Toto je starší verze dokumentu!
Routerboard
odkazy
Nastavení
defaultní skript (výchozí konfigurace RouterOS, která se nahraje po resetu)
#| IP address 192.168.88.1/24 is on ether1
#| ether1 is enabled
# Stock RouterOS default-configuration script: "apply" runs after a fresh
# install or a configuration reset, "revert" when the user removes the default
# configuration again. NOTE: the firewall further down this page treats ether1
# as the Internet side (srcnat out-interface=ether1) and puts the LAN router
# address 192.168.0.1 on ether2, so the 192.168.88.1/24 address this script
# places on ether1 is not part of the final configuration.
:global action
:if ($action = "apply") do={
    # give the interfaces a moment to come up before the address is added
    :delay 5s
    /ip address add address=192.168.88.1/24 interface=ether1 comment="default configuration"
}
:if ($action = "revert") do={
    # remove only the entry this script created - matched on all three fields
    :local defaultAddr [/ip address find address="192.168.88.1/24" interface="ether1" comment="default configuration"]
    :if ([:len $defaultAddr] != 0) do={ /ip address remove $defaultAddr }
}
Firewall
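/ip firewall address-list
# AdminIP: hosts allowed to reach the router (and the RDP forward) from the
# WAN side. Every rule on this page matches src-address-list=AdminIP, so any
# script that feeds this list dynamically must use exactly this name - a
# differently spelled list is silently a different list.
add list=AdminIP address=46.13.7.64/27 comment=Datron
add list=AdminIP address=92.240.178.97 comment=MTa
# NTP_servers: the only sources the ".....INPUT - ntp" rule accepts port-123
# traffic from. /system ntp client on this page uses two servers; the original
# list only carried the primary, so the secondary was not covered by that rule.
add list=NTP_servers address=195.113.144.201 comment="ntp.cesnet.cz"
add list=NTP_servers address=195.113.144.238 comment="secondary-ntp from /system ntp client"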
# Source NAT: everything leaving through ether1 (WAN) is rewritten to the
# interface address. Which traffic gets this far is decided in the forward
# chain (ether2 -> ether1 plus the listed port forwards only).
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment=""
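/ip firewall filter
# ---------------------------------------------------------------------------
# Layout on this page: ether1 = Internet (WAN), ether2 = LAN with the router at
# 192.168.0.1. Every chain ends in a jump to LOGDROP.
# Review changes against the original listing:
#  * the drop rule in LOGDROP was disabled=yes. After the log rule the packet
#    returned to input/forward/output, which have no further rule, so the
#    built-in default (accept) applied - the whole policy was log-only.
#  * tcp 22,8291 (SSH, Winbox) were accepted from ether1 with no source
#    restriction, i.e. management was open to the entire Internet. Admin hosts
#    already get in through the AdminIP rule (that list is what the
#    dynamic_ACL_Admin scheduler exists for), so the open rule is gone.
#  * "accept udp src-port=53,123 from ether1" was removed: a source-port match
#    is not a reply check - any host can send from port 53/123 and reach every
#    UDP service on the router. Replies to the router's own DNS/NTP queries are
#    already accepted by the established/related rules (connection tracking
#    is active, srcnat masquerade depends on it).
#  * LOGDROP logs with a prefix so the entries can be filtered in /log.
#  * IN_FW additionally drops loopback sources and invalid-state packets from
#    the WAN side.
# Apply from Safe Mode with the AdminIP list already populated and a LAN
# session open; with the drop enabled, a mistake here locks you out.
# ---------------------------------------------------------------------------
add action=jump chain=input comment="INPUT jump IN_FW ------------------------\
--------------------------------------------------------------------------\
--------------------------------------------------------------------------\
" disabled=no in-interface=ether1 jump-target=IN_FW
add action=accept chain=input comment=".....INPUT - established a related" \
connection-state=established disabled=no in-interface=ether1
add action=accept chain=input comment="" connection-state=related disabled=no \
in-interface=ether1
add action=accept chain=input comment=".....INPUT - ntp" disabled=no \
dst-port=123 protocol=udp src-address-list=NTP_servers
add action=accept chain=input comment="" disabled=no dst-port=123 \
in-interface=!ether1 protocol=udp
# ICMP from the WAN side (unrestricted; consider a limit= matcher if the log
# shows floods). The former "udp src-port=53,123" rule that shared this label
# is intentionally absent - see header.
add action=accept chain=input comment=".....INPUT - sluzby na RB (ICMP)" \
disabled=no in-interface=ether1 protocol=icmp
# Management from the Internet: only hosts on the AdminIP list, any service.
add action=accept chain=input comment=".....INPUT - spojeni z internetu" \
disabled=no in-interface=ether1 src-address-list=AdminIP
add action=accept chain=input comment=\
".....INPUT - pakety z lokalni site na RB" disabled=no dst-address=\
192.168.0.1 in-interface=ether2
add action=accept chain=input comment=".....INPUT - dhcp pakety" disabled=yes \
dst-port=67 in-interface=!ether1 protocol=udp
add action=accept chain=input comment=\
".....INPUT - broadcasty jsou take nase" disabled=no dst-address=\
86.63.213.51 in-interface=ether1
add action=accept chain=input comment="" disabled=no dst-address=\
192.168.0.255 in-interface=ether2
add action=jump chain=input comment=".....INPUT - vse ostatni zakazat" \
disabled=no jump-target=LOGDROP
add action=jump chain=forward comment="FORWARD jump IN_FW --------------------\
--------------------------------------------------------------------------\
--------------------------------------------------------------------------\
----" disabled=no in-interface=ether1 jump-target=IN_FW
add action=accept chain=forward comment=\
".....FORWARD - established a related" connection-state=established \
disabled=no in-interface=ether1
add action=accept chain=forward comment="" connection-state=related disabled=\
no in-interface=ether1
# Port forward (dst-nat rule not on this page): RDP to the W2003_Exchange
# hosts, admin sources only.
add action=accept chain=forward comment=".....FORWARD - presmerovane porty" \
disabled=no dst-address-list=W2003_Exchange dst-port=3389 in-interface=\
ether1 out-interface=ether2 protocol=tcp src-address-list=AdminIP
add action=accept chain=forward comment=".....FORWARD - NAT pro LAN povolit" \
disabled=no in-interface=ether2 out-interface=ether1
add action=jump chain=forward comment=\
".....FORWARD - v\9Ae ostatn\ED zak\E1zat" disabled=no jump-target=\
LOGDROP
# Router-originated traffic: only from the WAN address and the LAN address.
add action=accept chain=output comment="OUTPUT -------------------------------\
--------------------------------------------------------------------------\
-------------------------------------------------------------------" \
disabled=no src-address=86.63.213.49
add action=accept chain=output comment="" disabled=no src-address=192.168.0.1
add action=accept chain=output comment=\
".....OUTPUT - dhcp broadcasty na lan (zatim neni treba)" disabled=yes \
dst-port=68 out-interface=!ether1 protocol=udp src-port=67
add action=jump chain=output comment=".....OUTPUT - vse ostatni zakazat" \
disabled=no jump-target=LOGDROP
# IN_FW: anti-spoofing for packets arriving on ether1 - private and loopback
# source addresses do not belong on the Internet side.
add action=drop chain=IN_FW comment="IN_FW -----------------------------------\
--------------------------------------------------------------------------\
---------------------------------------------------------------" \
disabled=no src-address=192.168.0.0/16
add action=drop chain=IN_FW comment="" disabled=no src-address=10.0.0.0/8
add action=drop chain=IN_FW comment="" disabled=no src-address=172.16.0.0/12
add action=drop chain=IN_FW comment="IN_FW - loopback source on WAN" \
disabled=no src-address=127.0.0.0/8
add action=drop chain=IN_FW comment="IN_FW - invalid connection state" \
disabled=no connection-state=invalid
# LOGDROP: log, then drop. The drop must stay enabled - see header.
add action=log chain=LOGDROP comment="LOGDROP --------------------------------\
--------------------------------------------------------------------------\
------------------------------------------------------------------" \
disabled=no log-prefix="LOGDROP"
add action=drop chain=LOGDROP comment="" disabled=no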
Shaping
# Server groups used by the shaping rules (mangle dst/src-address-list matches).
/ip firewall address-list
add list=ISA address=212.158.133.141 comment=""
add list=ASA address=212.158.133.135 comment=""
add list=DMZ address=212.158.133.128/27 comment=""
add list=KWF address=212.158.133.139 comment=""
/ip firewall mangle
# Shaping classification. Connections are first tagged by kind (remote access,
# WWW/FTP, P2P, everything else); packets are then marked per destination
# server group (ISA/ASA/KWF/DMZ lists) on ether2, and outbound per source
# group on ether3, for the queue tree below.
# NOTE(review): none of the mark-connection rules carries
# connection-mark=no-mark, so the catch-all other_conn rule re-marks every
# connection that reaches it; the mark-packet rules (passthrough=no) stop
# evaluation first for packets that match a group, so this only shows for
# traffic outside those groups. Confirm that is the intended behaviour.
add chain=prerouting action=log log-prefix=traffic: p2p=all-p2p disabled=yes comment="logov\E1n\ED provozu"
# remote access: tcp 22/1194/3389/1723, udp 1194/49411, GRE, IPsec
add chain=prerouting action=mark-connection new-connection-mark=remote_conn passthrough=yes protocol=tcp port=22,1194,3389,1723 comment="IN - remote"
add chain=prerouting action=mark-connection new-connection-mark=remote_conn passthrough=yes protocol=udp port=1194,49411
add chain=prerouting action=mark-connection new-connection-mark=remote_conn passthrough=yes protocol=gre
add chain=prerouting action=mark-connection new-connection-mark=remote_conn passthrough=yes protocol=ipsec-esp
add chain=prerouting action=mark-connection new-connection-mark=remote_conn passthrough=yes protocol=ipsec-ah
add chain=prerouting action=mark-packet connection-mark=remote_conn in-bridge-port=ether2 dst-address-list=ISA new-packet-mark=isa_remote_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=remote_conn in-bridge-port=ether2 dst-address-list=ASA new-packet-mark=asa_remote_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=remote_conn in-bridge-port=ether2 dst-address-list=KWF new-packet-mark=kwf_remote_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=remote_conn in-bridge-port=ether2 dst-address-list=DMZ new-packet-mark=dmz_remote_in passthrough=no
# web (80/443) and FTP (layer-7 matcher)
add chain=prerouting action=mark-connection new-connection-mark=www_conn passthrough=yes protocol=tcp port=80,443 comment="IN - WWW+FTP"
add chain=prerouting action=mark-connection new-connection-mark=www_conn passthrough=yes layer7-protocol=ftp
add chain=prerouting action=mark-packet connection-mark=www_conn in-bridge-port=ether2 dst-address-list=ISA new-packet-mark=isa_www_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=www_conn in-bridge-port=ether2 dst-address-list=ASA new-packet-mark=asa_www_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=www_conn in-bridge-port=ether2 dst-address-list=KWF new-packet-mark=kwf_www_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=www_conn in-bridge-port=ether2 dst-address-list=DMZ new-packet-mark=dmz_www_in passthrough=no
# peer-to-peer
add chain=prerouting action=mark-connection new-connection-mark=p2p_conn passthrough=yes p2p=all-p2p comment="IN - P2P"
add chain=prerouting action=mark-packet connection-mark=p2p_conn in-bridge-port=ether2 dst-address-list=ISA new-packet-mark=isa_p2p_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=p2p_conn in-bridge-port=ether2 dst-address-list=ASA new-packet-mark=asa_p2p_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=p2p_conn in-bridge-port=ether2 dst-address-list=KWF new-packet-mark=kwf_p2p_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=p2p_conn in-bridge-port=ether2 dst-address-list=DMZ new-packet-mark=dmz_p2p_in passthrough=no
# everything else
add chain=prerouting action=mark-connection new-connection-mark=other_conn passthrough=yes comment="IN - ostatni provoz"
add chain=prerouting action=mark-packet connection-mark=other_conn in-bridge-port=ether2 dst-address-list=ISA new-packet-mark=isa_other_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=other_conn in-bridge-port=ether2 dst-address-list=ASA new-packet-mark=asa_other_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=other_conn in-bridge-port=ether2 dst-address-list=KWF new-packet-mark=kwf_other_in passthrough=no
add chain=prerouting action=mark-packet connection-mark=other_conn in-bridge-port=ether2 dst-address-list=DMZ new-packet-mark=dmz_other_in passthrough=no
# outbound from ether3, keyed on the source server group
add chain=prerouting action=mark-packet connection-mark=other_conn in-bridge-port=ether3 src-address-list=ISA new-packet-mark=isa_other_out passthrough=no comment="OUT - ostatni provoz"
add chain=prerouting action=mark-packet connection-mark=other_conn in-bridge-port=ether3 src-address-list=ASA new-packet-mark=asa_other_out passthrough=no
add chain=prerouting action=mark-packet connection-mark=other_conn in-bridge-port=ether3 src-address-list=KWF new-packet-mark=kwf_other_out passthrough=no
add chain=prerouting action=mark-packet connection-mark=other_conn in-bridge-port=ether3 src-address-list=DMZ new-packet-mark=dmz_other_out passthrough=no
/queue tree
# Download (main_in) and upload (main_out) trees, both attached to global-in
# with a 6M ceiling each; burst parameters are left at their defaults (0).
# Only the packet marks that have a leaf below are shaped. Marks the mangle
# rules create without a leaf here - all kwf_*_in, all dmz_*_in and
# asa_remote_in - are not queued at all.
add name=main_in parent=global-in priority=1 limit-at=0 max-limit=6M
add name=isa_in parent=main_in priority=1 limit-at=1500k max-limit=6M
add name=kwf_in parent=main_in priority=2 limit-at=1500k max-limit=6M queue=synchronous-default
add name=asa_in parent=main_in priority=3 limit-at=1500k max-limit=6M
add name=dmz_in parent=main_in priority=8 limit-at=1500k max-limit=6M queue=synchronous-default
add name=main_out parent=global-in priority=2 limit-at=0 max-limit=6M
add name=isa_out parent=main_out priority=1 limit-at=0 max-limit=6M
add name=kwf_out parent=main_out priority=2 limit-at=0 max-limit=6M
add name=asa_out parent=main_out priority=8 limit-at=0 max-limit=6M
add name=dmz_out parent=main_out priority=8 limit-at=0 max-limit=6M
# ISA leaves
add name=isa_remote_in parent=isa_in packet-mark=isa_remote_in priority=4 limit-at=375k max-limit=6M queue=synchronous-default
add name=isa_www_in parent=isa_in packet-mark=isa_www_in priority=5 limit-at=375k max-limit=5M queue=synchronous-default
add name=isa_p2p_in parent=isa_in packet-mark=isa_p2p_in priority=7 limit-at=375k max-limit=2M queue=synchronous-default
add name=isa_ostatni_in parent=isa_in packet-mark=isa_other_in priority=8 limit-at=375k max-limit=5M queue=synchronous-default
add name=isa_other_out parent=isa_out packet-mark=isa_other_out priority=8 limit-at=0 max-limit=6M queue=synchronous-default
# ASA leaves
add name=asa_www_in parent=asa_in packet-mark=asa_www_in priority=1 limit-at=500k max-limit=6M queue=synchronous-default
add name=asa_p2p_in parent=asa_in packet-mark=asa_p2p_in priority=2 limit-at=20k max-limit=6M queue=synchronous-default
add name=asa_ostatni_in parent=asa_in packet-mark=asa_other_in priority=8 limit-at=500k max-limit=6M queue=synchronous-default
add name=asa_other_out parent=asa_out packet-mark=asa_other_out priority=8 limit-at=0 max-limit=6M queue=synchronous-default
# KWF / DMZ leaves (upload only)
add name=kwf_other_out parent=kwf_out packet-mark=kwf_other_out priority=8 limit-at=0 max-limit=6M queue=synchronous-default
add name=dmz_other_out parent=dmz_out packet-mark=dmz_other_out priority=8 limit-at=0 max-limit=6M queue=synchronous-default
Clock
# Time zone and NTP client (unicast, two servers). NTP here is plain,
# unauthenticated UDP; the ".....INPUT - ntp" firewall rule accepts port-123
# packets only from the NTP_servers address list, so keep that list in step
# with the two addresses below.
/system clock set time-zone-name=Europe/Prague
/system ntp client set enabled=yes mode=unicast primary-ntp=195.113.144.201 secondary-ntp=195.113.144.238
Web proxy
- proxy poslouchá na portech 8080 a 3128 na všech adresách routeru (src-address=0.0.0.0, bez omezení na rozhraní), proto je nutné ve firewallu na WAN (ether1) vstup na tyto porty zakázat – jinak vznikne otevřená proxy dostupná z internetu!
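/ip proxy
# Web cache on 8080 and 3128. It binds to every local address
# (src-address=0.0.0.0, no interface restriction), so the input chain on
# ether1 must not let these ports through - otherwise this is an open proxy
# reachable from the Internet.
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=yes max-cache-size=3500KiB \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080,3128 \
serialize-connections=no src-address=0.0.0.0
/ip proxy access
# Only this subnet may use the cache. NOTE(review): it is not the
# 192.168.0.0/24 LAN used elsewhere on this page - confirm it is the intended
# client range.
add action=allow comment="" disabled=no src-address=10.26.71.0/24
# Explicit catch-all deny (added): clients outside the allowed subnet are
# refused regardless of how the proxy treats a request no rule matches.
add action=deny comment="deny everything not allowed above" disabled=no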
skripty
- vyrobí soubor zálohy ve formátu rsc (backup.rsc); jde o čitelný export konfigurace, který podle verze RouterOS obsahuje i citlivé údaje – po použití jej z routeru smažte
# Writes the running configuration as a script to backup.rsc in /file. The
# .rsc is plaintext and - depending on the RouterOS version - includes
# sensitive fields, so treat the file like a credential and delete it once it
# has been copied off the router.
/export file=backup
- dynamická změna IP ve skupině
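# Scheduler: every 2 hours, resolve two admin hostnames and put their current
# addresses on the admin allow-list with a 7-day timeout.
# Changes vs. the original entry:
#  - list name: the firewall rules on this page match src-address-list=AdminIP;
#    the original wrote to "Admin_IP", a different list, so these entries never
#    matched any rule.
#  - re-adding an address that is already on the list fails ("already have
#    such entry") and aborts the script, so the second host was only added in
#    the runs where the first host's 7-day timer had already expired. Each
#    entry is now located by its comment, removed and re-added.
#  - both :resolve calls run first: if DNS is unavailable the script aborts
#    before touching the list, so the previous entries stay in place.
#  - policy trimmed to read,write (the original granted ftp, reboot, policy,
#    test, password and sensitive, none of which this script uses).
# Caveat: this ACL is only as trustworthy as the DNS answers for the two
# names; a spoofed answer grants full router access for up to 7 days.
/system scheduler add name=dynamic_ACL_Admin interval=2h start-date=sep/08/2015 start-time=00:00:00 policy=read,write on-event=":local ip1 [:resolve cl.talman.cz]; :local ip2 [:resolve mail.nevole.com]; /ip firewall address-list remove [find list=AdminIP comment=cl.talman.cz]; /ip firewall address-list add address=\$ip1 list=AdminIP comment=cl.talman.cz timeout=7d; /ip firewall address-list remove [find list=AdminIP comment=mail.nevole.com]; /ip firewall address-list add address=\$ip2 list=AdminIP comment=mail.nevole.com timeout=7d"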
- pokud neprojde ani jeden z 5 pingů na 86.63.200.74, provede se reset konfigurace a po startu se nahraje backup.rsc. Pozor: v původní podobě stačí jediný krátký výpadek cílové adresy a celá konfigurace se smaže; backup.rsc musí na routeru existovat a být aktuální, jinak router naběhne s výchozí konfigurací bez firewallu.
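# Self-heal: if 86.63.200.74 stays unreachable, reset the configuration and
# reload backup.rsc on boot. The original fired on a single failed probe
# (5 lost pings), so one short outage of that host wiped the router; the
# global counter below requires three consecutive failed runs first, and a
# successful probe resets it. The scheduler that runs this is not shown on
# this page, so "three runs" is three times its interval.
# NOTE(review): backup.rsc must exist and be current - if run-after-reset
# cannot load it, the router comes up with the factory configuration, which
# has no firewall.
:global wanPingFailures
:if ([:typeof $wanPingFailures] = "nothing") do={ :set wanPingFailures 0 }
:if ([/ping 86.63.200.74 count=5] = 0) do={
    :set wanPingFailures ($wanPingFailures + 1)
    :log warning ("ping 86.63.200.74 failed, consecutive failures: " . $wanPingFailures)
} else={
    :set wanPingFailures 0
}
:if ($wanPingFailures >= 3) do={
    :log error "resetting configuration and reloading backup.rsc"
    :set wanPingFailures 0
    /system reset-configuration keep-users=yes run-after-reset=backup.rsc
}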
- poslání zálohy na mail
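# Scheduler: weekly e-mail of the router configuration (binary backup plus
# .rsc export) to the admin mailbox, then removal of both files from /file.
# Changes vs. the original entry:
#  - the binary backup is no longer saved with dont-encrypt=yes. It holds every
#    user password and key and travels over plain SMTP to 172.16.10.49 (no
#    transport protection is configured here). Set backupPass to a real
#    secret and keep it outside the router; the mailed file is useless without
#    it. password= needs a RouterOS release with encrypted backups (the
#    original's dont-encrypt=yes implies one).
#  - policy trimmed: ftp, reboot, password and sniff were granted but are not
#    used by this script.
#  - the .rsc export is still plaintext and, depending on the RouterOS
#    version, includes sensitive fields; treat the receiving mailbox as
#    sensitive.
# The original page repeated the script body unescaped after the scheduler
# entry; it is given once here, inside on-event.
/system scheduler add name=send_config interval=1w start-date=aug/22/2011 start-time=00:01:00 policy=read,write,test,sensitive on-event=":local emailTo \"mtalman@datron.cz\"; :local emailFrom \"<gym@gym-cl.cz>\"; :local smtp \"172.16.10.49\"; :local backupPass \"CHANGE-ME\"; /system backup save name=backup.backup password=\$backupPass; /export file=backup; :delay 10s; /tool e-mail send to=\$emailTo subject=(\"Mikrotik: \" . [/system identity get name]) file=backup.backup server=\$smtp from=\$emailFrom; /tool e-mail send to=\$emailTo subject=(\"Mikrotik: \" . [/system identity get name]) file=backup.rsc server=\$smtp from=\$emailFrom; :delay 10s; /file remove backup.backup; /file remove backup.rsc"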
- pošle IP adresu na mail
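# Mail the router's address after a restart (the trigger is not shown here).
# The original picked the address by position (number=4), which silently
# reports a different address whenever /ip address entries are added or
# removed; the address is now selected by interface. ether1 is the
# masqueraded Internet-facing interface on this page - confirm that is the
# address you want reported. If ether1 has no address the :pick yields
# nothing and the script errors out instead of mailing a wrong entry.
# NOTE: this relay (212.158.133.141) differs from the one used by send_config
# (172.16.10.49); both paths are plain SMTP.
:local wanAddr [/ip address get [:pick [find interface=ether1] 0] address]
/tool e-mail send to="mtalman@datron.cz" subject=("Mikrotik: " . [/system identity get name] . " - restarted") server=212.158.133.141 from=<mikrotik@gym-cl.cz> body=$wanAddr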
- Facebook IP
/ip firewall address-list
# Static "Facebook" list. No rule on this page references it. The prefixes
# overlap heavily (e.g. 31.13.64.0/18 already covers the /19 and the /24s
# below it), which is harmless for matching but means the list is hand-kept
# and will drift from the real allocations. NOTE(review): the first entry is a
# single host outside every other range here - confirm it belongs.
add list=Facebook address=92.240.179.149
add list=Facebook address=31.13.24.0/21
add list=Facebook address=31.13.64.0/18
add list=Facebook address=31.13.64.0/19
add list=Facebook address=31.13.64.0/24
add list=Facebook address=31.13.65.0/24
add list=Facebook address=31.13.66.0/24
add list=Facebook address=31.13.70.0/24
add list=Facebook address=31.13.71.0/24
add list=Facebook address=31.13.72.0/24
add list=Facebook address=31.13.73.0/24
add list=Facebook address=31.13.74.0/24
add list=Facebook address=31.13.75.0/24
add list=Facebook address=31.13.76.0/24
add list=Facebook address=31.13.77.0/24
add list=Facebook address=31.13.79.0/24
add list=Facebook address=31.13.82.0/24
add list=Facebook address=31.13.83.0/24
add list=Facebook address=31.13.84.0/24
add list=Facebook address=31.13.85.0/24
add list=Facebook address=31.13.86.0/24
add list=Facebook address=31.13.90.0/24
add list=Facebook address=31.13.91.0/24
add list=Facebook address=31.13.93.0/24
add list=Facebook address=31.13.95.0/24
add list=Facebook address=31.13.96.0/19
add list=Facebook address=66.220.144.0/20
add list=Facebook address=66.220.144.0/21
add list=Facebook address=66.220.152.0/21
add list=Facebook address=69.63.176.0/20
add list=Facebook address=69.63.176.0/21
add list=Facebook address=69.63.184.0/21
add list=Facebook address=69.171.224.0/19
add list=Facebook address=69.171.224.0/20
add list=Facebook address=69.171.239.0/24
add list=Facebook address=69.171.240.0/20
add list=Facebook address=69.171.255.0/24
add list=Facebook address=74.119.76.0/22
add list=Facebook address=103.4.96.0/22
add list=Facebook address=173.252.64.0/19
add list=Facebook address=173.252.96.0/19
add list=Facebook address=179.60.192.0/22
add list=Facebook address=179.60.192.0/24
add list=Facebook address=179.60.193.0/24
add list=Facebook address=204.15.20.0/22
export konfigurace na mail
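# v6 and higher (/export compact)
# Mail the current configuration as export.rsc. The file is plaintext
# configuration and, depending on the RouterOS version, includes sensitive
# fields; /tool e-mail delivers it over plain SMTP to the relay below. The
# addresses are placeholders to replace before use.
# Added vs. the original: the export file is deleted after sending, as the
# send_config script on this page already does - otherwise a copy of the
# configuration stays on the router's storage indefinitely.
:local emailTo "mail@from.cz"
:local emailFrom "rb493g@domain.com"
:local smtp "85.207.44.1"
/export compact file=export
# give the export time to land on disk before it is attached
:delay 10s
/tool e-mail send to="$emailTo" subject=("Mikrotik: " . [/system identity get name]) file=export.rsc server=$smtp from=$emailFrom
:delay 10s
/file remove export.rsc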
