# Bridge that carries the LAN side; its member ports are attached under /interface bridge port below.
/interface bridge
add name=bridge-local auto-mac=yes
# Physical ports: ether1 is the uplink, ether2 is the LAN port and ether3/ether4 are switched
# together with it via master-port.
/interface ethernet
set [find default-name=ether1] name=ether1-gateway
set [find default-name=ether2] name=ether2-master-local
set [find default-name=ether3] name=ether3-slave-local master-port=ether2-master-local
set [find default-name=ether4] name=ether4-slave-local master-port=ether2-master-local
# Do not announce this router through neighbor discovery on the uplink.
/ip neighbor discovery
set ether1-gateway discover=no
# Tagged VLAN 10 on the uplink port; it gets its own DHCP client and masquerade rule further down,
# so traffic arriving on it should be treated like uplink traffic.
/interface vlan
add name=vlan10 vlan-id=10 interface=ether1-gateway
# WPA2-PSK profile used by the access point; profile name and key are redacted in this export.
/interface wireless security-profiles
set [find default=yes] supplicant-identity=MikroTik
add name=***** mode=dynamic-keys authentication-types=wpa2-psk management-protection=allowed supplicant-identity=MikroTik wpa2-pre-shared-key=*************
# 2.4 GHz access point fixed on 2427 MHz; wlan1 is bridged into bridge-local below.
/interface wireless
set [find default-name=wlan1] disabled=no mode=ap-bridge band=2ghz-b/g/n frequency=2427 distance=indoors wireless-protocol=802.11 security-profile=****** ssid=******
# The built-in IPsec proposal is switched off; the ipsecwanip script (bottom of this export)
# creates its own proposal, peer and policy per remote host.
/ip ipsec proposal
set [find default=yes] disabled=yes
# LAN address pool and the DHCP server that hands it out on the bridge.
/ip pool
add name=dhcp ranges=10.10.0.10-10.10.0.99
/ip dhcp-server
add name=default interface=bridge-local address-pool=dhcp disabled=no
# L2TP client towards the remote site. The tunnel itself only negotiates CHAP/MS-CHAPv2; the IPsec
# policy that is meant to protect it is installed by the ipsecwanip script, which disables and
# re-enables this interface whenever the WAN address changes. Password is redacted in this export.
/interface l2tp-client
add name=l2tp-out1 connect-to=somehostname.somecompany.com user=default password=************ profile=default allow=chap,mschap2 keepalive-timeout=30 max-mtu=1300 max-mru=1300 disabled=no
# LAN port and the access point share one bridge.
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
# Router LAN address on the bridge's master port.
/ip address
add interface=ether2-master-local address=10.10.0.1/24 network=10.10.0.0 comment="default configuration"
# Two DHCP clients: the uplink supplies the default route, vlan10 deliberately does not.
# Note that the ipsecwanip script reads the WAN address from dhcp-client number 0, i.e. the
# ether1-gateway entry, so the order of these two entries matters to it.
/ip dhcp-client
add interface=ether1-gateway dhcp-options=hostname,clientid disabled=no comment="default configuration"
add interface=vlan10 dhcp-options=hostname,clientid add-default-route=no disabled=no
# LAN clients are pointed at public resolvers rather than at this router.
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1 netmask=24 dns-server=8.8.8.8,8.8.4.4 comment="default configuration"
# allow-remote-requests=yes turns the router into a resolver on every interface; make sure the
# input chain drops unsolicited traffic on all untrusted interfaces (vlan10 and l2tp-out1 as well
# as ether1-gateway), otherwise the resolver is reachable from them.
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=router address=10.10.0.1
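# Input chain: only ICMP, replies to the router's own connections and the management ports that are
# port-forwarded to 10.10.0.1 are accepted; everything else arriving on an untrusted interface is
# dropped. The original export dropped only on ether1-gateway, which left every router service --
# including the DNS resolver enabled with allow-remote-requests=yes -- reachable from the vlan10
# uplink and from the L2TP tunnel. If the remote site relies on this router for DNS, add an
# explicit udp/53 accept for l2tp-out1 above the drop rules.
/ip firewall filter
add chain=input protocol=icmp comment="default configuration"
add chain=input connection-state=established,related comment="default configuration"
# Established traffic is already accepted above, so this limit effectively caps new SSH/HTTP
# connection attempts from the Internet at 3 per minute (burst 3).
add chain=input in-interface=ether1-gateway protocol=tcp dst-address=10.10.0.1 dst-port=22,80 limit=3/1m,3
add chain=input in-interface=l2tp-out1 protocol=tcp dst-port=22
add chain=input in-interface=l2tp-out1 protocol=tcp dst-address=10.10.0.1 dst-port=22,80
add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
add chain=input action=drop in-interface=vlan10 comment="drop unsolicited traffic from the vlan10 uplink"
add chain=input action=drop in-interface=l2tp-out1 comment="drop tunnel traffic not accepted above"
# Forward chain: fast-track established flows, allow the published services, then drop invalid
# packets and any new inbound connection on an uplink that did not come through a dst-nat rule.
add chain=forward action=fasttrack-connection connection-state=established,related comment="default configuration"
add chain=forward connection-state=established,related comment="default configuration"
add chain=forward in-interface=l2tp-out1 protocol=tcp dst-address=10.10.0.2 dst-port=80,61682
add chain=forward in-interface=l2tp-out1 protocol=udp dst-address=10.10.0.2 dst-port=61682
add chain=forward in-interface=l2tp-out1 protocol=tcp dst-address=192.168.88.1 dst-port=22,80
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.88.1 dst-port=22,80
add chain=forward action=drop connection-state=invalid comment="default configuration"
add chain=forward action=drop in-interface=ether1-gateway connection-state=new connection-nat-state=!dstnat comment="default configuration"
add chain=forward action=drop in-interface=vlan10 connection-state=new connection-nat-state=!dstnat comment="same policy for the vlan10 uplink"
add chain=forward action=reject in-interface=l2tp-out1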
# Source NAT on all three uplink-like interfaces. Rule order is significant and is kept as exported.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-gateway comment="default configuration"
add chain=srcnat action=masquerade out-interface=vlan10
add chain=srcnat action=masquerade out-interface=l2tp-out1
# Port forwards. On the Internet side (ether1-gateway) 222 reaches the router's SSH, 888 the
# router's HTTP interface (cleartext management exposed to the Internet) and 2222 SSH on
# 192.168.88.1. The same services plus 10.10.0.2 (80 and 61682 tcp/udp) are published through the
# L2TP tunnel. The filter chains accept these by their translated destination port.
add chain=dstnat action=dst-nat in-interface=ether1-gateway protocol=tcp dst-port=222 to-addresses=10.10.0.1 to-ports=22
add chain=dstnat action=dst-nat in-interface=l2tp-out1 protocol=tcp dst-port=80 to-addresses=10.10.0.2 to-ports=80
add chain=dstnat action=dst-nat in-interface=l2tp-out1 protocol=tcp dst-port=61682 to-addresses=10.10.0.2 to-ports=61682
add chain=dstnat action=dst-nat in-interface=l2tp-out1 protocol=udp dst-port=61682 to-addresses=10.10.0.2 to-ports=61682
add chain=dstnat action=dst-nat in-interface=l2tp-out1 protocol=tcp dst-port=888 to-addresses=10.10.0.1 to-ports=80
add chain=dstnat action=dst-nat in-interface=l2tp-out1 protocol=tcp dst-port=222 to-addresses=10.10.0.1 to-ports=22
add chain=dstnat action=dst-nat in-interface=ether1-gateway protocol=tcp dst-port=888 to-addresses=10.10.0.1 to-ports=80
add chain=dstnat action=dst-nat in-interface=ether1-gateway protocol=tcp dst-port=2222 to-addresses=192.168.88.1 to-ports=22
add chain=dstnat action=dst-nat in-interface=l2tp-out1 protocol=tcp dst-port=2222 to-addresses=192.168.88.1 to-ports=22
# The default (first) IPsec policy is disabled; the ipsecwanip script manages its own policy.
/ip ipsec policy
set 0 disabled=yes
# Static routes via 10.0.0.1 with gateway ping checks. NOTE(review): 10.0.0.1 is not an address
# configured on this router and the first route points a /24 through a gateway inside that same
# /24 -- presumably reachable through the tunnel; confirm this is intended.
/ip route
add dst-address=10.0.0.0/24 gateway=10.0.0.1 distance=1 check-gateway=ping
add dst-address=192.168.1.0/24 gateway=10.0.0.1 distance=1 check-gateway=ping
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=somename-router
# protected-routerboot=disabled (the default) keeps the reset button and netinstall usable for
# anyone with physical access to the board.
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
# The default admin account is kept with full rights; only its password (redacted here) is set.
/user set admin group=full password=************
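# ipsecwanip: run once a minute by /system scheduler. Reads the current WAN address from
# dhcp-client 0, compares it with the src-address of the IPsec policy towards $dhost and, when
# they differ, rebuilds the proposal, peer and policy and bounces the l2tp-out1 tunnel.
# Remote host and PSK are placeholders in this export; the PSK sits in clear in the script source,
# so anyone able to read scripts on this router presumably also reads it.
# Policy list is limited to what the commands below need (read/write of /ip objects, test for
# :delay, sensitive for the PSK); ftp, reboot, password and sniff were granted before but unused.
# Changes from the previous version: abort when there is no WAN lease instead of installing a
# policy for "/32", reuse the wanip variable with :set instead of declaring it twice, and drop the
# leftover :put debug output.
# NOTE(review): phase 2 uses auth-algorithms=sha1 and the peer sets no hash-algorithm, so the IKE
# default applies -- confirm what the remote side accepts before tightening these.
/system script
add name=ipsecwanip owner=admin policy=read,write,policy,test,sensitive source="# IPsec\
\_remote host and PSK\
\n:local dhost \"111.222.333.444\";\
\n:local psk \"*******************************\";\
\n:local ifacevpn \"l2tp-out1\";\
\n\
\n# Get WAN IP and generate variables (dhcp-client 0 is the ether1-gateway client)\
\n:local wanip [/ip dhcp-client get number=0 address];\
\n# Without a lease there is nothing sensible to install; leave the existing rules alone\
\n:if ([:len \$wanip] = 0) do={\
\n :log error \"ipsecwanip: dhcp-client 0 has no address, leaving IPsec rules untouched\";\
\n :error \"no WAN address\";\
\n}\
\n:set wanip [:pick \$wanip 0 [:find in=\$wanip key=\"/\"]];\
\n:local ipsecwanip \"\$wanip/32\";\
\n:local ipsecdhost \"\$dhost/32\"\
\n\
\n# Get IP from IPsec policy and return \"0\" if fail\
\n:local getipoldstaddr do={\
\n :do {\
\n :local ipaddr [/ip ipsec policy get value-name=src-address [find sa-dst-address=\"\$1\"]];\
\n :return \"\$ipaddr\";\
\n } on-error={return \"0\"};\
\n}\
\n\
\n:local policywanip [\$getipoldstaddr \$dhost];\
\n\
\n# if wan ip changed\
\n:if ( \$policywanip != \$ipsecwanip ) do={\
\n :log warning \"Reinstalling IPsec rules. Remote ip: \$dhost, WAN IP: \$wanip\"\
\n # Remove IPsec rules\
\n /interface l2tp-client disable \"\$ifacevpn\";\
\n /ip ipsec proposal \\\
\n remove [find name=\"\$dhost\"];\
\n /ip ipsec peer \\\
\n remove [find address=\"\$ipsecdhost\"];\
\n /ip ipsec policy \\\
\n remove [find sa-dst-address=\"\$dhost\"];\
\n /ip ipsec installed-sa flush;\
\n /ip ipsec remote-peers kill-connections;\
\n\
\n # Add new IPsec rules\
\n /ip ipsec proposal \\\
\n add enc-algorithms=aes-256-cbc auth-algorithms=sha1 \\\
\n lifetime=30m pfs-group=modp2048 name=\"\$dhost\";\
\n /ip ipsec peer \\\
\n add address=\"\$ipsecdhost\" enc-algorithm=aes-256 dh-group=modp2048 \\\
\n proposal-check=strict secret=\"\$psk\" nat-traversal=yes;\
\n /ip ipsec policy \\\
\n add dst-address=\"\$ipsecdhost\" dst-port=1701 level=unique \\\
\n proposal=\"\$dhost\" protocol=udp sa-dst-address=\"\$dhost\" \\\
\n sa-src-address=\"\$wanip\" src-address=\"\$ipsecwanip\";\
\n :delay 0.5;\
\n /interface l2tp-client enable \"\$ifacevpn\";\
\n}\
\n"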
# Runs the ipsecwanip script once a minute. A scheduler entry must carry at least the policies of
# the script it runs, so this list can only be narrowed together with the script's own policy.
/system scheduler
add name=ipsecwanip on-event=ipsecwanip interval=1m policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive