Miguel-Brbyte

CTLR-INTEGRATION-2.0-BUILD-100

Jul 29th, 2020 (edited)
  1. {
  2. ######## Substituir os VALUE="XXXX" com as informacoes corretas, para a integracao do MK com o Controllr ########
  3. :global name="IPCTLR" value="192.168.142.22";
  4. :global name="IPCTLRPUBLIC" value="192.168.142.22";
  5. :global name="RADIUSNAS" value="198.18.3.1";
  6. :global name="PINCOMING" value="3799";
  7. :global name="INTERNET" value="8.8.8.8";
  8. #insira notice ou auth
  9. :global name="ADDRLIST" value="notice";
  10. # Se tiver perfis diferentes que ira usar notice e o auth marque CHECK "sim", no ADDRLIST marque "notice". Se nao escreva no CHECK "nao"
  11. :global name="CHECK" value="nao";
  12. #################################################################################################################
  13. :log warning "Iniciando configuracao do Controllr no MK";
  14. :delay 5s;
  15. :log warning "Criando o Radius do Controllr";
  16. :if ([/radius find comment~"####CONTROLLR####"] !="") do={:log warning "ja existe um Radius cadastrado";} else={:log warning "Nao existe nenhum Radius cadastrado"; /radius add address=$IPCTLR comment="####CONTROLLR####" secret=brbyte service=ppp src-address=$RADIUSNAS timeout=3s disabled=no};
  17. :delay 5s;
  18. :log warning "Habilitando o Incoming";
  19. /radius incoming set accept=yes port=$PINCOMING;
  20. :delay 5s;
  21. :log warning "Setando as regras do Filter rules";
  22. :log warning "Removendo regras antigas";
  23. /ip firewall filter {
  24. remove [find comment="CONTROLLR"]
  25. remove [find comment~"CTLR-MSG"]
  26. remove [find comment="Controllr"]};
  27. :log warning "Recriando os filter rules";
  28. :if ([$CHECK] ="sim") do={:log warning "Ira usar perfis de NOTICE e AUTH"; /ip firewall filter {
  29. add action=accept chain=forward  comment="CONTROLLR" dst-port=7840 protocol=tcp
  30. add action=drop   chain=forward   comment="CTLR-MSG-ALERT"  disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-alert-$ADDRLIST"
  31. add action=drop   chain=forward   comment="CTLR-MSG-ALERT"  disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-alert-$ADDRLIST"
  32. add action=drop   chain=forward   comment="CTLR-MSG-BLOCK"  disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-block-$ADDRLIST"
  33. add action=drop   chain=forward   comment="CTLR-MSG-BLOCK"  disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-block-$ADDRLIST"
  34. add action=drop   chain=forward   comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-cancel-$ADDRLIST"
  35. add action=drop   chain=forward   comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-cancel-$ADDRLIST"
  36. add action=drop   chain=forward   comment="CTLR-MSG-BLOCK"  disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-block-auth"
  37. add action=drop   chain=forward   comment="CTLR-MSG-BLOCK"  disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-block-auth"
  38. add action=drop   chain=forward   comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-cancel-auth"
  39. add action=drop   chain=forward   comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-cancel-auth"};
  40. } else={:log warning "So tem um tipo de perfil"; /ip firewall filter {
  41. add action=accept chain=forward   comment="CONTROLLR" dst-port=7840 protocol=tcp
  42. add action=drop   chain=forward   comment="CTLR-MSG-ALERT"  disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-alert-$ADDRLIST"
  43. add action=drop   chain=forward   comment="CTLR-MSG-ALERT"  disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-alert-$ADDRLIST"
  44. add action=drop   chain=forward   comment="CTLR-MSG-BLOCK"  disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-block-$ADDRLIST"
  45. add action=drop   chain=forward   comment="CTLR-MSG-BLOCK"  disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-block-$ADDRLIST"
  46. add action=drop   chain=forward   comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips dst-port=!53 protocol=udp src-address-list="brb-cancel-$ADDRLIST"
  47. add action=drop   chain=forward   comment="CTLR-MSG-CANCEL" disabled=no dst-address-list=!released_ips protocol=tcp src-address-list="brb-cancel-$ADDRLIST"};
  48. };
  49. :if ([$ADDRLIST] ="auth") do={/ip firewall filter {
  50. remove [find src-address-list="brb-alert-auth"] };
  51. };
  52. :delay 5s;
  53. #OBS Essa regra serve para saber qual o IP do seu Controllr, que está vindo com o Comando de desconexao.
  54. :log warning "Regra do radius log";
  55. :log warning "Removendo regra do log antiga";
  56. /ip firewall filter remove [find comment="CTLR-RADIUS-LOG"];
  57. :log warning "Recriando regra do radiuslog";
  58. /ip firewall filter add action=add-src-to-address-list address-list=radius_log address-list-timeout=30m chain=input comment=CTLR-RADIUS-LOG dst-port=3799 protocol=udp;
  59. :log warning "Setando as regras de redirecionamento - NAT para acessar o seu Controllr fora da rede";
  60. :log warning "Removendo redirecionamentos antigos";
  61. /ip firewall nat remove [find comment~"ACESSO"];
  62. :log warning "Recriando os redirecionamentos";
  63. :if ([$IPCTLRPUBLIC] =$IPCTLR) do={:log warning "IP da maquina e igual o ip publico. Nao tem dst-nat"} else={/ip firewall nat {
  64. add action=dst-nat chain=dstnat comment="CTLR-ACESSO-WEB-HTTP"      dst-port=8080 protocol=tcp to-addresses=$IPCTLR to-ports=8080
  65. add action=dst-nat chain=dstnat comment="CTLR-ACESSO-WEB-HTTPS"     dst-port=8443 protocol=tcp to-addresses=$IPCTLR to-ports=8443
  66. add action=dst-nat chain=dstnat comment="CTLR-ACESSO-SSH"           dst-port=2229 protocol=tcp to-addresses=$IPCTLR to-ports=2229
  67. add action=dst-nat chain=dstnat comment="CTLR-ACESSO-SERVICO"       dst-port=8083 protocol=tcp to-addresses=$IPCTLR to-ports=8083
  68. add action=dst-nat chain=dstnat comment="CTLR-ACESSO-HOTSITE-HTTP"  disabled=yes dst-address=$IPCTLRPUBLIC dst-port=80  protocol=tcp to-addresses=$IPCTLR to-ports=80
  69. add action=dst-nat chain=dstnat comment="CTLR-ACESSO-HOTSITE-HTTPS" disabled=yes dst-address=$IPCTLRPUBLIC dst-port=443 protocol=tcp to-addresses=$IPCTLR to-ports=443};
  70. };
  71. #OBS: O redirecionamento para o Hotsite está desabilitado, pois **dst-address** tem que ser o seu IP publico, para poder acessar o Hotsite dentro e fora da rede pelo IP publico.
  72. :delay 5s;
  73. :log warning "Redirecionamento para as telas de pendencias";
  74. :log warning "Removendo redirecionamentos antigos de pendencias";
  75. /ip firewall nat remove [find comment~"CTLR-MSG"];
  76. :log warning "Recriando os redirecionamento de pendencias";
  77. :if ([$ADDRLIST] ="auth") do={:log warning "Nao ira redirecionar";} else={/ip firewall nat{
  78. add action=dst-nat chain=dstnat comment="CTLR-MSG-ALERT-HTTP"        disabled=no  dst-address-list=!released_ips dst-port=80  protocol=tcp src-address-list=brb-alert-notice     to-addresses=$IPCTLR to-ports=8090
  79. add action=dst-nat chain=dstnat comment="CTLR-MSG-ALERT-HTTPS"       disabled=no  dst-address-list=!released_ips dst-port=443 protocol=tcp src-address-list=brb-alert-notice     to-addresses=$IPCTLR to-ports=8490
  80. add action=dst-nat chain=dstnat comment="CTLR-MSG-PENDENCY-HTTP"     disabled=no  dst-address-list=!released_ips dst-port=80  protocol=tcp src-address-list=brb-pendency-notice  to-addresses=$IPCTLR to-ports=8091
  81. add action=dst-nat chain=dstnat comment="CTLR-MSG-PENDENCY-HTTPS"    disabled=no  dst-address-list=!released_ips dst-port=443 protocol=tcp src-address-list=brb-pendency-notice  to-addresses=$IPCTLR to-ports=8491
  82. add action=dst-nat chain=dstnat comment="CTLR-MSG-BLOCK-HTTP"        disabled=no  dst-address-list=!released_ips dst-port=80  protocol=tcp src-address-list=brb-block-notice     to-addresses=$IPCTLR to-ports=8092
  83. add action=dst-nat chain=dstnat comment="CTLR-MSG-BLOCK-HTTPS"       disabled=no  dst-address-list=!released_ips dst-port=443 protocol=tcp src-address-list=brb-block-notice     to-addresses=$IPCTLR to-ports=8492
  84. add action=dst-nat chain=dstnat comment="CTLR-MSG-CANCEL-HTTP"       disabled=no  dst-address-list=!released_ips dst-port=80  protocol=tcp src-address-list=brb-cancel-notice    to-addresses=$IPCTLR to-ports=8093
  85. add action=dst-nat chain=dstnat comment="CTLR-MSG-CANCEL-HTTPS"      disabled=no  dst-address-list=!released_ips dst-port=443 protocol=tcp src-address-list=brb-cancel-notice    to-addresses=$IPCTLR to-ports=8493};
  86. };
  87. :delay 5s;
  88. #OBS essa regra serve para notificar todos os seus clientes, caso tenha alguma manutencao na sua rede ou outra coisa, so habilite ela caso saiba como funciona.
  89. :log warning "Redirecionamento para a tela de aviso";
  90. :log warning "Removendo redirecionamentos de aviso antigos";
  91. /ip firewall nat remove [find comment~"CTLR-AVISO"];
  92. /tool netwatch remove [find comment="CTLR-AVISO"];
  93. :log warning "Recriando os redirecionamento de aviso";
  94. /ip firewall nat {
  95. add action=dst-nat chain=dstnat comment="CTLR-AVISO-HTTP"  disabled=yes dst-port=80  protocol=tcp to-addresses=$IPCTLR to-ports=8096
  96. add action=dst-nat chain=dstnat comment="CTLR-AVISO-HTTPS" disabled=yes dst-port=443 protocol=tcp to-addresses=$IPCTLR to-ports=8496};
  97. /tool netwatch add comment="CTLR-AVISO" disabled=yes down-script="/ip firewall nat set [find comment~\"CTLR-AVISO\"] disabled=no;" host=$INTERNET interval=30m up-script="/ip firewall nat set [find comment~\"CTLR-AVISO\"] disabled=yes";
  98. :delay 5s;
  99. :log warning "Criando regras mangle";
  100. :log warning "Removendo mangle antigo";
  101. /ip firewall mangle remove [find comment~"CTLR"];
  102. :log  warning "Recriando regras do mangle";
  103. :if ([$CHECK] ="sim") do={:log warning "Ira usar perfis diferentes"; /ip firewall mangle {
  104. add action=jump chain=prerouting  comment=CTLR-JUMP-ALERT    dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-alert-$ADDRLIST"
  105. add action=jump chain=prerouting  comment=CTLR-JUMP-PENDENCY dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-pendency-$ADDRLIST"
  106. add action=jump chain=prerouting  comment=CTLR-JUMP-BLOCK    dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-block-$ADDRLIST"
  107. add action=jump chain=prerouting  comment=CTLR-JUMP-CANCEL   dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-cancel-$ADDRLIST"
  108. add action=jump chain=prerouting  comment=CTLR-JUMP-ALERT    dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-alert-auth"
  109. add action=jump chain=prerouting  comment=CTLR-JUMP-PENDENCY dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-pendency-auth"
  110. add action=jump chain=prerouting  comment=CTLR-JUMP-BLOCK    dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-block-auth"
  111. add action=jump chain=prerouting  comment=CTLR-JUMP-CANCEL   dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-cancel-auth"
  112. add action=accept chain=CONTROLLR comment=CTLR-CHAIN-ACCEPT};
  113. } else={:log warning "Nao usa dois perfis"; /ip firewall mangle {
  114. add action=jump chain=prerouting  comment=CTLR-JUMP-ALERT    dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-alert-$ADDRLIST"
  115. add action=jump chain=prerouting  comment=CTLR-JUMP-PENDENCY dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-pendency-$ADDRLIST"
  116. add action=jump chain=prerouting  comment=CTLR-JUMP-BLOCK    dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-block-$ADDRLIST"
  117. add action=jump chain=prerouting  comment=CTLR-JUMP-CANCEL   dst-address-list=!released_ips jump-target=CONTROLLR src-address-list="brb-cancel-$ADDRLIST"
  118. add action=accept chain=CONTROLLR comment=CTLR-CHAIN-ACCEPT};
  119. };
  120. :if ([$ADDRLIST] ="auth") do={/ip firewall mangle {
  121. remove [find src-address-list="brb-alert-auth"] };
  122. };
  123. :delay 5s;
  124. :log warning "Criando address list";
  125. :log warning "Removendo released_ips antigos";
  126. /ip firewall address-list remove [find list=released_ips];
  127. :if ([$IPCTLRPUBLIC] =$IPCTLR) do={:log warning "IP da maquina e igual o ip publico"; /ip firewall address-list {
  128. add address=$IPCTLR       list=released_ips
  129. add address=8.8.8.8       list=released_ips
  130. add address=8.8.4.4       list=released_ips};
  131. } else={/ip firewall address-list {
  132. add address=$IPCTLR       list=released_ips
  133. add address=8.8.8.8       list=released_ips
  134. add address=8.8.4.4       list=released_ips
  135. add address=$IPCTLRPUBLIC list=released_ips};
  136. };
  137. :delay 5s;
  138. :log warning "Configurando Scheduler - Agendador";
  139. /system scheduler {
  140. remove [find name="Pendency"]
  141. remove [find name~"CTLR-MSG"]
  142. add interval=2m name="CTLR-MSG-PENDNECY" on-event="/ip firewall address-list set list=\"brb-pendency-auth\" [find where list=\"brb-pendency-notice\"]" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup};
  143. :delay 5s;
  144. :log warning "Habilitando a porta API do MK";
  145. /ip service set api address="" disabled=no port=8728;
  146. :delay 5s;
  147. :log warning "Setando o Interim Update";
  148. /ppp aaa set interim-update=1m use-radius=yes;
  149. :delay 5s;
  150. :log warning "Configuracoes setadas com sucesso";
  151. }