Community discussions

MikroTik App
 
User avatar
Ullinator
just joined
Topic Author
Posts: 8
Joined: Tue Jun 08, 2021 12:53 pm
Location: North-West Germany

RB5009 starts toggleing after update to 7.2.1 (after a while)

Tue Apr 12, 2022 5:13 pm

I don´t know if this behavoiur has something to do with 7.2.1, but since the update my Router RB5009 looses after different times half of the packets in direction internet.
Exactly every second PING is lost. After a reboot the connection is ok, but only for a while.
I´ve downgraded back to 7.2 for comparison......I´ll report about the behaviour with 7.2..........
I´ve nothing changed in the config between 7.2 and 7.2.1...no idea what´s going on :-/

Here´s my config of the router: (it´s looong :D )

/interface bridge
add add-dhcp-option82=yes admin-mac=2C:C8:1B:DB:5A:CF auto-mac=no \
dhcp-snooping=yes igmp-snooping=yes multicast-querier=yes \
multicast-router=permanent name=bridge1-Hausnetz priority=0x7000 \
protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Internet
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-core1-mt
/interface wireguard
add listen-port=12345 mtu=1420 name=wg0
add listen-port=23456 mtu=1420 name=wg1
add listen-port=34567 mtu=1420 name=wg2
/interface vlan
add interface=bridge1-Hausnetz name=bridge1-Hausnetz-vlan99-Gast vlan-id=99
/interface list
add name=WAN
add name=LAN
add name=WireGuard
/ip pool
add name=DHCP-Pool-Gast ranges=192.168.99.100-192.168.99.200
/ip dhcp-server
add address-pool=DHCP-Pool-Gast interface=bridge1-Hausnetz-vlan99-Gast \
lease-time=1d name=DHCP-Gast
/ipv6 pool
add name=Pool2-Hausnetz prefix=fdf3:f067:cb13:7071::/64 prefix-length=64
add name=Pool3-Gast prefix=fd99:0:0:fd99::/64 prefix-length=64
/snmp community
set [ find default=yes ] addresses=::/0,0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge msti
add bridge=bridge1-Hausnetz identifier=1 priority=0x7000 vlan-mapping=1,99
/interface bridge port
add bridge=bridge1-Hausnetz interface=ether2
add bridge=bridge1-Hausnetz interface=ether3
add bridge=bridge1-Hausnetz interface=ether4
add bridge=bridge1-Hausnetz interface=ether5
add bridge=bridge1-Hausnetz interface=ether6
add bridge=bridge1-Hausnetz interface=ether7
add bridge=bridge1-Hausnetz interface=ether8
add bridge=bridge1-Hausnetz interface=sfp-sfpplus1-core1-mt trusted=yes
add bridge=bridge1-Hausnetz interface=bridge1-Hausnetz-vlan99-Gast pvid=99 \
trusted=yes
add bridge=bridge1-Hausnetz interface=WireGuard
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge1-Hausnetz tagged=bridge1-Hausnetz,sfp-sfpplus1-core1-mt \
untagged=bridge1-Hausnetz-vlan99-Gast vlan-ids=99
/interface list member
add interface=bridge1-Hausnetz list=LAN
add interface=ether1-Internet list=WAN
add interface=bridge1-Hausnetz-vlan99-Gast list=LAN
add interface=wg0 list=WireGuard
add interface=wg1 list=WireGuard
add interface=wg2 list=WireGuard
/interface wireguard peers
add allowed-address="192.168.50.0/23,172.20.0.0/24,fdff:fdff:fdff:fdff::/64,fd\
00:fd00:fd00:fd00::/64" comment="VPN Main <-> Backup" \
endpoint-address=example.example.com endpoint-port=12345 \
interface=wg0 persistent-keepalive=30s public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=172.20.1.241/32,fd00:fd00:fd00:fd01:172:20:1:241/128 \
comment="XL" interface=wg1 public-key=\
"yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
add allowed-address=172.20.1.243/32,fd00:fd00:fd00:fd01:172:20:1:243/128 \
comment="Thinkpad" interface=wg1 public-key=\
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
add allowed-address=192.168.200.0/24,fd00::1/64 comment=mail.example.com \
endpoint-address=mail.example.com endpoint-port=12345 interface=wg2 \
persistent-keepalive=30s public-key=\
"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
/ip address
add address=192.168.10.1/23 interface=bridge1-Hausnetz network=192.168.10.0
add address=192.168.99.1/24 interface=bridge1-Hausnetz-vlan99-Gast network=\
192.168.99.0
add address=172.20.0.1/24 interface=wg0 network=172.20.0.0
add address=172.20.1.1/24 interface=wg1 network=172.20.1.0
add address=192.168.200.4/24 interface=wg2 network=192.168.200.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add interface=ether1-Internet use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.99.1
/ip dns
set servers="192.168.10.222,192.168.10.150,192.168.10.110,fdf3:f067:cb13:7071:\
192:168:10:222,fdf3:f067:cb13:7071:192:168:10:150,fdf3:f067:cb13:7071:192:\
168:10:110"
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=\
"Gesperrte Adresslisten"
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list="Gesperrte Adresslisten"
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=\
"Gesperrte Adresslisten"
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=\
"Gesperrte Adresslisten"
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" disabled=yes list=\
"Gesperrte Adresslisten"
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=\
"Gesperrte Adresslisten"
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
"Gesperrte Adresslisten"
add address=198.18.0.0/15 comment="NIDB Testing" list=\
"Gesperrte Adresslisten"
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=\
"Gesperrte Adresslisten"
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=\
"Gesperrte Adresslisten"
add address=ssl81-v4.telefon.unitymedia.de list="VOIP SIP Server"
add address=sipgate.de list="VOIP SIP Server"
add address=192.168.50.0/23 list="Main <-> Backup"
add address=192.168.10.0/23 list="Main <-> Backup"
add address=172.20.0.0/24 list="Main <-> Backup"
add address=172.20.1.0/24 list="Main <-> Backup"
add address=ssl102ds.telefon.unitymedia.de list="VOIP SIP Server"
add address=ssl31.telefon.unitymedia.de list="VOIP SIP Server"
add address=192.168.99.0/24 list="Gast"
add address=195.201.23.198 list=Hetzner
add address=192.168.200.0/24 list=Hetzner
add address=192.168.200.0/24 list="Main <-> Backup"
/ip firewall filter
add action=jump chain=forward comment=\
"If coonection state \"new\"Jump to detect-ddos" connection-state=new \
jump-target=detect-ddos
add action=return chain=detect-ddos comment="Protection against DDoS" \
dst-limit=32,32,src-and-dst-addresses/10s in-interface=ether1-Internet
add action=return chain=detect-ddos comment="Protection against SYN attacks" \
dst-limit=100,32,src-and-dst-addresses/10s in-interface=ether1-Internet \
protocol=tcp src-address-list="!Main <-> Backup" tcp-flags=syn,ack
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=1w chain=detect-ddos comment=\
"Add Src to DDoS address list" in-interface=ether1-Internet
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos comment=\
"Add Dst to DDoS address list" in-interface=ether1-Internet
add action=add-src-to-address-list address-list="SYN Flooder address list" \
address-list-timeout=1w chain=input comment=\
"Add SYN Flood address to the list" connection-limit=100,32 in-interface=\
ether1-Internet protocol=tcp src-address-list="!Main <-> Backup" \
tcp-flags=syn,ack
add action=add-src-to-address-list address-list="port-scanner Liste" \
address-list-timeout=1w chain=input comment="Port-Scanner erkennen (TCP)" \
in-interface=ether1-Internet log-prefix=PortScanner-TCP_ protocol=tcp \
psd=21,3s,3,1
add action=add-src-to-address-list address-list="port-scanner Liste" \
address-list-timeout=1w chain=input comment="Port-Scanner erkennen (UDP)" \
in-interface=ether1-Internet log-prefix=PortScanner-UDP_ protocol=udp \
psd=21,3s,3,1
add action=fasttrack-connection chain=input comment=\
"fasttrack connections that have related and established packets" \
connection-state=established,related,untracked hw-offload=yes
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="DDoS Attacker blocken" src-address-list=\
ddos-attackers
add action=drop chain=input comment="SYN Flooder blocken" src-address-list=\
"SYN Flooder address list"
add action=drop chain=input comment="Port-Scanner blocken" src-address-list=\
"port-scanner Liste"
add action=drop chain=input comment="Kein Gast auf rt1-mt" dst-address=\
192.168.99.1 src-address-list="Gast"
add action=drop chain=input comment="kein Hetzner auf RT1-MT" in-interface=\
wg2 src-address-list=Hetzner
add action=accept chain=input comment=\
"accept established,related,new,untracked from LAN" connection-state=\
established,related,new,untracked in-interface-list=LAN src-address-list=\
"Main <-> Backup"
add action=drop chain=input comment="drop invalid" connection-state=invalid \
src-address-list="!Main <-> Backup"
add action=accept chain=input comment="accept ICMP from Main <-> Backup" \
protocol=icmp src-address-list="Main <-> Backup"
add action=accept chain=input comment=\
"accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
in-interface-list=LAN
add action=accept chain=input comment="Allow ICMP for LAN" protocol=icmp \
src-address-list="Main <-> Backup"
add action=jump chain=input comment="Jump for ICMP input flow" jump-target=\
ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo Request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop all other ICMPs" protocol=icmp \
src-address-list="!Main <-> Backup"
add action=accept chain=input comment="Allow Wireguard on wg0 (UDP)" \
dst-port=51840 protocol=udp
add action=accept chain=input comment="Allow Wireguard on wg0 (TCP)" \
dst-port=51840 protocol=tcp
add action=accept chain=input comment="Allow Wireguard on wg1 (UDP)" \
dst-port=51820 protocol=udp
add action=accept chain=input comment="Allow Wireguard on wg1 (TCP)" \
dst-port=51820 protocol=tcp
add action=accept chain=input comment="Allow Wireguard on wg2 (UDP)" \
dst-port=51830 protocol=udp
add action=accept chain=input comment="Allow Wireguard on wg2 (TCP)" \
dst-port=51830 protocol=tcp
add action=accept chain=input comment="allow IPSec VPN" dst-port=\
500,1701,4500 protocol=udp
add action=accept chain=input comment="allow IPSec-ESP VPN" protocol=\
ipsec-esp
add action=drop chain=input comment="Drop all (input)" connection-nat-state=\
!dstnat in-interface=ether1-Internet log-prefix=Outside_IPv4_ \
src-address-list="!Main <-> Backup"
add action=fasttrack-connection chain=forward comment=\
"Fasttrack connections that have related and established packets" \
connection-state=established,related,untracked hw-offload=yes
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (UDP)" \
dst-port=53 hw-offload=yes in-interface-list=LAN out-interface-list=WAN \
protocol=udp
add action=fasttrack-connection chain=forward comment=\
"Fasttrack DNS (UDP) for WireGuard" dst-port=53 hw-offload=yes \
in-interface-list=WireGuard out-interface-list=LAN protocol=udp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (TCP)" \
dst-port=53 hw-offload=yes in-interface-list=LAN out-interface-list=WAN \
protocol=tcp
add action=fasttrack-connection chain=forward comment=\
"Fasttrack DNS (TCP) for WireGuard" dst-port=53 hw-offload=yes \
in-interface-list=WireGuard out-interface-list=LAN protocol=tcp
add action=accept chain=forward comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment=\
"Drop wegen enthalten in \"Gesperrte Adresslisten\"" dst-address-list=\
"Gesperrte Adresslisten"
add action=drop chain=forward comment="Drop wegen enthalten in \"blacklist\"" \
dst-address-list=blacklist
add action=drop chain=forward comment="Kein Gast ins Hausnetz" \
dst-address-list="Main <-> Backup" src-address-list="Greven Gast"
add action=drop chain=forward comment="kein Hetzner ins Hausnetz" \
src-address-list=Hetzner
add action=accept chain=forward comment="Dest-NAT erlauben" \
connection-nat-state=dstnat in-interface=ether1-Internet
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="accept ICMP from Main <-> Backup" \
protocol=icmp src-address-list="Main <-> Backup"
add action=drop chain=forward comment="drop all from WAN not DSTNAT" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN \
src-address-list="!Main <-> Backup"
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
log-prefix=Invalid src-address=!192.168.10.0/23
add action=drop chain=forward comment="Port-Scanner blocken" \
src-address-list="port-scanner Liste"
add action=drop chain=forward comment="Drop all (forward)" connection-state=\
"" in-interface-list=WAN log-prefix=Outside_IPv4_ src-address-list=\
"!Main <-> Backup"
/ip firewall mangle
add action=mark-connection chain=forward comment=\
"Connection mark SIP signalling" connection-state=new dst-address-list=\
"VOIP SIP Server" dst-port=5060 new-connection-mark=\
"SIP signalling connection" passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="Packet mark SIP signalling" \
connection-mark="SIP signalling connection" new-packet-mark=\
"SIP signalling packet" passthrough=yes
add action=mark-connection chain=forward comment="Connection mark VOIP RTP" \
connection-state=new dst-address-list="VOIP SIP Server" \
new-connection-mark="VOIP RTP connection" passthrough=yes port=\
7078-7110,10000-20000 protocol=udp
add action=mark-packet chain=forward comment="Packet mark VOIP RTP" \
connection-mark="VOIP RTP connection" new-packet-mark="VOIP RTP packet" \
passthrough=yes
add action=mark-connection chain=forward comment="Connection mark TCP-ACK" \
new-connection-mark="TCP-ACK connection" passthrough=yes protocol=tcp \
tcp-flags=ack
add action=mark-packet chain=forward comment="Packet mark TCP-ACK" \
connection-mark="TCP-ACK connection" new-packet-mark="TCP-ACK packet" \
passthrough=yes
add action=mark-connection chain=forward comment="Connection mark DNS (TCP)" \
dst-port=53 new-connection-mark="DNS Connection" passthrough=yes \
protocol=tcp
add action=mark-connection chain=forward comment="Connection mark DNS (UDP)" \
dst-port=53 new-connection-mark="DNS Connection" passthrough=yes \
protocol=udp
add action=mark-packet chain=forward comment="Packet mark DNS" \
connection-mark="DNS Connection" new-packet-mark="DNS packet" \
passthrough=yes
add action=change-dscp chain=postrouting comment="Change DSCP incoming" \
new-dscp=46 out-interface=bridge1-Hausnetz packet-mark="VOIP RTP packet" \
passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Source NAT -> Internet" \
ipsec-policy=out,none out-interface=ether1-Internet out-interface-list=\
WAN
/ip firewall raw
add action=accept chain=prerouting comment="Allow Backup -> Main" \
dst-address=192.168.10.0/23 src-address=192.168.50.0/23
add action=accept chain=prerouting comment="Allow Main -> Backup" \
dst-address=192.168.50.0/23 src-address=192.168.10.0/23
add action=drop chain=prerouting comment=\
"Deny Prerouting on \"blacklist\" addresses" src-address-list=blacklist
add action=drop chain=prerouting comment=\
"DNS deaktivieren vom Internet (UDP)" dst-port=53 in-interface=\
ether1-Internet protocol=udp
add action=drop chain=prerouting comment=\
"DNS deaktivieren vom Internet (TCP)" dst-port=53 in-interface=\
ether1-Internet protocol=tcp
add action=drop chain=prerouting comment="Protection against DDoS" \
dst-address-list=ddos-target log-prefix=DDos_ src-address-list=\
ddos-attackers
add action=drop chain=prerouting comment="Protection against SYN-Flood" \
log-prefix=SYN-Flood_ src-address-list="SYN Flooder address list"
add action=drop chain=prerouting comment=\
"Deny Prerouting on \"portscanner\" address" src-address-list=\
"port-scanner Liste"
/ip route
add check-gateway=ping comment="Route nach Backup" disabled=no distance=2 \
dst-address=192.168.50.0/24 gateway=172.20.0.2 pref-src="" routing-table=\
main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 route
add check-gateway=ping comment="Route to Backup" disabled=no distance=2 \
dst-address=fdff:fdff:fdff:fdff::/64 gateway=\
fd00:fd00:fd00:fd00:172:20:0:2 routing-table=main scope=250 target-scope=\
10
/ip service
set telnet address=192.168.10.0/23,fdf3:f067:cb13:7071::/64 disabled=yes
set ftp address=192.168.10.0/23,fdf3:f067:cb13:7071::/64 disabled=yes
set www address="192.168.10.0/23,fdf3:f067:cb13:7071::/64,172.20.1.0/24,fd00:f\
d00:fd00:fd01::/64"
set ssh address=192.168.10.0/23,fdf3:f067:cb13:7071::/64 disabled=yes
set www-ssl address=192.168.10.0/23,fdf3:f067:cb13:7071::/64 tls-version=\
only-1.2
set api address=192.168.10.0/23,fdf3:f067:cb13:7071::/64 disabled=yes
set winbox address="192.168.10.0/23,fdf3:f067:cb13:7071::/64,172.20.1.0/24,fd0\
0:fd00:fd00:fd01::/64"
set api-ssl address=192.168.10.0/23,fdf3:f067:cb13:7071::/64 disabled=yes \
tls-version=only-1.2
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1-Internet type=external
add interface=sfp-sfpplus1-core1-mt type=internal
/ipv6 address
add address=fdf3:f067:cb13:7071:192:168:10:1 interface=bridge1-Hausnetz
add address=::192:168:10:1 from-pool=Pool1-Internet interface=\
bridge1-Hausnetz
add address=fd99::fd99:192:168:99:1 interface=bridge1-Hausnetz-vlan99-Gast
add address=fd00:fd00:fd00:fd00:172:20:0:1 advertise=no interface=wg0
add address=fd00:fd00:fd00:fd01:172:20:1:1 advertise=no interface=wg1
add address=fd00::4 advertise=no interface=wg2
add address=::192:168:1:1 advertise=no from-pool=Pool1-Internet interface=\
ether1-Internet
add address=::1292:168:99:1 from-pool=Pool1-Internet interface=\
bridge1-Hausnetz-vlan99-Gast
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-Internet pool-name=Pool1-Internet \
prefix-hint=::/56 request=prefix script="\"\\\"if (1=\\\\\\\$\\\\\\\"pd-va\
lid\\\\\\\") do=\\\r\
\n \\\\\\r\\\r\
\n \\n {\\\\r\\\\\\r\\\r\
\n \\n \\\\n /delay 2\\\\r\\\\\\r\\\r\
\n \\n \\\\n /system script run PrEfiX;\\\\r\\\\\\r\\\r\
\n \\n \\\\n};\\\"\" use-peer-dns=no" use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=ssl81-v6.telefon.unitymedia.de list="VOIP SIP Server"
add address=sipgate.de list="VOIP SIP Server"
add address=fdf3:f067:cb13:7071::/64 list="Main <-> Backup"
add address=fdff:fdff:fdff:fdff::/64 list="Main <-> Backup"
add address=fd00:fd00:fd00:fd00::/64 list="Main <-> Backup"
add address=fd00:fd00:fd00:fd01::/64 list="Main <-> Backup"
add address=ssl102ds.telefon.unitymedia.de list="VOIP SIP Server"
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=2001::/23 comment=RFC6890 list=bad_ipv6
add address=100::/64 comment="RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="RFC6890 Benchmark" list=not_global_ipv6
add address=ff00::/8 comment=Multicast list=bad_src_ipv6
add address=fd99:0:0:fd99::/64 list="Gast"
add address=fdf3:f067:cb13:100::/64 list="Main <-> Backup"
add address=2a02:908:d24:b660::/59 list="Main <-> Backup"
add address=fe80::/10 comment="RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment=Multicast list=no_forward_ipv6
add address=2a01:4f8:1c1e:7341::/64 list=Hetzner
add address=fd00::/64 list=Hetzner
/ipv6 firewall filter
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="Kein Gast auf rt1-mt" dst-address=\
fd99::fd99:192:168:99:1/128 src-address-list="Gast"
add action=drop chain=input comment="kein Hetzner auf RT1-MT" in-interface=\
wg2 src-address-list=Hetzner
add action=drop chain=input comment="Drop SYN Flooder adresses" \
src-address-list="SYN Flooder address list"
add action=add-src-to-address-list address-list="SYN Flooder address list" \
address-list-timeout=1w chain=input comment=\
"Add SYN Flood address to the list" connection-limit=30,64 protocol=tcp \
tcp-flags=syn
add action=jump chain=input comment="Jump for ICMP input flow" jump-target=\
ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo Request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmpv6
add action=accept chain=ICMP comment="Echo Request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmpv6
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 \
in-interface-list=!WAN protocol=icmpv6
add action=accept chain=ICMP comment="Time exceeded" icmp-options=11:0 \
in-interface-list=!WAN protocol=icmpv6
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 in-interface-list=!WAN protocol=icmpv6
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 \
in-interface-list=!WAN protocol=icmpv6
add action=accept chain=input comment="Accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="Accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
src-address=fe80::/10
add action=accept chain=input comment="Allow Main <-> Backup" \
src-address-list="Main <-> Backup"
add action=accept chain=input comment="Allow Address List \"allowed\"" \
src-address-list=allowed
add action=accept chain=input comment="Accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment="Accept Wireguard (input)" dst-port=\
51820,51830,51840 protocol=udp
add action=accept chain=input comment="Accept IKE (input)" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="Accept IPSec AH (input)" protocol=\
ipsec-ah
add action=accept chain=input comment="Accept IPSec ESP (input)" protocol=\
ipsec-esp
add action=accept chain=input comment="Accept IPSec (input)" ipsec-policy=\
in,ipsec
add action=drop chain=input comment="Drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"Accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"Accept established,related,new,untracked from LAN" connection-state=\
established,related,new,untracked dst-address=::/0 src-address-list=\
"Main <-> Backup"
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log-prefix=ipv6,invalid
add action=drop chain=forward comment="Drop hop-limit=1 (RFC4890)" hop-limit=\
equal:1 protocol=icmpv6
add action=reject chain=forward comment="Kein Gast ins Hausnetz" \
dst-address-list="Main <-> Backup" reject-with=icmp-no-route \
src-address-list="Gast"
add action=drop chain=forward comment="kein Hetzner ins Hausnetz" \
in-interface=wg2 src-address-list=Hetzner
add action=accept chain=forward comment="Accept ICMPv6" in-interface-list=\
!WAN protocol=icmpv6
add action=accept chain=forward comment="Accept HIP (forward)" protocol=139
add action=accept chain=forward comment="Accept IKE (forward)" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="Accept AH (forward)" protocol=\
ipsec-ah
add action=accept chain=forward comment="Accept ESP (forward)" protocol=\
ipsec-esp
add action=accept chain=forward comment="Accept IPSec (forward)" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Allow allowed addresses (forward)" \
in-interface=!ether1-Internet src-address-list=allowed
add action=drop chain=forward comment="Drop everything (forward)" log-prefix=\
IPV6
/ipv6 firewall mangle
add action=mark-connection chain=forward comment=\
"Connection mark SIP signalling" connection-state=new disabled=yes \
dst-address-list="VOIP SIP Server" dst-port=5060 dst-prefix=::/0 \
new-connection-mark="SIP signalling connection" passthrough=yes protocol=\
udp src-prefix=::/0
add action=mark-packet chain=forward comment="Packet mark SIP signalling" \
connection-mark="SIP signalling connection" disabled=yes dst-prefix=::/0 \
new-packet-mark="SIP signalling packet" passthrough=yes src-prefix=::/0
add action=mark-connection chain=forward comment="Connection mark RTP" \
connection-state=established,related,new disabled=yes dst-address-list=\
"VOIP SIP Server" dst-prefix=::/0 new-connection-mark=\
"VOIP RTP connection" passthrough=yes port=7078-7110,10000-20000 \
protocol=udp src-prefix=::/0
add action=mark-packet chain=forward comment="Packet mark RTP" \
connection-mark="VOIP RTP connection" disabled=yes dst-prefix=::/0 \
new-packet-mark="VOIP RTP packet" passthrough=yes src-prefix=::/0
add action=mark-connection chain=forward comment="Connection mark TCP-ACK" \
disabled=yes dst-prefix=::/0 new-connection-mark="TCP-ACK connection" \
passthrough=yes protocol=tcp src-prefix=::/0 tcp-flags=ack
add action=mark-packet chain=forward comment="Packet mark TCP-ACK" \
connection-mark="TCP-ACK connection" disabled=yes dst-prefix=::/0 \
new-packet-mark="TCP-ACK packet" passthrough=yes src-prefix=::/0
add action=mark-connection chain=forward comment="Connection mark DNS (TCP)" \
disabled=yes dst-port=53 dst-prefix=::/0 new-connection-mark=\
"DNS Connection" passthrough=yes protocol=tcp src-prefix=::/0 tcp-flags=\
ack
add action=mark-connection chain=forward comment="Connection mark DNS (UDP)" \
disabled=yes dst-port=53 dst-prefix=::/0 new-connection-mark=\
"DNS Connection" passthrough=yes protocol=udp src-prefix=::/0
add action=mark-packet chain=forward comment="Packet mark DNS" \
connection-mark="DNS Connection" disabled=yes dst-prefix=::/0 \
new-packet-mark="DNS packet" passthrough=yes src-prefix=::/0
add action=change-dscp chain=postrouting comment="Change DSCP incoming" \
disabled=yes dst-prefix=::/0 new-dscp=46 out-interface=bridge1-Hausnetz \
packet-mark="VOIP RTP packet" passthrough=yes src-prefix=::/0
/ipv6 firewall raw
add action=accept chain=prerouting comment="Allow Backup -> Main" \
dst-address=fdff:fdff:fdff:fdff::/64 src-address=fdf3:f067:cb13:7071::/64
add action=accept chain=prerouting comment="Allow Main -> Backup" \
dst-address=fdf3:f067:cb13:7071::/64 src-address=fdff:fdff:fdff:fdff::/64
add action=drop chain=prerouting comment=\
"DNS deaktivieren vom Internet (UDP)" dst-port=53 in-interface=\
ether1-Internet protocol=udp
add action=drop chain=prerouting comment=\
"DNS deaktivieren vom Internet (TCP)" dst-port=53 in-interface=\
ether1-Internet protocol=tcp
add action=drop chain=prerouting comment="Drop SYN Flooder adresses" \
src-address-list="SYN Flooder address list"
add action=drop chain=prerouting comment="Drop bogon IP's" src-address-list=\
bad_ipv6
add action=drop chain=prerouting comment="Drop bogon IP's" dst-address-list=\
bad_ipv6
add action=drop chain=prerouting comment="Drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
/ipv6 nd
set [ find default=yes ] disabled=yes
add dns="fdf3:f067:cb13:7071:192:168:10:222,fdf3:f067:cb13:7071:192:168:10:150\
,fdf3:f067:cb13:7071:192:168:10:110" interface=bridge1-Hausnetz \
managed-address-configuration=yes other-configuration=yes ra-interval=\
1m40s-10m ra-lifetime=10m retransmit-interval=30s
add advertise-dns=no interface=ether1-Internet
add dns=2001:4860:4860::8888,2001:4860:4860::8844 interface=\
bridge1-Hausnetz-vlan99-Gast ra-lifetime=10m retransmit-interval=30s
/snmp
set contact=rt1-mt enabled=yes location="B\FCro" trap-interfaces=\
sfp-sfpplus1-core1-mt trap-target="192.168.10.180,192.168.10.181,192.168.1\
0.200,192.168.10.201,fdf3:f067:cb13:7071:192:168:10:180,fdf3:f067:cb13:707\
1:192:168:10:181,fdf3:f067:cb13:7071:192:168:10:200,fdf3:f067:cb13:7071:19\
2:168:10:201" trap-version=2
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=rt1-mt
/system logging
add disabled=yes topics=debug
add disabled=yes topics=script
add topics=wireguard,!debug
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=ptbtime1.ptb.de
add address=ptbtime2.ptb.de
/system package update
set channel=testing
/system scheduler
add interval=5m name="Update PrEfiX" on-event="/system script run PrEfiX" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add interval=15m name="Update \"Blacklist\" Address lists" on-event=\
"/system script run Blacklist-EMOTEP" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add interval=5m name=ups-powermonitor on-event=\
"/system script run ups-powermonitor" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/11/2022 start-time=20:30:00
/system script
add dont-require-permissions=no name=PrEfiX owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_find current IPv6 prefix from pool \"Pool1-Internet\"\r\
\n:global poolPrefix [/ipv6 pool used get [:pick [find pool=\"Pool1-Intern\
et\" && info=\"bridge1-Hausnetz\"] 0] prefix];\r\
\n:global wanPrefix [:pick \$poolPrefix 0 [:find \$poolPrefix \"::\" 0]];\
\r\
\n/log debug (\"IPv6 WAN prefix= \" . \$wanPrefix);\r\
\n\r\
\n# find all rules with magic ID (PrEfIx)\r\
\n:foreach ruleIndex in [/ipv6 firewall filter find comment~\"(PrEfiX)\"] \
\_do= {\r\
\n # get current IPv6 prefix for that rule\r\
\n :local addr [/ipv6 firewall filter get \$ruleIndex dst-address];\r\
\n :local pos1 [:find \$addr \":\" 0];\r\
\n :local pos2 [:find \$addr \":\" \$pos1];\r\
\n :local pos3 [:find \$addr \":\" \$pos2];\r\
\n :local pos4 [:find \$addr \":\" \$pos3];\r\
\n :local rulePrefix [:pick \$addr 0 \$pos4];\r\
\n\r\
\n # get IPv6 interface ID for rule\r\
\n :local ruleID [:pick \$addr (\$pos4 + 1) [:find \$addr \"/\" 0]];\r\
\n\r\
\n # get IPv6 prefix length for rule\r\
\n :local rulePlen [:pick \$addr ([:find \$addr \"/\" 0] + 1) 255];\r\
\n\r\
\n /log debug (\"IPv6 rule \" . \$ruleIndex . \", prefix=\" . \$rulePre\
fix . \", interface ID=\" . \$ruleID . \", prefix length=\" . \$rulePlen);\
\r\
\n\r\
\n # if different, update rule to WAN IPv6 prefix\r\
\n :if (\$wanPrefix != \$rulePrefix) do= {\r\
\n :local ret [/ipv6 firewall filter set \"\$ruleIndex\" dst-addres\
s=\"\$wanPrefix:\$ruleID/\$rulePlen\"];\r\
\n /log info (\"Changed IPv6 rule \" . \$ruleIndex . \" to dst-addr\
ess=\$wanPrefix:\$ruleID/\$rulePlen\");\r\
\n }\r\
\n}\r\
\n"
add dont-require-permissions=no name=Blacklist-EMOTEP owner=admin policy=\
read,write,test source="ip firewall address-list\r\
\n:local update do={\r\
\n:do {\r\
\n:local data ([:tool fetch url=\$url output=user as-value]->\"data\")\r\
\nremove [find list=blacklist comment=\$description]\r\
\n:while ([:len \$data]!=0) do={\r\
\n:if ([:pick \$data 0 [:find \$data \"\\n\"]]~\"^[0-9]{1,3}\\\\.[0-9]{1,3\
}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\") do={\r\
\n:do {add list=blacklist address=([:pick \$data 0 [:find \$data \$delimit\
er]].\$cidr) comment=\$description timeout=1d} on-error={}\r\
\n}\r\
\n:set data [:pick \$data ([:find \$data \"\\n\"]+1) [:len \$data]]\r\
\n}\r\
\n} on-error={:log warning \"Address list <\$description> update failed\"}\
\r\
\n}\r\
\n\$update url=https://feodotracker.abuse.ch/downloads ... st_recomme\
nded.txt description=\"Botnet C2 IP Blacklist\" delimiter=(\"\\r\")\r\
\n\$update url=https://www.dshield.org/block.txt description=DShield delim\
iter=(\"\\t\") cidr=/24\r\
\n\$update url=https://www.spamhaus.org/drop/drop.txt description=\"Spamha\
us DROP\" delimiter=(\"\\_\")\r\
\n\$update url=https://www.spamhaus.org/drop/edrop.txt description=\"Spamh\
aus EDROP\" delimiter=(\"\\_\")\r\
\n\$update url=https://sslbl.abuse.ch/blacklist/sslipblacklist.txt descrip\
tion=\"Abuse.ch SSLBL\" delimiter=(\"\\r\")"
add dont-require-permissions=no name=ups-powermonitor owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_UPS-Script powerfail\r\
\n# (c) steinmann und weidinger OEG\r\
\n# www.stone-rich.at\r\
\n#\r\
\n# Watches ups status and sends emails on power failure and low battery.\
\r\
\n# This script will FAIL if:\r\
\n# - Policies write, test, and read are not set\r\
\n# - The system name contains non-standard characters (space, /, ...)\r\
\n# - The UPS is not named ups1 (fixed by adding configurable variable)\r\
\n#\r\
\n# This script was tested up to ROS 3.23\r\
\n# user-configurable parameters below:\r\
\n\r\
\n:local mailserver [:resolve smtp.google.com];\r\
\n:local mailfrom \"core1-mt@os2wg.de\";\r\
\n:local mailto \"ulrich.wessendorf@gmail.com\";\r\
\n:local upsName \"Back-UPS XS 950U\";\r\
\n\r\
\n#\r\
\n# do NOT make changes below!\r\
\n#\r\
\n\r\
\n:global flagonbatt;\r\
\n:global flagbattlow;\r\
\n\r\
\n:local battalarm 15;\r\
\n:local battok 40;\r\
\n\r\
\n:local curonbatt;\r\
\n:local curcharge;\r\
\n\r\
\n:local sysname [/system identity get name];\r\
\n:local datetime \"\$[/system clock get date] \$[/system clock get time]\
\";\r\
\n\r\
\n# First run\? If so, we need to initialize the global flags\r\
\n:if ([:typeof \$flagonbatt]=\"nothing\") do={:set flagonbatt 0}\r\
\n:if ([:typeof \$flagbattlow]=\"nothing\") do={:set flagbattlow 0}\r\
\n\r\
\n:set curonbatt false;\r\
\n:set curcharge 100;\r\
\n/system ups monitor [/system ups find name=\$upsName] once do={\r\
\n :set curonbatt \$\"on-battery\"; :set curcharge \$\"battery-charge\";\
\r\
\n}\r\
\n\r\
\n:if ((\$curonbatt) && (\$flagonbatt=0)) do={\r\
\n :set flagonbatt 1;\r\
\n /tool e-mail send from=\$mailfrom to=\$mailto server=\$mailserver subj\
ect=\"\$sysname: Power failure!\" \\\r\
\n body=\"\$sysname is on battery since \$datetime\";\r\
\n :log info \"Power-Fail: EMail sent to \$mailto\";\r\
\n}\r\
\n\r\
\n:if ((!\$curonbatt) && (\$flagonbatt=1)) do={\r\
\n :set flagonbatt 0;\r\
\n /tool e-mail send from=\$mailfrom to=\$mailto server=\$mailserver subj\
ect=\"\$sysname: Power is back\" \\\r\
\n body=\"\$sysname is back on power since \$datetime\";\r\
\n :log info \"Power-Restore: Email sent to \$mailto\";\r\
\n}\r\
\n\r\
\n:if ((\$curcharge <= \$battalarm) && (\$flagbattlow=0)) do={\r\
\n :set flagbattlow 1;\r\
\n /tool e-mail send from=\$mailfrom to=\$mailto server=\$mailserver sub\
ject=\"\$sysname: Low battery!\" \\\r\
\n body=\"\$sysname battery is at \$curcharge %! \$datetime\";\r\
\n :log info \"Batt-Low: Email sent to \$mailto\";\r\
\n}\r\
\n\r\
\n:if ((\$curcharge >= \$battok) && (\$flagbattlow=1)) do={\r\
\n :set flagbattlow 0;\r\
\n /tool e-mail send from=\$mailfrom to=\$mailto server=\$mailserver sub\
ject=\"\$sysname: Battery recharged\" \\\r\
\n body=\"\$sysname Battery recharged to \$curcharge% \$datetime\";\r\
\n :log info \"Batt-Recharged: Email sent to \$mailto\";\r\
\n}\r\
\n"
/system ups
add name=ups1 port=usbhid1
/tool graphing interface
add allow-address=192.168.10.0/23
/tool graphing queue
add allow-address=192.168.10.0/23
/tool graphing resource
add allow-address=192.168.10.0/23
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add down-script=":delay 30\r\
\n/interface wg0 peer disable 0\r\
\n:delay 10\r\
\n/interface wg0 peer enable 0\r\
\n:log info \"WG Backup toggled\"" host=\
1.2.3.4 interval=5m
add down-script=":delay 25\r\
\n/interface wg2 peer disable 0\r\
\n:delay 5\r\
\n/interface wg2 peer enable 0\r\
\n:log info \"WG mail.exaple.com toggled\"" host=fd00::1 interval=5m
/tool romon
set enabled=yes

Who is online

Users browsing this forum: gogle, madstupid, maxslug, mkx and 84 guests