# jul/19/2021 08:46:10 by RouterOS 6.46.8
# software id = 114J-7H71
#
# model = RB760iGS
# serial number = A36A0C4CC084
#
# Dual-WAN setup: two uplinks (ether1-WAN1 static, ether2-WAN2 via DHCP), one
# LAN bridge, PCC connection marking in mangle, and a small stateful filter.
# NOTE(review): the software id and serial number above identify the physical
# device; replace them with placeholders before sharing an export.

# LAN bridge; ether4-LAN and ether5-LAN are attached as ports below.
/interface bridge
add name=brdg-local

# Ports are renamed by role. ether3 and sfp1 are disabled, so only the two WAN
# ports and the two bridged LAN ports can carry traffic.
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-half,100M-full,1000M-full \
    name=ether1-WAN1
set [ find default-name=ether2 ] advertise=100M-half,100M-full,1000M-full \
    name=ether2-WAN2
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] advertise=100M-half,100M-full,1000M-full \
    name=ether4-LAN
set [ find default-name=ether5 ] advertise=100M-half,100M-full,1000M-full \
    name=ether5-LAN
set [ find default-name=sfp1 ] disabled=yes
/interface bridge port
add bridge=brdg-local interface=ether4-LAN
add bridge=brdg-local interface=ether5-LAN

# Neighbor discovery is bound to the interface list "none", i.e. the router is
# not announced on any port.
/ip neighbor discovery-settings
set discover-interface-list=none

# LAN gateway address on the bridge and a static address on WAN1.
# The Z/X/Y octets look like the author's redaction of the public address.
/ip address
add address=192.168.88.1/24 comment=LAN interface=brdg-local network=\
    192.168.88.0
add address=82.Z.X.Y/24 comment="Free Static" interface=ether1-WAN1 \
    network=82.Z.X.0

# Neither DHCP client installs a default route or accepts DNS/NTP servers from
# the upstream; default routes are defined by hand in /ip route.
# NOTE(review): the ether1-WAN1 client has no disabled=no, so it is presumably
# disabled (WAN1 already has a static address) - confirm on the device.
/ip dhcp-client
add add-default-route=no comment="Orange / Huawei DHCP" disabled=no \
    interface=ether2-WAN2 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ether1-WAN1 use-peer-dns=no use-peer-ntp=\
    no

# DHCP options for the LAN: the router is both gateway and DNS server.
# NOTE(review): no /ip pool or /ip dhcp-server entry appears in this export.
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

# allow-remote-requests=yes turns the router into a resolver for any client
# that can reach it. Nothing in this section limits who may query it; the only
# thing keeping it from answering Internet hosts is the pair of input-chain
# drop rules on ether1-WAN1 and ether2-WAN2 below.
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,8.8.8.8,208.67.222.222,208.67.222.220

# Filter rules are evaluated top to bottom, so their order is significant.
/ip firewall filter
# NOTE(review): per MikroTik documentation, FastTracked packets bypass the
# firewall, mangle included. Later packets of a fasttracked connection would
# then not receive the routing marks set in the mangle section, which can
# defeat the per-ISP routing. Verify; a common remedy is to restrict this rule
# to connection-mark=no-mark or to disable it.
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
# Both invalid-state drops carry a log-prefix but no log=yes, so they appear
# to drop silently.
add action=drop chain=forward comment=FinalDrop-AllInvalidFWD \
    connection-state=invalid log-prefix=FinalDrop-AllFwdInvalid
add action=drop chain=input comment=FinalDrop-AllInvalidINPUT \
    connection-state=invalid log-prefix=FinalDrop-AllInputInvalid
# New connections arriving on a WAN port are forwarded only if a dstnat rule
# translated them; this export contains no dstnat rule, so none qualify.
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN1" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether1-WAN1
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN2" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether2-WAN2
# Final input drops, one per WAN port. Only the WAN2 rule has log=yes; the
# WAN1 rule sets a prefix without enabling logging.
# NOTE(review): these rules match by interface name. Input from brdg-local, or
# from any interface added later (a tunnel or PPPoE client, for example), is
# not matched by any drop rule here, so every router service stays reachable
# from those interfaces.
add action=drop chain=input comment="block everything else to-WAN1" \
    in-interface=ether1-WAN1 log-prefix=FinalDrop-WAN1
add action=drop chain=input comment="block everything else to-WAN2" \
    in-interface=ether2-WAN2 log=yes log-prefix=FinalDrop-WAN2

/ip firewall mangle
# LAN traffic towards the two uplink subnets is accepted before any marking.
add action=accept chain=prerouting dst-address=82.Z.X.0/24 in-interface=\
    brdg-local
add action=accept chain=prerouting dst-address=172.16.2.0/24 in-interface=\
    brdg-local
# Connections that arrive on a WAN port are marked with that ISP, so the
# output-chain rules below can send replies back through the same uplink.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1-WAN1 log-prefix=WAN1PreroutMarkISP1_c \
    new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2-WAN2 new-connection-mark=ISP2_conn
# Per-connection classifier: unmarked LAN connections to non-local
# destinations are split into two buckets (2/0 and 2/1) by a hash of both
# addresses, one bucket per ISP.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=brdg-local new-connection-mark=\
    ISP1_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=brdg-local new-connection-mark=\
    ISP2_conn per-connection-classifier=both-addresses:2/1
# The connection mark is translated into a routing mark for LAN-originated
# packets (prerouting) and for router-originated packets (output).
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
    in-interface=brdg-local log-prefix=WAN1PreToISP1 new-routing-mark=to_ISP1 \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface=brdg-local new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=to_ISP2
# Four disabled log-only rules, apparently left over from tracing tcp/2022
# (SSH, judging by the log prefixes) through prerouting, forward, input and
# output. They have no effect while disabled=yes.
# NOTE(review): this export has no dstnat rule and no input accept rule for
# port 2022, so new connections to it from either WAN port hit the drop rules.
add action=log chain=prerouting disabled=yes in-interface=ether1-WAN1 log=yes \
    log-prefix=step1WAN1SSHinPreRouting port=2022 protocol=tcp
add action=log chain=forward disabled=yes log=yes log-prefix=\
    step3-SSHinNoBrdgLocalFWD out-interface=!brdg-local port=2022 protocol=\
    tcp
add action=log chain=input disabled=yes log=yes log-prefix=step2-SSHinput \
    port=2022 protocol=tcp
add action=log chain=output disabled=yes log=yes log-prefix=step2-SSHoutput \
    port=2022 protocol=tcp

# Source NAT: traffic leaving through either uplink is masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-WAN2
add action=masquerade chain=srcnat out-interface=ether1-WAN1

/ip route
# One default route per routing mark, each with a ping gateway check.
# NOTE(review): the gateway is written 82.Z.Y.254 while the WAN1 network is
# 82.Z.X.0/24; probably a redaction slip - confirm the gateway is on-link.
add check-gateway=ping distance=2 gateway=82.Z.Y.254 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=172.16.2.1 routing-mark=to_ISP2
# Unmarked (main table) default route via WAN2 only, with no check-gateway.
add distance=1 gateway=172.16.2.1
# Host routes pinning 1.0.0.1 to the WAN2 gateway and 8.8.4.4 to the WAN1
# gateway; presumably per-uplink probe targets - confirm intent.
add check-gateway=ping distance=1 dst-address=1.0.0.1/32 gateway=172.16.2.1 \
    scope=10
add check-gateway=ping distance=2 dst-address=8.8.4.4/32 gateway=82.Z.Y.254 \
    scope=10