/interface bridge
add admin-mac=48:A9:8A:8E:E8:83 auto-mac=no ingress-filtering=no name=bridge1 \
port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN poe-out=off
set [ find default-name=ether2 ] comment=PC
set [ find default-name=ether3 ] comment=Switch
set [ find default-name=ether4 ] comment=WorkNTB
/interface vlan
add comment="Main network" interface=bridge1 name=vlan10 vlan-id=10
add comment="Server backend network (no internet)" interface=bridge1 name=\
vlan15 vlan-id=15
add comment="VM internet access" interface=bridge1 name=vlan30 vlan-id=30
add comment="Guest network" interface=bridge1 name=vlan40 vlan-id=40
add comment=Hosting interface=bridge1 name=vlan50 vlan-id=50
add comment="IoT network (no internet)" interface=bridge1 name=vlan70 \
vlan-id=70
/interface list
add name=WAN
add name=LAN
/ip pool
add name=pool10 ranges=10.10.10.100-10.10.10.254
add name=pool40 ranges=10.10.40.10-10.10.40.254
add name=pool70 ranges=10.10.70.10-10.10.70.254
add name=pool15 ranges=10.10.15.10-10.10.15.254
add name=pool30 ranges=10.10.30.10-10.10.30.254
add name=pool50 ranges=10.10.50.10-10.10.50.254
/ip dhcp-server
add address-pool=pool10 interface=vlan10 lease-time=10m name=dhcp10
add address-pool=pool40 interface=vlan40 lease-time=10m name=dhcp40
add address-pool=pool70 interface=vlan70 lease-time=10m name=dhcp70
add address-pool=pool15 interface=vlan15 lease-time=1h name=dhcp15
add address-pool=pool30 interface=vlan30 name=dhcp30
add address-pool=pool50 interface=vlan50 name=dhcp50
/ip smb users
set [ find default=yes ] disabled=yes
/queue simple
add max-limit=10M/50M name=VLAN40 target=vlan40
/system logging action
add bsd-syslog=yes name=LogToNAS remote=10.10.10.25 src-address=\
10.10.10.1 target=remote
/user group
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=no disabled=no instance=\
zt1 name=zerotier1 network=xxx1
add allow-default=no allow-global=yes allow-managed=yes disabled=no instance=\
zt1 name=zerotier2 network=xxx2
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
zt1 name=zerotier3-games network=xxx3
/interface bridge port
add bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10 pvid=\
10
add bridge=bridge1 interface=ether4 internal-path-cost=10 path-cost=10 pvid=\
40
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10 pvid=\
10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
WiFi-5GHz-Generic internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
WiFi-2.4GHz-GenericIoT internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
WiFi-5GHz-GenericGuest internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
WiFi-2.4GHz-GenericGuest internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
WiFi-5GHz-GenericIoT internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
WiFi-2.4GHz-Generic internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10 pvid=\
10
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=16384
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,WiFi-5GHz-Generic,WiFi-2.4GHz-Generic \
untagged=ether3,ether2,ether5 vlan-ids=10
add bridge=bridge1 tagged=\
bridge1,WiFi-5GHz-GenericGuest,WiFi-2.4GHz-GenericGuest,ether3 untagged=\
ether4 vlan-ids=40
add bridge=bridge1 tagged=\
bridge1,ether3,WiFi-5GHz-GenericIoT,WiFi-2.4GHz-GenericIoT vlan-ids=70
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=15
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=50
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.40.1/24 interface=vlan40 network=10.10.40.0
add address=10.10.70.1/24 interface=vlan70 network=10.10.70.0
add address=10.10.15.1/24 interface=vlan15 network=10.10.15.0
add address=10.10.80.1/24 interface=*18 network=10.10.80.0
add address=10.10.90.1/24 interface=*1C network=10.10.90.0
add address=10.10.30.1/24 interface=vlan30 network=10.10.30.0
add address=10.10.50.1/24 interface=vlan50 network=10.10.50.0
add address=10.10.20.1/24 interface=*1D network=10.10.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.30.63,10.10.10.25 gateway=\
10.10.10.1
add address=10.10.15.0/24 dns-none=yes
add address=10.10.30.0/24 dns-server=10.10.30.63,10.10.10.25 gateway=\
10.10.30.1 ntp-server=10.10.30.1
add address=10.10.40.0/24 dns-server=10.10.30.63,10.10.10.25 gateway=\
10.10.40.1
add address=10.10.50.0/24 dns-server=10.10.30.63,10.10.10.25 gateway=\
10.10.50.1
add address=10.10.70.0/24 dns-server=9.9.9.9 gateway=10.10.70.1 ntp-server=\
10.10.70.1
/ip firewall address-list
add address=10.10.10.0/24 list="Admin access"
add address=10.10.10.1 list="Admin panel"
add address=10.10.10.25 list="DNS servers"
add address=10.10.30.63 list="DNS servers"
add address=10.10.10.0/24 list="DNS access"
add address=10.10.40.0/24 list="DNS access"
add address=10.10.30.0/24 list="DNS access"
add address=10.10.10.0/24 list=WebAccess
add address=10.10.30.0/24 list=WebAccess
add address=10.10.40.0/24 list=WebAccess
add address=10.10.10.62 list=WebServer
add address=10.10.70.25 comment="3D Printer" list="IoT - WAN access"
add address=10.10.70.18 comment="Shelly Plug - 001" disabled=yes list=\
"IoT - WAN access"
add address=10.0.60.0/24 list=WebAccess
add address=10.10.70.17 comment="Shelly Plug - 002" disabled=yes list=\
"IoT - WAN access"
/ip firewall filter
add action=accept chain=input comment="allow admin access from HomeVLAN" \
dst-address-list="Admin panel" dst-port=22,8291 protocol=tcp \
src-address-list="Admin access"
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes in-interface=vlan10
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes in-interface=vlan30
add action=accept chain=forward comment="established, related" \
connection-state=established,related
add action=accept chain=input comment="accept established, related" \
connection-state=established,related
add action=accept chain=forward comment="Allow access to ReverseProxy server" \
dst-address-list=WebServer dst-port=80,443 protocol=tcp src-address-list=\
WebAccess
add action=accept chain=forward comment=\
"allow access to DNS from allowed VLANs - UDP" dst-address-list=\
"DNS servers" dst-port=53 protocol=udp src-address-list="DNS access"
add action=accept chain=forward comment=\
"allow access to DNS from allowed VLANs -TCP" dst-address-list=\
"DNS servers" dst-port=53,853 protocol=tcp src-address-list="DNS access"
add action=accept chain=forward comment="Allow internet for VLAN30" \
connection-state=new in-interface=vlan30 out-interface-list=WAN
add action=accept chain=forward comment="Allow BC for VLAN30" \
connection-state=new dst-address=10.0.10.0/24 in-interface=vlan30
add action=accept chain=forward comment="Allow internet for VLAN40" \
connection-state=new in-interface=vlan40 out-interface-list=WAN
add action=drop chain=forward comment="Drop everything from VLAN 40" \
in-interface=vlan40
add action=accept chain=forward comment="WAN select IoT devices" \
out-interface-list=WAN src-address-list="IoT - WAN access"
add action=drop chain=forward comment="Drop everything from VLAN 70" \
in-interface=vlan70
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=zerotier3-games
/ip proxy
set parent-proxy=0.0.0.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=\
10.10.10.0/24,10.0.10.0/24,10.100.0.0/24,10.147.19.0/24,10.10.15.0/24
set ssh address=\
10.10.10.0/24,10.0.10.0/24,10.100.0.0/24,10.147.19.0/24,10.10.15.0/24
set api disabled=yes
set winbox address=\
10.10.10.0/24,10.0.10.0/24,10.100.0.0/24,10.147.19.0/24,10.10.15.0/24
set api-ssl address=10.10.30.0/24 certificate=\
"Self signed certificate for API"
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp interfaces
add interface=vlan10 type=internal
add interface=ether1 type=external
/ipv6 address
add address=::1 from-pool=isp-pool6 interface=vlan10
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=isp-pool6 prefix-hint=\
::/60 request=address,prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 nd
set [ find default=yes ] disabled=yes interface=bridge1 ra-interval=20s-1m
add dns=2620:fe::fe,2620:fe::9 interface=vlan10 ra-interval=20s-1m
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=GenericRouter
/system logging
add action=LogToNAS prefix=BA-GenericRouter topics=info
add action=LogToNAS prefix=BA-GenericRouter topics=critical
add action=LogToNAS prefix=BA-GenericRouter topics=error
add action=LogToNAS prefix=BA-GenericRouter topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=10.10.10.25
add address=pool.ntp.org
/tool romon
set enabled=yes