[admin@router] > /export # apr/29/2022 23:32:56 by RouterOS 7.2.1 # software id = 83CT-MQM9 # # model = RB4011iGS+ # serial number = AAAF0A4A2105 /interface bridge add admin-mac=74:4D:28:27:8E:D0 auto-mac=no comment=defconf igmp-snooping=yes name=bridge-lan /interface ethernet set [ find default-name=ether10 ] name=routed-port /interface vlan add interface=sfp-sfpplus1 name=vlan-isp vlan-id=102 add interface=sfp-sfpplus1 name=vlan-tv vlan-id=101 add interface=sfp-sfpplus1 name=vlan-voip vlan-id=100 /interface list add comment=defconf name=WAN add comment=defconf name=LAN /ip dhcp-client option add code=60 name=vendor-class-identifier value=0x46542D503334313042 /ip dhcp-server option add code=43 name=q22 value="'Altibox-TMS-Server-Address:https://tmc.services.altibox.net:37020/acs'" /ip pool add name=dhcp ranges=10.11.12.50-10.11.12.200 /ip dhcp-server add address-pool=dhcp interface=bridge-lan lease-time=23h59m name=lan /interface bridge port add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether2 add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether3 add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether4 add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether5 add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether6 add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether7 add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether8 add bridge=bridge-lan comment=defconf ingress-filtering=no interface=ether9 add bridge=bridge-lan ingress-filtering=no interface=ether1 /interface list member add comment=defconf interface=bridge-lan list=LAN add comment=defconf interface=vlan-isp list=WAN /ip address add address=10.11.12.1/24 comment=defconf interface=ether1 network=10.11.12.0 /ip dhcp-client add add-default-route=special-classless default-route-distance=100 dhcp-options=vendor-class-identifier interface=vlan-voip use-peer-dns=no use-peer-ntp=no add add-default-route=special-classless default-route-distance=100 dhcp-options=vendor-class-identifier interface=vlan-tv use-peer-dns=no use-peer-ntp=no add dhcp-options=vendor-class-identifier interface=vlan-isp add disabled=yes interface=sfp-sfpplus1 /ip dhcp-server network add address=10.11.12.0/24 comment=defconf dhcp-option=q22 dns-server=10.11.12.1 gateway=10.11.12.1 netmask=24 ntp-server=\ 92.220.229.76,109.247.114.45,45.14.53.68,92.220.229.77 /ip dhcp-server vendor-class-id add address-pool=dhcp name=q22 server=lan vid=Q22 /ip firewall address-list add address=10.11.12.2-10.11.12.254 list=allowed_to_router /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=accept chain=input in-interface=vlan-tv protocol=igmp add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes add action=accept chain=forward connection-state=established,related add action=accept chain=input src-address-list=allowed_to_router add action=accept chain=input comment="WAN to router" connection-state=established,related in-interface-list=WAN add action=accept chain=input src-address-list=allowed_to_router add action=drop chain=input in-interface-list=WAN /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=vlan-isp add action=masquerade chain=srcnat out-interface=vlan-tv add action=masquerade chain=srcnat out-interface=vlan-voip /ipv6 address add address=::1 from-pool=ipv6-pd interface=bridge-lan /ipv6 dhcp-client add add-default-route=yes comment="Altibox pd" interface=vlan-isp pool-name=ipv6-pd prefix-hint=::/56 request=address,prefix use-peer-dns=no /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6 add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6 add address=::/104 comment="defconf: other" list=bad_ipv6 add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6 /ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN /ipv6 nd set [ find default=yes ] interface=bridge-lan other-configuration=yes /routing igmp-proxy set quick-leave=yes /routing igmp-proxy interface add alternative-subnets=0.0.0.0/0 interface=vlan-tv upstream=yes add interface=bridge-lan /system clock set time-zone-name=Europe/Oslo /system ntp client set enabled=yes /system ntp client servers add address=ntp.altibox.no [admin@mikrotik] >