####################################################################################################
# Aaron Gustafson’s Basic MikroTik Firewall — Rev 3.0 (Free Version)
####################################################################################################
# Author: Aaron Gustafson
# Contact: [email protected]
# MikroTik Forum Username: Agustafson
#
# License:
# This script is provided for public use and may be used, modified, and redistributed freely.
# Attribution is appreciated but not required.
#
# RouterOS Requirement:
# This script must be run on RouterOS 7.0 or newer.
#
# Pre-Deployment Requirement:
# Router must be in a "no-default-configuration" state before running this script.
#
# About this script:
# This is a baseline, infinitely customizable deployment script intended for MikroTik routing
# hardware. It is designed to work in approximately 85% of environments "out of the box" and
# provides a consistent foundation for adding, upgrading, and tailoring configurations over time.
#
# Reference Platform:
# Designed and tested on the MikroTik RB4011 (10x Ethernet ports).
# Usable on smaller models — you must adjust Bridge and VLAN sections to remove ports that
# do not exist on your hardware.
#
# Default Interface Behavior:
# - ether1 is treated as WAN
# - ether2–ether10 are treated as LAN
# - NO SFP/SFP+ ports are added to the bridge by default
#
# VLAN Behavior (RB4011 Defaults):
# - ether2–ether10 are configured as Native (Untagged) VLAN 1
# - VLAN 10 is tagged on ether2–ether10
#
# High-Level Features:
# - Allows persistent management access from a designated Home/Corporate router FQDN
# - Configures NTP and sets the router time zone to Central (America/Chicago)
#
# WiFi Note:
# This configuration does NOT include WiFi configuration. Wireless settings (SSID/security/VLAN
# assignment) must be configured separately if your hardware includes wireless interfaces.
#
# CRITICAL DEPLOYMENT NOTE:
# Run this script while connected to ether1 to avoid disconnection during interface, bridge,
# or interface list changes. The script is intentionally ordered for rapid deployment.
####################################################################################################

####################################################################################################
# Notes (Firewall / NAT / Services)
#
# Exempt IP Addresses:
# The "Exempt IP Addresses" list is intended for trusted management sources. Anything on it is
# accepted by the firewall input chain on every port, so treat each entry as full administrative trust.
# You can add satellite offices, remote networks, and VPN subnets here.
#
# If ByteMe Networks provides consulting/managed services, it is advisable that you add AT LEAST:
# add address=home.bytemenetworks.com comment="ByteMe Network CHR" list="Exempt IP Addresses"
#
# Common Camera Port Forwards:
# This script includes NAT rules that publish Dahua / HikVision NVR ports (8000, 554, 81, 37777)
# directly to the Internet. Review them before deployment and disable or source-restrict any you do
# not need; they are reachable from any Internet host as written.
#
# SSH / Remote Management:
# SSH is moved to port 25 in the Services section below.
# If you will be connecting this router via VPNs, add trusted VPN networks/subnets to the
# allowed-from address fields so you can remotely access management interfaces.
# By default Winbox is not reachable from WAN, but that is enforced by the firewall input chain's final
# "Drop all else from internet" rule, not by these service rules — the winbox service itself carries no
# address restriction. Keep that drop rule in place whenever you edit the filter.
####################################################################################################

####################################################################################################
# Setup Instructions (Start Here)
#
# After the script is applied:
# - Verify ether1 is your upstream Internet connection
# - Verify LAN devices are connected to ether2–ether10
# - Adjust interface lists if your topology differs
#
# Interface Lists Used:
# - "WAN" → Untrusted / Internet-facing interfaces
# - "LAN" → Trusted internal interfaces
####################################################################################################

####################################################################################################
# Variables / Find & Replace (Customization)
#
# For easier customization, these are the variables used throughout this script.
# Everything AFTER the ":" on each line should be CTRL+F replaced prior to deployment.
#
# You MAY run this script as-is, but it will be insecure and is intended only for lab/testing.
#
# Identity: Unconfigured
# RouterPassword: RouterPassword
# LAN IP: 172.26.254
# VLAN_10 IP: 192.168.254
# DHCP Server Option 43 (UniFi Controller): 0x01046bbf2cae
# UniFi Controller IP Address (Public or private depending on topology): 107.191.44.174
# Home/Corporate Router FQDN: bytemenetworks.com
# L2TP/IPsec PSK: ChangeMe
# SNMP Community: V2-ByteMeNetworks
####################################################################################################

# IP stack hardening: strict reverse-path filtering, no ICMP redirects accepted or sent, SYN cookies.
# NOTE(review): rp-filter=strict drops packets whose reply would leave a different interface; with a
# second WAN, policy routing or any asymmetric path this silently blackholes traffic — use loose there.
/ip settings
set rp-filter=strict secure-redirects=no send-redirects=no tcp-syncookies=yes

# Single VLAN-aware bridge. vlan-filtering is switched on before any port joins, which is one reason the
# header insists on deploying from ether1 (ether1 is never a bridge member).
/interface bridge
add name=VLAN_Bridge vlan-filtering=yes fast-forward=no

# Router-side L3 interface for VLAN 10 (VLAN 10 is tagged on the bridge CPU port in the bridge vlan table).
/interface vlan
add interface=VLAN_Bridge name=VLAN_10 vlan-id=10

# Interface lists referenced later by the firewall (WAN), neighbor discovery (LAN) and list members.
/interface list
add name=WAN
add name=LAN

# DHCP option 43 carrying the UniFi controller address for AP adoption (value must be replaced per site).
/ip dhcp-server option
add code=43 name=unifi value=0x01046bbf2cae

# Static "unifi" A record so APs/clients resolve the controller name locally.
# NOTE(review): a second static entry ("Unifi", same address) is added later in this script; one is enough.
/ip dns static
add name=unifi address=107.191.44.174 disabled=no ttl=1d type=A

# No hotspot is configured anywhere in this script; this only points the default profile at flash storage.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

# Address pools. .1-.99 on each LAN is left for static devices (router is .1; the NAT rules target .5/.50).
# The vpn pool runs to .255: PPP peers are assigned one address each so it is usable, but .254 is the
# conventional upper bound and avoids confusion with the /24 broadcast address used by the srcnat rule.
/ip pool
add name=dhcp ranges=172.26.254.100-172.26.254.250
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=VLAN_10 ranges=192.168.254.100-192.168.254.250

# One DHCP server per L3 interface; scope details (gateway, DNS, option 43) are in /ip dhcp-server network.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=VLAN_Bridge name=defconf
add address-pool=VLAN_10 disabled=no interface=VLAN_10 name=VLAN_10

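# PPP profiles.
# - "Encryption": defined but not referenced by anything else in this script.
# - "L2TP Mobile": bridges VPN clients straight onto VLAN_Bridge (they become VLAN 1 hosts, addressed from
#   the LAN DHCP pool) and lets them use UPnP — both widen what a compromised VPN client can reach.
# - default-encryption: the built-in profile used by the SSTP server below; addressed from the vpn pool.
#   Referenced by name rather than the internal id (*FFFFFFFE) so the script does not depend on a
#   particular export's numbering.
/ppp profile
add name=Encryption use-encryption=yes
add bridge=VLAN_Bridge local-address=172.26.254.1 name="L2TP Mobile" remote-address=dhcp use-encryption=yes use-upnp=yes
set default-encryption local-address=192.168.89.1 remote-address=vpn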

# SNMP community with no source restriction (::/0). This script never runs "/snmp set enabled=yes", so
# the agent stays off; if you enable it, narrow addresses= to your management subnets — v2c has no
# authentication beyond the community string, which is also named in the variables list above.
/snmp community
add addresses=::/0 name=V2-ByteMeNetworks

# All copper LAN ports join the bridge with the RouterOS defaults (pvid=1, frame-types=admit-all), i.e. every
# port is a trunk carrying untagged VLAN 1 plus tagged VLAN 10. A host on any port can tag its own frames
# into VLAN 10, so VLAN 10 is a convenience segment here, not a security boundary.
/interface bridge port
add bridge=VLAN_Bridge interface=ether2
add bridge=VLAN_Bridge interface=ether3
add bridge=VLAN_Bridge interface=ether4
add bridge=VLAN_Bridge interface=ether5
add bridge=VLAN_Bridge interface=ether6
add bridge=VLAN_Bridge interface=ether7
add bridge=VLAN_Bridge interface=ether8
add bridge=VLAN_Bridge interface=ether9
add bridge=VLAN_Bridge interface=ether10

# Connection tracking must be on for the stateful filter rules and NAT below to do anything.
/ip firewall connection tracking set enabled=yes

# MNDP/CDP/LLDP announcements only on the LAN list, never towards WAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN

# Bridge VLAN table: VLAN 10 tagged on every LAN port and on the bridge CPU port (so VLAN_10 can be
# routed); VLAN 1 untagged everywhere.
/interface bridge vlan
add bridge=VLAN_Bridge tagged=VLAN_Bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
add bridge=VLAN_Bridge untagged=VLAN_Bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=1

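# L2TP/IPsec server. use-ipsec=required (instead of yes) refuses L2TP sessions that did not arrive
# inside an IPsec tunnel; with "yes" the router also accepted plaintext L2TP on UDP 1701 even though the
# header describes this as L2TP/IPsec. The PSK is a placeholder from the variables list — replace it;
# anyone who knows the PSK can complete IKE, so it should be long and unique per site.
/interface l2tp-server server
set enabled=yes ipsec-secret=ChangeMe keepalive-timeout=disabled use-ipsec=required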

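# Interface list membership. VLAN_10 is added to LAN so the "LAN = trusted internal interfaces" list in the
# header is actually true for both segments (neighbor discovery and any future LAN-based rules cover it).
# Dynamic VPN interfaces (l2tp-in/sstp-in/pptp-in) belong to neither list; the input chain's WAN drop
# therefore does not apply to VPN clients — they can reach every router service.
/interface list member
add comment=WAN1 interface=ether1 list=WAN
add interface=VLAN_Bridge list=LAN
add interface=VLAN_10 list=LAN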

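# PPTP (MS-CHAPv2 + MPPE) is cryptographically broken and offers no forward secrecy; it is left defined but
# disabled. Enable it only for a legacy client that cannot use L2TP/IPsec or SSTP, and remove it afterwards.
/interface pptp-server server set enabled=no
# SSTP (TLS on 443) uses the built-in default-encryption profile addressed from the vpn pool.
/interface sstp-server server set default-profile=default-encryption enabled=yes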

# Router addresses on the two LAN segments (the /24 third octets are the LAN IP / VLAN_10 IP variables).
/ip address
add address=172.26.254.1/24 comment=defconf interface=VLAN_Bridge network=172.26.254.0
add address=192.168.254.1/24 comment=VLAN_10 interface=VLAN_10 network=192.168.254.0

# Registers the router with MikroTik's cloud DDNS: the WAN address is published under a MikroTik-issued
# hostname. Turn off if that disclosure (or the outbound dependency on MikroTik) is unwanted.
/ip cloud set ddns-enabled=yes

# WAN address via DHCP; the ISP's DNS and NTP hints are ignored in favour of the explicit servers set below.
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no

# DHCP scope details. Clients receive the router AND 1.1.1.1 as resolvers, so any DNS filtering or static
# overrides done on the router can be bypassed by a client that prefers the second server.
/ip dhcp-server network
add address=172.26.254.0/24 comment=defconf dhcp-option=unifi dns-server=172.26.254.1,1.1.1.1 gateway=172.26.254.1 netmask=24
add address=192.168.254.0/24 comment=VLAN_10 dhcp-option=unifi dns-server=192.168.254.1,1.1.1.1 gateway=192.168.254.1 netmask=24

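# Router as caching resolver for LAN/VPN clients (plain UDP to 1.1.1.1 / 8.8.8.8).
# allow-remote-requests=yes would make this an open resolver; it is not reachable from the Internet only
# because the input chain drops unsolicited WAN traffic — keep that drop rule intact.
/ip dns
set cache-max-ttl=1h servers=1.1.1.1,8.8.8.8 allow-remote-requests=yes

# The "unifi" static A record for 107.191.44.174 is already created in the /ip dns static section earlier
# in this script; the duplicate "Unifi" entry that used to follow here has been removed.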

# Trusted management sources: everything on this list is accepted by the input chain with no port limits.
# The FQDN entry is resolved through the router's own DNS (unauthenticated UDP to 1.1.1.1/8.8.8.8) and
# re-resolved when its TTL expires; whoever controls that name, or can spoof its answer, gains full
# management reach to the router. The two router addresses are included so on-box tools can use the list.
/ip firewall address-list
add address=172.26.254.1 comment="Local Router" list="Exempt IP Addresses"
add address=192.168.254.1 comment="Local Router VLAN_10" list="Exempt IP Addresses"
add address=bytemenetworks.com comment="Home/Corporate Router FQDN" list="Exempt IP Addresses"

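# Firewall filter. Only traffic arriving on the WAN list is restricted; every LAN/VLAN/VPN host can reach
# every router service (input) and every other segment (forward) — there is no VLAN 1 <-> VLAN 10 policy.
/ip firewall filter
# --- input chain (traffic addressed to the router) ---
# Stateful rules first so the bulk of traffic short-circuits; invalid is dropped before anything else is accepted.
add action=accept chain=input comment="Accept Established, Related" connection-state=established,related
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="Accept Ping" protocol=icmp
# NOTE(review): no "Admins" address-list is created anywhere in this script, so this rule matches nothing
# until you populate one (/ip firewall address-list add list=Admins address=...).
add action=accept chain=input comment="Allow Admins" src-address-list=Admins
add action=accept chain=input comment="Allow Exempt IP Addresses" src-address-list="Exempt IP Addresses"
# No WireGuard interface is configured by this script; keep the range closed until one exists with a
# listen-port inside 13000-13255, then re-enable this rule.
add action=accept chain=input comment="allow WireGuard" disabled=yes dst-port=13000-13255 protocol=udp
# L2TP is accepted only when it arrived inside IPsec, so plaintext L2TP from the Internet is dropped.
add action=accept chain=input comment="allow l2tp" dst-port=1701 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
# PPTP (MS-CHAPv2/MPPE) is broken; the port stays closed unless a legacy client truly requires it.
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# Final WAN drop. Winbox/SSH/SNMP/DNS from the Internet are blocked by THIS rule alone — do not remove it.
add action=drop chain=input comment="Drop all else from internet" in-interface-list=WAN
# --- forward chain (traffic through the router) ---
add action=accept chain=forward comment="Forward Accepted and established" connection-state=established,related
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=accept chain=forward comment="Forward Pings" protocol=icmp
# Inbound from WAN is only allowed when a dstnat rule (the NVR port forwards) has translated it.
add action=drop chain=forward comment="Drop non-DSTNAT from WAN" connection-nat-state=!dstnat in-interface-list=WAN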

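# NAT.
# NOTE(review): the dst-nat rules publish the NVR/cameras to every Internet host (Dahua 37777 in particular
# is a common attack target). Disable or add src-address-list= restrictions to any not required per site.
# The "NVR Server" rule targets .5 while the other three target .50 — confirm which host is intended.
/ip firewall nat
add action=dst-nat chain=dstnat comment="NVR Server" dst-port=8000 in-interface-list=WAN protocol=tcp to-addresses=172.26.254.5 to-ports=8000
add action=dst-nat chain=dstnat comment="NVR RTSP" dst-port=554 in-interface-list=WAN protocol=tcp to-addresses=172.26.254.50 to-ports=554
# The original script had two rules for dst-port 81; the first (81 -> 554) shadowed the intended 81 -> 80
# web forward, so port 81 silently reached RTSP instead of the NVR web UI. Only the 81 -> 80 rule is kept.
add action=dst-nat chain=dstnat comment="NVR Web" dst-port=81 in-interface-list=WAN protocol=tcp to-addresses=172.26.254.50 to-ports=80
add action=dst-nat chain=dstnat comment="Dahua Remote App" dst-port=37777 in-interface-list=WAN protocol=tcp to-addresses=172.26.254.50 to-ports=37777
# Hairpin masquerade for VLAN 1 hosts reaching forwarded services via the public IP. NOTE(review): the dst-nat
# rules above match in-interface-list=WAN only, so traffic from the LAN to the public IP is never translated
# and this rule has nothing to act on; hairpin needs dst-nat rules that also match LAN-originated traffic
# (e.g. dst-address-type=local) to work. VLAN_10 has no hairpin rule at all.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=172.26.254.0/24 src-address=172.26.254.0/24
add action=masquerade chain=srcnat comment="masq. WAN" out-interface-list=WAN
# VPN pool is masqueraded towards every destination (LAN included), so LAN hosts see VPN clients as the router.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24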

# Management services. Anything not listed keeps its RouterOS default; winbox (8291) in particular is left
# with NO address restriction, so its WAN protection rests entirely on the firewall input chain's final
# drop rule. www-ssl is not touched (RouterOS ships it disabled, with no certificate).
/ip service
set telnet disabled=yes
# FTP is plaintext; reachable from VLAN 1 only (VLAN_10, the VPN pool and the Exempt list are excluded).
set ftp address=172.26.254.0/24
set www disabled=yes
# Port 25 (SMTP) is obscurity only and is blocked outbound by many ISPs. The address filter means SSH is NOT
# available from VLAN_10, the VPN pool or the "Exempt IP Addresses" sources — add those subnets here if
# you need SSH from them (this field takes addresses/subnets, not address-lists).
set ssh address=172.26.254.0/24 port=25
set api disabled=yes
set api-ssl disabled=yes

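# UPnP/IGD. When enabled, ANY host on VLAN_Bridge (a compromised camera or NVR included) can open inbound
# WAN ports through the firewall with no review, bypassing the dst-nat rules above. It is left defined but
# off; set enabled=yes only for a site that genuinely depends on it, and audit /ip upnp rules afterwards.
/ip upnp
set enabled=no
/ip upnp interfaces
add interface=VLAN_Bridge type=internal
add interface=ether1 type=external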

# PPP authentication consults RADIUS (the /radius entry below); the local secrets remain in use as well.
/ppp aaa set use-radius=yes
# Local VPN account usable over L2TP/SSTP/PPTP from the Internet. "ChangeMe" is a placeholder (the same
# string as the IPsec PSK, so the find-and-replace in the variables list will hit both) — replace it, and
# note this account is NOT listed separately in the variables section above.
/ppp secret add name=vpn password=ChangeMe

####################################################################################################
# RADIUS (OPTIONAL — EXAMPLE CONFIGURATION)
#
# This section demonstrates how to integrate an external RADIUS service for centralized
# authentication and management of the router.
#
# You may use JumpCloud (including their free tier, if available) or any other RADIUS provider
# to manage PPP, login, hotspot, wireless, DHCP, and IPsec authentication.
#
# This is an example configuration only and WILL NOT function until you replace the
# address and secret with your own RADIUS server details.
#
# Deployment, licensing, and configuration of RADIUS services are the responsibility
# of the user.
####################################################################################################
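# Example RADIUS client entry, shipped disabled. With the placeholder address/secret left ENABLED the router
# would send login/PPP/IPsec requests to 1.2.3.4 using a published shared secret, and (because /user aaa
# below maps RADIUS logins to default-group=full) anything able to answer as that host could grant itself
# full administrative access. Replace address= and secret=, then set disabled=no.
/radius add address=1.2.3.4 disabled=yes secret=RADIUSSecret service=ppp,login,hotspot,wireless,dhcp,ipsec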

# Time zone for log timestamps (Central, per the header).
/system clock set time-zone-name=America/Chicago

# Placeholder identity from the variables list; replace per site.
/system identity set name=Unconfigured

# Send the three default logging rules (info/error/warning) to disk instead of memory so they survive a
# reboot. Numeric rule references depend on the default logging layout; flash wear is the trade-off.
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk

# Unauthenticated NTP to NIST; time accuracy matters here for IPsec/TLS certificate validation and log
# correlation, so consider a second server for resilience.
/system ntp client set enabled=yes servers=time.nist.gov

# Apply the RouterBOOT firmware bundled with each RouterOS upgrade automatically (takes effect on reboot).
/system routerboard settings set auto-upgrade=yes

# RoMON is enabled with no secret and the default port policy, which by default covers every interface —
# Layer-2 RoMON discovery/management is therefore reachable on ether1 (WAN) too. Set a secret and/or
# forbid RoMON on WAN-facing ports under /tool romon port.
/tool romon set enabled=yes

# Graph collection for interfaces, queues and resources. The graph pages are served by the www service,
# which is disabled above, so they are only viewable once www/www-ssl is enabled.
/tool graphing interface add
/tool graphing queue add
/tool graphing resource add

# Router logins consult RADIUS first; any user the RADIUS server accepts lands in the "full" group
# (default-group=full), i.e. becomes a full administrator with policy/sensitive rights. Accounting is off.
/user aaa set accounting=no default-group=full use-radius=yes

# The "full" group keeps every policy, including telnet/ftp/api. telnet and api are disabled above and ftp
# is LAN-restricted, so those policies are latent rather than exposed.
/user group set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon"

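# MAC-telnet and MAC-Winbox are Layer-2 management paths that bypass IP firewalling entirely. With
# allowed-interface-list=all they answered on every port, including ether1/WAN (anything on the ISP
# segment could reach them). Restrict both to the LAN list, matching /ip neighbor discovery-settings.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN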

# Placeholder admin password from the variables list — replace it before deployment. This is the last
# statement in the script, so a script that aborts earlier leaves whatever admin credential existed before;
# verify the new password actually took effect.
/user set admin password=RouterPassword
