
anybody know how to add vlans?

Zaczęty przez dushback1111, Luty 07, 2023, 01:30:26 PM


dushback1111

# LAN bridge. vlan-filtering=yes switches on the bridge VLAN table, so VLAN
# membership is governed by the "/interface bridge port" and
# "/interface bridge vlan" sections of this export.
/interface bridge
add fast-forward=no name=bridge1-lan vlan-filtering=yes
# Rename the two uplinks. ether1 is additionally set to answer ARP on behalf of
# other hosts (arp=proxy-arp).
# NOTE(review): proxy-arp on an Internet-facing port is unusual - confirm it is
# needed for the extra public addresses bound to ether1 in "/ip address".
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=ether1-WAN-Fiber
set [ find default-name=ether2 ] name=ether2-WAN-Cable
# No VLAN interfaces are defined in this export: the section has no entries.
/interface vlan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP for the LAN: leases come from 192.168.168.50-190, last one day and are
# handed out on the bridge interface.
/ip pool
add name=lan ranges=192.168.168.50-192.168.168.190
/ip dhcp-server
add address-pool=lan disabled=no interface=bridge1-lan lease-time=1d name=bridge1
# Queue tree keyed on the packet marks "voice" and "best_effort" that the
# mangle section is expected to set.
# FiberQueue: 100M parent on the fibre uplink with a voice child (10M
# guaranteed, priority 3) and a best-effort child (priority 5).
/queue tree
add max-limit=100M name=FiberQueue parent=ether1-WAN-Fiber
add limit-at=10M max-limit=100M name=FiberQueueVoice packet-mark=voice parent=FiberQueue priority=3
add max-limit=100M name=FiberQueueBestEffort packet-mark=best_effort parent=FiberQueue priority=5
# NOTE(review): the three Cable* queues are attached to ether1-WAN-Fiber and
# FiberQueue, not to ether2-WAN-Cable and CableQueue. This looks like a
# copy-paste slip: as written CableQueue has no children and the 5M limits sit
# inside the fibre tree - confirm the intended parents.
add max-limit=5M name=CableQueue parent=ether1-WAN-Fiber
add limit-at=2M max-limit=5M name=CableQueueVoice packet-mark=voice parent=FiberQueue priority=3
add max-limit=5M name=CableQueueBestEffort packet-mark=best_effort parent=FiberQueue priority=5
# Several sections in this export are empty (snmp community, logging action,
# bridge port, l2tp-server); presumably entries were trimmed before posting.
/snmp community
/system logging action
# The Dude monitoring server is enabled on this router.
/dude
set enabled=yes
# As posted no VLAN is actually configured: no ports are added to the bridge
# and the single bridge VLAN entry carries no vlan-ids and no tagged/untagged
# members. With vlan-filtering=yes on bridge1-lan, a working setup needs the
# member ports listed under "/interface bridge port" (with their pvid) and a
# "/interface bridge vlan" entry per VLAN naming vlan-ids and tagged/untagged
# ports.
/interface bridge port
/interface bridge vlan
add bridge=bridge1-lan
/interface l2tp-server server
# Addresses bound to the router: the LAN gateway on the bridge, then the public
# addresses on the uplinks (one /29 per uplink plus a /28 on the fibre port).
# 50.238.145.166 is present but disabled.
# NOTE(review): the public addresses are posted verbatim. When an export is
# shared publicly, replacing them with documentation ranges (e.g.
# 203.0.113.0/24) avoids tying the firewall and NAT layout in this export to a
# reachable network.
/ip address
add address=192.168.168.1/24 interface=bridge1-lan network=192.168.168.0
add address=50.238.145.163/29 interface=ether1-WAN-Fiber network=50.238.145.160
add address=96.70.56.130/29 interface=ether2-WAN-Cable network=96.70.56.128
add address=50.238.145.164/29 interface=ether1-WAN-Fiber network=50.238.145.160
add address=50.238.145.165/29 interface=ether1-WAN-Fiber network=50.238.145.160
add address=50.238.145.166/29 disabled=yes interface=ether1-WAN-Fiber network=50.238.145.160
add address=96.70.56.131/29 interface=ether2-WAN-Cable network=96.70.56.128
add address=96.70.56.132/29 interface=ether2-WAN-Cable network=96.70.56.128
add address=96.70.56.133/29 interface=ether2-WAN-Cable network=96.70.56.128
add address=50.238.145.162/29 interface=ether1-WAN-Fiber network=50.238.145.160
# Routed /28 block: .98 through .110 are all bound to the fibre uplink so that
# the NAT rules can map them to internal hosts.
add address=50.239.246.98/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.99/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.100/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.101/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.102/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.103/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.104/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.105/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.106/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.107/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.108/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.109/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
add address=50.239.246.110/28 comment="IPS LAN block 1" interface=ether1-WAN-Fiber network=50.239.246.96
# NOTE(review): both DHCP clients name interfaces (ether1-WAN-IPS,
# sfp1-WAN-DHCP) that are not defined anywhere in this export; ether1 is
# renamed to ether1-WAN-Fiber. Presumably leftovers from an earlier layout -
# confirm or remove.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN-IPS
add dhcp-options=hostname,clientid disabled=no interface=sfp1-WAN-DHCP
/ip dhcp-server lease
# allow-remote-requests=yes makes the router answer DNS queries from clients.
# The only thing keeping it from acting as an open resolver is the input-chain
# drop on both WAN interfaces in "/ip firewall filter"; that dependency is
# worth keeping in mind whenever those rules or the interface names change.
/ip dns
set allow-remote-requests=yes cache-max-ttl=10m servers=8.8.8.8,8.8.4.4
# Local override: voip.kvik.net resolves to an internal host for LAN clients.
/ip dns static
add address=192.168.168.15 name=voip.kvik.net ttl=10m
# "NotPublic": special-purpose and private ranges that should never show up as
# a source address on an Internet-facing interface. The filter rules drop such
# sources on both uplinks.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
# NOTE(review): "zimbra_internal" is not referenced by any filter, NAT or
# mangle rule in this export - confirm whether it is still needed.
add address=192.168.168.206 list=zimbra_internal
add address=192.168.168.207 list=zimbra_internal
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# Rules that carry no action= use the default action, accept.
add chain=input comment="Accept established and related packets" connection-state=established,related
# Everything arriving on the LAN bridge is accepted, so every LAN host can
# reach the router's own services (management, DNS, SNMP, The Dude).
add chain=input comment="Accept all connections from local network" in-interface=bridge1-lan
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1-WAN-Fiber src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=ether2-WAN-Cable src-address-list=NotPublic
# Closing drops for both uplinks: no new connection from the Internet reaches
# the router itself.
add action=drop chain=input in-interface=ether1-WAN-Fiber
add action=drop chain=input in-interface=ether2-WAN-Cable
# --- forward chain: traffic routed through the router ---
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
# New connections from either uplink are dropped unless a dst-nat rule has
# already translated them.
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN-Fiber
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether2-WAN-Cable
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1-WAN-Fiber src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=ether2-WAN-Cable src-address-list=NotPublic
# Disabled on purpose (see its comment). NOTE(review): with this rule off and
# no other LAN-to-LAN rule in the chain, traffic between VLANs would be
# forwarded without restriction once VLANs exist; if the VLANs are meant to
# separate hosts, explicit inter-VLAN rules are needed.
add action=drop chain=forward comment="Please keep this rule disabled for traffic between VLANS !!!!!!!!!!!" disabled=yes dst-address-list=NotPublic in-interface=bridge1-lan
# Anti-spoofing for the LAN side: only 192.168.0.0/16 sources may leave the
# bridge.
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=bridge1-lan src-address=!192.168.0.0/16
# NOTE(review): the accept rules from here on are the last rules of the forward
# chain and no drop follows them, so a packet that matches none of them is
# still forwarded (end of chain = accept). As posted they therefore do not
# limit which ports reach the dst-natted hosts: the NAT section translates
# whole public addresses without a port match, and any dst-natted new
# connection has already passed the "not dst-natted" drops. If the port lists
# are meant as an allow-list, the chain needs a closing drop for
# in-interface=ether1-WAN-Fiber and ether2-WAN-Cable after them.
# This first rule has no in-interface, so it matches UDP 10000-20000 in any
# direction.
add action=accept chain=forward comment="Internal managed " dst-port=10000-20000 protocol=udp
add action=accept chain=forward dst-port=1194 in-interface=ether1-WAN-Fiber protocol=udp
add action=accept chain=forward dst-port=80,443 in-interface=ether1-WAN-Fiber protocol=tcp
add action=accept chain=forward dst-port=25,110,995,143,993,7071,7072,7110,7995,7143,7993 in-interface=ether1-WAN-Fiber protocol=tcp
add action=accept chain=forward dst-port=21,10090-10100 in-interface=ether1-WAN-Fiber protocol=tcp
# NOTE(review): 3389 is the default RDP port (the NAT rule tagged "RDP" maps
# to it) and is accepted here from the whole Internet. A src-address-list
# restriction, or access only over the VPN on udp/1194, would narrow the
# exposure. The same applies to 33389, 33333 and 3050.
add action=accept chain=forward dst-port=3389 in-interface=ether1-WAN-Fiber protocol=tcp
add action=accept chain=forward dst-port=9090 in-interface=ether1-WAN-Fiber protocol=tcp
add action=accept chain=forward dst-port=33389 in-interface=ether1-WAN-Fiber protocol=tcp
add action=accept chain=forward dst-port=8989 in-interface=ether1-WAN-Fiber protocol=tcp
add action=accept chain=forward dst-port=3050 in-interface=ether1-WAN-Fiber protocol=tcp
add action=accept chain=forward dst-port=33333 in-interface=ether1-WAN-Fiber protocol=tcp
# Marking for the queue tree: every connection sourced from 192.168.0.0/16 gets
# the connection mark best_effort_con, and packets are then marked from the
# connection mark.
# NOTE(review): no rule in this export sets the connection mark voice_con, so
# the "voice" packet mark is never applied and the voice queues never match -
# confirm whether a voice-marking rule was dropped from the post.
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=best_effort_con src-address=192.168.0.0/16
add action=mark-packet chain=forward connection-mark=voice_con new-packet-mark=voice
add action=mark-packet chain=forward connection-mark=best_effort_con new-packet-mark=best_effort
/ip firewall nat
# One-to-one mappings: each pair src-nats an internal server to its own public
# address and dst-nats that public address back to the server.
# NOTE(review): the dst-nat halves match on dst-address only, with no protocol
# or port, so every port of the internal host is translated. What is actually
# reachable then depends entirely on the forward chain - see the filter
# section, which has no closing drop.
add action=src-nat chain=srcnat comment="MAIL mx.kvik.net" out-interface=ether1-WAN-Fiber src-address=192.168.168.206 to-addresses=50.239.246.98
add action=dst-nat chain=dstnat dst-address=50.239.246.98 in-interface=ether1-WAN-Fiber to-addresses=192.168.168.206
# .99 -> .252 has a dst-nat rule only; its outbound traffic falls through to
# the general src-nat rule (comment=168) and leaves as 50.238.145.163.
add action=dst-nat chain=dstnat dst-address=50.239.246.99 in-interface=ether1-WAN-Fiber to-addresses=192.168.168.252
add action=src-nat chain=srcnat comment="WEB SERVER wx.kvik.net" out-interface=ether1-WAN-Fiber src-address=192.168.168.253 to-addresses=50.239.246.100
add action=dst-nat chain=dstnat dst-address=50.239.246.100 in-interface=ether1-WAN-Fiber to-addresses=192.168.168.253
add action=src-nat chain=srcnat comment="VOIP" out-interface=ether1-WAN-Fiber src-address=192.168.168.250 to-addresses=50.238.145.162
add action=dst-nat chain=dstnat dst-address=50.238.145.162 in-interface=ether1-WAN-Fiber to-addresses=192.168.168.250
# Port forwards. These five rules match on port and "source is not
# 192.168.0.0/16" only - no dst-address and no in-interface - so they apply to
# any address that is not already caught by a one-to-one rule above, on either
# uplink.
# NOTE(review): pinning each rule to a dst-address and in-interface, and adding
# a src-address-list for the remote-desktop and database ports (3389, 33389,
# 3050), would narrow the exposure; a non-standard external port such as 33389
# does not by itself restrict who can connect.
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp src-address=!192.168.0.0/16 to-addresses=192.168.168.251
add action=dst-nat chain=dstnat dst-port=33389 protocol=tcp src-address=!192.168.0.0/16 to-addresses=192.168.168.240 to-ports=3389
add action=dst-nat chain=dstnat dst-port=8989 protocol=tcp src-address=!192.168.0.0/16 to-addresses=192.168.168.240
add action=dst-nat chain=dstnat dst-port=3050 protocol=tcp src-address=!192.168.0.0/16 to-addresses=192.168.168.251 to-ports=3050
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp src-address=!192.168.0.0/16 to-addresses=192.168.168.245
# General outbound NAT for the rest of the LAN, one rule per uplink. These sit
# after the per-server src-nat rules, so the servers keep their own addresses.
add action=src-nat chain=srcnat comment=168 out-interface=ether1-WAN-Fiber src-address=192.168.0.0/16 to-addresses=50.238.145.163
add action=src-nat chain=srcnat out-interface=ether2-WAN-Cable src-address=192.168.0.0/16 to-addresses=96.70.56.130
add action=dst-nat chain=dstnat comment="RDP" dst-address=50.239.246.101 dst-port=33333 protocol=tcp src-address=!192.168.0.0/16 to-addresses=192.168.168.241 to-ports=3389
# NOTE(review): the RTP target 192.168.181.2 lies outside 192.168.168.0/24 and
# this export shows no address or route for 192.168.181.0 - confirm the target
# is reachable (it may be one of the VLANs still to be added).
add action=dst-nat chain=dstnat comment=RTP dst-address=50.238.145.163 dst-port=10000-20000 protocol=udp src-address=!192.168.0.0/16 to-addresses=192.168.181.2
# All listed connection-tracking helpers are switched off, including the SIP
# helper.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
/ip ipsec peer
/ip ipsec policy
# Two default routes; the fibre gateway (distance=1) is preferred over the
# cable gateway (distance=2).
# NOTE(review): neither route sets check-gateway, so presumably the backup is
# used only when the fibre route itself goes inactive - confirm the intended
# failover behaviour.
/ip route
add distance=1 gateway=50.238.145.161
add distance=2 gateway=96.70.56.134
# telnet, ftp, www and ssh are disabled. Services not listed here (for example
# winbox and api) keep their defaults; the export shows no address= restriction
# on them, so any LAN host accepted by the input chain can reach them.
# NOTE(review): confirm which management services are really needed and
# consider limiting them with address= to an admin subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/lcd
set time-interval=daily
/ppp secret
# SNMP is enabled while the "/snmp community" section of this export is empty,
# so presumably the default community is still in use - confirm, and prefer a
# non-default community restricted by address. The input chain blocks SNMP from
# both uplinks but not from the LAN.
/snmp
set enabled=yes
# NOTE(review): "America" looks like a truncated time-zone name (normally
# Region/City) - probably shortened before posting.
/system clock
set time-zone-name=America
# Log routing: general topics go to the "remote" action, account and critical
# topics to an action named "logging".
# NOTE(review): "/system logging action" is empty in this export, so neither
# the remote syslog target nor the definition of the "logging" action is
# visible here - confirm both exist on the router, otherwise these rules
# have nowhere to send events.
/system logging
add action=remote topics=script,info,dhcp,error,system,critical,warning
add action=logging topics=account
add action=logging prefix="login failure" topics=critical
/system routerboard settings
set silent-boot=no
/system scheduler
/tool sniffer

