Ebben a cikkben bemutatom egy MikroTik router alapbeállítását.

LAN1 = WAN1 DHCP-client

Bridge-LAN = LAN2, LAN3, LAN4, LAN5

Bridge IP: 192.168.2.254

Neighbors = !WAN

VLAN10 192.168.10.1/23

VLAN30 192.168.30.1/23

DHCP: Bridge-LAN, VLAN10, VLAN30

NTP server, client

alap firewall :)

WIFI kikapcsolva : Jelszó WIFI2G, WIFI5G: Jelszo2018

Fasttrack bekapcsolása:
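/ip firewall filter
# The two commands were pasted onto a single line; RouterOS expects one
# command per line. Fasttrack is followed by a plain accept so that
# established/related packets that fasttrack cannot handle are still allowed.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related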
Fasttrack kikapcsolása:


Példa (backup letöltése itt).

# may/24/2018 20:55:28 by RouterOS 6.42.2
# model = RouterBOARD 952Ui-5ac2nD
# Export of the base configuration summarised above. The export contains the
# wireless pre-shared key in clear text, so the file itself is sensitive.
/interface bridge
add admin-mac=64:D1:54:2A:9A:0B auto-mac=no comment=\
    "created from master port" name=Bridge-LAN
/interface ethernet
# ether1 is the WAN uplink; ether2-5 are renamed as bridge slaves (their
# membership is declared under /interface bridge port further down).
# proxy-arp is set on ether2-4 but not ether5 - presumably unintentional.
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-LAN-SLV
set [ find default-name=ether3 ] arp=proxy-arp name=ether3-LAN-SLV
set [ find default-name=ether4 ] arp=proxy-arp name=ether4-LAN-SLV
set [ find default-name=ether5 ] name=ether5-LAN-SLV
/interface wireless
# Neither wlan shows disabled=no, so both are presumably at their default
# (disabled) state, matching "WIFI kikapcsolva" in the summary - verify
# before relying on it.
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik2G \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik5G \
    wireless-protocol=802.11
/interface vlan
# VLAN10 and VLAN30 are tagged sub-interfaces on top of the LAN bridge.
add interface=Bridge-LAN name=VLAN10 vlan-id=10
add interface=Bridge-LAN name=VLAN30 vlan-id=30
/interface list
# Interface lists referenced by the firewall and neighbor discovery below.
add name=WAN
add name=LAN
add name=VLAN
/interface wireless security-profiles
# The default profile accepts both WPA (wpa-psk) and WPA2 (wpa2-psk); removing
# wpa-psk from authentication-types leaves only WPA2 once the radios are
# enabled. The same key is used for both.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    Jelszo2018 wpa2-pre-shared-key=Jelszo2018
/ip ipsec proposal
# Used by the L2TP server below (use-ipsec=required). sha1 and md5 are still
# accepted as auth algorithms; if every client supports it, sha256 alone is
# the stricter choice.
set [ find default=yes ] auth-algorithms=sha256,sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-128-cbc pfs-group=modp8192
/ip pool
# The VLAN pools span two /24s each, consistent with the /23 addresses given
# to VLAN10 and VLAN30 under /ip address.
add name=POOL-LAN ranges=192.168.2.40-192.168.2.200
add name=POOL-VLAN10 ranges=192.168.10.40-192.168.11.200
add name=POOL-VLAN30 ranges=192.168.30.40-192.168.31.200
/ip dhcp-server
# One DHCP server per L3 interface; gateways/DNS come from
# /ip dhcp-server network below.
add add-arp=yes address-pool=POOL-LAN disabled=no interface=Bridge-LAN \
    lease-time=8h30m31s name=DHCP-LAN-220
add address-pool=POOL-VLAN10 disabled=no interface=VLAN10 lease-time=8h name=\
    DHCP-VLAN10
add address-pool=POOL-VLAN30 disabled=no interface=VLAN30 lease-time=8h name=\
    DHCP-VLAN30
/queue tree
# Upload shaping on the WAN port. The child queues match packet marks (VOIP,
# ACK, DNS, UDP, ICMP, HTTP, OTHER, ..._BIG) but this export has no
# /ip firewall mangle section that sets them, so unless mangle rules were
# omitted from the export only OTHER_U (packet-mark=no-mark) can see traffic.
add max-limit=100M name=MASTER_UP parent=ether1-WAN1 queue=default
add burst-limit=120M burst-threshold=80M burst-time=1s limit-at=4M max-limit=\
    100M name=VOIP_U packet-mark=VOIP parent=MASTER_UP priority=1 queue=\
    default
add bucket-size=0.2 burst-limit=120M burst-threshold=80M burst-time=1s \
    limit-at=4M max-limit=100M name=ACK_U packet-mark=ACK parent=MASTER_UP \
    priority=2 queue=default
add bucket-size=0.2 burst-limit=120M burst-threshold=80M burst-time=1s \
    limit-at=4M max-limit=100M name=DNS_U packet-mark=DNS parent=MASTER_UP \
    priority=3 queue=default
add bucket-size=0.2 burst-limit=120M burst-threshold=80M burst-time=1s \
    limit-at=4M max-limit=100M name=UDP_U packet-mark=UDP parent=MASTER_UP \
    priority=5 queue=default
add bucket-size=0.2 burst-limit=120M burst-threshold=80M burst-time=1s \
    limit-at=4M max-limit=100M name=ICMP_U packet-mark=ICMP parent=MASTER_UP \
    priority=4 queue=default
add bucket-size=0.2 burst-limit=120M burst-threshold=80M burst-time=1s \
    limit-at=4M max-limit=100M name=HTTP_U packet-mark=HTTP,OTHER parent=\
    MASTER_UP priority=6 queue=pcq-upload-default
add bucket-size=0.2 burst-limit=120M burst-threshold=80M burst-time=1s \
    limit-at=4M max-limit=100M name=HEAVY_U packet-mark=\
    HTTP_BIG,UDP_BIG,OTHER_TCP_BIG,OTHER_BIG parent=MASTER_UP queue=\
    pcq-upload-default
add bucket-size=0.2 burst-limit=120M burst-threshold=80M burst-time=1s \
    limit-at=4M max-limit=100M name=OTHER_TCP_U packet-mark=OTHER_TCP parent=\
    MASTER_UP priority=7 queue=default
add bucket-size=0.2 burst-limit=120M burst-threshold=50M burst-time=1s \
    limit-at=4M max-limit=100M name=OTHER_U packet-mark=no-mark parent=\
    MASTER_UP priority=7 queue=default
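/snmp community
# The default community is left reachable from any source address. No
# "/snmp set enabled=yes" appears in this export; if SNMP is switched on
# later, restrict addresses= to the management subnet first.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=Bridge-LAN interface=ether3-LAN-SLV
add bridge=Bridge-LAN interface=ether4-LAN-SLV
add bridge=Bridge-LAN interface=ether2-LAN-SLV
add bridge=Bridge-LAN interface=ether5-LAN-SLV
add bridge=Bridge-LAN interface=wlan2
add bridge=Bridge-LAN interface=wlan1
/ip neighbor discovery-settings
# The summary says "Neighbors = !WAN", but the export enabled discovery on
# the WAN list only. Announce on the LAN bridge instead (the defconf value)
# so MNDP/CDP/LLDP details are not advertised towards the ISP.
set discover-interface-list=LAN
/ip settings
# Strict reverse-path filtering plus SYN cookies.
set rp-filter=strict tcp-syncookies=yes
/interface l2tp-server server
# IPsec is mandatory for L2TP. mschap1 is still accepted. Note that the input
# chain below accepts nothing new from WAN except ICMP, so remote clients can
# only connect once an accept for IKE/ESP is added there.
set authentication=mschap1,mschap2 caller-id-type=number max-sessions=2 \
    use-ipsec=required
/interface list member
# Only Bridge-LAN is in LAN; the VLAN interfaces form their own list, so
# firewall rules that match in-interface-list=LAN do not cover VLAN traffic.
add interface=ether1-WAN1 list=WAN
add interface=Bridge-LAN list=LAN
add interface=VLAN10 list=VLAN
add interface=VLAN30 list=VLAN
/ip address
# The LAN address was on ether3-LAN-SLV, which is a slave port of the bridge;
# the summary ("Bridge IP") and the DHCP-LAN gateway below expect it on
# Bridge-LAN itself.
add address=192.168.2.254/24 interface=Bridge-LAN network=192.168.2.0
add address=192.168.10.1/23 interface=VLAN10 network=192.168.10.0
add address=192.168.30.1/23 interface=VLAN30 network=192.168.30.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN1
/ip dhcp-server network
# LAN clients resolve through the router; VLAN clients go directly to 8.8.8.8.
add address=192.168.2.0/24 dns-server=192.168.2.254 gateway=192.168.2.254
add address=192.168.10.0/23 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.30.0/23 dns-server=8.8.8.8 gateway=192.168.30.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for the LAN; UDP/53
# from WAN is dropped in the raw and input chains below so it is not an
# open resolver towards the internet.
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8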
/ip firewall address-list
# "NemIP" = addresses that should never appear on the public internet
# (bogons). The raw rules below drop packets whose source OR destination is in
# this list on every interface, not just WAN, so 10.0.0.0/8 and 172.16.0.0/12
# being enabled also affects traffic to/from such ranges on the LAN side
# (192.168.0.0/16 is disabled for exactly that reason). 0.0.0.0/8,
# 224.0.0.0/4 and 255.255.255.255 cover DHCP/multicast/broadcast traffic as
# well - verify LAN services that rely on them are unaffected.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=NemIP
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=NemIP
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=NemIP
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=NemIP
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=NemIP
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=NemIP
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=NemIP
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=NemIP
add address=198.18.0.0/15 comment="NIDB Testing" list=NemIP
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=NemIP
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=NemIP
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=NemIP
add address=255.255.255.255 list=NemIP
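/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
# UDP/53 from WAN is already dropped in /ip firewall raw (prerouting), so this
# rule is a belt-and-braces duplicate.
add action=drop chain=input comment="DNS tilt\E1sa kintr\F5l" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Port-scan / SYN-flood detection has to run BEFORE "drop all not coming from
# LAN": add-src-to-address-list does not terminate processing, but in the
# original order these three rules sat after that drop and never saw a packet
# from WAN. Listed sources are dropped in /ip firewall raw.
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=9w2d23h22m21s chain=input comment=\
    "Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=none-dynamic chain=input comment=\
    "Port Scanner Detect UDP" protocol=udp psd=21,3s,3,1 src-port=!53
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
# Everything not from the LAN bridge is dropped here - this includes the VLAN
# interfaces (list VLAN, not LAN) and WAN. No accept for IKE (udp/500,4500) or
# ESP precedes it, so the L2TP/IPsec server is not reachable from WAN; add
# such accepts above this rule if remote VPN access is intended.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Only LAN traffic reaches this point; it drops packets to the router whose
# destination is not a local address (broadcast/multicast). DHCP discovery
# uses broadcast - confirm LAN DHCP keeps working with this rule in place.
add action=drop chain=input comment=\
    "DROP minden olyan csoamg ami nem tartozik a routerhez" dst-address-type=\
    !local
# ---- forward chain: traffic routed through the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Removed from the original export: a second fasttrack/accept pair for
# established,related, a second "drop invalid" in input and a second
# "drop all from WAN not DSTNATed" - identical matchers earlier in the same
# chain already terminate on those packets, so they could never match.
# Because established/related is accepted above, this only blocks NEW
# connections from the VLANs into the LAN subnet; LAN -> VLAN and
# VLAN10 <-> VLAN30 remain open - add rules if that isolation is wanted.
add action=drop chain=forward comment="VLAN tiltasa a belso halozat fel\E9" \
    dst-address=192.168.2.0/24 in-interface-list=VLAN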
/ip firewall nat
# The generic defconf masquerade is disabled; instead each internal subnet is
# masqueraded explicitly, so a host outside these three ranges gets no NAT.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
# Disabled example of per-host (fixed IP) NAT.
add action=masquerade chain=srcnat comment="Fix ip engedelyezes p\E9lda" \
    disabled=yes out-interface-list=WAN src-address=192.168.2.1
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.10.0/23
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.30.0/23
/ip firewall raw
# raw/prerouting runs before connection tracking, so these drops are cheap.
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=\
    udp
# Sources flagged by the port-scan / SYN-flood rules in the filter chain.
add action=drop chain=prerouting comment="Port Scan DROP" src-address-list=\
    Port_Scanner
# Bogon filtering. Neither rule is limited to WAN: a LAN host using, or
# talking to, any enabled NemIP range (e.g. 10.0.0.0/8) is dropped as well,
# and so would be a WAN lease or upstream gateway in such a range. Adding
# in-interface-list=WAN to the source rule is the usual way to scope it.
add action=drop chain=prerouting comment="Src NemIP DROP" src-address-list=\
    NemIP
add action=drop chain=prerouting comment="Dsc NemIP DROP" dst-address-list=\
    NemIP
/ip firewall service-port
# All connection-tracking helpers (ALGs) are switched off; they are a known
# attack surface and none of the LAN services above need them.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
# Plaintext and unused management services are disabled. winbox and www-ssl
# are not mentioned, so they stay at their defaults (winbox enabled) with no
# address= restriction; `set winbox address=192.168.2.0/24` would limit
# management to the LAN subnet. Because ssh is disabled, winbox is the only
# remaining remote management path.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall raw
# Unconditional drop in prerouting and output: effectively switches off all
# IPv6 traffic through and from the router (assuming the ipv6 package is
# present at all).
add action=drop chain=prerouting
add action=drop chain=output
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=utvalaszto
/system ntp client
# Plain (unauthenticated) NTP against two fixed servers.
set enabled=yes primary-ntp=193.225.190.4 secondary-ntp=193.225.190.6
/system ntp server
# Serves time to clients; with the input filter above only hosts on the LAN
# bridge can reach it.
set enabled=yes
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
# Bandwidth-test server is off (it can otherwise be used to saturate links).
set authenticate=no enabled=no

 

 

 

 

 

 
