config:
# jun/15/2022 09:52:52 by RouterOS 6.49.6
# software id = 2TA3-2AX8
#
# model = RB3011UiAS
# NOTE(review): the two `add ... name=WAN/LAN` lines below belong to a section
# whose header (presumably `/interface list`) is above the pasted part; the
# export appears truncated here.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKE (phase 1) profiles. The default profile is set to aes-256/sha256, but the
# four site profiles below use enc-algorithm=des, a 56-bit cipher that is
# practically brute-forceable and should not protect site-to-site traffic; they
# also leave hash-algorithm at the RouterOS default (verify what that resolves
# to on 6.49). Align them with the default profile (enc-algorithm=aes-256
# hash-algorithm=sha256) and move to a DH group of at least modp2048 where the
# remote sides allow it.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 enc-algorithm=aes-256 \
hash-algorithm=sha256 nat-traversal=no
add dh-group=modp1536 enc-algorithm=des name=MPK
add dh-group=modp1536 enc-algorithm=des name=svk-3
add dh-group=modp1536 enc-algorithm=des name=svk-4
add dh-group=modp1536 enc-algorithm=des name=CPK
# Four peers, all terminating on the same local address; peer addresses are
# masked in this paste. Their authentication lives in /ip ipsec identity below.
/ip ipsec peer
add address=93.153.xx.xx/32 local-address=213.189.yy.yy name=SVK-4 \
profile=svk-4
add address=84.42.1xx.xx/32 local-address=213.189.yy.yy name=MPK profile=MPK
add address=81.3.1xx.2xx/32 local-address=213.189.yy.yy name=SVK-3 profile=\
svk-3
add address=79.171.xx.xx/32 local-address=213.189.yy.yy name=CPK profile=\
CPK
# Phase 2 proposals. The default proposal is disabled (enc-algorithms=null,
# pfs-group=none) and should stay that way. The four active proposals again
# use enc-algorithms=des and leave auth-algorithms at the default; prefer
# enc-algorithms=aes-256-cbc auth-algorithms=sha256 on both ends, keeping
# pfs-group in step with the profile's dh-group.
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=null pfs-group=none
add enc-algorithms=des lifetime=1d name=MPK pfs-group=modp1536
add enc-algorithms=des lifetime=1d name=svk-3 pfs-group=modp1536
add enc-algorithms=des lifetime=1d name=svk-4 pfs-group=modp1536
add enc-algorithms=des lifetime=1d name=CPK pfs-group=modp1536
/ip pool
add name=dhcp ranges=10.18.10.50-10.18.10.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
# Neighbor discovery limited to the LAN list - keep as-is.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.18.10.254/24 comment=defconf interface=bridge network=\
10.18.10.0
add address=213.189.xx.xx/30 interface=ether1 network=213.189.206.xxxx
# Disabled; this range is the remote MPK subnet reached through the IPsec
# policy below, so it must stay disabled here.
add address=10.7.202.0/24 disabled=yes interface=bridge network=10.7.202.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.18.10.0/24 comment=defconf gateway=10.18.10.254 netmask=24
# allow-remote-requests=yes makes the router a resolver for anything that can
# reach port 53 on it. The input chain below has no terminating drop rule, so
# this is reachable from ether1 as well (open-resolver / amplification
# exposure); add a drop for non-LAN input or limit port 53 to
# in-interface-list=LAN. The two forwarders are in 10.7.202.0/24, which this
# export reaches only through the MPK IPsec policy, so LAN name resolution
# depends on that tunnel being up.
/ip dns
set allow-remote-requests=yes servers=10.7.202.21,10.7.202.22
/ip dns static
add address=10.18.10.254 comment=defconf name=router.lan
# List name is spelled "bruteforse" here and in the filter rule below; renaming
# it means changing both places.
/ip firewall address-list
add address=10.15.2.0/24 disabled=yes list=bruteforse_stage1
# Input chain. Rules are evaluated top-down and the chain has no final drop, so
# anything not matched by a rule below is accepted (RouterOS defconf ends the
# chain with a drop of all input not arriving from the LAN list).
/ip firewall filter
# Accepts these UDP ports from any source on ether1. 500/4500 are needed for
# the IPsec peers and can be limited to their four addresses with
# src-address-list; 161 (SNMP) and 123 (NTP) are exposed to the whole internet
# here, and no service using 1701, 3080 or 3081 appears in this export -
# confirm each port is still required.
add action=accept chain=input comment=int dst-port=\
123,161,500,1701,4500,3081,3080 in-interface=ether1 protocol=udp
# ESP accepted from any source; it can be narrowed to the peer addresses in
# the style of the disabled per-peer rules that follow.
add action=accept chain=input comment="ipsec policy" protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
# Disabled per-peer variants of the rules above. The addresses in this first
# one are not masked like the rest of the paste.
add action=accept chain=input comment=new disabled=yes dst-address=\
84.42.11.38 in-interface=ether1 protocol=ipsec-esp src-address=\
213.189.206.174
add action=accept chain=input disabled=yes dst-address=84.42.xx dst-port=\
500 in-interface=ether1 protocol=udp src-address=213.189.2xx.xx \
src-port=500
add action=accept chain=input disabled=yes dst-address=213.189.xxxx \
dst-port=500 in-interface=ether1 protocol=udp src-address=84.42.xxxx \
src-port=500
add action=accept chain=input disabled=yes dst-address=213.189.xxxxx\
in-interface=ether1 protocol=ipsec-esp src-address=84.42.1xxxxx
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# WinBox (8291/tcp) accepted from every interface and source, including
# ether1. Restrict it with in-interface-list=LAN or a src-address-list, and
# pair that with an address restriction on the service itself (see
# /ip service below).
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Meant as RDP brute-force tracking, but it only matches sources that are
# already in bruteforse_stage1 (src-address-list) and adds them to the same
# list, so the list never grows from this rule; and no rule in this export
# drops traffic from that list. A working version needs a first-stage rule
# without the src-address-list match plus a drop rule for listed sources.
add action=add-src-to-address-list address-list=bruteforse_stage1 \
address-list-timeout=1w3d chain=input comment="bruteforse add to stage2" \
connection-state=new dst-port=3389 protocol=tcp src-address-list=\
bruteforse_stage1
# Forward chain only drops invalid; nothing restricts traffic arriving on
# ether1 toward the bridge or the IPsec subnets (defconf's "drop all from WAN
# not DSTNATed" rule is absent).
add action=drop chain=forward comment="DROP- invalid DDOS" connection-state=\
invalid
add action=drop chain=input connection-state=invalid
# Marks every TCP/80 flow with routing-mark ORA, but no route with
# routing-mark=ORA appears in /ip route below; if that table is empty the mark
# has no effect and the rule can go. The second rule is disabled.
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=80 new-routing-mark=ORA \
passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting disabled=yes dst-address=\
10.15.2.0/24 dst-port=80 new-routing-mark=2 packet-mark="" passthrough=\
yes protocol=tcp routing-mark=main src-address=10.18.10.0/24
# If `static` is RouterOS' built-in interface list (no user-defined list of
# that name is visible here), it covers every non-dynamic interface including
# the bridge; defconf masquerades on the WAN list only. ipsec-policy=out,none
# correctly keeps tunnel traffic unmasqueraded. The dstnat rule is disabled.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=static
add action=accept chain=dstnat disabled=yes in-interface=ether1 src-address=\
10.18.10.0/24
# All four peers share one pre-shared key, and it is in clear text in this
# export. A compromised remote site can then authenticate as any other peer,
# and so can anyone holding this paste. Rotate it now and give each peer its
# own long random secret, or move to certificate authentication.
/ip ipsec identity
add peer=MPK secret=coral-meat
add peer=SVK-3 secret=coral-meat
add peer=SVK-4 secret=coral-meat
add peer=CPK secret=coral-meat
# Policies: the default catch-all (0) is disabled; all others are tunnel-mode
# selectors from the LAN /24. Most remote subnets go through the MPK peer.
/ip ipsec policy
set 0 disabled=yes
add comment=MPK dst-address=10.7.202.0/24 peer=MPK proposal=MPK src-address=\
10.18.10.0/24 tunnel=yes
add comment=SVK-7 dst-address=10.15.2.0/24 peer=MPK proposal=MPK src-address=\
10.18.10.0/24 tunnel=yes
add comment=CPK dst-address=192.168.144.0/24 peer=CPK proposal=CPK \
src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-3 dst-address=192.168.61.0/24 peer=SVK-3 proposal=svk-3 \
src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-1.2 dst-address=192.168.20.0/24 peer=MPK proposal=MPK \
src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-8 dst-address=10.16.2.0/24 peer=MPK proposal=MPK src-address=\
10.18.10.0/24 tunnel=yes
add comment=SVK-5 dst-address=10.13.10.0/24 peer=MPK proposal=MPK \
src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-6 dst-address=10.14.10.0/24 peer=MPK proposal=MPK \
src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-9 dst-address=10.17.10.0/24 peer=MPK proposal=MPK \
src-address=10.18.10.0/24 tunnel=yes
add comment=SVK-4 dst-address=10.12.2.0/24 peer=SVK-4 proposal=svk-4 \
src-address=10.18.10.0/24 tunnel=yes
/ip route
add comment=int distance=1 gateway=213.189.xxxxx
add comment=IP-sec distance=1 dst-address=10.7.202.0/24 gateway=bridge
add comment=IP-sec disabled=yes distance=1 dst-address=10.15.2.0/24 gateway=\
bridge
# Routes the LAN /24 via the WAN gateway, duplicating the connected route for
# the bridge address above; with distance=1 the connected route wins, so this
# entry appears inert - confirm it is not a leftover before removing it.
add comment=int distance=1 dst-address=10.18.10.0/24 gateway=213.189.xxxxx
add comment=IP-sec disabled=yes distance=1 dst-address=192.168.144.0/24 \
gateway=bridge pref-src=10.18.10.254
/ip route rule
add disabled=yes dst-address=10.15.2.0/24 src-address=10.18.10.0/24 table=2
# Text and API management planes are disabled. winbox is not listed, so it
# keeps its default (enabled, no address restriction); limit it with
# `set winbox address=<management-network>` in addition to the firewall rule.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set time-interval=daily
/system clock
set time-zone-name=Europe/Moscow
# Layer-2 (MAC) management limited to the LAN list - keep as-is.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN