Hi everyone
I went through the forum and set up my router based on what I have read. I would however be very grateful if any forum guru could verify whether I got it right. I am particularly concerned whether:
1. My Wifi Setup is correctly configured and safe
2. My IPv4 rules are correctly configured and my IPv6 settings correctly disabled, so my router is safe to use
My entire config is as follows (any help would be greatly appreciated):
# 2024-11-19 16:30:13 by RouterOS 7.15.3
# software id = KSYB-YVIV
#
# model = C53UiG+5HPaxD2HPaxD
# Single LAN bridge; LAN ports and radios are attached to it in the
# "/interface bridge port" section further down.
/interface bridge
add name=Bridge-LAN
# ether1 is the upstream (WAN) port. ether2-ether5 are renamed for clarity but
# administratively disabled, so the wired LAN ports stay unusable until they
# are re-enabled.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes name=ether3-LAN
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN
# Interface lists referenced by the firewall rules (in-/out-interface-list);
# their members are assigned in "/interface list member".
/interface list
add name=WAN
add name=LAN
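# One AP profile per band. Both accept WPA3-PSK only and keep WPS disabled.
# No passphrase appears here: an export hides sensitive values unless
# show-sensitive is requested, or it was redacted before posting — confirm
# that one is actually set.
/interface wifi configuration
add channel.band=2ghz-ax .width=20/40mhz-eC country=Germany disabled=no \
mode=ap name="2.4ghz Config" security.authentication-types=wpa3-psk .wps=\
disable ssid=TestNet
add channel.band=5ghz-ax .width=20/40mhz-eC country=Germany disabled=no \
mode=ap name="5ghz Config" security.authentication-types=wpa3-psk .wps=\
disable ssid=TestNet5G
# wifi1 (5 GHz) now carries disabled=no, matching wifi2. An export normally
# lists only values that differ from the default, so the flag being absent on
# wifi1 only may have meant the 5 GHz radio was never enabled; verify with
# `/interface wifi print`. The per-interface security settings repeat what
# the profile already states, which is harmless.
/interface wifi
set [ find default-name=wifi1 ] configuration="5ghz Config" \
configuration.mode=ap disabled=no name=Wifi1-5ghz \
security.authentication-types=wpa3-psk .wps=disable
set [ find default-name=wifi2 ] configuration="2.4ghz Config" \
configuration.mode=ap disabled=no name=Wifi2-2.4ghz \
security.authentication-types=wpa3-psk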
# Dynamic pool for LAN clients; it starts at .20 so the low addresses remain
# free for fixed assignments such as the admin host's .15 lease below.
/ip pool
add name=dhcp_pool1 ranges=192.168.0.20-192.168.0.254
# DHCP server bound to the LAN bridge, i.e. to every bridged port and radio.
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge-LAN name=dhcp1
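# Attach the LAN ports and both radios to Bridge-LAN. An interface without a
# port entry has no path to the LAN subnet, the DHCP server or the LAN
# interface list, so clients on it get neither an address nor internet access.
/interface bridge port
add bridge=Bridge-LAN interface=ether2-LAN
add bridge=Bridge-LAN interface=ether3-LAN
add bridge=Bridge-LAN interface=ether4-LAN
add bridge=Bridge-LAN interface=ether5-LAN
add bridge=Bridge-LAN interface=Wifi2-2.4ghz
# Added: the 5 GHz AP (Wifi1-5ghz) was fully configured but never bridged.
add bridge=Bridge-LAN interface=Wifi1-5ghz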
# No neighbor discovery (MNDP/CDP/LLDP) is advertised on any interface, so
# the router does not announce itself to adjacent devices.
/ip neighbor discovery-settings
set discover-interface-list=none
# Strict reverse-path filtering drops packets whose source address would not
# be routed back through the interface they arrived on; SYN cookies keep the
# router responsive under a TCP SYN flood.
/ip settings
set rp-filter=strict tcp-syncookies=yes
# IPv6 switched off at the stack level: no router advertisements accepted,
# no redirects, no forwarding, and the protocol itself disabled.
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
forward=no
# List membership used by the firewall: only ether1 is WAN, only the bridge is
# LAN (interfaces attached to the bridge are covered through the bridge).
/interface list member
add interface=ether1-WAN list=WAN
add interface=Bridge-LAN list=LAN
# Router's own LAN address and the gateway handed out by DHCP below.
/ip address
add address=192.168.0.1/24 interface=Bridge-LAN network=192.168.0.0
# Do not fetch time from the MikroTik cloud service; NTP is configured instead.
/ip cloud
set update-time=no
# WAN address and default route are obtained from the upstream by DHCP
# (upstream DNS servers too, under the dhcp-client defaults — confirm).
/ip dhcp-client
add interface=ether1-WAN
# Fixed lease for the admin host (MAC/client-id redacted). The address .15 is
# outside the dynamic pool (.20-.254), so it cannot be handed to another client
# by DHCP — although any host presenting that MAC would still receive it.
/ip dhcp-server lease
add address=192.168.0.15 client-id=1:XX:XX:XX:XX:XX:XX comment=XAdmin \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp1
# LAN clients are told to use the router itself as resolver and gateway.
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
# The router answers DNS queries from clients; the input chain restricts port
# 53 to the LAN interface list, so this is not reachable from WAN.
/ip dns
set allow-remote-requests=yes
# Source-address list consulted by the "admin access" input rule.
/ip firewall address-list
add address=192.168.0.15 comment=XAdmin list=Authorized
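# Input chain: traffic addressed to the router itself. Rules are evaluated in
# order and the first match wins, so the final drop catches everything not
# explicitly accepted above it.
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
# ICMP is accepted on every interface, WAN included (ping, path-MTU and
# error messages).
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Management access is granted purely by source address, and that address is
# assigned through a DHCP lease keyed on a MAC — a convenience, not a strong
# identity. in-interface-list=LAN is added so a packet arriving on WAN with a
# forged 192.168.0.15 source can never match this rule; rp-filter=strict
# would also discard it, but the accept rule should not depend on that
# setting alone.
add action=accept chain=input comment="admin access" in-interface-list=LAN \
src-address-list=Authorized
# DNS over UDP and TCP is the only service offered to ordinary LAN clients.
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
# Everything else to the router is dropped, regardless of interface.
add action=drop chain=input comment="drop all else"
# Forward chain: traffic passing through the router.
add action=accept chain=forward comment=\
"accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Only new connections from LAN towards WAN are allowed; new connections from
# WAN towards the LAN fall through to the final drop.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"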
# Source NAT for everything leaving through the WAN port. No dst-nat rules
# are present, so nothing is port-forwarded into the LAN.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
# Every listed management service is disabled. An export normally omits
# default values, so winbox (TCP 8291) is absent here and presumably keeps its
# default enabled state — it is then reachable only through the "admin access"
# rule in the input chain. The ssh port change has no effect while ssh stays
# disabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2421
set api disabled=yes
set api-ssl disabled=yes
# Applies only if ssh is ever re-enabled: restrict it to strong ciphers/MACs.
/ip ssh
set strong-crypto=yes
# IPv6 is already disabled in "/ipv6 settings"; these rules are a fallback in
# case it is ever re-enabled: every chain (input, forward, output) drops
# unconditionally. The dedicated ICMPv6 rule is redundant with the
# catch-all drop that follows it.
/ipv6 firewall filter
add action=drop chain=input comment="Drop all IPv6 ICMP traffic" protocol=\
icmpv6
add action=drop chain=input comment="Drop all other IPv6 traffic"
add action=drop chain=forward comment="Drop all IPv6 forward traffic"
add action=drop chain=output comment="Drop all IPv6 output traffic"
# The default IPv6 neighbor-discovery (router advertisement) entry is disabled.
/ipv6 nd
set [ find default=yes ] disabled=yes
# Local time zone for logs and scheduler (note: country=Germany on the radios
# but Europe/Brussels here — only the wifi country code affects regulatory
# channel limits).
/system clock
set time-zone-name=Europe/Brussels
# Do not print the system note at login.
/system note
set show-at-login=no
# Time sync from the public NTP pool; accurate time matters for log
# timestamps and for any certificate validation the router performs.
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
# Bandwidth-test server off: it is a common abuse/DoS vector when reachable.
/tool bandwidth-server
set enabled=no
# Layer-2 management helpers disabled on every interface: no MAC-telnet,
# no MAC-winbox, no MAC ping. Management therefore requires an IP path that
# the input chain permits.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no