# nov/15/2021 15:06:55 by RouterOS 6.49
# software id = EB15-RN2S
#
# model = RBD52G-5HacD2HnD
# serial number = C6140E1FC34D
# --- Interfaces ---------------------------------------------------------------
# NOTE(review): this export identifies the device and its owner (serial number
# and software id in the header, admin MAC, public WAN IPv4 on the tunnel, an
# e-mail account, and the HE tunnel id/update key inside the netwatch script at
# the end of the file). Treat the file as sensitive; redact before sharing.
/interface bridge
# Fixed admin-mac so the bridge keeps one L2 identity whatever ports are up.
# arp=proxy-arp makes the bridge answer ARP for hosts it can route to —
# presumably for VPN clients; confirm it is still needed. It also means the
# dhcp-server add-arp=yes below does not bind leases to MACs (that would need
# arp=reply-only).
add admin-mac=2C:C8:1B:CB:07:27 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface wireless
# Both radios are APs (mode=ap-bridge) and, with no security-profile= set, use
# the default profile further down (WPA2-PSK). wlan1: 2.4 GHz, 2462 MHz
# (channel 11), no regulatory domain. wlan2: 5 GHz, 5745 MHz, country=australia,
# installation=outdoor while distance=indoors, and frequency-mode=manual-txpower
# (power is not limited by the country setting). The two radios disagree on
# regulatory settings — verify they are intentional for the deployment site.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=no_country_set disabled=no distance=\
indoors frequency=2462 installation=indoor mode=ap-bridge ssid=SweetHome wireless-protocol=\
802.11 wmm-support=enabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX country=australia \
disabled=no distance=indoors frequency=5745 frequency-mode=manual-txpower installation=\
outdoor mode=ap-bridge preamble-mode=long ssid=SweetHome5 wireless-protocol=802.11 \
wmm-support=enabled
/interface 6to4
# 6in4 tunnel to Hurricane Electric. local-address is the public WAN IPv4 and
# is rewritten by the "6in4 dynamic ip update" netwatch script at the end of
# this file. mtu=1280 pairs with the TCP MSS clamp (1220) in /ipv6 firewall
# mangle. !keepalive: the tunnel itself is not probed; the netwatch entry on
# the remote tunnel address covers liveness instead.
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=95.220.56.140 mtu=\
1280 name=sit1 remote-address=216.66.87.14
/interface list
# WAN/LAN lists are only referenced by the srcnat masquerade rule; the IPv4
# filter rules match on in-interface=ether1/bridge directly.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Single (default) profile shared by both APs: WPA2-PSK only, no WPA1/TKIP.
# The pre-shared key is stripped by /export. management-protection (802.11w)
# is not set and so stays at its default (disabled); management-protection=
# allowed would protect clients that support it against spoofed deauth frames.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys \
supplicant-identity=MikroTik
/ip ipsec profile
# IKE phase 1 for the L2TP/IPsec server: AES-256/128 with SHA-256. dh-group is
# not exported here, so the RouterOS default applies — check that it does not
# still offer modp1024.
set [ find default=yes ] enc-algorithm=aes-256,aes-128 hash-algorithm=sha256
/ip ipsec proposal
# Phase 2: AES CBC/CTR with SHA-256 integrity. pfs-group is left at its
# default; confirm PFS is on and uses a group of at least 2048 bits.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-128-cbc,aes-128-ctr
/ip pool
# Dynamic LAN range. The static leases further down fall inside it, which
# RouterOS allows (those addresses are reserved for their MAC).
add name=dhcp_pool5 ranges=192.168.1.2-192.168.1.100
# Address pool for L2TP clients (30 usable addresses).
add name=L2TP ranges=10.0.10.0/27
/ip dhcp-server
# add-arp=yes writes an ARP entry per lease; because the bridge uses
# arp=proxy-arp rather than reply-only, this does not stop a host from using
# an address it was not leased.
add add-arp=yes address-pool=dhcp_pool5 disabled=no interface=bridge lease-time=15h5m name=dhcp1
/ppp profile
# Profile handed to L2TP sessions: router and client addresses both come from
# the L2TP pool; MSS is adjusted for the tunnel.
add change-tcp-mss=yes local-address=L2TP name=L2TP remote-address=L2TP
/interface bridge port
# ether2-5 and both radios form one L2 domain; ether1 stays outside as WAN.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip settings
# SYN cookies on: limits the effect of SYN floods against the router itself.
set tcp-syncookies=yes
/ipv6 settings
# yes = accept router advertisements on every interface (ether1 and sit1
# included) even though the IPv6 default route is static via the tunnel
# (/ipv6 route). A forged RA on any interface could then change the router's
# own addressing/routing; the default (yes-if-forwarding-disabled) or no is
# safer unless something relies on RA-learned routes — verify.
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# L2TP over IPsec, MS-CHAPv2 only. enabled= is not exported, so the server is
# presumably off. Consistent with that, the input accepts for UDP 1701/500/4500
# and ESP are disabled, and UDP 500/4500 are currently dst-nat'ed to
# 192.168.1.7 — enabling this server would require retiring those NAT rules
# first. The ipsec-secret is stripped by /export.
set authentication=mschap2 caller-id-type=number default-profile=L2TP use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless access-list
# Per-device entries with no authentication=/forwarding= override, i.e. each
# one is an "allow" (the default). They only act as an allow-list when the
# interface has default-authentication=no, which is not set on wlan1/wlan2
# above (default yes) — so as exported any client with the PSK can associate
# and these entries are effectively documentation. Several of the Apple
# entries (CE:, 8A:, EE:, 76: prefixes) look like locally-administered,
# per-network randomized MACs; if a device rotates its private address the
# entry stops matching.
add comment="Stacks ipad" interface=wlan2 mac-address=CE:62:86:9B:0F:F6
add comment="Iphone 12 pro max" interface=wlan2 mac-address=8A:BA:2A:D1:0D:0B
add comment="LG TV" interface=wlan2 mac-address=20:3D:BD:70:7D:A6
add comment="Iphone 11" interface=wlan2 mac-address=EE:D8:04:87:A3:60
add comment=macbook interface=wlan2 mac-address=50:ED:3C:39:6E:28
add comment="Mi Hub" interface=wlan1 mac-address=04:CF:8C:8F:B8:0C
add comment="Air purifier" interface=wlan1 mac-address=7C:49:EB:8A:3D:52
add comment="main camera" interface=wlan1 mac-address=64:90:C1:4B:D6:78
add comment="Cubic camera" interface=wlan1 mac-address=78:11:DC:76:4F:C6
add comment="Philips lamp" interface=wlan1 mac-address=40:31:3C:E8:ED:2E
add comment="BLE Hub" interface=wlan1 mac-address=5C:E5:0C:D2:7C:D7
add comment=Yamaha interface=wlan1 mac-address=00:22:6C:2B:67:3D
add comment=Alice interface=wlan1 mac-address=6C:21:A2:3B:33:4A
add comment=Ballu interface=wlan1 mac-address=C8:F7:42:EC:D5:A5
add comment="My kindle" interface=wlan1 mac-address=10:AE:60:6A:32:AD
add comment="Kitchen TV" interface=wlan1 mac-address=84:A4:66:C0:8F:40
add comment="Apple watch 7" interface=wlan2 mac-address=76:D1:C0:E4:D6:96
add comment=Ipad interface=wlan2 mac-address=76:E8:11:B3:18:D0
add comment=Humidifier interface=wlan1 mac-address=04:CF:8C:AD:36:F8
/ip accounting
# Per-flow traffic accounting, including LAN-to-LAN flows. The web endpoint
# has no address= restriction of its own here; it is reachable wherever the
# www service is (LAN only, see /ip service).
set account-local-traffic=yes enabled=yes
/ip accounting web-access
set accessible-via-web=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
# WAN address from the ISP. use-peer-dns=no keeps the ISP resolvers out of
# /ip dns; the router uses AdGuard at .58 instead.
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
# Reservations for the self-hosted services referenced by the NAT rules
# (.19 torrent, .7 vpn, .8 wireguard, .15 tor [disabled], .58 adguard).
# 192.168.1.22 (the Nextcloud dst-nat target) has no reservation here while
# the dynamic pool covers .2-.100 — confirm it is statically addressed on the
# host, otherwise the forward can land on the wrong machine.
add address=192.168.1.6 client-id=1:68:b5:99:72:b5:be comment=freenas mac-address=\
68:B5:99:72:B5:BE
add address=192.168.1.19 client-id=1:68:b5:99:5d:8c:c4 comment=transmission mac-address=\
68:B5:99:5D:8C:C4
add address=192.168.1.18 client-id=1:6a:b5:99:14:fa:a comment=plex mac-address=6A:B5:99:14:FA:0A
add address=192.168.1.15 client-id=1:6a:b5:99:5:d0:1b comment=tor disabled=yes mac-address=\
6A:B5:99:05:D0:1B
add address=192.168.1.7 client-id=1:6a:b5:99:49:46:d2 comment=vpn mac-address=6A:B5:99:49:46:D2
add address=192.168.1.8 client-id=1:68:b5:99:be:89:d comment=wireguard mac-address=\
68:B5:99:BE:89:0D
add address=192.168.1.71 client-id=1:0:0:aa:b0:b7:ea comment=Xerox mac-address=00:00:AA:B0:B7:EA \
server=dhcp1
add address=192.168.1.58 client-id=1:6a:b5:99:5c:68:45 comment=adguard mac-address=\
6A:B5:99:5C:68:45 server=dhcp1
/ip dhcp-server network
# LAN clients are told to resolve via AdGuard (.58). The "Adguard DNS failover"
# netwatch entry at the end of the file switches this to 8.8.8.8 while .58 is
# down.
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.58 gateway=192.168.1.1 netmask=24
/ip dns
# The router's own resolver also points at AdGuard only and is NOT switched by
# the netwatch failover; router-side lookups (e.g. ipv4.tunnelbroker.net in the
# tunnel-update script) therefore fail while .58 is down. allow-remote-requests
# is not set (default no), so the router is not an open resolver — if it is
# ever enabled, the input chain needs a matching WAN-side drop for 53/udp,tcp.
set servers=192.168.1.58
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
# Working lists for the SSH rate-limit ladder in the filter below (empty at
# export time; entries are added dynamically with timeouts).
add list=ssh_blacklist
add list=ssh_stage3
add list=ssh_stage2
add list=ssh_stage1
# Destinations blocked for outgoing LAN traffic by the forward rule below
# (comment "Scaner outgoing drop"). At least one looks like a CDN address, so
# the list may need maintenance as the endpoints move.
add address=104.131.17.148 list=vuescan_block
add address=13.227.211.152 list=vuescan_block
add address=162.243.24.127 list=vuescan_block
/ip firewall filter
# NOTE(review): the input chain has no terminal drop. After the rules below,
# everything else addressed to the router — from ether1 included — is accepted
# by the implicit default, so the only barrier between the internet and
# winbox/www/api/ssh is the per-service address= filter in /ip service. The
# defconf rule (placed after the accepts, with an ICMP accept before it)
#   add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
# closes that gap. The forward chain likewise only holds the vuescan drop:
# nothing blocks unsolicited WAN->LAN forwarding beyond the private addressing,
# and UPnP (/ip upnp) can add inbound mappings that no filter vets. The defconf
# guard for that is a drop on chain=forward with connection-state=new
# connection-nat-state=!dstnat in-interface-list=WAN.
add action=accept chain=input comment="accept establish & related" connection-state=\
established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
# SSH ladder: each *new* TCP/22 connection walks stage1 -> stage2 -> stage3
# (1m each) -> blacklist (1w3d). The ladder has no source or interface
# restriction, so four quick connections from a LAN host also blacklist it for
# ten days; adding in-interface-list=WAN (or src-address=!192.168.1.0/24) to
# these five rules keeps LAN administrators out of it. Note the /ip service
# ssh address= filter already limits who can log in at all.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp \
src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=\
input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input \
connection-state=new dst-port=22 protocol=tcp
# L2TP/IPsec accepts kept but disabled, consistent with the L2TP server being
# off and UDP 500/4500 being forwarded to 192.168.1.7 in /ip firewall nat.
add action=accept chain=input disabled=yes dst-port=1701,500,4500 in-interface=ether1 protocol=\
udp
add action=accept chain=input disabled=yes in-interface=ether1 protocol=ipsec-esp
# The only forward-chain rule: stop LAN hosts reaching the vuescan_block list.
add action=drop chain=forward comment="Scaner outgoing drop" dst-address-list=vuescan_block \
in-interface=bridge src-address=192.168.1.0/24
# Protocol 41 (6in4) is pinned to the HE tunnel endpoint in both directions.
add action=accept chain=input comment="ipv6 encap" in-interface=ether1 protocol=ipv6-encap \
src-address=216.66.87.14
add action=accept chain=output comment="ipv6 encap" dst-address=216.66.87.14 out-interface=ether1 \
protocol=ipv6-encap
/ip firewall nat
# Outbound masquerade on the WAN list. ipsec-policy=out,none leaves traffic
# that matches an IPsec policy un-NATed.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
# Port forwards. Since the forward chain in /ip firewall filter does no
# filtering of its own, each of these is reachable from any source address;
# restricting src-address on forwards with known peers (e.g. the IKE/NAT-T
# pair) would reduce exposure.
# 443 -> 192.168.1.22 (Nextcloud). .22 has no DHCP reservation in this export.
add action=dst-nat chain=dstnat comment=Nextcloud dst-port=443 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.22 to-ports=443
# IKE (500) and NAT-T (4500) -> 192.168.1.7. These grab the packets before the
# router's own IPsec/L2TP server would see them, so the two cannot coexist.
add action=dst-nat chain=dstnat comment=vpn dst-port=500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.7 to-ports=500
add action=dst-nat chain=dstnat comment=vpn dst-port=4500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.7 to-ports=4500
# WireGuard -> 192.168.1.8.
add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.8 to-ports=51820
# Disabled leftover; dst-address=0.0.0.0 would never match a real packet anyway.
add action=dst-nat chain=dstnat comment=tor disabled=yes dst-address=0.0.0.0 dst-port=9001 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.15 to-ports=9001
# Disabled: L2TP clients (10.0.10.0/27) currently get no internet through this
# router, i.e. LAN-only access — presumably intended while the server is off.
add action=masquerade chain=srcnat comment="internet exit for vpn" disabled=yes out-interface=\
ether1 src-address=10.0.10.0/27
# BitTorrent (TCP+UDP) -> 192.168.1.19.
add action=dst-nat chain=dstnat comment="torrent port" dst-port=51413 in-interface=ether1 \
protocol=tcp to-addresses=192.168.1.19 to-ports=51413
add action=dst-nat chain=dstnat comment="torrent port" dst-port=51413 in-interface=ether1 \
protocol=udp to-addresses=192.168.1.19 to-ports=51413
/ip firewall service-port
# All NAT helpers/ALGs off — good: they are a recurring source of NAT traversal
# bugs and nothing exported here needs them.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
# telnet/ftp off. The remaining services are bound to the LAN prefix; ssh is
# additionally open to 77.108.90.0/24 (presumably a remote-admin network).
# Because the IPv4 input chain has no final drop, these address= filters are
# the only thing keeping WAN sources away from winbox/www/api.
# www is plain HTTP and www-ssl is not enabled in this export, so WebFig logins
# cross the LAN unencrypted — enable www-ssl with a certificate and disable www.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh address=77.108.90.0/24,192.168.1.0/24
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24
/ip ssh
# strong-crypto=yes: good. forwarding-enabled=both permits local and remote
# TCP forwarding through the router's SSH for any authenticated user, which
# turns an SSH login into a pivot into the LAN; set it to no unless port
# forwarding over SSH is actually relied upon.
set forwarding-enabled=both strong-crypto=yes
/ip upnp
# UPnP IGD is on: any LAN host — including the IoT devices listed in the
# wireless access-list — can open inbound NAT mappings on ether1, and no
# forward filter vets them. Prefer disabling it; at minimum set
# allow-disable-external-interface=no and review /ip firewall nat for
# dynamic entries regularly.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 address
# ::2 on the tunnel (HE's side is ::1, the gateway of the default route).
# The LAN /64 on the bridge is advertised by ND, so every LAN host gets a
# globally routable address; those hosts are only protected if the
# /ipv6 firewall filter matches traffic arriving on sit1 (its rules match
# ether1, which carries no IPv6 in this export).
add address=2001:470:1f1a:522::2 advertise=no interface=sit1
add address=2001:470:1f1b:522::1 interface=bridge
/ipv6 firewall filter
# NOTE(review): every rule here keys on in-interface=ether1 (or out-interface=
# ether1), but IPv6 enters and leaves this router through the 6in4 tunnel sit1:
# the tunnel address, the default route and the mangle rules below all use
# sit1, and nothing in this export configures native IPv6 on ether1. Packets
# decapsulated from the tunnel therefore match none of these rules and fall to
# the implicit accept — the router's IPv6 services and every host in
# 2001:470:1f1b:522::/64 are reachable unfiltered from the IPv6 internet.
# Fix: replace ether1 with sit1 in these nine rules (or add sit1 to the WAN
# interface list and match in-interface-list=WAN / out-interface-list=WAN),
# keeping the order as it is. Verify with /ipv6 firewall filter print stats
# that the drop counters move after the change.
add action=drop chain=input connection-state=invalid in-interface=ether1
add action=accept chain=input connection-state=established,related in-interface=ether1
add action=accept chain=forward connection-state=established,related in-interface=ether1
# DHCPv6 client replies — irrelevant on a static tunnel, harmless.
add action=accept chain=input dst-port=546 in-interface=ether1 protocol=udp
add action=accept chain=forward in-interface=bridge out-interface=ether1
add action=accept chain=input in-interface=ether1 protocol=icmpv6
add action=accept chain=forward in-interface=ether1 protocol=icmpv6
# Catch-all drops; only the input one is logged.
add action=drop chain=input in-interface=ether1 log=yes
add action=drop chain=forward in-interface=ether1
/ipv6 firewall mangle
# Clamp TCP MSS in both directions of the tunnel:
# 1220 = 1280 (tunnel MTU) - 40 (IPv6 header) - 20 (TCP header).
add action=change-mss chain=forward comment="mss mtu correction" in-interface=sit1 new-mss=1220 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1221-65535
add action=change-mss chain=forward comment="mss mtu correction" new-mss=1220 out-interface=sit1 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1221-65535
/ipv6 nd
# Router advertisements only on the bridge (LAN), not on ether1 or sit1.
set [ find default=yes ] disabled=yes
add interface=bridge
/ipv6 route
# Default route for global IPv6 via HE's side of the tunnel.
add distance=1 dst-address=2000::/3 gateway=2001:470:1f1a:522::1
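/ppp secret
# L2TP account; the password is stripped by /export. Only usable once the
# L2TP server is enabled (it is presumably off in this export).
add name=iphone profile=L2TP service=l2tp
/system clock
set time-zone-name=Europe/Moscow
/tool e-mail
# Outgoing mail via Yandex. The export as received had lost the line
# continuation after from=, which would make an import treat the next line as
# a separate (invalid) command; restored here. Port 465 is the implicit-TLS
# (SMTPS) port while start-tls=yes asks for opportunistic STARTTLS — confirm
# which mode the server expects so that mail and the SMTP password (stripped
# from this export) are never sent in the clear.
set address=77.88.21.158 from=\
vicar1982@yandex.ru port=465 start-tls=yes user=vicar1982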
/tool netwatch
# DNS failover: when AdGuard (.58) stops answering ping, point the DHCP
# network's dns-server at 8.8.8.8 and restore it when .58 is back. Notes:
# - "network set 0" addresses the network by position; adding a second
#   /ip dhcp-server network entry would silently change the wrong one —
#   prefer set [find address=192.168.1.0/24].
# - During failover LAN DNS goes unencrypted to a third party and AdGuard's
#   filtering is lost; clients only pick up either change at lease renewal.
# - /ip dns servers (the router's own resolver) is not switched.
add comment="Adguard DNS failover" down-script="/ip dhcp-server network set 0 dns-server=8.8.8.8" \
host=192.168.1.58 up-script="/ip dhcp-server network set 0 dns-server=192.168.1.58"
# Tunnel endpoint update: when HE's side of the tunnel stops answering, read the
# current ether1 address, rewrite sit1's local-address if it changed, and send
# the new IPv4 to tunnelbroker.net over HTTPS. The whole script is one quoted
# string, exported verbatim, so note:
# - It embeds the tunnel id and update key (and an HEuserid of "username",
#   which looks like an unfinished placeholder). These are credentials: rotate
#   them if this export has ever been shared.
# - /tool fetch mode=https is used without check-certificate=yes; RouterOS does
#   not validate the server certificate by default, so an on-path interception
#   of the update credential would go unnoticed. Import the CA and add
#   check-certificate=yes to the fetch.
# - ipv4.tunnelbroker.net is resolved through /ip dns (AdGuard only), so the
#   update cannot run while .58 is down at the same time.
# - The response is written to a temp file, logged, then removed; no credential
#   lands in /file, but the server reply does end up in the log.
add comment="6in4 dynamic ip update" down-script="# Update Hurricane Electric IPv6 Tunnel Client I\
Pv4 address\r\
\n\r\
\n:local HEtunnelinterface \"sit1\"\r\
\n:local HEtunnelid \"670087\"\r\
\n:local HEuserid \"username\"\r\
\n:local HEmd5pass \"GHQsgdfvsdsdfsdfsdfKRc-crsgsgI-f9o\"\r\
\n:local HEupdatehost \"ipv4.tunnelbroker.net\"\r\
\n:local HEupdatepath \"/nic/update\"\r\
\n:local WANinterface \"ether1\"\r\
\n:local outputfile (\"HE-\" . \$HEtunnelid . \".txt\")\r\
\n\r\
\n# Internal processing below...\r\
\n# ----------------------------------\r\
\n:local HEipv4addr\r\
\n\r\
\n# Get WAN interface IP address\r\
\n:set HEipv4addr [/ip address get [/ip address find interface=\$WANinterface] address]\r\
\n:set HEipv4addr [:pick [:tostr \$HEipv4addr] 0 [:find [:tostr \$HEipv4addr] \"/\"]]\r\
\n\r\
\n:if ([:len \$HEipv4addr] = 0) do={\r\
\n :log error (\"Could not get IP for interface \" . \$WANinterface)\r\
\n :error (\"Could not get IP for interface \" . \$WANinterface)\r\
\n}\r\
\n\r\
\n# Update the HEtunnelinterface with WAN IP\r\
\n/interface 6to4 {\r\
\n :if ([get (\$HEtunnelinterface) local-address] != \$HEipv4addr) do={\r\
\n :log info (\"Updating \" . \$HEtunnelinterface . \" local-address with new IP \" . \$H\
Eipv4addr . \"...\")\r\
\n set (\$HEtunnelinterface) local-address=\$HEipv4addr\r\
\n }\r\
\n}\r\
\n\r\
\n:log info (\"Updating IPv6 Tunnel \" . \$HEtunnelid . \" Client IPv4 address to new IP \" . \
\$HEipv4addr . \"...\")\r\
\n/tool fetch mode=https \\\r\
\n host=(\$HEupdatehost) \\\r\
\n url=(\"https://\" . \$HEupdatehost . \$HEupdatepath . \\\r\
\n \"\?hostname=\" . \$HEtunnelid . \\\r\
\n \"&myip=\" . \$HEipv4addr) \\\r\
\n user=(\$HEuserid) \\\r\
\n password=(\$HEmd5pass) \\\r\
\n dst-path=(\$outputfile)\r\
\n \r\
\n:log info ([/file get (\$outputfile) contents])\r\
\n/file remove (\$outputfile)" host=2001:470:1f1a:522::1 interval=5m