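# sep/04/2019 19:07:08 by RouterOS 6.43.8
# model = 2011UiAS-2HnD
# You need some customization for your hardware (port count, port names, etc.).
# If you have a static WAN IP, set it in `/ip address`, then replace 'pppoe-wan_OR_sfp-wan'
# with the WAN interface name (in my case `sfp-wan`), and disable or remove the dhcp-client and pppoe-client lines.
# If you have a PPP user/password with a dynamic IP from your ISP, replace `pppoe-wan_OR_sfp-wan` with `pppoe-wan`
# and remove the line in `/ip address` that adds WAN_IP (the address is then assigned dynamically).
# Don't remember if anything else :P
#
# Placeholders that must be replaced before import: WAN_IP / WAN_MASK / WAN_INTERFACE / WAN_NETWORK in `/ip address`,
# the interface name `pppoe-wan_OR_sfp-wan`, and the PPPoE credentials (`user=luser password=passowrd`).
/interface bridge
add fast-forward=no name=LAN
# Rename physical ports; eth1-eth5 become LAN bridge ports below, sfp1 is the WAN uplink.
/interface ethernet
set [ find default-name=ether1 ] name=eth1
set [ find default-name=ether2 ] name=eth2
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5
set [ find default-name=ether6 ] name=eth6
set [ find default-name=ether7 ] name=eth7
set [ find default-name=ether8 ] name=eth8
set [ find default-name=ether9 ] name=eth9
set [ find default-name=ether10 ] name=eth10
set [ find default-name=sfp1 ] name=sfp-wan
# PPPoE session on the SFP port. The dhcp-client on sfp-wan further down is the alternative for a DHCP-assigned WAN;
# keep only one of the two (see header).
/interface pppoe-client
add comment="PPPoE WAN" disabled=no interface=sfp-wan keepalive-timeout=30 name=pppoe-wan password=passowrd user=luser
# Interface lists: 'discover' drives neighbor discovery, 'mac-winbox' is meant to scope layer-2 management access.
/interface list
add exclude=dynamic name=discover
add name=mac-winbox
/ip pool
add name=dhcp-pool ranges=192.168.0.2-192.168.0.80
/ip dhcp-server
add address-pool=dhcp-pool authoritative=after-2sec-delay disabled=no interface=LAN lease-time=9h name=dhcp-lan
# Per-host 1M caps during working hours (Mon-Fri 08:00-18:00) for two fixed LAN addresses.
/queue simple
add burst-limit=1M/1M burst-threshold=1M/1M burst-time=1s/1s max-limit=1M/1M name=queue1 target=192.168.0.101/32 time=8h-18h,mon,tue,wed,thu,fri
add burst-limit=1M/1M burst-threshold=1M/1M burst-time=1s/1s max-limit=1M/1M name=queue2 target=192.168.0.102/32 time=8h-18h,mon,tue,wed,thu,fri
# Only eth1-eth5 are bridged; eth6-eth10 are left standalone (presumably unused, adjust for your hardware).
/interface bridge port
add bridge=LAN interface=eth1
add bridge=LAN interface=eth5
add bridge=LAN interface=eth2
add bridge=LAN interface=eth3
add bridge=LAN interface=eth4
# NOTE(review): 'mac-winbox' is an interface list, not a physical interface; confirm this port entry is intended.
add bridge=LAN disabled=no interface=mac-winbox
# Neighbor discovery (MNDP/CDP/LLDP) is announced only on the 'discover' list, i.e. not on sfp-wan or pppoe-wan.
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=eth1 list=discover
add interface=eth2 list=discover
add interface=eth3 list=discover
add interface=eth4 list=discover
add interface=eth5 list=discover
# eth6 is the only ethernet port not in the discover list; presumably an oversight or a deliberately dark port.
add interface=eth7 list=discover
add interface=eth8 list=discover
add interface=eth9 list=discover
add interface=eth10 list=discover
add interface=LAN list=discover
add interface=LAN list=mac-winbox
add interface=eth5 list=mac-winbox
/ip address
add address=192.168.0.1/24 comment="ROUTER ADDRESS" interface=LAN network=192.168.0.0
# Static-WAN variant only (placeholder name fixed: WAIN_IP -> WAN_IP, matching the header). Remove this line for PPPoE/DHCP WAN.
add address=WAN_IP/WAN_MASK comment="ROUTER ADDRESS" interface=WAN_INTERFACE network=WAN_NETWORK
# DHCP-assigned WAN variant; remove if the PPPoE client or the static address above is used instead.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp-wan
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
# allow-remote-requests=yes turns the router into a DNS resolver for clients. It is not an open resolver only because
# the input chain in /ip firewall filter accepts port 53 solely with in-interface=LAN and drops everything else;
# keep that final drop in place if this setting stays on.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.105 name=some-server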
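# 'safe' = hosts granted full access to the router itself (input chain, below).
/ip firewall address-list
add address=192.168.0.0/24 list=safe
# Input chain (traffic to the router). Order matters: fast-path accepts, then scan/DoS detection,
# then the ICMP and services sub-chains, then a final drop.
/ip firewall filter
add action=accept chain=input comment="accept established connection packets" connection-state=established
add action=accept chain=input comment="accept related connection packets" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
# in-interface=LAN added: without it a packet arriving on the WAN with a spoofed 192.168.0.x source matches the whitelist.
add action=accept chain=input comment="Allow access to router from known network (addresses): safe" in-interface=LAN src-address-list=safe
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
# Sources already on black_list are tarpitted (and logged); the next rule populates that list for 1 day.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 log=yes log-prefix=DoS-TARPIT protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump: ICMP" jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump: services" jump-target=services
add action=accept chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
# Disabled catch-all logger; enable temporarily to see what the final drop is hitting.
add action=log chain=input disabled=yes log-prefix=Filter:
add action=drop chain=input comment="Drop anything else"
# Forward chain (traffic through the router). The original export had only the internet_ban jump here, so
# forwarding relied entirely on NAT; the accept/drop rules around it are the usual defaults for a NAT edge and
# the last one blocks WAN-originated connections that were not explicitly dst-natted.
add action=accept chain=forward comment="accept established/related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=jump chain=forward comment="Go to chain for banning computers access" jump-target=internet_ban
add action=drop chain=forward comment="drop new WAN connections not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan_OR_sfp-wan
# ICMP sub-chain: rate-limited accept for echo, unreachable (fragmentation-needed) and TTL-exceeded; drop the rest.
add action=accept chain=ICMP comment="0:0 and limit for 5p/sec" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
# Services sub-chain: rules carrying in-interface=LAN are LAN-only; any rule without it is reachable from the WAN
# once enabled. Of the WAN-reachable ones only OpenVPN (25885/tcp) is currently enabled.
add action=accept chain=services comment="accept localhost" dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment="allow MACwinbox " dst-port=20561 in-interface=LAN protocol=udp
add action=accept chain=services comment="Bandwidth server" disabled=yes dst-port=2000 protocol=tcp
add action=accept chain=services comment=" MT Discovery Protocol" dst-port=5678 in-interface=LAN protocol=udp
add action=accept chain=services comment="allow SNMP" dst-port=161 in-interface=LAN protocol=tcp
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add action=accept chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
add action=accept chain=services comment="Allow NTP" disabled=yes dst-port=123 protocol=udp
add action=accept chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=yes protocol=gre
add action=accept chain=services comment="allow OpenVPN" dst-port=25885 protocol=tcp
add action=accept chain=services comment="allow DNS request" dst-port=53 in-interface=LAN protocol=tcp
add action=accept chain=services comment="Allow DNS request" dst-port=53 in-interface=LAN protocol=udp
add action=accept chain=services comment=UPnP dst-port=1900 in-interface=LAN protocol=udp
add action=accept chain=services comment=UPnP dst-port=2828 in-interface=LAN protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=yes dst-port=67-68 protocol=udp
add action=accept chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add action=accept chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-ah
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=accept chain=services comment="Allow remote WinBox IP" disabled=yes dst-port=8291 protocol=tcp
add action=return chain=services comment="end: SERVICES"
# Per-host internet ban list keyed on source MAC; the sample entry is disabled.
add action=reject chain=internet_ban comment="BAN: -PC-NAME- internet" disabled=yes reject-with=icmp-net-prohibited src-mac-address=11:22:33:44:55:66
add action=return chain=internet_ban comment="END BAN LIST"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-wan_OR_sfp-wan
# Publishes RDP (3389) of 192.168.0.105 on port 12345 of every local address, WAN included. Port choice is not a
# control; if this must stay, narrow it with src-address-list=<ALLOWED_ADMIN_LIST> or reach the host over the OpenVPN
# service above instead.
add action=dst-nat chain=dstnat comment="RDP SERVER" dst-address-type=local dst-port=12345 protocol=tcp to-addresses=192.168.0.105 to-ports=3389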
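# Connection-tracking ALGs (service-port helpers) disabled; none of these protocols is used here and the helpers
# open dynamic pinholes.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Default route via the WAN interface (static/PPPoE variant). With the dhcp-client active this is a second default
# route; remove one of them as the header explains.
/ip route
add distance=1 gateway=pppoe-wan_OR_sfp-wan
# Management services: everything that stays enabled is bound to the LAN subnet. www-ssl now carries the same
# address restriction as www/ssh/winbox for consistency (the original line set only the certificate).
/ip service
set telnet disabled=yes
set ftp address=192.168.0.0/24 disabled=yes
set www address=192.168.0.0/24
set ssh address=192.168.0.0/24
set www-ssl address=192.168.0.0/24 certificate=ROUTER
set api address=192.168.0.0/24 disabled=yes
set winbox address=192.168.0.0/24
# NOTE(review): 192.168.2.0/24 appears nowhere else in this config; verify it is intended before enabling api-ssl.
set api-ssl address=192.168.0.0/24,192.168.2.0/24 disabled=yes
# UPnP lets any LAN host request inbound port mappings on the external interface, i.e. dynamic equivalents of the
# RDP dst-nat rule without review. Leave enabled only if LAN hosts are trusted to do that.
/ip upnp
set enabled=yes show-dummy-rule=no
/ip upnp interfaces
add type=internal
add interface=pppoe-wan_OR_sfp-wan type=external
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=ROUTER
/system logging
add topics=route,debug,!calc
add disabled=yes topics=pppoe
add topics=wireless,debug
/system ntp client
set enabled=yes primary-ntp=194.146.251.100 secondary-ntp=194.146.251.101 server-dns-names=pl.pool.ntp.org
/tool bandwidth-server
set enabled=no
# MAC-Telnet and MAC-WinBox are layer-2 services that the IP firewall above does not see. The original export had
# no /tool mac-server lines, so the default (all interfaces, WAN included) applied even though the 'mac-winbox'
# interface list was built for this purpose; bind both services to that list.
/tool mac-server
set allowed-interface-list=mac-winbox
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox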