From 076d1747fa7a784c8cd4713de864a3c7e8515ba7 Mon Sep 17 00:00:00 2001
From: giuliof
Date: Tue, 2 May 2023 20:25:40 +0000
Subject: [PATCH] Aggiornato dump configurazione router
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- firmware aggiornato 6.47.2 -> 7.8.
- rinominate interfacce di rete per renderle piĆ¹ comprensibili.
- riattivato DHCP per rete "pubblica" detta vela.
- aggiunte regole firewall IPv4 per isolare rete vela nel suo brodo, solo accesso WAN.
- allo stesso modo, aggiunte regole IPv4 per reti interne per consentire sia accesso WAN che a rete vela.
---
 dump.rsc | 128 +++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 81 insertions(+), 47 deletions(-)

diff --git a/dump.rsc b/dump.rsc
index 3707b09..c73835b 100644
--- a/dump.rsc
+++ b/dump.rsc
@@ -1,24 +1,34 @@
-# apr/18/2023 23:55:25 by RouterOS 6.47.2
+# may/02/2023 22:16:43 by RouterOS 7.8
 # software id = GU1A-JDES
 #
 # model = RB3011UiAS
 # serial number = B88D0BD46C83
 /interface bridge
 add name=bridge-officina
+/interface ethernet
+set [ find default-name=ether1 ] name=ether1-wan
+set [ find default-name=ether5 ] name=ether5-vela
+set [ find default-name=ether6 ] name=ether6-switch
+set [ find default-name=ether7 ] name=ether7-cassiopea
 /interface list
 add name=WAN
 add name=LAN
+/interface lte apn
+set [ find default=yes ] ip-type=ipv4 use-network-apn=no
 /interface wireless security-profiles
 set [ find default=yes ] supplicant-identity=MikroTik
 /ip pool
-add name=dhcp_pool1 ranges=192.168.5.128-192.168.5.254
-add name=dhcp_pool2 ranges=192.168.3.10-192.168.3.200
+add name=dhcp_pool_officina ranges=192.168.5.128-192.168.5.254
+add name=dhcp_pool_vela ranges=192.168.3.10-192.168.3.254
 /ip dhcp-server
-add address-pool=dhcp_pool1 disabled=no interface=bridge-officina lease-time=\
-    1h name=dhcp1
-add address-pool=dhcp_pool2 interface=ether5 name=dhcp2 relay=192.168.3.1
+add address-pool=dhcp_pool_officina interface=bridge-officina lease-time=1h \
+    name=dhcp-officina
+add address-pool=dhcp_pool_vela interface=ether5-vela lease-time=1h name=\
+    dhcp-vela
+/port
+set 0 name=serial0
 /queue tree
-add max-limit=3M name=upload parent=ether1
+add max-limit=3M name=upload parent=ether1-wan
 add limit-at=20M max-limit=20M name=other_upload packet-mark=other_traffic \
     parent=upload priority=1
 add limit-at=20M max-limit=40M name=heavy_upload packet-mark=heavy_traffic \
@@ -28,38 +38,59 @@ add limit-at=200M max-limit=200M name=other_download packet-mark=\
     other_traffic parent=download priority=1
 add limit-at=120M max-limit=200M name=heavy_download packet-mark=\
     heavy_traffic parent=download
-/user group
-set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
-    sword,web,sniff,sensitive,api,romon,dude,tikapp"
+/routing bgp template
+set default disabled=no output.network=bgp-networks
+/routing ospf instance
+add disabled=no name=default-v2
+add disabled=no name=default-v3 version=3
+/routing ospf area
+add disabled=yes instance=default-v2 name=backbone-v2
+add disabled=yes instance=default-v3 name=backbone-v3
 /interface bridge port
-add interface=ether2
-add interface=ether3
-add interface=ether4
-add interface=ether5
-add bridge=bridge-officina interface=ether6
-add bridge=bridge-officina interface=ether7
-add bridge=bridge-officina interface=ether8
-add bridge=bridge-officina interface=ether9
-add bridge=bridge-officina interface=ether10
-add interface=sfp1
+add bridge=bridge-officina ingress-filtering=no interface=ether6-switch
+add bridge=bridge-officina ingress-filtering=no interface=ether7-cassiopea
+add bridge=bridge-officina ingress-filtering=no interface=ether8
+add bridge=bridge-officina ingress-filtering=no interface=ether9
+add bridge=bridge-officina ingress-filtering=no interface=ether10
 /interface bridge settings
 set use-ip-firewall=yes
 /ip neighbor discovery-settings
 set discover-interface-list=!dynamic
+/ip settings
+set max-neighbor-entries=8192
 /ipv6 settings
-set accept-redirects=no accept-router-advertisements=no
+set accept-redirects=no accept-router-advertisements=no max-neighbor-entries=\
+    8192
 /interface list member
-add interface=ether1 list=WAN
-add list=LAN
+add interface=ether1-wan list=WAN
+add interface=*C list=LAN
+/interface ovpn-server server
+set auth=sha1,md5
 /ip address
-add address=192.168.7.128/24 interface=ether1 network=192.168.7.0
+add address=192.168.7.128/24 interface=ether1-wan network=192.168.7.0
 add address=192.168.5.20/24 interface=bridge-officina network=192.168.5.0
+add address=192.168.3.1/24 interface=ether5-vela network=192.168.3.0
+/ip dhcp-server lease
+add address=192.168.3.2 client-id=1:70:a7:41:80:97:bd mac-address=\
+    70:A7:41:80:97:BD server=dhcp-vela
 /ip dhcp-server network
 add address=192.168.3.0/24 gateway=192.168.3.1
-add address=192.168.5.0/24 dns-server=8.8.8.8,1.1.1.1,8.8.4.4 gateway=\
-    192.168.5.20 netmask=24
+add address=192.168.5.0/24 gateway=192.168.5.20 netmask=24
 /ip dns
 set servers=208.67.220.220,208.67.222.222,1.1.1.1,8.8.8.8,8.8.4.4
+/ip firewall filter
+add action=accept chain=input connection-state=established,related
+add action=accept chain=input in-interface=bridge-officina
+add action=accept chain=input comment="Allow ICMP from everyone. Ping is essen\
+    tial to understand if network works." in-interface=all-ethernet protocol=\
+    icmp
+add action=drop chain=input
+add action=accept chain=forward connection-state=established,related
+add action=accept chain=forward in-interface=bridge-officina
+add action=accept chain=forward comment=\
+    "Allow forwarding from Vela to WAN only." in-interface=ether5-vela \
+    out-interface=ether1-wan
+add action=drop chain=forward
 /ip firewall mangle
 add action=mark-connection chain=forward connection-mark=!heavy \
     new-connection-mark=generic
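Review bot: In the new `/ip firewall filter` input chain, packets arriving on ether5-vela are accepted only when they are ICMP or belong to an established/related connection, so vela clients cannot query the router for DNS; since the `/ip dhcp-server network` entry for 192.168.3.0/24 carries no `dns-server` and no `allow-remote-requests=yes` is visible under `/ip dns`, which resolver vela clients actually end up with is unclear from this hunk. Either hand them an external resolver, `add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=1.1.1.1,8.8.8.8`, or accept DNS explicitly before the input drop, `add action=accept chain=input in-interface=ether5-vela protocol=udp dst-port=53`. Both chains would also benefit from `add action=drop chain=forward connection-state=invalid` (and the same for input) right after the established/related accept, so the blanket `in-interface=bridge-officina` accepts do not pass malformed state. `add interface=*C list=LAN` references an object id the upgrade could no longer resolve, leaving the LAN list effectively empty; `add interface=bridge-officina list=LAN` restores it. Finally, `/interface ovpn-server server set auth=sha1,md5` keeps MD5 as an accepted OpenVPN HMAC (whether the server is enabled is not shown here); unless a legacy client needs it, `set auth=sha1`.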
@@ -71,12 +102,26 @@ add action=mark-packet chain=forward connection-mark=heavy new-packet-mark=\
 add action=mark-packet chain=forward connection-mark=generic new-packet-mark=\
     other_traffic passthrough=no
 /ip firewall nat
-add action=masquerade chain=srcnat out-interface=ether1 src-address=\
-    192.168.5.0/24 to-addresses=192.168.1.128
-add action=dst-nat chain=dstnat dst-port=8010 protocol=tcp to-addresses=\
-    192.168.5.10 to-ports=22
+add action=masquerade chain=srcnat comment=\
+    "Allow access to Internet for officina's LAN" out-interface=ether1-wan \
+    src-address=192.168.5.0/24 to-addresses=192.168.1.128
+add action=masquerade chain=srcnat comment=\
+    "Allow access to Internet for Vela's public LAN" out-interface=ether1-wan \
+    src-address=192.168.3.0/24 to-addresses=192.168.1.128
+add action=dst-nat chain=dstnat comment="(\?) Legacy rule for serverozzo\?" \
+    disabled=yes dst-port=8010 protocol=tcp to-addresses=192.168.5.10 \
+    to-ports=22
 /ip route
-add distance=1 gateway=192.168.7.1
+add disabled=no dst-address=0.0.0.0/0 gateway=192.168.7.1
+/ipv6 route
+add disabled=no dst-address=2000::/3 gateway=\
+    fe80::20d:b9ff:fe44:e5f1%ether1-wan
+add disabled=no dst-address=2001:470:c844:202::/64 gateway=\
+    2001:470:c844:200::10
+add disabled=no dst-address=2001:470:c844:204::/64 gateway=\
+    2001:470:c844:200:2e0:81ff:fed0:ec03
+add disabled=no dst-address=2001:470:c844:100::/64 gateway=\
+    2001:470:c844:200::10
 /ip service
 set telnet port=30023
 set ftp disabled=yes
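Review bot: `to-addresses=192.168.1.128` on both masquerade rules is dead configuration: `masquerade` always rewrites the source to the address of the outgoing interface (192.168.7.128 on ether1-wan per the `/ip address` hunk) and `to-addresses` is honoured only by `src-nat`, while 192.168.1.128 is not an address this router owns. Trim the new rule to `add action=masquerade chain=srcnat out-interface=ether1-wan src-address=192.168.3.0/24` (same for the officina rule), or switch to `action=src-nat` if a specific address is really intended. The disabled dst-nat carrying the `(?) Legacy rule for serverozzo?` comment still maps TCP/8010 from the WAN onto SSH of 192.168.5.10 the moment someone re-enables it; if no owner can be confirmed, delete it rather than keep it around. The context line `set telnet port=30023` shows telnet still enabled on a non-standard port, which is obscurity rather than protection; `set telnet disabled=yes` unless something actually depends on it.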
@@ -86,15 +131,10 @@ set www-ssl certificate=webfig disabled=no
 set api disabled=yes
 set api-ssl disabled=yes
 /ipv6 address
-add address=2001:470:c844:1::3/127 advertise=no disabled=yes interface=ether1
 add address=2001:470:c844:200::1 interface=bridge-officina
-add address=fd00:6073::3/127 advertise=no disabled=yes interface=ether1
 /ipv6 firewall filter
 add action=accept chain=forward connection-state=established,related
 add action=accept chain=forward src-address=2001:470:c844::/48
-add action=accept chain=forward comment=\
-    "vupiuesse: allows certbot certificates renewals." dst-address=\
-    2001:470:c844:200:40e4:bcff:fed0:2635/128 dst-port=80 protocol=tcp
 add action=reject chain=forward reject-with=icmp-admin-prohibited
 /ipv6 firewall mangle
 add action=mark-connection chain=forward connection-mark=!heavy dst-address=\
@@ -111,24 +151,18 @@ add action=mark-connection chain=forward connection-bytes=1000000-0 \
     new-connection-mark=heavy protocol=tcp
 /ipv6 nd
 set [ find default=yes ] interface=bridge-officina ra-interval=10s-30s
-/ipv6 route
-add distance=1 dst-address=2000::/3 gateway=fe80::20d:b9ff:fe44:e5f1%ether1
-add distance=1 dst-address=2001:470:c844:100::/64 gateway=\
-    2001:470:c844:200::10
-add distance=1 dst-address=2001:470:c844:202::/64 gateway=\
-    2001:470:c844:200::10
-add distance=1 dst-address=2001:470:c844:204::/64 gateway=\
-    2001:470:c844:200:2e0:81ff:fed0:ec03
 /system clock
 set time-zone-name=Europe/Rome
 /system identity
 set name=porceddu
 /system ntp client
-set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.105
+set enabled=yes
+/system ntp client servers
+add address=193.204.114.232
+add address=193.204.114.105
 /tool graphing interface
-add interface=ether1 store-on-disk=no
+add interface=ether1-wan store-on-disk=no
 /tool graphing resource
 add store-on-disk=no
 /tool sniffer
 set file-name=giomba.pcap
-
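Review bot: The `/ipv6 firewall filter` block still has no input chain — all three remaining rules are `chain=forward` — so, unlike the IPv4 input chain added in this commit, every service on the router is reachable over IPv6 on the global 2001:470:c844:200::1 bridge address and through the 2000::/3 tunnel route, including telnet on port 30023 and www-ssl, both shown enabled in this export. An input chain mirroring the IPv4 one is needed; ICMPv6 must be accepted unconditionally because neighbour discovery (including resolving the link-local gateway on ether1-wan) and router solicitations from hosts on bridge-officina depend on it. Whether a dedicated tunnel interface exists is not visible here, so the per-interface accept below is written for the bridge only.
```routeros
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmpv6
add action=accept chain=input in-interface=bridge-officina
add action=drop chain=input
# ... unchanged: existing forward-chain rules ...
```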