Untitled

a guest
Feb 9th, 2018
  1. # feb/09/2018 18:38:24 by RouterOS 6.38.7
  2. # software id =**********
  3. #
/caps-man channel
# 2.4 GHz plan: channels 1/6/11 are the non-overlapping trio; channel2
# (2417) and channel5 (2432) overlap them and are each used by a single
# Stage3 / Stage4 configuration further down.
add band=2ghz-b/g/n frequency=2412 name=channel1 tx-power=20 width=20
add band=2ghz-b/g/n frequency=2437 name=channel6 tx-power=20 width=20
add band=2ghz-b/g/n frequency=2462 name=channel11 tx-power=20 width=20
add band=2ghz-b/g/n frequency=2417 name=channel2 tx-power=20 width=20
add band=2ghz-b/g/n frequency=2432 name=channel5 tx-power=20 width=20
/interface bridge
# One bridge per guest/floor ("Stage") segment; the CAPsMAN datapaths and the
# Stage VLAN sub-interfaces are attached to these later in the export.
add name=BridgeStage2
add name=BridgeStage3
add name=BridgeStage4
/interface ethernet
set [ find default-name=ether1 ] comment=Local speed=1Gbps
# NOTE(review): the comment string opened on the continuation line below is
# never closed in this paste; an /import of the file as-is will most likely
# stop here. Probably a paste artefact -- the same comment is closed
# correctly in the /ip address section.
set [ find default-name=ether6 ] comment=\
"ISP 1 Primary Rostelekom
set [ find default-name=ether8 ] comment="ISP2 Reserve Dom.ru "
/interface pppoe-client
# Secondary ISP uplink (ISP2); the PPPoE credentials were masked before
# pasting. use-peer-dns=yes lets the ISP's resolvers be added alongside the
# static 8.8.8.8 in /ip dns.
add comment="ISP 2 DOM.RU" disabled=no interface=ether8 name=pppoe-out1 \
password=******** use-peer-dns=yes user=*******
/ip neighbor discovery
# Neighbour discovery (MNDP/CDP/LLDP) is switched off on every physical port,
# the Stage bridges and the PPPoE uplink, so the router does not advertise its
# identity/version to adjacent devices or to either ISP.
set ether1 discover=no
set ether2 discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
set ether6 discover=no
set ether7 discover=no
set ether8 discover=no
set ether9 discover=no
set ether10 discover=no
set sfp1 discover=no
set BridgeStage2 discover=no
set BridgeStage3 discover=no
set BridgeStage4 discover=no
set pppoe-out1 discover=no
/interface vlan
# Every segment is an 802.1Q sub-interface of ether1, the LAN trunk; the
# router is the .1 gateway of each (see /ip address further down).
add comment="Network device management " interface=ether1 name=\
ManagementVlan2 vlan-id=2
add comment="Network of Servers" interface=ether1 name=\
"Network of ServersVlan3" vlan-id=3
add comment=Stage1 interface=ether1 name=Stage1Vlan10 vlan-id=10
add comment=Stage2 interface=ether1 name=Stage2Vlan20 vlan-id=20
add comment=Stage3 interface=ether1 name=Stage3Vlan30 vlan-id=30
add comment=Stage4 interface=ether1 name=Stage4Vlan40 vlan-id=40
add comment=Personal interface=ether1 name=Teh.PersonalVlan9 vlan-id=9
add comment=UnlimitedSpeed interface=ether1 name=UnlimitedSpeedVlan7 vlan-id=\
7
add comment="Video network" interface=ether1 name=VideoVlan4 vlan-id=4
/caps-man datapath
# local-forwarding=no: CAP client traffic is carried to CAPsMAN and delivered
# onto the Stage bridge, which also has the Stage VLAN sub-interface as a
# port (/interface bridge port) -- that is what joins wireless clients to the
# wired Stage segment. vlan-mode is not exported here, so whether vlan-id
# actually tags the frames depends on the default -- confirm if it matters.
add bridge=BridgeStage4 local-forwarding=no name=datapath2Stage4 vlan-id=40
add bridge=BridgeStage3 local-forwarding=no name=datapath3Stage3 vlan-id=30
add bridge=BridgeStage2 local-forwarding=no name=datapath4Stage2 vlan-id=20
/ip neighbor discovery
# Only the Stage, Unlimited and Video VLANs are silenced here; discovery stays
# enabled on ManagementVlan2, "Network of ServersVlan3" and Teh.PersonalVlan9.
# Presumably deliberate for the management segment -- confirm for Vlan9.
set Stage1Vlan10 discover=no
set Stage2Vlan20 discover=no
set Stage3Vlan30 discover=no
set Stage4Vlan40 discover=no
set UnlimitedSpeedVlan7 discover=no
set VideoVlan4 discover=no
/caps-man security
# A single WPA2-PSK / AES-CCMP profile is shared by every SSID below
# (passphrase masked in the paste). One shared PSK means one rotation
# touches every site and every client at once.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=security1 passphrase=*******
/caps-man configuration
# One configuration per (channel, Stage datapath); SSIDs are masked in the
# paste. Naming is inconsistent (cfg1_Stage2 vs cfg1Stage3). Note that
# cfg1Stage0 and "cfg11Stage0Sauna\B93" use datapath4Stage2, i.e. the
# "Stage 0" radios land in the Stage2 bridge / VLAN 20. "\B9" is a RouterOS
# hex escape for byte 0xB9 (presumably a non-ASCII character in the name).
add channel=channel1 datapath=datapath4Stage2 mode=ap name=cfg1_Stage2 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel6 datapath=datapath4Stage2 mode=ap name=cfg6_Stage2 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel11 datapath=datapath4Stage2 mode=ap name=cfg11_Stage2 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel1 datapath=datapath3Stage3 mode=ap name=cfg1Stage3 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel6 datapath=datapath3Stage3 mode=ap name=cfg6Stage3 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel11 datapath=datapath3Stage3 mode=ap name=cfg11Stage3 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel2 datapath=datapath3Stage3 mode=ap name=cfg2Stage3 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel5 datapath=datapath2Stage4 mode=ap name=cfg5Stage4 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel1 datapath=datapath2Stage4 mode=ap name=cfg1Stage4 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel11 datapath=datapath2Stage4 mode=ap name=cfg11_Stage4 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
add channel=channel1 datapath=datapath4Stage2 mode=ap name=cfg1Stage0 \
rx-chains=0,1,2 security=security1 ssid=************ tx-chains=0,1,2
# cfg1Stage2DublinBar is identical to cfg1_Stage2 apart from the (masked) SSID.
add channel=channel1 datapath=datapath4Stage2 mode=ap name=\
cfg1Stage2DublinBar rx-chains=0,1,2 security=security1 ssid=************ \
tx-chains=0,1,2
add channel=channel11 datapath=datapath4Stage2 mode=ap name=\
"cfg11Stage0Sauna\B93" rx-chains=0,1,2 security=security1 ssid=************ \
tx-chains=0,1,2
/caps-man interface
# Static CAP radio entries, one per access point, keyed by radio-mac. The
# /caps-man provisioning rules further down key on a MAC that is always 5
# lower than the one here (e.g. ...F3:E6:F9 vs ...F3:E6:FE); see the note
# there before editing either list on its own.
add comment="Stage 0" configuration=cfg1Stage0 disabled=no l2mtu=1600 \
mac-address=64:D1:54:F3:E6:FE master-interface=none name=\
MikroTik_Stage0_Prachka radio-mac=64:D1:54:F3:E6:FE
add comment="Sauna \B91" configuration=cfg1Stage0 disabled=no l2mtu=1600 \
mac-address=CC:2D:E0:01:15:25 master-interface=none name=\
"MikroTik_Stage0_Sauna\B91" radio-mac=CC:2D:E0:01:15:25
add comment="Sauna \B93" configuration="cfg11Stage0Sauna\B93" disabled=no \
l2mtu=1600 mac-address=CC:2D:E0:02:51:74 master-interface=none name=\
"MikroTik_Stage0_Sauna\B93" radio-mac=CC:2D:E0:02:51:74
add comment=DublinBar configuration=cfg1_Stage2 disabled=no l2mtu=1600 \
mac-address=CC:2D:E0:12:2C:33 master-interface=none name=\
MikroTik_Stage2_Dublin_Bar radio-mac=CC:2D:E0:12:2C:33
add comment="Stage 2" configuration=cfg11_Stage2 disabled=no l2mtu=1600 \
mac-address=64:D1:54:26:FA:47 master-interface=none name=\
"MikroTik_Stage2\B9205" radio-mac=64:D1:54:26:FA:47
add configuration=cfg1_Stage2 disabled=no l2mtu=1600 mac-address=\
64:D1:54:14:4B:83 master-interface=none name="MikroTik_Stage2\B9209" \
radio-mac=64:D1:54:14:4B:83
add configuration=cfg6_Stage2 disabled=no l2mtu=1600 mac-address=\
64:D1:54:25:29:DD master-interface=none name="MikroTik_Stage2\B9215" \
radio-mac=64:D1:54:25:29:DD
add comment="Stage 3" configuration=cfg6Stage3 disabled=no l2mtu=1600 \
mac-address=64:D1:54:25:29:8F master-interface=none name=\
"MikroTik_Stage3\B9305" radio-mac=64:D1:54:25:29:8F
add configuration=cfg11Stage3 disabled=no l2mtu=1600 mac-address=\
64:D1:54:44:C0:CF master-interface=none name="MikroTik_Stage3\B9309" \
radio-mac=64:D1:54:44:C0:CF
add configuration=cfg2Stage3 disabled=no l2mtu=1600 mac-address=\
64:D1:54:44:C0:AB master-interface=none name="MikroTik_Stage3\B9315" \
radio-mac=64:D1:54:44:C0:AB
add comment="Stage 4" configuration=cfg5Stage4 disabled=no l2mtu=1600 \
mac-address=64:D1:54:46:D1:0B master-interface=none name=\
"MikroTik_Stage4\B9405" radio-mac=64:D1:54:46:D1:0B
add configuration=cfg1Stage4 disabled=no l2mtu=1600 mac-address=\
64:D1:54:49:BF:83 master-interface=none name="MikroTik_Stage4\B9409" \
radio-mac=64:D1:54:49:BF:83
add configuration=cfg11_Stage4 disabled=no l2mtu=1600 mac-address=\
64:D1:54:EC:19:FF master-interface=none name="MikroTik_Stage4\B9415" \
radio-mac=64:D1:54:EC:19:FF
/ip neighbor discovery
# Ten of the thirteen CAP interfaces have discovery disabled;
# "MikroTik_Stage0_Sauna\B91", "MikroTik_Stage0_Sauna\B93" and
# MikroTik_Stage2_Dublin_Bar are missing from this list.
set MikroTik_Stage0_Prachka discover=no
set "MikroTik_Stage2\B9205" discover=no
set "MikroTik_Stage2\B9209" discover=no
set "MikroTik_Stage2\B9215" discover=no
set "MikroTik_Stage3\B9305" discover=no
set "MikroTik_Stage3\B9309" discover=no
set "MikroTik_Stage3\B9315" discover=no
set "MikroTik_Stage4\B9405" discover=no
set "MikroTik_Stage4\B9409" discover=no
set "MikroTik_Stage4\B9415" discover=no
/interface wireless security-profiles
# Default local wireless profile, left at its export default; no local radio
# is configured on this page (all Wi-Fi is served through CAPsMAN).
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
# Used by the forward-chain reject rules in /ip firewall filter. The dots in
# the hostnames are unescaped (they match any character), "video" is listed
# twice in the Video alternation, and the leading "^.+" makes the matcher
# scan the payload before it can decide -- L7 matching on all forward
# traffic is CPU-costly on a busy link.
add name=Video regexp="^.+(youtube|rutube|smotri|ivi|kinokrad|kinogo|megogo|ki\
noprofi|hdkinohit|kinomoov|bobfilm|okino|kino-max|youtube.com|video|video)\
.*\$"
add name=Aninomayzer regexp="^.+(cameleo|easy10.).*\$"
add name="Odnoklassniki Mobile" regexp=\
"^.+(m.ok.ru|vk.com|m.vk.com|ok.ru.).*\$"
/ip hotspot user profile
# Default hotspot profile; no /ip hotspot server appears on this page.
set [ find default=yes ] keepalive-timeout=2h status-autorefresh=1d
/ip ipsec proposal
# The default phase-2 proposal still offers 3DES and has PFS disabled
# (pfs-group=none), so a peer may settle on 3DES with no forward secrecy.
# Moving to AES-only plus a PFS group must be mirrored on every tunnel peer.
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des pfs-group=none
/ip pool
# Dynamic ranges start at .30; .1 is the gateway and .2-.29 are left for
# static hosts. The reservations in /ip dhcp-server lease (172.16.9.31, .33,
# .51, 172.16.10.161, 172.16.20.135) nevertheless sit inside these ranges
# rather than in the reserved block. PoolVlan2 serves 172.16.1.0/24.
add name=PoolVlan2 ranges=172.16.1.30-172.16.1.254
add name=PoolVlan3 ranges=172.16.3.30-172.16.3.254
add name=PoolVlan10 ranges=172.16.10.30-172.16.10.254
add name=PoolVlan20 ranges=172.16.20.30-172.16.20.254
add name=PoolVlan30 ranges=172.16.30.30-172.16.30.254
add name=PoolVlan40 ranges=172.16.40.30-172.16.40.254
add name=PoolVlan9 ranges=172.16.9.30-172.16.9.254
add name=PoolVlan7 ranges=172.16.7.30-172.16.7.254
add name=PoolVlan4 ranges=172.16.4.30-172.16.4.254
/ip dhcp-server
# One server per segment, 1-day leases. Stage2/3/4 bind to the bridges rather
# than the VLAN sub-interfaces because those VLANs are bridge ports and the
# CAPsMAN clients arrive on the same bridge. authoritative=yes should make
# the server NAK requests for leases it does not know about (helps against
# stale/rogue servers on the segment).
add address-pool=PoolVlan2 authoritative=yes disabled=no interface=\
ManagementVlan2 lease-time=1d name=ServerdhcpVlan2
add address-pool=PoolVlan3 authoritative=yes disabled=no interface=\
"Network of ServersVlan3" lease-time=1d name=ServerdhcpVlan3
add address-pool=PoolVlan10 authoritative=yes disabled=no interface=\
Stage1Vlan10 lease-time=1d name=ServerdhcpVlan10
add address-pool=PoolVlan20 authoritative=yes disabled=no interface=\
BridgeStage2 lease-time=1d name=ServerdhcpVlan20
add address-pool=PoolVlan30 authoritative=yes disabled=no interface=\
BridgeStage3 lease-time=1d name=ServerdhcpVlan30
add address-pool=PoolVlan40 authoritative=yes disabled=no interface=\
BridgeStage4 lease-time=1d name=ServerdhcpVlan40
add address-pool=PoolVlan9 authoritative=yes disabled=no interface=\
Teh.PersonalVlan9 lease-time=1d name=ServerdhcpVlan9
add address-pool=PoolVlan7 authoritative=yes disabled=no interface=\
UnlimitedSpeedVlan7 lease-time=1d name=ServerdhcpVlan7
add address-pool=PoolVlan4 authoritative=yes disabled=no interface=VideoVlan4 \
lease-time=1d name=ServerdhcpVlan4
/port
# Serial settings for the USB modem; only ppp-out1 references this port.
set 1 baud-rate=9600 data-bits=8 flow-control=none name=usb2 parity=none \
stop-bits=1
/interface ppp-client
# Tertiary uplink over a USB modem. Nothing on this page routes or NATs
# through it, so it is presumably a manual fallback.
add apn=internet comment="USB Modem" info-channel=1 name=ppp-out1 port=usb2
/ip neighbor discovery
set ppp-out1 discover=no
/queue tree
# NOTE(review): the root "in"/"out" queues on parent=global are disabled=yes,
# yet the VPN_*/SIP_* leaves further down hang off them. Presumably the
# children are inactive while the parent is disabled -- check
# /queue tree print before relying on the SIP priority.
add disabled=yes max-limit=25M name=in parent=global
add disabled=yes max-limit=25M name=out parent=global
add disabled=yes max-limit=1M name=Web_in packet-mark=WEB_in parent=in \
priority=5
add disabled=yes max-limit=1M name=WEB_out packet-mark=WEB_out parent=out \
priority=5
/queue type
# The first type name starts with a space (" pcq-download-3M"); the simple
# queues below reference it with exactly that spelling, so renaming it means
# editing every queue= that uses it.
add kind=pcq name=" pcq-download-3M" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=3M pcq-src-address6-mask=64
add kind=pcq name=pcq-upload-3M pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=3M pcq-src-address6-mask=64
# SIP: 100k per flow (classifier is the full address/port 4-tuple); used by
# the SIP_* leaves of the tree below.
add kind=pcq name=SIP pcq-classifier=\
src-address,dst-address,src-port,dst-port pcq-dst-address6-mask=64 \
pcq-rate=100k pcq-src-address6-mask=64
/queue simple
# 25M cap per Stage segment with 3M per client address (PCQ). The
# UnlimitedNetwork entry is disabled, so UnlimitedSpeedVlan7 is not shaped.
add max-limit=25M/25M name=queue-limit-3M_Vlan10 queue=\
"pcq-upload-3M/ pcq-download-3M" target=Stage1Vlan10
add max-limit=25M/25M name=queue-limit-3M_Vlan20 queue=\
"pcq-upload-3M/ pcq-download-3M" target=BridgeStage2
add max-limit=25M/25M name=queue-limit-3M_Vlan30 queue=\
"pcq-upload-3M/ pcq-download-3M" target=BridgeStage3
add max-limit=25M/25M name=queue-limit-3M_Vlan40 queue=\
"pcq-upload-3M/ pcq-download-3M" target=BridgeStage4
add disabled=yes max-limit=25M/25M name=UnlimitedNetwork queue=\
"pcq-upload-3M/ pcq-download-3M" target=UnlimitedSpeedVlan7
/queue tree
# Packet-mark names are case-sensitive and must match /ip firewall mangle
# exactly (SIP_OUT and SIP_VPN_OUT are upper-case there as well).
# VPN_WEB_out uses pcq-download-default where VPN_out uses
# pcq-upload-default -- looks like a copy/paste slip; the limit still
# applies but the PCQ presumably classifies on the wrong address, confirm.
add max-limit=10M name=VPN_in packet-mark=PPTP_in,GRE_in parent=in priority=3 \
queue=pcq-download-default
add max-limit=10M name=VPN_out packet-mark=PPTP_out,GRE_out parent=out \
priority=3 queue=pcq-upload-default
add max-limit=2M name=SIP_in packet-mark=SIP_in parent=in priority=1 queue=\
SIP
add max-limit=2M name=SIP_out packet-mark=SIP_OUT parent=out priority=1 \
queue=SIP
add max-limit=2M name=VPN_SIP_in packet-mark=SIP_VPN_in parent=VPN_in \
priority=1 queue=SIP
add max-limit=2M name=VPN_SIP_out packet-mark=SIP_VPN_OUT parent=VPN_out \
priority=1 queue=SIP
add max-limit=10M name=VPN_WEB_in packet-mark=VPN_WEB_in parent=VPN_in \
priority=5 queue=pcq-download-default
add max-limit=10M name=VPN_WEB_out packet-mark=VPN_WEB_out parent=VPN_out \
priority=5 queue=pcq-download-default
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
# NOTE(review): customer WZ is exported with a literal password ("PASS"),
# unlike every other secret on this page, which was masked. If that is a
# real credential it is now public and should be rotated. permissions=owner
# makes this account equivalent to admin within User Manager.
add access=own-routers,own-users,own-profiles,own-limits,config-payment-gw \
backup-allowed=yes disabled=no login=WZ password=PASS \
paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
permissions=owner signup-allowed=no time-zone=-00:00
/tool user-manager profile
# Free, non-expiring default profile owned by admin.
add name=admin name-for-users="" override-shared-users=off owner=admin price=\
0 starts-at=now validity=0s
/caps-man access-list
# Both rules are disabled, so no signal-strength admission control is in
# force; as written they would accept clients at -80 dBm or better and
# reject the weaker ones.
add action=accept disabled=yes interface=all signal-range=-80..120 \
ssid-regexp=""
add action=reject disabled=yes interface=all signal-range=-120..-81 \
ssid-regexp=""
/caps-man manager
# CAPsMAN is enabled without any interface restriction; since the input
# chain in /ip firewall filter has no terminal drop, CAP discovery/control is
# reachable on ether6 and pppoe-out1 as well. Limiting the manager to the
# LAN trunk, or dropping its UDP ports on the uplinks in the input chain,
# keeps it off the Internet.
set enabled=yes
/caps-man provisioning
# One rule per AP keyed by radio MAC. NOTE(review): every MAC here is the
# matching /caps-man interface radio-mac minus 5 (e.g. ...F3:E6:F9 vs
# ...F3:E6:FE), and for seven radios the master-configuration disagrees with
# the static entry's configuration (e.g. ...14:4B:7E -> cfg6_Stage2 here but
# cfg1_Stage2 on "MikroTik_Stage2\B9209"; likewise \B9215, \B9305, \B9309,
# \B9315, \B9405, \B9409). Whichever list carries the real radio MAC wins,
# so reconcile the two (/caps-man radio print) before changing the channel
# plan.
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg6_Stage2 radio-mac=64:D1:54:14:4B:7E
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg11_Stage2 radio-mac=64:D1:54:25:29:D8
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg11Stage3 radio-mac=64:D1:54:25:29:8A
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg6Stage3 radio-mac=64:D1:54:44:C0:A6
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg2Stage3 radio-mac=64:D1:54:44:C0:CA
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg5Stage4 radio-mac=64:D1:54:49:BF:7E
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg1Stage4 radio-mac=64:D1:54:46:D1:06
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg11_Stage4 radio-mac=64:D1:54:EC:19:FA
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg11_Stage2 radio-mac=64:D1:54:26:FA:42
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg1Stage0 radio-mac=64:D1:54:F3:E6:F9
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg1Stage2DublinBar radio-mac=CC:2D:E0:12:2C:2E
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg1Stage0 radio-mac=CC:2D:E0:01:15:20
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
"cfg11Stage0Sauna\B93" radio-mac=CC:2D:E0:02:51:6F
/interface bridge port
# Joins each Stage VLAN sub-interface to its Stage bridge, where the CAPsMAN
# datapath also delivers the wireless clients.
add bridge=BridgeStage4 interface=Stage4Vlan40
add bridge=BridgeStage3 interface=Stage3Vlan30
add bridge=BridgeStage2 interface=Stage2Vlan20
/interface pptp-server server
# PPTP is enabled. Its MS-CHAPv2/MPPE protection is considered broken, and
# with no terminal input drop TCP/1723 is open on both uplinks; the
# main-l2tp IPsec peers in /ip ipsec peer are the stronger remote-access
# path. The PPTP/GRE mangle and queue rules depend on this server.
set enabled=yes
/ip address
# Gateway .1 on every VLAN, 172.16.<vlan>.0/24 except VLAN 2 (172.16.1.0/24).
# The ISP1 host address is masked but its network= (and the ISP1 gateway in
# /ip route) are not, so the public prefix is visible in this paste.
add address=172.16.1.1/24 comment="Network device management " interface=\
ManagementVlan2 network=172.16.1.0
add address=172.16.3.1/24 comment="Servers network" interface=\
"Network of ServersVlan3" network=172.16.3.0
add address=172.16.4.1/24 comment="Network video" interface=VideoVlan4 \
network=172.16.4.0
add address=172.16.7.1/24 comment="Unlimited speed" interface=\
UnlimitedSpeedVlan7 network=172.16.7.0
add address=172.16.9.1/24 comment=Personal interface=Teh.PersonalVlan9 \
network=172.16.9.0
add address=172.16.10.1/24 comment="Stage 1" interface=Stage1Vlan10 network=\
172.16.10.0
add address=172.16.20.1/24 comment="Stage 2" interface=Stage2Vlan20 network=\
172.16.20.0
add address=172.16.30.1/24 comment="Stage 3" interface=Stage3Vlan30 network=\
172.16.30.0
add address=172.16.40.1/24 comment="Stage 4" interface=Stage4Vlan40 network=\
172.16.40.0
add address=************/24 comment="ISP 1 Rostelekom " \
interface=ether6 network=85.172.120.0
/ip dhcp-client
# NOTE(review): ether6 carries both a static address and a DHCP client. A
# DHCP lease installs its own default route (add-default-route defaults to
# yes and is not exported here), which would sit at distance 1 ahead of the
# distance-3 ISP1 route in /ip route -- confirm which of the two is meant
# to win.
add dhcp-options=hostname,clientid disabled=no interface=ether6
/ip dhcp-server alert
# Rogue-DHCP alerting is enabled only on the management VLAN; the Stage
# bridges, where an unexpected DHCP server is far more likely, are not
# watched.
add disabled=no interface=ManagementVlan2
/ip dhcp-server lease
# 00:6D:52:15:13:A3 has reservations on both Vlan10 and Vlan20 (same device
# seen on two segments). 172.16.9.33 is also on the "blacklist " list.
add address=172.16.9.33 client-id=1:0:25:ab:1a:6:6c mac-address=\
00:25:AB:1A:06:6C server=ServerdhcpVlan9
add address=172.16.9.31 client-id=1:44:6d:57:d3:38:46 mac-address=\
44:6D:57:D3:38:46 server=ServerdhcpVlan9
add address=172.16.10.161 always-broadcast=yes client-id=1:0:6d:52:15:13:a3 \
mac-address=00:6D:52:15:13:A3 server=ServerdhcpVlan10
add address=172.16.9.51 always-broadcast=yes client-id=1:0:1b:67:15:8f:bd \
mac-address=00:1B:67:15:8F:BD server=ServerdhcpVlan9
add address=172.16.20.135 client-id=1:0:6d:52:15:13:a3 mac-address=\
00:6D:52:15:13:A3 server=ServerdhcpVlan20
/ip dhcp-server network
# Every segment is handed its gateway plus 8.8.8.8 as resolvers.
# 172.16.6.0/24 has no VLAN, address, pool or server on this page -- a stale
# entry.
add address=172.16.1.0/24 dns-server=172.16.1.1,8.8.8.8 gateway=172.16.1.1
add address=172.16.3.0/24 dns-server=172.16.3.1,8.8.8.8 gateway=172.16.3.1
add address=172.16.4.0/24 dns-server=172.16.4.1,8.8.8.8 gateway=172.16.4.1
add address=172.16.6.0/24 dns-server=172.16.6.1,8.8.8.8 gateway=172.16.6.1
add address=172.16.7.0/24 dns-server=172.16.7.1,8.8.8.8 gateway=172.16.7.1
add address=172.16.9.0/24 dns-server=172.16.9.1,8.8.8.8 gateway=172.16.9.1
add address=172.16.10.0/24 dns-server=172.16.10.1,8.8.8.8 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1,8.8.8.8 gateway=172.16.20.1
add address=172.16.30.0/24 dns-server=172.16.30.1,8.8.8.8 gateway=172.16.30.1
add address=172.16.40.0/24 dns-server=172.16.40.1,8.8.8.8 gateway=172.16.40.1
/ip dns
# allow-remote-requests=yes makes the router a resolver. The input chain in
# /ip firewall filter drops UDP/53 arriving on ether6 and pppoe-out1 but not
# TCP/53, and that chain has no terminal drop -- keep those two drop rules
# in place if the filter is ever reordered.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
# The list name carries a trailing space ("blacklist "); every rule that
# references it must keep that spelling.
add address=172.16.9.33 list="blacklist "
add address=172.16.9.30 list="blacklist "
/ip firewall filter
# NOTE(review): neither chain ends in a drop, so the policy is
# default-accept. For input that means every router service (WinBox, API,
# SSH, www, ...) is reachable from ether6 and pppoe-out1 -- the disabled
# WinBox rule and the explicit API (8728) accept change nothing. For forward
# it means the accept rules are no-ops for policy; only the reject/drop
# rules actually deny anything. Closing input with a drop for
# in-interface=ether6 and another for pppoe-out1 (after the accepts), and
# forward with the equivalent per uplink, would give the accepts meaning;
# restricting /ip service to the management subnet is the complementary
# step.
# Blacklist handling: VK/OK/video sites are rejected (tcp-reset) for the two
# listed hosts; the Video L7 pattern is also rejected for the whole server
# network 172.16.3.0/24.
add action=reject chain=forward comment=VK.COM content=vk.com protocol=tcp \
reject-with=tcp-reset src-address-list="blacklist "
add action=reject chain=forward comment=OK.RU layer7-protocol=\
"Odnoklassniki Mobile" protocol=tcp reject-with=tcp-reset \
src-address-list="blacklist "
add action=reject chain=forward layer7-protocol=Video protocol=tcp \
reject-with=tcp-reset src-address=172.16.3.0/24
add action=reject chain=forward layer7-protocol=Video protocol=tcp \
reject-with=tcp-reset src-address-list="blacklist "
# Keeps the open resolver (/ip dns allow-remote-requests=yes) off ISP2;
# UDP only, TCP/53 is not covered.
add action=drop chain=input comment="DNS DOM.RU" dst-port=53 in-interface=\
pppoe-out1 protocol=udp
# Paired with the 8.8.4.4/32 route via ISP1: presumably a reachability probe
# that must never leak out through ISP2.
add action=drop chain=output comment="GOOGLE PING" dst-address=8.8.4.4 \
out-interface=pppoe-out1
add action=accept chain=input comment=Estabilished/Related connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment=Invalid connection-state=invalid
# Invalid-state drop on input only covers ether6, not pppoe-out1.
add action=drop chain=input connection-state=invalid in-interface=ether6
add action=accept chain=forward comment=IpSec dst-port=500 protocol=udp
add action=accept chain=forward dst-port=4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
# Same as "DNS DOM.RU" for ISP1 (UDP only).
add action=drop chain=input comment="DNS ROSTELEKOM" dst-port=53 \
in-interface=ether6 protocol=udp
add action=accept chain=input comment=WinBox disabled=yes dst-port=8291 \
in-interface=ether6 protocol=tcp
add action=accept chain=input comment="Allow ping" protocol=icmp
add action=accept chain=forward comment=Video dst-port=34567 protocol=tcp
add action=accept chain=forward dst-port=90 protocol=tcp
add action=accept chain=forward comment="IIS Server" dst-port=80 protocol=tcp
# Management API exposed on the ISP1 uplink.
add action=accept chain=input comment=Iwinbox dst-port=8728 in-interface=\
ether6 protocol=tcp
# Accepts all UDP to the router from any interface, including both uplinks.
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=accept chain=forward comment="Rule Femto-Sota Megafon" dst-port=\
443 protocol=tcp
add action=accept chain=forward dst-port=123 protocol=udp
add action=accept chain=forward dst-port=123 protocol=tcp
add action=accept chain=forward dst-port=53 protocol=udp
/ip firewall mangle
# PPTP/GRE: connections are marked in input/output; the packet marks carry
# the opposite suffix to the chain they are set in (prerouting -> *_out,
# postrouting -> *_in). The VPN_in/VPN_out leaves in /queue tree depend on
# exactly this pairing, so rename both halves together or not at all.
add action=mark-connection chain=input comment=PPTP dst-port=1723 \
new-connection-mark=PPTP_in passthrough=no protocol=tcp
add action=mark-packet chain=prerouting connection-mark=PPTP_in \
new-packet-mark=PPTP_out passthrough=no
add action=mark-connection chain=output new-connection-mark=PPTP_out \
passthrough=no protocol=tcp src-port=1723
add action=mark-packet chain=postrouting connection-mark=PPTP_out \
new-packet-mark=PPTP_in passthrough=no
add action=mark-connection chain=input comment=GRE new-connection-mark=GRE_in \
passthrough=no protocol=gre
add action=mark-packet chain=prerouting connection-mark=GRE_in \
new-packet-mark=GRE_out passthrough=no
add action=mark-connection chain=output new-connection-mark=GRE_out \
passthrough=no protocol=gre
add action=mark-packet chain=postrouting connection-mark=GRE_out \
new-packet-mark=GRE_in passthrough=no
# WEB: 80/443/8080 connections, split into VPN (all-ppp) and ISP1 (ether6)
# packet marks. The WEB_in/WEB_out leaves in /queue tree are disabled.
# all-ppp presumably also matches the pppoe-out1 uplink, so if ISP2 is
# enabled its web traffic would land in the VPN_WEB_* marks -- confirm.
add action=mark-connection chain=prerouting comment=WEB dst-port=80,443,8080 \
new-connection-mark=Web passthrough=no protocol=tcp
add action=mark-packet chain=forward connection-mark=Web new-packet-mark=\
VPN_WEB_in out-interface=all-ppp passthrough=no
add action=mark-packet chain=forward connection-mark=Web in-interface=all-ppp \
new-packet-mark=VPN_WEB_out passthrough=no
add action=mark-packet chain=forward connection-mark=Web in-interface=ether6 \
new-packet-mark=WEB_in passthrough=no
add action=mark-packet chain=forward connection-mark=Web new-packet-mark=\
WEB_out out-interface=ether6 passthrough=no
# ALL: catch-all packet marks. No queue on this page references VPN_ALL_* or
# ALL_*. NOTE(review): the two VPN_ALL rules match every remaining packet
# to/from all-ppp with passthrough=no, so the SIP_VPN_in / SIP_VPN_OUT rules
# further down can never fire for VPN traffic and the VPN_SIP_* leaves stay
# empty. Move the SIP block above these two rules, or set passthrough=yes on
# them as the ether6 ALL rules already do.
add action=mark-packet chain=forward comment=ALL new-packet-mark=VPN_ALL_in \
out-interface=all-ppp passthrough=no
add action=mark-packet chain=forward in-interface=all-ppp new-packet-mark=\
VPN_ALL_out passthrough=no
add action=mark-packet chain=forward in-interface=ether6 new-packet-mark=\
ALL_in passthrough=yes
add action=mark-packet chain=forward new-packet-mark=ALL_out out-interface=\
ether6 passthrough=yes
# SIP: UDP 5060 plus the 36600-39999 media range. Only the ether6 pair is
# reachable in practice (see the note above).
add action=mark-connection chain=prerouting comment=SIP dst-port=\
5060,36600-39999 new-connection-mark=sip passthrough=no protocol=udp
add action=mark-packet chain=forward connection-mark=sip new-packet-mark=\
SIP_VPN_in out-interface=all-ppp passthrough=no
add action=mark-packet chain=forward connection-mark=sip in-interface=all-ppp \
new-packet-mark=SIP_VPN_OUT passthrough=no
add action=mark-packet chain=forward connection-mark=sip in-interface=ether6 \
new-packet-mark=SIP_in passthrough=no
add action=mark-packet chain=forward connection-mark=sip new-packet-mark=\
SIP_OUT out-interface=ether6 passthrough=no
/ip firewall nat
# srcnat: the accept rules for the IPsec-protected subnets must stay above
# the two masquerade rules at the end, otherwise tunnelled traffic is NATed
# and the /ip ipsec policies stop matching. "IPsec Moscow" (tcp only) is a
# subset of the later 100.65.224.0/24 accept and could be dropped.
add action=accept chain=srcnat comment="IPsec Moscow" dst-address=\
100.65.224.0/24 protocol=tcp src-address=172.16.1.0/24
# NOTE(review): RDP on 172.16.3.16 is published on TCP/6988 with no
# in-interface and an empty (unset) dst-address-list, i.e. from both uplinks
# as well as the LAN, and the forward chain has no drop that would stop it;
# the non-standard port is the only obstacle. Limit it to in-interface=ether6
# plus a src-address-list of permitted sources, or serve it over the VPN only.
add action=dst-nat chain=dstnat comment="Terminal Server" dst-address-list="" \
dst-port=6988 protocol=tcp to-addresses=172.16.3.16 to-ports=3389
add action=accept chain=srcnat comment="IpSec tunnel ************" \
dst-address=10.8.0.0/24 src-address=172.16.1.0/24
# Public web server, ISP1 only.
add action=dst-nat chain=dstnat comment="Apache Server" dst-port=80 \
in-interface=ether6 protocol=tcp to-addresses=172.16.3.6 to-ports=80
add action=accept chain=srcnat comment="IpSec tunnel ************" \
dst-address=172.18.1.0/24 src-address=172.16.1.0/24
add action=accept chain=srcnat comment="IpSec tunnel ************" disabled=\
yes dst-address=172.17.3.0/24 src-address=172.16.0.0/16
add action=accept chain=srcnat comment="IpSec tunnel ************" \
dst-address=100.65.224.0/24 src-address=172.16.1.0/24
# Video recorders on VideoVlan4: 88/95/96 -> 34567 and 90 -> 90, ISP1 only
# but open to any source; a src-address-list on these is cheap hardening.
add action=dst-nat chain=dstnat comment="Video nat" dst-port=88 in-interface=\
ether6 protocol=tcp to-addresses=172.16.4.2 to-ports=34567
add action=dst-nat chain=dstnat dst-port=95 in-interface=ether6 protocol=tcp \
to-addresses=172.16.4.6 to-ports=34567
add action=dst-nat chain=dstnat dst-port=96 in-interface=ether6 protocol=tcp \
to-addresses=172.16.4.8 to-ports=34567
add action=dst-nat chain=dstnat dst-port=90 in-interface=ether6 protocol=tcp \
to-addresses=172.16.4.3 to-ports=90
add action=accept chain=srcnat comment="IpSec tunnel ************" \
dst-address=192.168.1.0/24 src-address=172.16.1.0/24
# Default masquerade per uplink; everything not accepted above is NATed.
add action=masquerade chain=srcnat comment="Nat rostelekom" out-interface=\
ether6
add action=masquerade chain=srcnat comment="Nat Dom.ru" out-interface=\
pppoe-out1
/ip hotspot user
# No password attribute is exported for this account. Other secrets on this
# page are masked rather than omitted, so confirm it has one before any
# hotspot server is enabled.
add name=admin
/ip ipsec peer
# Site-to-site peers still offer modp1024 (dh-group); the two main-l2tp
# peers are the L2TP/IPsec remote-access endpoints (generate-policy=
# port-override), one of them with nat-traversal=no. Addresses and
# pre-shared keys are masked.
add address=************/32 dh-group=modp1536,modp1024 secret=************
add address=************/32 dh-group=modp1536 exchange-mode=main-l2tp \
generate-policy=port-override nat-traversal=no passive=yes secret=\
************
add address=************/32 dh-group=modp1536 exchange-mode=main-l2tp \
generate-policy=port-override passive=yes secret=************
add address=************/32 dh-group=modp1536,modp1024 disabled=yes \
secret=************
/ip ipsec policy
# Static tunnel policies for 172.18.1.0/24 and 100.65.224.0/24, matching the
# srcnat accepts. The trailing "6" in the second sa-dst-address is a masking
# artefact. The 10.8.0.0/24 and 192.168.1.0/24 tunnels have no static policy
# here -- presumably generated dynamically by the main-l2tp peers.
add dst-address=172.18.1.0/24 sa-dst-address=************ sa-src-address=\
************ src-address=172.16.1.0/24 tunnel=yes
add dst-address=100.65.224.0/24 sa-dst-address=************6 \
sa-src-address=************ src-address=172.16.1.0/24 tunnel=yes
/ip route
# ISP1 is the only active default route (distance 3); ISP2 is present but
# disabled. The 8.8.4.4/32 host route pinned to ISP1, together with the
# output drop towards 8.8.4.4 on pppoe-out1, looks like a reachability probe
# for ISP1 (no netwatch consumer appears on this page). If the ether6 DHCP
# client adds its own default route, it would take precedence over ISP1 here.
add comment=ISP1 distance=3 gateway=85.172.120.101
add comment=ISP2 disabled=yes distance=2 gateway=pppoe-out1
add comment=GOOGLE distance=1 dst-address=8.8.4.4/32 gateway=85.172.120.101
  472. /ip route rule
  473. add action=unreachable comment="Block Traffic Vlan" dst-address=\
  474. 172.16.30.0/24 src-address=172.16.40.0/24
  475. add action=unreachable dst-address=172.16.20.0/24 src-address=172.16.40.0/24
  476. add action=unreachable dst-address=172.16.10.0/24 src-address=172.16.40.0/24
  477. add action=unreachable dst-address=172.16.9.0/24 src-address=172.16.40.0/24
  478. add action=unreachable dst-address=172.16.7.0/24 src-address=172.16.40.0/24
  479. add action=unreachable dst-address=172.16.5.0/24 src-address=172.16.40.0/24
  480. add action=unreachable dst-address=172.16.4.0/24 src-address=172.16.40.0/24
  481. add action=unreachable dst-address=172.16.3.0/24 src-address=172.16.40.0/24
  482. add action=unreachable dst-address=172.16.2.0/24 src-address=172.16.40.0/24
  483. add action=unreachable dst-address=172.16.1.0/24 src-address=172.16.40.0/24
  484. add action=unreachable dst-address=172.16.40.0/24 src-address=172.16.30.0/24
  485. add action=unreachable dst-address=172.16.20.0/24 src-address=172.16.30.0/24
  486. add action=unreachable dst-address=172.16.10.0/24 src-address=172.16.30.0/24
  487. add action=unreachable dst-address=172.16.9.0/24 src-address=172.16.30.0/24
  488. add action=unreachable dst-address=172.16.7.0/24 src-address=172.16.30.0/24
  489. add action=unreachable dst-address=172.16.5.0/24 src-address=172.16.30.0/24
  490. add action=unreachable dst-address=172.16.4.0/24 src-address=172.16.30.0/24
  491. add action=unreachable dst-address=172.16.3.0/24 src-address=172.16.30.0/24
  492. add action=unreachable dst-address=172.16.2.0/24 src-address=172.16.30.0/24
  493. add action=unreachable dst-address=172.16.1.0/24 src-address=172.16.30.0/24
  494. add action=unreachable dst-address=172.16.40.0/24 src-address=172.16.20.0/24
  495. add action=unreachable dst-address=172.16.30.0/24 src-address=172.16.20.0/24
  496. add action=unreachable dst-address=172.16.10.0/24 src-address=172.16.20.0/24
  497. add action=unreachable dst-address=172.16.9.0/24 src-address=172.16.20.0/24
  498. add action=unreachable dst-address=172.16.7.0/24 src-address=172.16.20.0/24
  499. add action=unreachable dst-address=172.16.5.0/24 src-address=172.16.20.0/24
  500. add action=unreachable dst-address=172.16.4.0/24 src-address=172.16.20.0/24
  501. add action=unreachable dst-address=172.16.3.0/24 src-address=172.16.20.0/24
  502. add action=unreachable dst-address=172.16.2.0/24 src-address=172.16.20.0/24
  503. add action=unreachable dst-address=172.16.1.0/24 src-address=172.16.20.0/24
  504. add action=unreachable dst-address=172.16.40.0/24 src-address=172.16.10.0/24
  505. add action=unreachable dst-address=172.16.30.0/24 src-address=172.16.10.0/24
  506. add action=unreachable dst-address=172.16.20.0/24 src-address=172.16.10.0/24
  507. add action=unreachable dst-address=172.16.9.0/24 src-address=172.16.10.0/24
  508. add action=unreachable dst-address=172.16.7.0/24 src-address=172.16.10.0/24
  509. add action=unreachable dst-address=172.16.5.0/24 src-address=172.16.10.0/24
  510. add action=unreachable dst-address=172.16.4.0/24 src-address=172.16.10.0/24
  511. add action=unreachable disabled=yes dst-address=172.16.3.0/24 src-address=\
  512. 172.16.10.0/24
  513. add action=unreachable dst-address=172.16.2.0/24 src-address=172.16.10.0/24
  514. add action=unreachable disabled=yes dst-address=172.16.1.0/24 src-address=\
  515. 172.16.10.0/24
  516. add action=unreachable dst-address=172.16.40.0/24 src-address=172.16.9.0/24
  517. add action=unreachable dst-address=172.16.30.0/24 src-address=172.16.9.0/24
  518. add action=unreachable dst-address=172.16.20.0/24 src-address=172.16.9.0/24
  519. add action=unreachable dst-address=172.16.10.0/24 src-address=172.16.9.0/24
  520. add action=unreachable dst-address=172.16.7.0/24 src-address=172.16.9.0/24
  521. add action=unreachable dst-address=172.16.5.0/24 src-address=172.16.9.0/24
  522. add action=unreachable dst-address=172.16.40.0/24 src-address=172.16.7.0/24
  523. add action=unreachable dst-address=172.16.30.0/24 src-address=172.16.7.0/24
  524. add action=unreachable dst-address=172.16.20.0/24 src-address=172.16.7.0/24
  525. add action=unreachable dst-address=172.16.10.0/24 src-address=172.16.7.0/24
  526. add action=unreachable dst-address=172.16.9.0/24 src-address=172.16.7.0/24
  527. add action=unreachable dst-address=172.16.5.0/24 src-address=172.16.7.0/24
  528. add action=unreachable dst-address=172.16.4.0/24 src-address=172.16.7.0/24
  529. add action=unreachable dst-address=172.16.3.0/24 src-address=172.16.7.0/24
  530. add action=unreachable dst-address=172.16.2.0/24 src-address=172.16.7.0/24
  531. add action=unreachable dst-address=172.16.1.0/24 src-address=172.16.7.0/24
  532. add action=unreachable dst-address=172.16.40.0/24 src-address=172.16.5.0/24
  533. add action=unreachable dst-address=172.16.30.0/24 src-address=172.16.5.0/24
  534. add action=unreachable dst-address=172.16.20.0/24 src-address=172.16.5.0/24
  535. add action=unreachable dst-address=172.16.10.0/24 src-address=172.16.5.0/24
  536. add action=unreachable dst-address=172.16.9.0/24 src-address=172.16.5.0/24
  537. add action=unreachable dst-address=172.16.7.0/24 src-address=172.16.5.0/24
  538. add action=unreachable dst-address=172.16.4.0/24 src-address=172.16.5.0/24
  539. add action=unreachable dst-address=172.16.3.0/24 src-address=172.16.5.0/24
  540. add action=unreachable dst-address=172.16.2.0/24 src-address=172.16.5.0/24
  541. add action=unreachable dst-address=172.16.1.0/24 src-address=172.16.5.0/24
  542. add action=unreachable dst-address=172.16.40.0/24 src-address=172.16.4.0/24
  543. add action=unreachable dst-address=172.16.30.0/24 src-address=172.16.4.0/24
  544. add action=unreachable dst-address=172.16.20.0/24 src-address=172.16.4.0/24
  545. add action=unreachable dst-address=172.16.10.0/24 src-address=172.16.4.0/24
  546. add action=unreachable dst-address=172.16.7.0/24 src-address=172.16.4.0/24
  547. add action=unreachable dst-address=172.16.5.0/24 src-address=172.16.4.0/24
  548. add action=unreachable dst-address=172.16.3.0/24 src-address=172.16.4.0/24
  549. add action=unreachable dst-address=172.16.1.0/24 src-address=172.16.4.0/24
  550. add action=unreachable dst-address=172.16.40.0/24 src-address=172.16.3.0/24
  551. add action=unreachable dst-address=172.16.30.0/24 src-address=172.16.3.0/24
  552. add action=unreachable dst-address=172.16.20.0/24 src-address=172.16.3.0/24
  553. add action=unreachable disabled=yes dst-address=172.16.10.0/24 src-address=\
  554. 172.16.3.0/24
  555. add action=unreachable dst-address=172.16.40.0/24 src-address=172.16.1.0/24
  556. add action=unreachable dst-address=172.16.30.0/24 src-address=172.16.1.0/24
  557. add action=unreachable dst-address=172.16.20.0/24 src-address=172.16.1.0/24
  558. add action=unreachable disabled=yes dst-address=172.16.10.0/24 src-address=\
  559. 172.16.1.0/24
  560. add action=unreachable dst-address=172.16.7.0/24 src-address=172.16.1.0/24
  561. add action=unreachable dst-address=172.16.4.0/24 src-address=172.16.1.0/24
  562. add action=unreachable dst-address=172.16.5.0/24 src-address=172.16.1.0/24
  # /ip service — management-plane exposure of the router itself.
  # telnet, ftp, www and ssh are all disabled (www's port is moved to 99 but the
  # service stays off), api-ssl is disabled, and winbox is limited to two /24s
  # plus three masked /32 hosts. winbox is therefore the only remote-management
  # path visible here, so its address list is the effective access control.
  # Nothing in this span sets `api` or `www-ssl`; presumably they are at their
  # defaults — confirm their state on the device rather than from this export.
  563. /ip service
  564. set telnet disabled=yes
  565. set ftp disabled=yes
  566. set www disabled=yes port=99
  567. set ssh disabled=yes
  568. set winbox address="172.16.9.0/24,172.16.3.0/24,************/32,************\
  569. /32,************/32"
  570. set api-ssl disabled=yes
  # /ppp secret — three PPTP accounts, each with a fixed remote address
  # (172.16.9.29, .28, .26) and local-address 172.16.9.1; names and passwords
  # are masked on this page. Two points for the maintainer:
  #  - service=pptp: PPTP with MS-CHAPv2 is widely regarded as weak; plan a move
  #    to a stronger VPN type RouterOS offers (e.g. L2TP/IPsec or SSTP).
  #  - these passwords sit in the config in plaintext, so they travel in every
  #    `/export verbose` and binary backup — including the ones the ScriptBackup
  #    script in this file e-mails out. Treat the backup mailbox as sensitive.
  571. /ppp secret
  572. add local-address=172.16.9.1 name=************ password=************ remote-address=\
  573. 172.16.9.29 service=pptp
  574. add local-address=172.16.9.1 name=************ password=************ remote-address=\
  575. 172.16.9.28 service=pptp
  576. add local-address=172.16.9.1 name=************ password=************ remote-address=\
  577. 172.16.9.26 service=pptp
  # /snmp — the agent is enabled, but no community, version or allowed-address
  # settings appear in this span. NOTE(review): confirm on the device that the
  # community is not left at its default and that it is restricted to the
  # management networks; an enabled agent with a default read community exposes
  # interface, routing and neighbour data to anyone who can reach UDP/161.
  578. /snmp
  579. set enabled=yes
  # /system clock, identity and NTP client. The zone name and identity are masked
  # on this page; a manual offset of +03:00 is also set. NTP is enabled with two
  # masked servers plus ntp1.stratum2.ru by DNS name. Accurate time matters here
  # beyond logging: the backup script below uses start-tls, and TLS validation
  # and log correlation both depend on the clock being right.
  580. /system clock
  581. set time-zone-name=Europe/************
  582. /system clock manual
  583. set time-zone=+03:00
  584. /system identity
  585. set name="************"
  586. /system ntp client
  587. set enabled=yes primary-ntp=************ secondary-ntp=************ \
  588. server-dns-names=ntp1.stratum2.ru
  # /system scheduler — two jobs:
  #  - "Reboot": `/system reboot` every 1w3d at 03:00, starting oct/17/2017.
  #  - a masked-name job every 5d at 23:00:24 that runs ScriptBackup.
  # Both carry the full policy list (ftp,reboot,read,write,policy,test,password,
  # sniff,sensitive,romon). That is broader than either job's visible work needs —
  # the reboot job needs `reboot`, and ScriptBackup's operations (file handling,
  # backup/export, e-mail) do not obviously require `policy`, `password`, `sniff`
  # or `romon`. Trim each entry to the least policy set that still runs it and
  # verify by running the job manually.
  589. /system scheduler
  590. add interval=1w3d name=Reboot on-event=" /system reboot" policy=\
  591. ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
  592. start-date=oct/17/2017 start-time=03:00:00
  593. add interval=5d name=************ on-event=\
  594. "/system script run ScriptBackup" policy=\
  595. ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
  596. start-date=nov/02/2017 start-time=23:00:24
  # /system script ScriptBackup — what the body does, in order:
  #  1. logs start, reads the identity and the `system` package version;
  #  2. flushes the DNS cache, then deletes every file whose name contains
  #     "<identity>-backup-" (previous backups survive only in the mailbox);
  #  3. resolves smtp.yandex.ru and sets an e-mail account and password as
  #     plaintext :local literals;
  #  4. builds a date-stamped name, runs `/system backup save`, and mails the
  #     .backup file via `/tool e-mail send` (port 587, start-tls=yes);
  #  5. repeats with `/export verbose` into a .rsc file and mails that too;
  #  6. logs completion.
  # Security notes for the maintainer (no behaviour is changed here):
  #  - The SMTP credentials are embedded in the script body, and the script
  #    itself exports the whole configuration and mails it, so every backup
  #    mail carries these credentials together with the PPP secrets and the
  #    user-manager shared-secret from this file. `/tool e-mail` further down
  #    already holds an account and password; letting `/tool e-mail send` fall
  #    back to those defaults would remove the duplicate copy.
  #  - start-tls protects the transfer only; the .backup and .rsc files sit
  #    unencrypted in the mailbox. `/system backup save` is called without a
  #    password= — if this RouterOS build supports it, set one so the mailed
  #    binary backup is not directly restorable by whoever reads the mail.
  #  - The policy list (ftp,reboot,read,write,policy,test,password,sniff,
  #    sensitive,romon) is wider than the visible operations appear to need;
  #    reduce it together with the scheduler entry that runs this script.
  597. /system script
  598. add name=ScriptBackup owner=************ policy=\
  599. ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
  600. \r\
  601. \n:log info \"Starting Backup Script...\";\r\
  602. \n:local sysname [/system identity get name];\r\
  603. \n:local sysver [/system package get system version];\r\
  604. \n:log info \"Flushing DNS cache...\";\r\
  605. \n/ip dns cache flush;\r\
  606. \n:delay 2;\r\
  607. \n:log info \"Deleting last Backups...\";\r\
  608. \n:foreach i in=[/file find] do={:if ([:typeof [:find [/file get \$i name]\
  609. \_\\\r\
  610. \n\"\$sysname-backup-\"]]!=\"nil\") do={/file remove \$i}};\r\
  611. \n:delay 2;\r\
  612. \n:local smtpserv [:resolve \"smtp.yandex.ru\"];\r\
  613. \n:local Eaccount \"i.krivincov@ariz.su\";\r\
  614. \n:local pass \"Gfhjkm1978\";\r\
  615. \n:local backupfile (\"\$sysname-backup-\" . \\\r\
  616. \n[:pick [/system clock get date] 7 11] . [:pick [/system \\\r\
  617. \nclock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".backup\
  618. \");\r\
  619. \n:log info \"Creating new Full Backup file...\";\r\
  620. \n/system backup save name=\$backupfile;\r\
  621. \n:delay 2;\r\
  622. \n:log info \"Sending Full Backup file via E-mail...\";\r\
  623. \n/tool e-mail send from=\"<\$Eaccount>\" to=\$Eaccount server=\$smtpserv \
  624. \\\r\
  625. \nport=587 user=\$Eaccount password=\$pass start-tls=yes file=\$backupfile\
  626. \_\\\r\
  627. \nsubject=(\"\$sysname Full Backup (\" . [/system clock get date] . \")\")\
  628. \_\\\r\
  629. \nbody=(\"\$sysname full Backup file see in attachment.\\nRouterOS version\
  630. : \\\r\
  631. \n\$sysver\\nTime and Date stamp: \" . [/system clock get time] . \" \" . \
  632. \\\r\
  633. \n[/system clock get date]);\r\
  634. \n:delay 5;\r\
  635. \n:local exportfile (\"\$sysname-backup-\" . \\\r\
  636. \n[:pick [/system clock get date] 7 11] . [:pick [/system \\\r\
  637. \nclock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".rsc\");\
  638. \r\
  639. \n:log info \"Creating new Setup Script file...\";\r\
  640. \n/export verbose file=\$exportfile;\r\
  641. \n:delay 2;\r\
  642. \n:log info \"Sending Setup Script file via E-mail...\";\r\
  643. \n/tool e-mail send from=\"<\$Eaccount>\" to=\$Eaccount server=\$smtpserv \
  644. \\\r\
  645. \nport=587 user=\$Eaccount password=\$pass start-tls=yes file=\$exportfile\
  646. \_\\\r\
  647. \nsubject=(\"\$sysname Setup Script Backup (\" . [/system clock get date] \
  648. . \\\r\
  649. \n\")\") body=(\"\$sysname Setup Script file see in attachment.\\nRouterOS\
  650. \_\\\r\
  651. \nversion: \$sysver\\nTime and Date stamp: \" . [/system clock get time] .\
  652. \_\" \\\r\
  653. \n\" . [/system clock get date]);\r\
  654. \n:delay 5;\r\
  655. \n:log info \"All System Backups emailed successfully.\\nBackuping complet\
  656. ed.\";\r\
  657. \n}\r\
  658. \n"
  # /tool bandwidth-server — authenticate=no lets any host that can reach the
  # router start bandwidth tests against it without credentials, which burns CPU
  # and link capacity on demand. Unless the test server is needed, set
  # `enabled=no`; if it is needed, set `authenticate=yes` and restrict reachability
  # to the management networks.
  659. /tool bandwidth-server
  660. set authenticate=no
  # /tool e-mail — router-wide SMTP defaults (from, user and password are masked
  # on this page; start-tls=yes). No server address or port line is visible in
  # this span, so presumably they are set elsewhere or ScriptBackup's explicit
  # server=/port= arguments are what actually gets used — confirm. ScriptBackup
  # also embeds its own account and password; keeping a single copy here and
  # relying on these defaults in `/tool e-mail send` avoids a second secret in
  # the exported configuration.
  661. /tool e-mail
  662. set from=************ password=************ start-tls=yes user=\
  663. ************
  # /tool netwatch — ISP failover driven by a single probe: 8.8.4.4 is checked
  # every 5s; when it is unreachable the route(s) whose comment is exactly "ISP2"
  # are enabled, and when it comes back they are disabled again. Assumes one
  # route carries that comment — `[find comment="ISP2"]` acts on every match, so
  # verify the comment is unique. Because a single external host decides the
  # flap, a transient loss of that one host toggles the backup link; consider a
  # second probe or a longer interval if flapping is observed.
  664. /tool netwatch
  665. add down-script="/ip route enable [find comment=\"ISP2\"]" host=8.8.4.4 \
  666. interval=5s up-script="/ip route disable [find comment=\"ISP2\"]"
  # /tool user-manager — database path and one RADIUS client entry (router1)
  # for the router itself at 127.0.0.1 with a masked shared-secret, CoA port
  # 1700 but use-coa=no, and log=auth-fail (only failed authentications are
  # logged). The shared-secret, like the other secrets in this file, is written
  # in plaintext to any `/export verbose`.
  667. /tool user-manager database
  668. set db-path=user-manager
  669. /tool user-manager router
  670. add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=\
  671. auth-fail name=router1 shared-secret=************ use-coa=no