zabu
just joined
Topic Author
Posts: 5
Joined: Sat Apr 20, 2024 9:45 pm

Is my conf ok?

Mon Apr 22, 2024 4:03 pm

Hi all,
not sure if this is the kind of very broad, open-ended question that will get tomatoes thrown at me in here (stackoverflow ptsd?) but I'll give it a shot.

TL;DR
is this ok as a default/starting configuration?
# 2024-04-22 14:23:28 by RouterOS 7.14.3
# software id = *****
#
# model = CCR2004-1G-12S+2XS
# serial number = *****
#
# Layout as exported: sfp28-2 is the ISP-facing uplink (IPv4 dhcp-client, DHCPv6
# client, and every srcnat/dstnat/out-interface match below refer to it); all
# other SFP/SFP+ ports sit in bridge "lan" (192.168.100.0/24); ether1 stays
# outside the bridge on the defconf 192.168.88.0/24 address.
/interface bridge
add name=lan
/interface ethernet
set [ find default-name=sfp28-2 ] fec-mode=fec91
# Interface list "LAN" (upper case) is separate from bridge "lan"; its members
# are ether1 and the bridge (see /interface list member). It is referenced by
# neighbor discovery and by the MAC server / MAC-WinBox restrictions below.
/interface list
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.100.100-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=lan name=dhcp1
# DHCPv6 server hands out addresses from v6pool, which is filled by the
# prefix delegation received on sfp28-2 (see /ipv6 dhcp-client).
/ipv6 dhcp-server
add address-pool=v6pool interface=lan name=v6server
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=lan interface=sfp28-1
add bridge=lan interface=sfp-sfpplus1
add bridge=lan interface=sfp-sfpplus2
add bridge=lan interface=sfp-sfpplus3
add bridge=lan interface=sfp-sfpplus4
add bridge=lan interface=sfp-sfpplus5
add bridge=lan interface=sfp-sfpplus6
add bridge=lan interface=sfp-sfpplus7
add bridge=lan interface=sfp-sfpplus8
add bridge=lan interface=sfp-sfpplus9
add bridge=lan interface=sfp-sfpplus10
add bridge=lan interface=sfp-sfpplus11
add bridge=lan interface=sfp-sfpplus12
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): this setting is global, not per-interface, so with "yes" the
# router honours router advertisements seen on any port, LAN side included;
# confirm it is only needed for the sfp28-2 uplink.
/ipv6 settings
set accept-router-advertisements=yes
/interface list member
add interface=ether1 list=LAN
add interface=lan list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0
add address=192.168.100.1/24 interface=lan network=192.168.100.0
# WAN IPv4 comes from the ISP via DHCP, so the public address is not
# hard-coded anywhere; the dst-nat rules use dst-address-type=local instead.
/ip dhcp-client
add interface=sfp28-2
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
# Hosts allowed to reach the router's own services (input chain). Note that
# 192.168.100.2 is in this range while also being the target of the dst-nat
# rules below (80/443, 25565): anything that takes over that host can reach
# the router's management plane from inside.
/ip firewall address-list
add address=192.168.100.2-192.168.100.254 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
/ip firewall filter
# --- input: established/related, ICMP, allowed list, then drop all.
# There is no connection-state=invalid drop here (the IPv6 input chain has one).
add action=accept chain=input comment="Established, Related" \
    connection-state=established,related
add action=accept chain=input comment=icmp protocol=icmp
# Matches on source address only, with no in-interface / in-interface-list
# match, so a packet arriving on sfp28-2 with a spoofed LAN source address
# also matches; adding in-interface-list=LAN would tie it to the LAN ports.
add action=accept chain=input comment="Allowed local subnets" \
    src-address-list=allowed_to_router
add action=drop chain=input
# --- forward: fasttrack first (as in defconf), then established/related.
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related, Untracked" \
    connection-state=established,related,untracked
# Accepts any new connection leaving through sfp28-2 regardless of where it
# came in; with the unconditional drop at the end of the chain this is the
# rule that lets LAN hosts open connections to the ISP (the replies in this
# thread question it). A narrower form would add in-interface-list=LAN.
add action=accept chain=forward comment="Traffic out" out-interface=sfp28-2
# Anything dst-nat'ed (the WebServer / Minecraft rules below) is allowed through.
add action=accept chain=forward comment=dstnat connection-nat-state=dstnat
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp28-2
# Hairpin: LAN clients that hit the dst-nat'ed WAN address and get redirected
# back into 192.168.100.0/24 are source-NATed so the reply returns via the router.
add action=masquerade chain=srcnat comment="hairpin (lo nat)" dst-address=\
    !192.168.100.1 src-address=192.168.100.0/24
# dst-address-type=local matches every address owned by the router except the
# excluded 192.168.100.1, i.e. the dynamic WAN address -- but also 192.168.88.1
# on ether1, so TCP 80/443/25565 to that address is forwarded to 192.168.100.2 too.
add action=dst-nat chain=dstnat comment=WebServer dst-address=!192.168.100.1 \
    dst-address-type=local dst-port=80,443 protocol=tcp to-addresses=\
    192.168.100.2
add action=dst-nat chain=dstnat comment="Minecraft TCP" dst-address=\
    !192.168.100.1 dst-address-type=local dst-port=25565 protocol=tcp \
    to-addresses=192.168.100.2 to-ports=25565
add action=dst-nat chain=dstnat comment="Minecraft UDP" dst-address=\
    !192.168.100.1 dst-address-type=local dst-port=25565 protocol=udp \
    to-addresses=192.168.100.2 to-ports=25565
# Static route for 192.168.2.0/24 via 192.168.100.2, the same host that
# receives the dst-nat traffic above.
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=192.168.100.2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Management services: only www-ssl, winbox and ssh (moved to port 65535) stay
# enabled, all bound to 192.168.100.0/24. Hosts on 192.168.88.0/24 pass the
# input chain via allowed_to_router but are not in these address= filters.
/ip service
set telnet address=192.168.100.0/24 disabled=yes
set ftp address=192.168.100.0/24 disabled=yes
set www address=192.168.100.0/24 disabled=yes
set ssh address=192.168.100.0/24 port=65535
set www-ssl address=192.168.100.0/24
set api address=192.168.100.0/24 disabled=yes
set winbox address=192.168.100.0/24
set api-ssl address=192.168.100.0/24 disabled=yes
/ipv6 address
add from-pool=v6pool interface=lan
# Requests an address plus a delegated prefix on the uplink; the delegation
# is stored in v6pool and carved into /56 sub-prefixes.
/ipv6 dhcp-client
add add-default-route=yes interface=sfp28-2 pool-name=v6pool \
    pool-prefix-length=56 request=address,prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# The two ISP-supplied ("init7 default") rules are disabled; the defconf
# rules that follow are the active policy.
add action=accept chain=forward comment="init7 default" connection-state=\
    established,related disabled=yes in-interface=sfp28-2 out-interface=lan
add action=drop chain=forward comment="init7 default" disabled=yes \
    in-interface=sfp28-2 out-interface=lan
# --- input
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
# port= matches either the source or the destination port, so a UDP packet
# whose *source* port is in 33434-33534 also reaches the router; the current
# defconf uses dst-port= here.
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final input rule: anything not arriving on bridge "lan" is dropped; traffic
# from "lan" falls through to the chain's default accept. ether1 is not part
# of the bridge, so IPv6 arriving on ether1 is dropped here as well.
add action=drop chain=input comment="drop everything not coming from LAN" \
    in-interface=!lan
# --- forward
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
# The HIP / IKE / AH / ESP / ipsec-policy accepts below carry no in-interface
# match and sit before the final !lan drop, so those protocols are forwarded
# from the uplink to any internal host with a global address (defconf behaviour).
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface=!lan
# RA on lan with the M and O flags set, so clients obtain addresses and
# options from the DHCPv6 server above rather than via SLAAC alone.
/ipv6 nd
set [ find default=yes ] interface=lan managed-address-configuration=yes mtu=\
    1500 other-configuration=yes
/system clock
set time-zone-name=Europe/Zurich
/system health settings
set fan-min-speed-percent=0%
/system note
set show-at-login=no
# "testing" tracks release candidates; "stable" is the usual choice for a
# production router (also raised in the replies).
/system package update
set channel=testing
/system routerboard settings
set enter-setup-on=delete-key
# MAC-telnet and MAC-WinBox are limited to the LAN list (ether1 + bridge lan).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I'm just setting up my first Mikrotik router. CCR2004-1G-12S+2XS
The starting configuration came from my new ISP (init7, Switzerland).
They shared a conf file in their setup quick guide: https://www.init7.net/de/support/router ... _fr_02.pdf (English starts on page 3)

Then I took a look at: (link) and I tried to cherry-pick rules that weren't already in my starting conf.

The ipv6 worries me the most, since that's still pretty much rocket science for me. I'm very much clueless about it, but my ISP gives me a static ipv6 /48 subnet with my subscription, so I guess it's time to start looking into it.

With my previous ISP (Swisscom, Switzerland) I had a very simple/dumb proprietary router they gave me with their fiber subscription.
So for my lab subnet I had a pfSense in dual NAT. I have that already configured and working, so I left it on for now and I just hooked it up to this new Mikrotik.
Because of that, I'm not too worried about basic hardening rules, since I (should) have those covered in my pfSense setup.


Still, I'm planning to eventually drop the dual NAT, and it would be nice not to have a complete mess in RouterOS when that happens.

Thanks for the help, and if this kind of "here, you sort it out for me" question is not OK in this forum, I apologize. Let me know and I'll delete this thread.
 
TheCat12
Member Candidate
Posts: 193
Joined: Fri Dec 31, 2021 9:13 pm

Re: Is my conf ok?

Tue Apr 23, 2024 4:28 pm

As the wise @normis said - "There is no such thing as a stupid question", so don't expect to be bombarded by answers of the type you mentioned. As for your question, the default firewall of MikroTik is pretty decent and it works really well as a default/starting config. I don't see any dramatic misconfigurations, with the minor exception of an IPv4 firewall rule whose function I don't quite understand:
add action=accept chain=forward comment="Traffic out" out-interface=sfp28-2
 
infabo
Forum Veteran
Posts: 730
Joined: Thu Nov 12, 2020 12:07 pm

Re: Is my conf ok?

Tue Apr 23, 2024 4:55 pm

One thing changed recently:
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
It was "port" before. Fixed rule uses "dst-port".
 
infabo
Forum Veteran
Posts: 730
Joined: Thu Nov 12, 2020 12:07 pm

Re: Is my conf ok?

Tue Apr 23, 2024 4:55 pm

/system package update
set channel=testing
Would stay at stable channel.
 
zabu
just joined
Topic Author
Posts: 5
Joined: Sat Apr 20, 2024 9:45 pm

Re: Is my conf ok?

Tue Apr 23, 2024 6:31 pm

Thanks for the feedback!


I don't see any dramatic misconfigurations with the minor exception of an IPv4 firewall rule, the function of which I don't quite understand:
add action=accept chain=forward comment="Traffic out" out-interface=sfp28-2
I guess it doesn't make sense... I looked into the various confs i copy/pasted from and didn't find it. So I must have added it... :oops:

One thing changed recently:
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
It was "port" before. Fixed rule uses "dst-port".
Cheers, I'll fix it.

/system package update
set channel=testing
Would stay at stable channel.
Ye, I noticed it when I was posting the conf. Not sure where it came from. I think all it does is pre-select the dropdown when you go to check for updates from the gui? I'll swap it anyway. Thanks.
