
mikrotik auto

a guest Jan 25th, 2016 92 Never
  1. /interface bridge
  2. add auto-mac=yes name=bridge-local
  3. /interface ethernet
  4. set [ find default-name=ether1 ] name=ether1-gateway
  5. set [ find default-name=ether2 ] name=ether2-master-local
  6. set [ find default-name=ether3 ] master-port=ether2-master-local name=\
  7.     ether3-slave-local
  8. set [ find default-name=ether4 ] master-port=ether2-master-local name=\
  9.     ether4-slave-local
  10. /ip neighbor discovery
  11. set ether1-gateway discover=no
  12. /interface vlan
  13. add interface=ether1-gateway name=vlan10 vlan-id=10
  14. /interface wireless security-profiles
  15. set [ find default=yes ] supplicant-identity=MikroTik
  16. add authentication-types=wpa2-psk management-protection=allowed mode=\
  17.     dynamic-keys name=***** supplicant-identity=MikroTik wpa2-pre-shared-key=\
  18.     *************
  19. /interface wireless
  20. set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
  21.     frequency=2427 mode=ap-bridge security-profile=****** ssid=****** \
  22.     wireless-protocol=802.11
  23. /ip ipsec proposal
  24. set [ find default=yes ] disabled=yes
  25. /ip pool
  26. add name=dhcp ranges=10.10.0.10-10.10.0.99
  27. /ip dhcp-server
  28. add address-pool=dhcp disabled=no interface=bridge-local name=default
  29. /interface l2tp-client
  30. add allow=chap,mschap2 connect-to=somehostname.somecompany.com disabled=no \
  31.     keepalive-timeout=30 max-mru=1300 max-mtu=1300 name=l2tp-out1 password=\
  32.     ************ profile=default user=default
  33. /interface bridge port
  34. add bridge=bridge-local interface=ether2-master-local
  35. add bridge=bridge-local interface=wlan1
  36. /ip address
  37. add address=10.10.0.1/24 comment="default configuration" interface=\
  38.     ether2-master-local network=10.10.0.0
  39. /ip dhcp-client
  40. add comment="default configuration" dhcp-options=hostname,clientid disabled=\
  41.     no interface=ether1-gateway
  42. add add-default-route=no dhcp-options=hostname,clientid disabled=no \
  43.     interface=vlan10
  44. /ip dhcp-server network
  45. add address=10.10.0.0/24 comment="default configuration" dns-server=\
  46.     8.8.8.8,8.8.4.4 gateway=10.10.0.1 netmask=24
  47. /ip dns
  48. set allow-remote-requests=yes
  49. /ip dns static
  50. add address=10.10.0.1 name=router
  51. /ip firewall filter
  52. add chain=input comment="default configuration" protocol=icmp
  53. add chain=input comment="default configuration" connection-state=established,related
  54. add chain=input dst-address=10.10.0.1 dst-port=22,80 in-interface=ether1-gateway limit=3/1m,3 protocol=tcp
  55. add chain=input dst-port=22 in-interface=l2tp-out1 protocol=tcp
  56. add chain=input dst-address=10.10.0.1 dst-port=22,80 in-interface=l2tp-out1 protocol=tcp
  57. add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
  58. add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
  59. add chain=forward comment="default configuration" connection-state=established,related
  60. add chain=forward dst-address=10.10.0.2 dst-port=80,61682 in-interface=l2tp-out1 protocol=tcp
  61. add chain=forward dst-address=10.10.0.2 dst-port=61682 in-interface=l2tp-out1 protocol=udp
  62. add chain=forward dst-address=192.168.88.1 dst-port=22,80 in-interface=l2tp-out1 protocol=tcp
  63. add chain=forward dst-address=192.168.88.1 dst-port=22,80 in-interface=ether1-gateway protocol=tcp
  64. add action=drop chain=forward comment="default configuration" connection-state=invalid
  65. add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
  66. add action=reject chain=forward in-interface=l2tp-out1
  67. /ip firewall nat
  68. add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
  69. add action=masquerade chain=srcnat out-interface=vlan10
  70. add action=masquerade chain=srcnat out-interface=l2tp-out1
  71. add action=dst-nat chain=dstnat dst-port=222 in-interface=ether1-gateway protocol=tcp to-addresses=10.10.0.1 to-ports=22
  72. add action=dst-nat chain=dstnat dst-port=80 in-interface=l2tp-out1 protocol=tcp to-addresses=10.10.0.2 to-ports=80
  73. add action=dst-nat chain=dstnat dst-port=61682 in-interface=l2tp-out1 protocol=tcp to-addresses=10.10.0.2 to-ports=61682
  74. add action=dst-nat chain=dstnat dst-port=61682 in-interface=l2tp-out1 protocol=udp to-addresses=10.10.0.2 to-ports=61682
  75. add action=dst-nat chain=dstnat dst-port=888 in-interface=l2tp-out1 protocol=tcp to-addresses=10.10.0.1 to-ports=80
  76. add action=dst-nat chain=dstnat dst-port=222 in-interface=l2tp-out1 protocol=tcp to-addresses=10.10.0.1 to-ports=22
  77. add action=dst-nat chain=dstnat dst-port=888 in-interface=ether1-gateway protocol=tcp to-addresses=10.10.0.1 to-ports=80
  78. add action=dst-nat chain=dstnat dst-port=2222 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.1 to-ports=22
  79. add action=dst-nat chain=dstnat dst-port=2222 in-interface=l2tp-out1 protocol=tcp to-addresses=192.168.88.1 to-ports=22
  80. /ip ipsec policy
  81. set 0 disabled=yes
  82. /ip route
  83. add check-gateway=ping distance=1 dst-address=10.0.0.0/24 gateway=10.0.0.1
  84. add check-gateway=ping distance=1 dst-address=192.168.1.0/24 gateway=10.0.0.1
  85. /system clock
  86. set time-zone-name=Europe/Bratislava
  87. /system identity
  88. set name=somename-router
  89. /system routerboard settings
  90. set cpu-frequency=650MHz protected-routerboot=disabled
  91. /user set admin password=************ group=full
  92. /system script
  93. add name=ipsecwanip owner=admin policy=\
  94.     ftp,reboot,read,write,policy,test,password,sniff,sensitive source="# IPsec\
  95.     \_remote host and PSK\
  96.     \n:local dhost \"111.222.333.444\";\
  97.     \n:local psk \"*******************************\";\
  98.     \n:local ifacevpn \"l2tp-out1\";\
  99.     \n\
  100.     \n# Get WAN IP and generate variables\
  101.     \n:local wanip [/ip dhcp-client get number=0 address];\
  102.     \n:local wanip [:pick \$wanip 0 [:find in=\$wanip key=\"/\"]];\
  103.     \n:local ipsecwanip \"\$wanip/32\";\
  104.     \n:local ipsecdhost \"\$dhost/32\"\
  105.     \n\
  106.     \n# Get IP from IPsec policy and return \"0\" if fail\
  107.     \n:local getipoldstaddr do={\
  108.     \n    :do {\
  109.     \n        :local ipaddr [/ip ipsec policy get value-name=src-address [find\
  110.     \_sa-dst-address=\"\$1\"]];\
  111.     \n        :return \"\$ipaddr\";\
  112.     \n    } on-error={return \"0\"};\
  113.     \n}\
  114.     \n\
  115.     \n:local policywanip [\$getipoldstaddr \$dhost];\
  116.     \n\
  117.     \n# if wan ip changed\
  118.     \n:if ( \$policywanip != \$ipsecwanip ) do={\
  119.     \n    :log warning \"Reinstalling IPsec rules. Remote ip: \$dhost, WAN IP:\
  120.     \_\$wanip\"\
  121.     \n    # Remove IPsec rules\
  122.     \n    :put \"dhost: \$dhost\";\
  123.     \n    /interface l2tp-client disable \"\$ifacevpn\";\
  124.     \n    /ip ipsec proposal \\\
  125.     \n        remove [find name=\"\$dhost\"];\
  126.     \n    /ip ipsec peer \\\
  127.     \n        remove [find address=\"\$ipsecdhost\"];\
  128.     \n    /ip ipsec policy \\\
  129.     \n        remove [find sa-dst-address=\"\$dhost\"];\
  130.     \n    /ip ipsec installed-sa flush;\
  131.     \n    /ip ipsec remote-peers kill-connections;\
  132.     \n\
  133.     \n    # Add new IPsec rules\
  134.     \n    /ip ipsec proposal \\\
  135.     \n        add enc-algorithms=aes-256-cbc auth-algorithms=sha1 \\\
  136.     \n        lifetime=30m pfs-group=modp2048 name=\"\$dhost\";\
  137.     \n    /ip ipsec peer \\\
  138.     \n        add address=\"\$ipsecdhost\" enc-algorithm=aes-256 dh-group=modp\
  139.     2048 \\\
  140.     \n        proposal-check=strict secret=\"\$psk\" nat-traversal=yes;\
  141.     \n    /ip ipsec policy \\\
  142.     \n        add dst-address=\"\$ipsecdhost\" dst-port=1701 level=unique \\\
  143.     \n        proposal=\"\$dhost\" protocol=udp sa-dst-address=\"\$dhost\" \\\
  144.     \n        sa-src-address=\"\$wanip\" src-address=\"\$ipsecwanip\";\
  145.     \n        :delay 0.5;\
  146.     \n        /interface l2tp-client enable \"\$ifacevpn\";\
  147.     \n}\
  148.     \n"
  149. /system scheduler
  150. add interval=1m name=ipsecwanip on-event=ipsecwanip policy=\
  151.     ftp,reboot,read,write,policy,test,password,sniff,sensitive