# may/10/2021 09:43:06 by RouterOS 6.48.2
# software id = CIX6-9KV7
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E00AC0E34C
# NOTE(review): the export header carries the device serial number and the
# software id; both identify this unit and are better stripped, together with
# secrets, before a configuration is shared.
# NOTE(review): the header shows RouterOS 6.48.2 at export time; confirm the
# router runs a currently supported release.
#
# Four bridges are declared here; ports are attached to them under
# "/interface bridge port".
/interface bridge
add name=Bridge-6-10
add name=Bridge-ET
add name=Bridge-PC
add name=Bridge-WLAN
# Local radios: wlan2 becomes the 2.4 GHz access point "WLAN", wlan1 the
# 5 GHz access point "WLAN(5G)". Both run in ap-bridge mode.
# No security-profile is set on either interface, so both presumably use the
# default profile from "/interface wireless security-profiles" - confirm.
# NOTE(review): frequency-mode=superchannel is documented by MikroTik as a
# conformance-testing mode that allows every channel the card supports, so
# the country=russia3 setting does not constrain the radio here. Together with
# tx-power-mode=all-rates-fixed this takes the radio outside regulatory
# limits; confirm this is intended.
/interface wireless
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-b/g/n country=\
russia3 disabled=no frequency=2442 frequency-mode=superchannel mode=\
ap-bridge name=WLAN ssid=************ station-roaming=enabled \
tx-power-mode=all-rates-fixed
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-a/n/ac \
channel-width=20/40/80/160mhz-Ceeeeeee country=russia3 disabled=no \
frequency-mode=superchannel mode=ap-bridge name="WLAN(5G)" ssid=\
"COVID-19 5G Test Tower" station-roaming=enabled tx-power=19 \
tx-power-mode=all-rates-fixed
# Renames ether1..ether10 to LAN1..LAN10 and sets l2mtu=1598 on each.
# LAN1 (comment=MTS) is the port the PPPoE client runs over, i.e. the uplink.
# LAN1-LAN4 and LAN10 are pinned to 100Mbps.
# loop-protect is explicitly off on LAN3 and on for LAN10; the other ports
# keep whatever the default is.
# The SFP+ cage is renamed "SPF" and disabled.
/interface ethernet
set [ find default-name=ether1 ] comment=MTS l2mtu=1598 name=LAN1 speed=\
100Mbps
set [ find default-name=ether2 ] comment=CUP l2mtu=1598 name=LAN2 speed=\
100Mbps
set [ find default-name=ether3 ] comment=ET l2mtu=1598 loop-protect=off name=\
LAN3 speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1598 name=LAN4 speed=100Mbps
set [ find default-name=ether5 ] comment=ET-Storage l2mtu=1598 name=LAN5
set [ find default-name=ether6 ] l2mtu=1598 name=LAN6
set [ find default-name=ether7 ] l2mtu=1598 name=LAN7
set [ find default-name=ether8 ] l2mtu=1598 name=LAN8
set [ find default-name=ether9 ] l2mtu=1598 name=LAN9
set [ find default-name=ether10 ] l2mtu=1598 loop-protect=on name=LAN10 \
poe-out=off speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] disabled=yes name=SPF
# WAN session: PPPoE client "PPPOE(MTS)" over LAN1, installing the default
# route (add-default-route=yes). Credentials are masked in this export.
# use-peer-dns=yes accepts the DNS servers offered by the PPPoE peer.
# keepalive-timeout=disabled turns off keepalive-based dead-link detection.
# NOTE(review): this interface is the internet-facing side; the firewall
# input and forward chains should treat it (or all-ppp) as untrusted.
/interface pppoe-client
add add-default-route=yes disabled=no interface=LAN1 keepalive-timeout=\
disabled name="PPPOE(MTS)" password=********** use-peer-dns=yes user=\
***********
# Nstreme settings for both local radios: polling is switched off.
/interface wireless nstreme
set WLAN enable-polling=no
set "WLAN(5G)" enable-polling=no
# CAPsMAN datapath: traffic from managed radios is bridged into Bridge-WLAN.
/caps-man datapath
add bridge=Bridge-WLAN name=datapath1
# CAPsMAN master configuration "cfg1": 2.4 GHz, 20 MHz control channel at
# 2472 MHz, WPA2-PSK with AES-CCM for both unicast and group traffic.
# The passphrase and SSID are masked in this export.
# NOTE(review): country=russia4 here differs from country=russia3 on the
# local radios; confirm which regulatory profile is intended.
/caps-man configuration
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz \
channel.frequency=2472 channel.tx-power=20 country=russia4 datapath=\
datapath1 datapath.bridge=Bridge-WLAN mode=ap name=cfg1 rx-chains=0,1,2,3 \
security.authentication-types=wpa2-psk security.encryption=aes-ccm \
security.group-encryption=aes-ccm security.passphrase=***************** \
ssid=*********** tx-chains=0,1,2,3
# Switch-chip port settings: ports 0-3 and 10 use default-vlan-id=auto,
# ports 4-9 and 11 use default-vlan-id=0.
# Only the default VLAN id is set here; no other per-port VLAN setting
# appears in this section of the export.
/interface ethernet switch port
set 0 default-vlan-id=auto
set 1 default-vlan-id=auto
set 2 default-vlan-id=auto
set 3 default-vlan-id=auto
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=auto
set 11 default-vlan-id=0
# Interface lists, by name meant for neighbor discovery, MAC telnet and
# MAC Winbox. Members are added under "/interface list member".
# NOTE(review): in this export neighbor discovery is set to "all" and the
# MAC telnet server to "none", so "discover" and "mactel" do not appear to be
# referenced; "mac-winbox" is not visibly applied either. Confirm the lists
# are actually bound to the services they were created for.
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
# Wireless security profiles: the default profile plus "WiFi-Guest" and
# "WiFi-Clients". All three use WPA2-PSK only (authentication-types=wpa2-psk).
# NOTE(review): every profile lists tkip alongside aes-ccm for unicast and
# group ciphers. TKIP is deprecated; aes-ccm alone is the safer setting unless
# a legacy client needs TKIP.
# NOTE(review): wpa-pre-shared-key is populated although WPA1 is not among
# the authentication types; the value is unused but still stored and exported.
# NOTE(review): no wireless interface in this export references WiFi-Guest or
# WiFi-Clients, so both radios presumably run on the default profile.
# NOTE(review): the masked wpa2-pre-shared-key of WiFi-Clients ends in a
# literal character, and mask lengths may mirror the real key lengths. If so,
# rotate that key and use fixed-length placeholders when sharing configs.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=\
*********** unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
***************** wpa2-pre-shared-key=*****************
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
management-protection=allowed mode=dynamic-keys name=WiFi-Guest \
supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
******** wpa2-pre-shared-key=********
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
management-protection=allowed mode=dynamic-keys name=WiFi-Clients \
supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
************ wpa2-pre-shared-key=***********s
# Default IPsec proposal limited to AES-128-CBC for encryption.
# NOTE(review): no IPsec peers or policies appear in this export, so the
# proposal looks unused; the auth algorithm is not shown and stays at its
# default - check it if IPsec is ever enabled.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
# Address pools, one per LAN segment (PC, Wi-Fi, ET, 6-10).
/ip pool
add name="POOL PC" ranges=192.168.0.3-192.168.0.254
add name="POOL Wi-Fi" ranges=192.168.101.2-192.168.101.254
add name="POOL ET" ranges=192.168.102.2-192.168.102.254
add name="POOL 6-10" ranges=192.168.103.2-192.168.103.254
# One DHCP server per segment. add-arp=yes makes the router add an ARP entry
# for each lease.
# "DHCP 6-10" is bound to LAN8 directly rather than to Bridge-6-10; the bridge
# ports for Bridge-6-10 are all disabled in "/interface bridge port".
# "DHCP ET+" uses a short 5-minute lease; "DHCP PhotoClub" uses one day.
/ip dhcp-server
add add-arp=yes address-pool="POOL Wi-Fi" authoritative=after-2sec-delay \
disabled=no interface=Bridge-WLAN name="DHCP Wi-Fi"
add add-arp=yes address-pool="POOL PC" always-broadcast=yes disabled=no \
interface=Bridge-PC lease-time=1d name="DHCP PhotoClub"
add add-arp=yes address-pool="POOL ET" disabled=no insert-queue-before=bottom \
interface=Bridge-ET lease-time=5m name="DHCP ET+"
add add-arp=yes address-pool="POOL 6-10" authoritative=after-10sec-delay \
disabled=no insert-queue-before=bottom interface=LAN8 name="DHCP 6-10"
# The default SNMP community is allowed from any source address (0.0.0.0/0).
# NOTE(review): no "/snmp set enabled=yes" appears in this export, so SNMP is
# presumably off. If it is ever enabled, rename the default community and
# restrict "addresses" to the monitoring host(s) first.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# MAC address format used by CAPsMAN for AAA requests.
/caps-man aaa
set mac-format=00:00:00:00:00:00
# The CAPsMAN controller is enabled on this router.
# NOTE(review): no interface restriction or certificate requirement for the
# manager appears in this export; confirm it only accepts CAPs on the
# interfaces where they are expected.
/caps-man manager
set enabled=yes
# Provisioning: any radio supporting g/n modes gets a dynamic, enabled
# interface with master configuration cfg1.
# NOTE(review): the rule has no radio-mac match, so it applies to every CAP
# radio that connects and hands it the cfg1 settings, passphrase included.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg1
# Bridge membership:
#   Bridge-WLAN : WLAN, WLAN(5G)
#   Bridge-PC   : LAN2, LAN4, LAN5
#   Bridge-ET   : LAN3
#   Bridge-6-10 : LAN6-LAN10, all entries disabled, so these ports are
#                 currently standalone (LAN8 carries its own IP and DHCP).
# LAN1 is in no bridge; it carries the PPPoE uplink.
/interface bridge port
add bridge=Bridge-WLAN interface=WLAN multicast-router=disabled
add bridge=Bridge-WLAN interface="WLAN(5G)" multicast-router=disabled
add bridge=Bridge-PC interface=LAN2 multicast-router=disabled
add bridge=Bridge-PC interface=LAN4 multicast-router=disabled
add bridge=Bridge-PC interface=LAN5 multicast-router=disabled
add bridge=Bridge-6-10 disabled=yes fast-leave=yes interface=LAN8
add bridge=Bridge-6-10 disabled=yes interface=LAN7
add bridge=Bridge-6-10 disabled=yes interface=LAN10
add bridge=Bridge-ET interface=LAN3 multicast-router=disabled
add bridge=Bridge-6-10 disabled=yes interface=LAN6
add bridge=Bridge-6-10 disabled=yes interface=LAN9
# Port-controller is pointed at Bridge-6-10.
/interface bridge port-controller
set bridge=Bridge-6-10
# NOTE(review): use-ip-firewall-for-pppoe is set, but use-ip-firewall itself
# does not appear in the export; as far as the RouterOS documentation goes,
# the PPPoE option only takes effect when use-ip-firewall=yes. Confirm whether
# bridged traffic is meant to pass through the IP firewall.
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
# NOTE(review): neighbor discovery runs on every interface, which includes the
# PPPoE uplink, so the router announces itself toward the ISP side. Limiting
# this to a LAN-only interface list (a list named "discover" already exists)
# avoids advertising the device on the WAN.
/ip neighbor discovery-settings
set discover-interface-list=all
# TCP SYN cookies are enabled.
/ip settings
set tcp-syncookies=yes
# L2TP server: only the authentication method is set; "enabled" is not shown,
# so the server is presumably off.
/interface l2tp-server server
set authentication=mschap2
# LAN2 is the only member of the discover, mactel and mac-winbox lists.
/interface list member
add interface=LAN2 list=discover
add interface=LAN2 list=mactel
add interface=LAN2 list=mac-winbox
# The PPTP server is enabled with MS-CHAPv2 authentication.
# NOTE(review): PPTP with MS-CHAPv2/MPPE is considered cryptographically weak;
# captured handshakes can be attacked offline. Plan a move to an IPsec-based
# tunnel. Until then access depends entirely on the firewall input chain,
# which in this export has no closing drop rule.
/interface pptp-server server
set authentication=mschap2 enabled=yes
# Wireless alignment tool setting.
/interface wireless align
set ssid-all=yes
# CAP (managed access point) settings for the local WLAN radio. "enabled" is
# not shown, so CAP mode is presumably off and the radio runs on its local
# configuration - confirm.
/interface wireless cap
set bridge=Bridge-WLAN discovery-interfaces=WLAN interfaces=WLAN
# Router addresses, one /24 gateway per segment. The 6-10 segment sits on
# LAN8 directly rather than on Bridge-6-10.
/ip address
add address=192.168.0.1/24 interface=Bridge-PC network=192.168.0.0
add address=192.168.101.1/24 interface=Bridge-WLAN network=192.168.101.0
add address=192.168.102.1/24 interface=Bridge-ET network=192.168.102.0
add address=192.168.103.1/24 interface=LAN8 network=192.168.103.0
# DHCP options per segment; the router is gateway and DNS server in each.
# NOTE(review): the Wi-Fi network (192.168.101.0/24) is handed
# dns-server=192.168.102.1, the router's address on the ET segment, not its
# own gateway address. It works while the router answers on every address,
# but it would break if access between segments is later filtered.
/ip dhcp-server network
add address=192.168.0.0/24 comment="default configuration" dns-server=\
192.168.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.101.0/24 dns-server=192.168.102.1 gateway=192.168.101.1 \
netmask=24
add address=192.168.102.0/24 dns-server=192.168.102.1 gateway=192.168.102.1 \
netmask=24
add address=192.168.103.0/24 dns-server=192.168.103.1 gateway=192.168.103.1 \
netmask=24
# The router acts as a DNS resolver for clients (allow-remote-requests=yes).
# NOTE(review): four of the five configured servers are the router's own
# addresses from "/ip address", and 192.168.100.1 is not assigned anywhere in
# this export. Real resolution presumably relies on the dynamic servers
# learned through use-peer-dns on the PPPoE client - confirm and remove the
# self-references.
# NOTE(review): with allow-remote-requests=yes the resolver answers anyone who
# can reach it. The input chain here drops only new UDP arriving on all-ppp,
# so DNS over TCP from the WAN side is not blocked by any visible rule.
/ip dns
set allow-remote-requests=yes servers=\
192.168.0.1,192.168.100.1,192.168.101.1,192.168.102.1,192.168.103.1
# Address list "PPTP": the peer(s) meant to reach the PPTP server. The entry
# is masked in this export.
/ip firewall address-list
add address=************* list=PPTP
# Filter rules as exported.
# input chain  : accept GRE and tcp/1723 from list PPTP, accept ICMP,
#                drop new UDP arriving on any PPP interface, drop invalid.
# forward chain: fasttrack + accept established/related, accept IPsec
#                policy traffic, drop invalid.
# NOTE(review): neither chain ends with a drop rule, and a packet that matches
# no rule is accepted. Consequences visible from this export:
#   - the src-address-list=PPTP restriction has no effect, since tcp/1723 and
#     GRE from any other source fall through and are accepted as well;
#   - TCP services on the router are reachable from the PPPoE side, since
#     only new UDP is dropped there;
#   - forwarded connections initiated from the WAN side are not dropped.
# A usual hardening is an "accept established,related" rule on input followed
# by a final drop for traffic arriving on the WAN interface, and in forward a
# drop for new WAN-originated connections that are not dst-nat'ed.
# NOTE(review): the "defconf:" comments suggest these rules came from the
# default configuration, but the default set's closing drop rules are not
# present here.
/ip firewall filter
add action=accept chain=input comment="PPTP Access" protocol=gre \
src-address-list=PPTP
add action=accept chain=input comment="PPTP Access" dst-port=1723 protocol=\
tcp src-address-list=PPTP
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=input connection-state=new in-interface=all-ppp \
protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Source NAT. The three per-subnet masquerade rules are disabled; only the
# last, unconditional rule is active.
# NOTE(review): the active rule has no out-interface and no src-address, so it
# masquerades every routed connection. That includes traffic between the LAN
# segments and traffic toward the PPTP peer, which hides the real client
# address from the receiving side and its logs. Scoping it to the uplink
# (out-interface="PPPOE(MTS)") keeps internal addresses intact.
# NOTE(review): the first rule references address list NoInternet, which is
# not defined in this export; the last two rules share the comment
# "Internet to ET", so the active rule's label is misleading.
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet to PC" \
disabled=yes src-address=192.168.0.0/24 src-address-list=!NoInternet
add action=masquerade chain=srcnat comment="Internet to Wi-Fi" disabled=yes \
src-address=192.168.101.0/24
add action=masquerade chain=srcnat comment="Internet to ET" disabled=yes \
src-address=192.168.102.0/24
add action=masquerade chain=srcnat comment="Internet to ET"
# Connection-tracking helpers for these protocols are switched off:
# tftp, irc, h323, sip, pptp, udplite, dccp, sctp.
# NOTE(review): the pptp helper is disabled while the router itself runs a
# PPTP server; the helper matters for PPTP sessions passing through NAT, so
# confirm no LAN client depends on it.
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Policy routing for the VPN peer network: a default route via 192.168.175.1
# in table vpn_192_168_175_0, monitored with check-gateway=ping.
/ip route
add check-gateway=ping distance=1 gateway=192.168.175.1 routing-mark=\
vpn_192_168_175_0
# Traffic destined to 192.168.175.0/24 is looked up in that table.
/ip route rule
add dst-address=192.168.175.0/24 table=vpn_192_168_175_0
# Management services: telnet, www, ssh, api and api-ssl are disabled. The ssh
# port is moved to 26711 but the service is off.
# NOTE(review): ftp and winbox are not listed. An export shows only changed
# values, so both are presumably still at their defaults; check with
# "/ip service print". No service has an "address=" restriction, and the
# input chain has no closing drop, so whatever remains enabled is reachable
# from the WAN over TCP. Disable ftp if unused and limit winbox to the
# management subnet.
/ip service
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes port=26711
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): a changed /ip socks setting is present. "enabled" is not shown,
# so the proxy is presumably off, but unexpected SOCKS settings on a router
# are worth verifying as deliberate (check "/ip socks print" and the access
# list).
/ip socks
set max-connections=500
# PPP account for the VPN peer: the router side is 192.168.0.1, the peer gets
# 192.168.175.1 (the gateway used in "/ip route"). The password is masked.
# NOTE(review): no "service=" is set, so the secret is presumably valid for
# any PPP service that is enabled; pinning it to the one service in use and
# adding a caller-id restriction narrows where it can be used.
/ppp secret
add local-address=192.168.0.1 name=pptp_192_168_175_0 password=\
****************************** profile=default-encryption remote-address=\
192.168.175.1
# Time zone for the system clock.
/system clock
set time-zone-name=Europe/Samara
# Router identity, as shown in prompts and neighbor discovery announcements.
/system identity
set name="PC - CUP"
# LED entry 0 is set to wireless-status with no LEDs assigned.
/system leds
set 0 leds="" type=wireless-status
# MAC telnet is not allowed on any interface.
# NOTE(review): the "mac-winbox" setting is not shown in this export, so it is
# presumably still at its default; the "mac-winbox" interface list defined
# earlier is not visibly applied to it. Confirm with
# "/tool mac-server mac-winbox print".
/tool mac-server
set allowed-interface-list=none