  # RouterOS 6.46.4 /export of a 2011UiAS-2HnD: a home/work router sitting behind two Fastweb modems, with three
  # separate LANs (main, work, guest) fed as VLANs 101-103 over the uplink to switch SWSTVAL01.
  # Lines starting with "NOTE(review)" are reviewer observations (risk, consistency, things to confirm); they add no behaviour.
  # NOTE(review): the "software id" in the header identifies the licence of this unit; strip it before publishing an export.
  1. # apr/01/2020 11:11:10 by RouterOS 6.46.4
  2. # software id = GRWW-JPES
  3. #
  4. # model = 2011UiAS-2HnD
  5. # serial number = ---
  # Physical ports: ether1 is the tagged uplink to SWSTVAL01 (the VLAN sub-interfaces below hang off it), ether4/ether5
  # face the work/home Fastweb modems, ether6 carries the Gigaset base; ether2/3/7/8/9/10 and sfp1 are disabled.
  6. /interface ethernet
  7. set [ find default-name=ether1 ] name=ether1-uplink-SWSTVAL01 speed=100Mbps
  8. set [ find default-name=ether2 ] disabled=yes speed=100Mbps
  9. set [ find default-name=ether3 ] disabled=yes speed=100Mbps
  10. set [ find default-name=ether4 ] advertise=100M-full name=\
  11. ether4-gw-fastweb-work speed=100Mbps
  12. set [ find default-name=ether5 ] name=ether5-gw-fastweb-home speed=100Mbps
  13. set [ find default-name=ether6 ] advertise=\
  14. 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
  15. ether6-Gigaset
  16. set [ find default-name=ether7 ] advertise=\
  17. 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
  18. set [ find default-name=ether8 ] advertise=\
  19. 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
  20. set [ find default-name=ether9 ] advertise=\
  21. 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
  22. set [ find default-name=ether10 ] advertise=100M-full auto-negotiation=no \
  23. disabled=yes poe-out=off
  24. set [ find default-name=sfp1 ] disabled=yes
  # Three separate bridges give the L2 separation between LANs; no bridge VLAN filtering appears in this export,
  # so segmentation relies on the per-VLAN sub-interfaces from ether1 being put on the right bridge.
  25. /interface bridge
  26. add fast-forward=no mtu=1500 name=bridge-guest
  27. add admin-mac=4C:5E:0C:D3:25:99 auto-mac=no fast-forward=no mtu=1500 name=\
  28. bridge-main
  29. add fast-forward=no mtu=1500 name=bridge-work
  30. /interface vlan
  31. add interface=ether1-uplink-SWSTVAL01 name=vlan101-main-ether1 vlan-id=101
  32. add interface=ether1-uplink-SWSTVAL01 name=vlan102-work-ether1 vlan-id=102
  33. add interface=ether1-uplink-SWSTVAL01 name=vlan103-guest-ether1 vlan-id=103
  # Interface lists consumed by neighbour discovery and by the MAC-Telnet / MAC-Winbox servers further down.
  34. /interface list
  35. add exclude=dynamic name=discover
  36. add name=mactel
  37. add name=mac-winbox
  # NOTE(review): only the default IPsec proposal is touched (AES-128-CBC); no peers or policies with concrete endpoints
  # appear in this export, so IPsec looks unused here — confirm before relying on it.
  38. /ip ipsec proposal
  39. set [ find default=yes ] enc-algorithms=aes-128-cbc
  # DHCP pools; the static leases at 192.168.0.181/.182 below sit just outside the main pool.
  40. /ip pool
  41. add name=main ranges=192.168.0.81-192.168.0.180
  42. add name=guest ranges=192.168.1.70-192.168.1.121
  43. add name=work ranges=192.168.1.6-192.168.1.57
  44. /ip dhcp-server
  45. add address-pool=main disabled=no interface=bridge-main lease-time=2d name=\
  46. main
  47. add address-pool=guest disabled=no interface=bridge-guest lease-time=30m \
  48. name=guest
  49. add address-pool=work disabled=no interface=bridge-work lease-time=2d name=\
  50. work
  # Bandwidth caps: one queue over the individual IoT addresses, and two over the guest LAN.
  # NOTE(review): guest-limit and freewifi-limit both target 192.168.1.64/26; simple queues match in order, so the
  # second (1M/10M) is presumably shadowed by the first (5M/20M) — confirm which limit is intended.
  51. /queue simple
  52. add max-limit=1M/1M name=iot-limit target="192.168.0.55/32,192.168.0.56/32,192\
  53. .168.0.57/32,192.168.0.58/32,192.168.0.59/32,192.168.0.60/32,192.168.0.61/\
  54. 32,192.168.0.62/32,192.168.0.63/32,192.168.0.64/32,192.168.0.65/32,192.168\
  55. .0.66/32,192.168.0.67/32,192.168.0.68/32,192.168.0.69/32"
  56. add max-limit=5M/20M name=guest-limit target=192.168.1.64/26
  57. add max-limit=1M/10M name=freewifi-limit target=192.168.1.64/26
  # NOTE(review): the default SNMP community is opened to 0.0.0.0/0. SNMP itself is not enabled in this export, but if it
  # is turned on, the default-named community becomes readable from every source the input chain admits (the
  # allowed_to_router subnets). Rename the community and restrict addresses= to the monitoring host.
  58. /snmp community
  59. set [ find default=yes ] addresses=0.0.0.0/0
  # NOTE(review): the "nosensitive" group still carries write, policy and password rights, i.e. it can alter users and
  # groups and is effectively administrative; only password/key material is hidden. No user is assigned to it in this export.
  60. /user group
  61. add name=nosensitive policy="local,telnet,ssh,ftp,reboot,read,write,policy,tes\
  62. t,winbox,password,web,sniff,api,romon,dude,tikapp,!sensitive"
  # Bridge membership. Disabled ports (ether2/3/7/8 on bridge-main, ether9/10 on bridge-guest) are pre-assigned,
  # so re-enabling one of them lands it on that LAN without further configuration.
  63. /interface bridge port
  64. add bridge=bridge-main interface=ether6-Gigaset
  65. add bridge=bridge-guest interface=ether10
  66. add bridge=bridge-main interface=ether3
  67. add bridge=bridge-main interface=ether7
  68. add bridge=bridge-main interface=ether8
  69. add bridge=bridge-main interface=vlan101-main-ether1
  70. add bridge=bridge-work interface=vlan102-work-ether1
  71. add bridge=bridge-main interface=ether2
  72. add bridge=bridge-guest interface=ether9
  73. add bridge=bridge-guest interface=vlan103-guest-ether1
  # NOTE(review): neighbour discovery (MNDP/CDP/LLDP) runs on bridge-guest and on the modem-facing ports ether4/ether5
  # via the "discover" list; it advertises identity, model and RouterOS version to whatever is on those segments.
  # Consider limiting the list to bridge-main.
  74. /ip neighbor discovery-settings
  75. set discover-interface-list=discover
  # NOTE(review): the "add list=..." entries without an interface are stale members whose interface no longer exists
  # and can be removed. ether4-gw-fastweb-work and ether5-gw-fastweb-home are also in mactel and mac-winbox, so
  # MAC-Telnet / MAC-Winbox are reachable on the modem-facing ports; the MAC server is layer-2 and is not filtered by
  # /ip firewall, only by these lists. Keep both lists to bridge-main unless management from the modem segment is wanted.
  76. /interface list member
  77. add interface=sfp1 list=discover
  78. add interface=ether2 list=discover
  79. add interface=ether3 list=discover
  80. add interface=ether4-gw-fastweb-work list=discover
  81. add interface=ether5-gw-fastweb-home list=discover
  82. add interface=ether6-Gigaset list=discover
  83. add interface=ether7 list=discover
  84. add interface=ether8 list=discover
  85. add interface=ether9 list=discover
  86. add interface=ether10 list=discover
  87. add list=discover
  88. add interface=bridge-main list=discover
  89. add list=discover
  90. add interface=bridge-guest list=discover
  91. add list=discover
  92. add list=discover
  93. add list=discover
  94. add list=discover
  95. add list=discover
  96. add interface=ether2 list=mactel
  97. add interface=ether3 list=mactel
  98. add interface=ether2 list=mac-winbox
  99. add interface=ether4-gw-fastweb-work list=mactel
  100. add interface=ether5-gw-fastweb-home list=mactel
  101. add interface=ether3 list=mac-winbox
  102. add interface=ether6-Gigaset list=mactel
  103. add interface=ether4-gw-fastweb-work list=mac-winbox
  104. add interface=ether7 list=mactel
  105. add interface=ether5-gw-fastweb-home list=mac-winbox
  106. add interface=ether8 list=mactel
  107. add interface=ether6-Gigaset list=mac-winbox
  108. add interface=ether9 list=mactel
  109. add interface=ether7 list=mac-winbox
  110. add interface=ether10 list=mactel
  111. add interface=ether8 list=mac-winbox
  112. add interface=sfp1 list=mactel
  113. add interface=ether9 list=mac-winbox
  114. add list=mactel
  115. add interface=ether10 list=mac-winbox
  116. add interface=bridge-main list=mactel
  117. add interface=sfp1 list=mac-winbox
  118. add list=mac-winbox
  119. add interface=bridge-main list=mac-winbox
  # Addressing: this router is double-NATed behind two Fastweb modems (192.168.3.2 on the home modem LAN,
  # 192.168.4.2 on the work modem LAN); main is 192.168.0.0/24, work 192.168.1.0/26, guest 192.168.1.64/26.
  120. /ip address
  121. add address=192.168.0.1/24 comment="main network" interface=bridge-main \
  122. network=192.168.0.0
  123. add address=192.168.3.2/24 comment="Public Network (WAN FastWeb Home)" \
  124. interface=ether5-gw-fastweb-home network=192.168.3.0
  125. add address=192.168.4.2/24 comment="Public Network (WAN FastWeb work)" \
  126. interface=ether4-gw-fastweb-work network=192.168.4.0
  127. add address=192.168.1.1/26 comment="work network" interface=bridge-work \
  128. network=192.168.1.0
  129. add address=192.168.1.65/26 comment="guest network" interface=bridge-guest \
  130. network=192.168.1.64
  # Static leases. The Italian comments are device descriptions (Luce = light, Tapparella = roller shutter,
  # Faretti/Faretto = spotlight(s), Tenda = curtain, Stampante = printer); they are left untouched as they are lease data.
  # NOTE(review): 192.168.0.57 is now the bathroom shutter Shelly, but the disabled dst-nat rules further down still
  # forward TVHeadend ports to it — stale target.
  131. /ip dhcp-server lease
  132. add address=192.168.0.181 always-broadcast=yes comment="Laptop Antonio" \
  133. mac-address=00:E0:4C:68:14:6F server=main
  134. add address=192.168.0.182 always-broadcast=yes comment="Laptop Antonella" \
  135. mac-address=EC:F4:BB:03:30:6D server=main
  136. add address=192.168.0.54 always-broadcast=yes comment="Cisco SPA303" \
  137. mac-address=54:78:1A:13:17:EF server=main
  138. add address=192.168.0.55 comment="MAX! Cube Gateway" mac-address=\
  139. 00:1A:22:0A:62:73 server=main
  140. add address=192.168.0.51 always-broadcast=yes comment="Stampante HP" \
  141. mac-address=64:51:06:23:60:68 server=main
  142. add address=192.168.0.52 always-broadcast=yes comment="Siemens Gigaset" \
  143. mac-address=7C:2F:80:2F:A3:66 server=main
  144. add address=192.168.0.53 comment="Canon Selphy Printer" mac-address=\
  145. 60:12:8B:A4:4F:FE server=main
  146. add address=192.168.0.64 comment="Shelly Luce Bagno" mac-address=\
  147. CC:50:E3:F3:CA:7A server=main
  148. add address=192.168.0.68 comment="Shelly Faretti Sala" mac-address=\
  149. 98:F4:AB:F3:30:B2 server=main
  150. add address=192.168.0.69 comment="Shelly Luce Ufficio" mac-address=\
  151. 84:F3:EB:DB:33:CE server=main
  152. add address=192.168.0.67 comment="Shelly Luce Sala" mac-address=\
  153. CC:50:E3:F3:EA:DF server=main
  154. add address=192.168.0.65 comment="Shelly Luce Cucina" mac-address=\
  155. 98:F4:AB:F2:42:EB server=main
  156. add address=192.168.0.66 comment="Shelly Faretto Cucina" mac-address=\
  157. CC:50:E3:F3:68:FF server=main
  158. add address=192.168.0.63 comment="Shelly Tapparella Ufficio" mac-address=\
  159. C8:2B:96:10:CF:6E server=main
  160. add address=192.168.0.57 comment="Shelly Tapparella Bagno" mac-address=\
  161. C8:2B:96:11:32:27 server=main
  162. add address=192.168.0.58 comment="Shelly Tapparella Cameretta" mac-address=\
  163. 8C:AA:B5:05:81:07 server=main
  164. add address=192.168.0.56 comment="Shelly Tapparella Camera" mac-address=\
  165. 8C:AA:B5:05:9D:E3 server=main
  166. add address=192.168.0.60 comment="Shelly Tenda Cucina" mac-address=\
  167. 8C:AA:B5:05:90:5B server=main
  168. add address=192.168.0.59 comment="Shelly Tapparella Cucina" mac-address=\
  169. E0:98:06:8C:F8:0E server=main
  170. add address=192.168.0.61 comment="Shelly Tapparella Sala" mac-address=\
  171. E0:98:06:8D:4D:82 server=main
  # DHCP options. Main-LAN clients are pointed at 192.168.0.22 (the TinkerBoard that also receives the OpenVPN
  # dst-nat below) and at public resolvers, not at this router; guest clients get the two resolvers the firewall allows.
  # NOTE(review): the domain "stval.local" collides with the mDNS-reserved .local zone (RFC 6762); a different suffix
  # avoids resolution oddities on Apple/Avahi hosts.
  172. /ip dhcp-server network
  173. add address=192.168.0.0/24 comment="main network" dns-server=\
  174. 192.168.0.22,208.67.222.222,8.8.8.8,208.67.220.220,8.8.4.4 domain=\
  175. stval.local gateway=192.168.0.1 netmask=24 ntp-server=\
  176. 193.204.114.232,193.204.114.233
  177. add address=192.168.1.0/26 comment="work network" dns-server=\
  178. 8.8.8.8,208.67.222.222,8.8.4.4,208.67.220.220 gateway=192.168.1.1 \
  179. netmask=26 ntp-server=193.204.114.232,193.204.114.233
  180. add address=192.168.1.64/26 comment="guest network" dns-server=\
  181. 156.154.70.4,156.154.71.4 gateway=192.168.1.65 netmask=26 ntp-server=\
  182. 193.204.114.232,193.204.114.233
  # NOTE(review): the router answers DNS for remote requesters, but the input chain below only admits the
  # allowed_to_router subnets, so this resolver is not reachable from the guest LAN or from the modem segments.
  # The router's own upstream lookups need a default route, and the only unmarked default route (/ip route, last entry)
  # is disabled — confirm that router-originated DNS/NTP actually works.
  183. /ip dns
  184. set allow-remote-requests=yes servers=\
  185. 208.67.222.222,8.8.8.8,208.67.220.220,8.8.4.4
  186. /ip dns static
  187. add address=192.168.0.1 name=router
  # Address lists: not_in_internet = RFC 6890 special-purpose ranges (used both as a bogon list in mangle and to keep
  # guest traffic off every private range); allowed_to_router = main + work LANs; iot_devices = the Shelly/MAX! range;
  # guest_network = the guest LAN.
  188. /ip firewall address-list
  189. add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
  190. add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
  191. add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
  192. add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
  193. add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
  194. add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
  195. add address=224.0.0.0/4 comment=Multicast list=not_in_internet
  196. add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
  197. add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
  198. add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
  199. add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
  200. add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
  201. add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
  202. add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
  203. add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
  204. not_in_internet
  205. add address=192.168.0.0/24 comment=\
  206. "Address allowed to establish connection to the router" list=\
  207. allowed_to_router
  208. add address=192.168.1.64/26 list=guest_network
  209. add address=192.168.0.55-192.168.0.69 list=iot_devices
  210. add address=192.168.1.0/26 list=allowed_to_router
  # Input chain: established/related, the management subnets, ICMP, then drop (ICMP is accepted from any source,
  # including the modem segments).
  # Forward chain: guest DNS is pinned to three resolvers, guest traffic to any private/special range is dropped and
  # logged, guest and IoT flows bypass fasttrack so the queues above see them, everything else is fasttracked.
  # NOTE(review): the forward chain has no terminal rule, so anything not matched is forwarded: work LAN <-> main LAN is
  # unrestricted, IoT devices (192.168.0.55-69) can reach the whole main LAN, and new connections arriving on
  # ether4/ether5 are presumably kept out only by the modems' routing, not by policy. An explicit
  # `add action=drop chain=forward connection-state=new in-interface=ether5-gw-fastweb-home` (and the same for ether4)
  # placed before the fasttrack rule would make that intent explicit.
  # NOTE(review): `51.aaa.bbb.ccc` is a redaction placeholder, not an address, so this export will not import as-is.
  # The comment on that rule names OpenDNS, but the resolvers actually allowed are 156.154.70.4/71.4 plus the
  # redacted one — align the comment with the addresses.
  211. /ip firewall filter
  212. add action=accept chain=input comment="default configuration" \
  213. connection-state=established,related
  214. add action=accept chain=input src-address-list=allowed_to_router
  215. add action=accept chain=input protocol=icmp
  216. add action=drop chain=input
  217. add action=accept chain=forward comment=\
  218. "Allow only OpenDNS and my DNS as DNS from Guest Network" dst-address=\
  219. 51.aaa.bbb.ccc dst-port=53 protocol=udp src-address=192.168.1.64/26
  220. add action=accept chain=forward dst-address=156.154.70.4 dst-port=53 \
  221. protocol=udp src-address=192.168.1.64/26
  222. add action=accept chain=forward dst-address=156.154.71.4 dst-port=53 \
  223. protocol=udp src-address=192.168.1.64/26
  224. add action=drop chain=forward dst-port=53 protocol=udp src-address=\
  225. 192.168.1.64/26
  226. add action=accept chain=forward dst-address=51.aaa.bbb.ccc dst-port=53 \
  227. protocol=tcp src-address=192.168.1.64/26
  228. add action=accept chain=forward dst-address=156.154.70.4 dst-port=53 \
  229. protocol=tcp src-address=192.168.1.64/26
  230. add action=accept chain=forward dst-address=156.154.71.4 dst-port=53 \
  231. protocol=tcp src-address=192.168.1.64/26
  232. add action=drop chain=forward dst-port=53 protocol=tcp src-address=\
  233. 192.168.1.64/26
  234. add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
  235. log=yes log-prefix=invalid
  236. add action=drop chain=forward comment=\
  237. "Drop packets from guest lan that do not have guest lan IP" \
  238. dst-address-list=not_in_internet log=yes log-prefix=LANGUEST_!LANGUEST \
  239. src-address=192.168.1.64/26
  240. add action=accept chain=forward comment=\
  241. "Guest Network has to go to forward, no fasttrack to manage queue" \
  242. connection-state=established,related src-address-list=guest_network
  243. add action=accept chain=forward connection-state=established,related \
  244. dst-address-list=guest_network
  245. add action=accept chain=forward comment=\
  246. "iot devices have to go to forward, no fasttrack to manage queue" \
  247. connection-state=established,related src-address-list=iot_devices
  248. add action=accept chain=forward connection-state=established,related \
  249. dst-address-list=iot_devices
  250. add action=fasttrack-connection chain=forward comment=FastTrack \
  251. connection-state=established,related
  # Policy routing: each LAN gets a routing mark so main and guest exit via the home modem and work via the work modem.
  # Main and work exclude private destinations from marking, so LAN-to-LAN traffic stays in the main table; the guest
  # mark has no such exclusion, which is harmless because guest-to-private traffic is dropped in forward.
  252. /ip firewall mangle
  253. add action=mark-routing chain=prerouting comment=\
  254. "Mangle Main Addresses to route to Home Fastweb modem" dst-address-list=\
  255. !not_in_internet new-routing-mark=from-main passthrough=no src-address=\
  256. 192.168.0.0/24
  257. add action=mark-routing chain=prerouting comment=\
  258. "Mangle Work Addresses to route to work Fastweb modem" dst-address-list=\
  259. !not_in_internet new-routing-mark=from-work passthrough=no src-address=\
  260. 192.168.1.0/26
  261. add action=mark-routing chain=prerouting comment=\
  262. "Mangle GuestAddresses to route to Home Fastweb modem" new-routing-mark=\
  263. from-guest passthrough=no src-address=192.168.1.64/26
  # Source NAT per LAN, and one live dst-nat: TCP/443 on the home-modem address goes to the TinkerBoard (OpenVPN).
  # NOTE(review): the remaining dst-nat and hairpin rules are disabled and refer to stale targets (192.168.0.57 is now a
  # Shelly lease, 192.168.1.2 now falls inside the work LAN, and `out-interface=*15` is an unresolved interface id).
  # Disabled rules are one click from live; deleting them is safer than keeping them.
  264. /ip firewall nat
  265. add action=masquerade chain=srcnat comment="main network - routing " \
  266. out-interface=ether5-gw-fastweb-home src-address=192.168.0.0/24
  267. add action=masquerade chain=srcnat comment=\
  268. "work network - routing fastweb work" out-interface=\
  269. ether4-gw-fastweb-work src-address=192.168.1.0/26
  270. add action=masquerade chain=srcnat comment=\
  271. "guest network - routing fastweb home" out-interface=\
  272. ether5-gw-fastweb-home src-address=192.168.1.64/26
  273. add action=dst-nat chain=dstnat comment="OpenVPN to TinkerBoard" dst-address=\
  274. 192.168.3.2 dst-port=443 protocol=tcp to-addresses=192.168.0.22 to-ports=\
  275. 443
  276. add action=dst-nat chain=dstnat comment=\
  277. "***DISABLED*** SSH Opened toTinkerBoard" disabled=yes dst-address=\
  278. 192.168.3.2 dst-port=2200 protocol=tcp to-addresses=192.168.0.22 \
  279. to-ports=22
  280. add action=dst-nat chain=dstnat comment="***DISABLED*** SSH Opened to RasPBX" \
  281. disabled=yes dst-address=192.168.3.2 dst-port=2201 protocol=tcp \
  282. to-addresses=192.168.0.46 to-ports=22
  283. add action=dst-nat chain=dstnat comment=\
  284. "***DISABLED*** TVBHeadend opened to RaspberryPI TV Stream" disabled=yes \
  285. dst-address=192.168.3.2 dst-port=21906 protocol=tcp to-addresses=\
  286. 192.168.0.57 to-ports=9981
  287. add action=dst-nat chain=dstnat comment=\
  288. "***DISABLED*** TVBHeadend opened to RaspberryPI TV Stream" disabled=yes \
  289. dst-address=192.168.3.2 dst-port=21907 protocol=tcp to-addresses=\
  290. 192.168.0.57 to-ports=9982
  291. add action=dst-nat chain=dstnat comment=\
  292. "***DISABLED*** VNC on Raspberry PI Zero W" disabled=yes dst-address=\
  293. 192.168.3.2 dst-port=80 protocol=tcp to-addresses=192.168.0.241 to-ports=\
  294. 5900
  295. add action=dst-nat chain=dstnat comment=\
  296. "***DISABLED*** nginx on Raspberry PI Zero W" disabled=yes dst-address=\
  297. 192.168.3.2 dst-port=8080 protocol=tcp to-addresses=192.168.0.241 \
  298. to-ports=80
  299. add action=masquerade chain=srcnat comment="***DISABLED*** http://wiki.mikroti\
  300. k.com/wiki/Hairpin_NAT for testing OpenVPN Raspberry on the internal netwo\
  301. rk" disabled=yes dst-address=192.168.1.2 dst-port=443 out-interface=*15 \
  302. protocol=tcp src-address=192.168.0.0/24
  303. add action=masquerade chain=srcnat comment="***DISABLED*** http://wiki.mikroti\
  304. k.com/wiki/Hairpin_NAT for testing ftp Raspberry on the internal network" \
  305. disabled=yes dst-address=192.168.1.2 dst-port=21 out-interface=*15 \
  306. protocol=tcp src-address=192.168.0.0/24
  # SIP connection-tracking helper off (there is a Cisco SPA303 and a RasPBX on this LAN; the ALG commonly interferes).
  307. /ip firewall service-port
  308. set sip disabled=yes
  # NOTE(review): the default (template) IPsec policy now has 0.0.0.0/0 on both sides; together with the proposal above
  # this looks like a leftover of an IPsec setup that is not present in this export.
  309. /ip ipsec policy
  310. set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
  # Web-proxy cache path only; the proxy is not enabled in this export.
  311. /ip proxy
  312. set cache-path=web-proxy1
  # Per-mark default routes matching the mangle rules.
  # NOTE(review): the unmarked default route via 192.168.3.1 is disabled, so traffic without a routing mark
  # (router-originated DNS/NTP lookups, package updates) has no exit — confirm this is intended.
  313. /ip route
  314. add distance=1 gateway=192.168.3.1 routing-mark=from-main
  315. add distance=1 gateway=192.168.4.1 routing-mark=from-work
  316. add distance=1 gateway=192.168.3.1 routing-mark=from-guest
  317. add disabled=yes distance=1 gateway=192.168.3.1
  # Management services: telnet/ftp/ssh/api/api-ssl off; www, www-ssl and winbox limited to the main and work subnets
  # (the same set as allowed_to_router in the input chain — keep the two in sync).
  # NOTE(review): plain-HTTP www is still on next to www-ssl, and no certificate is assigned to www-ssl in this export;
  # prefer www-ssl with a certificate and disable www.
  318. /ip service
  319. set telnet address=192.168.0.0/24,192.168.1.0/26 disabled=yes
  320. set ftp address=192.168.0.0/24,192.168.1.0/26 disabled=yes
  321. set www address=192.168.0.0/24,192.168.1.0/26
  322. set ssh address=192.168.0.0/24,192.168.1.0/26 disabled=yes
  323. set www-ssl address=192.168.0.0/24,192.168.1.0/26
  324. set api address=192.168.0.0/24,192.168.1.0/26 disabled=yes
  325. set winbox address=192.168.0.0/24,192.168.1.0/26
  326. set api-ssl address=192.168.0.0/24,192.168.1.0/26 disabled=yes
  # NOTE(review): SMB is not enabled in this export (bound to bridge-main only, guests refused), but three read-write
  # SMB users are defined; remove them if the share is not in use.
  327. /ip smb
  328. set allow-guests=no comment="" domain="" interfaces=bridge-main
  329. /ip smb users
  330. add name=antonio read-only=no
  331. add name=scanner read-only=no
  332. add name=antonella read-only=no
  # NOTE(review): allow-none-crypto=yes permits the SSH "none" cipher (unencrypted sessions) and forwarding-enabled=remote
  # allows remote port-forwarding through the router. SSH is disabled above, so this is dormant, but it becomes live the
  # moment the service is re-enabled; set `allow-none-crypto=no strong-crypto=yes forwarding-enabled=no` unless forwarding is needed.
  333. /ip ssh
  334. set allow-none-crypto=yes forwarding-enabled=remote
  # Front-panel LCD slideshow and per-interface pages (physical access only).
  335. /lcd
  336. set backlight-timeout=5m default-screen=informative-slideshow time-interval=\
  337. daily
  338. /lcd interface pages
  339. set 0 interfaces="sfp1,ether1-uplink-SWSTVAL01,ether2,ether3,ether4-gw-fastweb\
  340. -work,ether5-gw-fastweb-home,ether6-Gigaset,ether7,ether8,ether9,ether10"
  341. /system clock
  342. set time-zone-autodetect=no time-zone-name=Europe/Rome
  343. /system identity
  344. set name=RTSTVAL01
  # NOTE(review): the first default logging rule (index 0, normally info -> memory) is disabled and the added firewall
  # topic rule is disabled too, so the log=yes on the "Drop invalid" and guest drop rules produces nothing visible.
  # Enable the firewall rule (ideally with action=remote to a syslog collector) so those drops can actually be reviewed.
  345. /system logging
  346. set 0 disabled=yes
  347. add disabled=yes topics=firewall
  # NTP client against the same servers handed to DHCP clients.
  348. /system ntp client
  349. set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
  # Traffic graphs for both modem-facing ports plus resource graphs; these are served by the www service, so they are
  # reachable from the management subnets.
  350. /tool graphing interface
  351. add interface=ether5-gw-fastweb-home
  352. add interface=ether4-gw-fastweb-work
  353. /tool graphing resource
  354. add
  # MAC-Telnet / MAC-Winbox allowed on the mactel / mac-winbox lists (those lists currently include the modem-facing ports).
  355. /tool mac-server
  356. set allowed-interface-list=mactel
  357. /tool mac-server mac-winbox
  358. set allowed-interface-list=mac-winbox
  # A RoMON port entry with default values; RoMON itself is not enabled in this export.
  359. /tool romon port
  360. add