- # dec/11/2017 11:05:55 by RouterOS 6.41rc61
- # software id = 0PEF-DU4H
- #
- # model = CCR1009-7G-1C-1S+
- # serial number = 849707CBB2CC
- # Layer-2 setup: the LAN bridge, role-based port names, the two PPPoE uplinks and the default IPsec proposal.
- /interface bridge
- add fast-forward=no name=br-lan10/24
- /interface ethernet
- # combo1 and ether7 are the ISP-facing ports (per their comments); both carry an overridden MAC address.
- set [ find default-name=combo1 ] combo-mode=copper comment=tenet-main-work \
- mac-address=00:1A:64:B3:AA:3A name=combo1-wtenetw
- set [ find default-name=ether5 ] name=eth5-g1724
- set [ find default-name=ether6 ] name=eth6v2024
- set [ find default-name=ether7 ] comment=tenet2-video-guest mac-address=\
- 64:D1:54:E5:94:BD name=eth7-tenet2vg
- set [ find default-name=ether1 ] comment=br-lan1024 mac-address=\
- 6C:3B:6B:00:87:DA
- /interface pppoe-client
- # The PPPoE credentials appear to have been replaced with placeholders (password=hidden, user=user) before publishing.
- # NOTE(review): the IPsec secret, PPP secrets and LCD PIN later in this export were not redacted the same way.
- # Only the first client sets add-default-route=yes.
- add add-default-route=yes comment=pppoe-tenet-main-work disabled=no \
- interface=combo1-wtenetw name=pppoe-tenetmainw password=hidden user=\
- user
- add comment=pppoe-tenet2-vg disabled=no interface=eth7-tenet2vg name=\
- pppoe-wtenet2vg password=hidden user=user1
- /interface wireless security-profiles
- set [ find default=yes ] supplicant-identity=MikroTik
- /ip ipsec proposal
- # NOTE(review): 3des is still offered for phase 2 and pfs-group=none turns off perfect forward secrecy.
- # Prefer an AES-only list and a PFS group that the VPN clients support.
- set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
- pfs-group=none
- # Addressing: DHCP pools and servers per segment, the L2TP profile/server, bridge membership and gateway addresses.
- /ip pool
- # NOTE(review): 172.138.17.0/24 and 17.77.7.0/24 are outside the RFC 1918 private ranges (172.16.0.0/12 ends at 172.31.255.255).
- # Using publicly routable prefixes internally shadows the real Internet hosts in those ranges and makes
- # address-based firewall rules ambiguous; presumably private prefixes were intended - confirm and renumber.
- add name=dhcp_poolw1024 ranges=192.168.10.100-192.168.10.155
- add name=poolv2024 ranges=192.168.20.100-192.168.20.200
- add name=poolguest1724 ranges=172.138.17.100-172.138.17.200
- add name=poolvpnl2tp ranges=17.77.7.3-17.77.7.60
- /ip dhcp-server
- # One DHCP server per segment: work bridge, video-recorder port (eth6v2024) and guest port (eth5-g1724).
- add address-pool=dhcp_poolw1024 disabled=no interface=br-lan10/24 lease-time=\
- 8h name=server1mw1024
- add address-pool=poolv2024 disabled=no interface=eth6v2024 lease-time=8h \
- name=server2v2024
- add address-pool=poolguest1724 disabled=no interface=eth5-g1724 lease-time=8h \
- name=server3guest1724
- /ppp profile
- # Profile for L2TP users: addresses come from poolvpnl2tp, one session per account (only-one=yes).
- add change-tcp-mss=yes local-address=17.77.7.1 name=vpnl2tp only-one=yes \
- remote-address=poolvpnl2tp use-encryption=yes
- /interface bridge port
- add bridge=br-lan10/24 interface=ether2
- add bridge=br-lan10/24 interface=ether3
- add bridge=br-lan10/24 interface=ether4
- add bridge=br-lan10/24 interface=ether1
- /interface l2tp-server server
- # NOTE(review): use-ipsec is not set on the server, so nothing here forces L2TP sessions to arrive inside IPsec.
- # The filter table in this export accepts UDP 1701 from any source, which leaves plain L2TP with MS-CHAPv2 reachable.
- # Consider use-ipsec=required (where the installed RouterOS supports it) or an ipsec-policy match on the 1701 rule.
- set authentication=mschap2 default-profile=vpnl2tp enabled=yes
- /ip address
- # Router (gateway) address on each internal segment.
- add address=192.168.20.1/24 comment=videoreg-lan interface=eth6v2024 network=\
- 192.168.20.0
- add address=172.138.17.1/24 comment=guest-lan interface=eth5-g1724 network=\
- 172.138.17.0
- add address=192.168.10.1/24 comment=main-work-lan interface=br-lan10/24 \
- network=192.168.10.0
- # Static ARP entries, WAN DHCP clients, static DHCP leases, per-network DHCP options and the router's resolvers.
- /ip arp
- # Static ARP for the two video devices that also hold static leases below (ipcam1 and Videoreg3).
- add address=192.168.20.30 interface=eth6v2024 mac-address=2E:2E:45:BE:A9:89
- add address=192.168.20.4 interface=eth6v2024 mac-address=00:12:14:00:26:F1
- /ip dhcp-client
- # NOTE(review): both WAN ports also run a DHCP client directly on the Ethernet interface.
- # The input drop rules in the filter table name only the PPPoE interfaces, so traffic that arrives
- # on combo1-wtenetw or eth7-tenet2vg themselves is not covered by those drops - confirm this is intended.
- add comment=wan-tenet2vg dhcp-options=hostname,clientid disabled=no \
- interface=eth7-tenet2vg
- add comment=wan-tenet-main default-route-distance=2 dhcp-options=\
- hostname,clientid disabled=no interface=combo1-wtenetw
- /ip dhcp-server lease
- # Static leases. The comments name terminals, cash boxes, a printer, a camera and a video recorder,
- # so a published export doubles as a device inventory (role, IP and MAC) of the site.
- # The admin-book MAC holds a lease on both the work and the video server.
- add address=192.168.10.9 client-id=1:10:1f:74:77:f6:dd comment=admin-book \
- mac-address=10:1F:74:77:F6:DD server=server1mw1024
- add address=192.168.20.9 client-id=1:10:1f:74:77:f6:dd comment=admin-book \
- mac-address=10:1F:74:77:F6:DD server=server2v2024
- add address=192.168.20.32 client-id=0E:F7:9C:89:4D:DC mac-address=\
- 0E:F7:9C:89:4D:DC server=server2v2024
- add address=192.168.20.31 client-id=4E:16:A3:95:2D:93 mac-address=\
- 4E:16:A3:95:2D:93 server=server2v2024
- add address=192.168.20.30 client-id=2e:2e:45:be:a9:89 comment=ipcam1 \
- mac-address=2E:2E:45:BE:A9:89 server=server2v2024
- add address=192.168.20.33 client-id=DE:69:84:7A:1E:E7 mac-address=\
- DE:69:84:7A:1E:E7 server=server2v2024
- add address=192.168.20.34 client-id=B2:0D:8E:36:97:92 mac-address=\
- B2:0D:8E:36:97:92 server=server2v2024
- add address=192.168.20.4 client-id=00:12:14:00:26:F1 comment=Videoreg3 \
- mac-address=00:12:14:00:26:F1 server=server2v2024
- add address=192.168.20.35 client-id=CE:30:EA:92:C9:5A mac-address=\
- CE:30:EA:92:C9:5A server=server2v2024
- add address=192.168.20.37 client-id=A2:58:09:8D:ED:B2 mac-address=\
- A2:58:09:8D:ED:B2 server=server2v2024
- add address=192.168.20.36 client-id=76:50:72:D9:EE:17 mac-address=\
- 76:50:72:D9:EE:17 server=server2v2024
- add address=192.168.20.38 client-id=36:A2:3F:7D:AC:8A mac-address=\
- 36:A2:3F:7D:AC:8A server=server2v2024
- add address=192.168.20.39 client-id=8E:B4:16:BD:59:EA mac-address=\
- 8E:B4:16:BD:59:EA server=server2v2024
- add address=192.168.10.14 client-id=00:23:24:26:E0:E3 comment=hp-term1-mag2 \
- mac-address=00:23:24:26:E0:E3 server=server1mw1024
- add address=192.168.10.18 comment=samsung-print_m2 mac-address=\
- 30:CD:A7:BE:DF:EE server=server1mw1024
- add address=192.168.10.15 client-id=98:DE:D0:BA:FC:7F comment=\
- lenovo-term2-mag2 mac-address=98:DE:D0:BA:FC:7F server=server1mw1024
- add address=192.168.10.32 client-id=F8:A9:63:DC:51:4D comment=cashbox2-m2 \
- mac-address=F8:A9:63:DC:51:4D server=server1mw1024
- add address=192.168.10.33 client-id=F8:A9:63:DC:51:F3 comment=cashbox3-m2 \
- mac-address=F8:A9:63:DC:51:F3 server=server1mw1024
- add address=192.168.10.34 client-id=F8:A9:63:DC:53:57 comment=cashbox4-m2 \
- mac-address=F8:A9:63:DC:53:57 server=server1mw1024
- /ip dhcp-server network
- # DHCP options per subnet; the LAN segments hand out the router first and public resolvers as fallback.
- add address=17.77.7.0/24 comment=vpnl2tp dns-server=17.77.7.1 gateway=\
- 17.77.7.1
- add address=172.138.17.0/24 comment=guest dns-server=\
- 172.138.17.1,8.8.8.8,8.8.4.4 gateway=172.138.17.1
- add address=192.168.10.0/24 comment=work-main dns-server=\
- 192.168.10.1,8.8.8.8,8.8.4.4 gateway=192.168.10.1
- add address=192.168.20.0/24 comment=videoreg dns-server=\
- 192.168.20.1,8.8.8.8,8.8.4.4 gateway=192.168.20.1
- /ip dns
- # Upstream resolvers for the router itself; allow-remote-requests is not shown in this export.
- set servers=8.8.8.8,8.8.4.4
- # Packet filter for the input (to the router) and forward (through the router) chains.
- # Rules are evaluated top to bottom and the first match decides, so the order below is part of the policy.
- # NOTE(review): neither chain ends in an unconditional drop, so a packet that matches no rule is accepted.
- /ip firewall filter
- # L2TP/IPsec listeners: UDP 4500, 1701 and 500 are accepted from any source on any interface.
- # NOTE(review): accepting 1701 unconditionally leaves plain L2TP reachable without IPsec;
- # adding ipsec-policy=in,ipsec to that rule would limit it to traffic that arrived inside an IPsec SA.
- add action=accept chain=input comment=l2tp-ipsec-accept dst-port=4500 \
- protocol=udp
- add action=accept chain=input dst-port=1701 protocol=udp
- add action=accept chain=input dst-port=500 protocol=udp
- # NOTE(review): all-ppp presumably matches every PPP-type interface, including the two PPPoE uplinks - confirm.
- # If so, the second rule accepts anything arriving on a WAN PPPoE link for 192.168.10.0/24;
- # scoping it with src-address=17.77.7.0/24 would keep it to the VPN clients the comment describes.
- add action=accept chain=forward comment=allow-vpn-to-work-lan out-interface=\
- all-ppp src-address=17.77.7.0/24
- add action=accept chain=forward comment=allow-work-lan-to-vpn dst-address=\
- 192.168.10.0/24 in-interface=all-ppp
- # ICMP and established/related traffic are accepted in both chains.
- add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- add action=accept chain=forward comment="defconf: accept ICMP" protocol=icmp
- add action=accept chain=input comment="defconf: accept established" \
- connection-state=established
- add action=accept chain=forward comment="defconf: accept established" \
- connection-state=established
- add action=accept chain=input comment="defconf: accept related" \
- connection-state=related
- add action=accept chain=forward comment="defconf: accept related" \
- connection-state=related
- # Full access to the router from the work LAN bridge.
- add action=accept chain=input in-interface=br-lan10/24 src-address=\
- 192.168.10.0/24
- # NOTE(review): WinBox (9987) and the www service (9990) are accepted on the public address from any source,
- # ahead of the WAN drop rules. log=yes records the hits but does not limit them. Restrict with
- # src-address or an address list, or reach management only through the VPN.
- add action=accept chain=input comment=wan-isp1-winbox dst-address=\
- 195.138.85.137 dst-port=9987 log=yes protocol=tcp
- add action=accept chain=input comment=wan-isp1-web dst-address=195.138.85.137 \
- dst-port=9990 log=yes protocol=tcp
- add action=drop chain=input comment="defconf: drop invalid" connection-state=\
- invalid
- add action=drop chain=forward comment="defconf: drop invalid" \
- connection-state=invalid
- # NOTE(review): the WAN input drops name only the two PPPoE interfaces. The Ethernet ports under them
- # (combo1-wtenetw, eth7-tenet2vg) also run DHCP clients in this export and have no matching drop.
- add action=drop chain=input comment=\
- "defconf: drop all not coming from LAN ISP1" in-interface=\
- pppoe-tenetmainw
- add action=drop chain=input comment=\
- "defconf: drop all not coming from LAN ISP2" in-interface=pppoe-wtenet2vg
- # Outbound forwarding: work LAN via ISP1, video and guest segments via ISP2.
- add action=accept chain=forward in-interface=br-lan10/24 out-interface=\
- pppoe-tenetmainw
- add action=accept chain=forward in-interface=eth6v2024 out-interface=\
- pppoe-wtenet2vg
- add action=accept chain=forward in-interface=eth5-g1724 out-interface=\
- pppoe-wtenet2vg
- add action=accept chain=forward comment=\
- "defconf: accept established,related, untracked" connection-state=\
- established,related,untracked
- # NOTE(review): the comment says "drop" but the rule is action=accept with in-interface-list=all, so new,
- # non-dst-NATed connections from every interface are accepted. The only forward drop in this table is the
- # invalid-state rule, so segment separation is not enforced by the filter. The default rule this comment
- # comes from uses action=drop with a WAN interface list - confirm which was intended.
- add action=accept chain=forward comment=\
- "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
- connection-state=new in-interface-list=all
- # DNS to the public address is dropped last. Packets arriving on pppoe-tenetmainw are already dropped
- # by the earlier WAN rule, so these two only act on traffic that reaches this point.
- add action=drop chain=input dst-address=195.138.85.137 dst-port=53 protocol=\
- tcp
- add action=drop chain=input dst-address=195.138.85.137 dst-port=53 protocol=\
- udp
- # Policy-routing marks per source subnet, source NAT for each LAN, and one published port.
- /ip firewall mangle
- # Guest (241), video (242) and VPN (243) sources get their own routing mark; passthrough=yes lets later mangle rules still run.
- add action=mark-routing chain=prerouting new-routing-mark=241 passthrough=yes \
- src-address=172.138.17.0/24
- add action=mark-routing chain=prerouting new-routing-mark=242 passthrough=yes \
- src-address=192.168.20.0/24
- add action=mark-routing chain=prerouting new-routing-mark=243 passthrough=yes \
- src-address=17.77.7.0/24
- /ip firewall nat
- # Work LAN is masqueraded out of ISP1; guest and video segments out of ISP2.
- add action=masquerade chain=srcnat out-interface=pppoe-tenetmainw \
- src-address=192.168.10.0/24
- add action=masquerade chain=srcnat out-interface=pppoe-wtenet2vg src-address=\
- 172.138.17.0/24
- add action=masquerade chain=srcnat out-interface=pppoe-wtenet2vg src-address=\
- 192.168.20.0/24
- # NOTE(review): TCP 34567 on 185.177.242.190 is published to 192.168.20.4 (labelled Videoreg3 in the lease table)
- # with no src-address restriction, so the recorder's service is exposed to any Internet source.
- # Prefer reaching it through the VPN, or limit the rule to known source addresses.
- add action=dst-nat chain=dstnat dst-address=185.177.242.190 dst-port=34567 \
- protocol=tcp to-addresses=192.168.20.4 to-ports=34567
- # Responder-only (passive=yes) IPsec peer for L2TP clients connecting from any address (0.0.0.0/0).
- # NOTE(review): secret= is a pre-shared key exported in clear text and shared by every client. Once an export
- # is published the key must be treated as disclosed: rotate it and use a long random value.
- # NOTE(review): dh-group=modp1024 and 3des are legacy choices; prefer modp2048 or stronger and AES only.
- # NOTE(review): nat-traversal=no, yet the filter table accepts UDP 4500; clients behind NAT will presumably
- # fail to connect - confirm which of the two settings is intended.
- /ip ipsec peer
- add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des \
- exchange-mode=main-l2tp generate-policy=port-strict lifetime=8h \
- nat-traversal=no passive=yes secret=testsecret
- # Default routes for the routing marks set in mangle, plus rules separating the guest and video segments.
- /ip route
- # Marks 241 (guest) and 242 (video) leave through the ISP2 PPPoE link.
- add distance=1 gateway=pppoe-wtenet2vg routing-mark=241
- add distance=1 gateway=pppoe-wtenet2vg routing-mark=242
- # NOTE(review): mark 243 (VPN) points at the Ethernet port combo1-wtenetw rather than the PPPoE interface on it - confirm.
- add distance=1 gateway=combo1-wtenetw routing-mark=243
- /ip route rule
- # Guest and video subnets are made unreachable from each other in both directions.
- # NOTE(review): this is the only explicit inter-segment separation in the export, and it is done in routing.
- # No rule here or in the filter table names the work LAN (192.168.10.0/24).
- add action=unreachable dst-address=192.168.20.0/24 src-address=\
- 172.138.17.0/24
- add action=unreachable dst-address=172.138.17.0/24 src-address=\
- 192.168.20.0/24
- # Management services: telnet, ftp, ssh, api and api-ssl are disabled; www and winbox stay enabled on non-default ports.
- # NOTE(review): www is the unencrypted HTTP interface, and neither www nor winbox has an address= allow-list.
- # The filter table accepts both ports on the public address, so changing the port number is the only obstacle.
- # Prefer www-ssl with a certificate (or disable www), and set address= to the management subnets.
- # NOTE(review): the export header reports RouterOS 6.41rc61, a release-candidate build from 2017. Check it
- # against the vendor's security advisories and upgrade before leaving management reachable from the Internet.
- /ip service
- set telnet disabled=yes
- set ftp disabled=yes
- set www port=9990
- set ssh disabled=yes
- set api disabled=yes
- set winbox port=9987
- set api-ssl disabled=yes
- # Front-panel LCD settings, L2TP user accounts, time zone and device identity.
- /lcd
- set color-scheme=dark default-screen=stats
- /lcd pin
- # NOTE(review): the LCD PIN is exported in clear text; change it if the export has been shared.
- set pin-number=8520
- /ppp secret
- # Two L2TP accounts on the vpnl2tp profile, each pinned to a fixed remote address.
- # NOTE(review): both passwords are in clear text and identical. Rotate them, give each user a unique
- # password, and use "/export hide-sensitive" so that secrets are left out of an export meant for sharing.
- add local-address=17.77.7.1 name=Usver-m password=testpasswd profile=\
- vpnl2tp remote-address=17.77.7.30 service=l2tp
- add local-address=17.77.7.1 name=Usver password=testpasswd profile=\
- vpnl2tp remote-address=17.77.7.5 service=l2tp
- /system clock
- set time-zone-name=Europe/Kiev
- /system identity
- set name=MikroT-Main