Propojení 3 MK

tirus

Ahoj,

obracím se na Vás s prosbu o radu, jakým způsobem mohu propojit 3 domácí sítě u kterých je vždy routerem MK.

1 sít

192.168.40.0/24

RB RB951Ui-2HnD

FW nevím

má veřejnou IP

2. síť

192.168.42.0/24

RB 450G

FW: 3.10

nemá veřejnou IP

3. síť

192.168.44.0/24

RB 962UiGS-5HacT2HnT

FW: 3.34

má veřejnou IP

Všechny mají RouterOS 6.40.1

Teoreticky bych rád, aby síť 3 byla tou primární, ovšem ne na úkor toho, aby byla linka zpomalena. Co jsem pochopil, tak 1 a 3 by se dala spojit tunelem, ovšem nejsem si jist s tou 2..

Jsem v tomto lajk a jediné co mne napadlo, tak je vytvořit klasickou VPN na 3. síti a následně na 1. a 2. vytvořit VPN klienta a na všech 3 to proroutovat. jen 3. bude mít routy i z 1. na 2.

kadlcikales

Můžeš použít IPSEC a L2TP - Na stranách 1 a 3 můžeš použít server a na straně 2 client a pak routy

Jednoduché , jdou propojit i lokality bez veřejné ip , pokud by ti nestačil výkon , je i řešení výměnného uzlu v podobě VPS serveru a na něm linux VPN L2TP IPSEC server, kde by si pak všechny oblasti připojil jako L2TP client , (řešení pokud nemáš ani v jedné oblasti výkonný stroj nebo rychlí internet)

<--- ia0 -->SCAN038.jpg<--- ia0 -->

Výhoda toho všeho je že když se ti rozpadne jedna oblast třeba (MK2 to MK3) tak se pakety pošlou přes MK1 , a ten pošle na MK3 (příklad MK3 přišel o spojení vlivem ztráty veřejné ip , nebo jiných potíží )

tirus

Zkoušel jsem propojit nyní MK1 a MK2 ovšem nějak se mi to nepodařilo spojit.

Vlevo je MK1

Nemám tam vytvoření routy, jelikož se ještě dle mého ani nespojili.

Na MK1 je sice firewall, ale mám tam accept na UDP port 500 a 4500 a TCP 1701

MK3 má stále "waiting for packets.."

<--- ia0 -->mk.PNG<--- ia0 -->

kadlcikales

L2TP lítá spíše po UDP konkretně 1701 a myslím že ještě musíš povolit PPTP pokud ti to ještě nefunguje 1723 TCP

tirus

Mám tyto pravidla

Když na to koukám, tak TCP 1723 a UDP 1701, 500, 4500 mám povolené. Co můžu dělat špatně?

add action=add-src-to-address-list address-list=Syn_Flooder \

address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \

connection-limit=30,32 protocol=tcp tcp-flags=syn

add action=drop chain=input comment="Drop to syn flood list" src-address-list=\

Syn_Flooder

add action=add-src-to-address-list address-list=Port_Scanner \

address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\

tcp psd=21,3s,3,1

add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=\

ICMP protocol=icmp

add action=drop chain=input comment="Drop to port scan list" src-address-list=\

Port_Scanner

add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP \

protocol=icmp

add action=drop chain=input comment=\

"Block all access to the winbox - except to support list" dst-port=8291 \

protocol=tcp src-address-list=!support

add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\

bogons

add action=add-src-to-address-list address-list=spammers address-list-timeout=\

3h chain=forward comment="Add Spammers to the list for 3 hours" \

connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp

add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \

protocol=tcp src-address-list=spammers

add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp

add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp

add action=accept chain=input comment="Accept to established connections" \

connection-state=established

add action=accept chain=input comment="Accept to related connections" \

connection-state=related

add action=accept chain=input comment="Full access to SUPPORT address list" \

src-address-list=support

add action=accept chain=input comment="Full access to IPTV-1 address list" \

src-address-list=IPTV-1

add action=accept chain=input comment="Full access to IPTV-2 address list" \

src-address-list=IPTV-2

add action=accept chain=input comment="Accept IGMP for IPTV" protocol=igmp

add action=accept chain=input comment="Accept VPN - TCP" port=1723 protocol=tcp

add action=accept chain=input comment="Accept VPN - L2TP UDP 1701" port=1701 \

protocol=udp

add action=accept chain=input comment="Accept VPN - L2TP protocol" protocol=\

ipsec-esp

add action=accept chain=input comment="Accept VPN - L2TP 500" port=500 \

protocol=udp

add action=accept chain=input comment="Accept VPN - L2TP 4500" port=4500 \

protocol=udp

add action=accept chain=input comment="Accept HTTP" port=8081 protocol=tcp

add action=drop chain=input comment="Drop anything else! "

add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \

icmp-options=8:0 limit=1,5:packet protocol=icmp

add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\

icmp

add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \

protocol=icmp

add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\

3:0-1 protocol=icmp

add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp

add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp

add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \

protocol=icmp

kadlcikales

Dáváš VPN tunelům IP adresní rosah - TJ na server straně musí být pool adresy nejlépe z rosahu který nenajdeš nikde po cestě (dělalo by to velkou paseku) já jsem si do POOL pro vpn zvolil 172.31.3.0/24

tirus

OK. na server straně (MK1) jsem vytvořil nový Pool s rozsahem 192.168.50.1 - 192.168.50.10

Tento pool jsem nastavil profilu jako local i remote adresy. L2TP server jsem nastavil dle tvého screenshotu a přidal nový interface ve kterém jsem zadal uživatele, který je shodným s uživatelem v secrets.

Myslím že server side je OK. Co se týče Client side, tak tam jsem vytovřil jen profil (jen pojmenování bez poolu) a následně interface L2TP client. I když vypnu firewall na obou stranách, tak výsledek je stejný

V logu na server straně je toto

<--- ia0 -->mkLog.PNG<--- ia0 -->

kadlcikales

100% FUNKČNOST - příklad L2TP serveru a clienta

/interface l2tp-server

add disabled=yes name="0. L2TP_SERVER_PROPOJ_KVASICE" user=\

PROPOJ_OTROKOVICE_KVASICE

add name="0. L2TP_SERVER_PROPOJ_MALENOVICE" user=PROPOJ_OTROKOVICE_MALENOVICE

/interface l2tp-client

add allow=mschap2 connect-to=verejna ip ipsec-secret=nejakeheslo name=\

"0. CLIENT_PROPOJ_MALENOVICE" password=\

NEJAKEHESLO use-ipsec=yes user=\

PROPOJ_MALENOVICE_OTROKOVICE

/ip pool

add name=POOL_DOMACI_VPN ranges=172.31.0.2-172.31.0.254

/ppp profile

add comment="0. L2TP_SERVER_PROPOJ_OTROKOVICE_MALENOVICE" local-address=\

POOL_DOMACI_VPN name="0. L2TP_SERVER_PROPOJ_OTROKOVICE_MALENOVICE" \

remote-address=POOL_DOMACI_VPN

add comment="0. L2TP_SERVER_PROPOJ_OTROKOVICE_KVASICE" local-address=\

POOL_DOMACI_VPN name="0. L2TP_SERVER_PROPOJ_OTROKOVICE_KVASICE" \

remote-address=POOL_DOMACI_VPN

add comment="0. CLIENT_PROPOJ_MALENOVICE" name="0. CLIENT_PROPOJ_MALENOVICE"

add comment="0. CLIENT_PROPOJ_KVASICE" name="0. CLIENT_PROPOJ_KVASICE"

/interface l2tp-client

add allow=mschap2 connect-to=VEREJKA disabled=no ipsec-secret=\

nejakeheslo name="0. CLIENT_PROPOJ_KVASICE" password=\

NEJAKEHESLO profile=\

"0. CLIENT_PROPOJ_MALENOVICE" use-ipsec=yes user=\

PROPOJ_KVASICE_OTROKOVICE

/interface l2tp-server server

set authentication=mschap1,mschap2 default-profile=default enabled=yes \

ipsec-secret=NEJAKEHESLO use-ipsec=yes

/ip dhcp-server network

add address=172.31.0.0/24 comment=NETWORK_DOMACI_VPN gateway=172.31.0.1 \

netmask=24

/ip firewall filter

add action=accept chain=forward dst-port=41 in-interface="06. INTERNET" \

protocol=tcp

add action=accept chain=forward comment=POVOL_PORT__UDP_1701__L2TP dst-port=\

1701 in-interface="06. INTERNET" protocol=udp

add action=accept chain=forward comment=POVOL_PORT__1723__PPTP dst-port=1723 \

in-interface="06. INTERNET" protocol=tcp

add action=accept chain=forward comment=POVOL_NAVAZANE_SPOJENI \

connection-state=established in-interface="06. INTERNET"

add action=accept chain=forward comment=POVOL_NAVAZANE_SPOJENI_VEN \

connection-state=related in-interface="06. INTERNET"

add action=accept chain=forward comment=POVOL_SPOJENI_VEN out-interface=\

"06. INTERNET"

add action=drop chain=forward comment=ZAHOD_VSE_CO_NENI_POVOLENO \

in-interface="06. INTERNET" log=yes

/ip route

add distance=1 dst-address=192.168.0.0/24 gateway=\

"0. L2TP_SERVER_PROPOJ_MALENOVICE"

add distance=1 dst-address=192.168.20.0/24 gateway="0. CLIENT_PROPOJ_KVASICE"

add distance=2 dst-address=192.168.20.0/24 gateway=\

"0. L2TP_SERVER_PROPOJ_MALENOVICE"

add distance=1 dst-address=192.168.30.0/24 gateway=\

"0. L2TP_SERVER_PROPOJ_MALENOVICE"

add distance=2 dst-address=192.168.30.0/24 gateway="0. CLIENT_PROPOJ_KVASICE"

/ppp secret

add name=PROPOJ_OTROKOVICE_MALENOVICE password=\

NEJAKEHESLO profile=\

"0. L2TP_SERVER_PROPOJ_OTROKOVICE_MALENOVICE"

add name=PROPOJ_OTROKOVICE_KVASICE password=\

NEJAKEHESLO profile=\

"0. L2TP_SERVER_PROPOJ_OTROKOVICE_KVASICE"

add name=kadlcikales password=NEJAKEHESLO profile="1. KADLCIK_ALES_ADMIN"

tirus

Díky moc za příklad.

Zda sem to dobře pochopil, tak to je pouze pro jeden MK a to 3. nebo 1.

DHCP server budou 2 a pokaždé pro jiný IP pool na obou VPN serverech. (s jiným rozsahem)

Co se týče interface, tak "06. INTERNET" je vstup, že?

Proč v routách jsou 3 různý rozsahy, když de o routy do 2 sítí?

A poslední. Jaký je rozdíl mezi ipsec-secret a heslem?

kadlcikales

Tato konfigurece připomíná v zapojení MK 3 , pro MK1 budete muset mít trochu jinou ale podobnou konfiguraci

6. Internet je vstup , jelikož mám RB1200 a porty víš (9 a 10 lan) nejedou dobře - tato serie měla tyto porty špatně vyrobené ...

Při tomhle řešení musí být na každém IPsec serveru rosah ip které bude rozdávat

IPsec/L2TP je lépeřečeno PPP , a v něm zapouzdřené šifrované spojení - nejdříve se naváže tunel PPP (šifra mschap2 která je dávno prolomená) , a pak v něm probíhá šifrované spojení (které je neprolomené a bezpečné) , šifra toho spojení je certifikát nebo ipsec-secret heslo , tohle není čistý IPsec pokud by byl potřebujeme na obou stranách veřejnou ip nebo alespoň jeden veřejný port

1. rosah routy se nechává na bridge , Automaticky vytvořený - Distance 0

2. rasah routy jde na zvolenou oblast 1 - Distance 1

3. rosah routy jde na zvolenou oblast 1 ale pakety putují přes oblast 2 , kde oblast 2 pošle pakety do oblasti 1 - Distance 2 - Je to kvůli záloze jelikož se mi stávalo při zatížení vypadlo spojení nebo spojení se natrvalo rozvázalo když nějaký můj ISP změnil ni veřejnou ip v nějaké oblasti tak se to řešit nemuselo , taková IMPROVIZOVANÁ kruhová s VPN

4. rasah routy jde na zvolenou oblast 2 - Distance 1

5. rosah routy jde na zvolenou oblast 2 ale pakety putují přes oblast 1 , kde oblast 2 pošle pakety do oblasti 1 - Distance 2 - Je to kvůli záloze jelikož se mi stávalo při zatížení vypadlo spojení nebo spojení se natrvalo rozvázalo když nějaký můj ISP změnil ni veřejnou ip v nějaké oblasti tak se to řešit nemuselo , taková IMPROVIZOVANÁ kruhová s VPN

tirus

Tak jsem to zkusil a výsledek je stejný. Na straně serveru mi skáčou errory viz předchozí screenshot

kadlcikales

Ty errory to hází když je zadané špatně heslo nebo špatně zvolené šifrování , když mě pošlete celou konfiguraci MK , hadím si ji na stroj a mohu se vám na to podívat jestli chcete

tirus

Ještě jsem to kontroloval, ale nepříjde mi, že bych tam měl špatně údaje

Jedná se o propojení MK1 a MK3

MK1

# aug/20/2017 11:43:48 by RouterOS 6.40.1

# software id = 58CZ-EMKL

# model = 951G-2HnD

# serial number = 4699027A0482

/interface bridge

add admin-mac=D4:CA:6D:F4:90:CD arp=proxy-arp auto-mac=no fast-forward=no mtu=\

1500 name=bridge-local

/interface wireless

set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \

country="czech republic" disabled=no distance=indoors frequency=auto mode=\

ap-bridge ssid=Tirus wireless-protocol=802.11

/interface ethernet

set [ find default-name=ether1 ] name="1_WAN - A1M"

set [ find default-name=ether2 ] arp=proxy-arp name=2_Pokojik speed=1Gbps

set [ find default-name=ether3 ] arp=proxy-arp disabled=yes name=3_none

set [ find default-name=ether4 ] arp=proxy-arp disabled=yes name=4_NAS

set [ find default-name=ether5 ] arp=proxy-arp master-port=2_Pokojik name=\

5_Obyvak

/interface l2tp-server

add disabled=yes name="0. L2TP_SERVER_PROPOJ_VOSTOCNYJ" user=\

PROPOJ_BAJKONUR_VOSTOCNYJ

/ip neighbor discovery

set wlan1 discover=no

/interface wireless security-profiles

set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\

dynamic-keys wpa-pre-shared-key=hesloWifi wpa2-pre-shared-key=hesloWifi

/ip ipsec proposal

set [ find default=yes ] enc-algorithms=3des

/ip pool

add name=dhcp ranges=192.168.40.100-192.168.40.199

add name=PPTP-TIRUS ranges=192.168.40.230-192.168.40.240

add name=L2TP ranges=192.168.50.1-192.168.50.10

add name=POOL_DOMACI_VPN ranges=172.31.0.2-172.31.0.254

/ip dhcp-server

add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\

bridge-local lease-time=3d name=default

/ppp profile

add comment="0. L2TP_SERVER_PROPOJ_BAJKONUR_VOSTOCNYJ" local-address=\

POOL_DOMACI_VPN name="0. L2TP_SERVER_PROPOJ_BAJKONUR_VOSTOCNYJ" \

remote-address=POOL_DOMACI_VPN

add comment="0. CLIENT_PROPOJ_VOSTOCNYJ" name="0. CLIENT_PROPOJ_VOSTOCNYJ"

/system logging action

set 0 memory-lines=100

set 1 disk-lines-per-file=100

/interface bridge port

add bridge=bridge-local interface=2_Pokojik

add bridge=bridge-local interface=wlan1

/interface l2tp-server server

set authentication=mschap1,mschap2 default-profile=default enabled=yes \

ipsec-secret=jineTajneHeslo use-ipsec=yes

/interface pptp-server server

set authentication=chap,mschap1,mschap2 enabled=yes max-mru=1460 max-mtu=1460

/ip address

add address=192.168.40.1/24 comment="default configuration" interface=2_Pokojik \

network=192.168.40.0

/ip dhcp-client

add comment="default configuration" dhcp-options=hostname,clientid disabled=no \

interface="1_WAN - A1M" use-peer-dns=no

/ip dhcp-server network

add address=172.31.0.0/24 comment=NETWORK_DOMACI_VPN gateway=172.31.0.1 \

netmask=24

add address=192.168.40.0/24 comment="default configuration" dns-server=\

192.168.40.1 gateway=192.168.40.1 netmask=24

/ip dns

set allow-remote-requests=yes servers=\

217.30.64.53,217.30.64.54,8.8.8.8,8.8.4.4,192.168.1.200

/ip dns static

add address=192.168.88.1 name=router

/ip firewall address-list

add address=192.168.40.0/24 list=LAN

add address=verejnaIpMK2 list=support

add address=83.240.1.50 list=IPTV-1

add address=83.240.1.57 list=IPTV-2

/ip firewall filter

add action=add-src-to-address-list address-list=Syn_Flooder \

address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \

connection-limit=30,32 protocol=tcp tcp-flags=syn

add action=drop chain=input comment="Drop to syn flood list" src-address-list=\

Syn_Flooder

add action=add-src-to-address-list address-list=Port_Scanner \

address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\

tcp psd=21,3s,3,1

add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=\

ICMP protocol=icmp

add action=drop chain=input comment="Drop to port scan list" src-address-list=\

Port_Scanner

add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP \

protocol=icmp

add action=drop chain=input comment=\

"Block all access to the winbox - except to support list" dst-port=8291 \

protocol=tcp src-address-list=!support

add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\

bogons

add action=add-src-to-address-list address-list=spammers address-list-timeout=\

3h chain=forward comment="Add Spammers to the list for 3 hours" \

connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp

add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \

protocol=tcp src-address-list=spammers

add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp

add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp

add action=accept chain=input comment="Accept to established connections" \

connection-state=established

add action=accept chain=input comment="Accept to related connections" \

connection-state=related

add action=accept chain=input comment="Full access to SUPPORT address list" \

src-address-list=support

add action=accept chain=input comment="Full access to IPTV-1 address list" \

src-address-list=IPTV-1

add action=accept chain=input comment="Full access to IPTV-2 address list" \

src-address-list=IPTV-2

add action=accept chain=input comment="Accept IGMP for IPTV" protocol=igmp

add action=accept chain=input comment="Accept VPN - TCP" port=1723 protocol=tcp

add action=accept chain=input comment="Accept VPN - L2TP UDP 1701" port=1701 \

protocol=udp

add action=accept chain=input comment="Accept VPN - L2TP protocol" protocol=\

ipsec-esp

add action=accept chain=input comment="Accept VPN - L2TP 500" port=500 \

protocol=udp

add action=accept chain=input comment="Accept VPN - L2TP 4500" port=4500 \

protocol=udp

add action=accept chain=input comment="Accept HTTP" port=8081 protocol=tcp

add action=accept chain=forward dst-port=41 in-interface="1_WAN - A1M" \

protocol=tcp

add action=accept chain=forward comment=POVOL_PORT__UDP_1701__L2TP dst-port=\

1701 in-interface="1_WAN - A1M" protocol=udp

add action=accept chain=forward comment=POVOL_PORT__1723__PPTP dst-port=1723 \

in-interface="1_WAN - A1M" protocol=tcp

add action=accept chain=forward comment=POVOL_NAVAZANE_SPOJENI \

connection-state=established in-interface="1_WAN - A1M"

add action=accept chain=forward comment=POVOL_NAVAZANE_SPOJENI_VEN \

connection-state=related in-interface="1_WAN - A1M"

add action=accept chain=forward comment=POVOL_SPOJENI_VEN out-interface=\

"1_WAN - A1M"

add action=drop chain=input comment="Drop anything else! "

add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \

icmp-options=8:0 limit=1,5:packet protocol=icmp

add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\

icmp

add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \

protocol=icmp

add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\

3:0-1 protocol=icmp

add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp

add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp

add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \

protocol=icmp

/ip firewall nat

add action=masquerade chain=srcnat comment="default configuration" \

out-interface="1_WAN - A1M" to-addresses=0.0.0.0

/ip proxy

set cache-path=web-proxy1 parent-proxy=0.0.0.0

/ip route

add distance=1 dst-address=192.168.42.0/24 gateway=\

"0. L2TP_SERVER_PROPOJ_VOSTOCNYJ"

add distance=1 dst-address=192.168.44.0/24 gateway=*11

/ip service

set telnet disabled=yes

set ftp disabled=yes

set www port=8081

set ssh disabled=yes

set api disabled=yes

set api-ssl disabled=yes

/ppp secret

add name=PROPOJ_BAJKONUR_VOSTOCNYJ password=MojeTajneHeslo profile=\

"0. L2TP_SERVER_PROPOJ_BAJKONUR_VOSTOCNYJ"

/routing igmp-proxy interface

add alternative-subnets=\

239.1.2.0/24,239.1.1.0/24,83.240.1.50/32,83.240.1.57/32,192.168.40.0/24 \

interface="1_WAN - A1M" upstream=yes

add interface=bridge-local

add

/system clock

set time-zone-autodetect=no time-zone-name=Europe/Prague

/system clock manual

set time-zone=+01:00

/system leds

set 0 interface=wlan1

/system ntp client

set enabled=yes primary-ntp=195.113.144.201 secondary-ntp=217.11.227.60

#error exporting /system routerboard mode-button

/tool mac-server

set [ find default=yes ] disabled=yes

add interface=2_Pokojik

add interface=3_none

add interface=4_NAS

add interface=5_Obyvak

add interface=wlan1

add interface=bridge-local

/tool mac-server mac-winbox

set [ find default=yes ] disabled=yes

add interface=2_Pokojik

add interface=3_none

add interface=4_NAS

add interface=5_Obyvak

add interface=wlan1

add interface=bridge-local

MK3

# aug/20/2017 11:39:38 by RouterOS 6.40.1

# software id = KXFU-SJVV

# model = RouterBOARD 962UiGS-5HacT2HnT

# serial number = 6F1206D1582A

/interface bridge

add admin-mac=6C:3B:6B:BD:BA:7F auto-mac=no comment=defconf name=bridge

/interface ethernet

set [ find default-name=ether2 ] name=ether2-master

set [ find default-name=ether3 ] master-port=ether2-master

set [ find default-name=ether4 ] master-port=ether2-master

set [ find default-name=ether5 ] master-port=ether2-master

/interface l2tp-client

add allow=mschap2 connect-to=verejnaIpMK1 disabled=no ipsec-secret=jineTajneHeslo name=\

"0. CLIENT_PROPOJ_BAJKONUR" password=MojeTajneHeslo use-ipsec=yes user=PROPOJ_BAJKONUR_VOSTOCNYJ

/interface wireless

set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="czech republic" disabled=no \

distance=indoors frequency=auto mode=ap-bridge ssid=Tirus.cz wireless-protocol=802.11

set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="czech republic" \

disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Tirus.cz wireless-protocol=802.11

/ip neighbor discovery

set ether1 discover=no

/interface wireless security-profiles

set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=hesloWifi \

wpa2-pre-shared-key=hesloWifi

/ip hotspot profile

set [ find default=yes ] html-directory=flash/hotspot

/ip pool

add name=dhcp ranges=192.168.44.10-192.168.44.254

/ip dhcp-server

add address-pool=dhcp disabled=no interface=bridge name=defconf

/ppp profile

add change-tcp-mss=yes dns-server=192.168.1.200 name=Software602 use-encryption=yes

/interface pptp-client

add connect-to=asdfghjk disabled=no name=asdasdasd password=asdasdasdasd profile=Software602 user=jnb

/interface bridge port

add bridge=bridge comment=defconf interface=ether2-master

add bridge=bridge comment=defconf interface=sfp1

add bridge=bridge comment=defconf interface=wlan1

add bridge=bridge comment=defconf interface=wlan2

/interface l2tp-server server

set ipsec-secret=Lama2017* use-ipsec=yes

/interface sstp-server server

set default-profile=default-encryption

/ip address

add address=192.168.44.1/24 comment=defconf interface=ether2-master network=192.168.44.0

/ip cloud

set ddns-enabled=yes

/ip dhcp-client

add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server lease

add address=192.168.44.242 client-id=1:flag_ac:2b:6e:53:5c:3c mac-address=AC:2B:6E:53:5C:3C server=defconf

/ip dhcp-server network

add address=192.168.44.0/24 comment=defconf dns-server=192.168.1.200,192.168.1.77,192.168.44.1 gateway=\

192.168.44.1 netmask=24

/ip dns

set allow-remote-requests=yes servers=192.168.1.200,192.168.1.77,217.30.64.53,217.30.64.54

/ip dns static

add address=192.168.44.1 name=router

/ip firewall address-list

add list=Syn_Flooder

add list=spammers

add list=support

add list=Port_Scanner

add list=bogons

/ip firewall filter

add action=accept chain=forward connection-state=established,related

add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment=\

"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp

add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp

add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp

add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp

add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder

add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment=\

"Port Scanner Detect" protocol=tcp psd=21,3s,3,1

add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp

add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner

add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp

add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons

add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment=\

"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet \

protocol=tcp

add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=\

spammers

add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp

add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp

add action=accept chain=input comment="Accept to established connections" connection-state=established

add action=accept chain=input comment="Accept to related connections" connection-state=related

add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support

add action=accept chain=input comment="Full access to IPTV-1 address list" src-address-list=IPTV-1

add action=accept chain=input comment="Full access to IPTV-2 address list" src-address-list=IPTV-2

add action=accept chain=input comment="Accept IGMP for IPTV" protocol=igmp

add action=accept chain=input comment="Accept VPN - TCP" port=1723 protocol=tcp

add action=accept chain=input comment="Accept HTTP" port=80 protocol=tcp

add action=accept chain=input comment="Accept HTTPS" port=443 protocol=tcp

add action=accept chain=input comment="Accept HTTPS" port=8291 protocol=tcp

add action=drop chain=input comment="Drop anything else! "

add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet \

protocol=icmp

add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp

add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp

add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp

add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp

add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp

/ip firewall mangle

add action=mark-routing chain=prerouting dst-address=192.168.0.1-192.168.4.254 new-routing-mark=Software602 \

passthrough=yes src-address=192.168.44.0/24

/ip firewall nat

add action=masquerade chain=srcnat out-interface=ether1

add action=masquerade chain=srcnat comment="maskarada S602" out-interface=Software602

add action=dst-nat chain=dstnat dst-address=verejnaIpMK3 dst-port=80 protocol=tcp to-addresses=192.168.44.242

add action=masquerade chain=srcnat dst-address=192.168.44.242 dst-port=80 out-interface=bridge protocol=tcp \

src-address=192.168.44.0/24

/ip route

add distance=1 gateway=Software602 routing-mark=Software602

add distance=1 dst-address=192.168.40.0/24 gateway=*F

add distance=1 dst-address=192.168.40.0/24 gateway="0. CLIENT_PROPOJ_BAJKONUR"

/ip service

set telnet disabled=yes

set ftp disabled=yes

set www disabled=yes

set api disabled=yes

set api-ssl disabled=yes

/ppp profile

set *FFFFFFFE local-address=192.168.89.1 remote-address=*2

/system clock

set time-zone-name=Europe/Prague

/system package update

set channel=development

#error exporting /system routerboard mode-button