  1. # feb/21/2022 12:24:56 by RouterOS 7.1.2
  2. # software id = AMZZ-D334
  3. #
  4. # model = RouterBOARD 3011UiAS
  5. # serial number = 8EED08B9D374
  6. /interface bridge
  7. add admin-mac=CC:2D:E0:8A:04:4C auto-mac=no comment=defconf name=bridge protocol-mode=none
  8. add igmp-snooping=yes name=bridge-vlan10
  9. add name=bridge1
  10. /interface ethernet
  11. set [ find default-name=sfp1 ] auto-negotiation=no
  12. /interface wireguard
  13. add listen-port=13231 mtu=1420 name=mullvad
  14. add listen-port=18889 mtu=1420 name=wireguard-movil-ipv6
  15. add listen-port=18890 mtu=1420 name=wireguard-neinor
  16. add listen-port=18888 mtu=1420 name=wireguard-remoto
  17. /interface 6to4
  18. add !keepalive mtu=1280 name=6to4-tunnel1 remote-address=216.66.84.42
  19. /interface eoip
  20. add !keepalive local-address=10.0.1.8 mac-address=02:F4:B6:B4:73:3D mtu=1370 name=eoip-fibra \
  21. remote-address=10.0.2.5 tunnel-id=2
  22. add !keepalive local-address=10.0.6.1 mac-address=02:75:59:A7:8F:58 mtu=1370 name=eoip-movistar \
  23. remote-address=10.0.6.2 tunnel-id=1
  24. add !keepalive mac-address=02:CA:33:F7:AC:44 mtu=1370 name=eoip-vlan10 remote-address=10.0.1.246 \
  25. tunnel-id=4
  26. /interface vlan
  27. add interface=ether5 name=internet-vlan6 vlan-id=6
  28. add interface=ether5 name=vlan2-iptv vlan-id=2
  29. add interface=ether5 name=voip-vlan3 vlan-id=3
  30. /interface pppoe-client
  31. add add-default-route=yes disabled=no interface=internet-vlan6 max-mru=1492 max-mtu=1492 name=\
  32. internet use-peer-dns=yes user=adslppp@telefonicanetpa
  33. /interface list
  34. add comment=defconf name=WAN
  35. add comment=defconf name=LAN
  36. add comment="Vlan2 (Iptv) & Vlan3 (Voip)" name=Vlan2&3
  37. /interface lte apn
  38. set [ find default=yes ] ip-type=ipv4
  39. /interface wireless security-profiles
  40. set [ find default=yes ] supplicant-identity=MikroTik
  41. /ip dhcp-server option
  42. add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
  43. /ip pool
  44. add name=pool-iptv-descos ranges=192.168.1.201-192.168.1.206
  45. add name=pool-vlan10 ranges=192.168.1.10-192.168.1.199
  46. add name=dhcp-lan ranges=10.0.1.100-10.0.1.200
  47. add name=dhcp-vlan50 ranges=10.0.50.10-10.0.50.200
  48. add name=dhcp-vlan100 ranges=10.0.100.10-10.0.100.200
  49. /ip dhcp-server
  50. add address-pool=pool-iptv-descos interface=bridge-vlan10 name=dhcp-server-iptv
  51. /port
  52. set 0 name=serial0
  53. /routing rip instance
  54. add afi=ipv4 disabled=no name=rip
  55. add afi=ipv4 disabled=no name=rip
  56. /routing table
  57. add disabled=no fib name=mullvad
  58. /interface bridge port
  59. add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
  60. add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
  61. add bridge=bridge-vlan10 comment=defconf ingress-filtering=no interface=ether7
  62. add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
  63. add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
  64. add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
  65. add bridge=bridge interface=ether1
  66. add bridge=bridge1 interface=eoip-movistar
  67. add bridge=bridge1 interface=eoip-vlan10
  68. add bridge=bridge1 interface=eoip-fibra
  69. add bridge=bridge interface=ether2
  70. add bridge=bridge-vlan10 interface=ether6
  71. /ip neighbor discovery-settings
  72. set discover-interface-list=LAN
  73. /ip settings
  74. set max-neighbor-entries=8192
  75. /ipv6 settings
  76. set max-neighbor-entries=8192
  77. /interface list member
  78. add interface=bridge list=LAN
  79. add interface=internet-vlan6 list=WAN
  80. add interface=voip-vlan3 list=Vlan2&3
  81. add interface=vlan2-iptv list=Vlan2&3
  82. /interface wireguard peers
  83. add allowed-address=10.0.6.2/32,10.0.2.0/24 endpoint-address=xxx \
  84. endpoint-port=x interface=wireguard-neinor public-key=\
  85. ""
  86. add allowed-address= interface=wireguard-movil-ipv6 public-key=\
  87. ""
  88. add allowed-address=10.0.10.2/32 interface=wireguard-remoto public-key=\
  89. ""
  90. add allowed-address=0.0.0.0/0,::/0 endpoint-address=194.99.104.10 endpoint-port=51820 interface=\
  91. mullvad public-key=""
  92. /ip address
  93. add address=10.0.1.8/24 interface=bridge network=10.0.1.0
  94. add address=10.0.6.1/30 interface=wireguard-neinor network=10.0.6.0
  95. add address=10.0.10.1/24 interface=wireguard-remoto network=10.0.10.0
  96. add address=IPTV/9 interface=vlan2-iptv network=10.128.0.0
  97. add address=IPinterface=mullvad network=10.124.0.23
  98. add address=192.168.2.1/24 interface=sfp1 network=192.168.2.0
  99. add address=192.168.1.1/24 interface=bridge-vlan10 network=192.168.1.0
  100. /ip cloud
  101. set ddns-enabled=yes
  102. /ip dhcp-client
  103. add add-default-route=no interface=voip-vlan3
  104. /ip dhcp-server network
  105. add address=10.0.1.0/24 dns-server=10.0.1.10 gateway=10.0.1.1 netmask=24
  106. add address=192.168.1.200/29 comment="IPTV subnet for descos" dhcp-option=option_para_deco \
  107. dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
  108. /ip dhcp-server vendor-class-id
  109. add address-pool=pool-iptv-descos name="Movistar Descos" server=dhcp-server-iptv vid="\"[IAL]\""
  110. /ip dns
  111. set allow-remote-requests=yes servers=100.64.0.7,10.0.1.10
  112. /ip dns static
  113. add address=192.168.88.1 comment=defconf name=router.lan
  114. /ip firewall filter
  115. add action=accept chain=input in-interface=vlan2-iptv
  116. add action=accept chain=input comment="Accept vlan2 Iptv IGMP packets" in-interface=vlan2-iptv \
  117. protocol=igmp
  118. add action=accept chain=input comment="defconf: accept established,related,untracked" \
  119. connection-state=established,related,untracked
  120. add action=accept chain=input comment="Acepta el trafico de la vlan del telefono" in-interface=\
  121. voip-vlan3 src-address=10.0.0.0/8
  122. add action=accept chain=input comment="Accept vlan2 & 3 (Iptv & Voip) multicast & broadcast traffic" \
  123. dst-address-type=!unicast in-interface-list=Vlan2&3
  124. add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
  125. add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  126. add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
  127. 127.0.0.1
  128. add action=accept chain=input comment="voip: accept rip multicast traffic" dst-address=224.0.0.9 \
  129. dst-port=520 in-interface=voip-vlan3 protocol=udp
  130. add action=drop chain=input in-interface=mullvad
  131. add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
  132. add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
  133. add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
  134. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
  135. established,related hw-offload=yes
  136. add action=accept chain=forward comment="defconf: accept established,related, untracked" \
  137. connection-state=established,related,untracked
  138. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
  139. add action=drop chain=forward comment=\
  140. "Drop all new unicast traffic from vlan3 & 2 (Voip & Iptv) not DSTNATed" connection-nat-state=\
  141. !dstnat connection-state=new dst-address-type=unicast in-interface-list=Vlan2&3
  142. add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=mullvad
  143. add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
  144. !dstnat connection-state=new in-interface-list=WAN
  145. /ip firewall mangle
  146. add action=mark-routing chain=output dst-address=100.64.0.7 new-routing-mark=mullvad passthrough=no
  147. add action=mark-routing chain=prerouting disabled=yes in-interface=ether2 new-routing-mark=mullvad \
  148. passthrough=no
  149. add action=set-priority chain=postrouting comment="Prioritise Iptv packets" new-priority=4 \
  150. out-interface=vlan2-iptv passthrough=yes
  151. add action=set-priority chain=postrouting comment="Prioritise Voip packets" new-priority=5 \
  152. out-interface=voip-vlan3 passthrough=yes
  153. add action=set-priority chain=postrouting new-priority=1 out-interface=internet-vlan6
  154. add action=add-src-to-address-list address-list=vod-receiver address-list-timeout=1m chain=\
  155. postrouting comment="RTSP - VOD Movistar" connection-state=new dst-port=554 out-interface=\
  156. vlan2-iptv protocol=tcp
  157. /ip firewall nat
  158. add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
  159. out-interface-list=WAN
  160. add action=masquerade chain=srcnat out-interface=vlan2-iptv
  161. add action=masquerade chain=srcnat comment="masq. vlan2 & vlan3 (Iptv & Voip)" out-interface-list=\
  162. Vlan2&3
  163. add action=masquerade chain=srcnat out-interface=mullvad
  164. add action=masquerade chain=srcnat src-address=10.0.1.0/24
  165. add action=masquerade chain=srcnat src-address=10.0.50.0/24
  166. add action=masquerade chain=srcnat src-address=10.0.100.0/24
  167. add action=masquerade chain=srcnat src-address=192.168.1.0/24
  168. add action=masquerade chain=srcnat dst-address=10.0.10.0/24
  169. add action=dst-nat chain=dstnat comment="VOD Movistar 1 Desco" dst-address-type=local in-interface=\
  170. vlan2-iptv to-addresses=192.168.1.203
  171. /ip firewall service-port
  172. set ftp disabled=yes
  173. set tftp disabled=yes
  174. set irc disabled=yes
  175. set h323 disabled=yes
  176. set sip disabled=yes
  177. set pptp disabled=yes
  178. /ip route
  179. add disabled=no distance=1 dst-address=10.0.2.0/24 gateway=10.0.6.2 pref-src=0.0.0.0 routing-table=\
  180. main scope=30 suppress-hw-offload=no target-scope=10
  181. add disabled=no dst-address=10.0.50.1/24 gateway=10.0.1.1 routing-table=main suppress-hw-offload=no
  182. add disabled=no dst-address=10.0.100.0/24 gateway=10.0.1.1 routing-table=main suppress-hw-offload=no
  183. add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=10.0.1.1 pref-src=0.0.0.0 routing-table=\
  184. main scope=30 suppress-hw-offload=no target-scope=10
  185. add disabled=no dst-address=172.23.96.0/21 gateway=10.128.0.1 routing-table=main suppress-hw-offload=\
  186. no
  187. add disabled=no dst-address=172.26.22.0/26 gateway=10.128.0.1 routing-table=main suppress-hw-offload=\
  188. no
  189. add disabled=no dst-address=172.26.23.0/27 gateway=10.128.0.1 routing-table=main suppress-hw-offload=\
  190. no
  191. add disabled=no dst-address=172.26.80.0/21 gateway=10.128.0.1 routing-table=main suppress-hw-offload=\
  192. no
  193. add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.124.0.23 pref-src=0.0.0.0 routing-table=\
  194. mullvad scope=30 suppress-hw-offload=no target-scope=10
  195. add disabled=no dst-address=100.64.0.7 gateway=10.124.0.23 routing-table=main suppress-hw-offload=no
  196. /ipv6 route
  197. add disabled=no distance=1 dst-address=2000::/3 gateway=xx scope=30 target-scope=10
  198. add disabled=yes distance=1 dst-address=::/0 gateway=fc00:bbbb:bbbb:bb01::1 routing-table=mullvad \
  199. scope=30 target-scope=10
  200. /ip service
  201. set telnet disabled=yes
  202. set ftp disabled=yes
  203. set api disabled=yes
  204. set api-ssl disabled=yes
  205. /ipv6 address
  206. add address=x interface=6to4-tunnel1
  207. add address=x interface=bridge
  208. add address=x interface=wireguard-movil-ipv6
  209. add address=xx/128 advertise=no interface=mullvad
  210. /ipv6 firewall address-list
  211. add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
  212. add address=::1/128 comment="defconf: lo" list=bad_ipv6
  213. add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
  214. add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
  215. add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
  216. add address=100::/64 comment="defconf: discard only " list=bad_ipv6
  217. add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
  218. add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
  219. add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
  220. add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
  221. add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
  222. add address=::/104 comment="defconf: other" list=bad_ipv6
  223. add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
  224. /ipv6 firewall filter
  225. add action=accept chain=input comment="defconf: accept established,related,untracked" \
  226. connection-state=established,related,untracked
  227. add action=drop chain=input in-interface=mullvad
  228. add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
  229. add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
  230. add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
  231. add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
  232. protocol=udp src-address=fe80::/10
  233. add action=accept chain=input comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=\
  234. udp
  235. add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
  236. add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
  237. add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
  238. in,ipsec
  239. add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
  240. in-interface-list=!LAN
  241. add action=accept chain=forward comment="defconf: accept established,related,untracked" \
  242. connection-state=established,related,untracked
  243. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
  244. add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
  245. bad_ipv6
  246. add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
  247. bad_ipv6
  248. add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=\
  249. icmpv6
  250. add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
  251. in-interface-list=!LAN
  252. add action=drop chain=forward connection-state=new in-interface=mullvad
  253. add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
  254. add action=accept chain=forward comment="defconf: accept HIP" protocol=139
  255. add action=accept chain=forward comment="defconf: accept IKE" disabled=yes dst-port=500,4500 \
  256. protocol=udp
  257. add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
  258. add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
  259. add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" disabled=yes \
  260. ipsec-policy=in,ipsec
  261. /ipv6 firewall mangle
  262. add action=mark-routing chain=prerouting disabled=yes in-interface=ether2 new-routing-mark=mullvad \
  263. passthrough=no
  264. /ipv6 firewall nat
  265. add action=masquerade chain=srcnat out-interface=mullvad
  266. /ipv6 nd
  267. set [ find default=yes ] managed-address-configuration=yes other-configuration=yes
  268. /routing igmp-proxy
  269. set query-interval=30s quick-leave=yes
  270. /routing igmp-proxy interface
  271. add alternative-subnets=0.0.0.0/0 interface=vlan2-iptv upstream=yes
  272. add interface=bridge-vlan10
  273. /routing rip interface-template
  274. add disabled=no instance=rip interfaces=vlan2-iptv mode=passive
  275. add disabled=no instance=rip interfaces=voip-vlan3 mode=passive
  276. /routing rule
  277. add action=lookup-only-in-table routing-mark=mullvad table=mullvad
  278. /system clock
  279. set time-zone-name=Europe/Madrid
  280. /system scheduler
  281. add interval=6s name=vod on-event=vod policy=read,write start-time=startup
  282. /system script
  283. add dont-require-permissions=no name=vod owner=admin policy=read,write source=":local iplist [:len [/i\
  284. p firewall address-list find list=\"vod-receiver\"]]\
  285. \n:local rules [:len [/ip firewall nat find where comment=\"VOD Script\"]]\
  286. \n#:log info \"VODScript: IPs in list are \$iplist !\"\
  287. \n#:log info \"VODScript: Rules are \$rules !\"\
  288. \n:if (\$iplist = 0 and \$rules > 0) do={\
  289. \n\t#/ip firewall nat remove [find comment=\"VOD Script\"];\
  290. \n\t#:log info \"VODScript: Rule removed !\"\
  291. \n} else {\
  292. \n\t:local ipadressnew [/ip firewall address-list get [:pick [/ip firewall address-list find list=\
  293. \"vod-receiver\"] (\$iplist-1)] address]\
  294. \n\t:local ipadressold \"None\"\
  295. \n\t#:log info \"VODScript: IP address new is \$ipadressnew !\"\
  296. \n\t:if (\$iplist > 0 ) do {\
  297. \n\t\tif (\$rules > 0 ) do {\
  298. \n\t\t\t:set ipadressold [/ip firewall nat get [find comment=\"VOD Script\"] to-addresses] \
  299. \n\t\t\t#:log info \"VODScript: IP address old is \$ipadressold !\"\
  300. \n\t\t}\
  301. \n\t\t:if (\$ipadressnew != \$ipadressold) do={\
  302. \n\t\t\tif (\$rules > 0 ) do {\
  303. \n\t\t\t\t/ip firewall nat remove [find comment=\"VOD Script\"];\
  304. \n\t\t\t}\
  305. \n\t\t\t/ip firewall nat add action=dst-nat chain=dstnat comment=\"VOD Script\" dst-address-type=l\
  306. ocal in-interface=iptv-vlan2 to-addresses=\$ipadressnew\
  307. \n\t\t\t:log info \"VODScript: IP address changed from \$ipadressold to \$ipadressnew !\"\
  308. \n\t\t}\
  309. \n\t}\
  310. \n}"
  311. /tool mac-server
  312. set allowed-interface-list=LAN
  313. /tool mac-server mac-winbox
  314. set allowed-interface-list=LAN
  315.  