VincentBr

Router 1

May 31st, 2023
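  # jun/01/2023 01:03:55 by RouterOS 7.7
  # software id =
  #
  # Reviewed export of router MKT-RT1 (paired with a second router over LACP-RT2
  # and VRRP). Listing gutter numbers from the paste were dropped so the text is
  # a plain RouterOS script again. Two settings were changed from the original:
  #   1. CAPsMAN SSIDs accept WPA2-PSK only (the original also allowed wpa-psk).
  #   2. Input-chain drops keep Guest and Cameras clients off the router's own
  #      management ports.
  # Everything else is unchanged; NOTE(review) comments mark items to confirm.

  # CAPsMAN wireless configurations: local forwarding on the CAP, client
  # traffic tagged into VLAN 40 (work) and VLAN 50 (guest).
  # Changed: authentication-types was "wpa-psk,wpa2-psk"; legacy WPA is dropped
  # so clients cannot negotiate down to it. Clients limited to WPA1 will no
  # longer associate.
  # NOTE(review): no passphrase appears in this export; presumably it was
  # omitted as a sensitive value - confirm both SSIDs have a strong one set.
  /caps-man configuration
  add country=belgium datapath.local-forwarding=yes .vlan-id=40 \
      .vlan-mode=use-tag name=Config_Work \
      security.authentication-types=wpa2-psk ssid=Wifi_Work
  add country=belgium datapath.local-forwarding=yes .vlan-id=50 \
      .vlan-mode=use-tag name=Config_Guest \
      security.authentication-types=wpa2-psk ssid=Wifi_Guest

  # Single VLAN-aware bridge; priority=0 gives it the lowest STP bridge priority.
  # NOTE(review): ingress-filtering=no is set on the bridge interface itself
  # while vlan-filtering=yes; confirm this is intentional, since with it off
  # the bridge does not check VLAN membership on ingress.
  /interface bridge
  add ingress-filtering=no name=bridge1 priority=0 vlan-filtering=yes

  # Physical ports renamed after their role (LACP members, access ports, WAN).
  /interface ethernet
  set [ find default-name=ether1 ] name=ether1-LACP-RT2
  set [ find default-name=ether2 ] name=ether2-LACP-RT2
  set [ find default-name=ether3 ] name=ether3-LACP-SW1
  set [ find default-name=ether4 ] name=ether4-LACP-SW1
  set [ find default-name=ether5 ] name=ether5-LACP-SW2
  set [ find default-name=ether6 ] name=ether6-LACP-SW2
  set [ find default-name=ether7 ] name=ether7-VLAN10-Servers
  set [ find default-name=ether8 ] name=ether8-VLAN10-Servers
  set [ find default-name=ether9 ] name=ether9-VLAN10-Servers
  set [ find default-name=ether10 ] name=ether10-VLAN99-Management
  set [ find default-name=ether11 ] name=sfp-sfpplus1-WAN

  # Layer-3 VLAN interfaces on the bridge, one per segment.
  /interface vlan
  add interface=bridge1 mtu=1496 name=Cameras vlan-id=30
  add interface=bridge1 mtu=1496 name=Guest vlan-id=50
  add interface=bridge1 mtu=1496 name=Hosts vlan-id=20
  add interface=bridge1 mtu=1496 name=Management vlan-id=99
  add interface=bridge1 mtu=1496 name=Servers vlan-id=10
  add interface=bridge1 mtu=1496 name=WiFi vlan-id=40

  # 802.3ad bonds towards the second router and the two switches.
  /interface bonding
  add mode=802.3ad name=LACP-RT2 slaves=ether1-LACP-RT2,ether2-LACP-RT2 \
      transmit-hash-policy=layer-2-and-3
  add mode=802.3ad name=LACP-SW1 slaves=ether3-LACP-SW1,ether4-LACP-SW1 \
      transmit-hash-policy=layer-2-and-3
  add mode=802.3ad name=LACP-SW2 slaves=ether5-LACP-SW2,ether6-LACP-SW2 \
      transmit-hash-policy=layer-2-and-3

  # One VRRP instance per VLAN; this router has priority 101 for Hosts,
  # Management and Servers and priority 99 for Cameras, Guest and WiFi.
  # NOTE(review): no VRRP authentication setting is exported. Confirm that the
  # less trusted segments (Guest, WiFi, Cameras) cannot deliver VRRP
  # advertisements to the routers, e.g. by filtering at the access layer.
  /interface vrrp
  add interface=Cameras mtu=1496 name="VRRP Cameras" priority=99 vrid=30
  add interface=Guest mtu=1496 name="VRRP Guest" priority=99 vrid=50
  add interface=Hosts mtu=1496 name="VRRP Hosts" priority=101 vrid=20
  add interface=Management mtu=1496 name="VRRP Management" priority=101 vrid=99
  add interface=Servers mtu=1496 name="VRRP Servers" priority=101 vrid=10
  add interface=WiFi mtu=1496 name="VRRP WiFi" priority=99 vrid=40

  # Interface lists referenced by the firewall rules below.
  /interface list
  add name=LAN
  add name=WAN

  /interface wireless security-profiles
  set [ find default=yes ] supplicant-identity=MikroTik

  # No DHCP server in this export references this pool; DHCP is relayed
  # (see /ip dhcp-relay).
  /ip pool
  add name=dhcp_pool0 ranges=172.16.20.100-172.16.20.200

  /port
  set 0 name=serial0

  # CAPsMAN manager is enabled and listens on bridge1 only (the default
  # "all interfaces" entry is set to forbid).
  # NOTE(review): no certificate settings are exported for the manager;
  # confirm whether CAP-to-manager certificate checks are wanted.
  /caps-man manager
  set enabled=yes
  /caps-man manager interface
  set [ find default=yes ] forbid=yes
  add disabled=no interface=bridge1

  # Every CAP that connects is provisioned with the work SSID as master and
  # the guest SSID as slave configuration (no radio-MAC or identity match is set).
  /caps-man provisioning
  add action=create-dynamic-enabled master-configuration=Config_Work \
      slave-configurations=Config_Guest

  # Bridge membership: bonds carry tagged traffic, ether7-9 are untagged in
  # VLAN 10 and ether10 is untagged in VLAN 99.
  # NOTE(review): the access ports have no frame-types restriction exported;
  # consider frame-types=admit-only-untagged-and-priority-tagged on ether7-10
  # if no attached device is expected to send tagged frames.
  /interface bridge port
  add bridge=bridge1 interface=LACP-RT2
  add bridge=bridge1 interface=LACP-SW1
  add bridge=bridge1 interface=ether7-VLAN10-Servers pvid=10
  add bridge=bridge1 interface=ether8-VLAN10-Servers pvid=10
  add bridge=bridge1 interface=ether9-VLAN10-Servers pvid=10
  add bridge=bridge1 interface=ether10-VLAN99-Management pvid=99
  add bridge=bridge1 interface=LACP-SW2

  # VLAN table: all six VLANs are tagged on the three bonds and on the bridge
  # (CPU port) so the VLAN interfaces above receive traffic.
  /interface bridge vlan
  add bridge=bridge1 tagged=LACP-RT2,LACP-SW1,LACP-SW2,bridge1 vlan-ids=20
  add bridge=bridge1 tagged=LACP-RT2,LACP-SW1,LACP-SW2,bridge1 vlan-ids=30
  add bridge=bridge1 tagged=LACP-RT2,LACP-SW1,LACP-SW2,bridge1 vlan-ids=40
  add bridge=bridge1 tagged=LACP-RT2,LACP-SW1,LACP-SW2,bridge1 vlan-ids=50
  add bridge=bridge1 tagged=LACP-RT2,LACP-SW1,LACP-SW2,bridge1 \
      untagged=ether10-VLAN99-Management vlan-ids=99
  add bridge=bridge1 tagged=LACP-RT2,LACP-SW1,LACP-SW2,bridge1 \
      untagged=ether7-VLAN10-Servers,ether8-VLAN10-Servers,ether9-VLAN10-Servers \
      vlan-ids=10

  # NOTE(review): Guest, Cameras and WiFi are members of LAN together with
  # Management. The input chain's only catch-all drop is "not coming from LAN",
  # so every VLAN listed here passes that rule; the per-segment drops added in
  # /ip firewall filter compensate for Guest and Cameras.
  /interface list member
  add interface=sfp-sfpplus1-WAN list=WAN
  add interface=bridge1 list=LAN
  add interface="VRRP Hosts" list=LAN
  add interface="VRRP Servers" list=LAN
  add interface="VRRP Cameras" list=LAN
  add interface="VRRP Guest" list=LAN
  add interface="VRRP WiFi" list=LAN
  add interface="VRRP Management" list=LAN
  add interface=Hosts list=LAN
  add interface=Servers list=LAN
  add interface=Cameras list=LAN
  add interface=Guest list=LAN
  add interface=WiFi list=LAN
  add interface=Management list=LAN

  # Per-VLAN router addresses (.254) and the shared VRRP gateway addresses (.1).
  /ip address
  add address=192.168.10.10/24 interface=sfp-sfpplus1-WAN network=192.168.10.0
  add address=172.16.10.254/24 interface=Servers network=172.16.10.0
  add address=172.16.20.254/24 interface=Hosts network=172.16.20.0
  add address=172.16.30.254/24 interface=Cameras network=172.16.30.0
  add address=172.16.40.254/24 interface=WiFi network=172.16.40.0
  add address=172.16.50.254/24 interface=Guest network=172.16.50.0
  add address=172.16.99.254/24 interface=Management network=172.16.99.0
  add address=172.16.10.1 interface="VRRP Servers" network=172.16.10.1
  add address=172.16.20.1 interface="VRRP Hosts" network=172.16.20.1
  add address=172.16.30.1 interface="VRRP Cameras" network=172.16.30.1
  add address=172.16.40.1 interface="VRRP WiFi" network=172.16.40.1
  add address=172.16.50.1 interface="VRRP Guest" network=172.16.50.1
  add address=172.16.99.1 interface="VRRP Management" network=172.16.99.1

  # DHCP for Hosts, WiFi and Guest is relayed to 172.16.10.11 in the Servers VLAN.
  /ip dhcp-relay
  add dhcp-server=172.16.10.11 disabled=no interface=Hosts name=Hosts
  add dhcp-server=172.16.10.11 disabled=no interface=WiFi name=Wifi
  add dhcp-server=172.16.10.11 disabled=no interface=Guest name=Guest

  # "Allowed" holds the two WAN-side hosts permitted to manage the router;
  # the other lists name each VLAN subnet for the forward rules.
  /ip firewall address-list
  add address=192.168.10.150 list=Allowed
  add address=192.168.10.1 list=Allowed
  add address=172.16.50.0/24 list=Guest
  add address=172.16.20.0/24 list=Hosts
  add address=172.16.10.0/24 list=Servers
  add address=172.16.30.0/24 list=Cameras
  add address=172.16.40.0/24 list=Wifi
  add address=172.16.99.0/24 list=Management

  /ip firewall filter
  # --- input chain: traffic addressed to the router itself ---
  add action=accept chain=input \
      comment="defconf: accept established,related,untracked" \
      connection-state=established,related,untracked
  add action=drop chain=input comment="defconf: drop invalid" \
      connection-state=invalid
  add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  add action=accept chain=input \
      comment="defconf: accept to local loopback (for CAPsMAN)" \
      dst-address=127.0.0.1
  # Winbox (tcp/8291) and SNMP (udp/161) are accepted from the Allowed list.
  add action=accept chain=input \
      comment="Winbox toelaten van WAN via specifiek IP adress" dst-port=8291 \
      protocol=tcp src-address-list=Allowed
  add action=accept chain=input \
      comment="SNMP toelaten van WAN via specifiek IP adress" dst-port=161 \
      protocol=udp src-address-list=Allowed
  # Added in review: Guest and Cameras arrive on interfaces that are in the LAN
  # list, so the final drop below never applies to them and the router's
  # management ports were reachable from those segments. These drops close
  # Winbox, SSH (assumed on its default port 22 - the ssh service is not in the
  # export) and SNMP for them without touching ICMP, DHCP relay or VRRP.
  add action=drop chain=input comment="review: no router management from Guest" \
      dst-port=22,8291 protocol=tcp src-address-list=Guest
  add action=drop chain=input \
      comment="review: no router management from Cameras" dst-port=22,8291 \
      protocol=tcp src-address-list=Cameras
  add action=drop chain=input comment="review: no SNMP from Guest" dst-port=161 \
      protocol=udp src-address-list=Guest
  add action=drop chain=input comment="review: no SNMP from Cameras" \
      dst-port=161 protocol=udp src-address-list=Cameras
  add action=drop chain=input comment="defconf: drop all not coming from LAN" \
      in-interface-list=!LAN
  # --- forward chain: traffic routed between segments ---
  add action=accept chain=forward comment="defconf: accept in ipsec policy" \
      ipsec-policy=in,ipsec
  add action=accept chain=forward comment="defconf: accept out ipsec policy" \
      ipsec-policy=out,ipsec
  add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
      connection-state=established,related hw-offload=yes
  add action=accept chain=forward \
      comment="defconf: accept established,related, untracked" \
      connection-state=established,related,untracked
  add action=drop chain=forward comment="defconf: drop invalid" \
      connection-state=invalid
  # Hosts, Servers and Wifi may reach each other in both directions, with no
  # port or protocol restriction.
  add action=accept chain=forward comment="accept hosts to servers" \
      dst-address-list=Servers src-address-list=Hosts
  add action=accept chain=forward comment="accept servers to hosts" \
      dst-address-list=Hosts src-address-list=Servers
  add action=accept chain=forward comment="accept wifi to servers" \
      dst-address-list=Servers src-address-list=Wifi
  add action=accept chain=forward comment="accept servers to wifi" \
      dst-address-list=Wifi src-address-list=Servers
  add action=accept chain=forward comment="accept wifi to hosts" \
      dst-address-list=Hosts src-address-list=Wifi
  add action=accept chain=forward comment="accept host to wifi" \
      dst-address-list=Wifi src-address-list=Hosts
  # Management may open connections to every LAN-list interface.
  add action=accept chain=forward comment="accept management to LAN" \
      out-interface-list=LAN src-address-list=Management
  # Cameras are refused towards the WAN; this must stay above the generic
  # LAN-to-WAN accept, which would otherwise match them first.
  add action=reject chain=forward comment="drop cameras to WAN" \
      out-interface-list=WAN reject-with=icmp-admin-prohibited \
      src-address-list=Cameras
  add action=accept chain=forward comment="Accept LAN to WAN" \
      in-interface-list=LAN out-interface-list=WAN
  # Despite its label, this rule admits port-forwarded connections only when
  # the source is in the Allowed list.
  add action=accept chain=forward \
      comment="defconf: accept all from WAN that is DSTNATed" \
      connection-nat-state=dstnat connection-state=new in-interface-list=WAN \
      src-address-list=Allowed
  # Default deny for everything not accepted above.
  add action=reject chain=forward comment="drop all" \
      reject-with=icmp-admin-prohibited

  # Source NAT out of the WAN port, plus port-forwards to Winbox (8291) and
  # SNMP (161) on 172.16.99.30 and 172.16.99.40 in the Management VLAN.
  # NOTE(review): the dst-nat rules carry no source restriction of their own;
  # they rely on the forward rule above that limits DSTNATed traffic to the
  # Allowed list. Keep the two in step when either is edited.
  /ip firewall nat
  add action=masquerade chain=srcnat out-interface=sfp-sfpplus1-WAN
  add action=dst-nat chain=dstnat dst-port=5030 in-interface=sfp-sfpplus1-WAN \
      protocol=tcp to-addresses=172.16.99.30 to-ports=8291
  add action=dst-nat chain=dstnat dst-port=30161 in-interface=sfp-sfpplus1-WAN \
      protocol=udp to-addresses=172.16.99.30 to-ports=161
  add action=dst-nat chain=dstnat dst-port=40161 in-interface=sfp-sfpplus1-WAN \
      protocol=udp to-addresses=172.16.99.40 to-ports=161
  add action=dst-nat chain=dstnat dst-port=5040 in-interface=sfp-sfpplus1-WAN \
      protocol=tcp to-addresses=172.16.99.40 to-ports=8291

  # Default route via the upstream gateway on the WAN subnet.
  /ip route
  add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.2 \
      pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
      target-scope=10

  # Telnet, FTP, HTTP and both API services are switched off.
  # NOTE(review): ssh and winbox are not listed, so they are presumably still
  # enabled with no address= restriction; consider limiting both to the
  # Management subnet and the Allowed hosts.
  /ip service
  set telnet disabled=yes
  set ftp disabled=yes
  set www disabled=yes
  set api disabled=yes
  set api-ssl disabled=yes

  # NOTE(review): SNMP is enabled but no /snmp community section is exported;
  # presumably the default community is still in use - confirm it has been
  # replaced and restricted to the monitoring host.
  /snmp
  set enabled=yes

  /system identity
  set name=MKT-RT1

  # MAC-Telnet and MAC ping are disabled.
  # NOTE(review): /tool mac-server mac-winbox is not in the export, so it is
  # presumably at its default; confirm it is restricted as well.
  /tool mac-server
  set allowed-interface-list=none
  /tool mac-server ping
  set enabled=no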