- # may/23/2022 00:54:16 by RouterOS 7.2.3
- # software id = 1NAS-A7DJ
- #
- # model = RB5009UG+S+
- # serial number = ECxxxxxxxx5E
- # Physical ports: two WAN uplinks on ether1/ether2, LAN on the 10G SFP+ port.
- /interface ethernet
- set [ find default-name=ether1 ] name="ether1_WAN Orange_ISP1"
- set [ find default-name=ether2 ] name=ether2_WAN_Nordnet_ISP2
- # Unused copper ports are administratively down, so nothing plugged into them
- # gets link or LAN access (they are not members of any bridge or list either).
- set [ find default-name=ether3 ] disabled=yes
- set [ find default-name=ether4 ] disabled=yes
- set [ find default-name=ether5 ] disabled=yes
- set [ find default-name=ether6 ] disabled=yes
- set [ find default-name=ether7 ] disabled=yes
- set [ find default-name=ether8 ] disabled=yes
- set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1 - LAN"
- # Interface lists referenced by firewall, NAT, discovery and mac-server
- # settings below; membership is assigned under "/interface list member".
- /interface list
- add name=WAN
- add name=LAN
- # Stock wireless security profile; no wireless interface is configured in
- # this export, so only the default supplicant identity is present.
- /interface wireless security-profiles
- set [ find default=yes ] supplicant-identity=MikroTik
- # DHCP pool for LAN clients (.100-.200 of 172.16.0.0/24).
- /ip pool
- add name=dhcp ranges=172.16.0.100-172.16.0.200
- # The DHCP server is bound to the LAN SFP+ port only; WAN ports never serve
- # leases.
- /ip dhcp-server
- add address-pool=dhcp interface="sfp-sfpplus1 - LAN" lease-time=1d name=\
- "HOME DHCP SERVER"
- # Per-ISP routing tables (FIBs), selected by the routing marks set in mangle.
- /routing table
- add fib name=to_ISP1
- add fib name=to_ISP2
- # Neighbor discovery (MNDP/CDP/LLDP) is not answered on WAN-list interfaces.
- /ip neighbor discovery-settings
- set discover-interface-list=!WAN
- # IPv6 is switched off entirely; the "/ipv6 firewall" section further down
- # is therefore inert unless this is re-enabled.
- /ipv6 settings
- set disable-ipv6=yes
- # List membership: both uplinks are WAN, the SFP+ port is LAN.
- /interface list member
- add interface="sfp-sfpplus1 - LAN" list=LAN
- add interface=ether2_WAN_Nordnet_ISP2 list=WAN
- add interface="ether1_WAN Orange_ISP1" list=WAN
- # Router's own LAN address (last octet redacted as "z" in this paste).
- /ip address
- add address=172.16.0.z/24 interface="sfp-sfpplus1 - LAN" network=172.16.0.0
- # MikroTik cloud DDNS: the router pushes its public address to MikroTik's
- # servers every minute under a MikroTik-hosted hostname (derived from the
- # device serial). NOTE(review): this is an outbound third-party dependency
- # that advertises the unit's identity in public DNS; keep it only if something
- # actually resolves that name, and consider a longer update interval.
- /ip cloud
- set ddns-enabled=yes ddns-update-interval=1m
- # Both uplinks are DHCP clients. add-default-route=no: default routes live in
- # the per-ISP tables (see "/ip route"). Peer DNS/NTP are ignored so an ISP
- # cannot push resolvers or time sources onto the router; DNS is pinned below
- # and NTP under "/system ntp client servers".
- /ip dhcp-client
- add add-default-route=no interface="ether1_WAN Orange_ISP1" use-peer-dns=no \
- use-peer-ntp=no
- add add-default-route=no interface=ether2_WAN_Nordnet_ISP2 use-peer-dns=no \
- use-peer-ntp=no
- # LAN clients get the router (172.16.0.z) as resolver and a LAN host
- # (172.16.0.yyy) as NTP server.
- /ip dhcp-server network
- add address=172.16.0.0/24 dns-server=172.16.0.z domain=home.local.lan \
- gateway=172.16.0.z netmask=24 ntp-server=172.16.0.yyy
- # The router is a forwarding resolver for the LAN (allow-remote-requests=yes).
- # This is not an open resolver only because the input chain accepts port 53
- # from LAN sources alone and ends in a drop; keep that final drop in place.
- # Forwarding to the two upstream servers is plain UDP/TCP 53 - no DoH is
- # configured in this export, so queries are visible to both ISPs.
- /ip dns
- set allow-remote-requests=yes servers=94.140.14.49,94.140.14.59
- # Address lists used by the filter and NAT rules below.
- /ip firewall address-list
- # not_in_internet: bogon / non-routable ranges (RFC 6890 and friends). Used by
- # the anti-spoofing forward rules, which are currently disabled.
- add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
- add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
- add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
- add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
- add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
- add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
- add address=224.0.0.0/4 comment=Multicast list=not_in_internet
- add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
- add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
- add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
- add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
- add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
- add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
- add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
- add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
- not_in_internet
- # Uptime-Robot: external monitoring sources allowed to ping the router
- # (input chain, ICMP only). NOTE(review): a third party's IP list drifts over
- # time; refresh it against the provider's published list periodically.
- add address=69.162.124.226-69.162.124.237 list=Uptime-Robot
- add address=63.143.42.242-63.143.42.253 list=Uptime-Robot
- add address=46.137.190.132 list=Uptime-Robot
- add address=122.248.234.23 list=Uptime-Robot
- add address=167.99.209.234 list=Uptime-Robot
- add address=178.62.52.237 list=Uptime-Robot
- add address=54.79.28.129 list=Uptime-Robot
- add address=54.94.142.218 list=Uptime-Robot
- add address=104.131.107.63 list=Uptime-Robot
- add address=54.67.10.127 list=Uptime-Robot
- add address=54.64.67.106 list=Uptime-Robot
- add address=159.203.30.41 list=Uptime-Robot
- add address=46.101.250.135 list=Uptime-Robot
- add address=216.144.250.150 list=Uptime-Robot
- add address=216.245.221.82-216.245.221.93 list=Uptime-Robot
- add address=18.221.56.27 list=Uptime-Robot
- add address=52.60.129.180 list=Uptime-Robot
- add address=159.89.8.111 list=Uptime-Robot
- add address=146.185.143.14 list=Uptime-Robot
- add address=139.59.173.249 list=Uptime-Robot
- add address=165.227.83.148 list=Uptime-Robot
- add address=128.199.195.156 list=Uptime-Robot
- add address=138.197.150.151 list=Uptime-Robot
- add address=34.233.66.117 list=Uptime-Robot
- add address=208.115.199.18-208.115.199.30 list=Uptime-Robot
- add address=65.21.217.70 list=Uptime-Robot
- # LANs / WANs: used for hairpin-NAT marking and as the dst-nat match for port
- # forwards. The two redacted WANs entries are presumably the public addresses;
- # 10.16.0.0/24 suggests ISP2 hands out a private (CGNAT-style) address.
- # NOTE(review): the "VPS" list referenced by the filter and NAT rules is not
- # defined anywhere in this export; if it was not merely redacted, every rule
- # that matches on it matches nothing.
- add address=172.16.0.0/24 list=LANs
- add address=xxxxxxxx list=WANs
- add address=xxxxxxxx list=WANs
- add address=10.16.0.0/24 list=WANs
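- # Input chain (traffic to the router itself): established/related first, then
- # full access from LAN sources, ICMP from the monitoring and VPS lists, and a
- # final unconditional drop. Management services are additionally bound to the
- # LAN subnet under /ip service.
- /ip firewall filter
- add action=accept chain=input comment="default configuration" \
- connection-state=established,related
- add action=accept chain=input src-address-list=LANs
- add action=accept chain=input comment="Ping from Uptime Robot" protocol=icmp \
- src-address-list=Uptime-Robot
- # NOTE(review): "VPS" is not defined under /ip firewall address-list in this
- # export; if it was not simply redacted, this rule matches nothing.
- add action=accept chain=input comment="Ping from VPS" protocol=icmp \
- src-address-list=VPS
- # Forward chain (transit traffic): fast-track established/related, drop
- # invalid, then police what the WAN side is allowed to initiate.
- add action=fasttrack-connection chain=forward comment=FastTrack \
- connection-state=established,related hw-offload=yes
- add action=accept chain=forward comment="Established, Related" \
- connection-state=established,related
- add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
- log-prefix=invalid
- # Disabled. As written it also requires out-interface=LAN, so it could only
- # match LAN-to-LAN transit (which a single /24 never sends through the
- # router); the intended egress filter is probably out-interface-list=WAN.
- add action=drop chain=forward comment=\
- "Drop tries to reach not public addresses from LAN" disabled=yes \
- dst-address-list=not_in_internet in-interface="sfp-sfpplus1 - LAN" log=\
- yes log-prefix=!public_from_LAN out-interface="sfp-sfpplus1 - LAN"
- # FIX: this rule was disabled and bound to ether1 only. With every other
- # forward drop rule disabled and no terminal drop in the forward chain, a new
- # connection arriving on either uplink that no dst-nat rule forwarded was
- # accepted by the default policy. That matters because ISP2 appears to sit on
- # a private 10.16.0.0/24 segment (see list WANs and the 10.16.0.1 gateway),
- # whose other members can route straight to 172.16.0.0/24 hosts. Now enabled
- # and matched on the WAN interface list so both uplinks are covered. Every
- # dst-nat'ed flow (nat-state=dstnat) and every LAN-initiated flow still
- # passes. log=yes is kept from the original rule; on a public address it will
- # be noisy, so turn it off once the rule is verified.
- add action=drop chain=forward comment=\
- "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
- connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
- # Disabled anti-spoofing rules (bogon source on a WAN port). If the ether2
- # rule is enabled, note that ISP2's own upstream is a 10.x segment: new
- # inbound flows from it would be dropped, which is the desired effect for
- # unsolicited traffic; LAN-initiated flows are unaffected (established).
- add action=drop chain=forward comment=\
- "Drop incoming from internet which is not public IP" disabled=yes \
- in-interface="ether1_WAN Orange_ISP1" log=yes log-prefix=!public \
- src-address-list=not_in_internet
- add action=drop chain=forward comment=\
- "Drop incoming from internet which is not public IP" disabled=yes \
- in-interface=ether2_WAN_Nordnet_ISP2 log=yes log-prefix=!public \
- src-address-list=not_in_internet
- # Disabled, and the two rules contradict each other: the LAN is 172.16.0.0/24
- # (see /ip address), so the second rule (src != 10.16.0.0/24) would drop all
- # LAN-originated transit if it were ever enabled. Only the first is meaningful.
- add action=drop chain=forward comment=\
- "Drop packets from LAN that do not have LAN IP" disabled=yes \
- in-interface="sfp-sfpplus1 - LAN" log=yes log-prefix=LAN_!LAN \
- src-address=!172.16.0.0/24
- add action=drop chain=forward comment=\
- "Drop packets from LAN that do not have LAN IP" disabled=yes \
- in-interface="sfp-sfpplus1 - LAN" log=yes log-prefix=LAN_!LAN \
- src-address=!10.16.0.0/24
- # Terminal drop for the input chain (the forward chain's terminal drop for
- # unsolicited WAN traffic is the !dstnat rule above).
- add action=drop chain=input comment="Default Drop"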
- /ip firewall mangle
- # Hairpin NAT: LAN clients talking to one of the router's WAN addresses are
- # marked so srcnat can masquerade them; without that the internal server would
- # answer the LAN client directly and the connection would break.
- add action=mark-connection chain=prerouting comment=\
- "Mark connections for hairpin NAT" dst-address-list=WANs \
- new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LANs
- # Router-originated traffic (output chain only): the first packet of each new
- # connection is tagged with the uplink it leaves on, and later packets are
- # steered into that ISP's routing table so the flow stays on one uplink.
- # Forwarded LAN traffic is not marked anywhere in this export.
- add action=mark-connection chain=output connection-mark=no-mark \
- connection-state=new new-connection-mark=ISP1_conn out-interface=\
- "ether1_WAN Orange_ISP1"
- add action=mark-routing chain=output connection-mark=ISP1_conn \
- new-routing-mark=to_ISP1 out-interface="ether1_WAN Orange_ISP1"
- add action=mark-connection chain=output connection-mark=no-mark \
- connection-state=new new-connection-mark=ISP2_conn out-interface=\
- ether2_WAN_Nordnet_ISP2
- add action=mark-routing chain=output connection-mark=ISP2_conn \
- new-routing-mark=to_ISP2 out-interface=ether2_WAN_Nordnet_ISP2
- /ip firewall nat
- # Source NAT: masquerade hairpinned LAN connections (marked in mangle), then
- # everything leaving through a WAN-list interface.
- add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
- "Hairpin NAT"
- add action=masquerade chain=srcnat comment="Masquerade WAN" \
- out-interface-list=WAN
- # Port forwards. All match on the WANs list, so each applies on both uplinks
- # and to hairpinned LAN clients. Internal targets are redacted (xxx/yyy/zzz).
- # NOTE(review): most of these expose management-class services to any source
- # on the internet - NAS DSM (1604-1605), SFTP (2211), the remote-backup port
- # (6281) and Plex - with no src-address-list restriction; only the ABB rule
- # is limited to the VPS list (which is not defined in this export). Prefer
- # reaching DSM/SFTP/backup over the VPN tunnels already forwarded on udp/1194
- # and udp/6179, and add a src-address-list to whatever must stay public.
- add action=dst-nat chain=dstnat comment=HTTP dst-address-list=WANs dst-port=\
- 80 protocol=tcp to-addresses=172.16.0.xxx to-ports=80
- add action=dst-nat chain=dstnat comment=HTTPS dst-address-list=WANs dst-port=\
- 443 protocol=tcp to-addresses=172.16.0.xxx to-ports=443
- add action=dst-nat chain=dstnat comment="Direct NAS DSM" dst-address-list=\
- WANs dst-port=1604-1605 protocol=tcp to-addresses=172.16.0.yyy to-ports=\
- 1604-1605
- add action=dst-nat chain=dstnat comment=SFTP dst-address-list=WANs dst-port=\
- 2211 protocol=tcp to-addresses=172.16.0.yyy to-ports=2211
- # External 32401 is remapped to the internal 32400.
- add action=dst-nat chain=dstnat comment=Plex dst-address-list=WANs dst-port=\
- 32401 protocol=tcp to-addresses=172.16.0.yyy to-ports=32400
- add action=dst-nat chain=dstnat comment="Remote Backup NAS" dst-address-list=\
- WANs dst-port=6281 protocol=tcp to-addresses=172.16.0.yyy to-ports=6281
- add action=dst-nat chain=dstnat comment="Veeam PN Site to Site" \
- dst-address-list=WANs dst-port=1194 protocol=udp to-addresses=172.16.0.yyy \
- to-ports=1194
- add action=dst-nat chain=dstnat comment="Active Backup for Business from VPS" \
- dst-address-list=WANs dst-port=5510 protocol=tcp src-address-list=VPS \
- to-addresses=172.16.0.yyy to-ports=5510
- add action=dst-nat chain=dstnat comment="Veeam PN Point to Site" \
- dst-address-list=WANs dst-port=6179 protocol=udp to-addresses=\
- 172.16.0.zzz to-ports=6179
- # Recursive gateway failover. 8.8.8.8 is pinned out via 10.16.0.1 and 8.8.4.4
- # via 92.188.3.254 (scope=10 keeps these host routes usable only for
- # recursive next-hop resolution). Each ISP table then uses one of those
- # addresses as its gateway with check-gateway=ping: when the probe fails the
- # distance-1 route goes inactive and the distance-2 route through the other
- # uplink takes over.
- # NOTE(review): the main table has no default route in this export and nothing
- # marks forwarded LAN traffic into to_ISP1/to_ISP2 (the mangle marks are
- # output-chain only), so either a "/routing rule" or a main-table default is
- # missing from this paste - confirm LAN clients actually have egress. Also
- # confirm that the 10.16.0.1 / 92.188.3.254 next hops really correspond to the
- # ISP1 / ISP2 naming used on the interfaces; to_ISP1 prefers 8.8.8.8, i.e.
- # the 10.16.0.1 hop.
- /ip route
- add dst-address=8.8.8.8 gateway=10.16.0.1 scope=10
- add dst-address=8.8.4.4 gateway=92.188.3.254 scope=10
- add check-gateway=ping distance=1 gateway=8.8.8.8 routing-table=to_ISP1
- add check-gateway=ping distance=2 gateway=8.8.4.4 routing-table=to_ISP1
- add check-gateway=ping distance=1 gateway=8.8.4.4 routing-table=to_ISP2
- add check-gateway=ping distance=2 gateway=8.8.8.8 routing-table=to_ISP2
- # Management plane: telnet/ftp/api/api-ssl are off; www, ssh (custom port,
- # redacted) and winbox answer only to the LAN subnet, and the input chain
- # drops WAN sources anyway. www is plain HTTP (www-ssl is not enabled in this
- # export) - acceptable for a LAN-only admin surface, but credentials cross the
- # LAN in clear; prefer www-ssl or winbox/ssh for logins.
- /ip service
- set telnet disabled=yes
- set ftp disabled=yes
- set www address=172.16.0.0/24
- set ssh address=172.16.0.0/24 port=xxxx
- set api disabled=yes
- set winbox address=172.16.0.0/24
- set api-ssl disabled=yes
- # strong-crypto=yes drops the weak SSH ciphers/MACs. forwarding-enabled=both
- # lets any SSH user open local AND remote TCP forwards through the router,
- # turning an SSH login into a pivot into the LAN or out to the WAN; set it to
- # "no" unless tunnelling through the router is actually used.
- /ip ssh
- set forwarding-enabled=both strong-crypto=yes
- # IPv6 firewall. Currently dormant because "/ipv6 settings" disables IPv6; it
- # is kept so that re-enabling IPv6 does not leave the router or LAN unfiltered.
- /ipv6 firewall address-list
- add address=fe80::/16 list=allowed
- add address=ff02::/16 comment=multicast list=allowed
- # Input: established/related, all ICMPv6, UDP traceroute probes, DHCPv6-PD
- # replies from link-local peers, and link-local/multicast sources; everything
- # else is dropped.
- /ipv6 firewall filter
- add action=accept chain=input comment="allow established and related" \
- connection-state=established,related
- add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
- add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
- 33434-33534 protocol=udp
- add action=accept chain=input comment=\
- "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
- src-address=fe80::/16
- add action=accept chain=input comment="allow allowed addresses" \
- src-address-list=allowed
- add action=drop chain=input
- # Forward: only established/related passes; invalid is dropped and logged,
- # then everything else is dropped. There is no rule admitting new outbound
- # flows from the LAN, so enabling IPv6 would require adding one (e.g. accept
- # connection-state=new in-interface-list=LAN) before LAN hosts get v6 egress.
- add action=accept chain=forward comment=established,related connection-state=\
- established,related
- add action=drop chain=forward comment=invalid connection-state=invalid log=\
- yes log-prefix=ipv6,invalid
- add action=drop chain=forward log-prefix=IPV6
- /system clock
- set time-zone-name=Europe/Paris
- /system identity
- set name=MikRouter
- # Login banner shown at the console/SSH prompt.
- /system note
- set note=\
- "Authorized administrators only. Access to this device is monitored."
- # Time comes from a LAN host (172.16.0.yyy), not from the ISPs (peer NTP is
- # disabled on both DHCP clients). That host is this router's only time
- # source, so log timestamps and anything time-sensitive depend on it.
- /system ntp client
- set enabled=yes
- /system ntp client servers
- add address=172.16.0.yyy
- # Runs CheckPublicIPChange every 5 minutes.
- # NOTE(review): the task and the script both carry policy=read,write,policy,
- # test. "policy" (the right to change user permissions) is not exercised by
- # anything in the script body; trim both to the minimal set that still lets
- # fetch and e-mail run, which does not need "policy".
- /system scheduler
- add interval=5m name=CheckChangeExternalAdress on-event=\
- "/system script run CheckPublicIPChange;" policy=read,write,policy,test \
- start-date=may/17/2022 start-time=23:56:47
- # CheckPublicIPChange: fetches the public IP from an HTTP endpoint (redacted),
- # compares it with the global CurrentIP and, on change, stores the new value
- # and e-mails old/new address with device name and timestamp. The commented
- # "$SendEmail" line is a leftover from an earlier helper-based version.
- # NOTE(review): the lookup URL is plain http://. The value is only reported,
- # not acted on, but an on-path attacker can put an arbitrary string into the
- # notification; use https:// if the endpoint supports it. CurrentIP is unset
- # after a reboot, so the first run always sends one notification, and a
- # failing fetch appears to abort the script before the comparison (no e-mail).
- # dont-require-permissions=no is correct: the script runs with the caller's
- # policy rather than unrestricted.
- /system script
- add dont-require-permissions=no name=CheckPublicIPChange owner=computman \
- policy=read,write,policy,test source=":global CurrentIP;\r\
- \n:local NewIP ([/tool fetch url=http://xxxxxxxxx.xxxx.xxx as-val\
- ue output=user] -> \"data\")\r\
- \n\r\
- \n:if (\$NewIP != \$CurrentIP) do={\r\
- \n # Variables\r\
- \n :local Time [/system clock get time];\r\
- \n :local Date [/system clock get date];\r\
- \n :local DeviceName [/system identity get name];\r\
- \n :local Text \"New IP: \$NewIP, Previous IP: \$CurrentIP\";\r\
- \n :set CurrentIP \$NewIP;\r\
- \n\r\
- \n\r\
- \n :local SendTo \"xxx@xxx.xxx\";\r\
- \n :local Subject \"\\F0\\9F\\9F\\A2 INFO: \$DeviceName [\$Date \$Time]\
- \_External IP address has changed.\";\r\
- \n :local MessageText \$Text;\r\
- \n# \$SendEmail SendTo=\$SendTo TextMail=\$MessageText Subject=\$Subjec\
- t FileName=\$FileName;\r\
- \n [/tool/e-mail/send to=\$SendTo body=\$MessageText subject=\$Subject]\
- \r\
- \n # END Send Email Module\r\
- \n};"
- # Bandwidth-test server off (it can otherwise be used to generate load).
- /tool bandwidth-server
- set enabled=no
- # Outbound e-mail goes to a LAN SMTP host as user computman; the password is
- # not included in a plain export. No tls= value appears here, so the default
- # (plain SMTP over the LAN) presumably applies.
- /tool e-mail
- set address=172.16.0.yyy from=xxx@xxx.xxx user=computman
- # Interface graphs are viewable only from the LAN subnet.
- /tool graphing interface
- add allow-address=172.16.0.0/24 interface="sfp-sfpplus1 - LAN"
- add allow-address=172.16.0.0/24 interface="ether1_WAN Orange_ISP1"
- add allow-address=172.16.0.0/24 interface=ether2_WAN_Nordnet_ISP2
- # No Layer-2 management on any interface: MAC-telnet, MAC-Winbox and MAC-ping
- # are all disabled, so a device on the LAN segment cannot reach the router by
- # MAC address alone.
- /tool mac-server
- set allowed-interface-list=none
- /tool mac-server mac-winbox
- set allowed-interface-list=none
- /tool mac-server ping
- set enabled=no