
[Graduate School] MikroTik RouterOS learning (continuously updated)

cowcow728123 wrote:
Firewall ...(snipped)
/ip firewall mangle
[screenshots of mangle rules 15, 16, 17, 18 and 19; images not preserved]

cowcow728123 wrote:
Firewall ...(snipped)
/ip firewall filter
[screenshots of filter rules 0, 5, 6, 7, 8, 9, 10 and 11; images not preserved]

# may/31/2018 21:12:59 by RouterOS 6.42.3
#
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = ...
/ip firewall address-list
add address=216.218.128.0/17 comment="216.218.206.66/70/82 trying ipsec" \
disabled=yes list=blacklist.local
add address=10.0.0.0/8 list=Lan
add address=192.168.30.0/24 list=Lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="local area network" src-address-list=\
Lan
add action=accept chain=input disabled=yes dst-port=53 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input disabled=yes dst-port=443 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=jump chain=input comment="Filter Input" connection-state=\
invalid,new jump-target=filter-input protocol=tcp
add action=jump chain=input connection-state=invalid,new jump-target=\
filter-input protocol=udp
add action=jump chain=input connection-state=new jump-target=filter-input \
protocol=icmp
add action=reject chain=filter-input comment="VPN Server" reject-with=\
icmp-admin-prohibited src-address-list=Scanners
add action=return chain=filter-input dst-port=1723,443,1194 protocol=tcp
add action=return chain=filter-input dst-port=500,1701,4500 protocol=udp
add action=reject chain=filter-input comment="Undefined discard packets" \
reject-with=icmp-network-unreachable
add action=accept chain=input comment="allow IKE, l2tp , IPsec NAT" dst-port=\
500,1701,4500 protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="port scanners" src-address-list=\
"port scanners"
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=jump chain=input comment="vpn point" connection-state=new \
jump-target=vpn-point
add action=return chain=vpn-point src-address-list=Scanners
add action=return chain=vpn-point src-address-list=temp
add action=add-src-to-address-list address-list=temp address-list-timeout=2m \
chain=vpn-point dst-port=1723,443,1194 protocol=tcp
add action=add-src-to-address-list address-list=temp address-list-timeout=2m \
chain=vpn-point dst-port=500,1701,4500 protocol=udp




Is this right?
cowcow728123 wrote:
# may/31/2018...(snipped)


The /ip firewall filter order is roughly like this
(but I guess there are 3 floating rules at the very top, so the numbers would need +3)

The ones marked with an X at the front need to be disabled; please disable them.
(What I gave you is already the complete firewall filter setup, so the others are no longer needed.)

Also, in item 12, besides the original 1723,443,1194... you can add 8291 at the end.
8291 is the WinBox port; if your router needs remote assistance, this port has to be open for that to work.
gfx wrote:
# v6.41 and later

#RB450G
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether1 pvid=100
add bridge=bridge1 interface=ether2 pvid=200
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether4 pvid=100

/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1,ether4 vlan-ids=100
add bridge=bridge1 tagged=ether5 untagged=ether2,ether3 vlan-ids=200

/interface vlan
add interface=bridge1 name=WAN vlan-id=100

/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0

/ip dhcp-server
add address-pool=dhcp-pool authoritative=after-2sec-delay interface=ether2 name=DHCP


/interface pppoe-client
add allow=pap interface=WAN keepalive-timeout=60 profile=default name=pppoe-out1 password=xxxx user=xxxx

/interface bridge set bridge1 vlan-filtering=yes

A question for DFX...
First, thanks to DFX for answering my question in the Elementary School thread about using VLANs to set up MOD.
I may not have expressed myself clearly there.
What I actually want is to chain an rb750gr3 and an rb260gsp together:
rb750gr3 port1 to the ISP modem (小烏龜), port2~4 to PCs, port5 to the rb260gsp's port5 via VLAN
rb260gsp port1~port3 to PCs, port4 to the MOD

Right now I have only configured the rb750gr3, exactly the same as your RB450G settings (to practise first)

But the dhcp-server line (in red) above gives an error: couldn't add new dhcp server - can not run on slave interface
Also, do I need to create a dhcp-pool beforehand???

So at the moment only the dhcp-server part is not configured
Result: a PC on rb750gr3 port2 or port3 cannot reach the rb750gr3 (192.168.88.1); its IP shows as 169.254.x.x
A PC on rb750gr3 port4 can reach the rb750gr3 (192.168.88.1); its IP shows as 192.168.1.x
A PC on rb750gr3 port5 can reach the rb750gr3 (192.168.88.1); its IP shows as 169.254.x.x

What I want to know is why, having followed the settings (except for the unused dhcp-server), a PC on rb750gr3 port2 or port3 cannot get online through pppoe-out1?

The screenshot was taken with the PC on rb750gr3 port5




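On RouterOS 6.41 and later a bridge port such as ether2 is a slave interface, which is what the "can not run on slave interface" error refers to: the router's own address and DHCP server have to sit on bridge1 or on a VLAN interface on bridge1, and bridge1 (the CPU port) has to be a tagged member of that VLAN in /interface bridge vlan, otherwise frames from the ports in that VLAN never reach the router. The following is an added example, not part of this thread and not gfx's configuration: it is the RB450G layout quoted above with the LAN address and DHCP server moved onto a VLAN interface for VLAN 200. The interface name LAN, the pool range, the DHCP network values, the DNS and masquerade lines are assumptions.

```routeros
# Added example (not from the thread): RB450G-style bridge VLAN layout for RouterOS 6.41+
# with the LAN (VLAN 200) address and DHCP server on a VLAN interface on bridge1.
# Interface names LAN/WAN, the pool range, DNS and NAT settings are assumptions.

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether1 pvid=100
add bridge=bridge1 interface=ether2 pvid=200
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether4 pvid=100

# bridge1 is the CPU port: it must be a tagged member of every VLAN the router itself talks on
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1,ether4 vlan-ids=100
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether2,ether3 vlan-ids=200

# L3 interfaces sit on bridge1, never on a bridge port (a port is a slave interface)
/interface vlan
add interface=bridge1 name=WAN vlan-id=100
add interface=bridge1 name=LAN vlan-id=200

/ip address
add address=192.168.88.1/24 interface=LAN network=192.168.88.0

# the pool must exist before the DHCP server that references it
/ip pool
add name=dhcp-pool ranges=192.168.88.10-192.168.88.254

/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

/ip dhcp-server
add address-pool=dhcp-pool authoritative=after-2sec-delay interface=LAN name=DHCP

# let LAN clients use the router as resolver (assumed; any upstream resolver works too)
/ip dns set allow-remote-requests=yes

/interface pppoe-client
add allow=pap interface=WAN keepalive-timeout=60 profile=default name=pppoe-out1 password=xxxx user=xxxx

# LAN clients reach the Internet through the PPPoE session (assumed; not shown in the thread)
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade

# enable filtering only after the VLAN table is complete, otherwise the router can lock itself out
/interface bridge set bridge1 vlan-filtering=yes
```

With this layout a PC on ether2 or ether3 is untagged into VLAN 200, reaches 192.168.88.1 on the LAN interface and gets a lease from dhcp-pool; ether1 and ether4 stay in the modem's VLAN 100, which is why a PC on port4 was getting a 192.168.1.x address from the modem in the symptoms above.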

Script not working: vpn-server

=== my vpn-server ===
:global active
:global vpn

:local logout
:foreach i in=[/ip firewall address-list find dynamic list=temp] \
do={
:local client [/ip firewall address-list get $i address]
:local online false

:if ([:typeof [:find [:toarray $active] $client]]="num") \
do={:set online true ; :do {/ip firewall address-list add list=mobile address=$client timeout=1d} on-error{}}

:if ($online) \
do={/ip firewall address-list remove $i} \
else={:if ([:len $logout]=0) do={:set logout $i} else={:set logout ($logout.",".$i)}}
}
:set active

:local scanners [:len [:toarray $logout]]
:foreach i in=[:toarray $logout] \
do={
:if ([/ip firewall address-list get $i timeout]<0:1:0) \
do={
/ip firewall address-list add list=Scanners address=[/ip firewall address-list get $i address] timeout=7d
/ip firewall address-list remove $i; :set scanners ($scanners-l)
}
}
:if ($scanners>0) do={:set vpn ($vpn-1)}


cowcow728123 wrote:
Script not...(snipped)


# scheduler script (its name is not given in the post): compares the byte counters of the two
# vpn-point mangle rules with the value stored in $vpn; any change means a new hit on the VPN
# ports, so vpn-server is run to sort the new temp entries
:global vpn
:if ([:typeof $vpn]!="num") do={:set vpn 0}

:local tcp [/ip firewall mangle get [find dst-port="1723,443,1194"] byte]
:local udp [/ip firewall mangle get [find dst-port="1701,500,4500"] byte]

:local total ($tcp+$udp)
:if ($vpn!=$total) do={:set vpn $total ; /system script run vpn-server}


# vpn-clients (name inferred from the "/system script run vpn-clients" calls below):
# collects the caller-id of every active PPP session into the global $active
:global active
:foreach i in=[/ppp active find] \
do={
:local vpnc [/ppp active get $i caller-id]
:if ([:len $active]=0) \
do={:set active $vpnc} \
else={:if ([:typeof [:find $active $vpnc]]="nil") do={:set active ($active.",".$vpnc)}}
}
:if ([:len [/ip firewall address-list find list=temp]]=0) do={:set active}


# vpn-server: a temp entry whose address is in $active logged in, so it moves to "mobile" for 1d;
# an entry that did not log in and has under one minute of its 2m timeout left moves to "Scanners" for 7d
:global active
:global vpn

:local logout
:foreach i in=[/ip firewall address-list find dynamic list=temp] \
do={
:local client [/ip firewall address-list get $i address]
:local online false

:if ([:typeof [:find [:toarray $active] $client]]="num") \
do={:set online true ; :do {/ip firewall address-list add list=mobile address=$client timeout=1d} on-error={}}

:if ($online) \
do={/ip firewall address-list remove $i} \
else={:if ([:len $logout]=0) do={:set logout $i} else={:set logout ($logout.",".$i)}}
}
:set active

:local scanners [:len [:toarray $logout]]
:foreach i in=[:toarray $logout] \
do={
:if ([/ip firewall address-list get $i timeout]<0:1:0) \
do={
/ip firewall address-list add list=Scanners address=[/ip firewall address-list get $i address] timeout=7d
/ip firewall address-list remove $i ; :set scanners ($scanners-1)
}
}
:if ($scanners>0) do={:set vpn ($vpn-1)}



# the two lines below run from the PPP profile's on-up / on-down scripts (an assumption; the post
# does not say where they go); $interface is the tunnel interface the profile script is given
:if ([/interface get $interface type]~"in") do={/system script run vpn-clients}
/system script run vpn-clients





gfx wrote:
:global vpn...(snipped)


Thank you, boss!
It turns out I had typed a lot of things wrong; some "... true;" needed a bit more spacing, "... true ;"
It can now move the temp entries into Scanners.

But when I log in by VPN from my phone it goes into the mobile list, yet sometimes it also ends up in the Scanners list?
I don't understand!?

Thanks, boss

cowcow728123 wrote:
Thank you, boss! It turns out I had...(snipped)
Sorry, the information I gave you was missing something...
This item in /ip firewall mangle:


needs the following added:


That way the addresses of VPN clients that have already connected successfully (mobile) won't be caught into the temp list again and re-verified.
Once that's done, please clear the mobile/Scanners list entries first, then test the VPN verification again.
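The screenshot of the rule gfx describes is not preserved. As an added example, not the content of that screenshot and not gfx's configuration, here is the vpn-point chain from cowcow728123's export above extended with a return for src-address-list=mobile. Its placement before the two add-src-to-address-list rules follows from the description (a verified client must be skipped before it can be re-added to temp) but is an assumption, as is the comment text.

```routeros
# Added example (not from the thread): vpn-point chain with a return for already-verified clients.
# Placing the "mobile" return ahead of the add-src-to-address-list rules is an assumption.
/ip firewall mangle
add action=jump chain=input comment="vpn point" connection-state=new \
    jump-target=vpn-point
# known scanners and addresses still under verification are skipped
add action=return chain=vpn-point src-address-list=Scanners
add action=return chain=vpn-point src-address-list=temp
# a client that already completed a VPN login (put into "mobile" by the vpn-server script)
# must not land in temp again, or a later timer run can classify it as a scanner
add action=return chain=vpn-point comment="verified VPN clients" src-address-list=mobile
add action=add-src-to-address-list address-list=temp address-list-timeout=2m \
    chain=vpn-point dst-port=1723,443,1194 protocol=tcp
add action=add-src-to-address-list address-list=temp address-list-timeout=2m \
    chain=vpn-point dst-port=500,1701,4500 protocol=udp

# reset the lists before re-testing, as recommended above, then watch how a client moves
/ip firewall address-list remove [find list=mobile]
/ip firewall address-list remove [find list=Scanners]
/ip firewall address-list print where list~"temp|mobile|Scanners"
```

The rule order matters: the return for mobile is evaluated on every new connection to the VPN ports, so once a client has logged in, its rekeys and reconnects never touch the temp list or the byte counters the scheduler script watches.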

