SergANT/network
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
network/mikrotik/base-config/README.md

113 lines
7.6 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# It is examples base configuration for Mikrotik.<br/>
Please always check these options for base config new device:
1. Add user new user with admin priv:<br/>
`/user add name="admin2" password="PASSWORD" group=full`<br/>
2. Set NTP server:<br/>
`/system ntp client set enabled=yes primary-ntp=80.240.216.155 secondary-ntp=85.21.78.23`<br/>
<br/>
`/system ntp client set enabled=yes`<br/>
`/system ntp client servers`<br/>
`add address=0.pool.ntp.org`<br/>
`add address=1.pool.ntp.org`<br/>
<br/>
`/system ntp server set enabled=no`<br/>
<br/>
3. Set Time Zone:<br/>
`/system clock set time-zone-name=Europe/Moscow`<br/>
<br/>
4. Disabled unuse service:<br/>
`{ :local ver [/system resource get version]; :global vermajor [:pick $ver 0 [:find $ver "."]] }`<br/>
`:if ($vermajor = 7) do={ /ipv6 settings set disable-ipv6=yes }`<br/>
`:if ($vermajor = 6) do={ /system package disable ipv6 }'`<br/>
<br/>
`/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT`<br/>
`/tool mac-server set allowed-interface-list=none`<br/>
`/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT`<br/>
`/tool mac-server ping set enabled=no`<br/>
<br/>
`/ip smb set enabled=no`<br/>
<br/>
`/ip service set www disabled=yes`<br/>
`/ip service set api disabled=yes`<br/>
`/ip service set api-ssl disabled=yes`<br/>
`/ip service set ftp disabled=yes`<br/>
`/ip service set telnet disabled=yes`<br/>
`/ip service set winbox disabled=no`<br/>
`/ip service set ssh disabled=no`<br/>
<br/>
`/tool bandwidth-server set enabled=no`<br/>
`/tool romon set enabled=no`<br/>
<br/>
`/ip ssh set strong-crypto=yes host-key-size=4096 forwarding-enabled=both always-allow-password-login=yes`<br/>
<br/>
`/ip settings set tcp-syncookies=yes`<br/>
<br/>
`/ip proxy set enabled=no`<br/>
`/ip socks set enabled=no`<br/>
`/ip upnp set enabled=no`<br/>
`/ip cloud set ddns-enabled=no update-time=no`<br/>
<br/>
5. For security add blackhole routes and deny BOGON networks<br/>
<br/>
`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8 blackhole`<br/>
`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16 blackhole`<br/>
`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12 blackhole`<br/>
`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16 blackhole`<br/>
<br/>
`/ip firewall address-list add address=0.0.0.0/8 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=127.0.0.0/16 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=10.0.0.0/8 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=172.16.0.0/12 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=192.168.0.0/16 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=169.254.0.0/16 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=192.0.2.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=198.51.100.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=203.0.113.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=198.18.0.0/15 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=192.88.99.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=100.64.0.0/10 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=240.0.0.0/4 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=224.0.0.0/4 list=all-bogon comment="List addr BOGON networks"`<br/>
`/ip firewall address-list add address=255.255.255.255 list=all-bogon comment="List addr BOGON networks"`<br/>
<br/>
`/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections FID=SERVICE-RULES" connection-state=invalid`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections FID=SERVICE-RULES" connection-state=invalid`<br/>
`/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon`<br/>
`/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside FID=SERVICE-RULES FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside`<br/>
`/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo`<br/>
<br/>
`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`<br/>
`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable`<br/>
`/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""`<br/>
`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`<br/>
`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new protocol=udp reject-with=icmp-port-unreachable`<br/>
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""`<br/>
<br/>
6. For config bridge:<br/>
`/interface bridge add name=bridge-1`<br/>
`/interface bridge port add bridge=bridge-1 hw=yes interface=ether2`<br/>
`/interface bridge port add bridge=bridge-1 hw=yes interface=ether3`<br/>
`/interface bridge port add bridge=bridge-1 hw=yes interface=ether4`<br/>
`/interface bridge port add bridge=bridge-1 hw=yes interface=ether5`<br/>
<br/>
У портов есть 3 варианта настроек:<br/>
`admit all — Аналог гибридного порта, пропускать весь трафик (все теги vlan, в т.ч. native Vlan)`<br/>
`admit only VLAN tagged — Аналог Trunk, пропускать только тэгированный трафик (все теги Vlan указанные в VLANs)`<br/>
`admit only untagged and priority tagged — Аналог Access, пропускать указанный PVID Vlan`<br/>
<br/>
<br/>
7. For backup<br/>
`export terse file=gw02-21.04.20`<br/>
<br/>
`console clear-history`<br/>
<br/>
For CHR:<br/>
4 vCPU / 4 RAM / 512MB IDE HDD<br/>
<br/>
vmkfstools -i chr-6.46.6.vmdk MikroTik-CHR.vmdk -d thin<br/>
vmkfstools -X 512M MikroTik-CHR.vmdk<br/>
Reference in New Issue View Git Blame Copy Permalink