1. Basic Configuration
Bootstrap for any RouterBoard: identity, NTP, DNS, backup and users.
Default Initial Configuration
Identity, timezone, NTP (a.ntp.br/b.ntp.br), DNS, IP Cloud DDNS, disables insecure services (telnet, ftp, www, api) and moves SSH/Winbox to non-default ports.
# Recommended initial configuration
:local ROUTERNAME "mevlox-router"
:local TIMEZONE "America/Fortaleza"
:local NTPPRIMARY "a.ntp.br"
:local NTPSECONDARY "b.ntp.br"
/system identity set name=$ROUTERNAME
/system clock set time-zone-name=$TIMEZONE
/system ntp client set enabled=yes
/system ntp client servers
add address=$NTPPRIMARY
add address=$NTPSECONDARY
/ip dns set servers="8.8.8.8,1.1.1.1"
/ip cloud set ddns-enabled=yes update-time=yes
# Plain-text management services off (www-ssl and api-ssl remain available if needed)
/ip service disable telnet,ftp,www,api
/ip service set ssh port=22022
# 8291 is the Winbox default; change it here if you want a non-default port
/ip service set winbox port=8291
# (Full script in the .rsc file)
Users and Access Security
Creates the noc-admin group and a dedicated user with a source-address ACL, disables the default admin, forces SSH strong-crypto and sets a minimum password length of 10 characters.
# Users and access hardening
:local NOMEUSER "noc"
:local SENHAUSER "TrocarSenhaForte#2026"
:local GRUPONOVO "noc-admin"
:local ALLOWFROM "192.168.88.0/24"
/user group add name=$GRUPONOVO \
policy="ssh,winbox,read,write,policy,test,sensitive"
/user add name=$NOMEUSER password=$SENHAUSER \
group=$GRUPONOVO address=$ALLOWFROM
# Log in once with the new user from an allowed address before disabling admin
/user disable admin
/ip service set ssh address=$ALLOWFROM
/ip service set winbox address=$ALLOWFROM
/ip ssh set strong-crypto=yes allow-none-crypto=no
/user settings set minimum-password-length=10
# (Full script in the .rsc file)
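The two blocks above change state that can silently drift (someone re-enables www for a quick look, a new user is added without an address ACL). As an added example that is not part of the page's .rsc scripts, the script below re-checks every item of the section-1 hardening and logs a warning per finding; the script and scheduler names and the "audit:" log text are my own choices.

```routeros
# Added example: verify the section-1 hardening and log anything that drifted.
# Names (audit-access, the "audit:" prefix) are assumptions, not from the page.
/system script add name=audit-access source={
    :local FINDINGS 0
    # 1. Plain-text management services must stay disabled
    :foreach SVC in={"telnet";"ftp";"www";"api"} do={
        :if ([/ip service get [find name=$SVC] disabled] = false) do={
            :log warning ("audit: insecure service enabled: " . $SVC)
            :set FINDINGS ($FINDINGS + 1)
        }
    }
    # 2. The default admin account must remain disabled
    :if ([:len [/user find name="admin"]] > 0) do={
        :if ([/user get [find name="admin"] disabled] = false) do={
            :log warning "audit: default admin account is enabled"
            :set FINDINGS ($FINDINGS + 1)
        }
    }
    # 3. Every enabled user must carry a source-address restriction
    #    (an unset address shows as empty or as 0.0.0.0/0 depending on version)
    :foreach UID in=[/user find disabled=no] do={
        :local ADDR [:tostr [/user get $UID address]]
        :if (([:len $ADDR] = 0) || ($ADDR = "0.0.0.0/0")) do={
            :log warning ("audit: user without address ACL: " . [/user get $UID name])
            :set FINDINGS ($FINDINGS + 1)
        }
    }
    # 4. SSH crypto and password policy
    :if ([/ip ssh get strong-crypto] = false) do={
        :log warning "audit: ssh strong-crypto is off"
        :set FINDINGS ($FINDINGS + 1)
    }
    :if ([/user settings get minimum-password-length] < 10) do={
        :log warning "audit: minimum-password-length below 10"
        :set FINDINGS ($FINDINGS + 1)
    }
    :if ($FINDINGS = 0) do={
        :log info "audit: access hardening OK"
    } else={
        :log error ("audit: " . $FINDINGS . " finding(s), see warnings above")
    }
}
# Run it daily; with the remote syslog of section 8 the warning/error
# lines reach the collector, where they can raise an alert
/system scheduler add name=audit-access-daily interval=1d \
    start-time=04:00:00 on-event="/system script run audit-access"
```

Run `/system script run audit-access` once by hand after applying the section and confirm the "audit: access hardening OK" line in `/log print`; from then on a non-empty finding count in the collector is the signal that somebody changed the baseline.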
Daily Automatic Backup by E-mail
Scheduler at 03:15 that generates a binary backup plus an .rsc export, sends them by e-mail through the configured SMTP server, with a dynamic filename containing the router name and date.
# Daily backup by e-mail
/tool e-mail set server=[:resolve "smtp.office365.com"] \
port=587 user="backup@empresa.com" \
password="SUA_SENHA" from="backup@empresa.com" tls=starttls
/system script add name=mevlox-backup source={
# Date is "yyyy-mm-dd" on RouterOS 7.10+; older releases return "mon/dd/yyyy",
# whose slashes are not valid inside a file name
:local DATA [/system clock get date]
:local NOME [/system identity get name]
:local ARQ ("backup-" . $NOME . "-" . $DATA)
# dont-encrypt=yes ships credentials in clear over e-mail; prefer password=... encryption
/system backup save name=$ARQ dont-encrypt=yes
/export file=$ARQ
:delay 5s
/tool e-mail send to="ti@empresa.com" \
subject=("Backup " . $NOME) \
file=($ARQ . ".backup," . $ARQ . ".rsc")
}
/system scheduler add name=backup-diario \
interval=1d start-time=03:15:00 \
on-event="/system script run mevlox-backup"
# (Full script in the .rsc file)
2. Firewall
Standard ISP rules, address-lists, anti-bruteforce and DDoS protection.
Standard ISP Firewall
Complete firewall: input/forward/NAT chains, RFC bogon filtering, basic DDoS protection with connection-limit and dst-limit, fasttrack-connection for wire-speed forwarding, tuned conntrack.
# Standard firewall for ISPs
/interface list
add name=WAN
add name=LAN
# Interface lists need members or the rules below match nothing
# (ether1 as uplink and bridge-vlan as LAN are example names; adjust)
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge-vlan
/ip firewall filter
# Input - protects the router
add chain=input action=accept \
connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN
# Any service opened to the WAN (VPN, SNMP) must be accepted BEFORE this rule
add chain=input action=drop in-interface-list=WAN
# Forward - customer traffic
# Fasttracked connections skip mangle and queue tree: do not fasttrack
# traffic you intend to shape (sections 3 and 7)
add chain=forward action=fasttrack-connection \
connection-state=established,related hw-offload=yes
add chain=forward action=accept \
connection-state=established,related
add chain=forward action=drop connection-state=invalid
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
# (Full script in the .rsc file)
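The description mentions RFC bogon filtering and dst-limit based protection, which the excerpt above does not show. The block below is an added example (my own rules, not the project's .rsc): bogon sources are dropped in the raw table before connection tracking spends CPU on them, and a per-source SYN limiter protects the router's own services. It assumes the WAN interface list and the input rules from the block above already exist, so that `place-before=0` has something to insert in front of.

```routeros
# Added example: bogon filtering in /ip firewall raw and a per-source SYN
# limiter for the router itself. Assumes the WAN list and the input chain
# from the block above exist. List and chain names are my own.
/ip firewall address-list
add list=bogons address=0.0.0.0/8 comment="this network"
add list=bogons address=10.0.0.0/8 comment="RFC1918"
add list=bogons address=127.0.0.0/8 comment="loopback"
add list=bogons address=169.254.0.0/16 comment="link-local"
add list=bogons address=172.16.0.0/12 comment="RFC1918"
add list=bogons address=192.0.2.0/24 comment="TEST-NET-1"
add list=bogons address=192.168.0.0/16 comment="RFC1918"
add list=bogons address=224.0.0.0/3 comment="multicast and reserved"
# 100.64.0.0/10 (CGNAT) belongs here too unless your own upstream hands it to you
/ip firewall raw
add chain=prerouting action=drop in-interface-list=WAN \
    src-address-list=bogons comment="spoofed source on WAN"
/ip firewall filter
# New TCP SYNs from the WAN are rate-checked per source; inserted at the
# top so the check runs before any service-specific accept rule
add chain=input action=jump jump-target=syn-guard protocol=tcp \
    tcp-flags=syn,!ack connection-state=new in-interface-list=WAN \
    place-before=0
# Sources already flagged are dropped before anything else (ends up as rule 0)
add chain=input action=drop src-address-list=syn-flooders \
    in-interface-list=WAN comment="SYN flooder" place-before=0
# Up to 50 SYN/s (burst 20) per source returns to the input chain;
# above that the source is listed for 10 minutes and dropped
add chain=syn-guard action=return \
    dst-limit=50/1s,20,src-address/10s
add chain=syn-guard action=add-src-to-address-list \
    address-list=syn-flooders address-list-timeout=10m
add chain=syn-guard action=drop
```

Tune the 50/1s figure to what your management services legitimately see; the limiter is per source, so it caps what one noisy address can do to the router's CPU and conntrack table but is not a defence against a distributed flood, which has to be absorbed upstream. The `syn-flooders` list is a useful detection artefact: export it with the syslog of section 8 to see who is probing the management plane.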
Firewall with Address Lists
Creates whitelist/blacklist/geoblock lists and helper scripts to add IPs at runtime. Blocking by country CIDR, with trusted partners always allowed.
# Firewall with address-lists
/ip firewall address-list
add list=whitelist address=200.200.200.0/24 \
comment="HQ management"
add list=blacklist address=192.0.2.0/24 \
comment="Scanner"
add list=geoblock address=5.188.0.0/16 \
comment="Example range"
/ip firewall filter
add chain=input action=accept src-address-list=whitelist
add chain=input action=drop src-address-list=blacklist
add chain=input action=drop src-address-list=geoblock
# Runtime helper to add an address to the blacklist.
# /system script run cannot pass arguments, so this is a global function;
# call it as:  $addBlacklist 198.51.100.7
# (define it from a startup scheduler so it survives a reboot)
:global addBlacklist do={
/ip firewall address-list add list=blacklist \
address=[:toip $1] comment="added at runtime"
}
# (Full script in the .rsc file)
Anti-BruteForce SSH/Winbox/API
Three-stage chain that blocks IPs after 4 attempts within about 1 minute, with a 10-day block in ssh-blacklist/wb-blacklist/api-blacklist. Management whitelist protected.
# Anti-bruteforce SSH (22), Winbox (8291), API (8728)
# If SSH was moved (22022 in section 1), change dst-port here to match
/ip firewall filter
# SSH - progressive stages. Order matters: blacklist drop first, then
# stage3 -> blacklist, stage2 -> stage3, stage1 -> stage2, new -> stage1
add chain=input action=drop protocol=tcp dst-port=22 \
src-address-list=ssh-blacklist
add chain=input action=add-src-to-address-list \
address-list=ssh-blacklist address-list-timeout=1w3d \
protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh-stage3
add chain=input action=add-src-to-address-list \
address-list=ssh-stage3 address-list-timeout=1m \
protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh-stage2
add chain=input action=add-src-to-address-list \
address-list=ssh-stage2 address-list-timeout=1m \
protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh-stage1
add chain=input action=add-src-to-address-list \
address-list=ssh-stage1 address-list-timeout=1m \
protocol=tcp dst-port=22 connection-state=new
# Winbox (8291) and API (8728) use the same five rules with wb-/api- lists
# (Full script in the .rsc file)
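Two things the staging rules above leave to the reader: the management whitelist has to be accepted before the stage rules, otherwise a NOC operator mistyping a password four times locks the NOC out for ten days; and the blacklists are only useful operationally if someone can see what is in them. The block below is an added example (not from the page's .rsc): it inserts the whitelist accept in front of the ssh-blacklist drop and adds a scheduled script that logs every blocked source with its remaining timeout. It assumes the ssh-blacklist drop rule from the block above and the `whitelist` list from the address-list section exist; the script and scheduler names are mine.

```routeros
# Added example: management whitelist ahead of the staging rules, plus a
# periodic report of what the bruteforce blacklists hold. Assumes the
# ssh-blacklist drop rule above and the "whitelist" list already exist.
/ip firewall filter
add chain=input action=accept src-address-list=whitelist \
    protocol=tcp dst-port=22,8291,8728 \
    comment="management sources never enter the bruteforce stages" \
    place-before=[find chain=input action=drop src-address-list=ssh-blacklist]
# Log every blocked source with its remaining timeout. Script log lines carry
# the warning/info topics, so the section-8 remote syslog forwards them.
/system script add name=report-bruteforce source={
    :foreach LST in={"ssh-blacklist";"wb-blacklist";"api-blacklist"} do={
        :local IDS [/ip firewall address-list find list=$LST]
        :foreach ID in=$IDS do={
            :local ADDR [/ip firewall address-list get $ID address]
            :local LEFT [/ip firewall address-list get $ID timeout]
            :log warning ($LST . ": " . $ADDR . " blocked, expires in " . $LEFT)
        }
        :log info ($LST . ": " . [:len $IDS] . " entries")
    }
}
/system scheduler add name=report-bruteforce-hourly interval=1h \
    on-event="/system script run report-bruteforce"
```

The `place-before=[find ...]` form relies on the find returning exactly one rule; if you keep several blacklist drops (SSH, Winbox, API), anchor on the first one by comment instead. Sources that appear in the hourly report repeatedly over days are candidates for the permanent `blacklist` list via `$addBlacklist`.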
3. PPPoE Server
PPPoE server, per-customer queues and RADIUS integration.
Complete PPPoE Server
IP pool, PPP profile with rate-limit and DNS, pppoe-server on ether2 with PAP/CHAP/MSCHAP, example customer secrets and one-session-per-host configuration.
# Complete PPPoE server
/ip pool
add name=pool-clientes-pppoe \
ranges=10.100.0.2-10.100.3.254
/ppp profile
add name=plano-100M local-address=10.100.0.1 \
remote-address=pool-clientes-pppoe \
dns-server="8.8.8.8,1.1.1.1" \
rate-limit=100M/100M only-one=yes
/interface pppoe-server server
# PAP sends the secret in clear over the access link; keep it only for
# CPEs that cannot do CHAP/MS-CHAPv2
add service-name=mevlox-isp interface=ether2 \
default-profile=plano-100M \
authentication=pap,chap,mschap1,mschap2 \
one-session-per-host=yes max-mru=1492 max-mtu=1492
/ppp secret
# Example credential only; in production secrets come from RADIUS (below)
add name=cliente001 password=senha123 \
profile=plano-100M service=pppoe
# (Full script in the .rsc file)
PPPoE Queue Tree with PCQ
Equal bandwidth sharing among PPPoE customers with dynamic PCQ per src-address/dst-address, mangle marking on all-ppp and a total limit at the global root.
# PCQ for PPPoE
# Fasttracked connections (section 2) never reach mangle or the queue tree
/queue type
add name=pcq-download kind=pcq pcq-rate=0 \
pcq-classifier=dst-address pcq-limit=100KiB
add name=pcq-upload kind=pcq pcq-rate=0 \
pcq-classifier=src-address pcq-limit=100KiB
/ip firewall mangle
add chain=forward action=mark-connection \
new-connection-mark=pppoe-conn in-interface=all-ppp \
passthrough=yes
add chain=forward action=mark-packet \
new-packet-mark=pppoe-down \
connection-mark=pppoe-conn out-interface=all-ppp \
passthrough=no
add chain=forward action=mark-packet \
new-packet-mark=pppoe-up \
connection-mark=pppoe-conn in-interface=all-ppp \
passthrough=no
/queue tree
add name=pppoe-download parent=global \
packet-mark=pppoe-down queue=pcq-download \
max-limit=1G
add name=pppoe-upload parent=global \
packet-mark=pppoe-up queue=pcq-upload \
max-limit=1G
# (Full script in the .rsc file)
RADIUS/AAA Integration
External RADIUS authentication for PPPoE, Hotspot and Login. CoA enabled (port 3799) to disconnect sessions remotely, accounting and interim-update every 5 minutes.
# RADIUS/AAA
:local RADIUSIP "10.0.0.10"
:local RADIUSSECRET "segredo-compartilhado"
/radius
add service=ppp address=$RADIUSIP \
secret=$RADIUSSECRET authentication-port=1812 \
accounting-port=1813 timeout=3s
add service=hotspot address=$RADIUSIP \
secret=$RADIUSSECRET authentication-port=1812 \
accounting-port=1813
add service=login address=$RADIUSIP \
secret=$RADIUSSECRET
# CoA/Disconnect-Request listener: only the RADIUS server may reach it
/radius incoming set accept=yes port=3799
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=3799 \
src-address=$RADIUSIP
/ppp aaa set use-radius=yes accounting=yes \
interim-update=5m
/user aaa set use-radius=yes
# (Full script in the .rsc file)
4. VLANs and Bridge
VLAN-aware bridge, trunks between RouterOS/SwOS and HW offload.
Bridge with VLAN Filtering
VLAN-aware bridge with 3 VLANs (management 10, customers 20, VoIP 30), tagged/untagged ports, L3 VLAN interfaces with gateway IPs and vlan-filtering enabled at the end (safe order).
# Bridge VLAN filtering
/interface bridge
add name=bridge-vlan protocol-mode=rstp \
vlan-filtering=no
/interface bridge port
# Access ports: refuse tagged frames from the client side
add bridge=bridge-vlan interface=ether2 pvid=10 \
ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-vlan interface=ether3 pvid=20 \
ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-vlan interface=ether4 pvid=30 \
ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# Trunk port
add bridge=bridge-vlan interface=ether5 \
ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge-vlan vlan-ids=10 \
tagged=bridge-vlan,ether5 untagged=ether2
add bridge=bridge-vlan vlan-ids=20 \
tagged=bridge-vlan,ether5 untagged=ether3
add bridge=bridge-vlan vlan-ids=30 \
tagged=bridge-vlan,ether5 untagged=ether4
# L3 gateway interfaces (addresses are examples)
/interface vlan
add name=vlan10-mgmt vlan-id=10 interface=bridge-vlan
add name=vlan20-clients vlan-id=20 interface=bridge-vlan
add name=vlan30-voip vlan-id=30 interface=bridge-vlan
/ip address
add address=172.16.10.1/24 interface=vlan10-mgmt
add address=172.16.20.1/24 interface=vlan20-clients
add address=172.16.30.1/24 interface=vlan30-voip
# Enable filtering last, with management reachable via vlan10 (or a port outside the bridge)
/interface bridge set bridge-vlan vlan-filtering=yes
# (Full script in the .rsc file)
VLAN Trunk between RouterOS and Switches
Trunk template between router and MikroTik switch (CSS/CRS) with VLANs 10, 20, 30, 40 tagged. Includes commented instructions for the CSS-SwOS and CRS-RouterOS side.
# VLAN trunk between RouterOS and switches
:local TRUNKPORT "sfp-sfpplus1"
:local VLANS "10,20,30,40"
/interface bridge port
add bridge=bridge-vlan interface=$TRUNKPORT \
ingress-filtering=yes frame-types=admit-only-vlan-tagged
:foreach VID in=[:toarray $VLANS] do={
:local VIDN [:tonum $VID]
:local ENTRY [/interface bridge vlan find vlan-ids=$VIDN]
:if ([:len $ENTRY] > 0) do={
# VLAN already defined: append the trunk port to its tagged list
:local TAGGED [/interface bridge vlan get $ENTRY tagged]
:if ([:len $TAGGED] > 0) do={
/interface bridge vlan set $ENTRY tagged=($TAGGED , $TRUNKPORT)
} else={
/interface bridge vlan set $ENTRY tagged=$TRUNKPORT
}
} else={
/interface bridge vlan add \
bridge=bridge-vlan vlan-ids=$VIDN \
tagged=$TRUNKPORT
}
}
# Switch side (CSS/CRS): configure the same port as a trunk
# carrying 10,20,30,40 (see the comments in the .rsc file)
Switch Chip HW Offload
Bridge with fast-forward and ports with hw=yes to enable hardware offload on the switch chip, guaranteeing wire-speed (up to 100G) without CPU usage.
# HW offload on the switch chip
/interface bridge
add name=bridge-hw protocol-mode=none \
vlan-filtering=no fast-forward=yes
/interface bridge port
add bridge=bridge-hw interface=ether1 hw=yes
add bridge=bridge-hw interface=ether2 hw=yes
add bridge=bridge-hw interface=ether3 hw=yes
add bridge=bridge-hw interface=ether4 hw=yes
add bridge=bridge-hw interface=ether5 hw=yes
add bridge=bridge-hw interface=ether6 hw=yes
add bridge=bridge-hw interface=ether7 hw=yes
add bridge=bridge-hw interface=ether8 hw=yes
# Check that offload is active on every port:
# /interface bridge port print detail
# Each port should show "hw-offload: yes"
# Enabling vlan-filtering, use-ip-firewall or other bridge features can
# turn offload off on some switch chips; re-check after every bridge change
# (Full script in the .rsc file)
5. VPN
IPsec site-to-site, WireGuard and L2TP/IPsec for roadwarriors.
IPsec Site-to-Site
IKEv2 tunnel between two MikroTiks with AES-256-GCM, SHA256, DH2048, PFS. NO-NAT rule for IPsec traffic and firewall rules opening UDP 500/4500 and ESP.
# IPsec Site-to-Site IKEv2
:local IPREMOTO "200.200.2.1"
:local SUBNETLOCAL "192.168.10.0/24"
:local SUBNETREMOTO "192.168.20.0/24"
:local PSK "PSKForte#2026"
/ip ipsec proposal
add name=prop-s2s auth-algorithms=sha256 \
enc-algorithms=aes-256-cbc,aes-256-gcm \
pfs-group=modp2048
/ip ipsec profile
add name=prof-s2s hash-algorithm=sha256 \
enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer
add name=peer-s2s address=($IPREMOTO . "/32") \
exchange-mode=ike2 profile=prof-s2s
/ip ipsec identity
add peer=peer-s2s auth-method=pre-shared-key \
secret=$PSK
/ip ipsec policy
add peer=peer-s2s src-address=$SUBNETLOCAL \
dst-address=$SUBNETREMOTO tunnel=yes \
action=encrypt proposal=prop-s2s
# NO-NAT: site-to-site traffic must bypass masquerade, so it goes first
# (place-before=0 needs an existing srcnat rule, e.g. the one in section 2)
/ip firewall nat
add chain=srcnat action=accept src-address=$SUBNETLOCAL \
dst-address=$SUBNETREMOTO place-before=0
# IKE/NAT-T and ESP from the remote peer only; these accepts must sit
# before the generic "drop in-interface-list=WAN" input rule
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
src-address=$IPREMOTO
add chain=input action=accept protocol=ipsec-esp \
src-address=$IPREMOTO
# (Full script in the .rsc file)
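A site-to-site tunnel that silently drops its child SA (typically after a proposal or policy mismatch on one side) looks "up" in IKE terms while no traffic flows. As an added example that is not part of the page's scripts, the check below distinguishes the three states a practitioner cares about: no IKE SA, IKE SA but no installed child SA, and healthy. It assumes the remote address from the block above; the script name and log messages are mine.

```routeros
# Added example: health check for the site-to-site peer configured above.
# Assumes the remote address 200.200.2.1 from that block; names are mine.
/system script add name=ipsec-watch source={
    :local REMOTE [:toip "200.200.2.1"]
    # Established IKE SAs with the peer (phase 1)
    :local IKE [:len [/ip ipsec active-peers find \
        remote-address=$REMOTE state="established"]]
    # Installed child SAs towards the peer (phase 2, what actually carries traffic)
    :local SAS [:len [/ip ipsec installed-sa find dst-address=$REMOTE]]
    :if ($IKE = 0) do={
        :log error ("ipsec-watch: no established IKE SA with " . $REMOTE)
    } else={
        :if ($SAS = 0) do={
            :log warning ("ipsec-watch: IKE up but no child SA to " . $REMOTE \
                . " (check policy selectors and proposal on both sides)")
        } else={
            :log info ("ipsec-watch: " . $REMOTE . " OK, " . $SAS . " installed SA(s)")
        }
    }
}
/system scheduler add name=ipsec-watch-5m interval=5m \
    on-event="/system script run ipsec-watch"
```

The warning case is the interesting one for incident triage: it usually means the other side changed its proposal or subnet, and with the remote syslog of section 8 the first occurrence timestamps that change.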
WireGuard Server
WireGuard server on UDP 51820 with subnet 10.99.99.0/24, 2 example peers, NAT for outbound traffic and automatic printing of the server public key at the end.
# WireGuard server
/interface wireguard
add name=wg-mevlox listen-port=51820
/ip address
add address=10.99.99.1/24 interface=wg-mevlox
# One entry per client: replace the placeholders with each client's public key
# and keep allowed-address at /32 so a peer cannot claim another peer's address
/interface wireguard peers
add interface=wg-mevlox \
public-key="PUB_KEY_CLIENTE_1" \
allowed-address=10.99.99.10/32
add interface=wg-mevlox \
public-key="PUB_KEY_CLIENTE_2" \
allowed-address=10.99.99.11/32
/ip firewall filter
# Must sit before the generic "drop in-interface-list=WAN" input rule (section 2)
add chain=input action=accept protocol=udp \
dst-port=51820
/ip firewall nat
add chain=srcnat action=masquerade \
src-address=10.99.99.0/24
:local PUBKEY [/interface wireguard get \
wg-mevlox public-key]
:put "Chave publica: $PUBKEY"
# (Full script in the .rsc file)
L2TP + IPsec for Roadwarriors
L2TP/IPsec server compatible with the native Windows, macOS, iOS and Android clients. Compatible proposal (AES-256/128, SHA1/256), pool 10.88.88.0/24 and outbound NAT.
# L2TP/IPsec roadwarrior
:local PSK "PSK-L2TP-Forte#2026"
/ip pool
add name=pool-l2tp ranges=10.88.88.10-10.88.88.250
/ppp profile
add name=l2tp-profile local-address=10.88.88.1 \
remote-address=pool-l2tp dns-server=8.8.8.8 \
change-tcp-mss=yes use-encryption=required
# The L2TP server negotiates with the default IPsec proposal; widen it
# to what the native OS clients offer (SHA1 and AES-128 are for compatibility)
/ip ipsec proposal
set [find default=yes] auth-algorithms=sha256,sha1 \
enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret=$PSK \
default-profile=l2tp-profile \
authentication=mschap1,mschap2
/ppp secret
add name=user-roadwarrior password="SenhaForte#" \
service=l2tp profile=l2tp-profile
# IKE/NAT-T and ESP in; UDP 1701 accepted only inside IPsec
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500
add chain=input action=accept protocol=ipsec-esp
add chain=input action=accept protocol=udp dst-port=1701 \
ipsec-policy=in,ipsec
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.88.88.0/24
# (Full script in the .rsc file)
6. Hotspot and Wi-Fi
Captive portal for public environments and AP controller.
Hotspot with Captive Portal
Hotspot for restaurants/receptions with captive portal, 1-hour trial, plano-trial (5M) and plano-pago (20M) profiles, walled-garden with allowed sites (WhatsApp, Mevlox, Google).
# Hotspot with captive portal
/ip address
add address=10.5.50.1/24 interface=bridge-wifi
/ip pool
add name=pool-hotspot \
ranges=10.5.50.10-10.5.50.254
# Clients need DHCP; the router answers DNS for them
# (requires /ip dns allow-remote-requests=yes, limited to this subnet by firewall)
/ip dhcp-server
add name=dhcp-hotspot interface=bridge-wifi \
address-pool=pool-hotspot lease-time=1h disabled=no
/ip dhcp-server network
add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1
/ip hotspot profile
add name=hotspot-mevlox \
hotspot-address=10.5.50.1 \
login-by=http-chap,http-pap,trial \
trial-uptime-limit=1h trial-uptime-reset=1d
# The hotspot instance itself binds the profile to the interface and pool
/ip hotspot
add name=hs-mevlox interface=bridge-wifi \
address-pool=pool-hotspot profile=hotspot-mevlox disabled=no
/ip hotspot user profile
add name=plano-trial rate-limit=5M/5M \
shared-users=1 session-timeout=1h
add name=plano-pago rate-limit=20M/20M \
shared-users=2
/ip hotspot walled-garden
add dst-host=*.mevlox.com.br action=allow
add dst-host=*.whatsapp.com action=allow
# (Full script in the .rsc file)
CAPsMAN Controller
Centralized controller for MikroTik APs. WPA2 security, 2.4GHz and 5GHz channels, separate datapaths for corporate and guest, automatic provisioning for APs in CAP mode.
# CAPsMAN controller (legacy /caps-man; 802.11ax devices on RouterOS 7.13+
# use the wifi-qcom package and /interface wifi capsman instead)
/caps-man manager set enabled=yes
/caps-man security
add name=sec-wpa2 \
authentication-types=wpa2-psk \
encryption=aes-ccm \
passphrase="MevloxWiFi#Forte2026"
/caps-man channel
add name=ch-2g-1 band=2ghz-b/g/n frequency=2412
add name=ch-5g-36 band=5ghz-a/n/ac frequency=5180
/caps-man datapath
add name=dp-corp bridge=bridge-vlan \
client-to-client-forwarding=yes
# Guest: clients isolated from each other; give it its own VLAN, security
# profile and configuration before provisioning a guest SSID
add name=dp-guest bridge=bridge-vlan \
client-to-client-forwarding=no
/caps-man configuration
add name=cfg-corp-2g ssid="Mevlox-Corp" \
datapath=dp-corp security=sec-wpa2 \
channel=ch-2g-1 mode=ap country=brazil
/caps-man provisioning
add action=create-dynamic-enabled \
master-configuration=cfg-corp-2g
# (Full script in the .rsc file)
7. Queues and QoS
Equal bandwidth sharing (PCQ) and VoIP prioritization.
Queue Tree with PCQ per IP
Shares the total bandwidth (500M) equally among all LAN IPs. Mangle marks connections and packets per direction; the queue tree uses pcq-classifier src-address/dst-address.
# PCQ per IP
# Fasttracked connections (section 2) never reach mangle or the queue tree
/queue type
add name=pcq-down-ip kind=pcq pcq-rate=0 \
pcq-classifier=dst-address pcq-limit=100KiB
add name=pcq-up-ip kind=pcq pcq-rate=0 \
pcq-classifier=src-address pcq-limit=100KiB
/ip firewall mangle
add chain=forward action=mark-connection \
new-connection-mark=lan-conn \
src-address=192.168.10.0/24 passthrough=yes
# Upload: packets leaving the LAN
add chain=forward action=mark-packet \
new-packet-mark=lan-up \
connection-mark=lan-conn \
src-address=192.168.10.0/24 passthrough=no
# Download: packets towards the LAN (the queue tree below matches lan-down)
add chain=forward action=mark-packet \
new-packet-mark=lan-down \
connection-mark=lan-conn \
dst-address=192.168.10.0/24 passthrough=no
/queue tree
add name=total-down parent=global max-limit=500M
add name=pcq-lan-down parent=total-down \
packet-mark=lan-down queue=pcq-down-ip
add name=total-up parent=global max-limit=500M
add name=pcq-lan-up parent=total-up \
packet-mark=lan-up queue=pcq-up-ip
# (Full script in the .rsc file)
VoIP QoS with DSCP EF
Marks SIP (UDP 5060) and RTP (10000-20000) with DSCP EF (46) and creates a queue tree with priority 1 (highest), reserving 50Mbps for voice out of a 500Mbps total.
# Priority QoS for VoIP
/ip firewall mangle
add chain=prerouting action=mark-connection \
new-connection-mark=voip-conn \
protocol=udp port=5060 passthrough=yes
add chain=prerouting action=mark-connection \
new-connection-mark=voip-conn \
protocol=udp port=10000-20000 passthrough=yes
add chain=prerouting action=mark-packet \
new-packet-mark=voip-pkt \
connection-mark=voip-conn passthrough=yes
add chain=postrouting action=change-dscp \
new-dscp=46 packet-mark=voip-pkt
/queue type
add name=voip-fifo kind=pfifo pfifo-limit=20
/queue tree
# priority only orders siblings under the same parent: the remaining traffic
# (e.g. the PCQ queues above) must also hang under raiz-prioritaria for voice to win
add name=raiz-prioritaria parent=global \
max-limit=500M priority=1
add name=voip-tree parent=raiz-prioritaria \
packet-mark=voip-pkt queue=voip-fifo \
priority=1 max-limit=50M limit-at=50M
# (Full script in the .rsc file)
8. Monitoring
SNMP for Zabbix/LibreNMS and syslog to a remote server.
SNMP for Zabbix/LibreNMS/PRTG
Enables SNMPv2c (community restricted by IP) plus SNMPv3 (SHA1+AES). Firewall opens UDP 161 only to the NMS. Prints useful OIDs: sysDescr, ifTable, core temperature.
# SNMP v2c + v3
:local COMUNIDADE "mevlox-ro"
:local IPNMS "10.10.10.50"
/snmp
set enabled=yes contact="noc@empresa.com" \
location="Teresina-PI" trap-version=2
/snmp community
set [find default=yes] disabled=yes
# v2c community travels in clear: read-only and bound to the NMS address
add name=$COMUNIDADE addresses=$IPNMS \
read-access=yes write-access=no
# v3 user (authPriv); also bound to the NMS address
add name=monitor addresses=$IPNMS \
authentication-protocol=SHA1 \
authentication-password="AuthSNMP#" \
encryption-protocol=AES \
encryption-password="PrivSNMP#" security=private
/ip firewall filter
add chain=input action=accept protocol=udp \
dst-port=161 src-address=$IPNMS
# Useful OIDs:
# .1.3.6.1.2.1.1.1.0 sysDescr
# .1.3.6.1.2.1.2.2.1 ifTable
# .1.3.6.1.4.1.14988.1.1.3.100 Core temp
# (Full script in the .rsc file)
Remote Syslog
Sends logs to an external server (Graylog, rsyslog, Splunk) over UDP 514, separating critical, error, warning, system, auth, firewall, PPP and DHCP with prefixes.
# Remote syslog
# UDP syslog is neither authenticated nor encrypted: keep the collector on a
# management network and restrict who may send to it on the collector side
:local SYSLOGIP "10.10.10.99"
/system logging action
add name=syslog-remoto target=remote \
remote=$SYSLOGIP remote-port=514 \
bsd-syslog=yes syslog-facility=daemon
/system logging
add topics=critical action=syslog-remoto \
prefix="[CRITICAL]"
add topics=error action=syslog-remoto \
prefix="[ERROR]"
add topics=warning action=syslog-remoto \
prefix="[WARN]"
add topics=system,info,!debug \
action=syslog-remoto prefix="[SYS]"
add topics=account action=syslog-remoto \
prefix="[AUTH]"
# The firewall topic only has content for rules configured with log=yes
add topics=firewall action=syslog-remoto \
prefix="[FW]"
add topics=ppp,info action=syslog-remoto \
prefix="[PPP]"
add topics=dhcp action=syslog-remoto \
prefix="[DHCP]"
# (Full script in the .rsc file)
