- --- cryo-rtr-RB951x-0.2.9-default.rsc 2017-02-24 17:08:28.000000000 +0200
- +++ cryo-rtr-RB951x-0.3.0-default.rsc 2017-05-21 19:52:06.422832076 +0300
- @@ -1,4 +1,4 @@
- -:global version "0.2.9"
- +:global version "0.3.0"
- #Wifi settings
- :global wifiname "Cryo"
- @@ -6,26 +6,34 @@
- #VPN1 settings
- :global ifacevpn1 "l2tp-out1"
- -:global vpnserver1 "vpn01.healthycold.com"
- +:global vpnserver1 "server.cryomedpro.com"
- :global l2tpuser1 "default"
- :global l2tppassword1 "default"
- -:global vpnsrvip1 "185.44.105.96"
- +:global vpnsrvip1 "87.197.111.47"
- :global vpnpsk1 "X501:410:ffff:200:86ff"
- +:global vpn1disabled "no"
- #VPN2 settings
- +:global vpnserver2 "vpn01.cryomedpro.com"
- :global ifacevpn2 "l2tp-out2"
- -:global vpnserver2 "server.healthycold.com"
- :global l2tpuser2 "default"
- :global l2tppassword2 "default"
- -:global vpnsrvip2 "87.197.111.47"
- +:global vpnsrvip2 "185.44.105.96"
- :global vpnpsk2 "X501:410:ffff:200:86ff"
- +:global vpn2disabled "yes"
- +
- +#Hosts to ping
- +:global hosts2ping 10.10.0.2,10.10.0.3
- #Do not edit other lines.
- :if ([:len [/file find name="sys-note.txt"]] > 0) do={ /file remove sys-note.txt; }
- +
- /system note
- set note="Config version: $version"
- +
- /interface bridge
- add auto-mac=yes name=bridge-local
- +
- /interface ethernet
- set [ find default-name=ether1 ] name=ether1-gateway
- set [ find default-name=ether2 ] name=ether2-master-local
- @@ -35,46 +43,60 @@
- ether4-slave-local
- set [ find default-name=ether5 ] master-port=ether2-master-local name=\
- ether5-slave-local
- +
- /ip neighbor discovery
- set ether1-gateway discover=yes
- +
- /interface wireless security-profiles
- set [ find default=yes ] supplicant-identity=MikroTik
- add authentication-types=wpa2-psk management-protection=allowed mode=\
- dynamic-keys name=Cryo supplicant-identity=MikroTik wpa2-pre-shared-key=\
- "$wifipassword"
- +
- /interface wireless
- set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=dynamic \
- frequency=2427 mode=ap-bridge security-profile=Cryo ssid="$wifiname" \
- wireless-protocol=802.11
- +
- /ip ipsec proposal
- set [ find default=yes ] disabled=yes
- +
- /ip pool
- add name=dhcp ranges=10.10.0.10-10.10.0.99
- +
- /ip dhcp-server
- add address-pool=dhcp disabled=no interface=bridge-local name=default
- +
- /interface l2tp-client
- -add allow=chap,mschap2 connect-to="$vpnserver1" disabled=no \
- - keepalive-timeout=30 max-mru=1300 max-mtu=1300 name=l2tp-out1 password=\
- - "$l2tppassword1" profile=default user="$l2tpuser1"
- -add allow=chap,mschap2 connect-to="$vpnserver2" disabled=no \
- - keepalive-timeout=30 max-mru=1300 max-mtu=1300 name=l2tp-out2 password=\
- - "$l2tppassword2" profile=default user="$l2tpuser2"
- +add allow=chap,mschap2 connect-to="$vpnserver1" \
- + keepalive-timeout=30 max-mru=1300 max-mtu=1300 name="$ifacevpn1" password=\
- + "$l2tppassword1" profile=default user="$l2tpuser1" disabled="$vpn1disabled"
- +add allow=chap,mschap2 connect-to="$vpnserver2" \
- + keepalive-timeout=30 max-mru=1300 max-mtu=1300 name="$ifacevpn2" password=\
- + "$l2tppassword2" profile=default user="$l2tpuser2" disabled="$vpn2disabled"
- +
- /interface bridge port
- add bridge=bridge-local interface=ether2-master-local
- add bridge=bridge-local interface=wlan1
- +
- /ip address
- add address=10.10.0.1/24 comment="default configuration" interface=\
- bridge-local network=10.10.0.0
- +
- /ip dhcp-client
- add comment="default configuration" dhcp-options=hostname,clientid disabled=\
- no interface=ether1-gateway
- +
- /ip dhcp-server network
- add address=10.10.0.0/24 comment="default configuration" dns-server=\
- 8.8.8.8,8.8.4.4 gateway=10.10.0.1 netmask=24
- +
- /ip dns
- set allow-remote-requests=yes
- +
- /ip dns static
- add address=10.10.0.1 name=router
- +
- /ip firewall filter
- add chain=input protocol=icmp
- add chain=input connection-state=established,related
- @@ -86,8 +108,7 @@
- add action=drop chain=input in-interface=ether1-gateway
- add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
- add chain=forward connection-state=established,related
- -add chain=forward dst-address=10.10.0.2 dst-port=22,80,5900,61682 in-interface=all-ppp protocol=tcp
- -add chain=forward dst-address=10.10.0.2 dst-port=21,22,80,5900,61682 in-interface=all-ppp protocol=tcp
- +add chain=forward dst-address=10.10.0.2 dst-port=20,21,22,80,5900,61682 in-interface=all-ppp protocol=tcp
- add chain=forward dst-address=10.10.0.2 dst-port=61682 in-interface=all-ppp protocol=udp
- add chain=forward dst-address=10.10.0.3 dst-port=20,21,23,5001,8080 in-interface=all-ppp protocol=tcp
- add chain=forward dst-address=192.168.88.1 dst-port=22,80 in-interface=all-ppp protocol=tcp
- @@ -98,12 +119,13 @@
- add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
- add action=reject chain=forward in-interface=all-ppp
- add action=reject chain=forward in-interface=ether1-gateway
- +
- /ip firewall nat
- add action=masquerade chain=srcnat out-interface=all-ppp
- add action=masquerade chain=srcnat out-interface=ether1-gateway
- add action=dst-nat chain=dstnat dst-port=5021 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.2 to-ports=21
- add action=dst-nat chain=dstnat dst-port=5022 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.2 to-ports=22
- -add action=dst-nat chain=dstnat dst-port=80,5900,61682 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.2
- +add action=dst-nat chain=dstnat dst-port=80,5900,8000,20248,61682 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.2
- add action=dst-nat chain=dstnat dst-port=61682 in-interface=all-ppp protocol=udp to-addresses=10.10.0.2 to-ports=61682
- add action=dst-nat chain=dstnat dst-port=20,21,23,5001,8080 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.3
- add action=dst-nat chain=dstnat dst-port=222 in-interface=all-ppp protocol=tcp to-addresses=10.10.0.1 to-ports=22
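Review bot: The rewritten dst-nat rule now maps ports 8000 and 20248 to 10.10.0.2, but the forward-chain accept for that host in the earlier filter hunk lists only `20,21,22,80,5900,61682`, so after translation those two ports fall through to `add action=reject chain=forward in-interface=all-ppp` unless a rule in the lines between the two hunks admits them. If exposing them is intended, the filter rule should read `add chain=forward dst-address=10.10.0.2 dst-port=20,21,22,80,5900,8000,20248,61682 in-interface=all-ppp protocol=tcp`; otherwise the NAT entry widens the mapped port set without effect. The absence of `to-ports` on this line matches the old rule, so the internal ports are assumed to equal the external ones.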
- @@ -114,8 +136,10 @@
- add action=dst-nat chain=dstnat dst-port=2222 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.1 to-ports=22
- add action=dst-nat chain=dstnat dst-port=88 in-interface=all-ppp protocol=tcp to-addresses=192.168.88.1 to-ports=80
- add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.1 to-ports=80
- +
- /ip ipsec policy
- set 0 disabled=yes
- +
- /ip route
- add check-gateway=ping distance=1 dst-address=10.0.0.0/24 gateway=10.0.0.1
- add check-gateway=ping distance=10 dst-address=10.1.0.0/24 gateway=10.0.0.1
- @@ -123,14 +147,25 @@
- add check-gateway=ping distance=10 dst-address=10.0.0.0/24 gateway=10.1.0.1
- add check-gateway=ping distance=1 dst-address=10.1.0.0/24 gateway=10.1.0.1
- add check-gateway=ping distance=10 dst-address=192.168.1.0/24 gateway=10.1.0.1
- +
- /system clock
- set time-zone-autodetect=yes
- +
- /system identity
- -set name="cryo-rtr-$version"
- +set name="cryo-rtr-$version-$l2tpuser1"
- +
- +/system logging action
- +add disk-file-count=2 disk-file-name=flash/script-warnings-log disk-lines-per-file=5000 name=file target=disk
- +
- +/system logging
- +set 2 topics=warning,!script
- +add action=file topics=script,warning
- +
- /system ntp client
- set enabled=yes server-dns-names=pool.ntp.org
- +
- /user set admin password=Cryosauna group=full
- -/user add name=pilson password=PfkegjukfprF group=full
- +
- /system script
- add name=ipsecwanip source="# IPsec remote host and PSK\
- \n:local vpnsrv1 \"$vpnserver1\";\
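Review bot: `set name="cryo-rtr-$version-$l2tpuser1"` embeds the L2TP account name in the system identity, which RouterOS advertises via neighbor discovery, and the earlier hunk keeps `set ether1-gateway discover=yes` on the WAN-facing port, so the VPN username becomes visible to anything on that segment. Keep the identity to non-secret values, e.g. `set name="cryo-rtr-$version"`, or take a site label from a separate global if per-unit naming is needed. The new `set 2 topics=warning,!script` addresses a logging rule by its position in the default list, which fails silently if the defaults differ on the target unit; selecting it with `set [ find topics=warning ] topics=warning,!script` should be more robust — confirm against the default rule set of the RouterOS version in use.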
- @@ -150,8 +185,8 @@
- \n# Get IP from IPsec policy and return \"0\" if fail\
- \n:local getipoldstaddr do={\
- \n :do {\
- - \n :local ipaddr [/ip ipsec policy get value-name=src-address [find sa-dst-address=\"\$1\"]];\
- - \n :return \"\$ipaddr\";\
- + \n :local ip [/ip ipsec policy get value-name=src-address [find dst-address=\"\$1/32\"]];\
- + \n :return \"\$ip\";\
- \n } on-error={return \"0\"};\
- \n}\
- \n\
- @@ -166,12 +201,12 @@
- \n:local dhost2 [\$getipfromname \$vpnsrv2];\
- \n\
- \nif (\$dhost1 = 0 ) do={\
- - \n :log warning \"Could not resolve IP of \$vpnsrv1, using \$vpnsrv1default\";\
- + \n :log info \"Could not resolve IP of \$vpnsrv1, using \$vpnsrv1default\";\
- \n :set dhost1 \"\$vpnsrv1default\";\
- \n}\
- \n\
- \nif (\$dhost2 = 0 ) do={\
- - \n :log warning \"Could not resolve IP of \$vpnsrv2, using \$vpnsrv2default\";\
- + \n :log info \"Could not resolve IP of \$vpnsrv2, using \$vpnsrv2default\";\
- \n :set dhost2 \"\$vpnsrv2default\";\
- \n}\
- \n\
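Review bot: Lowering the two resolution-failure messages from `:log warning` to `:log info` removes them from the disk log this same change introduces, because `add action=file topics=script,warning` only captures script messages that also carry the warning topic; silently falling back to a hard-coded server address is exactly the event an operator later wants to find persisted. Keep these two lines at `:log warning`, or add a second file rule for `script,info`, so the fallback remains visible after a reboot. The same downgrade is applied to the "is not active. Restarting..." messages in the two later l2tp-out hunks, which are the tunnel-restart events.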
- @@ -182,9 +217,13 @@
- \n:if ( \$policywanip1 != \$ipsecwanip or \$policywanip2 != \$ipsecwanip) do={\
- \n :local ipsecdhost1 \"\$dhost1/32\"\
- \n :local ipsecdhost2 \"\$dhost2/32\"\
- + \n :local vpn1disabled [/system scheduler get l2tp-out1-up disabled];\
- + \n :local vpn2disabled [/system scheduler get l2tp-out2-up disabled];\
- + \n\
- + \n :log info \"policywanip1: \$policywanip1, policywanip2: \$policywanip2, ipsecwanip: \$ipsecwanip\";\
- + \n :log info \"Reinstalling IPsec rules. WAN IP: \$wanip, remote ip1: \$dhost1\";\
- + \n :log info \"Reinstalling IPsec rules. WAN IP: \$wanip, remote ip2: \$dhost2\";\
- \n\
- - \n :log warning \"Reinstalling IPsec rules. WAN IP: \$wanip, remote ip1: \$dhost1\";\
- - \n :log warning \"Reinstalling IPsec rules. WAN IP: \$wanip, remote ip2: \$dhost2\";\
- \n # Remove IPsec rules\
- \n /interface l2tp-client disable \"\$ifacevpn1\";\
- \n /interface l2tp-client disable \"\$ifacevpn2\";\
- @@ -225,15 +264,19 @@
- \n proposal=\"\$dhost2\" protocol=udp sa-dst-address=\"\$dhost2\" \\\
- \n sa-src-address=\"\$wanip\" src-address=\"\$ipsecwanip\" comment=\"\$vpnsrv2\";\
- \n :delay 0.5;\
- - \n /interface l2tp-client enable \"\$ifacevpn1\";\
- - \n /interface l2tp-client enable \"\$ifacevpn2\";\
- + \n :if (\$vpn1disabled = \"false\") do={\
- + \n /interface l2tp-client enable \"\$ifacevpn1\";\
- + \n }\
- + \n :if (\$vpn2disabled = \"false\") do={\
- + \n /interface l2tp-client enable \"\$ifacevpn2\";\
- + \n }\
- \n}\
- \n"
- add name=l2tp-out1-up source="# Auto-UP $ifacevpn1\
- \n\
- \nlocal l2ifr [/interface l2tp-client get $ifacevpn1 running];\
- \nif ( \$l2ifr != true ) do={\
- - \n :log warning \"$ifacevpn1 is not active. Restarting...\"\
- + \n :log info \"$ifacevpn1 is not active. Restarting...\"\
- \n /interface l2tp-client disable $ifacevpn1;\
- \n :delay 5;\
- \n /interface l2tp-client enable $ifacevpn1;\
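Review bot: The new guards `:if (\$vpn1disabled = \"false\")` compare against a string, while the locals declared in the previous hunk are filled from `[/system scheduler get l2tp-out1-up disabled]`, which returns a boolean; if the comparison does not coerce, neither branch runs and both tunnels stay disabled after every IPsec rule rebuild, which this script performs whenever the WAN address changes. Use the boolean form, `:if (\$vpn1disabled = false) do={` and likewise for vpn2, and confirm the comparison behaviour on the target RouterOS version. Those locals also shadow the globals `vpn1disabled`/`vpn2disabled` from the header hunk, which hold `"yes"`/`"no"` rather than a boolean, so a distinct name such as `sched1disabled` would keep the two value domains apart. The ipsecwanip script source begins outside this hunk.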
- @@ -243,26 +286,40 @@
- \n\
- \nlocal l2ifr [/interface l2tp-client get $ifacevpn2 running];\
- \nif ( \$l2ifr != true ) do={\
- - \n :log warning \"$ifacevpn2 is not active. Restarting...\"\
- + \n :log info \"$ifacevpn2 is not active. Restarting...\"\
- \n /interface l2tp-client disable $ifacevpn2;\
- \n :delay 5;\
- \n /interface l2tp-client enable $ifacevpn2;\
- \n}\
- \n"
- +add name=pinger source="# Pinger\
- + \n:local hosts $hosts2ping;\
- + \n:foreach host in=\"\$hosts\" do={\
- + \n :if ([/ping \$host count=5] = 0) do={\
- + \n :log warning \"$l2tpuser1 \$host ping failed\";\
- + \n }\
- + \n}\
- + \n"
- add name=vars source="# Global variables\
- \n\
- \nlocal version \"$version\";\
- \n:execute \":global version \\\"$version\\\"\";\
- \n"
- +
- set ipsecwanip owner=ipsecwanip
- set l2tp-out1-up owner=l2tp-out1-up
- set l2tp-out2-up owner=l2tp-out2-up
- set vars owner=vars
- +set pinger owner=pinger
- +
- /system scheduler
- add interval=0s name=vars on-event=vars start-time=startup
- add interval=1m name=ipsecwanip on-event=ipsecwanip \
- start-time=startup
- add interval=1m name=l2tp-out1-up on-event=l2tp-out1-up \
- - start-time=startup
- + start-time=startup disabled="$vpn1disabled"
- add interval=1m name=l2tp-out2-up on-event=l2tp-out2-up \
- + start-time=startup disabled="$vpn2disabled"
- +add interval=1m name=pinger on-event=pinger \
- start-time=startup
- +
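Review bot: In the pinger script, `:foreach host in=\"\$hosts\"` wraps the list in quotes, so the loop body may receive the single string `10.10.0.2,10.10.0.3` instead of two addresses, and the `/ping` of that value would then report failure for both hosts at once; dropping the quotes, `:foreach host in=\$hosts do={`, or iterating over `[:toarray \$hosts]` keeps one ping per host — confirm on the target version. The `hosts2ping` global is the only unquoted global in the header hunk and is expanded into the script text at import time, so a value containing spaces would alter the script's syntax rather than its data. The warning line also logs `$l2tpuser1` with every failed host, which puts the VPN account name into each ping-failure entry of the new disk log.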