# nov/05/2016 19:21:48 by RouterOS 6.37.2
# software id = 4K7S-Z1F1
#
# Configuration export for the router identified below as FestaLAN-Ripoll.
# Layout as configured in this file:
#   ether1 / ether2  upstream links (192.168.10.0/24, 192.168.1.0/24)
#   ether3 (+ether5) "Ubuntu" segment, 192.168.160.0/24
#   ether4           "Jugadors" (players) segment, 192.168.150.0/24
#   wlan1            players' Wi-Fi, 192.168.170.0/24
#   ether9           "Gestio" (management) segment, 192.168.250.0/24
# NOTE(review): the export dates from 2016 on RouterOS 6.37.2; before reusing
# it, confirm the device runs a currently supported release.
# NOTE(review): this export includes the Wi-Fi pre-shared key in clear text.
# Prefer "/export hide-sensitive" for anything that is shared or archived.
/interface ethernet
set [ find default-name=ether1 ] comment=INET-Aniol
set [ find default-name=ether2 ] comment=INET-Casal
set [ find default-name=ether3 ] comment=Ubuntu
set [ find default-name=ether4 ] comment=Jugadors
# ether5 is slaved to ether3 through master-port, so it shares that segment.
set [ find default-name=ether5 ] comment=Ubuntu2 master-port=ether3
set [ find default-name=ether9 ] comment="Gesti\F3"
# These entries only set comments. Whether neighbor discovery is enabled on the
# guest-facing ports (ether3, ether4, wlan1) is not visible here; confirm it is
# switched off there so the router does not announce itself to guests.
/ip neighbor discovery
set ether1 comment=INET-Aniol
set ether2 comment=INET-Casal
set ether3 comment=Ubuntu
set ether4 comment=Jugadors
set ether5 comment=Ubuntu2
set ether9 comment="Gesti\F3"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK profile used by wlan1. NOTE(review): the key is a single short
# lowercase word that also appears in the SSID and interface comments, so it is
# easy to guess; rotate it to a long random passphrase. management-protection
# is "allowed", not "required", so clients without it are still accepted.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=lanparty supplicant-identity="" wpa2-pre-shared-key=jugadors
/interface wireless
# 2.4 GHz access point for players; WPS is disabled.
set [ find default-name=wlan1 ] band=2ghz-b/g/n comment=Wifi-Jugadors frequency=2447 mode=ap-bridge security-profile=lanparty ssid=LanParty-Jugadors wireless-protocol=802.11 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment=Wifi-Jugadors
/ip neighbor discovery
set wlan1 comment=Wifi-Jugadors
/interface wireless nstreme
set wlan1 comment=Wifi-Jugadors
/ip firewall layer7-protocol
# Payload pattern: "get"/"GET" followed later by one of the listed site names.
# Layer-7 matching only sees unencrypted payload, so HTTPS requests to these
# sites are not matched. The trailing backslashes are export line continuations
# inside the quoted string.
add name=torrentsites regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt\
    |entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|b\
    tscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|b\
    itsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|common\
    bits).*\$"
/ip pool
add name=dhcp_pool1 ranges=192.168.250.150-192.168.250.250
add name=dhcp_pool2 ranges=192.168.160.15-192.168.160.254
add name=dhcp_pool3 ranges=192.168.150.15-192.168.150.254
add name=dhcp_pool4 ranges=192.168.170.15-192.168.170.254
# One DHCP server per internal segment, each with a one-day lease.
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether9 lease-time=1d name=DHCP-Gestio
add address-pool=dhcp_pool2 disabled=no interface=ether3 lease-time=1d name=DHCP-Ubuntu
add address-pool=dhcp_pool3 disabled=no interface=ether4 lease-time=1d name=DHCP-Jugadors
add address-pool=dhcp_pool4 disabled=no interface=wlan1 lease-time=1d name=DHCP-WifiJugadors
# Bandwidth caps for the Ubuntu segment and the players' Wi-Fi.
/queue simple
add comment=Ubuntaires max-limit=30M/30M name=ubuntaires target=ether3
add comment="Jugadors Wifi" max-limit=15M/15M name=wifi target=wlan1
/system logging action
# Log target on disk1. With disk-stop-on-full=yes, logging to this target stops
# once the disk is full, so later firewall events would go unrecorded; monitor
# free space or forward logs to a remote collector as well.
add disk-file-name=disk1/log disk-stop-on-full=yes name=usb target=disk
/ip firewall connection tracking
set tcp-established-timeout=1h
/ip address
add address=192.168.250.1/24 comment="Gesti\F3" interface=ether9 network=192.168.250.0
add address=192.168.10.10/24 comment=INET-Aniol interface=ether1 network=192.168.10.0
add address=192.168.1.10/24 comment=INET-Casal interface=ether2 network=192.168.1.0
add address=192.168.150.1/24 comment=Jugadors interface=ether4 network=192.168.150.0
add address=192.168.160.1/24 comment=Ubuntu interface=ether3 network=192.168.160.0
add address=192.168.170.1/24 comment=Wifi-Jugadors interface=wlan1 network=192.168.170.0
/ip dhcp-server network
add address=192.168.150.0/24 gateway=192.168.150.1
add address=192.168.160.0/24 gateway=192.168.160.1
add address=192.168.170.0/24 gateway=192.168.170.1
add address=192.168.250.0/24 gateway=192.168.250.1
/ip dns
set servers=8.8.8.8,8.8.4.4
# Address lists referenced by the filter and NAT rules below:
#   prohibit    - the two upstream LANs that guests must not reach
#   dns         - the Google resolvers
#   internet    - internal subnets that are masqueraded out
#   restringits - guest subnets subject to the P2P/torrent drops and logging
#   router      - the router's own gateway addresses on the guest segments
/ip firewall address-list
add address=192.168.10.0/24 comment=INET-Aniol list=prohibit
add address=192.168.1.0/24 comment=INET-Casal list=prohibit
add address=8.8.8.8 comment="DNS Google" list=dns
add address=8.8.4.4 comment="DNS Google" list=dns
add address=192.168.150.0/24 comment=Jugadors list=internet
add address=192.168.160.0/24 comment=Ubuntaires list=internet
add address=192.168.250.0/24 comment="Gesti\F3" list=internet
add address=192.168.150.0/24 comment=Jugadors list=restringits
add address=192.168.160.0/24 comment=Ubuntaires list=restringits
add address=192.168.150.1 comment=GW-Jugadors list=router
add address=192.168.160.1 comment=GW-Ubuntaires list=router
add address=192.168.170.0/24 comment=Jugadors-Wifi list=restringits
add address=192.168.170.0/24 comment=Jugadors-Wifi list=internet
add address=192.168.170.1 comment=GW-Wifi list=router
# Filter rules. Order matters: rules are evaluated top to bottom per chain.
# The disabled action=log rules appear to serve only as section headings.
#
# NOTE(review), chain=input: the only input rules are the port-scanner listing
# and drop further down. Packets that match no rule are accepted, so nothing
# here limits access to the router's own services from the guest segments. No
# /ip service section appears in this export, which suggests those services
# are at their defaults; confirm, then restrict management to ether9.
#
# NOTE(review), chain=forward: no rule protects 192.168.250.0/24 (management)
# from ether3, ether4 or wlan1, and ether4 is not blocked from the Ubuntu or
# Wi-Fi subnets. None of the drops match on connection-state, so they also
# discard reply packets of connections opened from the other side.
/ip firewall filter
# --- Section: LAN isolation ---
add action=log chain=forward comment="Bloqueig LANs" disabled=yes
# Players (ether4) may not reach the upstream LANs.
add action=drop chain=forward comment="Bloqueja acc\E9s jugadors a LANs INET" dst-address-list=prohibit in-interface=ether4
# Wi-Fi clients may not reach the upstream LANs.
add action=drop chain=forward comment="Bloqueja acc\E9s wifi a LANs INET" dst-address-list=prohibit in-interface=wlan1
# Ubuntu segment may not reach the upstream LANs.
add action=drop chain=forward comment="Bloqueja acc\E9s ubuntaires a LANs INET" dst-address-list=prohibit in-interface=ether3
# Ubuntu segment may not reach the players' subnet.
add action=drop chain=forward comment="Bloqueja acc\E9s ubuntaires a Jugadors" dst-address=192.168.150.0/24 in-interface=ether3
# Wi-Fi clients may not reach the players' subnet.
add action=drop chain=forward comment="Bloqueja acc\E9s wifi a Jugadors" dst-address=192.168.150.0/24 in-interface=wlan1
# --- Section: torrent and P2P blocking for the "restringits" subnets ---
add action=log chain=forward comment="Bloqueig torrents i P2P" disabled=yes
add action=drop chain=forward comment=torrentsites layer7-protocol=torrentsites src-address-list=restringits
# NOTE(review): this reuses the pattern that requires "get"/"GET" ahead of the
# site name; a DNS query is unlikely to contain that, so this rule probably
# never matches. Verify with the rule counters.
add action=drop chain=forward comment=dropDNS dst-port=53 layer7-protocol=torrentsites protocol=udp src-address-list=restringits
# Plain substring matches on packet content. They are broad (any packet
# carrying the word is dropped) and do not apply to encrypted traffic.
add action=drop chain=forward comment=keyword_drop content=torrent src-address-list=restringits
add action=drop chain=forward comment=trackers_drop content=tracker src-address-list=restringits
add action=drop chain=forward comment=get_peers_drop content=getpeers src-address-list=restringits
add action=drop chain=forward comment=info_hash_drop content=info_hash src-address-list=restringits
add action=drop chain=forward comment=announce_peers_drop content=announce_peers src-address-list=restringits
add action=drop chain=forward comment=p2p_drop p2p=all-p2p src-address-list=restringits
# --- Section: port-scan detection (chain=input, i.e. traffic to the router) ---
add action=log chain=forward comment="Bloqueig port scanners" disabled=yes
# Sources that trip the PSD heuristic or send unusual TCP flag combinations are
# placed on the "port scanners" list for two weeks and then dropped.
# NOTE(review): listing is keyed on the packet's source address alone, so a
# forged source can get a legitimate address blocked; consider exempting the
# management subnet before these rules.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
# --- Section: flood detection for forwarded traffic ---
add action=log chain=forward comment="Bloqueig DDoS" disabled=yes
# New forwarded connections are sent to detect-ddos. That chain returns while
# the flow stays under the dst-limit rate, returns when the source is not on
# "router", and returns when the destination is not on "dns". Only what is
# left gets both endpoints listed for 10 minutes.
# NOTE(review): "router" holds the router's own gateway addresses, which are
# not normally the source of forwarded packets, so this detection probably
# never fires. Confirm the intended match and check the list contents.
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address-list=!router
add action=return chain=detect-ddos dst-address-list=!dns
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
# Logs every new forwarded connection from the guest subnets that reached this
# point. These entries go to the on-disk "usb" target via /system logging.
add action=log chain=forward comment="Log connexions" connection-state=new src-address-list=restringits
# Source NAT for the "internet" list out of either upstream link.
/ip firewall nat
add action=masquerade chain=srcnat comment=INET-Aniol out-interface=ether1 src-address-list=internet
add action=masquerade chain=srcnat comment=INET-Casal out-interface=ether2 src-address-list=internet
# Primary default route is monitored with ping; the second route has a higher
# distance and acts as the backup.
/ip route
add check-gateway=ping comment="Default Route INET-Aniol" distance=1 gateway=192.168.10.1
add comment="Default Route INET-Casal" distance=2 gateway=192.168.1.1
/lcd
set enabled=no touch-screen=disabled
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10"
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=FestaLAN-Ripoll
# Firewall log entries (debug excluded) are written to the "usb" disk target.
/system logging
add action=usb topics=firewall,!debug
/system ntp client
set primary-ntp=185.132.136.32 secondary-ntp=194.239.123.230
# NOTE(review): protected-routerboot is disabled, so the boot-time settings are
# not locked; rely on physical access control if the device sits in a public
# venue.
/system routerboard settings
set protected-routerboot=disabled