Using Mangle for routing

Software discussion and configuration
someone_strange
Posts: 8
Joined: 21 Apr 2022, 11:44

Hello!

I've already racked my brains over this; I spent several days trying to set it up and it just won't work.
So, what is needed: route part of the traffic through a VPN.
What I did: address list, mangle rule, route for the marked traffic.
Tried it on both ROS 6 and ROS 7.
Tried different VPNs (changed providers, changed VPN types: PPTP, L2TP, OVPN).
It doesn't work.
MikroTik RB4011iGS+5HacQ2HnD-IN

How I configured it:

Code:

/ppp profile
add name=OVPN-Profile-Fornex use-encryption=required

/interface ovpn-client
add connect-to=vpnse01.fornex.org mac-address=********* max-mtu=1400 name=Interface-Out-OVPN-Fornex password=********* port=443 profile=OVPN-Profile-Fornex protocol=udp use-peer-dns=no user=*********

/routing table
add fib name=route-mark-fornex

/ip firewall address-list
add address=2ip.ru list=facebook_list
add address=facebook.com disabled=yes list=facebook_list

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark FornexVPN - OUT (dst-list)" dst-address-list=facebook_list dst-address-type=!local log=yes log-prefix=___OVPN-MARK-DST-LST new-routing-mark=route-mark-fornex passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat

/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=route-mark-fornex scope=30 suppress-hw-offload=no target-scope=10
# route for testing (enable/disable)
add comment=2ip.ru disabled=yes distance=1 dst-address=195.201.201.32/32 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table disabled=no routing-mark=route-mark-fornex table=route-mark-fornex

When I enable the direct route to 2ip.ru, everything is fine: the external IP changes. When I disable that route, nothing goes through the marked route. The mangle counter ticks.


someone_strange
Posts: 8
Joined: 21 Apr 2022, 11:44

Just in case, the full config (pasting it as code; attaching it as a file doesn't work for some reason):

Code:

# apr/02/2022 19:24:49 by RouterOS 7.1.5
# software id = LVUE-YMHD
#
# model = RB4011iGS+5HacQ2HnD
# serial number = *********

/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name=CAPSMAN-Channels-SETKO2
add band=5ghz-a/n/ac extension-channel=XXXX name=CAPSMAN-Channels-SETKO5

/interface bridge
add name=Bridge-LAN

/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp comment=GAME name=Interface-ETH01-LAN
set [ find default-name=ether2 ] arp=proxy-arp comment=NOTER name=Interface-ETH02-LAN
set [ find default-name=ether3 ] arp=proxy-arp comment=AP2 name=Interface-ETH03-LAN
set [ find default-name=ether4 ] arp=proxy-arp disabled=yes name=Interface-ETH04-LAN
set [ find default-name=ether5 ] arp=proxy-arp disabled=yes name=Interface-ETH05-LAN
set [ find default-name=ether6 ] arp=proxy-arp disabled=yes name=Interface-ETH06-LAN
set [ find default-name=ether7 ] arp=proxy-arp disabled=yes name=Interface-ETH07-LAN
set [ find default-name=ether8 ] arp=proxy-arp disabled=yes name=Interface-ETH08-LAN
set [ find default-name=ether9 ] arp=proxy-arp disabled=yes name=Interface-ETH09-LAN
set [ find default-name=ether10 ] arp=proxy-arp disabled=yes name=Interface-ETH10-LAN poe-out=off
set [ find default-name=sfp-sfpplus1 ] mac-address=********* name=Interface-SFP01-WAN

/interface l2tp-server
add disabled=yes name=Interface-L2TP-DACHA user=*********
add name=Interface-L2TP-********* user=*********
add name=Interface-L2TP-********* user=*********
add name=Interface-L2TP-********* user=*********
add name=Interface-L2TP-********* user=*********

/caps-man datapath
add bridge=Bridge-LAN name=CAPSMAN-DP01

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=CAPSMAN-SETKO passphrase=*********

/caps-man configuration
add channel=CAPSMAN-Channels-SETKO2 channel.band=2ghz-b/g/n .control-channel-width=20mhz .extension-channel=XX country=russia2 datapath=CAPSMAN-DP01 mode=ap name=CAPSMAN-Config-SETKO2 rx-chains=0,1,2,3 security=CAPSMAN-SETKO ssid=SETKO2 tx-chains=0,1,2,3
add channel=CAPSMAN-Channels-SETKO5 channel.band=5ghz-onlyac .control-channel-width=20mhz .extension-channel=XXXX country=russia2 datapath=CAPSMAN-DP01 mode=ap name=CAPSMAN-Config-SETKO5 rx-chains=0,1,2,3 security=CAPSMAN-SETKO ssid=SETKO tx-chains=0,1,2,3

/interface list
add name=InterfaceList-LAN-Wired
add name=InterfaceList-LAN-Wireless
add name=InterfaceList-VPNClients
add name=InterfaceList-WAN
add include="InterfaceList-LAN-Wired,InterfaceList-LAN-Wireless,InterfaceList-VPNClients" name=InterfaceList-LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=SETKO supplicant-identity=MikroTik wpa2-pre-shared-key=*********

/ip dhcp-server option
add code=119 name="DNS suffix search list" value=0x067A6F6469616B000372646E056C6F63616C0004736B6466C00C

/ip ipsec policy group
add name=IPSec-Group-L2TPVPN

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des name=IPSec-Profile-L2TPVPN

/ip ipsec peer
add name=IPSec-Peer-L2TPVPN passive=yes profile=IPSec-Profile-L2TPVPN

/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-256-cbc,aes-256-ctr,3des pfs-group=none
add enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=IPSec-Proposal-L2TPVPN pfs-group=none

/ip pool
add name=Pool-IPv4-LAN ranges=192.168.111.101-192.168.111.150
add name=Pool-IPv4-VPN ranges=192.168.112.101-192.168.112.150

/ip dhcp-server
add add-arp=yes address-pool=Pool-IPv4-LAN authoritative=after-2sec-delay interface=Bridge-LAN lease-time=12h name=DHCP-IPv4-LAN

/port
set 0 name=serial0
set 1 name=serial1

/ppp profile
add bridge=Bridge-LAN change-tcp-mss=yes dns-server=1.1.1.1,8.8.8.8 local-address=192.168.111.254 name=L2TP-Profile-VPN only-one=no remote-address=Pool-IPv4-VPN use-encryption=required
add bridge=Bridge-LAN change-tcp-mss=yes dns-server=1.1.1.1,8.8.8.8 local-address=192.168.111.254 name=L2TP-Profile-VPNDACHA only-one=no remote-address=Pool-IPv4-VPN-Site2Site use-compression=yes use-encryption=yes
add name=OVPN-Profile-Fornex use-encryption=required

/interface pptp-client
add allow=mschap2 connect-to=vpnse01.fornex.org name=Interface-Out-PPTP-Fornex password=********* profile=OVPN-Profile-Fornex user=moxhatbi4@_19743

/interface ovpn-client
add connect-to=vpnse01.fornex.org mac-address=********* max-mtu=1400 name=Interface-Out-OVPN-Fornex password=********* port=443 profile=OVPN-Profile-Fornex protocol=udp use-peer-dns=no user=moxhatbi4@_19743

/routing table
add fib name=route-mark-fornex
add fib name=route-mark-main

/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
add disk-file-count=50 disk-file-name=logs/log name=logging target=disk

/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"

/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=-79..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=-120..-80 ssid-regexp=""

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

/caps-man manager interface
add disabled=no forbid=yes interface=Interface-Out-PPTP-Fornex
add disabled=no forbid=yes interface=Interface-SFP01-WAN
add disabled=no forbid=yes interface=Interface-Out-OVPN-Fornex

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,g,gn master-configuration=CAPSMAN-Config-SETKO2 name-format=prefix-identity name-prefix=2G
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=CAPSMAN-Config-SETKO5 name-format=prefix-identity name-prefix=5G

/interface bridge port
add bridge=Bridge-LAN ingress-filtering=no interface=InterfaceList-LAN

/ip neighbor discovery-settings
set discover-interface-list=!InterfaceList-WAN

/ip settings
set max-neighbor-entries=8192 rp-filter=strict

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP-Profile-VPNDACHA enabled=yes ipsec-secret=*********

/interface list member
add interface=Interface-ETH01-LAN list=InterfaceList-LAN-Wired
add interface=Interface-ETH02-LAN list=InterfaceList-LAN-Wired
add interface=Interface-ETH03-LAN list=InterfaceList-LAN-Wired
add interface=Interface-ETH04-LAN list=InterfaceList-LAN-Wired
add interface=Interface-ETH05-LAN list=InterfaceList-LAN-Wired
add interface=Interface-ETH06-LAN list=InterfaceList-LAN-Wired
add interface=Interface-ETH07-LAN list=InterfaceList-LAN-Wired
add interface=Interface-ETH08-LAN list=InterfaceList-LAN-Wired
add interface=Interface-ETH09-LAN list=InterfaceList-LAN-Wired
add interface=Interface-ETH10-LAN list=InterfaceList-LAN-Wired
add interface=Interface-L2TP-********* list=InterfaceList-VPNClients
add interface=Interface-L2TP-********* list=InterfaceList-VPNClients
add interface=Interface-L2TP-********* list=InterfaceList-VPNClients
add interface=Interface-L2TP-********* list=InterfaceList-VPNClients
add interface=Interface-SFP01-WAN list=InterfaceList-WAN
add interface=Interface-Out-OVPN-Fornex list=InterfaceList-WAN

/interface wireless access-list
add comment="Noter (2GHz/5GHz)" disabled=yes interface=InterfaceList-LAN-Wireless mac-address=********* vlan-mode=no-tag
add comment="MacBook Air \DE\EB\FF" disabled=yes interface=InterfaceList-LAN-Wireless mac-address=********* vlan-mode=no-tag
add comment="LG \D2\E5\EB\E5\E2\E8\E7\EE\F0 \E3\EE\F1\F2\E8\ED\ED\E0\FF (5GHz)" disabled=yes interface=InterfaceList-LAN-Wireless mac-address=********* vlan-mode=no-tag
add comment="LG washer (2GHz)" disabled=yes interface=InterfaceList-LAN-Wireless mac-address=********* vlan-mode=no-tag

/interface wireless cap
set bridge=Bridge-LAN certificate=request discovery-interfaces=Bridge-LAN enabled=yes interfaces=wlan1,wlan2 lock-to-caps-man=yes

/ip address
add address=192.168.111.254/24 interface=Bridge-LAN network=192.168.111.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=10m

/ip dhcp-client
add interface=Interface-SFP01-WAN use-peer-dns=no use-peer-ntp=no

/ip dhcp-server lease
add address=192.168.111.201 client-id=1:68:ec:c5:dd:82:4f comment="Noter (2GHz/5GHz)" mac-address=********* server=DHCP-IPv4-LAN
add address=192.168.111.204 client-id=1:38:f9:d3:67:8a:c5 comment="MacBook Air \DE\EB\FF (Wi-Fi)" mac-address=********* server=DHCP-IPv4-LAN
add address=192.168.111.174 client-id=1:f8:b9:5a:60:44:d5 comment="LG washer (Wi-Fi)" mac-address=********* server=DHCP-IPv4-LAN
add address=192.168.111.198 client-id=1:60:ab:14:ab:71:a comment="LG \D2\E5\EB\E5\E2\E8\E7\EE\F0 \E3\EE\F1\F2\E8\ED\ED\E0\FF (5GHz)" mac-address=********* server=DHCP-IPv4-LAN

/ip dhcp-server network
add address=192.168.111.0/24 comment="Lan Network" dhcp-option="DNS suffix search list" dns-server=192.168.111.254 domain=zodiak gateway=192.168.111.254 netmask=24 ntp-server=192.168.111.254

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dns static
add address=192.168.111.254 name=SHLUZKO-HOME.zodiak
add address=192.168.111.198 name=LGwebOSTV.zodiak ttl=6h
add address=192.168.111.253 name=AP2-HOME.zodiak.zodiak ttl=6h
add address=192.168.111.202 name=NOTER.zodiak ttl=6h
add address=192.168.111.174 name=qca-ioeboard.zodiak ttl=6h

/ip firewall address-list
add address=2ip.ru list=facebook_list
add address=facebook.com disabled=yes list=facebook_list
add address=fbcdn.net disabled=yes list=facebook_list
add address=31.13.24.0/21 disabled=yes list=facebook_list
add address=31.13.64.0/18 disabled=yes list=facebook_list
add address=45.64.40.0/22 disabled=yes list=facebook_list
add address=66.220.144.0/20 disabled=yes list=facebook_list
add address=69.63.176.0/20 disabled=yes list=facebook_list
add address=69.171.224.0/19 disabled=yes list=facebook_list
add address=74.119.76.0/22 disabled=yes list=facebook_list
add address=157.240.0.0/17 disabled=yes list=facebook_list
add address=173.252.64.0/18 disabled=yes list=facebook_list
add address=173.252.88.0/21 disabled=yes list=facebook_list
add address=185.60.216.0/22 disabled=yes list=facebook_list
add address=204.15.20.0/22 disabled=yes list=facebook_list
add address=whatismyipaddress.com list=facebook_list
add address=whatismyip.com list=facebook_list

/ip firewall filter
add action=fasttrack-connection chain=forward comment="Allow fasttrack" connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=udp
add action=accept chain=forward comment="Checking OVPN flow" disabled=yes log=yes log-prefix=.___FW_CHECK out-interface=Interface-Out-OVPN-Fornex
add action=accept chain=input comment="Allow L2TP+IPSec" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Allow L2TP VPN" in-interface-list=InterfaceList-WAN ipsec-policy=in,ipsec src-address=192.168.112.0/24
add action=accept chain=forward dst-address=192.168.111.0/24 in-interface-list=InterfaceList-WAN ipsec-policy=in,ipsec src-address=192.168.112.0/24
add action=accept chain=forward dst-address=192.168.112.0/24 ipsec-policy=out,ipsec out-interface-list=InterfaceList-WAN src-address=192.168.111.0/24
add action=accept chain=input comment="Accept established, related and untracked connections" connection-state=established,related,untracked
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="Drop NAT attack" connection-nat-state=!dstnat connection-state=new in-interface-list=InterfaceList-WAN log=yes log-prefix=NATAttack_Drop
add action=drop chain=input comment="Drop bruteforcers" in-interface-list=InterfaceList-WAN log=yes log-prefix=BlacklistBruteforce_Drop src-address-list=brutefroce_blacklist
add action=drop chain=input comment="Drop portscanners" in-interface-list=InterfaceList-WAN log=yes log-prefix=BlacklistPortScan_Drop src-address-list=portscan_blacklist
add action=add-src-to-address-list address-list=portscan_blacklist address-list-timeout=6h chain=input comment="Blacklist portscanners on wellknown ports" connection-state=new dst-port=21-23,25,80,135-139,443-445,1723,3127-3149,3306,3389,8080,8888 in-interface-list=InterfaceList-WAN protocol=tcp
add action=add-src-to-address-list address-list=portscan_blacklist address-list-timeout=6h chain=input connection-state=new dst-port=80,135-139,443-445,1400-1499,3127-3149,5060,8080,8888 in-interface-list=InterfaceList-WAN protocol=udp
add action=add-src-to-address-list address-list=portscan_blacklist address-list-timeout=6h chain=input comment="Blacklist portscanners" in-interface-list=InterfaceList-WAN log-prefix=BlacklistPortscan_List protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=portscan_blacklist address-list-timeout=6h chain=input comment="Blacklist connections with wrong TCP flags" in-interface-list=InterfaceList-WAN log-prefix=BlacklistPortscan_SYN/FIN_scan_List protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=portscan_blacklist address-list-timeout=6h chain=input in-interface-list=InterfaceList-WAN log-prefix=BlacklistPortscan_SYN/RST_scan_List protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=portscan_blacklist address-list-timeout=6h chain=input in-interface-list=InterfaceList-WAN log-prefix=BlacklistPortscan_FIN/PSH/URG_scan_List protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=portscan_blacklist address-list-timeout=6h chain=input in-interface-list=InterfaceList-WAN log-prefix=BlacklistPortscan_NMAP_NULL_scan_List protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=portscan_blacklist address-list-timeout=6h chain=input in-interface-list=InterfaceList-WAN log-prefix=BlacklistPortscan_NMAP_FIN_Stealth_scan_List protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid in-interface-list=InterfaceList-WAN
add action=drop chain=forward connection-state=invalid in-interface-list=InterfaceList-WAN
add action=drop chain=input comment="Drop Incoming DNS connections" dst-port=53 in-interface-list=InterfaceList-WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=InterfaceList-WAN protocol=udp
add action=add-src-to-address-list address-list=ddos_blacklist address-list-timeout=6h chain=input comment="Blacklist DDoS" connection-limit=100,32 in-interface-list=InterfaceList-WAN protocol=tcp
add action=drop chain=input comment="Drop DDoS" connection-limit=3,32 in-interface-list=InterfaceList-WAN protocol=tcp src-address-list=ddos_blacklist
add action=jump chain=forward comment="Drop DDoS SYN" connection-state=new in-interface-list=InterfaceList-WAN jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=InterfaceList-WAN jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new in-interface-list=InterfaceList-WAN limit=200,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new in-interface-list=InterfaceList-WAN protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Final Rule" in-interface-list=InterfaceList-WAN log-prefix=FinRulDrop
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=InterfaceList-WAN

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark Main - IN" in-interface=Interface-SFP01-WAN log-prefix=___OVPN-MARK-IN new-connection-mark=conn-mark-main passthrough=no
add action=mark-connection chain=prerouting comment="Mark FornexVPN - IN" in-interface=Interface-Out-OVPN-Fornex log-prefix=___OVPN-MARK-IN new-connection-mark=conn-mark-fornex passthrough=no
add action=mark-routing chain=prerouting comment="Mark Main - OUT (conn-mark)" connection-mark=conn-mark-main dst-address-type=!local in-interface-list=InterfaceList-LAN log-prefix=___OVPN-MARK-PRE-R new-routing-mark=route-mark-main passthrough=no
add action=mark-routing chain=prerouting comment="Mark FornexVPN - OUT (conn-mark)" connection-mark=conn-mark-fornex dst-address-type=!local in-interface-list=InterfaceList-LAN log-prefix=___OVPN-MARK-PRE-R new-routing-mark=route-mark-fornex passthrough=no
add action=mark-routing chain=output comment="Mark Main - OUT (conn-mark)" connection-mark=conn-mark-main dst-address-type=!local log-prefix=___OVPN-MARK-OUTP new-routing-mark=route-mark-main passthrough=no
add action=mark-routing chain=output comment="Mark FornexVPN - OUT (conn-mark)" connection-mark=conn-mark-fornex dst-address-type=!local log-prefix=___OVPN-MARK-OUTP new-routing-mark=route-mark-fornex passthrough=no
add action=mark-routing chain=prerouting comment="Mark FornexVPN - OUT (dst-list)" dst-address-list=facebook_list dst-address-type=!local log=yes log-prefix=___OVPN-MARK-DST-LST new-routing-mark=route-mark-fornex passthrough=no

/ip firewall nat
add action=accept chain=srcnat comment="IPSec L2TP VPN" disabled=yes dst-address=192.168.112.0/24 ipsec-policy=out,ipsec out-interface-list=InterfaceList-WAN src-address=192.168.111.0/24
add action=dst-nat chain=dstnat comment="DNS only shluzko" dst-port=53 in-interface=Bridge-LAN protocol=tcp src-address=192.168.0.0/16 to-addresses=192.168.111.254 to-ports=53
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="uTorrent Game" dst-port=7777 in-interface=Interface-SFP01-WAN protocol=tcp to-addresses=192.168.111.200 to-ports=7777
add action=dst-nat chain=dstnat dst-port=7777 in-interface=Interface-SFP01-WAN protocol=udp to-addresses=192.168.111.200 to-ports=7777

/ip firewall service-port
set sip disabled=yes

/ip ipsec identity
add generate-policy=port-override peer=IPSec-Peer-L2TPVPN policy-template-group=IPSec-Group-L2TPVPN remote-id=ignore secret=*********

/ip ipsec policy
set 0 group=IPSec-Group-L2TPVPN proposal=IPSec-Proposal-L2TPVPN

/ip proxy
set parent-proxy=0.0.0.0

/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=route-mark-fornex scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=93.81.252.149 pref-src=0.0.0.0 routing-table=route-mark-main scope=30 suppress-hw-offload=no target-scope=10
add comment=2ip.ru disabled=yes distance=1 dst-address=195.201.201.32/32 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=103.4.96.0/22 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=173.252.64.0/19 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=173.252.70.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=173.252.96.0/19 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=175.28.1.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=204.15.20.0/22 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.24.0/21 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.64.0/19 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.69.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.70.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.71.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.72.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.73.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.75.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.76.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.77.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.78.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.79.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=31.13.80.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=66.220.144.0/20 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=66.220.152.0/21 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=66.220.159.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=69.171.224.0/19 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=69.171.239.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=69.171.240.0/20 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=69.171.255.0/24 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=69.63.176.0/21 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=69.63.184.0/21 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Facebook disabled=yes distance=1 dst-address=74.119.76.0/22 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ip service
set telnet address=192.168.111.0/24 disabled=yes
set ftp address=192.168.111.0/24 disabled=yes
set www address=192.168.111.0/24 disabled=yes
set ssh address=192.168.111.0/24 disabled=yes
set www-ssl address=192.168.111.0/24 certificate=192.168.111.254 disabled=no
set api address=192.168.111.0/24 disabled=yes
set winbox address=192.168.111.0/24
set api-ssl address=192.168.111.0/24 certificate=192.168.111.254

/ip smb
set allow-guests=no domain=ZODIAK interfaces=Bridge-LAN

/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/ disabled=yes name=root
add directory=/logs name=logs

/ip smb users
add name=********* password=********* read-only=no

/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote

/ip upnp interfaces
add interface=Bridge-LAN type=internal
add interface=Interface-SFP01-WAN type=external
add interface=Interface-Out-OVPN-Fornex type=external
add interface=Interface-Out-PPTP-Fornex type=external

/ppp secret
add local-address=192.168.111.254 name=********* password=********* profile=L2TP-Profile-VPN routes="0.0.0.0 192.168.111.254"
add local-address=192.168.111.254 name=********* password=********* profile=L2TP-Profile-VPN routes="0.0.0.0 192.168.111.254"
add local-address=192.168.111.254 name=********* password=********* profile=L2TP-Profile-VPN routes="0.0.0.0 192.168.111.254"
add local-address=192.168.111.254 name=********* password=********* profile=L2TP-Profile-VPN routes="0.0.0.0 192.168.111.254"

/routing rule
add action=lookup-only-in-table disabled=no routing-mark=route-mark-fornex table=route-mark-fornex

/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow

/system clock manual
set time-zone=+03:00

/system identity
set name=SHLUZKO-HOME.zodiak

/system logging
add topics=script
add action=logging topics=info,firewall
add prefix=ipsec topics=ipsec,!debug
add prefix=ipsec topics=ipsec,error

/system note
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp server
set broadcast=yes broadcast-addresses=192.168.111.254 enabled=yes

/system ntp client servers
add address=95.140.150.140
add address=194.190.168.1

/system resource irq rps
set Interface-SFP01-WAN disabled=no

/system scheduler
add interval=1h name="DNS-DHCP sync" on-event="/system script run \"DNS-DHCP sync\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=oct/16/2014 start-time=00:00:00
add interval=30m name="DDNS - Update" on-event="/system script run \"DDNS - Update\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=dec/01/2015 start-time=00:00:00
add interval=1d name="Update - Firmware" on-event="/system script run \"Update - Firmware\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/23/2018 start-time=07:30:00
add comment="SHLUZKO-HOME.zodiak started up at apr/02/2022 16:48:25" name="Notify - Router start" on-event="/system script run \"Notify - Router start\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add comment="Internet offline at mar/30/2022 01:00:18. \r\nInternet online at mar/30/2022 01:05:18" interval=5m name="Notify - Internet status" on-event="/system script run \"Notify - Internet status\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add disabled=yes interval=1m name="Notify - Computer status - Game" on-event="/system script run \"Notify - Computer status - Game\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add comment="Last succeeded login: apr/02/2022 19:23:52" interval=1m name="Notify - Login Succeeded" on-event="/system script run \"Notify - Login Succeeded\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add comment="Last failed login: oct/17 00:48:36" interval=1m name="Notify - Login Failed" on-event="/system script run \"Notify - Login Failed\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=1m30s name="Global Variables" on-event="/system script run \"Global Variables\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=1d name="Update - Software" on-event="/system script run \"Update - Software\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/23/2018 start-time=07:00:00
add interval=1d name="Mail settings autoupdate" on-event="/system script run \"Mail settings autoupdate\"" policy=read,write,policy,test,password,sniff,sensitive start-date=jan/06/2021 start-time=00:00:00

/system script
add dont-require-permissions=no name="DNS-DHCP sync" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":local scheduleName \"DNS-DHCP sync\"\r\n\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    /log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\"\r\n} else={\r\n    :local dhcpserver \"DHCP-IPv4-LAN\"\r\n    :local zone \"zodiak\"\r\n     \r\n    # Set the TTL to the scheduler frequency for this script.\r\n    :local ttl \"06:00:00\"\r\n     \r\n    # Clear old static DNS entries matching the zone and TTL.\r\n    /ip dns static\r\n    :foreach dnsrecord in=[find where name ~ (\".*\\\\.\".\$zone) ] do={\r\n        :local fqdn [ get \$dnsrecord name ]\r\n        :local hostname [ :pick \$fqdn 0 ( [ :len \$fqdn ] - ( [ :len \$zone ] + 1 ) ) ]\r\n        :local recordttl [get \$dnsrecord ttl]\r\n        :if ( \$recordttl != \$ttl ) do={\r\n            # /log debug \"[\$scheduleName]: Ignoring DNS record \$fqdn with TTL \$recordttl\"\r\n        } else={\r\n            /ip dhcp-server lease\r\n            :local dhcplease [ find where host-name=\$hostname and server=\"\$dhcpserver\"]\r\n            :if ( [ :len \$dhcplease ] > 0) do={\r\n                # /log debug \"[\$scheduleName]: DHCP lease exists for \$hostname in \$dhcpserver, keeping DNS record \$fqdn\"\r\n            } else={\r\n                # /log info \"[\$scheduleName]: DHCP lease expired for \$hostname, deleting DNS record \$fqdn\"\r\n                /ip dns static remove \$dnsrecord\r\n            }\r\n        }\r\n    }\r\n     \r\n    # Create or update static DNS entries from DHCP server leases.\r\n    /ip dhcp-server lease\r\n    :foreach dhcplease in=[find where server ~ (\"\$dhcpserver\")] do={\r\n        :local hostname [ get \$dhcplease host-name ]\r\n        :local dhcphoststatus [ get \$dhcplease status ]\r\n        :if ( \$dhcphoststatus = \"bound\" ) do={\r\n            :if ( [ :len \$hostname ] > 0) do={\r\n                :local dhcpip [ get \$dhcplease address ]\r\n                :local fqdn ( \$hostname . \".\" . \$zone )\r\n                /ip dns static\r\n                :local dnsrecord [ find where name=\$fqdn ]\r\n                :if ( [ :len \$dnsrecord ] > 0 ) do={\r\n                    :local dnsip [ get \$dnsrecord address ]\r\n                    :if ( \$dnsip = \$dhcpip ) do={\r\n                        # /log debug \"[\$scheduleName]: DNS record for \$fqdn to \$dhcpip is up to date\"\r\n                    } else={\r\n                        # /log info \"[\$scheduleName]: Updating DNS record for \$fqdn to \$dhcpip\"\r\n                        /ip dns static remove \$dnsrecord\r\n                        /ip dns static add name=\$fqdn address=\$dhcpip ttl=\$ttl\r\n                    }\r\n                } else={\r\n                    # /log info \"[\$scheduleName]: Creating DNS record for \$fqdn to \$dhcpip\"\r\n                    /ip dns static add name=\$fqdn address=\$dhcpip ttl=\$ttl\r\n                }\r\n            }\r\n        }\r\n    }\r\n}\r\n"
add dont-require-permissions=no name="DDNS - Update" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":local scheduleName \"DDNS - Update\"\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    /log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\"\r\n} else={\r\n    :global CurrentIP\r\n    \r\n    :local tmpIP [/ip address get [find interface~\"WAN\"] address];\r\n    :local myIP [:pick \$tmpIP 0 [:find \$tmpIP \"/\"]];\r\n    \r\n    :if (\$myIP != \$CurrentIP) do={\r\n        /log info \"[\$scheduleName]: WAN IP address changed from [\$CurrentIP] to [\$myIP]\"\r\n        :set CurrentIP \$myIP\r\n        \r\n        :local ResolvedName [/ip cloud get dns-name]\r\n        :local ResolvedIP [:resolve \"\$ResolvedName\"]\r\n        \r\n        /tool fetch mode=http url=\"http://myip.dnsomatic.com/mypublicip.txt\"\r\n        :delay 2;\r\n        :local DynamicIP [/file get mypublicip.txt contents ]\r\n        /file remove \"mypublicip.txt\"\r\n        \r\n        :if (\$DynamicIP != \$ResolvedIP) do={\r\n            /log info \"[\$scheduleName]: Update needed (Dynamic IP: [\$DynamicIP] Resolved IP: [\$ResolvedIP])\"\r\n            /ip cloud force-update\r\n        } else={\r\n            #/log info \"[\$scheduleName]: Update not needed (Dynamic IP: [\$DynamicIP] Resolved IP: [\$ResolvedIP])\"\r\n        }\r\n    } else={\r\n        #/log info \"[\$scheduleName]: WAN IP address did not changed\"\r\n    }\r\n}\r\n"
add dont-require-permissions=no name="Notify - Router start" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local CurDateTime ([/system clock get date].\" \".[/system clock get time]);\r\n:delay 1m;\r\n\r\n:local scheduleName \"Notify - Router start\";\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    :log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\";\r\n} else={\r\n    :local lCheckAddress \"8.8.8.8\";\r\n    :if ([/ping \$lCheckAddress count=5] = 0) do={\r\n        :delay 10s;\r\n    };\r\n    :local lRouterName [/system identity get name];\r\n    :local lEMail \"moxhatbi4@gmail.com\";\r\n    :local Output \"\$lRouterName started up at \$CurDateTime\";\r\n    /tool e-mail send to=\"\$lEMail\" subject=\"MikroTik (\$lRouterName): \$scheduleName\" body=\"\$Output\";\r\n    /system scheduler set [find name=\"\$scheduleName\"] comment=\$Output;\r\n};\r\n"
add dont-require-permissions=no name="Notify - Internet status" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local scheduleName \"Notify - Internet status\";\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    :log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\";\r\n} else={\r\n    :local sysuptime [/system resource get uptime];\r\n    :if (\$sysuptime > 1m) do={\r\n        :global email;\r\n        :global RouterName;\r\n        :global CheckAddress;\r\n        \r\n        :local PingCount 4;\r\n        \r\n        :local SchedComment [/system scheduler get [find name=\"\$scheduleName\"] comment];\r\n        :local SchedCommentSubStr [find \$SchedComment \"online\" -1];\r\n        :if ([:len \$SchedComment] = 0 || \$SchedCommentSubStr > 0) do={\r\n            :if ([/ping \$CheckAddress count=\$PingCount] = 0) do={\r\n                :local FailDate [/system clock get date];\r\n                :local FailTime [/system clock get time];\r\n                :local FailMessage \"Internet offline at \$FailDate \$FailTime\";\r\n                \r\n                :if ([:len \$SchedComment] = 0 || \$SchedCommentSubStr >\_0) do={\r\n                    :log error \"[\$scheduleName]: \$FailMessage\";\r\n                    /system scheduler set [find name=\"\$scheduleName\"]\_comment=\"\$FailMessage\";\r\n                };\r\n            };\r\n        } else={\r\n            :if ([/ping \$CheckAddress count=\$PingCount] > (\$PingCount\_- 1)) do={\r\n                :local RestDate [/system clock get date];\r\n                :local RestTime [/system clock get time];\r\n                :local RestMessage \"Internet online at \$RestDate \$RestTime\";\r\n                \r\n                :log warning \"[\$scheduleName]: \$RestMessage\";\r\n                /system scheduler set [find name=\"\$scheduleName\"] 
comment=\"\$SchedComment. \\r\\n\$RestMessage\";\r\n                /tool e-mail send to=\$email subject=\"MikroTik (\$RouterName): \$scheduleName\" body=\"\$SchedComment\\r\\n\$RestMessage\";\r\n            };\r\n        };\r\n    };\r\n};\r\n"
add dont-require-permissions=no name="Update - Software" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local scheduleName \"Update - Software\";\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    :log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\";\r\n} else={\r\n    :local currentOSver [/system package update get installed-version];\r\n    \r\n    :global updChannel;\r\n    /system package update set channel=\$updChannel;\r\n    \r\n    /system package update check-for-updates;\r\n    :local CheckUpdateStatus [/system package update get status];\r\n    :if (\$CheckUpdateStatus  = \"New version is available\") do={\r\n        :local latestOSver [/system package update get latest-version];\r\n        \r\n        :global RouterName;\r\n        :local upgradeOSmsg \"Upgrading software on router \$RouterName from \$currentOSver to \$latestOSver (channel:\$[/system package update get channel])\";\r\n        :log info \"[\$scheduleName]: \$upgradeOSmsg\";\r\n        \r\n        :global CheckAddress;\r\n        :while ([/ping \$CheckAddress count=5] = 0) do={\r\n            :delay 10s;\r\n        };\r\n        :global email;\r\n        /tool e-mail send to=\"\$email\" subject=\"MikroTik (\$RouterName): \$scheduleName\" body=\"\$upgradeOSmsg\";\r\n        \r\n        /system package update install;\r\n    } else={\r\n        :log info \"[\$scheduleName]: No updates found\";\r\n    };\r\n};\r\n"
add dont-require-permissions=no name="Update - Firmware" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local scheduleName \"Update - Firmware\";\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    :log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\";\r\n} else={\r\n    :local currentFWver [/system routerboard get current-firmware];\r\n    :local latestFWver [/system routerboard get upgrade-firmware];\r\n    :if (\$currentFWver != \$latestFWver) do={\r\n        :local upgradeFWmsg \"Upgrading firmware on router \$RouterName from \$currentFWver to \$latestFWver\";\r\n        :log info \"[\$scheduleName]: \$upgradeFWmsg\";\r\n        \r\n        :global CheckAddress;\r\n        :while ([/ping \$CheckAddress count=5] = 0) do={\r\n            :delay 10s;\r\n        };\r\n        :global email;\r\n        :global RouterName;\r\n        /tool e-mail send to=\"\$email\" subject=\"MikroTik (\$RouterName): \$scheduleName\" body=\"\$upgradeFWmsg\";\r\n        \r\n        /system routerboard upgrade;\r\n        /system reboot;\r\n    } else={\r\n        :log info \"[\$scheduleName]: No updates found\";\r\n    };\r\n};\r\n"
add dont-require-permissions=no name="Notify - Computer status - Game" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local scheduleName \"Notify - Computer status - Game\";\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    :log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\";\r\n} else={\r\n    :local sysuptime [/system resource get uptime];\r\n    :if (\$sysuptime > 1m) do={\r\n        :global email;\r\n        :global RouterName;\r\n        :global CheckAddress;\r\n        \r\n        :local PingCount 4;\r\n        :local GameName \"Game\";\r\n        :local DNSZone \"zodiak\";\r\n        :local GameAddr [resolve (\$GameName.\".\".\$DNSZone)];\r\n        \r\n        :local SchedComment [/system scheduler get [find name=\"\$scheduleName\"] comment];\r\n        :local SchedCommentSubStr [find \$SchedComment \"online\" -1];\r\n        :if ([:len \$SchedComment] = 0 || \$SchedCommentSubStr > 0) do={\r\n            :if ([/ping \$GameAddr count=\$PingCount] = 0) do={\r\n                :local FailDate [/system clock get date];\r\n                :local FailTime [/system clock get time];\r\n                :local FailMessage \"\$GameName (\$GameAddr) went offline at \$FailDate \$FailTime\";\r\n                :if ([:len \$SchedComment] = 0 || \$SchedCommentSubStr >\_0) do={\r\n                    /system scheduler set [find name=\"\$scheduleName\"]\_comment=\"\$FailMessage\"\r\n                    :log error \"[\$scheduleName]: \$FailMessage\";\r\n                    :while ([/ping \$CheckAddress count=5] = 0) do={\r\n                        :delay 10s;\r\n                    };\r\n                    /tool e-mail send to=\$email subject=\"MikroTik (\$RouterName): \$scheduleName\" body=\"\$FailMessage\"\r\n                };\r\n            };\r\n        } else={\r\n            :if ([/ping \$GameAddr count=\$PingCount] > 
(\$PingCount - 1)) do={\r\n                :local RestDate [/system clock get date];\r\n                :local RestTime [/system clock get time];\r\n                :local RestMessage \"\$GameName (\$GameAddr) went online\_at \$RestDate \$RestTime\";\r\n                /system scheduler set [find name=\"\$scheduleName\"] comment=\"\$SchedComment. \\r\\n\$RestMessage\"\r\n                :log warning \"[\$scheduleName]: \$RestMessage\";\r\n                ;\r\n                :while ([/ping \$CheckAddress count=5] = 0) do={\r\n                    :delay 10s;\r\n                };\r\n                /tool e-mail send to=\$email subject=\"MikroTik (\$RouterName): \$scheduleName\" body=\"\$SchedComment\\r\\n\$RestMessage\"\r\n            };\r\n        };\r\n    };\r\n};\r\n"
add dont-require-permissions=no name="Global Variables" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global email \"moxhatbi4@gmail.com\"\r\n:global RouterName [/system identity get name]\r\n:global CheckAddress \"8.8.8.8\"\r\n:global updChannel \"stable\"\r\n"
add dont-require-permissions=no name="Notify - Login Succeeded" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local scheduleName \"Notify - Login Succeeded\";\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    :log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\";\r\n} else={\r\n    :local lastTime [/system scheduler get [find name=\"\$scheduleName\"] comment];\r\n    :local startBuf [:toarray [/log find message~\"logged in\"]];\r\n    \r\n    :local message;\r\n    :local output;\r\n    :local currentTime;\r\n    :foreach i in=\$startBuf do={\r\n        :set currentTime [/log get \$i time];\r\n        :if ([:len \$currentTime] = 8 ) do={\r\n            :set currentTime ([/system clock get date].\" \".\$currentTime);\r\n        };\r\n        \r\n        :set message [/log get \$i message];\r\n        :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\");\r\n        \r\n        :set currentTime (\"Last succeeded login: \".\$currentTime);\r\n        :if (\$currentTime = \$lastTime) do={\r\n            :set output \"\";\r\n        };\r\n    };\r\n    if ([:len \$output] > 0) do={\r\n        /system scheduler set [find name=\"\$scheduleName\"] comment=\$currentTime;\r\n        :log warning \"[\$scheduleName] New login logs found, send email\";\r\n        :global CheckAddress;\r\n        :if ([/ping \$CheckAddress count=5] = 0) do={\r\n            :delay 10s; ;\r\n        };\r\n        :global email;\r\n        :global RouterName;\r\n        /tool e-mail send to=\"\$email\" subject=\"MikroTik (\$RouterName): \$scheduleName\" body=\"\$output\";\r\n    };\r\n};\r\n"
add dont-require-permissions=no name="Notify - Login Failed" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local scheduleName \"Notify - Login Failed\";\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    :log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\";\r\n} else={\r\n    :local lastTime [/system scheduler get [find name=\"\$scheduleName\"] comment];\r\n    :local startBuf [:toarray [/log find message~\"login failure\"]];\r\n    \r\n    :local message;\r\n    :local output;\r\n    :local currentTime;\r\n    :foreach i in=\$startBuf do={\r\n        :set currentTime [/log get \$i time];\r\n        :if ([:len \$currentTime] = 8 ) do={\r\n            :set currentTime ([/system clock get date].\" \".\$currentTime);\r\n        };\r\n        :set message [/log get \$i message];\r\n        :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\");\r\n        \r\n        :set currentTime (\"Last failed login: \".\$currentTime);\r\n        :if (\$currentTime = \$lastTime) do={\r\n            :set output \"\";\r\n        };\r\n    };\r\n    if ([:len \$output] > 0) do={\r\n        /system scheduler set [find name=\"\$scheduleName\"] comment=\$currentTime;\r\n        :log error \"[\$scheduleName]: New login logs found, send email\";\r\n        :global CheckAddress;\r\n        :if ([/ping \$CheckAddress count=5] = 0) do={\r\n            :delay 10s; ;\r\n        };\r\n        :global email;\r\n        :global RouterName;\r\n        /tool e-mail send to=\"\$email\" subject=\"MikroTik (\$RouterName): \$scheduleName\" body=\"\$output\";\r\n    };\r\n};\r\n"
add dont-require-permissions=no name="Notify - Computer status - Server" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local scheduleName \"Notify - Computer status - Server\";\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    :log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\";\r\n} else={\r\n    :local sysuptime [/system resource get uptime];\r\n    :if (\$sysuptime > 1m) do={\r\n        :global email;\r\n        :global RouterName;\r\n        :global CheckAddress;\r\n        \r\n        :local PingCount 4;\r\n        :local ServerName \"Server\";\r\n        :local DNSZone \"zodiak\";\r\n        :local ServerAddr [resolve (\$ServerName.\".\".\$DNSZone)];\r\n        \r\n        :local SchedComment [/system scheduler get [find name=\"\$scheduleName\"] comment];\r\n        :local SchedCommentSubStr [find \$SchedComment \"online\" -1];\r\n        :if ([:len \$SchedComment] = 0 || \$SchedCommentSubStr > 0) do={\r\n            :if ([/ping \$ServerAddr count=\$PingCount] = 0) do={\r\n                :local FailDate [/system clock get date];\r\n                :local FailTime [/system clock get time];\r\n                :local FailMessage \"\$ServerName (\$ServerAddr) went offline at \$FailDate \$FailTime\";\r\n                :if ([:len \$SchedComment] = 0 || \$SchedCommentSubStr >\_0) do={\r\n                    /system scheduler set [find name=\"\$scheduleName\"]\_comment=\"\$FailMessage\"\r\n                    :log error \"[\$scheduleName]: \$FailMessage\";\r\n                    :while ([/ping \$CheckAddress count=5] = 0) do={\r\n                        :delay 10s;\r\n                    };\r\n                    /tool e-mail send to=\$email subject=\"MikroTik (\$RouterName): \$scheduleName\" body=\"\$FailMessage\"\r\n                };\r\n            };\r\n        } else={\r\n            :if ([/ping \$ServerAddr 
count=\$PingCount] > (\$PingCount -\_1)) do={\r\n                :local RestDate [/system clock get date];\r\n                :local RestTime [/system clock get time];\r\n                :local RestMessage \"\$ServerName (\$ServerAddr) went online at \$RestDate \$RestTime\";\r\n                /system scheduler set [find name=\"\$scheduleName\"] comment=\"\$SchedComment. \\r\\n\$RestMessage\"\r\n                :log warning \"[\$scheduleName]: \$RestMessage\";\r\n                ;\r\n                :while ([/ping \$CheckAddress count=5] = 0) do={\r\n                    :delay 10s;\r\n                };\r\n                /tool e-mail send to=\$email subject=\"MikroTik (\$RouterName): \$scheduleName\" body=\"\$SchedComment\\r\\n\$RestMessage\"\r\n            };\r\n        };\r\n    };\r\n};\r\n"
add dont-require-permissions=no name="Mail settings autoupdate" owner=********* policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local scheduleName \"Mail settings autoupdate\";\r\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\n    :log error \"[\$scheduleName]: Schedule '\$scheduleName' does not exist. Create schedule and edit script to match name\";\r\n} else={\r\n    :local mailserverip [:resolve smtp.mail.ru];\r\n    /tool e-mail set address=\$mailserverip;\r\n    :log info \"[E-Mail settings]: E-Mail server set to \$mailserverip\";\r\n};"

/tool bandwidth-server
set authenticate=no enabled=no

/tool e-mail
set address=94.100.180.160 from=********* password=********* port=465 tls=yes user=*********

/tool graphing interface
add interface=Interface-SFP01-WAN

/tool graphing resource
add


KaNelam
Posts: 620
Joined: 11 Jul 2017, 13:03

in the mangle rule, set src-address to the machine's address, or to the whole subnet
create a default route with the new mark from the rule


someone_strange
Posts: 8
Joined: 21 Apr 2022, 11:44

KaNelam wrote: 21 Apr 2022, 17:15 in the mangle rule, set src-address to the machine's address, or to the whole subnet
Tried it. Both src-address (a specific machine as well as the whole subnet), interface, and interface-list. Doesn't work.
KaNelam wrote: 21 Apr 2022, 17:15 create a default route with the new mark from the rule
It's already there:
someone_strange wrote: 21 Apr 2022, 12:28

Code:

/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=Interface-Out-OVPN-Fornex pref-src="" routing-table=route-mark-fornex scope=30 suppress-hw-offload=no target-scope=10


KaNelam
Posts: 620
Joined: 11 Jul 2017, 13:03

Example: the whole network's traffic is routed into warp.

Code:

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1280 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=30m name=dhcp1
/routing table
add disabled=no fib name=WG
/interface bridge port
add bridge=bridge1 interface=ether2
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=162.159.192.1 endpoint-port=\
    2408 interface=wireguard1 public-key=\
    "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=172.16.0.2 interface=wireguard1 network=172.16.0.2
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:14:da:e9:f7:c1:da mac-address=\
    14:DA:E9:F7:C1:DA server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=WG passthrough=yes \
    src-address=192.168.88.254
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.88.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    0.0.0.0 routing-table=WG scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system routerboard settings
set auto-upgrade=yes
P.S. turn fasttrack off!


xvo
Posts: 4204
Joined: 25 Feb 2018, 22:41
From: Moscow

Disable fasttrack.

It doesn't have to be for everything, only for the marked traffic.


Telegram: @thexvo
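The fasttrack exclusion xvo describes, written out as an added example that is not from any poster in this thread. It reuses the names from the first post (routing table route-mark-fornex, tunnel Interface-Out-OVPN-Fornex, address list facebook_list) and assumes that /routing table add fib name=route-mark-fornex from that post is still in place; the connection mark vpn-conn is my own placeholder. The reason the exclusion matters: once a connection is fasttracked, its later packets bypass mangle entirely, so a prerouting mark-routing rule only ever sees a connection's first few packets. Marking the connection on its first packet and fasttracking only unmarked connections keeps every packet of a VPN-bound connection on the marked path, and the mark-routing rule is limited to packets that do not arrive from the tunnel so that replies are routed back to the LAN normally. The route uses ROS v7 syntax (routing-table=), as in the first post; on v6 it would be routing-mark= instead.

```routeros
# Added example, not from the thread. Names taken from the first post;
# the connection mark "vpn-conn" is a placeholder chosen here.

/ip firewall mangle
# Mark the whole connection once, on its first packet, so later packets and
# replies are recognised without re-checking the address list.
add chain=prerouting action=mark-connection new-connection-mark=vpn-conn \
    connection-state=new dst-address-list=facebook_list passthrough=yes \
    comment="VPN: mark connection"
# Apply the routing mark to every LAN-side packet of a marked connection.
# Packets arriving from the tunnel (replies) are left alone so they are
# routed back to the LAN via the main table.
add chain=prerouting action=mark-routing new-routing-mark=route-mark-fornex \
    connection-mark=vpn-conn in-interface=!Interface-Out-OVPN-Fornex \
    passthrough=no comment="VPN: mark routing"

/ip firewall filter
# Fasttrack only connections that carry no connection mark. A fasttracked
# connection skips mangle for all of its later packets, so a marked
# connection must never be fasttracked or its routing mark stops being applied.
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=no-mark \
    comment="fasttrack unmarked connections only"
add chain=forward action=accept connection-state=established,related \
    comment="accept established,related (marked connections included)"

/ip firewall nat
# Source NAT on the tunnel so replies come back through it.
add chain=srcnat action=masquerade out-interface=Interface-Out-OVPN-Fornex

/ip route
# Default route inside the marked table only; unmarked traffic is unaffected.
add dst-address=0.0.0.0/0 gateway=Interface-Out-OVPN-Fornex \
    routing-table=route-mark-fornex distance=1
```

These rules replace, rather than sit below, an existing unconditional fasttrack-connection rule: if the stock rule stays above them it still fasttracks the marked connections. To confirm the exclusion works, watch /ip firewall mangle print stats and /ip firewall filter print stats while loading a host from facebook_list: the mark-routing rule's packet counter should keep growing for the whole connection instead of stopping after the first handful of packets.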
someone_strange
Posts: 8
Joined: 21 Apr 2022, 11:44

xvo wrote: 23 Apr 2022, 13:23 Disable fasttrack.

It doesn't have to be for everything, only for the marked traffic.
Tried it, doesn't help.
And yes, I rebooted after disabling it )


xvo
Posts: 4204
Joined: 25 Feb 2018, 22:41
From: Moscow

Is the marked route even active?


Telegram: @thexvo
someone_strange
Posts: 8
Joined: 21 Apr 2022, 11:44

xvo wrote: 24 Apr 2022, 07:54 Is the marked route even active?
Yes, of course.

I noticed something odd: the packet counter on mangle is roughly twice the counter on NAT, and the total number of packets is very small overall. For example, when opening that same 2ip.ru via the normal route it's about 40-50 packets (I don't remember the exact number), but when I try to go via the marked route it's roughly 10 in mangle and about 5 in NAT.


hardrockbaby
Posts: 70
Joined: 19 Sep 2021, 16:11

someone_strange wrote: 21 Apr 2022, 12:28 So, what's needed: route part of the traffic through a VPN
You've overcomplicated something in your config :ze_va_et:
A working variant on ROS v6 with OVPN:

Code:
/ip firewall
mangle add action=mark-routing chain=prerouting new-routing-mark=go_vpn passthrough=yes dst-address-list=facebook_list
nat add action=masquerade chain=srcnat out-interface=my_vpn_interface routing-mark=go_vpn
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=my_vpn_interface routing-mark=go_vpn
Replace my_vpn_interface with your own tunnel (for example ovpn-out1), and whatever is listed in facebook_list will now go through it.

