  1. [admin@MikroTik] > /export
  2. # oct/09/2018 16:34:44 by RouterOS 6.43.2
  3. # software id = 6A4C-U1D3
  4. #
  5. # model = 951G-2HnD
  6. # serial number =
  7. /interface bridge
  8. add admin-mac= auto-mac=no comment=defconf fast-forward=no name=bridge
  9. /interface wireless
  10. set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-6F5991 wireless-protocol=802.11
  11. /interface ethernet
  12. set [ find default-name=ether1 ] speed=100Mbps
  13. set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
  14. set [ find default-name=ether3 ] speed=100Mbps
  15. set [ find default-name=ether4 ] speed=100Mbps
  16. set [ find default-name=ether5 ] speed=100Mbps
  17. /interface list
  18. add exclude=dynamic name=discover
  19. add name=mactel
  20. add name=mac-winbox
  21. /interface wireless security-profiles
  22. set [ find default=yes ] supplicant-identity=MikroTik
  23. /ip ipsec peer profile
  24. add dh-group=modp768 enc-algorithm=aes-256 name=profile_1
  25. add dh-group=modp768 enc-algorithm=aes-256 name=profile_2
  26. add dh-group=modp768 enc-algorithm=aes-256 name=profile_3
  27. add dh-group=modp768 enc-algorithm=aes-256 name=profile_4
  28. /ip ipsec proposal
  29. set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr lifetime=1d pfs-group=modp768
  30. /ip pool
  31. add name=dhcp ranges=192.168.88.10-192.168.88.254
  32. /ip dhcp-server
  33. add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge name=defconf
  34. /snmp community
  35. set [ find default=yes ] addresses=0.0.0.0/0
  36. /system logging action
  37. set 0 memory-lines=1
  38. set 1 disk-file-name=log
/interface bridge port
# ether2-5 and the wireless AP form one L2 segment; ether1 (WAN) is not a member.
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery announces the router only on interfaces in the "discover" list.
set discover-interface-list=discover
/interface list member
# "discover" holds the LAN ports, wlan1 and the bridge; "mactel" and "mac-winbox" (used by
# /tool mac-server below) hold only the bridge. ether1 is in none of them, so the router is
# neither discoverable nor MAC-telnet/MAC-Winbox reachable from the WAN side. Keep it so.
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
# NOTE(review): the LAN gateway address is on ether2-master, which is itself a member of
# "bridge" (see /interface bridge port). On the post-6.41 bridge the address is normally
# placed on the bridge interface; confirm with "/ip address print" that this entry is not
# flagged invalid and that wlan1/ether3-5 clients can actually reach 192.168.88.1.
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
# WAN address (redacted by the poster).
add address=###.###.###.###/25 interface=ether1 network=###.###.###.###
/ip dhcp-client
# NOTE(review): a DHCP client on ether1 next to the static /25 above, and a static default
# route further down; confirm which of the two is the intended source of WAN addressing.
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
# LAN clients are pointed at 192.168.98.1 (a remote internal net reached through the IPsec
# policies below) and two public resolvers, not at this router, so their name resolution
# depends on the tunnel being up and does not rely on the router's own resolver.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.98.1,77.88.8.88,77.88.8.2 gateway=192.168.88.1 ntp-server=216.239.35.8
/ip dns
# allow-remote-requests=yes turns the router into a recursive resolver for every source the
# input chain lets reach port 53, so the filter rules, not this line, decide whether it is an
# open resolver. Nothing in the DHCP scope above depends on it; it is only needed for the
# static names below.
set allow-remote-requests=yes servers=192.168.98.1,109.194.160.1,109.194.161.1
/ip dns static
# Local names, resolvable only by clients that query this router directly.
add address=192.168.88.1 name=router
add address=192.168.91.16 name=unifi
  68. /ip firewall address-list
  69. add address=192.168.91.0/24 list="Internal nets"
  70. add address=192.168.88.0/24 list="Internal nets"
  71. add address=192.168.90.0/24 list="Internal nets"
  72. add address=192.168.98.0/24 list="Internal nets"
  73. add address=192.168.92.0/24 list="Internal nets"
  74. /ip firewall filter
  75. add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  76. add chain=input comment="Allow  IKE/NAT-T  for  IPSec" dst-port=500,4500 log-prefix=IKE/NAT-T protocol=udp
  77. add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
  78. add chain=output comment="Allow IKE/NAT-T for IPSec" log-prefix=IKE/NAT-T protocol=udp src-port=500,4500
  79. add chain=output comment="Allow ESP for IPSec" log-prefix=ESP protocol=ipsec-esp
  80. add chain=forward comment="Accept, when packet from internal net to internal net (between vlans)" dst-address-list="Internal nets" src-address-list="Internal nets"
  81. add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
  82. add action=accept chain=input src-address-list="Internal nets"
  83. add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=ether1
  84. add action=accept chain=forward disabled=yes dst-address=192.168.88.3 dst-port=443 protocol=tcp
  85. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
  86. add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
  87. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
  88. add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
  89. add chain=input comment="Input Chain" connection-state=established
  90. add chain=input connection-state=related
  91. add action=drop chain=input connection-state=invalid
  92. add chain=input protocol=icmp
  93. add chain=input dst-port=8291 protocol=tcp
  94. add chain=input in-interface=bridge
  95. add action=log chain=input disabled=yes log-prefix=Drop
  96. add action=drop chain=input
  97. add action=add-src-to-address-list address-list=Ok address-list-timeout=15s chain=input comment=sysadminpxy dst-port=8080 protocol=tcp
/ip firewall nat
# Transparent-proxy redirect of LAN HTTP to a local 8080 listener, skipped for sources in
# the "Ok" list. Disabled. Before enabling, confirm the matching "sysadminpxy"
# add-src-to-address-list rule in the input chain is actually reachable.
add action=redirect chain=dstnat comment=sysadminpxy disabled=yes dst-port=80 protocol=tcp src-address-list=!Ok to-ports=8080
# Traffic that an IPsec policy will encapsulate must bypass masquerade, otherwise the
# policy selector never matches the rewritten source. log-prefix has no effect on accept.
add action=accept chain=srcnat comment="Does not touch IPSec ESP packets to avoid break packets checksum" ipsec-policy=out,ipsec log-prefix="NAT avoid" out-interface=ether1
# NOTE(review): no dst-port on this rule. If enabled as written it would netmap *every*
# TCP connection arriving on ether1 to 192.168.88.3:443. Add dst-port=443 before enabling.
add action=netmap chain=dstnat disabled=yes in-interface=ether1 protocol=tcp to-addresses=192.168.88.3 to-ports=443
# Exempt traffic to 192.168.88.3:443 and :17990 from srcnat. Masquerade below is bound to
# out-interface=ether1, so these only take effect if such traffic ever leaves via ether1.
add action=accept chain=srcnat dst-address=192.168.88.3 dst-port=443 protocol=tcp
add action=accept chain=srcnat dst-address=192.168.88.3 dst-port=17990 protocol=tcp
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
# NOTE(review): same issue as the :443 netmap above, no dst-port restriction. Confirm what
# service on 192.168.88.3 port 17990 fronts and add dst-port=17990 before enabling.
add action=netmap chain=dstnat disabled=yes in-interface=ether1 protocol=tcp to-addresses=192.168.88.3 to-ports=17990
  106. /ip ipsec peer
  107. add address=###.###.###.###/32 generate-policy=port-override profile=profile_1 secret="%PAssw#ord"
  108. add address=###.###.###.###/32 generate-policy=port-override profile=profile_2 secret="%PAssw#ord"
  109. add address=###.###.###.###/32 generate-policy=port-override profile=profile_3 secret="%PAssw#ord"
  110. add address=###.###.###.###/32 generate-policy=port-override profile=profile_4 secret="%PAssw#ord"
  111. /ip ipsec policy
  112. set 0 disabled=yes
  113. add dst-address=192.168.91.0/24 sa-dst-address=###.###.###.### sa-src-address=###.###.###.### src-address=192.168.88.0/24 tunnel=yes
  114. add dst-address=192.168.90.0/24 sa-dst-address=###.###.###.### sa-src-address=###.###.###.### src-address=192.168.88.0/24 tunnel=yes
  115. add dst-address=192.168.98.0/24 sa-dst-address=###.###.###.### sa-src-address=###.###.###.### src-address=192.168.88.0/24 tunnel=yes
  116. add dst-address=192.168.92.0/24 sa-dst-address=###.###.###.### sa-src-address=###.###.###.### src-address=192.168.88.0/24 tunnel=yes
  117. /ip proxy access
  118. add action=deny disabled=yes
  119. /ip route
  120. add distance=1 gateway=###.###.###.###
  121. /ip service
  122. set telnet address=0.0.0.0/0 disabled=yes port=123
  123. set www disabled=yes
  124. /ip socks
  125. set port=45110
  126. /system clock
  127. set time-zone-name=Asia/Yekaterinburg
  128. /system routerboard settings
  129. set silent-boot=no
  130. /tool mac-server
  131. set allowed-interface-list=mactel
  132. /tool mac-server mac-winbox
  133. set allowed-interface-list=mac-winbox