Routerboard
odkazy
Nastavení
defaultní skript
#| IP address 192.168.88.1/24 is on ether1
#| ether1 is enabled
# Stock default-configuration script. RouterOS runs it with $action set to
# "apply" after an install / configuration reset and to "revert" when the user
# removes the default configuration. NOTE(review): the rest of this page uses
# ether1 as the internet uplink; unless this script is reverted, the private
# address 192.168.88.1/24 stays configured on that port.
:global action
# these commands are executed after installation or configuration reset
:if ($action = "apply") do={
# short pause before configuring the interface (the script gives no reason;
# presumably to let ether1 come up)
:delay 5s
/ip address add address=192.168.88.1/24 interface=ether1 comment="default configuration"
}
# these commands are executed if user requests to remove default configuration
:if ($action = "revert") do={
/ip address {
# remove only the entry this script created: address, interface and comment
# must all match, so a manually added address on ether1 is left alone
:local o [find address="192.168.88.1/24" interface="ether1" comment="default configuration"]
:if ([:len $o] != 0) do={ remove $o }
}
}
Firewall
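/ip firewall address-list
# AdminIP: sources that may manage the router from the internet (see the
# input chain in the filter section). Every entry gets unrestricted access to
# the router, so keep this list short and review it when admins change.
add address=46.13.7.64/27 comment=Datron disabled=no list=AdminIP
add address=92.240.178.97 comment=MTa disabled=no list=AdminIP
# NTP_servers: sources allowed to reach udp/123 on the router. The NTP client
# on this page is configured with two servers; the exported list only held the
# primary, so the secondary is added here to keep list and client consistent.
add address=195.113.144.201 comment="ntp.cesnet.cz" disabled=no list=NTP_servers
add address=195.113.144.238 comment="secondary ntp (see /system ntp client)" disabled=no list=NTP_servers
# Source NAT for everything leaving ether1 (the uplink). There is no
# src-address match, so anything the router forwards out ether1 is masqueraded.
/ip firewall nat add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1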
################
## VPN L2TP/PPTP
################
# Port forwards for a VPN server at 192.168.1.5: PPTP (tcp/1723 plus GRE) and
# L2TP/IPsec (udp/500,1701,4500 plus ESP). NOTE(review): in-interface is
# ether6-internet here while every other rule on this page treats ether1 as the
# uplink — this looks like a snippet from a different device; confirm before
# merging. dst-nat alone does not admit the traffic: the forward chain must
# accept it as well, and the forward rules on this page only accept tcp/3389
# from AdminIP, so these four forwards would need matching forward accepts.
/ip firewall nat
add action=dst-nat chain=dstnat comment="FWD -> SBS (PPTP)" dst-port=1723 in-interface=ether6-internet protocol=tcp to-addresses=192.168.1.5
add action=dst-nat chain=dstnat in-interface=ether6-internet protocol=gre to-addresses=192.168.1.5
add action=dst-nat chain=dstnat comment="FWD -> SBS (L2TP IpSEC)" dst-port=500,1701,4500 in-interface=ether6-internet protocol=udp to-addresses=192.168.1.5
add action=dst-nat chain=dstnat in-interface=ether6-internet protocol=ipsec-esp to-addresses=192.168.1.5
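/ip firewall filter
# INPUT: traffic addressed to the router itself. Packets from ether1 (the
# uplink) first pass the bogon check in IN_FW; only the explicit accepts below
# survive, and the final jump to LOGDROP logs and drops the rest.
add action=jump chain=input comment="INPUT jump IN_FW ------------------------\
--------------------------------------------------------------------------\
--------------------------------------------------------------------------\
" disabled=no in-interface=ether1 jump-target=IN_FW
add action=accept chain=input comment=".....INPUT - established a related" \
connection-state=established disabled=no in-interface=ether1
add action=accept chain=input comment="" connection-state=related disabled=no \
in-interface=ether1
# NTP: replies from the listed servers, plus any udp/123 from the inside.
add action=accept chain=input comment=".....INPUT - ntp" disabled=no \
dst-port=123 protocol=udp src-address-list=NTP_servers
add action=accept chain=input comment="" disabled=no dst-port=123 \
in-interface=!ether1 protocol=udp
# Disabled: this rule matched on the *source* port, so any internet host that
# sends from port 53 or 123 could reach every UDP service on the router.
# Legitimate DNS/NTP replies are already covered by established/related above.
add action=accept chain=input comment=".....INPUT - sluzby na RB (DNS,NTP,ICMP)" disabled=yes in-interface=ether1 protocol=udp src-port=53,123
add action=accept chain=input comment="" disabled=no in-interface=ether1 protocol=icmp
# Management from the internet: only sources in AdminIP. The first rule already
# admits AdminIP without restriction; the 22/8291 (ssh, winbox) rule originally
# had no source match and exposed both ports to every host on ether1, so it is
# now limited to AdminIP as well (it can be merged into the rule above).
add action=accept chain=input comment=".....INPUT - spojeni z internetu" \
disabled=no in-interface=ether1 src-address-list=AdminIP
add action=accept chain=input comment="" disabled=no dst-port=22,8291 \
in-interface=ether1 protocol=tcp src-address-list=AdminIP
# LAN side: anything from ether2 addressed to the router's LAN address.
add action=accept chain=input comment=\
".....INPUT - pakety z lokalni site na RB" disabled=no dst-address=\
192.168.0.1 dst-address-list="" in-interface=ether2
add action=accept chain=input comment=".....INPUT - dhcp pakety" disabled=yes \
dst-port=67 in-interface=!ether1 protocol=udp
# Directed broadcasts: 86.63.213.51 on the uplink (presumably the WAN subnet's
# broadcast address) and 192.168.0.255 on the LAN.
add action=accept chain=input comment=\
".....INPUT - broadcasty jsou take nase" disabled=no dst-address=\
86.63.213.51 in-interface=ether1
add action=accept chain=input comment="" disabled=no dst-address=\
192.168.0.255 dst-address-list="" in-interface=ether2
add action=jump chain=input comment=".....INPUT - vse ostatni zakazat" \
disabled=no jump-target=LOGDROP
# FORWARD: traffic through the router. Bogon check on the uplink, then
# established/related, the RDP forward for admins, LAN->internet, drop the rest.
add action=jump chain=forward comment="FORWARD jump IN_FW --------------------\
--------------------------------------------------------------------------\
--------------------------------------------------------------------------\
----" disabled=no in-interface=ether1 jump-target=IN_FW
add action=accept chain=forward comment=\
".....FORWARD - established a related" connection-state=established \
disabled=no in-interface=ether1
add action=accept chain=forward comment="" connection-state=related disabled=\
no in-interface=ether1
# tcp/3389 from AdminIP to the W2003_Exchange list (that list is not defined on
# this page; the rule matches nothing until it exists).
add action=accept chain=forward comment=".....FORWARD - presmerovane porty" \
disabled=no dst-address-list=W2003_Exchange dst-port=3389 in-interface=\
ether1 out-interface=ether2 protocol=tcp src-address-list=AdminIP
add action=accept chain=forward comment=".....FORWARD - NAT pro LAN povolit" \
disabled=no in-interface=ether2 out-interface=ether1
add action=jump chain=forward comment=\
".....FORWARD - v\9Ae ostatn\ED zak\E1zat" disabled=no jump-target=\
LOGDROP
# OUTPUT: the router may only source traffic from its WAN and LAN addresses.
# Any other local address (VPN, management VLAN, the default 192.168.88.1) must
# be added here before the LOGDROP drop below is relied on.
add action=accept chain=output comment="OUTPUT -------------------------------\
--------------------------------------------------------------------------\
-------------------------------------------------------------------" \
disabled=no src-address=86.63.213.49
add action=accept chain=output comment="" disabled=no src-address=192.168.0.1
add action=accept chain=output comment=\
".....OUTPUT - dhcp broadcasty na lan (zatim neni treba)" disabled=yes \
dst-port=68 out-interface=!ether1 protocol=udp src-port=67
add action=jump chain=output comment=".....OUTPUT - vse ostatni zakazat" \
disabled=no jump-target=LOGDROP
# IN_FW: private source addresses never arrive legitimately on the uplink.
# An unmatched packet returns to the calling chain automatically.
add action=drop chain=IN_FW comment="IN_FW -----------------------------------\
--------------------------------------------------------------------------\
---------------------------------------------------------------" \
disabled=no src-address=192.168.0.0/16
add action=drop chain=IN_FW comment="" disabled=no src-address=10.0.0.0/8
add action=drop chain=IN_FW comment="" disabled=no src-address=172.16.0.0/12
# LOGDROP: log, then drop. The exported drop rule was disabled=yes, which made
# every "vse ostatni zakazat" jump above log-only: packets returned from the
# chain and hit the default accept, so none of the three chains actually
# filtered anything. Enabled here; the log prefix makes the entries easy to
# find in /log and to ship to a collector.
add action=log chain=LOGDROP comment="LOGDROP --------------------------------\
--------------------------------------------------------------------------\
------------------------------------------------------------------" \
disabled=no log-prefix=LOGDROP
add action=drop chain=LOGDROP comment="" disabled=no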
Shaping
/ip firewall address-list
# Per-server lists used only as match keys by the mangle and queue sections
# below: three single hosts and the DMZ /27 that contains them all (including
# 212.158.133.141, which the mail script further down uses as SMTP server).
add address=212.158.133.141 comment="" disabled=no list=ISA
add address=212.158.133.135 comment="" disabled=no list=ASA
add address=212.158.133.128/27 comment="" disabled=no list=DMZ
add address=212.158.133.139 comment="" disabled=no list=KWF
/ip firewall mangle
# Traffic classification for the queue tree. Pattern: each traffic class gets a
# connection mark (passthrough=yes so later rules still run), then one
# packet-mark rule per server list turns it into a <server>_<class>_in mark
# (passthrough=no: the first matching server list wins). Rules are evaluated in
# order, so a connection matches the first class whose rule fits it and
# "other_conn" is the catch-all for everything unmarked before it.
# Optional p2p traffic log (disabled). NOTE(review): the p2p matcher is not
# available in every RouterOS version — confirm on the target release.
add action=log chain=prerouting comment="logov\E1n\ED provozu" disabled=yes log-prefix=traffic: p2p=all-p2p
# "remote": admin/VPN protocols. The `port=` matcher matches either source or
# destination port. 22 ssh, 3389 RDP and 1723 PPTP appear elsewhere on this
# page; 1194 is presumably OpenVPN and 49411 is unexplained — confirm.
add action=mark-connection chain=prerouting comment="IN - remote" disabled=no new-connection-mark=remote_conn passthrough=yes port=22,1194,3389,1723 protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=remote_conn passthrough=yes port=1194,49411 protocol=udp
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=remote_conn passthrough=yes protocol=gre
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=remote_conn passthrough=yes protocol=ipsec-esp
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=remote_conn passthrough=yes protocol=ipsec-ah
# in-bridge-port matching implies the servers sit behind a bridge whose ports
# include ether2 (inbound) and ether3 (outbound) — the bridge is not on this page.
add action=mark-packet chain=prerouting comment="" connection-mark=remote_conn disabled=no dst-address-list=ISA in-bridge-port=ether2 new-packet-mark=isa_remote_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=remote_conn disabled=no dst-address-list=ASA in-bridge-port=ether2 new-packet-mark=asa_remote_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=remote_conn disabled=no dst-address-list=KWF in-bridge-port=ether2 new-packet-mark=kwf_remote_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=remote_conn disabled=no dst-address-list=DMZ in-bridge-port=ether2 new-packet-mark=dmz_remote_in passthrough=no
# "www": http/https plus FTP detected by a layer7 definition named "ftp",
# which must exist under /ip firewall layer7-protocol (not shown here).
add action=mark-connection chain=prerouting comment="IN - WWW+FTP" disabled=no new-connection-mark=www_conn passthrough=yes port=80,443 protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no layer7-protocol=ftp new-connection-mark=www_conn passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=www_conn disabled=no dst-address-list=ISA in-bridge-port=ether2 new-packet-mark=isa_www_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=www_conn disabled=no dst-address-list=ASA in-bridge-port=ether2 new-packet-mark=asa_www_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=www_conn disabled=no dst-address-list=KWF in-bridge-port=ether2 new-packet-mark=kwf_www_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=www_conn disabled=no dst-address-list=DMZ in-bridge-port=ether2 new-packet-mark=dmz_www_in passthrough=no
# "p2p": anything the built-in p2p matcher recognises.
add action=mark-connection chain=prerouting comment="IN - P2P" disabled=no new-connection-mark=p2p_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn disabled=no dst-address-list=ISA in-bridge-port=ether2 new-packet-mark=isa_p2p_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn disabled=no dst-address-list=ASA in-bridge-port=ether2 new-packet-mark=asa_p2p_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn disabled=no dst-address-list=KWF in-bridge-port=ether2 new-packet-mark=kwf_p2p_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn disabled=no dst-address-list=DMZ in-bridge-port=ether2 new-packet-mark=dmz_p2p_in passthrough=no
# "other": catch-all connection mark. Because passthrough=yes on the earlier
# mark-connection rules, a connection already marked remote/www/p2p is
# re-marked here unless those rules stop matching — NOTE(review): this rule
# has no connection-mark=no-mark guard; confirm it does not overwrite the
# marks set above.
add action=mark-connection chain=prerouting comment="IN - ostatni provoz" disabled=no new-connection-mark=other_conn passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no dst-address-list=ISA in-bridge-port=ether2 new-packet-mark=isa_other_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no dst-address-list=ASA in-bridge-port=ether2 new-packet-mark=asa_other_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no dst-address-list=KWF in-bridge-port=ether2 new-packet-mark=kwf_other_in passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no dst-address-list=DMZ in-bridge-port=ether2 new-packet-mark=dmz_other_in passthrough=no
# Outbound direction: packets entering from the server side (ether3), keyed by
# source list. Only the "other" class is marked outbound.
add action=mark-packet chain=prerouting comment="OUT - ostatni provoz" connection-mark=other_conn disabled=no in-bridge-port=ether3 new-packet-mark=isa_other_out passthrough=no src-address-list=ISA
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no in-bridge-port=ether3 new-packet-mark=asa_other_out passthrough=no src-address-list=ASA
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no in-bridge-port=ether3 new-packet-mark=kwf_other_out passthrough=no src-address-list=KWF
add action=mark-packet chain=prerouting comment="" connection-mark=other_conn disabled=no in-bridge-port=ether3 new-packet-mark=dmz_other_out passthrough=no src-address-list=DMZ
/queue tree
# HTB tree fed by the packet marks from the mangle section. Download side:
# main_in caps everything at 6M and splits it into per-server parents
# (isa/kwf/asa/dmz), each guaranteed 1500k; leaves under them are keyed by
# <server>_<class>_in marks.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=main_in parent=global-in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1500k max-limit=6M name=isa_in parent=main_in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1500k max-limit=6M name=kwf_in parent=main_in priority=2 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1500k max-limit=6M name=asa_in parent=main_in priority=3
# Upload side. NOTE(review): main_out is parented to global-in as well; confirm
# this is intended for the RouterOS version in use (the mangle rules mark these
# packets on entry from ether3, which is consistent with an ingress parent).
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=main_out parent=global-in priority=2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=isa_out parent=main_out priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=kwf_out parent=main_out priority=2
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=asa_out parent=main_out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1500k max-limit=6M name=dmz_in parent=main_in priority=8 queue=synchronous-default
# Leaves. Only ISA and ASA have per-class download leaves; the marks
# asa_remote_in, kwf_*_in and dmz_*_in set in mangle have no leaf here, so
# that traffic presumably bypasses the tree (leaves need a packet-mark) — confirm.
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=375k max-limit=5M name=isa_www_in packet-mark=isa_www_in parent=isa_in priority=5 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=375k max-limit=5M name=isa_ostatni_in packet-mark=isa_other_in parent=isa_in priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500k max-limit=6M name=asa_www_in packet-mark=asa_www_in parent=asa_in priority=1 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500k max-limit=6M name=asa_ostatni_in packet-mark=asa_other_in parent=asa_in priority=8 queue=synchronous-default
# p2p is the only class with a lower ceiling (2M on ISA).
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=375k max-limit=2M name=isa_p2p_in packet-mark=isa_p2p_in parent=isa_in priority=7 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=20k max-limit=6M name=asa_p2p_in packet-mark=asa_p2p_in parent=asa_in priority=2 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=dmz_out parent=main_out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=isa_other_out packet-mark=isa_other_out parent=isa_out priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=kwf_other_out packet-mark=kwf_other_out parent=kwf_out priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=asa_other_out packet-mark=asa_other_out parent=asa_out priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=6M name=dmz_other_out packet-mark=dmz_other_out parent=dmz_out priority=8 queue=synchronous-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=375k max-limit=6M name=isa_remote_in packet-mark=isa_remote_in parent=isa_in priority=4 queue=synchronous-default
Clock
# Time sync: correct time matters for log correlation and for every timeout
# and scheduler on this page. Plain (unauthenticated) unicast NTP to two
# addresses; the firewall's NTP_servers list only contains the primary, so the
# secondary's replies rely on the established/related rules instead.
/system clock set time-zone-name=Europe/Prague
/system ntp client
set enabled=yes mode=unicast primary-ntp=195.113.144.201 secondary-ntp=195.113.144.238
Web proxy
/ip proxy
# Forward HTTP proxy, enabled, listening on 8080 and 3128, memory cache only
# (3500KiB), no parent proxy.
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=yes max-cache-size=3500KiB \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080,3128 \
serialize-connections=no src-address=0.0.0.0
# Access list: a single allow for the LAN and no final deny. NOTE(review):
# whether requests from other sources are refused depends on the proxy's
# behaviour for unmatched requests and on the input firewall, neither of which
# is established here (the filter section on this page accepts nothing for
# 8080/3128, but its final drop rule is exported disabled). Verify the proxy is
# not reachable from ether1, or add an explicit `add action=deny` as the last
# rule — an open proxy is a frequent abuse target.
/ip proxy access
add action=allow comment="" disabled=no src-address=10.26.71.0/24
skripty
vyrobí soubor zálohy ve formátu rsc - backup.rsc
# Writes the running configuration as a script to backup.rsc on the router's
# storage. Treat the file as confidential: depending on the RouterOS version an
# export may include credentials and keys, and the firewall rules above reveal
# the admin sources.
/export file=backup
dynamická změna IP ve skupině
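/system scheduler
# Every 2h, resolves two admin hostnames and adds the results to the firewall
# allow-list for 7d, so admins on dynamic addresses keep management access.
# The list is named AdminIP to match the filter rules on this page (the
# exported script wrote to Admin_IP, which no rule references, so the entries
# never took effect). The policy is trimmed to what an address-list add needs;
# ftp, reboot, policy, password and sensitive were granted for no reason and
# would let anyone who can edit this script do far more than add an address.
# Caveats: the entries come from unauthenticated DNS answers, so whoever
# controls (or spoofs) those names gets full router access; if a name does not
# resolve the script aborts at that line; and when the DNS record changes, the
# old address presumably stays listed until its 7d timeout — confirm.
add interval=2h name=dynamic_ACL_Admin on-event="/ip firewall address-list add\
\_address=[:resolve cl.talman.cz] list=AdminIP timeout=\"7d 00:00:00\"\r\
\n/ip firewall address-list add address=[:resolve mail.nevole.com] list=Ad\
minIP timeout=\"7d 00:00:00\"" policy=read,write,test start-date=\
sep/08/2015 start-time=00:00:00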
pokud není ping, provede se reset konfigurace a po spuštění se naleje backup.rsc
# Watchdog: five pings to 86.63.200.74, and if none comes back the router wipes
# its configuration (users kept, no default config, then backup.rsc is run).
# This is destructive: any upstream outage or ICMP filtering at that host
# triggers it, and if backup.rsc is missing or stale the device comes back with
# no configuration at all. How often this runs depends on a scheduler not
# shown here; consider requiring several consecutive failures before resetting.
:if ([/ping 86.63.200.74 count=5] = 0) do={ /system reset-configuration keep-users=yes no-defaults=yes run-after-reset=backup.rsc }
poslání zálohy na mail
# Mails a binary backup and a script export to emailTo, then deletes both
# files. The three addresses are template values to fill in.
:local emailFrom "<asd@asda.cz>"
:local emailTo "<asd@asdasd>"
:local smtp "mailserver"
# set mailserver
# side effect: this permanently changes the router's global e-mail settings
/tool e-mail set address=$smtp
# start backup
# NOTE(review): the backup password is the router's identity, which is also
# placed in the mail subject below, so anyone holding the mail can open the
# backup. Use a real secret here. Whether the mail leaves the router encrypted
# depends on the /tool e-mail TLS settings, which are not shown.
/system backup save name=backup.backup password=[/system identity get name]
/export file=backup
:delay 10s
/tool e-mail send to=$emailTo subject=("Mikrotik: " . [/system identity get name] ) file=backup.backup from=$emailFrom
/tool e-mail send to=$emailTo subject=("Mikrotik: " . [/system identity get name] ) file=backup.rsc from=$emailFrom
# fixed wait before cleanup: assumes both sends have finished within 10s;
# there is no check of the send result before the files are removed
:delay 10s
/file remove backup.backup
/file remove backup.rsc
pošle IP adresu na mail
# Mails "<identity> - restarted" with the address of the 5th entry in
# /ip address (number=4 is a position, not an id, so the reported address
# changes whenever entries are added or reordered — match on interface instead).
# The SMTP server 212.158.133.141 is the ISA host from the shaping section.
/tool e-mail send to="mtalman@datron.cz" subject=("Mikrotik: " . [/system identity get name] . " - restarted") server=212.158.133.141 from=<mikrotik@gym-cl.cz> body=([/ip address get number=4 value-name=address])
Facebook IP
/ip firewall address-list
# Static snapshot of Facebook prefixes for use in firewall/mangle rules. It
# has no date and no source; address ranges change, so refresh it from a
# current source rather than relying on this copy. Many entries are contained
# in others (31.13.64.0/18 already covers 31.13.64.0/19, 31.13.96.0/19 and all
# the 31.13.64-95 /24s; likewise 66.220.144.0/20, 69.63.176.0/20,
# 69.171.224.0/19 and 179.60.192.0/22 contain the more specific entries under
# them) — harmless, but the list could be a third of its size.
# NOTE(review): the first entry sits in the same /16 as the MTa admin address
# in the AdminIP list (92.240.178.97); confirm it belongs in a Facebook list.
add address=92.240.179.149 list=Facebook
add address=31.13.24.0/21 list=Facebook
add address=31.13.64.0/18 list=Facebook
add address=31.13.64.0/19 list=Facebook
add address=31.13.64.0/24 list=Facebook
add address=31.13.65.0/24 list=Facebook
add address=31.13.66.0/24 list=Facebook
add address=31.13.70.0/24 list=Facebook
add address=31.13.71.0/24 list=Facebook
add address=31.13.72.0/24 list=Facebook
add address=31.13.73.0/24 list=Facebook
add address=31.13.74.0/24 list=Facebook
add address=31.13.75.0/24 list=Facebook
add address=31.13.76.0/24 list=Facebook
add address=31.13.77.0/24 list=Facebook
add address=31.13.79.0/24 list=Facebook
add address=31.13.82.0/24 list=Facebook
add address=31.13.83.0/24 list=Facebook
add address=31.13.84.0/24 list=Facebook
add address=31.13.85.0/24 list=Facebook
add address=31.13.86.0/24 list=Facebook
add address=31.13.90.0/24 list=Facebook
add address=31.13.91.0/24 list=Facebook
add address=31.13.93.0/24 list=Facebook
add address=31.13.95.0/24 list=Facebook
add address=31.13.96.0/19 list=Facebook
add address=66.220.144.0/20 list=Facebook
add address=66.220.144.0/21 list=Facebook
add address=66.220.152.0/21 list=Facebook
add address=69.63.176.0/20 list=Facebook
add address=69.63.176.0/21 list=Facebook
add address=69.63.184.0/21 list=Facebook
add address=69.171.224.0/19 list=Facebook
add address=69.171.224.0/20 list=Facebook
add address=69.171.239.0/24 list=Facebook
add address=69.171.240.0/20 list=Facebook
add address=69.171.255.0/24 list=Facebook
add address=74.119.76.0/22 list=Facebook
add address=103.4.96.0/22 list=Facebook
add address=173.252.64.0/19 list=Facebook
add address=173.252.96.0/19 list=Facebook
add address=179.60.192.0/22 list=Facebook
add address=179.60.192.0/24 list=Facebook
add address=179.60.193.0/24 list=Facebook
add address=204.15.20.0/22 list=Facebook
export konfigurace na mail
# v6 and higher
# Mails a compact export of the configuration. The addresses and SMTP server
# are template values; the export contains the full config (and, depending on
# the RouterOS version, secrets), and export.rsc is left on the router
# afterwards — remove it once sent, as the backup script above does.
:local emailTo "mail@from.cz";
:local emailFrom "rb493g@domain.com";
:local smtp "85.207.44.1";
/export compact file=export
/tool e-mail send to="$emailTo" subject=("Mikrotik: " . [/system identity get name] ) file=export.rsc server=$smtp from=$emailFrom
resolve Eset
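# Fills address list "Eset" with the current addresses of ESET update and
# licensing hosts, one entry per name, each expiring after 1d — so a scheduler
# (not shown on this page) must re-run this at least daily. The list is built
# from plain DNS answers: any rule that trusts it trusts the resolver path.
# :resolve returns a single address, so hosts with several A records presumably
# get only one of them listed — confirm this is acceptable for the rule using it.
:local listname Eset
:local list {
"um01.eset.com";"um02.eset.com";"um03.eset.com";"um04.eset.com";"um05.eset.com";"um06.eset.com";"um07.eset.com";"um08.eset.com";"um09.eset.com";
"um10.eset.com";"um11.eset.com";"um13.eset.com";"um21.eset.com";"um23.eset.com";"um01.ru.eset.com";"um01.cn.eset.com";"um10.za.eset.com";
"register.eset.com";"h1-weblb01-v.eset.com";"h3-weblb01-v.eset.com";"edf.eset.com";"edfpcs.trafficmanager.net";"edf-pcs.cloudapp.net";"edf-pcs2.cloudapp.net"
};
:foreach name in=$list do={
# on-error covers both a failed lookup and an add rejected because the entry
# is already present; the log line names the host so either case is visible
:do {
/ip firewall address-list add address=[:resolve $name] list="$listname" comment="$name" timeout="1d 00:00:00"
} on-error={ :log info "Eset list: resolve failed or entry already present - $name"};
};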
access list by IP Country
/system scheduler
# Daily (and at boot) downloads a ready-made address-list script for Czech
# prefixes and imports it. NOTE(review): the file is fetched over plain HTTP
# and executed with read,write,test policy without any check, so whoever can
# alter the download in transit or at the source can run arbitrary
# configuration commands on the router. Fetch over HTTPS with certificate
# checking if the source and your RouterOS version support it, and keep the
# policy minimal; treat this as an untrusted script supply chain.
add interval=1d name="address lists CZ" on-event="/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CZ\r\
\n/import file-name=CZ" policy=read,write,test start-time=startup