Здравейте, направил съм си WiFi мрежа с гости с уш лимит на скороста. Мрежата е реализирана с втори рутер в AP режим. Той е вързан към 5 порт на микротика, който е сложен в друг бридж. Следвах този туториал но не работи. Пробвах и други ествено без успех. Версията на RouterOS e 7.7 Stable.
/ip firewall filter
add action=accept chain=input comment="accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
add action=drop chain=forward comment="drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=no_forward_ipv4
add action=add-src-to-address-list address-list=bruteforce_blacklist address-list-timeout=1d chain=input comment=Blacklist \
connection-state=new dst-port=80,443,2200,8291 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 address-list-timeout=1h chain=input comment="Third attempt" \
connection-state=new dst-port=80,443,2200,8291 protocol=tcp src-address-list=connection2,!secured
add action=add-src-to-address-list address-list=connection2 address-list-timeout=15m chain=input comment="Second attempt" \
connection-state=new dst-port=80,443,2200,8291 protocol=tcp src-address-list=connection1
add action=add-src-to-address-list address-list=connection1 address-list-timeout=5m chain=input comment="First attempt" \
connection-state=new dst-port=80,443,2200,8291 protocol=tcp
add action=accept chain=input dst-port=80,443,2200,8291 protocol=tcp src-address-list=!bruteforce_blacklist
add action=drop chain=forward comment="Network isolation" dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment="Network isolation" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
/ip firewall nat
add action=accept chain=srcnat comment="accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment=masquerade out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.10.0/24 to-addresses=192.168.10.1 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.20.0/24 to-addresses=192.168.20.1 to-ports=53
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=upload_connection passthrough=yes src-address=192.168.20.0/24
add action=mark-packet chain=prerouting connection-mark=upload_connection new-packet-mark=upload_packages passthrough=no
add action=mark-connection chain=postrouting dst-address=192.168.20.0/24 new-connection-mark=download_connection passthrough=yes
add action=mark-packet chain=postrouting connection-mark=download_connection new-packet-mark=download_packages passthrough=no
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 \
in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=local_ip in-interface-list=\
WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address-list=\
!local_ip
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/queue tree
add max-limit=15M name=Guest-Limit parent=global
add max-limit=2M name=upload_limit packet-mark=upload_packages parent=Guest-Limit
add max-limit=13M name=download_limit packet-mark=download_packages parent=Guest-Limit
Качил съм целия firewall. Някакви идей как да го оправя ?
Въпрос
walkingcurs3
Здравейте, направил съм си WiFi мрежа с гости с уш лимит на скороста. Мрежата е реализирана с втори рутер в AP режим. Той е вързан към 5 порт на микротика, който е сложен в друг бридж. Следвах този туториал но не работи. Пробвах и други ествено без успех. Версията на RouterOS e 7.7 Stable.
/ip firewall filter add action=accept chain=input comment="accept ICMP after RAW" protocol=icmp add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=forward comment="drop invalid" connection-state=invalid add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \ in-interface-list=WAN add action=drop chain=forward comment="drop bad forward IPs" src-address-list=no_forward_ipv4 add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=no_forward_ipv4 add action=add-src-to-address-list address-list=bruteforce_blacklist address-list-timeout=1d chain=input comment=Blacklist \ connection-state=new dst-port=80,443,2200,8291 protocol=tcp src-address-list=connection3 add action=add-src-to-address-list address-list=connection3 address-list-timeout=1h chain=input comment="Third attempt" \ connection-state=new dst-port=80,443,2200,8291 protocol=tcp src-address-list=connection2,!secured add action=add-src-to-address-list address-list=connection2 address-list-timeout=15m chain=input comment="Second attempt" \ connection-state=new dst-port=80,443,2200,8291 protocol=tcp src-address-list=connection1 add action=add-src-to-address-list address-list=connection1 address-list-timeout=5m chain=input comment="First attempt" \ connection-state=new dst-port=80,443,2200,8291 protocol=tcp add action=accept chain=input dst-port=80,443,2200,8291 protocol=tcp src-address-list=!bruteforce_blacklist add action=drop chain=forward comment="Network isolation" dst-address=192.168.20.0/24 src-address=192.168.10.0/24 add action=drop chain=forward comment="Network isolation" dst-address=192.168.10.0/24 src-address=192.168.20.0/24 /ip firewall nat add action=accept chain=srcnat comment="accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec add action=masquerade chain=srcnat comment=masquerade out-interface-list=WAN add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.10.0/24 to-addresses=192.168.10.1 to-ports=53 add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.20.0/24 to-addresses=192.168.20.1 to-ports=53 /ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=upload_connection passthrough=yes src-address=192.168.20.0/24 add action=mark-packet chain=prerouting connection-mark=upload_connection new-packet-mark=upload_packages passthrough=no add action=mark-connection chain=postrouting dst-address=192.168.20.0/24 new-connection-mark=download_connection passthrough=yes add action=mark-packet chain=postrouting connection-mark=download_connection new-packet-mark=download_packages passthrough=no /ip firewall raw add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 \ in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68 add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4 add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4 add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4 add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4 add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4 add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=local_ip in-interface-list=\ WAN add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address-list=\ !local_ip add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN add action=drop chain=prerouting comment="defconf: drop the rest" add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp /queue tree add max-limit=15M name=Guest-Limit parent=global add max-limit=2M name=upload_limit packet-mark=upload_packages parent=Guest-Limit add max-limit=13M name=download_limit packet-mark=download_packages parent=Guest-LimitКачил съм целия firewall. Някакви идей как да го оправя ?
Адрес на коментара
Сподели в други сайтове
0 отговори на този въпрос
Recommended Posts
Създайте нов акаунт или се впишете, за да коментирате
За да коментирате, трябва да имате регистрация
Създайте акаунт
Присъединете се към нашата общност. Регистрацията става бързо!
Регистрация на нов акаунтВход
Имате акаунт? Впишете се оттук.
Вписване