8Pjtt/1JkICI8r2c="
/interface wireless access-list
add comment="j work" mac-address=<mac address> vlan-id=99 vlan-mode=use-tag
add allow-signal-out-of-range=5s disabled=yes signal-range=-75..120 vlan-mode=no-tag
add authentication=no disabled=yes forwarding=no signal-range=-120..-75 vlan-mode=no-tag
/interface wireless connect-list
# Both entries disabled and bound to unresolved interfaces (*10, *12).
add disabled=yes interface=*10 security-profile=psychoiho
add disabled=yes interface=*12 security-profile=psychoiho
/interface wireless sniffer
# NOTE(review): when the wireless sniffer is started, captured frames are streamed (cleartext TZSP) to
# streaming-server; confirm that host sits on a trusted segment. Same pattern under /tool sniffer at the end.
set streaming-enabled=yes streaming-server=xx.xx.xx.xx
/interface wireless snooper
set multiple-channels=no receive-errors=yes
/ip address
add address=xx.xx.xx.xx/24 interface=bridge network=xx.xx.xx.xx
add address=xx.xx.xx.xx/24 interface=mineWG network=xx.xx.xx.xx
add address=xx.xx.xx.xx interface=wireguard-pp network=xx.xx.xx.xx
add address=xx.xx.xx.xx/24 interface=ipip-tunnel1 network=xx.xx.xx.xx
add address=xx.xx.xx.xx/24 interface=bridge-580 network=xx.xx.xx.xx
# ether1 carries a static /24 in addition to the DHCP client configured below.
add address=xx.xx.xx.xx/24 interface=ether1 network=xx.xx.xx.xx
add address=xx.xx.xx.xx/24 interface=bridge network=xx.xx.xx.xx
/ip cloud
# DDNS refreshed every minute; the *.sn.mynetname.net names used as peer endpoints in both exports depend on this.
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=yes interface=bridge
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
# Static leases (MACs and client-ids redacted); address=pool1 entries take an address from that pool.
add address=xx.xx.xx.xx client-id=<mac address> disabled=yes mac-address=<mac address> server=native
add address=xx.xx.xx.xx client-id=<mac address> mac-address=<mac address> server=native
add address=xx.xx.xx.xx disabled=yes mac-address=<mac address> server=native
add address=xx.xx.xx.xx client-id=<mac address> comment="Eli Kindle" mac-address=<mac address> server=native
add address=xx.xx.xx.xx comment="Joro Kindle" mac-address=<mac address> server=native use-src-mac=yes
add address=xx.xx.xx.xx client-id=<mac address> comment="Jeny Kindle" mac-address=<mac address> server=native
add address=xx.xx.xx.xx client-id=<mac address> mac-address=<mac address> server=native
add address=xx.xx.xx.xx client-id=<mac address> mac-address=<mac address> server=native
add address=xx.xx.xx.xx client-id=<mac address> mac-address=<mac address> server=native
add address=pool1 client-id=<mac address> mac-address=<mac address> server=native
add address=pool1 client-id=<mac address> mac-address=<mac address> server=native
add address=pool1 client-id=<mac address> mac-address=<mac address> server=native
add address=xx.xx.xx.xx client-id=<mac address> mac-address=<mac address> server=native
add address=xx.xx.xx.xx client-id=<mac address> mac-address=<mac address> server=native
/ip dhcp-server network
# Per-subnet DNS/gateway handed out; the comments record which subnet skips the filtering resolver.
add address=xx.xx.xx.xx/24 comment="was xx.xx.xx.xx" dns-server=xx.xx.xx.xx gateway=xx.xx.xx.xx ntp-server=xx.xx.xx.xx
add address=xx.xx.xx.xx/24 comment="no adblock" dns-server=xx.xx.xx.xx gateway=xx.xx.xx.xx netmask=24
add address=xx.xx.xx.xx/24 dns-server=xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx gateway=xx.xx.xx.xx netmask=24
add address=xx.xx.xx.xx/24 dns-server=xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx gateway=xx.xx.xx.xx
/ip dns
# allow-remote-requests=yes makes the router a resolver. The input chain drops unsolicited WAN traffic
# (tcp/53 explicitly, everything else by the final WAN drop), so it answers LAN/tunnel clients only.
# No DoH server is set here, so verify-doh-cert=yes is currently inert.
set allow-remote-requests=yes cache-size=40096KiB max-concurrent-queries=500 max-concurrent-tcp-sessions=50 query-server-timeout=3s servers=xx.xx.xx.xx \
verify-doh-cert=yes
/ip dns static
add address=xx.xx.xx.xx name=mx.danov.biz
# Conditional forwarder for *.weint; cloudflare-dns.com pinned to a fixed address.
add forward-to=xx.xx.xx.xx regexp="^.*\\.weint\$" type=FWD
add address=xx.xx.xx.xx name=cloudflare-dns.com
/ip firewall address-list
# RFC6890 / bogon list. NOTE(review): the only filter rules that reference not_in_internet and "my LAN"
# are disabled, so neither list filters anything at the moment.
add address=xx.xx.xx.xx/8 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/12 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/16 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/8 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/16 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/8 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/4 comment=Multicast list=not_in_internet
add address=xx.xx.xx.xx/15 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/24 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/24 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/24 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/24 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/10 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/4 comment=RFC6890 list=not_in_internet
add address=xx.xx.xx.xx/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=xx.xx.xx.xx/16 list="my LAN"
# "WAN addresses": static DNS-name entry here, plus dynamic entries added by the last mangle rule. Used by the hairpin NAT rule.
add address=a2fd0c77e0ed.sn.mynetname.net list="WAN addresses"
/ip firewall filter
# Fasttrack first: fasttracked packets bypass the remaining firewall and mangle processing.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
# VLAN 580 isolation: established/srcnat returns are accepted, everything else from bridge-580 may only
# leave through ipip-tunnel1 and is rejected otherwise.
add action=accept chain=forward connection-nat-state=srcnat connection-state=established,related in-interface=bridge-580
add action=reject chain=forward connection-state="" in-interface=bridge-580 out-interface=!ipip-tunnel1 reject-with=icmp-network-unreachable
add action=accept chain=forward comment="Established, Related" connection-state=established,related,untracked
# WireGuard listeners reachable from WAN.
add action=accept chain=input dst-port=51821,13231 in-interface-list=WAN protocol=udp
# ICMP from WAN is not accepted (rule disabled), so it falls through to the final WAN input drop.
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=icmp
# NOTE(review): log-prefix alone never logs (log defaults to no); add log=yes here and on the final input
# drop if these events should be visible, as the "not NATted" rule below does.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log-prefix="FW Invalid Drop"
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes \
log-prefix=!NAT:
# NOTE(review): disabled -- enabling this is the standard bogon/spoofed-source drop that the not_in_internet list was built for.
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" disabled=yes in-interface-list=WAN log=yes log-prefix=!public \
src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" disabled=yes in-interface-list=LAN src-address-list="my LAN"
# Explicit management-port drop; already covered by the catch-all WAN drop below, kept as belt and braces.
add action=drop chain=input dst-port=8080,53,1080,80,443,8291 in-interface-list=WAN protocol=tcp
# Final WAN input drop. NOTE(review): there is no corresponding restriction for LAN-list interfaces, so
# the WireGuard peers on mineWG reach every router service unfiltered (see /interface list member).
add action=drop chain=input connection-state=!established,related,untracked in-interface-list=WAN log-prefix="\?\?"
/ip firewall mangle
# Disabled TTL rewrites (value redacted).
add action=change-ttl chain=postrouting comment="avoid throttling\?" disabled=yes new-ttl=<mac address> out-interface=lte1 passthrough=yes
add action=change-ttl chain=postrouting comment="avoid throttling\?" disabled=yes new-ttl=<mac address> out-interface=ether1 passthrough=yes
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-packet chain=postrouting new-packet-mark=out out-interface=ether1 passthrough=yes
add action=mark-packet chain=prerouting in-interface=ether1 new-packet-mark=ingress passthrough=yes
# VLAN 580 -> routing table "pleven" (default route via ipip-tunnel1).
add action=mark-routing chain=prerouting in-interface=bridge-580 new-routing-mark=pleven passthrough=yes
# Traffic-classification marks below are all disabled.
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=993,143,691 new-connection-mark=IMAP passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="also apple push and similar" connection-state=new disabled=yes dst-port=5223 new-connection-mark=XMPP \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=19305 new-connection-mark=Hangouts passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=5222,5228 new-connection-mark="Google misc" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=8291,8728,8729 new-connection-mark=Mikrotik passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=19305 new-connection-mark=Hangouts passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=3478-3481 new-connection-mark="MS Teams" passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=80,443 new-connection-mark=HTTP passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=1900 new-connection-mark=UPnP passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-state=new disabled=yes dst-port=445 new-connection-mark=Samba passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=VOIP disabled=yes new-connection-mark=VOIP passthrough=yes port=5060-5062,10000-10050 protocol=udp
add action=mark-connection chain=prerouting comment=DNS connection-state=new disabled=yes new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-connection chain=postrouting connection-state=new disabled=yes new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS disabled=yes new-packet-mark=DNS passthrough=no
add action=mark-packet chain=postrouting connection-mark=DNS disabled=yes new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting content=amazonaws disabled=yes new-connection-mark=aws passthrough=yes
add action=mark-connection chain=postrouting disabled=yes dst-port=443,80 new-connection-mark=quic passthrough=yes protocol=udp
add action=mark-connection chain=postrouting disabled=yes dst-port=4000,4001 new-connection-mark=IBKR passthrough=yes protocol=tcp src-address=xx.xx.xx.xx
add action=change-mss chain=forward comment="WG performance experiment" new-mss=1380 out-interface=mineWG passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=\
1381-65535
# Runs in mangle input, i.e. before filter input: every new TCP connection from WAN -- including those the
# filter then drops -- refreshes the router's own WAN IP (the dst) in "WAN addresses". Entries are dynamic
# (none-dynamic) and vanish on reboot; the static DNS-name entry in the list covers that gap.
add action=add-dst-to-address-list address-list="WAN addresses" address-list-timeout=none-dynamic chain=input comment=\
"MUST BE LAST!!!!!!!!!!! capture the WAN IP on every new connection" connection-state=new in-interface-list=WAN log-prefix="WAN IP:" protocol=tcp
/ip firewall nat
# Hairpin: LAN clients dialling the public WAN IP on the WireGuard port are redirected to the internal listener.
add action=dst-nat chain=dstnat comment="WG hairpin when the zte shit is NOT in bridge mode" dst-address-list="WAN addresses" dst-port=51821 protocol=udp \
src-address=xx.xx.xx.xx/24 to-addresses=xx.xx.xx.xx to-ports=51821
add action=masquerade chain=srcnat comment=defconf out-interface-list=WAN
# Masquerade toward selected tunnel destinations hides the LAN source behind the tunnel address (one rule's comment records why).
add action=masquerade chain=srcnat dst-address=xx.xx.xx.xx out-interface=mineWG
add action=masquerade chain=srcnat dst-address=xx.xx.xx.xx/24 out-interface=mineWG src-address=xx.xx.xx.xx/24
add action=masquerade chain=srcnat dst-address=xx.xx.xx.xx out-interface=mineWG
add action=masquerade chain=srcnat comment="without this iphone -> wie -> bogdanchovci does not work" dst-address=xx.xx.xx.xx out-interface=mineWG
add action=masquerade chain=srcnat dst-address=xx.xx.xx.xx out-interface=mineWG
add action=masquerade chain=srcnat out-interface=ipip-tunnel1
add action=masquerade chain=srcnat dst-address=xx.xx.xx.xx/24 src-address=xx.xx.xx.xx/24
add action=masquerade chain=srcnat dst-address=xx.xx.xx.xx/24 src-address=xx.xx.xx.xx/16
/ip firewall service-port
# All connection-tracking helpers (ALGs) disabled -- good; helpers are a known source of unintended pinholes.
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip proxy
# NOTE(review): HTTP proxy enabled. The access list below has no trailing action=deny (the RB750Gr3 export
# adds one); rules match first-hit, so if the denied single address lies inside the allowed /16 the deny is
# unreachable. WAN exposure is blocked by the input chain (tcp/8080 dropped); LAN and mineWG peers can use it.
set enabled=yes max-cache-size=2048KiB src-address=xx.xx.xx.xx
/ip proxy access
add src-address=xx.xx.xx.xx/16
add action=deny src-address=xx.xx.xx.xx
/ip route
add disabled=no distance=1 dst-address=xx.xx.xx.xx/24 gateway=mineWG pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=xx.xx.xx.xx/16 gateway=wireguard-pp pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# "pleven" table: default route via ipip-tunnel1, used only for traffic marked from bridge-580.
add disabled=no distance=1 dst-address=xx.xx.xx.xx/0 gateway=ipip-tunnel1 pref-src="" routing-table=pleven scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=xx.xx.xx.xx/24 gateway=bridge routing-table=pleven suppress-hw-offload=no
add disabled=yes distance=1 dst-address=xx.xx.xx.xx/0 gateway=xx.xx.xx.xx pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=xx.xx.xx.xx/24 gateway=xx.xx.xx.xx pref-src=xx.xx.xx.xx routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
# NOTE(review): management = winbox plus plain-HTTP www, both address-restricted; telnet/ftp/ssh/api/api-ssl off.
# Because the input chain does not filter LAN-list sources, these address lists are the only control for LAN
# and mineWG peers -- make sure the peers' allowed-address prefixes are outside these ranges unless intended.
# Prefer www-ssl over www if the web UI is needed at all.
set telnet address=xx.xx.xx.xx/24 disabled=yes
set ftp disabled=yes
set www address=xx.xx.xx.xx/24,xx.xx.xx.xx/16
set ssh address=xx.xx.xx.xx/24 disabled=yes
set api address=xx.xx.xx.xx/24,xx.xx.xx.xx/16 disabled=yes
set winbox address=xx.xx.xx.xx/16,xx.xx.xx.xx/16
set api-ssl address=xx.xx.xx.xx/24,xx.xx.xx.xx/16 disabled=yes
/ip upnp
# NOTE(review): UPnP lets any LAN host create its own dstnat pinholes, bypassing the "not dstnat" drop by design.
# The external entry (*7) and two internal ones (*6, *8) are unresolved references, so as listed it cannot
# map anything -- either repoint them deliberately or disable UPnP.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=*7 type=external
add interface=*6 type=internal
add interface=*8 type=internal
/snmp
# NOTE(review): SNMP enabled; no community is shown, so the built-in read-only "public" community
# presumably still applies and any LAN/tunnel host can poll it. Set a private community (or v3) under /snmp community.
set enabled=yes trap-generators=temp-exception,start-trap,interfaces trap-interfaces=all trap-version=2
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=RBM33G#1
/system leds
add leds=,,,,,,,,,user-led type=off
/system logging
# firewall/wireless/lte/system/script topics go to the memory buffer; the remote rule and the dns/wireguard rules are disabled.
set 0 topics=info,!dhcp
set 3 action=memory
add topics=firewall
add topics=wireless
add topics=lte
add action=remote disabled=yes topics=lte
add topics=system
add disabled=yes topics=dns
add topics=script
add disabled=yes topics=wireguard
/system ntp client
set enabled=yes
/system ntp server
# Router also serves NTP (broadcast/multicast/manycast) from its own clock to the LAN.
set broadcast=yes enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=europe.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
# NOTE(review): every scheduler below (and both scripts) runs with the full policy set, including
# password and policy. The watch-* bodies only ping and toggle WireGuard peers, which needs read,write,test;
# trim the rest (least privilege). start-time values are redacted ("<mac address>").
# Each entry parses the source of script watch-WG-pp into a function and calls it with the in-tunnel
# address to probe (wgcheckip) and the peer endpoint-address to bounce (endpointip).
add interval=3m name=watch-WG on-event=\
":global myFunc [:parse [/system script get watch-WG-pp source]]\r\
\n\r\
\n\$myFunc wgcheckip=xx.xx.xx.xx endpointip=\"danov.biz\"\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/16/2021 start-time=<mac address>
add interval=3m name=watch-pp-wg on-event=\
":global myFunc [:parse [/system script get watch-WG-pp source]]\r\
\n\r\
\n\$myFunc wgcheckip=xx.xx.xx.xx endpointip=xx.xx.xx.xx\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/16/2021 start-time=<mac address>
add interval=3m name=watch-pleven-wg on-event=\
":global myFunc [:parse [/system script get watch-WG-pp source]]\r\
\n\r\
\n\$myFunc wgcheckip=xx.xx.xx.xx endpointip=cc210e9e2427.sn.mynetname.net\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/16/2021 start-time=<mac address>
add interval=3m name=watch-fac-wg on-event=\
":global myFunc [:parse [/system script get watch-WG-pp source]]\r\
\n\r\
\n\$myFunc wgcheckip=xx.xx.xx.xx endpointip=c5d10de057de.sn.mynetname.net\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/16/2021 start-time=<mac address>
add interval=3m name=watch-bogd on-event=\
":global myFunc [:parse [/system script get watch-WG-pp source]]\r\
\n\r\
\n\$myFunc wgcheckip=xx.xx.xx.xx endpointip=a2fd0cb1dad7.sn.mynetname.net" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=\
dec/16/2021 start-time=<mac address>
/system script
# watch-WG: 5 pings to a fixed address; on total loss, bounce the whole mineWG interface (5 s).
# NOTE(review): no scheduler in this export references watch-WG (they all parse watch-WG-pp) -- likely dead, consider removing.
add dont-require-permissions=no name=watch-WG owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":if ([/ping xx.xx.xx.xx inte\
rval=1 count=5] =0) do={\r\
\n :log info \"WG down\"\r\
\n /interface disable mineWG;\r\
\n :delay 5\r\
\n /interface enable mineWG;\r\
\n :log info \"WG up again\"\r\
\n}\r\
\n"
# watch-WG-pp: parameterised peer watchdog. 5 pings to $wgcheckip; on total loss, disable every peer whose
# endpoint-address equals $endpointip, wait 60 s, re-enable. The "\<mac address>" at the start of the
# :if line is a redaction artifact of the paste, not part of the script.
add dont-require-permissions=no name=watch-WG-pp owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#:log info \"wg check-i\
p \$wgcheckip \"\r\
\n\r\
\<mac address> ([/ping \$wgcheckip interval=1 count=5] =0) do={\r\
\n :log info \"WG down \$wgcheckip\"\r\
\n /interface/wireguard/peers/disable [find endpoint-address=\$endpointip];\r\
\n :delay 60\r\
\n /interface/wireguard/peers/enable [find endpoint-address=\$endpointip];\r\
\n :log info \"WG up again \$wgcheckip\"\r\
\n}\r\
\n"
/tool bandwidth-server
# NOTE(review): authenticate=no lets any LAN/tunnel host run bandwidth tests against the router without
# credentials (CPU and link load). Set authenticate=yes or disable the server. Same on the other router.
set authenticate=no
/tool graphing interface
# Graph pages limited to one /24; the interface entry is an unresolved reference (*7).
add allow-address=xx.xx.xx.xx/24 interface=*7
/tool graphing queue
add allow-address=xx.xx.xx.xx/24
/tool graphing resource
add allow-address=xx.xx.xx.xx/24
/tool mac-server
# MAC-telnet / MAC-winbox limited to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
# Reachability probes; the two down-scripts only write a log line.
add disabled=no down-script=":log warn \"INET is down\"" host=xx.xx.xx.xx interval=10s timeout=1s type=simple
add comment=srvy disabled=no host=xx.xx.xx.xx interval=5s timeout=1s type=simple
add comment=danov disabled=no host=xx.xx.xx.xx interval=1m timeout=100ms type=simple
add comment=front-balancer disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add comment=front-balancer-2 disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no down-script=":log warning \"WAN is down\"" host=xx.xx.xx.xx interval=5s timeout=100ms type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
/tool romon
# NOTE(review): RoMON is enabled with no secrets= and no per-port restriction, so it is also offered on the
# WAN port. The RB750Gr3 export forbids it on ether1 (/tool romon port ... forbid=yes); mirror that here
# and set secrets=. RoMON is L2-only, so exposure needs adjacency on the WAN segment, but it is still a
# management plane.
set enabled=yes
/tool sms
# Bound to an unresolved port reference (*7).
set port=*7 receive-enabled=yes
/tool sniffer
# NOTE(review): packet sniffer pre-configured to stream captures (cleartext TZSP) to streaming-server
# when started; keep the target on a trusted segment and start it only deliberately.
set filter-ip-address=xx.xx.xx.xx/32 filter-operator-between-entries=and filter-stream=yes memory-limit=500KiB streaming-enabled=yes streaming-server=\
xx.xx.xx.xx
# dec/30/2022 <mac address> by RouterOS 7.6
# software id = BCWV-TL8G
#
# model = RB750Gr3
# serial number = xxxx
#
# Review notes for this export (RB750Gr3, identity "Pleven", Europe/Sofia).
# An export lists only non-default values; anything absent is at its default.
# "<mac address>" and "xx.xx.xx.xx" are forum-side redactions (MACs, times, addresses).
# Lines marked NOTE(review) are reviewer remarks; hedged ones need confirming on the box.
/interface bridge
add admin-mac=<mac address> auto-mac=no comment=defconf name=bridge
/interface eoip
# NOTE(review): both EoIP tunnels are disabled but remain ports of the LAN bridge (see /interface bridge port).
# Enabling one splices a remote L2 segment -- EoIP is cleartext and unauthenticated -- straight onto the LAN,
# with only DHCP across tunnel-52 blocked by the bridge filters below. Keep them disabled unless wrapped in IPsec/WireGuard.
add arp=disabled disabled=yes mac-address=<mac address> name=eoip-tunnel-52 remote-address=xx.xx.xx.xx tunnel-id=52
add disabled=yes mac-address=<mac address> name=eoip-tunnel1 remote-address=xx.xx.xx.xx tunnel-id=1
/interface ipip
# IPIP: no encryption or peer authentication; cleartext on the path to remote-address.
add name=ipip-tunnel1 remote-address=xx.xx.xx.xx
/interface wireguard
# Single WireGuard listener; udp/51821 is accepted from WAN in /ip firewall filter.
add listen-port=51821 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=xx.xx.xx.xx-xx.xx.xx.xx
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/queue type
add fq-codel-limit=1024 fq-codel-quantum=300 kind=fq-codel name="fq codel"
/queue simple
add burst-limit=95M/200M burst-time=3s/3s max-limit=95M/200M name=queue1 target=xx.xx.xx.xx/16,xx.xx.xx.xx/8 total-queue="fq codel"
/routing table
add fib name=""
# "opti-local": policy-routing table for one /23 (see mangle marks and /ip route).
add fib name=opti-local
/interface bridge filter
# Blocks DHCP in both directions across eoip-tunnel-52 so a remote DHCP server cannot serve this LAN (and vice versa).
add action=drop chain=forward in-interface=eoip-tunnel-52 ip-protocol=udp mac-protocol=ip src-port=67-68
add action=drop chain=forward dst-port=67-68 ip-protocol=udp mac-protocol=ip out-interface=eoip-tunnel-52
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge interface=eoip-tunnel1
add bridge=bridge interface=eoip-tunnel-52
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
# NOTE(review): accept-source-route=yes is off by default and lets a sender choose the packet's path
# through the router; rp-filter=loose is the usual multi-path choice. Confirm source routing is needed, else set no.
set accept-source-route=yes rp-filter=loose
/ipv6 settings
# IPv6 stack disabled entirely.
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): eoip-tunnel1, ipip-tunnel1 and wireguard1 are all LAN members. The input filtering below
# matches in-interface=ether1 only, so anything arriving over a tunnel is treated exactly like the wired LAN
# (all router services reachable, subject only to the /ip service address lists).
add interface=eoip-tunnel1 list=LAN
add interface=ipip-tunnel1 list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
# NOTE(review): md5 still accepted as an OpenVPN auth digest; enabled= is not shown (presumably off). Drop md5 before enabling.
set auth=sha1,md5
/interface wireguard peers
# allowed-address is both the route and the per-peer source filter. Peers without endpoint-address are roaming clients.
add allowed-address=xx.xx.xx.xx/32,xx.xx.xx.xx/32 comment=wie endpoint-address=a2fd0c77e0ed.sn.mynetname.net endpoint-port=51821 interface=wireguard1 \
persistent-keepalive=20s public-key="OrNS1nsHA4Ks6xy/UKuZTkNT3VRCk+cDVyUBDHn97jI="
add allowed-address=xx.xx.xx.xx/32 comment=factory endpoint-address=c5d10de057de.sn.mynetname.net endpoint-port=51821 interface=wireguard1 persistent-keepalive=20s \
public-key="HmnE7+Pkq+BVyFKh6vKZSdEw5qQruAAyGIgzVfvcOks="
add allowed-address=xx.xx.xx.xx/32,xx.xx.xx.xx/32 comment=danov.biz endpoint-address=danov.biz endpoint-port=51871 interface=wireguard1 persistent-keepalive=15s \
public-key="uKmLcRMJT1YOUCgsds8v2KmPSY+ccrS2scR3LCUvekA="
add allowed-address=xx.xx.xx.xx/32 comment=samsunga interface=wireguard1 public-key="0dmvOJCac4UpbCsonRZe0cWHdz9Z4yDNjLcJld9+yXQ="
add allowed-address=xx.xx.xx.xx/32 comment=macbook interface=wireguard1 public-key="MobwnvcWMHz0c5EJfIThPgeF5ybRWkv22PQUVKVMUxA="
add allowed-address=xx.xx.xx.xx/32 comment=bogdanchovci endpoint-address=a2fd0cb1dad7.sn.mynetname.net endpoint-port=51871 interface=wireguard1 public-key=\
"YfZFSu0TVNth81L80w3MyH2Jg4joVh1MEiCDIIVvaVc="
/ip address
add address=xx.xx.xx.xx/24 interface=wireguard1 network=xx.xx.xx.xx
add address=xx.xx.xx.xx/24 interface=bridge network=xx.xx.xx.xx
add address=xx.xx.xx.xx/24 interface=eoip-tunnel1 network=xx.xx.xx.xx
add address=xx.xx.xx.xx/24 interface=ipip-tunnel1 network=xx.xx.xx.xx
/ip cloud
# DDNS on; the other site's peer entry "wie" points at this router's *.sn.mynetname.net name (presumably).
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=clientid interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=xx.xx.xx.xx/24 comment=defconf dns-server=xx.xx.xx.xx gateway=xx.xx.xx.xx netmask=24
/ip dns
# Resolver for LAN/tunnel clients; udp/53 and tcp/53 from ether1 are dropped in the input chain.
set allow-remote-requests=yes cache-max-ttl=1h servers=xx.xx.xx.xx,xx.xx.xx.xx verify-doh-cert=yes
/ip dns static
add address=xx.xx.xx.xx name=mx.danov.biz
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
# ICMP accepted on every interface including ether1 (defconf behaviour).
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=ICMP protocol=icmp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# WireGuard listener reachable from WAN.
add action=accept chain=input dst-port=51821 in-interface-list=WAN protocol=udp
# NOTE(review): log-prefix without log=yes never logs (log defaults to no); same on the two drops with prefixes NDST and Nstate.
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=FINV
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix=\
NDST
# NOTE(review): the three input drops match in-interface=ether1 rather than in-interface-list=WAN. That is
# correct only while ether1 is the sole WAN interface; a second uplink added to the WAN list would be left
# open. Prefer in-interface-list=WAN here, as the forward rule above already does.
add action=drop chain=input dst-port=8291,8080,53,1080,443,80 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input connection-state=!established,related,untracked in-interface=ether1 log-prefix=Nstate
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
# LAN traffic to one /23 is policy-routed via table opti-local (the output-chain variant is disabled).
add action=mark-routing chain=prerouting dst-address=xx.xx.xx.xx/23 in-interface=bridge new-routing-mark=opti-local passthrough=yes
add action=mark-routing chain=output disabled=yes dst-address=xx.xx.xx.xx/23 new-routing-mark=opti-local passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Masquerade toward one /24 regardless of out-interface.
add action=masquerade chain=srcnat dst-address=xx.xx.xx.xx/24
/ip firewall service-port
# NOTE(review): only the ftp helper is disabled here; the RBM33G export disables all helpers (tftp, sip, ...). Align if none are needed.
set ftp disabled=yes
/ip proxy
# HTTP proxy enabled; the access list below allows one source and then denies everything else -- the safe shape.
set enabled=yes
/ip proxy access
add src-address=xx.xx.xx.xx
add action=deny
/ip route
add disabled=no distance=1 dst-address=xx.xx.xx.xx/23 gateway=xx.xx.xx.xx pref-src="" routing-table=opti-local scope=30 suppress-hw-offload=no target-scope=10
/ip service
# NOTE(review): www and winbox are open to a /16 and a /8. A /8 is a very wide management range; tighten it
# to the actual subnets. These lists are the only control for LAN/tunnel sources (see input chain).
# telnet/ftp/ssh/api/api-ssl are off; prefer www-ssl over plain www if the web UI is needed.
set telnet disabled=yes
set ftp disabled=yes
set www address=xx.xx.xx.xx/16,xx.xx.xx.xx/8
set ssh disabled=yes
set api disabled=yes
set winbox address=xx.xx.xx.xx/16,xx.xx.xx.xx/8
set api-ssl disabled=yes
/ip socks
# NOTE(review): SOCKS5 proxy enabled with no /ip socks access rules and no authentication shown, so any
# LAN or tunnel host can relay through the router. tcp/1080 is dropped from ether1 by the filter, but a
# compromised LAN client gets a ready-made pivot. Add /ip socks access rules (allow the intended sources,
# trailing deny) or disable it if unused.
set enabled=yes max-connections=500 version=5
/ip upnp
# NOTE(review): UPnP is enabled with an external interface but no internal one, so as listed it has no LAN
# side to accept requests from -- confirm, and disable it if it is not meant to be used.
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
/routing rule
add action=lookup disabled=no routing-mark=opti-local table=opti-local
/snmp
# NOTE(review): SNMP enabled; no community shown, so the built-in read-only "public" community presumably
# still applies to every LAN/tunnel host. Set a private community (or v3) under /snmp community.
set enabled=yes
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name=Pleven
/system logging
set 0 topics=info,!dhcp
add topics=wireguard
/system routerboard settings
set auto-upgrade=yes
/system scheduler
# NOTE(review): both entries run with the full policy set. "/system reboot" needs only the reboot policy,
# and watch-WIE (ping + interface enable/disable) needs read,write,test -- trim the rest (least privilege).
# Daily reboot looks like a workaround; start-time values are redacted.
add interval=1d name="Reboot Router Daily" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 \
start-time=<mac address>
add interval=5m name=watch-WIE on-event="/system script run watch-WIE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=\
dec/10/2021 start-time=<mac address>
/system script
# watch-WIE: 5 pings to a fixed in-tunnel address; on total loss, bounce wireguard1 (30 s down) and log.
add dont-require-permissions=no name=watch-WIE owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":if ([/ping xx.xx.xx.xx inter\
val=1 count=5] =0) do={\r\
\n :log info \"WIE WG down\"\r\
\n /interface disable wireguard1;\r\
\n :delay 30\r\
\n /interface enable wireguard1;\r\
\n :log info \"WG up again\"\r\
\n}\r\
\n"
/tool bandwidth-server
# NOTE(review): authenticate=no lets any LAN/tunnel host run bandwidth tests against the router without
# credentials; set authenticate=yes or disable the server.
set authenticate=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
add disabled=no host=xx.xx.xx.xx interval=1m timeout=1s type=simple
/tool romon
set enabled=yes
/tool romon port
# Good: RoMON is refused on the WAN port, so the management plane is not offered toward the uplink. No secrets= is shown.
add disabled=no forbid=yes interface=ether1
/tool sniffer
# Sniffer filter preset (rx, tcp, http-alt); no streaming configured here.
set filter-direction=rx filter-ip-protocol=tcp filter-operator-between-entries=and filter-port=http-alt