{{page>:menu}}

====== Routerboard ======

  * [[http://wiki.mikrotik.com/index.php?title=Manual:License&redirect=no#License_Levels|LEVELS - comparison]]
  * [[http://wiki.hkfree.org/Routerboard|HKfree Routerboard]]
  * [[http://www.mikrotik.com/testdocs/ros/3.0/refman3.0.pdf|PDF documentation]]
  * [[routerboard:EoIP]]
  * [[routerboard:IpSec + Zywall]]
  * [[routerboard:Wireless Client (Bridge)]]
  * [[http://wiki.mikrotik.com|Wiki]]
  * [[http://wiki.mikrotik.com/wiki/Manual:Packet_Flow|PacketFlow]]

===== Links =====

  * http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless

===== Settings =====

==== Default script ====

The script RouterOS runs after installation or a configuration reset (''$action = "apply"'') and when the user removes the default configuration (''$action = "revert"''):

<code>
#| IP address 192.168.88.1/24 is on ether1
#| ether1 is enabled

:global action

# these commands are executed after installation or configuration reset
:if ($action = "apply") do={
  :delay 5s
  /ip address add address=192.168.88.1/24 interface=ether1 comment="default configuration"
}

# these commands are executed if the user requests to remove the default configuration
:if ($action = "revert") do={
  /ip address {
    :local o [find address="192.168.88.1/24" interface="ether1" comment="default configuration"]
    :if ([:len $o] != 0) do={ remove $o }
  }
}
</code>

==== Firewall ====

''ether1'' is the internet-facing interface, ''ether2'' the LAN. Traffic from the internet is first passed through ''IN_FW'' (drops packets with private source addresses), and anything not explicitly accepted is jumped to ''LOGDROP''.

<code>
/ip firewall address-list
add address=46.13.7.64/27 comment=Datron disabled=no list=AdminIP
add address=92.240.178.97 comment=MTa disabled=no list=AdminIP
add address=195.113.144.201 comment="ntp.cesnet.cz" disabled=no list=NTP_servers

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1

################
## VPN L2TP/PPTP
################
/ip firewall nat
add action=dst-nat chain=dstnat comment="FWD -> SBS (PPTP)" dst-port=1723 in-interface=ether6-internet protocol=tcp to-addresses=192.168.1.5
add action=dst-nat chain=dstnat in-interface=ether6-internet protocol=gre to-addresses=192.168.1.5
add action=dst-nat chain=dstnat comment="FWD -> SBS (L2TP IpSEC)" dst-port=500,1701,4500 in-interface=ether6-internet protocol=udp to-addresses=192.168.1.5
add action=dst-nat chain=dstnat in-interface=ether6-internet protocol=ipsec-esp to-addresses=192.168.1.5

/ip firewall filter
add action=jump chain=input comment="INPUT jump IN_FW" disabled=no in-interface=ether1 jump-target=IN_FW
add action=accept chain=input comment=".....INPUT - established and related" connection-state=established disabled=no in-interface=ether1
add action=accept chain=input comment="" connection-state=related disabled=no in-interface=ether1
add action=accept chain=input comment=".....INPUT - ntp" disabled=no dst-port=123 protocol=udp src-address-list=NTP_servers
add action=accept chain=input comment="" disabled=no dst-port=123 in-interface=!ether1 protocol=udp
add action=accept chain=input comment=".....INPUT - services on the RB (DNS,NTP,ICMP)" disabled=no in-interface=ether1 protocol=udp src-port=53,123
add action=accept chain=input comment="" disabled=no in-interface=ether1 protocol=icmp
add action=accept chain=input comment=".....INPUT - connections from the internet" disabled=no in-interface=ether1 src-address-list=AdminIP
add action=accept chain=input comment="" disabled=no dst-port=22,8291 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=".....INPUT - packets from the local network to the RB" disabled=no dst-address=192.168.0.1 dst-address-list="" in-interface=ether2
add action=accept chain=input comment=".....INPUT - dhcp packets" disabled=yes dst-port=67 in-interface=!ether1 protocol=udp
add action=accept chain=input comment=".....INPUT - broadcasts are ours too" disabled=no dst-address=86.63.213.51 in-interface=ether1
add action=accept chain=input comment="" disabled=no dst-address=192.168.0.255 dst-address-list="" in-interface=ether2
add action=jump chain=input comment=".....INPUT - deny everything else" disabled=no jump-target=LOGDROP
add action=jump chain=forward comment="FORWARD jump IN_FW" disabled=no in-interface=ether1 jump-target=IN_FW
add action=accept chain=forward comment=".....FORWARD - established and related" connection-state=established disabled=no in-interface=ether1
add action=accept chain=forward comment="" connection-state=related disabled=no in-interface=ether1
add action=accept chain=forward comment=".....FORWARD - forwarded ports" disabled=no dst-address-list=W2003_Exchange dst-port=3389 in-interface=ether1 out-interface=ether2 protocol=tcp src-address-list=AdminIP
add action=accept chain=forward comment=".....FORWARD - allow NAT for the LAN" disabled=no in-interface=ether2 out-interface=ether1
add action=jump chain=forward comment=".....FORWARD - deny everything else" disabled=no jump-target=LOGDROP
add action=accept chain=output comment="OUTPUT" disabled=no src-address=86.63.213.49
add action=accept chain=output comment="" disabled=no src-address=192.168.0.1
add action=accept chain=output comment=".....OUTPUT - dhcp broadcasts to the lan (not needed yet)" disabled=yes dst-port=68 out-interface=!ether1 protocol=udp src-port=67
add action=jump chain=output comment=".....OUTPUT - deny everything else" disabled=no jump-target=LOGDROP
add action=drop chain=IN_FW comment="IN_FW" disabled=no src-address=192.168.0.0/16
add action=drop chain=IN_FW comment="" disabled=no src-address=10.0.0.0/8
add action=drop chain=IN_FW comment="" disabled=no src-address=172.16.0.0/12
add action=log chain=LOGDROP comment="LOGDROP" disabled=no log-prefix=""
add action=drop chain=LOGDROP comment="" disabled=yes
</code>

Two things to check before using this export as-is:

  * The ''drop'' rule in ''LOGDROP'' is ''disabled=yes''. A chain that ends without a terminal action returns to the caller, and since the jump to ''LOGDROP'' is the last rule in ''input'', ''forward'' and ''output'', everything "denied" is in fact only logged and then accepted by the built-in chain's default policy. Enable the drop once the log shows nothing legitimate is being caught.
  * The rule accepting tcp/22,8291 on ''ether1'' has no ''src-address-list=AdminIP'' match, so SSH and WinBox are reachable from the whole internet, not only from the admin addresses the previous rule allows.

==== Shaping ====

Connections are classified in ''mangle'' (remote access, WWW+FTP, P2P, everything else), packets are marked per destination host group (''ISA'', ''ASA'', ''KWF'', ''DMZ'') and the marks feed the queue tree:

<code>
/ip firewall address-list
add address=212.158.133.141 comment="" disabled=no list=ISA
add address=212.158.133.135 comment="" disabled=no list=ASA
add address=212.158.133.128/27 comment="" disabled=no list=DMZ
add address=212.158.133.139 comment="" disabled=no list=KWF

/ip firewall mangle
add action=log chain=prerouting comment="traffic logging" disabled=yes log-prefix=traffic: p2p=all-p2p
add action=mark-connection chain=prerouting comment="IN - remote" disabled=no new-connection-mark=remote_conn passthrough=yes port=22,1194,3389,1723 protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=remote_conn passthrough=yes port=1194,49411 protocol=udp
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=remote_conn passthrough=yes protocol=gre
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=remote_conn passthrough=yes protocol=ipsec-esp
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=remote_conn passthrough=yes protocol=ipsec-ah
add action=mark-packet chain=prerouting comment="" connection-mark=remote_conn disabled=no dst-address-list=ISA in-bridge-port=ether2 new-packet-mark=isa_remote_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=remote_conn disabled=no dst-address-list=ASA in-bridge-port=ether2 new-packet-mark=asa_remote_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=remote_conn disabled=no dst-address-list=KWF in-bridge-port=ether2 new-packet-mark=kwf_remote_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=remote_conn disabled=no dst-address-list=DMZ in-bridge-port=ether2 new-packet-mark=dmz_remote_in passthrough=no
add action=mark-connection chain=prerouting comment="IN - WWW+FTP" disabled=no new-connection-mark=www_conn passthrough=yes port=80,443 protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no layer7-protocol=ftp new-connection-mark=www_conn passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=www_conn disabled=no dst-address-list=ISA in-bridge-port=ether2 new-packet-mark=isa_www_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=www_conn disabled=no dst-address-list=ASA in-bridge-port=ether2 new-packet-mark=asa_www_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=www_conn disabled=no dst-address-list=KWF in-bridge-port=ether2 new-packet-mark=kwf_www_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=www_conn disabled=no dst-address-list=DMZ in-bridge-port=ether2 new-packet-mark=dmz_www_in passthrough=no
add action=mark-connection chain=prerouting comment="IN - P2P" disabled=no new-connection-mark=p2p_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn disabled=no dst-address-list=ISA in-bridge-port=ether2 new-packet-mark=isa_p2p_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn disabled=no dst-address-list=ASA in-bridge-port=ether2 new-packet-mark=asa_p2p_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn disabled=no dst-address-list=KWF in-bridge-port=ether2 new-packet-mark=kwf_p2p_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn disabled=no dst-address-list=DMZ in-bridge-port=ether2 new-packet-mark=dmz_p2p_in passthrough=no
add action=mark-connection chain=prerouting comment="IN - other traffic" disabled=no new-connection-mark=other_conn passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no dst-address-list=ISA in-bridge-port=ether2 new-packet-mark=isa_other_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no dst-address-list=ASA in-bridge-port=ether2 new-packet-mark=asa_other_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no dst-address-list=KWF in-bridge-port=ether2 new-packet-mark=kwf_other_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no dst-address-list=DMZ in-bridge-port=ether2 new-packet-mark=dmz_other_in passthrough=no
add action=mark-packet chain=prerouting comment="OUT - other traffic" connection-mark=other_conn disabled=no in-bridge-port=ether3 new-packet-mark=isa_other_out passthrough=no src-address-list=ISA
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no in-bridge-port=ether3 new-packet-mark=asa_other_out passthrough=no src-address-list=ASA
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no in-bridge-port=ether3 new-packet-mark=kwf_other_out passthrough=no src-address-list=KWF
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no in-bridge-port=ether3 new-packet-mark=dmz_other_out passthrough=no src-address-list=DMZ

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=main_in parent=global-in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1500k max-limit=6M name=isa_in parent=main_in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1500k max-limit=6M name=kwf_in parent=main_in priority=2 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1500k max-limit=6M name=asa_in parent=main_in priority=3
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=main_out parent=global-in priority=2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=isa_out parent=main_out priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=kwf_out parent=main_out priority=2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=asa_out parent=main_out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1500k max-limit=6M name=dmz_in parent=main_in priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=375k max-limit=5M name=isa_www_in packet-mark=isa_www_in parent=isa_in priority=5 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=375k max-limit=5M name=isa_ostatni_in packet-mark=isa_other_in parent=isa_in priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500k max-limit=6M name=asa_www_in packet-mark=asa_www_in parent=asa_in priority=1 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500k max-limit=6M name=asa_ostatni_in packet-mark=asa_other_in parent=asa_in priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=375k max-limit=2M name=isa_p2p_in packet-mark=isa_p2p_in parent=isa_in priority=7 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=20k max-limit=6M name=asa_p2p_in packet-mark=asa_p2p_in parent=asa_in priority=2 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=dmz_out parent=main_out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=isa_other_out packet-mark=isa_other_out parent=isa_out priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=kwf_other_out packet-mark=kwf_other_out parent=kwf_out priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=asa_other_out packet-mark=asa_other_out parent=asa_out priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=dmz_other_out packet-mark=dmz_other_out parent=dmz_out priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=375k max-limit=6M name=isa_remote_in packet-mark=isa_remote_in parent=isa_in priority=4 queue=synchronous-default
</code>

==== Clock ====

<code>
/system clock set time-zone-name=Europe/Prague
/system ntp client set enabled=yes mode=unicast primary-ntp=195.113.144.201 secondary-ntp=195.113.144.238
</code>

==== Web proxy ====

  * The proxy ports (8080 and 3128 below) must be blocked on the WAN interface! Otherwise the router is usable as an open proxy from the internet; the ''/ip proxy access'' list alone should not be relied on for that.
<code>
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=yes max-cache-size=3500KiB \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080,3128 \
    serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=allow comment="" disabled=no src-address=10.26.71.0/24
</code>

==== Scripts ====

  * creates a backup file in rsc format (backup.rsc)

<code>
/export file=backup
</code>

  * dynamic update of the admin address list: the DNS names are resolved every 2 hours and the addresses are added with a 7-day timeout, so a stale entry expires on its own

<code>
/system scheduler
add interval=2h name=dynamic_ACL_Admin on-event="/ip firewall address-list add\
    \_address=[:resolve cl.talman.cz] list=Admin_IP timeout=\"7d 00:00:00\"\r\
    \n/ip firewall address-list add address=[:resolve mail.nevole.com] list=Ad\
    min_IP timeout=\"7d 00:00:00\"" policy=\
    ftp,reboot,read,write,policy,test,password,sensitive start-date=\
    sep/08/2015 start-time=00:00:00
</code>

The scheduler entry only needs the policies its commands use (''read'', ''write'' and ''test'' for '':resolve''); ''ftp'', ''reboot'', ''policy'', ''password'' and ''sensitive'' are not needed and should be dropped.

  * if the ping fails, the configuration is reset and backup.rsc is loaded after the restart

<code>
:if ([/ping 86.63.200.74 count=5] = 0) do={
  /system reset-configuration keep-users=yes no-defaults=yes run-after-reset=backup.rsc
}
</code>

  * sends the backup by e-mail

<code>
:local emailFrom ""
:local emailTo ""
:local smtp "mailserver"

# set the mail server
/tool e-mail set address=$smtp

# create the backups (binary .backup and text .rsc)
/system backup save name=backup.backup password=[/system identity get name]
/export file=backup
:delay 10s
/tool e-mail send to=$emailTo subject=("Mikrotik: " . [/system identity get name]) file=backup.backup from=$emailFrom
/tool e-mail send to=$emailTo subject=("Mikrotik: " . [/system identity get name]) file=backup.rsc from=$emailFrom
:delay 10s
/file remove backup.backup
/file remove backup.rsc
</code>

Note that the backup is encrypted with the router's identity (its hostname) as the password, which is easy to guess, and the .rsc export is sent unencrypted with the complete configuration in it. Use a real secret for ''password='' and send only to a mailbox you trust with the configuration.

  * sends the IP address by e-mail (after a restart)

<code>
/tool e-mail send to="mtalman@datron.cz" subject=("Mikrotik: " . [/system identity get name] . " - restarted") server=212.158.133.141 from= body=([/ip address get number=4 value-name=address])
</code>

  * Facebook IP addresses

<code>
/ip firewall address-list
add address=92.240.179.149 list=Facebook
add address=31.13.24.0/21 list=Facebook
add address=31.13.64.0/18 list=Facebook
add address=31.13.64.0/19 list=Facebook
add address=31.13.64.0/24 list=Facebook
add address=31.13.65.0/24 list=Facebook
add address=31.13.66.0/24 list=Facebook
add address=31.13.70.0/24 list=Facebook
add address=31.13.71.0/24 list=Facebook
add address=31.13.72.0/24 list=Facebook
add address=31.13.73.0/24 list=Facebook
add address=31.13.74.0/24 list=Facebook
add address=31.13.75.0/24 list=Facebook
add address=31.13.76.0/24 list=Facebook
add address=31.13.77.0/24 list=Facebook
add address=31.13.79.0/24 list=Facebook
add address=31.13.82.0/24 list=Facebook
add address=31.13.83.0/24 list=Facebook
add address=31.13.84.0/24 list=Facebook
add address=31.13.85.0/24 list=Facebook
add address=31.13.86.0/24 list=Facebook
add address=31.13.90.0/24 list=Facebook
add address=31.13.91.0/24 list=Facebook
add address=31.13.93.0/24 list=Facebook
add address=31.13.95.0/24 list=Facebook
add address=31.13.96.0/19 list=Facebook
add address=66.220.144.0/20 list=Facebook
add address=66.220.144.0/21 list=Facebook
add address=66.220.152.0/21 list=Facebook
add address=69.63.176.0/20 list=Facebook
add address=69.63.176.0/21 list=Facebook
add address=69.63.184.0/21 list=Facebook
add address=69.171.224.0/19 list=Facebook
add address=69.171.224.0/20 list=Facebook
add address=69.171.239.0/24 list=Facebook
add address=69.171.240.0/20 list=Facebook
add address=69.171.255.0/24 list=Facebook
add address=74.119.76.0/22 list=Facebook
add address=103.4.96.0/22 list=Facebook
add address=173.252.64.0/19 list=Facebook
add address=173.252.96.0/19 list=Facebook
add address=179.60.192.0/22 list=Facebook
add address=179.60.192.0/24 list=Facebook
add address=179.60.193.0/24 list=Facebook
add address=204.15.20.0/22 list=Facebook
</code>

=== export configuration to e-mail ===

<code>
# v6 and higher
:local emailTo "mail@from.cz";
:local emailFrom "rb493g@domain.com";
:local smtp "85.207.44.1";
/export compact file=export
/tool e-mail send to="$emailTo" subject=("Mikrotik: " . [/system identity get name]) file=export.rsc server=$smtp from=$emailFrom
</code>

=== resolve Eset ===

Resolves the ESET update servers and puts them in the ''Eset'' address list with a 1-day timeout; an entry that already exists (or a name that does not resolve) is logged and skipped:

<code>
:local listname Eset
:local list { "um01.eset.com";"um02.eset.com";"um03.eset.com";"um04.eset.com";"um05.eset.com";"um06.eset.com";"um07.eset.com";"um08.eset.com";"um09.eset.com";
  "um10.eset.com";"um11.eset.com";"um13.eset.com";"um21.eset.com";"um23.eset.com";"um01.ru.eset.com";"um01.cn.eset.com";"um10.za.eset.com";
  "register.eset.com";"h1-weblb01-v.eset.com";"h3-weblb01-v.eset.com";"edf.eset.com";"edfpcs.trafficmanager.net";"edf-pcs.cloudapp.net";"edf-pcs2.cloudapp.net" };
:foreach name in=$list do={
  :do {
    /ip firewall address-list add address=[:resolve $name] list="$listname" comment="$name" timeout="1d 00:00:00"
  } on-error={ :log info "resolver failed - $name already in list" };
};
</code>

=== access list by IP country ===

<code>
/system scheduler
add interval=1d name="address lists CZ" on-event="/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CZ\r\
    \n/import file-name=CZ" policy=read,write,test start-time=startup
</code>

The downloaded file is a RouterOS script and ''/import'' executes whatever it contains with the scheduler's ''write'' policy, so this trusts both the publisher and every network hop, since the fetch is plain HTTP. Fetch over HTTPS if the source offers it and check the file before importing it.
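An added check, written for this page and not part of the original wiki or of RouterOS, that audits an ''/export'' of ''/ip firewall filter'' for the two pitfalls described in the Firewall section above: TCP management ports accepted from the WAN with no source restriction, and a jump target such as ''LOGDROP'' whose drop rule is disabled so that "denied" traffic is only logged. The sample export embedded in the script is a constructed, shortened copy of the page's rules; ''ether1'' as the WAN interface and ''MGMT_PORTS'' as the default ''/ip service'' ports are assumptions to adjust for the router being checked.

```python
"""Audit a RouterOS '/ip firewall filter' export for two pitfalls: management
ports accepted from the WAN with no source restriction, and a jump target
chain whose drop rule is disabled (so the 'deny everything else' never fires)."""
import shlex

# Constructed sample (assumption): a shortened copy of the page's filter rules
# with the long dashed comments cut down. Not a live export.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=jump chain=input comment="INPUT jump IN_FW" disabled=no \
    in-interface=ether1 jump-target=IN_FW
add action=accept chain=input comment=".....INPUT - established and related" \
    connection-state=established disabled=no in-interface=ether1
add action=accept chain=input comment="" disabled=no dst-port=123 \
    in-interface=!ether1 protocol=udp
add action=accept chain=input comment=".....INPUT - connections from the internet" \
    disabled=no in-interface=ether1 src-address-list=AdminIP
add action=accept chain=input comment="" disabled=no dst-port=22,8291 \
    in-interface=ether1 protocol=tcp
add action=jump chain=input comment=".....INPUT - deny everything else" \
    disabled=no jump-target=LOGDROP
add action=drop chain=IN_FW comment="" disabled=no src-address=10.0.0.0/8
add action=log chain=LOGDROP comment="LOGDROP" disabled=no log-prefix=""
add action=drop chain=LOGDROP comment="" disabled=yes
"""

# Assumption: default /ip service ports (ftp, ssh, telnet, www, www-ssl, winbox, api, api-ssl).
MGMT_PORTS = {21, 22, 23, 80, 443, 8291, 8728, 8729}


def join_continuations(text):
    """Re-join lines that the export wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        buf += piece
        if buf:
            lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict; shlex handles quoted values."""
    rules = []
    for line in join_continuations(text):
        if not line.startswith("add "):
            continue  # skip section headers such as '/ip firewall filter'
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def dst_ports(rule):
    """Expand 'dst-port=22,8291,8728-8729' into a set of ints."""
    ports = set()
    for item in filter(None, rule.get("dst-port", "").split(",")):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def exposed_management(rules, wan_iface):
    """Enabled input/accept rules that admit TCP management ports arriving on the
    WAN (or on any interface) without a src-address or src-address-list match."""
    findings = []
    for r in rules:
        if r.get("chain") != "input" or r.get("action") != "accept":
            continue
        if r.get("disabled") == "yes" or r.get("protocol") != "tcp":
            continue
        iface = r.get("in-interface")
        if iface is not None and iface != wan_iface:
            continue
        if r.get("src-address") or r.get("src-address-list"):
            continue
        hit = dst_ports(r) & MGMT_PORTS
        if hit:
            findings.append(f"management port(s) {sorted(hit)} accepted on "
                            f"{iface or 'any interface'} with no source restriction")
    return findings


def unenforced_catch_all(rules):
    """Jump targets with no enabled drop/reject. A chain that ends without a
    terminal action returns to the caller; when the jump is the caller's last
    rule, the packet is accepted by the built-in chain's default policy."""
    findings = []
    targets = {r["jump-target"] for r in rules
               if r.get("action") == "jump" and r.get("disabled") != "yes"}
    for chain in sorted(targets):
        if not any(r.get("chain") == chain and r.get("disabled") != "yes"
                   and r.get("action") in ("drop", "reject") for r in rules):
            findings.append(f"chain {chain} is a jump target but has no enabled "
                            f"drop/reject rule")
    return findings


def audit(text, wan_iface):
    """Run both checks over an export and return the findings as strings."""
    rules = parse_rules(text)
    return exposed_management(rules, wan_iface) + unenforced_catch_all(rules)


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, "ether1"):
        print("FINDING:", finding)
```

Against the sample it reports the tcp/22,8291 rule and the ''LOGDROP'' chain. To use it on a router, run ''/export file=fw'', copy ''fw.rsc'' off the box and pass its contents to ''audit()'' with the real WAN interface name; extend ''MGMT_PORTS'' (and the protocol test) if services such as SNMP or the API run on non-default ports.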