CONFIGURACION BASICA DE MIKROTIK (clientes)

CONFIGURACION BASICA DE MIKROTIK (clientes)

######################      CONFIGURACION BASICA DE UN MIKROTIK    ##################

 

# Router name (shown in Winbox/SSH prompts and used by the backup script for file names).
/system identity set name=PTIQ

# LAN bridge: ether2-ether5 and the Wi-Fi radio share one L2 domain; ether1 stays out
# of the bridge because it is the WAN port.
/interface bridge add name=bridge1
/interface bridge port add interface=ether2 bridge=bridge1
/interface bridge port add interface=ether3 bridge=bridge1
/interface bridge port add interface=ether4 bridge=bridge1
/interface bridge port add interface=ether5 bridge=bridge1
/interface bridge port add interface=wlan1 bridge=bridge1

 

# WAN address on ether1 and LAN gateway address on the bridge (the WAN /30 is a
# per-client example value).
/ip address add interface=ether1 address=201.158.2.214/30
/ip address add interface=bridge1 address=192.168.1.1/24

# Default route via the ISP side of the /30.
/ip route add gateway=201.158.2.213 distance=1

 

# Upstream DNS resolvers used by the router itself.
# allow-remote-requests is not enabled here, so the router is not expected to act as a
# resolver for clients; if it is enabled later, the input chain's final drop keeps the
# WAN side from using it, but every LAN host in the admin address-list can.
/ip dns set servers=201.158.0.11,201.158.4.11

 

# DHCP for the LAN: address pool, the server bound to the bridge, and the options
# handed out (gateway only).
# NOTE(review): no dns-server= is set on the network entry, so what clients receive for
# DNS depends on RouterOS defaults (presumably the /ip dns servers) — verify on a client.
/ip pool add name=pool1 ranges=192.168.1.10-192.168.1.254
/ip dhcp-server add name=dhcp1 interface=bridge1 address-pool=pool1 disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1

 

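# Wireless AP on wlan1 (bridged into the LAN above).
# Fixes vs. the original:
#  - the pre-shared key was a fixed value written into this document, i.e. the same
#    key on every client router and effectively public; it is now a placeholder that
#    must be generated per client (long, random, stored in the password manager).
#  - WPS is explicitly disabled (drop the parameter if the build predates wps-mode).
#  - ciphers are pinned to AES-CCMP so a future default change cannot re-enable TKIP.
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge frequency=auto ssid=ADVANCE wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=<CLAVE-WPA2-UNICA-POR-CLIENTE> supplicant-identity=MikroTik
# NOTE(review): Wi-Fi clients land on bridge1 and therefore inside the "IPs Permitidas
# Admin RTR" range of the firewall section; a compromised Wi-Fi client can manage the router.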

 

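# Firewall rules.
# Address lists: "IPs Permitidas Admin RTR" = who may reach the router itself (input
# chain); "Acceso a Internet" = who may be forwarded through it (forward chain).
# NOTE(review): the whole 192.168.1.0/24 — including the Wi-Fi clients on bridge1 —
# gets unrestricted access to every router service through the admin rule below;
# narrow the list to a management host/VLAN where the deployment allows it.
/ip firewall address-list
add address=192.168.1.0/24 list="IPs Permitidas Admin RTR"
add address=201.158.0.0/26 list="IPs Permitidas Admin RTR"
add address=192.168.1.0/24 list="Acceso a Internet"

/ip firewall filter
# --- input: traffic addressed to the router ---
add action=accept chain=input comment="IN - Permitir conexiones establecidas y relacionadas" connection-state=established,related
add action=drop chain=input comment="IN - Rechazar conexiones invalidas" connection-state=invalid
add action=drop chain=input comment="Detecta y descarta las conexiones de port scan" protocol=tcp psd=10,3s,3,1
add action=tarpit chain=input comment="Suprime los ataques DoS" connection-limit=3,32 protocol=tcp src-address-list=black_list
# Fix: exclude the admin ranges from automatic blacklisting. The original counted every
# TCP source, so an admin host holding more than 10 connections to the router (a couple
# of Winbox plus SSH sessions) was put in black_list and tarpitted for a day. The action
# is non-terminating, so matching packets still continue down the chain.
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="Detecta los ataques DoS" connection-limit=10,32 protocol=tcp src-address-list="!IPs Permitidas Admin RTR"
add action=jump chain=input comment="Salto al chain ICMP" jump-target=ICMP protocol=icmp
# Accepts any protocol and port from the admin ranges; the address= restriction on
# /ip service is the second layer for SSH/Winbox.
add action=accept chain=input comment="IN - IPs permitidas admin RTR" src-address-list="IPs Permitidas Admin RTR"
add action=drop chain=input comment="IN - descartar todo lo demas"
# --- ICMP: only the listed types, each rate-limited to 5 packets/s ---
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
# --- forward: traffic passing through the router ---
add action=accept chain=forward comment="FWD - Permitir conexiones establecidas y relacionadas" connection-state=established,related
add action=drop chain=forward comment="FWD - Rechazar conexiones invalidas" connection-state=invalid
add action=jump chain=forward comment="FWD - Salto a ICMP" jump-target=ICMP protocol=icmp
add action=accept chain=forward comment="FWD - Acceso a Internet" src-address-list="Acceso a Internet"
# NOTE: only LAN-sourced new connections are forwarded. A dst-nat port forward (see the
# port-forward section) is dropped here unless an accept for connection-nat-state=dstnat
# is placed in front of this rule.
add action=drop chain=forward comment="FWD - Descartar todo lo demas"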

 

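# Change the administrative password.
# Fix: the template shipped a fixed six-character keyboard-walk password that every
# router built from this document would share (and that anyone reading it knows).
# Use a unique, long, randomly generated password per device and keep it in the
# password manager — never in this template.
# The original addressed the user as numbers=0 (the first entry, i.e. the built-in admin).
/user
set [ find name=admin ] password=<CONTRASENA-UNICA-POR-EQUIPO>
# NOTE(review): consider creating a dedicated full-group user restricted with
# allowed-address= to the management ranges and disabling the default "admin" account
# once the new login has been verified from a second session.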

 

# Bandwidth cap for the whole LAN bridge: 4 Mbit/s up and 4 Mbit/s down.
/queue simple add name=target1 target=bridge1 max-limit=4M/4M

# Source NAT: everything leaving through the WAN port is masqueraded behind ether1's
# address (the forward chain decides which sources are allowed out).
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

 

# SNMP: rename the default community (never leave "public") and restrict it to the
# monitoring network; the default community is read-only unless write-access is set.
/snmp community set [ find default=yes ] name=AbaNet-Pub addresses=201.158.0.0/26
/snmp set enabled=yes contact=sitemaster location=ADVANCE
# NOTE(review): SNMP v1/v2c send the community string in cleartext and this template makes
# it a value shared by every client router and known to every reader of this document.
# If the NMS supports it, move to SNMPv3 (security=private with authentication and
# encryption passwords on the community); the address restriction above still applies.

 

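# Disable the services that are not used and restrict the ones that remain.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Moving SSH/Winbox to non-default ports only cuts log noise; it is not a control.
# The address= restriction mirrors the "IPs Permitidas Admin RTR" firewall list so the
# services stay unreachable even if the input filter is later loosened or removed.
set ssh port=8022 address=192.168.1.0/24,201.158.0.0/26
set winbox port=8299 address=192.168.1.0/24,201.158.0.0/26
# NOTE(review): this section covers IP services only. MAC-level access (/tool mac-server
# and /tool mac-server mac-winbox), /tool bandwidth-server and /ip neighbor discovery are
# not touched here and are, by default, reachable on every interface — review them too.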

# Boot fallback: if the active partition fails to boot, the board falls back to
# Etherboot (network boot, i.e. Netinstall) instead of hanging.
# NOTE(review): in that state anyone on the Ethernet segment of the boot port can reflash
# the device; acceptable only where physical/segment access to the router is controlled.
/partitions set 0 fallback-to=etherboot

 

# NTP client — correct time matters for logs, certificates and the dated backup file names.
# 216.239.35.0 appears to be a Google public NTP address — confirm; 201.158.0.40 is
# presumably the ISP's own server. Plain NTP is unauthenticated.
/system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=201.158.0.40

 

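# Weekly backup script: saves a binary backup named <identity>-<yyyymmmdd>.backup, uploads
# it to the backup server and then deletes the local copy.
# Fixes vs. the original:
#  - the upload used a literal password that differed from the one stored in the
#    variable (the two values in the original did not match), and ignored the
#    ftpusername/ftphostname variables; the fetch now uses the variables only.
#  - credentials were :global — globals persist in /system script environment and are
#    readable by any user with read policy; they are :local now, and the password is a
#    placeholder to be filled per deployment instead of a fixed value in this document.
#  - upload/cleanup runs inside :do/on-error so a failed upload is logged and the
#    local backup is kept instead of the script aborting silently.
#  - unused variable thistime removed; script/scheduler policy trimmed to what the
#    commands plausibly need (reboot, policy, password, sniff, romon were unrelated).
#    If the scheduler logs a policy error, add back only the policy it names.
# NOTE(review): the backup file contains every secret on the router (Wi-Fi PSK, IPsec
# PSK, user credentials) and mode=ftp ships it in cleartext. On builds that support it,
# add password= to /system backup save and/or switch fetch to an sftp/https endpoint.
# NOTE(review): the :pick offsets assume the RouterOS 6 date format mmm/dd/yyyy;
# newer releases return yyyy-mm-dd, which would produce meaningless names — verify.
/system script
add name=FTP-Backup owner=admin policy=ftp,read,write,test,sensitive source=":log info \"Starting Automatic Backup Script\"\r\
    \n:local ftpusername \"abanetbkp\"\r\
    \n:local ftpuserpassword \"<CONTRASENA-FTP-RESPALDO>\"\r\
    \n:local ftphostname \"201.158.0.19\"\r\
    \n\r\
    \n:log info \"\$ftphostname\"\r\
    \n\r\
    \n:log info \"Get Date\"\r\
    \n:local thisdate [/system clock get date]\r\
    \n:log info \"\$thisdate\"\r\
    \n:local datetimestring ([:pick \$thisdate 7 11] . [:pick \$thisdate 0 3] . [:pick \$thisdate 4 6])\r\
    \n\r\
    \n:log info \"Set names\"\r\
    \n:local fname2 ([/system identity get name] . \"-\" . \$datetimestring . \".backup\")\r\
    \n:log info \"\$fname2\"\r\
    \n\r\
    \n:log info \"Starting Backup\"\r\
    \n/system backup save name=\"\$fname2\"\r\
    \n:log info message=\"System backup finished.\"\r\
    \n:log info \"Please wait...!!!\"\r\
    \n:delay 5s\r\
    \n:log info \"Sending Backup Mikrotik to FTP Server....\"\r\
    \n:do {\r\
    \n    /tool fetch address=\$ftphostname src-path=\$fname2 user=\$ftpusername password=\$ftpuserpassword port=21 upload=yes mode=ftp dst-path=\"mikrotik_backup/\$fname2\"\r\
    \n    :delay 1\r\
    \n    /file remove \"\$fname2\"\r\
    \n    :log info \"Finished Backup Script!!!!\"\r\
    \n} on-error={\r\
    \n    :log error (\"Backup upload of \" . \$fname2 . \" to \" . \$ftphostname . \" failed; file kept on the router\")\r\
    \n}"

# Run once a week, first run at boot. The scheduler policy must be a superset of the
# script policy, so it carries the same trimmed set.
/system scheduler
add name=schedule1 interval=1w start-time=startup on-event=FTP-Backup policy=ftp,read,write,test,sensitive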

 


##############################          FIN           #####################################

 

########################        AGREGAR VLAN 42       ##################################

 

 

# VLAN 42 (VoIP): a tagged sub-interface on every Ethernet port, all joined in one bridge
# so VLAN 42 traffic passes between ports. The bridge has no IP address and no filter
# rules of its own — it is pure L2 transit.
# NOTE(review): ether2-ether5 are already member ports of bridge1 in the base config;
# whether VLAN sub-interfaces on bridge slave ports behave as intended depends on the
# RouterOS bridge implementation in use — confirm on the target version.
/interface vlan
add name=et1_42_VoIP vlan-id=42 interface=ether1
add name=et2_42_VoIP vlan-id=42 interface=ether2
add name=et3_42_VoIP vlan-id=42 interface=ether3
add name=et4_42_VoIP vlan-id=42 interface=ether4
add name=et5_42_VoIP vlan-id=42 interface=ether5

/interface bridge
add name=42_VoIP

/interface bridge port
add interface=et1_42_VoIP bridge=42_VoIP
add interface=et2_42_VoIP bridge=42_VoIP
add interface=et3_42_VoIP bridge=42_VoIP
add interface=et4_42_VoIP bridge=42_VoIP
add interface=et5_42_VoIP bridge=42_VoIP

 

######################################    FIN      ###################################

 

############################    REDIRECCIONAR UN PUERTO (PORT FORWARDING)  ##########################

 

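# Ask the client for: external port, internal port, protocol and private IP.
# Fixes vs. the original example:
#  - in-interface=ether1 (or dst-address=<WAN IP>) is required: without it the rule
#    matched LAN-originated traffic to that port as well and redirected it to 192.168.1.10.
#  - port 80 is an HTTP example, so protocol=tcp (the original said udp); use whatever
#    protocol the client actually requests.
#  - the base firewall's forward chain only accepts LAN-sourced traffic, so the forwarded
#    connection was dropped by "FWD - Descartar todo lo demas"; the accept below lets
#    dst-nat'ed connections from the WAN through (on builds without connection-nat-state,
#    match on dst-address=192.168.1.10 protocol=tcp dst-port=80 instead).
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.10 to-ports=80 comment="DNAT - puerto 80 a 192.168.1.10"

/ip firewall filter
add chain=forward in-interface=ether1 connection-nat-state=dstnat connection-state=new action=accept comment="FWD - Permitir trafico dst-nat entrante" place-before=[ find chain=forward comment="FWD - Descartar todo lo demas" ]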

 

 

######################################   FIN     ####################################

 

################################### CREAR UNA VPN  ##############################

 

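# Site-to-site IPsec (gateway to gateway). Both ends must use the same settings.
# Fixes vs. the original example:
#  - main mode instead of aggressive: aggressive mode with a PSK sends the identity hash
#    in the clear, which allows offline brute force of the secret.
#  - AES-256 / SHA-256 / modp2048 instead of 3DES / SHA-1 / modp1024, which are deprecated.
#  - the PSK is a per-tunnel placeholder, not a fixed value written in this document.
#  - sa-src-address must be THIS router's WAN address; the base config puts 201.158.2.214
#    on ether1, whereas the original used 201.158.0.8 (a template value).
# NOTE(review): on RouterOS 6.44 and later the secret and exchange settings moved to
# /ip ipsec identity and /ip ipsec profile; adapt the peer line to that layout.
/ip ipsec proposal
set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=28800

/ip ipsec peer
add address=201.158.5.66 exchange-mode=main secret=<PSK-UNICA-POR-TUNEL> hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=28800

/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=172.16.0.0/24 action=encrypt ipsec-protocols=esp tunnel=yes sa-src-address=201.158.2.214 sa-dst-address=201.158.5.66 proposal=default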

 

 

 

####################################    FIN     #####################################

 

 

############################   CAMBIAR A MODO BRIDGE ############################

 

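# Bridge mode: the Mikrotik passes the client's VLAN through at L2; management on VLAN 50.
# Before starting: find the client's VLAN id (XXX) and pick the router's management
# address on VLAN 50.
/system identity
set name=CLIENTE

# Client VLAN and management VLAN, both tagged on the uplink (ether1).
/interface vlan
add name=eth1_XXX_CLIENTE vlan-id=XXX interface=ether1
add name=eth1_50_ADMINISTRACION vlan-id=50 interface=ether1

/interface bridge
add name=XXX_CLIENTE
add name=50_ADMINISTRACION

# Client bridge: the tagged uplink VLAN plus the untagged LAN ports.
/interface bridge port
add bridge=XXX_CLIENTE interface=eth1_XXX_CLIENTE
add bridge=XXX_CLIENTE interface=ether2
add bridge=XXX_CLIENTE interface=ether3
add bridge=XXX_CLIENTE interface=ether4
add bridge=XXX_CLIENTE interface=ether5
# Fix: the original created the 50_ADMINISTRACION bridge but never attached VLAN 50 to
# it, and the management address below had no interface= at all.
add bridge=50_ADMINISTRACION interface=eth1_50_ADMINISTRACION

# Management address on VLAN 50 (172.16.50.0/23, gateway 172.16.50.1).
/ip address
add address=172.16.5X.XXX/23 interface=50_ADMINISTRACION

/ip route
add distance=1 gateway=172.16.50.1

# NOTE(review): nothing in this section filters the input chain or restricts /ip service.
# Applied to a clean device, the management address on VLAN 50 is reachable by every host
# on that VLAN with all services open; reapply the input rules (admin address-list plus
# final drop) and the service restrictions from the base configuration.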

 

#####################################   FIN   ######################################

 

############################   ASIGNACION DE UNA VLAN ############################

 

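# Assign a VLAN to a client: tagged sub-interface on port etherX, a bridge for it, and
# a public /30 on the bridge.
/interface vlan
add name=etX_XXX_CLIENTE vlan-id=XXX interface=etherX

/interface bridge
add name=XXX_CLIENTE

# Fix: ports are added under /interface bridge port (the original used /interface bridge,
# which has no bridge= parameter) and the bridge name must match the one created above.
/interface bridge port
add bridge=XXX_CLIENTE interface=etX_XXX_CLIENTE

/ip address
add address=201.158.X.X/30 interface=XXX_CLIENTE

# NOTE(review): this puts a routable address on a client-facing interface with no input
# filter in this section; make sure the base firewall / service restrictions are in place.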

 

#####################################   FIN   ######################################