# dec/25/2020 17:31:36 by RouterOS 6.48
# software id = ITFC-IZ9N
#
# model = RBD52G-5HacD2HnD
# serial number = BXXXXXXXXXX5
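/caps-man channel add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX name=dumpel
/caps-man channel add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XXXX name=dumpel_5G
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(20dBm), SSID: dumpel, local forwarding
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=dumpel station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface wireless
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: dumpel_5G, local forwarding
# The channel comment above and the set command below shared one line in the original listing;
# a '#' comment runs to end of line, so wlan2 would never have been configured on re-import.
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=dumpel_5G station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface bridge add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet set [ find default-name=ether1 ] comment=wan
/caps-man datapath add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=home_matrix
# WPA2-PSK with AES-CCM; the passphrase does not appear in this export (hidden or scrubbed).
/caps-man security add authentication-types=wpa2-psk encryption=aes-ccm name=home_marix
/caps-man configuration add channel=dumpel country=russia3 datapath=home_matrix mode=ap name=dumpel rx-chains=0,1,2,3 security=home_marix ssid=dumpel ssid=dumpel tx-chains=0,1,2,3
# NOTE(review): this configuration is named fdumpel_5G, but the 5G provisioning rule further down
# references master-configuration=dumpel_5G; one of the two looks like a typo - confirm before re-importing.
/caps-man configuration add channel=dumpel_5G country=russia3 datapath=home_matrix mode=ap name=fdumpel_5G rx-chains=0,1,2,3 security=home_marix ssid=dumpel_5G tx-chains=0,1,2,3
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
# include=dynamic places every dynamic interface in VPN, not only L2TP sessions, and the input rule
# "allow all dumpel vpn traffic" accepts everything from this list. Check with
# /interface list member print that only the intended tunnels land here.
/interface list add include=dynamic name=VPN
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip pool add name=dhcp ranges=10.10.10.10-10.10.10.100
/ip pool add name=vpn ranges=10.10.1.10-10.10.1.50
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile add dns-server=10.10.1.1 interface-list=VPN local-address=10.10.1.1 name=l2tp remote-address=vpn
/ppp profile add name=vpn99 use-encryption=yes
# PPTP with chap and mschap1 still allowed: those methods and PPTP's MPPE keying offer weak protection.
# Prefer an IPsec-based tunnel if the provider offers one; at minimum restrict allow=mschap2.
/interface pptp-client add allow=chap,mschap1,mschap2 connect-to=th.vpn99.net disabled=no name=pptp-vpn99 profile=vpn99 user=user
/routing bgp instance set default as=64999 ignore-as-path-len=yes router-id=x.x.x.x
# Plain BSD syslog (UDP, unauthenticated, unencrypted) to a LAN host; acceptable inside the LAN only.
/system logging action set 3 bsd-syslog=yes remote=10.10.10.20
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager set enabled=yes
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=b,g,gn master-configuration=dumpel name-format=prefix-identity name-prefix=2G
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=a,an,ac master-configuration=dumpel_5G name-format=prefix-identity name-prefix=5G
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=wlan1
/interface bridge port add bridge=bridge comment=defconf interface=wlan2
/ip firewall connection tracking set tcp-established-timeout=1h
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface detect-internet set detect-interface-list=all
# L2TP is only accepted inside IPsec (use-ipsec=required); the IPsec secret is not part of this export.
/interface l2tp-server server set authentication=mschap2 default-profile=l2tp enabled=yes use-ipsec=required
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
# NOTE(review): the LAN address sits on ether2, which is a bridge port, while the DHCP server above is
# bound to bridge; defconf normally places this address on bridge - verify which is intended.
/ip address add address=10.10.10.1/24 comment=defconf interface=ether2 network=10.10.10.0
# Publishes the WAN address to MikroTik's DDNS service.
/ip cloud set ddns-enabled=yes
/ip dhcp-client add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network add address=10.10.10.0/24 comment=defconf gateway=10.10.10.1 netmask=24
# The router resolves for the LAN (allow-remote-requests) and forwards upstream over DoH with
# certificate verification; the "drop all not coming from LAN" input rule keeps the resolver off the WAN.
/ip dns set allow-remote-requests=yes use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static add address=10.10.10.1 name=router.lan
# Static records for the DoH/upstream hostnames - presumably so the DoH endpoint resolves before DoH is up.
/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns static add address=1.1.1.1 name=cloudflare-dns.com
/ip dns static add address=1.0.0.1 name=cloudflare-dns.com
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Allow localhost connection input" src-address=127.0.0.1
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# 500/4500 must stay reachable in the clear for IKE/NAT-T; 1701 could be accepted only with
# ipsec-policy=in,ipsec so unencrypted L2TP never reaches the server.
/ip firewall filter add action=accept chain=input comment="l2tp vpn server" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
# Accepts all input from every VPN-list member (see include=dynamic above), not only from L2TP clients.
/ip firewall filter add action=accept chain=input comment="allow all dumpel vpn traffic " in-interface-list=VPN
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=output comment="Allow localhost connection output" dst-address=127.0.0.1
# action=accept in dstnat passes the packet untranslated, so to-addresses/to-ports on these rules have
# no effect and the forward chain still drops new WAN connections that were not DSTNATed.
# Use action=dst-nat if the NAS forwards are meant to work (the two disabled ones included).
/ip firewall nat add action=accept chain=dstnat comment=openvpn disabled=yes dst-port=1194 in-interface=ether1 protocol=udp to-addresses=10.10.10.20 to-ports=1194
/ip firewall nat add action=accept chain=dstnat comment="ssh to NAS" disabled=yes dst-port=31337 in-interface=ether1 protocol=tcp to-addresses=10.10.10.20 to-ports=31337
/ip firewall nat add action=accept chain=dstnat comment="torrents to NAS udp" dst-port=16881 in-interface=ether1 protocol=udp to-addresses=10.10.10.20 to-ports=16881
/ip firewall nat add action=accept chain=dstnat comment="torrents to NAS tcp" dst-port=16881 in-interface=ether1 protocol=tcp to-addresses=10.10.10.20 to-ports=16881
# A dstnat accept does not open TCP/179 in the input chain; as written this rule appears to be a no-op.
/ip firewall nat add action=accept chain=dstnat comment="BGP access" dst-port=179 in-interface=ether1 protocol=tcp
/ip firewall nat add action=redirect chain=dstnat comment="redirect all dns to local" dst-port=53 in-interface-list=LAN protocol=udp
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): src-address-list is empty here - confirm whether everything routed out pptp-vpn99 is
# meant to be masqueraded, or whether an address list was supposed to be referenced.
/ip firewall nat add action=masquerade chain=srcnat comment="RKN via vpn" out-interface=pptp-vpn99 src-address-list=""
/ip route add distance=1 dst-address=163.172.210.8/32 gateway=pptp-vpn99
# telnet/ftp/www/api(-ssl) off, www-ssl limited to the LAN subnet. ssh and winbox are not listed, so
# presumably at defaults (no address restriction) and shielded only by the input chain's non-LAN drop.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set www-ssl address=10.10.10.0/24
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
# The secret's password is not part of this export.
/ppp secret add name=user profile=l2tp
# The only bgp_in rule accepts everything and forces next-hop to pptp-vpn99, and no prefix limit is set
# on the session, so whatever this peer advertises is steered into the tunnel.
/routing bgp peer add hold-time=4m in-filter=bgp_in keepalive-time=1m multihop=yes name=antifilter remote-address=163.172.210.8 remote-as=65432 ttl=default
/routing filter add action=accept chain=bgp_in comment="Set nexthop to VPN" set-in-nexthop-direct=pptp-vpn99
/system clock set time-zone-name=Europe/Moscow
/system identity set name=brain
/system logging add action=remote topics=error
/system logging add action=remote topics=critical
/system logging add action=remote topics=info
/system logging add action=remote topics=system
/system logging add action=remote topics=warning
/system logging add action=remote topics=firewall
/system ntp client set primary-ntp=46.17.104.93 secondary-ntp=85.21.78.23
/system ntp server set multicast=yes
# Both the scheduler and the script carry password,sniff,sensitive,reboot policies, yet the script only
# disables and re-enables BGP peers; policy=read,write on both would follow least privilege.
/system scheduler add interval=5m name=bgp_watch on-event="/system script run bgp_restart" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script add dont-require-permissions=no name=bgp_restart owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/routing bgp peer {\r\
\n :foreach peer in [find state!=\"established\" and disabled=no] do={\r\
\n :log warning \"Restart stuck BGP Peer: \$([get \$peer name])\"\r\
\n disable \$peer\r\
\n :delay 100ms\r\
\n enable \$peer\r\
\n }\r\
\n}"
# auto-send-supout mails the support file, which embeds the configuration, on watchdog events;
# the receiving mailbox should be treated as holding sensitive data.
/system watchdog set auto-send-supout=yes ping-start-after-boot=30m send-email-to=xxx@gmail.com watchdog-timer=no
/tool bandwidth-server set enabled=no
# SMTP over TLS; the account password is not part of this export.
/tool e-mail set address=smtp.gmail.com from=xxx@gmail.com port=465 start-tls=tls-only user=xxx@gmail.com
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN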