  1. [gvolkov@Zima - Auditors - hAP AC Lite] > /export
# NOTE(review): a full "/export" of a RouterOS 6.39.2 router, posted publicly. Several long lines below are cut
# off at the right margin (the Stage 1 address-list timeout, the NAT to-addresses, the ipsec peer options), so
# this text is not importable as-is. Peer addresses appear as 1.2.3.4 and several passwords (111111, 2222222,
# 1111, 111) look sanitised; the second ipsec peer secret and the RADIUS secret are printed in full and should be
# treated as disclosed. "/export hide-sensitive" omits keys and passwords and is the form to share.
  2. # jun/30/2017 14:57:55 by RouterOS 6.39.2
  3. # software id = A4GC-GP0T
  4. #
  5. /interface bridge
  6. add fast-forward=no name=Bridge_Local protocol-mode=none
  7. add name=Bridge_WAN_Teorema protocol-mode=none
  8. /interface ethernet
  9. set [ find default-name=ether1 ] advertise=100M-full,1000M-full comment="Trunk to CRS " speed=1Gbps
  10. set [ find default-name=ether5 ] comment=SXT
  11. /interface wireless
  12. set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n country=russia \
  13. disabled=no frequency-mode=regulatory-domain hw-protection-mode=rts-cts hw-protection-threshold=10 \
  14. max-station-count=100 mode=ap-bridge ssid=M3DSS tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
  15. wmm-support=enabled wps-mode=disabled
  16. set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-a/n/ac channel-width=\
  17. 20/40/80mhz-Ceee country=russia disabled=no hw-protection-mode=rts-cts max-station-count=50 mode=ap-bridge \
  18. ssid=M3DSS-5GHz tx-power-mode=all-rates-fixed wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
  19. /interface vlan
  20. add interface=ether1 name=Vlan10_Local vlan-id=10
  21. add interface=ether1 name=Vlan15_Teorema vlan-id=15
  22. /interface list
  23. add name="WAN Ports"
  24. /interface wireless security-profiles
# NOTE(review): both SSIDs (M3DSS, M3DSS-5GHz) use this default profile: WPA2-PSK only, WPS disabled, which is
# the right shape. The pre-shared key is printed empty, so it was either stripped before posting or is genuinely
# unset -- confirm a strong key is actually configured on the device.
  25. set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik \
  26. wpa2-pre-shared-key=
  27. /ip hotspot profile
  28. set [ find default=yes ] html-directory=flash/hotspot
  29. /ip ipsec policy group
  30. set [ find default=yes ] name=RemoteOffice
  31. add name=Remote
  32.  
  33. /ip ipsec proposal
# NOTE(review): both proposals still offer sha1 next to sha256 and have pfs-group=none, so a phase-2 SA has no
# forward secrecy. If the remote ends support it, drop sha1 and set a pfs-group (e.g. modp2048).
  34. set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h \
  35. pfs-group=none
  36. add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=proposal-aes128-256cbc \
  37. pfs-group=none
  38. /ip pool
  39. add name=dhcp_pool1 ranges=192.168.19.49-192.168.19.199
  40. /ip dhcp-server
  41. add address-pool=dhcp_pool1 disabled=no interface=Bridge_Local lease-time=4d10m name=DHCP_Local
  42. /interface l2tp-client
# NOTE(review): tunnel credentials (user, password, ipsec-secret) are stored and exported in clear text. The two
# SSTP clients verify the server certificate but set verify-server-address-from-certificate=no, so the certificate
# is not tied to the connect-to address; a certificate valid under the same CA for a different host would
# presumably still be accepted. Set it to yes once the server certificate's name matches.
  43. add allow=mschap2 connect-to=1.2.3.4 ipsec-secret=111111 keepalive-timeout=3 name=MiranDC \
  44. password="2222222" profile=default user=222
  45. /interface sstp-client
  46.  
  47. add authentication=mschap2 certificate=111.crt connect-to=1.2.3.4 keepalive-timeout=\
  48. 5 name=Finland password=1111 profile=default-encryption user=123 \
  49. verify-server-address-from-certificate=no verify-server-certificate=yes
  50. add authentication=mschap2 certificate=11111.crt connect-to=1.2.3.4 disabled=no \
  51. keepalive-timeout=3 name=Granat-MGMNT password="111" profile=default-encryption user=\
  52. MGMNT-DSS-Auditors verify-server-address-from-certificate=no verify-server-certificate=yes
  53. /snmp community
# NOTE(review): SNMP is enabled further down (/snmp set enabled=yes) and only the default v1/v2c community is
# configured, with its default name unchanged, readable from any source in 192.168.0.0/16 that reaches the input
# chain. Prefer a renamed community or an SNMPv3 user with authentication and privacy, limited to the monitoring host.
  54. set [ find default=yes ] addresses=192.168.0.0/16
  55. /system logging action
  56. add name=ipsecDebug target=memory
  57. /interface bridge port
  58. add bridge=Bridge_Local interface=ether2
  59. add bridge=Bridge_Local interface=ether3
  60. add bridge=Bridge_Local interface=wlan1
  61. add bridge=Bridge_Local interface=wlan2
  62. add bridge=Bridge_Local interface=ether4
  63. add bridge=Bridge_Local interface=Vlan10_Local
  64. add bridge=Bridge_WAN_Teorema interface=Vlan15_Teorema
  65. /interface list member
# NOTE(review): "WAN Ports" is the only list the firewall uses for its untrusted side. The MiranDC, Finland and
# Granat-MGMNT tunnels are not members, so traffic arriving over them is treated like the LAN by the filter rules
# below (the input chain's terminal drop does not apply to it).
  66. add interface=ether5 list="WAN Ports"
  67. add interface=Bridge_WAN_Teorema list="WAN Ports"
  68. /ip address
  69. add address=1.2.3.4/24 interface=Bridge_WAN_Teorema network=1.2.3.0
  70. add address=192.168.19.1/24 interface=Bridge_Local network=192.168.19.0
  71. /ip dhcp-client
  72. add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=ether5
  73. /ip dhcp-server lease
  74. add address=192.168.19.41 client-id=1:0:14:d1:32:2d:2 comment="Printer WiFi" mac-address=2C:33:7A:58:3C:86 \
  75. server=DHCP_Local
  76. add address=192.168.19.197 client-id=1:6c:f0:49:c7:f3:41 mac-address=6C:F0:49:C7:F3:41 server=DHCP_Local
  77. add address=192.168.19.196 client-id=1:0:1d:60:28:71:c1 mac-address=00:1D:60:28:71:C1 server=DHCP_Local
  78. add address=192.168.19.192 client-id=1:84:4b:f5:81:a4:16 mac-address=84:4B:F5:81:A4:16 server=DHCP_Local
  79. add address=192.168.19.191 client-id=1:84:4b:f5:b5:1:d4 mac-address=84:4B:F5:B5:01:D4 server=DHCP_Local
  80. add address=192.168.19.22 client-id=1:0:15:65:b5:d2:8d comment=ex23 mac-address=00:15:65:B5:D2:8D server=\
  81. DHCP_Local
  82. add address=192.168.19.2 always-broadcast=yes client-id=1:4c:5e:c:95:66:6A mac-address=4C:5E:0C:95:66:6A server=\
  83. DHCP_Local
  84. add address=192.168.19.40 always-broadcast=yes client-id=1:38:63:bb:dc:e6:ca comment=Printer mac-address=\
  85. 38:63:BB:DC:E6:CA server=DHCP_Local
  86. add address=192.168.19.23 client-id=1:0:15:65:b5:d1:50 comment=Ok mac-address=00:15:65:B5:D1:50 server=DHCP_Local
  87. add address=192.168.19.21 client-id=1:0:15:65:b5:ce:fe mac-address=00:15:65:B5:CE:FE server=DHCP_Local
  88. add address=192.168.19.20 client-id=1:0:15:65:b5:cd:fa comment="\C0\ED\ED\E0 \C0\EB\E5\EA\F1\E5\E5\E2\E0" \
  89. mac-address=00:15:65:B5:CD:FA server=DHCP_Local
  90. add address=192.168.19.194 client-id=1:f4:4d:30:65:7a:42 mac-address=F4:4D:30:65:7A:42 server=DHCP_Local
  91. /ip dhcp-server network
  92. add address=192.168.19.0/24 dns-server=192.168.19.1 gateway=192.168.19.1
  93. /ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver for whoever reaches it. The input rule
# "Drop DNS external" only covers UDP/53 from "WAN Ports"; TCP/53 from there relies on the later "All other drop"
# rule, and requests from the local bridge are accepted by the default policy, which matches the DHCP dns-server.
  94. set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
  95. /ip dns static
  96. add address=192.168.100.215 name=terminal
  97. add address=192.168.100.215 name=terminal.granat.local
  98. /ip firewall address-list
# NOTE(review): the list "Network Admins" is matched by several rules below (port-scan exemption, the WAN admin
# accepts, the Winbox chain) but has no entries in this section. If it really is empty, those accept rules never
# match and the "!Network Admins" exemption on the port-scan detector exempts nobody -- safe, but probably not intended.
  99. add address=192.168.100.0/23 comment=Granat list="Zone: Local - Granat/Radiofid/Fin"
  100. add address=192.168.104.0/22 comment=Radiofid list="Zone: Local - Granat/Radiofid/Fin"
  101. add address=192.168.117.0/24 comment=Finland list="Zone: Local - Granat/Radiofid/Fin"
  102. add address=192.168.113.0/24 comment="Local net" list="Zone: Local - Granat/Radiofid/Fin"
  103. add address=192.168.100.200 list=granat
  104. add address=192.168.101.200 list=granat
  105. add address=192.168.100.215 list=granat
  106. add address=192.168.101.215 list=granat
  107. add address=192.168.100.216 list=granat
  108. add address=192.168.101.216 list=granat
  109. add address=192.168.101.217 list=granat
  110. add address=192.168.106.215 list=granat
  111. add address=192.168.106.216 list=granat
  112. add address=192.168.105.111 list=granat
  113. add address=192.168.117.5 list=granat
  114. add address=192.168.100.11 list=granat
  115. add address=192.168.104.11 list=granat
  116.  
  117. add address=192.168.0.0/16 list="LAN All 192.168/10.0/172.16"
  118. add address=10.0.0.0/8 list="LAN All 192.168/10.0/172.16"
  119. add address=192.168.101.224 comment=3CX list=granat
  120. add address=192.168.101.218 list=granat
  121. add address=192.168.19.0/24 comment="Local net" list="Zone: Local - Granat/Radiofid/Fin"
  122.  
  123.  
  124. /ip firewall filter
# NOTE(review): the input chain ends with "All other drop" for new connections from "WAN Ports"; the forward chain
# has no equivalent terminal rule. New connections from "WAN Ports" that are routable or dst-natted (the
# 8292->8291 Winbox forward in /ip firewall nat) are forwarded by the default accept policy, so inbound isolation
# rests on masquerade rather than on a filter. A final
#   add action=drop chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list="WAN Ports"
# would make the intent explicit. The "Check DNS internal" and LTE passthrough rules are counters only.
  125. add action=drop chain=input comment="Drop DNS external" dst-port=53 in-interface-list="WAN Ports" protocol=udp
  126. add action=passthrough chain=input comment="Check DNS internal" dst-port=53 in-interface=Bridge_Local protocol=\
  127. udp
  128. add action=passthrough chain=forward comment="Download via LTE" in-interface=ether5
  129. add action=passthrough chain=forward comment="Upload via LTE" out-interface=ether5
  130. add action=drop chain=input comment="Drop invalid input" connection-state=invalid
  131. add action=drop chain=forward comment="Drop invalid forward" connection-state=invalid
  132. add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment=\
  133. "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
  134. add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
  135. add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment=\
  136. "Port Scanner Detect" protocol=tcp psd=21,3s,3,1 src-address-list="!Network Admins"
  137. add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
  138. add action=add-src-to-address-list address-list="Mail spammers" address-list-timeout=3h chain=forward comment=\
  139. "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,465,587 limit=30/1m,0:packet \
  140. protocol=tcp
  141. add action=drop chain=forward comment="Avoid Mail spammers action" dst-port=25,465,587 protocol=tcp \
  142. src-address-list="Mail spammers"
  143. add action=accept chain=input comment="Accept established, related input" connection-state=established,related
  144. add action=accept chain=forward comment="Accept established, related forward" connection-state=\
  145. established,related
  146. add action=jump chain=input comment="Jump to icmp input flow" jump-target=ICMP protocol=icmp
  147. add action=jump chain=forward comment="Jump to icmp forward flow" jump-target=ICMP protocol=icmp
  148. add action=jump chain=output comment="Jump to icmp output" jump-target=ICMP protocol=icmp
# NOTE(review): these jumps have no interface match and sit before "All other drop", and the
# FTP-SSH-Telnet-Winbox chain ends in an unconditional accept. TCP 21/22/23/8291 from "WAN Ports" therefore
# reaches the router unless the source has already been staged into the black list (four quick new connections
# within the Stage timeouts). /ip service disables telnet, ftp and ssh, so in practice this exposes Winbox
# (8291, and the forwarded 8292) to the WAN on a 2017 RouterOS build. Adding in-interface-list=!"WAN Ports" to the
# input jump, or matching src-address-list="Network Admins" on it, keeps the staged lists for the LAN only.
  149. add action=jump chain=input comment="Jump to FTP - SSH - Telnet - Winbox Chain" dst-port=21,22,23,8291 \
  150. jump-target=FTP-SSH-Telnet-Winbox protocol=tcp
  151. add action=jump chain=forward comment="Jump to FTP - SSH - Telnet - Winbox Chain" dst-port=21,22,23,8291 \
  152. jump-target=FTP-SSH-Telnet-Winbox protocol=tcp
  153. add action=jump chain=forward comment="Jump to Zone: Local - Granat/Radiofid/Fin" dst-address-list=\
  154. "Zone: Local - Granat/Radiofid/Fin" jump-target="Forward Zone: Local - Granat/Radiofid/Fin" src-address-list=\
  155. "Zone: Local - Granat/Radiofid/Fin"
  156. add action=accept chain=input comment="Network Admins input" in-interface-list="WAN Ports" src-address-list=\
  157. "Network Admins"
  158. add action=accept chain=forward comment="Network Admins forward" in-interface-list="WAN Ports" src-address-list=\
  159. "Network Admins"
  160. add action=drop chain=input comment="All other drop" connection-state=new in-interface-list="WAN Ports"
  161. add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" comment="Address list granat" \
  162. dst-address-list=granat
  163. add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" src-address-list=granat
  164. add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" dst-port=4899 protocol=tcp
  165. add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" comment="Address list Admins" \
  166. dst-address-list="Network Admins"
  167. add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" src-address-list="Network Admins"
  168. add action=drop chain="Forward Zone: Local - Granat/Radiofid/Fin"
# NOTE(review): the ICMP chain is shared by input, forward and output, so the 5/s echo-request limit also throttles
# pings the router itself sends.
  169. add action=accept chain=ICMP comment="Allow All Local Net requests" dst-address-list=\
  170. "LAN All 192.168/10.0/172.16" src-address-list="LAN All 192.168/10.0/172.16"
  171. add action=accept chain=ICMP comment="Echo request" icmp-options=8:0 limit=5,7:packet protocol=icmp
  172. add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
  173. add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
  174. add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0 protocol=icmp
  175. add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
  176. add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# NOTE(review): staged brute-force list, evaluated black-list first so one new connection advances a source by one
# stage only. Lines 189-192 are truncated in this paste (Stage 1 timeout and part of two comments are missing).
  177. add action=accept chain=FTP-SSH-Telnet-Winbox comment="Allow anyone in the Network Admins Address List (SSH)" \
  178. src-address-list="Network Admins"
  179. add action=drop chain=FTP-SSH-Telnet-Winbox comment="Drop anyone in the Black List (SSH)" src-address-list=\
  180. "Black List (FTP-SSH-Telnet-Winbox)"
  181. add action=add-src-to-address-list address-list="Black List (FTP-SSH-Telnet-Winbox)" address-list-timeout=12h \
  182. chain=FTP-SSH-Telnet-Winbox comment=\
  183. "Transfer repeated attempts from FTP-SSH-Telnet-Winbox Stage 3 to Black-List" connection-state=new \
  184. src-address-list="FTP-SSH-Telnet-Winbox Stage 3"
  185. add action=add-src-to-address-list address-list="FTP-SSH-Telnet-Winbox Stage 3" address-list-timeout=1m chain=\
  186. FTP-SSH-Telnet-Winbox comment="Add succesive attempts to FTP-SSH-Telnet-Winbox Stage 3 Address List" \
  187. connection-state=new src-address-list="FTP-SSH-Telnet-Winbox Stage 2"
  188. add action=add-src-to-address-list address-list="FTP-SSH-Telnet-Winbox Stage 2" address-list-timeout=30s chain=\
  189. FTP-SSH-Telnet-Winbox comment="Add succesive attempts to FTP-SSH-Telnet-Winbox Stage 2 Address Li
  190. connection-state=new src-address-list="FTP-SSH-Telnet-Winbox Stage 1"
  191. add action=add-src-to-address-list address-list="FTP-SSH-Telnet-Winbox Stage 1" address-list-timeout=
  192. FTP-SSH-Telnet-Winbox comment="Add intial attempt to FTP-SSH-Telnet-Winbox Chain Stage 1 Address
  193. connection-state=new
  194. add action=accept chain=FTP-SSH-Telnet-Winbox
  195. add action=return chain=FTP-SSH-Telnet-Winbox comment="Return From FTP-SSH-Telnet-Winbox Chain"
  196. /ip firewall nat
# NOTE(review): the three rules here are truncated (src-address prefixes and the dst-nat target are cut off). The
# dst-nat publishes an internal Winbox on 8292 of the LAN address; together with the forward-chain jump above it is
# reachable from any interface, so restrict it (src-address-list / in-interface-list) if it is only for LAN use.
  197. add action=masquerade chain=srcnat comment=Internet out-interface=Bridge_WAN_Teorema src-address=192.
  198. add action=masquerade chain=srcnat comment="Internet SXT" out-interface=ether5 src-address=192.168.19
  199. add action=dst-nat chain=dstnat dst-address=192.168.19.1 dst-port=8292 protocol=tcp to-addresses=192.
  200. to-ports=8291
  201. /ip firewall service-port
  202. set ftp disabled=yes
  203. set tftp disabled=yes
  204. set irc disabled=yes
  205. set h323 disabled=yes
  206. set sip disabled=yes
  207. set pptp disabled=yes
  208. set udplite disabled=yes
  209. set dccp disabled=yes
  210. set sctp disabled=yes
  211.  
  212. /ip ipsec peer
# NOTE(review): both peers are disabled=yes, but their pre-shared secrets are still in the export and the second
# one is printed in full. Treat it as compromised by this paste and change it on both ends before re-enabling.
# Both lines are truncated after "gene" (presumably generate-policy=...); nat-traversal=no is set on each.
  213. add address=1.2.3.4/32 disabled=yes enc-algorithm=aes-256,aes-128 exchange-mode=main-l2tp gene
  214. port-override hash-algorithm=sha256 nat-traversal=no policy-template-group=Remote secret=81230912
  215. add address=1.2.3.4/32 disabled=yes enc-algorithm=aes-256,aes-128 exchange-mode=main-l2tp gene
  216. port-override nat-traversal=no secret=81230912252016Granat
  217. /ip ipsec policy
  218. add disabled=yes dst-address=1.2.3.4/32 dst-port=1701 protocol=udp src-address=1.2.3.4/32
  219. add disabled=yes dst-address=1.2.3.4/32 dst-port=1701 protocol=udp src-address=1.2.3.4/32
  220.  
  221. /ip route
# NOTE(review): the routes marked Direct and SXT are only used by traffic carrying that routing-mark; no
# /ip firewall mangle or /ip route rule section appears in this export, so unless marking happens elsewhere they
# are dead entries. Default route: 1.2.3.4 (distance 1) with the ether5 DHCP route as backup (distance 2).
  222. add distance=1 gateway=1.2.3.4 routing-mark=Direct
  223. add distance=1 gateway=192.168.88.1 routing-mark=SXT
  224. add distance=1 gateway=1.2.3.4
  225. add distance=3 dst-address=192.168.100.0/23 gateway=10.20.20.1
  226. /ip service
# NOTE(review): telnet, ftp, ssh, api and api-ssl are disabled. www and winbox are not listed, so they stay at
# their defaults (presumably enabled, with no "address=" restriction); add address=... with the management
# subnets, since Winbox is also reachable through the filter chain noted above.
  227. set telnet disabled=yes
  228. set ftp disabled=yes
  229. set ssh disabled=yes
  230. set api disabled=yes
  231. set api-ssl disabled=yes
  232. /ip smb shares
# NOTE(review): an SMB share of /pub is defined; whether /ip smb itself is enabled is not visible here. Disable
# the service if the share is not needed.
  233. set [ find default=yes ] directory=/pub
  234. /radius
# NOTE(review): administrator logins are delegated to RADIUS at 192.168.100.237 (use-radius=yes below) with the
# shared secret "1234". The secret is trivially short and is now public through this paste -- rotate it. How
# logins behave when that server is unreachable (local-user fallback) is not shown in this export; verify it.
  235. add address=192.168.100.237 secret=1234 service=login
  236. /snmp
  237. set enabled=yes
  238. /system clock
  239. set time-zone-name=Europe/Moscow
  240. /system identity
  241. set name="Zima - Auditors - hAP AC Lite"
  242. /system logging
  243. add action=ipsecDebug topics=ipsec,debug,l2tp,critical
  244. /system routerboard settings
  245. # Firmware upgraded successfully, please reboot for changes to take effect!
  246. set init-delay=0s
  247. /tool sniffer
# NOTE(review): the packet sniffer is set to capture ether1 (the CRS trunk, carrying VLANs 10 and 15) to a file on
# the router; whether it is running is not shown. Keep it stopped outside troubleshooting and delete old captures.
  248. set file-name=ether1 filter-interface=ether1
  249. /user aaa
  250. set use-radius=yes
  251. [gvolkov@Zima - Auditors - hAP AC Lite] >