213

1. export compact
2. # nov/18/2016 16:44:09 by RouterOS 6.37.1
3. # software id = SA10-W5I5
4. #
5. /interface bridge
6. add name=bridge2
7. /interface ethernet
8. set [ find default-name=ether1 ] comment=Wan name=Wan-ISP
9. set [ find default-name=ether2 ] comment=Local
10. /ip neighbor discovery
11. set Wan-ISP comment=Wan discover=no
12. set ether2 comment=Local
13. set ether3 discover=no
14. set ether4 discover=no
15. set ether5 discover=no
16. set bridge2 discover=no
17. /interface vlan
18. add comment=VoIP interface=ether3 name=vlan4 vlan-id=4
19. /ip neighbor discovery
20. set vlan4 comment=VoIP discover=no
21. /ip ipsec proposal
22. set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
23. /ip pool
24. add name=dhcp_pool1 ranges=172.16.2.30-172.16.2.254
25. add name=dhcp_pool2 ranges=172.16.3.30-172.16.3.254
26. add name=dhcp_pool3 ranges=172.16.4.30-172.16.4.254
27. add name=dhcp_pool4 ranges=172.16.5.30-172.16.5.254
28. add name=L2TPServer ranges=172.16.6.1-172.16.6.30
29. /ip dhcp-server
30. add address-pool=dhcp_pool1 disabled=no interface=ether2 lease-time=3d name=\
31. dhcp1
32. add address-pool=dhcp_pool2 disabled=no interface=ether3 lease-time=3d name=\
33. dhcp2
34. add address-pool=dhcp_pool3 disabled=no interface=bridge2 lease-time=3d name=\
35. dhcp3
36. add address-pool=dhcp_pool4 disabled=no interface=ether5 lease-time=3d name=\
37. dhcp4
38. /ppp profile
39. add local-address=L2TPServer name=L2TP remote-address=L2TPServer
40. /queue tree
41. add disabled=yes max-limit=9500k name=in parent=global
42. add disabled=yes max-limit=9500k name=def-in packet-mark=def_in parent=in
43. add disabled=yes limit-at=1M max-limit=2M name=voip-in packet-mark=voip_in \
44. parent=in priority=1
45. add disabled=yes max-limit=9500k name=out parent=global
46. add disabled=yes max-limit=9500k name=def-out packet-mark=def_out parent=out
47. add disabled=yes limit-at=1M max-limit=2M name=voip-out packet-mark=voip_out \
48. parent=out priority=1
49. /system logging action
50. set 0 memory-lines=100
51. set 1 disk-lines-per-file=100
52. /interface bridge port
53. add bridge=bridge2 interface=vlan4
54. add bridge=bridge2 interface=ether4
55. /interface l2tp-server server
56. set authentication=mschap2 ipsec-secret=********* use-ipsec=yes
57. /interface pptp-server server
58. set enabled=yes
59. /ip address
60. add address=172.16.2.1/24 interface=ether2 network=172.16.2.0
61. add address=172.16.3.1/24 interface=ether3 network=172.16.3.0
62. add address=172.16.4.1/24 interface=vlan4 network=172.16.4.0
63. add address=172.16.5.1/24 interface=ether5 network=172.16.5.0
64. add address=************ interface=Wan-ISP network=***********
65. /ip dhcp-server network
66. add address=172.16.2.0/24 dns-server=172.16.3.2,8.8.8.8 gateway=172.16.2.1
67. add address=172.16.3.0/24 dns-server=172.16.3.2,172.16.3.1 gateway=172.16.3.1
68. add address=172.16.4.0/24 dns-server=172.16.3.2,172.16.3.1 gateway=172.16.4.1
69. add address=172.16.5.0/24 dns-server=172.16.3.2,172.16.3.1 gateway=172.16.5.1
70. /ip dns
71. set allow-remote-requests=yes servers=************,***************
72. /ip firewall filter
73. add action=drop chain=input dst-port=53 in-interface=Wan-ISP protocol=udp
74. add action=accept chain=input comment="Allow Ping" protocol=icmp
75. add action=accept chain=forward protocol=icmp
76. add action=accept chain=forward comment=Terminal disabled=yes dst-port=6984 \
77. protocol=tcp
78. add action=accept chain=input comment="Accept established connections" \
79. connection-state=established
80. add action=accept chain=forward connection-state=established
81. add action=accept chain=input comment="Accept related connections" \
82. connection-state=related
83. add action=accept chain=forward connection-state=related
84. add action=accept chain=input comment=PPPTP dst-address=************* \
85. dst-port=1723 in-interface=Wan-ISP protocol=tcp
86. add action=drop chain=input comment="Drop invalid connections" \
87. connection-state=invalid
88. add action=drop chain=forward connection-state=invalid
89. add action=accept chain=input comment="Allow UDP" protocol=udp
90. add action=accept chain=forward protocol=udp
91. add chain=input comment="Allow IKE" dst-port=500 protocol=udp
92. add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
93. add chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
94. /ip firewall mangle
95. add action=mark-packet chain=forward new-packet-mark=def_out passthrough=yes \
96. src-address=172.16.2.0/24
97. add action=mark-packet chain=forward dst-address=172.16.2.0/24 new-packet-mark=\
98. def_in passthrough=yes
99. add action=mark-packet chain=forward new-packet-mark=voip_out src-address=\
100. 172.16.4.2
101. add action=mark-packet chain=forward dst-address=172.16.4.2 new-packet-mark=\
102. voip_in
103. /ip firewall nat
104. add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
105. 172.16.2.0/24
106. add action=dst-nat chain=dstnat disabled=yes dst-port=6984 in-interface=Wan-ISP \
107. protocol=tcp to-addresses=172.16.3.3 to-ports=3389
108. add action=masquerade chain=srcnat out-interface=Wan-ISP
109. add action=redirect chain=dstnat dst-port=7777 in-interface=Wan-ISP protocol=\
110. tcp to-ports=80
111. /ip ipsec peer
112. add address=****************** dh-group=modp1536 exchange-mode=main-l2tp \
113. generate-policy=port-override passive=yes secret=**************
114. /ip route
115. add distance=1 gateway=***************
116. /ip service
117. set telnet disabled=yes
118. set ftp disabled=yes
119. set www disabled=yes
120. set ssh disabled=yes
121. set api disabled=yes
122. set api-ssl disabled=yes
123. /ppp secret
124. add local-address=172.16.2.1 name=Wizart password=*************** remote-address=\
125. 172.16.2.3 service=pptp
126. /system clock
127. set time-zone-name=Europe/Moscow
128. /tool mac-server
129. set [ find default=yes ] disabled=yes
130. add
131. add interface=ether2
132. /tool mac-server mac-winbox
133. set [ find default=yes ] disabled=yes
134. add interface=ether2