Пример моей конфигурации

Материал из darklurker wiki
Перейти к: навигация, поиск
# oct/20/2018 19:19:00 by RouterOS 6.42.7 

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX arp=proxy-arp auto-mac=no name=bridge

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce comment=WLAN country=russia disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=whoami wireless-protocol=802.11

/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=XX:XX:XX:XX:XX:XX
set [ find default-name=ether2 ] comment=LAN mac-address=XX:XX:XX:XX:XX:XX
set [ find default-name=ether3 ] mac-address=XX:XX:XX:XX:XX:XX
set [ find default-name=ether4 ] mac-address=XX:XX:XX:XX:XX:XX

/interface wireless manual-tx-power-table
set wlan1 comment=WLAN

/interface wireless nstreme
set wlan1 comment=WLAN

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=XXXXXXXX wpa2-pre-shared-key=XXXXXXXX
add name=profile_guest_wifi supplicant-identity=MikroTik

/interface wireless
add comment="Guest wifi" disabled=no mac-address=XX:XX:XX:XX:XX:XX master-interface=wlan1 name=wlan2 security-profile=profile_guest_wifi ssid="zalupa free" wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps- mode=disabled

/interface wireless manual-tx-power-table
set wlan2 comment="Guest wifi"

/interface wireless nstreme
set wlan2 comment="Guest wifi"

/ip ipsec policy group
set [ find default=yes ] name=policy_group1

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn_pool ranges=192.168.112.2-192.168.112.10
add name=pptp-vpn-pool ranges=192.168.120.2-192.168.120.10
add name=guest_wifi_pool ranges=172.16.0.2-172.16.0.254

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=guest_wifi_pool disabled=no interface=wlan2 lease-time=15m name=dhcp_guest

/ppp profile
add change-tcp-mss=yes local-address=192.168.112.1 name=l2tp_profile remote-address=vpn_pool
add change-tcp-mss=yes local-address=192.168.120.1 name=pptp_profile remote-address=pptp-vpn-pool

/queue simple
add max-limit=10M/10M name=queue-guest target=wlan2

/snmp community
set [ find default=yes ] addresses=192.168.88.0/24

/system logging action
set 0 memory-lines=65000
add email-start-tls=yes email-to=XXXXXX@gmail.com name=mail target=email

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1

/ip neighbor discovery-settings
set discover-interface-list=none

/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=noway use-ipsec=yes

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface ovpn-server server
set require-client-certificate=yes

/interface pptp-server server
set default-profile=pptp_profile enabled=yes

/ip accounting
set enabled=yes threshold=1600

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=XX.XX.XX.XX/24 interface=ether1 network=XX.XX.XX.XX
add address=172.16.0.1/24 interface=wlan2 network=172.16.0.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1

/ip dhcp-server lease
add address=192.168.88.XX client-id=1:xx:xx:xx:xx:xx:xx mac-address=XX:XX:XX:XX:XX:XX server=defconf

/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.1,8.8.8.8 gateway=172.16.0.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=XX.XX.XX.XX,XX.XX.XX.XX

/ip dns static
add address=192.168.88.1 name=router.lan

/ip firewall address-list
add address=XX.XX.XX.XX list=whitelist
add address=192.168.112.0/24 list=whitelist
add address=192.168.120.0/24 list=whitelist
add address=192.168.88.0/24 list=whitelist

/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related disabled=yes
add action=drop chain=forward comment="deny guest reguests" dst-address=192.168.88.0/24 src-address=172.16.0.0/24
add action=drop chain=forward comment="deny guest reguests" dst-address=172.16.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="remote access" disabled=yes dst-port=993,995 protocol=tcp
add action=accept chain=input dst-address-list=whitelist dst-port=3389,5900 log=yes log-prefix=RDP/TCP protocol=tcp src-address=192.168.88.0/24
add action=accept chain=forward comment="ftp win server" disabled=yes dst-port=21 port="" protocol=tcp
add action=accept chain=output disabled=yes dst-port=21 port="" protocol=tcp
add action=drop chain=input comment="telnet, web, ssh access" dst-port=23 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=80 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=443 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment=VPN_servers port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input disabled=yes port=1723 protocol=tcp
add action=accept chain=input disabled=yes protocol=gre
add action=accept chain=forward comment="accept estabilished, related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN

/ip firewall nat
add action=dst-nat chain=dstnat comment=RDP dst-address=XX.XX.XX.XX dst-port=995 log=yes log-prefix=RDP protocol=tcp src-address-list=whitelist to-addresses=192.168.88.XX to-ports=3389
add action=dst-nat chain=dstnat comment=VNC dst-address=XX.XX.XX.XX dst-port=993 log=yes log-prefix=VNC protocol=tcp src-address-list=whitelist to-addresses=192.168.88.XX to-ports=5900
add action=dst-nat chain=dstnat comment=webserver dst-address=XX.XX.XX.XX dst-port=80 protocol=tcp to-addresses=192.168.88.XX to-ports=80
add action=dst-nat chain=dstnat dst-address=XX.XX.XX.XX dst-port=443 protocol=tcp to-addresses=192.168.88.XX to-ports=443
add action=dst-nat chain=dstnat comment="FTP win srv" dst-address=XX.XX.XX.XX dst-port=21 log=yes log-prefix=FTP protocol=tcp to-addresses=192.168.88.XX to-ports=21
add action=masquerade chain=srcnat comment="guest wifi" out-interface=wlan2 src-address=172.16.0.0/24
add action=masquerade chain=srcnat comment="acces from LAN to WAN apache" dst-address=192.168.88.XX dst-port=80,443 protocol=tcp src-address=192.168.88.XX
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=XXXXXX

/ip route
add distance=1 gateway=XX.XX.XX.XX

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=XX.XX.XX.XX/32,192.168.88.0/24,192.168.112.0/24,192.168.120.0/24
set api disabled=yes
set winbox address=192.168.88.0/24,XX.XX.XX.XX/32,192.168.112.0/24,192.168.120.0/24
set api-ssl disabled=yes

/ppp secret
add name=XXXXXX password=XXXXXXXXX profile=l2tp_profile service=l2tp
add name=XXXXXX password=XXXXXXXXX profile=pptp_profile service=pptp
add name=XXXXXX password=XXXXXXXXX profile=l2tp_profile service=l2tp

/snmp
set contact=XXXXX@gmail.com enabled=yes location=home trap-version=2

/system clock
set time-zone-name=Asia/Yekaterinburg

/system logging
add topics=watchdog
add topics=backup
add topics=firewall

/system ntp client
set enabled=yes primary-ntp=87.255.0.135 secondary-ntp=85.113.37.163

/system routerboard settings
set silent-boot=no

/system watchdog
set auto-send-supout=yes send-email-from=XXX@gmail.com send-email-to=XXX@gmail.com send-smtp-server=173.194.222.109 watch-address=8.8.8.8

/tool bandwidth-server
set enabled=no

/tool e-mail
set address=173.194.222.109 from=xxxx@gmail.com password=xxxxxxxxxx port=587 start-tls=yes user=xxxxxxx

/tool graphing interface add

/tool graphing queue add

/tool graphing resource add

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=none

/tool mac-server ping
set enabled=no