
RouterOS configuration export for KPN

a guest
Jan 11th, 2013
  1. # jan/11/2013 07:52:20 by RouterOS 5.22
  2. # software id = LACC-MZG3
  3. #
  4.  
  5.  
  6. # Name interfaces
  7. #  ether1-6 is LAN
  8. #  ether7   is connected to LAN port of KPN box
  9. #  ether8   is SIP, connected to WAN port of KPN box
  10. #  ether9   is IPTV (VLAN 4 untagged)
  11. #  ether10  is WAN port
      # ether2-ether5 have master-port=ether1-nas, so they share one switch group with ether1-nas;
      # ether6 has master-port=none and is attached to the LAN as a port of bridge-local instead.
      # sfp1-gateway is left disabled (disabled=yes).
      # NOTE(review): the mac-address values below are written out in full, while the bridge admin-mac
      # values later in this export are masked (XX/YY); mask these as well before sharing an export.
  12. /interface ethernet
  13. set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=yes full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:64 master-port=none mtu=1500 name=sfp1-gateway speed=100Mbps
  14. set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:65 master-port=none mtu=1500 name=ether1-nas speed=1Gbps
  15. set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:66 master-port=ether1-nas mtu=1500 name=ether2 speed=100Mbps
  16. set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:67 master-port=ether1-nas mtu=1500 name=ether3 speed=1Gbps
  17. set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:68 master-port=ether1-nas mtu=1500 name=ether4 speed=100Mbps
  18. set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:69 master-port=ether1-nas mtu=1500 name=ether5 speed=1Gbps
  19. set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:6A master-port=none mtu=1500 name=ether6 speed=100Mbps
  20. set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:6B master-port=none mtu=1500 name=ether7-kpnint speed=100Mbps
  21. set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:6C master-port=none mtu=1500 name=ether8-sip speed=100Mbps
  22. set 9 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:6D master-port=none mtu=1500 name=ether9-iptv speed=100Mbps
  23. set 10 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:31:B3:6E master-port=none mtu=1500 name=ether10-gw speed=100Mbps
  24.  
  25.  
  26. # bridges for LAN, IPTV, SIP and guest (W)LAN
  27. # Important: MAC of bridge-vlan7-sip can NOT be the cloned MAC of KPN box! The others can (and should).
      # Four separate bridges keep the segments apart at layer 2:
      #   bridge-local      - LAN; the only bridge running spanning tree (protocol-mode=rstp)
      #   bridge-vlan4-iptv - IPTV pass-through; fixed admin-mac (auto-mac=no), protocol-mode=none
      #   bridge-vlan7-sip  - SIP pass-through; fixed admin-mac (auto-mac=no), protocol-mode=none
      #   bridge-guest      - guest Wi-Fi; auto-mac=yes, protocol-mode=none
      # The admin-mac values are masked (XX/YY) in this export and must be filled in before import.
  28. /interface bridge
  29. add admin-mac=50:7E:5D:XX:XX:XX ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 name=bridge-local priority=0x8000 protocol-mode=rstp transmit-hold-count=6
  30. add admin-mac=50:7E:5D:XX:XX:XX ageing-time=5m arp=enabled auto-mac=no disabled=no forward-delay=15s l2mtu=1594 max-message-age=20s mtu=1500 name=bridge-vlan4-iptv priority=0x8000 protocol-mode=none transmit-hold-count=6
  31. add admin-mac=50:7E:5D:YY:YY:YY ageing-time=5m arp=enabled auto-mac=no disabled=no forward-delay=15s l2mtu=1594 max-message-age=20s mtu=1500 name=bridge-vlan7-sip priority=0x8000 protocol-mode=none transmit-hold-count=6
  32. add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=65535 max-message-age=20s mtu=1500 name=bridge-guest priority=0x8000 protocol-mode=none transmit-hold-count=6
  33.  
  34. /interface bridge port
      # Port membership per bridge:
      #   bridge-local      = ether1-nas (master of the ether2-5 switch group) + ether6 + wlan
      #   bridge-vlan4-iptv = ether10.4-iptv (provider VLAN 4) + ether9-iptv
      #   bridge-vlan7-sip  = ether10.7-sip (provider VLAN 7) + ether8.7-sip
      #   bridge-guest      = wlan-guest only, so the guest SSID shares no layer-2 segment with the LAN
      # NOTE(review): this export has no "/interface bridge settings" section, so presumably frames
      # bridged between the provider VLANs and ether8/ether9 are not passed through /ip firewall;
      # confirm if filtering of that traffic is expected.
  35. add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=ether1-nas path-cost=10 point-to-point=auto priority=0x80
  36. add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=ether6 path-cost=10 point-to-point=auto priority=0x80
  37. add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=wlan path-cost=10 point-to-point=auto priority=0x80
  38. add bridge=bridge-vlan4-iptv disabled=no edge=auto external-fdb=auto horizon=none interface=ether10.4-iptv path-cost=10 point-to-point=auto priority=0x80
  39. add bridge=bridge-vlan4-iptv disabled=no edge=auto external-fdb=auto horizon=none interface=ether9-iptv path-cost=10 point-to-point=auto priority=0x80
  40. add bridge=bridge-vlan7-sip disabled=no edge=auto external-fdb=auto horizon=none interface=ether10.7-sip path-cost=10 point-to-point=auto priority=0x80
  41. add bridge=bridge-vlan7-sip disabled=no edge=auto external-fdb=auto horizon=none interface=ether8.7-sip path-cost=10 point-to-point=auto priority=0x80
  42. add bridge=bridge-guest disabled=no edge=auto external-fdb=auto horizon=none interface=wlan-guest path-cost=10 point-to-point=auto priority=0x80
  43.  
  44.  
  45. # VLANs on ether10 (wan) and ether8 for SIP
      # On ether10-gw: VLAN 4 (IPTV), VLAN 6 (internet; the PPPoE client dials over ether10.6-inet)
      # and VLAN 7 (SIP). VLAN 7 is also created on ether8-sip so the SIP VLAN can be bridged through
      # to the KPN box. No IP address is assigned to any of these VLAN interfaces in this export.
  46. /interface vlan
  47. add arp=enabled disabled=no interface=ether10-gw l2mtu=1594 mtu=1500 name=ether10.4-iptv use-service-tag=no vlan-id=4
  48. add arp=enabled disabled=no interface=ether8-sip l2mtu=1594 mtu=1500 name=ether8.7-sip use-service-tag=no vlan-id=7
  49. add arp=enabled disabled=no interface=ether10-gw l2mtu=1594 mtu=1500 name=ether10.6-inet use-service-tag=no vlan-id=6
  50. add arp=enabled disabled=no interface=ether10-gw l2mtu=1594 mtu=1500 name=ether10.7-sip use-service-tag=no vlan-id=7
  51.  
  52.  
  53. # KPN PPPoE client
      # pppoe-kpn dials over ether10.6-inet (VLAN 6), installs the default route (add-default-route=yes)
      # and ignores the DNS servers offered by the peer (use-peer-dns=no); MRU/MTU are capped at 1480.
      # NOTE(review): password=kpn together with a MAC-derived user name looks like a provider-wide
      # generic login rather than a personal secret - confirm. A personal credential in this field
      # would need masking before the export is shared.
      # NOTE(review): allow= includes pap, which sends the password unencrypted to the access
      # concentrator; remove pap if the provider also accepts CHAP.
  54. /ppp profile
  55. set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
  56. set 1 change-tcp-mss=yes name=default-encryption only-one=default use-compression=yes use-encryption=yes use-mpls=default use-vj-compression=default
  57.  
  58. /interface pppoe-client
  59. add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=no interface=ether10.6-inet max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-kpn password=kpn profile=default service-name="" \
  60.     use-peer-dns=no user=50-7E-5D-XX:XX:XX@direct-adsl
  61.  
  62.  
  63.  
  64. # Default WLAN config, WPA2
      # Profile "default": WPA2-PSK only (authentication-types=wpa2-psk) with AES-CCM for both unicast
      # and group traffic; the pre-shared keys are masked (XXXXX) and must be set before import.
      # management-protection=disabled, so management frames are not protected.
      # Profile "wlan-guest" (the add below): mode=none with an empty authentication-types list, i.e.
      # an open network with no encryption. Anyone in radio range can join it and observe guest
      # traffic; separation from the LAN depends entirely on the separate bridge and the firewall rules.
  65. /interface wireless security-profiles
  66. set [ find default=yes ] authentication-types=wpa2-psk eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=0s management-protection=disabled management-protection-key="" mode=dynamic-keys name=\
  67.     default radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none \
  68.     static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik \
  69.     tls-certificate=none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=XXXXX wpa2-pre-shared-key=XXXXX
  70. add authentication-types="" eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=0s management-protection=disabled management-protection-key="" mode=none name=wlan-guest radius-eap-accounting=no \
  71.     radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
  72.     none static-key-0="" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=\
  73.     no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
  74.  
  75. # Protected WLAN and unprotected guest network
      # "wlan" is the physical 2.4 GHz access point (mode=ap-bridge, frequency=2412, ssid=Geusmans)
      # using security-profile=default. "wlan-guest" is a virtual AP on master-interface=wlan with
      # ssid=Geusmans-gast and security-profile=wlan-guest (open, see the security profiles).
      # NOTE(review): default-forwarding=yes on wlan-guest lets stations on the open guest SSID exchange
      # frames with each other through the AP; default-forwarding=no isolates guest clients from one
      # another if guest-to-guest traffic is not needed.
  76. /interface wireless
  77. set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 area="" arp=enabled band=2ghz-b/g/n basic-rates-a/g=6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20/40mhz-ht-above compression=no country=\
  78.     netherlands default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes dfs-mode=none disable-running-check=no disabled=no disconnect-timeout=3s distance=indoors frame-lifetime=0 \
  79.     frequency=2412 frequency-mode=manual-txpower frequency-offset=0 hide-ssid=no ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 ht-basic-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 \
  80.     ht-guard-interval=any ht-rxchains=0,1 ht-supported-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23 \
  81.     ht-txchains=0,1 hw-fragmentation-threshold=disabled hw-protection-mode=none hw-protection-threshold=0 hw-retries=7 l2mtu=2290 mac-address=D4:CA:6D:31:B3:6F max-station-count=2007 mode=ap-bridge mtu=1500 \
  82.     multicast-helper=default name=wlan noise-floor-threshold=default nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-preshared-key="" nv2-qos=default nv2-queue-count=2 nv2-security=disabled on-fail-retry-time=100ms \
  83.     periodic-calibration=default periodic-calibration-interval=60 preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=D4CA6D31B36F rate-selection=advanced rate-set=default scan-list=default security-profile=\
  84.     default ssid=Geusmans station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-power=15 \
  85.     tx-power-mode=card-rates update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled wireless-protocol=802.11 wmm-support=disabled
  86. add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 mac-address=\
  87.     D6:CA:6D:31:B3:6F master-interface=wlan max-station-count=2007 mtu=1500 multicast-helper=default name=wlan-guest proprietary-extensions=post-2.9.25 security-profile=wlan-guest ssid=Geusmans-gast update-stats-interval=\
  88.     disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled
  89.  
  90.  
  91.  
  92.  
  93. # IP pools and DHCP server for both LANs
      # LAN:   192.168.88.10-254, served on bridge-local, 3-day leases, authoritative=yes
      # Guest: 192.168.99.10-254, served on bridge-guest, 1-day leases, authoritative=after-2sec-delay
      # Separate pools and subnets are what the guest firewall rules match on (src-address=192.168.99.0/24).
  94. /ip pool
  95. add name=pool-dhcp-lan ranges=192.168.88.10-192.168.88.254
  96. add name=pool-dhcp-guest ranges=192.168.99.10-192.168.99.254
  97.  
  98. /ip dhcp-server
  99. add address-pool=pool-dhcp-lan authoritative=yes bootp-support=static disabled=no interface=bridge-local lease-time=3d name=dhcp-lan
  100. add address-pool=pool-dhcp-guest authoritative=after-2sec-delay bootp-support=static disabled=no interface=bridge-guest lease-time=1d name=dhcp-guest
  101.  
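  102. # Router IP's for LANs
       # The router addresses are placed on the bridges rather than on their member ports. wlan and
       # wlan-guest are ports of bridge-local and bridge-guest, and both the DHCP servers and the
       # input-chain firewall rules in this configuration refer to the bridge interfaces. An address
       # on a bridge port is a documented RouterOS layer-2 misconfiguration: traffic arriving through
       # the other bridge ports is not reliably associated with it.
  103. /ip address
  104. add address=192.168.88.1/24 disabled=no interface=bridge-local network=192.168.88.0
  105. add address=192.168.99.1/24 disabled=no interface=bridge-guest network=192.168.99.0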
  106.  
  107. /ip dhcp-server network
       # Clients on both subnets are handed the router itself as gateway and as DNS server, so all
       # client DNS lookups go through the router's resolver (allow-remote-requests=yes under /ip dns).
       # No NTP, WINS or extra DHCP options are pushed.
  108. add address=192.168.88.0/24 dhcp-option="" dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server="" wins-server=""
  109. add address=192.168.99.0/24 dhcp-option="" dns-server=192.168.99.1 gateway=192.168.99.1 ntp-server="" wins-server=""
  110.  
  111. # DHCP client on ether7, which is connected to a LAN port of the KPN box - allows access to its config page
       # Only an address is taken from the KPN box: add-default-route=no, use-peer-dns=no and
       # use-peer-ntp=no keep its DHCP server from changing the router's routing, DNS or time source.
  112. /ip dhcp-client
  113. add add-default-route=no disabled=no interface=ether7-kpnint use-peer-dns=no use-peer-ntp=no
  114.  
  115. # Google DNS
       # allow-remote-requests=yes turns the router into a caching resolver for its DHCP clients.
       # The setting is not limited to particular interfaces, so whether the resolver is reachable
       # from outside depends on the input-chain firewall: the drop rules for pppoe-kpn and ether10-gw
       # are what keep it from answering queries from the internet. Interfaces whose input is accepted
       # wholesale (ether7-kpnint, bridge-vlan4-iptv) can query it too.
  116. /ip dns
  117. set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4
  118.  
  119. # Firewall rules
       # Connection tracking must stay enabled: the connection-state matches in the filter rules and
       # the masquerade rules in /ip firewall nat depend on it.
       # tcp-syncookie=no: SYN cookies are off, so half-open connections are bounded only by
       # tcp-syn-received-timeout=5s.
  120. /ip firewall connection tracking
  121. set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
  122.     tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
  123.  
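  124. /ip firewall filter
  125. # No traffic from guest to LAN
       # The input rule only covers packets addressed to the router's own LAN address (192.168.88.1);
       # the two forward rules cover routed traffic from guests to the LAN and to the KPN box subnet.
       # Guest access to the router's guest-side address (192.168.99.1) is handled further down.
       # The forward chain has no other rules: everything else is forwarded, so protection of LAN hosts
       # from the internet rests on NAT (no dstnat rules exist) and on what UPnP maps dynamically.
  126. add action=reject chain=input disabled=no dst-address=192.168.88.0/24 reject-with=icmp-net-prohibited src-address=192.168.99.0/24
  127. add action=reject chain=forward disabled=no dst-address=192.168.88.0/24 reject-with=icmp-net-prohibited src-address=192.168.99.0/24
  128. add action=reject chain=forward disabled=no dst-address=192.168.2.0/24 reject-with=icmp-net-prohibited src-address=192.168.99.0/24
  129.  
  130. # Accept ping, internal DHCP traffic
  131. add action=accept chain=input disabled=no in-interface=pppoe-kpn protocol=icmp
  132. add action=accept chain=input disabled=no dst-port=67-68 in-interface=bridge-local protocol=udp
  133.  
  134. # Accept traffic from LANs and other internal ports
  135. add action=accept chain=input disabled=no in-interface=bridge-local src-address=192.168.88.0/24
       # The guest SSID is open (security profile mode=none), so guests get only what they need from the
       # router itself: DNS and DHCP. A blanket accept on bridge-guest would expose every router service
       # listening on 192.168.99.1 (management included) to anyone in radio range; anything else from
       # guests now falls through to the log and drop rules at the end of the chain.
  136. add action=accept chain=input disabled=no dst-port=53 in-interface=bridge-guest protocol=udp src-address=192.168.99.0/24
       add action=accept chain=input disabled=no dst-port=53 in-interface=bridge-guest protocol=tcp src-address=192.168.99.0/24
       add action=accept chain=input disabled=no dst-port=67-68 in-interface=bridge-guest protocol=udp
       # NOTE(review): these two rules trust everything arriving from the KPN box LAN port and from the
       # provider's IPTV VLAN; narrow them to the protocols actually needed if those segments are not
       # fully trusted.
  137. add action=accept chain=input disabled=no in-interface=ether7-kpnint
  138. add action=accept chain=input disabled=no in-interface=bridge-vlan4-iptv
  139.  
  140. # Accept related traffic (NAT etc)
  141. add action=accept chain=input connection-state=established disabled=no
  142. add action=accept chain=input connection-state=related disabled=no
  143.  
  144. # Open up some ports
       # dst-port=1194 has no in-interface match, so it is accepted from every interface, guest and WAN
       # included. dst-port=22 is SSH reachable from the internet via pppoe-kpn.
       # NOTE(review): limit the SSH rule with src-address= or src-address-list= to known admin networks
       # and use key-based logins; an SSH port open to the whole internet attracts constant
       # password guessing. The port 80 rule is present but disabled.
  145. add action=accept chain=input disabled=no dst-port=1194 protocol=tcp
  146. add action=accept chain=input disabled=yes dst-port=80 in-interface=pppoe-kpn protocol=tcp
  147. add action=accept chain=input disabled=no dst-port=22 in-interface=pppoe-kpn protocol=tcp
  148.  
  149. # Drop & log other stuff
       # WAN traffic is dropped before the log rule, so only unmatched packets from the remaining
       # interfaces are logged with the UNKNOWN prefix before the final drop.
       # NOTE(review): these are IP rules only. This export contains no /tool mac-server section;
       # MAC-Telnet and MAC-Winbox operate at layer 2 and are not filtered here, so check that they
       # are not offered on bridge-guest.
  150. add action=drop chain=input disabled=no in-interface=pppoe-kpn
  151. add action=drop chain=input disabled=no in-interface=ether10-gw
  152. add action=log chain=input disabled=no log-prefix=UNKNOWN
  153. add action=drop chain=input disabled=no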
  154.  
  155. /ip firewall nat
       # Rule 1: source-NAT everything from 192.168.0.0/16 leaving through pppoe-kpn. The /16 covers the
       #         LAN (192.168.88.0/24) and the guest network (192.168.99.0/24) alike.
       # Rule 2: source-NAT traffic towards 192.168.2.0/24 leaving through ether7-kpnint, so hosts behind
       #         the router reach the KPN box config page from the router's own address on that segment.
       #         Guests are kept out of 192.168.2.0/24 by a forward-chain reject rule.
       # There are no dstnat rules: inbound port forwards exist only if UPnP creates them.
  156. add action=masquerade chain=srcnat disabled=no out-interface=pppoe-kpn src-address=192.168.0.0/16
  157. add action=masquerade chain=srcnat disabled=no dst-address=192.168.2.0/24 out-interface=ether7-kpnint src-address=192.168.0.0/16
  158.  
  159.  
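  160. # No discovery on external interfaces
       # Neighbor discovery announces the router's identity, version and MAC address on every interface
       # where it is enabled, so it is switched off on the WAN side, the provider VLANs, the KPN box LAN
       # port and both wireless interfaces.
       # bridge-guest is switched off as well: wlan-guest is already disabled here, but announcements
       # sent on the bridge would still reach the open guest SSID through it.
       # NOTE(review): ether8-sip, ether8.7-sip and ether9-iptv remain enabled although they face the
       # KPN box and the IPTV port; disable them too unless discovery is wanted there.
  161. /ip neighbor discovery
  162. set sfp1-gateway disabled=yes
  163. set ether1-nas disabled=no
  164. set ether2 disabled=no
  165. set ether3 disabled=no
  166. set ether4 disabled=no
  167. set ether5 disabled=no
  168. set ether6 disabled=no
  169. set ether7-kpnint disabled=yes
  170. set ether8-sip disabled=no
  171. set ether9-iptv disabled=no
  172. set ether10-gw disabled=yes
  173. set wlan disabled=yes
  174. set bridge-local disabled=no
  175. set ether10.4-iptv disabled=yes
  176. set bridge-vlan4-iptv disabled=yes
  177. set pppoe-kpn disabled=yes
  178. set ether8.7-sip disabled=no
  179. set ether10.6-inet disabled=yes
  180. set bridge-vlan7-sip disabled=yes
  181. set ether10.7-sip disabled=yes
  182. set ovpn-server disabled=yes
  183. set wlan-guest disabled=yes
  184. set bridge-guest disabled=yes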
  185.  
  186.  
  187. # Enable UPnP
       # With UPnP enabled, any host on an internal interface can ask the router to open inbound port
       # mappings on pppoe-kpn without authentication; this is the only source of inbound forwards in
       # this configuration. bridge-guest is not listed as internal, so guests cannot request mappings.
       # allow-disable-external-interface=no keeps clients from shutting down the WAN interface via UPnP.
       # NOTE(review): the second "add" below has no interface= value; it presumably referred to an
       # interface that did not survive the export - verify or remove it before import.
  188. /ip upnp
  189. set allow-disable-external-interface=no enabled=yes show-dummy-rule=yes
  190. /ip upnp interfaces
  191. add disabled=no interface=bridge-local type=internal
  192. add disabled=no type=internal
  193. add disabled=no interface=pppoe-kpn type=external
  194.  
  195. # NTP client (correct time is important for PPPoE)
       # The clock uses the Europe/Amsterdam time zone and is synchronised in unicast mode against two
       # servers given as fixed IP addresses, so time sync does not depend on DNS being up.
       # Plain NTP replies are unauthenticated; correct time also matters for log timestamps.
  196. /system clock
  197. set time-zone-name=Europe/Amsterdam
  198. /system ntp client
  199. set enabled=yes mode=unicast primary-ntp=193.67.79.202 secondary-ntp=193.79.237.14
  200.  
  201.  
  202. # Default switch settings
       # No port mirroring is configured on either switch chip (mirror-source=none, mirror-target=none).
       # Every switch port has vlan-mode=disabled and vlan-header=leave-as-is: the switch chips neither
       # filter nor rewrite VLAN tags, and all VLAN separation in this configuration is done by the
       # /interface vlan and /interface bridge definitions.
  203. /interface ethernet switch
  204. set 0 mirror-source=none mirror-target=none name=switch1
  205. set 1 mirror-source=none mirror-target=none name=switch2
  206.  
  207. /interface ethernet switch port
  208. set 0 vlan-header=leave-as-is vlan-mode=disabled
  209. set 1 vlan-header=leave-as-is vlan-mode=disabled
  210. set 2 vlan-header=leave-as-is vlan-mode=disabled
  211. set 3 vlan-header=leave-as-is vlan-mode=disabled
  212. set 4 vlan-header=leave-as-is vlan-mode=disabled
  213. set 5 vlan-header=leave-as-is vlan-mode=disabled
  214. set 6 vlan-header=leave-as-is vlan-mode=disabled
  215. set 7 vlan-header=leave-as-is vlan-mode=disabled
  216. set 8 vlan-header=leave-as-is vlan-mode=disabled
  217. set 9 vlan-header=leave-as-is vlan-mode=disabled
  218. set 10 vlan-header=leave-as-is vlan-mode=disabled
  219. set 11 vlan-header=leave-as-is vlan-mode=disabled
  220. set 12 vlan-header=leave-as-is vlan-mode=disabled