Sat Jul 02, 2005 7:03 pm
Here is my current setup:
[admin@DeerCreek] > export
# jan/01/2000 12:34:59 by RouterOS 2.8.27
# software id = D0YE-9B0
#
# Full RouterOS 2.8 export for router "DeerCreek": a wireless station uplink
# (wlan1, DHCP client) feeding an open hotspot AP (wlan2) and two wired LANs
# (ether1, ether2).  Reviewer remarks below are prefixed NOTE(review); they
# describe what this export shows and the usual hardening step, nothing more.
/ interface ethernet
set ether1 name="ether1" mtu=1500 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
disabled=no
set ether2 name="ether2" mtu=1500 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
disabled=no
# wlan1 is a station (client) towards the upstream AP "SurfnetAP6"; wlan2 is
# the AP for the local "Surfnet" hotspot.  default-forwarding=no on wlan2
# stops client-to-client forwarding through the AP (client isolation);
# arp=reply-only on wlan2 limits the AP to answering ARP for known entries.
/ interface wireless
set wlan1 name="wlan1" mtu=1500 arp=enabled disable-running-check=no \
prism-cardtype=200mW radio-name="00026F09A1E7" mode=station \
ssid="SurfnetAP6" frequency=2457 band=2.4ghz-b scan-list=default-ism \
rate-set=default supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps \
supported-rates-a/g="" basic-rates-b=1Mbps basic-rates-a/g="" \
max-station-count=2007 tx-power=default periodic-calibration=default \
fast-frames=no dfs-mode=none antenna-mode=ant-a wds-mode=disabled \
wds-default-bridge=none wds-ignore-ssid=no update-stats-interval=disabled \
default-authentication=no default-forwarding=yes hide-ssid=no \
802.1x-mode=none disconnect-timeout=3s on-fail-retry-time=100ms \
disabled=no
set wlan2 name="wlan2" mtu=1500 arp=reply-only disable-running-check=no \
prism-cardtype=200mW radio-name="00026F33AD65" mode=ap-bridge \
ssid="Surfnet" frequency=2452 band=2.4ghz-b scan-list=default-ism \
rate-set=default supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps \
supported-rates-a/g="" basic-rates-b=1Mbps basic-rates-a/g="" \
max-station-count=2007 tx-power=default periodic-calibration=default \
fast-frames=no dfs-mode=none antenna-mode=ant-a wds-mode=disabled \
wds-default-bridge=none wds-ignore-ssid=no update-stats-interval=disabled \
default-authentication=yes default-forwarding=no hide-ssid=no \
802.1x-mode=none disconnect-timeout=3s on-fail-retry-time=100ms \
disabled=no
/ interface wireless nstreme
set (unknown) enable-nstreme=no enable-polling=yes framer-policy=none \
framer-limit=3200
set (unknown) enable-nstreme=no enable-polling=yes framer-policy=none \
framer-limit=3200
# NOTE(review): security=none on both radios -- no link-layer encryption on
# the hotspot AP, so hotspot traffic is in the clear over the air, and the
# upstream station link on wlan1 is unencrypted as well.  Access control
# therefore rests on the hotspot login and the MAC access-list below; a MAC
# address is not an authentication factor on its own.
/ interface wireless security
set wlan1 security=none algo-0=none key-0="" algo-1=none key-1="" algo-2=none \
key-2="" algo-3=none key-3="" transmit-key=key-0 sta-private-algo=none \
sta-private-key="" radius-mac-authentication=no
set wlan2 security=none algo-0=none key-0="" algo-1=none key-1="" algo-2=none \
key-2="" algo-3=none key-3="" transmit-key=key-0 sta-private-algo=none \
sta-private-key="" radius-mac-authentication=no
/ interface wireless align
set frame-size=300 active-mode=yes receive-all=no \
audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 ssid-all=no \
frames-per-second=25 audio-min=-100 audio-max=-20
# Per-MAC overrides for wlan1 (the station side): one peer is refused
# authentication/forwarding, the other is allowed.
/ interface wireless access-list
add mac-address=00:02:6F:33:AD:68 interface=wlan1 authentication=no \
forwarding=no skip-802.1x=no private-algo=none private-key="" comment="" \
disabled=no
add mac-address=00:02:6F:35:30:41 interface=wlan1 authentication=yes \
forwarding=yes skip-802.1x=no private-algo=none private-key="" comment="" \
disabled=no
# No interface is bridged; each interface is routed separately.
/ interface bridge port
set ether1 bridge=none priority=128 path-cost=10
set ether2 bridge=none priority=128 path-cost=10
set wlan1 bridge=none priority=128 path-cost=10
set wlan2 bridge=none priority=128 path-cost=10
# Both VPN servers (L2TP, PPTP) are disabled.
/ interface l2tp-server server
set enabled=no mtu=1460 mru=1460 authentication=mschap2,mschap1,chap,pap \
default-profile=default
/ interface pptp-server server
set enabled=no mtu=1460 mru=1460 authentication=mschap2,mschap1 \
keepalive-timeout=30 default-profile=default
# Address pools: one per hotspot tier (Basic/Advanced/Premium/HotSpot), one
# for the wlan2 segment itself and one for the ether2 LAN.
/ ip pool
add name="wlan2-pool" ranges=192.168.230.100-192.168.230.254
add name="dhcp_pool1" ranges=192.168.254.100-192.168.254.254
add name="Basic" ranges=192.168.3.100-192.168.3.250
add name="Advanced" ranges=192.168.4.100-192.168.4.250
add name="Premium" ranges=192.168.5.100-192.168.5.250
add name="HotSpot" ranges=192.168.2.100-192.168.2.250
/ ip telephony region
/ ip telephony gatekeeper
set gatekeeper=none remote-id="" remote-address=0.0.0.0
/ ip telephony aaa
set use-radius-accounting=no interim-update=0s
/ ip telephony codec
move G.711-uLaw-64k/sw
move G.711-ALaw-64k/sw
move G.729A-8k/sw
move G.729-8k/sw
move G.723.1-6.3k/sw
move GSM-06.10-13.2k/sw
move LPC-10-2.5k/sw
# NOTE(review): every management service (telnet, ftp, www on 8081, ssh and
# the hotspot servlets) is enabled with address=0.0.0.0/0, i.e. accepted from
# any source, and the input chain below has policy=accept.  telnet and ftp
# carry credentials in cleartext; the usual hardening is to disable them and
# restrict address= on the remaining services to a management subnet.
# hotspot-ssl is enabled with certificate=none.
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=8081 address=0.0.0.0/0 disabled=no
set hotspot port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set hotspot-ssl port=443 address=0.0.0.0/0 certificate=none disabled=no
# UPnP and SOCKS are disabled.
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
# allow-remote-requests=no: the router does not act as an open DNS resolver.
/ ip dns
set primary-dns=66.151.140.2 secondary-dns=192.168.171.1 \
allow-remote-requests=no cache-size="2048 kB" cache-max-ttl=7d
# wlan2 carries the hotspot address (192.168.230.1) plus the four tier
# subnets; the public /32 on wlan1 is present but disabled.
/ ip address
add address=192.168.254.1/24 network=192.168.254.0 broadcast=192.168.254.255 \
interface=ether2 comment="" disabled=no
add address=192.168.230.1/24 network=192.168.230.0 broadcast=192.168.230.255 \
interface=wlan2 comment="" disabled=no
add address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 \
interface=wlan2 comment="" disabled=no
add address=192.168.4.1/24 network=192.168.4.0 broadcast=192.168.4.255 \
interface=wlan2 comment="" disabled=no
add address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255 \
interface=wlan2 comment="" disabled=no
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 \
interface=wlan2 comment="" disabled=no
add address=192.168.251.1/24 network=192.168.251.0 broadcast=192.168.251.255 \
interface=ether1 comment="" disabled=no
add address=64.74.213.78/32 network=64.74.213.78 broadcast=64.74.213.78 \
interface=wlan1 comment="" disabled=yes
# NOTE(review): default policy is accept on input, forward and output.  Only
# traffic entering on wlan2 is sent through the hotspot-temp chain; packets
# arriving on wlan1 (the DHCP-client uplink) or on the wired ports reach every
# router service unfiltered.  A drop default on input with explicit accepts
# for the wanted services from trusted interfaces is the usual fix.
/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="hotspot-temp" policy=none comment="limit unauthorized hotspot \
clients"
add name="hotspot" policy=none comment="account authorized hotspot clients"
/ ip firewall rule forward
add dst-address=192.168.251.10/32 action=accept comment="" disabled=no
add dst-address=192.168.242.242/32:80 protocol=tcp action=accept comment="" \
disabled=no
add dst-address=64.74.213.78/32 action=accept comment="" disabled=no
add in-interface=wlan2 action=jump jump-target=hotspot-temp comment="limit \
access for unauthorized hotspot clients" disabled=no
add action=jump jump-target=hotspot comment="account traffic for authorized \
hotspot clients" disabled=no
# Accounting chain for authorized clients; the accepted hosts here mirror the
# walled-garden list.
/ ip firewall rule hotspot
add dst-address=192.168.251.10/32 action=accept comment="" disabled=no
add dst-address=64.74.213.78/32 action=accept comment="" disabled=no
add dst-address=192.168.242.244/32:80 protocol=tcp action=accept comment="" \
disabled=no
# Unauthorized hotspot clients: flows already marked hs-auth, ICMP, DNS and
# the walled-garden hosts get through; everything else is rejected.
/ ip firewall rule hotspot-temp
add flow=hs-auth action=return comment="return, if connection is authorized" \
disabled=no
add protocol=icmp action=return comment="allow ping requests" disabled=no
add dst-address=:53 protocol=udp action=return comment="allow dns requests" \
disabled=no
add dst-address=64.74.213.78/32 action=accept comment="" disabled=no
add dst-address=192.168.242.244/32:80 protocol=tcp action=accept comment="" \
disabled=no
add action=reject comment="reject access for unauthorized hotspot clients" \
disabled=no
# Input: only wlan2 traffic is constrained (hotspot servlet, DHCP, then the
# hotspot-temp chain).  No rule restricts wlan1, ether1 or ether2.
/ ip firewall rule input
add dst-address=192.168.242.244/32:80 protocol=tcp action=accept comment="" \
disabled=no
add dst-address=192.168.251.10/32 action=accept comment="" disabled=no
add dst-address=64.74.213.78/32 action=accept comment="" disabled=no
add in-interface=wlan2 dst-address=:80 protocol=tcp action=jump \
jump-target=hotspot comment="account traffic from hotspot clients to \
hotspot servlet" disabled=no
add in-interface=wlan2 dst-address=:80 protocol=tcp action=accept \
comment="accept requests for hotspot servlet" disabled=no
add in-interface=wlan2 dst-address=:67 protocol=udp action=accept \
comment="accept requests for local DHCP server" disabled=no
add in-interface=wlan2 action=jump jump-target=hotspot-temp comment="limit \
access for unauthorized hotspot clients" disabled=no
/ ip firewall rule output
add src-address=:80 out-interface=wlan2 protocol=tcp action=jump \
jump-target=hotspot comment="account traffic from hotspot servlet to \
hotspot clients" disabled=no
# Connection-tracking helpers: pptp/gre/h323 disabled, ftp/irc/tftp/mms/quake3
# active.
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=yes
set gre disabled=yes
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
# Traffic to the walled-garden hosts is marked hs-auth, which the
# hotspot-temp chain treats as authorized.
/ ip firewall mangle
add dst-address=192.168.242.244/32:80 protocol=tcp action=accept \
mark-flow=hs-auth comment="" disabled=no
add dst-address=64.74.213.78/32 action=accept mark-flow=hs-auth comment="" \
disabled=no
add dst-address=192.168.251.10/32 action=accept mark-flow=hs-auth comment="" \
disabled=no
# The enabled rule for 192.168.0.0/16 source-NATs every private subnet on the
# router (not only the hotspot pools) to 192.168.242.244.
/ ip firewall src-nat
add src-address=192.168.251.0/24 action=masquerade comment="" disabled=yes
add src-address=192.168.251.10/32 action=nat to-src-address=64.74.213.78 \
comment="" disabled=yes
add src-address=192.168.0.0/16 action=nat to-src-address=192.168.242.244 \
comment="" disabled=no
add src-address=192.168.2.0/24 action=masquerade comment="" disabled=no
# NOTE(review): the enabled rule for 64.74.213.78/32 maps all traffic for that
# address to 192.168.251.10 with no protocol or port restriction, and the
# forward chain accepts it either way (explicit accept rules and
# policy=accept), so the internal host is reachable on every port from
# wherever 64.74.213.78 is delivered to this router.  Whether that public
# address currently reaches the router cannot be told from this export (the
# /32 on wlan1 is disabled=yes).
/ ip firewall dst-nat
add src-address=192.168.251.10/32 action=nat to-dst-address=64.74.213.78 \
comment="" disabled=yes
add dst-address=64.74.213.78/32 action=nat to-dst-address=192.168.251.10 \
comment="" disabled=no
add dst-address=192.168.242.244/32:80 protocol=tcp action=nat \
to-dst-address=192.168.251.10 to-dst-port=80 comment="" disabled=no
add in-interface=wlan2 protocol=tcp flow=!hs-auth action=redirect \
to-dst-port=80 comment="redirect unauthorized hotspot clients to hotspot \
service" disabled=no
add in-interface=wlan2 dst-address=:80 protocol=tcp action=redirect \
to-dst-port=80 comment="transparent HTTP proxy for hotspot clients" \
disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip accounting
set enabled=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ ip policy-routing
/ ip policy-routing rule
add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 flow="" interface=all \
action=lookup table=main comment="" disabled=no
/ ip policy-routing table main
add dst-address=0.0.0.0/0 gateway=192.168.242.1 preferred-source=0.0.0.0 \
comment="" disabled=yes
# NOTE(review): neighbor discovery (MNDP) is on for every interface, including
# the open hotspot AP and the uplink; it announces the router's identity to
# anyone on those segments.  Disable it on untrusted interfaces.
/ ip neighbor discovery
set ether1 discover=yes
set ether2 discover=yes
set wlan1 discover=yes
set wlan2 discover=yes
# Static default route is disabled; the default route comes from the DHCP
# client on wlan1 instead.
/ ip route
add dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=192.168.242.1 \
distance=1 comment="" disabled=yes
# wlan1 is the upstream: DHCP client with add-default-route and use-peer-dns.
/ ip dhcp-client
set enabled=yes interface=wlan1 host-name="" client-id="" \
add-default-route=yes use-peer-dns=yes
/ ip dhcp-server
add name="HotSpot-DCHP" interface=wlan2 lease-time=14s address-pool=HotSpot \
add-arp=yes authoritative=yes disabled=no
add name="dhcp1" interface=ether2 lease-time=3d address-pool=dhcp_pool1 \
add-arp=no authoritative=no disabled=no
/ ip dhcp-server lease
/ ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24 \
dns-server=66.151.140.2 comment=""
add address=192.168.3.0/24 gateway=192.168.3.1 netmask=24 \
dns-server=66.151.140.2,66.151.140.3 comment=""
add address=192.168.4.0/24 gateway=192.168.4.1 netmask=24 \
dns-server=66.151.140.2,66.151.140.3 comment=""
add address=192.168.5.0/24 gateway=192.168.5.1 netmask=24 \
dns-server=66.151.140.2,66.151.140.3 comment=""
add address=192.168.230.0/24 gateway=192.168.230.1 dns-server=66.151.140.2 \
comment=""
add address=192.168.254.0/24 gateway=192.168.254.1 dns-server=66.151.140.2 \
comment=""
# NOTE(review): use-ssl=no, so the hotspot login page is served over plain
# HTTP (allow-unencrypted-passwords=no limits what the login form itself will
# accept).  auth-mac=yes enables MAC-address based login; a MAC is trivially
# changed by the client, so it grants access on a weak identifier.
/ ip hotspot
set use-ssl=no hotspot-address=192.168.230.1 dns-name="66.151.140.1" \
status-autorefresh=1m universal-proxy=yes parent-proxy=0.0.0.0:0 \
auth-requires-mac=no auth-mac=yes auth-mac-password=yes \
auth-http-cookie=no http-cookie-lifetime=1d \
allow-unencrypted-passwords=no login-mac-universal=no \
split-user-domain=no
/ ip hotspot profile
set default name="default" shared-users=1 mark-flow="hs-auth" \
login-method=dhcp-pool keepalive-timeout=2m
/ ip hotspot server
add name="HotSpot" dhcp-server=HotSpot-DCHP lease-time=1d login-delay=10s \
address-pool=Basic
# Hosts reachable before login; these match the accept rules in the firewall
# chains and the hs-auth mangle marks above.
/ ip hotspot walled-garden
add dst-host="192.168.251.10" dst-port=80 action=allow comment="" disabled=no
add dst-host="64.74.213.78" dst-port=80 action=allow comment="" disabled=no
add dst-host="192.168.242.244" dst-port=80 action=allow comment="" \
disabled=no
# NOTE(review): use-radius=yes, but no "/ radius" client section appears in
# this export (it may have been trimmed from the post) -- confirm where the
# RADIUS server and shared secret are configured.
/ ip hotspot aaa
set use-radius=yes accounting=yes interim-update=1m
/ ip hotspot universal service-port
set ftp ports=21 disabled=no
# Default IPsec proposal is 3des/sha1 with modp1024; no peers or policies are
# present in this export, so it is unused as shown.  If IPsec is ever brought
# up, prefer AES and a stronger DH group.
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no
# Web proxy is disabled.
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=3128 hostname="proxy" \
transparent-proxy=no parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-object-size="4096 kB" \
cache-drive=system max-cache-size=none
/ ip web-proxy access
add dst-port=!443,563 method=connect action=deny comment="allow CONNECT only \
to SSL ports 443 \[https\] and 563 \[snews\]" disabled=no
/ ip web-proxy cache
add url="cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
/ system logging
set default-remote-address=0.0.0.0 default-remote-port=514 \
disk-buffer-lines=100 memory-buffer-lines=100
# NOTE(review): every facility, including Firewall-Log and Hotspot-Account,
# logs to memory only (remote=none); the memory buffer is 100 lines and is
# lost on reboot.  Forward to a remote syslog host for detection and
# accounting evidence.
/ system logging facility
set Firewall-Log local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set PPP-Account local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set PPP-Info local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set PPP-Error local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set System-Info local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set System-Error local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set System-Warning local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set Telephony-Info local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set Telephony-Error local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set Web-Proxy-Access local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set ISDN-Info local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set Hotspot-Account local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set Hotspot-Info local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set Hotspot-Error local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set IPsec-Event local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set IKE-Event local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set IPsec-Warning local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set System-Echo local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=yes
set OSPF-Info local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set Wireless-Info local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system watchdog
set reboot-on-failure=no watch-address=none watchdog-timer=no \
ping-start-after-boot=5m
/ system identity
set name="DeerCreek"
# Serial console is enabled on serial0; physical access to that port gives a
# login prompt.
/ system serial-console
set enabled=yes port=serial0
/ system gps
set enabled=no set-system-time=no
/ system lcd
set enabled=no type=powertip
/ system lcd page
set time display-time=5s disabled=yes
set resources display-time=5s disabled=yes
set uptime display-time=5s disabled=yes
set packets display-time=5s disabled=yes
set bits display-time=5s disabled=yes
set version display-time=5s disabled=yes
set ether1 display-time=5s disabled=yes
set ether2 display-time=5s disabled=yes
set wlan1 display-time=5s disabled=yes
set wlan2 display-time=5s disabled=yes
/ system routerboard health
set state-after-reboot=enabled
/ system routerboard bios
set
/ system ups
set enabled=no off-line-time=5m min-run-time=5m alarm-setting=immediate \
rtc-alarm-setting=none
# NTP server and client are both disabled; log timestamps depend on the local
# clock only (note the export header date).
/ system ntp server
set enabled=no broadcast=no multicast=no manycast=yes
/ system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
set serial1 name="serial1" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
/ ppp profile
set default name="default" local-address=0.0.0.0 remote-address=0.0.0.0 \
session-timeout=0s idle-timeout=0s use-compression=no \
use-vj-compression=no use-encryption=no require-encryption=no only-one=no \
change-tcp-mss=yes tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" \
outgoing-filter="" dns-server="" wins-server="" comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
# Dynamic routing (OSPF, BGP, RIP): nothing redistributed, BGP disabled.
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no \
redistribute-static=no redistribute-rip=no redistribute-bgp=no \
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 \
metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 authentication=none disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no \
redistribute-connected=no redistribute-rip=no redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no \
redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 \
metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
/ queue type
set default name="default" kind=pfifo bfifo-limit=15000 pfifo-limit=50 \
red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 \
sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier=""
set ethernet-default name="ethernet-default" kind=pfifo bfifo-limit=15000 \
pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 \
red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
pcq-classifier=""
set wireless-default name="wireless-default" kind=sfq bfifo-limit=15000 \
pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 \
red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
pcq-classifier=""
set synchronous-default name="synchronous-default" kind=red bfifo-limit=15000 \
pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 \
red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
pcq-classifier=""
# NOTE(review): the only account is "admin" in group=full with
# address=0.0.0.0/0, so the full-policy login is accepted from any source,
# including the open hotspot segment.  Restrict address= to the management
# subnet and consider a separate lower-privilege account for routine work.
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" \
disabled=no
/ user group
add name="read" policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,w\
eb
add name="write" policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,w\
eb
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read