# CAPsMAN channel templates: one 2.4 GHz (802.11n-only) and one 5 GHz (802.11ac-only), both 20 MHz wide.
# No fixed frequency is given, so the manager chooses one and re-evaluates it every 5d12h.
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled name="2.4 AUTO" reselect-interval=5d12h
add band=5ghz-onlyac control-channel-width=20mhz name="5 AUTO" reselect-interval=5d12h
/interface bridge
# Guest bridge. arp=reply-only: the router answers ARP but does not learn neighbours dynamically,
# so a guest is only reachable from the router once an ARP entry exists for it
# (the guest DHCP server in this export adds those entries via add-arp=yes).
add arp=reply-only fast-forward=no name="Guest WLAN"
# Main LAN bridge.
# NOTE(review): arp=proxy-arp makes the router answer ARP on behalf of other hosts on this segment.
# Nothing visible in this export obviously needs it; confirm it is intentional, otherwise use arp=enabled.
add admin-mac=xx arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
/interface pppoe-client
# Primary uplink: PPPoE over ether1, installs the default route. Credentials are redacted ("xx") in this paste.
add add-default-route=yes disabled=no interface=ether1 max-mtu=1500 name=Internet password=xx user=xx
/interface l2tp-client
# Tunnel to the second site: L2TP protected by IPsec with a pre-shared ipsec-secret.
# NOTE(review): the password below was only partly redacted (a trailing character survived). Prefer
# "/export hide-sensitive" over hand-editing when sharing a config, and rotate any secret that leaked in part.
# NOTE(review): a single PSK authenticates the IPsec layer; keep it long and random, and unique to this tunnel.
add allow-fast-path=yes connect-to=xx disabled=no ipsec-secret=xx name="Home Connect" password=xx! use-ipsec=yes user=xx
# Local radio settings. Both radios are handed over to CAPsMAN (see the export-generated comments),
# so the ssid=MikroTik values here are only the local fallback and are not what is being broadcast.
# NOTE(review): country=no_country_set with frequency-mode=superchannel removes regulatory channel/power
# limits (the status comment shows 27 dBm on 2.4 GHz). Set the real country and a regulatory mode unless
# this is a licensed or lab setup.
/interface wireless
# managed by CAPsMAN
# channel: 2462/20/gn(27dBm), SSID: Lemurs, CAPsMAN forwarding
set [ find default-name=wlan1 ] country=no_country_set frequency-mode=superchannel ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(14dBm), SSID: xx, CAPsMAN forwarding
set [ find default-name=wlan2 ] country=no_country_set frequency-mode=superchannel ssid=MikroTik
/caps-man datapath
# local-forwarding=no on both datapaths: client traffic is tunnelled to the CAPsMAN manager and bridged there.
# LAN clients may talk to each other; guest clients may not (client-to-client-forwarding=no).
# That guest setting only isolates wireless clients from one another at layer 2; it does not stop
# routed traffic between the guest subnet and the LAN, which is a firewall matter.
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name="LAN Datapath"
add bridge="Guest WLAN" client-to-client-forwarding=no local-forwarding=no name="Guest Data"
/caps-man security
# Two WPA2-PSK/AES-CCMP profiles (main, redacted name, and guest).
# NOTE(review): the first passphrase looks only partly redacted (a leading character survived).
add authentication-types=wpa2-psk encryption=aes-ccm name=xx passphrase=gxx
add authentication-types=wpa2-psk encryption=aes-ccm name=GuestWiFi passphrase=xx
# NOTE(review): "CameraOlder" allows WPA (v1) with TKIP, both deprecated. The security= values of the
# LAN configurations below are redacted, so it cannot be told from this paste whether the profile is in use.
# If it is, keep it on its own SSID and subnet and firewall that subnet off from the main LAN;
# otherwise remove the profile.
add authentication-types=wpa-psk encryption=aes-ccm,tkip name=CameraOlder passphrase=xxx
/caps-man configuration
# One configuration uses the guest datapath and GuestWiFi security; the other three use the LAN datapath.
# All of them carry country=no_country_set; see the regulatory note on the local radios.
add channel="5 AUTO" country=no_country_set datapath="Guest Data" distance=indoors hw-protection-mode=rts-cts installation=indoor mode=ap name="xx" rx-chains=0,1,2,3 security=GuestWiFi ssid="xx" tx-chains=0,1,2,3
add channel="2.4 AUTO" country=no_country_set datapath="LAN Datapath" distance=indoors hw-protection-mode=rts-cts installation=indoor mode=ap multicast-helper=full name="xx" rx-chains=0,1,2,3 security=xx ssid=xx tx-chains=\
0,1,2,3
add channel="2.4 AUTO" country=no_country_set datapath="LAN Datapath" hw-protection-mode=rts-cts installation=indoor mode=ap name="xx" rx-chains=0,1,2,3 security=xx ssid=xxx tx-chains=0,1,2,3
add channel="5 AUTO" country=no_country_set datapath="LAN Datapath" distance=indoors hw-protection-mode=rts-cts installation=indoor mode=ap name="xx" rx-chains=0,1,2,3 security=xx ssid=xx tx-chains=0,1,2,3
# Interface lists referenced by the firewall, NAT and MAC-server settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Security profiles for the local (non-CAPsMAN) wireless driver. While the radios are CAPsMAN-managed
# these are not what clients authenticate against, but they become live if the radios revert to local control.
# NOTE(review): the default and "Guest WiFi" profiles still permit WPA (v1) next to WPA2; restrict them to
# wpa2-psk so a fallback does not silently downgrade security.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xx wpa2-pre-shared-key=xx
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name="Guest WiFi" supplicant-identity="" wpa-pre-shared-key=xx wpa2-pre-shared-key=xx
add authentication-types=wpa2-psk mode=dynamic-keys name="Lemurs Wifi" supplicant-identity=MikroTik wpa2-pre-shared-key=xx
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
# Phase-1 proposal of the default IPsec profile.
# NOTE(review): 3des is still offered as a fallback. The L2TP client with use-ipsec=yes presumably
# negotiates with this default profile (confirm); drop 3des if the peer supports AES.
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip pool
# LAN pool .10-.90; guest pool is deliberately small (.10-.20).
add name=dhcp ranges=192.168.1.10-192.168.1.90
add name="Guest WLAN" ranges=192.168.77.10-192.168.77.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="DHCP Dacha"
# add-arp=yes pairs with arp=reply-only on the guest bridge: only addresses leased by this server get an
# ARP entry, so a guest that assigns itself a static address gets no replies from the router.
add add-arp=yes address-pool="Guest WLAN" disabled=no interface="Guest WLAN" name="Guest DHCP"
/port
set 0 name=usb1
/interface ppp-client
# LTE modem on usb1, configured without a default route (add-default-route=no).
# NOTE(review): MTS-4G is not a member of the WAN interface list in this export. If it is ever used as an
# uplink, add it to WAN first, otherwise the WAN-based forward drop and masquerade rules will not match it.
add add-default-route=no apn=internet.mts.ru data-channel=1 dial-on-demand=no modem-init="" name=MTS-4G password=mts phone=*99***1# port=usb1 use-peer-dns=no user=mts
/queue simple
# Caps the whole guest bridge at 2 Mbit/s in each direction.
add max-limit=2M/2M name=Guest-que target="Guest WLAN"
/snmp community
# Limits the default SNMP community to the two internal /24s.
# NOTE(review): the community name is not shown, so it is presumably still the factory default; with
# SNMP v1/v2c the name travels in clear text. Rename it, or move to SNMPv3 with auth and privacy.
set [ find default=yes ] addresses=192.168.1.0/24,192.168.0.0/24
/user group
# Policy set of the built-in "full" group. User accounts themselves do not appear in this export,
# so which accounts hold this group cannot be reviewed from this paste.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
# This router is the CAPsMAN manager and generates its own CA and certificate.
# NOTE(review): require-peer-certificate is not shown, so it is presumably at its default; confirm.
# Without it the manager does not verify that a joining CAP holds a certificate issued by this CA.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
# Provisioning is matched on supported modes only (gn / an). No radio-mac restriction is visible, so any
# radio that reaches the manager and matches would be provisioned with the (redacted) configurations.
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration="xx" name-format=identity slave-configurations="xx"
add action=create-dynamic-enabled hw-supported-modes=an master-configuration="xx" name-format=identity slave-configurations="xx"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Internet list=WAN
# NOTE(review): putting the tunnel in LAN makes the remote site fully trusted. Everything arriving over
# "Home Connect" passes the "in-interface-list=!LAN" input drop and is exempt from the WAN forward drop,
# and the MAC server / MAC-WinBox settings also admit it. If the far end should only reach specific
# services, give the tunnel its own interface list and write explicit accept rules for it.
add interface="Home Connect" list=LAN
/interface wireless cap
#
# The router's own radios join the local manager over the bridge and request a certificate from it.
set bridge=bridge certificate=request discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
/ip address
# NOTE(review): the LAN address sits on ether2, which this export also adds as a port of "bridge".
# An address on a bridge port is a known source of odd behaviour; it normally belongs on the bridge itself.
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
add address=192.168.77.1/24 interface="Guest WLAN" network=192.168.77.0
/ip cloud
# Publishes the router's current public address under its MikroTik cloud DNS name.
set ddns-enabled=yes
/ip dhcp-client
# NOTE(review): defconf leftover. ether1 also carries the PPPoE session; unless the ISP really hands out
# a lease here, disable this client so a DHCP server on the provider segment cannot push routes to it.
add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
# Static leases. MAC addresses are redacted, with two exceptions noted below.
add address=192.168.1.92 client-id=1:xx mac-address=xx server="DHCP Dacha"
add address=192.168.1.99 client-id=1:xx mac-address=xx server="DHCP Dacha"
add address=192.168.1.16 client-id=1:xx mac-address=xx server="DHCP Dacha"
# NOTE(review): the client-id on the next line still contains the device's MAC although mac-address is
# redacted; redact both fields when sharing.
add address=192.168.1.93 client-id=1:34:ce:0:d1:61:ae mac-address=xx server="DHCP Dacha"
# NOTE(review): "client-xx5" is a redaction artefact, not a valid parameter; this line will not import as is.
add address=192.168.1.8 client-xx5 mac-address=xx server="DHCP Dacha"
/ip dhcp-server network
# LAN clients are pointed at a resolver in 192.168.0.0/24, i.e. at the other site; guests get 8.8.8.8
# directly and never need to query the router.
add address=192.168.1.0/24 comment="Dacha NET" dns-server=192.168.0.10 domain=xx.local gateway=192.168.1.1 netmask=24
add address=192.168.77.0/24 comment="Guest WiFi" dns-server=8.8.8.8 gateway=192.168.77.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anyone the input chain lets in.
# The firewall must keep UDP/TCP 53 closed towards WAN, otherwise it becomes an open resolver.
# NOTE(review): 4.4.4.4 is not a Google Public DNS address (those are 8.8.8.8 and 8.8.4.4); probably a
# typo. As written, queries can be sent to an unintended third party. Verify and correct.
set allow-remote-requests=yes servers=192.168.0.10,8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall address-list
# Address lists used by the mangle/filter rules. In the filter rules of this export "Guests" is not
# referenced at all and "Cameras" only by a disabled logging rule, so neither currently restricts anything.
add address=192.168.77.0/24 list=Guests
add address=192.168.1.90-92 list=Cameras
add address=192.168.0.0/24 list=internal
add address=192.168.1.0/24 list=internal
add address=10.10.15.1 list=internal
add address=10.10.15.2 list=internal
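# Filter rules are evaluated top to bottom per chain; a packet that matches no rule is accepted.
# input   = traffic addressed to the router itself
# forward = traffic routed through it
/ip firewall filter
# Fasttrack established/related flows, except connections marked con-r1: those must stay on the slow
# path so the mangle rules can keep applying the via-r1 routing mark.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!con-r1 connection-state=established,related
# Packets whose source address belongs to the router itself (local CAPsMAN traffic).
add action=accept chain=input comment="Local CAPSMAN" src-address-type=local
# ICMP to the router is accepted from every interface, WAN included.
add action=accept chain=input comment=PINGS protocol=icmp
# Log-only rule for one LAN host; evaluation continues with the next rule.
add action=log chain=input log=yes log-prefix=DACHA src-address=192.168.1.8
# Remote site (192.168.0.0/24) may open connections into the local LAN through the tunnel.
add action=accept chain=forward comment=Kvartira dst-address=192.168.1.0/24 in-interface="Home Connect" src-address=192.168.0.0/24
add action=accept chain=forward disabled=yes dst-address=10.10.15.2 in-interface="Home Connect" src-address=192.168.0.0/24
# WinBox from the tunnel. NOTE(review): redundant while "Home Connect" is in the LAN list, because no
# input rule drops LAN-list traffic; it only matters once the tunnel is moved out of LAN.
add action=accept chain=input dst-port=8291 in-interface="Home Connect" protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Guest isolation at layer 3. Without this rule nothing in the forward chain stops a guest from opening
# connections to the LAN, the cameras or the remote site, since the only forward drops are for invalid
# state and for WAN-originated traffic. It sits after the established/related accept so that replies to
# sessions opened from the LAN towards a guest still pass. Both address lists come from
# /ip firewall address-list in this export.
add action=drop chain=forward comment="guest isolation: no new connections from Guests to internal nets" dst-address-list=internal src-address-list=Guests
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=log chain=forward disabled=yes log=yes log-prefix=CAMERA out-interface-list=!LAN src-address-list=Cameras
add action=accept chain=forward disabled=yes dst-address=192.168.1.8 dst-port=8125 log=yes log-prefix="DACHA PORT ACCEPT" protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=DROP
# Only traffic entering via the WAN list is dropped here. Internet-originated traffic that the remote
# router forwards through "Home Connect" (the con-r1 case in mangle) is not covered: it arrives on a
# LAN-list interface and is accepted by default. NOTE(review): confirm the far end filters it, or add an
# explicit rule for in-interface="Home Connect" with src-address-list=!internal.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=DROP2
# Final input drop for everything not arriving on a LAN-list interface. This covers WAN and also the
# guest bridge, which is not in LAN. log-prefix is set but log=yes is not shown, so these drops are
# presumably not logged.
add action=drop chain=input in-interface-list=!LAN log-prefix=DROOP3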
# Policy routing so that replies to connections which arrived through the tunnel from non-internal
# sources leave through the tunnel again instead of the local PPPoE uplink.
/ip firewall mangle
# Packets from the LAN side that belong to a con-r1 connection get routing mark via-r1.
add action=mark-routing chain=prerouting connection-mark=con-r1 in-interface-list=LAN new-routing-mark=via-r1 passthrough=no
# New connections entering on "Home Connect" whose source is NOT in the "internal" list are marked con-r1.
# NOTE(review): this implies externally sourced traffic is expected over the tunnel; check that the
# forward chain filters it as tightly as traffic arriving on the WAN list.
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="Home Connect" new-connection-mark=con-r1 passthrough=no src-address-list=!internal
/ip firewall nat
# Source NAT for everything leaving via the WAN list, except traffic covered by an IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log-prefix=SNAT out-interface-list=WAN
/ip route
# Default route for the via-r1 routing mark: out through the tunnel.
add distance=1 gateway="Home Connect" routing-mark=via-r1
# Static route to the remote LAN via the tunnel peer address.
add distance=1 dst-address=192.168.0.0/24 gateway=10.10.15.1 pref-src=10.10.15.2 scope=10
/ip service
# Telnet and FTP are off; SSH is moved to port 4000.
# NOTE(review): www, api, api-ssl and winbox are not shown, so they are presumably still enabled at their
# defaults. Disable the ones not in use and set address= on the rest to the management subnet.
# A non-standard SSH port is not a control in itself; the input firewall is what protects it.
set telnet disabled=yes
set ftp disabled=yes
set ssh port=4000
/ip ssh
set strong-crypto=yes
/ip upnp
# NOTE(review): UPnP interfaces are defined below, but enabled= is not shown here, so the service is
# presumably off. If it is switched on, any LAN host can ask the router to open inbound ports. Leave it
# disabled unless required.
set show-dummy-rule=no
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/snmp
# SNMP agent is enabled; access is limited by the address filter on the default community.
# See the community settings for the cleartext / default-name caveat.
set contact=Support enabled=yes location=Home trap-generators="" trap-version=2
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=BLACK
/system logging
add prefix=CAPS topics=caps
# Layer-2 management (MAC-Telnet, MAC-WinBox) is limited to the LAN interface list. That list includes
# the "Home Connect" tunnel in this export, so it is broader than the local bridge.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN