# Address lists referenced by the filter rules further down.
# bogons  - prefixes that should never appear as a destination on the Internet.
#           The forward chain drops traffic *to* these prefixes only; nothing in
#           this export checks the *source* of a packet against the list.
#           The three RFC 1918 entries are disabled because this router uses
#           those ranges itself (LAN 192.168.0.0/24, modem links 10.0.0.2/8,
#           192.168.2.0/24, 192.168.3.0/24 - see /ip address): enabling
#           10.0.0.0/8 or 192.168.0.0/16 would drop forwarding to those networks.
#           RFC 3330 is obsoleted (RFC 5735 / RFC 6890); the list is not exhaustive.
# support - sources granted full access to the router's input chain; here it is
#           the whole LAN, not a management subnet.
# modem1  - single host; no rule in this export references this list.
#           NOTE(review): confirm it is still needed.
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need \
this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you ne\
ed this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you n\
eed this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
# Whole LAN, not a management subnet - see the "Full access to SUPPORT" rule.
add address=192.168.0.0/24 list=support
add address=192.168.1.1 list=modem1
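# Filter rules. Chains: input (to the router), forward (through the router),
# output (from the router) and a custom ICMP chain reached by jump from all three.
# Rules are evaluated top to bottom until a terminating action matches; a packet
# that matches nothing is accepted. Both "drop everything else" rules in this
# section are exported disabled, so input and forward currently end in that
# implicit accept, and nothing here drops connection-state=invalid.
# Fixes applied in this revision:
#  - the two limit= matchers had lost their ":packet" mode suffix (a stray
#    "acket" line followed each of them); restored so the file imports.
#  - the DNS accepts used port=53, which matches source OR destination port;
#    changed to dst-port=53 (see the comment on those rules).
/ip firewall filter
# Per-host uplink pinning: each of these LAN hosts is refused the uplinks it is
# not pinned to. This is consistent with the mangle mark-routing rules
# (.249 -> wan1, .247 and .181 -> wan2, .246 -> wan3).
add action=drop chain=forward out-interface=pppoe-out1 src-address=\
192.168.0.246
add action=drop chain=forward out-interface=pppoe-out2 src-address=\
192.168.0.246
add action=drop chain=forward out-interface=pppoe-out1 src-address=\
192.168.0.247
add action=drop chain=forward out-interface=pppoe-out3 src-address=\
192.168.0.181
add action=drop chain=forward out-interface=pppoe-out1 src-address=\
192.168.0.181
add action=drop chain=forward out-interface=pppoe-out3 src-address=\
192.168.0.247
add action=drop chain=forward out-interface=pppoe-out2 src-address=\
192.168.0.249
add action=drop chain=forward out-interface=pppoe-out3 src-address=\
192.168.0.249
# SYN-flood containment: a source with more than 30 connections to the router
# (connection-limit=30,32 counts per /32) is listed for 30 minutes on its next
# SYN and dropped by the following rule.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=\
Syn_Flooder
# Port-scan detection; psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
# A detected source is listed for one week and dropped by the next rule.
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\
tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=\
Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP \
protocol=icmp
# Winbox (tcp/8291) restricted to the support list. Exported disabled. Note the
# support list is the whole 192.168.0.0/24 LAN, so this only blocks the WAN and
# modem sides once enabled.
add action=drop chain=input comment="Block all access to the winbox - except to \
support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
\_ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=\
!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=\
ICMP protocol=icmp
# Bogon filtering is destination-only: forwarded traffic to a listed prefix is
# dropped, packets sourced from those prefixes are not checked.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
# Outbound SMTP abuse: a source holding more than 30 connections to tcp/25 or
# tcp/587 is listed for 3 hours and dropped by the next rule. The limit matcher
# (mode suffix restored: 0:packet) only throttles how often this rule can fire.
add action=add-src-to-address-list address-list=spammers address-list-timeout=\
3h chain=forward comment="Add Spammers to the list for 3 hours" \
connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
# DNS to the router. Previously port=53: in RouterOS "port" matches either the
# source or the destination port, so any packet whose *source* port was 53 was
# accepted into the input chain whatever service it targeted. dst-port=53 matches
# only actual queries. Replies to the router's own resolver queries should still
# pass as connection-state=established below.
# NOTE(review): there is no in-interface/src-address restriction, so the router
# answers DNS for any source, including the uplinks, while the final drop rule
# stays disabled. Add in-interface=Local if an open resolver is not intended.
add action=accept chain=input comment="Accept DNS - UDP" dst-port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" dst-port=53 protocol=tcp
# Stateful accepts. Conventionally placed first in the chain; left in the
# original position here so that evaluation order is unchanged.
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
# Unrestricted management access for the support list (whole LAN, see above).
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
# Final input drop, exported disabled. While it is disabled every service on the
# router is reachable from every interface, subject only to the rules above.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RU\
LE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# ICMP chain: explicit allow-list, everything else dropped at the end.
# limit=1,5:packet (mode suffix restored) accepts echo requests up to 1 per
# second with a burst of 5; excess requests do not match and reach the drop.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# The output jump subjects the router's own ICMP to the same allow-list, so ICMP
# types not listed above are also dropped on the way out.
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp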
# Mangle: uplink selection for a three-PPPoE multi-WAN setup. Order matters.
# 1. Four LAN hosts are pinned to a fixed uplink. passthrough=no ends mangle
#    processing for their packets, so the PCC rules below never see them.
# 2. Traffic arriving on the PPPoE uplinks is accepted untouched.
# 3. Everything else with a non-local destination is spread over the three
#    uplinks by per-connection-classifier on both-addresses-and-ports, 3 buckets,
#    remainder 0/1/2 -> wan1_conn/wan2_conn/wan3_conn. There is no
#    connection-mark=no-mark guard, so every packet is re-classified; PCC is
#    deterministic per flow, so the mark should nevertheless stay stable.
# 4. The connection mark is turned into the routing-mark consumed by /ip route.
# NOTE(review): steps 3-4 carry no in-interface restriction, so connections that
# arrive on ether1-3 (the modem-side interfaces) are classified too - verify
# that this is intended.
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=to_wan1 passthrough=\
no src-address=192.168.0.249
add action=mark-routing chain=prerouting new-routing-mark=to_wan2 passthrough=\
no src-address=192.168.0.247
add action=mark-routing chain=prerouting new-routing-mark=to_wan2 passthrough=\
no src-address=192.168.0.181
add action=mark-routing chain=prerouting new-routing-mark=to_wan3 passthrough=\
no src-address=192.168.0.246
add action=accept chain=prerouting in-interface=pppoe-out1
add action=accept chain=prerouting in-interface=pppoe-out2
add action=accept chain=prerouting in-interface=pppoe-out3
add action=mark-connection chain=prerouting dst-address-type=!local \
new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local \
new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local \
new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan3_conn \
new-routing-mark=to_wan3 passthrough=yes
# Source NAT. ether1-3 carry the modem-side subnets (10.0.0.2/8, 192.168.2.0/24,
# 192.168.3.0/24 in /ip address) and are masqueraded explicitly; the fourth rule
# masquerades everything from the LAN regardless of out-interface, which is what
# covers the PPPoE uplinks.
# Destination NAT: udp/15100-15201 is forwarded to 192.168.0.240, same ports.
# NOTE(review): the dst-nat rule has no in-interface or dst-address restriction,
# so LAN-originated packets to these ports are redirected as well, and log=yes
# on a 100-port UDP range can fill the log quickly - confirm both are intended.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat comment="Masquerade Dhcp Network" \
src-address=192.168.0.0/24
add action=dst-nat chain=dstnat log=yes port=15100-15201 protocol=udp \
to-addresses=192.168.0.240 to-ports=15100-15201
# SIP connection-tracking helper on four signalling ports; sip-direct-media=no
# keeps the RTP media path through the router rather than between endpoints.
# NOTE(review): if no SIP endpoints sit behind this router, the helper can be
# disabled to reduce the amount of traffic parsed by the ALG - verify.
/ip firewall service-port
set sip ports=5060,5061,5070,5080 sip-direct-media=no
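# Routing. The marked tables to_wan1..3 carry the traffic the mangle rules pin
# to a given uplink; the three unmarked defaults form the main-table failover
# order (distance 1 -> 2 -> 3).
# check-gateway=ping was only set on the distance-1 default, so an unreachable
# gateway behind a still-up pppoe-out2 could not be detected and the distance-3
# route would never take over; it is now set on all three defaults, matching the
# marked routes above.
# NOTE(review): each marked table holds a single route with no fallback of its
# own - confirm the expected behaviour for pinned hosts when their uplink is
# down (RouterOS is expected to fall back to the main table, but verify).
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=pppoe-out3 routing-mark=to_wan3
add check-gateway=ping distance=1 gateway=pppoe-out1
add check-gateway=ping distance=2 gateway=pppoe-out2
add check-gateway=ping distance=3 gateway=pppoe-out3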
# Interface addressing. Local is the LAN gateway; ether1-3 presumably face the
# three Speedport modems whose links carry pppoe-out1..3 (not shown here).
# These addresses fall inside the disabled RFC 1918 bogon entries (10.0.0.0/8
# and 192.168.0.0/16), which is why those entries must stay disabled while this
# addressing is in use.
/ip address
add address=192.168.0.1/24 comment=LAN interface=Local network=192.168.0.0
add address=10.0.0.2/8 comment=Speedport1 interface=ether1 network=10.0.0.0
add address=192.168.2.50/24 comment=Speedport2 interface=ether2 network=192.168.2.0
add address=192.168.3.2/24 comment=Speedport3 interface=ether3 network=192.168.3.0