WISP Configuration (uplink to WISP LHG)
Code: Select all
# apr/13/2023 10:19:23 by RouterOS 6.48.6
# software id = 6FBK-EBKY
#
# model = RB952Ui-5ac2nD
# serial number = 71A*****
/interface l2tp-server
add name=l2tp-ad***** user=ad*****
/interface bridge
add name=br-wlan
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
"Uplink to Airtel Net"
/interface l2tp-client
add connect-to=ns1.ck****.com disabled=no max-mru=1370 max-mtu=1370 name=\
l2tp-to-bbone0 use-ipsec=yes user=ad****
/interface eoip
add disabled=yes local-address=10.2.1.153 mac-address=02:EB:39:4F:10:36 mtu=\
1500 name=eoip_to_HQ remote-address=10.2.1.152 tunnel-id=17
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profile1 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=\
no_country_set disabled=no distance=indoors frequency=auto \
frequency-mode=manual-txpower mode=ap-bridge scan-list=2412,2437,2462 \
security-profile=profile1 ssid=HOME-WIFI station-roaming=enabled \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-n/ac channel-width=\
20/40mhz-XX country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower mode=ap-bridge scan-list=\
5180,5200,5220 security-profile=profile1 ssid=HOME-WIFI station-roaming=\
enabled wireless-protocol=802.11 wps-mode=disabled
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,3des \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=L2TP ranges=10.3.1.2-10.3.1.254
add name=dhcp_pool_wlan ranges=192.153.50.10-192.153.50.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=2h \
name=defconf
add address-pool=dhcp_pool_wlan disabled=no interface=br-wlan lease-time=2h \
name=wlan_dhcp
/ppp profile
add change-tcp-mss=yes local-address=10.3.1.1 name=L2TP remote-address=L2TP \
use-encryption=yes
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=7******
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge interface=ether1
add bridge=br-wlan interface=wlan1
add bridge=br-wlan interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set default-profile=L2TP enabled=yes max-mru=1700 max-mtu=1700 \
one-session-per-host=yes
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.1.2/24 interface=ether5 network=192.168.1.0
add address=192.153.50.1/24 interface=br-wlan network=192.153.50.0
/ip dhcp-client
add disabled=no interface=ether5 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.153.50.0/24 gateway=192.153.50.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.1,1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=forward comment=\
"Allow forward good connection states" connection-state=\
established,related,new
add action=accept chain=input comment="Allow incoming good connection states" \
connection-state=established,related,new
add action=drop chain=forward comment="Drop forward invalid connection state" \
connection-state=invalid
add action=drop chain=input comment="Drop input invalid connection state" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5
add action=dst-nat chain=dstnat dst-port=90 protocol=tcp to-addresses=\
10.3.1.2
add action=dst-nat chain=dstnat dst-port=11111 protocol=tcp to-addresses=\
10.3.1.2
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip route
add distance=1 dst-address=10.2.1.152/32 gateway=l2tp-to-bbone0
add distance=1 dst-address=192.153.10.0/30 gateway=l2tp-ad*****
/ip service
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=ad*****l2tp profile=L2TP remote-address=10.3.1.2 service=l2tp
/snmp
set contact=admin@c******.com enabled=yes trap-community=\
7t******* trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=adu-1.PA-8820POLIS.ck****.com
/system ntp client
set enabled=yes primary-ntp=213.7.231.xx
/system routerboard settings
set auto-upgrade=yes protected-routerboot=enabled reformat-hold-button=5s
/tool romon
set enabled=yes
Fixed Fiber configuration (uplink to ISP cpe)
Code: Select all
# apr/13/2023 10:39:19 by RouterOS 6.49.7
# software id = B8BE-SCNF
#
# model = RB941-2nD
# serial number = D1*****
/interface ethernet
set [ find default-name=ether1 ] comment="Uplink from PTCPE" loop-protect=on
set [ find default-name=ether2 ] comment=CCTV loop-protect=on
set [ find default-name=ether3 ] disabled=yes loop-protect=on
set [ find default-name=ether4 ] disabled=yes loop-protect=on
/interface l2tp-client
add connect-to=213.7.231.xx disabled=no max-mru=1700 max-mtu=1700 name=\
l2tp-to-bbone0 use-ipsec=yes user=ad****
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=\
dynamic-keys name=wifi-profile supplicant-identity="" unicast-ciphers=\
tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
disabled=no frequency=auto mode=ap-bridge security-profile=wifi-profile \
ssid=CHOME-AP wps-mode=disabled
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip pool
add name=dhcp_pool_wlan ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool_wlan disabled=no interface=wlan1 lease-time=2h \
name=dhcp-wlan
/snmp community
set [ find default=yes ] disabled=yes
add addresses=10.2.1.1/32 name=nnd******
/interface l2tp-server server
set default-profile=L2TP max-mru=1700 max-mtu=1700 use-ipsec=yes
/ip address
add address=192.168.2.10/24 interface=ether1 network=192.168.2.0
add address=192.150.20.1/30 interface=ether2 network=192.150.20.0
add address=192.168.10.1/24 interface=wlan1 network=192.168.10.0
add address=172.168.88.1/24 interface=ether2 network=172.168.88.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.1,1.1.1.1,1.0.0.1
/ip firewall address-list
add address=192.100.30.2 list=l2tp-to-bbhq
/ip firewall filter
add action=accept chain=forward comment=\
"Allow forward good connection states" connection-state=\
established,related,new
add action=accept chain=input comment="Allow incoming good connection states" \
connection-state=established,related,new
add action=drop chain=forward comment="Drop forward invalid connection state" \
connection-state=invalid
add action=drop chain=input comment="Drop input invalid connection state" \
connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
n02tobbhq passthrough=yes src-address-list=l2tp-to-bbhq
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes ipsec-policy=out,none \
out-interface=l2tp-to-bbone0
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=40011 protocol=tcp to-addresses=\
192.150.20.2
add action=dst-nat chain=dstnat dst-port=40080 protocol=tcp to-addresses=\
192.150.20.2
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip route
add disabled=yes distance=1 gateway=10.2.1.1 routing-mark=n02tobbhq
add disabled=yes distance=2 routing-mark=n02tobbhq type=unreachable
add distance=1 gateway=192.168.2.1
/ip service
set telnet disabled=yes
set ftp address=213.7.231.xx/32,172.168.88.0/24,10.2.1.1/32
set www address=213.7.231.xx/32,172.168.88.0/24,10.2.1.1/32
set ssh address=213.7.231.xx/32,172.168.88.0/24,10.2.1.1/32
set api disabled=yes
set winbox address=213.7.231.xx/32,172.168.88.0/24,10.2.1.1/32
set api-ssl disabled=yes
/ppp profile
add change-tcp-mss=yes local-address=10.10.1.1 name=L2TP remote-address=*2 \
use-encryption=yes
/ppp secret
add disabled=yes name=adu1hqck*****com profile=L2TP service=l2tp
/snmp
set contact=admin@c*****.com enabled=yes trap-community=\
nn***** trap-target=213.7.231.xx trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=adu-1.PA-8010ANDGER7.ck*****.com
/system ntp client
set enabled=yes primary-ntp=213.7.231.xx secondary-ntp=213.7.231.xx
/tool e-mail
set address=mail.ck*****.com from=r1@ck*****.com port=587 start-tls=yes \
user=r1@ck*****.com
/tool netwatch
add down-script="tool e-mail send to=ch****@hotmail.com subject=adu-1.\
PA-8010ANDGER7.ck*****.com start-tls=yes body=CCTV_on_ether2_of_adu-1.P\
A-8010ANDGER7.ck*****.com_is_UNREACHABLE." host=192.100.30.2 interval=\
10m up-script="tool e-mail send to=ch****@hotmail.com subject=adu-\
1.PA-8010ANDGER7.ck*****.com start-tls=yes body=CCTV_on_ether2_of_adu-1\
.PA-8010ANDGER7.ck*****.com_is_UP."
Server configuration over Fixed Fiber (Uplink to bridged ISP cpe)
Code: Select all
# apr/13/2023 10:48:20 by RouterOS 7.8
# software id = GID6-7H3W
#
# model = RB5009UG+S+
# serial number = HE*****
/interface ethernet
set [ find default-name=ether1 ] comment="Uplink to CTCPE" l2mtu=1550 mtu=\
1550
set [ find default-name=ether2 ] comment=\
"Downlink to adu-2.hq.ck*****.com" loop-protect=on
set [ find default-name=ether3 ] comment="Downlink to AP-1" loop-protect=on
set [ find default-name=ether4 ] comment=CCTV loop-protect=on
set [ find default-name=ether5 ] comment=sw-8p loop-protect=on
set [ find default-name=ether6 ] disabled=yes loop-protect=on
set [ find default-name=ether7 ] disabled=yes loop-protect=on
set [ find default-name=ether8 ] comment=Failover disabled=yes loop-protect=\
on
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface ovpn-server
add name=ovpn-ck user=ch****
/interface l2tp-server
add name=l2tp-adu-1.PA-8010ANDGER7 user=ad****
add name=l2tp-adu-1.PA-8820POLIS user=ad****
add name=l2tp-adu-2.hq user=ad****
add name=l2tp-ad**** user=ad****
add disabled=yes name=l2tp-ad**** user=ad****
add name=l2tp-hb535 user=ad****
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-ctfiber user=user
/interface wireguard
add listen-port=13231 name=wg-server
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
set [ find default=yes ] name=L2TP
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=disable-dpd \
enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip pool
add name=OVPN-Pool ranges=10.1.1.2-10.1.1.254
add name=L2TP-Pool ranges=10.2.1.2-10.2.1.100
add name=ether3_pool ranges=192.168.20.2-192.168.20.254
add name=ether2_pool ranges=192.168.10.2-192.168.10.254
add name=ether5_pool ranges=192.168.40.2-192.168.40.6
add name=vlan30 ranges=192.100.30.2
add name=dhcp_pool6 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=ether3_pool interface=ether3 lease-time=2h name=ether3_dhcp
add address-pool=ether5_pool interface=ether5 lease-time=2h name=ether5_dhcp
/ppp profile
set *0 change-tcp-mss=default
add local-address=10.1.1.1 name=OVPN remote-address=OVPN-Pool use-ipv6=\
default
add local-address=10.2.1.1 name=L2TP remote-address=L2TP-Pool
set *FFFFFFFE change-tcp-mss=default use-encryption=default
/queue simple
add max-limit=52M/205M name=ether3_200/50 target=ether3
/snmp community
set [ find default=yes ] disabled=yes
add addresses=172.168.188.0/29 name=d*****
/system logging action
add email-start-tls=yes email-to=ch******@hotmail.com name=email \
target=email
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set default-profile=L2TP enabled=yes max-mru=1730 max-mtu=1730 \
one-session-per-host=yes use-ipsec=required
/interface ovpn-server server
set certificate=OVPN-SERVER cipher="blowfish128,aes128-cbc,aes192-cbc,aes256-c\
bc,aes128-gcm,aes192-gcm,aes256-gcm" default-profile=OVPN enabled=yes \
port=61194 protocol=udp redirect-gateway=def1 require-client-certificate=\
yes
/interface wireguard peers
add allowed-address=10.1.2.2/32 interface=wg-server persistent-keepalive=25s \
public-key="u5*********="
add allowed-address=10.1.2.3/32 interface=wg-server persistent-keepalive=25s \
public-key="3hu*************="
/ip address
add address=192.168.20.1/24 comment=DHCP interface=ether3 network=\
192.168.20.0
add address=172.168.188.1/29 comment=Fasttrack interface=ether2 network=\
172.168.188.0
add address=192.168.8.250/24 comment=Failover interface=ether8 network=\
192.168.8.0
add address=192.100.30.1/30 comment=CCTV interface=ether4 network=\
192.100.30.0
add address=192.168.40.1/29 comment=DHCP interface=ether5 network=\
192.168.40.0
add address=10.1.2.1/24 interface=wg-server network=10.1.2.0
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.1 gateway=192.168.20.1
add address=192.168.40.0/29 dns-server=1.1.1.1 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.1,1.1.1.1,8.8.8.8
/ip dns static
add address=213.7.231.xx name=ns1monitoring.ck*****.com
add address=38.242.199.97 name=ns2monitoring.ck*****.com
add address=38.242.199.97 name=mail.ck*****.com
add address=172.168.188.1 name=bbone0.ck*****.com
add address=10.2.1.150 name=adu-1.PA-8010ANDGER7.ck*****.com
add address=10.2.1.151 name=adu-1.PA-8820POLIS.ck*****.com
add address=192.100.30.2 name=cctv.ck*****.com
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
"Allow fasttrack on 172.168.188.0/30" hw-offload=yes src-address=\
172.168.188.0/29
add action=accept chain=forward comment=\
"Allow forward good connection states" connection-state=\
established,related,new
add action=accept chain=input comment="Allow incoming good connection states" \
connection-state=established,related,new
add action=drop chain=forward comment="Drop forward invalid connection state" \
connection-state=invalid
add action=drop chain=input comment="Drop input invalid connection state" \
connection-state=invalid
add action=accept chain=input comment="Port Scanner Block" disabled=yes \
protocol=tcp src-address=172.168.188.0/24
add action=accept chain=input disabled=yes protocol=tcp src-address=\
10.100.1.0/24
add action=add-src-to-address-list address-list="Ports Scanner Attacks" \
address-list-timeout=1d chain=input disabled=yes dst-port=\
62222,60080,60090 protocol=tcp
add action=drop chain=input disabled=yes dst-port=62222,60080,60090 protocol=\
tcp src-address-list="Ports Scanner Attacks"
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1700 passthrough=yes \
protocol=tcp tcp-flags=syn tcp-mss=!0-1700
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.168.188.0/29
add action=masquerade chain=srcnat src-address=192.168.20.0/24
add action=masquerade chain=srcnat src-address=192.100.30.0/30
add action=masquerade chain=srcnat src-address=192.168.40.0/29
add action=masquerade chain=srcnat src-address=192.168.8.0/24
add action=masquerade chain=srcnat src-address=10.1.1.0/24
add action=masquerade chain=srcnat src-address=10.1.2.0/24
add action=masquerade chain=srcnat src-address=10.2.1.0/24
add action=dst-nat chain=dstnat comment=DCOS dst-address=213.7.231.xx \
dst-port=1-40000 protocol=tcp to-addresses=172.168.188.3 to-ports=1-40000
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=53 \
protocol=udp to-addresses=172.168.188.3 to-ports=53
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=1194 \
protocol=udp to-addresses=172.168.188.3 to-ports=1194
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=123 \
protocol=udp to-addresses=172.168.188.3 to-ports=123
add action=dst-nat chain=dstnat comment=WoL dst-address=213.7.231.xx \
dst-port=7 protocol=udp to-addresses=172.168.188.3 to-ports=7
add action=dst-nat chain=dstnat comment=CCTV dst-port=65000 protocol=tcp \
to-addresses=192.100.30.2
add action=dst-nat chain=dstnat dst-port=65090 protocol=tcp to-addresses=\
192.100.30.2
add action=redirect chain=dstnat comment="DNS Server" dst-port=53 protocol=\
tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-ctfiber routing-table=\
main suppress-hw-offload=no
add disabled=no dst-address=10.3.1.1/32 gateway=l2tp-ad**** \
routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.3.1.2/32 gateway=l2tp-ad**** \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.153.10.0/30 gateway=\
l2tp-ad**** pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.150.20.0/30 gateway=\
l2tp-adu-1.PA-8010ANDGER7 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.152.30.0/30 gateway=l2tp-adu-2.hq \
routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp address=172.168.188.0/24,10.1.1.0/24,10.1.2.0/24 port=60021
set www address=172.168.188.0/24,10.1.1.0/24,10.1.2.0/24 disabled=yes port=\
60080
set ssh address=172.168.188.0/24,10.1.1.0/24,10.1.2.0/24 port=62222
set api disabled=yes
set winbox address=172.168.188.0/24,10.1.1.0/24,10.1.2.0/24 port=60090
set api-ssl disabled=yes
/ppp secret
add name=ch**** profile=OVPN service=ovpn
add name=ad**** profile=L2TP service=l2tp
add disabled=yes name=ad**** profile=L2TP service=l2tp
add name=ad**** profile=L2TP remote-address=10.2.1.150 service=l2tp
add name=ad**** profile=L2TP remote-address=10.2.1.151 service=l2tp
add name=ad**** profile=L2TP remote-address=10.2.1.152 service=l2tp
add name=ad**** profile=L2TP remote-address=10.2.1.153 service=l2tp
/snmp
set contact=ch******@hotmail.com enabled=yes location=HQ \
trap-community=d***** trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=bbone0.ck*****.com
/system logging
add action=email topics=critical
add action=email disabled=yes topics=interface
add action=email topics=firewall
/system ntp client
set enabled=yes
/system ntp client servers
add address=213.7.231.xx
add address=172.168.188.3
/tool e-mail
set address=mail.ck*****.com from=r1@ck*****.com port=587 tls=starttls \
user=r1@ck*****.com
/tool graphing interface
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=pppoe-ctfiber
/tool graphing resource
add
/tool netwatch
add disabled=yes down-script="interface set ether5 disable=no" host=\
213.7.231.xx interval=1s type=simple up-script=\
"interface set ether5 disable=yes"
add disabled=yes down-script="tool e-mail send to=ch******@hotmail.com s\
ubject=Uplink_from_CPE_DOWN start-tls=yes body=Uplink_from_CPE_is_DOWN" \
host=213.7.231.xx interval=10s type=simple up-script="tool e-mail send to=\
ch******@hotmail.com subject=Uplink_from_CPE_UP start-tls=yes body=U\
plink_from_CPE_is_UP"