# 2024-09-04 13:07:44 by RouterOS 7.15.3
# software id = 73EZ-45GQ
#
# model = RB750Gr3
# serial number = 6F380862DC41
#
# NOTE: the export header above carries the device serial number and software
# id; treat this file as sensitive when it is stored or shared.
#
# Single layer-2 bridge. The LAN ports ether2-ether5 are attached to it under
# /interface bridge port, and OVPN clients are bridged into it through the
# "emergency" PPP profile, so both groups share one broadcast domain.
/interface bridge add name=bridge-local
# Rename the WAN port by role; every outside-facing rule below refers to
# ether1-outside (directly or via the interfaces-outside list), not to ether1.
/interface ethernet set [ find default-name=ether1 ] name=ether1-outside
# Interface lists referenced further down: interfaces-outside is matched by the
# bogon filter rules, interfaces-MAC-MGMT limits neighbor discovery and
# MAC-Winbox to the LAN ports. Members are assigned under /interface list member.
/interface list add name=interfaces-MAC-MGMT
/interface list add name=interfaces-outside
# PPP profile used as the OVPN server's default-profile and by the ivanov_ovpn
# secret. Sessions are bridged into bridge-local, the router side of the
# tunnel is 172.20.1.1, and only-one=yes limits each secret to a single
# concurrent session. IPv6, MPLS and UPnP are switched off for these sessions.
/ppp profile add name=emergency bridge=bridge-local local-address=172.20.1.1 change-tcp-mss=yes only-one=yes use-ipv6=no use-mpls=no use-upnp=no
# The router's SMB file service is not used; keep it disabled so it does not
# listen on the bridge.
/ip smb set enabled=no
# LAN ports ether2-ether5 are switched together in bridge-local. ether1
# (ether1-outside) is deliberately not a bridge member; it stays a routed port.
/interface bridge port add bridge=bridge-local interface=ether2
/interface bridge port add bridge=bridge-local interface=ether3
/interface bridge port add bridge=bridge-local interface=ether4
/interface bridge port add bridge=bridge-local interface=ether5
# Neighbor discovery is restricted to the LAN management ports, so the router
# does not announce its identity/version on the outside interface.
/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
# SYN cookies protect the router's own listeners (SSH, Winbox) against
# SYN floods that the stateful filter lets through as "new".
/ip settings set tcp-syncookies=yes
# IPv6 is disabled outright. Nothing in this export filters IPv6, so leaving it
# enabled would expose the router on v6 without any rule set in place.
/ipv6 settings set disable-ipv6=yes
# Populate the two lists: LAN ports into the MAC-management list, the WAN port
# alone into interfaces-outside.
/interface list member add list=interfaces-MAC-MGMT interface=ether2
/interface list member add list=interfaces-MAC-MGMT interface=ether3
/interface list member add list=interfaces-MAC-MGMT interface=ether4
/interface list member add list=interfaces-MAC-MGMT interface=ether5
/interface list member add list=interfaces-outside interface=ether1-outside
# OpenVPN server on UDP/40004 in ethernet (layer-2) mode, so clients land in
# bridge-local via the "emergency" profile. TLS is pinned to 1.2 and every
# client must present a certificate (require-client-certificate=yes), not just
# a PPP secret. The filter opens UDP/40004 on ether1-outside for this.
# NOTE(review): auth=sha1 with cipher=aes256-cbc is the legacy HMAC/cipher
# pairing. Once every client profile can be changed in step, prefer an AEAD
# cipher (aes256-gcm) with auth=sha256; until then keep these values, because
# changing them server-side alone locks existing clients out.
/interface ovpn-server server set enabled=yes mode=ethernet protocol=udp port=40004 certificate=ovpn-server require-client-certificate=yes tls-version=only-1.2 auth=sha1 cipher=aes256-cbc default-profile=emergency
# Static WAN address in the 11.11.11.120/29 block on ether1-outside; the
# default route below points at .121 in the same /29. The 11.11.11.x values
# read like anonymised placeholders - confirm against the real allocation.
/ip address add interface=ether1-outside address=11.11.11.123/29 network=11.11.11.120
# Time comes from NTP (see /system ntp client), not from the cloud service.
/ip cloud set update-time=no
# Upstream resolver for the router's own lookups. allow-remote-requests is not
# present in this export, so presumably it is at its default (off) - verify,
# since with it on the router would answer DNS for anything the input chain
# lets reach UDP/53.
/ip dns set servers=8.8.8.8
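/ip firewall address-list
# The router's own outside address. Neither all-outside nor the
# outside-only-* list is referenced by any filter rule in this export.
add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
# NOTE(review): the list name and comment say 22.22.22.123 but the entry holds
# 11.11.11.123 - looks like an anonymisation or copy/paste mismatch. Confirm
# which address this list is meant to carry before any rule matches on it.
add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123
# all-bogon: ranges that must never be seen as source on the outside interface
# nor as destination leaving it (see the FID=SERVICE-RULES filter rules):
# "this" network, loopback, RFC 1918, link-local, documentation, benchmarking,
# 6to4 relay, CGNAT, class E, multicast, limited broadcast.
# Loopback was listed as 127.0.0.0/16; the loopback block is 127.0.0.0/8
# (RFC 1122), so packets claiming 127.1.0.0-127.255.255.255 as source were not
# caught. Widened to /8.
add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
add address=127.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon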
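/ip firewall filter
# Stateful filter for the router itself (input/output) and for transit
# traffic (forward). Rule order is significant: fast-path accepts first, then
# the bogon/policy drops, then the explicit allow-list, then the catch-alls.
add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
# Bogon hygiene on the outside interface in all directions. all-bogon contains
# 172.16.0.0/12, which covers the VPN subnet 172.20.1.0/24; these rules match
# on interfaces-outside only, so bridged VPN traffic is not affected.
# The first comment read "outside ->> ME"; aligned with the others.
add action=drop chain=input comment="deny INPUT from outside -->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon
add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside
add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon
add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside
# New connections arriving on ether1-outside that were not DST-NATed are
# dropped before they can be forwarded inwards. The original comment described
# this rule as "from inside -->> outside" and carried the FID tag twice; it now
# matches the in-interface the rule actually uses.
add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ not DSTNATed ] FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside
# Services the router exposes on the outside interface. ICMP is accepted with
# no limit= match, so it is not rate-limited; add one if ping floods against
# the router become a concern.
add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new in-interface=ether1-outside protocol=icmp
add action=accept chain=input comment="allow INPUT from outside -->> ME OVPN server [UDP:40004]" connection-state=new dst-port=40004 in-interface=ether1-outside protocol=udp
# Remote management (SSH 22, Winbox 8291) from two fixed source hosts only.
# These two rules carried no comment field; one is added so the intent
# survives the next export.
add action=accept chain=input comment="allow INPUT from outside -->> ME mgmt [TCP:22,8291] host 1" connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=62.212.68.103
add action=accept chain=input comment="allow INPUT from outside -->> ME mgmt [TCP:22,8291] host 2" connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=213.141.150.29
# Management from the bridge side. bridge-local carries the LAN ports and, via
# the "emergency" PPP profile, the OVPN clients (172.20.1.x), so every
# authenticated VPN user reaches SSH/Winbox exactly like a LAN host does.
add action=accept chain=input comment="allow INPUT from bridge-local -->> ME [ICMP]" dst-address=172.20.1.0/24 in-interface=bridge-local protocol=icmp src-address=172.20.1.0/24
add action=accept chain=input comment="allow INPUT from bridge-local -->> ME mgmt [TCP:22,8291]" connection-state=new dst-address=172.20.1.0/24 dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=172.20.1.0/24
# Input catch-all. Rejecting (TCP reset / ICMP port unreachable) answers a
# scanner immediately and so confirms the router is alive; that is the
# author's choice and is kept, but turning these two rejects into drops is the
# quieter option.
add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input comment="deny INPUT all" connection-state=""
# Forward catch-all. There are no explicit forward accepts, so only
# established/related transit passes; everything new is rejected or dropped.
add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
# log-prefix without log=yes never produces a log entry; the prefix is kept
# but is inert until log=yes is added. The comment previously said
# "reject-with tcp-reset" although the rule sends icmp-port-unreachable.
add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with icmp-port-unreachable" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=forward comment="deny FORWARD all" connection-state=""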
# Only the default hotspot profile's HTML directory is set; no hotspot server
# appears in this export.
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
# Default route towards the upstream gateway on the WAN /29.
/ip route add dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main disabled=no suppress-hw-offload=no
# High-distance (249) blackholes for RFC 1918 and link-local space: anything
# not covered by a more specific route is discarded locally instead of leaking
# out via the default route. The OVPN clients (172.20.1.x) presumably get more
# specific per-session routes, so the 172.16.0.0/12 blackhole should not catch
# them - confirm on a live session.
/ip route add blackhole dst-address=10.0.0.0/8 distance=249 comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE"
/ip route add blackhole dst-address=169.254.0.0/16 distance=249 comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE"
/ip route add blackhole dst-address=172.16.0.0/12 distance=249 comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE"
/ip route add blackhole dst-address=192.168.0.0/16 distance=249 comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE"
# Management plane. Telnet, FTP, plain HTTP and both API ports are disabled.
# SSH and Winbox do not appear here, so presumably they sit at their enabled
# defaults - which matches the two ports (22, 8291) the filter admits. Neither
# is bound with address=, so reachability rests entirely on the filter rules;
# restricting them here as well would be cheap defence in depth.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
# NOTE(review): always-allow-password-login=yes keeps password authentication
# available even for accounts that have an SSH key installed, and
# forwarding-enabled=both lets an SSH session open local and remote port
# forwards through the router. Both widen what a leaked admin password can
# do; set them back to no unless a workflow depends on them. The 4096-bit host
# key and strong-crypto=yes are good as they are.
/ip ssh set host-key-size=4096 strong-crypto=yes always-allow-password-login=yes forwarding-enabled=both
# Single OVPN account (the password is not shown in this export). The fixed
# client address 172.20.1.2 falls inside 172.20.1.0/24, the range the
# bridge-side management rules in the filter trust.
/ppp secret add name=ivanov_ovpn service=ovpn profile=emergency remote-address=172.20.1.2
/system clock set time-zone-name=Europe/Moscow
/system identity set name=dc01-emer01
/system note set show-at-login=no
# Keep the clock synced so TLS certificate validity checks for the OVPN server
# and log timestamps are trustworthy; four public pool servers, reached via
# the default route.
/system ntp client set enabled=yes
/system ntp client servers add address=0.pool.ntp.org
/system ntp client servers add address=1.pool.ntp.org
/system ntp client servers add address=2.pool.ntp.org
/system ntp client servers add address=3.pool.ntp.org
# Bandwidth-test server is not needed on an edge box; keep it off.
/tool bandwidth-server set enabled=no
# Layer-2 management: MAC-telnet nowhere, MAC-Winbox only on the LAN ports
# (interfaces-MAC-MGMT = ether2-ether5), MAC-ping off. None of it is reachable
# from ether1-outside.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
/tool mac-server ping set enabled=no