
R2

a guest
Nov 3rd, 2017
  1. # nov/03/2017 10:23:41 by RouterOS 6.32.2
  2. # software id = 2HJJ-HQ9U
  3. #
  # Configuration export of a MikroTik router; the header above records RouterOS 6.32.2
  # and an export time of 3 Nov 2017.
  # NOTE(review): 6.32.2 is an old 6.x build. Check the device against the vendor's current
  # release, because Winbox and the VPN listeners configured below are reachable services.
  # NOTE(review): every password= value in this listing reads ******; whether the export or
  # the poster masked them cannot be told from here. Account names, addressing and the
  # rule set are not masked.
  #
  # Port renames. The names suggest ether1/ether2 are provider uplinks (TTK, TVT), ether3
  # and sfp1 are inter-site links and ether4 is the LAN - inferred from names only.
  4. /interface ethernet
  5. set [ find default-name=ether1 ] name=ether1-TTK-inet
  6. set [ find default-name=ether2 ] name=ether2-TVT-inet
  7. set [ find default-name=ether3 ] name=ether3-SE-local
  8. set [ find default-name=ether4 ] name=ether4-LAN
  9. set [ find default-name=sfp1 ] name=sfp1-TPK1
  10. /interface pppoe-client
  # PPPoE session over ether2-TVT-inet. add-default-route=yes with distance 2 is the only
  # default route visible in this export (/ip route below defines none).
  11. add add-default-route=yes default-route-distance=2 disabled=no interface=\
  12. ether2-TVT-inet max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out-TVT \
  13. password=****** user=2002832/3
  # Static L2TP server binding plus seven IPIP tunnels to other sites.
  14. /interface l2tp-server
  # Named interface for the L2TP account Svobodny, so NAT and routing can refer to the
  # session by name (the srcnat section uses out-interface=L2TP_Svobodny).
  15. add comment=VPN_Svobodny name=L2TP_Svobodny user=Svobodny
  16. /interface ipip
  # Tunnels come in three groups by local address: 10.10.10.x (ether3/sfp1 links),
  # 172.22.33.162 (ether1) and 83.151.14.163 (not assigned under /ip address; presumably
  # the address received on pppoe-out-TVT - confirm).
  # !keepalive leaves tunnel keepalive unset; reachability is instead tested by
  # check-gateway=ping on most routes in /ip route.
  # NOTE(review): IPIP provides no encryption or peer authentication by itself. No entry
  # sets ipsec-secret and the export has no /ip ipsec section, so the tunnels between
  # 83.151.14.x addresses appear to carry internal traffic in clear - confirm.
  # comment= values written as \XX escapes look like Windows-1251 bytes (site labels).
  17. add comment="\D1\E2\FF\E7\FC \DD\ED\E5\F0\E3\EE" !keepalive local-address=\
  18. 10.10.10.3 name=ipip-SE-4505 remote-address=10.10.10.1
  19. add !keepalive local-address=10.10.10.3 name=ipip-SE-KipM remote-address=\
  20. 10.10.10.2
  21. add comment=SFP !keepalive local-address=10.10.10.10 name=ipip-SFP-TPK1 \
  22. remote-address=10.10.10.9
  23. add comment=tattelecom !keepalive local-address=172.22.33.162 name=\
  24. ipip-TTK-4505 remote-address=172.22.33.178
  25. add !keepalive local-address=172.22.33.162 name=ipip-TTK-TPK1 remote-address=\
  26. 172.22.33.170
  27. add comment=TVT !keepalive local-address=83.151.14.163 name=ipip-TVT-4505 \
  28. remote-address=83.151.14.101
  29. add !keepalive local-address=83.151.14.163 name=ipip-TVT-TPK remote-address=\
  30. 83.151.14.168
  # Neighbor-discovery comments and the LAN DHCP service (option, pool, server).
  31. /ip neighbor discovery
  # Only comments are set here; they repeat the comments of the matching interfaces.
  32. set L2TP_Svobodny comment=VPN_Svobodny
  33. set ipip-SE-4505 comment="\D1\E2\FF\E7\FC \DD\ED\E5\F0\E3\EE"
  34. set ipip-SFP-TPK1 comment=SFP
  35. set ipip-TTK-4505 comment=tattelecom
  36. set ipip-TVT-4505 comment=TVT
  37. /ip dhcp-server option
  # DHCP option 252 (proxy auto-discovery URL). The quoted value ends with an embedded \n,
  # which the export splits across the line continuation.
  # NOTE(review): the URL is plain http, so the proxy configuration file is fetched without
  # integrity protection. The /ip dhcp-server network entry in this export has no
  # dhcp-option= reference, so the option may not be handed out at all - confirm.
  38. add code=252 name=wpad_url value="'http://sm1.riat.ru/wpad.dat\
  39. \n'"
  40. /ip pool
  # Dynamic range: the upper half of the 10.104.0.0/22 LAN.
  41. add name=pool1_dhcp ranges=10.104.2.0-10.104.3.254
  42. /ip dhcp-server
  # DHCP server on ether4-LAN with a lease time of 1 day 10 minutes; add-arp=yes asks the
  # router to add ARP entries for leases.
  # NOTE(review): add-arp=yes limits unknown hosts only when the interface uses
  # arp=reply-only; the /interface ethernet section here does not set it - confirm intent.
  43. add add-arp=yes address-pool=pool1_dhcp always-broadcast=yes authoritative=\
  44. yes disabled=no interface=ether4-LAN lease-time=1d10m name=DHCP
  # PPP profile, one disabled queue, and the two VPN listeners (L2TP and PPTP).
  45. /ppp profile
  # Profile TDRZ, used by both /ppp secret entries and as the L2TP default profile.
  # use-encryption=yes requests PPP-level encryption (presumably MPPE - confirm).
  46. add change-tcp-mss=yes name=TDRZ use-compression=yes use-encryption=yes
  47. /queue simple
  # Disabled 40M/40M limit for 10.100.8.10; no effect while disabled=yes.
  48. add disabled=yes max-limit=40M/40M name=svideo target=10.100.8.10/32
  49. /interface l2tp-server server
  # NOTE(review): the L2TP server is enabled without use-ipsec, so sessions rely on
  # PPP-level encryption only. Consider requiring IPsec for L2TP.
  50. set default-profile=TDRZ enabled=yes
  51. /interface pptp-server server
  # NOTE(review): PPTP is enabled at defaults, but both /ppp secret entries in this export
  # are service=l2tp, so no account shown here can use it. PPTP authentication and
  # encryption are weak; disable the listener unless a user outside this export needs it.
  52. set enabled=yes
  # Interface addressing, static DHCP leases, DHCP network parameters and resolver list.
  53. /ip address
  # LAN gateway 10.104.0.1/22 on ether4, provider-side 172.22.33.162/27 on ether1, and
  # two small inter-site link networks on sfp1 and ether3.
  54. add address=10.104.0.1/22 interface=ether4-LAN network=10.104.0.0
  55. add address=172.22.33.162/27 interface=ether1-TTK-inet network=172.22.33.160
  56. add address=10.10.10.10/30 interface=sfp1-TPK1 network=10.10.10.8
  57. add address=10.10.10.3/29 interface=ether3-SE-local network=10.10.10.0
  58. /ip dhcp-server lease
  # Static leases pinning an address to a MAC. Entries in 10.104.0.x lie outside
  # pool1_dhcp (10.104.2.0-10.104.3.254); the rest fall inside it.
  # 10.104.2.30 and 10.104.0.208 also appear in the direct-inet address list, so these
  # leases fix the addresses the masquerade rule keys on.
  # NOTE(review): that list matches on IP address alone; a host that sets one of those
  # addresses by hand gets the same treatment.
  59. add address=10.104.3.21 client-id=1:0:b:82:5b:66:e8 mac-address=\
  60. 00:0B:82:5B:66:E8 server=DHCP
  61. add address=10.104.3.8 client-id=1:0:17:c8:e:22:7d mac-address=\
  62. 00:17:C8:0E:22:7D server=DHCP
  63. add address=10.104.2.215 client-id=1:0:12:12:3c:9f:f mac-address=\
  64. 00:12:12:3C:9F:0F server=DHCP
  65. add address=10.104.2.202 client-id=1:c4:2f:90:63:f:e4 mac-address=\
  66. C4:2F:90:63:0F:E4 server=DHCP
  67. add address=10.104.2.192 client-id=1:c4:2f:90:63:f:cc mac-address=\
  68. C4:2F:90:63:0F:CC server=DHCP
  69. add address=10.104.2.190 client-id=1:c4:2f:90:63:21:45 mac-address=\
  70. C4:2F:90:63:21:45 server=DHCP
  71. add address=10.104.2.167 client-id=1:c4:2f:90:3d:87:d6 mac-address=\
  72. C4:2F:90:3D:87:D6 server=DHCP
  73. add address=10.104.0.208 client-id=1:0:25:ab:39:9b:6c mac-address=\
  74. 00:25:AB:39:9B:6C server=DHCP
  75. add address=10.104.0.190 always-broadcast=yes client-id=1:0:23:68:f4:bf:56 \
  76. mac-address=00:23:68:F4:BF:56 server=DHCP
  77. add address=10.104.0.172 client-id=1:0:0:21:4:41:8d mac-address=\
  78. 00:00:21:04:41:8D server=DHCP
  79. add address=10.104.0.126 mac-address=00:25:0B:00:5D:A7 server=DHCP
  80. add address=10.104.0.125 mac-address=00:25:0B:00:8A:B1 server=DHCP
  81. add address=10.104.0.79 mac-address=00:C0:EE:DC:30:7D server=DHCP
  82. add address=10.104.2.30 always-broadcast=yes client-id=1:bc:ae:c5:da:7:a6 \
  83. mac-address=BC:AE:C5:DA:07:A6 server=DHCP
  84. add address=10.104.3.58 comment="\D1\F7\E8\F2\FB\E2\E0\F2\E5\EB\FC \C0\C1\CA" \
  85. mac-address=00:25:0B:01:2F:2E server=DHCP
  86. /ip dhcp-server network
  # Parameters handed to LAN clients: gateway, two DNS/WINS servers (one local, one in
  # 10.100.1.0, which is routed over the tunnels) and an NTP server.
  87. add address=10.104.0.0/22 dns-server=10.104.0.4,10.100.1.4 gateway=10.104.0.1 \
  88. ntp-server=10.100.1.4 wins-server=10.104.0.4,10.100.1.4
  89. /ip dns
  # Resolvers used by the router itself; both sit in networks reached through the tunnels.
  90. set servers=10.100.1.4,10.100.8.3
  # Address lists used by the filter and NAT rules.
  # direct-inet: sources that the srcnat section masquerades out pppoe-out-TVT.
  # blacklist: sources dropped by the first forward rule of the filter.
  91. /ip firewall address-list
  92. add address=10.104.2.30 comment="\C8\EB\FC\FE\F8\E5\ED\EA\EE\E2" list=\
  93. direct-inet
  94. add address=10.104.0.80 comment=SZR list=direct-inet
  95. add address=10.104.0.208 comment=Lobov list=direct-inet
  96. add address=10.104.0.252 comment=Rivali-cafe-WIFI list=direct-inet
  97. add address=10.104.0.253 comment=CPA-WIFI list=direct-inet
  98. add address=10.104.0.4 comment=SDC2 list=direct-inet
  99. add address=85.26.232.22 list=blacklist
  # Disabled entry: 10.104.2.23 is not in direct-inet while disabled=yes.
  100. add address=10.104.2.23 comment="\E2\F0\E5\EC\E5\ED\ED\FB\E9" disabled=yes \
  101. list=direct-inet
  102. add address=10.104.0.112 comment=KASSA-bufet list=direct-inet
  103. add address=10.104.0.113 comment=KASSA-TD-RZCH list=direct-inet
  # Packet filter, evaluated top to bottom within each chain; entries without action= use
  # the default action (accept), as the "Accept ..." comments indicate.
  # forward: closes with a logged drop-all (last entry), so the accepts form an allow-list.
  # Most of them match only protocol/dst-port, with no in-interface or src-address, so
  # they apply to traffic arriving on every interface, uplinks included.
  # input: the only drop is for invalid state and there is no closing drop, so unmatched
  # traffic to the router itself is accepted and the input accepts below change nothing.
  # NOTE(review): close the input chain with a drop placed after accepts for LAN, tunnel
  # and VPN sources, and scope the forward accepts by in-interface or src-address-list.
  104. /ip firewall filter
  # Blacklist drop; the comment appears to decode (Windows-1251) to roughly "list of IPs
  # that must be blocked". It matches new connections in forward only, so blacklisted
  # sources can still reach the router itself through the input chain.
  105. add action=drop chain=forward comment="Black list - \F1\EF\E8\F1\EE\EA IP \EA\
  106. \EE\F2\EE\F0\FB\E9 \ED\E5\EE\E1\F5\EE\E4\E8\EC\EE \E1\EB\EE\EA\E8\F0\EE\E2\
  107. \E0\F2\FC" connection-state=new src-address-list=blacklist
  108. add action=drop chain=forward comment="drop invalid" connection-state=invalid
  109. add action=drop chain=input connection-state=invalid
  110. add chain=forward comment="Accept established,related" connection-state=\
  111. established,related
  112. add chain=input connection-state=established,related
  # tcp/22 to the router from any source; /ip service in this export sets ssh disabled=yes.
  113. add chain=input comment="SSH router" dst-port=22 protocol=tcp
  # SSH, telnet and port 139 forwarded for any source and destination.
  114. add chain=forward comment="SSH All" dst-port=22 protocol=tcp
  115. add chain=forward comment="Accept telnet" dst-port=23 protocol=tcp
  116. add chain=forward comment="Accept SMB" dst-port=139 protocol=udp
  117. add chain=forward dst-port=139 protocol=tcp
  # NOTE(review): this rule matches only connection-state=related, which the earlier
  # established,related input accept already covers. New Winbox connections are not
  # matched here but are still accepted, because input has no closing drop.
  118. add chain=input comment="Winbox Router" connection-state=related dst-port=\
  119. 8291 protocol=tcp
  # Winbox (tcp/8291) forwarded to any destination from any source.
  120. add chain=forward comment="Winbox All Routers" dst-port=8291 protocol=tcp
  # Disabled log rule used as a marker; its comment appears to decode to roughly
  # "do not touch the rules above - admin access".
  121. add action=log chain=forward comment="\CF\F0\E0\E2\E8\EB\E0 \E2\FB\F8\E5 \ED\
  122. \E5 \F2\F0\EE\E3\E0\F2\FC - \E4\EE\F1\F2\F3\EF \EA \E0\E4\EC\E8\ED\EA\E5" \
  123. disabled=yes
  # Everything arriving over the SE and SFP tunnels is forwarded without restriction.
  124. add chain=forward comment="Accept tunnel" in-interface=ipip-SE-4505
  125. add chain=forward in-interface=ipip-SE-KipM
  126. add chain=forward in-interface=ipip-SFP-TPK1 log-prefix=SFP
  # L2TP control port to the router, any source.
  127. add chain=input comment="Accept L2TP" dst-port=1701 protocol=udp
  # Block labelled VIDEO: assorted tcp/udp ports, any source and destination.
  128. add chain=forward comment="Accept VIDEO" dst-port=8080 protocol=tcp
  129. add chain=forward dst-port=8000 protocol=tcp
  130. add chain=forward dst-port=4433 protocol=tcp
  131. add chain=forward dst-port=3084 protocol=tcp
  132. add chain=forward dst-port=3084 protocol=udp
  133. add chain=forward dst-port=3081 protocol=tcp
  134. add chain=forward dst-port=3081 protocol=udp
  135. add chain=forward dst-port=3080 protocol=tcp
  136. add chain=forward dst-port=5432 protocol=tcp
  137. add chain=forward dst-port=554 protocol=tcp
  138. add chain=forward dst-port=554 protocol=udp
  139. add chain=forward dst-port=555 protocol=tcp
  # NOTE(review): together with the dstnat entry that maps tcp/7898 on pppoe-out-TVT to
  # 10.104.0.80:3389, this accept lets RDP through from the uplink with no source
  # restriction. Limit it with src-address-list or carry it over the VPN.
  140. add chain=forward comment="Accept RDP" dst-port=3389 protocol=tcp
  141. add chain=forward comment="Accept 1c key hasp" dst-port=475 protocol=tcp
  142. add chain=forward dst-port=475 protocol=udp
  143. add chain=forward comment="Accept PROXY http" dst-port=4480 protocol=tcp
  144. add chain=forward dst-port=80 protocol=tcp
  145. add chain=forward dst-port=443 protocol=tcp
  146. add chain=forward comment=SELMA dst-port=8087-8091 protocol=tcp
  147. add chain=forward comment="Accept Zabbix agent" dst-port=10051 protocol=tcp
  148. add chain=forward dst-port=10050 protocol=tcp
  # Drop for 10.100.1.46 tcp/10500. It sits before the LAN accept-all, so it applies to
  # LAN hosts; traffic entering via the ipip-SE-* and ipip-SFP tunnels is accepted
  # earlier and never reaches it.
  149. add action=drop chain=forward comment=FS-8525 dst-address=10.100.1.46 \
  150. dst-port=10500 protocol=tcp
  # NOTE(review): the comment says CapsMan but udp/161 is the SNMP port - confirm which
  # service is meant.
  151. add chain=forward comment="Accept CapsMan" dst-port=161 protocol=udp
  # PPTP control port, to the router and forwarded, any source.
  152. add chain=input comment="Accept PPTP" dst-port=1723 protocol=tcp
  153. add chain=forward dst-port=1723 protocol=tcp
  154. add chain=forward comment="HP print services" dst-port=9100 protocol=tcp
  155. add chain=forward comment="Accept ping" protocol=icmp
  156. add chain=forward comment="Accept FTP" dst-port=21 protocol=tcp
  157. add chain=input protocol=icmp
  # Wide UDP ranges for VoIP media and signalling, any source.
  158. add chain=forward comment="Accept Asterisk" dst-port=10000-20000 protocol=udp
  159. add chain=forward dst-port=5004-5020 protocol=udp
  160. add chain=forward dst-port=5060-5064 protocol=udp
  # NOTE(review): the comment reads "Accept DNS", but the entries below it also open
  # 137, 445 and 135-139 (Windows name-service, file-sharing and RPC ports) to every
  # interface, uplinks included; scope them to the tunnel interfaces.
  161. add chain=forward comment="Accept DNS" dst-port=53 protocol=udp
  162. add chain=forward dst-port=137 protocol=udp
  163. add chain=forward dst-port=445 protocol=tcp
  164. add chain=forward dst-port=135-139 protocol=tcp
  165. add chain=forward dst-port=135-139 protocol=udp
  166. add chain=forward comment="Accept NTP" dst-port=123 protocol=udp
  167. add chain=forward comment="Accept LDAP" dst-port=389 protocol=udp
  168. add chain=forward dst-port=389 protocol=tcp
  169. add chain=forward dst-port=3268 protocol=udp
  # LAN sources (ether4-LAN, 10.104.0.0/22) may reach the router and be forwarded anywhere.
  # Because of the forward rule, the port-based accepts in this chain matter mainly for
  # traffic that enters on the other interfaces.
  170. add chain=input comment="Accept LAN" in-interface=ether4-LAN src-address=\
  171. 10.104.0.0/22
  172. add chain=forward in-interface=ether4-LAN src-address=10.104.0.0/22
  173. add chain=forward comment="Accept mail" dst-port=25 protocol=tcp
  174. add chain=forward dst-port=143 protocol=tcp
  175. add chain=forward dst-port=110 protocol=tcp
  176. add chain=forward dst-port=3000 protocol=tcp
  177. add chain=forward comment="Accept miranda" dst-port=5222 protocol=tcp
  # Everything arriving over the TTK and TVT tunnels is forwarded without restriction.
  178. add chain=forward comment="Accept tunnel" in-interface=ipip-TTK-4505
  179. add chain=forward in-interface=ipip-TTK-TPK1
  180. add chain=forward in-interface=ipip-TVT-4505
  181. add chain=forward in-interface=ipip-TVT-TPK
  # Closing drop for forward; dropped packets are logged with a prefix of six $ signs.
  182. add action=drop chain=forward log=yes log-prefix="\$\$\$\$\$\$"
  # Mangle rules: TCP MSS clamping for PPP links plus packet, routing and connection marks.
  183. /ip firewall mangle
  # Clamp the MSS of TCP SYNs to 1440 when a larger value is seen, in both directions
  # across any PPP interface (all-ppp).
  184. add action=change-mss chain=forward in-interface=all-ppp new-mss=1440 \
  185. protocol=tcp tcp-flags=syn tcp-mss=1441-65535
  186. add action=change-mss chain=forward new-mss=1440 out-interface=all-ppp \
  187. protocol=tcp tcp-flags=syn tcp-mss=1441-65535
  # Packet marks for proxy (tcp/4480) and Asterisk (10.100.0.100) traffic leaving via
  # ipip-SE-4505. The only queue in this export is disabled and references no packet
  # mark, so these marks look unused - confirm.
  188. add action=mark-packet chain=postrouting dst-port=4480 new-packet-mark=\
  189. proxy_pac out-interface=ipip-SE-4505 protocol=tcp
  190. add action=mark-packet chain=postrouting dst-address=10.100.0.100 \
  191. new-packet-mark=asterisk_pac out-interface=ipip-SE-4505
  # NOTE(review): traffic to 8.8.8.8 receives routing mark "test", but no entry in
  # /ip route carries routing-mark=test; this looks like a leftover from testing.
  192. add action=mark-routing chain=prerouting dst-address=8.8.8.8 \
  193. new-routing-mark=test
  # Two disabled rules that would mark connections arriving on pppoe-out-TVT for
  # 83.151.14.163 and route the router's replies with mark TVT-r.
  194. add action=mark-connection chain=input disabled=yes dst-address=83.151.14.163 \
  195. in-interface=pppoe-out-TVT new-connection-mark=TVT
  196. add action=mark-routing chain=output connection-mark=TVT disabled=yes \
  197. new-routing-mark=TVT-r
  # NAT: one inbound port mapping, three masquerade rules, and connection helper settings.
  198. /ip firewall nat
  # Maps tcp/7898 arriving on pppoe-out-TVT to 10.104.0.80:3389 (RDP of host "SZR").
  # NOTE(review): the rule has no src-address or src-address-list, so the mapping is open
  # to any source reaching the uplink. Restrict the sources or move access behind the VPN.
  199. add action=netmap chain=dstnat comment="SZR rdp" dst-port=7898 in-interface=\
  200. pppoe-out-TVT protocol=tcp to-addresses=10.104.0.80 to-ports=3389
  # Masquerade for one host towards one external SIP address.
  201. add action=masquerade chain=srcnat comment=SIP-dorhan-smirnov dst-address=\
  202. 91.209.94.230 out-interface=pppoe-out-TVT src-address=10.104.2.60
  # Masquerade for members of the direct-inet address list; the comment appears to decode
  # to roughly "direct internet by address-list".
  203. add action=masquerade chain=srcnat comment=\
  204. "\CF\F0\FF\EC\EE\E9 \E8\ED\F2\E5\F0\ED\E5\F2 \EF\EE address-list" \
  205. out-interface=pppoe-out-TVT src-address-list=direct-inet
  # Masquerade for everything leaving through the L2TP_Svobodny VPN interface.
  206. add action=masquerade chain=srcnat comment="\D1\E2\EE\E1\EE\E4\ED\FB\E9" \
  207. out-interface=L2TP_Svobodny
  208. /ip firewall service-port
  # FTP and TFTP connection helpers are switched off.
  209. set ftp disabled=yes
  210. set tftp disabled=yes
  # Static routes to remote sites over the tunnels. Several destinations have a primary
  # route plus fallbacks at higher distance, each tested with check-gateway=ping.
  # No default route is defined here; it comes from the PPPoE client (distance 2).
  # NOTE(review): fallbacks through ipip-TVT-* move internal traffic onto tunnels that run
  # between 83.151.14.x addresses with no IPsec visible in this export.
  211. /ip route
  # 10.100.0.0/22: SE tunnel first, then TTK (20), then TVT (30).
  212. add check-gateway=ping distance=1 dst-address=10.100.0.0/22 gateway=\
  213. ipip-SE-4505
  214. add check-gateway=ping comment=45/05 distance=20 dst-address=10.100.0.0/22 \
  215. gateway=ipip-TTK-4505
  216. add check-gateway=ping distance=30 dst-address=10.100.0.0/22 gateway=\
  217. ipip-TVT-4505
  # 10.100.8.0/22: SFP tunnel first, then four fallbacks at distance 20-50.
  218. add check-gateway=ping comment=TPK1 distance=1 dst-address=10.100.8.0/22 \
  219. gateway=ipip-SFP-TPK1
  220. add check-gateway=ping comment=TPK1 distance=20 dst-address=10.100.8.0/22 \
  221. gateway=ipip-TVT-TPK
  222. add check-gateway=ping comment=TPK1 distance=30 dst-address=10.100.8.0/22 \
  223. gateway=ipip-SE-4505
  224. add check-gateway=ping comment=TPK1 distance=40 dst-address=10.100.8.0/22 \
  225. gateway=ipip-TVT-4505
  226. add check-gateway=ping comment=TPK1 distance=50 dst-address=10.100.8.0/22 \
  227. gateway=ipip-TTK-4505
  # NOTE(review): unlike the other primaries, this distance=1 route has no
  # check-gateway=ping. With keepalive unset on the tunnel, nothing shown here would
  # take it down, so the fallbacks below may never become active - confirm.
  228. add comment=KipMaster distance=1 dst-address=10.100.12.0/24 gateway=\
  229. ipip-SE-KipM
  230. add check-gateway=ping comment=KipMaster distance=20 dst-address=\
  231. 10.100.12.0/24 gateway=ipip-SE-4505
  232. add check-gateway=ping comment=KipMaster distance=30 dst-address=\
  233. 10.100.12.0/24 gateway=ipip-TVT-4505
  234. add check-gateway=ping comment=KipMaster distance=40 dst-address=\
  235. 10.100.12.0/24 gateway=ipip-TTK-4505
  # Single-path routes with no fallback and no gateway check.
  236. add distance=1 dst-address=10.100.13.64/26 gateway=ipip-SE-4505
  237. add distance=1 dst-address=10.100.13.128/26 gateway=ipip-SE-KipM
  238. add distance=1 dst-address=10.100.13.192/26 gateway=ipip-SFP-TPK1
  239. add comment="\C0\C2\C7" distance=1 dst-address=10.101.4.0/24 gateway=\
  240. ipip-SFP-TPK1
  241. add distance=1 dst-address=172.31.0.0/16 gateway=ipip-TTK-4505
  # NOTE(review): both routes to 192.168.80.0/24 have distance=1 and no gateway check, so
  # the export does not define which path is preferred. The 192.168.81.0/24 pair below
  # uses distance 1 and 2; the 192.168.100.0/24 pair repeats the distance=1 pattern.
  242. add comment=KAZAN distance=1 dst-address=192.168.80.0/24 gateway=ipip-SE-4505
  243. add distance=1 dst-address=192.168.80.0/24 gateway=ipip-TVT-4505
  244. add comment="\D3\F4\E0" distance=1 dst-address=192.168.81.0/24 gateway=\
  245. ipip-SE-4505
  246. add distance=2 dst-address=192.168.81.0/24 gateway=ipip-TVT-4505
  247. add comment="\CD\E8\E6\ED\E5\E2\E0\F0\F2\EE\E2\F1\EA" distance=1 dst-address=\
  248. 192.168.82.0/24 gateway=ipip-SE-4505
  # Route to the network behind the L2TP client, via the address assigned in /ppp secret.
  249. add comment=Svobodny distance=1 dst-address=192.168.83.0/24 gateway=\
  250. 10.50.0.11 pref-src=10.50.0.10
  251. add comment=Guest distance=1 dst-address=192.168.100.0/24 gateway=\
  252. ipip-SE-4505
  253. add distance=1 dst-address=192.168.100.0/24 gateway=ipip-TVT-4505
  # Management services, VPN accounts, system identity/time and leftover tool settings.
  254. /ip service
  # telnet, ftp, www, ssh and api are disabled. Services not listed here stay at their
  # defaults, so Winbox appears to be enabled with no address= restriction.
  # NOTE(review): the filter's input chain has no closing drop, so whatever is enabled
  # here is reachable on every interface, the uplinks included. Set address= on the
  # remaining services to the management networks and close the input chain.
  255. set telnet disabled=yes
  256. set ftp disabled=yes
  257. set www disabled=yes
  258. set ssh disabled=yes
  259. set api disabled=yes
  260. /lcd
  261. set time-interval=hour
  262. /ppp secret
  # Two L2TP accounts on profile TDRZ; passwords read ****** in this listing.
  # NOTE(review): both accounts get the same local and remote address (10.50.0.10 and
  # 10.50.0.11), and the 192.168.83.0/24 route points at 10.50.0.11. If both can be
  # connected at once the addressing would collide - confirm intended use.
  263. add local-address=10.50.0.10 name=Svobodny password=****** profile=TDRZ \
  264. remote-address=10.50.0.11 service=l2tp
  265. add local-address=10.50.0.10 name=NV password=****** profile=TDRZ \
  266. remote-address=10.50.0.11 service=l2tp
  267. /system clock
  268. set time-zone-autodetect=no time-zone-name=Europe/Moscow
  269. /system identity
  270. set name=MikroTik_TPK4
  271. /system ntp client
  # Time is taken from two internal servers; the secondary is reached through the tunnels.
  272. set enabled=yes primary-ntp=10.104.0.4 secondary-ntp=10.100.1.4
  273. /system routerboard settings
  # NOTE(review): protected-routerboot=disabled leaves the boot loader's reset and
  # netinstall paths available to anyone with physical access - presumably the default;
  # confirm it matches the physical security of the site.
  274. set protected-routerboot=disabled
  275. /tool sniffer
  # Packet sniffer keeps headers only.
  276. set only-headers=yes
  277. /tool traffic-generator packet-template
  # Traffic-generator template and stream (random payload, 1500-byte packets); these look
  # like leftovers from link testing - confirm they are still needed.
  278. add data=random name=packet-template1
  279. /tool traffic-generator stream
  280. add name=str1 packet-size=1500 tx-template=packet-template1