MikroTik Solutions: Diff

Differences From Artifact [aa9ebb3c6e]:

File defconf/RB4011iGS+.rsc — part of check-in [13ea1968de] at 2024-07-05 10:50:51 on branch trunk — Added the default configuration generated by RouterOS 7.15.2 for the RB4011iGS+ here, with minor elisions for PII and such. The purpose is to begin providing baseline defaults for reference, which are easier to read than what you get out of "/system/default-configuration/print", having all the conditionals flattened and the loops unrolled. (user: tangent size: 7155)
File defconf/RB4011iGS+RM.rsc — part of check-in [930af467ca] at 2024-07-05 11:59:17 on branch trunk — Using full name of RB4011iGS+RM in defconf/*.rsc (user: tangent size: 7155)

To Artifact [2ab00e6e87]:

File defconf/RB4011iGS+RM.rsc — part of check-in [c259d170a2] at 2025-03-23 00:08:17 on branch trunk — Upgraded RB4011 defconf from RouterOS 7.15.2 to 7.18.2. Partly this is because I had cause to reset my exemplar here, but also because I wanted to publish a defconf showing the new IPv6 fasttrack rule. (user: tangent size: 7247)

1 2 3 4 5 6 7 8	~~# ~~1970~~-01~~-01 00~~:00:00 by RouterOS 7.15.2~~ # # model = RB4011iGS+ /interface bridge add admin-mac=ELIDED auto-mac=no comment=defconf name=bridge /interface list add comment=defconf name=WAN /interface list add comment=defconf name=LAN /ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254 /port set 0 name=serial0	\|	1 2 3 4 5 6 7 8	# 2025-03-10 12:00:03 by RouterOS 7.18.2 # # model = RB4011iGS+ /interface bridge add admin-mac=ELIDED auto-mac=no comment=defconf name=bridge /interface list add comment=defconf name=WAN /interface list add comment=defconf name=LAN /ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254 /port set 0 name=serial0
︙			︙
22 23 24 25 26 27 28 29 30 31 32 33 34 35 36	/interface list member add comment=defconf interface=bridge list=LAN /interface list member add comment=defconf interface=ether1 list=WAN /ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0 /ip dhcp-client add comment=defconf interface=ether1 /ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf /ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 /ip dns set allow-remote-requests=yes ~~/ip dns static add address=192.168.88.1 comment=defconf name=router.lan~~ /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked /ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid /ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp /ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN /ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec /ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec	\|	22 23 24 25 26 27 28 29 30 31 32 33 34 35 36	/interface list member add comment=defconf interface=bridge list=LAN /interface list member add comment=defconf interface=ether1 list=WAN /ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0 /ip dhcp-client add comment=defconf interface=ether1 /ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf /ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 /ip dns set allow-remote-requests=yes /ip dns static add address=192.168.88.1 comment=defconf name=router.lan type=A /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked /ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid /ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp /ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN /ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec /ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
︙			︙
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75	/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp /ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10 /ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp /ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah /ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp /ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec /ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 /ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139 /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN ~~/system routerboard settings set auto-upgrade=yes~~ /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN	> <	54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75	/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp /ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10 /ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp /ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah /ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp /ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec /ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN /ipv6 firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 /ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139 /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN