Конфиг сервера
# jun/06/2020 13:23:10 by RouterOS 6.47
# model = 2011UiAS-2HnD
# Site "Home": the L2TP/IPsec server side. Two static L2TP server bindings - one for the
# remote router (l2tp-in-Home2) and one for a road-warrior account (client_l2tp1).
/interface l2tp-server
add name=l2tp-in-Home2 user=l2tp-in-Home2
add name=l2tp-in1 user=client_l2tp1
/interface bridge
# arp=proxy-arp makes the router answer ARP on the bridge for any address it can route.
# Nothing in this export seems to need it (the L2TP pool 172.20.10.x is a separate subnet);
# TODO confirm, otherwise arp=enabled is the safer default.
add admin-mac=xxxxxxxxxxxxxxxx arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface vlan
# VLAN 1 on ether5, which is also a plain bridge port below. VLAN 1 is normally the
# untagged/native VLAN on the far-end switch, so check a tagged VLAN 1 is really expected.
add interface=ether5 name=VLAN_1 vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# L2TP_enable and ALL_LAN are not referenced anywhere else in this export.
add name=L2TP_enable
add include=LAN name=ALL_LAN
# NOTE(review): the list "VPN" used by /ppp profile and /interface list member further down is
# not defined here; an import of this export fails on those lines unless it already exists.
/ip ipsec profile
# IKE phase 1 for the L2TP/IPsec server. 3des is presumably kept for legacy clients; once every
# peer (the Home_2 router and the road-warrior devices) is known to negotiate AES, remove it.
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256
/ip ipsec proposal
# Phase 2 (ESP). Single DES is offered here and has no legitimate modern use - drop it unless a
# specific client is known to need it. sha1 is commonly still required by stock OS L2TP clients.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,des
/ip pool
# LAN DHCP range (only 21 addresses, 192.168.5.10-30).
add name=dhcp ranges=192.168.5.10-192.168.5.30
# Addresses handed to L2TP peers; l2tp_profile also takes the server's local-address from it.
add name=Pool_L2TP_VPN ranges=172.20.10.12-172.20.10.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1w3d name=defconf
/ppp profile
# Default PPP profile: interfaces using it join the "VPN" interface list dynamically. Note that
# the secrets in this export use l2tp_profile (below), not this one.
set *0 interface-list=VPN
# change-tcp-mss=yes clamps TCP MSS on the tunnel so full-size segments are not fragmented
# inside L2TP/IPsec.
add change-tcp-mss=yes local-address=Pool_L2TP_VPN name=l2tp_profile remote-address=Pool_L2TP_VPN
/user group
# "full" group policy (appears to be the stock list). Accounts in this group can read secrets
# (sensitive), change passwords and edit policies; keep it to the admin account only.
# The /user section itself is not part of this export.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
# All LAN ports, sfp1 and the wireless interface form one L2 domain.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
# Neighbour discovery (MNDP/CDP/LLDP) answered on LAN only - the router does not announce
# itself on the WAN side.
set discover-interface-list=LAN
/interface bridge vlan
# Bridge VLAN table entry for VLAN 1. It has no effect unless vlan-filtering=yes is set on
# the bridge, and this export does not show that.
add bridge=bridge vlan-ids=1
/interface l2tp-server server
# L2TP server: MS-CHAPv2 only, IPsec mandatory with a pre-shared key. The PSK is shared by
# every peer, so it must be rotated if any road-warrior device is lost.
set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=xxxxxxxx use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Static "VPN" membership for the road-warrior binding only. l2tp-in-Home2 is in no list:
# both secrets use l2tp_profile, which sets no interface-list. "VPN" itself is not defined in
# /interface list in this export.
add interface=l2tp-in1 list=VPN
/ip address
# NOTE(review): the LAN address is bound to ether2, which is a bridge port above. On the
# current bridge implementation an address on a bridge slave is flagged invalid; if the LAN
# works, confirm with `/ip address print` and move the address to interface=bridge anyway.
add address=192.168.5.1/24 comment=defconf interface=ether2 network=192.168.5.0
/ip dhcp-client
# NOTE(review): three DHCP clients on ether1. RouterOS normally allows one per interface;
# keep the entry that is active (the one exported with disabled=no looks like it) and delete
# the other two - TODO confirm on the device.
add comment=defconf interface=ether1
add comment=defconf disabled=no interface=ether1
add comment=defconf interface=ether1
/ip dhcp-server network
# LAN clients resolve directly against the two public resolvers and use this router for NTP.
add address=192.168.5.0/24 comment=defconf dns-server=85.234.32.35,85.234.33.23 gateway=192.168.5.1 ntp-server=192.168.5.1
/ip dns
# Resolvers for the router itself. allow-remote-requests is not set, so the router is not a
# DNS server for the LAN (consistent with the dns-server line above).
set servers=85.234.32.35,85.234.33.23
/ip dns static
add address=192.168.5.1 comment=defconf name=router.lan type=A
/ip firewall address-list
# Peers allowed to open L2TP/IPsec from the WAN (addresses redacted in the export).
# rrr.rrr.rrr.rrr appears to be this router's own WAN address (its default gateway is
# rrr.rrr.rrr.1 and the Home_2 router dials rrr.rrr.rrr.rrr) - harmless, but probably unintended.
add address=ttt.ttt.ttt.ttt list="Access L2TP"
add address=eee.eee.eee.eee list="Access L2TP"
add address=rrr.rrr.rrr.rrr list="Access L2TP"
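/ip firewall filter
# Input and forward are default-accept; only WAN-sourced traffic is filtered below. Traffic
# arriving on the L2TP interfaces (not in the WAN list) therefore reaches every router service.
# Cleaned up relative to the exported rule set: the fasttrack pair was listed twice and sat
# after the established,related accept (never reached) - moved up; the repeated
# established/related accepts (forward and input), the second forward invalid drop and the
# extra copies of the final WAN drops were removed. No rule that could match was taken away.
#
# --- IPsec policy exceptions: must stay ahead of fasttrack (defconf pattern) ---
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
# --- L2TP/IPsec (UDP 500/1701/4500) only from the "Access L2TP" peers ---
# The src-port match is brittle: a peer behind NAT may not keep 500/1701/4500 as its source
# port, so it misses these accepts and is dropped by the rule right after them. Matching on
# dst-port plus src-address-list alone is sufficient.
add action=accept chain=input comment="Access L2TP" dst-address-list="Access L2TP" dst-port=1701 in-interface-list=WAN protocol=udp src-address-list="Access L2TP" src-port=1701
add action=accept chain=input dst-address-list="Access L2TP" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp src-address-list="Access L2TP" src-port=500,1701,4500
add action=drop chain=input dst-port=1701 in-interface-list=WAN protocol=udp src-port=1701
add action=accept chain=forward comment=NTP dst-port=123 protocol=udp
# New WAN connections that were not port-forwarded (dstnat) never reach the LAN.
add action=drop chain=forward comment=NAT connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Fasttrack for established traffic. fasttrack-connection does not terminate rule processing,
# so the accept that follows is still required.
add action=fasttrack-connection chain=forward connection-state=established,related protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related protocol=udp
add action=accept chain=forward comment="Forward and Input Established and Related connections" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# --- WinBox (TCP 8291) from WAN: a source may open 3 new connections per minute; the 4th
# lands it on a permanent blacklist. /ip service limits winbox to 192.168.5.0/24, so the final
# accept only exposes the TCP port itself; prefer limiting it to the knocked peers
# (src-address-list="Access IP") or removing it.
add action=drop chain=input comment="Protected - WinBox Access" src-address-list="Black List Winbox"
add action=add-src-to-address-list address-list="Black List Winbox" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=8291 in-interface-list=WAN log=yes log-prefix="BLACK WINBOX" protocol=\
tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=WAN protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=WAN protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
# --- OpenVPN (TCP 1194), same 3-strikes scheme. No /interface ovpn-server server entry is in
# this export, so these rules appear to guard a service that is not enabled; remove them if
# OpenVPN is not used here.
add action=drop chain=input comment="Protected - OpenVPN Connections" src-address-list="Black List OpenVPN"
add action=add-src-to-address-list address-list="Black List OpenVPN" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=1194 in-interface-list=WAN log=yes log-prefix="BLACK OVPN" protocol=tcp \
src-address-list="OpenVPN Stage 3"
add action=add-src-to-address-list address-list="OpenVPN Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=1194 in-interface-list=WAN protocol=tcp src-address-list="OpenVPN Stage 2"
add action=add-src-to-address-list address-list="OpenVPN Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=1194 in-interface-list=WAN protocol=tcp src-address-list="OpenVPN Stage 1"
add action=add-src-to-address-list address-list="OpenVPN Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=1194 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=1194 in-interface-list=WAN protocol=tcp
# --- "L2TP" over TCP: L2TP/IPsec runs over UDP (handled above) and nothing in this export
# listens on TCP 500/1701/4500, so these rules are effectively inert. Kept as exported.
add action=drop chain=input comment="Protected - L2TP Connections" src-address-list="Black List L2TP"
add action=add-src-to-address-list address-list="Black List L2TP" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=500,1701,4500 in-interface-list=WAN log=yes log-prefix="BLACK L2TP" \
protocol=tcp src-address-list="L2TP Stage 3"
add action=add-src-to-address-list address-list="L2TP Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=500,1701,4500 in-interface-list=WAN protocol=tcp src-address-list="L2TP Stage 2"
add action=add-src-to-address-list address-list="L2TP Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=500,1701,4500 in-interface-list=WAN protocol=tcp src-address-list="L2TP Stage 1"
add action=add-src-to-address-list address-list="L2TP Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=500,1701,4500 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=tcp
# Repeats the OpenVPN accept above (ether1 is the only WAN member), with logging.
add action=accept chain=input comment="Accept OpenVPN Requests" dst-port=1194 in-interface=ether1 log=yes protocol=tcp
# --- Knock result: a source that completed the ICMP sequence gets ALL input for 8h. Narrow
# this to what the peer actually needs, e.g. dst-port=500,1701,4500 protocol=udp and/or
# dst-port=8291 protocol=tcp. The forward accept sits behind the !dstnat drop above, so it
# only ever matches port-forwarded connections.
add action=accept chain=input comment="ALLOW All after ICMP knocking" in-interface-list=WAN src-address-list="Access IP"
add action=accept chain=forward in-interface-list=WAN src-address-list="Access IP"
# --- SYN-flood and new-connection-rate guards. Offenders go to ddos-blacklist for a day and
# are dropped in /ip firewall raw before connection tracking. The rate limit also applies to
# the input chain, so a legitimate peer in a tight reconnect loop can blacklist itself.
add action=jump chain=forward comment="DDoS SYN flood protection" connection-state=new in-interface-list=WAN jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=WAN jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect limit=200,5:packet tcp-flags=""
add action=add-src-to-address-list address-list=ddos-blacklist address-list-timeout=1d chain=SYN-Protect log=yes log-prefix="DDoS: SYN-Protect" tcp-flags=""
add action=jump chain=forward comment="DDoS Main protection" connection-state=new in-interface-list=WAN jump-target=DDoS-Protect
add action=jump chain=input connection-state=new in-interface-list=WAN jump-target=DDoS-Protect
add action=return chain=DDoS-Protect dst-limit=15,15,src-address/10s
add action=add-src-to-address-list address-list=ddos-blacklist address-list-timeout=1d chain=DDoS-Protect log=yes log-prefix="DDoS: MAIN-Protect"
# --- ICMP knocking: packet sizes 255 -> 350 -> 650 (or 530), each step within 30s. The sizes
# are visible to anyone on path, so this is an obscurity gate rather than authentication;
# the real protection is each service's own auth plus the 8h expiry. Echo replies cannot walk
# a host through the gates here because established traffic is accepted earlier in the chain.
add action=jump chain=input comment="Port Knocking Permission to access the router" in-interface-list=WAN jump-target=port-knocking log-prefix=PING protocol=icmp
add action=add-src-to-address-list address-list="Access IP Gate 1" address-list-timeout=30s chain=port-knocking in-interface-list=WAN log-prefix="Access IP Gate 1" packet-size=255 protocol=icmp
add action=add-src-to-address-list address-list="Access IP Gate 2" address-list-timeout=30s chain=port-knocking in-interface-list=WAN log-prefix="Access IP Gate 2" packet-size=350 protocol=icmp src-address-list=\
"Access IP Gate 1"
add action=add-src-to-address-list address-list="Access IP" address-list-timeout=8h chain=port-knocking in-interface-list=WAN log-prefix="Access IP" packet-size=650 protocol=icmp src-address-list="Access IP Gate 2"
add action=add-src-to-address-list address-list="Access IP" address-list-timeout=8h chain=port-knocking in-interface-list=WAN log-prefix="Access IP" packet-size=530 protocol=icmp src-address-list="Access IP Gate 2"
add action=return chain=port-knocking
# --- Default deny for everything else from WAN (input and forward). One copy of each suffices.
add action=drop chain=input comment="DROP Block all other input/forward connections on the WAN" in-interface-list=WAN
add action=drop chain=forward in-interface-list=WAN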
/ip firewall mangle
/ip firewall nat
# Source NAT for the LAN only. ipsec-policy=out,none keeps traffic that matches an IPsec
# policy un-NATed (defconf pattern).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.5.0/24
/ip firewall raw
# Blacklisted sources are dropped before connection tracking - the cheapest place for it.
add action=drop chain=prerouting comment="DDoS Drop blacklist IP" in-interface-list=WAN src-address-list=ddos-blacklist
# NetBIOS/SMB from the WAN never reaches the filter chains or the log.
add action=drop chain=prerouting comment=Block_NetBios dst-port=137,138,445 in-interface-list=WAN protocol=udp
add action=drop chain=prerouting dst-port=137,138,445 in-interface-list=WAN protocol=tcp
# Disabled SIP bypass; the address list "SIP" is not defined in this export.
add action=accept chain=prerouting comment="ALLOW Resolved SIP provider" disabled=yes in-interface-list=WAN protocol=udp src-address-list=SIP
/ip firewall service-port
# Connection-tracking helpers (ALGs) off: ftp/tftp/sip helpers open dynamic pinholes and are a
# well-known weak spot on NAT routers.
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
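/ip route
# Default route via the ISP gateway (address redacted in the export).
add distance=1 gateway=rrr.rrr.rrr.1
# Network behind the road-warrior binding; 10.67.5.0/24 is not mentioned anywhere else in
# this export - TODO confirm it is still in use.
add distance=1 dst-address=10.67.5.0/24 gateway=l2tp-in1
# Home_2 LAN over the site-to-site L2TP binding. The export had /32 here, i.e. only the host
# 192.168.30.0 (the network address itself), which routes nothing useful; the Home_2 export
# gives its LAN as 192.168.30.0/24 and routes 192.168.5.0/24 back over the same tunnel.
add distance=1 dst-address=192.168.30.0/24 gateway=l2tp-in-Home2
/ip route rule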
/ip service
set telnet disabled=yes
set ftp disabled=yes
# Web and WinBox management only from the LAN subnet; L2TP peers (172.20.10.x) are excluded.
set www address=192.168.5.0/24
set ssh disabled=yes
set winbox address=192.168.5.0/24
# NOTE(review): api (8728) and api-ssl (8729) are not mentioned, i.e. left at their defaults
# (enabled, no address restriction). The firewall only blocks them from WAN, so they are
# reachable from the LAN and from every L2TP peer. Disable both unless something uses the API.
/ip smb
# SMB server bound to the bridge. The export does not show smb enabled, so presumably inactive;
# if it is ever enabled it should stay LAN-only.
set interfaces=bridge
/ip traffic-flow
# NetFlow export for ether1; the collector (/ip traffic-flow target) is not in this export.
set enabled=yes interfaces=ether1
/ip upnp interfaces
# UPnP interface roles. "/ip upnp set enabled=yes" is not in this export, so presumably off.
# If it is turned on, any LAN host can open WAN pinholes without a firewall rule.
add interface=bridge type=internal
add interface=ether1 type=external
/lcd
set backlight-timeout=5m
/lcd interface pages
set 0 interfaces=wlan1
/ppp secret
# PPP accounts (passwords redacted). Secrets are stored retrievable on the router and readable
# by any user with the "sensitive" policy, so each peer should get a long, unique password.
add name=client_l2tp1 password=xxxxxxxx profile=l2tp_profile service=l2tp
add name=l2tp-in-Home2 password=xxxxxxxx profile=l2tp_profile service=l2tp
/snmp
# SNMP enabled with v2 interface traps. The community is not part of this export - make sure
# it is not the default "public" and is read-only. Reachable from LAN and from the L2TP peers
# (input is default-accept there).
set enabled=yes trap-generators=interfaces trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system identity
set name=Home
/system logging
# Extra topics into the local memory log: firewall (the log=yes rules above) and ipsec
# (negotiation failures). Memory log is lost on reboot; no remote target is configured here.
add topics=critical
add topics=firewall
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=88.147.254.235 secondary-ntp=88.147.254.232
/system ntp server
# Serves NTP to the LAN (the DHCP network hands out 192.168.5.1 as NTP server).
set enabled=yes
/tool mac-server
# MAC-telnet and MAC-WinBox answered on LAN interfaces only.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# jun/06/2020 13:21:34 by RouterOS 6.47
# model = 2011UiAS-2HnD
# Site "Home_2": the L2TP/IPsec client side; it dials the "Home" router.
/interface bridge
# arp=proxy-arp makes the router answer ARP on the bridge for any address it can route;
# nothing in this export seems to need it - TODO confirm, otherwise arp=enabled.
add admin-mac=xxxxxxxxxxxxxxx arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface l2tp-client
# Dials the Home router's WAN address; MS-CHAPv2 only, IPsec required with a PSK. Both the
# PSK and the PPP password are stored retrievable on this box (readable with the "sensitive"
# policy), so physical/admin access to this router equals access to the tunnel.
add allow=mschap2 connect-to=rrr.rrr.rrr.rrr disabled=no ipsec-secret=xxxxxxxxx name=l2tp-in-Home2 password=xxxxxxxx use-ipsec=yes user=l2tp-in-Home2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# The l2tp-client presumably joins "VPN" dynamically through the default PPP profile (*0).
add name=VPN
/ip ipsec profile
# IKE phase 1. 3des is presumably kept for compatibility; remove it once the Home side is
# known to negotiate AES.
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256
/ip ipsec proposal
# Phase 2 auth: sha256 preferred, sha1 kept as fallback; encryption left at the default set.
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
# LAN DHCP range (19 addresses, 192.168.30.2-20).
add name=dhcp ranges=192.168.30.2-192.168.30.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# Default PPP profile: interfaces using it join the "VPN" interface list dynamically.
set *0 interface-list=VPN
/user group
# "full" group policy (appears to be the stock list); keep it to the admin account only.
# The /user section is not part of this export.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
# All LAN ports, sfp1 and the wireless interface form one L2 domain.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
# Neighbour discovery answered on LAN only.
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# NOTE(review): the LAN address is bound to ether2, which is a bridge port above. An address
# on a bridge slave is flagged invalid on the current bridge implementation; confirm with
# `/ip address print` and move it to interface=bridge.
add address=192.168.30.1/24 comment=defconf interface=ether2 network=192.168.30.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
# LAN clients resolve against the two public resolvers and use external NTP servers directly.
add address=192.168.30.0/24 comment=defconf dns-server=85.234.32.35,85.234.33.23 gateway=192.168.30.1 netmask=24 ntp-server=88.147.254.235,88.147.254.230
/ip dns
# Resolvers for the router itself; allow-remote-requests is not set, so it does not serve LAN DNS.
set servers=85.234.32.35,85.234.33.23
/ip dns static
add address=192.168.30.1 comment=defconf name=router.lan type=A
/ip firewall address-list
# Same "Access L2TP" peer list as on the Home router. On this box it is only consulted by the
# inbound L2TP accept rules, which a client-only router does not need.
add address=ttt.ttt.ttt.ttt list="Access L2TP"
add address=eee.eee.eee.eee list="Access L2TP"
add address=rrr.rrr.rrr.rrr list="Access L2TP"
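/ip firewall filter
# Input and forward are default-accept; only WAN-sourced traffic is filtered below.
# Cleaned up relative to the exported rule set: the second established,related forward accept
# and the second forward invalid drop (both already handled higher up) and the extra copies of
# the final WAN drops were removed. No rule that could match was taken away.
#
# Fasttrack first (defconf layout). fasttrack-connection does not terminate rule processing,
# so the established,related accepts further down are still required.
add action=fasttrack-connection chain=forward connection-state=established,related protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related protocol=udp
# Disabled leftovers (OpenVPN tunnel input, NTP over TCP, a WAN established accept) - delete
# once confirmed unused; the live established accept for input is the one after the knocking block.
add action=accept chain=input comment="Access OpenVPN Tunnel Data" disabled=yes in-interface-list=VPN
add action=accept chain=input disabled=yes dst-port=123 protocol=tcp
add action=accept chain=input connection-state=established,related disabled=yes in-interface-list=WAN
# L2TP *server* accepts carried over from the Home router. This box is the L2TP client and has
# no /interface l2tp-server server entry in this export, so these match nothing useful; the
# client's own session returns as established,related.
add action=accept chain=input comment="Access L2TP" dst-address-list="Access L2TP" dst-port=1701 in-interface-list=WAN protocol=udp src-address-list="Access L2TP" src-port=1701
add action=accept chain=input dst-address-list="Access L2TP" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp src-address-list="Access L2TP" src-port=500,1701,4500
add action=drop chain=input dst-port=1701 in-interface-list=WAN protocol=udp src-port=1701
add action=accept chain=forward comment=NTP dst-port=123 protocol=udp
add action=accept chain=forward comment="ALLOW Established, Related and Untracked connections" connection-state=established,related
# Knock result: a source that completed the ICMP sequence gets ALL input for 8h. Narrow this
# to the ports the Home router actually needs here (e.g. dst-port=8291 protocol=tcp).
add action=accept chain=input comment="ALLOW All after ICMP knocking" in-interface-list=WAN src-address-list="Access IP"
add action=accept chain=forward in-interface-list=WAN src-address-list="Access IP"
add action=drop chain=forward comment="DROP Invalid connections" connection-state=invalid
# SYN-flood and new-connection-rate guards; offenders go to ddos-blacklist for a day and are
# dropped in /ip firewall raw. The rate limit also applies to input, so a legitimate peer in a
# tight reconnect loop can blacklist itself.
add action=jump chain=forward comment="DDoS SYN flood protection" connection-state=new in-interface-list=WAN jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=WAN jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect limit=200,5:packet tcp-flags=""
add action=add-src-to-address-list address-list=ddos-blacklist address-list-timeout=1d chain=SYN-Protect log=yes log-prefix="DDoS: SYN-Protect" tcp-flags=""
add action=jump chain=forward comment="DDoS Main protection" connection-state=new in-interface-list=WAN jump-target=DDoS-Protect
add action=jump chain=input connection-state=new in-interface-list=WAN jump-target=DDoS-Protect
add action=return chain=DDoS-Protect dst-limit=15,15,src-address/10s
add action=add-src-to-address-list address-list=ddos-blacklist address-list-timeout=1d chain=DDoS-Protect log=yes log-prefix="DDoS: MAIN-Protect"
# ICMP knocking: packet sizes 255 -> 350 -> 650 (or 530), each step within 30s. The sizes are
# visible to anyone on path, so this is an obscurity gate, not authentication.
# NOTE(review): the input established accept comes AFTER this block, so ICMP echo *replies*
# also pass through it. The icmp_knock script on this box pings the Home router with exactly
# these sizes; once the Home side answers, its replies (same sizes) can walk the Home address
# through the gates here. Add `icmp-options=8:0` (echo request only) to the three gate rules,
# or move the established,related input accept above the knocking jump.
add action=jump chain=input comment="Port Knocking Permission to access the router" in-interface-list=WAN jump-target=port-knocking log-prefix=PING protocol=icmp
add action=add-src-to-address-list address-list="Access IP Gate 1" address-list-timeout=30s chain=port-knocking in-interface-list=WAN log-prefix="Access IP Gate 1" packet-size=255 \
protocol=icmp
add action=add-src-to-address-list address-list="Access IP Gate 2" address-list-timeout=30s chain=port-knocking in-interface-list=WAN log-prefix="Access IP Gate 2" packet-size=350 \
protocol=icmp src-address-list="Access IP Gate 1"
add action=add-src-to-address-list address-list="Access IP" address-list-timeout=8h chain=port-knocking in-interface-list=WAN log-prefix="Access IP" packet-size=650 protocol=icmp \
src-address-list="Access IP Gate 2"
add action=add-src-to-address-list address-list="Access IP" address-list-timeout=8h chain=port-knocking in-interface-list=WAN log-prefix="Access IP" packet-size=530 protocol=icmp \
src-address-list="Access IP Gate 2"
add action=return chain=port-knocking
# Live established/invalid handling for the input chain (the WAN-only variant above is disabled).
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# --- WinBox (TCP 8291) from WAN: 3 new connections per minute per source, the 4th is
# blacklisted permanently. NOTE(review): unlike the Home router, /ip service on this box does
# not restrict winbox by address, so the final accept exposes WinBox to the whole Internet
# behind only that rate limiter. Add `set winbox address=192.168.30.0/24,192.168.5.0/24` under
# /ip service and/or add src-address-list="Access IP" to the accept rule.
add action=drop chain=input comment="Protected - WinBox Access" src-address-list="Black List Winbox"
add action=add-src-to-address-list address-list="Black List Winbox" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=8291 in-interface-list=WAN log=yes \
log-prefix="BLACK WINBOX" protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=WAN protocol=tcp \
src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=WAN protocol=tcp \
src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
# --- OpenVPN (TCP 1194): no /interface ovpn-server server entry is in this export, so these
# rules guard a service that appears not to be enabled; remove them if OpenVPN is unused.
add action=drop chain=input comment="Protected - OpenVPN Connections" src-address-list="Black List OpenVPN"
add action=add-src-to-address-list address-list="Black List OpenVPN" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=1194 in-interface-list=WAN log=yes \
log-prefix="BLACK OVPN" protocol=tcp src-address-list="OpenVPN Stage 3"
add action=add-src-to-address-list address-list="OpenVPN Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=1194 in-interface-list=WAN protocol=tcp \
src-address-list="OpenVPN Stage 2"
add action=add-src-to-address-list address-list="OpenVPN Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=1194 in-interface-list=WAN protocol=tcp \
src-address-list="OpenVPN Stage 1"
add action=add-src-to-address-list address-list="OpenVPN Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=1194 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=1194 in-interface-list=WAN protocol=tcp
# --- "L2TP" over TCP: L2TP/IPsec runs over UDP and this box is a client anyway, so these
# rules are inert. Kept as exported.
add action=drop chain=input comment="Protected - L2TP Connections" src-address-list="Black List L2TP"
add action=add-src-to-address-list address-list="Black List L2TP" address-list-timeout=none-dynamic chain=input connection-state=new dst-port=500,1701,4500 in-interface-list=WAN log=yes \
log-prefix="BLACK L2TP" protocol=tcp src-address-list="L2TP Stage 3"
add action=add-src-to-address-list address-list="L2TP Stage 3" address-list-timeout=1m chain=input connection-state=new dst-port=500,1701,4500 in-interface-list=WAN protocol=tcp \
src-address-list="L2TP Stage 2"
add action=add-src-to-address-list address-list="L2TP Stage 2" address-list-timeout=1m chain=input connection-state=new dst-port=500,1701,4500 in-interface-list=WAN protocol=tcp \
src-address-list="L2TP Stage 1"
add action=add-src-to-address-list address-list="L2TP Stage 1" address-list-timeout=1m chain=input connection-state=new dst-port=500,1701,4500 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=tcp
# --- Default deny for everything else from WAN (input and forward). One copy of each suffices.
add action=drop chain=input comment="DROP Block all other input/forward connections on the WAN" in-interface-list=WAN
add action=drop chain=forward in-interface-list=WAN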
/ip firewall nat
# defconf masquerade for everything leaving WAN, except traffic that matches an IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# LAN-only masquerade. Already covered by the rule above except for packets matching an IPsec
# out policy; with transport-mode L2TP/IPsec that is only the router's own L2TP traffic, so
# this rule is effectively redundant.
add action=masquerade chain=srcnat comment="MASQ WAN out masquerade" out-interface-list=WAN src-address=192.168.30.0/24
/ip firewall raw
# Blacklisted sources are dropped before connection tracking - the cheapest place for it.
add action=drop chain=prerouting comment="DDoS Drop blacklist IP" in-interface-list=WAN src-address-list=ddos-blacklist
# NetBIOS/SMB from the WAN never reaches the filter chains or the log.
add action=drop chain=prerouting comment=Block_NetBios dst-port=137,138,445 in-interface-list=WAN protocol=udp
add action=drop chain=prerouting dst-port=137,138,445 in-interface-list=WAN protocol=tcp
# Disabled SIP bypass; the address list "SIP" is not defined in this export.
add action=accept chain=prerouting comment="ALLOW Resolved SIP provider" disabled=yes in-interface-list=WAN protocol=udp src-address-list=SIP
/ip firewall service-port
# Connection-tracking helpers (ALGs) off: ftp/tftp/sip helpers open dynamic pinholes.
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
# Home LAN over the L2TP tunnel (the Home side routes 192.168.30.0 back over the same tunnel).
# No static default route: it comes from the DHCP client on ether1.
add distance=1 dst-address=192.168.5.0/24 gateway=l2tp-in-Home2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): winbox is the only management service left and has no address restriction,
# while the filter chain accepts TCP 8291 from the WAN. Add
# `set winbox address=192.168.30.0/24,192.168.5.0/24` (local LAN plus the Home LAN over the
# tunnel) so WinBox is never reachable from the Internet regardless of the firewall.
/ip traffic-flow
# NetFlow export for ether1; the collector (/ip traffic-flow target) is not in this export.
set enabled=yes interfaces=ether1
/lcd
set backlight-timeout=5m
/lcd interface pages
set 0 interfaces=wlan1
/snmp
# SNMP enabled with v2 interface traps. The community is not part of this export - make sure
# it is not the default "public" and is read-only. Reachable from LAN and over the tunnel
# (input is default-accept there).
set enabled=yes trap-generators=interfaces trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system identity
set name=Home_2
/system logging
# The stock "info -> memory" rule is disabled and several topics go to the "remote" action.
# The syslog destination (/system logging action set remote remote=<collector>) is not in this
# export - confirm it is configured, otherwise info/system/critical messages are kept nowhere.
# firewall is logged both remotely and to memory.
set 0 disabled=yes
add action=remote topics=firewall
add disabled=yes topics=debug
add topics=event
add disabled=yes topics=ovpn
add topics=interface
add action=remote topics=info
add action=remote topics=system
add action=remote topics=critical
add topics=l2tp
add action=remote disabled=yes topics=snmp
add topics=firewall
/system ntp client
# Secondary NTP here is .230, the Home router uses .232 - harmless, but presumably meant to match.
set enabled=yes primary-ntp=88.147.254.235 secondary-ntp=88.147.254.230
/system ntp server
set enabled=yes
/system scheduler
# Runs the ICMP knock script every minute from boot. The policy granted here is far wider than
# a ping script needs (password, policy, sensitive, reboot, sniff): read,test should suffice
# for /ping and :log - TODO verify by running the script manually with the reduced policy,
# then trim both this entry and the script's own policy.
add interval=1m name=start_icmp_knock on-event="/system script run \"icmp_knock\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script
# icmp_knock: if the Home router does not answer a plain ping (on the Home side plain ICMP
# from the WAN is dropped unless this address is already in its "Access IP" list), replay the
# knock sequence (ICMP sizes 255, 350, 650, 2s apart) and re-test. Worst case the Home side is
# unreachable for about a minute after the 8h entry expires. Runs as user michail with the same
# over-wide policy as the scheduler (see note there). The script body is one quoted string, so
# its own "# Step" lines are part of the string, not RouterOS comments.
add dont-require-permissions=no name=icmp_knock owner=michail policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local IP rrr.rrr.rrr.rrr\r\
\n:local PING\r\
\n:set \$PING [/ping \$IP count=1]\r\
\n:if (\$PING<1) do={\r\
\n # Step 1\r\
\n /ping \$IP count=1 size=255\r\
\n :delay 2s\r\
\n # Step 2\r\
\n /ping \$IP count=1 size=350\r\
\n :delay 2s\r\
\n # Step 3\r\
\n /ping \$IP count=1 size=650\r\
\n :delay 2s\r\
\n :set \$PING [/ping \$IP count=1]\r\
\n :if (\$PING>0) do={\r\
\n :log info \"Access Granted\"\r\
\n } else={\r\
\n :log info \"Access Failed\"\r\
\n }\r\
\n}"
/tool mac-server
# MAC-telnet and MAC-WinBox answered on LAN interfaces only.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Спасибо.