

Modo Router no MikroTik

Bridge
# "bridge" groups the four LAN ports. "loopback" is a second, port-less bridge whose only
# purpose is to carry the router's own 192.168.88.1 address (see /ip address) as a stable
# management address that does not depend on any physical port.
/interface bridge
add name=bridge
add name=loopback
# ether1 is the PPPoE uplink and is deliberately NOT a bridge port; ether2-5 form the LAN.
/interface ethernet
set [ find default-name=ether1 ] comment=UPLINK
set [ find default-name=ether2 ] comment="LAN1"
set [ find default-name=ether3 ] comment="LAN2"
set [ find default-name=ether4 ] comment="LAN3"
set [ find default-name=ether5 ] comment="LAN4"

# ingress-filtering=no switches off VLAN ingress checks on the LAN ports. That only has an
# effect if vlan-filtering is enabled on the bridge, which is not shown anywhere on this page.
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
address
/ip address
# LAN gateway for 172.16.0.0/20 on the bridge.
add address=172.16.0.1/20 interface=bridge network=172.16.0.0
# No prefix length is given, so this is a /32 on the port-less "loopback" bridge.
# NOTE(review): the firewall address list entry 192.168.88.0/24 therefore matches only this
# single router-owned address unless that range is used somewhere not shown on this page.
add address=192.168.88.1 interface=loopback network=192.168.88.1
pppoe-client
# PPPoE session over ether1. add-default-route=yes makes the session install the default
# route itself, so the static 0.0.0.0/0 via pppoe-out1 in the "route" section is redundant.
# user is redacted and no password appears -- either redacted for publication or hidden by
# the export; do not paste real credentials into a page like this.
/interface pppoe-client
add add-default-route=yes comment="UPLINK" disabled=no interface=\
    ether1 name=pppoe-out1 user=XXXX
DNS
/ip dns
# Upstream resolvers (Google and Cloudflare, IPv4 and IPv6). allow-remote-requests is not
# set on this page (RouterOS default: no). If it is enabled anywhere, udp/tcp 53 must be
# blocked from pppoe-out1 in the input chain, otherwise the router is an open resolver and
# an amplification source -- and as exported here the input chain has no active rules at all.
set servers=8.8.8.8,1.1.1.1,2001:4860:4860::8888,2001:4860:4860::8844

firewall
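/ip firewall address-list
# Management / monitoring sources. 172.16.0.0/25 is only the first 128 hosts of the
# 172.16.0.0/20 LAN; 192.168.88.0/24 matches nothing but the router's own loopback /32
# (see /ip address) unless that range exists somewhere not shown on this page.
add address=172.16.0.0/25 list=IPs-Permitidos-AcessoWeb
add address=192.168.88.0/24 list=IPs-Permitidos-AcessoWeb
add address=172.16.0.0/25 list=Servidores-monitoramento

/ip firewall filter
# REVIEW: every input rule below is disabled=yes, INCLUDING the final drop, so the effective
# input chain is empty and every router service (WinBox 8291, WebFig 9090, L2TP, SNMP...) is
# reachable from pppoe-out1. The rules are kept disabled as a template, but they have been
# corrected so that enabling them as a set actually works; enable them from Safe Mode.
#
# Required before the final drop: replies to the router's own DNS/NTP queries and to the
# DHCPv6 client would otherwise be dropped. The original had no established/related accept.
add action=accept chain=input comment="ESTABLISHED/RELATED" connection-state=\
    established,related disabled=yes
# Was restricted to in-interface=ether1, but IP traffic from the ISP arrives on pppoe-out1
# (ether1 only carries the PPPoE frames), so the rule could never match WAN traffic.
add action=drop chain=input comment="CONNECTION INVALID" connection-state=invalid \
    disabled=yes
add action=add-src-to-address-list address-list=PORTSCAN \
    address-list-timeout=1w chain=input comment="DETECTION PORT SCANNER" \
    disabled=yes protocol=tcp psd=21,3s,3,1
# WinBox only from the LAN bridge (the original accepted it on any interface, i.e. from the
# WAN once enabled). Remote administration should go through the L2TP/IPsec VPN below.
add action=accept chain=input comment="WINBOX ACCEPT (LAN only)" disabled=yes dst-port=\
    8291 in-interface=bridge protocol=tcp
add action=accept chain=input comment=Mac-Winbox disabled=yes dst-port=20561 \
    in-interface=bridge protocol=udp
add action=accept chain=input comment=L2TP+IPSEC disabled=yes dst-port=\
    1701,4500,500 protocol=udp
add action=accept chain=input disabled=yes protocol=ipsec-esp
add action=accept chain=input disabled=yes protocol=ipsec-ah
# DHCPv4 server answers on the LAN bridge only. Ports 546/547 were removed from this rule:
# DHCPv6 is IPv6 traffic and can only be matched in /ipv6 firewall filter, never here.
add action=accept chain=input comment="DHCPv4 (LAN)" disabled=yes dst-port=67,68 \
    in-interface=bridge protocol=udp
# DNS to the router from the LAN only. Enable only if LAN clients resolve through this box
# (/ip dns allow-remote-requests=yes). Never accept 53 from pppoe-out1 (open resolver).
add action=accept chain=input comment="DNS from LAN" disabled=yes dst-port=53 \
    in-interface=bridge protocol=udp
add action=accept chain=input comment="DNS from LAN" disabled=yes dst-port=53 \
    in-interface=bridge protocol=tcp
# WebFig listens on 9090 (/ip service set www port=9090); the original rule opened tcp/80,
# which nothing on this page listens on.
add action=accept chain=input comment=IPs-Permitidos-AcessoWeb disabled=yes \
    dst-port=9090 protocol=tcp src-address-list=IPs-Permitidos-AcessoWeb
# NTP is UDP; the original tcp/123 rule could never match. Only needed if this router serves
# NTP to the LAN -- the NTP client's own replies are covered by ESTABLISHED/RELATED above.
add action=accept chain=input comment=NTP disabled=yes dst-port=123 in-interface=bridge \
    protocol=udp
add action=accept chain=input comment=SNMP disabled=yes dst-port=161 \
    protocol=udp src-address-list=Servidores-monitoramento
# LDP (MPLS) is not configured anywhere on this page; delete these two unless MPLS is in use.
add action=accept chain=input comment=LDP disabled=yes dst-port=646 protocol=\
    tcp
add action=accept chain=input comment=LDP disabled=yes dst-port=646 protocol=\
    udp
add action=accept chain=input comment=MNDP disabled=yes dst-port=5678 \
    in-interface=bridge protocol=udp
# ICMP: unrestricted from the LAN; everything else goes through the rate-limited ICMP chain.
# The original only jumped for pppoe-out1, so LAN pings to the router would have fallen
# through to the final drop once it was enabled.
add action=accept chain=input comment="ICMP from LAN" disabled=yes in-interface=bridge \
    protocol=icmp
add action=jump chain=input comment="ICMP CONTROL - CHAIN ICMP" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="ECHO REPLY (type 0)" disabled=yes icmp-options=\
    0:0-255 limit=1,10:packet protocol=icmp
add action=accept chain=ICMP comment="ECHO REQUEST (type 8)" disabled=yes \
    icmp-options=8:0-255 limit=2,10:packet protocol=icmp
# Labels corrected: type 11 is Time Exceeded (traceroute), type 3 is Destination
# Unreachable (needed for Path MTU Discovery). The original had them swapped.
add action=accept chain=ICMP comment="TIME EXCEEDED (type 11)" disabled=yes icmp-options=\
    11:0-255 limit=1,10:packet protocol=icmp
add action=accept chain=ICMP comment="DESTINATION UNREACHABLE (type 3)" disabled=yes \
    icmp-options=3:0-255 limit=1,10:packet protocol=icmp
# Moved from chain=forward: there it would have dropped ALL transit ICMP (LAN pings, PMTUD)
# instead of the leftover ICMP aimed at the router itself.
add action=drop chain=ICMP comment="DROP ICMP RESTANTE" disabled=yes protocol=icmp
# Final input drop. Enable only together with the accepts above, from Safe Mode.
add action=drop chain=input comment="DROP INPUT RESTANTE" disabled=yes

# Forward chain (enabled). The disabled duplicate fasttrack/accept pair was removed.
# NOTE: fasttrack bypasses /queue simple, so the per-lease queues created by the DHCP
# script on this page do not shape fasttracked traffic (as the comment itself says).
add action=fasttrack-connection chain=forward comment=\
    "FAST TRACK (DESATIVAR CASO USE O SIMPLE QUEUE)" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="CONNECTION INVALID" connection-state=invalid
# Masquerade is not a filter. Block unsolicited inbound connections from the WAN unless a
# dst-nat rule explicitly forwards them.
add action=drop chain=forward comment="DROP NEW FROM WAN (not dst-natted)" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1

/ip firewall raw
# Drops everything from hosts flagged by the PORTSCAN rule; both rules are disabled today.
add action=drop chain=prerouting disabled=yes src-address-list=PORTSCAN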
service
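/ip service
# Unused management protocols off (telnet/ftp are plaintext; API surfaces are not needed here).
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# WebFig on a non-standard port is still plaintext HTTP: credentials and session cookies are
# readable on path, and the port change is no protection. Prefer www-ssl with a certificate
# and disable www; no certificate is present on this page, so www is kept but bound to the
# same management ranges the firewall's IPs-Permitidos-AcessoWeb list uses.
set www port=9090 address=172.16.0.0/25,192.168.88.0/24
# WinBox had no restriction and the input chain on this page is effectively empty, so it was
# reachable from the WAN. Restrict it to the LAN; remote admins use the L2TP/IPsec VPN.
set winbox address=172.16.0.0/20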
IPv6
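/ipv6 address
# The ISP-delegated prefix (dhcp-client below) is advertised on the LAN bridge: every LAN
# host gets a globally routable IPv6 address, so an IPv6 firewall is mandatory (added below).
add from-pool=Pool-V6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=Pool-V6 request=\
    prefix
/ipv6 nd
# M/O flags tell hosts to obtain addresses/options via DHCPv6, but no /ipv6 dhcp-server is
# defined on this page. NOTE(review): confirm one exists elsewhere or drop the M flag.
set [ find default=yes ] managed-address-configuration=yes \
    other-configuration=yes

/ipv6 firewall filter
# This page had no IPv6 filter at all. With the global prefix on the bridge and NAT absent
# in IPv6, that left the router and every LAN host directly reachable from the Internet.
add action=accept chain=input comment="IPv6 ESTABLISHED/RELATED" connection-state=\
    established,related
add action=drop chain=input comment="IPv6 INVALID" connection-state=invalid
# ICMPv6 carries Neighbor Discovery, Router Advertisements and PMTUD; never block it wholesale.
add action=accept chain=input comment="ICMPv6 (ND/RA/PMTUD)" protocol=icmpv6
add action=accept chain=input comment="DHCPv6 client replies from ISP" dst-port=546 \
    in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="LAN to router" in-interface=bridge
add action=drop chain=input comment="DROP IPv6 INPUT RESTANTE"
add action=accept chain=forward comment="IPv6 ESTABLISHED/RELATED" connection-state=\
    established,related
add action=drop chain=forward comment="IPv6 INVALID" connection-state=invalid
add action=accept chain=forward comment="ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="LAN outbound" in-interface=bridge
add action=drop chain=forward comment="DROP unsolicited inbound from WAN" in-interface=\
    pppoe-out1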
clock
/system clock
# Fixed time zone; together with the NTP client below this keeps log timestamps usable
# for incident correlation.
set time-zone-name=America/Sao_Paulo
ntp
/system ntp client
set enabled=yes
# NTP servers pinned by IP (no dependency on the resolver). The client's replies are matched
# by connection tracking as established/related -- the input chain on this page has no such
# accept rule, so it must be added before the final input drop is ever enabled. The "NTP"
# filter rule on this page uses tcp/123, but NTP is UDP.
/system ntp client servers
add address=200.160.0.8
add address=200.189.40.8
dhcp-server
/ip dhcp-server
# DHCPv4 for the LAN bridge. address-pool=dhcp_pool0 is not defined on this page (no /ip pool
# section) -- NOTE(review): confirm it exists and lies inside 172.16.0.0/20 clear of the
# static leases below. 10-minute leases keep the lease table (and the queue script) fresh
# at the cost of frequent renewals.
add address-pool=dhcp_pool0 interface=bridge lease-time=10m name=dhcp1
# Static leases for the UniFi devices (per comments), bound to MAC and client-id. The DHCP
# queue script on this page keys queues by MAC and uses these comments as queue names.
/ip dhcp-server lease
add address=172.16.12.115 client-id=1:d0:21:f9:88:4:11 comment="unifi terreo" \
    mac-address=D0:21:F9:88:04:11 server=dhcp1
add address=172.16.4.140 client-id=1:d0:21:f9:87:f3:2d comment="unifi 2 andar" \
    mac-address=D0:21:F9:87:F3:2D server=dhcp1
add address=172.16.15.191 client-id=1:d0:21:f9:88:7:15 comment="unifi 1 andar" \
    mac-address=D0:21:F9:88:07:15 server=dhcp1
/ip dhcp-server network
# Clients get 172.16.0.1 as gateway. No dns-server is set here, so what clients use for DNS
# depends on settings not shown on this page.
add address=172.16.0.0/20 gateway=172.16.0.1
script dhcp queues
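# Keep /queue simple in sync with /ip dhcp-server lease: one queue per lease, keyed by MAC
# address and tagged in the queue comment as "<prefix><MAC>,<hostname>". Queues whose MAC
# no longer has a lease are removed at the end.
#
# Changes from the previous version of this script:
#  * The add command was assembled as a string and run with :execute. The DHCP host-name is
#    client-controlled (option 12) and the lease comment is free text, so a hostname such as
#    x"; /user add name=a group=full password=b; :put " would have been executed with the
#    script's privileges. The queue is now added with a direct command; RouterOS passes
#    variable values as-is without re-parsing them as script.
#  * The comment prefix was "JBits," in two places and "leo," in one, while the MAC was always
#    picked from offsets 4..21 (right only for "leo,") and the cleanup compared the first THREE
#    characters with "JBits". Net effect: MAC matching failed for new queues (duplicates were
#    created on every run) and the cleanup never removed anything. One prefix and offsets
#    derived from its length are used everywhere now.
#  * Every command carries its full path so the path switching inside the loops is explicit.
#
# NOTE(review): /queue simple names must be unique; duplicate queues left by earlier runs of
# the broken version must be deleted by hand once, or the rename in the MAC-match branch fails.
# Fasttrack (enabled in the forward chain on this page) bypasses simple queues entirely.

:local prefix "JBits,"
:local macLen 17
:local maxLimit "50M/50M"

:local macStart [:len $prefix]
:local macEnd ($macStart + $macLen)

:foreach x in=[/ip dhcp-server lease find] do={

    # lease attributes; host-name and comment may be empty
    :local leaseaddr ([/ip dhcp-server lease get $x address] . "/32")
    :local leasemacaddr [/ip dhcp-server lease get $x mac-address]
    :local leasehostname [/ip dhcp-server lease get $x host-name]
    :local leasename [/ip dhcp-server lease get $x comment]

    # tag written to the queue comment so later runs and the cleanup can map it to the lease
    :local queuecomment ($prefix . $leasemacaddr . "," . $leasehostname)

    # display name: lease comment, else hostname, else bare MAC
    :local queuename $leasemacaddr
    :if ($leasename != "") do={
        :set queuename ($leasename . " (" . $leasemacaddr . ")")
    } else={
        :if ($leasehostname != "") do={
            :set queuename ($leasehostname . " (" . $leasemacaddr . ")")
        }
    }

    :local leaseinqueue false

    :foreach y in=[/queue simple find] do={
        :local existingcomment [/queue simple get $y comment]
        :local queuetargetaddr [/queue simple get $y target]
        :local queuemac [:pick $existingcomment $macStart $macEnd]

        :if ($queuemac = $leasemacaddr) do={
            # same device: refresh address, tag and name
            /queue simple set $y target=$leaseaddr comment=$queuecomment name=$queuename
            :set leaseinqueue true
        } else={
            :if ($queuetargetaddr = $leaseaddr) do={
                # same address, different device: re-tag the queue and restart its counters
                /queue simple set $y comment=$queuecomment name=$queuename
                /queue simple reset-counters $y
                :set leaseinqueue true
            }
        }
    }

    :if ($leaseinqueue = false) do={
        # no queue for this lease yet: create it directly (no string building, no :execute)
        /queue simple add target=$leaseaddr max-limit=$maxLimit comment=$queuecomment \
            name=$queuename
    }
}

# Cleanup: remove queues tagged by this script whose MAC no longer has a lease
:foreach z in=[/queue simple find] do={
    :local queuecomment [/queue simple get $z comment]
    :if ([:pick $queuecomment 0 $macStart] = $prefix) do={
        :local queuemac [:pick $queuecomment $macStart $macEnd]
        :if ([:len [/ip dhcp-server lease find mac-address=$queuemac]] = 0) do={
            :log info ("leo: Removing stale entry for MAC Address - " . $queuemac)
            /queue simple remove $z
        }
    }
}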

route
/ip route
# Static default route via the PPPoE interface. The pppoe-client on this page already has
# add-default-route=yes, so this duplicates the dynamic default route; keep one of the two
# (drop this line or set add-default-route=no) to avoid two competing 0.0.0.0/0 entries.
add dst-address=0.0.0.0/0 gateway=pppoe-out1