# nov/04/2018 17:54:02 by RouterOS 6.42.7
# software id = 2EKJ-ABRT
#
# model = 951G-2HnD
# serial number =
#
# Configuration export for a single router: four bridged LAN ports plus WiFi,
# one WAN port (ether5), a PPTP client used to route an address list named
# "Telegram", a WAN-facing firewall, and SMB/TFTP/NTP services for the LAN.
# The serial number, the WAN MAC, the public addresses and the VPN password
# appear to have been masked by whoever published the export; those
# placeholders (00:XX:..., 89.XXX..., "removed") would have to be restored
# before this could be imported.
# NOTE(review): 6.42.7 dates from 2018 - check the running version against the
# vendor's current long-term release.

# One bridge for the LAN side.
/interface bridge
add fast-forward=no name=LAN-Bridge

# Rename the physical ports; ether5 becomes the WAN uplink.
/interface ethernet
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] name=LAN2
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=ether5 ] mac-address=00:XX:XX:XX:XX:XX name=LAN5-WAN

# PPTP client used as the gateway of the "Telegram" route further down.
# NOTE(review): PPTP is generally regarded as a weak tunnel, and user=vpnbook
# looks like a shared public account - treat everything arriving over this
# interface as untrusted. No firewall filter rule in this export matches
# in-interface=TelegramVPN (see the filter section).
/interface pptp-client
add comment="Telegram VPN" connect-to=host.vpnbook.com disabled=no name=\
    TelegramVPN password=removed user=vpnbook

# Interface lists; members are assigned under "/interface list member".
/interface list
add name=LAN-Bridge-Only-List
add name=WiFi-Only-List
add name=WAN-Only-List

# DHCP option 66 handed to LAN clients, pointing at the router's LAN address.
/ip dhcp-server option
add code=66 name=option-66 value="s'192.168.2.1'"

# Lease pool; .1 is the router, .2-.10 are left outside the pool.
/ip pool
add name=My-DHCP-Pool ranges=192.168.2.11-192.168.2.254
/ip dhcp-server
add address-pool=My-DHCP-Pool authoritative=after-2sec-delay disabled=no \
    interface=LAN-Bridge lease-time=1d name=My-DHCP-Server

# The default SNMP community accepts any source address (0.0.0.0/0).
# NOTE(review): no "/snmp set enabled=yes" is visible here, so SNMP is
# presumably off; if it is ever enabled, restrict addresses= to the
# management subnet and rename the community first.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0

# Bridge members. NOTE(review): an interface named WiFi is referenced here and
# in the list members, but no wireless section is part of this export -
# confirm where it is defined.
/interface bridge port
add bridge=LAN-Bridge interface=LAN1
add bridge=LAN-Bridge interface=LAN2
add bridge=LAN-Bridge interface=LAN3
add bridge=LAN-Bridge interface=LAN4
add bridge=LAN-Bridge interface=WiFi

# Neighbor discovery is limited to the LAN bridge list, not the WAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN-Bridge-Only-List
/interface list member
add interface=LAN-Bridge list=LAN-Bridge-Only-List
add interface=WiFi list=WiFi-Only-List
add interface=LAN5-WAN list=WAN-Only-List

# Router LAN address.
/ip address
add address=192.168.2.1/24 interface=LAN-Bridge network=192.168.2.0

# WAN address comes from DHCP, but the default route is the static one under
# "/ip route" (add-default-route=no).
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=LAN5-WAN

# LAN clients get the router as gateway, DNS and NTP server, plus option-66.
/ip dhcp-server network
add address=192.168.2.0/24 dhcp-option=option-66 dns-server=192.168.2.1 \
    gateway=192.168.2.1 netmask=24 ntp-server=192.168.2.1

# The router answers DNS queries from other hosts. From LAN5-WAN they are
# dropped by the filter rules below (UDP/53 explicitly, TCP/53 by the final
# drop); nothing here filters queries arriving on TelegramVPN.
/ip dns
set allow-remote-requests=yes

# Destination prefixes matched by the "Mark Telegram" mangle rule.
/ip firewall address-list
add address=91.108.4.0/22 list=Telegram
add address=91.108.8.0/22 list=Telegram
add address=91.108.12.0/22 list=Telegram
add address=91.108.16.0/22 list=Telegram
add address=91.108.56.0/22 list=Telegram
add address=149.154.160.0/22 list=Telegram
add address=149.154.164.0/22 list=Telegram
add address=149.154.168.0/22 list=Telegram
add address=149.154.172.0/22 list=Telegram
add address=149.154.167.0/24 list=Telegram

# Filter rules are evaluated top to bottom and every rule below matches
# in-interface=LAN5-WAN only. RouterOS accepts packets that no rule matches,
# so traffic entering on LAN-Bridge or on the TelegramVPN tunnel is not
# filtered by this ruleset.
# NOTE(review): consider repeating the input/forward policy for
# in-interface=TelegramVPN (accept established/related, drop the rest).
# NOTE(review): connection-state="" and tcp-flags="" are empty matchers as
# exported; presumably they have no effect - confirm.
/ip firewall filter
# Replies to connections that were opened from the inside.
add action=accept chain=input comment="Allow ESTAB: IN" connection-state=\
    established in-interface=LAN5-WAN
add action=accept chain=forward comment="Allow ESTAB: FW" connection-state=\
    established in-interface=LAN5-WAN
add action=accept chain=input comment="Allow RELATED: IN" connection-state=\
    related in-interface=LAN5-WAN
add action=accept chain=forward comment="Allow RELATED: FW" connection-state=\
    related in-interface=LAN5-WAN
# ICMP to the (masked) public address is the only new inbound traffic accepted.
add action=accept chain=input comment="Allow ICMP (Ping): IN" dst-address=\
    89.XXX.XXX.XXX in-interface=LAN5-WAN protocol=icmp tcp-flags=""
# Per-service drops for management and helper ports. The final "Drop all: IN"
# rule uses the same in-interface, so these appear to be redundant with it and
# mainly give per-service comments and counters.
add action=drop chain=input comment="Drop TCP:8291 (WinBox): IN" dst-port=\
    8291 in-interface=LAN5-WAN protocol=tcp
add action=drop chain=input comment="Drop TCP:22 (SSH): IN" dst-port=22 \
    in-interface=LAN5-WAN protocol=tcp
add action=drop chain=input comment="Drop TCP:23 (Telnet): IN" dst-port=23 \
    in-interface=LAN5-WAN protocol=tcp
add action=drop chain=input comment="Drop DNS Requests from Inet" dst-port=53 \
    in-interface=LAN5-WAN protocol=udp
add action=drop chain=input comment="Drop MikroTik bandwidth-test server" \
    dst-port=2000 in-interface=LAN5-WAN protocol=tcp
# NOTE(review): no address list named BOGON is defined in this export (only
# "Telegram" is), so this rule presumably never matches - confirm the list
# exists on the router.
add action=drop chain=input comment="Drop BOGON packets: IN" in-interface=\
    LAN5-WAN src-address-list=BOGON
# Restricted to protocol=tcp; invalid packets of other protocols are only
# caught by the final drop.
add action=drop chain=input comment="Drop invalid packets: IN" \
    connection-state=invalid in-interface=LAN5-WAN protocol=tcp
# Default deny for everything else arriving on the WAN port, to the router
# (input) and through it (forward).
add action=drop chain=input comment="Drop all: IN" connection-state="" \
    in-interface=LAN5-WAN
add action=drop chain=forward comment="Drop all: FW" connection-state="" \
    in-interface=LAN5-WAN log-prefix=""

# Routing mark that selects the "Telegram to TelegramVPN" route below.
# NOTE(review): chain=output only sees packets generated by the router itself,
# so LAN clients' traffic is not marked by this rule - confirm that is the
# intent. Also confirm the out-interface=TelegramVPN matcher can ever hit,
# given that the unmarked default route points at the WAN gateway.
/ip firewall mangle
add action=mark-routing chain=output comment="Mark Telegram" \
    dst-address-list=Telegram dst-address-type="" new-routing-mark=\
    mark_telegram out-interface=TelegramVPN passthrough=no

# Source NAT: the LAN subnet out of the WAN port, and the router's own LAN
# address out of the tunnel.
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow Internet access from LAN" \
    out-interface=LAN5-WAN src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface=TelegramVPN src-address=\
    192.168.2.1

# All listed NAT helpers are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

# Marked traffic leaves through the tunnel; everything else uses the (masked)
# WAN gateway.
/ip route
add comment="Telegram to TelegramVPN" distance=1 gateway=TelegramVPN \
    pref-src=192.168.2.1 routing-mark=mark_telegram
add distance=2 gateway=89.xxx.xxx.xxx

# Telnet, FTP, WWW and both API services are disabled.
# NOTE(review): ssh and winbox are not listed, so they presumably stay enabled
# with no address= restriction; only the LAN5-WAN filter rules keep them away
# from the Internet. Consider limiting both to 192.168.2.0/24.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# SMB file sharing on the LAN bridge; the default share is disabled and /USB
# is shared as USBShare.
/ip smb
set enabled=yes interfaces=LAN-Bridge
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/USB name=USBShare
# NOTE(review): password=123 with read-only=no gives write access to the
# share to anyone on the LAN bridge (including WiFi) who guesses a three-digit
# password. Replace it with a long random passphrase, and use
# "/export hide-sensitive" when publishing a configuration.
/ip smb users
add name=smbuser password=123 read-only=no

# Every requested file name (regex .*) is answered with USB/avaya. TFTP has no
# authentication and this entry sets no client address restriction, so
# reachability depends on the firewall alone.
/ip tftp
add real-filename=USB/avaya req-filename=.*
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=Mikrot
# The NTP client section is empty in this export, while the NTP server is
# enabled. NOTE(review): confirm where the router takes its own time from.
/system ntp client
/system ntp server
set enabled=yes multicast=yes
/system routerboard settings
set silent-boot=no
/system watchdog
set watchdog-timer=no
/tool graphing
set store-every=hour
/tool graphing interface
add interface=LAN-Bridge
# Layer-2 management: MAC telnet is off everywhere, MAC WinBox is limited to
# the LAN bridge list, and MAC ping is disabled.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN-Bridge-Only-List
/tool mac-server ping
set enabled=no
# Disabled probe of a host outside the 192.168.2.0/24 LAN.
/tool netwatch
add disabled=yes host=192.168.3.6 interval=5s