3 (будет 2) провайдера, настроена балансировка каналов (скорости - 15/15 мбит/с, 8/1 мбит/с, 2/0.5 мбит/с), PPTP-сервер (будет меняться на l2tp).
Помогите, пожалуйста, советами, что в ней можно улучшить/оптимизировать?
Конфигурация перешла по наследству :)
Из вычитанного на форуме, напрашивается замена маркировки пакетов на маркировку соединений.
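# MikroTik RouterOS export (interfaces, PPP, NAT, mangle, routes, filter) of a
# router with three Internet uplinks and a PPTP remote-access server.
# Review result: code is changed only at the three lines marked "FIX:" below
# (input chain accept-all, misplaced established-accept in forward, ICMP rules
# that matched only source-routed packets). Everything else worth attention is
# marked "NOTE(review):" and left exactly as exported.
# Apply in a maintenance window: the input chain was effectively accept-all, so
# every input rule after "Allow established connections" becomes live once that
# rule is corrected. Confirm your own management path (LAN 192.168.0.0/24 via
# "Allow access to router from know network") still reaches the router first.
/interface> export
/interface bridge
add comment="guest lan-wlan (wifi and 1 lan)" name=bridge-guest
/interface ethernet
set [ find default-name=ether1 ] comment="internet Atlant" name=ether1-atlant
set [ find default-name=ether2 ] comment="internet ADSL.BY" name=ether2-adsl
set [ find default-name=ether3 ] comment="internet BYFLY" name=ether3-byfly
set [ find default-name=ether4 ] comment="wi-fi guest" name=ether4-wifi-guest
set [ find default-name=ether5 ] comment="LAN guest" name=ether5-lan-guest
set [ find default-name=ether6 ] comment="master port, connect to LAN" name=ether6-lan-work
set [ find default-name=ether7 ] master-port=ether6-lan-work
set [ find default-name=ether8 ] master-port=ether6-lan-work
set [ find default-name=ether9 ] comment="wi-fi work" master-port=ether6-lan-work name=ether9-wifi-work
set [ find default-name=ether10 ] master-port=ether6-lan-work poe-out=off
set [ find default-name=sfp1 ] disabled=yes
# Uplink tunnels. Credentials are masked in the paste - keep them that way.
# All three uplinks are PPP-type interfaces, so "in-interface=all-ppp" in the
# filter rules below matches the Internet uplinks as well as the PPTP
# remote-access clients.
/interface pppoe-client
add comment="client byfly" interface=ether3-byfly max-mru=1480 max-mtu=1480 mrru=1600 name=BYFLY password=\
****** user=*****
/interface l2tp-client
add comment="connect AtlantTelecom" connect-to=10.254.254.5 disabled=no keepalive-timeout=disabled max-mru=\
1460 max-mtu=1460 mrru=1600 name=ATLANT password=***** user=*****
/interface pptp-client
add comment="client ADSL.BY" connect-to=81.25.32.67 keepalive-timeout=disabled max-mru=1400 max-mtu=1400 \
name=ADSL password=***** user=*****
/interface bridge port
add bridge=bridge-guest interface=ether4-wifi-guest
add bridge=bridge-guest interface=ether5-lan-guest
# NOTE(review): PPTP (MS-CHAPv2 + MPPE) is cryptographically weak. The planned
# move should be L2TP over IPsec (use-ipsec=yes on /interface l2tp-server
# server), not plain L2TP, and this PPTP server disabled once clients migrate.
/interface pptp-server server
set default-profile=pptp-vpn enabled=yes
/ppp profile
# NOTE(review): use-encryption=yes still admits a client that negotiates no
# MPPE; use-encryption=required rejects such clients. Switch after confirming
# every remote client supports MPPE.
add dns-server=192.168.0.1 local-address=192.168.1.200 name=pptp-vpn only-one=yes remote-address=pool-vpn \
use-encryption=yes wins-server=192.168.0.5
/ip firewall nat
add action=masquerade chain=srcnat comment="internet Atlant" out-interface=ATLANT
add action=masquerade chain=srcnat comment=\
"vnutrennei resursi Atlant" out-interface=ether1-atlant
# ADSL not ready
add action=masquerade chain=srcnat comment="internet ADSL.BY" out-interface=ADSL
add action=masquerade chain=srcnat comment=\
"vnutrennei resursi ADSL.BY" \
out-interface=ether2-adsl
# BYFLY not ready
add action=masquerade chain=srcnat comment="internet byfly" out-interface=BYFLY
/ip firewall mangle
# Routing marks are already derived from the MARK_ALL connection mark. The
# mark-packet rules further down re-evaluate the address lists on every
# forwarded packet; a mark-connection rule per list plus one mark-packet rule
# keyed on connection-mark does that lookup once per connection instead
# (the queues that consume these packet marks are not in this export).
add action=mark-connection chain=prerouting comment="mark all lo\
cal-ip" new-connection-mark=MARK_ALL src-address-list=local-ip
add action=mark-routing chain=prerouting comment="Server WSUS ot ADSL.BY 4erez client-ADSL.BY" \
connection-mark=MARK_ALL dst-port=8530 new-routing-mark=adsl-routing protocol=tcp
add action=mark-routing chain=prerouting comment="Vnutr resource adsl.by 4erez client-ADSL.BY" \
connection-mark=MARK_ALL dst-address-list=adsl.by new-routing-mark=adsl-routing
add action=mark-packet chain=forward comment=\
"markirovka vhodiachih paketov dlia guest" \
dst-address-list=limit-guest new-packet-mark=limit-guest-down
add action=mark-packet chain=forward comment=\
"markirovka vhodiachih paketov vpn" dst-address-list=no-limit-vpn \
new-packet-mark=no-limit-vpn-down
add action=mark-packet chain=forward comment=\
"markirovka vhodiachih paketov dlia office" \
dst-address-list="limit office" new-packet-mark=limit-office-down
add action=mark-packet chain=forward comment=\
"markirovka ishodiachih paketov dlia guest" \
new-packet-mark=limit-guest-up src-address-list=limit-guest
add action=mark-packet chain=forward comment=\
"markirovka ishodiachih paketov dlia vpn" new-packet-mark=\
no-limit-vpn-up src-address-list=no-limit-vpn
add action=mark-packet chain=forward comment="markirovka ishodiachih paketov dlia office" new-packet-mark=limit-office-up src-address-list=\
limit-office
/ip route
add distance=1 gateway=10.23.103.185 routing-mark=adsl-routing
# NOTE(review): nothing in this export sets new-routing-mark=atlant-routing, so
# the three atlant-routing routes below are unused unless the mangle rule lives
# outside the paste - confirm.
add comment="vnutrennie resursi Atlant" distance=1 dst-address=10.0.0.0/10 gateway=\
10.13.28.1 routing-mark=atlant-routing
add comment="DNS server Atlant" distance=1 dst-address=213.184.224.254/32 gateway=ether1-atlant routing-mark=\
atlant-routing
add comment="DNS server Atlant" distance=1 dst-address=213.184.225.32/27 gateway=ether1-atlant routing-mark=\
atlant-routing
# ECMP default route, weighted 7:4:1 by repeating the gateway names.
add comment="balansirovka kanalov internet" distance=1 gateway=\
ATLANT,ATLANT,ATLANT,ATLANT,ATLANT,ATLANT,ATLANT,ADSL,ADSL,ADSL,ADSL,BYFLY
add comment="l2tp server Atlanta" distance=1 dst-address=10.254.254.0/24 gateway=10.13.28.1
add comment="vnutrennie resursi adsl.by" distance=1 \
dst-address=81.25.32.6/32 gateway=10.23.103.185
add comment="DNS server adsl.by" distance=1 \
dst-address=81.25.32.32/27 gateway=10.23.103.185
add comment="VPN server adsl.by" distance=1 \
dst-address=81.25.32.64/26 gateway=10.23.103.185
add comment="IGET server adsl.by " \
distance=1 dst-address=81.25.34.96/28 gateway=10.23.103.185
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="razreshenie porta dlia mail-servera" dst-port=25 protocol=tcp
# FIX: this rule had no matcher at all, so with the default action (accept) it
# accepted every packet addressed to the router, and every input rule after it
# (DNS flood protection, "Block Open Proxy", the 8080 reject, the final
# log+drop) was unreachable. It now matches only established connections, as
# its comment says.
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Access related connections" connection-state=related
add action=add-src-to-address-list address-list=dns-flood address-list-timeout=1h chain=input comment="zashita ot flooda na 53 port" dst-port=53 in-interface=all-ppp protocol=udp
add action=drop chain=input comment="zashita ot flooda na 53 port" dst-port=53 \
in-interface=all-ppp protocol=udp src-address-list=dns-flood
# NOTE(review): accepts every UDP datagram to the router on every interface,
# uplinks included, and makes the disabled 500,1701,4500 rule below redundant.
# Narrow it to the ports and in-interface the router actually serves.
add chain=input comment="Allow UDP" protocol=udp
add chain=input comment="razre6enie gjhnjv UDP dlia l2tp" disabled=yes in-interface=all-ppp port=\
500,1701,4500 protocol=udp
# NOTE(review): the comment is wrong - this is rate-limited ICMP, not PPTP -
# and the unconditional "Allow ICMP" two rules down accepts whatever exceeds
# the limit, so the limit has no effect. Keep one of the two.
add chain=input comment="Allow PPTP" limit=50/5s,2:packet protocol=icmp
add chain=input comment="Allow PPTP" dst-port=1723 limit=50/5s,2:packet protocol=tcp
add chain=input comment="Allow ICMP" protocol=icmp
# NOTE(review): 8291 is Winbox, not PPTP; re-enabled as written it exposes
# Winbox on the uplinks. Keep it disabled or bind it to the LAN in-interface.
add chain=input comment="Allow PPTP" disabled=yes dst-port=8291 protocol=tcp
add chain=input comment="Allow PPTP" protocol=gre
# NOTE(review): source address only, no in-interface - a packet with a spoofed
# 192.168.0.x source arriving on an uplink matches too. Add the LAN
# in-interface (presumably ether6-lan-work - confirm).
add chain=input comment="Allow access to router from know network" src-address=192.168.0.0/24
# NOTE(review): the two disabled L2TP rules below match on src-port, and the
# second uses TCP although L2TP is UDP. When L2TP goes live, use the dst-port
# 500,1701,4500 rule above instead of these.
add chain=input comment="L2tp vpn server udp 4500 (nat-travelrsal)" disabled=yes protocol=udp src-port=\
4500
add action=drop chain=tcp comment="Deny CIFS" dst-port=445 protocol=tcp src-address-list=!no-block
add chain=input comment=" l2tp vpn server udp" disabled=yes protocol=tcp src-port=1701
add action=drop chain=input comment="Block Open Proxy" in-interface=all-ppp
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid protocol=tcp
add action=drop chain=forward comment=Block_social disabled=yes layer7-protocol=social src-address-list=\
CU_BLOCK_SOCIAL
add action=drop chain=forward comment="block social site dns" disabled=yes dst-port=53 layer7-protocol=social \
protocol=tcp
add chain=forward comment="Allow related connections" connection-state=related
# FIX: moved here from the very end of the export, where it sat after the jumps
# to the tcp/udp/icmp chains: every established packet was re-evaluated there,
# and tracked ICMP replies of forwarded pings ended in "Deny all other types".
add chain=forward comment="Allow already established connections" connection-state=established
add action=reject chain=forward comment="block social sites (reject)" disabled=yes dst-address-list=block \
reject-with=icmp-host-prohibited src-address-list=limit-office
# NOTE(review): unreachable - "Block Open Proxy" above already drops all
# all-ppp input.
add action=reject chain=input dst-port=8080 in-interface=all-ppp protocol=tcp reject-with=tcp-reset
add action=drop chain=forward comment="Drop bogons" src-address=0.0.0.0/8
add action=drop chain=forward comment="Drop bogons" dst-address=0.0.0.0/8
add action=drop chain=forward comment="Drop bogons" src-address=127.0.0.0/8
add action=drop chain=forward comment="Drop bogons" dst-address=127.0.0.0/8
add action=drop chain=forward comment="Drop bogons" src-address=224.0.0.0/3
add action=drop chain=forward comment="Drop bogons" dst-address=224.0.0.0/3
# NOTE(review): the forward chain has no final drop and nothing visible here
# separates bridge-guest from the work LAN, so guest clients can reach the
# office network unless a rule outside this export blocks it - confirm.
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="Deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="Deny NBT" dst-port=137-139 protocol=tcp src-address-list=!no-block
add action=drop chain=tcp comment="Deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=20034 protocol=tcp
# NOTE(review): DHCP is UDP; as a TCP match this rule never fires.
add action=drop chain=tcp comment="Deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="Deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="Deny PRC" dst-port=111 protocol=udp
add action=drop chain=udp comment="Deny PRC portmapper" dst-port=135 protocol=udp src-address-list=!no-block
add action=drop chain=udp comment="Deny NBT" dst-port=137-139 protocol=udp src-address-list=!no-block
add action=drop chain=udp comment="Deny NFS" dst-port=2049 protocol=udp src-address-list=!no-block
# FIX: the next four rules carried ipv4-options=loose-source-routing, so they
# matched only ICMP packets carrying the (practically never present) LSR option
# and ordinary echo replies / unreachables fell through to "Deny all other
# types". The option match is removed.
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="host unreachable fargmentation required" icmp-options=3:4 protocol=icmp
add chain=icmp comment="Allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="Allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="Allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="Allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="Deny all other types"
# NOTE(review): with the input chain fixed this now logs every unmatched packet
# reaching the router from the uplinks; expect log volume, or drop without log.
add action=log chain=input comment="Log everything else" log-prefix=drop-input
add action=drop chain=input comment="Drop anything else"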