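# RouterOS configuration export, reformatted one command per line.
# Public addresses are redacted with "xx" in the original and are kept that way here.

# ---- Interfaces --------------------------------------------------------------
/interface bridge
add name=WAN protocol-mode=none
add name=bridge1-LAN protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
# Tagged uplink to the provider: the /31 transit address and the default route use it.
add interface=ether1-WAN name=vlan835 vlan-id=835
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

# ---- LAN addressing and DHCP -------------------------------------------------
/ip pool
# Fixed: the original range was the whole 192.168.10.0/24, which hands out the network
# address, the router's own 192.168.10.1 and the broadcast address.
add name=pool1 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add add-arp=yes address-pool=pool1 interface=bridge1-LAN name=dhcp1

/interface bridge port
add bridge=bridge1-LAN interface=ether2
add bridge=bridge1-LAN interface=ether3
add bridge=bridge1-LAN interface=ether4
add bridge=WAN interface=ether1-WAN

/ip address
add address=88.xx.xx.14/31 interface=vlan835 network=88.xx.xx.14
add address=192.168.10.1/24 interface=bridge1-LAN network=192.168.10.0
# The public /29 is terminated on the WAN bridge and 1:1 mapped onto the LAN by the
# netmap rules further down; note the network address (.8) is used as the interface address.
add address=80.xx.xx.8/29 interface=WAN network=80.xx.xx.8

/ip dhcp-server network
# Fixed: the original entry described 80.xx.xx.8/29 with gateway 88.xx.xx.8 (an address
# outside that prefix). It matched neither pool1 (192.168.10.0/24) nor the LAN interface
# address, so pool1 leases had no network entry and clients got no gateway/DNS options.
add address=192.168.10.0/24 dns-server=151.xx.xx.2,62.xx.xx.150 gateway=192.168.10.1

/ip dns
set servers=151.xx.xx.2,62.xx.xx.150

# ---- Firewall ----------------------------------------------------------------
/ip firewall address-list
add address=80.xx.xx.8/29 list=connected_host
add address=192.168.10.0/24 list=connected_host
# NOTE(review): managed_host is matched by an input rule below but is not populated
# anywhere in this export, so that accept never fires. Add the management hosts here:
# add address=<MANAGEMENT-HOST-OR-PREFIX> list=managed_host

/ip firewall filter
# -- input: traffic addressed to the router itself (rules grouped by chain; order within
#    each chain is preserved, and chains are evaluated independently) --
add action=accept chain=input comment="accept established connection packets" connection-state=established,related,untracked
# Redundant with the rule above (related is already accepted); kept for parity with the export.
add action=accept chain=input comment="accept related connection packets" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
add action=accept chain=input comment="Allow access to router from managing network" src-address-list=managed_host
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 limit=1,5:packet protocol=tcp src-address-list=black_list
# NOTE(review): this rule is evaluated before the connected_host accept, so a LAN host
# holding more than 10 concurrent TCP connections to the router is also blacklisted for 1d.
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Allow access to router from connected network" src-address-list=connected_host
add action=accept chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=drop chain=input comment="drop everything else"

# -- ICMP: rate-limited allow-list of message types, everything else dropped --
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp

# -- forward: traffic passing through the router --
# Fixed: the original fasttrack rule had no connection-state match and the chain had no
# accept for established/related traffic nor a drop for invalid packets. The stock RouterOS
# firewall restricts fasttrack to established,related and accepts those states explicitly;
# the limit and hw-offload settings from the export are kept.
add action=fasttrack-connection chain=forward comment="fasttrack established/related" connection-state=established,related hw-offload=no limit=10,5:packet
add action=accept chain=forward comment="accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid packets" connection-state=invalid
add action=accept chain=forward in-interface=WAN out-interface=WAN
# NOTE(review): the only stateless accept above is WAN->WAN, so new connections forwarded
# between bridge1-LAN and vlan835 (the interface carrying the default route) still reach
# this drop; confirm that is intended before relying on the netmap rules below.
add action=drop chain=forward

# 1:1 mapping of the public /29 onto the first addresses of the LAN /24 (both directions).
/ip firewall nat
add action=netmap chain=dstnat dst-address=80.xx.xx.8/29 to-addresses=192.168.10.0/24
add action=netmap chain=srcnat src-address=192.168.10.0/24 to-addresses=80.xx.xx.8/29

# ---- Routing -----------------------------------------------------------------
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=88.xx.xx.15 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10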