- ```bash
- # may/31/2018 20:31:36 by RouterOS 6.42.3
- # software id = Y8Y9-D171
- #
- # model = RouterBOARD 952Ui-5ac2nD
- # serial number =
- # Interface layout: one LTE uplink, two bridges (default LAN and a separate "security"
- # segment), renamed Ethernet ports, the 5 GHz radio with a second SSID, and three interface lists.
- /interface lte
- # [ find ] has no filter, so every LTE interface present is renamed lte1.
- set [ find ] mac-address=AA:BB:CC:DD:EE:FF name=lte1
- /interface bridge
- add admin-mac=CC:DD:EE:00:11:22 auto-mac=no comment=default name=bridge_default
- add comment=security name=bridge_security
- /interface ethernet
- set [ find default-name=ether1 ] name=ether1-WAN
- set [ find default-name=ether2 ] name=ether2-master
- /interface wireless
- # 5 GHz access point for the default LAN. WPS is disabled. No security-profile= is given,
- # so presumably the profile named "default" applies - confirm on the device.
- set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=spain disabled=no \
- distance=indoors frequency=auto keepalive-frames=disabled mode=ap-bridge multicast-buffering=disabled \
- name=wlan2-5GHz-LAN ssid=HET-5GHz wds-cost-range=0 wds-default-cost=0 wireless-protocol=802.11 \
- wps-mode=disabled
- # Virtual AP on the 5 GHz radio carrying the "-SEG" SSID; it is bridged into bridge_security below.
- add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:0E:93:B8 master-interface=wlan2-5GHz-LAN \
- multicast-buffering=disabled name=wlan5-5GHz-LAN-SEG ssid=HET-5GHz-SEG wds-cost-range=0 \
- wds-default-cost=0 wps-mode=disabled
- /interface list
- # These lists scope neighbor discovery (discover), MAC-telnet (mactel) and MAC-Winbox (mac-winbox).
- add exclude=dynamic name=discover
- add name=mactel
- add name=mac-winbox
- # Wi-Fi security profiles and the 2.4 GHz radio (upstream client plus two virtual APs).
- /interface wireless security-profiles
- # Default profile: WPA2-PSK only. The key shown is a placeholder; an unredacted export
- # holds the real passphrase, so treat export files as secrets.
- set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys \
- supplicant-identity=Mikrotik wpa2-pre-shared-key=YourPasswordComesHere!
- # Profile for the upstream (station) link. It also permits legacy WPA (wpa-psk);
- # keep that only if the upstream AP cannot do WPA2.
- add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=WAN \
- supplicant-identity="" wpa-pre-shared-key=YourPasswordComesHere! \
- wpa2-pre-shared-key=YourPasswordComesHere!
- # No authentication-types are set on this profile, so it is presumably open (no encryption).
- # No interface in this export references it; remove it if it is unused.
- add name=none supplicant-identity=Mikrotik
- /interface wireless
- # 2.4 GHz radio joins the upstream network (ssid=HotelSSID) as a client with the WAN profile.
- set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=spain disabled=no \
- distance=indoors frequency=auto keepalive-frames=disabled mode=station-pseudobridge \
- multicast-buffering=disabled name=wlan1-2GHz-WAN security-profile=WAN ssid=HotelSSID wds-cost-range=0 \
- wds-default-cost=0 wireless-protocol=802.11 wps-mode=disabled
- # Virtual APs on the 2.4 GHz radio. Neither sets security-profile=, so the default-LAN SSID
- # and the "-SEG" SSID presumably share the default profile and therefore one passphrase.
- # NOTE(review): give the security segment its own profile and key if the segments must be separated.
- add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:0E:93:B9 master-interface=wlan1-2GHz-WAN \
- multicast-buffering=disabled name=wlan3-2GHz-LAN ssid=HET-2GHz wds-cost-range=0 wds-default-cost=0 \
- wps-mode=disabled
- add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:0E:93:BA master-interface=wlan1-2GHz-WAN \
- multicast-buffering=disabled name=wlan4-2GHz-LAN-SEG ssid=HET-2GHz-SEG wds-cost-range=0 \
- wds-default-cost=0 wps-mode=disabled
- # IPsec proposal, DHCP pools and servers for both segments, and the outbound L2TP tunnel.
- /ip ipsec proposal
- # pfs-group=none: no perfect forward secrecy for IPsec SAs negotiated with this proposal.
- add name=L2TP pfs-group=none
- /ip pool
- add name=pool_default ranges=192.168.88.10-192.168.88.254
- add name=pool_security ranges=192.168.99.10-192.168.99.254
- /ip dhcp-server
- add address-pool=pool_default disabled=no interface=bridge_default name=dhcp_default
- add address-pool=pool_security disabled=no interface=bridge_security name=dhcp_security
- /ppp profile
- # use-encryption=required makes PPP-level encryption (MPPE) mandatory on this profile.
- add change-tcp-mss=yes name=L2TP-MC only-one=no use-compression=no use-encryption=required use-mpls=no
- /interface l2tp-client
- # Outbound tunnel for the security segment. Authentication is MS-CHAPv2 only.
- # NOTE(review): no use-ipsec / ipsec-secret appears on this client, so the tunnel presumably
- # relies on MPPE keyed from MS-CHAPv2 alone, which is weak against offline attack on a captured
- # handshake. Confirm, and enable IPsec on the client if the endpoint supports it.
- # The user and password values are placeholders; real exports carry them in clear text
- # unless the export is made with hide-sensitive.
- add allow=mschap2 allow-fast-path=yes connect-to=vpn-VPN_Endpoint_here disabled=no name=L2TP-MC \
- password=FuckingReallyDifficultPasswordComesHere! profile=L2TP-MC user=Username_here
- # Bridge membership, neighbor discovery scope, L2TP server settings and interface-list members.
- /interface bridge port
- # Default LAN: wired ports plus the non-SEG SSIDs.
- add bridge=bridge_default interface=ether2-master
- add bridge=bridge_default interface=wlan2-5GHz-LAN
- add bridge=bridge_default interface=ether3
- add bridge=bridge_default interface=ether4
- add bridge=bridge_default interface=ether5
- add bridge=bridge_default interface=wlan3-2GHz-LAN
- # Security segment: only the two "-SEG" SSIDs.
- add bridge=bridge_security interface=wlan4-2GHz-LAN-SEG
- add bridge=bridge_security interface=wlan5-5GHz-LAN-SEG
- /ip neighbor discovery-settings
- set discover-interface-list=discover
- /interface l2tp-server server
- # No enabled=yes appears here, so the L2TP server is presumably off - confirm.
- # NOTE(review): ipsec-secret is a literal that does not look like the placeholders used for the
- # other secrets in this file. If it is a real value it has been published with this export and
- # should be rotated.
- set allow-fast-path=yes ipsec-secret=EA1HET
- /interface list member
- # Every LAN-side interface is put in all three lists, including both "-SEG" interfaces.
- # NOTE(review): that appears to give clients on the security SSIDs MAC-telnet and MAC-Winbox
- # reach to the router. Drop the SEG interfaces from mactel/mac-winbox if that is not wanted.
- add interface=bridge_default list=discover
- add interface=bridge_default list=mactel
- add interface=bridge_default list=mac-winbox
- add interface=ether2-master list=discover
- add interface=ether2-master list=mac-winbox
- add interface=ether2-master list=mactel
- add interface=ether3 list=discover
- add interface=ether3 list=mac-winbox
- add interface=ether3 list=mactel
- add interface=ether4 list=discover
- add interface=ether4 list=mac-winbox
- add interface=ether4 list=mactel
- add interface=ether5 list=discover
- add interface=ether5 list=mac-winbox
- add interface=ether5 list=mactel
- add interface=wlan3-2GHz-LAN list=discover
- add interface=wlan3-2GHz-LAN list=mac-winbox
- add interface=wlan3-2GHz-LAN list=mactel
- add interface=wlan4-2GHz-LAN-SEG list=discover
- add interface=wlan4-2GHz-LAN-SEG list=mac-winbox
- add interface=wlan4-2GHz-LAN-SEG list=mactel
- add interface=wlan2-5GHz-LAN list=discover
- add interface=wlan2-5GHz-LAN list=mac-winbox
- add interface=wlan2-5GHz-LAN list=mactel
- add interface=wlan5-5GHz-LAN-SEG list=discover
- add interface=wlan5-5GHz-LAN-SEG list=mactel
- add interface=wlan5-5GHz-LAN-SEG list=mac-winbox
- # L3 addressing, upstream DHCP clients, DHCP options handed to clients, DNS and address lists.
- /ip address
- add address=192.168.88.1/24 comment=default interface=bridge_default network=192.168.88.0
- add address=192.168.99.1/24 comment=security interface=bridge_security network=192.168.99.0
- /ip dhcp-client
- # The router takes its upstream address by DHCP on both the wired and the wireless WAN.
- add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
- add dhcp-options=hostname,clientid disabled=no interface=wlan1-2GHz-WAN
- /ip dhcp-server network
- add address=192.168.88.0/24 comment=default dns-server=192.168.88.1 gateway=192.168.88.1 \
- ntp-server=147.156.7.18,213.251.52.234,5.56.160.3,185.242.56.3
- # Clients on the security segment are told to use the router (192.168.99.1) as resolver.
- # NOTE(review): the router's own upstream lookups are router-originated traffic, which a
- # prerouting mangle rule does not mark, so DNS for this segment presumably leaves outside
- # the L2TP tunnel. Hand out a resolver reached through the tunnel if that matters.
- add address=192.168.99.0/24 comment=security dns-server=192.168.99.1 gateway=192.168.99.1 \
- ntp-server=147.156.7.18,213.251.52.234,5.56.160.3,185.242.56.3
- /ip dns
- # allow-remote-requests=yes makes the router a resolver for anyone who can reach port 53.
- # Only the input chain of /ip firewall filter limits that, so every WAN-facing interface
- # must be dropped there or the router becomes an open resolver.
- set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
- /ip dns static
- add address=192.168.88.1 name=router
- /ip firewall address-list
- # net-vpn is the source list that the mangle rule uses to steer traffic into the L2TP tunnel.
- add address=192.168.88.0/24 list=net-local
- add address=192.168.99.0/24 list=net-vpn
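- # Packet filter. Input: accept ICMP, established/related and DHCP replies, then drop everything
- # else arriving on a WAN interface. Forward: fasttrack/accept established, drop invalid, drop new
- # WAN-side connections that were not dst-NATed.
- # lte1 is masqueraded as an uplink in /ip firewall nat, so it gets the same drop rules as the
- # other two WAN interfaces here.
- # NOTE(review): L2TP-MC is also an uplink but is left unfiltered; add matching drops unless the
- # far end of the tunnel is trusted.
- /ip firewall filter
- # Debug "permit any" rules. All three are disabled and must stay disabled in production.
- add action=accept chain=forward comment="debug rules: permit any any" disabled=yes
- add action=accept chain=input disabled=yes
- add action=accept chain=output disabled=yes
- # The two negated matches overlap: taken together they accept ICMP on every interface,
- # WAN included (same effect as the stock "accept ICMP" rule).
- add action=accept chain=input comment="defconf: accept ICMP" in-interface=!wlan1-2GHz-WAN \
- protocol=icmp
- add action=accept chain=input in-interface=!ether1-WAN protocol=icmp
- add action=accept chain=input comment="defconf: accept established,related" \
- connection-state=established,related
- add action=accept chain=input comment="defconf: accept DHCP/BootP on external interfaces" \
- dst-port=68 in-interface=wlan1-2GHz-WAN protocol=udp
- add action=accept chain=input dst-port=68 in-interface=ether1-WAN protocol=udp
- # There is no catch-all drop at the end of the input chain, so each uplink needs its own rule.
- add action=drop chain=input comment="defconf: drop all from WAN" in-interface=wlan1-2GHz-WAN
- add action=drop chain=input in-interface=ether1-WAN
- add action=drop chain=input in-interface=lte1
- # FastTrack'ed packets skip the mangle table, so the routing mark that sends net-vpn traffic
- # into the L2TP tunnel would stop being applied once a connection is established. Both
- # directions of net-vpn connections are therefore excluded from fasttrack.
- add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
- connection-state=established,related src-address-list=!net-vpn dst-address-list=!net-vpn
- add action=accept chain=forward comment="defconf: accept established,related" \
- connection-state=established,related
- add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
- add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
- connection-nat-state=!dstnat connection-state=new in-interface=wlan1-2GHz-WAN
- add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
- in-interface=ether1-WAN
- add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
- in-interface=lte1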
- # Policy routing mark for the security segment, and source NAT on every uplink.
- /ip firewall mangle
- # Packets whose source is in net-vpn get routing mark L2TP-MC in prerouting.
- # The mark is applied per packet, so any fasttrack rule in the filter table must exclude
- # net-vpn traffic, otherwise established connections bypass this rule.
- # NOTE(review): if the L2TP-MC route is inactive (tunnel down), lookups presumably fall back
- # to the main table and this traffic leaves unencrypted via the WAN. Add a blackhole or
- # unreachable route with the same routing-mark and a higher distance as a fail-closed guard.
- add action=mark-routing chain=prerouting comment="defconf: when on a security Wi-Fi mark traffic \
- to send it through L2TP VPN" new-routing-mark=L2TP-MC passthrough=yes src-address-list=net-vpn
- /ip firewall nat
- # Four uplinks are masqueraded: wireless WAN, wired WAN, LTE and the L2TP tunnel.
- # Each of them should have matching drop rules in /ip firewall filter.
- add action=masquerade chain=srcnat comment="defconf: masquerade for outgoing traffic" \
- out-interface=wlan1-2GHz-WAN
- add action=masquerade chain=srcnat out-interface=ether1-WAN
- add action=masquerade chain=srcnat out-interface=lte1
- add action=masquerade chain=srcnat out-interface=L2TP-MC
- # Connection-tracking helpers, the IPsec peer definition and the policy route for the tunnel.
- /ip firewall service-port
- # Every helper listed here is switched off, which removes protocol-helper attack surface.
- set dccp disabled=yes
- set ftp disabled=yes
- set h323 disabled=yes
- set irc disabled=yes
- set pptp disabled=yes
- set sctp disabled=yes
- set sip disabled=yes
- set tftp disabled=yes
- set udplite disabled=yes
- /ip ipsec peer
- # address=0.0.0.0/0 matches any remote address, so the single pre-shared secret is the only
- # thing that identifies a peer. The secret shown is a placeholder.
- # NOTE(review): dh-group=modp1024 is a 1024-bit group and is generally considered too weak now;
- # use modp2048 or stronger if the remote side supports it, and narrow address= to the real peer.
- add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
- secret=AnotherFuckingReallyDifficultPasswordComesHere!
- /ip route
- # Default route in routing table L2TP-MC: packets carrying that mark leave through the tunnel.
- add distance=1 gateway=L2TP-MC routing-mark=L2TP-MC
- # Management services, UPnP, clock, login banner and MAC-server scope.
- /ip service
- # api, api-ssl, ftp, telnet and www are disabled. Winbox is limited to the two LAN subnets,
- # which includes the security segment (192.168.99.0/24).
- set api address=192.168.88.0/24,192.168.99.0/24 disabled=yes
- set api-ssl certificate=Mikrotik disabled=yes
- set ftp address=192.168.88.0/24,192.168.99.0/24 disabled=yes
- set telnet address=192.168.88.0/24,192.168.99.0/24 disabled=yes
- set winbox address=192.168.88.0/24,192.168.99.0/24
- set www address=192.168.88.0/24,192.168.99.0/24 disabled=yes
- # NOTE(review): www-ssl is the only enabled service with no address= restriction, so HTTPS
- # management is limited only by the input filter. Add the same address= list as winbox.
- # SSH is not listed in this export, so it is presumably at its defaults - confirm.
- set www-ssl certificate=Mikrotik disabled=no
- /ip upnp
- # UPnP lets LAN hosts request port forwards without authentication; disable it unless needed.
- set enabled=yes
- /ip upnp interfaces
- # Only internal interfaces are listed; no type=external interface appears in this export.
- add interface=bridge_default type=internal
- add interface=ether2-master type=internal
- add interface=ether3 type=internal
- add interface=ether4 type=internal
- add interface=ether5 type=internal
- add interface=wlan3-2GHz-LAN type=internal
- add interface=wlan2-5GHz-LAN type=internal
- /system clock
- set time-zone-name=Europe/Madrid
- /system note
- # Login banner text.
- set note="You are attempting to connect to a private network - Authorized administrators only. \
- Access to this device is monitored."
- /system routerboard settings
- set silent-boot=no
- /tool mac-server
- # MAC-telnet and MAC-Winbox are limited to the interface lists defined at the top of the file.
- set allowed-interface-list=mactel
- /tool mac-server mac-winbox
- set allowed-interface-list=mac-winbox
- ```