- # mar/19/2016 09:30:10 by RouterOS 6.34.2
- #
- # Port roles: ether1 is renamed to the WAN uplink, ether2 to the LAN port.
- # ether3-5 are attached to eth2-lan through master-port, so they share its
- # layer-2 segment and are not filtered separately from it by the IP firewall.
- /interface ethernet
- set [ find default-name=ether1 ] comment=WAN name=eth1-wan
- set [ find default-name=ether2 ] comment=LAN name=eth2-lan
- set [ find default-name=ether3 ] master-port=eth2-lan name=eth3-lan
- set [ find default-name=ether4 ] master-port=eth2-lan name=eth4-lan
- set [ find default-name=ether5 ] master-port=eth2-lan name=eth5-lan
- # Neighbor discovery is switched off on the WAN port and on the slave ports,
- # so the router does not announce itself upstream. eth2-lan only gets a
- # comment here, i.e. its discovery setting is left as it was.
- /ip neighbor discovery
- set eth1-wan comment=WAN discover=no
- set eth2-lan comment=LAN
- set eth3-lan discover=no
- set eth4-lan discover=no
- set eth5-lan discover=no
- # Wireless security profile used by wlan1 (security-profile=wpa2 below).
- # NOTE(review): the profile is named "wpa2" but authentication-types also lists
- # wpa-psk, so WPA1 clients are accepted as well; keep only wpa2-psk unless a
- # legacy client really needs WPA1.
- # NOTE(review): both pre-shared keys read "password" - presumably redacted for
- # posting. If that is the live key it must be replaced with a long random one.
- /interface wireless security-profiles
- add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wpa2 supplicant-identity="" wpa-pre-shared-key=password wpa2-pre-shared-key=password
- # wlan1 runs as an access point (mode=ap-bridge) with the SSID hidden and
- # default-authentication=no, so only stations listed in the wireless
- # access-list may associate.
- # NOTE(review): a hidden SSID and a MAC allow-list are not authentication -
- # both values are visible in unencrypted management frames. The pre-shared key
- # in the security profile is the control that actually protects this network.
- /interface wireless
- set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode area=home band=2ghz-b/g/n channel-width=20/40mhz-eC comment=WIR country=russia default-authentication=no disabled=no distance=indoors frequency=2472 hide-ssid=yes \
- hw-protection-mode=rts-cts mode=ap-bridge multicast-helper=full security-profile=wpa2 ssid=0xdeadbeef tx-power=21 tx-power-mode=all-rates-fixed wireless-protocol=802.11 wmm-support=enabled
- /interface wireless manual-tx-power-table
- set wlan1 comment=WIR
- /interface wireless nstreme
- set wlan1 comment=WIR
- # Neighbor discovery is also disabled on the wireless interface.
- /ip neighbor discovery
- set wlan1 comment=WIR discover=no
- # Default IPsec proposal limited to AES-128-CBC. No IPsec peer or policy
- # appears in this export, so this is presumably unused - confirm.
- /ip ipsec proposal
- set [ find default=yes ] enc-algorithms=aes-128-cbc
- # Separate address pools for the wired LAN (192.168.10.0/24) and the wireless
- # network (192.168.1.0/24).
- /ip pool
- add name=dhcp_lan_pool ranges=192.168.10.100-192.168.10.254
- add name=dhcp_wir_pool ranges=192.168.1.100-192.168.1.254
- # One DHCP server per segment; add-arp=yes makes the server add an ARP entry
- # for each lease.
- # NOTE(review): the interface ARP mode is not shown in this export; add-arp only
- # restricts unleased hosts when the interface is set to arp=reply-only - confirm.
- /ip dhcp-server
- add add-arp=yes address-pool=dhcp_lan_pool disabled=no interface=eth2-lan name=dhcp_lan
- add add-arp=yes address-pool=dhcp_wir_pool disabled=no interface=wlan1 name=dhcp_wireless
- # Logging actions: action 0 keeps 200 lines in memory; "weblog" sends log
- # entries to a remote host on the LAN.
- # NOTE(review): remote-port=546 is unusual for syslog (514 is the conventional
- # port) - confirm the collector really listens there. Every /system logging rule
- # that uses "weblog" is disabled further down, so nothing is shipped remotely and
- # only the in-memory log is available after an incident.
- /system logging action
- set 0 memory-lines=200
- add name=weblog remote=192.168.10.178 remote-port=546 src-address=192.168.10.1 target=remote
- # SYN cookies enabled for TCP connections terminating on the router itself.
- /ip settings
- set tcp-syncookies=yes
- # Allow-list of stations for wlan1. Together with default-authentication=no on
- # the interface, only these MAC addresses may associate.
- # NOTE(review): MAC addresses are sent in the clear and can be cloned, so this
- # list narrows who connects by accident rather than who can connect. The device
- # MACs are also published with this paste; redact them when sharing a config.
- /interface wireless access-list
- add comment=emachines interface=wlan1 mac-address=88:9F:FA:84:BE:72 vlan-mode=no-tag
- add comment="android asus" interface=wlan1 mac-address=BC:EE:7B:D2:A6:FE vlan-mode=no-tag
- add comment="android htc" interface=wlan1 mac-address=7C:61:93:35:D8:5E vlan-mode=no-tag
- add comment="android philips" interface=wlan1 mac-address=00:1D:07:ED:30:A6 vlan-mode=no-tag
- add comment=blackberry interface=wlan1 mac-address=48:9D:24:98:4A:8C vlan-mode=no-tag
- add comment="android sony" interface=wlan1 mac-address=30:A8:DB:8B:3D:E1 vlan-mode=no-tag
- # Router addresses: 192.168.10.1 on the wired LAN, 192.168.1.1 on wireless.
- /ip address
- add address=192.168.10.1/24 interface=eth2-lan network=192.168.10.0
- add address=192.168.1.1/24 interface=wlan1 network=192.168.1.0
- # The WAN address and default route are obtained from the ISP by DHCP.
- /ip dhcp-client
- add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=eth1-wan
- # Options handed to DHCP clients. Each network gets the router as first DNS
- # server and 8.8.8.8 as second, so clients may also resolve directly upstream.
- /ip dhcp-server network
- add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8 gateway=192.168.1.1 netmask=24 ntp-server=192.36.143.130
- add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=192.168.10.1 netmask=24 ntp-server=192.36.143.130
- # allow-remote-requests=yes turns the router into a DNS resolver for every host
- # that can reach it on port 53. Whether that includes the WAN side depends
- # entirely on the input chain of the firewall filter.
- # NOTE(review): 8.8.2.2 looks like a typo for 8.8.4.4 - confirm who operates that
- # address before sending queries to it.
- /ip dns
- set allow-remote-requests=yes servers=8.8.8.8,8.8.2.2
- # BOGON: source ranges that should never arrive from the public Internet
- # (reserved, loopback, link-local, private, shared address space, documentation,
- # multicast). The input chain uses this list for packets entering on eth1-wan.
- # NOTE(review): the list contains the private ranges and 100.64.0.0/10. If the
- # ISP assigns a private or carrier-NAT address to eth1-wan, traffic from the
- # upstream gateway to the router itself would match - confirm the WAN addressing.
- /ip firewall address-list
- add address=0.0.0.0/8 list=BOGON
- add address=10.0.0.0/8 list=BOGON
- add address=100.64.0.0/10 list=BOGON
- add address=127.0.0.0/8 list=BOGON
- add address=169.254.0.0/16 list=BOGON
- add address=172.16.0.0/12 list=BOGON
- add address=192.0.0.0/24 list=BOGON
- add address=192.0.2.0/24 list=BOGON
- add address=192.168.0.0/16 list=BOGON
- add address=198.18.0.0/15 list=BOGON
- add address=198.51.100.0/24 list=BOGON
- add address=203.0.113.0/24 list=BOGON
- add address=224.0.0.0/4 list=BOGON
- add address=240.0.0.0/4 list=BOGON
- # Filter rules are evaluated top to bottom within each chain; a packet that no
- # rule matches is accepted.
- /ip firewall filter
- # forward chain: established/related traffic is fast-tracked, then four rules
- # accept the port-forwarded torrent traffic.
- # NOTE(review): forward has no closing drop - apart from the invalid-state drop
- # below, everything is forwarded, so these accept rules change nothing. wlan1 and
- # eth2-lan can reach each other freely, and a packet arriving on eth1-wan that is
- # already addressed to a LAN host is routed in. Consider ending the chain with a
- # drop for new connections from eth1-wan that were not dst-natted
- # (connection-nat-state=!dstnat).
- add action=fasttrack-connection chain=forward connection-state=established,related
- add chain=forward comment="torrent forwarding" dst-address=192.168.10.178 dst-port=65192 in-interface=!eth2-lan protocol=udp
- add chain=forward comment="torrent forwarding" dst-address=192.168.10.178 dst-port=65192 in-interface=!eth2-lan protocol=tcp
- add chain=forward comment="torrent forwarding" dst-address=192.168.10.213 dst-port=65194 in-interface=!eth2-lan protocol=tcp
- add chain=forward comment="torrent forwarding" dst-address=192.168.10.213 dst-port=65194 in-interface=!eth2-lan protocol=udp
- # input chain: every new connection arriving on eth1-wan is rejected here. The
- # comment says "drop" but the action is reject, which answers each probe with an
- # ICMP port-unreachable. log-prefix is set without log=yes, so nothing is logged.
- add action=reject chain=input comment="drop all new in eth1-wan" connection-state=new in-interface=eth1-wan log-prefix=reject_new reject-with=icmp-port-unreachable
- add action=reject chain=input comment="drop from bogon" in-interface=eth1-wan src-address-list=BOGON
- add action=drop chain=input comment="drop invalid connections" connection-state=invalid
- add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
- # Blacklist handling: reject listed sources, then six detectors that add the
- # source address to "blacklist" (the action does not stop processing), then a
- # second reject so that a source listed a moment ago is refused at once.
- # NOTE(review): the first input rule already rejects every connection-state=new
- # packet on eth1-wan, so the detectors only ever see non-new packets there -
- # mostly replies to traffic the router itself started. The syn-flood, web proxy,
- # privileged-port and mikrotik-port rules therefore cannot fire on an inbound
- # scan, while the UDP 1-1030 rule can list an upstream server for 4w2d if its
- # reply lands on a low port the router used as source (presumably the case for
- # the NTP client on 123 - confirm). The ICMP type 11 rule lists any router that
- # reports an expired TTL, which is ordinary traceroute behaviour.
- # NOTE(review): listing a source from a single UDP, ICMP or SYN packet trusts an
- # address that can be forged. Moving the detectors above the reject rule as they
- # stand would let forged packets list the configured resolvers. Prefer an
- # explicit accept for connection-state=established,related at the top of input
- # and a plain drop for the rest.
- add action=reject chain=input comment="drop all from blacklist" reject-with=icmp-port-unreachable src-address-list=blacklist
- add action=add-src-to-address-list address-list=blacklist address-list-timeout=2m chain=input comment="icmp ttl expired attack" icmp-options=11 in-interface=eth1-wan protocol=icmp
- add action=add-src-to-address-list address-list=blacklist address-list-timeout=2m chain=input comment=syn-flood connection-limit=30,32 in-interface=eth1-wan protocol=tcp tcp-flags=syn
- add action=add-src-to-address-list address-list=blacklist address-list-timeout=4w2d chain=input comment="web proxy" dst-port=8080 in-interface=eth1-wan protocol=tcp
- add action=add-src-to-address-list address-list=blacklist address-list-timeout=4w2d chain=input comment="tcp priviliged ports" dst-port=1-1030 in-interface=eth1-wan protocol=tcp
- add action=add-src-to-address-list address-list=blacklist address-list-timeout=4w2d chain=input comment="udp priviliged ports" dst-port=1-1030 in-interface=eth1-wan log=yes protocol=udp
- add action=add-src-to-address-list address-list=blacklist address-list-timeout=4w2d chain=input comment="mikrotik ports" dst-port=8291,8728,8729,2000,5678 in-interface=eth1-wan protocol=tcp
- add action=reject chain=input comment="drop all from blacklist" reject-with=icmp-port-unreachable src-address-list=blacklist
- /ip firewall nat
- # Port forwards for two LAN hosts (TCP and UDP 65192 / 65194).
- # NOTE(review): these dst-nat rules match on port and protocol only - there is
- # no in-interface or dst-address. They therefore also rewrite LAN and wireless
- # traffic that leaves for any Internet host on those ports. Add
- # in-interface=eth1-wan so only inbound WAN traffic is translated.
- add action=dst-nat chain=dstnat comment="torrent forwarding" dst-port=65192 protocol=udp to-addresses=192.168.10.178 to-ports=65192
- add action=dst-nat chain=dstnat comment="torrent forwarding" dst-port=65192 protocol=tcp to-addresses=192.168.10.178 to-ports=65192
- add action=dst-nat chain=dstnat comment="torrent forwarding" dst-port=65194 protocol=udp to-addresses=192.168.10.213 to-ports=65194
- add action=dst-nat chain=dstnat comment="torrent forwarding" dst-port=65194 protocol=tcp to-addresses=192.168.10.213 to-ports=65194
- # Source NAT for both internal subnets when leaving through the WAN port.
- add action=masquerade chain=srcnat out-interface=eth1-wan src-address=192.168.10.0/24
- add action=masquerade chain=srcnat out-interface=eth1-wan src-address=192.168.1.0/24
- # Transparent proxying: plain HTTP (TCP 80) from both subnets is redirected to
- # port 8080 on the router, where the web proxy is enabled. HTTPS is untouched.
- add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address=192.168.10.0/24 to-ports=8080
- add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-ports=8080
- # All listed NAT helpers are disabled, which removes protocol-specific
- # connection tracking (and the dynamic pinholes it creates) for them.
- /ip firewall service-port
- set ftp disabled=yes
- set tftp disabled=yes
- set irc disabled=yes
- set h323 disabled=yes
- set sip disabled=yes
- set pptp disabled=yes
- # Web proxy enabled, caching to disk1/web_proxy, with outgoing requests sourced
- # from 192.168.10.1. No port is set here, so it presumably listens on the
- # default that the NAT redirect rules target (8080) - confirm.
- /ip proxy
- set cache-path=disk1/web_proxy enabled=yes max-cache-size=none src-address=192.168.10.1
- # Proxy access list: deny entries for advertising/tracking hosts (one disabled
- # entry for vk.com POSTs). Almost every entry is limited to method=GET.
- # NOTE(review): there is no rule restricting who may use the proxy, and requests
- # matching no entry are allowed. The only thing keeping it from being an open
- # proxy is the input-chain reject for new connections on eth1-wan; a src-address
- # allow rule followed by a final deny would not depend on that single rule.
- /ip proxy access
- add action=deny dst-host=*.yadro.ru* method=GET path=""
- add action=deny dst-host=*liveinternet.ru* method=GET
- add action=deny disabled=yes dst-host=*vk.com* method=POST
- add action=deny dst-host=*adriver.ru* method=GET
- add action=deny dst-host=*scorecardresearch.com* method=GET
- add action=deny dst-host=*rl0.ru* method=GET
- add action=deny dst-host=*mshcdn.com* method=GET
- add action=deny dst-host=*1dmp.io* method=GET
- add action=deny dst-host=*madnet.ru* method=GET
- add action=deny dst-host=*doubleclick.net* method=GET
- add action=deny dst-host=*imrk.net* method=GET
- add action=deny dst-host=*.revee.com* method=GET
- # Management services: every service is limited to sources in 192.168.10.0/24,
- # so the wireless subnet and the WAN cannot log in. telnet, ftp, api and api-ssl
- # are disabled; www, ssh, www-ssl and winbox only get the address restriction.
- # NOTE(review): www is plain HTTP, so admin credentials cross the LAN in the
- # clear. Whether www-ssl is enabled and has a certificate is not visible in this
- # export - confirm, then disable www.
- /ip service
- set telnet address=192.168.10.0/24 disabled=yes
- set ftp address=192.168.10.0/24 disabled=yes
- set www address=192.168.10.0/24
- set ssh address=192.168.10.0/24
- set www-ssl address=192.168.10.0/24
- set api address=192.168.10.0/24 disabled=yes
- set winbox address=192.168.10.0/24
- set api-ssl address=192.168.10.0/24 disabled=yes
- # SMB server enabled on eth2-lan, guest access off.
- # NOTE(review): both shares below are disabled, so the service listens without
- # serving anything. If file sharing is not in use, set enabled=no to remove the
- # listener; the header shows RouterOS 6.34.2, so check the vendor changelog for
- # SMB fixes released since.
- /ip smb
- set allow-guests=no domain=WORKGROUP enabled=yes interfaces=eth2-lan
- /ip smb shares
- set [ find default=yes ] disabled=yes
- add comment=silicon-power directory=/disk1 disabled=yes name=mikrotik
- # One SMB account with write access. No password appears in the export
- # (presumably omitted by the export itself) - confirm one is set.
- /ip smb users
- add name=Stanislav read-only=no
- /system clock
- set time-zone-name=Europe/Moscow
- # LED 0 is bound to the wireless interface.
- /system leds
- set 0 interface=wlan1
- # Remote logging rules for the "weblog" action - all five are disabled, so
- # proxy, wireless, firewall, DHCP and DNS events are not sent off the router.
- # NOTE(review): enable at least the firewall and wireless topics if the collector
- # at 192.168.10.178 is in use; the in-memory log holds only 200 lines.
- /system logging
- add action=weblog disabled=yes prefix=prefix topics=web-proxy,!debug
- add action=weblog disabled=yes prefix=prefix topics=wireless
- add action=weblog disabled=yes prefix=prefix topics=firewall
- add action=weblog disabled=yes prefix=prefix topics=dhcp,!debug
- add action=weblog disabled=yes prefix=prefix topics=dns,!packet
- # NTP client with two fixed server addresses.
- # NOTE(review): server-dns-names is meant for NTP server host names; 8.8.8.8 is
- # the DNS resolver used elsewhere in this config and looks misplaced - confirm.
- /system ntp client
- set enabled=yes primary-ntp=91.206.16.3 secondary-ntp=185.22.60.71 server-dns-names=8.8.8.8
- # Protected RouterBOOT is off, so the boot-time reset options remain available
- # to anyone with physical access to the device.
- /system routerboard settings
- set protected-routerboot=disabled
- # MAC-layer management: the default mac-server entry is disabled and a new one
- # is added for eth2-lan only.
- # NOTE(review): the mac-winbox and mac ping settings do not appear in this
- # export, so they are presumably at their defaults - confirm they are not
- # answering on eth1-wan.
- /tool mac-server
- set [ find default=yes ] disabled=yes
- add interface=eth2-lan