Нужны configi /backup -ы

Тема в разделе "Скрипты", создана пользователем Ciff, 12 фев 2020.

  1. Ciff

    Ciff Новый участник

    Добрый день уважаемые коллеги .
    только начинаю пользоваться mikrotik .
    основы понятны, но хочу пощупать уже настроенный микротик на 2 провайдера c локалкой на 1000 чел., 1С и рабочей группой. Как такового домена нет.
    скиньте пожалуйста config-и или backup-ы . мне проще пощупать и посмотреть примеры .
    мой mikrotik ссr1009 ....1s+ последняя версия прошивки.
     
  2. Илья Князев

    Илья Князев Администратор Команда форума

    Вот вам роутер с двумя провайдерами на бордере. Немного упростил :p
    Код:
    # feb/14/2020 16:37:19 by RouterOS 6.45.8
    # software id =
    #
    #
    #
    # Border-router export. ether1-uplink is the only member of the WAN list and is the
    # update-source of the upstream BGP peers; ether2 carries VRRP and the IPv4 iBGP session.
    /interface bridge
    # Bridge named like a loopback; no ports or addresses are attached to it in this export.
    add name=Lo
    /interface ethernet
    set [ find default-name=ether1 ] disable-running-check=no name=ether1-uplink
    set [ find default-name=ether2 ] disable-running-check=no
    /interface vrrp
    # VRRP v2 on ether2 with AH authentication. The shared secret sits in the export in
    # clear text: export with hide-sensitive (RouterOS v6) and check the result, or replace
    # the value by hand, before publishing. A real secret that has been posted publicly
    # should be treated as disclosed and changed on every router in the group.
    # NOTE(review): priority=50 is below the usual default of 100, so this node presumably
    # acts as the backup - confirm against the other VRRP router.
    add authentication=ah interface=ether2 name=vrrp1 password=KabnaFLy priority=\
        50 version=2
    /interface list
    # LAN is declared but receives no members in this export; the IPv6 input rule that
    # matches in-interface-list=!LAN therefore matches traffic arriving on every interface.
    add name=LAN
    add name=WAN
    /interface wireless security-profiles
    # Default profile as emitted by the export; no wireless interface is configured here.
    set [ find default=yes ] supplicant-identity=MikroTik
    /routing bgp instance
    # Local AS and router-id of the default BGP instance (router-id equals the ether2 address).
    set default as=2089075 router-id=99.0.195.3
    /interface list member
    add interface=ether1-uplink list=WAN
    /ip address
    # 99.0.195.1 is placed on the VRRP interface (virtual address); 99.0.195.3/24 is this
    # router's own address on ether2.
    add address=99.0.195.1 interface=vrrp1 network=99.0.195.0
    add address=99.0.195.3/24 interface=ether2 network=99.0.195.0
    # NOTE(review): this uplink address uses 100.167.196.x, while the default route and the
    # upstream BGP peer further down use 109.167.196.30 - probably altered when the export
    # was sanitized; the two must agree on a real router.
    add address=100.167.196.31 interface=ether1-uplink network=100.167.196.30
    /ip dhcp-client
    # DHCP client entry on the uplink, which also has a static address.
    # NOTE(review): no disabled=no is shown, so this entry is presumably inactive - confirm.
    add interface=ether1-uplink
    /ip dns
    # allow-remote-requests=yes makes the router answer DNS queries from the network.
    # The exposure is bounded only by the input rules below (port 53 accepted on ether2
    # from 99.0.195.0/24, everything else dropped), so those rules must stay in place.
    set allow-remote-requests=yes cache-max-ttl=12h servers=\
        8.8.8.8,2001:4860:4860::8844,2001:4860:4860::8888
    /ip firewall address-list
    # Placeholders left by the author: replace with the real management source addresses.
    # Members of Manage are accepted for ALL input traffic, so keep the list narrow.
    add address=X.X.X.X list=Manage
    add address=Y.Y.Y.Y list=Manage
    /ip firewall filter
    # Only the input chain (traffic to the router itself) is filtered; this export has no
    # IPv4 forward rules, so transit traffic is not filtered here. Rule order is significant.
    add action=accept chain=input connection-state=established,related
    # BGP sessions opened by the iBGP neighbour towards this router.
    add action=accept chain=input comment=BGP-IN dst-port=179 protocol=tcp \
        src-address=99.0.195.2
    # Matches on the REMOTE port only, i.e. any TCP from 99.0.195.2 with source port 179.
    # Replies to sessions this router opens are already covered by the established rule,
    # so this rule is wider than needed.
    add action=accept chain=input comment=BGP-IN protocol=tcp src-address=\
        99.0.195.2 src-port=179
    # ICMP to the router is accepted from any source.
    add action=accept chain=input protocol=icmp
    add action=accept chain=input src-address-list=Manage
    # DNS (TCP and UDP) for the internal /24 arriving on ether2.
    add action=accept chain=input dst-port=53 in-interface=ether2 protocol=tcp \
        src-address=99.0.195.0/24
    add action=accept chain=input dst-port=53 in-interface=ether2 protocol=udp \
        src-address=99.0.195.0/24
    # Default deny for everything else addressed to the router.
    # NOTE(review): nothing above names VRRP/AH or BFD (use-bfd=yes is set on the iBGP
    # peer); unless the neighbour is in Manage, that traffic would end here - verify.
    add action=drop chain=input
    /ip route
    # Static default route with distance 254, i.e. a last-resort fallback behind any route
    # learned with a lower distance.
    add distance=254 gateway=109.167.196.30
    # Host route via the iBGP neighbour on ether2.
    add distance=1 dst-address=199.44.13.64/32 gateway=99.0.195.2
    /ip service
    # telnet, ftp, www, ssh, api and api-ssl are switched off. winbox and www-ssl are not
    # listed, so they keep their defaults - check "/ip service print" on the device.
    # Any service left enabled is protected only by the input firewall; the per-service
    # address= restriction can be set as a second layer.
    set telnet disabled=yes
    set ftp disabled=yes
    set www disabled=yes
    set ssh disabled=yes
    set api disabled=yes
    set api-ssl disabled=yes
    /ip ssh
    # allow-none-crypto=yes lets SSH sessions negotiate no encryption at all, and
    # forwarding-enabled=remote permits remote port forwarding through the router.
    # SSH is disabled above, so both are dormant, but they take effect the moment the
    # service is re-enabled. Do not copy these two values into a production router; set
    # allow-none-crypto=no and forwarding-enabled=no, and consider strong-crypto=yes.
    set allow-none-crypto=yes forwarding-enabled=remote
    /ipv6 address
    # advertise=no: these prefixes are not announced in router advertisements.
    add address=2100:1c78:0:f010::2 advertise=no interface=ether1-uplink
    add address=210e:1107:0:1000::3 advertise=no interface=ether2
    # Duplicate address detection is switched off for this address (no-dad=yes).
    # NOTE(review): presumably an address shared with the second router - confirm.
    add address=210e:1107:0:1000::1 interface=ether2 no-dad=yes
    /ipv6 firewall address-list
    # Default-configuration list of source/destination prefixes that should never appear
    # in forwarded traffic. In this export the only rules that reference bad_ipv6 are
    # disabled, so the list currently has no effect.
    add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
    add address=::1/128 comment="defconf: lo" list=bad_ipv6
    add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
    add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
    add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
    add address=100::/64 comment="defconf: discard only " list=bad_ipv6
    add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
    add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
    add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
    add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
    add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
    add address=::/104 comment="defconf: other" list=bad_ipv6
    add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
    /ipv6 firewall filter
    # ---- input chain: traffic addressed to the router itself; rule order is significant ----
    # Unconditional accept for a single link-local neighbour, evaluated before anything else.
    add action=accept chain=input src-address=fe80::84f9:f7ff:fed5:a611/128
    # BGP to and from the IPv6 iBGP neighbour (second rule matches on the remote port only).
    add action=accept chain=input comment="BGP From IKN" dst-port=179 protocol=\
        tcp src-address=210e:1107:0:1000::2/128
    add action=accept chain=input comment="BGP From IKN" protocol=tcp \
        src-address=210e:1107:0:1000::2/128 src-port=179
    add action=accept chain=input connection-state=established,related,untracked
    # Disabled: packets in connection-state invalid are NOT dropped by this rule.
    add action=drop chain=input comment="defconf: drop invalid" connection-state=\
        invalid disabled=yes
    # The accepts below (ICMPv6, traceroute range, IKE, AH, ESP) have no source restriction.
    # Drop the ones for services this router does not run.
    add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
        icmpv6
    add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
        33434-33534 protocol=udp
    # DHCPv6 client port, link-local sources only.
    add action=accept chain=input dst-port=546 protocol=udp src-address=fe80::/10
    add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
        protocol=udp
    add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
        ipsec-ah
    add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
        ipsec-esp
    add action=accept chain=input comment=\
        "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
    # Disabled accept for TCP 8291; it has no source restriction, so keep it disabled or
    # add a source match before enabling it.
    add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
    # Final drop. The LAN list has no members in this export, so "!LAN" matches every
    # interface and this acts as a default deny for the input chain.
    add action=drop chain=input comment=\
        "defconf: drop everything else not coming from LAN" in-interface-list=\
        !LAN
    # ---- forward chain: traffic routed through the router ----
    # Every drop rule in this chain is disabled=yes, so the chain contains only accepts
    # and nothing is dropped: IPv6 transit traffic is not filtered by this router.
    # NOTE(review): may be deliberate on a border router; hosts behind it then need their
    # own filtering. Enable the drops if this router is meant to protect them.
    add action=accept chain=forward connection-state=\
        established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" \
        connection-state=invalid disabled=yes
    add action=drop chain=forward comment=\
        "defconf: drop packets with bad src ipv6" disabled=yes src-address-list=\
        bad_ipv6
    add action=drop chain=forward comment=\
        "defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=\
        bad_ipv6
    add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
        disabled=yes hop-limit=equal:1 protocol=icmpv6
    add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
        icmpv6
    add action=accept chain=forward comment="defconf: accept HIP" protocol=139
    add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
        500,4500 protocol=udp
    add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
        ipsec-ah
    add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
        ipsec-esp
    add action=accept chain=forward comment=\
        "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
    # Disabled default deny for the forward chain (see the note at the top of the chain).
    add action=drop chain=forward comment=\
        "defconf: drop everything else not coming from LAN" disabled=yes \
        in-interface-list=!LAN
    /ipv6 route
    # The first three static routes are disabled; only the last one is active.
    add disabled=yes distance=1 dst-address=2101:6520:101:3::/64 gateway=\
        210e:1107:0:1000::2
    add disabled=yes distance=1 dst-address=2101:6520:101:3::1/128 gateway=\
        210e:1107:0:1000::2
    add disabled=yes distance=1 dst-address=210e:1107::/48 gateway=\
        fe80::8cf5:d6ff:fe09:5e1e%ether2
    add comment="Ilya Knyazev router" distance=1 dst-address=210e:1107:0:100::/56 \
        gateway=210e:1107:0:1000::fffe
    /routing bgp network
    # Prefixes originated by this router; synchronize=no is set on both entries.
    add network=99.0.195.0/24 synchronize=no
    add network=210e:1107::/48 synchronize=no
    /routing bgp peer
    # Two iBGP peers (remote-as equals the local AS 2089075) and two upstream peers in
    # AS 25408. No peer in this export carries tcp-md5-key.
    # NOTE(review): the key may simply have been removed before posting; on a real router
    # agree a TCP MD5 key with the upstream for the external sessions.
    add hold-time=1m30s keepalive-time=30s name=IKN-V4-iBGP remote-address=\
        99.0.195.2 remote-as=2089075 ttl=default update-source=ether2 use-bfd=yes
    add address-families=ipv6 hold-time=5m keepalive-time=1m name=IKN-V6-iBGP \
        nexthop-choice=propagate remote-address=210e:1107:0:1000::2 remote-as=\
        2089075 ttl=default
    add in-filter=V4-IN name=WestCall-V4 out-filter=V4-OUT remote-address=\
        109.167.196.30 remote-as=25408 ttl=default update-source=ether1-uplink
    add address-families=ipv6 in-filter=V6-IN name=WestCall-V6 out-filter=V6-OUT \
        remote-address=2100:1c78:0:f010::1 remote-as=25408 ttl=default \
        update-source=ether1-uplink
    /routing filter
    # V4-IN accepts every prefix the upstream sends and sets local-pref 75; there is no
    # inbound prefix filtering (own prefixes, reserved ranges) in this export.
    # NOTE(review): local-pref 75 plus the outbound prepend suggests this upstream is the
    # less preferred path - confirm against the second border router.
    add action=accept chain=V4-IN set-bgp-local-pref=75
    # V4-OUT announces only the own /24 (and more-specifics up to /32) with three prepends;
    # the discard that follows stops any other route from being announced to the upstream.
    add action=accept chain=V4-OUT prefix=99.0.195.0/24 prefix-length=24-32 \
        set-bgp-prepend=3
    add action=discard chain=V4-OUT
    # No action is given on the next two rules; presumably they only set the attribute and
    # processing continues with the following rule - verify on the device.
    add chain=V6-IN  set-bgp-local-pref=75
    add chain=V6-OUT set-bgp-prepend=3
    # V6-OUT: own /48 and more-specifics up to /64 are announced, everything else discarded.
    add action=accept chain=V6-OUT prefix=210e:1107::/48 prefix-length=48-64
    add action=discard chain=V6-OUT
    /system clock
    set time-zone-name=Europe/Moscow
    /system identity
    # Device name; it appears in logs and in neighbour discovery output.
    set name=Border-WestCall
    /system logging
    # Extra logging rule for the vrrp topic, so VRRP events are written to the log.
    add topics=vrrp
    /system ntp client
    # Time is taken from two servers given by IP address. Accurate time matters for log
    # correlation; make sure the replies are allowed back in by the input firewall.
    set enabled=yes primary-ntp=89.221.207.113 secondary-ntp=40.81.188.85
    /system package update
    # Updates follow the long-term release channel.
    set channel=long-term