# feb/15/2019 18:02:19 by RouterOS 6.43.12
# software id = RG2W-6FVW
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 6CBA06D53F0A
#
# Review notes: this export describes an LTE uplink (lte1, provider comment
# "Yota"), ether1-ether5 bridged together as the LAN, and a PPTP client
# (pptp_home) to a remote "home" network.  The poster redacted the PPTP peer
# address and credentials; the device serial number and the LTE MAC address
# above are still included in the paste.
/interface lte
set [ find ] comment=Yota mac-address=0C:5B:8F:27:9A:64 name=lte1
# NOTE(review): arp=proxy-arp makes the router answer ARP on the bridge for
# any destination it can route.  With this setting the DHCP server's
# add-arp=yes (below) does not pin clients to their leases -- that behaviour
# needs arp=reply-only on the bridge; confirm which one was intended.
/interface bridge
add arp=proxy-arp comment=LAN fast-forward=no name=bridge1
# Identical explicit advertise list on all five ports; no other port settings.
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# Only the SSID is changed on the radios.  No disabled=no is exported for
# wlan1/wlan2 and nothing in this export sets an authentication mode on the
# default security profile (only supplicant-identity, further down), so verify
# the radios are really still at their default (disabled) state before
# enabling them.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
# PPTP client towards the remote network.  NOTE(review): PPTP (MS-CHAPv2 with
# MPPE) is a legacy VPN; treat the tunnel as untrusted transport and prefer a
# modern tunnel type where the far end allows it.  max-mtu/max-mru=1350 pairs
# with the change-mss mangle rule elsewhere in this export.
/interface pptp-client
add allow=mschap2 comment="Private VPN" connect-to=xx.xx.xx.xx disabled=no \
    max-mru=1350 max-mtu=1350 name=pptp_home password=xxxxxx user=xxxxx
# The three interface lists every firewall rule keys on; membership is set in
# /interface list member further down.
/interface list
add name=VPN
add name=Internet
add name=Local
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec is not used: default proposal disabled here, default policy disabled
# further down.
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
add name=dhcp_pool ranges=192.168.2.2-192.168.2.30
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool disabled=no interface=bridge1 \
    lease-time=59m name=dhcp
# *0 and *FFFFFFFE are the two built-in PPP profiles (presumably "default" and
# "default-encryption"); both are bridged onto bridge1.  use-encryption=no on
# *0 only affects PPP peers that use that profile.  The pptp-client above does
# not name a profile, so it presumably uses default-encryption -- confirm, as
# no PPP server is enabled anywhere in this export.
/ppp profile
set *0 bridge=bridge1 change-tcp-mss=no use-compression=no use-encryption=no \
    use-mpls=no use-upnp=no
set *FFFFFFFE bridge=bridge1 use-compression=no use-mpls=no use-upnp=no
# BGP instance is present but disabled (the matching peer, further down, is
# disabled too).
/routing bgp instance
set default as=64999 disabled=yes ignore-as-path-len=yes router-id=172.16.1.2
# All five ethernet ports are LAN; the only WAN path is lte1.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
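# --- Interface lists ----------------------------------------------------------
# Internet = lte1 (the only WAN path), VPN = pptp_home, Local = bridge1 (all
# LAN ports).  Neighbor discovery is limited to the LAN.
/ip neighbor discovery-settings
set discover-interface-list=Local
/interface list member
add interface=pptp_home list=VPN
add interface=lte1 list=Internet
add interface=bridge1 list=Local
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
# The router is the LAN's resolver.  allow-remote-requests=yes makes it answer
# on every interface; it is not an open resolver only because the input chain
# below accepts udp/53 from the Local list alone and ends with a drop.  Keep
# those two rules in mind if the filter is ever reordered.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.1 name=router-mikrotik
# AdminIP: management is allowed from the LAN (192.168.2.0/24) and from the two
# remote networks reached over pptp_home (192.168.1.0/24, 192.168.3.0/24).
# dns / rkn: destinations the mangle rules below steer into the VPN; rkn is a
# hand-maintained list of addresses.
/ip firewall address-list
add address=192.168.1.0/24 list=AdminIP
add address=192.168.3.0/24 list=AdminIP
add address=192.168.2.0/24 list=AdminIP
add address=8.8.4.4 list=dns
add address=8.8.8.8 list=dns
add address=77.88.8.8 list=dns
add address=77.88.8.1 list=dns
add address=89.255.66.53 list=dns
add address=89.255.64.7 list=dns
add address=1.11.3.201 list=rkn
add address=1.32.194.0/25 list=rkn
add address=1.32.194.195 list=rkn
add address=1.36.178.179 list=rkn
add address=1.36.236.74 list=rkn
add address=1.36.236.229 list=rkn
add address=1.36.237.118 list=rkn
add address=1.85.189.35 list=rkn
add address=1.135.251.23 list=rkn
add address=1.156.198.35 list=rkn
# --- Filter -------------------------------------------------------------------
# Rule order matters.  Per chain: established/related accepted and invalid
# dropped first, then the rate-based blacklists, then the explicit accepts,
# then (input only) "All other drop".  The forward chain had no terminal drop
# in the original export; one is added at the end of the chain below.
/ip firewall filter
add action=accept chain=forward comment="defconf: Allow forward established and related" connection-state=established,related
add action=drop chain=forward comment="defconf: DROP Invalid connections" connection-state=invalid
add action=accept chain=input comment="defconf: ACCEPT input established and related" connection-state=established,related
add action=drop chain=input comment="defconf: DROP Invalid connections" connection-state=invalid
# More than 100 concurrent TCP connections from one /32 on the WAN side puts the
# source on ddos-blacklist for a day; blacklisted sources are then tarpitted.
add action=add-src-to-address-list address-list=ddos-blacklist address-list-timeout=1d chain=input comment="defconf: DDoS Protect - Connection Limit" connection-limit=100,32 in-interface-list=Internet protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=ddos-blacklist
# SYN-Protect: new SYNs above 200/s (burst 5) are dropped.  The forward-chain
# jump has no in-interface-list match, so LAN-originated SYNs are rate-limited
# by the same counter as WAN traffic; add in-interface-list=Internet if that
# is not intended.
add action=jump chain=forward comment="defconf: DDoS Protect - SYN Flood" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=Internet jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
# Port-scan detection on the WAN side; none-dynamic entries stay until reboot.
add action=drop chain=input comment="defconf: Protected - Ports Scanners" src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input in-interface-list=Internet protocol=tcp psd=21,3s,3,1
# Winbox (tcp/8291) from the Internet: a source that opens four new connections
# within a minute lands on "Black List Winbox" (none-dynamic: kept until
# reboot).  Anything under that rate reaches the accept rule after the stages,
# so Winbox is reachable from the WAN side.  If Internet-side Winbox is not
# required, restrict that accept with src-address-list=AdminIP or drop it and
# manage the device over the VPN / LAN only.
add action=drop chain=input comment="defconf: Protected - WinBox Access" src-address-list="Black List Winbox"
add action=add-src-to-address-list address-list="Black List Winbox" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=8291 in-interface-list=Internet log=yes log-prefix="BLACK WINBOX" protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=Internet protocol=tcp
add action=accept chain=input dst-port=8291 in-interface-list=Internet protocol=tcp
# Same staging for tcp/1723.  The address lists are named "OpenVPN" but the
# port is PPTP.  Nothing in this export enables a PPTP server, so the final
# accept is presumably dead; remove it (and the stages) if no server is used,
# so the port is not reachable from the WAN side.
add action=drop chain=input comment="defconf: Protected - PPTP-VPN Connections" src-address-list="Black List OpenVPN"
add action=add-src-to-address-list address-list="Black List OpenVPN" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=1723 in-interface-list=Internet log=yes log-prefix="BLACK OVPN" protocol=tcp src-address-list="OpenVPN Stage 3"
add action=add-src-to-address-list address-list="OpenVPN Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=1723 in-interface-list=Internet protocol=tcp src-address-list="OpenVPN Stage 2"
add action=add-src-to-address-list address-list="OpenVPN Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=1723 in-interface-list=Internet protocol=tcp src-address-list="OpenVPN Stage 1"
add action=add-src-to-address-list address-list="OpenVPN Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=1723 in-interface-list=Internet protocol=tcp
add action=accept chain=input dst-port=1723 in-interface-list=Internet protocol=tcp
# Everything arriving over pptp_home is accepted in input, i.e. the remote
# network has the same management access to this router as the LAN.
add action=accept chain=input comment="defconf: ACCEPT VPN Connections" in-interface-list=VPN
add action=accept chain=input comment="defconf: ACCEPT ICMP" in-interface-list=Internet limit=50/5s,2:packet protocol=icmp
add action=accept chain=input comment="defconf: Allow DNS request from LAN" dst-port=53 in-interface-list=Local protocol=udp
add action=accept chain=input comment="defconf: Allow access for AdminIP group" src-address-list=AdminIP
# LAN -> VPN is allowed for new and established flows; VPN -> LAN only for
# established/related.  New flows from pptp_home into the LAN are still
# forwarded by default because the chain has no terminal drop for the VPN
# list; add one if the remote network should not initiate into the LAN.
add action=accept chain=forward comment="defconf: ACCEPT VPN connections" connection-state=established,new in-interface=bridge1 out-interface=pptp_home src-address=192.168.2.0/24
add action=accept chain=forward connection-state=established,related in-interface=pptp_home out-interface=bridge1
add action=drop chain=input comment="defconf: All other drop"
add action=fasttrack-connection chain=forward comment="defconf: Fasttrack" connection-state=established,related disabled=yes
# Added: the original export forwarded any packet the LTE provider delivered
# for a 192.168.2.0/24 host straight into the LAN.  Drop new connections
# entering from the Internet list that were not dst-nat'ed.  There are no
# dst-nat rules in this export, so no legitimate flow is affected, and
# pptp_home is in list VPN rather than Internet, so VPN traffic is untouched.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=Internet
# --- Mangle: policy routing into the VPN ----------------------------------------
# rkn_mark: only host 192.168.2.2's traffic to the rkn list.  traffic_dns: the
# whole LAN's traffic to the dns list.  Both are prerouting marks, so the
# router's own resolver queries to 8.8.8.8/8.8.4.4 are not marked and leave via
# lte1.  change-mss clamps SYNs heading into the VPN to fit the 1350 MTU.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark Blocket Adress" dst-address-list=rkn new-routing-mark=rkn_mark passthrough=no src-address=192.168.2.2
add action=mark-routing chain=prerouting comment="Mark DNS traffic" dst-address-list=dns new-routing-mark=traffic_dns passthrough=no src-address=192.168.2.0/24
add action=change-mss chain=forward comment="Change MSS" new-mss=1300 out-interface-list=VPN passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
# --- NAT ------------------------------------------------------------------------
# LAN is masqueraded both towards lte1 and into the VPN.  The two disabled
# rules use dst-address-list=192.168.3.0/24, which names an address list
# called "192.168.3.0/24" (none exists in this export); dst-address= was
# presumably intended.  They are disabled, so left as-is.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface-list=VPN src-address=192.168.2.0/24
add action=masquerade chain=srcnat disabled=yes dst-address-list=192.168.3.0/24 out-interface=pptp_home
add action=masquerade chain=srcnat disabled=yes dst-address-list=192.168.3.0/24 out-interface=pptp_home src-address=192.168.2.0/24
# Connection-tracking helpers that are not needed are switched off.  The pptp
# helper is left enabled (not listed), which the pptp_home client relies on.
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes
# Marked traffic and the two remote networks go through pptp_home.  No mangle
# rule sets routing-mark=home-vpn, so the "Private VPN route" entry is unused.
/ip route
add comment="Telegram to VPN" distance=1 gateway=pptp_home routing-mark=rkn_mark
add comment="Route DNS" distance=1 gateway=pptp_home routing-mark=traffic_dns
add comment="Private VPN route" distance=1 gateway=pptp_home routing-mark=home-vpn
add distance=1 dst-address=172.16.1.3/32 gateway=pptp_home
add distance=1 dst-address=192.168.1.0/24 gateway=pptp_home
add distance=1 dst-address=192.168.3.0/24 gateway=pptp_home
# 192.168.8.0/24 is always looked up in the main table regardless of mark.
/ip route rule
add dst-address=192.168.8.0/24 table=main
# Management services: only www-ssl (certificate weblane) stays enabled.  The
# service has no address= restriction of its own; it is reachable only from
# AdminIP, the Local list and the VPN because of the input chain above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=weblane disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
# BGP peer is disabled (as is the instance); kept for reference.
/routing bgp peer
add disabled=yes in-filter=dynamic-in multihop=yes name=VPS remote-address=89.255.94.163 remote-as=64998 ttl=default
/routing filter
add action=accept chain=dynamic-in comment="Set nexthop" protocol=bgp set-in-nexthop=172.16.1.33
# Time sync against two fixed NTP addresses; correct time matters for the
# www-ssl certificate validity and for log timestamps (the BLACK WINBOX /
# BLACK OVPN log entries above).
/system ntp client
set enabled=yes primary-ntp=17.253.54.253 secondary-ntp=17.253.54.125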
/system scheduler
# Layer-2 management (MAC-telnet and MAC-Winbox) is limited to the Local list,
# i.e. bridge1; it is not offered on lte1 or over pptp_home.
/tool mac-server
set allowed-interface-list=Local
/tool mac-server mac-winbox
set allowed-interface-list=Local