Advertisement
rockdrilla

MikroTik with ISP PPPoE + IPTV

Sep 30th, 2015
1,101
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.66 KB | None | 0 0
  1. ######################################################
  2. ### Ethernet
  3. ######################################################
  4.  
  5. /interface ethernet
  6. set [ find default-name=ether1 ] name=ether1-UP-RT
  7. set [ find default-name=ether2 ] name=ether2-LAN
  8. set [ find default-name=ether3 ] master-port=ether2-LAN
  9. set [ find default-name=ether4 ] master-port=ether2-LAN
  10. set [ find default-name=ether5 ] master-port=ether2-LAN
  11.  
  12. ######################################################
  13. ### WiFi
  14. ######################################################
  15.  
  16. /interface wireless
  17. set [ find default-name=wlan1 ] name=wlan0 ampdu-priorities=0,1,2,3,4,5,6,7 antenna-mode=txa-rxb arp=disabled band=2ghz-onlyn basic-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps channel-width=20/40mhz-Ce country=russia default-authentication=no default-forwarding=no disabled=no distance=indoors frequency=2442 hide-ssid=yes ht-basic-mcs=mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15 ht-supported-mcs=mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23 hw-retries=5 mode=ap-bridge multicast-helper=full rate-set=configured rx-chains=1 security-profile=ap-home ssid="" tx-chains=0 wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
  18.  
  19. /interface wireless security-profiles
  20. set [ find default=yes ] supplicant-identity=""
  21. add name=ap-home authentication-types=wpa2-psk wpa2-pre-shared-key="${WPA2-PSK KEY}" group-key-update=1h mode=dynamic-keys eap-methods="" supplicant-identity=""
  22.  
  23. /interface wireless
  24. add master-interface=wlan0 name=wlan-home mac-address=${wlan0 MAC + 1} ssid=Home wmm-support=enabled wps-mode=disabled disabled=no security-profile=ap-home
  25. add master-interface=wlan0 name=wlan-free mac-address=${wlan0 MAC + 2} ssid=Free wmm-support=enabled wps-mode=disabled disabled=yes
  26.  
  27. ######################################################
  28. ### IP addresses
  29. ######################################################
  30.  
  31. /ip address
  32. add address=169.254.13.37 interface=ether1-UP-RT network=169.254.13.37
  33. add address=192.168.88.1/24 interface=ether2-LAN network=192.168.88.0
  34. add address=192.168.0.1/24 interface=wlan-home network=192.168.0.0
  35. add address=192.168.1.1/24 interface=wlan-free network=192.168.1.0
  36.  
  37. ######################################################
  38. ### DHCP
  39. ######################################################
  40.  
  41. /ip pool
  42. add name=dhcp-pool-ether-lan ranges=192.168.88.10-192.168.88.254
  43. add name=dhcp-pool-wifi-home ranges=192.168.0.2-192.168.0.254
  44. add name=dhcp-pool-wifi-free ranges=192.168.1.2-192.168.1.254
  45.  
  46. /ip dhcp-server
  47. add name=dhcpd-ether-lan address-pool=dhcp-pool-ether-lan interface=ether2-LAN always-broadcast=yes authoritative=yes disabled=no add-arp=yes lease-time=20w4d
  48. add name=dhcpd-wifi-home address-pool=dhcp-pool-wifi-home interface=wlan-home always-broadcast=yes authoritative=yes disabled=no add-arp=yes lease-time=20w4d
  49. add name=dhcpd-wifi-free address-pool=dhcp-pool-wifi-free interface=wlan-free always-broadcast=yes authoritative=yes disabled=no add-arp=yes lease-time=1d
  50.  
  51. /ip dhcp-server network
  52. add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24 ntp-server=192.168.88.1
  53. add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24 ntp-server=192.168.0.1
  54. add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24 ntp-server=192.168.1.1
  55.  
  56. ######################################################
  57. ### DNS
  58. ######################################################
  59.  
  60. /ip dns
  61. set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB query-server-timeout=3s query-total-timeout=5s
  62.  
  63. ######################################################
  64. ### PPPoE
  65. ######################################################
  66.  
  67. /ppp profile
  68. add change-tcp-mss=no name=pppoe-RT only-one=no use-encryption=no
  69.  
  70. /interface pppoe-client
  71. add name=pppoe-RT profile=pppoe-RT user=${PPPoE login} password=${PPPoE password} interface=ether1-UP-RT add-default-route=yes default-route-distance=200 use-peer-dns=yes keepalive-timeout=disabled disabled=no
  72.  
  73. ######################################################
  74. ### WiFi::Free traffic shaper
  75. ######################################################
  76.  
  77. ### download
  78. ### overall = 4194304
  79. ### per user = 4194304
  80. ### upload
  81. ### overall = 2097152
  82. ### per user = 262144
  83.  
  84. /queue tree
  85. add name=wififree-DL parent=global queue=default max-limit=4194304
  86. add name=wififree-DL-pcq parent=wififree-DL queue=pcq-download-default max-limit=524288 limit-at=507904 packet-mark=wififree-P-DL
  87.  
  88. add name=wififree-UL parent=global queue=default max-limit=2097152
  89. add name=wififree-UL-pcq parent=wififree-UL queue=pcq-upload-default max-limit=262144 limit-at=245760 packet-mark=wififree-P-UL
  90.  
  91. ######################################################
  92. ### firewall
  93. ######################################################
  94.  
  95. /ip firewall address-list
  96. add list=BAN address=169.254.0.0/16
  97.  
  98. /ip firewall filter
  99. add chain=- comment="====" action=log
  100. add chain=input comment="DROP <- BANNED" action=drop src-address-list=BAN
  101. add chain=forward comment="DROP <=| BANNED" action=drop src-address-list=BAN
  102. add chain=forward comment="DROP |=> BANNED" action=drop dst-address-list=BAN
  103. add chain=output comment="DROP -> BANNED" action=drop dst-address-list=BAN
  104. add chain=- comment="====" action=log
  105. add chain=input comment="DROP limited broadcast" action=drop dst-address=255.255.255.255 in-interface=ether1-UP-RT
  106. add chain=input comment="DROP limited broadcast" action=drop dst-address=255.255.255.255 in-interface=pppoe-RT
  107. add chain=- comment="====" action=log
  108. add chain=input comment="ACCEPT incoming multicast" dst-address-type=multicast in-interface=ether1-UP-RT
  109. add chain=input comment="ACCEPT incoming multicast" dst-address-type=multicast in-interface=ether2-LAN
  110. add chain=input comment="ACCEPT incoming multicast" dst-address-type=multicast in-interface=wlan-home
  111. add chain=input comment="DROP incoming multicast" action=drop dst-address-type=multicast
  112. add chain=- comment="----" action=log
  113. add chain=forward comment="ACCEPT forwarded multicast" dst-address-type=multicast in-interface=ether1-UP-RT out-interface=ether2-LAN
  114. add chain=forward comment="ACCEPT forwarded multicast" dst-address-type=multicast in-interface=ether1-UP-RT out-interface=wlan-home
  115. add chain=forward comment="ACCEPT forwarded multicast" dst-address-type=multicast in-interface=ether2-LAN out-interface=ether1-UP-RT
  116. add chain=forward comment="ACCEPT forwarded multicast" dst-address-type=multicast in-interface=wlan-home out-interface=ether1-UP-RT
  117. add chain=forward comment="DROP forwarded multicast" action=drop dst-address-type=multicast
  118. add chain=- comment="----" action=log
  119. add chain=output comment="ACCEPT outgoing multicast" dst-address-type=multicast out-interface=ether1-UP-RT
  120. add chain=output comment="ACCEPT outgoing multicast" dst-address-type=multicast out-interface=wlan-home
  121. add chain=output comment="ACCEPT outgoing multicast" dst-address-type=multicast out-interface=ether2-LAN
  122. add chain=output comment="DROP outgoing multicast" action=drop dst-address-type=multicast
  123. add chain=- comment="====" action=log
  124. add chain=input comment="ACCEPT always MikroTik admin" dst-port=8291 protocol=tcp
  125. add chain=- comment="----" action=log
  126. add chain=input comment="ACCEPT ct::established" connection-state=established
  127. add chain=input comment="ACCEPT ct::related" connection-state=related
  128. add chain=input comment="ACCEPT icmp" protocol=icmp
  129. add chain=- comment="----" action=log
  130. add chain=input comment="ACCEPT ct::new" connection-state=new in-interface=ether2-LAN
  131. add chain=input comment="ACCEPT ct::new" connection-state=new in-interface=wlan-home
  132. add chain=input comment="ACCEPT ct::new" connection-state=new in-interface=wlan-free
  133. add chain=- comment="----" action=log
  134. add chain=input comment="DROP default input" action=drop
  135. add chain=- comment="====" action=log
  136. add chain=forward comment="ACCEPT ct::established" connection-state=established
  137. add chain=forward comment="ACCEPT ct::related" connection-state=related
  138. add chain=- comment="----" action=log
  139. add chain=forward comment="ACCEPT LAN -> UP-RT" in-interface=ether2-LAN out-interface=pppoe-RT
  140. add chain=forward comment="ACCEPT wifi home -> UP-RT" in-interface=wlan-home out-interface=pppoe-RT
  141. add chain=- comment="----" action=log
  142. add chain=forward comment="ACCEPT wifi free -> UP-RT" in-interface=wlan-free out-interface=pppoe-RT
  143. add chain=forward comment="DROP wifi free -> *" action=drop in-interface=wlan-free
  144. add chain=- comment="----" action=log
  145. add chain=forward comment="DROP default forward" action=drop
  146. add chain=- comment="====" action=log
  147.  
  148. /ip firewall mangle
  149. add chain=- comment="====" action=log
  150. add chain=prerouting action=mark-connection in-interface=wlan-free new-connection-mark=wififree-C-UL
  151. add chain=prerouting action=mark-packet connection-mark=wififree-C-UL new-packet-mark=wififree-P-UL passthrough=no
  152. add chain=- comment="----" action=log
  153. add chain=postrouting action=mark-connection out-interface=wlan-free new-connection-mark=wififree-C-DL
  154. add chain=postrouting action=mark-packet connection-mark=wififree-C-DL new-packet-mark=wififree-P-DL passthrough=no
  155. add chain=- comment="====" action=log
  156. add chain=prerouting action=set-priority in-interface=ether1-UP-RT dst-address-type=multicast new-priority=63
  157. add chain=prerouting action=set-priority in-interface=ether2-LAN dst-address-type=multicast new-priority=63
  158. add chain=prerouting action=set-priority in-interface=wlan-home dst-address-type=multicast new-priority=63
  159. add chain=- comment="====" action=log
  160. add chain=forward action=change-mss out-interface=pppoe-RT protocol=tcp tcp-flags=syn new-mss=clamp-to-pmtu
  161. add chain=- comment="====" action=log
  162.  
  163. /ip firewall nat
  164. add chain=- comment="====" action=log
  165. add chain=srcnat action=masquerade out-interface=pppoe-RT
  166. add chain=srcnat action=masquerade out-interface=ether2-LAN
  167. add chain=srcnat action=masquerade out-interface=wlan-home
  168. add chain=- comment="====" action=log
  169. add chain=dstnat action=dst-nat in-interface=pppoe-RT protocol=tcp dst-port=6881-6889,7881 to-addresses=${Torrent seeding PC}
  170. add chain=dstnat action=dst-nat in-interface=pppoe-RT protocol=udp dst-port=6881-6889,7881 to-addresses=${Torrent seeding PC}
  171. add chain=- comment="====" action=log
  172.  
  173. /ip route
  174. add distance=1 dst-address=169.254.0.0/16 type=blackhole
  175.  
  176. /ip firewall connection tracking
  177. set enabled=yes tcp-close-timeout=20s tcp-close-wait-timeout=20s tcp-established-timeout=3h tcp-fin-wait-timeout=20s tcp-last-ack-timeout=20s tcp-syn-received-timeout=20stcp-syn-sent-timeout=20s tcp-time-wait-timeout=20s udp-stream-timeout=2m udp-timeout=15s
  178.  
  179. /interface bridge settings
  180. set allow-fast-path=no use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
  181.  
  182. /ip settings
  183. set rp-filter=loose tcp-syncookies=yes
  184.  
  185. ######################################################
  186. ### access control
  187. ######################################################
  188.  
  189. /ip service
  190. set ssh address=192.168.88.0/24,192.168.0.0/24
  191. set disabled=yes telnet
  192. set disabled=yes ftp
  193. set disabled=yes www
  194. set disabled=yes api
  195. set disabled=yes api-ssl
  196.  
  197. ######################################################
  198. ### UPnP
  199. ######################################################
  200.  
  201. /ip upnp
  202. set enabled=yes
  203.  
  204. /ip upnp interfaces
  205. add interface=pppoe-RT type=external
  206. add interface=ether2-LAN type=internal
  207. add interface=wlan-home type=internal
  208.  
  209. ######################################################
  210. ### IPTV via IGMP snooping
  211. ######################################################
  212.  
  213. /routing igmp-proxy
  214. set query-interval=30s quick-leave=yes
  215.  
  216. /routing igmp-proxy interface
  217. add interface=ether1-UP-RT upstream=yes alternative-subnets=0.0.0.0/0
  218. add interface=ether2-LAN
  219. add interface=wlan-home
  220.  
  221. ######################################################
  222. ### time zone & clock
  223. ######################################################
  224.  
  225. /system clock
  226. set time-zone-autodetect=no
  227.  
  228. /system clock manual
  229. set time-zone=+03:00
  230.  
  231. # primary = 0.ru.pool.ntp.org
  232. # secondary = 1.ru.pool.ntp.org
  233. /system ntp client
  234. set enabled=yes primary-ntp=62.76.96.4 secondary-ntp=87.229.205.7
  235.  
  236. /system ntp server
  237. set enabled=yes broadcast=yes broadcast-addresses=192.168.88.255,192.168.0.255,192.168.1.255 manycast=no
  238.  
  239. ######################################################
  240. ### logging
  241. ######################################################
  242.  
  243. /system logging action
  244. set 1 disk-file-count=8 disk-lines-per-file=10000
  245.  
  246. /system logging
  247. set 0 disabled=yes
  248. add topics=firewall
  249.  
  250. ######################################################
  251. ### tweaks
  252. ######################################################
  253.  
  254. /system package update
  255. set channel=current
  256.  
  257. /ip neighbor discovery
  258. set ether1-UP-RT discover=no
  259. set ether2-LAN discover=no
  260. set ether3 discover=no
  261. set ether4 discover=no
  262. set ether5 discover=no
  263. set wlan0 discover=no
  264. set wlan-free discover=no
  265. set wlan-home discover=no
  266. set pppoe-RT discover=no
  267.  
  268. /routing bgp instance
  269. set default disabled=yes
  270.  
  271. /routing ospf area
  272. set [ find default=yes ] disabled=yes
  273.  
  274. /routing ospf instance
  275. set [ find default=yes ] disabled=yes
  276.  
  277. /routing pim
  278. set switch-to-spt=no
  279.  
  280. /system leds
  281. set 0 interface=wlan0
  282.  
  283. /interface wireless nstreme
  284. set wlan0 enable-polling=no
  285.  
  286. /ip ipsec proposal
  287. set [ find default=yes ] disabled=yes enc-algorithms=3des
  288.  
  289. /ip firewall service-port
  290. set ftp disabled=yes
  291. set tftp disabled=yes
  292. set irc disabled=yes
  293. set h323 disabled=yes
  294. set sip disabled=yes
  295. set pptp disabled=yes
  296.  
  297. /ip ipsec policy
  298. set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement