- # Review notes (added): RouterOS 6.43 `export` from a hEX S (RB760iGS) acting as a
- # home/SOHO edge router: CAPsMAN for two radios, GRE + IPIP tunnels, an L2TP server,
- # and IPsec. Values shown as XX / XXXX were redacted by the poster before pasting.
- # `export` omits settings that are still at factory default, so anything not listed
- # below (e.g. the winbox and www-ssl services, the L2TP server's use-ipsec) is at its
- # default value -- keep that in mind when reading the firewall section.
- [akoznov@hEX S] > export
- # sep/14/2018 23:16:16 by RouterOS 6.43
- # software id = XXX-XXX
- #
- # model = RB760iGS
- # serial number = XXXX
- /caps-man channel
- add band=2ghz-b/g/n extension-channel=Ce frequency=2412 name=2.4Ghz tx-power=20
- add band=5ghz-a/n/ac extension-channel=Ceee frequency=5180 name=5Ghz tx-power=\
- 20
- # L2TP server interface statically bound to the single PPP user "shep" (secret below).
- /interface l2tp-server
- add name=l2tp-in1 user=shep
- # proxy-arp on the LAN bridge: the router answers ARP on behalf of remote hosts, which
- # is commonly done so tunnel/PPP clients look on-link -- confirm it is still needed.
- /interface bridge
- add arp=proxy-arp fast-forward=no name=bridge1
- # ether2 is the WAN uplink (renamed "WAN"); the remaining ports are bridged LAN ports.
- /interface ethernet
- set [ find default-name=ether2 ] comment=Ufanet name=WAN speed=100Mbps
- set [ find default-name=ether1 ] comment=Localnet speed=100Mbps
- set [ find default-name=ether3 ] speed=100Mbps
- set [ find default-name=ether4 ] speed=100Mbps
- set [ find default-name=ether5 ] speed=100Mbps
- # Plain GRE/IPIP carry no encryption or authentication; only the disabled IPsec
- # policies further down could protect them, so as exported these tunnels are cleartext.
- /interface gre
- add local-address=185.44.XX.XX name=gre1 remote-address=176.118.XX.XX
- add local-address=185.44.XX.XX name=gre2 remote-address=95.79.XX.XX
- /interface ipip
- add disabled=yes local-address=185.44.XX.XX name=ipip-tunnel1 remote-address=\
- 85.140.XX.XX
- /caps-man datapath
- add bridge=bridge1 client-to-client-forwarding=yes local-forwarding=yes name=\
- "CAPsMAN Datapath config"
- # WPA2-PSK with AES-CCM only (no TKIP) -- appropriate; passphrase redacted.
- /caps-man security
- add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
- name="CAPsMAN Security config" passphrase=XXXXXXXX
- /caps-man configuration
- add channel=2.4Ghz datapath="CAPsMAN Datapath config" mode=ap name=\
- "2.4Ghz Config" rx-chains=0,1,2 security="CAPsMAN Security config" ssid=\
- "Mikrotik hAP BGN" tx-chains=0,1,2
- add channel=5Ghz datapath="CAPsMAN Datapath config" mode=ap name="5Ghz Config" \
- rx-chains=0,1,2 security="CAPsMAN Security config" ssid="Mikrotik hAP AC" \
- tx-chains=0,1,2
- /interface wireless security-profiles
- set [ find default=yes ] supplicant-identity=MikroTik
- /ip hotspot profile
- set [ find default=yes ] html-directory=flash/hotspot
- # IKE (phase 1) profiles. profile_1 (AES-256 / modp2048) is fine. profile_2 is
- # modp1024 + 3DES + MD5 -- all three are deprecated -- and it is the profile attached to
- # the catch-all 0.0.0.0/0 IKEv2 responder peer below, i.e. the one exposed to the whole
- # internet. Suggested: hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
- # (clients must be updated to match).
- /ip ipsec peer profile
- add dh-group=modp2048 enc-algorithm=aes-256 lifetime=8h name=profile_1
- add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile_2
- # Phase-2 proposals. The *default* proposal has been weakened to MD5 + 3DES; any SA
- # that does not name proposal XXXX explicitly falls back to it. Suggested for default:
- # auth-algorithms=sha256 enc-algorithms=aes-256-cbc (or aes-256-gcm) pfs-group=modp2048.
- /ip ipsec proposal
- set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
- add enc-algorithms=aes-256-cbc name=XXXX pfs-group=modp2048
- /ip pool
- add name=LAN-DHCP-Pool ranges=10.255.254.10-10.255.254.100
- /ip dhcp-server
- add add-arp=yes address-pool=LAN-DHCP-Pool bootp-support=dynamic disabled=no \
- interface=bridge1 lease-time=8h name=DHCP-Server
- # PPP profile for the L2TP user: MPPE (use-encryption=yes) is the only protection the
- # tunnel gets here, because the L2TP server's use-ipsec is not set (default = no).
- # L2TP/IPsec is the usual recommendation; MPPE alone is weak by today's standards.
- /ppp profile
- add change-tcp-mss=yes name=shep-profile use-compression=yes use-encryption=yes
- /caps-man manager
- set enabled=yes
- /caps-man provisioning
- add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
- "2.4Ghz Config"
- add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
- "5Ghz Config"
- /interface bridge port
- add bridge=bridge1 interface=ether1
- add bridge=bridge1 interface=ether3
- add bridge=bridge1 interface=ether4
- add bridge=bridge1 interface=ether5
- add bridge=bridge1 interface=sfp1
- # L2TP server is enabled and, given the input chain below, reachable from the WAN.
- /interface l2tp-server server
- set default-profile=shep-profile enabled=yes
- # NOTE(review): 176.16.50.0/30 on gre2 is NOT RFC 1918 space (that is 172.16.0.0/12);
- # 176.16.x.x is globally routable and belongs to someone else. Probably a typo for
- # 172.16.50.x -- the same string recurs in the static route below. Also note ether4 is a
- # bridge port yet carries its own address 192.168.32.1/24; and 10.255.252.0/24 on the
- # (disabled) ipip-tunnel1 is the network address itself, which is unusual -- verify.
- /ip address
- add address=10.255.254.1/24 comment="Localnet Address" interface=bridge1 \
- network=10.255.254.0
- add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
- add address=172.16.30.2/30 interface=gre1 network=172.16.30.0
- add address=192.168.32.1/24 interface=ether4 network=192.168.32.0
- add address=176.16.50.1/30 interface=gre2 network=176.16.50.0
- add address=10.255.252.0/24 interface=ipip-tunnel1 network=10.255.252.0
- # WAN gets its address by DHCP; ISP DNS/NTP are ignored (static servers set below).
- /ip dhcp-client
- add dhcp-options=hostname,clientid disabled=no interface=WAN use-peer-dns=no \
- use-peer-ntp=no
- /ip dhcp-server lease
- add address=10.255.254.100 client-id=XXXXXXXXXX comment=\
- "XXX NAS" mac-address=XXXXXXXXXXX server=DHCP-Server
- add address=10.255.254.101 client-id=XXXXXXXXX comment="Violet PC" \
- mac-address=XXXXXXXX server=DHCP-Server
- /ip dhcp-server network
- add address=10.255.254.0/24 dns-server=10.255.254.1 gateway=10.255.254.1 \
- netmask=24
- # allow-remote-requests=yes turns the router into a DNS resolver for anyone who can
- # reach it. That is intended for the LAN (DHCP hands out 10.255.254.1 as DNS), but the
- # two rules that would drop DNS arriving on WAN are disabled=yes and there is no
- # catch-all input drop, so as exported this is an open resolver on the public
- # address -- usable for DNS amplification. Enable the two udp/tcp 53 WAN drop rules.
- /ip dns
- set allow-remote-requests=yes servers=1.0.0.1,1.1.1.1,8.8.4.4,8.8.8.8
- # Firewall filter. Every input-chain rule in this export is disabled=yes, so the input
- # chain is effectively accept-all: any service the router listens on (DNS, L2TP, IPsec,
- # winbox at its default, etc.) is reachable from the WAN. The forward chain likewise has
- # no drop rule. Suggested baseline (RouterOS default firewall): in input, accept
- # connection-state=established,related, drop connection-state=invalid, accept from the
- # LAN bridge, then drop everything else in-interface=WAN -- adding explicit accepts for
- # udp/500, udp/4500 and ipsec-esp (IPsec), udp/1701 (L2TP), and protocol=gre from the
- # two GRE peer addresses before the final drop. Test from the LAN before cutting over.
- /ip firewall filter
- add action=accept chain=forward dst-address=10.255.252.0/24 src-address=\
- 10.255.254.0/24
- # fasttrack without the companion "accept established,related" forward rule: harmless
- # today only because nothing below drops, but add the accept if a forward drop is added.
- add action=fasttrack-connection chain=forward connection-state=\
- established,related
- add action=accept chain=input disabled=yes src-address=176.118.XX.XX
- add action=accept chain=forward disabled=yes dst-address=192.168.100.0/24 \
- src-address=192.168.2.0/24
- add action=accept chain=forward disabled=yes dst-address=192.168.2.0/24 \
- src-address=192.168.100.0/24
- # These two rules are the fix for the open-resolver issue noted at /ip dns -- re-enable.
- add action=drop chain=input disabled=yes dst-port=53 in-interface=WAN protocol=\
- udp
- add action=drop chain=input disabled=yes dst-port=53 in-interface=WAN protocol=\
- tcp
- # SSH brute-force staging rules (stage1 -> stage2 -> stage3 -> blacklist). All
- # disabled; moot while the ssh service itself is disabled below.
- add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
- dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_blacklist
- add action=add-src-to-address-list address-list=ssh_blacklist \
- address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
- dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_stage3
- add action=add-src-to-address-list address-list=ssh_stage3 \
- address-list-timeout=1m chain=input connection-state=new disabled=yes \
- dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_stage2
- add action=add-src-to-address-list address-list=ssh_stage2 \
- address-list-timeout=1m chain=input connection-state=new disabled=yes \
- dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_stage1
- add action=add-src-to-address-list address-list=ssh_stage1 \
- address-list-timeout=1m chain=input connection-state=new disabled=yes \
- dst-port=22 in-interface=WAN protocol=tcp
- add action=drop chain=forward comment="drop ssh brute downstream" disabled=yes \
- dst-port=22 in-interface=WAN protocol=tcp src-address-list=ssh_blacklist
- add action=accept chain=forward disabled=yes dst-address=192.168.32.0/24 \
- src-address=192.168.100.0/24
- add action=accept chain=forward disabled=yes dst-address=192.168.100.0/24 \
- src-address=192.168.32.0/24
- # NAT: masquerade everything leaving WAN; one inbound port-forward, udp/9987 from WAN
- # to the "XXX NAS" static lease. With the forward chain accept-all, nothing else
- # restricts what reaches that host on that port.
- /ip firewall nat
- add action=accept chain=srcnat disabled=yes dst-address=10.255.252.0/24 \
- src-address=10.255.254.0/24
- add action=masquerade chain=srcnat out-interface=WAN
- add action=dst-nat chain=dstnat dst-port=9987 in-interface=WAN protocol=udp \
- to-addresses=10.255.254.100 to-ports=9987
- # Peers: the site-to-site peer (profile_1) is disabled; the live one is a passive IKEv2
- # responder for ANY source address using a PSK and the weak profile_2. A PSK shared
- # with 0.0.0.0/0 is guessable offline if it is weak -- prefer certificates or at least a
- # long random secret, and move this peer to the profile_1-class algorithms.
- /ip ipsec peer
- add address=176.118.XX.XX/32 disabled=yes profile=profile_1 secret=XXXXXXXXXX
- add address=0.0.0.0/0 exchange-mode=ike2 passive=yes profile=profile_2 secret=\
- XXXX send-initial-contact=no
- # Both policies disabled. NOTE(review): the second uses /32 for 10.255.252.0 and
- # 10.255.254.0, which are network addresses; the route and filter rules treat both as
- # /24, so /32 looks like a typo -- fix before enabling or it will match nothing useful.
- /ip ipsec policy
- add disabled=yes dst-address=192.168.100.0/24 proposal=XXX sa-dst-address=\
- 176.118.XX.XX sa-src-address=185.44.XX.XX src-address=192.168.32.0/24 \
- tunnel=yes
- add disabled=yes dst-address=10.255.252.0/32 sa-dst-address=85.140.XX.XX \
- sa-src-address=185.44.XX.XX src-address=10.255.254.0/32 tunnel=yes
- # Static routes: 10.255.252.0/24 via 172.16.40.2, i.e. via the L2TP client "shep"
- # (its remote-address below); 10.255.253.0/24 via gre2 (see the 176.16.x.x note above);
- # 192.168.100.0/24 via gre1. The first overlaps the connected 10.255.252.0/24 on
- # ipip-tunnel1 if that tunnel is ever re-enabled -- pick one path.
- /ip route
- add distance=1 dst-address=10.255.252.0/24 gateway=172.16.40.2 pref-src=\
- 172.16.40.1
- add distance=1 dst-address=10.255.253.0/24 gateway=176.16.50.2 pref-src=\
- 176.16.50.1
- add distance=1 dst-address=192.168.100.0/24 gateway=172.16.30.1
- # Management services: telnet/ftp/www/ssh/api/api-ssl are off. winbox and www-ssl are
- # absent from the export, so they are at defaults -- winbox enabled on all addresses.
- # Combined with the accept-all input chain, winbox is reachable from the internet.
- # Suggested: set winbox address=10.255.254.0/24 (and the same for www-ssl if used).
- /ip service
- set telnet disabled=yes
- set ftp disabled=yes
- set www disabled=yes
- set ssh disabled=yes
- set api disabled=yes
- set api-ssl disabled=yes
- # PPP secret for the L2TP user; 172.16.40.0/30 is the point-to-point pair used by the
- # 10.255.252.0/24 route above. Password redacted.
- /ppp secret
- add local-address=172.16.40.1 name=shep password=XXXXXXXXXXX profile=\
- shep-profile remote-address=172.16.40.2 service=l2tp
- /system clock
- set time-zone-name=Europe/Moscow
- /system identity
- set name="hEX S"
- # Single hard-coded NTP server, no secondary; time matters for IPsec/cert validity and
- # for log correlation, so consider a second server.
- /system ntp client
- set enabled=yes primary-ntp=37.153.16.170
- /system routerboard settings
- set silent-boot=no