โดย w9iii เมื่อ ศุกร์ 15 ม.ค. 2016 1:42 pm
fw ไปหา client นี่ใช้คำสั่งยังครับ พอดีเพื่งมาจับ mikrotik ครับ
นี่คือ config router ของผมครับ
/interface l2tp-client
add connect-to=xx.xx.xx.xx disabled=no ipsec-secret="E5/-C0B6D8" max-mru=
1460 max-mtu=1460 name=xxxx password=xxxxxx use-ipsec=yes user=
xxxxxx
/ip firewall layer7-protocol
add name=bittorrent regexp="^(x13bittorrent protocol|azverx01$|get /scrap
e?info_hash=get /announce?info_hash=|get /client/bitcomet/|GET /data
?fid=)|d1:ad2:id20:|x08'7P)[RP]"
add name=bit regexp=
"^(x13bittorrent protocol|azverx01$|get /scrape?info_hash=)"
add name=youtube regexp="^.+(youtube.com).*$"
add name=facebook regexp="^.+(facebook.com).*$"
add name=Bittorrent regexp="^(x13bittorrent protocol|azverx01$|get /scrap
e?info_hash=get /announce?info_hash=|get /client/bitcomet/|GET /data
?fid=)|d1:ad2:id20:|x08'7P)[RP]"
add name="facebook & youtube" regexp="^.+(facebook|youtube).*$"
/ip hotspot profile
add hotspot-address=1.1.0.1 name=hsprof1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.99.20-192.168.99.200
add name="dhcp hotspot" ranges=1.1.0.2-1.1.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether5 lease-time=1d name=dhcp1
add address-pool="dhcp hotspot" disabled=no interface=ether6 lease-time=1h
name="dhcp hotspot"
/ip hotspot
add address-pool="dhcp hotspot" disabled=no idle-timeout=none interface=
ether6 name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] address-pool="dhcp hotspot" idle-timeout=12h
mac-cookie-timeout=2d shared-users=500
/ip address
add address=xxxxxxxxx/30 interface=ether1 network=xxxxxxxxx
add address=192.168.99.1/24 interface=ether5 network=192.168.99.0
add address=1.1.0.1/23 interface=ether6 network=1.1.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no
interface=ether2
/ip dhcp-server network
add address=1.1.0.0/23 dns-server=8.8.8.8,8.8.4.4 gateway=1.1.0.1
add address=192.168.99.0/24 gateway=192.168.99.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=add-src-to-address-list address-list="IP LOAD BIT"
address-list-timeout=30m chain=forward comment="Block Bit"
dst-address-list="!Allow Bit" p2p=bit-torrent src-address=192.168.99.0/24
src-address-list="!Allow Bit"
add action=add-src-to-address-list address-list="IP LOAD BIT"
address-list-timeout=30m chain=forward dst-address-list="!Allow Bit"
layer7-protocol=Bittorrent src-address=192.168.99.0/24 src-address-list=
"!Allow Bit" src-address-type=local
add action=add-src-to-address-list address-list="IP LOAD BIT"
address-list-timeout=30m chain=forward comment="Block Bit"
dst-address-list="!Allow Bit" p2p=bit-torrent src-address=1.1.0.0/23
src-address-list="!Allow Bit"
add action=add-src-to-address-list address-list="IP LOAD BIT"
address-list-timeout=30m chain=forward dst-address-list="!Allow Bit"
layer7-protocol=Bittorrent src-address=1.1.0.0/23 src-address-list=
"!Allow Bit" src-address-type=local
add action=drop chain=forward disabled=yes dst-port=!80,443 protocol=tcp
src-address-list="IP LOAD BIT"
add action=drop chain=forward disabled=yes protocol=udp src-address-list=
"IP LOAD BIT"
add action=drop chain=forward comment=">>> Block Web Facebook & Youtube <<<"
disabled=yes layer7-protocol="facebook & youtube" src-address-list=
"Block Web Range 230 - 240"
/ip firewall mangle
add chain=prerouting in-interface=ether1
add chain=prerouting in-interface=ether2
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=
auth new-connection-mark=wan2_conn per-connection-classifier=
both-addresses-and-ports:5/0 src-address=1.1.0.0/23
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=
auth new-connection-mark=wan2_conn per-connection-classifier=
both-addresses-and-ports:5/1 src-address=1.1.0.0/23
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=
auth new-connection-mark=wan2_conn per-connection-classifier=
both-addresses-and-ports:5/2 src-address=1.1.0.0/23
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=
auth new-connection-mark=wan1_conn per-connection-classifier=
both-addresses-and-ports:5/3 src-address=1.1.0.0/23
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=
auth new-connection-mark=wan1_conn per-connection-classifier=
both-addresses-and-ports:5/4 src-address=1.1.0.0/23
add action=mark-connection chain=prerouting disabled=yes dst-address-type=
!local hotspot=auth new-connection-mark=wan1_conn
per-connection-classifier=both-addresses-and-ports:6/5 src-address=
1.1.0.0/23
add action=mark-routing chain=prerouting connection-mark=wan1_conn
new-routing-mark=to_wan1 src-address=1.1.0.0/23
add action=mark-routing chain=prerouting connection-mark=wan2_conn
new-routing-mark=to_wan2 src-address=1.1.0.0/23
add action=mark-connection chain=input comment=
"?????????????????????????????/"
in-interface=ether1 new-connection-mark=PORT1_conn
add action=mark-connection chain=input in-interface=ether2
new-connection-mark=PORT2_conn
add action=mark-routing chain=output connection-mark=PORT1_conn
new-routing-mark=to_PORT1
add action=mark-routing chain=output connection-mark=PORT2_conn
new-routing-mark=to_PORT2
add chain=prerouting dst-address=61.91.54.29 in-interface=ether5
add chain=prerouting dst-address=192.168.1.0/24 in-interface=ether5
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=ether5 new-connection-mark=PORT1_conn
per-connection-classifier=both-addresses-and-ports:5/0
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=ether5 new-connection-mark=PORT1_conn
per-connection-classifier=both-addresses-and-ports:5/1
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=ether5 new-connection-mark=PORT1_conn
per-connection-classifier=both-addresses-and-ports:5/2
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=ether5 new-connection-mark=PORT2_conn
per-connection-classifier=both-addresses-and-ports:5/3
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=ether5 new-connection-mark=PORT2_conn
per-connection-classifier=both-addresses-and-ports:5/4
add action=mark-connection chain=prerouting disabled=yes dst-address-type=
!local in-interface=ether5 new-connection-mark=PORT2_conn
per-connection-classifier=both-addresses-and-ports:6/5
add action=mark-routing chain=prerouting connection-mark=PORT1_conn
in-interface=ether5 new-routing-mark=to_PORT1
add action=mark-routing chain=prerouting connection-mark=PORT2_conn
in-interface=ether5 new-routing-mark=to_PORT2
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip ipsec peer
add address=9.9.9.9/32 comment=Bangkok enc-algorithm=3des local-address=
0.0.0.0 nat-traversal=no secret=123456
/ip ipsec policy
set 0 disabled=yes
add comment="Connect Bangkok" dst-address=192.168.88.0/24 sa-dst-address=
9.9.9.9 sa-src-address=9.9.9.10 src-address=192.168.99.0/24 tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=61.91.54.29 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=61.91.54.29 routing-mark=to_PORT1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_PORT2
add check-gateway=ping distance=1 gateway=61.91.54.29,192.168.1.1
add check-gateway=ping distance=1 dst-address=192.168.88.0/24 gateway=9.9.9.9
- แนบไฟล์
-
- Untitled.png (15.82 KiB) เปิดดู 4723 ครั้ง