Mikrotik configuration
# dec/26/2019 12:28:37 by RouterOS 6.46
# software id = *********
#
# model = RouterBOARD 3011UiAS
# serial number = **************
# --- Layer-2 layout ---------------------------------------------------------------
# WAN-bridge groups the uplink ports (ether1/ether2, spare ether3); "bridge" carries
# the LAN ports and every VLAN sub-interface. Neither bridge has vlan-filtering=yes,
# so tagged frames are forwarded between all member ports and VLAN separation rests
# entirely on the downstream switches.
/interface bridge
add fast-forward=no name=WAN-bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1_Backup speed=100Mbps
set [ find default-name=ether2 ] name=ether2-WAN2-Main speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# PPTP is kept alongside L2TP/IPsec, SSTP and OpenVPN (all enabled further down).
# PPTP's MS-CHAPv2/MPPE protection is considered broken; migrate the "vpn" user to
# one of the other servers and disable this one.
/interface pptp-server
add name=PPTP user=vpn
# Static OpenVPN binding for the ppp secret "admin". Using a name that is not also
# the router's own admin user (owner of the DDNS script below) avoids password reuse
# between the two credential stores.
/interface ovpn-server
add name=OpenVPN user=admin
# VLANs are terminated on "bridge" (router-on-a-stick); their addresses and DHCP
# servers are defined in the /ip sections below.
/interface vlan
add interface=bridge name="VLAN 101 Perianth Hotel" vlan-id=101
add interface=bridge name="VLAN 102 Perianth Staff" vlan-id=102
add interface=bridge name="VLAN 120 TV's & Office Lan's" vlan-id=120
add interface=bridge name="VLAN 200 Perianth Boss" vlan-id=200
# "discover" feeds neighbor discovery, mactel/mac-winbox the MAC servers. WAN/LAN
# are defined but no filter or NAT rule in this export references them (rules match
# in-interface=WAN-bridge directly), so those two lists are informational for now.
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
add name=LAN
# Unused on this model (no wireless); left at the default profile.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# --- Address pools ----------------------------------------------------------------
# "dhcp" and "dhcp_pool7" are not referenced by any DHCP server or PPP profile in
# this export. "vpn" ends at .255, which some PPP clients reject as a broadcast
# address; trimming it to .254 avoids a hard-to-diagnose failure for the last lease.
/ip pool
add name=dhcp ranges=192.168.100.45-192.168.100.254
add name=dhcp_pool1 ranges=192.168.100.80-192.168.100.254
add name=dhcp_pool2 ranges=192.168.101.10-192.168.101.254
add name=dhcp_pool3 ranges=192.168.102.10-192.168.102.254
add name=dhcp_pool4 ranges=192.168.200.200-192.168.200.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool6 ranges=192.168.120.2-192.168.120.254
add name=dhcp_pool7 ranges=192.168.5.2-192.168.5.254
add name=OpenVPN ranges=192.168.50.50-192.168.50.70
# One DHCP server per VLAN plus the untagged LAN on "bridge".
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge name=\
"Perianth 100 DHCP"
add address-pool=dhcp_pool2 disabled=no interface="VLAN 101 Perianth Hotel" \
name="VLAN 101 DHCP"
add address-pool=dhcp_pool3 disabled=no interface="VLAN 102 Perianth Staff" \
name="VLAN 102 DHCP"
add address-pool=dhcp_pool4 disabled=no interface="VLAN 200 Perianth Boss" \
name="VLAN 200 DHCP"
add address-pool=dhcp_pool6 disabled=no interface=\
"VLAN 120 TV's & Office Lan's" name="VLAN 120 DHCP"
# --- PPP profiles -----------------------------------------------------------------
# OpenVPN clients are bridged straight onto "bridge" (layer-2 reach into the whole
# LAN) while receiving 192.168.50.x addresses; use-encryption=yes is mandatory here.
# *FFFFFFFE is the internal id of a built-in profile (the export does not name it);
# it hands out 192.168.89.x to the SSTP clients (default-encryption) and presumably
# to PPTP/L2TP as well, since those servers set no default-profile.
/ppp profile
add bridge=bridge local-address=192.168.50.1 name=OpenVPN only-one=no \
remote-address=OpenVPN use-encryption=yes
set *FFFFFFFE local-address=192.168.89.1 only-one=no remote-address=vpn
# --- Queues (all disabled) --------------------------------------------------------
# The TOTAL simple queue, its children and the global queue-tree entry are all
# disabled=yes, so none of the PCQ shaping defined here is active.
/queue simple
add disabled=yes name=TOTAL target="VLAN 101 Perianth Hotel,VLAN 102 Perianth \
Staff,VLAN 120 TV's & Office Lan's,VLAN 200 Perianth Boss,bridge"
/queue tree
add disabled=yes name=queue_total parent=global
/queue type
add kind=pcq name=pcq-download-2M pcq-classifier=dst-address pcq-rate=2048k
add kind=pcq name=pcq-upload-512k pcq-classifier=src-address pcq-rate=512k
add kind=pcq name=pcq-download-5M pcq-classifier=dst-address pcq-rate=5120k
add kind=pcq name=pcq-download-1M pcq-classifier=dst-address pcq-rate=1M
add kind=pcq name=pcq-upload-2M pcq-classifier=src-address pcq-rate=2048k
add kind=pcq name=pcq-download-512k pcq-classifier=dst-address pcq-rate=512k
add kind=pcq name=pcq-upload-1M pcq-classifier=src-address pcq-rate=1M
add kind=pcq name=pcq-upload-8M pcq-classifier=src-address pcq-rate=8192k
add kind=pcq name=pcq-upload-4M pcq-classifier=src-address pcq-rate=4096k
/queue simple
add disabled=yes max-limit=10M/25M name=queue_Perianth_Hotel parent=TOTAL \
priority=3/3 queue=pcq-upload-512k/pcq-download-1M target=\
"VLAN 101 Perianth Hotel"
add disabled=yes name=queue_VLAN100 parent=TOTAL priority=1/1 queue=\
pcq-upload-4M/pcq-download-2M target=bridge
add disabled=yes name=queue_VLAN_102 parent=TOTAL priority=2/2 queue=\
pcq-upload-512k/pcq-download-1M target="VLAN 102 Perianth Staff"
# --- Bridge filter: layer-2 isolation of one workstation ---------------------------
# Every rule drops frames from 98:29:A6:95:0F:C6 (the lease commented
# "4th_Fl_PC_Internet_Access_Only" below) towards one specific internal host.
# Caveats: the first rule is disabled; the set is keyed purely on MAC addresses, so
# a NIC replacement or MAC change on that PC defeats it; only PC-originated frames
# are dropped, the listed hosts can still initiate towards the PC; and two rules
# carry the same "perianth-rec1-hp" comment for different destinations. A dedicated
# VLAN/subnet for that PC with an IP-firewall forward rule is the robust way to
# grant internet-only access.
/interface bridge filter
add action=drop chain=input comment="Bridge MAC Adrress" disabled=yes \
dst-mac-address=CC:2D:E0:9B:A4:83/FF:FF:FF:FF:FF:FF src-mac-address=\
98:29:A6:95:0F:C6/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment="perianth-reception2-hp MAC Address" \
dst-mac-address=18:60:24:EC:54:4D/FF:FF:FF:FF:FF:FF src-mac-address=\
98:29:A6:95:0F:C6/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment="perianth-rec1-hp MAC Address" \
dst-mac-address=18:60:24:EC:54:08/FF:FF:FF:FF:FF:FF src-mac-address=\
98:29:A6:95:0F:C6/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment="perianth-rec1-hp MAC Address" \
dst-mac-address=98:29:A6:95:11:33/FF:FF:FF:FF:FF:FF src-mac-address=\
98:29:A6:95:0F:C6/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment="PerianthSrv MAC Address" \
dst-mac-address=8C:EC:4B:8F:1D:C6/FF:FF:FF:FF:FF:FF src-mac-address=\
98:29:A6:95:0F:C6/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment="DESKTOP-UDJ1OKG MAC Address" \
dst-mac-address=AC:E2:D3:57:F0:B3/FF:FF:FF:FF:FF:FF src-mac-address=\
98:29:A6:95:0F:C6/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment="perianth-pc2-v510z MAC Address" \
dst-mac-address=34:41:5D:A5:DA:F7/FF:FF:FF:FF:FF:FF src-mac-address=\
98:29:A6:95:0F:C6/FF:FF:FF:FF:FF:FF
# --- Bridge membership ------------------------------------------------------------
# sfp1 is bridged in software (hw=no); ether3 is a spare, disabled WAN-bridge member.
# Both uplinks (ether1 and ether2) sit in the same WAN-bridge.
/interface bridge port
add bridge=bridge interface=ether6
add bridge=bridge hw=no interface=sfp1
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=WAN-bridge interface=ether1-WAN1_Backup
add bridge=WAN-bridge disabled=yes interface=ether3
add bridge=WAN-bridge interface=ether2-WAN2-Main
# Bridged VLAN traffic is passed through the IP firewall as well.
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set enabled=yes
# Neighbor discovery is limited to the "discover" list (LAN ports only, see below).
/ip neighbor discovery-settings
set discover-interface-list=discover
# Disabled entry; with no vlan-filtering on the bridge it has no effect anyway.
/interface bridge vlan
add bridge=bridge disabled=yes vlan-ids=10
# --- L2TP/IPsec -------------------------------------------------------------------
# Pre-shared-key IPsec (secret redacted in this paste). One PSK is shared by every
# client, so rotate it whenever a client device is lost or a user leaves.
/interface l2tp-server server
set enabled=yes ipsec-secret="***********" use-ipsec=yes
# --- Interface-list membership ----------------------------------------------------
# mactel, mac-winbox and discover are confined to the LAN bridge - good.
# Inconsistency: ether2-WAN2-Main and ether3 are WAN-bridge ports but are placed in
# the LAN list (only ether1-WAN1_Backup is in WAN). Harmless today because the
# filter rules match in-interface=WAN-bridge, but fix it before any rule uses these lists.
/interface list member
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1-WAN1_Backup list=WAN
add interface=ether2-WAN2-Main list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp1 list=LAN
# --- OpenVPN server ---------------------------------------------------------------
# A server certificate is set, but no require-client-certificate=yes is visible, so
# clients are authenticated by username/password only. The client log pasted below
# warns "No server certificate verification method has been enabled", i.e. the
# client does not validate this certificate either; a CA-issued certificate that the
# client verifies is what protects the credentials from interception.
# The same log shows the TCP session to :1194 established and then reset at once.
# Note that the port-less dst-nat rule in /ip firewall nat redirects every TCP
# connection from WAN-bridge to 192.168.100.120:1433, which would include this one.
/interface ovpn-server server
set certificate=*********.dynserv.org default-profile=OpenVPN enabled=\
yes
# PPTP server with no explicit default-profile (defaults are omitted by export), so
# the encryption requirement is whatever the built-in profile specifies.
/interface pptp-server server
set enabled=yes
# SSTP (TLS-transported PPP) using the default-encryption profile.
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# --- IP addressing ----------------------------------------------------------------
# 195.167.86.34/28 is placed on ether2-WAN2-Main, which is a member port of
# WAN-bridge. Bridge member ports are slaves in RouterOS and addresses on them are
# normally flagged invalid; the WAN address belongs on WAN-bridge itself (verify
# with /ip address print).
/ip address
add address=192.168.100.1/24 interface=bridge network=192.168.100.0
add address=195.167.86.34/28 interface=ether2-WAN2-Main network=195.167.86.32
add address=192.168.101.1/24 interface="VLAN 101 Perianth Hotel" network=\
192.168.101.0
add address=192.168.102.1/24 interface="VLAN 102 Perianth Staff" network=\
192.168.102.0
add address=192.168.200.1/24 interface="VLAN 200 Perianth Boss" network=\
192.168.200.0
add address=192.168.120.1/24 interface="VLAN 120 TV's & Office Lan's" \
network=192.168.120.0
# MikroTik cloud DDNS publishes this router's public address every 10 minutes.
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
# Static leases for the reception PCs and the server. All of them fall inside
# dhcp_pool1's dynamic range (.80-.254); RouterOS reserves them, but keeping static
# hosts outside the dynamic range is easier to audit. 98:29:A6:95:0F:C6 is the PC
# isolated by the bridge filter above.
/ip dhcp-server lease
add address=192.168.100.120 client-id=1:8c:ec:4b:8f:1d:c6 mac-address=\
8C:EC:4B:8F:1D:C6 server="Perianth 100 DHCP"
add address=192.168.100.80 client-id=1:18:60:24:ec:54:4d mac-address=\
18:60:24:EC:54:4D server="Perianth 100 DHCP"
add address=192.168.100.94 always-broadcast=yes client-id=1:98:29:a6:95:11:33 \
mac-address=98:29:A6:95:11:33 server="Perianth 100 DHCP"
add address=192.168.100.112 always-broadcast=yes client-id=1:98:29:a6:95:f:c6 \
comment=4th_Fl_PC_Internet_Access_Only mac-address=98:29:A6:95:0F:C6 \
server="Perianth 100 DHCP"
add address=192.168.100.162 always-broadcast=yes client-id=\
1:ac:e2:d3:57:f0:b3 mac-address=AC:E2:D3:57:F0:B3 server=\
"Perianth 100 DHCP"
add address=192.168.100.83 always-broadcast=yes client-id=1:18:60:24:ec:54:8 \
mac-address=18:60:24:EC:54:08 server="Perianth 100 DHCP"
add address=192.168.100.95 always-broadcast=yes client-id=1:0:21:b7:1b:20:5 \
mac-address=00:21:B7:1B:20:05 server="Perianth 100 DHCP"
# --- DHCP network options ---------------------------------------------------------
# 192.168.5.0/24 has no matching /ip address or DHCP server (stale entry).
# 192.168.100.0/24 hands clients a second gateway, 195.167.86.33 - the WAN-side
# next hop, unreachable from the LAN - remove it.
# VLAN 102 and VLAN 200 point DNS at 192.168.101.1 (VLAN 101's router address);
# the router does answer there, but each VLAN's own gateway is the intended value.
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.100.0/24 comment=LAN dns-server=192.168.100.1,8.8.8.8 \
gateway=192.168.100.1,195.167.86.33
add address=192.168.101.0/24 comment="VLAN 101" dns-server=192.168.101.1 \
gateway=192.168.101.1
add address=192.168.102.0/24 comment="VLAN 102" dns-server=192.168.101.1 \
gateway=192.168.102.1
add address=192.168.120.0/24 gateway=192.168.120.1
add address=192.168.200.0/24 comment="VLAN 200 BOSS" dns-server=192.168.101.1 \
gateway=192.168.200.1
# allow-remote-requests=yes makes the router a DNS resolver on every interface.
# Because the input chain below accepts all traffic from WAN-bridge, it is an open
# resolver on the internet (DDoS amplification abuse); drop udp/tcp 53 arriving on
# WAN-bridge in the input chain.
/ip dns
set allow-remote-requests=yes servers=195.170.0.1,8.8.8.8
# Stale: no 192.168.88.x address is configured on this router.
/ip dns static
add address=192.168.88.1 name=router
# Defined but not referenced by any filter or NAT rule in this export.
/ip firewall address-list
add address=192.168.100.0/24 list=LAN100
# --- Filter rules (first match wins) ----------------------------------------------
# Rule 1 accepts ALL traffic from WAN-bridge to the router itself
# (connection-state="" is no state restriction at all). Nothing after it in the
# input chain - the PPTP/OpenVPN/IPsec accepts and the ssh brute-force staging -
# ever sees WAN traffic, and winbox (8002), www (8001), ssh (22) and DNS are
# reachable from the internet. Remove that rule and close the chain after the
# service accepts with
#   add action=drop chain=input comment="drop all else from WAN" in-interface=WAN-bridge
# The ssh staging rules only populate ssh_blacklist; the drop for that list exists
# in forward (downstream hosts) but not in input. Add, ahead of the stage rules,
#   add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# The forward chain has no closing drop and no "drop all from WAN not dst-natted"
# rule, so anything routed from WAN-bridge into the LAN is allowed; the default
# configuration's closing rule, adapted to this setup, is
#   add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN-bridge
# VPN clients (in-interface=all-ppp) are likewise unrestricted in forward.
# Redundant but harmless: "Permit GRE" and the IKE/NAT-T accepts appear twice; the
# ftp_blacklist rules are inert while the FTP service is disabled in /ip service.
/ip firewall filter
add action=accept chain=input connection-state="" in-interface=WAN-bridge
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add chain=forward comment="Permit all PPP" in-interface=all-ppp
add action=accept chain=input comment="Permit PPTP" dst-port=1723 \
in-interface=WAN-bridge protocol=tcp
add action=accept chain=input comment="Permit GRE" protocol=gre
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add chain=input comment="Permit L2TP" dst-port=1701 protocol=udp
add chain=input comment="Permit IPSec ports 500 and 4500" port=500,4500 \
protocol=udp
add action=accept chain=input comment="Permit OpenVPN" dst-port=1194 \
in-interface=WAN-bridge protocol=tcp
add chain=input comment="Permit IPSec protocol ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="Permit SSTP" dst-port=443 protocol=tcp
add action=accept chain=input comment="Permit GRE" protocol=gre
add action=accept chain=input comment="Permit IPIP" protocol=ipip
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
# --- NAT --------------------------------------------------------------------------
# "Server Remote Access" has protocol=tcp but no dst-port or dst-address, so EVERY
# TCP connection arriving on WAN-bridge - including those meant for the router's own
# services on 1194 (OpenVPN), 443 (SSTP), 1723 (PPTP), 8001 and 8002 - is redirected
# to 192.168.100.120:1433 (the default MS SQL Server port). That exposes the database
# host to the whole internet on any TCP port, and it is a likely explanation for the
# OpenVPN client log below, where the TCP connection to :1194 is established and then
# reset immediately. At minimum add dst-port=1433; better, also restrict it with a
# src-address-list of administrator addresses, or reach the server over the VPN and
# drop this rule altogether.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=WAN-bridge
add action=dst-nat chain=dstnat comment="Server Remote Access" in-interface=\
WAN-bridge protocol=tcp to-addresses=192.168.100.120 to-ports=1433
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
# NAT helpers disabled - reduces the ALG attack surface.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Default route; gateway and preferred source are redacted in this paste.
/ip route
add distance=1 gateway=********** pref-src=***********
# --- Management services ----------------------------------------------------------
# telnet, ftp, api and api-ssl are disabled - good. www (plain HTTP) and winbox are
# only moved to 8001/8002; a non-default port is not access control, and neither has
# an address= restriction, so with the input chain accepting all WAN-bridge traffic
# both are internet-reachable. Set address= to the management subnets (and VPN
# pools) and prefer www-ssl over www.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8001
set api disabled=yes
set winbox port=8002
set api-ssl disabled=yes
# allow-none-crypto=yes permits the "none" cipher, i.e. unencrypted SSH sessions, and
# forwarding-enabled=remote lets any SSH user open reverse tunnels through the
# router. Set allow-none-crypto=no (with strong-crypto=yes) and forwarding-enabled=no
# unless tunnelling is deliberately relied on.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# LCD: backlight never times out; ether1-WAN1_Backup is the only port still displayed.
/lcd
set backlight-timeout=never default-screen=interfaces time-interval=daily
/lcd interface
set ether2-WAN2-Main disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
# --- PPP credentials --------------------------------------------------------------
# "vpn" carries no service= or profile= restriction, so it is valid for PPTP, L2TP
# and SSTP alike; "admin" is OpenVPN-only. Passwords are redacted in this paste.
/ppp secret
add name=vpn password="**********"
add name=admin password=*********** profile=OpenVPN service=ovpn
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=Perianth_Hotel
# Only OpenVPN topics are logged; no firewall drop in this export logs anything.
/system logging
add prefix=logs topics=ovpn
# --- DDNS job ---------------------------------------------------------------------
# Both the scheduler entry and the script run with every policy, including policy,
# password, sensitive, sniff, ftp and reboot. A fetch-based DDNS update needs far
# less (read, write and test are the usual minimum - confirm on this version); trim
# both policy= lists so that a compromise of the script cannot escalate.
/system scheduler
add interval=10m name=DDNS on-event="/system script run DDNS" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
# Script notes (the body is a string literal and is left untouched):
# - $host and $currentIP are never defined (the host variable is $NowHost), so both
#   :log lines print empty values.
# - /tool fetch is not given check-certificate=yes, so the HTTPS server certificate
#   is not validated and NowUser/NowPass could be handed to an impersonating endpoint.
# - The Now-DNS credentials are stored in clear text in the script source; anyone who
#   can read scripts on the router can recover them (this paste redacts them).
/system script
add dont-require-permissions=no name=DDNS owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_Now-DNS automatic Dynamic DNS update\r\
\n\r\
\n#--------------- Change Values in this section to match your setup -----\
-------------\r\
\n\r\
\n# No-DNS User account info\r\
\n:local NowUser \"**************\"\r\
\n:local NowPass \"*************\"\r\
\n\r\
\n# Your hostname you want to update\r\
\n# To specify multiple hosts, separate them with commas.\r\
\n:local NowHost \"****************\"\r\
\n\r\
\n#-----------------------------------------------------------------------\
-------------\r\
\n\r\
\n:local url \"https://now-dns.com/update\\3F\"\r\
\n\r\
\n:log info \"Now-DNS: sending update for \$host\"\r\
\n\r\
\n/tool fetch url=(\$url . \"hostname=\$NowHost\") user=\$NowUser password\
=\$NowPass mode=https dst-path=(\"now-dns.txt\")\r\
\n\r\
\n:log info \"Now-DNS: host \$host updated with IP \$currentIP\""
# MAC-telnet and MAC-winbox are limited to the LAN bridge via the lists above.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
# threshold=0 trigger=always with no on-event: fires continuously, does nothing.
/tool traffic-monitor
add interface=ether2-WAN2-Main name=tmon1 threshold=0 trigger=always
Thu Dec 26 12:46:23 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Thu Dec 26 12:46:23 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Dec 26 12:46:23 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Enter Management Password:
Thu Dec 26 12:46:23 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25348
Thu Dec 26 12:46:23 2019 Need hold release from management interface, waiting...
Thu Dec 26 12:46:23 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25348
Thu Dec 26 12:46:23 2019 MANAGEMENT: CMD 'state on'
Thu Dec 26 12:46:23 2019 MANAGEMENT: CMD 'log all on'
Thu Dec 26 12:46:23 2019 MANAGEMENT: CMD 'echo all on'
Thu Dec 26 12:46:23 2019 MANAGEMENT: CMD 'bytecount 5'
Thu Dec 26 12:46:23 2019 MANAGEMENT: CMD 'hold off'
Thu Dec 26 12:46:23 2019 MANAGEMENT: CMD 'hold release'
Thu Dec 26 12:46:24 2019 MANAGEMENT: CMD 'username "Auth" "admin"'
Thu Dec 26 12:46:24 2019 MANAGEMENT: CMD 'password [...]'
Thu Dec 26 12:46:24 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Dec 26 12:46:24 2019 MANAGEMENT: >STATE:1577357184,RESOLVE,,,,,,
Thu Dec 26 12:46:24 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]************:1194
Thu Dec 26 12:46:24 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Dec 26 12:46:24 2019 Attempting to establish TCP connection with [AF_INET]*************:1194 [nonblock]
Thu Dec 26 12:46:24 2019 MANAGEMENT: >STATE:1577357184,TCP_CONNECT,,,,,,
Thu Dec 26 12:46:25 2019 TCP connection established with [AF_INET]**************:1194
Thu Dec 26 12:46:25 2019 TCP_CLIENT link local: (not bound)
Thu Dec 26 12:46:25 2019 TCP_CLIENT link remote: [AF_INET]****************:1194
Thu Dec 26 12:46:25 2019 MANAGEMENT: >STATE:1577357185,WAIT,,,,,,
Thu Dec 26 12:46:25 2019 Connection reset, restarting [0]
Thu Dec 26 12:46:25 2019 SIGUSR1[soft,connection-reset] received, process restarting
Thu Dec 26 12:46:25 2019 MANAGEMENT: >STATE:1577357185,RECONNECTING,connection-reset,,,,,
Thu Dec 26 12:46:25 2019 Restart pause, 5 second(s)