Re: Паразитный трафик
Добавлено: 22 мар 2019, 22:23
oleg.ohotnikov
[admin@MikroTik] > export
# mar/22/2019 21:16:20 by RouterOS 6.44.1
# software id = 4VXZ-PD40
#
# model = 951Ui-2nD
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=6C:3B:6B:DA:5F:83 auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:82
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:83 name=ether2-master
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:84
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:85
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:86
/interface wireless
set [ find default-name=wlan1 ] name=wlan2 ssid=MikroTik
/interface pptp-client
add add-default-route=yes connect-to=172.28.28.214 disabled=no name=pptp-out1 password="xxxxxxxxx" \
user=xxxxxxxxxx
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=10.110.210.10-10.110.210.100
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=*6
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add list=discover
add interface=bridge list=discover
add interface=wlan2 list=discover
add interface=pptp-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=10.110.210.1/24 comment=defconf interface=bridge network=10.110.210.0
/ip dhcp-client
add comment=defconf default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
add address=10.110.210.254 name=xxxxxxxx
/ip firewall filter
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="Accept established connections" connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=input comment="Accept related connections" connection-state=related
add action=accept chain=forward connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=accept chain=forward protocol=udp
add action=accept chain=forward comment="Access to Internet from local network" in-interface=bridge \
src-address=10.110.210.0/24
add action=drop chain=input comment="All other drop"
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether
add action=dst-nat chain=dstnat dst-port=80,443,3333,2222,7777,3389,1433,21,20 in-in
protocol=tcp to-addresses=10.110.210.254
add action=dst-nat chain=dstnat disabled=yes dst-address=10.110.210.1 dst-port=\
80,443,3333,2222,7777,3389,1433 protocol=tcp to-addresses=10.110.210.254
add action=dst-nat chain=dstnat dst-port=1935,3478,8089,8088 in-interface=pptp-out1
to-addresses=10.110.210.253
add action=dst-nat chain=dstnat disabled=yes dst-address=10.110.210.1 dst-port=1935,
to-addresses=10.110.210.253
add action=dst-nat chain=dstnat dst-port=3478,10000-20000,49000-65535 in-interface=p
udp to-addresses=10.110.210.253
add action=dst-nat chain=dstnat disabled=yes dst-address=10.110.210.1 dst-port=\
3478,10000-20000,49000-65535 protocol=udp to-addresses=10.110.210.253
add action=masquerade chain=srcnat out-interface=pptp-out1
add action=accept chain=dstnat dst-port=8291 in-interface=pptp-out1 protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8090
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip socks
set enabled=yes max-connections=500 port=3629
/ip socks access
add action=deny src-address=!5.96.0.0/12
/ip ssh
set allow-none-crypto=yes
/system clock
set time-zone-name=Europe/Kaliningrad
/system ntp client
set enabled=yes primary-ntp=52.178.161.41
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
# mar/22/2019 21:16:20 by RouterOS 6.44.1
# software id = 4VXZ-PD40
#
# model = 951Ui-2nD
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=6C:3B:6B:DA:5F:83 auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:82
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:83 name=ether2-master
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:84
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:85
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
mac-address=6C:3B:6B:DA:5F:86
/interface wireless
set [ find default-name=wlan1 ] name=wlan2 ssid=MikroTik
/interface pptp-client
add add-default-route=yes connect-to=172.28.28.214 disabled=no name=pptp-out1 password="xxxxxxxxx" \
user=xxxxxxxxxx
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=10.110.210.10-10.110.210.100
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=*6
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add list=discover
add interface=bridge list=discover
add interface=wlan2 list=discover
add interface=pptp-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=10.110.210.1/24 comment=defconf interface=bridge network=10.110.210.0
/ip dhcp-client
add comment=defconf default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
add address=10.110.210.254 name=xxxxxxxx
/ip firewall filter
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="Accept established connections" connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=input comment="Accept related connections" connection-state=related
add action=accept chain=forward connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=accept chain=forward protocol=udp
add action=accept chain=forward comment="Access to Internet from local network" in-interface=bridge \
src-address=10.110.210.0/24
add action=drop chain=input comment="All other drop"
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether
add action=dst-nat chain=dstnat dst-port=80,443,3333,2222,7777,3389,1433,21,20 in-in
protocol=tcp to-addresses=10.110.210.254
add action=dst-nat chain=dstnat disabled=yes dst-address=10.110.210.1 dst-port=\
80,443,3333,2222,7777,3389,1433 protocol=tcp to-addresses=10.110.210.254
add action=dst-nat chain=dstnat dst-port=1935,3478,8089,8088 in-interface=pptp-out1
to-addresses=10.110.210.253
add action=dst-nat chain=dstnat disabled=yes dst-address=10.110.210.1 dst-port=1935,
to-addresses=10.110.210.253
add action=dst-nat chain=dstnat dst-port=3478,10000-20000,49000-65535 in-interface=p
udp to-addresses=10.110.210.253
add action=dst-nat chain=dstnat disabled=yes dst-address=10.110.210.1 dst-port=\
3478,10000-20000,49000-65535 protocol=udp to-addresses=10.110.210.253
add action=masquerade chain=srcnat out-interface=pptp-out1
add action=accept chain=dstnat dst-port=8291 in-interface=pptp-out1 protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8090
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip socks
set enabled=yes max-connections=500 port=3629
/ip socks access
add action=deny src-address=!5.96.0.0/12
/ip ssh
set allow-none-crypto=yes
/system clock
set time-zone-name=Europe/Kaliningrad
/system ntp client
set enabled=yes primary-ntp=52.178.161.41
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
