Очередное offering lease without success.....

SPAX
Сообщения: 19
Зарегистрирован: 13 окт 2019, 19:21

Всем привет.
Имеется hap ac2, 2 wifi точки в мост SXTsq Lite 2, и на конце одной TP-Link с OpenWRT
На TP-Link стоит статика, DHCP отключено, Gateway и DNS стоят 192.168.1.1, все порты в бридже.
Так вот микрот каждые 10 секунд сыпет в лог про этот тплинк: «offering lease 192.168.1.4 for **:EA:**:E0:**:81 without success». Если убрать в микроте статическую аренду для тплинка, он почему-то пишет «Detected conflict by ARP response for 192.168.1.4 from **:EA:**:E0:**:81» и выдаёт ему другой IP — 192.168.1.5.
Подскажите, пожалуйста, что можно с этим сделать?
Вот настройки, если что.
 
/interface bridge
# LAN bridge; the fixed admin MAC keeps the bridge address stable across reboots.
add name=bridge-to-LAN admin-mac=B**********B auto-mac=no port-cost-mode=short
# WAN "bridge" holds only ether1; STP is off and fast-forward is disabled on it.
add name=bridge-to-WAN mtu=1500 fast-forward=no protocol-mode=none port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-MY
# Loop protection on ether3/ether4 (presumably the ports toward the SXTsq back-haul).
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
/interface sstp-client
# NOTE(review): verify-server-address-from-certificate=no, and verify-server-certificate
# is left at its default (no), so the SSTP server's TLS certificate is never validated.
# An on-path attacker can impersonate the server and capture the MSCHAPv2 exchange.
# Import the server's CA certificate and enable verification before relying on this tunnel.
add name=sstp-out1 connect-to=1*******8 user=**** authentication=mschap2 max-mtu=1480 disabled=no \
    verify-server-address-from-certificate=no
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf
add name=VPN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK only, PMKID disabled (blocks the offline PMKID-capture attack), no EAP.
add name=Pass_for_wifi mode=dynamic-keys authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    supplicant-identity=MikroTik
/interface wireless
# 2.4 GHz AP, bridged into bridge-to-LAN; WPS is off on both radios.
set [ find default-name=wlan1 ] name=wlan1-2GHz mode=ap-bridge band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    frequency=auto country=russia antenna-gain=0 distance=indoors wireless-protocol=802.11 \
    security-profile=Pass_for_wifi ssid=FSB_network wps-mode=disabled wmm-support=enabled \
    station-roaming=enabled hw-protection-mode=rts-cts adaptive-noise-immunity=ap-and-client-mode \
    multicast-helper=full multicast-buffering=disabled disabled=no
# 5 GHz AP. No disabled=no is exported for this radio, so as exported it appears to be off.
set [ find default-name=wlan2 ] name=wlan2-5GHz mode=ap-bridge band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee \
    frequency=auto country=russia antenna-gain=0 distance=indoors wireless-protocol=802.11 \
    security-profile=Pass_for_wifi ssid="Troyan C:/5GHz" wps-mode=disabled wmm-support=enabled \
    station-roaming=enabled hw-protection-mode=cts-to-self adaptive-noise-immunity=ap-and-client-mode \
    multicast-helper=full
/interface wireless nstreme
set wlan1-2GHz enable-polling=no
set wlan2-5GHz enable-polling=no
/ip dhcp-client option
# Option 55 (parameter request list) sent to the upstream DHCP server, as raw bytes:
# 0x01 subnet mask, 0xF9 (249) MS classless static routes, 0x03 router,
# 0x21 (33) static route, 0x06 DNS servers, 0x2A (42) NTP servers.
add name=parameter_request_list code=55 value=0x01F90321062A
/ip kid-control
# Kid-control profile "Artem": every day is 0s-1d, i.e. the whole day is allowed, so the
# profile imposes no time window by itself; it only acts when a device is paused.
add name=Artem mon=0s-1d tue=0s-1d wed=0s-1d thu=0s-1d fri=0s-1d sat=0s-1d sun=0s-1d
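/ip pool
# FIX: the exported range 192.168.1.1-192.168.1.199 contained the router's own address
# (192.168.1.1, see /ip address). The dynamic range now starts above the router and the
# hand-pinned hosts (.2-.18 have static leases); a static lease may live outside the pool,
# so the pinned hosts are unaffected.
# NOTE(review): 192.168.1.139 and .185 are policy-routed into the SSTP tunnel by
# /ip firewall mangle but have no static lease, so they can silently change address and
# fall out of the VPN; give them static leases as well.
add name=LAN-pool-dhcp ranges=192.168.1.20-192.168.1.199
/ip dhcp-server
# Single LAN server on the bridge; 3d10m leases, BOOTP answered dynamically.
add name=LAN-dhcp interface=bridge-to-LAN address-pool=LAN-pool-dhcp lease-time=3d10m bootp-support=dynamic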
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
# "*0" is the built-in default profile. NOTE(review): use-encryption=no means no MPPE;
# inside SSTP the TLS layer already encrypts, but anything using this profile over a
# plain L2TP link would be clear-text.
set *0 use-mpls=no use-compression=no use-encryption=no
/routing bgp template
# BGP template / OSPF instance are enabled, but no BGP connection or OSPF interface is
# defined in this export and the OSPF area is disabled, so nothing is actually peering.
set default disabled=no output.network=bgp-networks
/routing ospf instance
add name=default-v2 disabled=no
/routing ospf area
add name=backbone-v2 instance=default-v2 disabled=yes
/routing table
# Extra FIB table looked up by the "sstp" routing mark.
add name=sstp fib disabled=no
/interface bridge port
# LAN ports. hw=no takes ether2-ether5 off the switch chip and bridges them in the CPU
# (the reason is not visible here -- presumably one of the per-port features needs it).
add bridge=bridge-to-LAN interface=ether2-MY hw=no ingress-filtering=no path-cost=10 internal-path-cost=10
add bridge=bridge-to-LAN interface=ether3 hw=no ingress-filtering=no path-cost=10 internal-path-cost=10
add bridge=bridge-to-LAN interface=ether4 hw=no ingress-filtering=no path-cost=10 internal-path-cost=10
add bridge=bridge-to-LAN interface=wlan1-2GHz ingress-filtering=no path-cost=10 internal-path-cost=10
add bridge=bridge-to-LAN interface=wlan2-5GHz ingress-filtering=no path-cost=10 internal-path-cost=10
add bridge=bridge-to-WAN interface=ether1-WAN ingress-filtering=no path-cost=10 internal-path-cost=10
add bridge=bridge-to-LAN interface=ether5 hw=no ingress-filtering=no path-cost=10 internal-path-cost=10
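/ip firewall connection tracking
# Short UDP timeout keeps the conntrack table small.
set udp-timeout=10s
/ip neighbor discovery-settings
# FIX: "!WAN" still announced MNDP/CDP/LLDP (identity, RouterOS version, MAC, addresses)
# out of sstp-out1, which is a member of the VPN list, not WAN -- i.e. to the far side of
# the tunnel. Discover on the LAN list only; MAC-server/MAC-Winbox are already LAN-only.
set discover-interface-list=LAN
/ipv6 settings
# IPv6 fully disabled -- consistent with this export, which contains no /ipv6 firewall.
set disable-ipv6=yes max-neighbor-entries=8192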
/interface list member
# sstp-out1 sits in its own "VPN" list, so a firewall rule keyed on
# in-interface-list=WAN does not see traffic that arrives through the tunnel.
add list=LAN interface=bridge-to-LAN
add list=WAN interface=bridge-to-WAN
add list=WAN interface=L2TP-Beeline disabled=yes
add list=VPN interface=sstp-out1
/interface ovpn-server server
# NOTE(review): md5 is still offered as an HMAC choice; prefer auth=sha1 unless a legacy
# client requires md5. Whether this server is enabled is not part of the export.
add name=ovpn-server1 mac-address=******* auth=sha1,md5
/ip address
add interface=bridge-to-LAN address=192.168.1.1/24 network=192.168.1.0
/ip arp
# Static ARP pins for the hand-addressed hosts. With bridge-to-LAN at the default
# arp=enabled these only fix what the router itself resolves; they do not stop another
# host from claiming the address (that needs arp=reply-only on the bridge, after which
# every LAN host must be listed here or it loses connectivity).
add interface=bridge-to-LAN address=192.168.1.11 mac-address=5*******
add interface=bridge-to-LAN address=192.168.1.12 mac-address=7*********B
add interface=bridge-to-LAN address=192.168.1.18 mac-address=0********A
add interface=bridge-to-LAN address=192.168.1.17 mac-address=D************0
add interface=bridge-to-LAN address=192.168.1.2 mac-address=7********E5
add interface=bridge-to-LAN address=192.168.1.3 mac-address=7*********B
add interface=bridge-to-LAN address=192.168.1.6 mac-address=3***********1
add interface=bridge-to-LAN address=192.168.1.4 mac-address=74**************1
/ip cloud
# MikroTik DDNS name refreshed every 3 minutes.
set ddns-enabled=yes ddns-update-interval=3m
/ip dhcp-client
# Upstream lease on the WAN bridge; requests the custom option-55 list and installs the
# default route at distance 2 in the main table.
add interface=bridge-to-WAN dhcp-options=clientid,hostname,parameter_request_list \
    add-default-route=special-classless default-route-distance=2
/ip dhcp-server lease
# Static leases for the pinned LAN hosts.
add server=LAN-dhcp address=192.168.1.11 mac-address=5***********9
add server=LAN-dhcp address=192.168.1.12 mac-address=70********B client-id=1:7********b
add server=LAN-dhcp address=192.168.1.17 mac-address=D********0 client-id=1:d**********0
add server=LAN-dhcp address=192.168.1.18 mac-address=0*******6A client-id=1:**********6a
add server=LAN-dhcp address=192.168.1.2 mac-address=7*******5 client-id=1:7***********5
add server=LAN-dhcp address=192.168.1.3 mac-address=7**********B client-id=1:**********
add server=LAN-dhcp address=192.168.1.6 mac-address=3**********1 client-id=1:*******1
add server=LAN-dhcp address=192.168.1.8 mac-address=0************9 client-id=1:0***********9
# The TP-Link / OpenWrt box (192.168.1.4). On the two log lines from the thread:
#  * "offering lease 192.168.1.4 for <mac> without success" -- a DHCPDISCOVER came in
#    from that MAC, the server answered with an OFFER, and no DHCPREQUEST ever followed.
#    So something with that MAC is still running a DHCP client even though the box's
#    LAN side is static; on OpenWrt the usual suspect is the `wan` interface (proto dhcp
#    by default) sharing a bridge or physical port with the LAN. Setting it to proto
#    none (or deleting it) should stop the DISCOVERs.
#  * "Detected conflict by ARP response for 192.168.1.4 from <mac>" -- without the static
#    lease the server ARP-probes the candidate address before offering it; the box already
#    answers for .4 from its static config, so the server marks .4 as taken and hands out
#    .5. Most likely that is the same device seen twice (static address + a live DHCP
#    client), not another host.
#  * If the SXTsq pair runs in station-pseudobridge rather than station-bridge mode, its
#    MAC translation also breaks DHCP for hosts behind it -- worth confirming.
add server=LAN-dhcp address=192.168.1.4 mac-address=74:***********1
/ip dhcp-server network
# NOTE(review): handing out 8.8.8.8 / 1.1.1.1 next to the router means clients may query
# them directly and bypass the router's resolver (and its static names).
add address=192.168.1.0/24 netmask=24 gateway=192.168.1.1 dns-server=192.168.1.1,8.8.8.8,1.1.1.1 comment=defconf
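/ip dns
# Router-side resolver for LAN clients, forwarding to Google/Cloudflare in plain DNS.
# allow-remote-requests=yes makes it answer on every interface; the WAN side is closed by
# the input filter, but interfaces in the VPN list (sstp-out1) are not covered by those
# WAN drop rules in this export.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
# FIX: the stale defconf entry pointed router.lan at 192.168.88.1, an address this router
# does not hold (its LAN address is 192.168.1.1), so the name resolved to nothing useful.
add name=router.lan type=A address=192.168.1.1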
/ip firewall address-list
# The whole LAN as one list. Nothing in this export references FULL-SSTP, and the
# Discord-sstp list that the mangle rules match on is not defined here either -- both
# are presumably maintained by hand or by something outside the export.
add list=FULL-SSTP address=192.168.1.0/24
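/ip firewall filter
# Rule order matters: fasttrack/accept established first, drop invalid, then the WAN
# protections and the catch-all drops. Only the LAN<->bridge-to-WAN pairs are fasttracked,
# presumably so traffic policy-routed into sstp-out1 keeps traversing mangle (fasttracked
# packets bypass it).
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes \
    in-interface=bridge-to-LAN out-interface=bridge-to-WAN
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes \
    in-interface=bridge-to-WAN out-interface=bridge-to-LAN
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes disabled=yes
add chain=forward action=accept comment="ALLOW established, related" connection-state=established,related
add chain=input action=accept connection-state=established,related
add chain=forward action=drop comment="DROP Invalid" connection-state=invalid
add chain=input action=drop connection-state=invalid
# SYN-flood / new-connection rate limiting for WAN; offenders go to DDoS-blacklist, which
# /ip firewall raw drops before connection tracking.
add chain=input action=jump jump-target=SYN-Protect comment="DDoS - SYN flood protection" protocol=tcp \
    connection-state=new connection-limit=100,32 in-interface-list=WAN
add chain=SYN-Protect action=return limit=200,5:packet
add chain=SYN-Protect action=add-src-to-address-list address-list=DDoS-blacklist address-list-timeout=1w3d \
    log-prefix="DDoS: SYN-Protect"
add chain=input action=jump jump-target=DDoS-Protect comment="DDoS - Main protection" connection-state=new \
    in-interface-list=WAN
add chain=DDoS-Protect action=return dst-limit=15,15,src-address/10s
add chain=DDoS-Protect action=add-src-to-address-list address-list=DDoS-blacklist address-list-timeout=1w3d \
    log-prefix="DDoS: -MAIN-Protect"
# Three-strike Winbox scanner trap (stage lists expire after 1m; the final list is kept
# until reboot). The accept that would let one MAC in from WAN is disabled, so these rules
# only log and blacklist; 8291 itself is closed by the catch-all WAN drop below.
add chain=input action=drop comment="1.5. Protected - WinBox Access" src-address-list="Black List Winbox" \
    log=yes log-prefix=WINBOX-block
add chain=input action=add-src-to-address-list address-list="Black List Winbox" address-list-timeout=none-dynamic \
    protocol=tcp dst-port=8291 connection-state=new in-interface-list=WAN src-address-list="Winbox Stage 3" \
    log=yes log-prefix="BLACK WINBOX"
add chain=input action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m \
    protocol=tcp dst-port=8291 connection-state=new in-interface-list=WAN src-address-list="Winbox Stage 2" \
    log=yes log-prefix=WINBOX
add chain=input action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m \
    protocol=tcp dst-port=8291 connection-state=new in-interface-list=WAN src-address-list="Winbox Stage 1" \
    log=yes log-prefix=WINBOX
add chain=input action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m \
    protocol=tcp dst-port=8291 connection-state=new in-interface-list=WAN log=yes log-prefix=WINBOX
# Disabled; a source-MAC match is meaningless beyond the first hop on WAN anyway.
add chain=input action=accept comment="Winbox-MY access" disabled=yes protocol=tcp dst-port=8291 \
    in-interface-list=WAN src-address-list="" src-mac-address=6***************4 log=yes log-prefix=WINBOX-accept
# Catch-all drops for the internet side.
add chain=input action=drop comment="DROP - Block all other input/forward connections on the WAN" in-interface-list=WAN
add chain=forward action=drop in-interface-list=WAN
# FIX: sstp-out1 is a member of the VPN list only, so the two drops above never matched it.
# The router's services (the resolver with allow-remote-requests=yes, Winbox on 8291) and,
# if the far side routes to 192.168.1.0/24, the LAN hosts were reachable from the tunnel's
# other end. Replies to tunnel traffic are accepted as established/related further up, so
# dropping the rest is safe.
add chain=input action=drop comment="DROP - everything else arriving from the SSTP tunnel" in-interface-list=VPN
add chain=forward action=drop comment="DROP - unsolicited forward from the SSTP tunnel" in-interface-list=VPN
# NOTE(review): the dst-nat rules for 192.168.1.17 and .11 in /ip firewall nat have no
# matching forward accept (there is no accept for connection-nat-state=dstnat, and the
# defconf "drop all from WAN not DSTNATed" rule is disabled), so as exported the new
# connections they redirect are discarded by the WAN forward drop above. If those forwards
# are intended, add an accept for connection-nat-state=dstnat in-interface-list=WAN --
# ideally limited by src-address -- in front of the forward drop rather than removing it.
add chain=input action=accept comment="defconf: accept ICMP" disabled=yes protocol=icmp
add chain=input action=accept comment="DELTA-MY access" disabled=yes protocol=tcp dst-port=*** \
    connection-state=new in-interface=bridge-to-WAN log=yes log-prefix=DELTA-accept
add chain=forward action=accept comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add chain=forward action=drop comment="defconf: drop all from WAN not DSTNATed" disabled=yes connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN
# Leftovers from the former L2TP-Beeline uplink (all disabled).
add chain=input action=add-src-to-address-list comment=DNS_FLOOD disabled=yes address-list=DNS_FLOOD \
    address-list-timeout=none-dynamic protocol=udp dst-port=53 in-interface=L2TP-Beeline
add chain=input action=drop comment=DNS_FLOOD disabled=yes protocol=udp dst-port=53 in-interface=L2TP-Beeline
add chain=forward action=accept disabled=yes protocol=tcp dst-port=8999 in-interface-list=WAN
add chain=input action=drop comment=Close_9443_for_all disabled=yes protocol=tcp dst-port=9443 in-interface=bridge-to-WAN
add chain=input action=drop comment=Close_8080_for_all disabled=yes protocol=tcp dst-port=8080 in-interface=bridge-to-WAN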
/ip firewall mangle
# Global MSS clamp on forwarded SYNs (presumably for the 1480-byte SSTP path).
add chain=forward action=change-mss new-mss=1360 protocol=tcp tcp-flags=syn tcp-mss=1453-65535
# Policy routing: the hosts/destinations below get routing-mark "sstp" and use the tunnel's
# table. NOTE(review): .139 and .185 have no static lease, so a renewed address silently
# drops them out of the VPN; the Discord-sstp list is not defined anywhere in this export,
# so that rule matches nothing unless the list is filled by something not shown.
add chain=prerouting action=mark-routing new-routing-mark=sstp comment="SSTP-MY comp" disabled=yes \
    src-address=192.168.1.14
add chain=prerouting action=mark-routing new-routing-mark=sstp comment=SSTP-S24Ultra src-address=192.168.1.139
add chain=prerouting action=mark-routing new-routing-mark=sstp comment=Discord-sstp dst-address-list=Discord-sstp
add chain=prerouting action=mark-routing new-routing-mark=sstp comment=SSTP-TV disabled=yes src-address=192.168.1.19
# Leftovers from the former L2TP-Beeline uplink (disabled).
add chain=forward action=change-mss disabled=yes new-mss=1420 protocol=tcp tcp-flags=syn tcp-mss=1421-65535 \
    in-interface=L2TP-Beeline
add chain=forward action=change-mss disabled=yes new-mss=1420 protocol=tcp tcp-flags=syn tcp-mss=1421-65535 \
    out-interface=L2TP-Beeline
add chain=prerouting action=mark-routing new-routing-mark=sstp comment=SSTP-Garage disabled=yes src-address=192.168.1.5
add chain=prerouting action=mark-routing new-routing-mark=sstp comment=SSTP-Natali src-address=192.168.1.185
/ip firewall nat
# Outbound NAT for the WAN list (IPsec-policy traffic excluded) and for the SSTP tunnel.
add chain=srcnat action=masquerade comment=Masquerade out-interface-list=WAN ipsec-policy=out,none
# Port forwards from the internet to the Raspberry (192.168.1.17) and the printer (.11).
# NOTE(review): the filter's forward chain has no accept for dst-natted connections and
# drops everything new from the WAN list, so as exported these redirects do not complete.
# If they are re-enabled in the filter, limit them by src-address -- 80/8080/8440-8443 on a
# home device are a common entry point.
add chain=dstnat action=dst-nat comment=Raspberry protocol=tcp dst-port=9443 in-interface=bridge-to-WAN \
    to-addresses=192.168.1.17 to-ports=9443
add chain=dstnat action=dst-nat comment=Raspberry protocol=tcp dst-port=8080 in-interface=bridge-to-WAN \
    to-addresses=192.168.1.17 to-ports=8080
add chain=dstnat action=dst-nat comment=Raspberry protocol=tcp dst-port=80 in-interface=bridge-to-WAN \
    to-addresses=192.168.1.17 to-ports=80
add chain=dstnat action=dst-nat comment=Raspberry protocol=tcp dst-port=8440-8443 in-interface=bridge-to-WAN \
    to-addresses=192.168.1.17 to-ports=8440-8443
add chain=dstnat action=dst-nat comment="Delta printer" protocol=tcp dst-port=8888 in-interface=bridge-to-WAN \
    to-addresses=192.168.1.11 to-ports=8888 log=yes
add chain=srcnat action=masquerade comment=SSTP out-interface=sstp-out1
# Hairpin src-nat for the printer (disabled).
add chain=srcnat action=src-nat comment="Delta printer" disabled=yes protocol=tcp dst-address=192.168.1.11 \
    dst-port=8888 to-addresses=192.168.1.1
# Camera / NVR forwards from the former L2TP-Beeline uplink (all disabled).
add chain=dstnat action=dst-nat comment=Cam disabled=yes protocol=tcp dst-port=8999 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.18 to-ports=8080
add chain=dstnat action=dst-nat comment=Cam disabled=yes protocol=tcp dst-port=8899 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.18 to-ports=8899
add chain=dstnat action=dst-nat comment=Cam disabled=yes protocol=udp dst-port=8899 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.18 to-ports=8899
add chain=dstnat action=dst-nat comment=Cam disabled=yes protocol=tcp dst-port=34567 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.18 to-ports=34567
add chain=dstnat action=dst-nat comment=Cam disabled=yes protocol=udp dst-port=8999 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.18 to-ports=8080
add chain=dstnat action=dst-nat comment=Cam disabled=yes protocol=tcp dst-port=554 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.18 to-ports=554
add chain=dstnat action=dst-nat comment=Cam disabled=yes protocol=udp dst-port=554 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.18 to-ports=554
add chain=dstnat action=dst-nat comment=IPC_Garage disabled=yes protocol=tcp dst-port=37777 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.6 to-ports=37777
add chain=dstnat action=dst-nat disabled=yes protocol=tcp dst-port=554 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.6 to-ports=554
add chain=dstnat action=dst-nat disabled=yes protocol=udp dst-port=37778 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.6 to-ports=37778
add chain=dstnat action=dst-nat disabled=yes protocol=tcp dst-port=80 in-interface=L2TP-Beeline \
    to-addresses=192.168.1.6 to-ports=80
/ip firewall raw
# Pre-conntrack drops: blacklisted sources and NetBIOS noise from the internet.
add chain=prerouting action=drop comment="DDoS - Drop blacklist IP" in-interface-list=WAN \
    src-address-list=DDoS-blacklist
add chain=prerouting action=drop comment="NetBIOS Name Service BLOCK" protocol=udp dst-port=137,138,139 \
    in-interface-list=WAN
/ip firewall service-port
# All ALG helpers off -- they parse payload and are unnecessary attack surface here.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec profile
# Dead-peer detection every 2 minutes, five misses before the peer is declared dead.
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control device
add name="TV Samsung" user=Artem mac-address=B*********1
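/ip route
# Default route for hosts carrying routing-mark "sstp": via the tunnel's far end. The
# gateway is hard-coded, so if the SSTP server ever assigns a different remote address
# this route goes inactive (and the fallback below takes over, which is the safe direction).
add dst-address=0.0.0.0/0 gateway=10.66.66.1 routing-table=sstp distance=1 scope=30 target-scope=10 \
    disabled=no suppress-hw-offload=no
# FIX (fail-closed fallback): in RouterOS v7 a routing-mark lookup that finds no route in
# its table falls through to "main", so whenever the tunnel is down the marked hosts would
# silently go out the plain WAN. A lower-priority blackhole in the same table keeps them
# off the internet until the tunnel comes back.
add dst-address=0.0.0.0/0 blackhole routing-table=sstp distance=2 comment="sstp kill switch"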
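/ip service
# Management surface: every clear-text or scriptable service is off; Winbox stays on.
# FIX: bind Winbox to the LAN subnet. Input from the SSTP tunnel (interface list VPN) is
# not covered by the WAN drop rules in this export, and /tool mac-server already limits
# MAC-Winbox to the LAN list, so an address restriction matches the evident intent.
# Widen address= if the router is ever managed from another network.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox address=192.168.1.0/24
/ip smb shares
# Stock share path; whether the SMB server is enabled is not part of this export.
set [ find default=yes ] directory=/flash/pub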
/routing bfd configuration
# BFD on every interface (200 ms, 5 misses); it has no routing-protocol peer to serve in
# this export.
add interfaces=all min-rx=200ms min-tx=200ms multiplier=5 disabled=no
/system clock
set time-zone-name=Asia/Yekaterinburg
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=88.147.254.235
add address=88.147.254.228
/system routerboard settings
# RouterBOOT firmware follows the RouterOS version automatically.
set auto-upgrade=yes
/tool mac-server
# MAC-telnet and MAC-Winbox answer on the LAN list only.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


gmx
Модератор
Сообщения: 3418
Зарегистрирован: 01 окт 2012, 14:48

Есть подозрение, что Tp-link пытается натить своих клиентов...


SPAX
Сообщения: 19
Зарегистрирован: 13 окт 2019, 19:21

gmx писал(а): 28 янв 2025, 10:27 Есть подозрение, что Tp-link пытается натить своих клиентов...
Полностью отключены все настройки Firewall и маскарады в Tp-link..

