
General • Router configuration recommendations

I would like to get some feedback before deploying in a production environment.

I am using the following block of IPs (changed for privacy).

Network - 10.202.200.128/28

Comcast - 10.202.200.114/30
Static IPs - 10.202.200.129-142
Broadcast IP - 10.202.200.143
Gateway IP - 10.202.200.113

It is set up as follows; the SonicWall is doing the firewall portion.

Comcast Ciena
|
|
MikroTik CCR
|
|
SonicWall
|
|
Core switch

Here is the configuration:

# CCR2004-16G-2S+

/interface bridge
add name=CC port-cost-mode=short vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=ether1-Comcast
set [ find default-name=ether2 ] name=ether2-WAN
set [ find default-name=ether3 ] name=ether3-WAN
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes

/interface vlan
add interface=CC name=internet vlan-id=999

/ip hotspot user profile
set [ find default=yes ] shared-users=unlimited

/port
set 0 name=serial0
set 1 name=serial1

/interface bridge port
add bridge=CC interface=ether2-WAN internal-path-cost=10 path-cost=10 pvid=999
add bridge=CC interface=ether3-WAN internal-path-cost=10 path-cost=10 pvid=999

/ip firewall connection tracking
set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-fin-wait-timeout=2m \
    tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m \
    tcp-time-wait-timeout=2m udp-stream-timeout=2m udp-timeout=30s

/ip neighbor discovery-settings
set discover-interface-list=none

/interface bridge vlan
add bridge=CC tagged=CC untagged=ether2-WAN,ether3-WAN vlan-ids=999

/ip address
add address=10.202.200.129/28 interface=internet network=10.202.200.128
add address=10.202.200.114/30 interface=ether1-Comcast network=10.202.200.112
add address=192.168.40.2/29 interface=ether15 network=192.168.40.0

/ip cloud
set update-time=no

/ip firewall address-list
add address=192.168.40.5-192.168.40.14 list=allowed_to_router

/ip firewall filter
add action=accept chain=input comment="allow > established/related" connection-state=established,related
add action=drop chain=input comment="drop > invalid" connection-state=invalid
add action=accept chain=input comment="allow > icmp" protocol=icmp
add action=accept chain=input comment="allow > networks" port=8291 protocol=tcp src-address-list=allowed_to_router
add action=drop chain=input comment="drop > all"

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.202.200.113 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=https-cert
set api disabled=yes
set api-ssl disabled=yes

/ipv6 nd
set [ find default=yes ] disabled=yes

/system clock set time-zone-name=America/New_York
/system identity set name=CCR2004-CC
/system ntp client set enabled=yes
/system ntp client servers add address=pool.ntp.org

/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

Statistics: Posted by hwnd — Tue Jan 16, 2024 11:44 pm
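The quickest way to review an input chain like the one posted is to walk it against a handful of packets and see which verdict each one reaches. The script below is an added example, not part of hwnd's post or of RouterOS itself: it parses the address-list and filter sections of the export as posted, implements only the matchers those rules use (connection-state, protocol, port, src-address-list) plus RouterOS's implicit accept at the end of a chain, and evaluates a few constructed packets. The 203.0.113.0/24 source address is a documentation prefix standing in for an outside host, and the packet cases and the `audit()` helper are assumptions made for the demonstration.

```python
"""Walk the posted /ip firewall filter input chain against sample packets.

Added example, not part of the original post. It implements only the
matchers the posted rules use (connection-state, protocol, port,
src-address-list) and RouterOS's implicit accept at the end of a chain.
"""
import ipaddress
import re

# Constructed excerpt of the export in the post; 203.0.113.0/24 below is a
# documentation prefix standing in for "an outside host".
ROUTEROS_EXPORT = """
/ip firewall address-list
add address=192.168.40.5-192.168.40.14 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="allow > established/related" connection-state=established,related
add action=drop chain=input comment="drop > invalid" connection-state=invalid
add action=accept chain=input comment="allow > icmp" protocol=icmp
add action=accept chain=input comment="allow > networks" port=8291 protocol=tcp src-address-list=allowed_to_router
add action=drop chain=input comment="drop > all"
"""

# key=value pairs; a value is either a quoted string or a run of non-spaces
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return (address_lists, filter_rules) from the relevant menu sections."""
    address_lists, rules, menu = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line          # a menu path such as /ip firewall filter
        elif line.startswith("add "):
            kv = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            if menu == "/ip firewall address-list":
                address_lists.setdefault(kv["list"], []).append(kv["address"])
            elif menu == "/ip firewall filter":
                rules.append(kv)
    return address_lists, rules


def in_address_entry(ip, entry):
    """Match an address-list entry written as a range, a CIDR prefix or a single IP."""
    ip = ipaddress.ip_address(ip)
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(entry, strict=False)


def rule_matches(rule, pkt, address_lists):
    """True when every matcher present on the rule matches the packet."""
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    if "port" in rule:  # RouterOS 'port=' matches either the source or the destination port
        wanted = {int(p) for p in rule["port"].split(",")}
        if not wanted & {pkt.get("sport"), pkt.get("dport")}:
            return False
    if "src-address-list" in rule:
        entries = address_lists.get(rule["src-address-list"], [])
        if not any(in_address_entry(pkt["src"], e) for e in entries):
            return False
    return True


def input_verdict(rules, address_lists, pkt):
    """First matching rule wins; a packet no rule matches is accepted by RouterOS."""
    for rule in rules:
        if rule.get("chain") == "input" and rule_matches(rule, pkt, address_lists):
            return rule["action"], rule.get("comment", "")
    return "accept", "implicit accept at end of chain"


def audit(export=ROUTEROS_EXPORT):
    """Verdicts for a few constructed packets a reviewer would want to see."""
    address_lists, rules = parse_export(export)
    cases = {
        "winbox 8291 from mgmt host": dict(src="192.168.40.7", proto="tcp", dport=8291, state="new"),
        "winbox 8291 from outside": dict(src="203.0.113.9", proto="tcp", dport=8291, state="new"),
        "ssh 2200 from mgmt host": dict(src="192.168.40.7", proto="tcp", dport=2200, state="new"),
        "ping from outside": dict(src="203.0.113.9", proto="icmp", state="new"),
    }
    return {name: input_verdict(rules, address_lists, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:30} -> {verdict}")
```

Two things the walk makes visible that the export alone does not: SSH is left enabled on port 2200 in /ip service but no input rule ever accepts it, so it is unreachable even from the management range (either add an accept from allowed_to_router for that port or disable the service so the intent is explicit), and ICMP is accepted from any source, which is usually fine but is worth a conscious decision on an internet-facing edge.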
