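[akoznov@wAP LTE] > export
# sep/15/2018 00:16:09 by RouterOS 6.43
# software id = XXX-XXX
#
# model = RouterBOARD wAP R-2nD
# serial number = XXXXXX
#
# Reviewed copy of the export. Lines tagged NOTE(review) / FIXME are reviewer
# comments; the concrete corrections made to the exported text are:
#   - three filter rules were written with chain=Input (capital I). Chain names
#     are case-sensitive, so they lived in an unreferenced custom chain and
#     never matched -> corrected to chain=input
#   - the SSH anti-bruteforce rules referenced ssh_blacklist but no rule ever
#     populated it -> the missing stage3 -> blacklist rule was added
#   - DNS arriving on the LTE uplink is now dropped explicitly (the resolver is
#     only meant for the LAN, see "Allow DNS from LAN")
#   - the IPsec peer pre-shared key had been exported in clear text; it is
#     redacted here like every other credential and must be rotated
#   - /interface l2tp-server had the invalid value enabled=np (see FIXME there)
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=Ce frequency=2412 name=wAP-LTE tx-power=20
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=Ce frequency=2437 name=hAP tx-power=20
/interface lte
set [ find ] band=3,7,20,38 mac-address=AC:FF:XX:00:00:00 name=lte1 network-mode=lte
/interface bridge
add fast-forward=no name=bridge1
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(20dBm), SSID: ShepShep, local forwarding
set [ find default-name=wlan1 ] band=2ghz-g/n country=russia disabled=no mode=ap-bridge ssid=ShepShep wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface l2tp-client
add connect-to=185.44.XX.XX disabled=no keepalive-timeout=disabled name=l2tp-out1 password=XXXXXXXXX user=shep
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=yes local-forwarding=yes name="CAPsMAN Datapath config"
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name="CAPsMAN Security config" passphrase=XXXXXXXXX
/caps-man configuration
add channel=wAP-LTE country=russia datapath="CAPsMAN Datapath config" mode=ap name=CAPs-Config rx-chains=0,1,2 security="CAPsMAN Security config" ssid=ShepShep tx-chains=0,1,2
/caps-man interface
add channel=hAP configuration=CAPs-Config datapath="CAPsMAN Datapath config" disabled=no l2mtu=1600 mac-address=XX:2D:XX:XX:D3:XX master-interface=none name="hAP lite" radio-mac=XX:2D:XX:XX:D3:XX security="CAPsMAN Security config"
add channel=wAP-LTE configuration=CAPs-Config disabled=no l2mtu=1600 mac-address=XX:2D:XX:XX:80:XX master-interface=none name=wAP-LTE radio-mac=XX:2D:XX:XX:80:XX
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=XXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXXX
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
# NOTE(review): md5 + 3des are deprecated algorithms. Move to sha256 + aes-256-cbc (or stronger) together with
# the peer at 185.44.8.188 — the proposal must be changed on both ends at the same time.
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/ip pool
add name=dhcp ranges=10.255.252.2-10.255.252.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=CAPs-Config
/interface bridge port
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# FIXME: the export read "enabled=np", which is not a valid value (yes|no). The server is kept off here: it has an
# empty ipsec-secret while use-ipsec=yes, and the only L2TP use visible in this config is the outbound l2tp-out1
# client. If inbound L2TP is really wanted, set a strong ipsec-secret first and then enable it deliberately.
set enabled=no ipsec-secret= use-ipsec=yes
/interface list member
add interface=lte1 list=WAN
# (the export also contained a LAN member with no interface; it matched nothing and was dropped)
add interface=bridge1 list=LAN
/interface pptp-server server
set enabled=no
/interface sstp-server server
set default-profile=default-encryption enabled=no
/interface wireless cap
#
set bridge=bridge1 caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1
/ip address
add address=10.255.252.1/24 interface=ether1 network=10.255.252.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.255.252.254 client-id=1:xx:69:xx:xx:0:xx comment="Xiaomi Mi-AIR 13.3" mac-address=xx:69:xx:xx:00:xx server=dhcp1
add address=10.255.252.2 always-broadcast=yes client-id=1:xx:2d:xx:35:xx:xx comment="MikroTik hAP lite" mac-address=xx:2D:xx:35:xx:xx server=dhcp1
/ip dhcp-server network
add address=10.255.252.0/24 dns-server=10.255.252.1 gateway=10.255.252.1
/ip dns
# NOTE(review): while the input chain has no active default-deny (see the filter section), allow-remote-requests=yes
# also answers queries that arrive on lte1, i.e. the router is an open resolver towards the Internet. The
# "Drop DNS from WAN" rules added below close that gap until "DROP ALL REQUEST" is re-enabled.
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 list=BOGON
add address=10.0.0.0/8 list=BOGON
add address=100.64.0.0/10 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=172.16.0.0/12 list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=192.168.0.0/16 list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=224.0.0.0/4 list=BOGON
add address=240.0.0.0/4 list=BOGON
/ip firewall filter
# NOTE(review): the input chain currently has NO active default-deny — "Drop BOGON", "Drop all INVALID" and
# "DROP ALL REQUEST" are all disabled=yes, so every accept rule in this chain is a no-op and every service
# (www, ssh, winbox, IKE, l2tp, pptp, sstp ...) is reachable from lte1. Before re-enabling "DROP ALL REQUEST",
# add an accept for DHCP (protocol=udp dst-port=67 in-interface=bridge1): there is none today and LAN clients
# would stop receiving leases the moment the default-deny is switched on.
# (this ICMP accept duplicates "Allow ICMP from all" further down; harmless)
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address=10.255.254.0/24
# corrected from chain=Input: chain names are case-sensitive, so this rule and the two other "Input" rules below
# sat in an unreferenced custom chain and were never evaluated
add action=accept chain=input src-address=172.16.40.0/30
add action=accept chain=output comment="CAPsMAN exceptions" dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
# corrected from chain=Input (see above)
add action=accept chain=input src-address=185.44.8.188
add action=accept chain=input dst-address=10.255.252.1 dst-port=80 protocol=tcp
add action=accept chain=output dst-address=10.255.252.0/24 port=5246,5247 protocol=udp src-address=10.255.252.0/24
# corrected from chain=Input (see above)
add action=accept chain=input dst-address=10.255.252.0/24 port=5246,5247 protocol=udp src-address=10.255.252.0/24
add action=drop chain=input comment="Drop BOGON network connections" disabled=yes in-interface=lte1 src-address-list=BOGON
add action=drop chain=input comment="Drop all INVALID" connection-state=invalid disabled=yes
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Allow all ESTABLISHED" connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=input comment="Allow all RELATED" connection-state=related
add action=accept chain=forward connection-state=related
add action=accept chain=input comment="Allow ICMP from all" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="Allow DNS from LAN" dst-port=53 in-interface=bridge1 protocol=udp src-address=10.255.252.0/24
# added: the resolver is only meant for the LAN (rule above), so refuse DNS that arrives on the LTE uplink
add action=drop chain=input comment="Drop DNS from WAN" dst-port=53 in-interface=lte1 protocol=udp
add action=drop chain=input comment="Drop DNS from WAN" dst-port=53 in-interface=lte1 protocol=tcp
# SSH anti-bruteforce: stage1 -> stage2 -> stage3 -> blacklist; the drop rule stays disabled=yes as in the export.
# FIXME: these rules watch dst-port=22, but the SSH service port is redacted (/ip service below) and the
# "Allow SSH from all" rule suggests it is 28282. Point them at the port SSH actually listens on or they never fire.
add action=drop chain=input comment="SSH anti-bruteforce" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# added: nothing populated ssh_blacklist before, so the drop rule above could never match
# (the 10d blacklist lifetime is a reviewer-chosen value — adjust to taste)
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow SSH from all" dst-port=28282 protocol=tcp
add action=accept chain=input comment="Allow WINBOX from all" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow NTP from LAN" dst-port=123 in-interface=bridge1 protocol=udp
add action=accept chain=forward comment="Access from LAN to Internet" in-interface=bridge1 src-address=10.255.252.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# NOTE(review): intended default-deny for input/forward; both are switched off (see the note at the top of this section)
add action=drop chain=input comment="DROP ALL REQUEST" disabled=yes
add action=drop chain=forward disabled=yes
/ip firewall nat
add action=accept chain=srcnat comment="masq. vpn traffic" disabled=yes dst-address=10.255.254.0/24 src-address=10.255.252.0/24
add action=masquerade chain=srcnat out-interface=lte1
# NOTE(review): 172.16.28.0/24 does not match the 172.16.40.0/30 transit network used by the input accept and the
# /ip route below — confirm which subnet the VPN transit actually uses
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=172.16.28.0/24
/ip ipsec peer
# The export had published this pre-shared key in clear text. It is redacted here like the other credentials;
# the key must be rotated on this router and on the peer, since the exported value has to be treated as exposed.
add address=185.44.8.188/32 exchange-mode=ike2 port=500 secret=XXXXXXXXX
/ip ipsec policy
# NOTE(review): sa-src-address pins the router's own public address. If lte1 receives a dynamic address this
# policy silently stops matching as soon as the address changes — confirm the LTE address is static.
add dst-address=10.255.254.0/24 sa-dst-address=185.44.8.188 sa-src-address=85.140.2.26 src-address=10.255.252.0/24 tunnel=yes
/ip route
add distance=1 dst-address=10.255.254.0/24 gateway=172.16.40.1 pref-src=172.16.40.2
/ip service
# NOTE(review): www, ssh and winbox accept connections from any address. Restricting them with
# address=10.255.252.0/24,10.255.254.0/24 (plus the VPN peer if it manages the box) limits exposure for as long as the
# input chain has no default-deny.
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxxx
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# NOTE(review): UPnP lets any LAN host open inbound ports on lte1 without firewall review; disable it unless a
# specific device depends on it
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=lte1 type=external
/system clock
set time-zone-name=Europe/Saratov
/system identity
set name="wAP LTE"
/system leds
# using RSRP, modem-signal-treshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-treshold ignored
add interface=lte1 leds=led2 modem-signal-treshold=-75 type=modem-signal
# using RSRP, modem-signal-treshold ignored
add interface=lte1 leds=led3 modem-signal-treshold=-59 type=modem-signal
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
set port=lte1 receive-enabled=yes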