# mar/24/2016 18:07:25 by RouterOS 6.34.3
# software id = SVRD-PS70
#
# --- CAPsMAN radio / channel -------------------------------------------------
# One 2.4 GHz, 20 MHz wide channel on 2427 MHz (b/g/n, no extension channel).
# Both AP configurations further down reference it, so both radios share it.
/caps-man channel
add band=2ghz-b/g/n extension-channel=disabled frequency=2427 name=\
MainChannel width=20
# Single LAN bridge; the eight copper ports are attached to it under
# "/interface bridge port" below.
/interface bridge
add name=BRIDGE-LAN
# Rename the physical ports. SFP carries the ISP PPPoE session (see
# "/interface pppoe-client"); SFP-PLUS is administratively disabled.
/interface ethernet
set [ find default-name=ether1 ] name=ETHERNET-1
set [ find default-name=ether2 ] name=ETHERNET-2
set [ find default-name=ether3 ] name=ETHERNET-3
set [ find default-name=ether4 ] name=ETHERNET-4
set [ find default-name=ether5 ] name=ETHERNET-5
set [ find default-name=ether6 ] name=ETHERNET-6
set [ find default-name=ether7 ] name=ETHERNET-7
set [ find default-name=ether8 ] name=ETHERNET-8
set [ find default-name=sfp1 ] advertise=1000M-full name=SFP
set [ find default-name=sfp-sfpplus1 ] disabled=yes name=SFP-PLUS
# Static L2TP server binding for user "bailey-mikrotik"; "/ip route" uses it
# as the gateway for 192.168.88.0/24 (a remote site, presumably).
/interface l2tp-server
add name="Dragon<=>Bailey" user=bailey-mikrotik
# No neighbor-discovery announcements toward the ISP uplink or over the tunnel.
/ip neighbor discovery
set SFP discover=no
set "Dragon<=>Bailey" discover=no
# CAP client traffic is bridged straight into the LAN (no per-SSID VLAN or
# client isolation configured here).
/caps-man datapath
add bridge=BRIDGE-LAN name=MainDatapath
# WPA2-PSK / AES-CCMP profile shared by both SSID configurations.
# NOTE(review): the PSK "123456789" is a 9-digit numeric string, far too weak for
# WPA2-PSK, and it sits in clear text in this export. Replace it with a long
# random passphrase and treat the old one as disclosed by this paste.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=MainSecurity passphrase=123456789
# Two AP profiles with the same SSID "Global Zone", channel and security; they
# differ only in tx-power (25 for "OUT", presumably the outdoor radio, 10 for
# "IN"). country=no_country_set applies no country regulatory profile to
# channel/power selection — set the real country for compliance.
/caps-man configuration
add channel=MainChannel channel.tx-power=25 country=no_country_set datapath=\
MainDatapath guard-interval=any mode=ap multicast-helper=disabled name=\
OUTConfigurations rx-chains=0,1,2 security=MainSecurity ssid=\
"Global Zone" tx-chains=0,1,2
add channel=MainChannel channel.tx-power=10 country=no_country_set datapath=\
MainDatapath guard-interval=any mode=ap multicast-helper=disabled name=\
INConfigurations rx-chains=0,1,2 security=MainSecurity ssid="Global Zone" \
tx-chains=0,1,2
# IPsec proposal narrowed to AES-128-CBC.
# NOTE(review): nothing else in this export references IPsec — the L2TP server
# under "/interface l2tp-server server" is not configured with use-ipsec — so
# L2TP clients appear to rely on PPP-level MPPE only; confirm on the live device.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
# Address pools: LAN DHCP, PPTP clients (inside the LAN subnet) and L2TP clients
# (separate 10.10.10.0/24).
# NOTE(review): the "L2TP-Server" firewall address list below covers
# 10.0.0.210-10.0.0.219, which does not match POOL-L2TP.
/ip pool
add name=POOL-LAN ranges=10.0.0.100-10.0.0.199
add name=POOL-PPTP ranges=10.0.0.200-10.0.0.209
add name=POOL-L2TP ranges=10.10.10.10-10.10.10.99
# DHCP on the LAN bridge, one-week leases.
/ip dhcp-server
add address-pool=POOL-LAN disabled=no interface=BRIDGE-LAN lease-time=1w \
name=DHCP-LAN
# PPP profiles.
#  - ISP-PPPoE-OPCOM: single session toward the ISP, compression and
#    encryption (MPPE, if the peer negotiates it) requested.
#  - PPTP-SERVER: clients are placed on BRIDGE-LAN, local end 10.0.0.2,
#    addresses from POOL-PPTP, encryption required.
#  - L2TP-SERVER: local end 10.10.10.1, addresses from POOL-L2TP.
# change-tcp-mss=yes clamps TCP MSS to fit the reduced tunnel MTU.
# NOTE(review): PPTP (MS-CHAPv2 + MPPE) is no longer considered secure; prefer
# L2TP/IPsec (or another modern VPN) for remote access and retire PPTP-SERVER.
/ppp profile
add change-tcp-mss=yes name=ISP-PPPoE-OPCOM only-one=yes use-compression=yes \
use-encryption=yes use-mpls=no use-upnp=no
add bridge=BRIDGE-LAN change-tcp-mss=yes local-address=10.0.0.2 name=\
PPTP-SERVER only-one=no remote-address=POOL-PPTP use-compression=yes \
use-encryption=yes use-mpls=no use-upnp=no
add change-tcp-mss=yes local-address=10.10.10.1 name=L2TP-SERVER only-one=no \
remote-address=POOL-L2TP use-compression=yes use-encryption=yes use-mpls=\
no
# ISP uplink: PPPoE over SFP, MTU/MRU 1492. user/password "0000" look like
# placeholders scrubbed before posting.
/interface pppoe-client
add disabled=no interface=SFP max-mru=1492 max-mtu=1492 name=ISP-PPPoE-OPCOM \
password=0000 profile=ISP-PPPoE-OPCOM user=0000
# Keep the PPPoE interface out of neighbor discovery as well.
/ip neighbor discovery
set ISP-PPPoE-OPCOM discover=no
# Per-host bandwidth caps (simple queues, each limit is a pair for the two
# directions). "Neighbor: Andrey-1/-2" cover the same three hosts with
# different limits by time of day (07:00-23:59:59 -> 5M, 00:00-06:59:59 -> 10M);
# "Neighbor: Ferdinand" is a flat 3M cap on 10.0.0.102.
/queue simple
add burst-limit=10M/10M burst-threshold=2M/2M burst-time=2s/2s limit-at=5M/5M \
max-limit=5M/5M name="Neighbor: Andrey-1" queue=\
ethernet-default/ethernet-default target=\
10.0.0.100/32,10.0.0.101/32,10.0.0.103/32 time=\
7h-23h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=ethernet-default
add burst-limit=20M/20M burst-threshold=5M/5M burst-time=2s/2s limit-at=\
10M/10M max-limit=10M/10M name="Neighbor: Andrey-2" queue=\
ethernet-default/ethernet-default target=\
10.0.0.100/32,10.0.0.101/32,10.0.0.103/32 time=\
0s-6h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=ethernet-default
add burst-limit=5M/5M burst-threshold=1M/1M burst-time=2s/2s limit-at=3M/3M \
max-limit=3M/3M name="Neighbor: Ferdinand" queue=\
ethernet-default/ethernet-default target=10.0.0.102/32 total-queue=\
ethernet-default
# CAPsMAN controller enabled; each managed radio is matched by its MAC and
# given one of the two configurations above, named CAP<identity>.
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=OUTConfigurations \
name-format=prefix-identity name-prefix=CAP radio-mac=D4:CA:6D:25:BA:47
add action=create-dynamic-enabled master-configuration=INConfigurations \
name-format=prefix-identity name-prefix=CAP radio-mac=4C:5E:0C:86:71:89
# All eight copper ports are plain members of the LAN bridge (no VLANs).
/interface bridge port
add bridge=BRIDGE-LAN interface=ETHERNET-1
add bridge=BRIDGE-LAN interface=ETHERNET-2
add bridge=BRIDGE-LAN interface=ETHERNET-3
add bridge=BRIDGE-LAN interface=ETHERNET-4
add bridge=BRIDGE-LAN interface=ETHERNET-5
add bridge=BRIDGE-LAN interface=ETHERNET-6
add bridge=BRIDGE-LAN interface=ETHERNET-7
add bridge=BRIDGE-LAN interface=ETHERNET-8
# Connection tracking on explicitly; the filter rules below depend on it
# (connection-state, connection-limit).
/ip firewall connection tracking
set enabled=yes
# Strict reverse-path filtering and SYN cookies: kernel-level anti-spoofing and
# SYN-flood hardening.
/ip settings
set rp-filter=strict tcp-syncookies=yes
# Remote-access VPN servers, MTU/MRU 1460.
# NOTE(review): the filter's input chain has no default drop (see
# "/ip firewall filter"), so both servers are reachable from the internet; PPTP
# in particular should be retired.
/interface l2tp-server server
set default-profile=L2TP-SERVER enabled=yes max-mru=1460 max-mtu=1460
/interface pptp-server server
set default-profile=PPTP-SERVER enabled=yes max-mru=1460 max-mtu=1460
# Router's LAN address; it is also the DHCP gateway/DNS/NTP/CAPsMAN address.
/ip address
add address=10.0.0.1/24 interface=BRIDGE-LAN network=10.0.0.0
# Static leases for the two CAPs; each active lease also places its address in
# the "DHCP-Lease" firewall address list.
# NOTE(review): as exported these are the only entries feeding DHCP-Lease, yet
# the forward-chain rules commented "!DHCP-Lease" drop WAN->LAN traffic to, and
# LAN->WAN traffic from, any address not in that list — including the dst-nat
# targets 10.0.0.10-.20 and the clients in POOL-LAN. Either the list is
# populated elsewhere (dynamic leases or a script not in this export) or those
# rules block more than intended; verify on the live device.
/ip dhcp-server lease
add address=10.0.0.5 address-lists=DHCP-Lease comment="Wi-Fi OUT" \
mac-address=D4:CA:6D:25:BA:46 server=DHCP-LAN
add address=10.0.0.6 address-lists=DHCP-Lease comment="Wi-Fi IN" mac-address=\
4C:5E:0C:86:71:88 server=DHCP-LAN
# DHCP options: the router is gateway, DNS, NTP server and CAPsMAN address.
/ip dhcp-server network
add address=10.0.0.0/24 caps-manager=10.0.0.1 dns-server=10.0.0.1 gateway=\
10.0.0.1 netmask=24 ntp-server=10.0.0.1
# Address lists used by the filter rules.
#  - PPTP-Server matches POOL-PPTP.
#  - L2TP-Server (10.0.0.210-219) does NOT match POOL-L2TP (10.10.10.10-99)
#    and is not referenced by any rule in this export.
#  - Innova: a /19 blocked by the (disabled) "Innova Distribution LLC" rules.
#  - WinTracking: hosts the author labels as Windows tracking endpoints
#    (presumably telemetry); forwarded traffic to them is dropped.
/ip firewall address-list
add address=10.0.0.200-10.0.0.209 list=PPTP-Server
add address=10.0.0.210-10.0.0.219 list=L2TP-Server
add address=10.0.0.0/24 list=LAN
add address=109.105.128.0/19 list=Innova
add address=2.22.61.43 comment=WinTracking list=WinTracking
add address=2.22.61.66 comment=WinTracking list=WinTracking
add address=65.39.117.230 comment=WinTracking list=WinTracking
add address=65.55.108.23 comment=WinTracking list=WinTracking
add address=23.218.212.69 comment=WinTracking list=WinTracking
add address=134.170.30.202 comment=WinTracking list=WinTracking
add address=137.116.81.24 comment=WinTracking list=WinTracking
add address=157.56.106.189 comment=WinTracking list=WinTracking
add address=204.79.197.200 comment=WinTracking list=WinTracking
add address=65.52.108.33 comment=WinTracking list=WinTracking
add address=64.4.54.254 comment=WinTracking list=WinTracking
# Filter rules are evaluated top-down per chain; the first matching terminating
# action wins. Rules without action= accept.
# NOTE(review): there is no accept for connection-state=established,related at
# the top of forward, so every packet walks the whole chain; adding one (or a
# fasttrack rule) before the slower matchers is the usual optimisation.
/ip firewall filter
# Discard packets conntrack cannot associate with a known connection.
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=output comment="Drop invalid connections" \
connection-state=invalid
# LAN hosts may not reach anything in the WinTracking list.
add action=drop chain=forward comment=WinTracking dst-address-list=\
WinTracking
# Spamhaus DROP/EDROP blocking on the WAN side — disabled. The two lists are
# not defined in this export (presumably filled by a script elsewhere).
add action=drop chain=input comment="Spamhaus DROP List" disabled=yes \
in-interface=ISP-PPPoE-OPCOM src-address-list=Spamhaus-DROP-List
add action=drop chain=forward comment="Spamhaus DROP List" disabled=yes \
in-interface=ISP-PPPoE-OPCOM src-address-list=Spamhaus-DROP-List
add action=drop chain=input comment="Spamhaus EDROP List" disabled=yes \
in-interface=ISP-PPPoE-OPCOM src-address-list=Spamhaus-EDROP-List
add action=drop chain=forward comment="Spamhaus EDROP List" disabled=yes \
in-interface=ISP-PPPoE-OPCOM src-address-list=Spamhaus-EDROP-List
# Block the Innova /19 in both directions — disabled.
add action=drop chain=forward comment="Innova Distribution LLC" disabled=yes \
dst-address-list=Innova
add action=drop chain=forward comment="Innova Distribution LLC" disabled=yes \
src-address-list=Innova
# Per-host policy for 10.0.0.23: allow only HTTP/HTTPS, drop the rest — disabled.
add chain=forward disabled=yes dst-port=80 protocol=tcp src-address=10.0.0.23
add chain=forward disabled=yes dst-port=443 protocol=tcp src-address=\
10.0.0.23
add action=drop chain=forward disabled=yes src-address=10.0.0.23
# Do not answer DNS from the internet (keeps the router from being an open
# resolver / reflector).
add action=drop chain=input comment="Drop external DNS connections" dst-port=\
53 in-interface=ISP-PPPoE-OPCOM protocol=udp
add action=drop chain=input comment="Drop external DNS connections" dst-port=\
53 in-interface=ISP-PPPoE-OPCOM protocol=tcp
# SYN-flood limiter for forwarded new TCP connections: jump to SYN-Protect,
# accept up to 400 SYN/s (burst 5), drop the excess. Forward only; the input
# chain relies on tcp-syncookies from "/ip settings".
add action=jump chain=forward comment="[OFF|ON] SYN Flood protect" \
connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add chain=SYN-Protect comment="SYN Flood protect" connection-state=new limit=\
400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="SYN Flood protect" \
connection-state=new protocol=tcp tcp-flags=syn
# HTTP(S) DoS: sources already in "DoS-HTTP(S)" are dropped; a WAN source
# holding more than 32 connections to port 80 or 443 is added to the list.
# NOTE(review): no address-list-timeout is set on the two detect rules, so an
# entry is permanent until removed by hand (a NAT'd office or a busy crawler
# stays blocked forever); consider address-list-timeout=... on both.
add action=drop chain=forward comment="HTTP(S) DoS protect" src-address-list=\
"DoS-HTTP(S)"
add action=add-src-to-address-list address-list="DoS-HTTP(S)" chain=forward \
comment="HTTP DoS detect" connection-limit=32,32 dst-port=80 \
in-interface=ISP-PPPoE-OPCOM protocol=tcp
add action=add-src-to-address-list address-list="DoS-HTTP(S)" chain=forward \
comment="HTTPS DoS detect" connection-limit=32,32 dst-port=443 \
in-interface=ISP-PPPoE-OPCOM protocol=tcp
# Payload string matches on plaintext HTTP (port 80): the two "?True" patterns
# are active; the sputnik.ru match and the "Sham ..." rule (comment is
# CP1251-escaped Russian, roughly "Crazy") matching on "1361373" are disabled.
# Content matching cannot see inside HTTPS.
add action=drop chain=forward comment="//\?True" content="//\?True" dst-port=\
80 protocol=tcp
add action=drop chain=forward comment="/\?True" content="/\?True" dst-port=80 \
protocol=tcp
add action=drop chain=forward comment=sputnik.ru content=sputnik.ru disabled=\
yes dst-port=80 protocol=tcp
add action=drop chain=forward comment="Sham \C1\E5\F8\E5\ED\FB\E9" content=\
1361373 disabled=yes dst-port=80 protocol=tcp
# PPTP clients: traffic to and from the LAN is accepted; anything else from the
# PPTP range is dropped (no internet via the tunnel).
add chain=forward comment="PPTP: Accept PPTP to LAN" dst-address-list=LAN \
src-address-list=PPTP-Server
add chain=forward comment="PPTP: Accept LAN to PPTP" dst-address-list=\
PPTP-Server src-address-list=LAN
add action=drop chain=forward comment="PPTP: Drop PPTP to ALL" \
src-address-list=PPTP-Server
# Comment is CP1251-escaped Russian: "Drop traffic with !DHCP-Lease".
# WAN -> any destination not in DHCP-Lease, and LAN -> anything from a source
# not in DHCP-Lease, is dropped.
# NOTE(review): as exported, DHCP-Lease is fed only by the two static CAP leases
# under "/ip dhcp-server lease"; if that is the whole list, these two rules also
# drop traffic to the dst-nat targets and return traffic for ordinary LAN
# clients. Verify on the live device.
add action=drop chain=forward comment=\
"\C4\F0\EE\EF\E0\E5\EC \F2\F0\E0\F4\E8\EA \F1 !DHCP-Lease" \
dst-address-list=!DHCP-Lease in-interface=ISP-PPPoE-OPCOM
add action=drop chain=forward comment=\
"\C4\F0\EE\EF\E0\E5\EC \F2\F0\E0\F4\E8\EA \F1 !DHCP-Lease" in-interface=\
BRIDGE-LAN src-address-list=!DHCP-Lease
# Everything entering or leaving via the LAN bridge is accepted; the remainder
# of forward is logged (prefix "drop") and dropped.
# NOTE(review): there is no default drop for chain=input — only invalid packets
# and DNS are dropped there — so every service the router itself listens on is
# reachable from ISP-PPPoE-OPCOM unless "/ip service" restricts it by address
# (ssh/winbox/www are restricted; PPTP, L2TP and the enabled NTP server are
# not). The usual fix is an input chain that accepts established/related and
# traffic from BRIDGE-LAN, then drops the rest.
add chain=forward comment="Allow all for all (in)" in-interface=BRIDGE-LAN
add chain=forward comment="Allow all for all (out)" out-interface=BRIDGE-LAN
add action=log chain=forward comment="LOG Drop all" log-prefix=drop
add action=drop chain=forward comment="Drop all"
# Source NAT: masquerade everything leaving via the ISP session.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP-PPPoE-OPCOM
# Masquerade LAN->LAN for selected sources — the usual hairpin-NAT pattern so
# those hosts can reach the forwarded servers via the public address. The
# dst-nat rules below carry no in-interface match, so they apply to LAN
# clients as well as to the internet.
add action=masquerade chain=srcnat out-interface=BRIDGE-LAN src-address=\
10.0.0.5
add action=masquerade chain=srcnat out-interface=BRIDGE-LAN src-address=\
10.0.0.11
add action=masquerade chain=srcnat out-interface=BRIDGE-LAN src-address=\
10.0.0.12
add action=masquerade chain=srcnat out-interface=BRIDGE-LAN src-address=\
10.0.0.13
add action=masquerade chain=srcnat out-interface=BRIDGE-LAN src-address=\
10.0.0.14
add action=masquerade chain=srcnat out-interface=BRIDGE-LAN src-address=\
10.0.0.20-10.0.0.254
# Port forwards to internal servers, all matched on the fixed public address
# 46.150.164.106.
# NOTE(review): a PPPoE session can come up with a different address, at which
# point every forward silently stops matching; matching on
# in-interface=ISP-PPPoE-OPCOM (or dst-address-type=local) instead of a literal
# dst-address avoids that. As configured the exposed services are:
#   80, 443 tcp          -> 10.0.0.10        (HTTP/HTTPS)
#   25575 tcp            -> 10.0.0.10        ("DropMasterServer")
#   8000 tcp             -> 10.0.0.11        (Icecast2)
#   8080 tcp             -> 10.0.0.11:80, 8123 tcp -> 10.0.0.11 (Minecraft web/map)
#   25565 tcp (disabled), 26565, 27565 tcp -> 10.0.0.11 (Minecraft)
#   9987 udp, 10011 tcp, 30033 tcp -> 10.0.0.11 (TeamSpeak3 voice/query/ft)
#   10021 tcp            -> 10.0.0.12:21     (FTP control only; passive data
#                                             ports are not forwarded here)
#   7777 tcp             -> 10.0.0.10 (disabled) / 10.0.0.20 (Terraria)
#   27515 udp            -> 10.0.0.14        (CSS)
# TeamSpeak serverquery (10011) is an administrative interface; exposing it to
# the whole internet deserves a second look.
add action=dst-nat chain=dstnat comment="To HTTP Server" dst-address=\
46.150.164.106 dst-port=80 protocol=tcp to-addresses=10.0.0.10 to-ports=\
80
add action=dst-nat chain=dstnat comment="To HTTPS Server" dst-address=\
46.150.164.106 dst-port=443 protocol=tcp to-addresses=10.0.0.10 to-ports=\
443
add action=dst-nat chain=dstnat comment="4yryn: DropMasterServer" \
dst-address=46.150.164.106 dst-port=25575 protocol=tcp to-addresses=\
10.0.0.10 to-ports=25575
add action=dst-nat chain=dstnat comment="To Icecast2 Server" dst-address=\
46.150.164.106 dst-port=8000 protocol=tcp to-addresses=10.0.0.11 \
to-ports=8000
add action=dst-nat chain=dstnat comment="To Minecraft (HTTP) Server" \
dst-address=46.150.164.106 dst-port=8080 protocol=tcp to-addresses=\
10.0.0.11 to-ports=80
add action=dst-nat chain=dstnat comment="To Minecraft (MAP) Server" \
dst-address=46.150.164.106 dst-port=8123 protocol=tcp to-addresses=\
10.0.0.11 to-ports=8123
add action=dst-nat chain=dstnat comment="To Minecraft Server (25565)" \
disabled=yes dst-address=46.150.164.106 dst-port=25565 protocol=tcp \
to-addresses=10.0.0.11 to-ports=25565
add action=dst-nat chain=dstnat comment="To Minecraft Server (26565)" \
dst-address=46.150.164.106 dst-port=26565 protocol=tcp to-addresses=\
10.0.0.11 to-ports=26565
add action=dst-nat chain=dstnat comment="To Minecraft Server (27565)" \
dst-address=46.150.164.106 dst-port=27565 protocol=tcp to-addresses=\
10.0.0.11 to-ports=27565
add action=dst-nat chain=dstnat comment=\
"Teamspeak3 Server => INPUT/OUTPUT (voice)" dst-address=46.150.164.106 \
dst-port=9987 protocol=udp to-addresses=10.0.0.11 to-ports=9987
add action=dst-nat chain=dstnat comment=\
"Teamspeak3 Server => INPUT/OUTPUT (serverquery)" dst-address=\
46.150.164.106 dst-port=10011 protocol=tcp to-addresses=10.0.0.11 \
to-ports=10011
add action=dst-nat chain=dstnat comment=\
"Teamspeak3 Server => INPUT/OUTPUT (ftp)" dst-address=46.150.164.106 \
dst-port=30033 protocol=tcp to-addresses=10.0.0.11 to-ports=30033
add action=dst-nat chain=dstnat comment="To RadioServer, FTP" dst-address=\
46.150.164.106 dst-port=10021 protocol=tcp to-addresses=10.0.0.12 \
to-ports=21
add action=dst-nat chain=dstnat comment="To Terraria Server on HTTP Server" \
disabled=yes dst-address=46.150.164.106 dst-port=7777 protocol=tcp \
to-addresses=10.0.0.10 to-ports=7777
add action=dst-nat chain=dstnat comment="To Terraria Server on Dragon-PC" \
dst-address=46.150.164.106 dst-port=7777 protocol=tcp to-addresses=\
10.0.0.20 to-ports=7777
add action=dst-nat chain=dstnat comment="To CSS Server" dst-address=\
46.150.164.106 dst-port=27515 protocol=udp to-addresses=10.0.0.14 \
to-ports=27515
# Default route over the ISP session; 192.168.88.0/24 (remote site) via the
# static L2TP binding "Dragon<=>Bailey".
/ip route
add distance=10 gateway=ISP-PPPoE-OPCOM
add distance=100 dst-address=192.168.88.0/24 gateway="Dragon<=>Bailey"
# Management plane: telnet/ftp/api/api-ssl off; www (moved to port 12345), ssh
# and winbox accept connections from the LAN subnet only. L2TP clients
# (10.10.10.0/24) fall outside that allow-list, PPTP clients (10.0.0.200-209)
# fall inside it. www is plain HTTP — tolerable with LAN-only access, but
# www-ssl would be the better choice.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24 port=12345
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
# UPnP with the ISP session as external and the LAN bridge as internal side.
# NOTE(review): any LAN host (or malware on it) can open inbound port mappings
# without touching this config; disable unless something actually needs it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ISP-PPPoE-OPCOM type=external
add interface=BRIDGE-LAN type=internal
# Front-panel LCD locked down: read-only, touch input off.
/lcd
set backlight-timeout=never default-screen=informative-slideshow \
read-only-mode=yes touch-screen=disabled
# VPN accounts: three PPTP (one disabled) and one L2TP. Every name/password is
# "0000", evidently scrubbed before posting.
/ppp secret
add name=0000 password=0000 profile=PPTP-SERVER service=\
pptp
add name=0000 password=0000 profile=L2TP-SERVER \
service=l2tp
add disabled=yes name=0000 password=0000 profile=PPTP-SERVER \
service=pptp
add name=0000 password=0000 profile=PPTP-SERVER \
service=pptp
# Timezone and identity (CCR1009-8G-1S-1S+: 8x GbE, 1x SFP, 1x SFP+, which
# matches the port renames above).
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name="MikroTik CCR1009-8G-1S-1S+"
# LEDs: two tied to SFP-PLUS, one to SFP; the user LED shows flash access.
/system leds
set 0 interface=SFP-PLUS
set 1 interface=SFP-PLUS
set 2 interface=SFP
add leds=user-led type=flash-access
# NTP: client synced to two fixed upstream servers; the router also serves NTP
# (unicast + multicast) — it is the ntp-server handed out by DHCP.
# NOTE(review): with no input-chain default drop, UDP/123 is answered toward
# the internet as well; confirm that is intended.
/system ntp client
set enabled=yes primary-ntp=91.226.136.139 secondary-ntp=91.226.136.141
/system ntp server
set enabled=yes multicast=yes
# Receive packet steering across CPUs for both uplinks and ports 5-8.
/system resource irq rps
set SFP-PLUS disabled=no
set SFP disabled=no
set ETHERNET-5 disabled=no
set ETHERNET-6 disabled=no
set ETHERNET-7 disabled=no
set ETHERNET-8 disabled=no
# Boot: 3 s delay, CPU 1200 MHz, memory 1066 DDR, Delete key enters setup.
/system routerboard settings
set boot-delay=3s cpu-frequency=1200MHz enter-setup-on=delete-key \
memory-frequency=1066DDR
# Interface and resource graphing with default parameters.
/tool graphing interface
add
/tool graphing resource
add
# RoMON port entry with default parameters. "/tool romon set enabled=yes" is not
# in this export, so the entry is inert unless RoMON is enabled elsewhere; if it
# is, configure a RoMON secret so the protocol is not open on every port.
/tool romon port
add
На контроллере стоит NTP-сервер, и его IP-адрес раздаётся по DHCP как адрес сервера времени. Это ещё одна причина, по которой на точках есть DHCP-клиент и IP-адрес.