Aggiornato dump configurazione router
- firmware aggiornato 6.47.2 -> 7.8. - rinominate interfacce di rete per renderle più comprensibili. - riattivato DHCP per rete "pubblica" detta vela. - aggiunte regole firewall IPv4 per isolare rete vela nel suo brodo, solo accesso WAN. - allo stesso modo, aggiunte regole IPv4 per reti interne per consentire sia accesso WAN che a rete vela.
This commit is contained in:
parent
bdb840b91b
commit
076d1747fa
128
dump.rsc
128
dump.rsc
|
|
@ -1,24 +1,34 @@
|
|||
# apr/18/2023 23:55:25 by RouterOS 6.47.2
|
||||
# may/02/2023 22:16:43 by RouterOS 7.8
|
||||
# software id = GU1A-JDES
|
||||
#
|
||||
# model = RB3011UiAS
|
||||
# serial number = B88D0BD46C83
|
||||
/interface bridge
|
||||
add name=bridge-officina
|
||||
/interface ethernet
|
||||
set [ find default-name=ether1 ] name=ether1-wan
|
||||
set [ find default-name=ether5 ] name=ether5-vela
|
||||
set [ find default-name=ether6 ] name=ether6-switch
|
||||
set [ find default-name=ether7 ] name=ether7-cassiopea
|
||||
/interface list
|
||||
add name=WAN
|
||||
add name=LAN
|
||||
/interface lte apn
|
||||
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
|
||||
/interface wireless security-profiles
|
||||
set [ find default=yes ] supplicant-identity=MikroTik
|
||||
/ip pool
|
||||
add name=dhcp_pool1 ranges=192.168.5.128-192.168.5.254
|
||||
add name=dhcp_pool2 ranges=192.168.3.10-192.168.3.200
|
||||
add name=dhcp_pool_officina ranges=192.168.5.128-192.168.5.254
|
||||
add name=dhcp_pool_vela ranges=192.168.3.10-192.168.3.254
|
||||
/ip dhcp-server
|
||||
add address-pool=dhcp_pool1 disabled=no interface=bridge-officina lease-time=\
|
||||
1h name=dhcp1
|
||||
add address-pool=dhcp_pool2 interface=ether5 name=dhcp2 relay=192.168.3.1
|
||||
add address-pool=dhcp_pool_officina interface=bridge-officina lease-time=1h \
|
||||
name=dhcp-officina
|
||||
add address-pool=dhcp_pool_vela interface=ether5-vela lease-time=1h name=\
|
||||
dhcp-vela
|
||||
/port
|
||||
set 0 name=serial0
|
||||
/queue tree
|
||||
add max-limit=3M name=upload parent=ether1
|
||||
add max-limit=3M name=upload parent=ether1-wan
|
||||
add limit-at=20M max-limit=20M name=other_upload packet-mark=other_traffic \
|
||||
parent=upload priority=1
|
||||
add limit-at=20M max-limit=40M name=heavy_upload packet-mark=heavy_traffic \
|
||||
|
|
@ -28,38 +38,59 @@ add limit-at=200M max-limit=200M name=other_download packet-mark=\
|
|||
other_traffic parent=download priority=1
|
||||
add limit-at=120M max-limit=200M name=heavy_download packet-mark=\
|
||||
heavy_traffic parent=download
|
||||
/user group
|
||||
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
|
||||
sword,web,sniff,sensitive,api,romon,dude,tikapp"
|
||||
/routing bgp template
|
||||
set default disabled=no output.network=bgp-networks
|
||||
/routing ospf instance
|
||||
add disabled=no name=default-v2
|
||||
add disabled=no name=default-v3 version=3
|
||||
/routing ospf area
|
||||
add disabled=yes instance=default-v2 name=backbone-v2
|
||||
add disabled=yes instance=default-v3 name=backbone-v3
|
||||
/interface bridge port
|
||||
add interface=ether2
|
||||
add interface=ether3
|
||||
add interface=ether4
|
||||
add interface=ether5
|
||||
add bridge=bridge-officina interface=ether6
|
||||
add bridge=bridge-officina interface=ether7
|
||||
add bridge=bridge-officina interface=ether8
|
||||
add bridge=bridge-officina interface=ether9
|
||||
add bridge=bridge-officina interface=ether10
|
||||
add interface=sfp1
|
||||
add bridge=bridge-officina ingress-filtering=no interface=ether6-switch
|
||||
add bridge=bridge-officina ingress-filtering=no interface=ether7-cassiopea
|
||||
add bridge=bridge-officina ingress-filtering=no interface=ether8
|
||||
add bridge=bridge-officina ingress-filtering=no interface=ether9
|
||||
add bridge=bridge-officina ingress-filtering=no interface=ether10
|
||||
/interface bridge settings
|
||||
set use-ip-firewall=yes
|
||||
/ip neighbor discovery-settings
|
||||
set discover-interface-list=!dynamic
|
||||
/ip settings
|
||||
set max-neighbor-entries=8192
|
||||
/ipv6 settings
|
||||
set accept-redirects=no accept-router-advertisements=no
|
||||
set accept-redirects=no accept-router-advertisements=no max-neighbor-entries=\
|
||||
8192
|
||||
/interface list member
|
||||
add interface=ether1 list=WAN
|
||||
add list=LAN
|
||||
add interface=ether1-wan list=WAN
|
||||
add interface=*C list=LAN
|
||||
/interface ovpn-server server
|
||||
set auth=sha1,md5
|
||||
/ip address
|
||||
add address=192.168.7.128/24 interface=ether1 network=192.168.7.0
|
||||
add address=192.168.7.128/24 interface=ether1-wan network=192.168.7.0
|
||||
add address=192.168.5.20/24 interface=bridge-officina network=192.168.5.0
|
||||
add address=192.168.3.1/24 interface=ether5-vela network=192.168.3.0
|
||||
/ip dhcp-server lease
|
||||
add address=192.168.3.2 client-id=1:70:a7:41:80:97:bd mac-address=\
|
||||
70:A7:41:80:97:BD server=dhcp-vela
|
||||
/ip dhcp-server network
|
||||
add address=192.168.3.0/24 gateway=192.168.3.1
|
||||
add address=192.168.5.0/24 dns-server=8.8.8.8,1.1.1.1,8.8.4.4 gateway=\
|
||||
192.168.5.20 netmask=24
|
||||
add address=192.168.5.0/24 gateway=192.168.5.20 netmask=24
|
||||
/ip dns
|
||||
set servers=208.67.220.220,208.67.222.222,1.1.1.1,8.8.8.8,8.8.4.4
|
||||
/ip firewall filter
|
||||
add action=accept chain=input connection-state=established,related
|
||||
add action=accept chain=input in-interface=bridge-officina
|
||||
add action=accept chain=input comment="Allow ICMP from everyone. Ping is essen\
|
||||
tial to understand if network works." in-interface=all-ethernet protocol=\
|
||||
icmp
|
||||
add action=drop chain=input
|
||||
add action=accept chain=forward connection-state=established,related
|
||||
add action=accept chain=forward in-interface=bridge-officina
|
||||
add action=accept chain=forward comment=\
|
||||
"Allow forwarding from Vela to WAN only." in-interface=ether5-vela \
|
||||
out-interface=ether1-wan
|
||||
add action=drop chain=forward
|
||||
/ip firewall mangle
|
||||
add action=mark-connection chain=forward connection-mark=!heavy \
|
||||
new-connection-mark=generic
|
||||
|
|
@ -71,12 +102,26 @@ add action=mark-packet chain=forward connection-mark=heavy new-packet-mark=\
|
|||
add action=mark-packet chain=forward connection-mark=generic new-packet-mark=\
|
||||
other_traffic passthrough=no
|
||||
/ip firewall nat
|
||||
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
|
||||
192.168.5.0/24 to-addresses=192.168.1.128
|
||||
add action=dst-nat chain=dstnat dst-port=8010 protocol=tcp to-addresses=\
|
||||
192.168.5.10 to-ports=22
|
||||
add action=masquerade chain=srcnat comment=\
|
||||
"Allow access to Internet for officina's LAN" out-interface=ether1-wan \
|
||||
src-address=192.168.5.0/24 to-addresses=192.168.1.128
|
||||
add action=masquerade chain=srcnat comment=\
|
||||
"Allow access to Internet for Vela's public LAN" out-interface=ether1-wan \
|
||||
src-address=192.168.3.0/24 to-addresses=192.168.1.128
|
||||
add action=dst-nat chain=dstnat comment="(\?) Legacy rule for serverozzo\?" \
|
||||
disabled=yes dst-port=8010 protocol=tcp to-addresses=192.168.5.10 \
|
||||
to-ports=22
|
||||
/ip route
|
||||
add distance=1 gateway=192.168.7.1
|
||||
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.7.1
|
||||
/ipv6 route
|
||||
add disabled=no dst-address=2000::/3 gateway=\
|
||||
fe80::20d:b9ff:fe44:e5f1%ether1-wan
|
||||
add disabled=no dst-address=2001:470:c844:202::/64 gateway=\
|
||||
2001:470:c844:200::10
|
||||
add disabled=no dst-address=2001:470:c844:204::/64 gateway=\
|
||||
2001:470:c844:200:2e0:81ff:fed0:ec03
|
||||
add disabled=no dst-address=2001:470:c844:100::/64 gateway=\
|
||||
2001:470:c844:200::10
|
||||
/ip service
|
||||
set telnet port=30023
|
||||
set ftp disabled=yes
|
||||
|
|
@ -86,15 +131,10 @@ set www-ssl certificate=webfig disabled=no
|
|||
set api disabled=yes
|
||||
set api-ssl disabled=yes
|
||||
/ipv6 address
|
||||
add address=2001:470:c844:1::3/127 advertise=no disabled=yes interface=ether1
|
||||
add address=2001:470:c844:200::1 interface=bridge-officina
|
||||
add address=fd00:6073::3/127 advertise=no disabled=yes interface=ether1
|
||||
/ipv6 firewall filter
|
||||
add action=accept chain=forward connection-state=established,related
|
||||
add action=accept chain=forward src-address=2001:470:c844::/48
|
||||
add action=accept chain=forward comment=\
|
||||
"vupiuesse: allows certbot certificates renewals." dst-address=\
|
||||
2001:470:c844:200:40e4:bcff:fed0:2635/128 dst-port=80 protocol=tcp
|
||||
add action=reject chain=forward reject-with=icmp-admin-prohibited
|
||||
/ipv6 firewall mangle
|
||||
add action=mark-connection chain=forward connection-mark=!heavy dst-address=\
|
||||
|
|
@ -111,24 +151,18 @@ add action=mark-connection chain=forward connection-bytes=1000000-0 \
|
|||
new-connection-mark=heavy protocol=tcp
|
||||
/ipv6 nd
|
||||
set [ find default=yes ] interface=bridge-officina ra-interval=10s-30s
|
||||
/ipv6 route
|
||||
add distance=1 dst-address=2000::/3 gateway=fe80::20d:b9ff:fe44:e5f1%ether1
|
||||
add distance=1 dst-address=2001:470:c844:100::/64 gateway=\
|
||||
2001:470:c844:200::10
|
||||
add distance=1 dst-address=2001:470:c844:202::/64 gateway=\
|
||||
2001:470:c844:200::10
|
||||
add distance=1 dst-address=2001:470:c844:204::/64 gateway=\
|
||||
2001:470:c844:200:2e0:81ff:fed0:ec03
|
||||
/system clock
|
||||
set time-zone-name=Europe/Rome
|
||||
/system identity
|
||||
set name=porceddu
|
||||
/system ntp client
|
||||
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.105
|
||||
set enabled=yes
|
||||
/system ntp client servers
|
||||
add address=193.204.114.232
|
||||
add address=193.204.114.105
|
||||
/tool graphing interface
|
||||
add interface=ether1 store-on-disk=no
|
||||
add interface=ether1-wan store-on-disk=no
|
||||
/tool graphing resource
|
||||
add store-on-disk=no
|
||||
/tool sniffer
|
||||
set file-name=giomba.pcap
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue