  1. # apr/05/2019 14:05:13 by RouterOS 6.43.13
  2. # software id = GZ6A-PA2N
  3. #
  4. # model = 951Ui-2HnD
  5. # serial number =
# Review notes are added below as RouterOS '#' comments; the exported commands
# themselves are unchanged. Secrets are masked ('*') as in the original export,
# and a non-verbose export omits values that are still at their default, so any
# setting not listed here is at its default on the device.
  6. /interface bridge
  7. add admin-mac=CC:2D:E0:***** auto-mac=no comment=defconf name=bridge
  8. /interface ethernet
  9. set [ find default-name=ether1 ] advertise=\
  10. 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=\
  11. reply-only comment=wan mac-address=00:26:*
  12. set [ find default-name=ether2 ] advertise=\
  13. 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
  14. "lan2 to asus 24 port ne upravlyaeniy"
  15. set [ find default-name=ether3 ] advertise=\
  16. 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
  17. "not use off"
  18. set [ find default-name=ether4 ] advertise=\
  19. 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
  20. "live univisal zal" disabled=yes
  21. set [ find default-name=ether5 ] advertise=\
  22. 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full poe-out=off
# PPPoE credentials (user=, password=) are blanked in this export.
  23. /interface pppoe-client
  24. add add-default-route=yes comment="dom ru isp" disabled=no interface=ether1 \
  25. name=pppoe-out-domru password= user=
# AP on 2.4 GHz n-only with client isolation (default-forwarding=no) and WPS off.
# ssid="" is presumably masked rather than really empty — confirm on the device.
  26. /interface wireless
  27. set [ find default-name=wlan1 ] band=2ghz-onlyn comment=kinozal@59 \
  28. default-forwarding=no distance=indoors mode=ap-bridge ssid="" \
  29. wireless-protocol=802.11 wps-mode=disabled
  30. /interface wireless manual-tx-power-table
  31. set wlan1 comment=kinozal@59
  32. /interface wireless nstreme
  33. set wlan1 comment=kinozal@59
  34. /interface list
  35. add comment=defconf name=WAN
  36. add comment=defconf name=LAN
  37. add exclude=dynamic name=discover
  38. add name=mactel
  39. add name=mac-winbox
# Default security profile: WPA2-PSK only (no WPA1 mixed mode), PMKID disabled; PSK masked.
  40. /interface wireless security-profiles
  41. set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
  42. eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik \
  43. wpa2-pre-shared-key=*
  44. /ip dhcp-server
  45. add disabled=no interface=bridge name=dhcp1
# Layer7 matchers inspect packet payload with a regex. Note where they are used in
# /ip firewall filter below: the "soc -vk" rule is the first rule of the forward
# chain, ahead of the established,related accept, so every forwarded TCP packet
# from 192.168.1.0/24 is regex-matched rather than only the start of each
# connection. Moving the established,related accept above the L7 rules keeps the
# same blocking effect with far less per-packet work (and the entries here match
# on bare domain names, so the regexps are easy to bypass by design — they are a
# policy filter, not a security control).
  46. /ip firewall layer7-protocol
  47. add name="soc -vk" regexp=\
  48. "^.+(odnoklassniki|odnoklasniki|facebook|ok.ru).*\$"
  49. add name=add regexp="^.+(rad.msn.com|apps.skype.com|vortex-win.data.microsoft.\
  50. com|settings-win.data.microsoft.com).*\$"
  51. add name=GOOGLE regexp="^.+(google.ru|google.com).*\$"
  52. add name="GOOGLE mail" regexp="^.+(mail.google.ru|mail.google.com).*\$"
  53. /ip pool
  54. add name=dhcp ranges=192.168.1.70-192.168.1.100
  55. add name=OVPN_srv_pool ranges=172.16.6.2-172.16.6.30
  56. /ppp profile
  57. add local-address=172.16.6.1 name=OVPN_server remote-address=OVPN_srv_pool \
  58. use-compression=yes
  59. /queue type
  60. add kind=pcq name=pcq-custom pcq-classifier=src-address pcq-limit=1000KiB
  61. /queue simple
  62. add burst-limit=10M/10M burst-threshold=5M/5M burst-time=20s/20s disabled=yes \
  63. max-limit=1M/1M name=Burst target=192.168.1.0/24 total-queue=pcq-custom
# Default SNMP community renamed to "" with security=private (SNMPv3 auth+priv
# required). Whether the SNMP service is enabled at all (/snmp set enabled=) is
# not in this export, i.e. it is at its default — verify on the device.
  64. /snmp community
  65. set [ find default=yes ] name="" security=private
# ether1 (WAN) is a bridge port but disabled as such; wlan1 is also a disabled
# bridge port, so wireless clients are not bridged into the LAN here.
  66. /interface bridge port
  67. add bridge=bridge comment=defconf interface=ether2
  68. add bridge=bridge comment=defconf disabled=yes interface=wlan1
  69. add bridge=bridge disabled=yes interface=ether1
  70. add bridge=bridge interface=ether3
  71. add bridge=bridge interface=ether4
  72. add bridge=bridge interface=ether5
  73. /ip firewall connection tracking
  74. set enabled=yes tcp-established-timeout=1h
# Neighbor discovery is off on all interfaces; the "discover" list populated
# below is therefore unused.
  75. /ip neighbor discovery-settings
  76. set discover-interface-list=none
  77. /ip settings
  78. set tcp-syncookies=yes
# The "add list=discover" and "add list=WAN" entries carry no interface (empty
# members). The WAN list contains only pppoe-out-domru: if ether1 itself obtains an
# address (a dhcp-client is configured on it below), traffic arriving directly on
# ether1 does not match the in-interface-list=WAN rules in the filter chains.
  79. /interface list member
  80. add comment=defconf interface=bridge list=LAN
  81. add interface=wlan1 list=discover
  82. add interface=ether2 list=discover
  83. add interface=ether3 list=discover
  84. add interface=ether4 list=discover
  85. add interface=ether5 list=discover
  86. add interface=bridge list=discover
  87. add list=discover
  88. add interface=ether2 list=mactel
  89. add interface=wlan1 list=mactel
  90. add interface=ether2 list=mac-winbox
  91. add interface=wlan1 list=mac-winbox
  92. add interface=pppoe-out-domru list=WAN
  93. add list=WAN
# OVPN server requires client certificates (good); cipher=aes128. Its enabled=
# state is not in the export (default) — confirm intent. Accounts are in
# /ppp secret below.
  94. /interface ovpn-server server
  95. set certificate=ovpn-SRV cipher=aes128 default-profile=OVPN_server \
  96. require-client-certificate=yes
  97. /interface wireless access-list
  98. add comment="sony zl kornilov" interface=wlan1 mac-address=18:00:2**** \
  99. vlan-mode=no-tag
# The LAN address is on ether2, which is a bridge port, while the DHCP server
# (dhcp1) is bound to the bridge. Normally the address belongs on the bridge
# interface; as configured the DHCP server may have no matching address on its
# interface — TODO confirm on the device.
  100. /ip address
  101. add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
  102. /ip cloud
  103. set update-time=no
# A DHCP client on wlan1 (an AP interface) looks like a leftover — verify.
  104. /ip dhcp-client
  105. add dhcp-options=hostname,clientid interface=wlan1
  106. add dhcp-options=hostname,clientid interface=ether1
  107. /ip dhcp-server config
  108. set store-leases-disk=15m
# address=192.168.1.0/32 does not cover the dhcp pool 192.168.1.70-192.168.1.100;
# this was almost certainly meant to be 192.168.1.0/24 (netmask=24 is set as a
# separate option). Leases may be handed out without gateway/DNS — verify.
  109. /ip dhcp-server network
  110. add address=192.168.1.0/32 dns-server=192.168.1.1 gateway=192.168.1.1 \
  111. netmask=24
# allow-remote-requests=yes turns the router into a DNS resolver. UDP/TCP 53 from
# the WAN list is dropped by the input rules below, so this is not an open
# resolver as long as every uplink is actually in the WAN list (see note above).
  112. /ip dns
  113. set allow-remote-requests=yes servers=\
  114. 77.88.8.7,77.88.8.3,193.58.251.251,208.67.222.222
  115. /ip dns static
  116. add address=192.168.1.1 name=router.lan
# BOGONS covers RFC 1918 and other non-routable ranges (including the local LAN
# range); it is only referenced by the raw rule that drops and logs forwarded
# traffic to these destinations leaving via WAN.
  117. /ip firewall address-list
  118. add address=0.0.0.0/8 list=BOGONS
  119. add address=10.0.0.0/8 list=BOGONS
  120. add address=100.64.0.0/10 list=BOGONS
  121. add address=127.0.0.0/8 list=BOGONS
  122. add address=169.254.0.0/16 list=BOGONS
  123. add address=172.16.0.0/12 list=BOGONS
  124. add address=192.0.0.0/24 list=BOGONS
  125. add address=192.0.2.0/24 list=BOGONS
  126. add address=192.168.0.0/16 list=BOGONS
  127. add address=198.18.0.0/15 list=BOGONS
  128. add address=198.51.100.0/24 list=BOGONS
  129. add address=203.0.113.0/24 list=BOGONS
# Input chain: there is no final drop for traffic arriving from WAN. Only ICMP
# echo and the listed UDP/TCP ports are dropped, and scanner sources are dropped
# after being listed; every other listening service is reachable from the WAN
# side (winbox and www-ssl are not in this export, so they are at their default
# state — see /ip service below). The stock defconf closes the input chain with
# a rule dropping everything not from the LAN list; adding that rule after the
# established,related accept (and an explicit LAN accept) would close the gap.
# Before doing so, note the raw "notrack chain=output" rule further down: it
# disables tracking for router-originated traffic, so replies to it will not
# match established,related on input and must be accepted explicitly (or the
# notrack rule narrowed). Also: port 53 is listed twice in the two "drop flood"
# rules, and "drop flood" is a misnomer — they are plain port drops, not
# rate limits.
  130. /ip firewall filter
  131. add action=reject chain=forward comment="ok block" layer7-protocol="soc -vk" \
  132. protocol=tcp reject-with=tcp-reset src-address=192.168.1.0/24
  133. add action=accept chain=forward comment="google mail" disabled=yes \
  134. layer7-protocol="GOOGLE mail" protocol=tcp src-address=192.168.1.0/24
  135. add action=reject chain=forward comment="google block" disabled=yes \
  136. layer7-protocol=GOOGLE protocol=tcp reject-with=tcp-reset src-address=\
  137. 192.168.1.0/24
  138. add action=accept chain=forward comment="accept established,related forward" \
  139. connection-state=established,related
  140. add action=accept chain=input comment="accept established,related, input" \
  141. connection-state=established,related
  142. add action=drop chain=input comment="drop echo request wan" icmp-options=8:0 \
  143. in-interface-list=WAN protocol=icmp
  144. add action=drop chain=input comment="drop flood on port udp" dst-port=\
  145. 21,22,53,5060,4569,389,53,161 in-interface-list=WAN protocol=udp
  146. add action=drop chain=input comment="drop flood on port tcp" dst-port=\
  147. 21,22,53,5060,4569,389,53,161 in-interface-list=WAN protocol=tcp
  148. add action=drop chain=forward comment=\
  149. "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
  150. connection-state=new in-interface-list=WAN
# The port-scanner rules have no in-interface-list=WAN restriction, so a LAN host
# that trips psd or sends odd flag combinations is blacklisted for two weeks as
# well — probably intended, but worth knowing when debugging lost LAN access.
  151. add action=add-src-to-address-list address-list="port scanners" \
  152. address-list-timeout=2w chain=input comment="Port scanners to list " \
  153. protocol=tcp psd=21,3s,3,1
  154. add action=add-src-to-address-list address-list="port scanners" \
  155. address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
  156. protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
  157. add action=add-src-to-address-list address-list="port scanners" \
  158. address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
  159. tcp-flags=fin,syn
  160. add action=add-src-to-address-list address-list="port scanners" \
  161. address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
  162. tcp-flags=syn,rst
  163. add action=add-src-to-address-list address-list="port scanners" \
  164. address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
  165. tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
  166. add action=add-src-to-address-list address-list="port scanners" \
  167. address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
  168. tcp-flags=fin,syn,rst,psh,ack,urg
  169. add action=add-src-to-address-list address-list="port scanners" \
  170. address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
  171. !fin,!syn,!rst,!psh,!ack,!urg
  172. add action=drop chain=forward comment="defconf: drop invalid" \
  173. connection-state=invalid
  174. add action=drop chain=input comment="defconf: drop invalid input" \
  175. connection-state=invalid
  176. add action=drop chain=input comment="dropping port scanners" \
  177. src-address-list="port scanners"
  178. /ip firewall nat
  179. add action=masquerade chain=srcnat comment="defconf: masquerade" \
  180. ipsec-policy=out,none out-interface-list=WAN
# notrack on the whole output chain: router-originated connections are not
# tracked (see the input-chain note above for the consequence).
  181. /ip firewall raw
  182. add action=notrack chain=output
  183. add action=drop chain=forward dst-address-list=BOGONS log=yes \
  184. out-interface-list=WAN
# All connection-tracking helpers (ALGs) disabled — good.
  185. /ip firewall service-port
  186. set ftp disabled=yes
  187. set tftp disabled=yes
  188. set irc disabled=yes
  189. set h323 disabled=yes
  190. set sip disabled=yes
  191. set pptp disabled=yes
  192. set dccp disabled=yes
  193. set sctp disabled=yes
  194. /ip proxy access
  195. add action=deny
# Disabled static route whose gateway is the router's own LAN address — leftover.
  196. /ip route
  197. add disabled=yes distance=1 gateway=192.168.1.1
# Management services: telnet, ftp, www, ssh, api, api-ssl are disabled. winbox
# and www-ssl are not listed, so they keep their defaults (winbox is enabled on
# all addresses by default). Given the missing input drop noted above, restrict
# winbox with address=192.168.1.0/24 (as already done for ssh) or disable it on
# the WAN side by firewall rule.
  198. /ip service
  199. set telnet disabled=yes
  200. set ftp disabled=yes
  201. set www disabled=yes
  202. set ssh address=192.168.1.0/24 disabled=yes
  203. set api disabled=yes
  204. set api-ssl disabled=yes
  205. /ip upnp
  206. set show-dummy-rule=no
# Three OVPN accounts including "test". A test account on a VPN server should be
# disabled or removed once no longer needed; the client-certificate requirement
# on the server limits, but does not remove, the exposure.
  207. /ppp secret
  208. add name=ceo password=* profile=OVPN_server service=ovpn
  209. add name=admin password=* profile=OVPN_server service=ovpn
  210. add name=test password=* profile=OVPN_server service=ovpn
  211. /system clock
  212. set time-zone-name=Europe/Moscow
  213. /system identity
  214. set name=core
  215. /system ntp client
  216. set enabled=yes primary-ntp=85.254.217.3 secondary-ntp=37.193.156.169
# Update channel is long-term; the running 6.43.13 (export header) should be
# checked against the current long-term release — not determinable from this file.
  217. /system package update
  218. set channel=long-term
# Script NTPServerUpdate has an empty source but read,write,test policy —
# a leftover; remove it if it is not going to be filled in.
  219. /system script
  220. add dont-require-permissions=no name=NTPServerUpdate owner=fok policy=\
  221. read,write,test source=""
  222. /system watchdog
  223. set automatic-supout=no watchdog-timer=no
# Layer-2 management surface: bandwidth-server off, MAC-telnet server disabled
# (allowed-interface-list=none), MAC-winbox limited to the mac-winbox list
# (ether2, wlan1), MAC ping off, RoMON secrets masked.
  224. /tool bandwidth-server
  225. set authenticate=no enabled=no
  226. /tool mac-server
  227. set allowed-interface-list=none
  228. /tool mac-server mac-winbox
  229. set allowed-interface-list=mac-winbox
  230. /tool mac-server ping
  231. set enabled=no
  232. /tool romon
  233. set secrets=""
  234. /tool romon port
  235. set [ find default=yes ] secrets=*