gmx писал(а): Пожалуйста, уберите ВСЕ из IP-Firewall-Filters.
Сюда нужно добавлять правила, которые действительно нужны, а не все подряд, что где-то увидели.
В шедулере очень длинный скрипт, он вам нужен???
Ограничения доступа к www, winbox - это тоже так нужно, или это все хвосты???
Графические интерфейсы тоже нужны???
По поводу стороны Б все верно, dhcp клиент можно не включать, все настройте вручную.
про фильтры, я не стал просто их удалять, т.к. ограничивал доступ к ресурсам из локалки, не стал заморачиваться на данный момент, уберу...
в планировщике 2 скрипта, 1 на бэкап, 2 на синхронизацию времени
не знаю с чем это связано, но никак не синхронизируются по NTP микротики с внешними адресами, пришлось скрипт использовать для синхронизации с cloud, как резервный вариант, а альтернативный NTP настроил на свой ноут, оба скрипта начинают работу также при ребуте (2 отдельные задачи)
ограничение доступа к www и winbox тоже нужно, тут микротики пользуются большой популярностью, поэтому лучше ограничить. По мак-у только со стороны провайдера можно зайти... Графические интерфейсы убрал.
вот что получилось:
# The first Ethernet port is the uplink to the provider, so it is renamed "wan".
# Every later rule has to use that new name.
/interface ethernet
set [ find default-name=ether1 ] name=wan
# 5 GHz radio in mode=bridge using the NV2 wireless protocol. The link is protected
# by nv2-security with a pre-shared key, and WPS is disabled.
# The frequency and the key were masked by the poster.
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce disabled=no \
    frequency=**** mode=bridge nv2-preshared-key=******** nv2-security=enabled \
    ssid=home_secure wireless-protocol=nv2 wps-mode=disabled
# The default security profile only has its supplicant identity set.
# NOTE(review): with wireless-protocol=nv2 the NV2 key above presumably protects the
# link rather than this profile. Confirm before relying on it.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pool and DHCP server for 192.168.11.0/24, bound directly to wlan1.
# NOTE(review): the pool covers 192.168.11.100 and 192.168.11.200. The www/winbox
# allow-lists under /ip service trust both addresses, and the PPTP secret hands
# 192.168.11.200 to the VPN client. Any DHCP client that is leased one of them
# inherits that management access. Confirm they are pinned with static leases or
# kept out of the pool.
/ip pool
add name=lan-dhcp ranges=192.168.11.100-192.168.11.253
/ip dhcp-server
add add-arp=yes address-pool=lan-dhcp always-broadcast=yes authoritative=yes disabled=no \
    interface=wlan1 lease-time=1w name=default
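# PPTP server for the remote client defined under /ppp secret.
# Only MS-CHAPv2 is offered. PAP sends the password in clear text, CHAP and
# MS-CHAPv1 are obsolete, and MPPE session keys can only be derived from an MS-CHAP
# exchange, so a PAP/CHAP login would run without tunnel encryption.
# NOTE(review): PPTP with MS-CHAPv2 is itself considered weak. If the remote side
# allows it, plan a move to a stronger tunnel type and close tcp/1723 and GRE afterwards.
/interface pptp-server server
set authentication=mschap2 default-profile=default enabled=yes
# NOTE(review): SSTP is enabled with default settings, but the only /ppp secret in
# this export is limited to service=pptp and no certificate is configured for SSTP.
# If nobody uses it, set enabled=no so that an unused VPN listener is not left running.
/interface sstp-server server
set enabled=yes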
# Router addresses: a masked public address on the uplink and 192.168.11.1/24 on the radio.
# NOTE(review): on the wan entry, network=**.**.87.240 does not look like the network
# address of a /16 prefix. The values are masked, so this cannot be verified here.
# Confirm the prefix length. A /16 also makes every host in that range an on-link
# neighbour of this router.
/ip address
add address=**.***.87.250/16 interface=wan network=**.**.87.240
add address=192.168.11.1/24 interface=wlan1 network=192.168.11.0
# DHCP clients receive the router itself as gateway and DNS server.
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
# allow-remote-requests=yes makes the router answer DNS queries from other hosts.
# The LAN needs it, because DHCP hands out 192.168.11.1 as resolver. The input chain
# must therefore not accept port 53 (udp or tcp) arriving on wan, otherwise the
# router becomes an open resolver usable for amplification.
/ip dns
set allow-remote-requests=yes servers=**.***.86.9,**.***.80.9
# Address list "LAN". No firewall rule in this export references it.
/ip firewall address-list
add address=192.168.11.0/24 list=LAN
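/ip firewall filter
# ---------------------------------------------------------------------------
# input chain: packets addressed to the router itself
# ---------------------------------------------------------------------------
# Stateful rules come first. In the original order the ICMP drop preceded them, so
# ICMP replies and ICMP errors belonging to the router's own connections were dropped.
add action=accept chain=input comment="Accept established and related connections" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
# PPTP: control channel on tcp/1723 to the wan address, plus GRE for the tunnel payload.
add action=accept chain=input comment="Alow VPN port 1723" dst-address=**.***.87.250 \
    dst-port=1723 in-interface=wan protocol=tcp
add action=accept chain=input protocol=gre
# WinBox was accepted from any source, which left the /ip service allow-list as the
# only barrier. It is now limited to the two external hosts that allow-list already
# names. LAN and VPN hosts reach it through the LocalNET rule below.
add action=accept chain=input comment="Accept WinBox - 8291" dst-port=8291 protocol=tcp \
    src-address=**.***.86.142
add action=accept chain=input comment="Accept WinBox - 8291" dst-port=8291 protocol=tcp \
    src-address=**.***.87.59
# ICMP is answered for the provider-side /24 only. The drop rule matches every ICMP
# type, not just echo requests. It also matches 192.168.11.0/24, because it sits
# above the LocalNET accept.
add action=accept chain=input comment="Allow Ping" protocol=icmp src-address=**.***.87.0/24
add action=drop chain=input comment="Drop Ping from others" protocol=icmp
# This rule used in-interface=ether1, but that port is renamed to "wan" in
# /interface ethernet, so the rule has to reference the new name.
add action=drop chain=input comment="Drop UDP Flood DNS" in-interface=wan protocol=udp \
    src-port=53
# Management and DNS for the local subnet. in-interface=!wan rejects packets that
# arrive on the uplink with a forged 192.168.11.x source address.
add action=accept chain=input comment="Access to router only from LocalNET" \
    in-interface=!wan src-address=192.168.11.0/24
# The blanket "Allow UDP" accept was removed from this chain. It exposed every UDP
# service on the router to the uplink, including the DNS resolver
# (allow-remote-requests=yes) and the NTP server. Replies to the router's own DNS and
# NTP queries are still accepted by the established/related rule at the top.
add action=drop chain=input comment="All other drop"
# ---------------------------------------------------------------------------
# forward chain: packets routed through the router
# ---------------------------------------------------------------------------
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="Allow access to internet - VPN" \
    in-interface=all-ppp out-interface=wan
# NOTE(review): this rule named out-interface=bridge-local, but the export defines no
# bridge and 192.168.11.1/24 sits on wlan1. wlan1 is used here. Confirm that it is
# the intended LAN interface. The empty connection-state="" matcher was dropped
# because it matched nothing specific.
add action=accept chain=forward comment=" Allow access to local - VPN" \
    in-interface=all-ppp out-interface=wlan1
# LAN to internet. As in the input chain, the uplink is excluded, so a neighbour on
# the provider segment cannot use a forged LAN source address to get forwarded.
add action=accept chain=forward comment="Access to Internet from local network" \
    in-interface=!wan src-address=192.168.11.0/24
# The unconditional "accept forward protocol=udp" rule was removed. It allowed
# unsolicited UDP from the uplink to be routed towards the LAN. UDP started from the
# LAN or the VPN is covered by the two accepts above and by established/related.
add action=drop chain=forward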
# Source NAT: everything leaving through wan is masqueraded behind the wan address.
/ip firewall nat
add action=masquerade chain=srcnat comment=MASQUERADE out-interface=wan
# Static route through the provider gateway (address masked by the poster). No
# dst-address is given, so this is presumably the default route. Confirm.
/ip route
add comment=isp distance=1 gateway=**.***.87.141
# Management services: telnet, ftp, api and api-ssl are off. www and winbox stay on,
# limited at service level to two external hosts and two LAN addresses.
# NOTE(review): www is plain HTTP, so a login from the two external hosts crosses
# the provider network unencrypted. Prefer WinBox, or drop those hosts from the www list.
# NOTE(review): ssh does not appear in this export, so it is presumably still at its
# defaults (enabled, no address restriction). Confirm, then restrict or disable it
# like the other services.
# NOTE(review): 192.168.11.100 and 192.168.11.200 lie inside the DHCP pool and
# .200 is also the PPTP client address. An address-based allow-list is only as
# strong as the control over who holds those addresses.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=**.***.86.142/32,**.***.87.59/32,192.168.11.100/32,192.168.11.200/32
set api disabled=yes
set winbox address=**.***.86.142/32,**.***.87.59/32,192.168.11.100/32,192.168.11.200/32
set api-ssl disabled=yes
# Single VPN account, valid for PPTP only. The client is addressed as 192.168.11.200
# and the router end of the tunnel is 192.168.11.1.
# NOTE(review): the password is stored in readable form in the configuration and
# shows up in any export or backup of it. Treat those files as secrets.
# NOTE(review): remote-address=192.168.11.200 falls inside the lan-dhcp pool range,
# so DHCP could lease the same address to a LAN host. Confirm it is reserved.
/ppp secret
add local-address=192.168.11.1 name=***** password=******** profile=default-encryption \
    remote-address=192.168.11.200 service=pptp
# Time zone used for the clock values that the backup scripts put into file names and mails.
/system clock
set time-zone-name=Asia/Dushanbe
# The identity doubles as the file-name prefix of the backup scripts ("<identity>-backup-").
/system identity
set name=InternetRouter
# NTP client pointed at two hosts (addresses masked by the poster). They are the same
# two external addresses that the www/winbox allow-lists trust.
/system ntp client
set enabled=yes primary-ntp=**.***.87.59 secondary-ntp=**.***.86.142
# NOTE(review): the router also runs an NTP server with broadcast and multicast
# enabled, and broadcast-addresses is set to the router's own wan address. If no
# client depends on it, disable the server. Otherwise make sure udp/123 is not
# accepted from the uplink in the input chain.
/system ntp server
set broadcast=yes broadcast-addresses=**.***.87.250 enabled=yes multicast=yes
/system routerboard settings
set init-delay=0s
/system scheduler
# Job "Backup": starts at boot (start-time=startup) and repeats every 3 days.
# Steps of the embedded script:
#   1. log a start message and read the identity and system package version;
#   2. flush the DNS cache;
#   3. delete every file whose name contains "<identity>-backup-";
#   4. resolve smtp.yandex.ru, create a binary backup, mail it (port 587, start-tls=yes);
#   5. create a verbose export (.rsc) and mail it the same way.
# The file name is assembled from three [:pick] slices of the clock date (7-11, 0-3, 4-6).
# This presumably assumes a "mmm/dd/yyyy" date string. Confirm on the installed version.
# NOTE(review): the mailbox password is hard-coded in the script (local "pass"). The
# verbose export contains this scheduler entry, so the password travels inside the
# mailed .rsc, as this very post shows.
# NOTE(review): "/system backup save" is called without password=. Whether the file
# is then encrypted depends on the RouterOS version, so confirm. Both attachments
# carry the full configuration, including the PPP and NV2 secrets, to an external mailbox.
# NOTE(review): the policy list grants reboot, sniff, romon and ftp, none of which
# the script visibly uses. Trim it to what the commands need.
# NOTE(review): the job "Backup (reboot)" also runs at startup, so every boot triggers
# two backup runs that delete each other's "<identity>-backup-" files.
add comment="BACKUP for sending by e-mail" interval=3d name=Backup on-event="{\
\r\
\n:log info \"Starting Backup Script...\";\r\
\n:local sysname [/system identity get name];\r\
\n:local sysver [/system package get system version];\r\
\n:log info \"Flushing DNS cache...\";\r\
\n/ip dns cache flush;\r\
\n:delay 2;\r\
\n:log info \"Deleting last Backups...\";\r\
\n:foreach i in=[/file find] do={:if ([:typeof [:find [/file get \$i name]\
\_\\\r\
\n\"\$sysname-backup-\"]]!=\"nil\") do={/file remove \$i}};\r\
\n:delay 2;\r\
\n:local smtpserv [:resolve \"smtp.yandex.ru\"];\r\
\n:local Eaccount \"*****@********.tj\";\r\
\n:local pass \"********\";\r\
\n:local backupfile (\"\$sysname-backup-\" . \\\r\
\n[:pick [/system clock get date] 7 11] . [:pick [/system \\\r\
\nclock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".backup\
\");\r\
\n:log info \"Creating new Full Backup file...\";\r\
\n/system backup save name=\$backupfile;\r\
\n:delay 2;\r\
\n:log info \"Sending Full Backup file via E-mail...\";\r\
\n/tool e-mail send from=\"<\$Eaccount>\" to=\$Eaccount server=\$smtpserv \
\\\r\
\nport=587 user=\$Eaccount password=\$pass start-tls=yes file=\$backupfile\
\_\\\r\
\nsubject=(\"\$sysname Full Backup (\" . [/system clock get date] . \")\")\
\_\\\r\
\nbody=(\"\$sysname full Backup file see in attachment.\\nRouterOS version\
: \\\r\
\n\$sysver\\nTime and Date stamp: \" . [/system clock get time] . \" \" . \
\\\r\
\n[/system clock get date]);\r\
\n:delay 5;\r\
\n:local exportfile (\"\$sysname-backup-\" . \\\r\
\n[:pick [/system clock get date] 7 11] . [:pick [/system \\\r\
\nclock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".rsc\");\
\r\
\n:log info \"Creating new Setup Script file...\";\r\
\n/export verbose file=\$exportfile;\r\
\n:delay 2;\r\
\n:log info \"Sending Setup Script file via E-mail...\";\r\
\n/tool e-mail send from=\"<\$Eaccount>\" to=\$Eaccount server=\$smtpserv \
\\\r\
\nport=587 user=\$Eaccount password=\$pass start-tls=yes file=\$exportfile\
\_\\\r\
\nsubject=(\"\$sysname Setup Script Backup (\" . [/system clock get date] \
. \\\r\
\n\")\") body=(\"\$sysname Setup Script file see in attachment.\\nRouterOS\
\_\\\r\
\nversion: \$sysver\\nTime and Date stamp: \" . [/system clock get time] .\
\_\" \\\r\
\n\" . [/system clock get date]);\r\
\n:delay 5;\r\
\n:log info \"All System Backups emailed successfully.\\nBackuping complet\
ed.\";\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
# Job "TIME UPDATE": starts at boot and repeats every 2 hours. The script turns the
# NTP client off, calls "/ip cloud force-update", waits 20 s, turns the client back
# on, and then toggles it off and on once more.
# NOTE(review): the script writes the property as "enable=", while the export shows
# it as "enabled=" under /system ntp client. The last two commands also lack the
# leading "/". Confirm that the console accepts both forms inside a scheduler script.
# NOTE(review): the policy list is the full set (reboot, sniff, romon, ftp, password,
# ...). The script only changes NTP settings and triggers a cloud update, so trim it.
add comment="UPDATE time from Cloud every 2 hours" interval=2h name=\
"TIME UPDATE" on-event="{\r\
\n:log info \"Starting TIME UPDATE Script...\";\r\
\n/system ntp client set enable=no;\r\
\n:delay 5;\r\
\n:log info \"Updating time from cloud...\";\r\
\n/ip cloud force-update;\r\
\n:delay 20;\r\
\n/system ntp client set enable=yes;\r\
\n:log info \"Time updated.\";\r\
\n:delay 3;\r\
\nsystem ntp client set enable=no;\r\
\n:delay 3\r\
\nsystem ntp client set enable=yes\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
# Job "Backup (reboot)": no interval is set, only start-time=startup. The script
# waits 60 s and then performs the same steps as the job "Backup": flush the DNS
# cache, delete files whose name contains "<identity>-backup-", create a binary
# backup and a verbose export, and mail both through smtp.yandex.ru:587 with start-tls=yes.
# NOTE(review): "Backup" is also scheduled with start-time=startup, so this job
# repeats the whole run about a minute later. Keep only one of the two.
# NOTE(review): the mailbox password is hard-coded (local "pass") and ends up inside
# the mailed verbose export. "/system backup save" is called without password=, so
# confirm whether the resulting file is encrypted on this RouterOS version.
# NOTE(review): the policy list grants reboot, sniff, romon and ftp, none of which
# the script visibly uses. Trim it to what the commands need.
add comment="BACKUP after REBOOT" name="Backup (reboot)" on-event="{\r\
\n:delay 60;\r\
\n:log info \"Starting Backup Script...\";\r\
\n:local sysname [/system identity get name];\r\
\n:local sysver [/system package get system version];\r\
\n:log info \"Flushing DNS cache...\";\r\
\n/ip dns cache flush;\r\
\n:delay 2;\r\
\n:log info \"Deleting last Backups...\";\r\
\n:foreach i in=[/file find] do={:if ([:typeof [:find [/file get \$i name]\
\_\\\r\
\n\"\$sysname-backup-\"]]!=\"nil\") do={/file remove \$i}};\r\
\n:delay 2;\r\
\n:local smtpserv [:resolve \"smtp.yandex.ru\"];\r\
\n:local Eaccount \"*****@********\";\r\
\n:local pass \"********\";\r\
\n:local backupfile (\"\$sysname-backup-\" . \\\r\
\n[:pick [/system clock get date] 7 11] . [:pick [/system \\\r\
\nclock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".backup\
\");\r\
\n:log info \"Creating new Full Backup file...\";\r\
\n/system backup save name=\$backupfile;\r\
\n:delay 2;\r\
\n:log info \"Sending Full Backup file via E-mail...\";\r\
\n/tool e-mail send from=\"<\$Eaccount>\" to=\$Eaccount server=\$smtpserv \
\\\r\
\nport=587 user=\$Eaccount password=\$pass start-tls=yes file=\$backupfile\
\_\\\r\
\nsubject=(\"\$sysname Full Backup (\" . [/system clock get date] . \")\")\
\_\\\r\
\nbody=(\"\$sysname full Backup file see in attachment.\\nRouterOS version\
: \\\r\
\n\$sysver\\nTime and Date stamp: \" . [/system clock get time] . \" \" . \
\\\r\
\n[/system clock get date]);\r\
\n:delay 5;\r\
\n:local exportfile (\"\$sysname-backup-\" . \\\r\
\n[:pick [/system clock get date] 7 11] . [:pick [/system \\\r\
\nclock get date] 0 3] . [:pick [/system clock get date] 4 6] . \".rsc\");\
\r\
\n:log info \"Creating new Setup Script file...\";\r\
\n/export verbose file=\$exportfile;\r\
\n:delay 2;\r\
\n:log info \"Sending Setup Script file via E-mail...\";\r\
\n/tool e-mail send from=\"<\$Eaccount>\" to=\$Eaccount server=\$smtpserv \
\\\r\
\nport=587 user=\$Eaccount password=\$pass start-tls=yes file=\$exportfile\
\_\\\r\
\nsubject=(\"\$sysname Setup Script Backup (\" . [/system clock get date] \
. \\\r\
\n\")\") body=(\"\$sysname Setup Script file see in attachment.\\nRouterOS\
\_\\\r\
\nversion: \$sysver\\nTime and Date stamp: \" . [/system clock get time] .\
\_\" \\\r\
\n\" . [/system clock get date]);\r\
\n:delay 5;\r\
\n:log info \"All System Backups emailed successfully.\\nBackuping complet\
ed.\";\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
# Job "Update (reboot)": no interval is set, only start-time=startup. The script
# waits 20 s and then runs the same sequence as the job "TIME UPDATE": NTP client
# off, "/ip cloud force-update", NTP client on, then one more off/on toggle.
# NOTE(review): "TIME UPDATE" is also scheduled with start-time=startup, so the same
# sequence already runs at boot and this entry looks redundant. Confirm before removing it.
# NOTE(review): the policy list is the same full set as on the other jobs. The script
# only touches NTP and cloud settings, so trim it.
add comment="UPDATE time from Cloud after REBOOT" name="Update (reboot)" \
on-event="{\r\
\n:delay 20;\r\
\n:log info \"Starting TIME UPDATE Script...\";\r\
\n/system ntp client set enable=no;\r\
\n:delay 5;\r\
\n:log info \"Updating time from cloud...\";\r\
\n/ip cloud force-update;\r\
\n:delay 20;\r\
\n/system ntp client set enable=yes;\r\
\n:log info \"Time updated.\";\r\
\n:delay 3;\r\
\nsystem ntp client set enable=no;\r\
\n:delay 3\r\
\nsystem ntp client set enable=yes\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
# Adds a RoMON port entry with all settings left at their defaults.
# NOTE(review): nothing else in this export configures RoMON, so it is presumably
# unused. Confirm, and if so drop the "romon" policy from the scheduler jobs as well.
/tool romon port
add
Можно шить?