MikroTik gateway configuration

Minimal MikroTik gateway configuration that includes basic security hardening.

# Follow the long-term release channel: upgrades stay conservative while
# security fixes still arrive. Selecting the channel does not install anything
# by itself; check-for-updates / install are still run manually.
# https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#Version_numbering
/system package update
set channel=long-term

# A correct local clock matters for log timestamps and certificate validity.
# [timezone] is a placeholder for a zone name. Square brackets are command
# substitution in RouterOS scripting (see the [find ...] calls below), so the
# placeholder must be replaced before this line is pasted into a terminal.
/system clock
set time-zone-name=[timezone]

# Keep time synchronised; fill in two reachable NTP servers. primary-ntp and
# secondary-ntp are the RouterOS v6 SNTP client parameters (v7 replaced them
# with servers=), so adjust for the installed version.
# https://wiki.mikrotik.com/wiki/Manual:System/Time#SNTP_client
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=

# MikroTik Cloud is not used: dynamic DNS is not needed and the clock is
# already set from the NTP client above, so the router has no reason to
# contact the cloud service.
# https://wiki.mikrotik.com/wiki/Manual:IP/Cloud
/ip cloud
set ddns-enabled=no update-time=no

# One-day leases on the LAN bridge: fewer renewals and a more stable
# address-to-host mapping when reading logs.
/ip dhcp-server
set numbers=[find interface="br-lan"] lease-time=1d

# Interface lists are what the firewall rules further down match on
# (in-interface-list= / out-interface-list=), so membership here IS the
# security boundary: keep it accurate whenever a port is added or renamed.
# https://wiki.mikrotik.com/wiki/Manual:Interface/List#Lists
/interface list add name=int-list-wan
/interface list add name=int-list-lan
/interface list add name=int-list-dmz

# Membership. ethN-ISP and ethN-DMZ are placeholders for the real port names.
/interface list member add list=int-list-lan interface=br-lan disabled=no
/interface list member add list=int-list-wan interface=ethN-ISP disabled=no
/interface list member add list=int-list-dmz interface=ethN-DMZ disabled=no

# Harden WPA/WPA2-PSK by not including the PMKID in association frames.
# Only set disable-pmkid=no if some clients cannot associate while it is on.
# This is the legacy /interface wireless driver; the newer wifi packages use a
# different menu — confirm on the installed version.
# https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#WPA_properties
/interface wireless security-profiles
set [ find default=yes ] disable-pmkid=yes

# The bandwidth-test server stays off outside of measurement sessions; when it
# is switched on, authenticate=yes ensures only a logged-in user can drive it.
# https://wiki.mikrotik.com/wiki/Manual:Tools/Bandwidth_Test
/tool bandwidth-server set enabled=no authenticate=yes

# Layer-2 management (MAC Telnet, MAC WinBox, MAC ping) works without an IP
# address and is not matched by the /ip firewall filter rules below, so it is
# allowed on no interface at all.
# https://wiki.mikrotik.com/wiki/MAC_access
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

# Static route. Give the next hop as an IP address rather than only an
# interface name. Both dst-address and gateway are placeholders here; a default
# route would use dst-address=0.0.0.0/0.
/ip route
add dst-address= gateway=NNN.NNN.NNN.NNN distance=1

# Neighbor discovery (MNDP) is switched off on every interface:
# 1. dropping MNDP in the bridge filter is expensive;
# 2. the announcements also go out over WLAN, which reveals the RouterOS
#    version to any associated, unauthorised Wi-Fi client.
# Side effect: the router no longer shows up in WinBox's neighbor list.
/ip neighbor discovery-settings
set discover-interface-list=none

# UPnP lets any LAN host open inbound ports on the WAN side by itself. A media
# server on a NAS (TwonkyMedia is the classic case) then ends up reachable from
# the whole Internet, "private" photos and videos included. Keep it off and
# create port forwards explicitly instead.
/ip upnp
set enabled=no

# SSH: drop the legacy ciphers/MACs/key-exchange methods. Consider
# forwarding-enabled=no as well so the router cannot be used as a tunnel
# endpoint by an SSH user.
# https://wiki.mikrotik.com/wiki/Manual:IP/SSH#Settings
/ip ssh set strong-crypto=yes

# Neither the SOCKS server nor the HTTP proxy is needed on a gateway; either one
# left enabled (and reachable) turns the router into a relay for other traffic.
/ip socks set enabled=no
/ip proxy set enabled=no

# Management services. address= limits each service to the listed source
# prefixes; left empty, the service answers from wherever the input chain lets
# packets through. Fill in the management/LAN prefixes even though the firewall
# below also drops non-LAN input — two independent layers. Only WinBox and SSH
# stay enabled; the cleartext protocols (telnet, ftp, www, api) remain off.
/ip service set winbox address=
/ip service set ssh address=
/ip service set telnet disabled=yes address=
/ip service set ftp disabled=yes address=
/ip service set www disabled=yes address=
/ip service set www-ssl disabled=yes address=
/ip service set api disabled=yes address=
/ip service set api-ssl disabled=yes address=

# SNMP polling is not in use. If monitoring is added later, prefer an SNMPv3
# user over a community string.
/snmp set enabled=no

# Address lists referenced by the input chain's src-address-list= matchers.
# address= for fw-addr-lan is a placeholder for the LAN prefix, 192.168.XX.0/24
# likewise for the DMZ prefix.
/ip firewall address-list add list=fw-addr-lan address=
/ip firewall address-list add list=fw-addr-dmz address=192.168.XX.0/24

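/ip firewall filter
# INPUT chain: traffic addressed to the router itself. Rules are evaluated in
# order and the last rule makes the chain default-deny, so anything that must
# reach the router has to be accepted above it.
#
# NOTE(review): in the original listing several rules ended in a bare
# backslash with their matcher missing (the text was cut off). The matchers
# below are reconstructed from each rule's comment and from the lists defined
# earlier in this file — compare with the running config before relying on them.
add action=accept chain=input comment="Accept input ESTABLISHED,RELATED from ALL" \
    connection-state=established,related
add action=drop chain=input comment="Drop input INVALID from ALL" \
    connection-state=invalid
# ICMP is accepted from everywhere, WAN included, for reachability checks and
# path-MTU discovery; narrow it with icmp-options= if that is too permissive.
add action=accept chain=input comment="Accept input ICMP from ALL" protocol=icmp
# The LAN is matched both by ingress interface and by source prefix, so a packet
# arriving on WAN or DMZ with a forged LAN source address does not qualify.
add action=accept chain=input comment="Accept input ALL from LAN" \
    in-interface-list=int-list-lan src-address-list=fw-addr-lan
# The DMZ only reaches the services the router provides to it (DNS, DHCP, NTP).
add action=accept chain=input comment="Accept input DNS,DHCP,NTP from DMZ" \
    dst-port=53,67,123 protocol=udp src-address-list=fw-addr-dmz
add action=drop chain=input comment="Drop input ALL from ALL"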

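/ip firewall filter
# FORWARD chain: traffic passing through the router between LAN, DMZ and WAN.
# Default-deny as well — anything not explicitly accepted, including DMZ -> LAN
# (deliberately no rule), hits the final drop.
#
# NOTE(review): as in the input chain, several rules of the original listing
# lost the value after their trailing backslash; the connection-state and
# out-interface-list values below are reconstructed from the comments and the
# interface lists defined earlier — verify against the running config.
#
# No traffic shaping is used, so established/related traffic is fasttracked.
# Fasttracked packets skip the remaining firewall, mangle and queue processing;
# policy is therefore enforced once, on the connection's first (new) packet.
add action=fasttrack-connection chain=forward \
    comment="Accept forward ESTABLISHED,RELATED fasttrack from ALL" \
    connection-state=established,related
add action=accept chain=forward \
    comment="Accept forward ESTABLISHED,RELATED from ALL" \
    connection-state=established,related
# Added: drop invalid-state packets in forward too (the input chain already
# does). Without it a packet the tracker cannot attribute to any connection can
# still match an accept rule below whose connection-state is not restricted.
add action=drop chain=forward comment="Drop forward INVALID from ALL" \
    connection-state=invalid
# Unsolicited traffic from the Internet is only allowed when a dst-nat rule
# (port forward) has already rewritten it.
add action=drop chain=forward comment="Drop forward ALL from WAN not DST-NATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=int-list-wan
# NOTE(review): unlike the LAN->DMZ and DMZ->WAN rules this one does not
# restrict connection-state=new; with the invalid drop above, the only states
# left to reach it are new and untracked. Kept as in the original.
add action=accept chain=forward comment="Accept forward from LAN to WAN" \
    in-interface-list=int-list-lan out-interface-list=int-list-wan
add action=accept chain=forward comment="Accept forward from LAN to DMZ" \
    connection-state=new in-interface-list=int-list-lan out-interface-list=int-list-dmz
add action=accept chain=forward comment="Accept forward from DMZ to WAN" \
    connection-state=new in-interface-list=int-list-dmz out-interface-list=int-list-wan
add action=drop chain=forward comment="Drop forward ALL from ALL"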

# Idle established TCP connections leave the connection table after one hour
# of silence instead of the default (1d), bounding table growth from stale flows.
# https://www.youtube.com/watch?v=wGDTWaDL8jc
/ip firewall connection tracking
set tcp-established-timeout=1h

Optional configuration for receiving alerts via email.

# Log-to-email action: every log message on the selected topics is mailed to
# the admin. email-start-tls=yes is kept in line with the TLS transport
# configured in /tool e-mail below.
/system logging action add name=email target=email \
    email-to="Admin <netadm@server.com>" email-start-tls=yes
# critical covers e.g. failed login attempts and firmware upgrades; widen
# topics= to receive messages from other log sections as well.
/system logging add topics=critical action=email

# Rogue DHCP server detection on the LAN bridge. A foreign server is logged;
# whether that reaches the mail action depends on the topics= chosen above.
/ip dhcp-server alert add interface=br-lan disabled=no

# Outbound mail relay. port=465 together with start-tls=tls-only means TLS from
# the start of the connection (no STARTTLS upgrade). "password" is a
# placeholder: use a dedicated send-only mailbox, because the credential is
# stored in the router configuration.
/tool e-mail set address=mail.server.com port=465 start-tls=tls-only \
    user="alert@server.com" password="password" \
    from="MikroTik-GW <alert@server.com>"

Receive a weekly configuration backup via email.
The `config_backup` script:

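# config_backup: export the running configuration with secrets masked, mail it
# to the admin, then delete the temporary file from router storage.
#
# Reads:  /system identity name, /system resource version
# Writes: a temporary <identity>-backup.rsc in /file, removed at the end
# Sends:  one e-mail through the transport configured in /tool e-mail
#
# NOTE(review): hide-sensitive masks passwords and keys, but the export still
# reveals addressing, firewall policy and user names, so the receiving mailbox
# has to be treated as confidential. On RouterOS v7 sensitive values are hidden
# by default and this option may not exist — confirm on the installed version.
:local sysname [/system identity get name];
:local ver [/system resource get version];
:local exportconfig ($sysname . "-backup.rsc");

/export hide-sensitive file=$exportconfig;
# The delays are kept from the original. The added existence check makes the
# send conditional, so a failed export is logged instead of producing a mail
# without an attachment and a /file remove on a missing file.
:delay 10s;
:if ([:len [/file find name=$exportconfig]] > 0) do={
    /tool e-mail send to="Admin <netadm@server.com>" \
        subject=("Configuration backup from " . $sysname) \
        file=$exportconfig body=($ver);
    :delay 10s;
    /file remove $exportconfig;
} else={
    :log error ("config_backup: export file " . $exportconfig . " was not created");
}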

The `sched_config_backup` scheduler task (its on-event):

# The weekly scheduler entry only invokes the script. Both the scheduler entry
# and the script need a policy that allows reading, writing and sending mail
# (e.g. read,write — confirm which policy /tool e-mail send requires on the
# installed version); otherwise the export or the /file remove fails quietly.
/system script
run config_backup