rockdrilla

mikrotik config

Sep 11th, 2017
  1. [admin@Home] > export
     # NOTE(review): this is a plain `export`. On RouterOS v6 (which the master-port syntax below
     # suggests) a plain export prints the Wi-Fi PSK and the PPPoE password in clear text. The values
     # further down ("wifi-password", "pppoe-password") look like hand-substituted placeholders;
     # `export hide-sensitive` avoids having to scrub a config by hand before sharing it.
  2.  
  3. /interface bridge
     # LAN bridge. protocol-mode=none: no STP/RSTP is run on it.
  4. add name=br0-lan protocol-mode=none
  5.  
  6. /interface ethernet
     # ether1 becomes ether1-wan with ARP disabled; the PPPoE client defined later runs over it.
  7. set [ find default-name=ether1 ] name=ether1-wan advertise=100M-full arp=disabled loop-protect=off
     # ether2 is the switch master port; ether3 and ether4 are slaved to it through master-port.
  8. set [ find default-name=ether2 ] name=ether2-master advertise=100M-full,1000M-full speed=1Gbps
  9. set [ find default-name=ether3 ] master-port=ether2-master advertise=10M-full,100M-full,1000M-full
  10. set [ find default-name=ether4 ] master-port=ether2-master advertise=10M-full,100M-full,1000M-full
      # ether5 stays outside the switch group as ether5-stb; it gets its own subnet and DHCP server
      # below (presumably the IPTV set-top-box port).
  11. set [ find default-name=ether5 ] name=ether5-stb advertise=10M-full,100M-full,1000M-full
  12.  
  13. /interface wireless security-profiles
  14. set [ find default=yes ] supplicant-identity=MikroTik
      # WPA2-PSK-only profile for the home AP. "wifi-password" looks like a placeholder for the real key.
      # management-protection=allowed: going by the setting name, protected management frames are
      # negotiated with capable clients but not enforced — TODO confirm against the RouterOS docs.
  15. add name=wifi-ap-home authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys supplicant-identity="" wpa2-pre-shared-key=wifi-password
  16.  
  17. /interface wireless
      # Virtual AP on top of wlan1 using the profile above; it is bridged into br0-lan further down.
      # NOTE(review): ssid=MikroTik is a very common network name. WPA2-PSK uses the SSID as the salt
      # when deriving the key, so a unique SSID plus a long random passphrase is the safer combination.
  18. add name=wlan1-home master-interface=wlan1 multicast-buffering=disabled multicast-helper=disabled security-profile=wifi-ap-home ssid=MikroTik wmm-support=enabled
  19.  
  20. /ip neighbor discovery
      # Only wlan1-home is switched off here; the export shows nothing for the other interfaces.
      # NOTE(review): confirm discovery is also off on ether1-wan / pppoe-rt so the router does not
      # announce its identity and version towards the provider network.
  21. set wlan1-home discover=no
  22.  
  23. /ip pool
      # One address pool per segment: the LAN bridge and the ether5-stb segment.
  24. add name=pool-lan ranges=192.168.0.10-192.168.0.254
  25. add name=pool-stb ranges=192.168.254.2-192.168.254.254
  26.  
  27. /ip dhcp-server
      # One DHCP server per segment, each bound to its pool. add-arp=yes is set on both, so the
      # router adds ARP entries for leased addresses. Lease time is 1 day 10 minutes.
  28. add name=server-lan add-arp=yes address-pool=pool-lan always-broadcast=yes disabled=no lease-time=1d10m interface=br0-lan
  29. add name=server-stb add-arp=yes address-pool=pool-stb always-broadcast=yes disabled=no lease-time=1d10m interface=ether5-stb
  30.  
  31. /ppp profile
      # Profile used by the PPPoE client below: compression and encryption are both turned off.
  32. add name=pppoe-rt only-one=no use-compression=no use-encryption=no
  33.  
  34. /interface pppoe-client
      # WAN session over ether1-wan; it installs the default route (add-default-route=yes).
      # allow=chap restricts authentication to CHAP only.
      # user= / password= look like placeholders; the real values are account secrets and must be
      # scrubbed from any config that is published.
      # use-peer-dns=yes: the router also takes resolver addresses from the provider.
  35. add name=pppoe-rt interface=ether1-wan user=pppoe-user password=pppoe-password profile=pppoe-rt add-default-route=yes allow=chap disabled=no keepalive-timeout=disabled use-peer-dns=yes
  36.  
  37. /interface bridge port
      # br0-lan members: the wired switch group (through its master port) and the home Wi-Fi AP.
  38. add bridge=br0-lan interface=ether2-master
  39. add bridge=br0-lan interface=wlan1-home
  40.  
  41. /ip firewall connection tracking
      # Connection tracking is forced on; the filter rules below match on connection-state and
      # connection-nat-state, and the raw table exempts selected traffic with notrack.
  42. set enabled=yes
  43.  
  44. /ip settings
      # Loose reverse-path filtering — presumably, as on Linux, a packet is accepted when its source
      # is reachable through any interface, not necessarily the one it arrived on; confirm.
  45. set rp-filter=loose
  46.  
  47. /interface list
      # Interface lists referenced by the firewall rules below.
  48. add name=lan
  49. add name=wan
  50. add name=iptv-uplink
  51. add name=iptv-downlink
  52.  
  53. /interface list member
      # Note the split on the WAN side: "wan" contains only the PPPoE session (pppoe-rt), while the
      # physical port ether1-wan is a member of "iptv-uplink" only. Rules that match on
      # in-interface-list=wan therefore do not match traffic arriving directly on ether1-wan.
  54. add list=lan interface=br0-lan
  55. add list=wan interface=pppoe-rt
  56. add list=iptv-uplink interface=ether1-wan
  57. add list=iptv-downlink interface=ether5-stb
  58.  
  59. /ip address
      # Router addresses: .1 on the LAN bridge and on the set-top-box segment, plus a /32 on the
      # physical WAN port (presumably needed for the IGMP proxy upstream side; confirm).
  60. add interface=br0-lan address=192.168.0.1/24
  61. add interface=ether1-wan address=10.1.33.7/32
  62. add interface=ether5-stb address=192.168.254.1/24
  63.  
  64. /ip dhcp-server network
      # Both segments are handed the router itself as gateway, DNS server and NTP server, so the
      # router's resolver and NTP server must stay reachable from lan and ether5-stb.
  65. add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 ntp-server=192.168.0.1
  66. add address=192.168.254.0/24 dns-server=192.168.254.1 gateway=192.168.254.1 ntp-server=192.168.254.1
  67.  
  68. /ip dns
      # The router answers DNS queries from other hosts. Nothing in this setting limits that to the
      # LAN; the only thing keeping it from being an open resolver is the pair of port-53 drop rules
      # in the raw pre-local chain. NOTE(review): keep those rules if the raw table is ever reworked.
  69. set allow-remote-requests=yes
  70.  
  71. /ip firewall address-list
      # DNS: upstream resolvers that the raw rules exchange untracked UDP/53 traffic with.
  72. add address=8.8.8.8 list=DNS
  73. add address=8.8.4.4 list=DNS
  74. add address=195.34.224.1 list=DNS
  75. add address=195.34.224.2 list=DNS
      # MCAST_BLACKLIST: groups the router must not send IGMP for towards the uplink
      # (224.0.0.0/23 covers 224.0.0.0-224.0.1.255).
  76. add address=224.0.0.0/23 list=MCAST_BLACKLIST
  77. add address=239.255.255.0/24 list=MCAST_BLACKLIST
  78. add address=239.192.152.0/24 list=MCAST_BLACKLIST
  79. add address=239.2.0.0/24 list=MCAST_BLACKLIST
      # MCAST_WHITELIST: the single exception inside the blacklisted range; it is checked first
      # in the out-mcast-uplink chain.
  80. add address=224.0.0.2 list=MCAST_WHITELIST
  81.  
  82. /ip firewall filter
  83.  
      # accept-FT: shared "allow" target — mark the connection for fasttrack, then accept.
  84. add chain=accept-FT action=fasttrack-connection
  85. add chain=accept-FT action=accept
  86.  
      # NOTE(review): the input chain has a single unconditional rule, so the filter table accepts
      # every packet addressed to the router from every interface, pppoe-rt (wan) included. The only
      # inbound restriction left is the raw pre-local chain, and that drops port 53 only. Anything
      # else the router listens on (the NTP server enabled below, and whatever is enabled under
      # /ip service, which this export does not show — presumably defaults, TODO confirm) is
      # reachable from the Internet. A safer shape is: accept established/related, accept what lan
      # and iptv-downlink need, accept IGMP from iptv-uplink, drop the rest; and bind management
      # services to LAN addresses.
  87. add chain=input action=jump jump-target=accept-FT
  88.  
      # Router-originated traffic is accepted without conditions.
  89. add chain=output action=jump jump-target=accept-FT
  90.  
      # fwd-mcast: multicast is forwarded only between the IPTV uplink and downlink, in either
      # direction; any other multicast forwarding is dropped.
  91. add chain=fwd-mcast action=jump in-interface-list=iptv-uplink jump-target=accept-FT out-interface-list=iptv-downlink
  92. add chain=fwd-mcast action=jump in-interface-list=iptv-downlink jump-target=accept-FT out-interface-list=iptv-uplink
  93. add chain=fwd-mcast action=drop
  94.  
      # forward: rule order is significant, first match wins.
  95. add chain=forward action=jump connection-state=established,related jump-target=accept-FT
  96. add chain=forward action=jump in-interface-list=lan jump-target=accept-FT out-interface-list=lan
  97. add chain=forward action=jump dst-address-type=multicast jump-target=fwd-mcast
      # lan and the set-top-box segment may open connections to wan; nothing is allowed between
      # lan and iptv-downlink.
  98. add chain=forward action=jump in-interface-list=lan jump-target=accept-FT out-interface-list=wan
  99. add chain=forward action=jump in-interface-list=iptv-downlink jump-target=accept-FT out-interface-list=wan
       # Inbound connections from wan pass only if they were destination-NATed. The nat section has
       # no static dstnat rule, so such mappings would be dynamic ones — presumably created by UPnP,
       # which is enabled further down.
  100. add chain=forward action=jump connection-nat-state=dstnat in-interface-list=wan jump-target=accept-FT
       # NOTE(review): this invalid-state drop sits after the accept jumps, so it only affects
       # packets none of them matched (which the final reject would stop anyway). Invalid packets
       # from lan to wan are accepted by the lan->wan rule above; move the drop ahead of it if that
       # is not intended.
  101. add chain=forward action=drop connection-state=invalid
       # Default for everything not matched above: reject.
  102. add chain=forward action=reject
  103.  
  104. /ip firewall mangle
  105.  
       # All multicast is re-marked with DSCP 63, both on ingress (prerouting) and on egress
       # (postrouting); passthrough=no stops mangle processing for the packet after the match.
  106. add chain=prerouting action=change-dscp dst-address-type=multicast new-dscp=63 passthrough=no
  107.  
  108. add chain=postrouting action=change-dscp dst-address-type=multicast new-dscp=63 passthrough=no
  109.  
  110. /ip firewall nat
       # Source NAT for everything leaving through the PPPoE session. There are no static dstnat rules.
  111. add chain=srcnat action=masquerade out-interface-list=wan
  112.  
  113. /ip firewall raw
  114.  
       # accept-NOCT: shared target — exempt the packet from connection tracking, then accept.
  115. add chain=accept-NOCT action=notrack
  116. add chain=accept-NOCT action=accept
  117.  
       # pre-mcast: incoming multicast is taken only from the IPTV uplink and downlink; multicast
       # arriving on any other interface (lan and pppoe-rt included) is dropped here.
  118. add chain=pre-mcast action=accept in-interface-list=iptv-uplink
  119. add chain=pre-mcast action=accept in-interface-list=iptv-downlink
  120. add chain=pre-mcast action=drop
  121.  
       # pre-lan: traffic from lan / iptv-downlink addressed to the router itself is untracked;
       # everything else from those segments is accepted and tracked normally.
  122. add chain=pre-lan action=jump dst-address-type=local jump-target=accept-NOCT
  123. add chain=pre-lan action=accept
  124.  
       # pre-local: traffic to the router that did not come from lan / iptv-downlink.
       # NOTE(review): the first rule trusts any UDP packet whose source address is in the DNS list
       # and whose source port is 53, for any local destination port. Both fields are chosen by the
       # sender and UDP has no handshake, so this is an allowlist by claimed identity only; it could
       # be narrowed with in-interface-list=wan.
  125. add chain=pre-local action=jump jump-target=accept-NOCT protocol=udp src-address-list=DNS src-port=53
       # These two drops are what prevents allow-remote-requests=yes from exposing the resolver to
       # the outside.
  126. add chain=pre-local action=drop dst-port=53 protocol=tcp
  127. add chain=pre-local action=drop dst-port=53 protocol=udp
       # Everything else addressed to the router is accepted here, and the filter input chain
       # accepts it as well — see the unconditional input rule in /ip firewall filter.
  128. add chain=pre-local action=accept
  129.  
       # prerouting dispatch. Order matters: lan and iptv-downlink are diverted to pre-lan before
       # the dst-address-type=local rule, so pre-local only sees traffic from the remaining interfaces.
  130. add chain=prerouting action=jump dst-address-type=multicast jump-target=pre-mcast
  131. add chain=prerouting action=jump in-interface-list=lan jump-target=pre-lan
  132. add chain=prerouting action=jump in-interface-list=iptv-downlink jump-target=pre-lan
  133. add chain=prerouting action=jump dst-address-type=local jump-target=pre-local
  134. add chain=prerouting action=accept
  135.  
       # out-mcast-uplink: router-originated multicast towards the provider. Only IGMP is let out;
       # 224.0.0.2 is allowed explicitly, blacklisted groups are dropped, other groups are allowed.
  136. add chain=out-mcast-uplink action=drop protocol=!igmp
  137. add chain=out-mcast-uplink action=accept dst-address-list=MCAST_WHITELIST
  138. add chain=out-mcast-uplink action=drop dst-address-list=MCAST_BLACKLIST
  139. add chain=out-mcast-uplink action=accept
  140.  
       # out-mcast: the router sends multicast only on the IPTV interfaces.
  141. add chain=out-mcast action=jump jump-target=out-mcast-uplink out-interface-list=iptv-uplink
  142. add chain=out-mcast action=accept out-interface-list=iptv-downlink
  143. add chain=out-mcast action=drop
  144.  
       # out-local: the router's own DNS queries to the listed resolvers, and all of its traffic
       # towards lan, bypass connection tracking; the rest is accepted and tracked.
  145. add chain=out-local action=jump dst-address-list=DNS dst-port=53 jump-target=accept-NOCT out-interface-list=wan protocol=udp
  146. add chain=out-local action=jump jump-target=accept-NOCT out-interface-list=lan
  147. add chain=out-local action=accept
  148.  
       # output dispatch: multicast first, then locally-sourced unicast.
  149. add chain=output action=jump dst-address-type=multicast jump-target=out-mcast
  150. add chain=output action=jump jump-target=out-local src-address-type=local
  151. add chain=output action=accept
  152.  
  153. /ip route
       # Link-local 169.254.0.0/16 is blackholed so it is never routed out.
  154. add distance=1 dst-address=169.254.0.0/16 type=blackhole
  155.  
  156. /ip upnp
       # NOTE(review): UPnP lets hosts on the internal interface request inbound port mappings
       # without authentication, and the forward chain accepts destination-NATed connections from
       # wan. Leave it disabled unless a device on the LAN really depends on it.
  157. set enabled=yes
  158.  
  159. /ip upnp interfaces
       # Only an internal interface is declared; the export shows no type=external entry.
  160. add interface=br0-lan type=internal
  161.  
  162. /routing igmp-proxy interface
       # Upstream is the physical WAN port, downstream the set-top-box port.
       # NOTE(review): alternative-subnets=0.0.0.0/0 takes multicast sources from any subnet on the
       # upstream side; narrow it to the provider's IPTV source ranges if they are known.
  163. add alternative-subnets=0.0.0.0/0 interface=ether1-wan upstream=yes
  164. add interface=ether5-stb
  165.  
  166. /system clock
       # Time-zone autodetection is off; a fixed +03:00 offset is set manually below.
  167. set time-zone-autodetect=no
  168.  
  169. /system clock manual
  170. set time-zone=+03:00
  171.  
  172. /system identity
  173. set name=Home
  174.  
  175. /system ntp client
       # The router syncs its clock from two fixed public NTP server addresses.
  176. set enabled=yes primary-ntp=62.76.96.4 secondary-ntp=87.229.205.75
  177.  
  178. /system ntp server
       # The router serves NTP to the lan and set-top-box segments (advertised via the DHCP
       # ntp-server option). NOTE(review): with the input chain accepting everything and the raw
       # pre-local chain dropping port 53 only, UDP/123 is also answered on the wan side; restrict
       # it to the internal segments in the input chain.
  179. set enabled=yes