  1. /ip ipsec mode-config
  2. add address=172.16.1.2 address-prefix-length=32 name=GRE split-include=\
  3. 172.16.1.1/32 system-dns=no
  4. /ip ipsec policy group
  5. add name=IKE2
  6. add name=GRE
  7. /ip ipsec profile
  8. set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-128 \
  9. lifetime=15m
  10. add enc-algorithm=aes-256,aes-128 name=IKE2
  11. /ip ipsec peer
  12. add exchange-mode=ike2 name=IKE2 passive=yes profile=IKE2 \
  13. send-initial-contact=no
  14. /ip ipsec proposal
  15. set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
  16. aes-256-cbc,aes-128-cbc pfs-group=none
  17. add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=\
  18. IKE2 pfs-group=none
  19. /ip pool
  20. add name=Gabi_DHCP ranges=10.10.11.100-10.10.11.200
  21. add name=WIFI ranges=10.10.12.100-10.10.12.200
  22. add name=LAN ranges=10.10.100.150-10.10.100.200
  23. add name=IKE2 ranges=10.10.13.10-10.10.13.100
  24. /ip dhcp-server
  25. add address-pool=Gabi_DHCP disabled=no interface=ether5 lease-time=1h name=\
  26. Gabi_DHCP
  27. add address-pool=WIFI disabled=no interface=WIFI name=WIFI
  28. add address-pool=LAN disabled=no interface=ether2 name=LAN
  29. /ip ipsec mode-config
  30. add address-pool=IKE2 address-prefix-length=32 name=IKE2
  31. /ip address
  32. add address=10.10.100.1/24 interface=ether2 network=10.10.100.0
  33. add address=10.10.110.1/24 interface=ether3 network=10.10.110.0
  34. add address=10.10.120.1/24 interface=ether4 network=10.10.120.0
  35. add address=10.10.11.1/24 interface=ether5 network=10.10.11.0
  36. add address=10.10.12.1/24 interface=WIFI network=10.10.12.0
  37. add address=172.16.1.1 interface=GRE_Site_to_Site network=172.16.1.1
  38. /ip dhcp-server network
  39. add address=10.10.11.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.11.1
  40. add address=10.10.12.0/24 gateway=10.10.12.1
  41. add address=10.10.100.0/24 gateway=10.10.100.1
  42. /ip firewall filter
  43. add action=accept chain=input dst-port=2250,8291 protocol=tcp
  44. add action=accept chain=input dst-port=500,1701,4500 protocol=udp
  45. add action=accept chain=input protocol=ipsec-esp
  46. add action=accept chain=input protocol=icmp tcp-flags=""
  47. add action=accept chain=input protocol=gre
  48. add action=accept chain=input in-interface=ether4 protocol=ospf
  49. add action=accept chain=input connection-state=established,related
  50. add action=drop chain=input connection-state=invalid
  51. add action=drop chain=input
  52. add action=accept chain=forward ipsec-policy=in,ipsec
  53. add action=accept chain=forward ipsec-policy=out,ipsec
  54. add action=fasttrack-connection chain=forward connection-state=\
  55. established,related
  56. add action=accept chain=forward connection-state=established,related,new
  57. add action=drop chain=forward connection-state=invalid
  58. /ip firewall mangle
  59. add action=change-mss chain=forward new-mss=1300 out-interface=DIGI_PPPoE \
  60. passthrough=yes protocol=tcp src-address=10.10.13.0/24 tcp-flags=syn
  61. /ip firewall nat
  62. add action=masquerade chain=srcnat out-interface=DIGI_PPPoE
  63. add action=dst-nat chain=dstnat dst-port=50000 in-interface=DIGI_PPPoE \
  64. protocol=tcp to-addresses=10.10.14.10 to-ports=50000
  65. add action=dst-nat chain=dstnat dst-port=50000 in-interface=DIGI_PPPoE \
  66. protocol=tcp to-addresses=10.10.100.50 to-ports=50000
  67. add action=dst-nat chain=dstnat dst-port=15000 in-interface=DIGI_PPPoE \
  68. protocol=tcp to-addresses=10.10.110.2 to-ports=15000
  69. add action=dst-nat chain=dstnat disabled=yes dst-port=12022 in-interface=\
  70. DIGI_PPPoE protocol=tcp to-addresses=10.10.11.140 to-ports=12002
  71. add action=dst-nat chain=dstnat dst-port=12002 in-interface=DIGI_PPPoE \
  72. protocol=tcp to-addresses=10.10.11.140 to-ports=12002
  73. add action=dst-nat chain=dstnat dst-port=22220 in-interface=DIGI_PPPoE \
  74. protocol=tcp to-addresses=10.10.11.118 to-ports=22220
  75. add action=dst-nat chain=dstnat dst-port=22220 in-interface=DIGI_PPPoE \
  76. protocol=udp to-addresses=10.10.11.118 to-ports=22220
  77. add action=dst-nat chain=dstnat disabled=yes dst-port=8001 in-interface=\
  78. DIGI_PPPoE protocol=tcp to-addresses=10.10.110.3 to-ports=8001
  79. add action=dst-nat chain=dstnat disabled=yes dst-port=8888 in-interface=\
  80. DIGI_PPPoE protocol=tcp to-addresses=10.10.11.140 to-ports=8888
  81. add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
  82. DIGI_PPPoE protocol=tcp to-addresses=10.10.110.3 to-ports=80
  83. /ip ipsec identity
  84. add auth-method=digital-signature certificate=server generate-policy=\
  85. port-strict mode-config=IKE2 peer=IKE2 policy-template-group=IKE2
  86. add generate-policy=port-strict mode-config=GRE peer=IKE2 \
  87. policy-template-group=GRE secret=Laci19881124
  88. /ip ipsec policy
  89. add dst-address=10.10.13.0/24 group=IKE2 proposal=IKE2 src-address=0.0.0.0/0 \
  90. template=yes
  91. add dst-address=172.16.1.2/32 group=GRE proposal=IKE2 src-address=\
  92. 172.16.1.1/32 template=yes
  93. /ip service
  94. set telnet disabled=yes
  95. set ftp disabled=yes
  96. set www disabled=yes
  97. set ssh address=10.10.100.50/32,10.10.14.0 port=2250
  98. set api disabled=yes
  99. set api-ssl disabled=yes
  100. /ip ssh
  101. set forwarding-enabled=remote strong-crypto=yes