  1. # may/23/2022 00:54:16 by RouterOS 7.2.3
  2. # software id = 1NAS-A7DJ
  3. #
  4. # model = RB5009UG+S+
  5. # serial number = ECxxxxxxxx5E
/interface ethernet
# ether1/ether2 are the two ISP uplinks; sfp-sfpplus1 is the only LAN-facing port.
set [ find default-name=ether1 ] name="ether1_WAN Orange_ISP1"
set [ find default-name=ether2 ] name=ether2_WAN_Nordnet_ISP2
# ether3-ether8 are administratively down: a device plugged into one of them gets no
# link (and therefore no DHCP lease / LAN access) until an admin re-enables the port.
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1 - LAN"
/interface list
# Referenced by the firewall (in/out-interface-list), the WAN masquerade and neighbor
# discovery; membership is assigned under /interface list member further down.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Default-profile artifact carried by every export; no wireless interface is configured
# anywhere in this export, so this entry is unused.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Dynamic LAN range; static hosts referenced elsewhere (.xxx web server, .yyy NAS, .zzz VPN
# endpoint, .z router) sit outside .100-.200.
add name=dhcp ranges=172.16.0.100-172.16.0.200
/ip dhcp-server
add address-pool=dhcp interface="sfp-sfpplus1 - LAN" lease-time=1d name=\
"HOME DHCP SERVER"
/routing table
# Per-ISP FIBs, populated by the /ip route entries with routing-table=to_ISP1/to_ISP2.
add fib name=to_ISP1
add fib name=to_ISP2
/ip neighbor discovery-settings
# MNDP/CDP/LLDP is answered on everything except the WAN list, so the router does not
# advertise its identity/model/version toward the ISPs.
set discover-interface-list=!WAN
/ipv6 settings
# IPv6 is switched off entirely; the /ipv6 firewall further down is dormant until this changes.
set disable-ipv6=yes
/interface list member
add interface="sfp-sfpplus1 - LAN" list=LAN
add interface=ether2_WAN_Nordnet_ISP2 list=WAN
add interface="ether1_WAN Orange_ISP1" list=WAN
/ip address
add address=172.16.0.z/24 interface="sfp-sfpplus1 - LAN" network=172.16.0.0
/ip cloud
# Publishes the router's current public address to MikroTik's DDNS service every minute.
# This is an outbound disclosure of the WAN address (and the device serial-derived name)
# to a third party; the script under /system script does a separate, self-hosted check.
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
# Both uplinks get addresses by DHCP but deliberately take nothing else from the ISP:
# no default route (routing is the static per-ISP setup under /ip route), no DNS and
# no NTP, so an ISP-side DHCP server cannot redirect resolution or time.
add add-default-route=no interface="ether1_WAN Orange_ISP1" use-peer-dns=no \
use-peer-ntp=no
add add-default-route=no interface=ether2_WAN_Nordnet_ISP2 use-peer-dns=no \
use-peer-ntp=no
/ip dhcp-server network
# LAN clients use the router (.z) as resolver/gateway and the NAS (.yyy) as NTP source.
add address=172.16.0.0/24 dns-server=172.16.0.z domain=home.local.lan \
gateway=172.16.0.z netmask=24 ntp-server=172.16.0.yyy
/ip dns
# Forwarding resolver for the LAN. Upstreams appear to be AdGuard DNS family-filter
# addresses, queried as plain (unencrypted) DNS; RouterOS 7 can use use-doh-server= instead
# if the upstream offers DoH. allow-remote-requests=yes makes the resolver listen on the
# WAN addresses as well - the only thing keeping it from being an open resolver /
# amplification source is the input-chain default drop in /ip firewall filter.
set allow-remote-requests=yes servers=94.140.14.49,94.140.14.59
/ip firewall address-list
# not_in_internet: RFC 6890 special-purpose ranges plus multicast and the 6to4 anycast block.
# Used by the forward-chain rules that drop these as sources from the WAN and as
# destinations from the LAN. Note it contains 10.0.0.0/8, which also covers the
# 10.16.0.0/24 ISP-side segment listed under WANs below.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# Uptime-Robot: monitoring probes allowed to ping the router (input-chain ICMP accept).
# This is a point-in-time copy of the vendor's published probe list (export dated
# may/23/2022); nothing refreshes it, so a probe source added later is silently dropped
# until the list is updated by hand.
add address=69.162.124.226-69.162.124.237 list=Uptime-Robot
add address=63.143.42.242-63.143.42.253 list=Uptime-Robot
add address=46.137.190.132 list=Uptime-Robot
add address=122.248.234.23 list=Uptime-Robot
add address=167.99.209.234 list=Uptime-Robot
add address=178.62.52.237 list=Uptime-Robot
add address=54.79.28.129 list=Uptime-Robot
add address=54.94.142.218 list=Uptime-Robot
add address=104.131.107.63 list=Uptime-Robot
add address=54.67.10.127 list=Uptime-Robot
add address=54.64.67.106 list=Uptime-Robot
add address=159.203.30.41 list=Uptime-Robot
add address=46.101.250.135 list=Uptime-Robot
add address=216.144.250.150 list=Uptime-Robot
add address=216.245.221.82-216.245.221.93 list=Uptime-Robot
add address=18.221.56.27 list=Uptime-Robot
add address=52.60.129.180 list=Uptime-Robot
add address=159.89.8.111 list=Uptime-Robot
add address=146.185.143.14 list=Uptime-Robot
add address=139.59.173.249 list=Uptime-Robot
add address=165.227.83.148 list=Uptime-Robot
add address=128.199.195.156 list=Uptime-Robot
add address=138.197.150.151 list=Uptime-Robot
add address=34.233.66.117 list=Uptime-Robot
add address=208.115.199.18-208.115.199.30 list=Uptime-Robot
add address=65.21.217.70 list=Uptime-Robot
# LANs feeds the input-chain accept and the hairpin mark; WANs is the set of addresses the
# port-forwards and the hairpin mark treat as "the router's public side". Two WANs entries
# were redacted before pasting.
add address=172.16.0.0/24 list=LANs
add address=xxxxxxxx list=WANs
add address=xxxxxxxx list=WANs
# NOTE(review): presumably the private segment between this router and one ISP's CPE
# (10.16.0.1 is used as a route gateway below) - confirm. Listing the whole /24 rather than
# the router's own address on it makes every host on that segment a dst-nat match for the
# port-forwards, not just this router.
add address=10.16.0.0/24 list=WANs
# NOTE(review): the filter and NAT sections reference src-address-list=VPS, but no VPS list
# appears in this export. An undefined address-list matches nothing, so those two rules are
# inert until the list exists (unless it was simply stripped before pasting).
  98. /ip firewall filter
  99. add action=accept chain=input comment="default configuration" \
  100. connection-state=established,related
  101. add action=accept chain=input src-address-list=LANs
  102. add action=accept chain=input comment="Ping from Uptime Robot" protocol=icmp \
  103. src-address-list=Uptime-Robot
  104. add action=accept chain=input comment="Ping from VPS" protocol=icmp \
  105. src-address-list=VPS
  106. add action=fasttrack-connection chain=forward comment=FastTrack \
  107. connection-state=established,related hw-offload=yes
  108. add action=accept chain=forward comment="Established, Related" \
  109. connection-state=established,related
  110. add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
  111. log-prefix=invalid
  112. add action=drop chain=forward comment=\
  113. "Drop tries to reach not public addresses from LAN" disabled=yes \
  114. dst-address-list=not_in_internet in-interface="sfp-sfpplus1 - LAN" log=\
  115. yes log-prefix=!public_from_LAN out-interface="sfp-sfpplus1 - LAN"
  116. add action=drop chain=forward comment=\
  117. "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
  118. connection-state=new disabled=yes in-interface="ether1_WAN Orange_ISP1" \
  119. log=yes log-prefix=!NAT
  120. add action=drop chain=forward comment=\
  121. "Drop incoming from internet which is not public IP" disabled=yes \
  122. in-interface="ether1_WAN Orange_ISP1" log=yes log-prefix=!public \
  123. src-address-list=not_in_internet
  124. add action=drop chain=forward comment=\
  125. "Drop incoming from internet which is not public IP" disabled=yes \
  126. in-interface=ether2_WAN_Nordnet_ISP2 log=yes log-prefix=!public \
  127. src-address-list=not_in_internet
  128. add action=drop chain=forward comment=\
  129. "Drop packets from LAN that do not have LAN IP" disabled=yes \
  130. in-interface="sfp-sfpplus1 - LAN" log=yes log-prefix=LAN_!LAN \
  131. src-address=!172.16.0.0/24
  132. add action=drop chain=forward comment=\
  133. "Drop packets from LAN that do not have LAN IP" disabled=yes \
  134. in-interface="sfp-sfpplus1 - LAN" log=yes log-prefix=LAN_!LAN \
  135. src-address=!10.16.0.0/24
  136. add action=drop chain=input comment="Default Drop"
/ip firewall mangle
# Hairpin: connections from LAN addresses to the router's own WAN addresses get a
# connection mark that the "Hairpin NAT" srcnat masquerade keys on, so an internal
# server's replies come back through the router instead of straight to the LAN client.
add action=mark-connection chain=prerouting comment=\
"Mark connections for hairpin NAT" dst-address-list=WANs \
new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LANs
# Per-ISP stickiness for traffic the router itself originates (chain=output only): the
# first packet of a new, unmarked connection leaving via an ISP interface marks the
# connection, and every packet of a marked connection is then routed in that ISP's table
# so the whole session stays on the uplink it started on. Forwarded LAN traffic is not
# touched by these rules and keeps using the main table.
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=ISP1_conn out-interface=\
"ether1_WAN Orange_ISP1"
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1 out-interface="ether1_WAN Orange_ISP1"
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=ISP2_conn out-interface=\
ether2_WAN_Nordnet_ISP2
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2 out-interface=ether2_WAN_Nordnet_ISP2
/ip firewall nat
# Source NAT for hairpinned connections (marked in mangle) and for everything leaving
# via the WAN list.
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT"
add action=masquerade chain=srcnat comment="Masquerade WAN" \
out-interface-list=WAN
# Port-forwards. They match on dst-address-list=WANs, so each applies on both uplinks
# and from the LAN (hairpin). Only the 5510 rule carries a source restriction: the web
# server (.xxx), the NAS management/SFTP/backup/Plex ports (.yyy) and both VPN endpoints
# are redirected for any Internet source. Whether the redirected packet is then forwarded
# is decided by the forward chain in /ip firewall filter.
add action=dst-nat chain=dstnat comment=HTTP dst-address-list=WANs dst-port=\
80 protocol=tcp to-addresses=172.16.0.xxx to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS dst-address-list=WANs dst-port=\
443 protocol=tcp to-addresses=172.16.0.xxx to-ports=443
# NAS management (DSM) exposed directly on a non-default port. NOTE(review): an admin
# interface on the Internet is the highest-value target here; prefer reaching it over the
# VPN below, or at least a src-address-list like the 5510 rule if the remote peers are fixed.
add action=dst-nat chain=dstnat comment="Direct NAS DSM" dst-address-list=\
WANs dst-port=1604-1605 protocol=tcp to-addresses=172.16.0.yyy to-ports=\
1604-1605
add action=dst-nat chain=dstnat comment=SFTP dst-address-list=WANs dst-port=\
2211 protocol=tcp to-addresses=172.16.0.yyy to-ports=2211
# External 32401 -> Plex's default 32400.
add action=dst-nat chain=dstnat comment=Plex dst-address-list=WANs dst-port=\
32401 protocol=tcp to-addresses=172.16.0.yyy to-ports=32400
add action=dst-nat chain=dstnat comment="Remote Backup NAS" dst-address-list=\
WANs dst-port=6281 protocol=tcp to-addresses=172.16.0.yyy to-ports=6281
add action=dst-nat chain=dstnat comment="Veeam PN Site to Site" \
dst-address-list=WANs dst-port=1194 protocol=udp to-addresses=172.16.0.yyy \
to-ports=1194
# The only source-restricted forward. It depends on a VPS address-list that does not appear
# in this export; an undefined list matches nothing, so as pasted this rule never fires.
add action=dst-nat chain=dstnat comment="Active Backup for Business from VPS" \
dst-address-list=WANs dst-port=5510 protocol=tcp src-address-list=VPS \
to-addresses=172.16.0.yyy to-ports=5510
add action=dst-nat chain=dstnat comment="Veeam PN Point to Site" \
dst-address-list=WANs dst-port=6179 protocol=udp to-addresses=\
172.16.0.zzz to-ports=6179
/ip route
# Recursive next-hop failover: each probe address (8.8.8.8 / 8.8.4.4) is pinned to one ISP
# gateway, and the per-ISP default routes below use the probe address as their gateway with
# check-gateway=ping, so a table fails over when its ISP can no longer reach the probe.
# Side effect: any traffic (router or LAN) destined to 8.8.8.8 or 8.8.4.4 is forced onto
# that specific uplink.
# NOTE(review): 8.8.8.8 resolves via 10.16.0.1 and is the distance-1 gateway of to_ISP1;
# 8.8.4.4 resolves via 92.188.3.254 and is distance-1 for to_ISP2. Confirm that 10.16.0.1 is
# really the ISP1 (ether1, Orange) next hop and 92.188.3.254 the ISP2 one - if they are the
# other way round, each table prefers the wrong uplink, and the output-chain marks in
# /ip firewall mangle would then send ether1-sourced packets out via ether2 and vice versa.
add dst-address=8.8.8.8 gateway=10.16.0.1 scope=10
add dst-address=8.8.4.4 gateway=92.188.3.254 scope=10
# Per-ISP tables: primary via the own probe, fallback via the other ISP's probe.
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-table=to_ISP1
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-table=to_ISP1
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-table=to_ISP2
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-table=to_ISP2
# NOTE(review): no default route for the main table appears in this export, and both DHCP
# clients have add-default-route=no. Forwarded LAN traffic carries no routing-mark (the
# prerouting mangle rule only marks hairpin connections), so it is looked up in main; either
# a default route was removed before pasting or LAN Internet access is provided by something
# not shown here - verify on the device.
/ip service
# Management surface: telnet/ftp/api/api-ssl off; www, ssh and winbox bound to the LAN
# subnet. The input chain also drops everything not coming from LANs, so this is the
# second layer, not the only one.
set telnet disabled=yes
set ftp disabled=yes
# www is plain HTTP (credentials and session in clear on the LAN); www-ssl is not enabled in
# this export. NOTE(review): prefer www-ssl with a certificate and disable www, or keep it
# LAN-only as here and accept the cleartext.
set www address=172.16.0.0/24
# Non-default SSH port (redacted). Obscurity only - the address= restriction and the
# firewall are what actually limit access.
set ssh address=172.16.0.0/24 port=xxxx
set api disabled=yes
set winbox address=172.16.0.0/24
set api-ssl disabled=yes
/ip ssh
# strong-crypto=yes removes the legacy ciphers/MACs. forwarding-enabled=both lets any SSH
# login open local and remote TCP tunnels through the router, i.e. a pivot into the LAN for
# whoever holds a router credential or key. NOTE(review): set forwarding-enabled=no unless
# such tunnels are actually in use.
set forwarding-enabled=both strong-crypto=yes
/ipv6 firewall address-list
# Link-local and link-scope multicast: the only non-ICMPv6 sources allowed into the router.
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
# Dormant while /ipv6 settings has disable-ipv6=yes, but in place so that enabling IPv6
# later does not start from an open router.
# Input: replies, all ICMPv6 (unrestricted, no rate limit), UDP traceroute, DHCPv6-client
# replies from link-local, and the two address-list ranges; everything else is dropped.
add action=accept chain=input comment="allow established and related" \
connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
src-address-list=allowed
add action=drop chain=input
# Forward: replies only, invalid logged and dropped, then an unconditional drop (the last
# rule has a log-prefix but log=yes is not set, so it is silent). There is no accept for
# LAN-originated IPv6, so enabling IPv6 requires a LAN->WAN accept rule above the final drop.
add action=accept chain=forward comment=established,related connection-state=\
established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
yes log-prefix=ipv6,invalid
add action=drop chain=forward log-prefix=IPV6
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=MikRouter
/system note
# Pre-login banner shown on console, SSH and the web UI.
set note=\
"Authorized administrators only. Access to this device is monitored."
/system ntp client
set enabled=yes
/system ntp client servers
# Single time source: the NAS (.yyy). The WAN DHCP clients ignore ISP NTP (use-peer-ntp=no),
# so if the NAS is down or itself unsynced the router's clock drifts - which affects log
# timestamps, the scheduler below and any certificate validation enabled later.
add address=172.16.0.yyy
  226. /system scheduler
  227. add interval=5m name=CheckChangeExternalAdress on-event=\
  228. "/system script run CheckPublicIPChange;" policy=read,write,policy,test \
  229. start-date=may/17/2022 start-time=23:56:47
  230. /system script
  231. add dont-require-permissions=no name=CheckPublicIPChange owner=computman \
  232. policy=read,write,policy,test source=":global CurrentIP;\r\
  233. \n:local NewIP ([/tool fetch url=http://xxxxxxxxx.xxxx.xxx as-val\
  234. ue output=user] -> \"data\")\r\
  235. \n\r\
  236. \n:if (\$NewIP != \$CurrentIP) do={\r\
  237. \n # Variables\r\
  238. \n :local Time [/system clock get time];\r\
  239. \n :local Date [/system clock get date];\r\
  240. \n :local DeviceName [/system identity get name];\r\
  241. \n :local Text \"New IP: \$NewIP, Previous IP: \$CurrentIP\";\r\
  242. \n :set CurrentIP \$NewIP;\r\
  243. \n\r\
  244. \n\r\
  245. \n :local SendTo \"xxx@xxx.xxx\";\r\
  246. \n :local Subject \"\\F0\\9F\\9F\\A2 INFO: \$DeviceName [\$Date \$Time]\
  247. \_External IP address has changed.\";\r\
  248. \n :local MessageText \$Text;\r\
  249. \n# \$SendEmail SendTo=\$SendTo TextMail=\$MessageText Subject=\$Subjec\
  250. t FileName=\$FileName;\r\
  251. \n [/tool/e-mail/send to=\$SendTo body=\$MessageText subject=\$Subject]\
  252. \r\
  253. \n # END Send Email Module\r\
  254. \n};"
/tool bandwidth-server
# Bandwidth-test server off: nothing can use the router as a traffic generator.
set enabled=no
/tool e-mail
# SMTP relay is the NAS on the LAN. No tls= is set, so notification mail and the SMTP login
# of user computman (the export does not print the password) travel in clear on the LAN.
# NOTE(review): set tls=starttls or tls=yes if the relay supports it.
set address=172.16.0.yyy from=xxx@xxx.xxx user=computman
/tool graphing interface
# Traffic graphs for all three active interfaces, viewable from the LAN subnet only (served by www).
add allow-address=172.16.0.0/24 interface="sfp-sfpplus1 - LAN"
add allow-address=172.16.0.0/24 interface="ether1_WAN Orange_ISP1"
add allow-address=172.16.0.0/24 interface=ether2_WAN_Nordnet_ISP2
/tool mac-server
# Layer-2 management (MAC-telnet, MAC-WinBox, MAC-ping) disabled on every interface, so
# a host on the LAN segment cannot reach the router by MAC address without an IP path
# that the firewall and /ip service restrictions control.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no