Mikrotik Concentrator

/ interface vlan 
#
# Six 802.1Q VLANs on ether1, one per upstream gateway (vlan-id 2..7).
# Only vlan-2-gw1, vlan-3-gw2 and vlan-4-gw3 are given addresses, NAT and
# mangle rules further down; vlan-5..7 appear only in the input-filter jumps
# and are presumably placeholders for future uplinks — confirm before
# relying on them.
# NOTE(review): every WAN VLAN rides on the same physical port as the
# untagged LAN (ether1, comment "LAN"), so LAN/WAN separation rests entirely
# on the VLAN handling of whatever switch sits in front of ether1 (not shown
# in this export). A port that leaks tags, or a host that can tag its own
# frames, would land directly on a gateway segment.
#
add name="vlan-2-gw1" mtu=1500 arp=enabled vlan-id=2 interface=ether1 \
    comment="Gateway 1 - COX Static Cable Modem" disabled=no 
add name="vlan-3-gw2" mtu=1500 arp=enabled vlan-id=3 interface=ether1 \
    comment="Gateway 2 - T1" disabled=no 
add name="vlan-4-gw3" mtu=1500 arp=enabled vlan-id=4 interface=ether1 \
    comment="Gateway 3 - Cox Dynamic Cable Modem" disabled=no 
add name="vlan-5-gw4" mtu=1500 arp=enabled vlan-id=5 interface=ether1 \
    comment="Gateway 4" disabled=no 
add name="vlan-6-gw5" mtu=1500 arp=enabled vlan-id=6 interface=ether1 \
    comment="Gateway 5" disabled=no 
add name="vlan-7-gw6" mtu=1500 arp=enabled vlan-id=7 interface=ether1 \
    comment="Gateway 6" disabled=no 

/ interface ethernet 
#
# The single physical port: carries the untagged LAN (192.168.2.1/24 in
# / ip address) plus the tagged gateway VLANs defined above. The fixed
# mac-address and speed=100Mbps are carried over from the original export;
# both auto-negotiation=yes and a forced speed are set — TODO confirm which
# takes effect on the target RouterOS version.
#
set ether1 name="ether1" mtu=1500 mac-address=00:30:48:93:10:E8 arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="LAN" disabled=no 

/ ip address 
#
# LAN address plus static addresses for gateways 1 and 2. Gateway 3
# (vlan-4-gw3) has no static address here; it is addressed by the
# dhcp-client entry further down.
# NOTE(review): the 69.18.98.229/27 entry is commented "Gateway 3 IP" but is
# bound to vlan-3-gw2 and is treated as gateway 2 everywhere else in this
# export (route via 69.18.98.225, the output-chain mark, NAT out vlan-3-gw2)
# — the comment looks like a typo for "Gateway 2 IP".
#
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 \
    interface=ether1 comment="LAN IP" disabled=no 
add address=10.10.20.30/24 network=10.10.20.0 broadcast=10.10.20.255 \
    interface=vlan-2-gw1 comment="Gateway 1 IP" disabled=no 
add address=69.18.98.229/27 network=69.18.98.224 broadcast=69.18.98.255 \
    interface=vlan-3-gw2 comment="Gateway 3 IP" disabled=no 

/ ip route 
#
# Default route in this setup is configured by the dhcp client on vlan-4-gw3
#
# The two routes below are per-gateway defaults that only apply to packets
# carrying routing-mark gw1 / gw2 (set in / ip firewall mangle). Neither
# route has check-gateway, so if a gateway's next hop goes down the
# connections round-robined onto that mark are not rerouted — TODO confirm
# that is intended, or add check-gateway and test failover.
#
add dst-address=0.0.0.0/0 gateway=10.10.20.1 distance=1 scope=255 \
    target-scope=10 routing-mark=gw1 comment="Default route for gateway 1" \
    disabled=no 
add dst-address=0.0.0.0/0 gateway=69.18.98.225 distance=1 scope=255 \
    target-scope=10 routing-mark=gw2 comment="Default route for gateway 2" \
    disabled=no 

/ ip firewall nat 
#
# Source NAT: masquerade per gateway. gw1 and gw2 are selected by the
# connection-mark set in mangle; gw3 is matched on out-interface alone.
#
# Destination NAT: tcp/8888 arriving on each of the three WAN interfaces is
# forwarded to 192.168.2.254:80.
# NOTE(review): 192.168.2.254 is inside dhcp_pool1 (192.168.2.2-192.168.2.254
# in / ip pool) and no static lease appears in this export, so the forward
# can end up pointing at whichever client is handed that lease — reserve the
# address or shrink the pool.
# NOTE(review): the forwarded service is reachable from all three gateways
# with no src-address restriction; if it is not meant to be public, limit
# the dst-nat rules (e.g. with the allowed-management list) or filter it in
# the forward chain — the filter section below has no forward rules at all.
#
add chain=srcnat action=masquerade out-interface=vlan-2-gw1 \
    connection-mark=gw1 comment="NAT out gateway 1" disabled=no 
add chain=srcnat action=masquerade out-interface=vlan-3-gw2 \
    connection-mark=gw2 comment="NAT out gateway 2" disabled=no 
add chain=srcnat action=masquerade out-interface=vlan-4-gw3 comment="NAT out \
    gateway 3" disabled=no 
add chain=dstnat action=dst-nat to-addresses=192.168.2.254 to-ports=80 \
    in-interface=vlan-2-gw1 dst-port=8888 protocol=tcp comment="" disabled=no 
add chain=dstnat action=dst-nat to-addresses=192.168.2.254 to-ports=80 \
    in-interface=vlan-3-gw2 dst-port=8888 protocol=tcp comment="" disabled=no 
add chain=dstnat action=dst-nat to-addresses=192.168.2.254 to-ports=80 \
    in-interface=vlan-4-gw3 dst-port=8888 protocol=tcp comment="" disabled=no 

/ ip firewall mangle 
#
# Connection and routing marks for the round-robin multi-WAN setup.
# - New connections arriving on a WAN VLAN get that gateway's
#   connection-mark (gw1, gw2, or "default" for gw3) so replies leave by
#   the same gateway.
# - New connections from the LAN side (in-interface=ether1) are spread
#   across the three gateways with nth=2,1,0 / 2,1,1 / 2,1,2 and then given
#   the matching routing-mark (gw1, gw2, or main). The three-value nth form
#   is the counter syntax of older RouterOS releases — TODO confirm it still
#   parses on the target version.
# - Output chain: locally originated traffic sourced from a gateway address
#   is marked for that gateway.
# NOTE(review): the last output rule (src-address=68.227.143.11) is
# action=passthrough with no new-routing-mark, so despite its comment it
# marks nothing; presumably gw3 traffic is meant to follow the dhcp-client's
# main-table default route. 68.227.143.11 appears nowhere else in this
# export — likely the address the dhcp-client held when the export was
# taken, so this rule is stale as soon as the lease changes.
#
add chain=prerouting action=mark-connection new-connection-mark=gw1 \
    passthrough=no connection-state=new in-interface=vlan-2-gw1 comment="Mark \
    inbound traffic connection on gateway 1" disabled=no 
add chain=prerouting action=mark-connection new-connection-mark=gw2 \
    passthrough=no connection-state=new in-interface=vlan-3-gw2 comment="Mark \
    inbound traffic connection on gateway 2" disabled=no 
add chain=prerouting action=mark-connection new-connection-mark=default \
    passthrough=no connection-state=new in-interface=vlan-4-gw3 comment="Mark \
    inbound traffic connection on gateway 3 \(default\)" disabled=no 
add chain=prerouting action=mark-connection new-connection-mark=gw1 \
    passthrough=yes connection-state=new in-interface=ether1 nth=2,1,0 \
    comment="Round robin out to gateway 1 - mark connection" disabled=no 
add chain=prerouting action=mark-routing new-routing-mark=gw1 passthrough=no \
    in-interface=ether1 connection-mark=gw1 comment="" disabled=no 
add chain=prerouting action=mark-connection new-connection-mark=gw2 \
    passthrough=yes connection-state=new in-interface=ether1 nth=2,1,1 \
    comment="Round robin out to gateway 2 - mark connection" disabled=no 
add chain=prerouting action=mark-routing new-routing-mark=gw2 passthrough=no \
    in-interface=ether1 connection-mark=gw2 comment="" disabled=no 
add chain=prerouting action=mark-connection new-connection-mark=default \
    passthrough=yes connection-state=new in-interface=ether1 nth=2,1,2 \
    comment="Round robin out to gateway 3 \(default\) - mark connection" \
    disabled=no 
add chain=prerouting action=mark-routing new-routing-mark=main passthrough=no \
    in-interface=ether1 connection-mark=default comment="" disabled=no 
add chain=output action=mark-routing new-routing-mark=gw1 passthrough=no \
    src-address=10.10.20.30 comment="Mark local process outbound routing for \
    gateway 1" disabled=no 
add chain=output action=mark-routing new-routing-mark=gw2 passthrough=no \
    src-address=69.18.98.229 comment="Mark local process outbound routing for \
    gateway 2" disabled=no 
add chain=output action=passthrough src-address=68.227.143.11 comment="Mark \
    local process outbound routing for gateway 3" disabled=no 

/ ip firewall filter 
#
# All rules are in the input chain (traffic addressed to the router itself)
# or chains jumped to from it; there are no forward rules in this export.
#
# - Traffic from the LAN (ether1) goes to lan-forward-out, which only
#   accepts/blocks tcp/25 by address list and adds hosts exceeding
#   connection-limit=3,32 to smtp-possible-spammers; everything else falls
#   through. NOTE(review): because the jump is in the input chain this only
#   sees SMTP aimed at the router, not LAN->WAN SMTP through it — TODO
#   confirm whether a forward-chain jump was intended.
# - Traffic from any WAN VLAN whose source is NOT in allowed-management goes
#   to protect-wan, which drops a fixed set of service ports (21, 22, 23,
#   53 tcp+udp, 80, 443), hands ICMP to manage-icmp, and finishes with
#   action=passthrough.
# NOTE(review): protect-wan is a deny-list, not an allow-list — any router
# service not in that port list is not blocked by this chain, and nothing
# visible in the input chain drops what returns from protect-wan unmatched.
# Its final rule is commented "Log traffic WAN traffic" but is a plain
# passthrough; no action=log or log=yes exists anywhere in this export, so
# WAN hits on the router are not recorded. Consider an established/related
# accept followed by an explicit log+drop at the end of protect-wan (or of
# input), verifying first that the dhcp-client on vlan-4-gw3 and the
# allowed-management path keep working.
# - manage-icmp accepts echo, echo-reply and the listed error types and
#   drops the rest; it is not rate-limited.
#
add chain=input action=jump jump-target=lan-forward-out in-interface=ether1 \
    comment="Filter outbound traffic" disabled=no 
add chain=input action=jump jump-target=protect-wan in-interface=vlan-2-gw1 \
    src-address-list=!allowed-management comment="Filter WAN input" \
    disabled=no 
add chain=input action=jump jump-target=protect-wan in-interface=vlan-3-gw2 \
    src-address-list=!allowed-management comment="" disabled=no 
add chain=input action=jump jump-target=protect-wan in-interface=vlan-4-gw3 \
    src-address-list=!allowed-management comment="" disabled=no 
add chain=input action=jump jump-target=protect-wan in-interface=vlan-5-gw4 \
    src-address-list=!allowed-management comment="" disabled=no 
add chain=input action=jump jump-target=protect-wan in-interface=vlan-6-gw5 \
    src-address-list=!allowed-management comment="" disabled=no 
add chain=input action=jump jump-target=protect-wan in-interface=vlan-7-gw6 \
    src-address-list=!allowed-management comment="" disabled=no 
add chain=protect-wan action=drop dst-port=21 protocol=tcp comment="Protect \
    services running on the WAN interface" disabled=no 
add chain=protect-wan action=drop dst-port=22 protocol=tcp comment="" \
    disabled=no 
add chain=protect-wan action=drop dst-port=53 protocol=tcp comment="" \
    disabled=no 
add chain=protect-wan action=drop dst-port=53 protocol=udp comment="" \
    disabled=no 
add chain=protect-wan action=drop dst-port=23 protocol=tcp comment="" \
    disabled=no 
add chain=protect-wan action=drop dst-port=80 protocol=tcp comment="" \
    disabled=no 
add chain=protect-wan action=drop dst-port=443 protocol=tcp comment="" \
    disabled=no 
add chain=protect-wan action=jump jump-target=manage-icmp protocol=icmp \
    comment="" disabled=no 
add chain=protect-wan action=passthrough comment="Log traffic WAN traffic" \
    disabled=no 
add chain=lan-forward-out action=accept dst-port=25 protocol=tcp \
    src-address-list=smtp-allowed-outbound comment="SPAM: Allow traffic from \
    whitelist" disabled=no 
add chain=lan-forward-out action=drop dst-port=25 protocol=tcp \
    src-address-list=smtp-possible-spammers comment="SPAM: Block SMTP from \
    blacklist" disabled=no 
add chain=lan-forward-out action=add-src-to-address-list dst-port=25 \
    protocol=tcp connection-limit=3,32 address-list=smtp-possible-spammers \
    address-list-timeout=0s comment="SPAM: Test outbound connections for \
    connection limit" disabled=no 
add chain=manage-icmp action=accept protocol=icmp icmp-options=8:0 \
    comment="Allow pings" disabled=no 
add chain=manage-icmp action=accept protocol=icmp icmp-options=0:0 \
    comment="Accept responses to our pings" disabled=no 
add chain=manage-icmp action=accept protocol=icmp icmp-options=3:0 comment="# \
    Accept notifications of unreachable hosts" disabled=no 
add chain=manage-icmp action=accept protocol=icmp icmp-options=4:0 comment="# \
    Accept notifications to reduce sending speed" disabled=no 
add chain=manage-icmp action=accept protocol=icmp icmp-options=11:0 comment="# \
    Accept notifications of lost packets" disabled=no 
add chain=manage-icmp action=accept protocol=icmp icmp-options=12:0 comment="# \
    Accept notifications of protocol problems" disabled=no 
add chain=manage-icmp action=drop protocol=icmp comment="Drop all other ICMP \
    traffic" disabled=no 

/ ip firewall address-list 
#
# Sources exempt from the protect-wan jumps in / ip firewall filter: traffic
# from these addresses on any WAN VLAN bypasses protect-wan entirely. Keep
# the list short and review it whenever the upstream addressing changes;
# the smtp-* lists referenced by lan-forward-out are populated at runtime
# and have no static entries here.
#
add list=allowed-management address=69.18.98.2 comment="" disabled=no 
add list=allowed-management address=69.18.98.1 comment="" disabled=no 
add list=allowed-management address=70.164.52.174 comment="" disabled=no 
add list=allowed-management address=69.18.98.226 comment="" disabled=no 

/ ip dhcp-client 
#
# Gateway 3 (vlan-4-gw3) is addressed by DHCP and, via add-default-route=yes,
# supplies the default route for unmarked/main-table traffic (see the
# comment in / ip route). use-peer-dns=yes and use-peer-ntp=yes hand the
# upstream provider's DNS and NTP servers to the router — presumably
# intended; TODO confirm a fixed resolver is not expected instead.
#
add interface=vlan-4-gw3 add-default-route=yes use-peer-dns=yes \
    use-peer-ntp=yes comment="" disabled=no 

/ ip dhcp-server 
#
# LAN DHCP on ether1 from dhcp_pool1 (defined in / ip pool). No static
# leases appear in this export, although / ip firewall nat forwards tcp/8888
# to 192.168.2.254, an address inside that pool — add a lease for it or
# exclude it from the pool.
#
add name="dhcp1" interface=ether1 lease-time=3d address-pool=dhcp_pool1 \
    bootp-support=static authoritative=after-2sec-delay disabled=no 

/ ip pool 
#
# Pool handed out by dhcp1. The range ends at .254, the same host the
# dst-nat rules in / ip firewall nat forward to; end the range at .253 or
# pin .254 with a static lease so the forward cannot drift to another client.
#
add name="dhcp_pool1" ranges=192.168.2.2-192.168.2.254