API tools faq
paste
Advertisement
rockdrilla

MikroTik with ISP PPPoE + IPTV

rockdrilla
Sep 30th, 2015
1,097
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.66 KB | None | 0 0
raw download clone embed print report
  1. ######################################################
  2. ### Ethernet
  3. ######################################################
  4.  
  5. /interface ethernet
  6. set [ find default-name=ether1 ] name=ether1-UP-RT
  7. set [ find default-name=ether2 ] name=ether2-LAN
  8. set [ find default-name=ether3 ] master-port=ether2-LAN
  9. set [ find default-name=ether4 ] master-port=ether2-LAN
  10. set [ find default-name=ether5 ] master-port=ether2-LAN
  11.  
  12. ######################################################
  13. ### WiFi
  14. ######################################################
  15.  
  16. /interface wireless
  17. set [ find default-name=wlan1 ] name=wlan0 ampdu-priorities=0,1,2,3,4,5,6,7 antenna-mode=txa-rxb arp=disabled band=2ghz-onlyn basic-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps channel-width=20/40mhz-Ce country=russia default-authentication=no default-forwarding=no disabled=no distance=indoors frequency=2442 hide-ssid=yes ht-basic-mcs=mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15 ht-supported-mcs=mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23 hw-retries=5 mode=ap-bridge multicast-helper=full rate-set=configured rx-chains=1 security-profile=ap-home ssid="" tx-chains=0 wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
  18.  
  19. /interface wireless security-profiles
  20. set [ find default=yes ] supplicant-identity=""
  21. add name=ap-home authentication-types=wpa2-psk wpa2-pre-shared-key="${WPA2-PSK KEY}" group-key-update=1h mode=dynamic-keys eap-methods="" supplicant-identity=""
  22.  
  23. /interface wireless
  24. add master-interface=wlan0 name=wlan-home mac-address=${wlan0 MAC + 1} ssid=Home wmm-support=enabled wps-mode=disabled disabled=no security-profile=ap-home
  25. add master-interface=wlan0 name=wlan-free mac-address=${wlan0 MAC + 2} ssid=Free wmm-support=enabled wps-mode=disabled disabled=yes
  26.  
  27. ######################################################
  28. ### IP addresses
  29. ######################################################
  30.  
  31. /ip address
  32. add address=169.254.13.37 interface=ether1-UP-RT network=169.254.13.37
  33. add address=192.168.88.1/24 interface=ether2-LAN network=192.168.88.0
  34. add address=192.168.0.1/24 interface=wlan-home network=192.168.0.0
  35. add address=192.168.1.1/24 interface=wlan-free network=192.168.1.0
  36.  
  37. ######################################################
  38. ### DHCP
  39. ######################################################
  40.  
  41. /ip pool
  42. add name=dhcp-pool-ether-lan ranges=192.168.88.10-192.168.88.254
  43. add name=dhcp-pool-wifi-home ranges=192.168.0.2-192.168.0.254
  44. add name=dhcp-pool-wifi-free ranges=192.168.1.2-192.168.1.254
  45.  
  46. /ip dhcp-server
  47. add name=dhcpd-ether-lan address-pool=dhcp-pool-ether-lan interface=ether2-LAN always-broadcast=yes authoritative=yes disabled=no add-arp=yes lease-time=20w4d
  48. add name=dhcpd-wifi-home address-pool=dhcp-pool-wifi-home interface=wlan-home always-broadcast=yes authoritative=yes disabled=no add-arp=yes lease-time=20w4d
  49. add name=dhcpd-wifi-free address-pool=dhcp-pool-wifi-free interface=wlan-free always-broadcast=yes authoritative=yes disabled=no add-arp=yes lease-time=1d
  50.  
  51. /ip dhcp-server network
  52. add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24 ntp-server=192.168.88.1
  53. add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24 ntp-server=192.168.0.1
  54. add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24 ntp-server=192.168.1.1
  55.  
  56. ######################################################
  57. ### DNS
  58. ######################################################
  59.  
  60. /ip dns
  61. set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB query-server-timeout=3s query-total-timeout=5s
  62.  
  63. ######################################################
  64. ### PPPoE
  65. ######################################################
  66.  
  67. /ppp profile
  68. add change-tcp-mss=no name=pppoe-RT only-one=no use-encryption=no
  69.  
  70. /interface pppoe-client
  71. add name=pppoe-RT profile=pppoe-RT user=${PPPoE login} password=${PPPoE password} interface=ether1-UP-RT add-default-route=yes default-route-distance=200 use-peer-dns=yes keepalive-timeout=disabled disabled=no
  72.  
  73. ######################################################
  74. ### WiFi::Free traffic shaper
  75. ######################################################
  76.  
  77. ### download
  78. ### overall = 4194304
  79. ### per user = 4194304
  80. ### upload
  81. ### overall = 2097152
  82. ### per user = 262144
  83.  
  84. /queue tree
  85. add name=wififree-DL parent=global queue=default max-limit=4194304
  86. add name=wififree-DL-pcq parent=wififree-DL queue=pcq-download-default max-limit=524288 limit-at=507904 packet-mark=wififree-P-DL
  87.  
  88. add name=wififree-UL parent=global queue=default max-limit=2097152
  89. add name=wififree-UL-pcq parent=wififree-UL queue=pcq-upload-default max-limit=262144 limit-at=245760 packet-mark=wififree-P-UL
  90.  
  91. ######################################################
  92. ### firewall
  93. ######################################################
  94.  
  95. /ip firewall address-list
  96. add list=BAN address=169.254.0.0/16
  97.  
  98. /ip firewall filter
  99. add chain=- comment="====" action=log
  100. add chain=input comment="DROP <- BANNED" action=drop src-address-list=BAN
  101. add chain=forward comment="DROP <=| BANNED" action=drop src-address-list=BAN
  102. add chain=forward comment="DROP |=> BANNED" action=drop dst-address-list=BAN
  103. add chain=output comment="DROP -> BANNED" action=drop dst-address-list=BAN
  104. add chain=- comment="====" action=log
  105. add chain=input comment="DROP limited broadcast" action=drop dst-address=255.255.255.255 in-interface=ether1-UP-RT
  106. add chain=input comment="DROP limited broadcast" action=drop dst-address=255.255.255.255 in-interface=pppoe-RT
  107. add chain=- comment="====" action=log
  108. add chain=input comment="ACCEPT incoming multicast" dst-address-type=multicast in-interface=ether1-UP-RT
  109. add chain=input comment="ACCEPT incoming multicast" dst-address-type=multicast in-interface=ether2-LAN
  110. add chain=input comment="ACCEPT incoming multicast" dst-address-type=multicast in-interface=wlan-home
  111. add chain=input comment="DROP incoming multicast" action=drop dst-address-type=multicast
  112. add chain=- comment="----" action=log
  113. add chain=forward comment="ACCEPT forwarded multicast" dst-address-type=multicast in-interface=ether1-UP-RT out-interface=ether2-LAN
  114. add chain=forward comment="ACCEPT forwarded multicast" dst-address-type=multicast in-interface=ether1-UP-RT out-interface=wlan-home
  115. add chain=forward comment="ACCEPT forwarded multicast" dst-address-type=multicast in-interface=ether2-LAN out-interface=ether1-UP-RT
  116. add chain=forward comment="ACCEPT forwarded multicast" dst-address-type=multicast in-interface=wlan-home out-interface=ether1-UP-RT
  117. add chain=forward comment="DROP forwarded multicast" action=drop dst-address-type=multicast
  118. add chain=- comment="----" action=log
  119. add chain=output comment="ACCEPT outgoing multicast" dst-address-type=multicast out-interface=ether1-UP-RT
  120. add chain=output comment="ACCEPT outgoing multicast" dst-address-type=multicast out-interface=wlan-home
  121. add chain=output comment="ACCEPT outgoing multicast" dst-address-type=multicast out-interface=ether2-LAN
  122. add chain=output comment="DROP outgoing multicast" action=drop dst-address-type=multicast
  123. add chain=- comment="====" action=log
  124. add chain=input comment="ACCEPT always MikroTik admin" dst-port=8291 protocol=tcp
  125. add chain=- comment="----" action=log
  126. add chain=input comment="ACCEPT ct::established" connection-state=established
  127. add chain=input comment="ACCEPT ct::related" connection-state=related
  128. add chain=input comment="ACCEPT icmp" protocol=icmp
  129. add chain=- comment="----" action=log
  130. add chain=input comment="ACCEPT ct::new" connection-state=new in-interface=ether2-LAN
  131. add chain=input comment="ACCEPT ct::new" connection-state=new in-interface=wlan-home
  132. add chain=input comment="ACCEPT ct::new" connection-state=new in-interface=wlan-free
  133. add chain=- comment="----" action=log
  134. add chain=input comment="DROP default input" action=drop
  135. add chain=- comment="====" action=log
  136. add chain=forward comment="ACCEPT ct::established" connection-state=established
  137. add chain=forward comment="ACCEPT ct::related" connection-state=related
  138. add chain=- comment="----" action=log
  139. add chain=forward comment="ACCEPT LAN -> UP-RT" in-interface=ether2-LAN out-interface=pppoe-RT
  140. add chain=forward comment="ACCEPT wifi home -> UP-RT" in-interface=wlan-home out-interface=pppoe-RT
  141. add chain=- comment="----" action=log
  142. add chain=forward comment="ACCEPT wifi free -> UP-RT" in-interface=wlan-free out-interface=pppoe-RT
  143. add chain=forward comment="DROP wifi free -> *" action=drop in-interface=wlan-free
  144. add chain=- comment="----" action=log
  145. add chain=forward comment="DROP default forward" action=drop
  146. add chain=- comment="====" action=log
  147.  
  148. /ip firewall mangle
  149. add chain=- comment="====" action=log
  150. add chain=prerouting action=mark-connection in-interface=wlan-free new-connection-mark=wififree-C-UL
  151. add chain=prerouting action=mark-packet connection-mark=wififree-C-UL new-packet-mark=wififree-P-UL passthrough=no
  152. add chain=- comment="----" action=log
  153. add chain=postrouting action=mark-connection out-interface=wlan-free new-connection-mark=wififree-C-DL
  154. add chain=postrouting action=mark-packet connection-mark=wififree-C-DL new-packet-mark=wififree-P-DL passthrough=no
  155. add chain=- comment="====" action=log
  156. add chain=prerouting action=set-priority in-interface=ether1-UP-RT dst-address-type=multicast new-priority=63
  157. add chain=prerouting action=set-priority in-interface=ether2-LAN dst-address-type=multicast new-priority=63
  158. add chain=prerouting action=set-priority in-interface=wlan-home dst-address-type=multicast new-priority=63
  159. add chain=- comment="====" action=log
  160. add chain=forward action=change-mss out-interface=pppoe-RT protocol=tcp tcp-flags=syn new-mss=clamp-to-pmtu
  161. add chain=- comment="====" action=log
  162.  
  163. /ip firewall nat
  164. add chain=- comment="====" action=log
  165. add chain=srcnat action=masquerade out-interface=pppoe-RT
  166. add chain=srcnat action=masquerade out-interface=ether2-LAN
  167. add chain=srcnat action=masquerade out-interface=wlan-home
  168. add chain=- comment="====" action=log
  169. add chain=dstnat action=dst-nat in-interface=pppoe-RT protocol=tcp dst-port=6881-6889,7881 to-addresses=${Torrent seeding PC}
  170. add chain=dstnat action=dst-nat in-interface=pppoe-RT protocol=udp dst-port=6881-6889,7881 to-addresses=${Torrent seeding PC}
  171. add chain=- comment="====" action=log
  172.  
  173. /ip route
  174. add distance=1 dst-address=169.254.0.0/16 type=blackhole
  175.  
  176. /ip firewall connection tracking
  177. set enabled=yes tcp-close-timeout=20s tcp-close-wait-timeout=20s tcp-established-timeout=3h tcp-fin-wait-timeout=20s tcp-last-ack-timeout=20s tcp-syn-received-timeout=20stcp-syn-sent-timeout=20s tcp-time-wait-timeout=20s udp-stream-timeout=2m udp-timeout=15s
  178.  
  179. /interface bridge settings
  180. set allow-fast-path=no use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
  181.  
  182. /ip settings
  183. set rp-filter=loose tcp-syncookies=yes
  184.  
  185. ######################################################
  186. ### access control
  187. ######################################################
  188.  
  189. /ip service
  190. set ssh address=192.168.88.0/24,192.168.0.0/24
  191. set disabled=yes telnet
  192. set disabled=yes ftp
  193. set disabled=yes www
  194. set disabled=yes api
  195. set disabled=yes api-ssl
  196.  
  197. ######################################################
  198. ### UPnP
  199. ######################################################
  200.  
  201. /ip upnp
  202. set enabled=yes
  203.  
  204. /ip upnp interfaces
  205. add interface=pppoe-RT type=external
  206. add interface=ether2-LAN type=internal
  207. add interface=wlan-home type=internal
  208.  
  209. ######################################################
  210. ### IPTV via IGMP snooping
  211. ######################################################
  212.  
  213. /routing igmp-proxy
  214. set query-interval=30s quick-leave=yes
  215.  
  216. /routing igmp-proxy interface
  217. add interface=ether1-UP-RT upstream=yes alternative-subnets=0.0.0.0/0
  218. add interface=ether2-LAN
  219. add interface=wlan-home
  220.  
  221. ######################################################
  222. ### time zone & clock
  223. ######################################################
  224.  
  225. /system clock
  226. set time-zone-autodetect=no
  227.  
  228. /system clock manual
  229. set time-zone=+03:00
  230.  
  231. # primary = 0.ru.pool.ntp.org
  232. # secondary = 1.ru.pool.ntp.org
  233. /system ntp client
  234. set enabled=yes primary-ntp=62.76.96.4 secondary-ntp=87.229.205.7
  235.  
  236. /system ntp server
  237. set enabled=yes broadcast=yes broadcast-addresses=192.168.88.255,192.168.0.255,192.168.1.255 manycast=no
  238.  
  239. ######################################################
  240. ### logging
  241. ######################################################
  242.  
  243. /system logging action
  244. set 1 disk-file-count=8 disk-lines-per-file=10000
  245.  
  246. /system logging
  247. set 0 disabled=yes
  248. add topics=firewall
  249.  
  250. ######################################################
  251. ### tweaks
  252. ######################################################
  253.  
  254. /system package update
  255. set channel=current
  256.  
  257. /ip neighbor discovery
  258. set ether1-UP-RT discover=no
  259. set ether2-LAN discover=no
  260. set ether3 discover=no
  261. set ether4 discover=no
  262. set ether5 discover=no
  263. set wlan0 discover=no
  264. set wlan-free discover=no
  265. set wlan-home discover=no
  266. set pppoe-RT discover=no
  267.  
  268. /routing bgp instance
  269. set default disabled=yes
  270.  
  271. /routing ospf area
  272. set [ find default=yes ] disabled=yes
  273.  
  274. /routing ospf instance
  275. set [ find default=yes ] disabled=yes
  276.  
  277. /routing pim
  278. set switch-to-spt=no
  279.  
  280. /system leds
  281. set 0 interface=wlan0
  282.  
  283. /interface wireless nstreme
  284. set wlan0 enable-polling=no
  285.  
  286. /ip ipsec proposal
  287. set [ find default=yes ] disabled=yes enc-algorithms=3des
  288.  
  289. /ip firewall service-port
  290. set ftp disabled=yes
  291. set tftp disabled=yes
  292. set irc disabled=yes
  293. set h323 disabled=yes
  294. set sip disabled=yes
  295. set pptp disabled=yes
  296.  
  297. /ip ipsec policy
  298. set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!