Edge Router Configuration

Sample Configuration from ER1.Westin Edge Router

# --- Layer-2, tunnel and logical interfaces ---
/interface bridge
# LAN carries the 44.25.16.0/26 user network (ports ether2/ether4 added further down).
# OPP has no ports and no addresses anywhere in this export.
add name=LAN protocol-mode=none
add name=OPP protocol-mode=none
# loopback0 only holds the 44.25.12.86 host address assigned under /ip address.
add fast-forward=no name=loopback0
/interface ethernet
# NOTE: the first two ports are renamed crosswise (chassis ether2 becomes "ether1" = ISP 1,
# chassis ether1 becomes "ether2" = Gold). Every later reference (bond1 slaves, bridge ports,
# queues) uses the renamed names, not the chassis labels.
set [ find default-name=ether2 ] comment="ISP 1" disable-running-check=no name=ether1
set [ find default-name=ether1 ] comment=Gold disable-running-check=no name=ether2
set [ find default-name=ether3 ] comment="ISP 2" disable-running-check=no
set [ find default-name=ether4 ] comment="Queen Anne / LAN" disable-running-check=no
/interface gre
# Plain GRE to the San Juan Island peer; no IPsec binding is configured on it here, and the
# input chain below accepts protocol=gre from any source address.
add local-address=44.25.16.1 name=sanjuan-gre remote-address=44.25.143.150
/interface 6to4
# Disabled; retained for reference only.
add comment=Seattle-ER1 disabled=yes !keepalive local-address=209.189.196.68 \
    mtu=1280 name=sit2 remote-address=173.225.18.18
/interface eoip
# Backbone links to the FMT and Ziply sites. EoIP itself carries frames without encryption
# or authentication and neither tunnel is bound to IPsec in this export; the only peer
# authentication on these links is the OSPF MD5 auth set on the interface templates.
# allow-fast-path=no presumably keeps tunnel traffic visible to firewall/mangle rules — confirm.
add allow-fast-path=no mac-address=FE:0E:31:C1:0D:A6 mtu=1500 name=\
    ER1.FMT-eoip remote-address=64.62.134.52 tunnel-id=1
add allow-fast-path=no mac-address=FE:F1:14:DB:E1:89 mtu=1500 name=\
    ER1.Ziply-eoip remote-address=50.54.243.191 tunnel-id=2
/interface ipipv6
# Disabled.
add clamp-tcp-mss=no disabled=yes dscp=0 !keepalive local-address=\
    2604:5000:20:2::1 mtu=1460 name=ipipv6-1 remote-address=2604:5000:20:2::2
/interface vlan
# VLAN 1044 on each backbone tunnel and on the LAN bridge is the management plane;
# these three sub-interfaces are placed in the mgmt VRF below.
add interface=ER1.FMT-eoip name=ER1.FMT-eoip.mgmt vlan-id=1044
add interface=ER1.Ziply-eoip name=ER1.Ziply-eoip.mgmt vlan-id=1044
add interface=LAN name=LAN.mgmt vlan-id=1044
/interface bonding
# Active/backup across the two ISP uplinks (ether1 primary, ether3 standby). bond1 is the
# single "outside" interface referenced by the firewall and NAT rules.
add lacp-rate=1sec mode=active-backup name=bond1 primary=ether1 slaves=\
    ether1,ether3 transmit-hash-policy=layer-2-and-3
/ip pool
# DHCP pool for the LAN bridge: 21 addresses.
add name=LAN ranges=44.25.16.40-44.25.16.60
/ip smb users
# Disable the built-in SMB account.
set [ find default=yes ] disabled=yes
/ip vrf
# Management VRF keeps the VLAN-1044 interfaces out of the main routing table.
add interfaces=LAN.mgmt,ER1.FMT-eoip.mgmt,ER1.Ziply-eoip.mgmt name=mgmt
/port
set 0 name=serial0
set 1 name=serial1
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether4 queue=ethernet-default
# --- Routing protocol templates, SNMP community, remote log target ---
/routing bgp template
# Default template for the ISP sessions: outbound routes must pass BGP-Announce and are
# sourced from the bgp-networks address-list. <YOUR AS NUMBER> is a placeholder.
# NOTE(review): router-id 209.189.196.67 is not the bond1 address (.68); a router-id is only
# an identifier, but confirm it is intentional and unique across the network.
set default as=<YOUR AS NUMBER> comment="Peering with ISP" output.filter-chain=\
    BGP-Announce .network=bgp-networks .no-client-to-client-reflection=yes \
    .redistribute=connected,ospf,bgp router-id=209.189.196.67
# Template for HamWAN partner (OPP) sessions. No output filter-chain is set at template level,
# so each OPP connection must supply its own (the SanJuan connection below does).
add address-families=ip as=<ANOTHER AS NUMBER> comment="Peering with HamWAN partners" name=\
    OPP output.network=bgp-networks .no-client-to-client-reflection=no \
    .redistribute=connected,ospf,bgp router-id=44.25.16.1
/routing ospf instance
# Public instance: Ham-default filters both directions. Statics are redistributed here but
# Ham-default rejects protocol=static unless an explicit accept is placed above that rule.
# Router-id 44.25.12.117 differs from the loopback0 address 44.25.12.86 — confirm intended.
add disabled=no in-filter-chain=Ham-default name=public originate-default=\
    if-installed out-filter-chain=Ham-default redistribute=\
    connected,static,bgp router-id=44.25.12.117
# Management instance bound to the mgmt VRF; the mgmt filter chain limits it to 10.44.0.0/16.
add disabled=no in-filter-chain=mgmt name=mgmt out-filter-chain=mgmt \
    redistribute=connected,ospf,bgp router-id=10.44.3.1 vrf=mgmt
/routing ospf area
add disabled=no instance=public name=backbone
add disabled=no instance=mgmt name=mgmt
/snmp community
# Community restricted to 44.25.0.0/16 at the SNMP layer; the input chain additionally limits
# UDP/161 to 44.25.0.0/16 and 44.24.240.0/20. No SNMPv3 security settings appear here, so this
# is presumably v1/v2c — the community string is a credential and should be treated as one.
set [ find default=yes ] addresses=44.25.0.0/16 name=hamwan
/system logging action
# Remote syslog destination used by the action=remote logging rule at the end of the file.
set 3 remote=44.25.0.8
# --- Bridge membership, conntrack/IP settings, addressing, DHCP, DNS ---
/interface bridge port
# Gold (ether2) and Queen Anne (ether4) are both members of the LAN bridge.
add bridge=LAN interface=ether2
add bridge=LAN interface=ether4
/ip firewall connection tracking
# Short UDP timeout keeps the connection table small under UDP floods.
set udp-timeout=10s
/ip settings
# Do not emit ICMP redirects.
set send-redirects=no
/ipv6 settings
set max-neighbor-entries=1024
/ip address
# /30 point-to-points on each backbone tunnel, the ISP handoff /28 on bond1, the user LAN /26,
# and 10.44.x management addressing on the VLAN-1044 interfaces (mgmt VRF).
add address=44.25.8.17/30 interface=ER1.FMT-eoip network=44.25.8.16
add address=209.189.196.68/28 interface=bond1 network=209.189.196.64
add address=44.25.16.1/26 interface=LAN network=44.25.16.0
# No prefix length given; presumably treated as a /32 host address — confirm on import.
add address=44.25.12.86 interface=loopback0 network=44.25.12.86
add address=44.25.8.149/30 interface=sanjuan-gre network=44.25.8.148
add address=44.25.8.241/30 interface=ER1.Ziply-eoip network=44.25.8.240
add address=10.44.32.26/30 interface=ER1.FMT-eoip.mgmt network=10.44.32.24
add address=10.44.32.30/30 interface=ER1.Ziply-eoip.mgmt network=10.44.32.28
add address=10.44.3.1/24 interface=LAN.mgmt network=10.44.3.0
/ip dhcp-server
# Hands out the LAN pool (44.25.16.40-60) on the LAN bridge with 1h leases.
add address-pool=LAN interface=LAN lease-time=1h name=dhcp
/ip dhcp-server network
# Clients receive the HamWAN resolvers/NTP servers; these are the same addresses that the
# forward chain's auth_dns_servers / ntp_servers lists and the router's own DNS setting use.
add address=44.25.16.0/26 dns-server=44.25.0.1,44.25.1.1 domain=HamWAN.net \
    gateway=44.25.16.1 ntp-server=44.25.0.4,44.25.1.4
/ip dns
set servers=44.25.0.1,44.25.1.1
# --- Address lists referenced by the filter, NAT and BGP configuration ---
# whitelist is matched first in both the input and forward chains with action=accept, so every
# source below bypasses all later input restrictions (SSH, WinBox, SNMP source limits). Several
# entries are individuals' home/ISP addresses; review them periodically and remove stale ones.
# The lists "china" and "local_isp" are referenced by filter rules below but are not defined in
# this export — those rules match nothing unless the lists are populated elsewhere.
/ip firewall address-list
add address=44.24.241.128/28 comment="VPN pool" list=whitelist
add address=50.46.215.96 comment=K7NVH list=whitelist
add address=209.66.65.66 comment=Osburn list=whitelist
add address=73.83.58.54 comment=AE7SJ list=whitelist
add address=75.172.15.204 comment=tom list=whitelist
add address=70.89.113.113 comment=NQ1E list=whitelist
# Authoritative DNS and NTP servers that LAN clients are allowed to reach (forward chain).
add address=44.24.244.2 list=auth_dns_servers
add address=44.24.245.2 list=auth_dns_servers
add address=44.24.244.4 list=ntp_servers
add address=44.24.245.4 list=ntp_servers
# UCSD destinations that require source NAT (see the masquerade rule under /ip firewall nat).
add address=44.0.0.1 comment=ampr.org list=UCSD
add address=128.54.0.0/16 list=UCSD
add address=132.239.0.0/16 list=UCSD
add address=137.110.0.0/16 list=UCSD
add address=169.228.0.0/16 list=UCSD
# APRSC and AE7Q lists are defined here but not referenced by any rule in this export.
add address=44.24.242.23 list=APRSC
add address=44.24.240.201 list=APRSC
add address=44.24.244.5 list=PORTAL
add address=44.24.245.5 list=PORTAL
add address=44.24.244.6 list=PORTAL
add address=44.24.245.6 list=PORTAL
add address=44.24.255.128/25 list=AE7SJ
add address=44.24.255.0/25 list=K7NVH
add address=44.24.240.173 list=AE7Q
# Manually added after observed SSH brute-force attempts. Nothing in this export rate-limits
# or auto-blocks SSH sources, so the blacklist only grows by hand.
add address=71.191.86.161 comment=\
    "manual entry after hundreds of brute force ssh login attemps" list=blacklist
add address=125.212.202.43 comment=\
    "manual entry after hundreds of brute force ssh login attemps" list=blacklist
add address=44.24.241.32/28 comment=Haystack list=whitelist
# The ISP handoff /28 is whitelisted, so both ISP gateway addresses have full input-chain access.
add address=209.189.196.64/28 comment="ISP handoff LAN" list=whitelist
add address=27.72.64.66 comment=\
    "manual entry after hundreds of brute force ssh login attemps" list=blacklist
add address=104.233.116.161 list=blacklist
add address=212.91.171.178 list=blacklist
# Prefixes offered to BGP peers (output.network on both templates); BGP-Announce / OPP filter
# chains decide which of them are actually advertised to each peer.
add address=44.12.6.0/24 comment=K7NVH list=bgp-networks
add address=44.24.240.0/20 comment=HamWAN list=bgp-networks
add address=44.25.0.0/16 comment=HamWAN list=bgp-networks
add address=44.12.9.0/24 list=bgp-networks
add address=44.135.219.0/24 list=bgp-networks
add address=44.26.168.0/24 list=bgp-networks
add address=44.25.0.4 list=ntp_servers
add address=44.25.1.4 list=ntp_servers
add address=44.25.0.2 list=auth_dns_servers
add address=44.25.1.2 list=auth_dns_servers
# --- Input chain: traffic addressed to the router itself. Order matters; the chain ends in drop. ---
/ip firewall filter
# Whitelist is evaluated before the blacklist, so an address in both lists is accepted.
add action=accept chain=input comment="Allow everything from our whitelist" \
    src-address-list=whitelist
add action=drop chain=input comment="Drop everything from out blacklist" \
    src-address-list=blacklist
# "china" list is not defined in this export; no-op unless populated elsewhere.
add action=drop chain=input src-address-list=china
add action=accept chain=input comment="Allow ipip to Local" protocol=ipencap
add action=accept chain=input comment="Allow icmp to Local" protocol=icmp
add action=accept chain=input comment="Allow UDP traceroute" port=33434-33625 protocol=udp
add action=accept chain=input comment="Allow related to Local" connection-state=related
# SSH (moved to port 222 under /ip service) is accepted from any source; the blacklist
# comments show brute-force attempts reach it. Consider a src-address-list or rate limit.
add action=accept chain=input comment="Allow SSH to Local" dst-port=222 protocol=tcp
# SSTP VPN endpoint, open to any source.
add action=accept chain=input comment="Allow SSTP to Local" dst-port=443 protocol=tcp
# WinBox only from the whitelist (redundant with the first rule, but documents intent).
add action=accept chain=input comment="Allow WinBox to Local from whitelist" \
    dst-port=8291 protocol=tcp src-address-list=whitelist
# NOTE(review): this 44/8-restricted rule is superseded by the unrestricted port-2000 accept
# near the end of the chain, which opens bandwidth-test to every source.
add action=accept chain=input comment="Allow bandwidth test from 44net" \
    dst-port=2000 protocol=tcp src-address=44.0.0.0/8
add action=accept chain=input comment="Allow ipsec-esp to Local" protocol=ipsec-esp
add action=accept chain=input comment="Allow ipsec-ah to Local" protocol=ipsec-ah
add action=accept chain=input comment="Allow ipsec to Local" dst-port=500 protocol=udp
add action=accept chain=input comment="Allow ipsec to Local" dst-port=4500 protocol=udp
# GRE accepted from any source (sanjuan-gre peer is 44.25.143.150; EoIP peers are 64.62.134.52
# and 50.54.243.191). Restricting to those src-addresses would tighten this.
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow ospf to Local" protocol=ospf
add action=accept chain=input comment="Allow bgp to Local" dst-port=179 protocol=tcp
# NOTE(review): matching on src-port=179 alone accepts any TCP packet whose sender chose that
# source port. Return traffic for locally initiated BGP sessions is already covered by the
# established/related rules, so this rule can be removed.
add action=accept chain=input comment="Allow bgp responses" protocol=tcp src-port=179
# NTP replies from the listed servers (dst-port=123 on the router side — verify this matches
# how the NTP client binds; the established rule below would cover replies in any case).
add action=accept chain=input comment="Allow NTP Responses" dst-port=123 \
    protocol=udp src-address-list=ntp_servers
# Disabled debug logging of established traffic.
add action=log chain=input connection-state=established disabled=yes
add action=accept chain=input comment="Allow established to Local" \
    connection-state=established
# SNMP from the two HamWAN ranges; the 44.24.240.0/20 rule logs each hit.
add action=accept chain=input comment="Allow SNMP" dst-port=161 protocol=udp \
    src-address=44.25.0.0/16
add action=accept chain=input comment="Allow SNMP" dst-port=161 log=yes \
    protocol=udp src-address=44.24.240.0/20
# Unrestricted bandwidth-test control port; see the 44/8 rule above.
add action=accept chain=input comment=\
    "bandwidth-test server control connections" dst-port=2000 protocol=tcp
# Terminal drop: anything not explicitly accepted above is discarded.
add action=drop chain=input comment="Drop unwanted packets to Local"
# --- Forward chain: transit traffic. NOTE(review): unlike the input chain there is no terminal
# drop here, so anything not hit by one of the explicit drop rules is forwarded by the default
# policy. The accept rules for DNS/NTP/PORTAL/SSH below therefore only short-circuit evaluation
# (and place traffic ahead of the drops); they do not restrict what else may be forwarded. ---
add action=accept chain=forward comment="Allow established to HamWAN" connection-state=established
add action=accept chain=forward comment="Allow related to HamWAN" connection-state=related
add action=accept chain=forward comment="Allow everything from our whitelist" src-address-list=whitelist
add action=drop chain=forward comment="Drop everything from our blacklist" src-address-list=blacklist
# "china" list is not defined in this export; no-op unless populated elsewhere.
add action=drop chain=forward connection-state=new src-address-list=china
# Audit log of new outbound SSH/Telnet connections leaving via the ISP bond (prefix "egress").
add action=log chain=forward comment="log egress ssh,telnet" \
    connection-state=new dst-port=22,23 log-prefix=egress out-interface=bond1 \
    protocol=tcp tcp-flags=syn,!ack
add action=accept chain=forward comment="Allow icmp to HamWAN" protocol=icmp
add action=accept chain=forward comment=\
    "Allow DNS to specified authoritative nameservers" dst-address-list=\
    auth_dns_servers dst-port=53 protocol=udp
add action=accept chain=forward comment=\
    "Allow DNS to specified authoritative nameservers" dst-address-list=\
    auth_dns_servers dst-port=53 protocol=tcp
add action=accept chain=forward comment="Allow NTP to specified timeservers" \
    dst-address-list=ntp_servers dst-port=123 protocol=udp
add action=accept chain=forward comment=\
    "Allow HTTP and HTTPS to specified PORTAL servers" dst-address-list=\
    PORTAL dst-port=80,443 protocol=tcp
# Inbound SSH toward HamWAN hosts from any source.
add action=accept chain=forward comment="Allow SSH to HamWAN" dst-port=22 protocol=tcp
# "local_isp" list is not defined in this export; no-op unless populated elsewhere. WinBox from
# bond1 is dropped two rules below, so this accept is what would exempt those ISP ranges.
add action=accept chain=forward comment=\
    "Allow WinBox to HamWAN from some local ISPs" dst-port=8291 protocol=tcp src-address-list=local_isp
# Management-plane protections for downstream routers: no Telnet/WinBox/API from the internet,
# and no WinBox out to the internet (contains a compromised router's outbound control traffic).
add action=drop chain=forward comment="Drop Telnet from Outside" dst-port=23 in-interface=bond1 protocol=tcp
add action=drop chain=forward comment=\
    "Drop Winbox, API, and API-SSL from outside" dst-port=8291,8728,8729 in-interface=bond1 protocol=tcp
add action=drop chain=forward comment=\
    "Drop Winbox to outside (sterilizes compromised routers)" dst-port=8291 out-interface=bond1 protocol=tcp
# Blocks OpenSLP (TCP/427) in both directions, per the referenced CVE.
add action=drop chain=forward comment=\
    "Block OpenSLP access due to CVE-2021-21974" dst-port=427 protocol=tcp
# --- MSS clamping, NAT, IPsec profile, static routes, management services ---
/ip firewall mangle
# Clamp TCP MSS to 1378 on SYNs originated here and in transit (tunnel overhead on the backbone).
add action=change-mss chain=output new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378
add action=change-mss chain=forward new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378
/ip firewall nat
# Source-NAT only toward the UCSD list (see comment); everything else leaves with its 44-net source.
add action=masquerade chain=srcnat comment=\
    "NAT kludge since UCSD does not send return traffic for src-44/8 IPs" \
    dst-address-list=UCSD out-interface=bond1
# Inbound UDP/51838 from the ISP bond is forwarded to 44.25.16.11. The forward chain has no
# terminal drop, so this host is reachable on that port from any internet source.
add action=dst-nat chain=dstnat dst-port=51838 in-interface=bond1 protocol=\
    udp to-addresses=44.25.16.11 to-ports=51838
/ip ipsec profile
# Dead-peer detection on the default profile; no IPsec peers/policies appear in this export.
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# High-distance blackholes for the aggregates this router originates (44.25.0.0/16 is in
# bgp-networks; 44.12.6.0/24 and 44.24.221.0/24 are in BGP-Announce). Traffic for unallocated
# parts of these prefixes is discarded instead of following a default route.
add blackhole disabled=no distance=253 dst-address=44.25.0.0/16
add blackhole distance=253 dst-address=44.12.6.0/24
add blackhole distance=253 dst-address=44.24.221.0/24
# Host routes for the Ziply EoIP remote endpoint via both ISP gateways so the tunnel never
# recurses through the tunnel itself.
add dst-address=50.54.243.191/32 gateway=209.189.196.65
add dst-address=50.54.243.191/32 gateway=209.189.196.66
/ip service
# Cleartext/legacy management disabled; SSH moved to 222 (the input chain accepts 222).
# WinBox is left enabled and relies on the whitelist-only input rule.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# NOTE(review): enables both local and remote TCP forwarding for any authenticated SSH user,
# which turns a router login into a pivot into the attached networks; set to no unless needed.
set forwarding-enabled=both
/ipv6 firewall address-list
# IPv6 whitelist entry; no /ipv6 firewall filter rules appear in this export to consume it.
add address=2601:8:9180::/48 comment="tom (Comcast, Tacoma region, dynamic)" \
    list=whitelist
# --- BGP sessions. AS numbers are placeholders; "<IPS AS>" on peer1 is presumably the same
# "<ISP AS>" placeholder used on peer2. ---
/routing bgp connection
# eBGP to ISP gateway .65: only 44-net routes and a default are accepted (AMPR-default),
# only BGP-Announce prefixes are sent.
add comment="ISP 1 IPv4" connect=yes disabled=no input.filter=\
    AMPR-default listen=yes local.address=209.189.196.68 .role=ebgp name=\
    peer1 output.filter-chain=BGP-Announce remote.address=209.189.196.65 .as=\
    <IPS AS> templates=default
# Same policy to ISP gateway .66.
add comment="ISP 2 IPv4" connect=yes disabled=no input.filter=\
    AMPR-default listen=yes local.address=209.189.196.68 .role=ebgp name=\
    peer2 output.filter-chain=BGP-Announce remote.address=209.189.196.66 .as=\
    <ISP AS> templates=default
# Multihop eBGP to the San Juan Island partner over sanjuan-gre: accepts only 44.24.200.0/22
# and its more-specifics (OPP-KD7KAB), sends only a default route (OPP-KD7KAB-OUT), and
# originates that default when one is installed.
add as=<YOUR AS NUMBER> comment="SanJuan Is." connect=yes disabled=no input.filter=\
    OPP-KD7KAB listen=yes local.address=44.25.8.149 .role=ebgp multihop=yes \
    name=OPP-KD7KAB output.default-originate=if-installed .filter-chain=\
    OPP-KD7KAB-OUT remote.address=44.25.8.150 .as=<THEIR AS NUMBER> routing-table=main \
    templates=OPP
# --- Routing filters. Routes not matched by any rule in a chain fall through to the chain's
# default disposition (presumably reject on this RouterOS version — confirm). ---
/routing filter rule
# mgmt chain (OSPF mgmt instance, in and out): only 10.44.0.0/16 and more-specifics plus default.
add chain=mgmt rule="if (dst in 10.44.0.0/16 && dst-len >= 16) { accept }"
add chain=mgmt rule="if (dst == 0.0.0.0/0) { accept }"
# Ham-default (public OSPF instance, in and out): statics are rejected unless an accept for a
# specific static is inserted above this rule; 44-net space and the default route pass.
add chain=Ham-default comment="Place rules to accept specific static routes fo\
    r redistribution above this line" rule="if (protocol static) { reject }"
add chain=Ham-default rule=\
    "if (dst in 44.0.0.0/9 && dst-len >= 9) { accept }"
add chain=Ham-default rule=\
    "if (dst in 44.128.0.0/10 && dst-len >= 10) { accept }"
add chain=Ham-default rule="if (dst == 0.0.0.0/0) { accept }"
# AMPR-default (inbound from both ISPs): the two explicit rejects stop the ISPs from supplying
# the San Juan and WARA prefixes, presumably so the partner-learned paths win — confirm. Only
# 44-net prefixes and a default are accepted, so the ISPs cannot inject other routes.
add chain=AMPR-default rule="if (dst == 44.24.200.0/22) { reject; }"
add chain=AMPR-default rule="if (dst == 44.135.219.0/24) { reject; }"
add chain=AMPR-default disabled=no rule=\
    "if (dst in 44.0.0.0/9 && dst-len in 9-32) { accept; }"
add chain=AMPR-default disabled=no rule=\
    "if (dst in 44.128.0.0/10 && dst-len in 10-32) { accept; }"
add chain=AMPR-default disabled=no rule="if (dst == 0.0.0.0/0) { accept; }"
# BGP-Announce (outbound to both ISPs): an explicit allow-list of HamWAN and partner prefixes,
# then a jump into the OPP chain for partner prefixes, then one more partner prefix.
# 44.24.125.0/24, 44.24.131.0/24, 44.135.180.0/24, 44.135.219.0/24 and 44.31.187.0/24 are also
# accepted by the OPP chain, so their direct entries here are redundant but harmless.
add chain=BGP-Announce disabled=no rule=\
    "if (dst in 44.24.240.0/20 && dst-len in 20-21) { accept; }"
add chain=BGP-Announce disabled=no rule=\
    "if (dst == 44.12.6.0/24) { accept; }"
add chain=BGP-Announce disabled=no rule=\
    "if (dst == 44.12.9.0/24) { accept; }"
add chain=BGP-Announce disabled=no rule=\
    "if (dst == 44.24.221.0/24) { accept; }"
add chain=BGP-Announce disabled=no rule=\
    "if (dst == 44.24.125.0/24) { accept; }"
add chain=BGP-Announce disabled=no rule=\
    "if (dst == 44.24.131.0/24) { accept; }"
add chain=BGP-Announce rule="if (dst == 44.135.180.0/24) { accept; }"
add chain=BGP-Announce disabled=no rule=\
    "if (dst == 44.135.219.0/24) { accept; }"
add chain=BGP-Announce disabled=no rule=\
    "if (dst == 44.25.0.0/16) { accept; }"
add chain=BGP-Announce rule="jump OPP;"
add chain=BGP-Announce comment=VE7XMC disabled=no rule=\
    "if (dst == 44.31.187.0/24) { accept; }"
# OPP chain: per-partner prefixes re-announced upstream. Each entry is one partner's allocation;
# add a partner here rather than in BGP-Announce.
add chain=OPP comment=OPP-KG5IRU rule="if (dst == 44.31.137.0/24) { accept }"
add chain=OPP comment=OPP-WB7AWL rule="if (dst == 44.26.168.0/24) { accept }"
add chain=OPP comment=OPP-KJ7DMC rule="if (dst == 44.26.163.0/24) { accept }"
add chain=OPP comment=VE7XMC rule="if (dst == 44.31.187.0/24) { accept }"
add chain=OPP comment=VE7XMC rule="if (dst == 44.135.180.0/24) { accept }"
add chain=OPP comment=WARA rule="if (dst == 44.135.219.0/24) { accept }"
# Disabled partner entry retained.
add chain=OPP comment=OPP-KF4GTA disabled=yes rule=\
    "if (dst == 44.36.240.0/21) { accept }"
add chain=OPP comment=OPP-KD7LXL rule="if (dst == 44.24.131.0/24) { accept }"
add chain=OPP comment=OPP-NQ1E rule="if (dst == 44.24.125.0/24) { accept }"
add chain=OPP comment="OPP-KD7KAB - SanJuan Is." disabled=no rule=\
    "if (dst == 44.24.200.0/22) { accept; }"
# San Juan session: send only a default route; accept only their /22 and more-specifics.
add chain=OPP-KD7KAB-OUT rule="if (dst == 0.0.0.0/0) { accept; }"
add chain=OPP-KD7KAB rule=\
    "if (dst == 44.24.200.0/22 && dst-len in 22-32) { accept; }"
# --- OSPF interface templates, SNMP agent, clock, identity, logging, NTP ---
/routing ospf interface-template
# mgmt-area interfaces run with no OSPF authentication (they live in the mgmt VRF on VLAN 1044).
add area=mgmt disabled=no interfaces=LAN.mgmt
# Backbone-area adjacencies use MD5 authentication. The keys shown are sample values for this
# published config; real deployments need unique keys and a rotation procedure (change auth-id
# when rotating). Cost 10 prefers the Ziply path over FMT (cost 40).
add area=backbone auth=md5 auth-id=1 auth-key=ABCD1234 disabled=no \
    interfaces=LAN
add area=backbone auth=md5 auth-id=1 auth-key=1A2B3C4D cost=10 disabled=no \
    interfaces=ER1.Ziply-eoip type=ptp
add area=backbone auth=md5 auth-id=1 auth-key=1234AABB cost=40 disabled=no \
    interfaces=ER1.FMT-eoip type=ptp
add area=mgmt disabled=no interfaces=ER1.FMT-eoip.mgmt type=ptp
add area=mgmt disabled=no interfaces=ER1.Ziply-eoip.mgmt type=ptp
/snmp
# SNMP agent enabled; reachability is limited by the community address range and input rules above.
set contact="#HamWAN-Support on libera.chat" enabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=ER1.Westin
/system logging
# Ship everything except debug and snmp topics to the remote syslog action (44.25.0.8);
# ipsec and snmp topic logging are present but disabled.
add action=remote topics=!debug,!snmp
add disabled=yes topics=ipsec
add disabled=yes topics=snmp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
# Same HamWAN time sources handed to DHCP clients; both are in the ntp_servers address-list.
add address=44.25.0.4
add address=44.25.1.4