lego11

routeros

Apr 24th, 2024
  1. # 2024-04-24 15:20:29 by RouterOS 7.14.3
  2. # software id = Y09A-7J23
  3. #
  4. # model = RB3011UiAS
  5. # serial number = ##############
  6. /disk
  7. add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
  8.     "30 765 219 328" type=partition
  9. /interface bridge
  10. add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
  11.     short
  12. /interface ethernet
  13. set [ find default-name=ether1 ] name=ether1-PF_AIR
  14. set [ find default-name=ether2 ] name=ether2-TIM
  15. set [ find default-name=ether5 ] name=ether5-LAN2
  16. /interface wireguard
  17. add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
  18. /interface vlan
  19. add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
  20. add interface=bridge-LAN name=vlan11-IoT vlan-id=11
  21. add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
  22. /interface pppoe-client
  23. add add-default-route=yes interface=ether1-PF_AIR name=PF-AIR user=\
  24.     air218@pianetafibra.it
  25. add add-default-route=yes disabled=no interface=sfp1 name=PF-FTTC \
  26.     use-peer-dns=yes user=fttc4250
  27. /interface list
  28. add comment=defconf name=WAN
  29. add comment=defconf name=LAN
  30. /interface lte apn
  31. set [ find default=yes ] ip-type=ipv4 use-network-apn=no
  32. /ip dhcp-server option
  33. add code=160 name=160_Polycom value=\
  34.     "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
  35. /ip pool
  36. add name=dhcp ranges=172.16.30.2-172.16.30.254
  37. add name=vpn ranges=192.168.89.2-192.168.89.255
  38. add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
  39. add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
  40. add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
  41. add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
  42. /ip dhcp-server
  43. add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
  44. add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
  45. add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
  46. add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
  47. add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
  48.     Inaffidabile_DHCP
  49. /ip smb users
  50. add name=admin
  51. /port
  52. set 0 name=serial0
  53. /ppp profile
  54. set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
  55. /queue simple
  56. add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
  57.     192.168.10.0/24
  58. add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
  59.     192.16.12.0/24
  60. add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
  61.     192.168.13.0/24
  62. /routing table
  63. add disabled=no fib name=to_FTTC
  64. add disabled=no fib name=to_AIR
  65. /ip smb
  66. set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
  67. /interface bridge port
  68. add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
  69.     internal-path-cost=10 path-cost=10
  70. add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
  71.     internal-path-cost=10 path-cost=10
  72. add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
  73.     internal-path-cost=10 path-cost=10
  74. add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
  75.     internal-path-cost=10 path-cost=10
  76. add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
  77.     internal-path-cost=10 path-cost=10
  78. add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
  79.     interface=sfp1 internal-path-cost=10 path-cost=10
  80. /ip firewall connection tracking
  81. set udp-timeout=10s
  82. /ip neighbor discovery-settings
  83. set discover-interface-list=LAN
  84. /ip settings
  85. set max-neighbor-entries=8192
  86. /ipv6 settings
  87. set disable-ipv6=yes max-neighbor-entries=8192
  88. /interface bridge vlan
  89. add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
  90.     vlan-ids=10,11,13
  91. /interface l2tp-server server
  92. set enabled=yes use-ipsec=yes
  93. /interface list member
  94. add comment=defconf interface=bridge-LAN list=LAN
  95. add interface=PF-FTTC list=WAN
  96. add interface=PF-AIR list=WAN
  97. /interface ovpn-server server
  98. set auth=sha256,sha512 certificate=a-centauri cipher=\
  99.     blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
  100.     redirect-gateway=def1
  101. /interface pptp-server server
  102. # PPTP connections are considered unsafe, it is suggested to use a more modern V N protocol instead
  103. set authentication=pap,chap,mschap1,mschap2 enabled=yes
  104. /interface sstp-server server
  105. set default-profile=default-encryption
  106. /ip address
  107. add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
  108.     172.16.0.0
  109. add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
  110.     192.168.12.0
  111. add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
  112.     192.168.10.0
  113. add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
  114.     192.168.11.0
  115. add address=192.168.13.1/24 comment=Inaffidabile interface=\
  116.     vlan13-Inaffidabile network=192.168.13.0
  117. add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
  118.     192.168.2.0
  119. /ip cloud
  120. set back-to-home-vpn=enabled ddns-enabled=yes
  121. /ip dhcp-server lease
  122. add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
  123. add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
  124.     mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
  125. add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
  126.     64:16:7F:0B:F6:FA server=LAN_DHCP
  127. add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
  128.     B8:27:EB:BE:70:8F server=LAN_DHCP
  129. add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
  130.     B8:27:EB:CF:86:71 server=LAN_DHCP
  131. add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
  132.     00:60:35:06:F0:16 server=LAN_DHCP
  133. add address=172.16.22.100 client-id=\
  134.     ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
  135.     BC:24:11:E4:49:24 server=LAN_DHCP
  136. add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
  137.     BC:24:11:9E:F2:03 server=LAN_DHCP
  138. add address=172.16.20.211 client-id=\
  139.     ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
  140.     BC:24:11:6E:18:77 server=LAN_DHCP
  141. add address=172.16.20.160 client-id=1:d8:3a:dd:a7:d6:5e comment=Helios \
  142.     mac-address=D8:3A:DD:A7:D6:5E server=LAN_DHCP
  143. add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
  144.     server=LAN_DHCP
  145. add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
  146.     00:A0:C5:B9:35:B1 server=LAN_DHCP
  147. /ip dhcp-server network
  148. add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
  149.     gateway=172.16.20.1 netmask=16
  150. add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
  151.     192.168.10.1
  152. add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
  153.     192.168.11.1
  154. add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
  155.     192.168.12.1
  156. add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
  157.     192.168.13.1
  158. /ip dns static
  159. add address=172.16.20.1 comment=defconf name=router.lan
  160. /ip firewall filter
  161. add action=accept chain=input comment=\
  162.     "defconf: accept established,related,untracked" connection-state=\
  163.     established,related,untracked
  164. add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
  165.     protocol=udp
  166. add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
  167. add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
  168. add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
  169. add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
  170. add action=drop chain=input comment="defconf: drop invalid" connection-state=\
  171.     invalid
  172. add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  173. add action=accept chain=input comment=\
  174.     "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
  175. add action=accept chain=forward comment="defconf: accept in ipsec policy" \
  176.     ipsec-policy=in,ipsec
  177. add action=accept chain=forward comment="defconf: accept out ipsec policy" \
  178.     ipsec-policy=out,ipsec
  179. add action=accept chain=forward comment=\
  180.     "defconf: accept established,related, untracked" connection-state=\
  181.     established,related,untracked
  182. add action=drop chain=forward comment="defconf: drop invalid" \
  183.     connection-state=invalid
  184. add action=drop chain=forward comment=\
  185.     "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
  186.     connection-state=new in-interface-list=WAN
  187. add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
  188.     in-interface-list=WAN protocol=tcp
  189. add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
  190.     in-interface-list=WAN protocol=tcp
  191. /ip firewall mangle
  192. add action=mark-connection chain=forward comment="PF-AIR Forward" disabled=\
  193.     yes in-interface=PF-AIR new-connection-mark=AIR_conn passthrough=yes
  194. add action=mark-connection chain=forward comment="PF-FTTC forward" disabled=\
  195.     yes in-interface=PF-FTTC new-connection-mark=FTTC_conn passthrough=yes
  196. add action=mark-connection chain=prerouting comment="PF-AIR PortForward" \
  197.     disabled=yes dst-address-type=!local in-interface=PF-AIR \
  198.     new-connection-mark=AIR_conn passthrough=yes
  199. add action=mark-connection chain=prerouting comment="PF-FTTC PortForward" \
  200.     disabled=yes dst-address-type=!local in-interface=PF-FTTC \
  201.     new-connection-mark=FTTC_conn passthrough=yes
  202. add action=mark-connection chain=input in-interface=PF-FTTC \
  203.     new-connection-mark=FTTC_conn
  204. # PF-AIR not ready
  205. add action=mark-connection chain=input in-interface=PF-AIR \
  206.     new-connection-mark=AIR_conn
  207. add action=mark-routing chain=output connection-mark=FTTC_conn \
  208.     new-routing-mark=to_FTTC
  209. add action=mark-routing chain=output connection-mark=AIR_conn \
  210.     new-routing-mark=to_AIR
  211. add action=mark-connection chain=prerouting dst-address-type=!local \
  212.     in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
  213.     per-connection-classifier=both-addresses-and-ports:2/0
  214. add action=mark-connection chain=prerouting dst-address-type=!local \
  215.     in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
  216.     per-connection-classifier=both-addresses-and-ports:2/1
  217. add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
  218.     in-interface=bridge-LAN new-routing-mark=to_FTTC
  219. add action=mark-routing chain=prerouting connection-mark=AIR_conn \
  220.     in-interface=bridge-LAN new-routing-mark=to_AIR
  221. /ip firewall nat
  222. add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
  223.     192.168.89.0/24
  224. add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
  225.     in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
  226.     443
  227. add action=dst-nat chain=dstnat comment="SunFire FTP" dst-port=21 \
  228.     in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=21
  229. add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
  230.     in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
  231. add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
  232.     in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
  233. add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
  234.     in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
  235.     10000
  236. add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
  237.     in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
  238.     25565
  239. add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
  240.     in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
  241.     8123
  242. add action=dst-nat chain=dstnat comment="SSH Pi5 JVital" dst-port=52233 \
  243.     in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
  244. add action=masquerade chain=srcnat out-interface=PF-FTTC
  245. # PF-AIR not ready
  246. add action=masquerade chain=srcnat out-interface=PF-AIR
  247. add action=masquerade chain=srcnat comment="defconf: masquerade" \
  248.     ipsec-policy=out,none out-interface-list=WAN
  249. /ip route
  250. add check-gateway=ping dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=\
  251.     to_FTTC
  252. add check-gateway=ping dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=\
  253.     to_AIR
  254. /ip service
  255. set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
  256.     only-1.2
  257. /ip smb shares
  258. add directory=usb1-part1 name=USB1 valid-users=guest
  259. /ip upnp
  260. set enabled=yes
  261. /ip upnp interfaces
  262. add interface=PF-AIR type=external
  263. /ppp aaa
  264. set use-radius=yes
  265. /ppp secret
  266. add name=vpn
  267. add name=J2 profile=default-encryption
  268. /radius
  269. add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
  270.     ppp,login,hotspot,ipsec,dot1x
  271. /routing bfd configuration
  272. add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
  273. /system clock
  274. set time-zone-name=Europe/Rome
  275. /system identity
  276. set name=MikroTik-VR
  277. /system note
  278. set show-at-login=no
  279. /system ntp client
  280. set enabled=yes
  281. /system ntp server
  282. set enabled=yes use-local-clock=yes
  283. /system ntp client servers
  284. add address=time.inrim.it
  285. add address=ntp1.inrim.it
  286. /tool graphing interface
  287. add allow-address=172.16.0.0/16
  288. /tool mac-server
  289. set allowed-interface-list=LAN
  290. /tool mac-server mac-winbox
  291. set allowed-interface-list=LAN