  # MikroTik RouterOS configuration export (reads like a partial `/export`; the leading
  # "1.", "2." ... are paste-site gutter cells, not part of the configuration).
  # Lines starting with `#` are reviewer annotations; everything else is the original text.
  1. /interface bridge
  2. add name=bridge-wifi
  # arp=reply-only: the bridge answers ARP but learns no dynamic ARP entries, so guest
  # clients need an existing (e.g. DHCP-lease) ARP entry to talk through it. The DHCP
  # server for this bridge is not in this export - presumably it adds the entries; verify.
  3. add arp=reply-only name=bridge-wifi-guest
  4. add name=bridge-wifi-iot
  # bridge-wifi* have no ports and no addresses anywhere in this export - presumably
  # CAPsMAN datapath bridges configured elsewhere (see the "Unlock CAPsMAN" rule below).
  5. add comment=vlan192 name=bridge1
  6. add comment=vlan22 name=bridge1-vlan22
  7. add comment=vlan3000 name=bridge1-vlan3000
  8. /interface ethernet
  9. set [ find default-name=ether1 ] comment=WAN
  10. set [ find default-name=ether2 ] comment=LAN
  11. set [ find default-name=ether3 ] comment=Mikrotik-M1
  12. set [ find default-name=ether10 ] comment=Mikrotik-SW
  13. /interface vlan
  14. add interface=ether10 name=vlan-22 vlan-id=22
  15. add interface=ether10 name=vlan-192 vlan-id=192
  # "no-internet-access" is only a comment: nothing below references vlan-3000 or
  # bridge1-vlan3000 in a filter, NAT or route rule, so the isolation is not enforced here.
  16. add comment=no-internet-access interface=ether10 name=vlan-3000 vlan-id=3000
  # use-service-tag=yes: VLAN 3 is carried as an 802.1ad service (S-) tag on the WAN
  # port; this is the interface the second DHCP client (with the ubiq* options) runs on.
  17. add interface=ether1 name=vlan3-eth1 use-service-tag=yes vlan-id=3
  # vlan30-eth1 is defined but referenced nowhere else in this export.
  18. add interface=ether1 name=vlan30-eth1 vlan-id=30
  19. /interface list
  20. add name=WAN
  21. add name=LAN
  22. /ip dhcp-client option
  # Options the DHCP *client* can send. None of the mgts-* entries is referenced by
  # either dhcp-client below, so they are inert. The ubiq* entries send raw hex values
  # to the upstream server; what the bytes encode is not documented here.
  23. add code=2 name=mgts-option2
  24. add code=42 name=mgts-option42
  25. add code=33 name=mgts-option33
  26. add code=249 name=mgts-option249
  27. add code=121 name=mgts-option121
  28. add code=43 name=mgts-option43
  29. add code=43 name=ubiq-opt43 value=0x01045FA58164
  30. add code=121 name=ubiq_opt121 value=0x17005FA58001
  31. /ip pool
  # The pool spans the whole /24 (.2-.254) while firewall/NAT rules below pin
  # 192.168.1.14, .15, .23 and .52 as fixed hosts; static leases for them are not in
  # this export - without them the pool can hand those addresses to other clients.
  32. add name=dhcp ranges=192.168.1.2-192.168.1.254
  33. /ip dhcp-server
  # Served on bridge1, but the only 192.168.1.0/24 address below is bound to ether2
  # (a bridge1 port), not to bridge1 itself - see the note at /ip address.
  34. add address-pool=dhcp disabled=no interface=bridge1 name=dhcp-bridge1
  35. /interface bridge port
  36. add bridge=bridge1 interface=ether2
  37. add bridge=bridge1 interface=ether3
  38. add bridge=bridge1 interface=ether4
  39. add bridge=bridge1 interface=ether5
  40. add bridge=bridge1 interface=ether7
  41. add bridge=bridge1 interface=ether8
  42. add bridge=bridge1 interface=ether9
  # ether10 (untagged) and its child vlan-192 are both ports of bridge1 (line 45):
  # the same bridge reaches the switch on ether10 twice, once untagged and once
  # tagged 192 - worth confirming this double path is intended.
  43. add bridge=bridge1 interface=ether10
  44. add bridge=bridge1-vlan22 interface=vlan-22
  45. add bridge=bridge1 interface=vlan-192
  46. add bridge=bridge1-vlan3000 interface=vlan-3000
  # ether1 (WAN) is a bridge1 port kept in disabled state. Keep it disabled: enabling
  # it would bridge the WAN segment straight into the LAN, bypassing routing and the
  # filter chains entirely.
  47. add bridge=bridge1 disabled=yes interface=ether1
  48. add bridge=bridge1 interface=ether6
  49. add bridge=bridge1 interface=sfp1
  50. /interface list member
  51. add interface=ether1 list=WAN
  52. add interface=ether2 list=LAN
  53. add interface=ether3 list=LAN
  54. add interface=ether4 list=LAN
  55. add interface=ether5 list=LAN
  56. add interface=ether6 list=LAN
  57. add interface=ether7 list=LAN
  58. add interface=ether8 list=LAN
  59. add interface=ether9 list=LAN
  60. add interface=ether10 list=LAN
  61. add interface=sfp1 list=LAN
  62. add interface=bridge1 list=LAN
  63. /ip address
  # NOTE(review): 192.168.1.1/24 is bound to ether2, which is itself a port of bridge1
  # (line 36), while DHCP is served on bridge1 (line 34). A bridge member port is not
  # the usual place for the L3 address - confirm the address is actually active and
  # consider moving it to bridge1.
  64. add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
  65. /ip dhcp-client
  # Two upstream DHCP clients on the same physical WAN (untagged ether1 and S-tagged
  # VLAN 3). Which one supplies the default route is not visible in this export.
  66. add dhcp-options=clientid,hostname disabled=no interface=ether1
  67. add dhcp-options=clientid,ubiq_opt121,ubiq-opt43,hostname disabled=no interface=vlan3-eth1
  68. /ip firewall address-list
  # Only address_wifi is defined here. address_server, address_wifi_guest,
  # address_wifi_iot and Telegram are referenced by filter/mangle/NAT rules below but
  # are not populated in this export; a rule matching an empty list matches nothing,
  # so e.g. the masquerade rules for those lists are inert unless the lists exist elsewhere.
  69. add address=192.168.120.0/24 list=address_wifi
  70. /ip firewall filter
  # Review summary for this chain set: (1) the input chain has no final drop, so any
  # service not explicitly dropped above is reachable on every interface, WAN included,
  # and protection rests on the /ip service address filters further down; (2) the
  # forward chain likewise has no final drop for new connections from WAN; (3) the
  # WinBox staged blacklist below never fills its first stage. Details inline.
  # fasttrack-connection first: fasttracked connections skip the rest of the filter
  # and also bypass mangle, so the Telegram routing marks in /ip firewall mangle only
  # take effect on connections that are not fasttracked - presumably intended for
  # the first packet only; verify against the routing-mark behaviour you observe.
  71. add action=fasttrack-connection chain=forward connection-state=established,related
  # DNS to the router from the WAN side is also dropped in /ip firewall raw (prerouting
  # runs first), so these two input rules never see a matching packet; harmless but redundant.
  72. add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
  73. add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
  # 192.168.1.23 (a camera, per the comment) may only reach 192.168.1.52; every other
  # new forward connection from it is rejected. Note this sits after fasttrack, so
  # already-established flows of the camera are still fasttracked.
  74. add action=accept chain=forward comment="allow cam to node" dst-address=192.168.1.52 src-address=192.168.1.23
  75. add action=reject chain=forward reject-with=icmp-network-unreachable src-address=192.168.1.23
  # ICMP to the router is accepted from any interface with no rate limit.
  76. add action=accept chain=input protocol=icmp
  77. add action=accept chain=input comment="Unlock CAPsMAN" dst-address-type=local src-address-type=local
  78. add action=accept chain=forward connection-state=established,related
  # vpn-usa is not defined in this export (presumably a dynamic PPP/OVPN interface -
  # the remote logging of the "ovpn" topic below points that way).
  79. add action=accept chain=forward comment="Telegram VPN" connection-state=established,new in-interface=bridge1 out-interface=vpn-usa src-address-list=address_server
  80. add action=accept chain=forward connection-state=established,new in-interface=bridge-wifi out-interface=vpn-usa src-address-list=address_wifi
  81. add action=accept chain=forward connection-state=established,related in-interface=vpn-usa out-interface=bridge1
  82. add action=accept chain=forward connection-state=established,related in-interface=vpn-usa out-interface=bridge-wifi
  # Duplicate of line 78 (already accepted there). log-prefix without log=yes logs nothing.
  83. add action=accept chain=forward comment="1.1. Forward and Input Established and Related connections" connection-state=established,related log-prefix=debug-firewall
  84. add action=drop chain=forward connection-state=invalid
  85. add action=accept chain=input connection-state=established,related
  86. add action=drop chain=input connection-state=invalid
  # ddos-blacklist is filled only by line 88 (more than 100 concurrent TCP connections
  # from one source on ether1, held for 1d); listed sources are then tarpitted.
  87. add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=ddos-blacklist
  88. add action=add-src-to-address-list address-list=ddos-blacklist address-list-timeout=1d chain=input comment="1.2. DDoS Protect - Connection Limit" connection-limit=100,32 in-interface=ether1 protocol=tcp
  # Port-scan detection (psd) on ether1; line 95 repeats it for in-interface-list=WAN,
  # which contains only ether1 - one of the two is redundant.
  89. add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1
  # SYN-Protect: new TCP SYNs are returned (allowed) while under 200/s with burst 5,
  # otherwise dropped. Note the forward jump applies to all interfaces, the input jump
  # to ether1 only.
  90. add action=jump chain=forward comment="1.3. DDoS Protect - SYN Flood" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
  91. add action=return chain=SYN-Protect connection-state=new limit=200,5:packet protocol=tcp tcp-flags=syn
  92. add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
  93. add action=jump chain=input connection-state=new in-interface=ether1 jump-target=SYN-Protect protocol=tcp tcp-flags=syn
  94. add action=drop chain=input comment="1.4. Protected - Ports Scanners" src-address-list="Port Scanners"
  95. add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=none-dynamic chain=input in-interface-list=WAN protocol=tcp psd=21,3s,3,1
  # WinBox staged blacklist (lines 96-100). NOTE(review): the chain is
  # Stage 1 -> Stage 2 -> Stage 3 -> "Black List Winbox", but no rule in this export
  # ever adds a source to "Winbox Stage 1", so unless that list is fed elsewhere the
  # whole sequence never triggers and WinBox (8291) from the WAN is guarded only by
  # the /ip service address filter below. The usual first rule is a plain
  # add-src-to-address-list for new tcp/8291 on ether1 into "Winbox Stage 1" with a
  # short timeout, placed after line 100.
  96. add action=drop chain=input comment="1.5. Protected - WinBox Access" src-address-list="Black List Winbox"
  97. add action=add-src-to-address-list address-list="Black List Winbox" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=8291 in-interface=ether1 log=yes log-prefix="BLACK WINBOX" protocol=tcp src-address-list="Winbox Stage 3"
  98. add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface=ether1 protocol=tcp src-address-list="Winbox Stage 2"
  # Exact duplicate of line 94, and it splits the WinBox stage rules.
  99. add action=drop chain=input comment="1.4. Protected - Ports Scanners" src-address-list="Port Scanners"
  100. add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface=ether1 protocol=tcp src-address-list="Winbox Stage 1"
  # SNMP (udp/161) accepted from two fixed public sources on any interface. These are
  # the last input rules: there is no closing `add action=drop chain=input
  # in-interface-list=WAN`, so everything else is accepted by default.
  101. add action=accept chain=input comment="SNMP Monitoring" dst-port=161 protocol=udp src-address=213.183.63.14
  102. add action=accept chain=input dst-port=161 protocol=udp src-address=89.208.220.212
  103. /ip firewall mangle
  # Policy routing of traffic to the Telegram address list (not in this export) via
  # routing mark mark_telegram; the matching route/table is also not in this export.
  # passthrough=no stops mangle processing once marked.
  104. add action=mark-routing chain=prerouting comment="Mark Telegram" dst-address-list=Telegram new-routing-mark=mark_telegram passthrough=no src-address-list=address_server
  105. add action=mark-routing chain=prerouting comment="Mark Telegram" dst-address-list=Telegram new-routing-mark=mark_telegram passthrough=no src-address-list=address_wifi
  106. add action=mark-routing chain=prerouting comment="Mark Telegram" dst-address-list=Telegram new-routing-mark=mark_telegram passthrough=no src-address-list=address_wifi_guest
  107. /ip firewall nat
  # The generic ether1 masquerade is disabled; outbound NAT is granted per source list
  # instead. Hosts in 192.168.1.0/24 that are not in address_server (a list not
  # populated here) therefore have no visible outbound NAT on WAN in this export.
  108. add action=masquerade chain=srcnat disabled=yes out-interface=ether1
  109. add action=masquerade chain=srcnat out-interface=vpn-usa
  110. add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=address_wifi
  # to-addresses with action=masquerade: masquerade always uses the outgoing
  # interface's address, so to-addresses=192.168.1.15 here is presumably ignored -
  # if translation to a fixed address is intended, that is action=src-nat; verify.
  111. add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=address_server to-addresses=192.168.1.15
  112. add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=address_wifi_guest to-addresses=192.168.1.15
  113. add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=address_wifi_iot
  # action=return in the built-in dstnat chain ends dstnat processing for tcp/25570
  # from this one public source, i.e. it exempts that source from any later dst-nat
  # for that port. No dst-nat for 25570 appears in this export.
  114. add action=return chain=dstnat dst-port=25570 in-interface-list=WAN protocol=tcp src-address=185.165.241.35
  # Port forwards expose 192.168.1.14 to the internet on 80, 443 and 20-22 (FTP/SSH).
  # With no closing drop in the forward chain above, every forwarded port is reachable
  # from any WAN source; consider limiting the SSH/FTP forward by src-address.
  115. add action=dst-nat chain=dstnat comment="HTTP hub" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.14 to-ports=80
  116. add action=dst-nat chain=dstnat comment="HTTPS hub" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.1.14 to-ports=443
  # This line is cut off in the paste ("to-"); the to-ports value is missing.
  117. add action=dst-nat chain=dstnat comment="SSH/FTP hub" dst-port=20-22 in-interface=ether1 protocol=tcp to-addresses=192.168.1.14 to-
  118. /ip firewall raw
  # Drops DNS aimed at the router from the WAN side before connection tracking -
  # prevents the router acting as an open resolver. log-prefix without log=yes logs nothing.
  119. add action=drop chain=prerouting dst-port=53 in-interface=ether1 log-prefix="[firewall-dns]" protocol=tcp
  120. add action=drop chain=prerouting dst-port=53 in-interface=ether1 protocol=udp
  121. /ip route rule
  # Guest (192.168.129.0/24) and IoT (192.168.121.0/24) segmentation is done with
  # routing rules rather than filter rules. Neither subnet has an address in this
  # export (presumably on the CAPsMAN bridges). Only guest/iot -> servers is blocked;
  # servers -> guest/iot is not, which may be intended.
  122. add action=unreachable comment="guest -> servers : drop" dst-address=192.168.1.0/24 src-address=192.168.129.0/24
  123. add action=unreachable comment="iot -> servers : drop" dst-address=192.168.1.0/24 src-address=192.168.121.0/24
  124. add action=unreachable comment="guest -> iot : drop" dst-address=192.168.121.0/24 src-address=192.168.129.0/24
  125. add action=unreachable comment="iot -> guest : drop" dst-address=192.168.129.0/24 src-address=192.168.121.0/24
  126. /ip service
  # Because the input chain has no final drop, these address filters are the effective
  # access control for management. 192.168.0.0/16 includes the guest (192.168.129.0/24)
  # and IoT (192.168.121.0/24) subnets, so if the router holds an address in those
  # subnets, guest/IoT clients can reach ssh, api and winbox on it - tighten to the
  # management subnet(s). api is the plaintext API while api-ssl is disabled; www is
  # plain HTTP.
  127. set telnet disabled=yes
  128. set ftp disabled=yes
  129. set www address=192.168.1.0/24,192.168.120.0/24
  130. set ssh address=192.168.0.0/16
  131. set api address=192.168.0.0/16
  132. set winbox address=192.168.0.0/16,10.0.0.0/16
  133. set api-ssl disabled=yes
  134. /ip upnp
  # UPnP lets any internal host open inbound port mappings on the WAN (ether1) without
  # review; the internal side is set to ether9/ether10, which are bridge1 member ports
  # rather than the L3 interface - confirm this is the intended scope, or disable UPnP.
  135. set enabled=yes
  136. /ip upnp interfaces
  137. add interface=ether9 type=internal
  138. add interface=ether10 type=internal
  139. add interface=ether1 type=external
  140. /lcd
  141. set backlight-timeout=23h
  142. /routing rip
  # RIP v1/v2 is spoken on bridge1 (the LAN) with no authentication configured in this
  # export; if updates are also received there (the default), a LAN host could inject
  # routes. Review whether RIP on the LAN is needed at all.
  143. set garbage-timer=30s timeout-timer=1m update-timer=10s
  144. /routing rip interface
  145. add interface=bridge1 send=v1-2
  146. /system clock
  147. set time-zone-name=Europe/Moscow
  148. /system identity
  149. set name=MikroTik-M2
  150. /system logging
  # Remote syslog for most topics; the remote target (/system logging action) is not in
  # this export. The firewall topic is disabled (line 165), so the "BLACK WINBOX" log
  # rule above never reaches the remote collector. Line 166 duplicates line 154.
  151. add action=remote prefix="[account]" topics=account
  152. add action=remote prefix="[backup]" topics=backup
  153. add action=remote prefix="[crit]" topics=critical
  154. add action=remote prefix="[email]" topics=e-mail
  155. add action=remote prefix="[error]" topics=error
  156. add action=remote prefix="[info]" topics=info
  157. add action=remote prefix="[interface]" topics=interface
  158. add action=remote prefix="[ovpn]" topics=ovpn
  159. add action=remote prefix="[script]" topics=script
  160. add action=remote prefix="[ssh]" topics=ssh
  161. add action=remote prefix="[system]" topics=system
  162. add action=remote prefix="[warning]" topics=warning
  163. add action=remote prefix="[watchdog]" topics=watchdog
  164. add action=remote prefix="[caps]" topics=caps
  165. add action=remote disabled=yes topics=firewall
  166. add action=remote prefix="[email]" topics=e-mail
  167. /system scheduler
  # Daily backup job (the daily-backup script is not in this export). The policy grants
  # far more than a backup needs - password, sensitive, policy, sniff and romon among
  # them; trim it to what the script actually uses (least privilege).
  168. add interval=23h59m59s name=scheduler_daily-backup on-event=daily-backup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/29/2020 start-time=00:10:00