
I can't get the hEX S working


Huku_911

Question

Hi folks, I decided to upgrade my home network with a hEX S and I'm having trouble getting it working. I cloned the MAC from the old router, and I can see that it gets an IP from the provider's network, but I don't actually have internet access; I have no ping outside the local network. I exported the settings and have blanked out the serial number and the MAC address. Can anyone suggest a solution to get the router working?

Regards

# jan/02/1970 00:46:34 by RouterOS 6.41.3
# software id = 59SA-20HS
#
# model = RB760iGS
# serial number = ***********
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mac-address=**:**:**:**:**:**
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=15m max-udp-packet-size=768 \
    servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system ntp client
set enabled=yes primary-ntp=195.238.84.23 secondary-ntp=212.233.131.131

 

  • Administrator
13 hours ago, Huku_911 wrote:

Is there anything else I can add as rules to the firewall?

In the MikroTik terminal

/system default-configuration print

the rules are considerably more decent?

Like the post ^^^

The forum is for mutual help, not for getting someone else's work done


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

7 hours ago, 111111 wrote:

In the MikroTik terminal


/system default-configuration print

the rules are considerably more decent?

 

[admin@MikroTik] > /system  default-configuration print    
            script: #| RouterMode:
                    #|  * WAN port is protected by firewall and enabled DHCP cli>
                    #|  * Ethernet interfaces (except WAN port ether1) are part >
                    #| LAN Configuration:
                    #|     IP address 192.168.88.1/24 is set on bridge (LAN port)
                    #|     DHCP Server: enabled;
                    #| WAN (gateway) Configuration:
                    #|     gateway:  ether1 ;
                    #|     ip4 firewall:  enabled;
                    #|     NAT:   enabled;
                    #|     DHCP Client: enabled;
                    #|     DNS: enabled;
                    
                    :log info Starting_defconf_script_;
                    #----------------------------------------------------------->
                    # Apply configuration.
                    # these commands are executed after installation or configur>
                    #----------------------------------------------------------->
                    :if ($action = "apply") do={
                    # wait for interfaces
                    :local count 0; 
                    :while ([/interface ethernet find] = "") do={ 
                    :if ($count = 30) do={

I also added rules for dropping port scanners, described here: https://wiki.mikrotik.com/wiki/Drop_port_scanners

I wonder how they sniffed me out so quickly? What I noticed is that my speed improved significantly; before this I was using a Netgear WNDR4300v2, and after replacing it with the MikroTik I see quite a good improvement.

 

  • Administrator

I doubt the anti-scanning rules will register anything if you have put the factory rules in place

 

script: :global ssid;
		#| RouterMode:
		#|  * WAN port is protected by firewall and enabled DHCP client
		#|  * Wireless and Ethernet interfaces (except WAN port ether1)
		#|    are part of LAN bridge
		#| wlan1 Configuration:
		#|     mode:          ap-bridge;
		#|     band:          2ghz-b/g/n;
		#|     ht-chains:     0,1;
		#|     ht-extension:  20/40mhz-Ce;
		#| LAN Configuration:
		#|     IP address 192.168.88.1/24 is set on bridge (LAN port)
		#|     DHCP Server: enabled;
		#| WAN (gateway) Configuration:
		#|     gateway:  ether1 ;
		#|     ip4 firewall:  enabled;
		#|     ip6 firewall:  enabled;
		#|     NAT:   enabled;
		#|     DHCP Client: enabled;
		#|     DNS: enabled;
		
		:log info Starting_defconf_script_;
		#-------------------------------------------------------------------------------
		# Apply configuration.
		# these commands are executed after installation or configuration reset
		#-------------------------------------------------------------------------------
		:if ($action = "apply") do={
		# wait for interfaces
		:local count 0; 
		:while ([/interface ethernet find] = "") do={ 
		:if ($count = 30) do={
		:log warning "DefConf: Unable to find ethernet interfaces";
		/quit;
		}
		:delay 1s; :set count ($count +1); 
		};
		
		  :local count 0;
		  :while ([/interface wireless print count-only] < 1) do={ 
			:set count ($count +1);
			:if ($count = 40) do={
			  :log warning "DefConf: Unable to find wireless interface(s)"; 
			  /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
			  /quit
			}
			:delay 1s;
		  };
		  /interface wireless {
			set wlan1 mode=ap-bridge band=2ghz-b/g/n tx-chains=0,1 rx-chains=0,1 \
			  disabled=no wireless-protocol=802.11 distance=indoors
			:local wlanMac  [/interface wireless get wlan1 mac-address];
			:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
			set wlan1 ssid=$ssid
			set wlan1 frequency=auto
			set wlan1 channel-width=20/40mhz-Ce ;
		  }
		 /interface list add name=WAN comment="defconf"
		 /interface list add name=LAN comment="defconf"
		 /interface bridge
		   add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
		 :local bMACIsSet 0;
		 :foreach k in=[/interface find where !(slave=yes  || name="ether1" || name~"bridge")] do={
		   :local tmpPortName [/interface get $k name];
		   :log info "port: $tmpPortName"
		   :if ($bMACIsSet = 0) do={
			 :if ([/interface get $k type] = "ether") do={
			   /interface bridge set "bridge" auto-mac=no admin-mac=[/interface ethernet get $tmpPortName mac-address];
			   :set bMACIsSet 1;
			 }
		   }
		   /interface bridge port
			 add bridge=bridge interface=$tmpPortName comment=defconf;
		 }
		   /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
		   /ip dhcp-server
			 add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
		   /ip dhcp-server network
			 add address=192.168.88.0/24 gateway=192.168.88.1 comment="defconf";
		  /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
		   /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
		 /interface list member add list=LAN interface=bridge comment="defconf"
		 /interface list member add list=WAN interface=ether1 comment="defconf"
		 /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
		 /ip firewall {
		   filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
		   filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
		   filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
		   filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
		   filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
		   filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
		   filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
		   filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
		   filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
		   filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf:  drop all from WAN not DSTNATed"
		 }
		 /ipv6 firewall {
		   address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
		   address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
		   address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
		   address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
		   address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
		   address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
		   address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
		   address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
		   address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
		   address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
		   address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
		   address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
		   address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
		   filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
		   filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
		   filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
		   filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
		   filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="defconf: accept DHCPv6-Client prefix delegation."
		   filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
		   filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
		   filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
		   filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
		   filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
		   filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
		   filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
		   filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
		   filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
		   filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
		   filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
		   filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
		   filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
		   filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
		   filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
		   filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
		   filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
		 }
		   /ip neighbor discovery-settings set discover-interface-list=LAN
		   /tool mac-server set allowed-interface-list=LAN
		   /tool mac-server mac-winbox set allowed-interface-list=LAN
		 /ip dns {
			 set allow-remote-requests=yes
			 static add name=router.lan address=192.168.88.1
		 }
		
		}
		#-------------------------------------------------------------------------------
		# Revert configuration.
		# these commands are executed if user requests to remove default configuration
		#-------------------------------------------------------------------------------
		:if ($action = "revert") do={
		/user set admin password=""
		 /system routerboard mode-button set enabled=no
		 /system routerboard mode-button set on-event=""
		 /system script remove [find comment~"defconf"]
		 /ip firewall filter remove [find comment~"defconf"]
		 /ipv6 firewall filter remove [find comment~"defconf"]
		 /ipv6 firewall address-list remove [find comment~"defconf"]
		 /ip firewall nat remove [find comment~"defconf"]
		 /interface list member remove [find comment~"defconf"]
		 /interface detect-internet set detect-interface-list=none
		 /interface detect-internet set lan-interface-list=none
		 /interface detect-internet set wan-interface-list=none
		 /interface detect-internet set internet-interface-list=none
		 /interface list remove [find comment~"defconf"]
		 /tool mac-server set allowed-interface-list=all
		 /tool mac-server mac-winbox set allowed-interface-list=all
		 /ip neighbor discovery-settings set discover-interface-list=!dynamic
		   :local o [/ip dhcp-server network find comment="defconf"]
		   :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
		   :local o [/ip dhcp-server find name="defconf" !disabled]
		   :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
		   /ip pool {
			 :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
			 :if ([:len $o] != 0) do={ remove $o }
		   }
		   :local o [/ip dhcp-client find comment="defconf"]
		   :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
		 /ip dns {
		   set allow-remote-requests=no
		   :local o [static find name=router.lan address=192.168.88.1]
		   :if ([:len $o] != 0) do={ static remove $o }
		 }
		 /ip address {
		   :local o [find comment="defconf"]
		   :if ([:len $o] != 0) do={ remove $o }
		 }
		 :foreach iface in=[/interface ethernet find] do={
		   /interface ethernet set $iface name=[get $iface default-name]
		 }
		 /interface bridge port remove [find comment="defconf"]
		 /interface bridge remove [find comment="defconf"]
		 /interface wireless reset-configuration wlan1
		}
		:log info Defconf_script_finished;
		:set ssid;

 

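An added example, not part of the original thread and not MikroTik's own tooling: a small Python audit that reads a RouterOS export like the one in the question and flags what the factory default firewall shown above would have covered, plus two inconsistencies visible in that export. The finding names and the embedded sample (a shortened copy of the posted export) are constructed for illustration, and the parser assumes the flat `/export` layout rather than the nested `/ip firewall { filter add ... }` form of the defconf script.

```python
import re

# Constructed sample: a shortened copy of the export posted in the question.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge1 interface=ether2
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dns
set allow-remote-requests=yes cache-max-ttl=15m max-udp-packet-size=768 \\
    servers=8.8.8.8
"""

def parse_export(text):
    """Map each section path to a list of {key: value} dicts, one per command."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and not line.startswith("#") and current is not None:
            current.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def audit(text):
    """Return finding names (hypothetical labels) for gaps versus the defconf baseline."""
    s, findings = parse_export(text), []
    filt = s.get("/ip firewall filter", [])
    def has_drop(chain):  # heuristic: a drop rule other than "drop invalid"
        return any(r.get("chain") == chain and r.get("action") == "drop"
                   and r.get("connection-state") != "invalid" for r in filt)
    if not has_drop("input"):
        findings.append("no-input-drop")
        # With no input filter the router's DNS cache answers queries on every interface.
        if any(r.get("allow-remote-requests") == "yes" for r in s.get("/ip dns", [])):
            findings.append("dns-resolver-reachable-from-wan")
    if not has_drop("forward"):
        findings.append("no-forward-drop")
    ports = {r.get("interface") for r in s.get("/interface bridge port", [])}
    for r in s.get("/ip address", []):
        if r.get("interface") in ports:  # address belongs on the bridge, not a member port
            findings.append("address-on-bridge-port:" + r["interface"])
    for r in s.get("/interface list member", []):
        if "interface" not in r:
            findings.append("list-member-without-interface:" + r.get("list", "?"))
    return findings
```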