- # LAN bridge for the three copper ports; the admin-mac value is a placeholder in this paste.
- /interface bridge
- add admin-mac=MA:CN:EI:ZV:ES:TE auto-mac=no name=bridge1
- # Physical ports are renamed: the board's first port becomes "wan", the remaining three ether1..ether3.
- /interface ethernet
- set [ find default-name=ether2 ] name=ether1
- set [ find default-name=ether3 ] name=ether2
- set [ find default-name=ether4 ] name=ether3
- set [ find default-name=ether1 ] name=wan
- # PPPoE uplink over "wan"; user/password are redacted (xxxxxx) in this paste and must be filled in before import.
- # max-mtu=1470 is presumably an ISP-specific value — confirm before changing.
- /interface pppoe-client
- add add-default-route=yes disabled=no interface=wan max-mtu=1470 name=pppoe-out1 password=xxxxxx user=xxxxxx@beltel.by
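- # Interface lists referenced by the firewall, neighbor-discovery and mac-server sections.
- /interface list
- add comment=defconf name=WAN
- add comment=defconf name=LAN
- add name=LAN_and_WIFI
- # The built-in "default" profile keeps its default (open) authentication; only a
- # supplicant identity is set. wlan1 uses profile1 below, so "default" must stay unused.
- /interface wireless security-profiles
- set [ find default=yes ] supplicant-identity=4324234
- # WPA2-PSK with AES-CCMP only. The original export had authentication-types=wpa-psk,
- # which offers WPA(1) to clients even though a wpa2 key was configured; WPA1-only
- # clients lose access with this change. Both pre-shared keys are redacted in this paste.
- add authentication-types=wpa2-psk eap-methods="" group-ciphers=aes-ccm mode=dynamic-keys name=profile1 supplicant-identity=xxxxx unicast-ciphers=aes-ccm wpa-pre-shared-key=xxxxxxxxxxx wpa2-pre-shared-key=xxxxxxxxxxx
- # 2.4 GHz access point on 2437 MHz (channel 6), WPS disabled, SSID redacted.
- /interface wireless
- set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-a/g=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=11Mbps country=belarus disabled=no distance=indoors frequency=2437 installation=indoor mode=ap-bridge rate-set=configured security-profile=profile1 ssid=xxxxx supported-rates-a/g=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=11Mbps tx-power-mode=all-rates-fixed wds-ignore-ssid=yes wireless-protocol=802.11 wps-mode=disabled
- /interface wireless nstreme
- set wlan1 disable-csma=yes enable-polling=no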
- # One DHCP pool per segment: .88.0/24 for the wired bridge, .89.0/24 for Wi-Fi.
- /ip pool
- add name=dhcp1 ranges=192.168.88.2-192.168.88.254
- add name=dhcp2 ranges=192.168.89.2-192.168.89.254
- # Separate DHCP servers on the bridge and on wlan1; the wireless segment is not bridged with the LAN.
- /ip dhcp-server
- add address-pool=dhcp1 disabled=no interface=bridge1 name=lan-dhcp1
- add address-pool=dhcp2 disabled=no interface=wlan1 name=wifi-dhcp2
- # Per-client fair queues: download keyed by destination, upload keyed by source.
- /queue type
- add kind=pcq name=pcq-download pcq-burst-rate=2M pcq-burst-threshold=100 pcq-burst-time=20s pcq-classifier=dst-address pcq-limit=100KiB
- add kind=pcq name=pcq-upload pcq-burst-rate=125k pcq-burst-threshold=100 pcq-burst-time=20s pcq-classifier=src-address pcq-limit=100KiB
- # Shaping tree: 8M down / 512k up, children selected by the packet marks set in /ip firewall mangle.
- # NOTE(review): queue01 matches "dns_and_ntp_mark", but the mangle section only sets
- # out_dns_and_ntp_mark / input_dns_and_ntp_mark, so queue01 never matches as exported — confirm intent.
- # Packets carrying sip1_mark/sip2_mark match no child here (they are neither "no-mark" nor listed), so they are not shaped.
- /queue tree
- add max-limit=8M name=1 parent=global queue=pcq-download
- add max-limit=512k name=2 parent=global queue=pcq-upload
- add max-limit=8M name=queue01 packet-mark=dns_and_ntp_mark parent=1 priority=1 queue=pcq-download
- add max-limit=8M name=queue03 packet-mark=forward_sm_traffik1_mark parent=1 priority=5 queue=pcq-download
- add max-limit=8M name=queue04 packet-mark=forward_bg_traffik1_mark parent=1 priority=6 queue=pcq-download
- add max-limit=512k name=queue20 packet-mark=forward_sm_traffik2_mark parent=2 priority=3 queue=pcq-upload
- add max-limit=512k name=queue21 packet-mark=forward_bg_traffik2_mark parent=2 priority=4 queue=pcq-upload
- add max-limit=8M name=queue05 packet-mark=no-mark parent=1 queue=pcq-download
- add max-limit=512k name=queue22 packet-mark=no-mark parent=2 queue=pcq-upload
- # Reduced-privilege group for script users: read/write plus tikapp only; every
- # login method (ssh/telnet/winbox/web/api/...) and policy/password/sensitive are denied.
- # No user is assigned to this group anywhere in this export.
- /user group
- add name=for_scripts policy=read,write,tikapp,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude
- # The three renamed copper ports form the LAN bridge; wlan1 is deliberately not a bridge port.
- /interface bridge port
- add bridge=bridge1 interface=ether1
- add bridge=bridge1 interface=ether2
- add bridge=bridge1 interface=ether3
- # Fast-path is disabled here and in /ip settings so every packet traverses the firewall/queues.
- /interface bridge settings
- set allow-fast-path=no
- # Shorter established-TCP timeout than the default to limit conntrack table growth.
- /ip firewall connection tracking
- set tcp-established-timeout=20m
- # MNDP/CDP discovery only on the "LAN" list (bridge1); not on wlan1 or the uplink.
- /ip neighbor discovery-settings
- set discover-interface-list=LAN
- # Strict reverse-path filtering and SYN cookies: anti-spoofing and SYN-flood mitigation on the router itself.
- /ip settings
- set allow-fast-path=no rp-filter=strict tcp-syncookies=yes
- # List membership: LAN = bridge only; WAN = physical wan + pppoe; LAN_and_WIFI = bridge + wlan1.
- /interface list member
- add interface=bridge1 list=LAN
- add interface=wan list=WAN
- add interface=wlan1 list=LAN_and_WIFI
- add interface=bridge1 list=LAN_and_WIFI
- add interface=pppoe-out1 list=WAN
- # Router addresses on the two segments; these are also the DNS_INTERFACE entries in the address lists.
- /ip address
- add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
- add address=192.168.89.1/24 interface=wlan1 network=192.168.89.0
- # IP Cloud time sync disabled (DDNS is not enabled in this export either).
- /ip cloud
- set update-time=no
- # DHCP client on the physical wan port alongside PPPoE — presumably for the ISP modem's
- # management address (see the 192.168.1.1 accept in /ip firewall raw). Peer DNS/NTP are ignored.
- /ip dhcp-client
- add dhcp-options=hostname,clientid disabled=no interface=wan use-peer-dns=no use-peer-ntp=no
- # No dns-server= is handed out here; what clients use for DNS depends on /ip dns settings not shown in this export — confirm.
- /ip dhcp-server network
- add address=192.168.88.0/24 gateway=192.168.88.1
- add address=192.168.89.0/24 gateway=192.168.89.1
- /ip dns static
- add address=192.168.88.1 name=router.lan
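- /ip firewall address-list
- # Client hosts on both segments. The original export used a single range
- # 192.168.88.2-192.168.89.254, which also covered 192.168.88.255, 192.168.89.0 and the
- # router's own 192.168.89.1; the two DHCP pools are listed separately so that rules
- # matching "lan_and_wifi" never treat the router's Wi-Fi address as a client host.
- add address=192.168.88.2-192.168.88.254 list=lan_and_wifi
- add address=192.168.89.2-192.168.89.254 list=lan_and_wifi
- # Upstream NTP servers allowed through /ip firewall raw.
- add address=84.245.235.193 list=NTP
- add address=149.210.230.59 list=NTP
- # Source prefixes that must never arrive from the Internet (dropped in raw).
- add address=0.0.0.0/8 list=BOGONS
- add address=10.0.0.0/8 list=BOGONS
- add address=100.64.0.0/10 list=BOGONS
- add address=127.0.0.0/8 list=BOGONS
- add address=169.254.0.0/16 list=BOGONS
- add address=172.16.0.0/12 list=BOGONS
- add address=192.0.0.0/24 list=BOGONS
- add address=192.0.2.0/24 list=BOGONS
- add address=198.18.0.0/15 list=BOGONS
- add address=198.51.100.0/24 list=BOGONS
- add address=203.0.113.0/24 list=BOGONS
- add address=224.0.0.0/3 list=BOGONS
- # Upstream resolvers allowed through raw; the router's own addresses for client-facing DNS/DHCP.
- add address=8.8.8.8 list=DNS
- add address=8.8.4.4 list=DNS
- add address=192.168.88.1 list=DNS_INTERFACE
- # DNS_and_NTP is the list mangle uses for the router's own DNS/NTP egress. The two
- # xxx.xxx.xxx.xxx entries are redacted placeholders and will be rejected on import —
- # fill them in (presumably the NTP servers above) before loading this file.
- add address=8.8.8.8 list=DNS_and_NTP
- add address=8.8.4.4 list=DNS_and_NTP
- add address=xxx.xxx.xxx.xxx list=DNS_and_NTP
- add address=xxx.xxx.xxx.xxx list=DNS_and_NTP
- add address=192.168.89.1 list=DNS_INTERFACE
- add address=192.168.88.2-192.168.88.254 list=ethernet_pool
- add address=192.168.89.2-192.168.89.254 list=wifi_pool
- add address=8.8.8.8 list=DNS_and_DNS_INTERFACE
- add address=8.8.4.4 list=DNS_and_DNS_INTERFACE
- add address=192.168.88.1 list=DNS_and_DNS_INTERFACE
- add address=192.168.89.1 list=DNS_and_DNS_INTERFACE
- # NOTE(review): the filter, mangle and raw sections reference a list named "SIP" that is
- # not populated in this export; unless it is filled dynamically, the SIP rules never match.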
- # Filter is mark-driven: every accept matches a packet-mark assigned in /ip firewall mangle,
- # and the three unconditional drops near the end make input, forward and output deny-by-default.
- /ip firewall filter
- # SIP both ways (the "SIP" address list is empty in this export, so these do not match as-is).
- add action=accept chain=forward comment=SIP dst-address-list=lan_and_wifi in-interface=pppoe-out1 out-interface-list=LAN_and_WIFI packet-mark=sip1_mark src-address-list=\
- SIP
- add action=accept chain=forward dst-address-list=SIP in-interface-list=LAN_and_WIFI out-interface=pppoe-out1 packet-mark=sip2_mark src-address-list=lan_and_wifi
- # Inbound: only established/related replies to LAN hosts; split by packet size for the queue tree.
- add action=accept chain=forward comment="legal forward traffik" connection-state=established,related dst-address-list=lan_and_wifi in-interface=pppoe-out1 \
- out-interface-list=LAN_and_WIFI packet-mark=forward_sm_traffik1_mark packet-size=0-1000
- add action=accept chain=forward connection-state=established,related dst-address-list=lan_and_wifi in-interface=pppoe-out1 out-interface-list=LAN_and_WIFI packet-mark=\
- forward_bg_traffik1_mark packet-size=1000-65535
- # Outbound: LAN hosts may open new connections to the Internet (any protocol; see NAT for the TCP/UDP-only caveat).
- add action=accept chain=forward connection-state=established,related,new in-interface-list=LAN_and_WIFI out-interface=pppoe-out1 packet-mark=forward_sm_traffik2_mark \
- packet-size=0-1000 src-address-list=lan_and_wifi
- add action=accept chain=forward connection-state=established,related,new in-interface-list=LAN_and_WIFI out-interface=pppoe-out1 packet-mark=forward_bg_traffik2_mark \
- packet-size=1000-65535 src-address-list=lan_and_wifi
- # Router-originated and router-destined DNS/NTP (UDP 53/123), DHCP from clients, MAC-winbox discovery.
- add action=accept chain=output comment="DNS and NTP" packet-mark=out_dns_and_ntp_mark port=53,123 protocol=udp
- add action=accept chain=input packet-mark=input_dns_and_ntp_mark port=53,123 protocol=udp
- add action=accept chain=input comment=dhcp dst-port=67 in-interface-list=LAN_and_WIFI packet-mark=dhcp_mark protocol=udp src-port=68
- add action=accept chain=input comment=winbox packet-mark=winbox_mark
- # NOTE(review): for_wot_mark is set in mangle on NEW UDP from the Internet where either port is 6881,
- # i.e. this opens the router itself to unsolicited WAN UDP — see the mangle comment.
- add action=accept chain=input comment="for wot vanya" packet-mark=for_wot_mark
- # Explicit drops for packets mangle classified as drop_marks (invalid, non-dstnat WAN, unmatched).
- add action=drop chain=input comment=drops packet-mark=drop_marks
- add action=drop chain=forward packet-mark=drop_marks
- # Let the router emit ICMP destination-unreachable (type 3, any code).
- add action=accept chain=output comment="for world of tanks" icmp-options=3:0-255 protocol=icmp
- add action=drop chain=output packet-mark=drop_marks
- # Default-deny in all three chains. Note: no management service (ssh/winbox/www-ssl over IP)
- # is accepted above, so administration works only via MAC-winbox (/tool mac-server).
- add action=drop chain=input comment=drops
- add action=drop chain=forward
- add action=drop chain=output
- # The two defconf rules below sit after the unconditional drops and are therefore unreachable.
- add action=drop chain=input comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
- add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
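- # Classification for the filter and queue tree. passthrough=no on every mark-packet rule
- # means the first matching rule in a chain wins.
- /ip firewall mangle
- # NOTE(review): despite the comment, the only_tcp_and_udp_chain marks non-TCP/non-UDP
- # packets for drop only when they carry the loose-source-routing IP option; other
- # non-TCP/UDP traffic falls through to the later catch-all marks — confirm intent.
- add action=jump chain=prerouting comment="only TCP and UDP" jump-target=only_tcp_and_udp_chain protocol=!tcp
- add action=jump chain=output jump-target=only_tcp_and_udp_chain protocol=!tcp
- add action=mark-packet chain=only_tcp_and_udp_chain ipv4-options=loose-source-routing new-packet-mark=drop_marks passthrough=no protocol=!udp
- # Invalid conntrack state and unsolicited new connections from the Internet are marked for drop.
- add action=mark-packet chain=prerouting comment="invalide drops" connection-state=invalid new-packet-mark=drop_marks passthrough=no
- add action=mark-packet chain=output connection-state=invalid new-packet-mark=drop_marks passthrough=no
- add action=mark-packet chain=prerouting comment="drop dnt !dsnat" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN new-packet-mark=drop_marks passthrough=no
- # Forward: SIP (list "SIP" is empty in this export), then replies in, then LAN-originated out; size-split for queues.
- add action=mark-packet chain=forward comment=SIP dst-address-list=lan_and_wifi in-interface=pppoe-out1 new-packet-mark=sip1_mark out-interface-list=LAN_and_WIFI passthrough=no src-address-list=SIP
- add action=mark-packet chain=forward dst-address-list=SIP in-interface-list=LAN_and_WIFI new-packet-mark=sip2_mark out-interface=pppoe-out1 passthrough=no src-address-list=lan_and_wifi
- add action=mark-packet chain=forward comment="legal forward traffik" connection-state=established,related dst-address-list=lan_and_wifi in-interface=pppoe-out1 new-packet-mark=forward_sm_traffik1_mark out-interface-list=LAN_and_WIFI packet-size=0-1000 passthrough=no
- add action=mark-packet chain=forward connection-state=established,related dst-address-list=lan_and_wifi in-interface=pppoe-out1 new-packet-mark=forward_bg_traffik1_mark out-interface-list=LAN_and_WIFI packet-size=1000-65535 passthrough=no
- add action=mark-packet chain=forward connection-state=established,related,new in-interface-list=LAN_and_WIFI new-packet-mark=forward_sm_traffik2_mark out-interface=pppoe-out1 packet-size=0-1000 passthrough=no src-address-list=lan_and_wifi
- add action=mark-packet chain=forward connection-state=established,related,new in-interface-list=LAN_and_WIFI new-packet-mark=forward_bg_traffik2_mark out-interface=pppoe-out1 packet-size=1000-65535 passthrough=no src-address-list=lan_and_wifi
- add action=mark-packet chain=forward comment="drop other forward" new-packet-mark=drop_marks passthrough=no
- # Output: DNS answers from the router to clients, and the router's own DNS/NTP queries upstream.
- add action=mark-packet chain=output comment="accepted for input (DNS/NTP/DHCP) part1" dst-address-list=lan_and_wifi new-packet-mark=out_dns_and_ntp_mark out-interface-list=LAN_and_WIFI passthrough=no protocol=udp src-address-list=DNS_INTERFACE src-port=53
- add action=mark-packet chain=output dst-address-list=DNS_and_NTP dst-port=53,123 new-packet-mark=out_dns_and_ntp_mark out-interface=pppoe-out1 passthrough=no protocol=udp
- add action=mark-packet chain=output comment="drop other output" new-packet-mark=drop_marks passthrough=no
- # Input: client DNS queries to the router.
- add action=mark-packet chain=input comment="accepted for input (DNS/NTP/DHCP) part2" dst-address-list=DNS_INTERFACE dst-port=53 in-interface-list=LAN_and_WIFI new-packet-mark=input_dns_and_ntp_mark passthrough=no protocol=udp src-address-list=lan_and_wifi
- # Upstream DNS/NTP replies. The original rule matched on source address and source port
- # only, so any packet spoofed as 8.8.8.8:53 from the Internet reached the router's input
- # (strict rp-filter does not help: the route to those servers is the WAN). Requiring an
- # established/related conntrack entry accepts only replies to queries the router sent.
- add action=mark-packet chain=input connection-state=established,related in-interface=pppoe-out1 new-packet-mark=input_dns_and_ntp_mark passthrough=no protocol=udp src-address-list=DNS_and_NTP src-port=53,123
- # DHCP discover/request (broadcast and unicast renew) from LAN/Wi-Fi clients.
- add action=mark-packet chain=input dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN_and_WIFI new-packet-mark=dhcp_mark passthrough=no protocol=udp src-address=0.0.0.0 src-port=68
- add action=mark-packet chain=input dst-address-list=DNS_INTERFACE dst-port=67 in-interface-list=LAN_and_WIFI new-packet-mark=dhcp_mark passthrough=no protocol=udp src-address-list=lan_and_wifi src-port=68
- # NOTE(review): this accepts NEW UDP from the Internet to the router itself whenever either
- # the source or destination port is 6881 (port= matches both). Nothing in this export listens
- # on the router on 6881; if it is only needed for a LAN host, a dstnat rule plus forward accept
- # would be narrower than opening the input chain — confirm what the game actually needs.
- add action=mark-packet chain=input comment="world of tanks very bad works winthout this record" connection-state=new in-interface=pppoe-out1 new-packet-mark=for_wot_mark passthrough=no port=6881 protocol=udp
- # Winbox discovery (UDP 20561) from local clients only.
- add action=mark-packet chain=input comment=winbox dst-port=20561 in-interface-list=LAN_and_WIFI new-packet-mark=winbox_mark passthrough=no protocol=udp src-address-list=lan_and_wifi
- add action=mark-packet chain=input comment="drop other input" new-packet-mark=drop_marks passthrough=no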
- # Source NAT for LAN/Wi-Fi hosts on the PPPoE uplink, restricted to UDP and TCP.
- # ICMP (and anything else) from clients is not translated even though the forward filter
- # accepts it, so it would leave with a private source address — presumably intentional, confirm.
- /ip firewall nat
- add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=pppoe-out1 protocol=udp src-address-list=lan_and_wifi
- add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=pppoe-out1 protocol=tcp src-address-list=lan_and_wifi
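- # Raw (pre-conntrack) filtering: bogon drops, lock-down of the physical wan port, and a
- # whitelist of DNS/NTP/DHCP flows; everything else falls through to conntrack + filter.
- /ip firewall raw
- add action=drop chain=prerouting comment="drops BOGONS" in-interface=pppoe-out1 src-address-list=BOGONS
- add action=drop chain=output dst-address-list=BOGONS out-interface=pppoe-out1
- # The only IP traffic allowed on the physical wan port is DHCP from the ISP modem at
- # 192.168.1.1 (hard-coded); PPPoE session traffic is seen on pppoe-out1, not here.
- add action=accept chain=prerouting comment="accept DHCP WAN" dst-address=255.255.255.255 dst-port=68 in-interface=wan protocol=udp src-address=192.168.1.1 src-port=67
- add action=drop chain=prerouting comment="block WAN" in-interface=wan log=yes log-prefix="RAW: 5 "
- add action=drop chain=output log=yes log-prefix="RAW: 6 " out-interface=wan
- # DHCP from local clients (every broadcast discover is logged — noisy on a busy LAN).
- add action=accept chain=prerouting comment="accept DHCP LAN" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN_and_WIFI log=yes protocol=udp src-address=0.0.0.0 src-port=68
- add action=accept chain=prerouting dst-address-list=DNS_INTERFACE dst-port=67 in-interface-list=LAN_and_WIFI protocol=udp src-address-list=lan_and_wifi src-port=68
- # DNS: router -> upstream "DNS" list, router -> clients, upstream replies, client queries to router or 8.8.8.8/8.8.4.4.
- # Note these rules use the DNS/NTP lists, while mangle uses DNS_and_NTP; keep the lists consistent.
- add action=accept chain=output comment=dns dst-address-list=DNS dst-port=53 out-interface-list=WAN protocol=udp
- add action=accept chain=output dst-address-list=lan_and_wifi out-interface-list=LAN_and_WIFI protocol=udp src-address-list=DNS_INTERFACE src-port=53
- add action=accept chain=prerouting in-interface=pppoe-out1 protocol=udp src-address-list=DNS src-port=53
- add action=accept chain=prerouting dst-address-list=DNS_and_DNS_INTERFACE dst-port=53 in-interface-list=LAN_and_WIFI protocol=udp src-address-list=lan_and_wifi
- # NTP: replies from and queries to the "NTP" list only.
- add action=accept chain=prerouting comment=ntp in-interface=pppoe-out1 protocol=udp src-address-list=NTP src-port=123
- add action=accept chain=prerouting dst-address-list=NTP dst-port=123 in-interface-list=LAN_and_WIFI protocol=udp src-address-list=lan_and_wifi
- add action=accept chain=output dst-address-list=NTP dst-port=123 out-interface=pppoe-out1 protocol=udp
- # Drop SIP-sourced UDP from anyone not in the SIP list, then every other DNS/NTP packet.
- add action=drop chain=prerouting comment="drop illegal" in-interface=pppoe-out1 protocol=udp src-address-list=!SIP src-port=5060-5062
- add action=drop chain=output port=53,123 protocol=udp
- # The original rule set log-prefix "RAW: 31" but not log=yes, so nothing was ever logged;
- # log=yes makes the prefix effective, matching the other numbered RAW drops above.
- add action=drop chain=prerouting log=yes log-prefix="RAW: 31" port=53,123 protocol=udp
- add action=drop chain=prerouting port=53,123 protocol=tcp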
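- # All conntrack/NAT application helpers are disabled (the ports= values are irrelevant while disabled;
- # they were moved off their defaults as an extra precaution).
- /ip firewall service-port
- set ftp disabled=yes ports=45634
- set tftp disabled=yes ports=36256
- set irc disabled=yes ports=56345
- set h323 disabled=yes
- set sip disabled=yes ports=35445,35456
- set pptp disabled=yes
- set udplite disabled=yes
- set dccp disabled=yes
- set sctp disabled=yes
- # Management services: everything except www-ssl is disabled (and moved to non-default ports).
- # www-ssl was exported with no address= restriction; it is now bound to the two local subnets
- # so that it stays unreachable from the Internet even if the input filter is relaxed later.
- # No certificate= is visible in this export — www-ssl will not serve until one is assigned, confirm.
- # As exported, the input filter accepts no TCP to the router, so management works via MAC-winbox only.
- /ip service
- set telnet disabled=yes port=24234
- set ftp disabled=yes port=24335
- set www disabled=yes port=25542
- set ssh disabled=yes port=34534
- set www-ssl address=192.168.88.0/24,192.168.89.0/24 port=54632
- set api disabled=yes port=23124
- set winbox disabled=yes port=35453
- set api-ssl disabled=yes port=43524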
- # Local time zone (affects the scheduler start times below).
- /system clock
- set time-zone-name=Europe/Minsk
- # Device identity as shown in MNDP/winbox; numeric here, possibly a site or contract number.
- /system identity
- set name=238101
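- # Scheduled maintenance. Each entry carries only the policy its script needs.
- /system scheduler
- # 30 s after boot, bounce the physical wan port (re-triggers DHCP/PPPoE on the uplink).
- add name="after reboot" on-event=":delay 30\r\
- \n/interface disable wan\r\
- \n:delay 5\r\
- \n/interface enable wan\r\
- \n" policy=read,write start-time=startup
- # Two reboot entries one day apart, each repeating every 30 days (4w2d), at 05:00.
- add interval=4w2d name="reboot 1_1 in month" on-event="/system reboot" policy=reboot start-date=mar/01/2019 start-time=05:00:00
- add interval=4w2d name="reboot 1_2 in month" on-event="/system reboot" policy=reboot start-date=mar/02/2019 start-time=05:00:00
- # Daily counter reset. The original granted policy,test,sniff,sensitive,romon to this script;
- # resetting interface/firewall/queue counters only needs write, so the policy is trimmed to
- # read,write (least privilege — a compromised script could otherwise change user policies or sniff).
- add interval=1d name=reset_counters_all on-event=":delay 2\r\
- \n/interface reset-counters wan\r\
- \n:delay 2\r\
- \n/interface reset-counters pppoe-out1\r\
- \n:delay 2\r\
- \n/interface reset-counters ether1\r\
- \n:delay 2\r\
- \n/interface reset-counters ether2\r\
- \n:delay 2\r\
- \n/interface reset-counters ether3\r\
- \n:delay 2\r\
- \n/interface reset-counters wlan1\r\
- \n:delay 2\r\
- \n/interface reset-counters bridge1\r\
- \n:delay 2\r\
- \n/ip firewall filter reset-counters-all\r\
- \n:delay 2\r\
- \n/ip firewall nat reset-counters-all\r\
- \n:delay 2\r\
- \n/ip firewall mangle reset-counters-all\r\
- \n:delay 2\r\
- \n/ip firewall raw reset-counters-all\r\
- \n:delay 2\r\
- \n/queue tree reset-counters-all" policy=read,write start-date=feb/09/2019 start-time=05:03:01
- # Daily Wi-Fi bounce at 05:01; the 08:01 entry only re-enables wlan1 in case the first one left it down.
- add interval=1d name="wlan disable/enable p1" on-event="/interface disable wlan1\r\
- \n:delay 3\r\
- \n/interface enable wlan1" policy=read,write start-date=feb/09/2019 start-time=05:01:31
- add interval=1d name="wlan disable/enable p2" on-event="/interface enable wlan1" policy=read,write start-date=feb/09/2019 start-time=08:01:31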
- # Layer-2 management: MAC-telnet and MAC-winbox are allowed on the bridge and on wlan1.
- # With every IP management service disabled or filtered, this is the only administrative
- # path in the export; consider limiting it to the "LAN" list (bridge only) if Wi-Fi clients
- # should not be able to reach the management plane.
- /tool mac-server
- set allowed-interface-list=LAN_and_WIFI
- /tool mac-server mac-winbox
- set allowed-interface-list=LAN_and_WIFI
- # MAC-ping disabled.
- /tool mac-server ping
- set enabled=no