MikroTik gateway configuration

Minimal MT (MikroTik) gateway configuration that includes a baseline of security hardening.

# Track the long-term RouterOS release channel (bug-fix releases only).
# https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#Version_numbering
/system package update
set channel=long-term

# Local time zone; [timezone] is a placeholder to be replaced with a real zone name.
/system clock
set time-zone-name=[timezone]

# Keep the clock in sync with two upstream servers via the SNTP client.
# NOTE(review): SNTP here is unauthenticated; the two addresses are the author's choice.
# https://wiki.mikrotik.com/wiki/Manual:System/Time#SNTP_client
/system ntp client
set secondary-ntp=93.180.6.3 primary-ntp=194.190.168.1 enabled=yes

# Cloud DDNS is not used, and time is already kept by the NTP client above,
# so both the DDNS and the cloud time-update functions stay off.
# https://wiki.mikrotik.com/wiki/Manual:IP/Cloud
/ip cloud
set update-time=no ddns-enabled=no

# One interface list per security zone; the firewall rules below match on these.
# https://wiki.mikrotik.com/wiki/Manual:Interface/List#Lists
/interface list
add name=int-list-wan
add name=int-list-lan
add name=int-list-dmz

# Zone membership: br-lan is the LAN bridge, ethN-ISP the uplink, ethN-DMZ the DMZ port.
# ethN-ISP and ethN-DMZ are placeholders for the real port names.
/interface list member
add list=int-list-lan interface=br-lan disabled=no
add list=int-list-wan interface=ethN-ISP disabled=no
add list=int-list-dmz interface=ethN-DMZ disabled=no

# Hardening for WPA/WPA2-PSK: PMKID caching is turned off on the default
# security profile. Set disable-pmkid=no again only if some clients have
# compatibility or connection problems with the AP.
# https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#WPA_properties
/interface wireless security-profiles
set [ find default=yes ] disable-pmkid=yes

# The bandwidth-test server stays off and is enabled only while measuring
# throughput; even then it requires authentication.
# https://wiki.mikrotik.com/wiki/Manual:Tools/Bandwidth_Test
/tool bandwidth-server
set enabled=no authenticate=yes

# No MAC-level management access (MAC-telnet, MAC-ping, MAC-WinBox) on any interface.
# https://wiki.mikrotik.com/wiki/MAC_access
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool mac-server mac-winbox
set allowed-interface-list=none

# Default route for a static uplink. NNN.NNN.NNN.NNN is a placeholder for the
# ISP gateway address; give the address, not just the interface name.
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=NNN.NNN.NNN.NNN

# Neighbor discovery (MNDP) is switched off on every interface because:
# 1. discarding MNDP with bridge filters is too expensive;
# 2. MNDP is also sent over WLAN, which reveals the RouterOS version
#    to unauthorized Wi-Fi clients.
/ip neighbor discovery-settings
set discover-interface-list=none

# UPnP stays off. With UPnP on the router, a LAN device such as a NAS running
# TwonkyMedia can expose its "private" data (photos, video, ...) to the
# Internet without any admin action; such hosts are publicly indexed:
# https://www.shodan.io/search?query=product%3A"TwonkyMedia+UPnP"
/ip upnp
set enabled=no

# Only strong ciphers/MACs/key exchanges for the SSH service.
# https://wiki.mikrotik.com/wiki/Manual:IP/SSH#Settings
/ip ssh
set strong-crypto=yes

# Neither the SOCKS nor the HTTP proxy service is needed.
/ip socks
set enabled=no
/ip proxy
set enabled=no

# Management services: each one is bound to the LAN subnet, and only WinBox
# and SSH stay enabled. The clear-text services (telnet, ftp, www, api) and
# the TLS variants (www-ssl, api-ssl) are disabled.
/ip service
set api address=192.168.88.0/24 disabled=yes
set api-ssl address=192.168.88.0/24 disabled=yes
set ftp address=192.168.88.0/24 disabled=yes
set ssh address=192.168.88.0/24
set telnet address=192.168.88.0/24 disabled=yes
set winbox address=192.168.88.0/24
set www address=192.168.88.0/24 disabled=yes
set www-ssl address=192.168.88.0/24 disabled=yes

# SNMP is not used for monitoring this router.
/snmp
set enabled=no

# Address lists for the two internal zones; 192.168.XX.0/24 is a placeholder
# for the real DMZ subnet.
/ip firewall address-list
add list=fw-addr-lan address=192.168.88.0/24
add list=fw-addr-dmz address=192.168.XX.0/24

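# INPUT: traffic addressed to the router itself.
/ip firewall filter
add action=accept chain=input comment=\
    "Accept input ESTABLISHED,RELATED from ALL" connection-state=\
    established,related
add action=drop chain=input comment="Drop input INVALID from ALL" \
    connection-state=invalid
# ICMP is answered from every zone, WAN included (no source restriction).
add action=accept chain=input comment="Accept input ICMP from ALL" \
    protocol=icmp
# Full management access from the LAN zone. The source-address list on its
# own would also match a packet arriving on the WAN port with a forged
# 192.168.88.x source, so the ingress interface list is matched as well.
add action=accept chain=input comment="Accept input ALL from LAN" \
    in-interface-list=int-list-lan src-address-list=fw-addr-lan
# DMZ hosts may only use the router's DNS, DHCP and NTP services; pinned to
# the DMZ interface for the same anti-spoofing reason as above.
# NOTE(review): a DHCP DISCOVER carries source 0.0.0.0, which is not in
# fw-addr-dmz; confirm DHCP still works for DMZ clients, or match dst-port=67
# in a separate rule without the address-list condition.
add action=accept chain=input comment="Accept input DNS,DHCP,NTP from DMZ" \
    dst-port=53,67,123 in-interface-list=int-list-dmz protocol=udp \
    src-address-list=fw-addr-dmz
add action=drop chain=input comment="Drop input ALL from ALL"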

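# FORWARD: traffic routed through the router between zones.
/ip firewall filter
# No traffic shaping is used, so every established/related connection is fasttracked.
add action=fasttrack-connection chain=forward comment=\
    "Accept forward ESTABLISHED,RELATED fasttrack from ALL" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Accept forward ESTABLISHED,RELATED from ALL" connection-state=\
    established,related
# Mirrors the INPUT chain. Without this rule an invalid packet falls through
# to the zone rules below; the LAN->WAN rule has no connection-state match,
# so it would forward such packets.
add action=drop chain=forward comment="Drop forward INVALID from ALL" \
    connection-state=invalid
# New connections from the Internet are only allowed when a DST-NAT rule
# rewrote them (port forward); everything else from WAN is dropped here.
add action=drop chain=forward comment=\
    "Drop forward ALL from WAN not DST-NATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=int-list-wan
add action=accept chain=forward comment="Accept forward from LAN to WAN" \
    in-interface-list=int-list-lan out-interface-list=int-list-wan
add action=accept chain=forward comment="Accept forward from LAN to DMZ" \
    connection-state=new in-interface-list=int-list-lan out-interface-list=\
    int-list-dmz
# DMZ may reach the Internet but not the LAN: no DMZ->LAN rule exists, so
# that traffic ends at the final drop.
add action=accept chain=forward comment="Accept forward from DMZ to WAN" \
    connection-state=new in-interface-list=int-list-dmz out-interface-list=\
    int-list-wan
# NOTE(review): DST-NATed connections from WAN pass the drop rule above, but
# none of the accept rules matches in-interface-list=int-list-wan, so any
# port forward into the DMZ also needs an explicit accept placed before this
# final drop.
add action=drop chain=forward comment="Drop forward ALL from ALL"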

Optional configuration for receiving alerts via email.

# Mail every log entry on the "critical" topic (failed login attempts,
# firmware upgrades, ...) to the administrator.
/system logging action
add name=email target=email email-start-tls=yes \
    email-to="Admin <netadm@server.com>"
# Add more topics to this rule to be alerted about other log sections too.
/system logging
add topics=critical action=email

# Log an alert when another DHCP server is seen on the LAN bridge.
/ip dhcp-server alert
add interface=br-lan disabled=no

# Outgoing SMTP relay used by the email action above (TLS only, port 465).
# The SMTP password is kept in the router configuration; keep that in mind
# when exporting or sharing the config.
/tool e-mail
set address=mail.server.com port=465 start-tls=tls-only \
    user="alert@server.com" password="password" \
    from="MikroTik-GW <alert@server.com>"