# It is examples base configuration for Mikrotik.<br/>
Please always check these options for base config new device:

 1. Add user new user with admin priv:<br/>
`/user add name="admin2" password="PASSWORD" group=full`<br/>
 2. Set NTP server:<br/>
`/system ntp client set enabled=yes primary-ntp=80.240.216.155 secondary-ntp=85.21.78.23`<br/>
<br/>
`/system ntp client set enabled=yes`<br/>
`/system ntp client servers`<br/>
`add address=0.pool.ntp.org`<br/>
`add address=1.pool.ntp.org`<br/>
<br/>
`/system ntp server set enabled=no`<br/>
<br/>
3. Set Time Zone:<br/>
`/system clock set time-zone-name=Europe/Moscow`<br/>
<br/>
4. Disabled unuse service:<br/>
`{ :local ver [/system resource get version]; :global vermajor [:pick $ver 0 [:find $ver "."]] }`<br/>
`:if ($vermajor = 7) do={ /ipv6 settings set disable-ipv6=yes }`<br/>
`:if ($vermajor = 6) do={ /system package disable ipv6 }'`<br/>
<br/>
`/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT`<br/>
`/tool mac-server set allowed-interface-list=none`<br/>
`/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT`<br/>
`/tool mac-server ping set enabled=no`<br/>
<br/>
`/ip smb set enabled=no`<br/>
<br/>
`/ip service set www     disabled=yes`<br/>
`/ip service set api     disabled=yes`<br/>
`/ip service set api-ssl disabled=yes`<br/>
`/ip service set ftp     disabled=yes`<br/>
`/ip service set telnet  disabled=yes`<br/>
`/ip service set winbox  disabled=no`<br/>
`/ip service set ssh     disabled=no`<br/>
<br/>
`/tool bandwidth-server set enabled=no`<br/>
`/tool romon set enabled=no`<br/>
<br/>
`/ip ssh set strong-crypto=yes host-key-size=4096 forwarding-enabled=both always-allow-password-login=yes`<br/>
<br/>
`/ip settings set tcp-syncookies=yes`<br/>
<br/>
`/ip proxy set enabled=no`<br/>
`/ip socks set enabled=no`<br/>
`/ip upnp set enabled=no`<br/>
`/ip cloud set ddns-enabled=no update-time=no`<br/>
<br/>
5. For security add blackhole routes and deny BOGON networks<br/>
<br/>
`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8 blackhole`<br/>
`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16 blackhole`<br/>
`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12 blackhole`<br/>
`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16 blackhole`<br/>
<br/>
`/ip firewall address-list add address=0.0.0.0/8 list=all-bogon  comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=127.0.0.0/16 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=10.0.0.0/8 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=172.16.0.0/12 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=192.168.0.0/16 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=169.254.0.0/16 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=192.0.2.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=198.51.100.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=203.0.113.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=198.18.0.0/15 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=192.88.99.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=100.64.0.0/10 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=240.0.0.0/4 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=224.0.0.0/4 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=255.255.255.255 list=all-bogon comment="List addr BOGON networks"`<br/>
<br/>
`/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections FID=SERVICE-RULES" connection-state=invalid`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections FID=SERVICE-RULES" connection-state=invalid`<br/>
`/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon`<br/>
`/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside FID=SERVICE-RULES  FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside`<br/>
`/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo`<br/>
<br/>
`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`<br/>
`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable`<br/>
`/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""`<br/>
`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`<br/>
`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new protocol=udp reject-with=icmp-port-unreachable`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""`<br/>
<br/>
6. For config bridge:<br/>
`/interface bridge add name=bridge-1`<br/>
`/interface bridge port add bridge=bridge-1 hw=yes interface=ether2`<br/>
`/interface bridge port add bridge=bridge-1 hw=yes interface=ether3`<br/>
`/interface bridge port add bridge=bridge-1 hw=yes interface=ether4`<br/>
`/interface bridge port add bridge=bridge-1 hw=yes interface=ether5`<br/>
<br/>
У портов есть 3 варианта настроек:<br/>
`admit all — Аналог гибридного порта, пропускать весь трафик (все теги vlan, в т.ч. native Vlan)`<br/>
`admit only VLAN tagged — Аналог Trunk, пропускать только тэгированный трафик (все теги Vlan указанные в VLAN’s)`<br/>
`admit only untagged and priority tagged — Аналог Access, пропускать указанный PVID Vlan`<br/>
<br/>
<br/>
7. For backup<br/>
`export terse file=gw02-21.04.20`<br/>
<br/>
`console clear-history`<br/>
<br/>
For CHR:<br/>
4 vCPU / 4 RAM / 512MB IDE HDD<br/>
<br/>
vmkfstools -i chr-6.46.6.vmdk MikroTik-CHR.vmdk -d thin<br/>
vmkfstools -X 512M MikroTik-CHR.vmdk<br/>