# Bridges: br_wifi with default settings and three bridges with
# fast-forward disabled. Port membership is defined under
# /interface bridge port further down.
/interface bridge
add name=br_wifi
add fast-forward=no mtu=1500 name=bridge_shopto
add fast-forward=no mtu=1500 name=bridge_service
add fast-forward=no mtu=1500 name=bridge_sfp
# Physical ports. ether1 = WAN1 and ether2 = WAN2 (per comments); both are
# the interfaces referenced later by the filter, mangle, NAT and RoMON
# sections. ether4 and sfp3 are administratively disabled.
# NOTE(review): speed=100Mbps is set on most copper ports, but no
# auto-negotiation=no appears in this export, so the forced speed may not
# actually be in effect — verify with /interface ethernet monitor.
/interface ethernet
set [ find default-name=ether1 ] comment="WAN1 - G" l2mtu=1590 speed=\
100Mbps
set [ find default-name=ether2 ] comment="WAN2 - O" l2mtu=1590 speed=\
100Mbps
set [ find default-name=ether3 ] comment=TELEFONIYA l2mtu=1590 speed=100Mbps
set [ find default-name=ether4 ] advertise=1000M-half,1000M-full comment=\
"MIK NEW" disabled=yes l2mtu=1598
set [ find default-name=ether5 ] comment=WIFI l2mtu=1590 speed=100Mbps
set [ find default-name=ether6 ] comment=BackupSrv l2mtu=1590 speed=100Mbps
set [ find default-name=ether7 ] comment=Auction2 l2mtu=1590 speed=100Mbps
set [ find default-name=ether8 ] comment="Server 1C" l2mtu=1590 speed=100Mbps
set [ find default-name=ether9 ] comment="LAN Oleg" l2mtu=1590 speed=100Mbps
set [ find default-name=ether10 ] comment="ROUTE SIP" l2mtu=1590 speed=\
100Mbps
set [ find default-name=ether11 ] comment=Server l2mtu=1590 speed=100Mbps
set [ find default-name=ether12 ] comment=ServicePort l2mtu=1590 speed=\
100Mbps
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full \
comment=SFP_BRIDGE l2mtu=1590
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full l2mtu=\
1590
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full \
disabled=yes l2mtu=1590
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full \
comment=MT_GF_dop_main l2mtu=1590
# Static L2TP server binding for user3u (its /ppp secret is listed below).
/interface l2tp-server
add name=KV3-in user=user3u
# Tagged VLAN 11 on bridge_sfp; it is later added as a port of br_wifi,
# so VLAN 11 traffic arriving on the SFP bridge lands in the Wi-Fi bridge.
/interface vlan
add interface=bridge_sfp name=vlan11 vlan-id=11
# Layer-7 matchers for YouTube hosts. The dots in the patterns are not
# escaped, so they match any character. Every rule that references these
# matchers (filter "YouTube blok1"/"blok2" and the mangle youtube packet
# mark) is disabled=yes in this export.
/ip firewall layer7-protocol
add name=site_video regexp="^.+(youtube.ru|youtube.com).*\$"
add name=youtube regexp="(^.+(youtu.be).*\$)"
# Default IPsec proposal restricted to AES-128-CBC. No IPsec peers appear
# in this export, so the proposal is presumably unused.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
# DHCP address pools. pool_sfp is shared by the dhcp_sfp server and by the
# PPTP profile profile1ppp (remote-address=pool_sfp).
/ip pool
add name=dhcppool_service ranges=192.168.77.4-192.168.77.8
add name=pool_sfp ranges=\
192.168.7.22-192.168.7.199,192.168.7.211-192.168.7.254
add name=dhcppool_aukc ranges=192.168.10.11-192.168.10.250
add name=dhcppool_wifi ranges=192.168.11.40-192.168.11.254
# DHCP servers, one per bridge.
# NOTE(review): dhcp1 serves bridge_shopto from the 192.168.10.x pool, but
# the matching gateway address 192.168.10.1/24 is configured on ether7 (a
# bridge_shopto port) rather than on the bridge itself — see /ip address.
/ip dhcp-server
add address-pool=dhcppool_service authoritative=after-2sec-delay disabled=no \
interface=bridge_service lease-time=5d name=dhcp_service
add address-pool=pool_sfp authoritative=after-2sec-delay disabled=no \
interface=bridge_sfp lease-time=5d name=dhcp_sfp
add address-pool=dhcppool_aukc authoritative=after-2sec-delay disabled=no \
interface=bridge_shopto lease-time=1w name=dhcp1
add address-pool=dhcppool_wifi authoritative=after-2sec-delay disabled=no \
interface=br_wifi lease-time=3d name=dhcp_wifi
# PPP profiles. profile1ppp is the PPTP server's default profile and does
# not set use-encryption, so whether a PPTP session is encrypted is left
# to the default/client negotiation — NOTE(review): confirm, since the
# PPTP server below also allows PAP. baza2 and kv require MPPE encryption.
/ppp profile
add local-address=192.168.7.1 name=profile1ppp remote-address=pool_sfp
add name=baza2 use-compression=yes use-encryption=yes
add name=kv use-compression=yes use-encryption=yes
# Only the permitted source range is changed on the default SNMP
# community; its name is not changed here, so it presumably keeps the
# built-in default name — NOTE(review): verify and rename. SNMP itself is
# enabled in /snmp below.
/snmp community
set [ find default=yes ] addresses=192.168.7.0/24
# Bridge membership. ether7 and ether3 are ports of bridge_shopto, yet
# /ip address assigns 192.168.10.1/24 to ether7 and 192.168.35.1/24 to
# ether3 directly. NOTE(review): an address on a bridge port is normally
# flagged invalid; those addresses likely belong on bridge_shopto.
/interface bridge port
add bridge=bridge_sfp interface=sfp1
add bridge=bridge_sfp interface=sfp2
add bridge=bridge_service interface=ether12
add bridge=bridge_sfp interface=ether11
add bridge=bridge_sfp interface=ether9
add bridge=bridge_sfp interface=ether8
add bridge=bridge_sfp interface=ether6
add bridge=bridge_shopto interface=ether7
add bridge=bridge_shopto interface=ether3
add bridge=bridge_sfp interface=sfp4
add bridge=br_wifi interface=ether5
add bridge=br_wifi interface=vlan11
# L2TP server enabled. No use-ipsec setting appears in this export, so the
# tunnels presumably rely on PPP-level MPPE only (profile baza2); UDP/1701
# is accepted from any source by the filter input chain.
/interface l2tp-server server
set default-profile=baza2 enabled=yes
# PPTP server accepts PAP, CHAP and MS-CHAPv1 alongside MS-CHAPv2. PAP
# sends the password in clear text and PPTP/MPPE is considered weak;
# restricting authentication to mschap2 (or moving these users to L2TP
# with IPsec) is the defensive option.
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=profile1ppp \
enabled=yes
# Router addresses. The WAN1 address is redacted by the poster
# (xx.xxx.xxx.xx/27). 192.168.77.1/29 on bridge_service is the management
# subnet used by the firewall accepts and DHCP.
# NOTE(review): 192.168.10.1/24 on ether7 and 192.168.35.1/24 on ether3 —
# both ports are members of bridge_shopto (see /interface bridge port), so
# these addresses are likely invalid in practice; check for the I flag in
# /ip address print and move them to bridge_shopto.
/ip address
add address=192.168.77.1/29 comment=Service interface=bridge_service network=\
192.168.77.0
add address=192.168.7.1/24 comment="SFP Bridge" interface=bridge_sfp network=\
192.168.7.0
add address=192.168.10.1/24 comment=shopto interface=ether7 network=\
192.168.10.0
add address=192.168.105.2/24 comment=WAN2 interface=ether2 network=\
192.168.105.0
add address=192.168.11.5/24 comment=WIFI disabled=yes interface=ether5 \
network=192.168.11.0
add address=192.168.22.2/24 comment=SIP interface=ether10 network=\
192.168.22.0
add address=xx.xxx.xxx.xx/27 comment=WAN1 interface=ether1 network=\
89.188.118.128
add address=192.168.11.4/24 comment=WIFI interface=br_wifi network=\
192.168.11.0
add address=192.168.88.10/24 comment="MIK new" disabled=yes interface=ether4 \
network=192.168.88.0
add address=192.168.8.1/24 comment="SFP Bridge" interface=bridge_sfp network=\
192.168.8.0
add address=192.168.35.1/24 interface=ether3 network=192.168.35.0
add address=192.168.100.1/30 comment="to MT2" interface=bridge_sfp network=\
192.168.100.0
# DHCP option sets per subnet. Public resolvers (8.8.8.8/8.8.4.4) and ISP
# resolvers are handed to clients directly.
# NOTE(review): the 192.168.77.0/24 entry does not match the /29 interface
# address (192.168.77.1/29) and pool; without netmask= clients on the
# service bridge receive a /24 mask.
/ip dhcp-server network
add address=192.168.7.0/24 dns-server=\
87.245.145.6,87.245.190.122,8.8.8.8,8.8.4.4 gateway=192.168.7.1 netmask=\
24
add address=192.168.10.0/24 dns-server=\
8.8.8.8,8.8.4.4,87.245.145.6,87.245.190.122 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.11.4
add address=192.168.77.0/24 gateway=192.168.77.1
# Upstream resolvers for the router itself. allow-remote-requests is not
# shown, so it is presumably at its default (off) and the router is not a
# resolver for clients.
/ip dns
set servers=195.128.48.65,195.128.50.30,8.8.8.8,8.8.4.4
# LANIP is the exclusion list for policy routing in /ip firewall mangle
# (dst-address-list=!LANIP). Subnets reached through the tunnels in
# /ip route (192.168.1/3/30/31/41/51/52/53/60.0/24, the 10.50.x peers) and
# 192.168.25.0/24, 192.168.35.0/24, 192.168.100.0/30 are NOT in LANIP, so
# traffic to them from a marked subnet still receives a routing mark.
# NOTE(review): confirm the marked routing tables fall back to the main
# table for these prefixes; otherwise inter-site traffic would be sent to
# the WAN gateway. BLOCKtoWAN1 is not referenced by any rule here.
# allow_sip covers all of 192.168.0.0/16. The list sip_iax referenced by
# the IAX drop rule in the filter is not defined in this export.
/ip firewall address-list
add address=192.168.10.0/24 comment=Shopto list=LANIP
add address=192.168.11.0/24 comment=Wifi list=LANIP
add address=192.168.7.0/24 comment="Lan(seti)" list=LANIP
add address=192.168.77.0/29 comment=Service list=LANIP
add address=192.168.7.0/24 disabled=yes list=BLOCKtoWAN1
add address=192.168.0.0/24 comment=Video list=LANIP
add address=192.168.22.0/24 comment="br dlya SIP" list=LANIP
add address=192.168.113.0/24 comment="br dlya SIP2" list=LANIP
add address=192.168.199.0/24 disabled=yes list=LANIP
add address=192.168.21.0/24 comment=Wifi_b list=LANIP
add address=192.168.8.0/24 comment=TEL list=LANIP
add address=192.168.0.0/16 list=allow_sip
# Filter rules. NOTE(review): neither input nor forward has an
# established/related accept, a connection-state=invalid drop, or a final
# drop rule, so everything not explicitly dropped below is allowed. Router
# management is therefore protected only by the per-service address
# restrictions in /ip service; services not listed there (winbox is absent
# from this export, so presumably at defaults) are reachable on
# ether1/ether2. Adding the usual established/related accept, invalid
# drop and a terminal drop on input from the WAN interfaces is the
# missing control.
/ip firewall filter
# Disabled PPTP/GRE accepts — moot while input has no terminal drop.
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input disabled=yes protocol=gre
# Management subnet (bridge_service) and L2TP control port from anywhere.
add action=accept chain=input in-interface=bridge_service
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=output out-interface=bridge_service
# dst-address-list=play.google.com: no list of that name is defined in
# this export, so these two rules match nothing unless the list is
# populated dynamically elsewhere.
add action=accept chain=forward dst-address-list=play.google.com
add action=accept chain=input dst-address-list=play.google.com
# YouTube blocking via layer-7 — both rules disabled.
add action=reject chain=forward comment="YouTube blok2" disabled=yes \
dst-limit=1,5,dst-address/1m40s layer7-protocol=youtube limit=5,5:packet \
reject-with=icmp-network-unreachable
add action=reject chain=forward comment="YouTube blok1" disabled=yes \
layer7-protocol=site_video protocol=tcp reject-with=\
icmp-network-unreachable
# Static drops toward individual public addresses; their purpose is not
# recorded — a comment= on each would help the next reviewer.
add action=drop chain=forward dst-address=64.233.162.190
add action=drop chain=forward dst-address=151.106.13.171
add action=drop chain=forward dst-address=93.131.125.74
add action=drop chain=forward dst-address=173.194.44.0/24
add action=drop chain=forward dst-address=173.194.32.169 protocol=tcp
add action=drop chain=forward dst-address=173.194.122.231 protocol=tcp
add action=accept chain=forward in-interface=bridge_service
add action=accept chain=input protocol=icmp src-address=192.168.77.0/24
add action=drop chain=input disabled=yes dst-address=192.168.10.0/24 \
src-address=192.168.11.0/24
# Video subnet (192.168.0.0/24) policy: per-host accepts come first, the
# subnet-level drops after. The 192.168.7.0/24 <-> 192.168.0.0/24 drops
# are disabled, so the per-host accepts for 192.168.7.x hosts are
# currently redundant; only 192.168.10.0/24 and 192.168.11.0/24 are
# actually isolated from the Video subnet.
add action=accept chain=forward comment=Video disabled=yes dst-address=\
192.168.0.0/24 src-address=192.168.7.1
add action=accept chain=forward dst-address=192.168.0.99 src-address=\
192.168.7.35
add action=accept chain=forward dst-address=192.168.10.182 src-address=\
192.168.30.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 src-address=\
192.168.10.182
add action=accept chain=forward comment=PLANSHET dst-address=192.168.7.99 \
src-address=192.168.11.56
add action=accept chain=input comment=PLANSHET dst-address=192.168.7.99 \
src-address=192.168.11.56
add action=accept chain=forward comment=PLANSHET dst-address=192.168.11.56 \
src-address=192.168.7.99
add action=accept chain=input comment=PLANSHET dst-address=192.168.11.56 \
src-address=192.168.7.99
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
192.168.7.85
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
192.168.7.46
add action=accept chain=forward disabled=yes dst-address=192.168.7.1 \
src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
192.168.7.35
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
192.168.7.61
add action=accept chain=forward dst-address=192.168.7.35 src-address=\
192.168.0.0/24
add action=accept chain=forward dst-address=192.168.7.61 src-address=\
192.168.0.0/24
add action=accept chain=forward dst-address=192.168.7.85 src-address=\
192.168.0.0/24
add action=accept chain=forward dst-address=192.168.7.46 src-address=\
192.168.0.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.0.0/24 \
src-address=192.168.7.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.7.0/24 \
src-address=192.168.0.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.0.0/24 \
src-address=192.168.10.0/24
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=\
192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=\
192.168.11.0/24
add action=drop chain=forward dst-address=192.168.11.0/24 src-address=\
192.168.0.0/24
# A single SSH brute-force source blocked by address ("podbor pass po
# ssh" = SSH password guessing). There is no generic protection for
# SSH on WAN1 (no address-list/rate-limit rules and no terminal drop), so
# the next source is not covered.
add action=drop chain=input comment="podbor pass po ssh - drop" in-interface=\
ether1 src-address=183.136.214.248
add action=drop chain=forward comment="sip - drop" dst-port=5060 protocol=udp \
src-address=37.8.94.61
# IAX: src-address-list=!sip_iax — sip_iax is not defined in this export;
# if the list is indeed empty, every source matches the negation and all
# UDP 4569->4569 to the router is dropped.
add action=drop chain=input comment=iax_drop dst-port=4569 protocol=udp \
src-address-list=!sip_iax src-port=4569
# SIP to the router itself only from 192.168.0.0/16 (allow_sip). These
# are input-chain rules; SIP forwarded to the 192.168.22.x / 192.168.113.x
# networks is not covered by them.
add action=drop chain=input comment=sip_drop dst-port=5060 protocol=tcp \
src-address-list=!allow_sip
add action=drop chain=input comment=sip_drop dst-port=5060 protocol=udp \
src-address-list=!allow_sip
# Policy routing. Connections entering on each WAN are marked
# (WAN1->Input / WAN2->Input) so the router's own replies are routed back
# out of the same WAN. Each LAN subnet then gets its own routing mark for
# destinations outside LANIP; the matching marked default routes are in
# /ip route. The Prime mark (192.168.30.0/24) and the youtube packet mark
# are disabled. dst-address=xx.xxx.xxx.xx is the redacted WAN1 address.
/ip firewall mangle
add action=mark-connection chain=input dst-address=xx.xxx.xxx.xx \
in-interface=ether1 new-connection-mark=WAN1->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN1->Input \
new-routing-mark=WAN1 passthrough=no
add action=mark-connection chain=input dst-address=192.168.105.2 \
in-interface=ether2 new-connection-mark=WAN2->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN2->Input \
new-routing-mark=WAN2 passthrough=no
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
new-routing-mark=Shopto passthrough=no src-address=192.168.10.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
new-routing-mark=WIFI passthrough=no src-address=192.168.11.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
new-routing-mark=WIFI_b passthrough=no src-address=192.168.21.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
new-routing-mark=BridgeSFP passthrough=no src-address=192.168.7.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
new-routing-mark=TEL passthrough=no src-address=192.168.8.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
new-routing-mark=Service passthrough=no src-address=192.168.77.0/29
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
new-routing-mark=Video passthrough=no src-address=192.168.0.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
new-routing-mark=SIP passthrough=no src-address=192.168.22.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
new-routing-mark=SIP2 passthrough=no src-address=192.168.113.0/24
add action=mark-routing chain=prerouting disabled=yes dst-address-list=!LANIP \
new-routing-mark=Prime passthrough=no src-address=192.168.30.0/24
add action=mark-packet chain=forward disabled=yes layer7-protocol=youtube \
new-packet-mark=youtube passthrough=yes
# Source NAT. Masquerade on both WANs, on the dynamic l2tp-in1/l2tp-in2
# interface names, on bridge_service and ether10, and toward the
# 192.168.7/30/52.0/24 networks (which hides the original client address
# from hosts on those networks and from their logs).
# NOTE(review): dynamic l2tp-in* names depend on connection order; a
# static binding such as KV3-in (/interface l2tp-server) is the reliable
# way to match a specific tunnel.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=l2tp-in2
add action=masquerade chain=srcnat out-interface=l2tp-in1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=bridge_service
add action=masquerade chain=srcnat out-interface=ether10
add action=masquerade chain=srcnat dst-address=192.168.7.0/24
add action=masquerade chain=srcnat dst-address=192.168.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.52.0/24
# Connection-tracking helpers: ftp/tftp/irc/h323/udplite/dccp/sctp are
# disabled; the SIP helper stays enabled with a 4m timeout (pptp is not
# listed, so presumably at its default). Keep in mind the SIP helper
# rewrites SIP payloads, which is a common source of VoIP issues.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip sip-timeout=4m
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Default (catch-all) IPsec policy; no peers are defined in this export.
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Only the cache path is set; enabled= is not shown, so the web proxy is
# presumably disabled.
/ip proxy
set cache-path=web-proxy1
# Routes. xx.xxx.xxx.xx-1 is the redacted WAN1 gateway; 192.168.105.1 is
# the WAN2 gateway (WAN2 sits behind another private network). Marked
# default routes pair each routing mark from /ip firewall mangle with a
# primary (distance 10) and backup (distance 11) WAN. Unmarked defaults:
# WAN1 (comment=Gleb, distance 1) and WAN2 (comment=Oleg, distance 2).
# NOTE(review): the gleb_UP/gleb_down scripts toggle a route by ordinal
# ("numbers=12"); ordinals shift whenever routes are added or removed,
# so the route should be selected by comment ([find comment=Gleb]).
# Static routes to remote sites point at the 10.50.x.11 peer addresses
# assigned to the L2TP secrets in /ppp secret.
/ip route
add check-gateway=ping distance=1 gateway=xx.xxx.xxx.xx-1 routing-mark=WAN1
add distance=1 gateway=192.168.105.1 routing-mark=WAN2
add check-gateway=ping distance=10 gateway=xx.xxx.xxx.xx-1 routing-mark=\
Shopto
add check-gateway=ping distance=11 gateway=192.168.105.1 routing-mark=Shopto
add check-gateway=ping distance=10 gateway=192.168.105.1 routing-mark=WIFI
add check-gateway=ping distance=11 gateway=xx.xxx.xxx.xx-1 routing-mark=WIFI
add check-gateway=ping distance=10 gateway=192.168.105.1 routing-mark=WIFI_b
add check-gateway=ping distance=10 gateway=xx.xxx.xxx.xx-1 routing-mark=\
BridgeSFP
add check-gateway=ping distance=11 gateway=192.168.105.1 routing-mark=\
BridgeSFP
add check-gateway=ping distance=11 gateway=xx.xxx.xxx.xx-1 routing-mark=TEL
add check-gateway=ping disabled=yes distance=10 gateway=192.168.105.1 \
routing-mark=TEL
add check-gateway=ping distance=10 gateway=192.168.105.1 routing-mark=Service
add check-gateway=ping disabled=yes distance=11 gateway=xx.xxx.xxx.xx-1 \
routing-mark=Service
add check-gateway=ping distance=10 gateway=xx.xxx.xxx.xx-1 routing-mark=Video
add check-gateway=ping comment=Gleb distance=1 gateway=xx.xxx.xxx.xx-1
add check-gateway=ping comment=Oleg distance=2 gateway=192.168.105.1
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.7.11
add distance=1 dst-address=192.168.1.0/24 gateway=10.50.0.20
add distance=1 dst-address=192.168.3.0/24 gateway=10.50.0.20,10.51.1.10
add distance=1 dst-address=192.168.21.0/24 gateway=192.168.11.3
add distance=1 dst-address=192.168.22.1/32 gateway=ether10
add distance=1 dst-address=192.168.30.0/24 gateway=10.50.30.11
add distance=1 dst-address=192.168.31.0/24 gateway=10.50.30.11
add distance=1 dst-address=192.168.41.0/24 gateway=10.50.40.11
add distance=1 dst-address=192.168.51.0/24 gateway=10.50.50.11
add distance=1 dst-address=192.168.52.0/24 gateway=10.50.52.11
add distance=1 dst-address=192.168.53.0/24 gateway=10.50.53.11
add distance=1 dst-address=192.168.60.0/24 gateway=10.50.61.11
add distance=1 dst-address=192.168.113.113/32 gateway=192.168.22.1
add distance=1 dst-address=192.168.199.0/24 gateway=192.168.77.3
add distance=1 dst-address=192.168.199.10/32 gateway=192.168.7.12
add disabled=yes distance=1 dst-address=194.226.10.1/32 gateway=192.168.105.1
# Management services. telnet, ftp and api are disabled; www is limited
# to four LAN subnets (192.168.77.0/24 here vs the /29 actually used).
# NOTE(review): the ssh entries use /32 on network addresses
# (192.168.10.0/32 etc.), which permits only the unusable .0 host of each
# subnet — /24 was presumably intended, as on the www line.
# NOTE(review): winbox is not listed, so it is presumably enabled with no
# address restriction, and the filter input chain has no drop for it on
# the WAN interfaces.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24,192.168.9.0/24,192.168.7.0/24,192.168.77.0/24
set ssh address=192.168.10.0/32,192.168.77.0/32,192.168.9.0/32
set api disabled=yes
# PPP credentials (passwords redacted by the poster). ttko uses
# profile1ppp over PPTP, where the server also accepts PAP. Remote
# addresses 10.50.x.11 are the next hops of the static routes above.
# NOTE(review): ppp2 references profile=pass, which is not defined in
# /ppp profile (possibly a redaction artefact); importing this line as-is
# would fail.
/ppp secret
add name=ttko password=pass profile=profile1ppp service=pptp
add local-address=192.168.10.1 name=ole password=PASS profile=\
baza2 remote-address=192.168.10.178 service=pptp
add local-address=10.50.0.10 name=baza21 password=pass profile=\
baza2 remote-address=10.50.0.20 service=l2tp
add local-address=10.50.30.10 name=Prime1 password=pass profile=\
baza2 remote-address=10.50.30.11 service=l2tp
add name=ppp2 password=ppp2 profile=pass service=pptp
add local-address=10.50.40.10 name=kv1ppp password=pass profile=kv \
remote-address=10.50.40.11 service=l2tp
add local-address=10.50.50.10 name=kv2ppp password=pass profile=kv \
remote-address=10.50.50.11 service=l2tp
add name=ppp3 password=pass profile=baza2 service=l2tp
add local-address=10.50.61.10 name=Prime2 password=pass profile=\
baza2 remote-address=10.50.61.11 service=l2tp
add local-address=192.168.25.1 name=malik password=pass profile=\
default-encryption remote-address=192.168.25.2 service=pptp
add local-address=192.168.25.1 name=val password=\
pass profile=default-encryption remote-address=\
192.168.25.3 service=pptp
add local-address=10.50.52.10 name=user3u password=pass profile=kv \
remote-address=10.50.52.11 service=l2tp
add local-address=10.50.53.10 name=b1ppp password=pass \
profile=kv remote-address=10.50.53.11 service=l2tp
# RADIUS client for wireless pointing at 192.168.11.4 — this router's own
# br_wifi address. NOTE(review): no wireless interface appears in this
# export; confirm which RADIUS server/service actually listens there.
/radius
add address=192.168.11.4 secret=pass service=wireless
# SNMP enabled with v2c traps (community-based, no authentication or
# privacy); the community's source range is restricted above.
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-autodetect=no
/system clock manual
set time-zone=+03:00
/system identity
set name=MT_main
# NOTE(review): updates follow the release-candidate channel; a production
# router is usually kept on a stable (non-RC) channel.
/system package update
set channel=release-candidate
/system routerboard settings
set silent-boot=no
# Scheduler. Three disabled one-shot jobs dated sep/29/2014 (disable
# ether2 / reboot). UP_Gleb has no on-event and no interval, so it does
# nothing. NOTE(review): every job carries the full policy set
# (ftp,reboot,...,password,sniff,sensitive); grant only what the called
# script needs.
/system scheduler
add disabled=yes name=job_eth2_disable on-event=\
"/system script run eth2-disable" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
sep/29/2014 start-time=01:20:30
add disabled=yes name=reboot on-event="/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
sep/29/2014 start-time=01:16:35
add disabled=yes name=job_again on-event="/system script run eth2-disable" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
start-date=sep/29/2014 start-time=01:15:30
add name=UP_Gleb policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
feb/05/2015 start-time=13:00:00
# Scripts. eth2-disable takes WAN2 down. gleb_UP/gleb_down enable/disable
# the route with ordinal 12 — NOTE(review): ordinals are not stable across
# route additions/removals; the target is presumably the WAN1 default
# route with comment=Gleb, so select it with [find comment=Gleb].
# All three carry far broader policies than these one-liners need.
/system script
add dont-require-permissions=no name=eth2-disable owner=userr policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
"/interface disable ether2"
add dont-require-permissions=no name=gleb_UP owner=userr policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
"/ip route enable numbers=12"
add dont-require-permissions=no name=gleb_down owner=userr policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
"/ip route disable numbers=12"
/system watchdog
set watchdog-timer=no
# Netwatch (disabled) runs "gleb_up" when 192.168.9.1 goes down and
# "gleb_down" when it comes back. NOTE(review): the script is named
# gleb_UP; names are case-sensitive in RouterOS, so enabling this as-is
# would likely not run the script. 192.168.9.1 has no matching address or
# route in this export.
/tool netwatch
add disabled=yes down-script="/system script run gleb_up" host=192.168.9.1 \
interval=10m up-script="/system script run gleb_down"
# RoMON enabled with a shared secret (redacted). The bare "add" is the
# catch-all port entry; the WAN ports ether1/ether2 are forbidden, leaving
# RoMON reachable on all remaining (LAN) ports.
/tool romon
set enabled=yes id=CC:2D:E0:BB:00:00 secrets=pass
/tool romon port
add
add disabled=no forbid=yes interface=ether1
add disabled=no forbid=yes interface=ether2
в фаерволе нет правил запрета, относящихся к этим подсетям.