[Daster7879@MikroTik] > export
# jan/15/2017 09:30:36 by RouterOS 6.7
# software id = DHH3-A7PQ
#
/interface bridge
add l2mtu=1598 name=bridge-lan4
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN2
/ip neighbor discovery
set ether1 comment=WAN
set ether4 comment=LAN
set ether5 comment=LAN2
/interface vlan
add interface=bridge-lan4 l2mtu=1594 name=vlan2 vlan-id=2
add interface=bridge-lan4 l2mtu=1594 name=vlan8 vlan-id=8
add interface=bridge-lan4 l2mtu=1594 name=vlan29 vlan-id=29
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.2.100-192.168.2.200
add name=dhcp_pool3 ranges=192.168.2.100-192.168.2.200
add name=dhcp_pool4 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool5 ranges=192.168.2.100-192.168.2.200
add name=dhcp_pool6 ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_pool6 disabled=no interface=bridge-lan4 name=dhcp1
/queue type
add kind=pcq name=pcq-download-3M pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=3M pcq-src-address6-mask=64
add kind=pcq name=pcq-upload-0.5M pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=512k pcq-src-address6-mask=64
add kind=pcq name=pcq-download-4M pcq-burst-time=32s pcq-classifier=\
dst-address pcq-dst-address6-mask=64 pcq-rate=4M pcq-src-address6-mask=64
add kind=pcq name=pcq-burst-download pcq-burst-rate=10M pcq-burst-threshold=\
2M pcq-burst-time=1m4s pcq-classifier=dst-address pcq-dst-address6-mask=\
64 pcq-rate=4M pcq-src-address6-mask=64
add kind=pcq name=pcq-burst-upload pcq-burst-rate=1800k pcq-burst-threshold=\
512k pcq-burst-time=1m4s pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=900k pcq-src-address6-mask=64
/queue simple
add disabled=yes max-limit=1500k/10M name=queue-limit-4M queue=\
pcq-upload-0.5M/pcq-download-4M target=192.168.2.0/24,192.168.8.0/24
add name=queue-burst-limit queue=pcq-burst-upload/pcq-burst-download target=\
192.168.2.0/24,192.168.8.0/24,192.168.29.0/24
/interface bridge filter
удалено
/interface bridge port
add bridge=bridge-lan4 interface=ether4
add bridge=bridge-lan4 interface=vlan2
add bridge=bridge-lan4 interface=vlan8
add bridge=bridge-lan4 interface=vlan29
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.100.190/24 interface=ether1 network=192.168.100.0
add address=192.168.200.154/24 interface=ether2 network=192.168.200.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.50.170/24 interface=ether3 network=192.168.50.0
add address=192.168.8.1/24 interface=vlan8 network=192.168.8.0
add address=192.168.29.1/24 interface=vlan29 network=192.168.29.0
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.88.0/24 dns-server=8.8.8.8,192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input comment=\
"\C1\EB\EE\EA \E4\EE\F1\F2\F3\EF\E0 \EA \EC\EE\E4\E5\EC\F3" disabled=yes \
dst-address=192.168.50.1 src-address=192.168.8.0/24
add action=drop chain=input comment=WinBox disabled=yes dst-address=\
192.168.2.201 in-interface=bridge-lan4
add action=jump chain=forward comment="DDOS - Block" connection-state=new \
jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=block-ddos
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=1h chain=output content="530 Login incorrect" \
disabled=yes protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1h chain=input comment="record ssh brute forcers" \
disabled=yes dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=3h chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp
add chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \EF\E8\ED\E3\E8" \
protocol=icmp
add chain=forward protocol=icmp
add chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \F3\F1\F2\E0\ED\E0\E2\EB\
\E8\E2\E0\F2\FC \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\FF" connection-state=\
established
add chain=forward connection-state=established
add chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \F1\E2\FF\E7\E0\ED\ED\FB\
\E5 \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\FF" connection-state=related
add chain=forward connection-state=related
add chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \E2\F1\E5 \EF\EE\E4\EA\EB\
\FE\F7\E5\ED\E8\FF \E8\E7 \ED\E0\F8\E5\E9 \EB\EE\EA\E0\EB\FC\ED\EE\E9 \F1\
\E5\F2\E8" in-interface=!ether1 src-address=192.168.2.0/24
add chain=input in-interface=!ether2 src-address=192.168.8.0/24
add chain=input in-interface=!ether3 src-address=192.168.29.0/24
add chain=forward comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \E2\F5\EE\E4\FF\F9\E8\
\E5 \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\FF \E4\EB\FF \F2\EE\F0\F0\E5\ED\F2\E0" \
dst-port=45000 in-interface=ether1 protocol=tcp
add chain=forward dst-port=45000 in-interface=ether2 protocol=tcp
add chain=forward dst-port=45000 in-interface=ether3 protocol=tcp
add action=drop chain=input comment="\CE\F2\F0\F3\E1\E0\E5\EC \C8\ED\E2\E0\EB\
\E8\ED\E4\ED\FB\E5 \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\FF" connection-state=\
invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="\CE\E1\F0\F3\E1\E0\E5\EC \E2\F1\E5 \EE\F1\
\F2\E0\EB\FC\ED\FB\E5 \E2\F5\EE\E4\FF\F9\E8\E5 \EF\EE\E4\EA\EB\FE\F7\E5\ED\
\E8\FF" in-interface=ether1
add action=drop chain=input in-interface=ether2
add action=drop chain=input in-interface=ether3
add chain=forward comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \E4\EE\F1\F2\F3\EF \E8\
\E7 \EB\EE\EA\E0\EB\FC\ED\EE\E9 \F1\E5\F2\E8 \E2 \E8\ED\F2\E5\F0\ED\E5\F2" \
in-interface=!ether1 out-interface=ether1
add chain=forward in-interface=!ether2 out-interface=ether2
add chain=forward in-interface=!ether3 out-interface=ether3
add action=drop chain=forward comment="\CE\E1\F0\F3\E1\E0\E5\EC \E2\F1\E5 \EE\
\F1\F2\E0\EB\FC\ED\FB\E5 \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\FF (Lockdown)"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"\C8\ED\F4\E0 \F1 \FE\F2\F3\E1\E0" disabled=yes new-routing-mark=m2 \
passthrough=no src-address=192.168.2.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=m8 \
passthrough=no src-address=192.168.8.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=m29 \
passthrough=no src-address=192.168.29.0/24
add action=mark-connection chain=input comment=\
"\C8\ED\F4\E0 \F1
https://geektimes.ru/post/186284/" disabled=yes \
dst-address=192.168.100.1 in-interface=ether1 new-connection-mark=ISP1
add action=mark-routing chain=output connection-mark=ISP1 disabled=yes \
new-routing-mark=ISP1 passthrough=no
add action=mark-connection chain=input disabled=yes dst-address=192.168.200.1 \
in-interface=ether2 new-connection-mark=ISP2
add action=mark-routing chain=output connection-mark=ISP2 disabled=yes \
new-routing-mark=ISP2 passthrough=no
add action=mark-connection chain=input disabled=yes dst-address=192.168.250.1 \
in-interface=ether3 new-connection-mark=ISP3
add action=mark-routing chain=output connection-mark=ISP3 disabled=yes \
new-routing-mark=ISP3 passthrough=no
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
network2 passthrough=no src-address=192.168.2.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
network8 passthrough=no src-address=192.168.8.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
network29 passthrough=no src-address=192.168.29.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
/ip firewall service-port
set ftp disabled=yes
/ip route
add comment="\CC\E0\F0\EA\E8\F0\EE\E2\EA\E0 (\E2\E0\F0\E8\E0\ED\F2 \F1 \FE\F2\
\F3\E1\E0)" disabled=yes distance=1 gateway=192.168.100.1 routing-mark=m2
add disabled=yes distance=2 gateway=192.168.200.1 routing-mark=m8
add disabled=yes distance=3 gateway=ether2 routing-mark=m29
add check-gateway=arp comment="\CC\E0\F0\F8\F0\F3\F2 \F1 \F1\E0\E9\F2\E0" \
disabled=yes distance=10 gateway=192.168.100.1 routing-mark=network2
add check-gateway=arp disabled=yes distance=11 gateway=192.168.200.1 \
routing-mark=network8
add check-gateway=arp disabled=yes distance=12 gateway=192.168.250.1 \
routing-mark=network29
in-interface=ether3 new-connection-mark=ISP3
add action=mark-routing chain=output connection-mark=ISP3 disabled=yes \
new-routing-mark=ISP3 passthrough=no
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
network2 passthrough=no src-address=192.168.2.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
network8 passthrough=no src-address=192.168.8.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
network29 passthrough=no src-address=192.168.29.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
/ip firewall service-port
set ftp disabled=yes
/ip route
add comment="\CC\E0\F0\EA\E8\F0\EE\E2\EA\E0 (\E2\E0\F0\E8\E0\ED\F2 \F1 \FE\F2\
\F3\E1\E0)" disabled=yes distance=1 gateway=192.168.100.1 routing-mark=m2
add disabled=yes distance=2 gateway=192.168.200.1 routing-mark=m8
add disabled=yes distance=3 gateway=ether2 routing-mark=m29
add check-gateway=arp comment="\CC\E0\F0\F8\F0\F3\F2 \F1 \F1\E0\E9\F2\E0" \
disabled=yes distance=10 gateway=192.168.100.1 routing-mark=network2
add check-gateway=arp disabled=yes distance=11 gateway=192.168.200.1 \
routing-mark=network8
add check-gateway=arp disabled=yes distance=12 gateway=192.168.250.1 \
routing-mark=network29
add comment="\CC\E0\F0\F8\F0\F3\F2 (\EE\E1\F9\E8\E9)" distance=1 gateway=\
192.168.100.1,192.168.200.1
add comment="\CC\E0\F0\F8\F0\F3\F2 (\EE\F2\E4\E5\EB\FC\ED\EE)" disabled=yes \
distance=1 gateway=192.168.200.1
add disabled=yes distance=1 gateway=192.168.100.1
add disabled=yes distance=1 gateway=192.168.250.1
/ip service
set telnet address=192.168.8.0/24 disabled=yes
set ftp address=192.168.8.0/24 disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set winbox address=192.168.2.201/32,192.168.8.201/32,192.168.29.201/32
/system clock
set time-zone-name=Europe/Kiev
/system clock manual
set time-zone=+02:00
/system ntp client
set enabled=yes mode=unicast primary-ntp=79.142.192.4 secondary-ntp=\
31.28.161.68
/tool graphing interface
add allow-address=192.168.29.201/32
, вместо PPPoE поднимите DHCP-client на нем