Настройка локального ike2 vps на белом ip, предоставленным vpn-isp

Обсуждение ПО и его настройки
Ответить
yalta
Сообщения: 4
Зарегистрирован: 14 мар 2019, 22:28

Мой vpn-isp (Purevpn) предоставляет белый ip, который я использую для локального ike сервера (настроен по общеизвестному мануалу). Подключение к Purevpn возможно двумя способами: pptp-соединение, либо ike2 пирринг.
Соединение из wan с моим локальным ike2 vps без проблем устанавливается на pptp линке. При использовании ike2 вместо pptp, соединение не устанавливается, и эту проблему не могу победить.
В обеих случаях, наблюдаю прилёт запросов сессии с клиента в input (для контроля, отсниффил и сравнил пакеты, всё норм), однако, никакой реакции на входящие пакеты локального ike2 vps нет. Описанная ситуация при заходе клиентом из wan.
При нахождении клиента в пределах сегмента lan – линк поднимается, что подтверждает нормальную жизнь моего локального vps.
Попытка прикрепить кофиг в зипе вызывает ошибку "Достигнут максимальный общий размер ваших вложений", хотя никаких вложений нет, поэтому
 конфиг здесь
# jul/21/2022 15:17:33 by RouterOS 6.49.6
# software id = PQPN-4KRF
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E0000095C0
/interface bridge add admin-mac=91:F1:1B:27:36:F2 auto-mac=no name=IPsec-Bridge
/interface bridge add admin-mac=71:41:21:B1:D1:27 arp=proxy-arp auto-mac=no name=bridge
/interface bridge add arp=reply-only name=guest_bridge
/interface bridge add name=vpn-blackhole protocol-mode=none
/interface ethernet set [ find default-name=ether1 ] advertise=100M-full,1000M-half,1000M-full arp=local-proxy-arp name=Port1_toFloor3
/interface ethernet set [ find default-name=ether2 ] name=Port2_Komp
/interface ethernet set [ find default-name=ether3 ] name=Port3_service
/interface ethernet set [ find default-name=ether6 ] name=Port6_toCap_small_house_1_floor
/interface ethernet set [ find default-name=ether7 ] name="Port7_Shtyl"
/interface ethernet set [ find default-name=ether8 ] name=Port8_DSL
/interface ethernet set [ find default-name=ether9 ] name=Port9_toCap4
/interface ethernet set [ find default-name=ether10 ] name=Port10_toCap2 poe-out=forced-on
/interface ethernet set [ find default-name=ether4 ] name=x_ether4
/interface ethernet set [ find default-name=ether5 ] name=x_ether5
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes name=x_sfp-sfpplus1
/interface wireless
# managed by CAPsMAN
# channel: 2437/20/gn(18dBm), SSID: HomeNet_2.4, CAPsMAN forwarding
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set frequency-mode=manual-txpower name=wlan_2.4 ssid=MikroTik station-roaming=enabled
/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=46.243.123ё.47 mtu=1380 name=sit1 remote-address=216.66.66.46
/caps-man datapath add arp=proxy-arp bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=datapath_2.4
/caps-man datapath add arp=reply-only bridge=guest_bridge client-to-client-forwarding=no local-forwarding=no name=datapath_guest_2.4
/caps-man datapath add arp=proxy-arp bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=datapath_5.0
/caps-man datapath add arp=reply-only bridge=guest_bridge client-to-client-forwarding=no local-forwarding=no name=datapath_guest_5.0
/caps-man datapath add arp=proxy-arp bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=datapath_v_2.4
/caps-man datapath add arp=proxy-arp bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=datapath_v_5.0
/interface wireless add mac-address=BA:69:F4:E0:27:0A master-interface=wlan_2.4 name=wlan1
/interface wireless add mac-address=BA:69:F4:E0:27:0B master-interface=wlan_2.4 name=wlan2
/interface wireless add mac-address=B8:69:F4:E0:27:0B master-interface=wlan_2.4 name=wlan5
/interface wireless add mac-address=B8:69:F4:E0:27:0C master-interface=wlan_2.4 name=wlan6
/interface wireless add mac-address=BA:69:F4:E0:27:0C master-interface=wlan_2.4 name=wlan33
/interface wireless add mac-address=BA:69:F4:E0:27:0D master-interface=wlan_2.4 name=wlan34
/caps-man rates add basic=6Mbps name="GN only - no B rates" supported=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man rates add basic=12Mbps name="GN only - 12M Basic Rate" supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security add authentication-types=wpa2-psk encryption=aes-ccm group-key-update=1h name=HomeNet_2.4_5.0
/caps-man security add authentication-types=wpa2-psk encryption=aes-ccm group-key-update=5m name=guest_key
/caps-man configuration add country=ukraine datapath=datapath_2.4 distance=dynamic hw-protection-mode=none hw-retries=7 installation=any mode=ap multicast-helper=full name=cfg_2.4 rx-chains=0,1,2,3 security=HomeNet_2.4_5.0 ssid=HomeNet_2.4 tx-chains=0,1,2,3
/caps-man configuration add country=ukraine datapath=datapath_guest_2.4 distance=dynamic hw-protection-mode=none installation=any mode=ap name=guest_cfg_2.4 rx-chains=0,1,2,3 security=guest_key ssid=Yalta tx-chains=0,1,2,3
/caps-man configuration add country=ukraine datapath=datapath_5.0 distance=dynamic hw-protection-mode=none hw-retries=7 installation=any mode=ap multicast-helper=full name=cfg_5.0 rx-chains=0,1,2,3 security=HomeNet_2.4_5.0 ssid=HomeNet_5.0 tx-chains=0,1,2,3
/caps-man configuration add country=ukraine datapath=datapath_guest_5.0 distance=dynamic hw-protection-mode=none hw-retries=7 installation=any mode=ap name=guest_cfg_5.0 rx-chains=0,1,2,3 security=guest_key ssid=Yalta tx-chains=0,1,2,3
/caps-man configuration add datapath=datapath_v_2.4 mode=ap name=v_cfg_2.4 rx-chains=0,1,2,3 security=HomeNet_2.4_5.0 ssid=HomeNet tx-chains=0,1,2,3
/caps-man configuration add country=ukraine datapath=datapath_v_5.0 installation=any mode=ap multicast-helper=full name=v_cfg_5.0 rx-chains=0,1,2,3 security=HomeNet_2.4_5.0 ssid=HomeNet tx-chains=0,1,2,3
/interface ethernet switch port set 0 default-vlan-id=0
/interface ethernet switch port set 1 default-vlan-id=0
/interface ethernet switch port set 2 default-vlan-id=0
/interface ethernet switch port set 3 default-vlan-id=0
/interface ethernet switch port set 4 default-vlan-id=0
/interface ethernet switch port set 5 default-vlan-id=0
/interface ethernet switch port set 6 default-vlan-id=0
/interface ethernet switch port set 7 default-vlan-id=0
/interface ethernet switch port set 8 default-vlan-id=0
/interface ethernet switch port set 9 default-vlan-id=0
/interface ethernet switch port set 10 default-vlan-id=0
/interface ethernet switch port set 11 default-vlan-id=0
/interface list add name=WAN
/interface list add name=LAN
/interface list add exclude=dynamic name=discover
/interface list add name=mac-winbox
/interface list add exclude=dynamic name=vcaps
/interface list add name=guests
/interface list add exclude=dynamic name=cap
/interface list add name=caps
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=HomeNet_2.4_5.0 supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 5180/20-Ce/ac/P(19dBm), SSID: HomeNet_5.0, CAPsMAN forwarding
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=0 band=5ghz-n/ac channel-width=20/40mhz-Ce country=japan frequency=5220 frequency-mode=manual-txpower hw-protection-mode=cts-to-self mode=ap-bridge name=wlan_5.0 security-profile=HomeNet_2.4_5.0 ssid=HomeNet_5.0 station-roaming=enabled tx-power=22 tx-power-mode=all-rates-fixed wmm-support=enabled wps-mode=disabled
/interface wireless add mac-address=76:4D:28:BA:D2:32 master-interface=wlan_5.0 name=wlan13
/interface wireless add mac-address=76:4D:28:BA:D2:33 master-interface=wlan_5.0 name=wlan14
/interface wireless add mac-address=76:4D:28:BA:D2:34 master-interface=wlan_5.0 name=wlan29
/interface wireless add mac-address=76:4D:28:BA:D2:35 master-interface=wlan_5.0 name=wlan30
/ip ipsec mode-config add connection-mark=through_vpn name="PureVPN mode config" responder=no src-address-list=local
/ip ipsec policy group add name="group vpn.ike2.comp"
/ip ipsec policy group add name=PureVPN
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile vpn.ike2.comp"
/ip ipsec profile add dh-group=ecp256,ecp384,ecp521,ec2n185,ec2n155,modp2048,modp1536,modp1024,modp768 enc-algorithm=aes-256,aes-128 hash-algorithm=sha384 name="PureVPN link profile"
/ip ipsec peer add address=be-ipsec.ptoserver.com comment="nl-ipsec.ptoserver.com se-ikev.ptoserver.com" exchange-mode=ike2 name="PureVPN server" profile="PureVPN link profile"
/ip ipsec peer add comment="" exchange-mode=ike2 local-address=46.243.140.47 name="peer PureVPN" passive=yes profile="profile vpn.ike2.comp"
/ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm name="proposal vpn.ike2.comp" pfs-group=none
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="PureVPN proposal" pfs-group=none
/ip pool add name=pool_base ranges=192.168.234.10-192.168.234.254
/ip pool add name=pool_guest ranges=192.168.235.10-192.168.235.254
/ip pool add name=dhcp_vlan10 ranges=192.168.210.10-192.168.210.254
/ip pool add name=ike2-pool ranges=10.1.88.2-10.1.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_base disabled=no interface=bridge lease-script="" lease-time=3d name=my_dhcp
/ip dhcp-server add add-arp=yes address-pool=pool_guest disabled=no interface=guest_bridge name=guest_dhcp
/ip ipsec mode-config add address-pool=ike2-pool address-prefix-length=32 name="modeconf vpn.ike2.car" split-include=0.0.0.0/0 static-dns=10.1.88.1 system-dns=no
/ipv6 dhcp-server option add code=23 name=OPTION_DNS_SERVERS value="'::1'"
/ipv6 dhcp-server option add code=24 name=OPTION_DOMAIN_LIST
/ppp profile add change-tcp-mss=yes name=PureVpn-encryption on-down="" use-upnp=no
/ppp profile add change-tcp-mss=yes name=CtDSL-PPPoE-profile on-up="" use-ipv6=no
/interface pppoe-client add allow=mschap1,mschap2 comment=DSL disabled=no interface=bridge keepalive-timeout=disabled name=CtDSL-PPPoE profile=CtDSL-PPPoE-profile user=suvorova_g@dsl.ukrtel.net
/interface pptp-client add allow=mschap2 comment=usfl1.pointtoserver.com connect-to=172.94.41.1 keepalive-timeout=20 max-mru=1500 name=pptp-PureVpn profile=PureVpn-encryption user=purevpn0s9357615
/queue simple add dst=pptp-PureVpn name="TrafficCounter pptp-PureVpn" queue=default/default target="" total-queue=default
/queue simple add dst=CtDSL-PPPoE name="TrafficCounter CtDSL-PPPoE" queue=default/default target="" total-queue=default
/routing bgp instance set default as=1 client-to-client-reflection=no disabled=yes ignore-as-path-len=yes router-id=1.1.1.1
/routing bgp instance add as=64515 client-to-client-reflection=no ignore-as-path-len=yes name=antifilter.download
/routing bgp instance add as=64999 client-to-client-reflection=no ignore-as-path-len=yes name=antifilter.network router-id=172.94.95.70
/system logging action set 0 memory-lines=10000
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager set enabled=yes
/caps-man manager interface set [ find default=yes ] forbid=yes
/caps-man manager interface add disabled=no forbid=yes interface=CtDSL-PPPoE
/caps-man manager interface add disabled=no forbid=yes
/caps-man manager interface add disabled=no forbid=yes interface=sit1
/caps-man manager interface add disabled=no interface=bridge
/interface bridge port add bridge=bridge interface=Port10_toCap2
/interface bridge port add bridge=bridge interface=Port1_toFloor3
/interface bridge port add bridge=bridge interface="Port7_Shtyl"
/interface bridge port add bridge=bridge interface=Port2_Komp
/interface bridge port add bridge=bridge interface=Port9_toCap4
/interface bridge port add bridge=bridge interface=Port3_service
/interface bridge port add bridge=bridge interface=Port6_toCap_small_house_1_floor
/interface bridge port add bridge=bridge interface=Port8_DSL
/interface bridge port add bridge=bridge interface=vcaps
/interface bridge port add bridge=bridge interface=guests
/ip firewall connection tracking set tcp-established-timeout=2m
/ip neighbor discovery-settings set discover-interface-list=discover
/ip settings set route-cache=no
/interface l2tp-server server set authentication=mschap2 default-profile=default keepalive-timeout=60 use-ipsec=yes
/interface list member add interface=bridge list=discover
/interface list member add interface=pptp-PureVpn list=WAN
/interface list member add interface=Port10_toCap2 list=LAN
/interface list member add disabled=yes interface=Port1_toFloor3 list=WAN
/interface wireless cap
#
set discovery-interfaces=bridge enabled=yes interfaces=wlan_2.4,wlan_5.0
/ip address add address=192.168.234.1/24 interface=bridge network=192.168.234.0
/ip address add address=192.168.235.1/24 interface=guest_bridge network=192.168.235.0
/ip address add address=10.1.88.1/24 interface=IPsec-Bridge network=10.1.88.0
/ip cloud set ddns-enabled=yes update-time=no
/ip dhcp-server network add address=192.168.210.0/24 gateway=192.168.210.1
/ip dhcp-server network add address=192.168.234.0/24 dns-server=192.168.234.1 gateway=192.168.234.1
/ip dhcp-server network add address=192.168.235.0/24 dns-server=77.88.8.8,77.88.8.1 gateway=192.168.235.1 netmask=24
/ip dhcp-server network add address=192.168.236.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.236.1 netmask=24
/ip dns set allow-remote-requests=yes servers=8.8.8.8 use-doh-server=https://dns.google/dns-query
/ip dns static add address=192.168.234.1 comment="Windows NTP" name=time.windows.com ttl=3d
/ip dns static add address=192.168.234.1 name=pool.ntp.org ttl=3d
/ip dns static add address=192.168.234.1 name=time.nist.gov ttl=3d
/ip dns static add address=192.168.8.1 name=mylte.com
/ip dns static add address=8.8.8.8 comment="DNS resolve for DoH" name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns static add disabled=yes forward-to=159.148.147.201 regexp=".*\\.sn\\.mynetname\\.net\$" type=FWD
/ip dns static add disabled=yes forward-to=159.148.172.251 regexp=".*\\.sn\\.mynetname\\.net\$" type=FWD
/ip firewall address-list add address=192.168.234.1 list=local
/ip firewall filter add action=accept chain=input comment="" connection-state=established,related,untracked log-prefix=>>>
/ip firewall filter add action=accept chain=input connection-mark=through_vpn
/ip firewall filter add action=accept chain=input comment="\C4\EE\F1\F2\F3\EF \EA winbox " dst-port=8291 protocol=tcp
/ip firewall filter add action=accept chain=input comment="Access to local server l2tp+ipsec bozza.ru/art-248.html" connection-state="" dst-port=500,4500 log=yes log-prefix=ike2-udp>>> protocol=udp
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
/ip firewall filter add action=accept chain=input connection-state=new dst-port=9,67 in-interface-list=all log-prefix=wol>>> protocol=udp
/ip firewall filter add action=accept chain=input comment="https://forum.mikrotik.com/viewtopic.ph ... 53#p729103" dst-port=5246,5247 protocol=udp
/ip firewall filter add action=accept chain=output comment="Allow ping ICMP from anywhere https://serveradmin.ru/mikrotik-nastroy ... -firewall/" disabled=yes log=yes log-prefix="icmp out >>" protocol=icmp
/ip firewall filter add action=passthrough chain=input log-prefix="from_192.168.234.3 >" src-address=192.168.234.3
/ip firewall filter add action=passthrough chain=output dst-address=192.168.234.3 log-prefix=to_192.168.234.3>>
/ip firewall filter add action=accept chain=input comment="Allow ping ICMP from anywhere serveradmin.ru/mikrotik-nastroyka-prostogo-firewall/" log-prefix="icmp in >>" protocol=icmp
/ip firewall filter add action=drop chain=input comment="Access deny to other ports" dst-port=1-8,10-66,68-499,501-4499,4501-65535 in-interface-list=WAN log-prefix="!!!port forcing>>>" protocol=udp src-address=!10.1.88.0/24
/ip firewall filter add action=accept chain=input ipsec-policy=in,ipsec src-address=10.1.88.0/24
/ip firewall filter add action=accept chain=input comment="IP Protocol 41 is one of the Internet Protocol numbers. Within the IPv4 header, the IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet." protocol=ipv6-encap
/ip firewall filter add action=accept chain=input comment="Local input \D0\E0\E7\F0\E5\F8\E5\ED\FB \E2\F1\E5 \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\FF \E8\E7 \EB\EE\EA\E0\EB\FC\ED\EE\E9 \F1\E5\F2\E8" in-interface-list=!WAN src-address=192.168.232.0/22
/ip firewall filter add action=drop chain=input comment="Drop invalid input" connection-state=invalid log-prefix="Drop invalid input>>>"
/ip firewall filter add action=drop chain=input comment="Drop all other input from Internet (Crimeatelecom-PPPoE)" in-interface-list=WAN log-prefix=in_drop>>>
/ip firewall filter add action=drop chain=input comment="\C4\EE\E1\E0\E2\EB\E5\ED\EE \EC\ED\EE\E9 \E4\EB\FF \F2\E5\F1\F2\E8\F0\EE\E2\E0\ED\E8\FF \CF\F0\E0\E2\E0\E8\EB\E0 15" connection-state=!invalid disabled=yes log=yes log-prefix=in_drop>>>
/ip firewall filter add action=accept chain=output protocol=ipv6-encap
/ip firewall filter add action=log chain=forward disabled=yes log=yes log-prefix=kl>> src-address=192.168.234.13
/ip firewall filter add action=accept chain=forward comment="Allow remote access from kl to Internet" disabled=yes dst-address-list=set_vpn log=yes log-prefix=kl>> src-address=192.168.234.50
/ip firewall filter add action=passthrough chain=forward comment="car ap" disabled=yes log=yes log-prefix=to_car>> src-address=192.168.234.32
/ip firewall filter add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to Home network" dst-address=192.168.232.0/22 ipsec-policy=in,ipsec src-address=10.1.88.0/24
/ip firewall filter add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to ANY network" dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.1.88.0/24
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment=https://gregory-gost.ru/mikrotik-fast-t ... obodu-cpu/ connection-state=established,related disabled=yes log-prefix=>>> protocol=udp
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes log-prefix=>>> protocol=tcp
/ip firewall filter add action=accept chain=forward connection-state=established,related log-prefix=>>>
/ip firewall filter add action=drop chain=forward comment="Drop invalid forward" connection-state=invalid log-prefix="Drop invalid forward>>>" src-address=!192.168.232.0/22
/ip firewall filter add action=accept chain=forward comment="Allow access from LAN to Internet" connection-state="" in-interface-list=!WAN log-prefix=>>>
/ip firewall filter add action=drop chain=forward log=yes log-prefix=fw_drop>>>
/ip firewall filter add action=accept chain=forward comment="" connection-nat-state=dstnat
/ip firewall filter add action=passthrough chain=forward comment="" connection-state=invalid disabled=yes dst-address=192.168.234.20 dst-port=80,8018,9100,9400 protocol=tcp src-address=192.168.234.0/24
/ip firewall filter add action=accept chain=forward comment="\EE\EF\F0\E5\E4\E5\EB\E5\ED\E8\FF dst.ip wifi \F0\EE\E7\E5\F2\EE\EA" disabled=yes log=yes log-prefix=lightl>>> src-address=192.168.234.120
/ip firewall filter add action=passthrough chain=input comment="Denon https://forum.mikrotik.com/viewtopic.php\?t=135405" disabled=yes dst-address-type=broadcast log=yes log-prefix=in-SSDP-Denon protocol=udp src-mac-address=00:05:CD:A1:A2:00
/ip firewall filter add action=passthrough chain=forward disabled=yes dst-address-type=!local log=yes log-prefix=fw-SSDP-Denon protocol=udp src-mac-address=00:05:CD:A1:A2:00
/ip firewall filter add action=log chain=output disabled=yes dst-address=!192.168.234.0/24 log=yes log-prefix="out >>>"
/ip firewall filter add action=log chain=output disabled=yes dst-address=159.148.147.201
/ip firewall filter add action=log chain=output disabled=yes dst-address=159.148.172.251
/ip firewall mangle add action=log chain=input disabled=yes dst-address=188.72.98.15 dst-port=500,4500 log=yes log-prefix=in_ike2_udp>> protocol=udp
/ip firewall mangle add action=log chain=prerouting comment="Restored swith .124" disabled=yes log=yes log-prefix=.124>> src-address=192.168.234.124
/ip firewall mangle add action=log chain=prerouting comment="\D1\E2\E5\F2 \E4\EE\EC\E8\EA 2 \FD\F2. \EA\EE\F0\E8\E4\EE\F0 .119" disabled=yes dst-address-list=!set_vpn log=yes log-prefix=.119>> src-address=192.168.234.119
/ip firewall mangle add action=log chain=prerouting disabled=yes dst-address-list=!set_vpn log=yes log-prefix=zs661kl>> src-address=192.168.234.11
/ip firewall mangle add action=mark-routing chain=prerouting disabled=yes dst-port=500 new-routing-mark=through_vpn passthrough=yes protocol=udp src-address=!5.254.73.172
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=list-antifilter new-connection-mark=through_vpn passthrough=yes src-address-list=local
/ip firewall mangle add action=mark-routing chain=prerouting comment="VPN blackhole when vpn session lost forum.mikrotik.com/viewtopic.php\?f=23&t=169273&p=850595&#p829817" dst-address-list=list-antifilter new-routing-mark=vpn_blackhole passthrough=no
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=set_vpn new-connection-mark=through_vpn passthrough=yes src-address-list=local
/ip firewall mangle add action=mark-routing chain=prerouting comment="VPN blackhole when vpn session lost" dst-address-list=set_vpn new-routing-mark=vpn_blackhole passthrough=no
/ip firewall mangle add action=mark-connection chain=output dst-address-list=set_vpn log-prefix=out_th_vpn>> new-connection-mark=through_vpn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output comment="VPN blackhole when vpn session lost forum.mikrotik.com/viewtopic.php\?f=23&t=169273&p=850595&#p829817" dst-address-list=set_vpn new-routing-mark=vpn_blackhole passthrough=no
/ip firewall mangle add action=mark-routing chain=output disabled=yes dst-address=!192.168.232.0/22 log=yes log-prefix=mangle_ike2>> new-routing-mark=through_vpn passthrough=yes src-address=188.72.98.15
/ip firewall mangle add action=change-mss chain=forward connection-mark=through_vpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall mangle add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\
\n10.1.88.0/24 to ANY" ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address=10.1.88.0/24 tcp-flags=syn tcp-mss=!0-1360
/ip firewall mangle add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\
\n10.1.88.0/24 to ANY" dst-address=10.1.88.0/24 ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall mangle add action=set-priority chain=postrouting comment="Set priority for WMM forum.mikrotik.com/viewtopic.php\?t=125152#p687972" disabled=yes log-prefix="fw_wmm >>" new-priority=from-dscp-high-3-bits passthrough=no
/ip firewall mangle add action=mark-routing chain=output comment="\E7\E0\EC\E5\ED\E5\ED \EF\F0\E0\E2\E8\EB\EE\EC \E2 ip route rule VPN out to client IP \EE\E1\ED\EE\E2\EB\FF\E5\F2\F1\FF \E8\E7 \EE\E1\F0\E0\E1\EE\F2\F7\E8\EA\E0 \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\FF PureVPN updating from PureVPN connect handler" disabled=yes log-prefix="out_PureVpn >>" new-routing-mark=through_vpn passthrough=yes src-address=46.243.239.199
/ip firewall mangle add action=log chain=input comment="VPN in from client IP \EE\E1\ED\EE\E2\EB\FF\E5\F2\F1\FF \E8\E7 \EE\E1\F0\E0\E1\EE\F2\F7\E8\EA\E0 \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\FF PureVPN updating from PureVPN connect handler" disabled=yes log=yes log-prefix="in_PureVpn >>" src-address=141.101.148.98
/ip firewall mangle add action=mark-routing chain=prerouting comment="\E7\E0\EF\EB\E0\F2\EA\E0 \E4\EB\FF \EF\E8\ED\E3\EE\E2" disabled=yes log-prefix="icmp out >>" new-routing-mark=main passthrough=no protocol=!udp src-address=192.168.234.0/23
/ip firewall mangle add action=mark-routing chain=output comment=freedns.afraid.org disabled=yes dst-address=50.23.197.93 new-routing-mark=through_vpn passthrough=yes
/ip firewall mangle add action=mark-routing chain=output comment=freedns.afraid.org disabled=yes dst-address=69.42.215.252 new-routing-mark=through_vpn passthrough=yes
/ip firewall mangle add action=add-dst-to-address-list address-list=set_vpn address-list-timeout=12w6d chain=forward comment="\CF\E5\F0\E5\ED\E0\EF\F0\E0\E2\EB\FF\E5\F2 \E2 VPN \EF\F0\E8 \E4\EE\E1\E0\E2\EB\E5\ED\E8\E8 \E2 \EA\EE\ED\F6\E5 \E0\E4\F0\E5\F1\E0 \?vpn telegra.ph/Poluavtomaticheskij-obhod-blokirovok-sajtov-s-pomoshchyu-Mikrotik-PBR-i-VPN-08-12 " content="\?vpn" dst-address-list="!rkn, set_vpn, passed" log-prefix=">>set_vpn " protocol=tcp src-address=192.168.232.0/22
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward comment="Torrents - \EF\EE\E4\EA\EB\FE\F7\E5\ED\E8\FF \E8\E7 WAN" disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol=ut_pex protocol=tcp src-address=0.0.0.0 src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol=ut_pex_Teredo protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol=BitTorrent protocol=tcp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol=BitTorrent_Teredo protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol=DHT protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol=DHT_Teredo protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol="\B5TP_FIN" packet-size=48-54 protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol="\B5TP_FIN_Teredo" log=yes log-prefix=uTP_FIN_Teredo protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol="\B5TP_RESET" packet-size=48-54 protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol="\B5TP_RESET_Teredo" log=yes log-prefix=uTP_RESET_Teredo protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol="\B5TP_STATE" packet-size=48-54 protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol="\B5TP_STATE_Teredo" protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol="\B5TP_SYN" packet-size=48-54 protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=add-src-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address=192.168.234.0/24 dst-port=1024-65535 in-interface-list=WAN layer7-protocol="\B5TP_SYN_Teredo" log=yes log-prefix=uTP_SYN_Teredo protocol=udp src-address-list=!p2p-seeds src-port=1024-65535
/ip firewall mangle add action=mark-routing chain=prerouting comment=all_udp_to_vpn disabled=yes dst-address=!192.168.232.0/22 dst-port=1024-65535 log-prefix=all_udp_to_vpn new-routing-mark=through_vpn passthrough=no protocol=udp src-address=192.168.232.0/22 src-port=1024-1700,1702-4499,4501-65535
/ip firewall mangle add action=mark-routing chain=prerouting comment=all_udp_to_vpn disabled=yes dst-address=!192.168.234.0/24 dst-port=51805 log-prefix=all_udp_to_vpn new-routing-mark=through_vpn passthrough=no protocol=udp src-address=192.168.234.0/24 src-port=1024-1700,1702-4499,4501-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward comment=all_udp_to_addr_list disabled=yes dst-address=!192.168.234.0/24 dst-port=1024-1700,1702-4499,4501-65535 log-prefix="ALL UDP" protocol=udp src-address=192.168.234.0/24 src-port=1024-1700,1702-4499,4501-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward comment=Torrents connection-state=!established,related disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol=ut_pex out-interface-list=WAN protocol=tcp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol=ut_pex_Teredo out-interface-list=WAN protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol=BitTorrent log=yes log-prefix="111 >>>" out-interface-list=WAN protocol=tcp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol=BitTorrent_Teredo out-interface-list=WAN protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol=DHT log-prefix=DHT out-interface-list=WAN protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol=DHT_Teredo out-interface-list=WAN protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol="\B5TP_FIN" out-interface-list=WAN packet-size=48-54 protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol="\B5TP_FIN_Teredo" out-interface-list=WAN protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol="\B5TP_SYN" log=yes log-prefix=uTP_SYN out-interface-list=WAN packet-size=48-54 protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol="\B5TP_SYN_Teredo" log=yes log-prefix=uTP_SYN_Teredo out-interface-list=WAN protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol="\B5TP_STATE" out-interface-list=WAN packet-size=48-54 protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol="\B5TP_STATE_Teredo" out-interface-list=WAN protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol="\B5TP_RESET" out-interface-list=WAN packet-size=48-54 protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=add-dst-to-address-list address-list=p2p-seeds address-list-timeout=6h chain=forward disabled=yes dst-address-list=!p2p-seeds dst-port=1024-65535 layer7-protocol="\B5TP_RESET_Teredo" log=yes log-prefix=uTP_RESET_Teredo out-interface-list=WAN protocol=udp src-address=192.168.234.0/24 src-port=1024-65535
/ip firewall mangle add action=mark-connection chain=forward disabled=yes dst-address=192.168.234.0/24 new-connection-mark=p2p-cmark passthrough=yes src-address-list=p2p-seeds
/ip firewall mangle add action=mark-connection chain=forward disabled=yes dst-address=!192.168.234.0/24 dst-address-list=p2p-seeds new-connection-mark=p2p-cmark passthrough=yes
/ip firewall mangle add action=mark-packet chain=forward connection-mark=p2p-cmark disabled=yes dst-address=!192.168.234.0/24 log-prefix=222>>> new-packet-mark=through_vpn passthrough=no src-address=192.168.234.0/24
/ip firewall mangle add action=mark-routing chain=prerouting disabled=yes dst-address=!192.168.234.0/24 dst-address-list=p2p-seeds log-prefix=p2p_vpn_mark new-routing-mark=through_vpn passthrough=no src-address=192.168.234.0/24
/ip firewall mangle add action=accept chain=prerouting comment="\C7\E0\EF\EB\E0\F2\EA\E0 \E4\EB\FF E3372H-153 \EF\EE\F1\EA\EE\EB\FC\EA\F3 \E0\E4\F0\E5\F1 192.168.8.1 \E2\F5\EE\E4\E8\F2 \E2 hide_4g \F1\EF\E8\F1\EE\EA" dst-address=192.168.8.1 src-address=192.168.232.0/22
/ip firewall mangle add action=accept chain=prerouting comment="\C7\E0\EF\EB\E0\F2\EA\E0 \E4\EB\FF Dlink" dst-address=192.168.234.6 src-address=192.168.232.0/22
/ip firewall mangle add action=mark-routing chain=prerouting comment="\D1\EE\EA\F0\FB\F2\E8\E5 \E4\EB\FF \EC\EE\E1.\EE\EF. ip \F5\E0\F0\E0\EA\F2\E5\F0\ED\FB\F5 \E4\EB\FF windows" dst-address-list=hide_4g new-routing-mark=through_vpn passthrough=yes src-address=192.168.232.0/22
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=rkn new-routing-mark=through_vpn passthrough=yes src-address=192.168.232.0/22
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=set_vpn log-prefix="through_vpn >>>" new-routing-mark=through_vpn passthrough=yes src-address=192.168.232.0/22
/ip firewall nat add action=dst-nat chain=dstnat dst-port=9 protocol=udp to-addresses=192.168.234.254 to-ports=9
/ip firewall nat add action=masquerade chain=srcnat comment="MSQRD IKE2:10.1.88.0/24 -->\r\nWAN traffic" ipsec-policy=out,none src-address=10.1.88.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="/22 \F3\F1\F2\E0\ED\EE\E2\EB\E5\ED\EE \F1 \E7\E0\EF\E0\F1\EE\EC" out-interface-list=WAN src-address=192.168.232.0/22
/ip firewall nat add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN src-address=192.168.234.0/24
/ip firewall nat add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN src-address=192.168.235.0/24
/ip firewall nat add action=accept chain=dstnat comment=l2tp+ipsec disabled=yes dst-port=500,4500 in-interface=pptp-PureVpn log=yes log-prefix=dst-nat>>> protocol=udp to-addresses=192.168.234.1
/ip firewall nat add action=dst-nat chain=dstnat comment="Redirect DNS-requests to router" dst-address-type=!local dst-port=53 in-interface-list=vcaps protocol=udp to-addresses=192.168.234.1
/ip firewall nat add action=dst-nat chain=dstnat comment="Redirect DNS-requests to router" dst-address-type=!local dst-port=53 in-interface-list=vcaps protocol=tcp to-addresses=192.168.234.1
/ip firewall raw add action=log chain=prerouting disabled=yes log=yes log-prefix=raw_inIpsec>> src-address=85.193.67.13
/ip firewall raw add action=log chain=prerouting disabled=yes dst-address=188.72.98.15 log=yes log-prefix=rawIn_ike2>> src-address=85.193.67.41
/ip firewall raw add action=log chain=output disabled=yes dst-address=85.193.67.41 log=yes log-prefix=rawOut_ike2>> src-address=188.72.98.15
/ip firewall raw add action=log chain=prerouting disabled=yes log=yes log-prefix=.7>>
/ip ipsec identity add auth-method=digital-signature certificate=vpn.ike2.comp generate-policy=port-strict match-by=certificate mode-config="modeconf vpn.ike2.car" notrack-chain=output peer="peer PureVPN" policy-template-group="group vpn.ike2.comp" remote-certificate=kl@vpn.ike2.comp remote-id=user-fqdn:kl@vpn.ike2.comp
/ip ipsec identity add auth-method=digital-signature certificate=vpn.ike2.comp generate-policy=port-strict match-by=certificate mode-config="modeconf vpn.ike2.car" peer="peer PureVPN" policy-template-group="group vpn.ike2.comp" remote-certificate=zs661kl@vpn.ike2.comp remote-id=user-fqdn:zs661kl@vpn.ike2.comp
/ip ipsec identity add auth-method=eap certificate=USERTrustRSACertificationAuthority eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="PureVPN mode config" notrack-chain=output peer="PureVPN server" policy-template-group=PureVPN username=purevpn0s9357615
/ip ipsec policy add disabled=yes dst-address=188.72.98.15/32 group="group vpn.ike2.comp" proposal="proposal vpn.ike2.comp" src-address=0.0.0.0/0 template=yes
/ip ipsec policy add dst-address=10.1.88.0/24 group="group vpn.ike2.comp" proposal="proposal vpn.ike2.comp" src-address=0.0.0.0/0 template=yes
/ip ipsec policy add dst-address=0.0.0.0/0 group=PureVPN proposal="PureVPN proposal" src-address=0.0.0.0/0 template=yes
/ip route add distance=1 gateway=vpn-blackhole routing-mark=vpn_blackhole
/ip route add comment=Yaltastar distance=15 gateway=192.168.234.7 pref-src=192.168.234.1
/ip route add comment=DSL distance=17 gateway=CtDSL-PPPoE pref-src=192.168.234.1
/ip route add comment="Cap .3" distance=18 gateway=192.168.234.3 pref-src=192.168.234.1
/ip route add distance=1 dst-address=192.168.210.0/24 gateway=192.168.234.32
/ip route rule add dst-address=192.168.235.0/24 src-address=192.168.234.0/24 table=main
/ip route rule add dst-address=192.168.234.0/24 src-address=192.168.235.0/24 table=main
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=192.168.234.0/24
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set winbox address=192.168.234.0/24,10.1.88.0/24
/ip service set api-ssl disabled=yes
/ip ssh set forwarding-enabled=remote
/ipv6 address add address=::2 advertise=no interface=sit1
/ipv6 address add address=::1 comment=::1 interface=bridge
/ipv6 dhcp-server add dhcp-option=OPTION_DNS_SERVERS,OPTION_DOMAIN_LIST interface=bridge name=dhcpv6-bridge
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500,33434 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=reject chain=output comment="Disable loop DNS-requests" dst-address=::1/128 dst-port=53 log-prefix=dns6_drop>> protocol=tcp reject-with=icmp-no-route
/ipv6 firewall filter add action=reject chain=output comment="Disable loop DNS-requests" dst-address=::1/128 dst-port=53 log-prefix=dns6_drop>> protocol=udp reject-with=icmp-no-route
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" disabled=yes src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" disabled=yes hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" disabled=yes protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" disabled=yes protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
/ipv6 firewall filter add action=drop chain=input comment="\D4\E0\E9\F0\E2\EE\EB \F0\E5\EA\EE\EC\E5\ED\E4\F3\E5\EC\FB\E9 \EF\EE \F3\EC\EE\EB\F7\E0\ED\E8\FE" connection-state=invalid disabled=yes
/ipv6 firewall filter add action=accept chain=forward disabled=yes dst-address-list="" out-interface-list=LAN
/ipv6 firewall filter add action=accept chain=input connection-state=established,related disabled=yes in-interface=sit1
/ipv6 firewall filter add action=accept chain=forward connection-state=established,related disabled=yes in-interface=sit1 out-interface=bridge
/ipv6 firewall filter add action=accept chain=input disabled=yes limit=50,5:packet protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward disabled=yes limit=50,5:packet log=yes log-prefix=ping6>> protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input disabled=yes dst-port=546 in-interface=sit1 protocol=udp
/ipv6 firewall filter add action=accept chain=forward disabled=yes in-interface=bridge out-interface=sit1
/ipv6 firewall filter add action=drop chain=input disabled=yes
/ipv6 firewall filter add action=drop chain=forward disabled=yes
/ipv6 firewall mangle add action=passthrough chain=forward comment=Komp dst-address=::200e/128 log-prefix="ipv6 >>" out-interface=sit1 protocol=icmpv6 src-address=:fbd6/128
/ipv6 firewall mangle add action=log chain=forward comment=Komp dst-address=:fbd6/128 in-interface=sit1 log-prefix="google6 >>" protocol=icmpv6 src-address=::200e/128
/ipv6 firewall mangle add action=passthrough chain=forward comment=tunnelbroker.net dst-address=::2/128 log-prefix="ipv6 >>" out-interface=sit1 protocol=icmpv6 src-address=:fbd6/128
/ipv6 firewall mangle add action=log chain=forward comment=tunnelbroker.net dst-address=:fbd6/128 in-interface=sit1 log-prefix="google6 >>" protocol=icmpv6 src-address=::2/128
/ipv6 firewall mangle add action=passthrough chain=forward comment=Komp dst-address=:fbd6/128 log-prefix="ipv6 >>"
/ipv6 firewall mangle add action=log chain=forward comment=Google log-prefix="ipv6 >>" src-address=::200e/128
/ipv6 firewall mangle add action=passthrough chain=forward comment=Komp log-prefix="ipv6 >>" src-address=:fbd6/128
/ipv6 firewall mangle add action=accept chain=forward comment=kl dst-address=:8059/128 log-prefix="ipv6 >>"
/ipv6 firewall mangle add action=accept chain=forward comment=K7 dst-address=:be9/128 log-prefix="ipv6 >>"
/ipv6 firewall mangle add action=passthrough chain=forward comment="Dell 1555" dst-address=:1fa3/128 log-prefix="ipv6 >>"
/ipv6 nd set [ find default=yes ] disabled=yes hop-limit=64 mtu=1380 other-configuration=yes
/ipv6 nd add hop-limit=64 interface=bridge mtu=1380 other-configuration=yes
/ipv6 route add distance=1 dst-address=2000::/3 gateway=::1
/ppp secret add name=kl remote-address=192.168.234.50 service=l2tp
/routing bgp peer add address-families=ip,ipv6 comment=antifilter.download/index.php disabled=yes hold-time=4m in-filter=bgp_in instance=antifilter.download keepalive-time=1m multihop=yes name=antifilter remote-address=45.154.73.71 remote-as=65432 ttl=default
/routing bgp peer add address-families=ip,ipv6 comment=antifilter.network/bgp disabled=yes hold-time=4m in-filter=bgp_in instance=antifilter.network keepalive-time=1m multihop=yes name=backup remote-address=51.75.66.20 remote-as=65444 ttl=default
/routing filter add action=accept chain=bgp_in comment="Set nexthop to VPN" disabled=yes set-in-nexthop-direct=pptp-PureVpn
/system clock set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system identity set name="Router .1"
/system leds add interface=wlan_2.4 leds=wlan_2.4_signal1-led,wlan_2.4_signal2-led,wlan_2.4_signal3-led,wlan_2.4_signal4-led,wlan_2.4_signal5-led type=wireless-signal-strength
/system leds add interface=wlan_2.4 leds=wlan_2.4_tx-led type=interface-transmit
/system leds add interface=wlan_2.4 leds=wlan_2.4_rx-led type=interface-receive
/system logging set 3 action=disk
/system logging add topics=wireless,caps,debug
/system logging add action=disk disabled=yes prefix="L2TPDBG===>" topics=l2tp
/system logging add action=disk disabled=yes prefix="IPSECDBG===>" topics=ipsec
/system ntp client set enabled=yes primary-ntp=85.199.214.99 secondary-ntp=193.30.120.245
/system ntp server set enabled=yes
/system routerboard settings set auto-upgrade=yes cpu-frequency=533MHz
/system watchdog set ping-timeout=3m watch-address=192.168.234.1
/tool e-mail set address=smtp.gmail.com from=c0@gmail.com port=587 start-tls=yes user=c0@gmail.com
/tool mac-server mac-winbox set allowed-interface-list=mac-winbox
/tool sniffer set filter-interface=Port2_Komp filter-ip-address=185.165.123.176/32 filter-ip-protocol=tcp
/tool traffic-monitor add interface=bridge name=tmon1 threshold=1000


yalta
Сообщения: 4
Зарегистрирован: 14 мар 2019, 22:28

Поиск решения наводит на мысль: поскольку пакеты прилетают в input (и отображаются в connections), хотелось бы видеть их дальнейшую "судьбу" в local process, но как это сделать не нахожу. Попытки найти соответствующий topic в logging - rules результат не дают.


Ответить