- # dec/12/2019 22:16:36 by RouterOS 6.46
- # software id =
- #
- #
- #
- # Dual-WAN router export: ether1/ether2 face two ISPs, ether3/ether4 serve two
- # LANs with DHCP, ether5 is labelled MGMT. Only port comments are set below.
- # NOTE(review): ether5 (MGMT) is not added to the WAN or LAN list and gets no
- # address anywhere in this export - confirm how management access is meant to work.
- /interface ethernet
- set [ find default-name=ether1 ] comment="to ISP1"
- set [ find default-name=ether2 ] comment="to ISP2"
- set [ find default-name=ether3 ] comment="to LAN1"
- set [ find default-name=ether4 ] comment="to LAN2"
- set [ find default-name=ether5 ] comment=MGMT
- # Interface lists used by the firewall: WAN is matched by the input/forward drop
- # rules and by the mangle rules; LAN is defined but not matched by any visible rule.
- /interface list
- add comment="For Internet" name=WAN
- add comment="For Local Area" name=LAN
- /interface wireless security-profiles
- set [ find default=yes ] supplicant-identity=MikroTik
- # DHCP pools: dhcp_pool0 is 192.168.88.1-.253 (the router holds .254 on ether3),
- # dhcp_pool1 is 172.16.100.2-.254 (the router holds .1 on ether4).
- /ip pool
- add name=dhcp_pool0 ranges=192.168.88.1-192.168.88.253
- add name=dhcp_pool1 ranges=172.16.100.2-172.16.100.254
- /ip dhcp-server
- add address-pool=dhcp_pool0 disabled=no interface=ether3 name=dhcp1
- add address-pool=dhcp_pool1 disabled=no interface=ether4 name=dhcp2
- # List membership: ether1 and ether2 are WAN, ether3 and ether4 are LAN.
- /interface list member
- add comment=ISP1 interface=ether1 list=WAN
- add comment=ISP2 interface=ether2 list=WAN
- add comment=LAN1 interface=ether3 list=LAN
- add comment=LAN2 interface=ether4 list=LAN
- # Static addressing for both LANs and both uplinks.
- # NOTE(review): the 88.88.88.0/29 and 44.44.44.0/29 uplink addresses look like
- # illustrative values - confirm against the provider-assigned ranges.
- /ip address
- add address=192.168.88.254/24 comment="LAN1 IP" interface=ether3 network=\
- 192.168.88.0
- add address=172.16.100.1/24 comment="LAN2 IP" interface=ether4 network=\
- 172.16.100.0
- add address=88.88.88.2/29 comment=ISP1 interface=ether1 network=88.88.88.0
- add address=44.44.44.2/29 comment=ISP2 interface=ether2 network=44.44.44.0
- # NOTE(review): a DHCP client is enabled on ether1, which also carries the static
- # ISP1 address above. add-default-route and use-peer-dns are not shown, so whatever
- # the export treats as default applies; a lease could install its own default route
- # and DNS servers alongside the routing below - confirm this entry is intended.
- /ip dhcp-client
- add disabled=no interface=ether1
- # Networks handed to DHCP clients; each gateway is the router's own LAN address.
- # No dns-server is given here, so clients get no resolver from these entries as shown.
- /ip dhcp-server network
- add address=172.16.100.0/24 gateway=172.16.100.1
- add address=192.168.88.0/24 gateway=192.168.88.254
- # Upstream resolvers for the router itself. allow-remote-requests is not shown;
- # presumably it is at its default - verify before relying on the router as a LAN resolver.
- /ip dns
- set servers=77.88.8.88,77.88.8.2
- # BOGONS: special-use and reserved IPv4 ranges that should not appear as source
- # addresses on an Internet-facing link.
- # NOTE(review): no filter, raw, mangle or NAT rule in this export references
- # list=BOGONS, so as shown the list has no effect on traffic.
- # The list contains 192.168.0.0/16 and 172.16.0.0/12, which cover both local LANs
- # (192.168.88.0/24, 172.16.100.0/24); any rule that uses it has to be scoped to WAN
- # ingress (e.g. in-interface-list=WAN with src-address-list=BOGONS) to avoid
- # cutting off the LANs.
- /ip firewall address-list
- add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
- add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
- add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=\
- BOGONS
- add address=127.0.0.0/8 comment=Loopback list=BOGONS
- add address=169.254.0.0/16 comment="Link Local" list=BOGONS
- add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
- add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
- add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
- add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
- add address=198.18.0.0/15 comment=\
- "Network Interconnect Device Benchmark Testing" list=BOGONS
- add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
- add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
- add address=224.0.0.0/4 comment=Multicast list=BOGONS
- add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
- add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
- add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS
- # Filter rules are evaluated top-down per chain; the order below is significant.
- /ip firewall filter
- # All ICMP addressed to the router, from any interface, is handed to the custom
- # "icmp" chain before connection state is checked. No rate limit is applied.
- # NOTE(review): because this jump precedes the established/related accept, ICMP
- # errors sent to the router other than time exceeded (for example destination
- # unreachable / fragmentation needed) end in the final drop of the icmp chain.
- add action=jump chain=input comment="ICMP from ALL" jump-target=icmp \
- protocol=icmp
- # Fast path: packets of already-known (or untracked) connections, to the router
- # and through it.
- add action=accept chain=input comment="Related Established Untracked Allow" \
- connection-state=established,related,untracked
- add action=accept chain=forward comment=\
- "Established, Related, Untracked allow" connection-state=\
- established,related,untracked
- # WAN-side input policy: invalid packets are dropped, then everything else
- # arriving on a WAN-list interface. The first rule matches a subset of the second.
- add action=drop chain=input comment="Invalid Drop WAN" connection-state=\
- invalid in-interface-list=WAN
- # NOTE(review): there is no input drop for non-WAN interfaces, so new connections
- # to the router from ether3, ether4 and ether5 fall through to the chain's implicit
- # accept. /ip service is not part of this export - confirm which management
- # services are enabled and from which addresses they may be reached.
- add action=drop chain=input comment="All other WAN Drop" in-interface-list=\
- WAN
- # Forward policy: drop invalid packets, then drop new connections from WAN that
- # were not destination-NATed. No dst-nat rule appears in this export, so as shown
- # every new WAN-initiated forward is dropped. Traffic between the two LANs is not
- # restricted by any rule here.
- add action=drop chain=forward comment="Invalid drop" connection-state=invalid
- add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
- connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
- # Custom icmp chain (reached only via the input jump above): accept echo reply
- # (0:0), echo request (8:0) and time exceeded (11:0); drop every other ICMP type.
- add action=accept chain=icmp comment="ICMP echo reply" icmp-options=0:0 \
- protocol=icmp
- add action=accept chain=icmp comment="ICMP echo request" icmp-options=8:0 \
- protocol=icmp
- add action=accept chain=icmp comment="ICMP time exceeded" icmp-options=11:0 \
- protocol=icmp
- add action=drop chain=icmp comment="DROP other icmp type" protocol=icmp
- # Mangle rules for dual-WAN policy routing. Every rule uses passthrough=no, so the
- # first rule that matches a packet ends mangle processing for it in that chain.
- /ip firewall mangle
- # Step 1: tag connections that are first seen arriving on an uplink, so replies
- # can be sent back out through the same ISP.
- add action=mark-connection chain=prerouting comment="Connmark in from ISP1" \
- connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 \
- passthrough=no
- add action=mark-connection chain=prerouting comment="Connmark in from ISP2" \
- connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 \
- passthrough=no
- # Step 2: for packets of those connections that arrive on a non-WAN interface and
- # are not addressed to the router, select the matching ISP routing table.
- add action=mark-routing chain=prerouting comment=\
- "Routemark transit out via ISP1" connection-mark=conn_isp1 \
- dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 \
- passthrough=no
- add action=mark-routing chain=prerouting comment=\
- "Routemark transit out via ISP2" connection-mark=conn_isp2 \
- dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 \
- passthrough=no
- # Step 3: the same selection for traffic the router itself originates.
- add action=mark-routing chain=output comment="Routemark local out via ISP1" \
- connection-mark=conn_isp1 dst-address-type=!local new-routing-mark=\
- to_isp1 passthrough=no
- add action=mark-routing chain=output comment="Routemark local out via ISP2" \
- connection-mark=conn_isp2 dst-address-type=!local new-routing-mark=\
- to_isp2 passthrough=no
- # Step 4: per-connection-classifier load balancing. The hash over both addresses
- # and ports is split in two: remainder 0 goes to to_isp1, remainder 1 to to_isp2.
- # NOTE(review): in-interface=!ether1 matches every ingress port except ether1
- # (ether2, ether3, ether4 and ether5). Since the 2/0 and 2/1 rules together cover
- # all hash values and both stop processing, any packet matching this first pair
- # never reaches the "Lan2" pair below, which therefore only sees packets that
- # arrived on ether1. The comments suggest per-LAN matching was intended (for
- # example the LAN ports or in-interface-list=LAN) - confirm.
- # NOTE(review): dst-address-type=!local excludes only the router's own addresses,
- # so LAN1<->LAN2 packets are also given an ISP routing mark here.
- add action=mark-routing chain=prerouting comment="LAN load balancing Lan1" \
- dst-address-type=!local in-interface=!ether1 new-routing-mark=to_isp1 \
- passthrough=no per-connection-classifier=both-addresses-and-ports:2/0
- add action=mark-routing chain=prerouting dst-address-type=!local \
- in-interface=!ether1 new-routing-mark=to_isp2 passthrough=no \
- per-connection-classifier=both-addresses-and-ports:2/1
- add action=mark-routing chain=prerouting comment="LAN load balancing Lan2" \
- dst-address-type=!local in-interface=!ether2 new-routing-mark=to_isp1 \
- passthrough=no per-connection-classifier=both-addresses-and-ports:2/0
- add action=mark-routing chain=prerouting dst-address-type=!local \
- in-interface=!ether2 new-routing-mark=to_isp2 passthrough=no \
- per-connection-classifier=both-addresses-and-ports:2/1
- # Source NAT only; this export contains no dst-nat (port-forward) rules.
- /ip firewall nat
- # Hairpin rule for LAN1 is present but disabled (disabled=yes).
- add action=src-nat chain=srcnat comment="Hairpin to LAN1" disabled=yes \
- out-interface=ether3 src-address=192.168.88.0/24 to-addresses=\
- 192.168.88.254
- # Traffic leaving through each uplink is rewritten to that uplink's static address.
- # ipsec-policy=out,none keeps packets that match an outbound IPsec policy out of NAT.
- # No src-address is given, so the rules apply to anything leaving via ether1/ether2.
- add action=src-nat chain=srcnat comment="NAT via ISP1" ipsec-policy=out,none \
- out-interface=ether1 to-addresses=88.88.88.2
- add action=src-nat chain=srcnat comment="NAT via ISP2" ipsec-policy=out,none \
- out-interface=ether2 to-addresses=44.44.44.2
- # All connection-tracking helpers are switched off, so no helper inspects these
- # protocols or creates "related" connections for them. Protocols that depend on a
- # helper to traverse NAT (active FTP, SIP, PPTP and the like) will not get one here.
- /ip firewall service-port
- set ftp disabled=yes
- set tftp disabled=yes
- set irc disabled=yes
- set h323 disabled=yes
- set sip disabled=yes
- set pptp disabled=yes
- set udplite disabled=yes
- set dccp disabled=yes
- set sctp disabled=yes
- # Routing: default routes point at 4.2.2.1 / 4.2.2.2, which are not directly
- # connected; they are resolved recursively through the two /32 routes at the end
- # of this section (scope=10), one per uplink.
- /ip route
- # Per-ISP tables: each has a main default route and a backup through the other
- # ISP's probe address (distance=2).
- # NOTE(review): the marked routes carry no check-gateway; only the unmarked
- # defaults and the /32 routes do - confirm failover between the tables behaves
- # as intended.
- add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 routing-mark=\
- to_isp1
- add comment="Marked via ISP1 Backup1" distance=2 gateway=4.2.2.2 \
- routing-mark=to_isp1
- add comment="Marked via ISP2 Main" distance=1 gateway=4.2.2.2 routing-mark=\
- to_isp2
- add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 \
- routing-mark=to_isp2
- # Main-table defaults for unmarked traffic, both at distance=2 with ping checks.
- add check-gateway=ping comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1
- add check-gateway=ping comment="Unmarked via ISP2" distance=2 gateway=4.2.2.2
- # Last-resort blackhole at distance=254; it takes effect only when no better
- # default route is active, so such traffic is discarded.
- add comment="Emergency route" distance=254 type=blackhole
- # Host routes that pin each probe address to one uplink's next hop.
- add check-gateway=ping comment="For recursion via ISP1" distance=1 \
- dst-address=4.2.2.1/32 gateway=88.88.88.1 scope=10
- # NOTE(review): gateway=44.44.44.2 is the router's own ether2 address (see
- # /ip address), whereas the ISP1 route above points at the neighbour 88.88.88.1.
- # This looks like a typo for the ISP2 next hop - confirm the provider gateway.
- add check-gateway=ping comment="For recursion via ISP2" distance=1 \
- dst-address=4.2.2.2/32 gateway=44.44.44.2 scope=10
- # Policy rules: packets with a routing mark are looked up in the table of the same
- # name; traffic to either LAN subnet is sent to the main table.
- # NOTE(review): rules are listed with the routing-mark entries first. A marked
- # packet addressed to the other LAN would presumably be resolved in the ISP table
- # before the "to LAN" rules are considered - verify inter-LAN traffic on the device.
- /ip route rule
- add comment="From ISP1 IP to Inet" routing-mark=to_isp1 table=to_isp1
- add comment="From ISP2 IP to Inet" routing-mark=to_isp2 table=to_isp2
- add comment="to LAN1" dst-address=192.168.88.0/24 table=main
- add comment="to LAN2" dst-address=172.16.100.0/24 table=main
- # System settings: time zone, device name, NTP client and RoMON.
- /system clock
- set time-zone-name=Europe/Moscow
- /system identity
- set name=Core-CHR
- # NTP client pointed at two servers by IP address (no DNS dependency).
- /system ntp client
- set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.227
- # NOTE(review): RoMON is enabled, but the export shows no secrets= value and no
- # /tool romon port entries. RoMON works at layer 2, so the /ip firewall filter
- # rules do not apply to it. Confirm that a secret is set (it may have been left
- # out of the export) and that RoMON is forbidden on the ISP-facing ports
- # ether1 and ether2.
- # NOTE(review): /ip service, /user, /tool mac-server and neighbour-discovery
- # settings do not appear in this export, which suggests they are at defaults -
- # review them before deploying this configuration.
- /tool romon
- set enabled=yes