Untitled

--- cryo-rtr-RB951x-0.2.9-default.rsc   2017-02-24 17:08:28.000000000 +0200
+++ cryo-rtr-RB951x-0.3.0-default.rsc   2017-05-21 19:52:06.422832076 +0300
@@ -1,4 +1,4 @@
-:global version                "0.2.9"
+:global version                "0.3.0"

 #Wifi settings
 :global wifiname       "Cryo"
@@ -6,26 +6,34 @@

 #VPN1 settings
 :global ifacevpn1      "l2tp-out1"
-:global vpnserver1     "vpn01.healthycold.com"
+:global vpnserver1     "server.cryomedpro.com"
 :global l2tpuser1      "default"
 :global l2tppassword1  "default"
-:global vpnsrvip1      "185.44.105.96"
+:global vpnsrvip1      "87.197.111.47"
 :global vpnpsk1                "X501:410:ffff:200:86ff"
+:global vpn1disabled   "no"

 #VPN2 settings
+:global vpnserver2     "vpn01.cryomedpro.com"
 :global ifacevpn2      "l2tp-out2"
-:global vpnserver2     "server.healthycold.com"
 :global l2tpuser2      "default"
 :global l2tppassword2  "default"
-:global vpnsrvip2      "87.197.111.47"
+:global vpnsrvip2      "185.44.105.96"
 :global vpnpsk2                "X501:410:ffff:200:86ff"
+:global vpn2disabled   "yes"
+
+#Hosts to ping
+:global hosts2ping 10.10.0.2,10.10.0.3

 #Do not edit other lines.
 :if ([:len [/file find name="sys-note.txt"]] > 0) do={ /file remove sys-note.txt; }
+
 /system note
 set note="Config version: $version"
+
 /interface bridge
 add auto-mac=yes name=bridge-local
+
 /interface ethernet
 set [ find default-name=ether1 ] name=ether1-gateway
 set [ find default-name=ether2 ] name=ether2-master-local
@@ -35,46 +43,60 @@
     ether4-slave-local
 set [ find default-name=ether5 ] master-port=ether2-master-local name=\
     ether5-slave-local
+
 /ip neighbor discovery
 set ether1-gateway discover=yes
+
 /interface wireless security-profiles
 set [ find default=yes ] supplicant-identity=MikroTik
 add authentication-types=wpa2-psk management-protection=allowed mode=\
     dynamic-keys name=Cryo supplicant-identity=MikroTik wpa2-pre-shared-key=\
     "$wifipassword"
+
 /interface wireless
 set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=dynamic \
     frequency=2427 mode=ap-bridge security-profile=Cryo ssid="$wifiname" \
     wireless-protocol=802.11
+
 /ip ipsec proposal
 set [ find default=yes ] disabled=yes
+
 /ip pool
 add name=dhcp ranges=10.10.0.10-10.10.0.99
+
 /ip dhcp-server
 add address-pool=dhcp disabled=no interface=bridge-local name=default
+
 /interface l2tp-client
-add allow=chap,mschap2 connect-to="$vpnserver1" disabled=no \
-    keepalive-timeout=30 max-mru=1300 max-mtu=1300 name=l2tp-out1 password=\
-    "$l2tppassword1" profile=default user="$l2tpuser1"
-add allow=chap,mschap2 connect-to="$vpnserver2" disabled=no \
-    keepalive-timeout=30 max-mru=1300 max-mtu=1300 name=l2tp-out2 password=\
-    "$l2tppassword2" profile=default user="$l2tpuser2"
+add allow=chap,mschap2 connect-to="$vpnserver1" \
+    keepalive-timeout=30 max-mru=1300 max-mtu=1300 name="$ifacevpn1" password=\
+    "$l2tppassword1" profile=default user="$l2tpuser1" disabled="$vpn1disabled"
+add allow=chap,mschap2 connect-to="$vpnserver2" \
+    keepalive-timeout=30 max-mru=1300 max-mtu=1300 name="$ifacevpn2" password=\
+    "$l2tppassword2" profile=default user="$l2tpuser2" disabled="$vpn2disabled"
+
 /interface bridge port
 add bridge=bridge-local interface=ether2-master-local
 add bridge=bridge-local interface=wlan1
+
 /ip address
 add address=10.10.0.1/24 comment="default configuration" interface=\
     bridge-local network=10.10.0.0
+
 /ip dhcp-client
 add comment="default configuration" dhcp-options=hostname,clientid disabled=\
     no interface=ether1-gateway
+
 /ip dhcp-server network
 add address=10.10.0.0/24 comment="default configuration" dns-server=\
     8.8.8.8,8.8.4.4 gateway=10.10.0.1 netmask=24
+
 /ip dns
 set allow-remote-requests=yes
+
 /ip dns static
 add address=10.10.0.1 name=router
+
 /ip firewall filter
 add chain=input protocol=icmp
 add chain=input connection-state=established,related
@@ -86,8 +108,7 @@
 add action=drop chain=input in-interface=ether1-gateway
 add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
 add chain=forward connection-state=established,related
-add chain=forward dst-address=10.10.0.2 dst-port=22,80,5900,61682 in-interface=all-ppp protocol=tcp
-add chain=forward dst-address=10.10.0.2 dst-port=21,22,80,5900,61682 in-interface=all-ppp protocol=tcp
+add chain=forward dst-address=10.10.0.2 dst-port=20,21,22,80,5900,61682 in-interface=all-ppp protocol=tcp
 add chain=forward dst-address=10.10.0.2 dst-port=61682 in-interface=all-ppp protocol=udp
 add chain=forward dst-address=10.10.0.3 dst-port=20,21,23,5001,8080 in-interface=all-ppp protocol=tcp
 add chain=forward dst-address=192.168.88.1 dst-port=22,80 in-interface=all-ppp protocol=tcp
@@ -98,12 +119,13 @@
 add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
 add action=reject chain=forward in-interface=all-ppp
 add action=reject chain=forward in-interface=ether1-gateway
+
 /ip firewall nat
 add action=masquerade chain=srcnat out-interface=all-ppp
 add action=masquerade chain=srcnat out-interface=ether1-gateway
 add action=dst-nat chain=dstnat dst-port=5021 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.2 to-ports=21
 add action=dst-nat chain=dstnat dst-port=5022 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.2 to-ports=22
-add action=dst-nat chain=dstnat dst-port=80,5900,61682 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.2
+add action=dst-nat chain=dstnat dst-port=80,5900,8000,20248,61682 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.2
 add action=dst-nat chain=dstnat dst-port=61682 in-interface=all-ppp protocol=udp to-addresses=10.10.0.2 to-ports=61682
 add action=dst-nat chain=dstnat dst-port=20,21,23,5001,8080 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.3
 add action=dst-nat chain=dstnat dst-port=222 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.1 to-ports=22
@@ -114,8 +136,10 @@
 add action=dst-nat chain=dstnat dst-port=2222 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.1 to-ports=22
 add action=dst-nat chain=dstnat dst-port=88 in-interface=all-ppp protocol=tcp to-addresses=192.168.88.1 to-ports=80
 add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.1 to-ports=80
+
 /ip ipsec policy
 set 0 disabled=yes
+
 /ip route
 add check-gateway=ping distance=1 dst-address=10.0.0.0/24 gateway=10.0.0.1
 add check-gateway=ping distance=10 dst-address=10.1.0.0/24 gateway=10.0.0.1
@@ -123,14 +147,25 @@
 add check-gateway=ping distance=10 dst-address=10.0.0.0/24 gateway=10.1.0.1
 add check-gateway=ping distance=1 dst-address=10.1.0.0/24 gateway=10.1.0.1
 add check-gateway=ping distance=10 dst-address=192.168.1.0/24 gateway=10.1.0.1
+
 /system clock
 set time-zone-autodetect=yes
+
 /system identity
-set name="cryo-rtr-$version"
+set name="cryo-rtr-$version-$l2tpuser1"
+
+/system logging action
+add disk-file-count=2 disk-file-name=flash/script-warnings-log disk-lines-per-file=5000 name=file target=disk
+
+/system logging
+set 2 topics=warning,!script
+add action=file topics=script,warning
+
 /system ntp client
 set enabled=yes server-dns-names=pool.ntp.org
+
 /user set admin password=Cryosauna group=full
-/user add name=pilson password=PfkegjukfprF group=full
+
 /system script
 add name=ipsecwanip source="# IPsec remote host and PSK\
     \n:local vpnsrv1 \"$vpnserver1\";\
@@ -150,8 +185,8 @@
     \n# Get IP from IPsec policy and return \"0\" if fail\
     \n:local getipoldstaddr do={\
     \n    :do {\
-    \n        :local ipaddr [/ip ipsec policy get value-name=src-address [find sa-dst-address=\"\$1\"]];\
-    \n        :return \"\$ipaddr\";\
+    \n        :local ip [/ip ipsec policy get value-name=src-address [find dst-address=\"\$1/32\"]];\
+    \n        :return \"\$ip\";\
     \n    } on-error={return \"0\"};\
     \n}\
     \n\
@@ -166,12 +201,12 @@
     \n:local dhost2 [\$getipfromname \$vpnsrv2];\
     \n\
     \nif (\$dhost1 = 0 ) do={\
-    \n    :log warning \"Could not resolve IP of \$vpnsrv1, using \$vpnsrv1default\";\
+    \n    :log info \"Could not resolve IP of \$vpnsrv1, using \$vpnsrv1default\";\
     \n    :set dhost1 \"\$vpnsrv1default\";\
     \n}\
     \n\
     \nif (\$dhost2 = 0 ) do={\
-    \n    :log warning \"Could not resolve IP of \$vpnsrv2, using \$vpnsrv2default\";\
+    \n    :log info \"Could not resolve IP of \$vpnsrv2, using \$vpnsrv2default\";\
     \n    :set dhost2 \"\$vpnsrv2default\";\
     \n}\
     \n\
@@ -182,9 +217,13 @@
     \n:if ( \$policywanip1 != \$ipsecwanip or \$policywanip2 != \$ipsecwanip) do={\
     \n    :local ipsecdhost1 \"\$dhost1/32\"\
     \n    :local ipsecdhost2 \"\$dhost2/32\"\
+    \n    :local vpn1disabled [/system scheduler get l2tp-out1-up disabled];\
+    \n    :local vpn2disabled [/system scheduler get l2tp-out2-up disabled];\
+    \n\
+    \n    :log info \"policywanip1: \$policywanip1, policywanip2: \$policywanip2, ipsecwanip: \$ipsecwanip\";\
+    \n    :log info \"Reinstalling IPsec rules. WAN IP: \$wanip, remote ip1: \$dhost1\";\
+    \n    :log info \"Reinstalling IPsec rules. WAN IP: \$wanip, remote ip2: \$dhost2\";\
     \n\
-    \n    :log warning \"Reinstalling IPsec rules. WAN IP: \$wanip, remote ip1: \$dhost1\";\
-    \n    :log warning \"Reinstalling IPsec rules. WAN IP: \$wanip, remote ip2: \$dhost2\";\
     \n    # Remove IPsec rules\
     \n    /interface l2tp-client disable \"\$ifacevpn1\";\
     \n    /interface l2tp-client disable \"\$ifacevpn2\";\
@@ -225,15 +264,19 @@
     \n        proposal=\"\$dhost2\" protocol=udp sa-dst-address=\"\$dhost2\" \\\
     \n        sa-src-address=\"\$wanip\" src-address=\"\$ipsecwanip\" comment=\"\$vpnsrv2\";\
     \n        :delay 0.5;\
-    \n        /interface l2tp-client enable \"\$ifacevpn1\";\
-    \n        /interface l2tp-client enable \"\$ifacevpn2\";\
+    \n    :if (\$vpn1disabled = \"false\") do={\
+    \n            /interface l2tp-client enable \"\$ifacevpn1\";\
+    \n    }\
+    \n    :if (\$vpn2disabled = \"false\") do={\
+    \n            /interface l2tp-client enable \"\$ifacevpn2\";\
+    \n    }\
     \n}\
     \n"
 add name=l2tp-out1-up source="# Auto-UP $ifacevpn1\
     \n\
     \nlocal l2ifr [/interface l2tp-client get $ifacevpn1 running];\
     \nif ( \$l2ifr != true ) do={\
-    \n    :log warning \"$ifacevpn1 is not active. Restarting...\"\
+    \n    :log info \"$ifacevpn1 is not active. Restarting...\"\
     \n    /interface l2tp-client disable $ifacevpn1;\
     \n    :delay 5;\
     \n    /interface l2tp-client enable $ifacevpn1;\
@@ -243,26 +286,40 @@
     \n\
     \nlocal l2ifr [/interface l2tp-client get $ifacevpn2 running];\
     \nif ( \$l2ifr != true ) do={\
-    \n    :log warning \"$ifacevpn2 is not active. Restarting...\"\
+    \n    :log info \"$ifacevpn2 is not active. Restarting...\"\
     \n    /interface l2tp-client disable $ifacevpn2;\
     \n    :delay 5;\
     \n    /interface l2tp-client enable $ifacevpn2;\
     \n}\
     \n"
+add name=pinger source="# Pinger\
+    \n:local hosts $hosts2ping;\
+    \n:foreach host in=\"\$hosts\" do={\
+    \n    :if ([/ping \$host count=5] = 0) do={\
+    \n        :log warning \"$l2tpuser1 \$host ping failed\";\
+    \n    }\
+    \n}\
+    \n"
 add name=vars source="# Global variables\
     \n\
     \nlocal version \"$version\";\
     \n:execute \":global version \\\"$version\\\"\";\
     \n"
+
 set ipsecwanip owner=ipsecwanip
 set l2tp-out1-up owner=l2tp-out1-up
 set l2tp-out2-up owner=l2tp-out2-up
 set vars owner=vars
+set pinger owner=pinger
+
 /system scheduler
 add interval=0s name=vars on-event=vars start-time=startup
 add interval=1m name=ipsecwanip on-event=ipsecwanip \
     start-time=startup
 add interval=1m name=l2tp-out1-up on-event=l2tp-out1-up \
-    start-time=startup
+    start-time=startup disabled="$vpn1disabled"
 add interval=1m name=l2tp-out2-up on-event=l2tp-out2-up \
+    start-time=startup disabled="$vpn2disabled"
+add interval=1m name=pinger on-event=pinger \
     start-time=startup
+