- [gvolkov@Zima - Auditors - hAP AC Lite] > /export
- # jun/30/2017 14:57:55 by RouterOS 6.39.2
- # software id = A4GC-GP0T
- #
- # NOTE(review): this is a plain /export, so every secret the config holds (L2TP/SSTP client
- # passwords, ipsec-secret, the IPsec peer pre-shared keys, the RADIUS secret) appears in clear
- # text below. Treat the paste as a credential disclosure: rotate those values, and use
- # "/export hide-sensitive" before sharing an export again.
- /interface bridge
- # protocol-mode=none on both bridges: no (R)STP, so loop protection comes from elsewhere or not at all.
- add fast-forward=no name=Bridge_Local protocol-mode=none
- add name=Bridge_WAN_Teorema protocol-mode=none
- /interface ethernet
- set [ find default-name=ether1 ] advertise=100M-full,1000M-full comment="Trunk to CRS " speed=1Gbps
- set [ find default-name=ether5 ] comment=SXT
- /interface wireless
- # Both APs are bridged into Bridge_Local (see "/interface bridge port"). Neither line selects a
- # security-profile, so presumably the "default" profile edited further down applies to both --
- # confirm with "/interface wireless print". wps-mode=disabled on both is good.
- set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n country=russia \
- disabled=no frequency-mode=regulatory-domain hw-protection-mode=rts-cts hw-protection-threshold=10 \
- max-station-count=100 mode=ap-bridge ssid=M3DSS tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
- wmm-support=enabled wps-mode=disabled
- set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-a/n/ac channel-width=\
- 20/40/80mhz-Ceee country=russia disabled=no hw-protection-mode=rts-cts max-station-count=50 mode=ap-bridge \
- ssid=M3DSS-5GHz tx-power-mode=all-rates-fixed wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
- /interface vlan
- add interface=ether1 name=Vlan10_Local vlan-id=10
- add interface=ether1 name=Vlan15_Teorema vlan-id=15
- /interface list
- add name="WAN Ports"
- /interface wireless security-profiles
- # The exported wpa2-pre-shared-key value is empty while authentication-types=wpa2-psk. Other
- # secrets in this export are not hidden, so this may reflect the live setting -- verify on the
- # device that a strong key is actually configured for the SSIDs above.
- set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik \
- wpa2-pre-shared-key=
- /ip hotspot profile
- set [ find default=yes ] html-directory=flash/hotspot
- /ip ipsec policy group
- set [ find default=yes ] name=RemoteOffice
- add name=Remote
- /ip ipsec proposal
- # pfs-group=none on both proposals: no phase-2 perfect forward secrecy, and sha1 is still accepted
- # next to sha256. Acceptable only if the remote peers cannot negotiate anything stronger.
- set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h \
- pfs-group=none
- add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=proposal-aes128-256cbc \
- pfs-group=none
- /ip pool
- add name=dhcp_pool1 ranges=192.168.19.49-192.168.19.199
- /ip dhcp-server
- add address-pool=dhcp_pool1 disabled=no interface=Bridge_Local lease-time=4d10m name=DHCP_Local
- /interface l2tp-client
- # Cleartext credentials (see header note). The tunnel's transport protection is the ipsec-secret;
- # the values shown look like placeholders -- if they are the real ones, rotate them.
- add allow=mschap2 connect-to=1.2.3.4 ipsec-secret=111111 keepalive-timeout=3 name=MiranDC \
- password="2222222" profile=default user=222
- /interface sstp-client
- # verify-server-certificate=yes but verify-server-address-from-certificate=no: the server's chain
- # is checked, yet the certificate is not tied to the connect-to address, so any certificate the
- # same CA issued would presumably be accepted for that tunnel -- confirm this is intended.
- add authentication=mschap2 certificate=111.crt connect-to=1.2.3.4 keepalive-timeout=\
- 5 name=Finland password=1111 profile=default-encryption user=123 \
- verify-server-address-from-certificate=no verify-server-certificate=yes
- add authentication=mschap2 certificate=11111.crt connect-to=1.2.3.4 disabled=no \
- keepalive-timeout=3 name=Granat-MGMNT password="111" profile=default-encryption user=\
- MGMNT-DSS-Auditors verify-server-address-from-certificate=no verify-server-certificate=yes
- /snmp community
- # This edits the default community (name unchanged, typically "public") and allows it from all of
- # 192.168.0.0/16, far wider than the local /24. SNMP is enabled under "/snmp" below: rename the
- # community, narrow addresses= to the monitoring host, and prefer SNMPv3 where possible.
- set [ find default=yes ] addresses=192.168.0.0/16
- /system logging action
- add name=ipsecDebug target=memory
- /interface bridge port
- add bridge=Bridge_Local interface=ether2
- add bridge=Bridge_Local interface=ether3
- add bridge=Bridge_Local interface=wlan1
- add bridge=Bridge_Local interface=wlan2
- add bridge=Bridge_Local interface=ether4
- add bridge=Bridge_Local interface=Vlan10_Local
- add bridge=Bridge_WAN_Teorema interface=Vlan15_Teorema
- /interface list member
- # "WAN Ports" = ether5 (SXT/LTE uplink) and Bridge_WAN_Teorema; the filter rules key on this list.
- add interface=ether5 list="WAN Ports"
- add interface=Bridge_WAN_Teorema list="WAN Ports"
- /ip address
- add address=1.2.3.4/24 interface=Bridge_WAN_Teorema network=1.2.3.0
- add address=192.168.19.1/24 interface=Bridge_Local network=192.168.19.0
- /ip dhcp-client
- add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=ether5
- /ip dhcp-server lease
- add address=192.168.19.41 client-id=1:0:14:d1:32:2d:2 comment="Printer WiFi" mac-address=2C:33:7A:58:3C:86 \
- server=DHCP_Local
- add address=192.168.19.197 client-id=1:6c:f0:49:c7:f3:41 mac-address=6C:F0:49:C7:F3:41 server=DHCP_Local
- add address=192.168.19.196 client-id=1:0:1d:60:28:71:c1 mac-address=00:1D:60:28:71:C1 server=DHCP_Local
- add address=192.168.19.192 client-id=1:84:4b:f5:81:a4:16 mac-address=84:4B:F5:81:A4:16 server=DHCP_Local
- add address=192.168.19.191 client-id=1:84:4b:f5:b5:1:d4 mac-address=84:4B:F5:B5:01:D4 server=DHCP_Local
- add address=192.168.19.22 client-id=1:0:15:65:b5:d2:8d comment=ex23 mac-address=00:15:65:B5:D2:8D server=\
- DHCP_Local
- add address=192.168.19.2 always-broadcast=yes client-id=1:4c:5e:c:95:66:6A mac-address=4C:5E:0C:95:66:6A server=\
- DHCP_Local
- add address=192.168.19.40 always-broadcast=yes client-id=1:38:63:bb:dc:e6:ca comment=Printer mac-address=\
- 38:63:BB:DC:E6:CA server=DHCP_Local
- add address=192.168.19.23 client-id=1:0:15:65:b5:d1:50 comment=Ok mac-address=00:15:65:B5:D1:50 server=DHCP_Local
- add address=192.168.19.21 client-id=1:0:15:65:b5:ce:fe mac-address=00:15:65:B5:CE:FE server=DHCP_Local
- add address=192.168.19.20 client-id=1:0:15:65:b5:cd:fa comment="\C0\ED\ED\E0 \C0\EB\E5\EA\F1\E5\E5\E2\E0" \
- mac-address=00:15:65:B5:CD:FA server=DHCP_Local
- add address=192.168.19.194 client-id=1:f4:4d:30:65:7a:42 mac-address=F4:4D:30:65:7A:42 server=DHCP_Local
- /ip dhcp-server network
- add address=192.168.19.0/24 dns-server=192.168.19.1 gateway=192.168.19.1
- /ip dns
- # allow-remote-requests=yes makes the router a resolver for anything that can reach it. Input from
- # "WAN Ports" is dropped by the filter (UDP/53 explicitly, TCP/53 via "All other drop"), so the
- # exposure is limited to the LAN side unless a source is in "Network Admins".
- set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
- /ip dns static
- add address=192.168.100.215 name=terminal
- add address=192.168.100.215 name=terminal.granat.local
- /ip firewall address-list
- # "Network Admins" is referenced by the filter rules below (psd exemption, the WAN accept rules,
- # the FTP-SSH-Telnet-Winbox chain) but has no entries in this export. Unless it is populated
- # dynamically, those accept rules never match and remote admin traffic falls through to the
- # rate-limited chain instead -- fail-closed, but probably not what was intended.
- add address=192.168.100.0/23 comment=Granat list="Zone: Local - Granat/Radiofid/Fin"
- add address=192.168.104.0/22 comment=Radiofid list="Zone: Local - Granat/Radiofid/Fin"
- add address=192.168.117.0/24 comment=Finland list="Zone: Local - Granat/Radiofid/Fin"
- add address=192.168.113.0/24 comment="Local net" list="Zone: Local - Granat/Radiofid/Fin"
- add address=192.168.100.200 list=granat
- add address=192.168.101.200 list=granat
- add address=192.168.100.215 list=granat
- add address=192.168.101.215 list=granat
- add address=192.168.100.216 list=granat
- add address=192.168.101.216 list=granat
- add address=192.168.101.217 list=granat
- add address=192.168.106.215 list=granat
- add address=192.168.106.216 list=granat
- add address=192.168.105.111 list=granat
- add address=192.168.117.5 list=granat
- add address=192.168.100.11 list=granat
- add address=192.168.104.11 list=granat
- # Despite its name this list holds only 192.168.0.0/16 and 10.0.0.0/8; 172.16.0.0/12 is missing,
- # so ICMP from that range does not get the unconditional accept in the ICMP chain.
- add address=192.168.0.0/16 list="LAN All 192.168/10.0/172.16"
- add address=10.0.0.0/8 list="LAN All 192.168/10.0/172.16"
- add address=192.168.101.224 comment=3CX list=granat
- add address=192.168.101.218 list=granat
- add address=192.168.19.0/24 comment="Local net" list="Zone: Local - Granat/Radiofid/Fin"
- /ip firewall filter
- # Rule order matters: each chain is evaluated top to bottom until a terminating action. Note that
- # the jumps for TCP 21,22,23,8291 come *before* "All other drop", so those ports are decided by the
- # FTP-SSH-Telnet-Winbox chain rather than by the WAN drop.
- add action=drop chain=input comment="Drop DNS external" dst-port=53 in-interface-list="WAN Ports" protocol=udp
- add action=passthrough chain=input comment="Check DNS internal" dst-port=53 in-interface=Bridge_Local protocol=\
- udp
- # passthrough = counters only, no decision.
- add action=passthrough chain=forward comment="Download via LTE" in-interface=ether5
- add action=passthrough chain=forward comment="Upload via LTE" out-interface=ether5
- add action=drop chain=input comment="Drop invalid input" connection-state=invalid
- add action=drop chain=forward comment="Drop invalid forward" connection-state=invalid
- add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment=\
- "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
- add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
- # psd exempts "!Network Admins", which is empty here, so the scan detector applies to every source.
- add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment=\
- "Port Scanner Detect" protocol=tcp psd=21,3s,3,1 src-address-list="!Network Admins"
- add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
- add action=add-src-to-address-list address-list="Mail spammers" address-list-timeout=3h chain=forward comment=\
- "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,465,587 limit=30/1m,0:packet \
- protocol=tcp
- add action=drop chain=forward comment="Avoid Mail spammers action" dst-port=25,465,587 protocol=tcp \
- src-address-list="Mail spammers"
- add action=accept chain=input comment="Accept established, related input" connection-state=established,related
- add action=accept chain=forward comment="Accept established, related forward" connection-state=\
- established,related
- add action=jump chain=input comment="Jump to icmp input flow" jump-target=ICMP protocol=icmp
- add action=jump chain=forward comment="Jump to icmp forward flow" jump-target=ICMP protocol=icmp
- add action=jump chain=output comment="Jump to icmp output" jump-target=ICMP protocol=icmp
- # These jumps have no in-interface restriction and precede "All other drop". Of the four ports,
- # telnet/ftp/ssh are disabled in "/ip service" below, so winbox (8291) is the service actually
- # reachable from "WAN Ports" through this path.
- add action=jump chain=input comment="Jump to FTP - SSH - Telnet - Winbox Chain" dst-port=21,22,23,8291 \
- jump-target=FTP-SSH-Telnet-Winbox protocol=tcp
- add action=jump chain=forward comment="Jump to FTP - SSH - Telnet - Winbox Chain" dst-port=21,22,23,8291 \
- jump-target=FTP-SSH-Telnet-Winbox protocol=tcp
- # Zone chain applies only when both src and dst are in the zone list; other forward traffic skips it.
- add action=jump chain=forward comment="Jump to Zone: Local - Granat/Radiofid/Fin" dst-address-list=\
- "Zone: Local - Granat/Radiofid/Fin" jump-target="Forward Zone: Local - Granat/Radiofid/Fin" src-address-list=\
- "Zone: Local - Granat/Radiofid/Fin"
- add action=accept chain=input comment="Network Admins input" in-interface-list="WAN Ports" src-address-list=\
- "Network Admins"
- add action=accept chain=forward comment="Network Admins forward" in-interface-list="WAN Ports" src-address-list=\
- "Network Admins"
- # Terminal drop for the input chain on WAN. There is no equivalent for the forward chain (see note
- # at the end of this section).
- add action=drop chain=input comment="All other drop" connection-state=new in-interface-list="WAN Ports"
- add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" comment="Address list granat" \
- dst-address-list=granat
- add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" src-address-list=granat
- # 4899 is commonly Radmin; allowed zone-wide to any destination.
- add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" dst-port=4899 protocol=tcp
- add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" comment="Address list Admins" \
- dst-address-list="Network Admins"
- add action=accept chain="Forward Zone: Local - Granat/Radiofid/Fin" src-address-list="Network Admins"
- add action=drop chain="Forward Zone: Local - Granat/Radiofid/Fin"
- add action=accept chain=ICMP comment="Allow All Local Net requests" dst-address-list=\
- "LAN All 192.168/10.0/172.16" src-address-list="LAN All 192.168/10.0/172.16"
- add action=accept chain=ICMP comment="Echo request" icmp-options=8:0 limit=5,7:packet protocol=icmp
- add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
- add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
- add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0 protocol=icmp
- add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
- add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
- # Staged brute-force limiter: each *new connection* from a source advances it one stage while the
- # previous stage entry is still live; the 4th one within the timeouts blacklists it for 12h. Any
- # source not yet blacklisted is let through by the unconditional accept near the end of the chain,
- # so Winbox remains reachable from WAN for the first attempts. Consider also pinning it with
- # "/ip service set winbox address=<admin networks>".
- add action=accept chain=FTP-SSH-Telnet-Winbox comment="Allow anyone in the Network Admins Address List (SSH)" \
- src-address-list="Network Admins"
- add action=drop chain=FTP-SSH-Telnet-Winbox comment="Drop anyone in the Black List (SSH)" src-address-list=\
- "Black List (FTP-SSH-Telnet-Winbox)"
- add action=add-src-to-address-list address-list="Black List (FTP-SSH-Telnet-Winbox)" address-list-timeout=12h \
- chain=FTP-SSH-Telnet-Winbox comment=\
- "Transfer repeated attempts from FTP-SSH-Telnet-Winbox Stage 3 to Black-List" connection-state=new \
- src-address-list="FTP-SSH-Telnet-Winbox Stage 3"
- add action=add-src-to-address-list address-list="FTP-SSH-Telnet-Winbox Stage 3" address-list-timeout=1m chain=\
- FTP-SSH-Telnet-Winbox comment="Add succesive attempts to FTP-SSH-Telnet-Winbox Stage 3 Address List" \
- connection-state=new src-address-list="FTP-SSH-Telnet-Winbox Stage 2"
- # The next lines are truncated in the paste; the Stage 1 timeout is not visible.
- add action=add-src-to-address-list address-list="FTP-SSH-Telnet-Winbox Stage 2" address-list-timeout=30s chain=\
- FTP-SSH-Telnet-Winbox comment="Add succesive attempts to FTP-SSH-Telnet-Winbox Stage 2 Address Li
- connection-state=new src-address-list="FTP-SSH-Telnet-Winbox Stage 1"
- add action=add-src-to-address-list address-list="FTP-SSH-Telnet-Winbox Stage 1" address-list-timeout=
- FTP-SSH-Telnet-Winbox comment="Add intial attempt to FTP-SSH-Telnet-Winbox Chain Stage 1 Address
- connection-state=new
- add action=accept chain=FTP-SSH-Telnet-Winbox
- add action=return chain=FTP-SSH-Telnet-Winbox comment="Return From FTP-SSH-Telnet-Winbox Chain"
- # NOTE(review): the forward chain has no terminal drop. A new connection arriving on "WAN Ports"
- # that is not zone-to-zone, ICMP, or TCP 21-23/8291 falls off the end and is accepted by the
- # implicit default, so isolation of 192.168.19.0/24 rests on NAT and private addressing, not on
- # the filter. The usual closing rule (from MikroTik's default firewall) would be:
- #   add action=drop chain=forward comment="Drop new from WAN not DSTNATed" connection-nat-state=!dstnat \
- #   connection-state=new in-interface-list="WAN Ports"
- /ip firewall nat
- # Masquerade lines are truncated in the paste (src-address cut off). The dst-nat matches
- # dst-address=192.168.19.1 -- the router's LAN-side address -- port 8292 and rewrites it to 8291 on
- # a LAN host, so it is a LAN-facing forward; the forward-chain jump for 8291 then applies the
- # same staged limiter to it.
- add action=masquerade chain=srcnat comment=Internet out-interface=Bridge_WAN_Teorema src-address=192.
- add action=masquerade chain=srcnat comment="Internet SXT" out-interface=ether5 src-address=192.168.19
- add action=dst-nat chain=dstnat dst-address=192.168.19.1 dst-port=8292 protocol=tcp to-addresses=192.
- to-ports=8291
- /ip firewall service-port
- # Connection-tracking helpers (ALGs) switched off: reduces the parsing surface on untrusted traffic.
- set ftp disabled=yes
- set tftp disabled=yes
- set irc disabled=yes
- set h323 disabled=yes
- set sip disabled=yes
- set pptp disabled=yes
- set udplite disabled=yes
- set dccp disabled=yes
- set sctp disabled=yes
- /ip ipsec peer
- # Both peers are disabled, but their pre-shared secrets are in the export (see header note). The
- # second peer sets no hash-algorithm and so uses the RouterOS default -- check it is not weaker
- # than the sha256 chosen for the first one. Lines are truncated in the paste.
- add address=1.2.3.4/32 disabled=yes enc-algorithm=aes-256,aes-128 exchange-mode=main-l2tp gene
- port-override hash-algorithm=sha256 nat-traversal=no policy-template-group=Remote secret=81230912
- add address=1.2.3.4/32 disabled=yes enc-algorithm=aes-256,aes-128 exchange-mode=main-l2tp gene
- port-override nat-traversal=no secret=81230912252016Granat
- /ip ipsec policy
- add disabled=yes dst-address=1.2.3.4/32 dst-port=1701 protocol=udp src-address=1.2.3.4/32
- add disabled=yes dst-address=1.2.3.4/32 dst-port=1701 protocol=udp src-address=1.2.3.4/32
- /ip route
- # routing-mark=Direct / SXT routes exist, but no "/ip firewall mangle" rules setting those marks
- # are in this export, so they look unused unless the marks come from somewhere not shown.
- add distance=1 gateway=1.2.3.4 routing-mark=Direct
- add distance=1 gateway=192.168.88.1 routing-mark=SXT
- add distance=1 gateway=1.2.3.4
- add distance=3 dst-address=192.168.100.0/23 gateway=10.20.20.1
- /ip service
- # telnet/ftp/ssh/api/api-ssl are off. winbox, www and www-ssl are not listed, so they keep their
- # defaults ("/ip service print" shows the live state); add address= restrictions to the ones kept.
- set telnet disabled=yes
- set ftp disabled=yes
- set ssh disabled=yes
- set api disabled=yes
- set api-ssl disabled=yes
- /ip smb shares
- # Default share points at /pub; whether "/ip smb" itself is enabled is not shown (defaults are not
- # exported). Confirm it is disabled if unused.
- set [ find default=yes ] directory=/pub
- /radius
- # Router logins go through RADIUS ("/user aaa" below sets use-radius=yes). The shared secret shown
- # is trivially short; it is all that protects RADIUS password attributes on the wire, so use a
- # long random one, and make sure the local fallback admin account has a strong password.
- add address=192.168.100.237 secret=1234 service=login
- /snmp
- set enabled=yes
- /system clock
- set time-zone-name=Europe/Moscow
- /system identity
- set name="Zima - Auditors - hAP AC Lite"
- /system logging
- # ipsec/l2tp debug logging to memory only; fine for troubleshooting, but nothing is shipped off-box.
- add action=ipsecDebug topics=ipsec,debug,l2tp,critical
- /system routerboard settings
- # Firmware upgraded successfully, please reboot for changes to take effect!
- set init-delay=0s
- /tool sniffer
- # A packet capture to file on ether1 (the trunk) is configured. If it has been run, the capture
- # file on the device may hold cleartext credentials -- check "/tool sniffer print" and "/file print".
- set file-name=ether1 filter-interface=ether1
- /user aaa
- set use-radius=yes
- [gvolkov@Zima - Auditors - hAP AC Lite] >