MikroTik RouterOS 6.45.1 (c) 1999-2019 http://www.mikrotik.com/
[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments
[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options
/ Move up to base level
.. Move up one level
/command Use command at the base level
[admin@MikroTik] > /export compact
# nov/20/2020 15:48:06 by RouterOS 6.45.1
# software id = B7TE-D471
#
# model = 951G-2HnD
# serial number = 965009215CCA
# NOTE(review): this export carries the device serial number, software id,
# WAN address and the Wi-Fi pre-shared key in clear text. Before sharing a
# configuration, `/export hide-sensitive` (RouterOS v6) omits the secrets;
# identifiers such as the serial number still have to be removed by hand.
# NOTE(review): the banner reports RouterOS 6.45.1 (copyright 1999-2019) on an
# export taken in November 2020, so the firmware is over a year behind -
# check the current long-term/stable release and upgrade.
#
# Two bridges are created, but only LAN_Bridge receives ports later in this
# export; WiFi_bridge stays empty.
/interface bridge
add name=LAN_Bridge
add name=WiFi_bridge
# wlan1 becomes a 2.4 GHz access point named WLAN, broadcasting "Wi-Fi_shop".
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
name=WLAN ssid=Wi-Fi_shop
# ether1 is the uplink (WAN); ether2-ether5 are renamed LAN1-LAN4.
/interface ethernet
set [ find default-name=ether2 ] name=LAN1
set [ find default-name=ether3 ] name=LAN2
set [ find default-name=ether4 ] name=LAN3
set [ find default-name=ether5 ] name=LAN4
set [ find default-name=ether1 ] name=WAN
# Interface lists "Internet" and "LAN" are defined here; none of the firewall
# rules visible in this export reference them (they match on in-/out-interface
# directly).
/interface list
add name=Internet
add name=LAN
# Default wireless security profile: WPA2-PSK with dynamic keys.
# NOTE(review): the pre-shared key is published here in clear text and is an
# 8-digit number, the minimum WPA2 length and a keyspace small enough to be
# searched offline from a captured handshake. Treat it as compromised: rotate
# it to a long random passphrase.
# NOTE(review): both cipher lists still offer tkip next to aes-ccm. With
# authentication-types=wpa2-psk there is normally no need for TKIP; limiting
# unicast-ciphers and group-ciphers to aes-ccm removes the legacy cipher
# (confirm no old client depends on it).
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=40034410
# Extra IPsec policy group; nothing else in the visible export refers to it.
/ip ipsec policy group
add name=policy_group1
# NOTE(review): the default IPsec proposal is narrowed to 3DES only. 3DES is a
# legacy 64-bit-block cipher; the L2TP/IPsec server below uses this default
# proposal, so VPN payload protection depends on it. Prefer AES
# (e.g. enc-algorithms=aes-256-cbc,aes-128-cbc) once client support is
# confirmed.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
# Address pools: dhcp_pool0 serves the LAN, vpn_pool is handed to L2TP clients.
# NOTE(review): vpn_pool (77.88.1.1-77.88.1.199) lies outside the RFC 1918
# private ranges, i.e. it is publicly routable address space. Every firewall
# rule that later matches src-address=77.88.1.0/24 without an interface
# qualifier therefore also matches packets arriving on WAN with such a source
# address. A private range for the VPN pool avoids that overlap.
/ip pool
add name=dhcp_pool0 ranges=192.168.0.115-192.168.0.190
add name=vpn_pool ranges=77.88.1.1-77.88.1.199
# DHCP server for the LAN bridge, leasing from dhcp_pool0.
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN_Bridge name=dhcp1
# PPP profile used by the L2TP server: both tunnel ends take addresses from
# vpn_pool, clients get 192.168.0.1 as DNS, and bridge=LAN_Bridge is set.
# NOTE(review): local-address is drawn from the same pool as remote-address, so
# each session consumes two pool addresses - confirm that is intended.
/ppp profile
add bridge=LAN_Bridge change-tcp-mss=yes dns-server=192.168.0.1 local-address=\
vpn_pool name=l2tp_profile remote-address=vpn_pool
# All four LAN ports and the wireless interface join LAN_Bridge.
# NOTE(review): WLAN shares one layer-2 segment with the wired LAN, which per
# the NAT rules in this export contains a video server (192.168.0.67) and a
# "1c web" host (192.168.0.116). If the "Wi-Fi_shop" SSID is meant for
# customers or guests, move it to the unused WiFi_bridge with its own subnet
# and firewall rules - confirm the intended audience of the SSID.
/interface bridge port
add bridge=LAN_Bridge interface=LAN1
add bridge=LAN_Bridge interface=LAN2
add bridge=LAN_Bridge interface=LAN3
add bridge=LAN_Bridge interface=LAN4
add bridge=LAN_Bridge interface=WLAN
# L2TP server with MS-CHAPv2 user authentication and IPsec enabled; the
# ipsec-secret value appears as ***** in the export as posted.
# NOTE(review): use-ipsec=yes adds the dynamic IPsec peer but, as far as the
# RouterOS documentation describes it, still accepts L2TP sessions that arrive
# without IPsec; use-ipsec=required rejects them. Without IPsec the only
# protection is MS-CHAPv2, which is weak on its own - verify and prefer
# "required".
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_profile enabled=yes \
ipsec-secret=***** use-ipsec=yes
# Membership of the interface lists defined earlier. WLAN is not added to the
# LAN list; the lists are not used by the firewall rules shown in this export.
/interface list member
add interface=WAN list=Internet
add interface=LAN1 list=LAN
add interface=LAN2 list=LAN
add interface=LAN3 list=LAN
add interface=LAN4 list=LAN
add interface=LAN_Bridge list=LAN
# Router addresses: 192.168.0.1/24 on the LAN bridge and a static public
# address on WAN.
/ip address
add address=192.168.0.1/24 interface=LAN_Bridge network=192.168.0.0
add address=194.28.213.153/24 interface=WAN network=194.28.213.0
# DHCP clients are told to use the router as gateway and DNS server.
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
# The router answers DNS queries itself (allow-remote-requests=yes) and
# forwards them to the two upstream servers.
# NOTE(review): with this setting the resolver listens on every interface,
# including WAN; whether it is reachable from the Internet is decided solely
# by the input chain of /ip firewall filter. Any input rule that accepts WAN
# traffic too broadly turns the router into an open resolver.
/ip dns
set allow-remote-requests=yes servers=194.28.212.212,31.130.248.248
# Filter rules are evaluated top to bottom per chain; the first match decides.
# Each chain (input, forward, output) ends in an unconditional drop, so only
# what is accepted above it gets through.
/ip firewall filter
# Invalid connection-tracking state is dropped in all three chains.
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=output connection-state=invalid
# Comment decodes from Windows-1251 to roughly "Allow the MikroTik DNS":
# the router itself may send UDP/53 queries out of WAN.
add action=accept chain=output comment=\
"\D0\E0\E7\F0\E5\F8\E0\F2\FC \EC\E8\EA\F0\EE\F2\E8\EA\F3 dns " dst-port=53 \
out-interface=WAN protocol=udp
# ICMP is accepted in every chain from any source, without rate limiting.
add action=accept chain=input comment="Ping allow for any" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=output protocol=icmp
# Replies belonging to already tracked connections are accepted.
add action=accept chain=input comment=\
"Established and Related connections for any" connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=output connection-state=established,related
# NOTE(review): port= matches when EITHER the source or the destination port
# is in the list, so this rule accepts any UDP packet addressed to the router
# whose source port is 1701, 500 or 4500 - including packets to the DNS
# resolver enabled under /ip dns. Use dst-port=500,4500 for IKE/NAT-T and
# accept UDP/1701 only when it arrived inside IPsec (ipsec-policy=in,ipsec).
add action=accept chain=input comment="For VPN" port=1701,500,4500 protocol=udp
# IPsec ESP to the router is accepted from any source.
add action=accept chain=input protocol=ipsec-esp
# Comment decodes to roughly "Allows traffic from the vpn subnet (e.g. for
# internet)".
# NOTE(review): this rule and the two after it match on src-address only, with
# no in-interface. 77.88.1.0/24 is public address space, so packets arriving
# on WAN from that range are accepted to every router service (input) and
# forwarded to any destination (forward). Add an interface qualifier
# (e.g. in-interface=!WAN, as the later rules already do) or move the VPN pool
# to a private range.
add action=accept chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\F2 \F2\F0\E0\F4\
\E8\EA \E8\E7 \EF\EE\E4\F1\E5\F2\E8 vpn(\ED\E0\EF\F0\E8\EC\E5\F0 \E4\EB\FF \
\E8\ED\F2\E5\F0\ED\E5\F2\E0)" src-address=77.88.1.0/24
add action=accept chain=output src-address=77.88.1.0/24
add action=accept chain=forward src-address=77.88.1.0/24
# Comment decodes to roughly "Allows traffic from the vpn subnet to the LAN".
# The unqualified forward rule directly above already accepts everything this
# rule would match, so this narrower rule never decides a packet.
add action=accept chain=forward comment="\D0\E0\E7\F0\E5\F8\E0\E5\F2 \F2\F0\E0\
\F4\E8\EA \E8\E7 vpn \EF\EE\E4\F1\E5\F2\E8 \EA \EB\EE\EA\E0\EB\EA\E5" \
in-interface=!WAN out-interface=LAN_Bridge src-address=77.88.1.0/24
# WinBox from the Internet: present but disabled. Keep it disabled and manage
# the router over the VPN or from the LAN.
add action=accept chain=input comment="allow winbox from inet" disabled=yes \
dst-port=8291 protocol=tcp
# Comment decodes to roughly "Allow connecting from the local network":
# LAN hosts arriving on any interface other than WAN may reach all router
# services.
add action=accept chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \EF\EE\E4\EA\
\EB\FE\F7\E0\F2\FC\F1\FF \E8\E7 \EB\EE\EA\E0\EB\FC\ED\EE\E9 \F1\E5\F2\E8" \
in-interface=!WAN src-address=192.168.0.0/24
# Comment decodes to roughly "Allow traffic from the LAN to the internet".
add action=accept chain=forward comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \EF\F0\EE\
\F5\EE\E6\E4\E5\ED\E8\E5 \F2\F0\E0\F4\E8\EA\E0 \E8\E7 \EB\EE\EA\E0\EB\EA\E8 \
\E2 \E8\ED\F2\E5\F0\ED\E5\F2" in-interface=!WAN out-interface=WAN
# NOTE(review): accepts forwarded TCP/37896 with no interface, source or
# destination restriction. Together with the matching dst-nat rule this
# publishes the video server to the whole Internet. Restrict it with a
# src-address-list of known viewers, or reach the device through the VPN.
add action=accept chain=forward comment="allow dvr to inet" dst-port=37896 \
protocol=tcp
# Disabled port-forward companion for the "1c web" host; if re-enabled it
# would expose plain HTTP (TCP/80) in the same unrestricted way.
add action=accept chain=forward comment="for 1c web" disabled=yes dst-port=80 \
protocol=tcp
# Default-deny tail of each chain.
# NOTE(review): the output drop leaves the router able to originate only
# UDP/53 to WAN, ICMP and traffic sourced from 77.88.1.0/24. Presumably this
# also blocks the router's own upgrade checks and time sync - confirm, since
# it affects keeping the firmware patched.
add action=drop chain=input comment="All other drop"
add action=drop chain=forward
add action=drop chain=output
/ip firewall nat
# Source NAT for everything leaving through WAN.
add action=masquerade chain=srcnat comment=Masquarade out-interface=WAN
# Port forward TCP/37896 to the video server at 192.168.0.67.
# NOTE(review): the rule has no in-interface or dst-address, so it rewrites
# every TCP connection to port 37896 that passes through the router, in either
# direction, and it exposes the device to any Internet source. Scope it with
# in-interface=WAN (or dst-address=<router WAN address>) and limit the allowed
# sources in the filter table.
add action=dst-nat chain=dstnat comment="for video server" dst-port=37896 \
protocol=tcp to-addresses=192.168.0.67 to-ports=37896
# Disabled forward of TCP/80 to 192.168.0.116; the same scoping remarks apply
# if it is ever enabled.
add action=dst-nat chain=dstnat comment="for 1c web" disabled=yes dst-port=80 \
protocol=tcp to-addresses=192.168.0.116 to-ports=80
# Default route via the provider gateway, plus a route sending 77.88.1.0/24
# (the VPN pool range) to the LAN bridge.
# NOTE(review): because the VPN pool is public address space, this route also
# diverts traffic for the real Internet hosts in that /24 onto the LAN.
/ip route
add distance=1 gateway=194.28.213.1
add distance=1 dst-address=77.88.1.0/24 gateway=LAN_Bridge
# telnet, ftp, www and ssh are switched off.
# NOTE(review): a compact export lists only non-default settings, so winbox,
# api and api-ssl are presumably still enabled on their default ports. Disable
# the ones not in use and bind the rest to the management subnet, e.g.
# `set winbox address=192.168.0.0/24`, so access does not depend on the
# firewall alone.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
# No PPP secrets appear in the export as posted (either none are configured or
# they were removed before posting).
/ppp secret
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow