Jump to content
  • 0

WiFi мрежа за гости с лимит на трафика.

walkingcurs3

Asked by walkingcurs3,

 Share

Question

walkingcurs3 Rookie

walkingcurs3

Posted
Posted

Здравейте, направил съм си WiFi мрежа с гости с уш лимит на скороста. Мрежата е реализирана с втори рутер в AP режим. Той е вързан към 5 порт на микротика, който е сложен в друг бридж. Следвах този туториал но не работи. Пробвах и други ествено без успех. Версията на RouterOS e 7.7 Stable. 

/ip firewall filter
add action=accept chain=input comment="accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=forward comment="drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=no_forward_ipv4
add action=add-src-to-address-list address-list=bruteforce_blacklist address-list-timeout=1d chain=input comment=Blacklist \
    connection-state=new dst-port=80,443,2200,8291 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 address-list-timeout=1h chain=input comment="Third attempt" \
    connection-state=new dst-port=80,443,2200,8291 protocol=tcp src-address-list=connection2,!secured
add action=add-src-to-address-list address-list=connection2 address-list-timeout=15m chain=input comment="Second attempt" \
    connection-state=new dst-port=80,443,2200,8291 protocol=tcp src-address-list=connection1
add action=add-src-to-address-list address-list=connection1 address-list-timeout=5m chain=input comment="First attempt" \
    connection-state=new dst-port=80,443,2200,8291 protocol=tcp
add action=accept chain=input dst-port=80,443,2200,8291 protocol=tcp src-address-list=!bruteforce_blacklist
add action=drop chain=forward comment="Network isolation" dst-address=192.168.20.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment="Network isolation" dst-address=192.168.10.0/24 src-address=192.168.20.0/24

/ip firewall nat
add action=accept chain=srcnat comment="accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment=masquerade out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.10.0/24 to-addresses=192.168.10.1 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.20.0/24 to-addresses=192.168.20.1 to-ports=53

/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=upload_connection passthrough=yes src-address=192.168.20.0/24
add action=mark-packet chain=prerouting connection-mark=upload_connection new-packet-mark=upload_packages passthrough=no
add action=mark-connection chain=postrouting dst-address=192.168.20.0/24 new-connection-mark=download_connection passthrough=yes
add action=mark-packet chain=postrouting connection-mark=download_connection new-packet-mark=download_packages passthrough=no

/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 \
    in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=local_ip in-interface-list=\
    WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address-list=\
    !local_ip
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp

/queue tree
add max-limit=15M name=Guest-Limit parent=global
add max-limit=2M name=upload_limit packet-mark=upload_packages parent=Guest-Limit
add max-limit=13M name=download_limit packet-mark=download_packages parent=Guest-Limit

Качил съм целия firewall. Някакви идей как да го оправя ?

Link to comment
Share on other sites

0 answers to this question

Recommended Posts

There have been no answers to this question yet

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to question listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept