Code: Select all
# 2024-01-24 21:16:45 by RouterOS 7.13
# software id = 9ARR-3SRK
#
# model = RB4011iGS+
/interface bridge
add add-dhcp-option82=yes admin-mac=78:9A:18:9F:05:21 auto-mac=no comment=\
defconf dhcp-snooping=yes name=bridge_LOCAL port-cost-mode=short \
vlan-filtering=yes
/interface vlan
add interface=bridge_LOCAL name=VLAN100_GuestWiFi vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2.4Ghz \
skip-dfs-channels=all width=20/40mhz
add band=5ghz-ax disabled=no frequency=5170-5250 name=5Ghz skip-dfs-channels=\
all width=20/40/80mhz
/interface wifi datapath
add bridge=bridge_LOCAL disabled=no name=datapath1
add disabled=no name=datapath_GuestWiFi vlan-id=100
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=\
sec1
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=\
sec_GuestWiFi
/interface wifi configuration
add channel=5Ghz country="United States" datapath=datapath1 disabled=no mode=\
ap name=5Ghz security=sec1 ssid=Szostak_Design_5
add channel=2.4Ghz country="United States" datapath=datapath1 disabled=no \
mode=ap name=2.4Ghz security=sec1 ssid=Szostak_Design_2.4
add channel=5Ghz country="United States" datapath=datapath_GuestWiFi \
disabled=no mode=ap name=cfg_GuestWiFi security=sec_GuestWiFi ssid=\
Szostak_Design_Guest
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1
/ip pool
add name=L2TP_VPN01 ranges=10.10.10.201-10.10.10.250
add name=GuestWiFi ranges=172.16.8.2-172.16.8.100
/ip dhcp-server
add address-pool=L2TP_VPN01 interface=ether1 lease-time=8h name=dhcp_VPN01
add address-pool=GuestWiFi interface=VLAN100_GuestWiFi lease-time=8h name=\
dhcp_GuestWiFi
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add dns-server=10.10.10.100,9.9.9.9 local-address=10.10.10.1 name=L2TP_VPN01 \
remote-address=L2TP_VPN01 use-ipv6=no
/interface bridge port
add bridge=bridge_LOCAL comment=defconf disabled=yes interface=ether1 \
internal-path-cost=10 path-cost=10
add bridge=bridge_LOCAL comment=defconf interface=ether2 internal-path-cost=\
10 path-cost=10
add bridge=bridge_LOCAL interface=VLAN100_GuestWiFi
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP_VPN01 enabled=yes \
one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge_LOCAL list=LAN
/interface wifi capsman
set ca-certificate=********* certificate=\
********* enabled=yes interfaces=bridge_LOCAL \
package-path="" require-peer-certificate=no upgrade-policy=\
suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=5Ghz \
supported-bands=5ghz-ax,5ghz-n,5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=2.4Ghz \
supported-bands=2ghz-ax,2ghz-g,2ghz-n
/ip address
add address=10.10.10.1/24 interface=bridge_LOCAL network=10.10.10.0
add address=172.16.8.1/24 interface=VLAN100_GuestWiFi network=172.16.8.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=172.16.8.0/24 dns-server=9.9.9.9,142.112.112.112 gateway=\
172.16.8.1
/ip dns
set servers=9.9.9.9,142.112.112.112
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=accept chain=input comment=VPN01_ipsec in-interface=ether1 \
protocol=ipsec-esp
add action=accept chain=input comment=VPN01_udp dst-port=500,1701,4500 \
in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ppp secret
"Removed Secrets for privacy"
/system clock
set time-zone-name=America/New_York
/system identity
set name=StkDgn
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key