2WAN PCC 3:2 PPPoE

  1. # Begin Script
  2. # Please change upon your design decision
  3. # Port 1 or ether1-WAN1 is WAN1 (Dynamic PPPoE Client Mode : WAN1-PPPoE)
  4. # Port 2 or ether2-WAN2 is WAN2 (Dynamic PPPoE Client Mode : WAN2-PPPoE)
  5. # Port 3 or ether3 is LAN (Bridge Member of Interface : "bridge1-Home")
  6. # Port 4 or ether4 is LAN (Bridge Member of Interface : "bridge1-Home")
  7. # Port 5 or ether5 is LAN (Bridge Member of Interface : "bridge1-Home")
  8.  
  9.  
  10. /interface bridge
  11. add comment="bridge1-Home : ether3-5" name="bridge1-Home" arp=enabled
  12.  
  13. /interface ethernet
  14. set [ find default-name=ether1 ] disabled=no name="ether1-WAN1" arp=enabled
  15. set [ find default-name=ether2 ] disabled=no name="ether2-WAN2" arp=enabled
  16.  
  17. /ip address
  18. add address=192.168.88.1/24 interface="bridge1-Home" network=192.168.88.0 comment="Home (bridge1-Home : ether3-5) = 192.168.88.1/24"
  19.  
  20.  
  21. /interface bridge port
  22. add bridge="bridge1-Home" interface=ether3 auto-isolate=no
  23. add bridge="bridge1-Home" interface=ether4 auto-isolate=no
  24. add bridge="bridge1-Home" interface=ether5 auto-isolate=no
  25.  
  26.  
  27.  
  28. /ip service
  29. set api disabled=yes
  30. set api-ssl disabled=yes
  31. set ftp disabled=yes
  32. set ssh disabled=yes
  33. set telnet disabled=yes
  34. set winbox port=8291 disabled=no
  35. set www port=81 disabled=no
  36. set www-ssl disabled=yes
  37.  
  38. /ip firewall service-port
  39. set ftp disabled=yes
  40. set tftp disabled=yes
  41. set irc disabled=yes
  42. set h323 disabled=yes
  43. set sip disabled=yes
  44. set pptp disabled=yes
  45.  
  46. /system clock
  47. set time-zone-name=Asia/Bangkok
  48.  
  49. /ip cloud
  50. set enabled=yes update-time=yes
  51.  
  52. /ip dns
  53. set allow-remote-requests=yes max-udp-packet-size=548 cache-size=512KiB servers=8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
  54.  
  55. /ip dns static
  56. add address=192.168.88.1 name="DNS-Home"
  57.  
  58. /ip pool
  59. add name="pool1-Home" ranges=192.168.88.20-192.168.88.240
  60.  
  61. /ip dhcp-server
  62. add add-arp=yes address-pool="pool1-Home" disabled=no interface="bridge1-Home" name="dhcp1-Home" lease-time=3d
  63.  
  64. /ip dhcp-server network
  65. add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24 wins-server=192.168.88.1
  66.  
  67.  
  68.  
  69. /interface pppoe-client
  70. add add-default-route=no comment="WAN1-PPPoE on ether1-WAN1" interface="ether1-WAN1" name="WAN1-PPPoE" user="aaaa@bbbb" password="xxxx" disabled=no
  71. add add-default-route=no comment="WAN2-PPPoE on ether2-WAN2" interface="ether2-WAN2" name="WAN2-PPPoE" user="cccc@dddd" password="xxxx" disabled=no
  72.  
  73. /ip neighbor discovery
  74. set "ether1-WAN1" discover=no
  75. set "WAN1-PPPoE" discover=no
  76. set "ether2-WAN2" discover=no
  77. set "WAN2-PPPoE" discover=no
  78.  
  79. /ip firewall address-list
  80. add address=192.168.88.0/24 disabled=no list="All-Client-IP"
  81.  
  82.  
  83.  
  84. /ip firewall nat
  85. add action=masquerade chain=srcnat disabled=no out-interface="WAN1-PPPoE"
  86. add action=masquerade chain=srcnat disabled=no out-interface="WAN2-PPPoE"
  87. add action=masquerade chain=srcnat disabled=no src-address-list="All-Client-IP" dst-address-list="All-Client-IP"
  88.  
  89. /ip firewall mangle
  90. add action=accept chain=prerouting comment="Accept traffic From All-Client-IP to All-Client-IP" disabled=no dst-address-list="All-Client-IP" src-address-list="All-Client-IP"
  91.  
  92. add action=mark-connection chain=input connection-state=new in-interface="WAN1-PPPoE" new-connection-mark="wan1_conn" passthrough=yes comment="ALL WAN TO ROUTER "
  93. add action=mark-connection chain=input connection-state=new in-interface="WAN2-PPPoE" new-connection-mark="wan2_conn" passthrough=yes
  94.  
  95. add action=mark-connection chain=prerouting connection-state=related in-interface="WAN1-PPPoE" new-connection-mark="wan1_conn" passthrough=yes
  96. add action=mark-connection chain=prerouting connection-state=related in-interface="WAN2-PPPoE" new-connection-mark="wan2_conn" passthrough=yes
  97.  
  98. add action=mark-routing chain=output connection-mark="wan1_conn" new-routing-mark="to_wan1" passthrough=yes
  99. add action=mark-routing chain=output connection-mark="wan2_conn" new-routing-mark="to_wan2" passthrough=yes
  100.  
  101. add chain=prerouting src-address-list="All-Client-IP" dst-address-type=!local per-connection-classifier=both-addresses-and-ports:5/0 action=mark-connection new-connection-mark="pcc_wan1_conn" passthrough=yes comment="Loadbalance PCC WAN1:WAN2 = 3:2"
  102. add chain=prerouting src-address-list="All-Client-IP" dst-address-type=!local per-connection-classifier=both-addresses-and-ports:5/1 action=mark-connection new-connection-mark="pcc_wan1_conn" passthrough=yes
  103. add chain=prerouting src-address-list="All-Client-IP" dst-address-type=!local per-connection-classifier=both-addresses-and-ports:5/2 action=mark-connection new-connection-mark="pcc_wan1_conn" passthrough=yes
  104. add chain=prerouting src-address-list="All-Client-IP" dst-address-type=!local per-connection-classifier=both-addresses-and-ports:5/3 action=mark-connection new-connection-mark="pcc_wan2_conn" passthrough=yes
  105. add chain=prerouting src-address-list="All-Client-IP" dst-address-type=!local per-connection-classifier=both-addresses-and-ports:5/4 action=mark-connection new-connection-mark="pcc_wan2_conn" passthrough=yes
  106.  
  107. add chain=prerouting connection-mark="pcc_wan1_conn" src-address-list="All-Client-IP" action=mark-routing new-routing-mark="pcc_wan1_route" passthrough=yes
  108. add chain=prerouting connection-mark="pcc_wan2_conn" src-address-list="All-Client-IP" action=mark-routing new-routing-mark="pcc_wan2_route" passthrough=yes
  109.  
  110.  
  111. /ip route
  112. add dst-address=0.0.0.0/0 gateway="WAN1-PPPoE" distance=1 check-gateway=arp
  113. add dst-address=0.0.0.0/0 gateway="WAN2-PPPoE" distance=2 check-gateway=arp
  114.  
  115. add check-gateway=ping distance=1 gateway="WAN1-PPPoE" routing-mark="to_wan1"
  116. add check-gateway=ping distance=1 gateway="WAN2-PPPoE" routing-mark="to_wan2"
  117.  
  118. add dst-address=0.0.0.0/0 gateway="WAN1-PPPoE" check-gateway=arp distance=1 routing-mark="pcc_wan1_route"
  119. add dst-address=0.0.0.0/0 gateway="WAN2-PPPoE" check-gateway=arp distance=2 routing-mark="pcc_wan1_route"
  120.  
  121. add dst-address=0.0.0.0/0 gateway="WAN2-PPPoE" check-gateway=arp distance=1 routing-mark="pcc_wan2_route"
  122. add dst-address=0.0.0.0/0 gateway="WAN1-PPPoE" check-gateway=arp distance=2 routing-mark="pcc_wan2_route"
  123.  
  124.  
  125. #Block Bogon IP addresses
  126. /ip firewall filter
  127. add chain=forward src-address=0.0.0.0/8 action=drop \ comment="Block Bogon IP addresses"
  128. add chain=forward dst-address=0.0.0.0/8 action=drop
  129. add chain=forward src-address=127.0.0.0/8 action=drop
  130. add chain=forward dst-address=127.0.0.0/8 action=drop
  131. add chain=forward src-address=224.0.0.0/3 action=drop
  132. add chain=forward dst-address=224.0.0.0/3 action=drop
  133.  
  134.  
  135. #ป้องกันการขอใช้ DNS Caching จากภายนอก
  136. /ip firewall filter
  137. add chain=input in-interface="WAN1-PPPoE" protocol=udp dst-port=53 action=drop
  138. add chain=input in-interface="WAN1-PPPoE" protocol=tcp dst-port=53 action=drop
  139. add chain=input in-interface="WAN2-PPPoE" protocol=udp dst-port=53 action=drop
  140. add chain=input in-interface="WAN2-PPPoE" protocol=tcp dst-port=53 action=drop
  141.  
  142. #ป้องกันการโดนทำ DHCP Relay จากภายนอก จัดไป
  143. /ip firewall filter
  144. add chain=forward protocol=udp dst-port=53 out-interface=!"WAN1-PPPoE" action=drop
  145. add chain=forward protocol=tcp dst-port=53 out-interface=!"WAN1-PPPoE" action=drop
  146. add chain=forward protocol=udp dst-port=53 out-interface=!"WAN2-PPPoE" action=drop
  147. add chain=forward protocol=tcp dst-port=53 out-interface=!"WAN2-PPPoE" action=drop
  148.  
  149. #Customer protection (forward chain - traffic passing through the router)
  150. /ip firewall filter
  151. add chain=forward connection-state=invalid \ action=drop comment="drop invalid connections"
  152. add chain=forward connection-state=established action=accept \ comment="allow already established connections"
  153. add chain=forward connection-state=related action=accept \ comment="allow related connections"
  154.  
  155. #ยอมให้มีการใช้ icmp
  156. /ip firewall filter
  157. add chain=icmp protocol=icmp icmp-options=0:0 action=accept \ comment="echo reply"
  158. add chain=icmp protocol=icmp icmp-options=3:0 action=accept \ comment="net unreachable"
  159. add chain=icmp protocol=icmp icmp-options=3:1 action=accept \ comment="host unreachable"
  160. add chain=icmp protocol=icmp icmp-options=4:0 action=accept \ comment="allow source quench"
  161. add chain=icmp protocol=icmp icmp-options=8:0 action=accept \ comment="allow echo request"
  162. add chain=icmp protocol=icmp icmp-options=11:0 action=accept \ comment="allow time exceed"
  163. add chain=icmp protocol=icmp icmp-options=12:0 action=accept \ comment="allow parameter bad"
  164. add chain=icmp action=drop comment="deny all other types"
  165.  
  166. #Login FTP
  167. /ip firewall filter
  168. add chain=input protocol=tcp dst-port=21 src-address-list="ftp_blacklist" action=drop \ comment="drop ftp brute forcers"
  169. add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
  170. add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \ address-list="ftp_blacklist" address-list-timeout=3h
  171.  
  172. #Prevent a SSH brute forcer to be banned for 10 days after repetitive attempts
  173. /ip firewall filter
  174. add chain=input protocol=tcp dst-port=22 src-address-list="ssh_blacklist" action=drop \ comment="drop ssh brute forcers" disabled=no
  175. add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list="ssh_stage3" action=add-src-to-address-list address-list="ssh_blacklist" \ address-list-timeout=10d comment="" disabled=no
  176. add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list="ssh_stage2" action=add-src-to-address-list address-list="ssh_stage3" \ address-list-timeout=1m comment="" disabled=no
  177. add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list="ssh_stage1" \ action=add-src-to-address-list address-list="ssh_stage2" address-list-timeout=1m comment="" disabled=no
  178. add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \ address-list="ssh_stage1" address-list-timeout=1m comment="" disabled=no
  179. add chain=forward protocol=tcp dst-port=22 src-address-list="ssh_blacklist" action=drop \ comment="drop ssh brute downstream" disabled=no
  180.  
  181. #Drop port scanners
  182. /ip firewall filter
  183. add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
  184. add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
  185. add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
  186. add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
  187. add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
  188. add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
  189. add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
  190.  
  191. #Drop those IPs in both Input & Forward chains:
  192. /ip firewall filter
  193. add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
  194. add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
  195.  
  196. #Make jumps to new chains
  197. /ip firewall filter
  198. add chain=forward protocol=tcp action=jump jump-target=tcp \ comment="Make jumps to new chains"
  199. add chain=forward protocol=udp action=jump jump-target=udp
  200. add chain=forward protocol=icmp action=jump jump-target=icmp
  201.  
  202. #Create TCP chain and deny some TCP ports in it (revise port numbers as needed)
  203. /ip firewall filter
  204. add chain=tcp protocol=tcp dst-port=69 action=drop \ comment="deny TFTP"
  205. add chain=tcp protocol=tcp dst-port=111 action=drop \ comment="deny RPC portmapper"
  206. add chain=tcp protocol=tcp dst-port=135 action=drop \ comment="deny RPC portmapper"
  207. add chain=tcp protocol=tcp dst-port=137-139 action=drop \ comment="deny NBT"
  208. add chain=tcp protocol=tcp dst-port=445 action=drop \ comment="deny cifs"
  209. add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
  210. add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
  211. add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
  212. add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
  213. add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
  214.  
  215. #Create UDP chain and deny some UDP ports in it (revise port numbers as needed)
  216. /ip firewall filter
  217. add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
  218. add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
  219. add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
  220. add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
  221. add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
  222. add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
  223.  
  224. /ip upnp
  225. set allow-disable-external-interface=yes enabled=yes
  226. /ip upnp interfaces
  227. add interface="bridge1-Home" type=internal
  228. add interface="WAN1-PPPoE" type=external
  229. add interface="WAN2-PPPoE" type=external
  230.  
  231. /ip firewall connection tracking
  232. set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=1m tcp-established-timeout=1h tcp-fin-wait-timeout=1m \
  233. tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=10s tcp-time-wait-timeout=1m udp-stream-timeout=3m udp-timeout=30s
  234.  
  235.  
  236. /system script
  237. add name=reboot policy=reboot source="/system reboot"
  238. add name=Force_WAN_Reconnect policy=\
  239. ftp,read,write,policy,test,password,sniff,sensitive source="/interface dis\
  240. able WAN1-PPPoE\r\
  241. \n/interface disable WAN2-PPPoE\r\
  242. \n/ip upnp set enabled=no\r\
  243. \n/log info message=\"WAN1 & WAN2 Disable!\"\r\
  244. \n:delay 30s\r\
  245. \n/interface enable WAN1-PPPoE\r\
  246. \n/interface enable WAN2-PPPoE\r\
  247. \n/log info message=\"WAN1 & WAN2 Enable!\"\r\
  248. \n:delay 10s\r\
  249. \n/ip upnp set enabled=yes\r\
  250. \n:delay 3s\r\
  251. \n/log info message=\"WAN1 & WAN2 forced reconnect. Done!\""
  252.  
  253. /system scheduler
  254. add disabled=yes interval=1d name=Force_Reboot on-event=Force_Reboot policy=reboot start-date=jan/01/2002 start-time=05:00:00
  255. add interval=1d name=Force_WAN_Reconnect on-event=Force_WAN_Reconnect policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=jan/01/2002 start-time=05:00:00
  256.  
  257. /tool graphing interface
  258. add interface="WAN1-PPPoE"
  259. add interface="WAN2-PPPoE"
  260. add interface="bridge1-Home"
  261.  
  262. /system reboot