API tools faq
paste
Advertisement
Mike057

RB5009UG+S+ actual

Mike057
May 24th, 2024
321
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.40 KB | None | 0 0
raw download clone embed print report
  1. # may/24/2024 22:27:39 by RouterOS 7.8
  2. # software id = 1LQN-EFTV
  3. #
  4. # model = RB5009UG+S+
  5. # serial number = HFD090P15QZ
  6. /interface bridge
  7. add ingress-filtering=no name=bridge1 vlan-filtering=yes
  8. /interface ethernet
  9. set [ find default-name=ether1 ] name="ether1[2.5G ADMIN]"
  10. set [ find default-name=ether2 ] name="ether2[MGM]"
  11. set [ find default-name=ether3 ] name="ether3[temp WAN]"
  12. set [ find default-name=ether4 ] name="ether4[IPCAM]"
  13. set [ find default-name=ether5 ] name="ether5[WIFI]"
  14. set [ find default-name=ether6 ] name="ether6[SERVERS]"
  15. set [ find default-name=ether7 ] name="ether7[PRINTERS]"
  16. set [ find default-name=ether8 ] name="ether8[WAN]"
  17. /interface vlan
  18. add interface=bridge1 name=ADMIN vlan-id=80
  19. add interface=bridge1 name=GUEST vlan-id=900
  20. add interface=bridge1 name=IPCAM vlan-id=40
  21. add interface=bridge1 name=LAN vlan-id=10
  22. add interface=bridge1 name=MANAGEMENT vlan-id=90
  23. add interface="ether8[WAN]" name=O2 vlan-id=848
  24. add interface=bridge1 name=PRINTERS vlan-id=30
  25. add interface=bridge1 name=SERVERS vlan-id=20
  26. add interface=bridge1 name=TV vlan-id=50
  27. /interface pppoe-client
  28. add add-default-route=yes disabled=no interface=O2 max-mru=1492 max-mtu=1492 \
  29. name=pppoe-out1 user=cetin
  30. /interface wireless security-profiles
  31. set [ find default=yes ] supplicant-identity=MikroTik
  32. /ip pool
  33. add name=dhcp_pool10 ranges=192.168.10.100-192.168.10.254
  34. add name=dhcp_pool11 ranges=192.168.20.100-192.168.20.254
  35. add name=dhcp_pool12 ranges=192.168.30.100-192.168.30.254
  36. add name=dhcp_pool13 ranges=192.168.90.100-192.168.90.254
  37. add name=dhcp_pool14 ranges=192.168.10.100-192.168.10.254
  38. add name=dhcp_pool15 ranges=192.168.40.100-192.168.40.254
  39. add name=dhcp_pool16 ranges=192.168.50.100-192.168.50.254
  40. add name=dhcp_pool17 ranges=192.168.20.100-192.168.20.254
  41. add name=dhcp_pool18 ranges=10.0.1.2-10.0.1.254
  42. add name=dhcp_pool19 ranges=192.168.80.100-192.168.80.254
  43. /ip dhcp-server
  44. add address-pool=dhcp_pool12 interface=PRINTERS lease-time=2h name=dhcp3
  45. add address-pool=dhcp_pool13 interface=MANAGEMENT lease-time=2h name=dhcp4
  46. add address-pool=dhcp_pool14 interface=LAN lease-time=2h name=dhcp1
  47. add address-pool=dhcp_pool15 interface=IPCAM lease-time=2h name=dhcp2
  48. add address-pool=dhcp_pool16 interface=TV lease-time=2h name=dhcp5
  49. add address-pool=dhcp_pool17 interface=SERVERS lease-time=2h name=dhcp6
  50. add address-pool=dhcp_pool18 interface=GUEST lease-time=2h name=dhcp7
  51. add address-pool=dhcp_pool19 interface=ADMIN lease-time=2h name=dhcp8
  52. /interface bridge port
  53. add bridge=bridge1 interface="ether2[MGM]" pvid=90
  54. add bridge=bridge1 interface="ether4[IPCAM]" pvid=40
  55. add bridge=bridge1 interface="ether5[WIFI]" pvid=10
  56. add bridge=bridge1 interface="ether6[SERVERS]" pvid=20
  57. add bridge=bridge1 interface="ether7[PRINTERS]" pvid=30
  58. add bridge=bridge1 interface=sfp-sfpplus1 pvid=10
  59. add bridge=bridge1 interface="ether1[2.5G ADMIN]" pvid=80
  60. /ip neighbor discovery-settings
  61. set discover-interface-list=!dynamic
  62. /ipv6 settings
  63. set disable-ipv6=yes
  64. /interface bridge vlan
  65. add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 untagged="ether6[SERVERS]" \
  66. vlan-ids=20
  67. add bridge=bridge1 tagged="sfp-sfpplus1,bridge1,ether5[WIFI]" vlan-ids=10
  68. add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 untagged="ether7[PRINTERS]" \
  69. vlan-ids=30
  70. add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 untagged="ether4[IPCAM]" vlan-ids=\
  71. 40
  72. add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 vlan-ids=50
  73. add bridge=bridge1 tagged="sfp-sfpplus1,bridge1,ether5[WIFI]" untagged=\
  74. "ether2[MGM]" vlan-ids=90
  75. add bridge=bridge1 tagged="sfp-sfpplus1,ether5[WIFI],bridge1" vlan-ids=900
  76. add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 untagged="ether1[2.5G ADMIN]" \
  77. vlan-ids=80
  78. /ip address
  79. add address=192.168.90.1/24 interface=MANAGEMENT network=192.168.90.0
  80. add address=192.168.10.1/24 interface=LAN network=192.168.10.0
  81. add address=192.168.20.1/24 interface=SERVERS network=192.168.20.0
  82. add address=192.168.30.1/24 interface=PRINTERS network=192.168.30.0
  83. add address=192.168.40.1/24 interface=IPCAM network=192.168.40.0
  84. add address=192.168.50.1/24 interface=TV network=192.168.50.0
  85. add address=10.0.1.1/24 interface=GUEST network=10.0.1.0
  86. add address=192.168.80.1/24 interface=ADMIN network=192.168.80.0
  87. /ip dhcp-client
  88. add interface="ether3[temp WAN]"
  89. /ip dhcp-server lease
  90. add address=192.168.80.10 mac-address=E8:9C:25:C3:52:0F server=dhcp8
  91. /ip dhcp-server network
  92. add address=10.0.1.0/24 dns-server=10.0.1.1 gateway=10.0.1.1
  93. add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
  94. add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
  95. add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
  96. add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
  97. add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
  98. add address=192.168.80.0/24 dns-server=192.168.80.1 gateway=192.168.80.1
  99. add address=192.168.90.0/24 dns-server=192.168.90.1 gateway=192.168.90.1
  100. /ip dns
  101. set allow-remote-requests=yes servers=8.8.8.8
  102. /ip dns static
  103. add address=192.168.20.10 name=docker01.nazmrzliku.net
  104. add address=192.168.20.10 name=filmy.nazmrzliku.net
  105. add address=192.168.20.10 name=services.nazmrzliku.net
  106. add address=192.168.20.20 name=docker02.nazmrzliku.net
  107. add address=192.168.20.30 name=rp01.nazmrzliku.net
  108. add address=192.168.20.50 name=nas01.nazmrzliku.net
  109. /ip firewall address-list
  110. add address=0.0.0.0/8 list=no_forward_ipv4
  111. add address=169.254.0.0/16 list=no_forward_ipv4
  112. add address=224.0.0.0/4 list=no_forward_ipv4
  113. add address=255.255.255.255 list=no_forward_ipv4
  114. add address=192.168.10.0/24 list=allowed_to_router
  115. add address=192.168.20.0/24 list=allowed_to_router
  116. add address=192.168.30.0/24 list=allowed_to_router
  117. add address=192.168.40.0/24 list=allowed_to_router
  118. add address=192.168.50.0/24 list=allowed_to_router
  119. add address=192.168.90.0/24 list=allowed_to_router
  120. add address=10.0.1.0/24 list=allowed_to_router
  121. add address=192.168.80.0/24 list=allowed_to_router
  122. add address=192.168.10.0/24 list=printer_allowed
  123. add address=192.168.80.0/24 list=printer_allowed
  124. add address=192.168.20.0/24 list=printer_allowed
  125. add address=192.168.90.0/24 list=printer_allowed
  126. add address=192.168.10.0/24 list=nas_allowed
  127. add address=192.168.20.0/24 list=nas_allowed
  128. add address=192.168.80.0/24 list=nas_allowed
  129. add address=192.168.90.0/24 list=nas_allowed
  130. add address=192.168.80.0/24 list=server_allowed
  131. add address=192.168.80.0/24 list=management_allowed
  132. add address=192.168.10.0/24 list=docker01_web_allowed
  133. add address=192.168.50.0/24 list=docker01_web_allowed
  134. add address=192.168.80.0/24 list=tv_allowed
  135. add address=192.168.80.10 list=lan_allowed
  136. /ip firewall filter
  137. add action=accept chain=input comment="default configuration" connection-state=\
  138. established,related
  139. add action=drop chain=input connection-state=invalid
  140. add action=accept chain=input protocol=icmp
  141. add action=accept chain=input dst-address=127.0.0.1
  142. add action=accept chain=input src-address-list=allowed_to_router
  143. add action=drop chain=input
  144. add action=fasttrack-connection chain=forward comment=fasttrack connection-state=\
  145. established,related hw-offload=yes
  146. add action=accept chain=forward comment="accept established,related, untracked" \
  147. connection-state=established,related,untracked
  148. add action=drop chain=forward comment="drop invalid" connection-state=invalid
  149. # pppoe-out1 not ready
  150. add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
  151. connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
  152. add action=drop chain=forward comment="drop bad forward IPs" src-address-list=\
  153. no_forward_ipv4
  154. add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=\
  155. no_forward_ipv4
  156. add action=accept chain=forward dst-address=192.168.20.10 dst-port=80 protocol=\
  157. tcp src-address-list=docker01_web_allowed
  158. add action=accept chain=forward dst-address=192.168.20.10 dst-port=443 protocol=\
  159. tcp src-address-list=docker01_web_allowed
  160. add action=accept chain=forward dst-address=192.168.20.50 dst-port=445 \
  161. log-prefix=nas protocol=tcp src-address-list=nas_allowed
  162. add action=accept chain=forward dst-address=192.168.30.0/24 src-address-list=\
  163. printer_allowed
  164. add action=accept chain=forward dst-address=192.168.20.0/24 src-address-list=\
  165. server_allowed
  166. add action=accept chain=forward dst-address=192.168.90.0/24 log-prefix=acc \
  167. src-address-list=management_allowed
  168. add action=accept chain=forward dst-address=192.168.50.0/24 log-prefix=acc \
  169. src-address-list=tv_allowed
  170. add action=accept chain=forward dst-address=192.168.10.0/24 src-address-list=\
  171. lan_allowed
  172. add action=drop chain=forward log-prefix=all out-interface="!ether3[temp WAN]"
  173. /ip firewall nat
  174. add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1
  175. add action=masquerade chain=srcnat out-interface="ether3[temp WAN]"
  176. add action=dst-nat chain=dstnat comment=HTTP disabled=yes dst-port=80 \
  177. in-interface="ether3[temp WAN]" protocol=tcp to-addresses=192.168.20.20 \
  178. to-ports=80
  179. add action=dst-nat chain=dstnat comment=HTTPS disabled=yes dst-port=443 \
  180. in-interface="ether3[temp WAN]" protocol=tcp to-addresses=192.168.20.20 \
  181. to-ports=443
  182. /ip service
  183. set telnet disabled=yes
  184. set ftp disabled=yes
  185. set www disabled=yes
  186. set ssh address=192.168.80.0/24,192.168.90.0/24
  187. set api disabled=yes
  188. set winbox address=192.168.80.0/24,192.168.90.0/24
  189. set api-ssl disabled=yes
  190. /system clock
  191. set time-zone-name=Europe/Prague
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!