2024-09-19 13:36:34 +03:00


This is an example base configuration for MikroTik RouterOS.

Always check these options when doing the base configuration of a new device:

  1. Add a new user with admin privileges:
    /user add name="admin2" password="PASSWORD" group=full
  2. Set the NTP server (RouterOS v6 syntax, fixed addresses):
    /system ntp client set enabled=yes primary-ntp=80.240.216.155 secondary-ntp=85.21.78.23

    RouterOS v7 syntax (server list):
    /system ntp client set enabled=yes
    /system ntp client servers
    add address=0.pool.ntp.org
    add address=1.pool.ntp.org

    Do not act as an NTP server for other hosts:
    /system ntp server set enabled=no

  3. Set Time Zone:
    /system clock set time-zone-name=Europe/Moscow

  4. Disable unused services:
    Disable IPv6 (the command differs between RouterOS 7 and 6; the major version is taken from the version string):
    { :local ver [/system resource get version]; :global vermajor [:tonum [:pick $ver 0 [:find $ver "."]]] }
    :if ($vermajor = 7) do={ /ipv6 settings set disable-ipv6=yes }
    :if ($vermajor = 6) do={ /system package disable ipv6 }

    Limit neighbor discovery and MAC-level access (MAC-WinBox) to the management interface list; the list interfaces-MAC-MGMT must exist before it is referenced here:
    /ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
    /tool mac-server set allowed-interface-list=none
    /tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
    /tool mac-server ping set enabled=no

    /ip smb set enabled=no

    Leave only WinBox and SSH enabled:
    /ip service set www disabled=yes
    /ip service set api disabled=yes
    /ip service set api-ssl disabled=yes
    /ip service set ftp disabled=yes
    /ip service set telnet disabled=yes
    /ip service set winbox disabled=no
    /ip service set ssh disabled=no

    /tool bandwidth-server set enabled=no
    /tool romon set enabled=no

    SSH hardening (a changed host-key-size only applies after the host key is regenerated; forwarding-enabled=both also permits SSH port forwarding through the router):
    /ip ssh set strong-crypto=yes host-key-size=4096 forwarding-enabled=both always-allow-password-login=yes

    /ip settings set tcp-syncookies=yes

    /ip proxy set enabled=no
    /ip socks set enabled=no
    /ip upnp set enabled=no
    /ip cloud set ddns-enabled=no update-time=no

  5. For security, add blackhole routes and deny BOGON networks:

    /ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8 blackhole
    /ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16 blackhole
    /ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12 blackhole
    /ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16 blackhole

    /ip firewall address-list add address=0.0.0.0/8 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=127.0.0.0/8 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=10.0.0.0/8 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=172.16.0.0/12 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=192.168.0.0/16 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=169.254.0.0/16 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=192.0.2.0/24 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=198.51.100.0/24 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=203.0.113.0/24 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=198.18.0.0/15 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=192.88.99.0/24 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=100.64.0.0/10 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=240.0.0.0/4 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=224.0.0.0/4 list=all-bogon comment="List addr BOGON networks"
    /ip firewall address-list add address=255.255.255.255 list=all-bogon comment="List addr BOGON networks"

    /ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections FID=SERVICE-RULES" connection-state=invalid
    /ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections FID=SERVICE-RULES" connection-state=invalid
    /ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
    /ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
    /ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
    /ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
    /ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside not DSTNATed FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside

    Final deny rules. Accept rules for established/related traffic and for permitted management access must be placed above them; pasted as-is, they also cut the session doing the pasting:
    /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
    /ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
    /ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
    /ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
    /ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with icmp-port-unreachable" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
    /ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
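    Two checks worth running over an export before pasting rules like the ones above: does a catch-all drop/reject appear in a chain before any accept of established/related traffic (a lockout), and does the all-bogon list fully cover the well-known special-purpose ranges. This is an added example written for these notes, not RouterOS code; it parses the export line format shown above with the Python standard library, and the sample lines are constructed from the rules in this section.

```python
import ipaddress
import shlex

# Constructed sample: the input-chain rules and two address-list entries from the
# notes above, in the order given there (the notes themselves add no accept rule).
SAMPLE_EXPORT = """\
/ip firewall address-list add address=127.0.0.0/16 list=all-bogon comment="List addr BOGON networks"
/ip firewall address-list add address=10.0.0.0/8 list=all-bogon comment="List addr BOGON networks"
/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections FID=SERVICE-RULES" connection-state=invalid
/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
"""
# The accept rule the notes leave out; it has to precede the deny rules.
ACCEPT_ESTABLISHED = "/ip firewall filter add action=accept chain=input connection-state=established,related\n"
# Matchers that narrow a rule; a drop/reject without any of them hits all traffic.
SCOPING_KEYS = {"src-address", "dst-address", "src-address-list", "dst-address-list",
                "in-interface", "out-interface", "in-interface-list", "out-interface-list"}

def parse_rules(text, path):
    """Key=value dict for every '<path> add ...' line, in export order."""
    prefix = path + " add "
    return [dict(tok.partition("=")[::2] for tok in shlex.split(line[len(prefix):]))
            for line in text.splitlines() if line.startswith(prefix)]
def is_catch_all(rule):
    """A drop/reject on new or any-state traffic with no address/interface scoping."""
    return (rule.get("action") in ("drop", "reject")
            and rule.get("connection-state", "") in ("", "new")
            and SCOPING_KEYS.isdisjoint(rule))
def lockout_chains(text):
    """Chains where a catch-all drop/reject precedes any established,related accept."""
    bad = []
    for chain in ("input", "forward"):
        accepted = False
        for r in parse_rules(text, "/ip firewall filter"):
            if r.get("chain") != chain:
                continue
            if r.get("action") == "accept" and "established" in r.get("connection-state", ""):
                accepted = True
            elif is_catch_all(r) and not accepted:
                bad.append(chain)
                break
    return bad
def uncovered_bogons(text):
    """RFC 6890 special-purpose ranges that no all-bogon entry fully contains."""
    listed = [ipaddress.ip_network(r["address"])
              for r in parse_rules(text, "/ip firewall address-list") if r.get("list") == "all-bogon"]
    expected = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
                "192.168.0.0/16", "100.64.0.0/10", "198.18.0.0/15", "240.0.0.0/4"]
    return [e for e in expected if not any(ipaddress.ip_network(e).subnet_of(n) for n in listed)]
```

    On the sample, lockout_chains reports the input chain and uncovered_bogons reports 127.0.0.0/8 (a /16 entry does not cover loopback); prepending ACCEPT_ESTABLISHED clears the lockout finding.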

  6. Bridge configuration:
    /interface bridge add name=bridge-1
    /interface bridge port add bridge=bridge-1 hw=yes interface=ether2
    /interface bridge port add bridge=bridge-1 hw=yes interface=ether3
    /interface bridge port add bridge=bridge-1 hw=yes interface=ether4
    /interface bridge port add bridge=bridge-1 hw=yes interface=ether5

    The bridge port frame-types setting has 3 options:
    admit all: analogue of a hybrid port, passes all traffic (all VLAN tags, including the native VLAN)
    admit only VLAN tagged: analogue of a trunk port, passes only tagged traffic (all VLAN tags listed in VLANs)
    admit only untagged and priority tagged: analogue of an access port, passes only the VLAN set as PVID

  7. Backup:
    export terse file=gw02-21.04.20

    console clear-history

    For CHR (Cloud Hosted Router) on VMware ESXi:
    4 vCPU / 4 RAM / 512MB IDE HDD

    Convert the downloaded CHR image to a thin-provisioned VMDK and grow it to 512 MB:
    vmkfstools -i chr-6.46.6.vmdk MikroTik-CHR.vmdk -d thin
    vmkfstools -X 512M MikroTik-CHR.vmdk