  1. [akoznov@hEX S] > export
  2. # sep/14/2018 23:16:16 by RouterOS 6.43
  3. # software id = XXX-XXX
  4. #
  5. # model = RB760iGS
  6. # serial number = XXXX
  # NOTE(review): plain `export` run as user akoznov (no `hide-sensitive`); secrets,
  # serial and software-id look hand-redacted (XXX...), but the public tunnel
  # endpoints are only partly masked (185.44.XX.XX, 176.118.XX.XX, 95.79.XX.XX,
  # 85.140.XX.XX). Treat every credential in this export as exposed and rotate it.
  7. /caps-man channel
  8. add band=2ghz-b/g/n extension-channel=Ce frequency=2412 name=2.4Ghz tx-power=20
  9. add band=5ghz-a/n/ac extension-channel=Ceee frequency=5180 name=5Ghz tx-power=\
  10. 20
  # L2TP server interface pinned to PPP user 'shep' (credential under /ppp secret).
  11. /interface l2tp-server
  12. add name=l2tp-in1 user=shep
  # arp=proxy-arp: the router answers ARP on the LAN bridge on behalf of addresses it
  # has a route to -- presumably for the tunnel/PPP peers; confirm it is still needed.
  13. /interface bridge
  14. add arp=proxy-arp fast-forward=no name=bridge1
  # ether2 is the ISP uplink (renamed WAN); ether1/3/4/5 + sfp1 are bridged as LAN.
  15. /interface ethernet
  16. set [ find default-name=ether2 ] comment=Ufanet name=WAN speed=100Mbps
  17. set [ find default-name=ether1 ] comment=Localnet speed=100Mbps
  18. set [ find default-name=ether3 ] speed=100Mbps
  19. set [ find default-name=ether4 ] speed=100Mbps
  20. set [ find default-name=ether5 ] speed=100Mbps
  # GRE and IPIP provide no authentication or encryption of their own. The IPsec
  # policies further down that would cover these endpoints (176.118.XX.XX for gre1,
  # 85.140.XX.XX for ipip-tunnel1) are disabled=yes, and gre2 (95.79.XX.XX) has no
  # policy at all -- so tunnel traffic is in the clear and the far end is trusted
  # on source IP alone (trivially spoofable for GRE). local-address is the public
  # WAN address, which is obtained by the DHCP client on WAN below; if that lease
  # ever changes these tunnels silently break (assumption -- confirm the lease is fixed).
  21. /interface gre
  22. add local-address=185.44.XX.XX name=gre1 remote-address=176.118.XX.XX
  23. add local-address=185.44.XX.XX name=gre2 remote-address=95.79.XX.XX
  24. /interface ipip
  25. add disabled=yes local-address=185.44.XX.XX name=ipip-tunnel1 remote-address=\
  26. 85.140.XX.XX
  # Wireless clients are dropped straight onto bridge1 (local-forwarding=yes) with
  # client-to-client forwarding on, i.e. full L2 access to the wired LAN. Fine for a
  # single trusted SSID; do not reuse this datapath for a guest SSID.
  27. /caps-man datapath
  28. add bridge=bridge1 client-to-client-forwarding=yes local-forwarding=yes name=\
  29. "CAPsMAN Datapath config"
  # WPA2-PSK with AES-CCMP only (no TKIP, no WPA1) -- the right choice. Passphrase
  # redacted here; it is shared by both SSIDs below.
  30. /caps-man security
  31. add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
  32. name="CAPsMAN Security config" passphrase=XXXXXXXX
  33. /caps-man configuration
  34. add channel=2.4Ghz datapath="CAPsMAN Datapath config" mode=ap name=\
  35. "2.4Ghz Config" rx-chains=0,1,2 security="CAPsMAN Security config" ssid=\
  36. "Mikrotik hAP BGN" tx-chains=0,1,2
  37. add channel=5Ghz datapath="CAPsMAN Datapath config" mode=ap name="5Ghz Config" \
  38. rx-chains=0,1,2 security="CAPsMAN Security config" ssid="Mikrotik hAP AC" \
  39. tx-chains=0,1,2
  40. /interface wireless security-profiles
  41. set [ find default=yes ] supplicant-identity=MikroTik
  # Hotspot profile tweak only; no hotspot server is defined in this export.
  42. /ip hotspot profile
  43. set [ find default=yes ] html-directory=flash/hotspot
  # profile_1 (modp2048 / aes-256 / 8h) is acceptable; hash-algorithm is not set, so
  # it takes the RouterOS 6.x default (sha1 -- confirm).
  # profile_2 (modp1024 / 3des / md5) is a deprecated suite: 1024-bit DH, 3DES and
  # MD5 are all considered weak today. It is the profile bound to the 0.0.0.0/0
  # passive IKEv2 peer below, i.e. the one any Internet host can negotiate with.
  # Move that peer to profile_1 (or a new aes-256 / sha256 / modp2048 profile).
  44. /ip ipsec peer profile
  45. add dh-group=modp2048 enc-algorithm=aes-256 lifetime=8h name=profile_1
  46. add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile_2
  # The *default* proposal is also md5/3des. Any policy without an explicit
  # proposal= (the 10.255.254.0 <-> 10.255.252.0 policy below) would use it.
  # Bring it in line with the named proposal (aes-256-cbc, PFS modp2048) and set
  # auth-algorithms=sha256 on both; the named proposal does not set auth-algorithms
  # and so also relies on the default (sha1 -- confirm).
  47. /ip ipsec proposal
  48. set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
  49. add enc-algorithms=aes-256-cbc name=XXXX pfs-group=modp2048
  # Pool is .10-.100; the static lease for the NAS (.100, below) sits inside it.
  # RouterOS reserves static leases, but keeping them outside the pool is clearer.
  50. /ip pool
  51. add name=LAN-DHCP-Pool ranges=10.255.254.10-10.255.254.100
  52. /ip dhcp-server
  53. add add-arp=yes address-pool=LAN-DHCP-Pool bootp-support=dynamic disabled=no \
  54. interface=bridge1 lease-time=8h name=DHCP-Server
  # use-encryption=yes asks for MPPE (RC4-based) on the PPP session. Since
  # use-ipsec is not set on the L2TP server in this export, MPPE is the only
  # protection the L2TP tunnel gets; it is not a substitute for IPsec.
  55. /ppp profile
  56. add change-tcp-mss=yes name=shep-profile use-compression=yes use-encryption=yes
  # CAPsMAN is enabled with no interfaces= restriction and no certificate /
  # require-peer-certificate settings in this export, and provisioning auto-creates
  # an *enabled* interface for any CAP whose hw modes match. Because the firewall
  # below has no input drop, confirm the CAPsMAN ports (UDP 5246/5247) are not
  # reachable from WAN, and restrict provisioning (radio-mac= or certificates) so a
  # rogue CAP on the LAN cannot obtain the WPA2 passphrase.
  57. /caps-man manager
  58. set enabled=yes
  59. /caps-man provisioning
  60. add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
  61. "2.4Ghz Config"
  62. add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
  63. "5Ghz Config"
  # ether4 is made a bridge port here but also receives its own address
  # (192.168.32.1/24) under /ip address; an address on a bridge slave is not usable,
  # so that subnet (and the disabled 192.168.32.0/24 filter rules) looks stale.
  64. /interface bridge port
  65. add bridge=bridge1 interface=ether1
  66. add bridge=bridge1 interface=ether3
  67. add bridge=bridge1 interface=ether4
  68. add bridge=bridge1 interface=ether5
  69. add bridge=bridge1 interface=sfp1
  # L2TP listener (UDP 1701) enabled. With no active input rule it is reachable from
  # WAN and guarded only by the PPP secret. authentication= is not restricted here
  # (RouterOS default still allows pap/chap -- confirm); limit it to mschap2, or
  # better, enable use-ipsec with a strong profile.
  70. /interface l2tp-server server
  71. set default-profile=shep-profile enabled=yes
  # 176.16.50.0/30 is *public* address space (RFC1918 is 172.16/12) -- almost
  # certainly a typo for 172.16.50.0/30. It is used consistently with the route via
  # 176.16.50.2, so it works, but it shadows a real Internet prefix on this router.
  # 192.168.2.1/24 on bridge1 has no DHCP network and only disabled rules refer to
  # it -- probably legacy; confirm and remove.
  # 10.255.252.0/24 on ipip-tunnel1 uses the network address as the host address;
  # the tunnel is disabled so it has no effect today.
  72. /ip address
  73. add address=10.255.254.1/24 comment="Localnet Address" interface=bridge1 \
  74. network=10.255.254.0
  75. add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
  76. add address=172.16.30.2/30 interface=gre1 network=172.16.30.0
  77. add address=192.168.32.1/24 interface=ether4 network=192.168.32.0
  78. add address=176.16.50.1/30 interface=gre2 network=176.16.50.0
  79. add address=10.255.252.0/24 interface=ipip-tunnel1 network=10.255.252.0
  # use-peer-dns=no / use-peer-ntp=no: ISP-supplied DNS and NTP are ignored -- good.
  80. /ip dhcp-client
  81. add dhcp-options=hostname,clientid disabled=no interface=WAN use-peer-dns=no \
  82. use-peer-ntp=no
  83. /ip dhcp-server lease
  84. add address=10.255.254.100 client-id=XXXXXXXXXX comment=\
  85. "XXX NAS" mac-address=XXXXXXXXXXX server=DHCP-Server
  86. add address=10.255.254.101 client-id=XXXXXXXXX comment="Violet PC" \
  87. mac-address=XXXXXXXX server=DHCP-Server
  88. /ip dhcp-server network
  89. add address=10.255.254.0/24 dns-server=10.255.254.1 gateway=10.255.254.1 \
  90. netmask=24
  # allow-remote-requests=yes makes this router a recursive resolver for anyone who
  # can reach it. The two "drop udp/tcp 53 in-interface=WAN" input rules in the
  # filter below are disabled=yes, so this is an open resolver on the public
  # address and can be abused for DNS amplification. Enable those two rules (or add
  # a default input drop); LAN clients use 10.255.254.1 via DHCP and are unaffected.
  91. /ip dns
  92. set allow-remote-requests=yes servers=1.0.0.1,1.1.1.1,8.8.4.4,8.8.8.8
  # Only two rules are active here (the 10.255.254 -> 10.255.252 accept and the
  # fasttrack rule); every other rule is disabled=yes and neither the input nor the
  # forward chain ends in a drop. Anything not matched is accepted, so every service
  # the router listens on (DNS, L2TP, CAPsMAN, winbox if enabled, ...) is reachable
  # from WAN. Minimum hardening: an input chain of
  #   accept connection-state=established,related
  #   accept in-interface=bridge1
  #   accept the WAN ports you really need (e.g. udp/1701, udp/500,4500, ipsec-esp)
  #   drop in-interface=WAN
  # and a forward chain that drops new WAN-originated connections except
  # connection-nat-state=dstnat (needed for the 9987/udp forward below).
  93. /ip firewall filter
  94. add action=accept chain=forward dst-address=10.255.252.0/24 src-address=\
  95. 10.255.254.0/24
  # fasttrack is normally paired with an `accept connection-state=established,related`
  # rule right after it, because not every packet can be fast-tracked; that accept
  # must exist before a terminating drop is added to either chain.
  96. add action=fasttrack-connection chain=forward connection-state=\
  97. established,related
  98. add action=accept chain=input disabled=yes src-address=176.118.XX.XX
  99. add action=accept chain=forward disabled=yes dst-address=192.168.100.0/24 \
  100. src-address=192.168.2.0/24
  101. add action=accept chain=forward disabled=yes dst-address=192.168.2.0/24 \
  102. src-address=192.168.100.0/24
  # These two rules are what would close the open resolver created by
  # /ip dns allow-remote-requests=yes above; they are disabled. Enable them.
  103. add action=drop chain=input disabled=yes dst-port=53 in-interface=WAN protocol=\
  104. udp
  105. add action=drop chain=input disabled=yes dst-port=53 in-interface=WAN protocol=\
  106. tcp
  # SSH brute-force tarpit (stage1 -> stage2 -> stage3 -> blacklist for 1w3d). The
  # ordering is right (blacklist drop first, then the stages in reverse). All of it is
  # disabled, and the ssh service itself is disabled under /ip service, so this is
  # dead config for now; if ssh is ever re-enabled on WAN, enable these and use
  # key-only authentication.
  107. add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
  108. dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_blacklist
  109. add action=add-src-to-address-list address-list=ssh_blacklist \
  110. address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
  111. dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_stage3
  112. add action=add-src-to-address-list address-list=ssh_stage3 \
  113. address-list-timeout=1m chain=input connection-state=new disabled=yes \
  114. dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_stage2
  115. add action=add-src-to-address-list address-list=ssh_stage2 \
  116. address-list-timeout=1m chain=input connection-state=new disabled=yes \
  117. dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_stage1
  118. add action=add-src-to-address-list address-list=ssh_stage1 \
  119. address-list-timeout=1m chain=input connection-state=new disabled=yes \
  120. dst-port=22 in-interface=WAN protocol=tcp
  121. add action=drop chain=forward comment="drop ssh brute downstream" disabled=yes \
  122. dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_blacklist
  123. add action=accept chain=forward disabled=yes dst-address=192.168.32.0/24 \
  124. src-address=192.168.100.0/24
  125. add action=accept chain=forward disabled=yes dst-address=192.168.100.0/24 \
  126. src-address=192.168.32.0/24
  # Masquerade on WAN only; tunnel traffic leaves un-NATed (the srcnat accept for
  # 10.255.254 -> 10.255.252 is disabled but would be redundant anyway).
  # The dst-nat forwards UDP 9987 (TeamSpeak default port -- confirm) from WAN to
  # the NAS. It works today only because the forward chain has no drop; when one is
  # added, accept connection-nat-state=dstnat traffic explicitly.
  127. /ip firewall nat
  128. add action=accept chain=srcnat disabled=yes dst-address=10.255.252.0/24 \
  129. src-address=10.255.254.0/24
  130. add action=masquerade chain=srcnat out-interface=WAN
  131. add action=dst-nat chain=dstnat dst-port=9987 in-interface=WAN protocol=udp \
  132. to-addresses=10.255.254.100 to-ports=9987
  # First peer (176.118.XX.XX, the gre1 endpoint, strong profile_1) is disabled, so
  # gre1 is not IPsec-protected.
  # Second peer: address=0.0.0.0/0 passive=yes exchange-mode=ike2 -- a responder any
  # Internet host may initiate to, authenticated by a shared secret only, and bound
  # to profile_2 (modp1024 / 3des / md5). The PSK is the single factor and the weak
  # suite is what gets negotiated. Use profile_1-class algorithms; if this is for
  # one known site, pin address= to it; for road-warrior use prefer certificate or
  # EAP authentication. send-initial-contact=no is fine for a passive responder.
  133. /ip ipsec peer
  134. add address=176.118.XX.XX/32 disabled=yes profile=profile_1 secret=XXXXXXXXXX
  135. add address=0.0.0.0/0 exchange-mode=ike2 passive=yes profile=profile_2 secret=\
  136. XXXX send-initial-contact=no
  # Both policies are disabled=yes, so no IPsec SA is ever built from this export.
  # The second policy uses /32 on *network* addresses (10.255.254.0/32,
  # 10.255.252.0/32) -- almost certainly meant /24, matching the forward accept rule
  # and the ipip-tunnel1 address; as written it would match nothing useful. It also
  # has no proposal= and would fall back to the md5/3des default proposal.
  137. /ip ipsec policy
  138. add disabled=yes dst-address=192.168.100.0/24 proposal=XXX sa-dst-address=\
  139. 176.118.XX.XX sa-src-address=185.44.XX.XX src-address=192.168.32.0/24 \
  140. tunnel=yes
  141. add disabled=yes dst-address=10.255.252.0/32 sa-dst-address=85.140.XX.XX \
  142. sa-src-address=185.44.XX.XX src-address=10.255.254.0/32 tunnel=yes
  # 10.255.252.0/24 is reached via 172.16.40.2, the L2TP client 'shep' -- usable only
  # while that client is connected. ipip-tunnel1 (disabled) carries the same
  # 10.255.252.0/24 as a connected network; enabling it would give two candidate
  # paths -- confirm which is intended. 192.168.100.0/24 rides the unencrypted gre1.
  143. /ip route
  144. add distance=1 dst-address=10.255.252.0/24 gateway=172.16.40.2 pref-src=\
  145. 172.16.40.1
  146. add distance=1 dst-address=10.255.253.0/24 gateway=176.16.50.2 pref-src=\
  147. 176.16.50.1
  148. add distance=1 dst-address=192.168.100.0/24 gateway=172.16.30.1
  # telnet/ftp/www/ssh/api/api-ssl disabled -- good. winbox and www-ssl are not
  # listed, so they keep their existing state (winbox is enabled by default --
  # confirm), and no service has an address= restriction. With no input-chain drop,
  # at least set address=10.255.254.0/24 on winbox, and keep RouterOS current.
  149. /ip service
  150. set telnet disabled=yes
  151. set ftp disabled=yes
  152. set www disabled=yes
  153. set ssh disabled=yes
  154. set api disabled=yes
  155. set api-ssl disabled=yes
  # Static L2TP credential for 'shep' (password redacted). Since this export was
  # posted publicly, rotate it and the IPsec PSKs regardless of the redaction.
  156. /ppp secret
  157. add local-address=172.16.40.1 name=shep password=XXXXXXXXXXX profile=\
  158. shep-profile remote-address=172.16.40.2 service=l2tp
  159. /system clock
  160. set time-zone-name=Europe/Moscow
  161. /system identity
  162. set name="hEX S"
  # Single unauthenticated NTP source by raw IP and no secondary; clock drift
  # affects IPsec lifetimes and any certificate checks. Add a secondary-ntp.
  163. /system ntp client
  164. set enabled=yes primary-ntp=37.153.16.170
  165. /system routerboard settings
  166. set silent-boot=no