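# RouterOS export for a mobile (USB-modem) router, identity "mobiel".
#
# Layout as configured below:
#   ppp-bliep      - WAN: PPP client over the USB modem (usb1), masqueraded.
#   bridge-local   - LAN: wlan1 + the ether1..ether4 switch group, 192.168.10.0/24.
#   ether5-support - support/management port, 192.168.88.0/24; the firewall
#                    input and forward chains accept everything arriving here.
#
# NOTE(review): this export carries the WPA2 pre-shared key and the modem PIN
# in cleartext. Generate exports for sharing with '/export hide-sensitive'.
#
# Fix applied: the loopback entry in the bogons list was 127.0.0.0/16; the
# loopback block is 127.0.0.0/8 (RFC 1122), so the old entry missed
# 127.1.0.0-127.255.255.255.

/interface bridge
add name=bridge-local

# master-port switch-group syntax. NOTE(review): newer RouterOS releases
# replaced master-port with bridge hardware offloading and rewrite these lines
# on import -- verify on the target version.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
set [ find default-name=ether2 ] master-port=ether1-master name=ether2-slave
set [ find default-name=ether3 ] master-port=ether1-master name=ether3-slave
set [ find default-name=ether4 ] master-port=ether1-master name=ether4-slave
set [ find default-name=ether5 ] name=ether5-support

# WPA2-PSK only (no WPA1/TKIP), hourly group-key rotation, 802.11w allowed.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-key-update=1h management-protection=allowed mode=dynamic-keys name=profile-mt-mobiel wpa2-pre-shared-key=775a1e77194059ed

# WMM support does nothing further without additional configuration, but I have
# had trouble with iPhones flapping without wmm-support=enabled.
# WPS is disabled; the "_nomap" SSID suffix opts out of location databases.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=netherlands disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge security-profile=profile-mt-mobiel ssid=mt-mobiel_nomap wmm-support=enabled wps-mode=disabled

# DHCP pools: the upper /27 of each LAN (x.x.x.192-223).
/ip pool
add name=pool-88 ranges=192.168.88.192/27
add name=pool-10 ranges=192.168.10.192/27

/ip dhcp-server
add address-pool=pool-88 disabled=no interface=ether5-support lease-time=2h name=server-support
add address-pool=pool-10 disabled=no interface=bridge-local lease-time=2h name=server-local

/port
set 0 baud-rate=auto name=usb1

# USB modem as WAN. default-route-distance=1 makes it the default gateway.
# NOTE(review): pin= is stored and exported in cleartext (see header note).
/interface ppp-client
add allow=pap apn=internet.tele2.nl data-channel=2 default-route-distance=1 dial-on-demand=no disabled=no info-channel=3 modem-init="AT+CFUN=1" name=ppp-bliep pin=0000 port=usb1

# Do not announce this router (MNDP/CDP/LLDP) towards the WAN.
/ip neighbor discovery
set ppp-bliep discover=no

/certificate settings
set crl-download=no

# bridge-local = wlan1 + the ether1-4 switch group.
/interface bridge port
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether1-master

# Fast-path is off so every packet traverses the firewall; strict reverse-path
# filtering drops spoofed sources (single-WAN setup, so no asymmetric routing).
/ip settings
set allow-fast-path=no rp-filter=strict

/ip address
add address=192.168.88.1/24 interface=ether5-support network=192.168.88.0
add address=192.168.10.1/24 interface=bridge-local network=192.168.10.0

/ip cloud
set update-time=no

/ip dhcp-server config
set store-leases-disk=never

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

# The router is the LAN resolver. allow-remote-requests=yes by itself answers
# any interface; exposure is bounded only by the input chain below, which
# accepts port 53 from bridge-local/ether5-support and drops the rest.
/ip dns
set allow-remote-requests=yes cache-max-ttl=8h

# Source addresses that must never arrive from the WAN (input) or be routed
# to (forward).
/ip firewall address-list
add address=0.0.0.0/8 comment=self-identification list=bogons
add address=127.0.0.0/8 comment=loopback list=bogons
add address=169.254.0.0/16 comment=link-local list=bogons
add address=192.0.2.0/24 comment="reserved - IANA testnet 1" list=bogons
add address=198.51.100.0/24 comment="reserved - IANA testnet 2" list=bogons
add address=203.0.113.0/24 comment="reserved - IANA testnet 3" list=bogons
add address=192.88.99.0/24 comment="6to4 relay anycast" list=bogons
add address=198.18.0.0/15 comment="NIDB testing" list=bogons
add address=224.0.0.0/4 comment=multicast list=bogons
add address=100.64.0.0/10 comment="shared address space for CG-NAT (disable als ISP hiervan gebruikmaakt)" list=bogons

# input chain (traffic to the router itself), evaluated top to bottom:
#   - bogon sources from the WAN are dropped first;
#   - ALL icmp (any interface, including WAN) is handed to the icmp chain,
#     which rate-limits echo requests to 5/s and drops unlisted types;
#   - stateful accept/drop, then a drop of stray udp/53 replies;
#   - ether5-support may reach every service; bridge-local only DHCP, DNS, NTP;
#   - everything else (incl. management from wlan/bridge-local) is dropped.
/ip firewall filter
add action=drop chain=input comment=bogons in-interface=ppp-bliep src-address-list=bogons
add action=jump chain=input comment=icmp jump-target=icmp protocol=icmp
add action=accept chain=input comment=established connection-state=established
add action=accept chain=input comment=related connection-state=related
add action=drop chain=input comment=invalid connection-state=invalid
add action=drop chain=input comment="late dns replies" protocol=udp src-port=53
add action=accept chain=input comment=support in-interface=ether5-support
add action=accept chain=input comment=dhcp-server dst-port=67 in-interface=bridge-local protocol=udp
add action=accept chain=input comment="dns (udp)" dst-port=53 in-interface=bridge-local protocol=udp
add action=accept chain=input comment="dns (tcp)" dst-port=53 in-interface=bridge-local protocol=tcp
add action=accept chain=input comment=ntp dst-port=123 in-interface=bridge-local protocol=udp
add action=drop chain=input comment="drop overig"
# forward chain: stateful, bogon destinations dropped on every interface,
# new WAN->LAN connections are dropped (and logged) unless dst-natted; note
# there are no dst-nat rules in this export, so nothing is published inbound.
# LAN->WAN and support->anything are allowed by the final accept.
add action=jump chain=forward comment=icmp jump-target=icmp protocol=icmp
add action=accept chain=forward comment=established connection-state=established
add action=accept chain=forward comment=related connection-state=related
add action=drop chain=forward comment=invalid connection-state=invalid
add action=drop chain=forward comment="late dns replies" protocol=udp src-port=53
add action=drop chain=forward comment=bogons dst-address-list=bogons
add action=accept chain=forward comment=support in-interface=ether5-support
add action=drop chain=forward comment="wan not dstnatted" connection-nat-state=!dstnat connection-state=new in-interface=ppp-bliep log=yes
add action=drop chain=forward comment="drop overig wan" in-interface=ppp-bliep
add action=accept chain=forward comment="accept overig"
# icmp chain: the chain ends in a drop, so it never returns to the caller;
# anything not explicitly accepted here is logged (2/s, prefix "drop") and dropped.
add action=accept chain=icmp comment="icmp - type 0: echo reply (stateful)" connection-state=established,related icmp-options=0:0-255 protocol=icmp
add action=accept chain=icmp comment="icmp - type 3: destination unreachable" icmp-options=3:0-255 protocol=icmp
add action=accept chain=icmp comment="icmp - type 8: echo request (limit 5/sec)" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="icmp - type 11: time exceeded" icmp-options=11:0-255 protocol=icmp
add action=log chain=icmp comment="icmp - log de packets die gedropt gaan worden (limit 2/sec)" limit=2,2:packet log-prefix=drop protocol=icmp
add action=drop chain=icmp comment="icmp - drop overig" protocol=icmp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-bliep

# Blackhole the RFC 1918 ranges so private-destination traffic never leaves
# via the default route. The connected /24s on bridge-local and ether5-support
# are more specific than the 192.168.0.0/16 entry and therefore still win.
# 10.0.0.0/8 is disabled because some ISPs use it for CG-NAT.
/ip route
add comment="rfc1918 class a (disable wanneer ISP dit misbruikt voor CG-NAT)" disabled=yes distance=1 dst-address=10.0.0.0/8 type=unreachable
add comment="rfc1918 class b" distance=1 dst-address=172.16.0.0/12 type=unreachable
add comment="rfc1918 class c" distance=1 dst-address=192.168.0.0/16 type=unreachable

# Only changed services appear in an export; www, winbox and ssh are not listed
# and so presumably keep their defaults. They are reachable only via
# ether5-support because of the input chain above -- confirm on the device.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip ssh
set strong-crypto=yes

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam

/system identity
set name=mobiel

/system leds
add interface=ppp-bliep leds=user-led type=interface-activity

/system ntp client
set enabled=yes server-dns-names=europe.pool.ntp.org

/system routerboard settings
set silent-boot=yes

# MAC-telnet off everywhere; MAC-winbox only on the support port.
/tool mac-server
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add disabled=yes interface=ppp-bliep
add interface=ether5-support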