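{
# Controllr <-> MikroTik (MK) integration script.
# Replace the VALUE="XXXX" entries below with the correct information for your Controllr.
# Side effects: adds the Controllr RADIUS client, enables RADIUS incoming (CoA/disconnect on
# $PINCOMING), (re)creates the CONTROLLR / CTLR-* filter, NAT, mangle and address-list rules,
# one scheduler entry, enables the API service and turns on RADIUS for PPP.
# Every section removes the rules it owns (matched by comment / list / name) before recreating
# them, and the RADIUS entry is guarded by an existence check, so the script can be re-run.
######## Replace the VALUE="XXXX" entries with the correct information for the MK <-> Controllr integration ########
:global name="IPCTLR" value="192.168.142.22";
:global name="IPCTLRPUBLIC" value="192.168.142.22";
:global name="RADIUSNAS" value="198.18.3.1";
:global name="PINCOMING" value="3799";
# Shared secret of the RADIUS client entry (previously hard-coded as "brbyte" in the
# /radius add line). Keep it in sync with the secret configured on the Controllr side.
:global name="RADIUSSECRET" value="brbyte";
# If you use the *-notice / *-auth profile pairs, keep CHECK as "sim"; "nao" skips the
# pendency redirects and uses the single-profile mangle set.
:global name="CHECK" value="sim";
#################################################################################################################
:log warning "Iniciando configuracao do Controllr no MK";
:delay 5s;
:log warning "Criando o Radius do Controllr";
# Only one Controllr RADIUS entry is created; it is identified by its comment.
:if ([/radius find comment~"####CONTROLLR####"] !="") do={:log warning "ja existe um Radius cadastrado";} else={:log warning "Nao existe nenhum Radius cadastrado"; /radius add address=$IPCTLR comment="####CONTROLLR####" secret=$RADIUSSECRET service=ppp src-address=$RADIUSNAS timeout=3s disabled=no};
:delay 5s;
:log warning "Habilitando o Incoming";
# RADIUS incoming = CoA / Disconnect-Request messages sent by the Controllr.
/radius incoming set accept=yes port=$PINCOMING;
:delay 5s;
:log warning "Setando as regras do Filter rules";
:log warning "Removendo regras antigas";
/ip firewall filter {
remove [find comment="CONTROLLR"]
remove [find comment~"CTLR-MSG"]
remove [find comment="Controllr"]};
:log warning "Recriando os filter rules";
# Customers in a brb-* address list may only reach destinations in released_ips (plus UDP/53);
# everything else is dropped so the NAT rules below can redirect them to the notice pages.
/ip firewall filter {
add action=accept chain=forward comment="CONTROLLR" dst-port=7840 protocol=tcp
add action=drop chain=forward comment="CTLR-MSG-ALERT" disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-alert-notice"
add action=drop chain=forward comment="CTLR-MSG-ALERT" disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-alert-notice"
add action=drop chain=forward comment="CTLR-MSG-BLOCK" disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-block-notice"
add action=drop chain=forward comment="CTLR-MSG-BLOCK" disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-block-notice"
add action=drop chain=forward comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-cancel-notice"
add action=drop chain=forward comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-cancel-notice"
add action=drop chain=forward comment="CTLR-MSG-BLOCK" disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-block-auth"
add action=drop chain=forward comment="CTLR-MSG-BLOCK" disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-block-auth"
add action=drop chain=forward comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-cancel-auth"
add action=drop chain=forward comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-cancel-auth"
add action=drop chain=forward comment="CTLR-MSG-DISABLE" disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-disabled"
add action=drop chain=forward comment="CTLR-MSG-DISABLE" disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-disabled"};
:delay 5s;
#NOTE This rule exists so you can see which IP your Controllr is sending the disconnect command from
# (sources of UDP/3799 packets to the router are collected in the radius_log list for 30 minutes).
:log warning "Regra do radius log";
:log warning "Removendo regra do log antiga";
/ip firewall filter remove [find comment="CTLR-RADIUS-LOG"];
:log warning "Recriando regra do radiuslog";
/ip firewall filter add action=add-src-to-address-list address-list=radius_log address-list-timeout=30m chain=input comment=CTLR-RADIUS-LOG dst-port=3799 protocol=udp;
:log warning "Setando as regras de redirecionamento - NAT para acessar o seu Controllr fora da rede";
:log warning "Removendo redirecionamentos antigos";
/ip firewall nat remove [find comment~"ACESSO"];
:log warning "Recriando os redirecionamentos";
# dst-nat is only needed when the Controllr sits behind this router on a private address.
# Plain variable comparison instead of [$VAR] command substitution.
:if ($IPCTLRPUBLIC = $IPCTLR) do={:log warning "IP da maquina e igual o ip publico. Nao tem dst-nat"} else={/ip firewall nat {
add action=dst-nat chain=dstnat comment="CTLR-ACESSO-WEB-HTTP" dst-port=8080 protocol=tcp to-addresses=$IPCTLR to-ports=8080
add action=dst-nat chain=dstnat comment="CTLR-ACESSO-WEB-HTTPS" dst-port=8443 protocol=tcp to-addresses=$IPCTLR to-ports=8443
add action=dst-nat chain=dstnat comment="CTLR-ACESSO-SSH" dst-port=2229 protocol=tcp to-addresses=$IPCTLR to-ports=2229
add action=dst-nat chain=dstnat comment="CTLR-ACESSO-SERVICO" dst-port=8083 protocol=tcp to-addresses=$IPCTLR to-ports=8083
add action=dst-nat chain=dstnat comment="CTLR-ACESSO-HOTSITE-HTTP" disabled=yes dst-address=$IPCTLRPUBLIC dst-port=80 protocol=tcp to-addresses=$IPCTLR to-ports=80
add action=dst-nat chain=dstnat comment="CTLR-ACESSO-HOTSITE-HTTPS" disabled=yes dst-address=$IPCTLRPUBLIC dst-port=443 protocol=tcp to-addresses=$IPCTLR to-ports=443};
};
#NOTE: The Hotsite redirect is disabled because **dst-address** must be your public IP so that the Hotsite can be reached from inside and outside the network through the public IP.
:delay 5s;
:log warning "Redirecionamento para as telas de pendencias";
:log warning "Removendo redirecionamentos antigos de pendencias";
/ip firewall nat remove [find comment~"CTLR-MSG"];
:log warning "Recriando os redirecionamento de pendencias";
# HTTP/HTTPS from customers in a brb-*-notice list is redirected to the matching notice page on the Controllr.
:if ($CHECK = "nao") do={:log warning "Nao ira redirecionar";} else={/ip firewall nat{
add action=dst-nat chain=dstnat comment="CTLR-MSG-ALERT-HTTP" disabled=no dst-address-list=!released_ips dst-port=80 protocol=tcp src-address-list=brb-alert-notice to-addresses=$IPCTLR to-ports=8090
add action=dst-nat chain=dstnat comment="CTLR-MSG-ALERT-HTTPS" disabled=no dst-address-list=!released_ips dst-port=443 protocol=tcp src-address-list=brb-alert-notice to-addresses=$IPCTLR to-ports=8490
add action=dst-nat chain=dstnat comment="CTLR-MSG-PENDENCY-HTTP" disabled=no dst-address-list=!released_ips dst-port=80 protocol=tcp src-address-list=brb-pendency-notice to-addresses=$IPCTLR to-ports=8091
add action=dst-nat chain=dstnat comment="CTLR-MSG-PENDENCY-HTTPS" disabled=no dst-address-list=!released_ips dst-port=443 protocol=tcp src-address-list=brb-pendency-notice to-addresses=$IPCTLR to-ports=8491
add action=dst-nat chain=dstnat comment="CTLR-MSG-BLOCK-HTTP" disabled=no dst-address-list=!released_ips dst-port=80 protocol=tcp src-address-list=brb-block-notice to-addresses=$IPCTLR to-ports=8092
add action=dst-nat chain=dstnat comment="CTLR-MSG-BLOCK-HTTPS" disabled=no dst-address-list=!released_ips dst-port=443 protocol=tcp src-address-list=brb-block-notice to-addresses=$IPCTLR to-ports=8492
add action=dst-nat chain=dstnat comment="CTLR-MSG-CANCEL-HTTP" disabled=no dst-address-list=!released_ips dst-port=80 protocol=tcp src-address-list=brb-cancel-notice to-addresses=$IPCTLR to-ports=8093
add action=dst-nat chain=dstnat comment="CTLR-MSG-CANCEL-HTTPS" disabled=no dst-address-list=!released_ips dst-port=443 protocol=tcp src-address-list=brb-cancel-notice to-addresses=$IPCTLR to-ports=8493};
};
:delay 5s;
#NOTE This section is for notifying all your customers, e.g. during network maintenance; it only
# removes the old CTLR-AVISO rules here - enable it only if you know how it works.
:log warning "Redirecionamento para a tela de aviso";
:log warning "Removendo redirecionamentos de aviso antigos";
/ip firewall nat remove [find comment~"CTLR-AVISO"];
/tool netwatch remove [find comment="CTLR-AVISO"];
:delay 5s;
:log warning "Criando regras mangle";
:log warning "Removendo mangle antigo";
/ip firewall mangle remove [find comment~"CTLR"];
:log warning "Recriando regras do mangle";
# CHECK="sim": both the *-notice and *-auth lists jump to the CONTROLLR chain; otherwise a single-profile set.
:if ($CHECK = "sim") do={:log warning "Ira usar perfis com NOTICE e AUTH"; /ip firewall mangle {
add action=jump chain=prerouting comment=CTLR-JUMP-ALERT dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-alert-notice"
add action=jump chain=prerouting comment=CTLR-JUMP-PENDENCY dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-pendency-notice"
add action=jump chain=prerouting comment=CTLR-JUMP-BLOCK dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-block-notice"
add action=jump chain=prerouting comment=CTLR-JUMP-CANCEL dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-cancel-notice"
add action=jump chain=prerouting comment=CTLR-JUMP-ALERT dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-alert-auth"
add action=jump chain=prerouting comment=CTLR-JUMP-PENDENCY dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-pendency-auth"
add action=jump chain=prerouting comment=CTLR-JUMP-BLOCK dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-block-auth"
add action=jump chain=prerouting comment=CTLR-JUMP-CANCEL dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-cancel-auth"
add action=jump chain=prerouting comment=CTLR-JUMP-DISABLE dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-disabled"
add action=accept chain=CONTROLLR comment=CTLR-CHAIN-ACCEPT};
} else={:log warning "Nao usa dois perfis"; /ip firewall mangle {
add action=jump chain=prerouting comment=CTLR-JUMP-ALERT dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-alert-notice"
add action=jump chain=prerouting comment=CTLR-JUMP-PENDENCY dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-pendency-auth"
add action=jump chain=prerouting comment=CTLR-JUMP-BLOCK dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-block-auth"
add action=jump chain=prerouting comment=CTLR-JUMP-CANCEL dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-cancel-auth"
add action=jump chain=prerouting comment=CTLR-JUMP-DISABLE dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-disabled"
add action=accept chain=CONTROLLR comment=CTLR-CHAIN-ACCEPT};
};
:delay 5s;
:log warning "Criando address list";
:log warning "Removendo released_ips antigos";
/ip firewall address-list remove [find list=released_ips];
# released_ips = destinations a blocked/notified customer may still reach: the Controllr itself
# (private and, when different, public address) and the two Google DNS resolvers.
:if ($IPCTLRPUBLIC = $IPCTLR) do={:log warning "IP da maquina e igual o ip publico"; /ip firewall address-list {
add address=$IPCTLR list=released_ips
add address=8.8.8.8 list=released_ips
add address=8.8.4.4 list=released_ips};
} else={/ip firewall address-list {
add address=$IPCTLR list=released_ips
add address=8.8.8.8 list=released_ips
add address=8.8.4.4 list=released_ips
add address=$IPCTLRPUBLIC list=released_ips};
};
:delay 5s;
:log warning "Configurando Scheduler - Agendador";
# Every 2 minutes, move entries from brb-pendency-notice to brb-pendency-auth.
# Least privilege: the on-event only edits an address-list, which needs read+write; the
# previous policy also granted ftp, reboot, policy, password, sniff and sensitive.
/system scheduler {
remove [find name="Pendency"]
remove [find name~"CTLR-MSG"]
add interval=2m name="CTLR-MSG-PENDENCY" on-event="/ip firewall address-list set list=\"brb-pendency-auth\" [find where list=\"brb-pendency-notice\"]" policy=read,write start-time=startup};
:delay 5s;
:log warning "Habilitando a porta API do MK";
# The API (plain, port 8728) is limited to the Controllr address instead of address="" (any
# source). If your Controllr reaches the API from another address, add it to the list here.
/ip service set api address=$IPCTLR disabled=no port=8728;
:delay 5s;
:log warning "Setando o Interim Update";
/ppp aaa set interim-update=1m use-radius=yes;
:delay 5s;
:log warning "Configuracoes setadas com sucesso";
}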