Статья будет дополняться.
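# RouterOS configuration: ether1 is the WAN uplink (DHCP client), ether2-5 and
# wlan1/wlan2 are bridged into one LAN (192.168.0.0/24) with DHCP, NAT towards
# WAN, and a firewall that exposes only ICMP and rate-limited Winbox/SSH.
/interface bridge
# 0x1000 is below the default bridge priority, so this bridge wins STP root
# election against other bridges that may appear on the LAN.
add name=bridge1 priority=0x1000
/interface ethernet
# loop-protect shuts a port whose own frames come back on it (cable loops).
set [ find default-name=ether1 ] loop-protect=on
set [ find default-name=ether2 ] loop-protect=on
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
set [ find default-name=ether5 ] loop-protect=on
/interface list
add name=LAN
# exclude=LAN guarantees an interface that is a LAN member is never matched as WAN.
add exclude=LAN name=WAN
/ip pool
# 55 dynamic leases; .2-.199 are left free for static assignments.
add name=dhcp_pool0 ranges=192.168.0.200-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
# ether1 is deliberately not a bridge member: it is the WAN port.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
# Do not announce the router (MNDP/CDP/LLDP) on the WAN side.
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
/ip dhcp-client
# Distance 50 leaves room for a preferred static/VPN route with a lower distance.
# NOTE(review): use-peer-dns defaults to yes, so ISP-supplied resolvers are added
# next to the static ones in /ip dns; set use-peer-dns=no if that is not wanted.
add default-route-distance=50 dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dhcp-server network
# Clients resolve directly against public resolvers; the router is not used as a
# DNS forwarder for the LAN (see the "drop DNS from WAN" rules below).
add address=192.168.0.0/24 dns-server=77.88.8.8,1.1.1.1 gateway=192.168.0.1 \
    ntp-server=194.190.168.1
/ip dns
# Resolvers used by the router itself (address-list name lookups, NTP, etc.).
# Kept in sync with the dns-server handed out above: 77.88.8.8 is Yandex DNS.
set servers=77.88.8.8,8.8.8.8
/ip firewall address-list
# Remote-admin allow-list keyed by a DNS name: RouterOS resolves it periodically
# with the resolvers above. If resolution fails the list is empty and WAN admin
# access is dropped by the rules below; and because it is plain DNS, the trust
# anchor is only as strong as the resolver path. Prefer a static address or a VPN
# where possible.
add address=fanzavod-gw.itsp-vl.ru list=TrustedRemoteAdmin
/ip firewall filter
# Rules are evaluated top-down. add-src-to-address-list does NOT terminate
# evaluation, so the ban "ladders" below escalate with every new connection.
# The router must not answer DNS from the Internet (open-resolver abuse).
add action=drop chain=input comment="drop DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=udp
# Winbox from WAN only from the trusted list; the ladder below still applies to it.
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 \
    in-interface-list=WAN protocol=tcp src-address-list=!TrustedRemoteAdmin
# Winbox ladder: three new connections per minute per source are free
# (attempt1..3); the 4th puts the source into a 1m reject, the next into a 2m
# reject, the next into a 4w silent drop. It applies to LAN and trusted sources
# too, so a client that reconnects repeatedly can lock itself out for 4 weeks.
add action=add-src-to-address-list address-list=winbox_ban_during_4w \
    address-list-timeout=4w chain=input comment="limit connections to winbox" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    winbox_ban_during_2m
add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=\
    winbox_ban_during_4w
add action=add-src-to-address-list address-list=winbox_ban_during_2m \
    address-list-timeout=2m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_ban_during_1m
add action=reject chain=input dst-port=8291 protocol=tcp reject-with=\
    icmp-admin-prohibited src-address-list=winbox_ban_during_2m
add action=add-src-to-address-list address-list=winbox_ban_during_1m \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_connection_attempt3
add action=reject chain=input dst-port=8291 protocol=tcp reject-with=\
    icmp-admin-prohibited src-address-list=winbox_ban_during_1m
add action=add-src-to-address-list address-list=winbox_connection_attempt3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_connection_attempt2
add action=add-src-to-address-list address-list=winbox_connection_attempt2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_connection_attempt1
add action=add-src-to-address-list address-list=winbox_connection_attempt1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="allow winbox" dst-port=8291 protocol=\
    tcp
add action=accept chain=input comment="allow ping this router" protocol=icmp
# SSH (moved to 22001 in /ip service) from WAN only from the trusted list.
add action=drop chain=input comment="drop ssh from wan" dst-port=22001 \
    in-interface-list=WAN protocol=tcp src-address-list=!TrustedRemoteAdmin
# SSH ladder is stricter than the Winbox one: there is a single attempt list, so
# only ONE new SSH connection per minute per source is accepted; the second is
# rejected for 1m, then 2m, then dropped for 4w. Two quick sessions (e.g. scp
# followed by ssh) from the same host trigger it - intentional brute-force
# hardening, but worth knowing before relying on it for daily admin work.
add action=add-src-to-address-list address-list=ssh_ban_during_4w \
    address-list-timeout=4w chain=input comment="limit connections to ssh" \
    connection-state=new dst-port=22001 protocol=tcp src-address-list=\
    ssh_ban_during_2m
add action=drop chain=input dst-port=22001 protocol=tcp src-address-list=\
    ssh_ban_during_4w
add action=add-src-to-address-list address-list=ssh_ban_during_2m \
    address-list-timeout=2m chain=input connection-state=new dst-port=22001 \
    protocol=tcp src-address-list=ssh_ban_during_1m
add action=reject chain=input dst-port=22001 protocol=tcp reject-with=\
    icmp-admin-prohibited src-address-list=ssh_ban_during_2m
add action=add-src-to-address-list address-list=ssh_ban_during_1m \
    address-list-timeout=1m chain=input connection-state=new dst-port=22001 \
    protocol=tcp src-address-list=ssh_connection_attempt
add action=reject chain=input dst-port=22001 protocol=tcp reject-with=\
    icmp-admin-prohibited src-address-list=ssh_ban_during_1m
add action=add-src-to-address-list address-list=ssh_connection_attempt \
    address-list-timeout=1m chain=input connection-state=new dst-port=22001 \
    protocol=tcp
add action=accept chain=input comment="allow ssh" dst-port=22001 protocol=tcp
# Everything else new/invalid/untracked from WAN is dropped, in both the forward
# (LAN-bound) and input (router-bound) chains. !dstnat keeps port-forwards that
# are added in /ip firewall nat working. Established/related traffic and all
# LAN-originated traffic rely on the chain's default accept; if a final
# catch-all drop is ever added, an explicit
#   accept connection-state=established,related
# rule must go in front of it.
add action=drop chain=forward comment="default action - drop" \
    connection-nat-state=!dstnat connection-state=invalid,new,untracked \
    in-interface-list=WAN
add action=drop chain=input connection-state=invalid,new,untracked \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
# Plaintext/legacy management services off; SSH moved to 22001 to match the
# firewall rules above. Winbox stays on 8291 and is restricted by the firewall,
# not by an address= filter here.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22001
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Vladivostok
/system identity
set name=Mikrotik66
/system ntp client
# Same NTP server that DHCP hands to the clients.
set enabled=yes primary-ntp=194.190.168.1
/tool mac-server
# MAC-telnet and MAC-Winbox (layer-2 management) only from the LAN side.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN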
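# RouterOS configuration: ether1 is the WAN uplink (DHCP client), ether2-5 and
# wlan1/wlan2 are bridged into one LAN (192.168.0.0/24) with DHCP, NAT towards
# WAN, and a firewall that exposes only ICMP and rate-limited Winbox/SSH.
/interface bridge
# 0x1000 is below the default bridge priority, so this bridge wins STP root
# election against other bridges that may appear on the LAN.
add name=bridge1 priority=0x1000
/interface ethernet
# loop-protect shuts a port whose own frames come back on it (cable loops).
set [ find default-name=ether1 ] loop-protect=on
set [ find default-name=ether2 ] loop-protect=on
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
set [ find default-name=ether5 ] loop-protect=on
/interface list
add name=LAN
# exclude=LAN guarantees an interface that is a LAN member is never matched as WAN.
add exclude=LAN name=WAN
/ip pool
# 55 dynamic leases; .2-.199 are left free for static assignments.
add name=dhcp_pool0 ranges=192.168.0.200-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
# ether1 is deliberately not a bridge member: it is the WAN port.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
# Do not announce the router (MNDP/CDP/LLDP) on the WAN side.
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
/ip dhcp-client
# Distance 50 leaves room for a preferred static/VPN route with a lower distance.
# NOTE(review): use-peer-dns defaults to yes, so ISP-supplied resolvers are added
# next to the static ones in /ip dns; set use-peer-dns=no if that is not wanted.
add default-route-distance=50 dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dhcp-server network
# Clients resolve directly against public resolvers; the router is not used as a
# DNS forwarder for the LAN (see the "drop DNS from WAN" rules below).
add address=192.168.0.0/24 dns-server=77.88.8.8,1.1.1.1 gateway=192.168.0.1 \
    ntp-server=194.190.168.1
/ip dns
# Resolvers used by the router itself (address-list name lookups, NTP, etc.).
# Kept in sync with the dns-server handed out above: 77.88.8.8 is Yandex DNS.
set servers=77.88.8.8,8.8.8.8
/ip firewall address-list
# Remote-admin allow-list keyed by a DNS name: RouterOS resolves it periodically
# with the resolvers above. If resolution fails the list is empty and WAN admin
# access is dropped by the rules below; and because it is plain DNS, the trust
# anchor is only as strong as the resolver path. Prefer a static address or a VPN
# where possible.
add address=fanzavod-gw.itsp-vl.ru list=TrustedRemoteAdmin
/ip firewall filter
# Rules are evaluated top-down. add-src-to-address-list does NOT terminate
# evaluation, so the ban "ladders" below escalate with every new connection.
# The router must not answer DNS from the Internet (open-resolver abuse).
add action=drop chain=input comment="drop DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop DNS from WAN" dst-port=53 \
    in-interface-list=WAN protocol=udp
# Winbox from WAN only from the trusted list; the ladder below still applies to it.
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 \
    in-interface-list=WAN protocol=tcp src-address-list=!TrustedRemoteAdmin
# Winbox ladder: three new connections per minute per source are free
# (attempt1..3); the 4th puts the source into a 1m reject, the next into a 2m
# reject, the next into a 4w silent drop. It applies to LAN and trusted sources
# too, so a client that reconnects repeatedly can lock itself out for 4 weeks.
add action=add-src-to-address-list address-list=winbox_ban_during_4w \
    address-list-timeout=4w chain=input comment="limit connections to winbox" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    winbox_ban_during_2m
add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=\
    winbox_ban_during_4w
add action=add-src-to-address-list address-list=winbox_ban_during_2m \
    address-list-timeout=2m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_ban_during_1m
add action=reject chain=input dst-port=8291 protocol=tcp reject-with=\
    icmp-admin-prohibited src-address-list=winbox_ban_during_2m
add action=add-src-to-address-list address-list=winbox_ban_during_1m \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_connection_attempt3
add action=reject chain=input dst-port=8291 protocol=tcp reject-with=\
    icmp-admin-prohibited src-address-list=winbox_ban_during_1m
add action=add-src-to-address-list address-list=winbox_connection_attempt3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_connection_attempt2
add action=add-src-to-address-list address-list=winbox_connection_attempt2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_connection_attempt1
add action=add-src-to-address-list address-list=winbox_connection_attempt1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="allow winbox" dst-port=8291 protocol=\
    tcp
add action=accept chain=input comment="allow ping this router" protocol=icmp
# SSH (moved to 22001 in /ip service) from WAN only from the trusted list.
add action=drop chain=input comment="drop ssh from wan" dst-port=22001 \
    in-interface-list=WAN protocol=tcp src-address-list=!TrustedRemoteAdmin
# SSH ladder is stricter than the Winbox one: there is a single attempt list, so
# only ONE new SSH connection per minute per source is accepted; the second is
# rejected for 1m, then 2m, then dropped for 4w. Two quick sessions (e.g. scp
# followed by ssh) from the same host trigger it - intentional brute-force
# hardening, but worth knowing before relying on it for daily admin work.
add action=add-src-to-address-list address-list=ssh_ban_during_4w \
    address-list-timeout=4w chain=input comment="limit connections to ssh" \
    connection-state=new dst-port=22001 protocol=tcp src-address-list=\
    ssh_ban_during_2m
add action=drop chain=input dst-port=22001 protocol=tcp src-address-list=\
    ssh_ban_during_4w
add action=add-src-to-address-list address-list=ssh_ban_during_2m \
    address-list-timeout=2m chain=input connection-state=new dst-port=22001 \
    protocol=tcp src-address-list=ssh_ban_during_1m
add action=reject chain=input dst-port=22001 protocol=tcp reject-with=\
    icmp-admin-prohibited src-address-list=ssh_ban_during_2m
add action=add-src-to-address-list address-list=ssh_ban_during_1m \
    address-list-timeout=1m chain=input connection-state=new dst-port=22001 \
    protocol=tcp src-address-list=ssh_connection_attempt
add action=reject chain=input dst-port=22001 protocol=tcp reject-with=\
    icmp-admin-prohibited src-address-list=ssh_ban_during_1m
add action=add-src-to-address-list address-list=ssh_connection_attempt \
    address-list-timeout=1m chain=input connection-state=new dst-port=22001 \
    protocol=tcp
add action=accept chain=input comment="allow ssh" dst-port=22001 protocol=tcp
# Everything else new/invalid/untracked from WAN is dropped, in both the forward
# (LAN-bound) and input (router-bound) chains. !dstnat keeps port-forwards that
# are added in /ip firewall nat working. Established/related traffic and all
# LAN-originated traffic rely on the chain's default accept; if a final
# catch-all drop is ever added, an explicit
#   accept connection-state=established,related
# rule must go in front of it.
add action=drop chain=forward comment="default action - drop" \
    connection-nat-state=!dstnat connection-state=invalid,new,untracked \
    in-interface-list=WAN
add action=drop chain=input connection-state=invalid,new,untracked \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
# Plaintext/legacy management services off; SSH moved to 22001 to match the
# firewall rules above. Winbox stays on 8291 and is restricted by the firewall,
# not by an address= filter here.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22001
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Vladivostok
/system identity
set name=Mikrotik66
/system ntp client
# Same NTP server that DHCP hands to the clients.
set enabled=yes primary-ntp=194.190.168.1
/tool mac-server
# MAC-telnet and MAC-Winbox (layer-2 management) only from the LAN side.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN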