
6to4-basic-firewall

/ipv6 firewall filter

# INPUT
# Only IPv6 arriving on the 6to4 tunnel is diverted into wan-to-mkt; IPv6 that
# reaches the router on any other interface is not touched by these rules.
add action=jump chain=input comment="Jump to wan-to-mkt rules" in-interface=6to4-tunnel1 jump-target=wan-to-mkt
# Stateful rules come first so replies to router-originated traffic short-circuit.
add action=accept chain=wan-to-mkt comment="Allow established connections" connection-state=established
add action=accept chain=wan-to-mkt comment="Allow related connections" connection-state=related
add action=drop chain=wan-to-mkt comment="Drop invalid connections" connection-state=invalid
# ICMPv6 is accepted wholesale (no type match, no rate limit). Path MTU discovery
# over the tunnel depends on Packet Too Big getting through, so do not drop it.
add action=accept chain=wan-to-mkt comment="Accept ICMP" protocol=icmpv6
# Terminal rule for the tunnel: anything unsolicited is logged, then dropped.
add action=drop chain=wan-to-mkt comment="Log and drop everyting else" log=yes log-prefix="6to4 INPUT:"

# FORWARD
# Same shape for transit traffic coming in from the tunnel. Traffic leaving the
# LAN towards the tunnel is not matched here and falls through to the default.
add action=jump chain=forward comment="Jump to wan-to-lan rules" in-interface=6to4-tunnel1 jump-target=wan-to-lan
add action=accept chain=wan-to-lan comment="Allow established connections" connection-state=established
add action=accept chain=wan-to-lan comment="Allow related connections" connection-state=related
add action=drop chain=wan-to-lan comment="Drop invalid connections" connection-state=invalid
# No ICMPv6 accept in this chain: ICMPv6 errors tied to an existing LAN flow
# should match "related" above; unsolicited echo requests to LAN hosts end here.
add action=drop chain=wan-to-lan comment="Log and drop everyting else" log=yes log-prefix="6to4 FORWARD:"

6to4-setup

/interface 6to4
# 6to4 (RFC 3056): the IPv6 /48 is derived from the public IPv4 address,
# 123.45.67.89 = 0x7b2d4359 -> 2002:7b2d:4359::/48. 192.88.99.1 is the 6to4
# anycast relay address (RFC 3068); RFC 7526 deprecated that mechanism, so
# relay reachability is best-effort. The tunnel decapsulates protocol-41
# packets from any IPv4 source, so the /ipv6 firewall filter must be in place.
add disabled=no local-address=123.45.67.89 name=6to4-tunnel1 remote-address=192.88.99.1

/ipv6 address
# The tunnel endpoint carries the whole /48 without advertising it; subnet 1
# of that /48 is assigned to the LAN bridge.
add address=2002:7b2d:4359::1/48 advertise=no interface=6to4-tunnel1
add address=2002:7b2d:4359:1::1/64 interface=bridge1

/ipv6 route
# All global unicast (2000::/3) leaves through the tunnel.
add distance=1 dst-address=2000::/3 gateway=6to4-tunnel1

/routing ospf-v3 instance
# Connected and static IPv6 routes (including 2000::/3 above) are redistributed
# as type-1 externals into OSPFv3.
set [ find default=yes ] redistribute-connected=as-type-1 redistribute-static=as-type-1

/routing ospf-v3 interface
# NOTE(review): no interface= is given, so this uses the entry's default interface
# match — confirm OSPFv3 is not spoken towards the tunnel or WAN side.
add area=backbone

firewall-input

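/ip firewall filter

# INPUT - General
# Stateful rules first: established/related replies are accepted and invalid
# packets are dropped BEFORE any service-specific accept in IN-LAN / IN-Admin
# can match them. (Originally these two rules sat at the end of the chain, so
# an invalid packet to e.g. 53/udp was accepted by IN-LAN before the drop.)
add action=accept chain=input comment="Allow established and related connections" connection-state=established,related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
# Protocol 41 (6to4) is accepted from any source because 6to4 peers are arbitrary
# IPv4 hosts; the decapsulated IPv6 is filtered by /ipv6 firewall filter.
add action=accept chain=input comment="Allow 6to4" protocol=ipv6
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# Any broadcast on any interface (DHCP discover matches here before IN-LAN).
# Review whether the WAN side needs this at all.
add action=accept chain=input comment="Allow Broadcast" dst-address-type=broadcast
add action=accept chain=input comment="Allow local CAPsMAN" dst-address=127.0.0.1 dst-port=5246,5247 protocol=udp src-address=127.0.0.1

# INPUT - LAN Services
# Fixed: the original comment had a stray quote ("Jump to IN-LAN" rules"), which
# breaks the command.
add action=jump chain=input comment="Jump to IN-LAN rules" in-interface=bridge1-local jump-target=IN-LAN
add action=accept chain=IN-LAN comment="Allow DNS" dst-port=53 protocol=udp
add action=accept chain=IN-LAN comment="Allow DNS" dst-port=53 protocol=tcp
add action=accept chain=IN-LAN comment="Allow DHCP" dst-port=67 protocol=udp
# Only the CAPsMAN control port; NOTE(review): CAPs using CAPsMAN forwarding also
# need 5247/udp — confirm the forwarding mode in use.
add action=accept chain=IN-LAN comment="Allow CAPsMAN" dst-port=5246 protocol=udp
add action=return chain=IN-LAN comment="Return from IN-LAN rules"

# INPUT - Admin Services
# No in-interface match: Admins may reach management from any side. UDP (SNMP)
# is source-spoofable, so consider pairing the UDP rule with in-interface.
add action=jump chain=input comment="Jump to IN-Admin rules" jump-target=IN-Admin src-address-list=Admins
add action=accept chain=IN-Admin comment="Allow SSH" dst-port=22 protocol=tcp
add action=accept chain=IN-Admin comment="Allow SNMP" dst-port=161 protocol=udp
add action=accept chain=IN-Admin comment="Allow WinBox" dst-port=8291 protocol=tcp
add action=return chain=IN-Admin comment="Return from IN-Admin rules"

# INPUT - Final
# Terminal rule: everything not accepted above is logged and dropped.
add action=drop chain=input comment="Drop everything else" log=yes log-prefix="IN FILTER:"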

firewall-output

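/ip firewall filter

# FORWARD - General
add action=drop chain=forward comment="Drop blocked IPs" src-address-list=Blocked
add action=drop chain=forward comment="Log and drop malware traffic" dst-address-list=Malware log=yes log-prefix="OUT MALWARE:"
# No interface match: this accepts forwarded traffic to "Allowed" destinations in
# BOTH directions (LAN->WAN and WAN->LAN), so keep that list tightly curated.
add action=accept chain=forward comment="Bypass firewall for allowed IPs" dst-address-list=Allowed

# FORWARD - Output from LAN clients
# Only bridge1-local -> ether1-WAN is diverted into OUT-Clients. Nothing on this
# page handles the WAN -> LAN direction of the forward chain, which is otherwise
# left to the chain default. NOTE(review): confirm another section covers it.
add action=jump chain=forward comment="Jump to OUT-Clients rules" in-interface=bridge1-local jump-target=OUT-Clients out-interface=ether1-WAN
# Stateful rules first: established/related flows are accepted without walking
# the port list, and invalid packets are dropped before any port rule can accept
# them. (Originally both rules were at the end of the chain.)
add action=accept chain=OUT-Clients comment="Allow established and related connections" connection-state=established,related
add action=drop chain=OUT-Clients comment="Drop invalid connections" connection-state=invalid
# Egress allow-list. Several entries (25 SMTP, 161 SNMP, 389 LDAP, 1080 SOCKS5,
# 3128 Squid, 3306/5432 SQL, 3389 RDP, 5900 VNC) are unusual for clients to need
# towards the internet and are the ports a compromised host would abuse for
# spam or relaying; review each against actual need.
add action=accept chain=OUT-Clients comment="Allow ICMP" protocol=icmp
add action=accept chain=OUT-Clients comment="Allow FTP" dst-port=21 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow SSH" dst-port=22 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow SMTP" dst-port=25 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow DNS" dst-port=53 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow DNS" dst-port=53 protocol=udp
add action=accept chain=OUT-Clients comment="Allow HTTP" dst-port=80 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow POP3" dst-port=110 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow NTP" dst-port=123 protocol=udp
add action=accept chain=OUT-Clients comment="Allow IMAP" dst-port=143 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow SNMP" dst-port=161 protocol=udp
add action=accept chain=OUT-Clients comment="Allow LDAP" dst-port=389 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow HTTPS" dst-port=443 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow QUIC" dst-port=443 protocol=udp
add action=accept chain=OUT-Clients comment="Allow SMTPS" dst-port=465 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Syslog" dst-port=514 protocol=udp
add action=accept chain=OUT-Clients comment="Allow RTSP" dst-port=554 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow RTSP" dst-port=554 protocol=udp
add action=accept chain=OUT-Clients comment="Allow Submission" dst-port=587 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow LDAPS" dst-port=636 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Flash Socket Policy" dst-port=843 protocol=tcp
# Fixed label: 990/tcp is FTPS (FTP over implicit TLS). SFTP runs over SSH on
# 22, which is already allowed above.
add action=accept chain=OUT-Clients comment="Allow FTPS" dst-port=990 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow IMAPS" dst-port=993 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow POP3S" dst-port=995 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow SOCKS5" dst-port=1080 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Blizzard games" dst-port=1119,3724,6012,6112-6119 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Blizzard games" dst-port=1119,3724,6012,6112-6119 protocol=udp
add action=accept chain=OUT-Clients comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow OpenVPN" dst-port=1194 protocol=udp
add action=accept chain=OUT-Clients comment="Allow Xbox" dst-port=1836,3074 protocol=tcp
# 3544/udp here already covers the separate "Allow Teredo" rule below.
add action=accept chain=OUT-Clients comment="Allow Xbox" dst-port=1836,3074,3544 protocol=udp
add action=accept chain=OUT-Clients comment="Allow MQTT" dst-port=1883 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow RTMP" dst-port=1935 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Squid" dst-port=3128 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow MySQL" dst-port=3306 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow RDP" dst-port=3389 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow STUN" dst-port=3478 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow STUN" dst-port=3478 protocol=udp
add action=accept chain=OUT-Clients comment="Allow PlayStation" dst-port=3480,3658-3659 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Teredo" dst-port=3544 protocol=udp
add action=accept chain=OUT-Clients comment="Allow PlayStation" dst-port=3658-3659 protocol=udp
add action=accept chain=OUT-Clients comment="Allow Viber" dst-port=4244,5242 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Steam" dst-port=4379,4380,27000-27036 protocol=udp
add action=accept chain=OUT-Clients comment="Allow Signal" dst-port=4433 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow SIP" dst-port=5060 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow SIP" dst-port=5060 protocol=udp
add action=accept chain=OUT-Clients comment="Allow SIPS" dst-port=5061 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow OSCAR" dst-port=5190 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow XMPP" dst-port=5222 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow XMPPS, Apple Push" dst-port=5223 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Google Play" dst-port=5228 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Viber" dst-port=5243,9785 protocol=udp
add action=accept chain=OUT-Clients comment="Allow XMPP Federation" dst-port=5269 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow PostgreSQL" dst-port=5432 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow VNC" dst-port=5900 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow TeamViewer" dst-port=5938 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow TeamViewer" dst-port=5938 protocol=udp
add action=accept chain=OUT-Clients comment="Allow SUPL" dst-port=7275 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Alternative HTTP" dst-port=8080 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow WinBox" dst-port=8291 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Alternative HTTPS" dst-port=8443 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow MQTTS" dst-port=8883 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow TeamSpeak" dst-port=9987 protocol=udp
add action=accept chain=OUT-Clients comment="Allow TeamSpeak" dst-port=10011,30033 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Apple FaceTime" dst-port=16384-16387 protocol=udp
add action=accept chain=OUT-Clients comment="Allow Apple FaceTime" dst-port=16393-16402 protocol=udp
add action=accept chain=OUT-Clients comment="Allow Google Hangouts" dst-port=19302-19309 protocol=udp
add action=accept chain=OUT-Clients comment="Allow Google Hangouts" dst-port=19305-19309 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Steam" dst-port=27014-27050 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Windows Update" dst-port=40001-40046 protocol=tcp
add action=accept chain=OUT-Clients comment="Allow Windows Update" dst-port=40001-40046 protocol=udp
# Terminal rule for LAN -> WAN: anything not on the list is logged and dropped.
add action=drop chain=OUT-Clients comment="Log and drop everything else" log=yes log-prefix="OUT FILTER:"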
upgrade-setup

/tool e-mail
# Outbound relay used by the "upgrade" script (STARTTLS on 587). The password
# ("xxx" is a placeholder) is stored in the router config and shows up in
# exports, so use a dedicated low-privilege mailbox, not a personal account.
set port=587 start-tls=yes address=10.0.0.1 user=mikrotik@example.com from=mikrotik@example.com password=xxx

/system scheduler
# Weekly at 22:00. The entry is named "backup" but what it runs is the
# "upgrade" script, which installs packages (reboot) and sends mail.
# NOTE(review): no policy= is given, so the scheduler's default policy set
# must cover what the script does — confirm.
add name=backup interval=1w start-date=jan/01/2000 start-time=22:00:00 on-event="/system script run upgrade"

upgrade

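# Unattended upgrade: query the update server, mail a notice, then install.
# Install ends in a reboot, so the mail must be sent before it.
:local recipient "mikrotik@example.com"
:local identity [/system identity get name]

# NOTE(review): the version offered is whatever channel /system package update
# is set to; an unattended install should track a production channel — confirm.
/system package update check-for-update
# The 5 s wait is an assumption about how long the check takes. If it has not
# finished, latest-version is either empty (handled below) or stale.
:delay 5

:local current [/system package update get installed-version]
:local latest [/system package update get latest-version]

# Act only when the check returned a version that differs from the running one.
:if ([:tostr $latest] != "" && $current != $latest) do={
    :local mailbody ("Identity: " . $identity . "\r\nBoard name: " . [/system resource get board-name] . "\r\nSerial number: " . [/system routerboard get serial-number] . "\r\nFrom version: " . $current . "\r\nTo version: " . $latest)
    # Fixed wording: the original subject said "has been upgraded" although
    # nothing has been installed yet and a failed install is never reported
    # (no code runs after the install). The subject now states what is about
    # to happen and names the target version.
    /tool e-mail send to=$recipient subject=($identity . " - RouterOS upgrade to " . $latest . " starting") body=$mailbody
    /system package update install
}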
