Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # apr/01/2020 11:11:10 by RouterOS 6.46.4
- # software id = GRWW-JPES
- #
- # model = 2011UiAS-2HnD
- # serial number = ---
- /interface ethernet
- set [ find default-name=ether1 ] name=ether1-uplink-SWSTVAL01 speed=100Mbps
- set [ find default-name=ether2 ] disabled=yes speed=100Mbps
- set [ find default-name=ether3 ] disabled=yes speed=100Mbps
- set [ find default-name=ether4 ] advertise=100M-full name=\
- ether4-gw-fastweb-work speed=100Mbps
- set [ find default-name=ether5 ] name=ether5-gw-fastweb-home speed=100Mbps
- set [ find default-name=ether6 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
- ether6-Gigaset
- set [ find default-name=ether7 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
- set [ find default-name=ether8 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
- set [ find default-name=ether9 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
- set [ find default-name=ether10 ] advertise=100M-full auto-negotiation=no \
- disabled=yes poe-out=off
- set [ find default-name=sfp1 ] disabled=yes
- /interface bridge
- add fast-forward=no mtu=1500 name=bridge-guest
- add admin-mac=4C:5E:0C:D3:25:99 auto-mac=no fast-forward=no mtu=1500 name=\
- bridge-main
- add fast-forward=no mtu=1500 name=bridge-work
- /interface vlan
- add interface=ether1-uplink-SWSTVAL01 name=vlan101-main-ether1 vlan-id=101
- add interface=ether1-uplink-SWSTVAL01 name=vlan102-work-ether1 vlan-id=102
- add interface=ether1-uplink-SWSTVAL01 name=vlan103-guest-ether1 vlan-id=103
- /interface list
- add exclude=dynamic name=discover
- add name=mactel
- add name=mac-winbox
- /ip ipsec proposal
- set [ find default=yes ] enc-algorithms=aes-128-cbc
- /ip pool
- add name=main ranges=192.168.0.81-192.168.0.180
- add name=guest ranges=192.168.1.70-192.168.1.121
- add name=work ranges=192.168.1.6-192.168.1.57
- /ip dhcp-server
- add address-pool=main disabled=no interface=bridge-main lease-time=2d name=\
- main
- add address-pool=guest disabled=no interface=bridge-guest lease-time=30m \
- name=guest
- add address-pool=work disabled=no interface=bridge-work lease-time=2d name=\
- work
- /queue simple
- add max-limit=1M/1M name=iot-limit target="192.168.0.55/32,192.168.0.56/32,192\
- .168.0.57/32,192.168.0.58/32,192.168.0.59/32,192.168.0.60/32,192.168.0.61/\
- 32,192.168.0.62/32,192.168.0.63/32,192.168.0.64/32,192.168.0.65/32,192.168\
- .0.66/32,192.168.0.67/32,192.168.0.68/32,192.168.0.69/32"
- add max-limit=5M/20M name=guest-limit target=192.168.1.64/26
- add max-limit=1M/10M name=freewifi-limit target=192.168.1.64/26
- /snmp community
- set [ find default=yes ] addresses=0.0.0.0/0
- /user group
- add name=nosensitive policy="local,telnet,ssh,ftp,reboot,read,write,policy,tes\
- t,winbox,password,web,sniff,api,romon,dude,tikapp,!sensitive"
- /interface bridge port
- add bridge=bridge-main interface=ether6-Gigaset
- add bridge=bridge-guest interface=ether10
- add bridge=bridge-main interface=ether3
- add bridge=bridge-main interface=ether7
- add bridge=bridge-main interface=ether8
- add bridge=bridge-main interface=vlan101-main-ether1
- add bridge=bridge-work interface=vlan102-work-ether1
- add bridge=bridge-main interface=ether2
- add bridge=bridge-guest interface=ether9
- add bridge=bridge-guest interface=vlan103-guest-ether1
- /ip neighbor discovery-settings
- set discover-interface-list=discover
- /interface list member
- add interface=sfp1 list=discover
- add interface=ether2 list=discover
- add interface=ether3 list=discover
- add interface=ether4-gw-fastweb-work list=discover
- add interface=ether5-gw-fastweb-home list=discover
- add interface=ether6-Gigaset list=discover
- add interface=ether7 list=discover
- add interface=ether8 list=discover
- add interface=ether9 list=discover
- add interface=ether10 list=discover
- add list=discover
- add interface=bridge-main list=discover
- add list=discover
- add interface=bridge-guest list=discover
- add list=discover
- add list=discover
- add list=discover
- add list=discover
- add list=discover
- add interface=ether2 list=mactel
- add interface=ether3 list=mactel
- add interface=ether2 list=mac-winbox
- add interface=ether4-gw-fastweb-work list=mactel
- add interface=ether5-gw-fastweb-home list=mactel
- add interface=ether3 list=mac-winbox
- add interface=ether6-Gigaset list=mactel
- add interface=ether4-gw-fastweb-work list=mac-winbox
- add interface=ether7 list=mactel
- add interface=ether5-gw-fastweb-home list=mac-winbox
- add interface=ether8 list=mactel
- add interface=ether6-Gigaset list=mac-winbox
- add interface=ether9 list=mactel
- add interface=ether7 list=mac-winbox
- add interface=ether10 list=mactel
- add interface=ether8 list=mac-winbox
- add interface=sfp1 list=mactel
- add interface=ether9 list=mac-winbox
- add list=mactel
- add interface=ether10 list=mac-winbox
- add interface=bridge-main list=mactel
- add interface=sfp1 list=mac-winbox
- add list=mac-winbox
- add interface=bridge-main list=mac-winbox
- /ip address
- add address=192.168.0.1/24 comment="main network" interface=bridge-main \
- network=192.168.0.0
- add address=192.168.3.2/24 comment="Public Network (WAN FastWeb Home)" \
- interface=ether5-gw-fastweb-home network=192.168.3.0
- add address=192.168.4.2/24 comment="Public Network (WAN FastWeb work)" \
- interface=ether4-gw-fastweb-work network=192.168.4.0
- add address=192.168.1.1/26 comment="work network" interface=bridge-work \
- network=192.168.1.0
- add address=192.168.1.65/26 comment="guest network" interface=bridge-guest \
- network=192.168.1.64
- /ip dhcp-server lease
- add address=192.168.0.181 always-broadcast=yes comment="Laptop Antonio" \
- mac-address=00:E0:4C:68:14:6F server=main
- add address=192.168.0.182 always-broadcast=yes comment="Laptop Antonella" \
- mac-address=EC:F4:BB:03:30:6D server=main
- add address=192.168.0.54 always-broadcast=yes comment="Cisco SPA303" \
- mac-address=54:78:1A:13:17:EF server=main
- add address=192.168.0.55 comment="MAX! Cube Gateway" mac-address=\
- 00:1A:22:0A:62:73 server=main
- add address=192.168.0.51 always-broadcast=yes comment="Stampante HP" \
- mac-address=64:51:06:23:60:68 server=main
- add address=192.168.0.52 always-broadcast=yes comment="Siemens Gigaset" \
- mac-address=7C:2F:80:2F:A3:66 server=main
- add address=192.168.0.53 comment="Canon Selphy Printer" mac-address=\
- 60:12:8B:A4:4F:FE server=main
- add address=192.168.0.64 comment="Shelly Luce Bagno" mac-address=\
- CC:50:E3:F3:CA:7A server=main
- add address=192.168.0.68 comment="Shelly Faretti Sala" mac-address=\
- 98:F4:AB:F3:30:B2 server=main
- add address=192.168.0.69 comment="Shelly Luce Ufficio" mac-address=\
- 84:F3:EB:DB:33:CE server=main
- add address=192.168.0.67 comment="Shelly Luce Sala" mac-address=\
- CC:50:E3:F3:EA:DF server=main
- add address=192.168.0.65 comment="Shelly Luce Cucina" mac-address=\
- 98:F4:AB:F2:42:EB server=main
- add address=192.168.0.66 comment="Shelly Faretto Cucina" mac-address=\
- CC:50:E3:F3:68:FF server=main
- add address=192.168.0.63 comment="Shelly Tapparella Ufficio" mac-address=\
- C8:2B:96:10:CF:6E server=main
- add address=192.168.0.57 comment="Shelly Tapparella Bagno" mac-address=\
- C8:2B:96:11:32:27 server=main
- add address=192.168.0.58 comment="Shelly Tapparella Cameretta" mac-address=\
- 8C:AA:B5:05:81:07 server=main
- add address=192.168.0.56 comment="Shelly Tapparella Camera" mac-address=\
- 8C:AA:B5:05:9D:E3 server=main
- add address=192.168.0.60 comment="Shelly Tenda Cucina" mac-address=\
- 8C:AA:B5:05:90:5B server=main
- add address=192.168.0.59 comment="Shelly Tapparella Cucina" mac-address=\
- E0:98:06:8C:F8:0E server=main
- add address=192.168.0.61 comment="Shelly Tapparella Sala" mac-address=\
- E0:98:06:8D:4D:82 server=main
- /ip dhcp-server network
- add address=192.168.0.0/24 comment="main network" dns-server=\
- 192.168.0.22,208.67.222.222,8.8.8.8,208.67.220.220,8.8.4.4 domain=\
- stval.local gateway=192.168.0.1 netmask=24 ntp-server=\
- 193.204.114.232,193.204.114.233
- add address=192.168.1.0/26 comment="work network" dns-server=\
- 8.8.8.8,208.67.222.222,8.8.4.4,208.67.220.220 gateway=192.168.1.1 \
- netmask=26 ntp-server=193.204.114.232,193.204.114.233
- add address=192.168.1.64/26 comment="guest network" dns-server=\
- 156.154.70.4,156.154.71.4 gateway=192.168.1.65 netmask=26 ntp-server=\
- 193.204.114.232,193.204.114.233
- /ip dns
- set allow-remote-requests=yes servers=\
- 208.67.222.222,8.8.8.8,208.67.220.220,8.8.4.4
- /ip dns static
- add address=192.168.0.1 name=router
- /ip firewall address-list
- add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
- add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
- add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
- add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
- add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
- add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
- add address=224.0.0.0/4 comment=Multicast list=not_in_internet
- add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
- add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
- add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
- add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
- add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
- add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
- add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
- add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
- not_in_internet
- add address=192.168.0.0/24 comment=\
- "Address allowed to establish connection to the router" list=\
- allowed_to_router
- add address=192.168.1.64/26 list=guest_network
- add address=192.168.0.55-192.168.0.69 list=iot_devices
- add address=192.168.1.0/26 list=allowed_to_router
- /ip firewall filter
- add action=accept chain=input comment="default configuration" \
- connection-state=established,related
- add action=accept chain=input src-address-list=allowed_to_router
- add action=accept chain=input protocol=icmp
- add action=drop chain=input
- add action=accept chain=forward comment=\
- "Allow only OpenDNS and my DNS as DNS from Guest Network" dst-address=\
- 51.aaa.bbb.ccc dst-port=53 protocol=udp src-address=192.168.1.64/26
- add action=accept chain=forward dst-address=156.154.70.4 dst-port=53 \
- protocol=udp src-address=192.168.1.64/26
- add action=accept chain=forward dst-address=156.154.71.4 dst-port=53 \
- protocol=udp src-address=192.168.1.64/26
- add action=drop chain=forward dst-port=53 protocol=udp src-address=\
- 192.168.1.64/26
- add action=accept chain=forward dst-address=51.aaa.bbb.ccc dst-port=53 \
- protocol=tcp src-address=192.168.1.64/26
- add action=accept chain=forward dst-address=156.154.70.4 dst-port=53 \
- protocol=tcp src-address=192.168.1.64/26
- add action=accept chain=forward dst-address=156.154.71.4 dst-port=53 \
- protocol=tcp src-address=192.168.1.64/26
- add action=drop chain=forward dst-port=53 protocol=tcp src-address=\
- 192.168.1.64/26
- add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
- log=yes log-prefix=invalid
- add action=drop chain=forward comment=\
- "Drop packets from guest lan that do not have guest lan IP" \
- dst-address-list=not_in_internet log=yes log-prefix=LANGUEST_!LANGUEST \
- src-address=192.168.1.64/26
- add action=accept chain=forward comment=\
- "Guest Network has to go to forward, no fasttrack to manage queue" \
- connection-state=established,related src-address-list=guest_network
- add action=accept chain=forward connection-state=established,related \
- dst-address-list=guest_network
- add action=accept chain=forward comment=\
- "iot devices have to go to forward, no fasttrack to manage queue" \
- connection-state=established,related src-address-list=iot_devices
- add action=accept chain=forward connection-state=established,related \
- dst-address-list=iot_devices
- add action=fasttrack-connection chain=forward comment=FastTrack \
- connection-state=established,related
- /ip firewall mangle
- add action=mark-routing chain=prerouting comment=\
- "Mangle Main Addresses to route to Home Fastweb modem" dst-address-list=\
- !not_in_internet new-routing-mark=from-main passthrough=no src-address=\
- 192.168.0.0/24
- add action=mark-routing chain=prerouting comment=\
- "Mangle Work Addresses to route to work Fastweb modem" dst-address-list=\
- !not_in_internet new-routing-mark=from-work passthrough=no src-address=\
- 192.168.1.0/26
- add action=mark-routing chain=prerouting comment=\
- "Mangle GuestAddresses to route to Home Fastweb modem" new-routing-mark=\
- from-guest passthrough=no src-address=192.168.1.64/26
- /ip firewall nat
- add action=masquerade chain=srcnat comment="main network - routing " \
- out-interface=ether5-gw-fastweb-home src-address=192.168.0.0/24
- add action=masquerade chain=srcnat comment=\
- "work network - routing fastweb work" out-interface=\
- ether4-gw-fastweb-work src-address=192.168.1.0/26
- add action=masquerade chain=srcnat comment=\
- "guest network - routing fastweb home" out-interface=\
- ether5-gw-fastweb-home src-address=192.168.1.64/26
- add action=dst-nat chain=dstnat comment="OpenVPN to TinkerBoard" dst-address=\
- 192.168.3.2 dst-port=443 protocol=tcp to-addresses=192.168.0.22 to-ports=\
- 443
- add action=dst-nat chain=dstnat comment=\
- "***DISABLED*** SSH Opened toTinkerBoard" disabled=yes dst-address=\
- 192.168.3.2 dst-port=2200 protocol=tcp to-addresses=192.168.0.22 \
- to-ports=22
- add action=dst-nat chain=dstnat comment="***DISABLED*** SSH Opened to RasPBX" \
- disabled=yes dst-address=192.168.3.2 dst-port=2201 protocol=tcp \
- to-addresses=192.168.0.46 to-ports=22
- add action=dst-nat chain=dstnat comment=\
- "***DISABLED*** TVBHeadend opened to RaspberryPI TV Stream" disabled=yes \
- dst-address=192.168.3.2 dst-port=21906 protocol=tcp to-addresses=\
- 192.168.0.57 to-ports=9981
- add action=dst-nat chain=dstnat comment=\
- "***DISABLED*** TVBHeadend opened to RaspberryPI TV Stream" disabled=yes \
- dst-address=192.168.3.2 dst-port=21907 protocol=tcp to-addresses=\
- 192.168.0.57 to-ports=9982
- add action=dst-nat chain=dstnat comment=\
- "***DISABLED*** VNC on Raspberry PI Zero W" disabled=yes dst-address=\
- 192.168.3.2 dst-port=80 protocol=tcp to-addresses=192.168.0.241 to-ports=\
- 5900
- add action=dst-nat chain=dstnat comment=\
- "***DISABLED*** nginx on Raspberry PI Zero W" disabled=yes dst-address=\
- 192.168.3.2 dst-port=8080 protocol=tcp to-addresses=192.168.0.241 \
- to-ports=80
- add action=masquerade chain=srcnat comment="***DISABLED*** http://wiki.mikroti\
- k.com/wiki/Hairpin_NAT for testing OpenVPN Raspberry on the internal netwo\
- rk" disabled=yes dst-address=192.168.1.2 dst-port=443 out-interface=*15 \
- protocol=tcp src-address=192.168.0.0/24
- add action=masquerade chain=srcnat comment="***DISABLED*** http://wiki.mikroti\
- k.com/wiki/Hairpin_NAT for testing ftp Raspberry on the internal network" \
- disabled=yes dst-address=192.168.1.2 dst-port=21 out-interface=*15 \
- protocol=tcp src-address=192.168.0.0/24
- /ip firewall service-port
- set sip disabled=yes
- /ip ipsec policy
- set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
- /ip proxy
- set cache-path=web-proxy1
- /ip route
- add distance=1 gateway=192.168.3.1 routing-mark=from-main
- add distance=1 gateway=192.168.4.1 routing-mark=from-work
- add distance=1 gateway=192.168.3.1 routing-mark=from-guest
- add disabled=yes distance=1 gateway=192.168.3.1
- /ip service
- set telnet address=192.168.0.0/24,192.168.1.0/26 disabled=yes
- set ftp address=192.168.0.0/24,192.168.1.0/26 disabled=yes
- set www address=192.168.0.0/24,192.168.1.0/26
- set ssh address=192.168.0.0/24,192.168.1.0/26 disabled=yes
- set www-ssl address=192.168.0.0/24,192.168.1.0/26
- set api address=192.168.0.0/24,192.168.1.0/26 disabled=yes
- set winbox address=192.168.0.0/24,192.168.1.0/26
- set api-ssl address=192.168.0.0/24,192.168.1.0/26 disabled=yes
- /ip smb
- set allow-guests=no comment="" domain="" interfaces=bridge-main
- /ip smb users
- add name=antonio read-only=no
- add name=scanner read-only=no
- add name=antonella read-only=no
- /ip ssh
- set allow-none-crypto=yes forwarding-enabled=remote
- /lcd
- set backlight-timeout=5m default-screen=informative-slideshow time-interval=\
- daily
- /lcd interface pages
- set 0 interfaces="sfp1,ether1-uplink-SWSTVAL01,ether2,ether3,ether4-gw-fastweb\
- -work,ether5-gw-fastweb-home,ether6-Gigaset,ether7,ether8,ether9,ether10"
- /system clock
- set time-zone-autodetect=no time-zone-name=Europe/Rome
- /system identity
- set name=RTSTVAL01
- /system logging
- set 0 disabled=yes
- add disabled=yes topics=firewall
- /system ntp client
- set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
- /tool graphing interface
- add interface=ether5-gw-fastweb-home
- add interface=ether4-gw-fastweb-work
- /tool graphing resource
- add
- /tool mac-server
- set allowed-interface-list=mactel
- /tool mac-server mac-winbox
- set allowed-interface-list=mac-winbox
- /tool romon port
- add
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement