- # apr/05/2019 14:05:13 by RouterOS 6.43.13
- # software id = GZ6A-PA2N
- #
- # model = 951Ui-2HnD
- # serial number =
- # NOTE(review): a RouterOS "/export" lists only settings that differ from the
- # defaults; anything absent below is at its factory value. Values shown as
- # "*" or "*****" were redacted for the paste, not set empty.
- /interface bridge
- add admin-mac=CC:2D:E0:***** auto-mac=no comment=defconf name=bridge
- /interface ethernet
- # ether1 is the upstream port (the PPPoE client below runs on it).
- # arp=reply-only: the router answers ARP for its own address but does not
- # learn dynamic ARP entries on this port.
- set [ find default-name=ether1 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=\
- reply-only comment=wan mac-address=00:26:*
- # ether2 feeds an unmanaged 24-port switch (per its comment); this is the LAN side.
- set [ find default-name=ether2 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
- "lan2 to asus 24 port ne upravlyaeniy"
- # ether3 is commented as unused but left enabled and bridged; consider
- # disabling unused ports the way ether4 is.
- set [ find default-name=ether3 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
- "not use off"
- # ether4 is administratively disabled (disabled=yes).
- set [ find default-name=ether4 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
- "live univisal zal" disabled=yes
- # PoE output is switched off on ether5.
- set [ find default-name=ether5 ] advertise=\
- 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full poe-out=off
- /interface pppoe-client
- # ISP uplink on ether1. add-default-route=yes makes the PPPoE session the
- # default route. user/password are blank here because the paste was redacted.
- add add-default-route=yes comment="dom ru isp" disabled=no interface=ether1 \
- name=pppoe-out-domru password= user=
- /interface wireless
- # 2.4 GHz access point. wps-mode=disabled removes the WPS attack surface and
- # default-forwarding=no isolates wireless clients from each other.
- # ssid="" looks like a redaction rather than a real empty SSID -- confirm.
- # default-authentication is not shown, so it presumably keeps its default;
- # see the access-list section further down for what that implies.
- set [ find default-name=wlan1 ] band=2ghz-onlyn comment=kinozal@59 \
- default-forwarding=no distance=indoors mode=ap-bridge ssid="" \
- wireless-protocol=802.11 wps-mode=disabled
- /interface wireless manual-tx-power-table
- set wlan1 comment=kinozal@59
- /interface wireless nstreme
- set wlan1 comment=kinozal@59
- /interface list
- # WAN/LAN come from defconf. "discover" and "mactel" are populated below but
- # not referenced anywhere (neighbor discovery is set to none and MAC-telnet
- # to none); only "mac-winbox" is actually used by /tool mac-server.
- add comment=defconf name=WAN
- add comment=defconf name=LAN
- add exclude=dynamic name=discover
- add name=mactel
- add name=mac-winbox
- /interface wireless security-profiles
- # Default profile: WPA2-PSK only (no WPA1), EAP disabled. disable-pmkid=yes
- # stops the AP from sending the PMKID in the first handshake frame, which
- # closes the offline PSK-recovery path that relies on it. Key redacted.
- set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
- eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik \
- wpa2-pre-shared-key=*
- /ip dhcp-server
- # LAN DHCP is bound to the bridge interface.
- add disabled=no interface=bridge name=dhcp1
- /ip firewall layer7-protocol
- # Payload regexps used by the forward-chain reject rules. RouterOS runs these
- # only against the first few packets of a connection, and the matching is
- # CPU-intensive. The dots are unescaped ("ok.ru" also matches "okXru"), and
- # the matcher for the Microsoft/Skype telemetry hosts has the unhelpful
- # name "add".
- add name="soc -vk" regexp=\
- "^.+(odnoklassniki|odnoklasniki|facebook|ok.ru).*\$"
- add name=add regexp="^.+(rad.msn.com|apps.skype.com|vortex-win.data.microsoft.\
- com|settings-win.data.microsoft.com).*\$"
- add name=GOOGLE regexp="^.+(google.ru|google.com).*\$"
- add name="GOOGLE mail" regexp="^.+(mail.google.ru|mail.google.com).*\$"
- /ip pool
- # LAN leases .70-.100; OVPN clients are assigned from 172.16.6.2-30.
- add name=dhcp ranges=192.168.1.70-192.168.1.100
- add name=OVPN_srv_pool ranges=172.16.6.2-172.16.6.30
- /ppp profile
- # Profile handed to OVPN clients. use-compression=yes turns on compression
- # inside an encrypted tunnel, which is discouraged (compression-oracle /
- # VORACLE class of weaknesses); use-compression=no is the safer setting.
- add local-address=172.16.6.1 name=OVPN_server remote-address=OVPN_srv_pool \
- use-compression=yes
- /queue type
- # Per-source-address fair queue, referenced by the (disabled) Burst queue.
- add kind=pcq name=pcq-custom pcq-classifier=src-address pcq-limit=1000KiB
- /queue simple
- add burst-limit=10M/10M burst-threshold=5M/5M burst-time=20s/20s disabled=yes \
- max-limit=1M/1M name=Burst target=192.168.1.0/24 total-queue=pcq-custom
- /snmp community
- # security=private selects SNMPv3 with authentication and encryption, but
- # neither the auth/encryption passwords nor an addresses= restriction is
- # visible here -- confirm they are set, and that /snmp is enabled only if the
- # router is actually polled. The empty name is probably a redaction.
- set [ find default=yes ] name="" security=private
- /interface bridge port
- # Bridge membership: ether2..5 are the active LAN ports. The wlan1 and ether1
- # entries are disabled; ether1 is the WAN port and must never become an
- # active bridge member -- deleting its entry is safer than leaving it disabled.
- add bridge=bridge comment=defconf interface=ether2
- add bridge=bridge comment=defconf disabled=yes interface=wlan1
- add bridge=bridge disabled=yes interface=ether1
- add bridge=bridge interface=ether3
- add bridge=bridge interface=ether4
- add bridge=bridge interface=ether5
- /ip firewall connection tracking
- # Idle established TCP connections expire after 1h (default is 1d), which
- # bounds the size of the connection table.
- set enabled=yes tcp-established-timeout=1h
- /ip neighbor discovery-settings
- # No MNDP/CDP/LLDP advertisements on any interface; the "discover" list
- # populated below is therefore unused.
- set discover-interface-list=none
- /ip settings
- # SYN cookies protect the router's own listeners against SYN floods.
- set tcp-syncookies=yes
- /interface list member
- # The bare "add list=discover" and "add list=WAN" entries have no interface
- # and are dead config. "mactel" is not referenced by /tool mac-server
- # (allowed-interface-list=none), so it is unused as well.
- add comment=defconf interface=bridge list=LAN
- add interface=wlan1 list=discover
- add interface=ether2 list=discover
- add interface=ether3 list=discover
- add interface=ether4 list=discover
- add interface=ether5 list=discover
- add interface=bridge list=discover
- add list=discover
- add interface=ether2 list=mactel
- add interface=wlan1 list=mactel
- add interface=ether2 list=mac-winbox
- add interface=wlan1 list=mac-winbox
- add interface=pppoe-out-domru list=WAN
- add list=WAN
- /interface ovpn-server server
- # OpenVPN server: a client certificate is mandatory on top of the PPP secret,
- # AES-128. enabled= is not shown, so the server presumably sits at its
- # default (off) -- confirm. No input rule explicitly admits its port; when
- # enabled it is reachable only because the input chain has no terminating
- # drop rule, so add an explicit accept before ever adding one.
- set certificate=ovpn-SRV cipher=aes128 default-profile=OVPN_server \
- require-client-certificate=yes
- /interface wireless access-list
- # Single MAC entry. Unless default-authentication=no is set on wlan1 (it is
- # not in the /interface wireless section above) this list does not restrict
- # who may associate; it only applies per-client settings (vlan-mode here).
- # Confirm which behaviour is intended.
- add comment="sony zl kornilov" interface=wlan1 mac-address=18:00:2**** \
- vlan-mode=no-tag
- /ip address
- # The LAN address is bound to ether2, which is itself a bridge port, while
- # the DHCP server is bound to the bridge. RouterOS expects the address on the
- # bridge interface -- this looks like a leftover and may break DHCP; confirm.
- add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
- /ip cloud
- # No time/DDNS updates from the MikroTik cloud service.
- set update-time=no
- /ip dhcp-client
- # DHCP clients on ether1 (alongside the PPPoE session) and on wlan1, even
- # though wlan1 runs as an AP -- likely remnants of an earlier setup; confirm.
- add dhcp-options=hostname,clientid interface=wlan1
- add dhcp-options=hostname,clientid interface=ether1
- /ip dhcp-server config
- set store-leases-disk=15m
- /ip dhcp-server network
- # address=192.168.1.0/32 together with netmask=24 is inconsistent;
- # 192.168.1.0/24 is almost certainly intended, otherwise leases from the pool
- # may not receive the gateway/DNS options -- confirm on a client.
- add address=192.168.1.0/32 dns-server=192.168.1.1 gateway=192.168.1.1 \
- netmask=24
- /ip dns
- # The router is a recursive resolver for the LAN. allow-remote-requests=yes
- # also answers on the WAN side; the only rules preventing open-resolver abuse
- # from the Internet are the port-53 drops from WAN in /ip firewall filter, so
- # keep those in place.
- set allow-remote-requests=yes servers=\
- 77.88.8.7,77.88.8.3,193.58.251.251,208.67.222.222
- /ip dns static
- add address=192.168.1.1 name=router.lan
- /ip firewall address-list
- # Bogon/private destinations that the raw rule below drops (and logs) on the
- # way out to WAN. 192.168.0.0/16 includes the LAN itself, which is fine for
- # an out-interface-list=WAN match. 224.0.0.0/4 and 240.0.0.0/4 are not listed.
- add address=0.0.0.0/8 list=BOGONS
- add address=10.0.0.0/8 list=BOGONS
- add address=100.64.0.0/10 list=BOGONS
- add address=127.0.0.0/8 list=BOGONS
- add address=169.254.0.0/16 list=BOGONS
- add address=172.16.0.0/12 list=BOGONS
- add address=192.0.0.0/24 list=BOGONS
- add address=192.0.2.0/24 list=BOGONS
- add address=192.168.0.0/16 list=BOGONS
- add address=198.18.0.0/15 list=BOGONS
- add address=198.51.100.0/24 list=BOGONS
- add address=203.0.113.0/24 list=BOGONS
- /ip firewall filter
- # Forward rules 1-3: layer7 content filtering for LAN sources. They sit before
- # the established/related accept on purpose (the L7 matcher needs to see the
- # first packets of a connection), so every LAN-originated forward packet runs
- # through the regexps -- costly, and a rule reorder would silently disable
- # them. Two of the three are disabled.
- add action=reject chain=forward comment="ok block" layer7-protocol="soc -vk" \
- protocol=tcp reject-with=tcp-reset src-address=192.168.1.0/24
- add action=accept chain=forward comment="google mail" disabled=yes \
- layer7-protocol="GOOGLE mail" protocol=tcp src-address=192.168.1.0/24
- add action=reject chain=forward comment="google block" disabled=yes \
- layer7-protocol=GOOGLE protocol=tcp reject-with=tcp-reset src-address=\
- 192.168.1.0/24
- add action=accept chain=forward comment="accept established,related forward" \
- connection-state=established,related
- add action=accept chain=input comment="accept established,related, input" \
- connection-state=established,related
- # Input from WAN: ping is dropped, then a fixed port list (53 appears twice)
- # for UDP and TCP. There is NO terminating "drop everything else from WAN"
- # rule in the input chain (the defconf one is missing), so any other router
- # service -- winbox, the OVPN server, anything enabled later -- is reachable
- # from the Internet. Add `add action=drop chain=input in-interface-list=WAN`
- # as the last input rule, after explicit accepts for what must stay open,
- # and read the note on the raw notrack rule below before doing so.
- add action=drop chain=input comment="drop echo request wan" icmp-options=8:0 \
- in-interface-list=WAN protocol=icmp
- add action=drop chain=input comment="drop flood on port udp" dst-port=\
- 21,22,53,5060,4569,389,53,161 in-interface-list=WAN protocol=udp
- add action=drop chain=input comment="drop flood on port tcp" dst-port=\
- 21,22,53,5060,4569,389,53,161 in-interface-list=WAN protocol=tcp
- add action=drop chain=forward comment=\
- "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
- connection-state=new in-interface-list=WAN
- # Scan detection: sources matching these patterns are listed for two weeks
- # and dropped by the last input rule. Neither the detectors nor that drop is
- # limited to in-interface-list=WAN, so a LAN host that trips one (a security
- # scanner, a misbehaving device) locks itself out of the router for 2w.
- # The last detector (all TCP flags clear, i.e. a null scan) has no comment.
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="Port scanners to list " \
- protocol=tcp psd=21,3s,3,1
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
- protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
- tcp-flags=fin,syn
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
- tcp-flags=syn,rst
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
- tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
- tcp-flags=fin,syn,rst,psh,ack,urg
- add action=add-src-to-address-list address-list="port scanners" \
- address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
- !fin,!syn,!rst,!psh,!ack,!urg
- add action=drop chain=forward comment="defconf: drop invalid" \
- connection-state=invalid
- add action=drop chain=input comment="defconf: drop invalid input" \
- connection-state=invalid
- add action=drop chain=input comment="dropping port scanners" \
- src-address-list="port scanners"
- /ip firewall nat
- # defconf masquerade for everything leaving via WAN (IPsec-policy traffic excluded).
- add action=masquerade chain=srcnat comment="defconf: masquerade" \
- ipsec-policy=out,none out-interface-list=WAN
- /ip firewall raw
- # notrack on all router-originated traffic: replies to the router's own
- # connections (DNS to the upstream servers, NTP) then arrive in input without
- # matching connection-state=established. They get through today only because
- # input has no terminating drop; if one is added, first accept
- # connection-state=untracked on input (or remove this rule), or DNS and NTP
- # from the router will break.
- add action=notrack chain=output
- # Every LAN->WAN packet to a bogon/private destination is dropped and logged;
- # log=yes with no rate limit can be noisy on a busy LAN.
- add action=drop chain=forward dst-address-list=BOGONS log=yes \
- out-interface-list=WAN
- /ip firewall service-port
- # All NAT helpers (ALGs) disabled -- good: the FTP/SIP/H.323/PPTP helpers are
- # a known source of unintended pinholes through NAT.
- set ftp disabled=yes
- set tftp disabled=yes
- set irc disabled=yes
- set h323 disabled=yes
- set sip disabled=yes
- set pptp disabled=yes
- set dccp disabled=yes
- set sctp disabled=yes
- /ip proxy access
- # Deny-all access rule for the web proxy; whether /ip proxy itself is enabled
- # is not visible in this export -- it should stay off unless needed.
- add action=deny
- /ip route
- # Disabled static route via 192.168.1.1, the router's own LAN address; dead
- # config, safe to delete.
- add disabled=yes distance=1 gateway=192.168.1.1
- /ip service
- # Plaintext/legacy management (telnet, ftp, www, api) and ssh are off.
- # winbox and www-ssl are not listed, so they keep their defaults: winbox
- # enabled on 8291 with no address restriction. Since the input chain has no
- # terminating WAN drop, restrict it: `set winbox address=192.168.1.0/24`.
- # ssh is already LAN-limited by address= should it be re-enabled.
- set telnet disabled=yes
- set ftp disabled=yes
- set www disabled=yes
- set ssh address=192.168.1.0/24 disabled=yes
- set api disabled=yes
- set api-ssl disabled=yes
- /ip upnp
- # Only the dummy-rule display flag is set; whether UPnP is enabled is not
- # visible here. UPnP lets LAN hosts open inbound ports by themselves -- keep
- # it off.
- set show-dummy-rule=no
- /ppp secret
- # Three OVPN accounts sharing one profile (passwords redacted). The "test"
- # account is the kind that gets forgotten; disable or delete it when it is
- # not in active use. The OVPN server also requires a client certificate.
- add name=ceo password=* profile=OVPN_server service=ovpn
- add name=admin password=* profile=OVPN_server service=ovpn
- add name=test password=* profile=OVPN_server service=ovpn
- /system clock
- set time-zone-name=Europe/Moscow
- /system identity
- set name=core
- /system ntp client
- # Plain (unauthenticated) NTP to two hard-coded IPs; correct time matters for
- # certificate validity on the OVPN server and for log correlation.
- set enabled=yes primary-ntp=85.254.217.3 secondary-ntp=37.193.156.169
- /system package update
- # long-term channel; the export header shows 6.43.13 installed.
- set channel=long-term
- /system script
- # Script with an empty source and read,write,test policy -- dead config;
- # delete it rather than leave a named, privileged script around.
- # dont-require-permissions=no is the safe setting.
- add dont-require-permissions=no name=NTPServerUpdate owner=fok policy=\
- read,write,test source=""
- /system watchdog
- set automatic-supout=no watchdog-timer=no
- /tool bandwidth-server
- # btest server disabled (it is enabled by default and can be abused to
- # generate traffic).
- set authenticate=no enabled=no
- /tool mac-server
- # MAC-telnet disabled everywhere; MAC-winbox only on ether2 and wlan1 (the
- # mac-winbox list); MAC ping off. Layer-2 management is thus LAN-only.
- set allowed-interface-list=none
- /tool mac-server mac-winbox
- set allowed-interface-list=mac-winbox
- /tool mac-server ping
- set enabled=no
- /tool romon
- # RoMON: enabled= is not shown (default off); the global secret is empty and
- # the per-port secret is redacted. If RoMON is ever enabled, set a secret.
- set secrets=""
- /tool romon port
- set [ find default=yes ] secrets=*