====== Mikrotik ======

{{tag>infrastruktura}}

----

Donated by [[user>mw]]. Currently the heart of the [[network|network infrastructure]]. The password to the [[https://192.168.88.1|admin panel]] is proudly held by [[user>amadeusz]]. The device also broadcasts [[wifi]].

===== Hardware =====

[[https://mikrotik.com/product/rb4011igs_5hacq2hnd_in|Mikrotik RB4011iGS+5HacQ2HnD-IN]]

The RB4011 uses a quad core Cortex A15 CPU. The unit is equipped with 1GB of RAM, can provide PoE output on port #10 and comes with a compact and professional looking solid metal enclosure in matte black.

RB4011iGS+5HacQ2HnD-IN (WiFi model) is a dual band, four chain unit with a supported data rate of up to 1733 Mbps in 5GHz. For legacy devices, the unit also has a dual chain 2GHz wireless card installed in the miniPCI-e slot.

RB4011iGS+5HacQ2HnD-IN (International) supports the 2412-2484MHz and 5150MHz-5875MHz ranges (the specific frequency range can be limited by country regulations).

===== Configuration =====

Where possible, describe your entries using the ''comment'' field. Print the changes you made with the ''export'' command and paste them here.
==== Firewall ====

<code>
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=Arthur disabled=yes dst-address=192.168.88.112 dst-port=80,443 protocol=tcp
add action=accept chain=forward comment=Squire dst-address=192.168.88.252 dst-port=22,80,443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Minecraft Server #1" dst-address=192.168.88.204 dst-port=1337,8100,25565 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Minecraft Server #2" dst-address=192.168.88.32 dst-port=2137,25566 in-interface-list=WAN protocol=tcp
</code>

The per-host ''accept'' rules sit after the ''defconf'' rule that drops new WAN connections which were not DST-NATed. Because the ''forward'' chain has no closing ''drop'' rule, a DST-NATed connection that falls through to the end of the chain is accepted by the default action anyway, so these host-specific rules currently change nothing; they document intent and only become an actual restriction once a final ''drop'' rule is added to the ''forward'' chain.

==== NAT ====

<code>
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Arthur disabled=yes dst-address=31.179.161.6 dst-port=80,443 protocol=tcp to-addresses=192.168.88.112
add action=masquerade chain=srcnat comment="Arthur Hairpin NAT" disabled=yes dst-address=192.168.88.112 dst-port=80,443 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=Squire dst-address=31.179.161.6 dst-port=22,80,443 protocol=tcp to-addresses=192.168.88.252
add action=masquerade chain=srcnat comment="Squire Hairpin NAT" dst-address=192.168.88.252 dst-port=22,80,443 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Minecraft Server #1" dst-address=31.179.161.6 dst-port=1337,8100,25565 protocol=tcp to-addresses=192.168.88.204
add action=masquerade chain=srcnat comment="Minecraft Server #1 Hairpin NAT" dst-address=192.168.88.204 dst-port=1337,8100,25565 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Minecraft Server #2" dst-address=31.179.161.6 dst-port=2137,25566 protocol=tcp to-addresses=192.168.88.32
</code>

Every published host except ''Minecraft Server #2'' has a matching hairpin ''masquerade'' rule. Without it, a LAN client that connects to the public address 31.179.161.6 is DST-NATed to the server, but the server's reply goes straight back to the client on the LAN instead of through the router, so the client sees a reply from an address it never talked to and the connection fails. Either use the private address from inside the LAN or add the missing hairpin rule.

==== Scripts ====

''/system script''

  - [[https://github.com/hspsh/whois/blob/master/helpers/mikrotik_script|Script]] that pushes DHCP leases to [[whois|whois]]. Add a matching Schedule to it so that it runs periodically.
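The script exported below builds its JSON payload by pasting the lease fields (''active-mac-address'', ''host-name'', ''last-seen'', ''status'') into a string with no escaping, then posts it as ''data=[...]''. The following Python is an added example, not code from this page or from the whois project: it reproduces that payload from a constructed set of leases, shows that a double quote in a DHCP-supplied hostname breaks the unescaped variant, and serialises the same records with proper escaping. The ''parse_payload'' and ''bound_macs'' helpers are hypothetical receiving-side checks, not the whois API.

```python
import json
import re

# Constructed sample leases (not real data from the router). The keys mirror the
# properties the RouterOS script reads from /ip dhcp-server lease.
SAMPLE_LEASES = [
    {"active-mac-address": "AA:BB:CC:DD:EE:01", "host-name": "laptop",
     "last-seen": "5m12s", "status": "bound"},
    {"active-mac-address": "", "host-name": "",
     "last-seen": "never", "status": "waiting"},
    # A hostname is client-controlled (DHCP option 12): a single double quote
    # in it is enough to break JSON that was built by concatenation.
    {"active-mac-address": "AA:BB:CC:DD:EE:03", "host-name": 'evil"host',
     "last-seen": "10s", "status": "bound"},
]

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def build_payload_like_router(leases):
    """Reproduce the POST body the RouterOS script sends: the four fields are
    pasted into a JSON-looking string without escaping, then prefixed with
    'data='. A quote inside any value yields a body that is not valid JSON."""
    objects = []
    for lease in leases:
        client = '"mac":"%s","name":"%s","last":"%s","status":"%s"' % (
            lease["active-mac-address"], lease["host-name"],
            lease["last-seen"], lease["status"])
        objects.append("{" + client + "}")
    return "data=[" + ",".join(objects) + "]"


def build_payload_escaped(leases):
    """Same body shape, but serialised with json.dumps so every value is escaped.
    The router-side equivalent is escaping quotes and backslashes in each field
    before concatenating them."""
    records = [{"mac": l["active-mac-address"], "name": l["host-name"],
                "last": l["last-seen"], "status": l["status"]} for l in leases]
    return "data=" + json.dumps(records, separators=(",", ":"))


def parse_payload(body):
    """What the receiving endpoint has to do: strip the 'data=' prefix and parse
    the JSON array. Raises ValueError (json.JSONDecodeError is a subclass) on
    anything that is not a well-formed array."""
    prefix = "data="
    if not body.startswith(prefix):
        raise ValueError("body does not start with data=")
    records = json.loads(body[len(prefix):])
    if not isinstance(records, list):
        raise ValueError("expected a JSON array")
    return records


def payload_parses(body):
    """True if the endpoint would accept the body, False if it would reject it."""
    try:
        parse_payload(body)
        return True
    except ValueError:
        return False


def bound_macs(records):
    """MACs of leases in status 'bound' whose MAC is well-formed; waiting leases
    (no active MAC) and malformed values are dropped before anything trusts them."""
    return [r["mac"] for r in records
            if r.get("status") == "bound" and MAC_RE.match(r.get("mac", ""))]


if __name__ == "__main__":
    print(build_payload_like_router(SAMPLE_LEASES[:2]))
    print("unescaped body with quoted hostname parses:",
          payload_parses(build_payload_like_router(SAMPLE_LEASES)))
    print("escaped body parses:",
          payload_parses(build_payload_escaped(SAMPLE_LEASES)))
    print("bound MACs:", bound_macs(parse_payload(build_payload_escaped(SAMPLE_LEASES))))
```

The point of the two builders side by side: with the first two sample leases both bodies parse, but once a hostname containing ''"'' is leased, the concatenated body is rejected by any strict JSON parser and the whole push fails for every lease, not just the odd one. The escaped variant keeps the hostname as data. On the receiving side, filtering on status and MAC format before acting on the records is the check that keeps a hostname or a half-finished lease from being treated as a presence signal.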
<code>
add dont-require-permissions=no name=whois owner=admin policy=ftp,read,write,test,sniff,sensitive,romon source="# Get DHCP leases records and send selected fields (MAC ADDRESS, HOST NAME, LAST SEEN and STATUS) to a webservice via POST.\
    \n:put \"Get DHCP leases\";\
    \n:local leases \"\";\
    \n:foreach i in=[/ip dhcp-server lease find] do={ \
    \n :local dhcp [/ip dhcp-server lease get \$i] \
    \n :local client \"\\\"mac\\\":\\\"\$(\$dhcp->\"active-mac-address\")\\\",\\\"name\\\":\\\"\$(\$dhcp->\"host-name\")\\\",\\\"last\\\":\\\"\$(\$dhcp->\"last-seen\")\\\",\\\"status\\\":\\\"\$(\$dhcp->\"status\")\\\"\";\
    \n :set \$leases (\$leases, \$client);\
    \n}\
    \n:local json \"[\";\
    \n:local first true;\
    \n:foreach k,v in \$leases do={\
    \n if ([:len \$v] > 0) do={\
    \n if (\$first = true) do={\
    \n :set \$json (\$json . \"{\" . \$v . \"}\");\
    \n } else={\
    \n :set \$json (\$json . \",{\" . \$v . \"}\");\
    \n };\
    \n :set \$first false;\
    \n }\
    \n}\
    \n:set \$json (\$json.\"]\");\
    \n:local data (\"data=\" . \$json);\
    \n:do {\
    \n :put \"Send DHCP leases\";\
    \n /tool fetch mode=https url=https://192.168.88.252/api/last_seen host=whois.at.hsp.sh keep-result=yes http-method=\"post\" http-data=\$data;\
    \n\
    \n} on-error={\
    \n :put \"Send DHCP leases failed!\";\
    \n log warning \"Send DHCP leases failed!\";\
    \n}"
</code>

Two things to check when reusing this export. The ''policy'' list grants ''ftp'', ''sniff'', ''sensitive'' and ''romon'', none of which the script uses (it reads leases, calls ''/tool fetch'' and writes to the log): trim the policy to the smallest set with which the script still runs, so that the script cannot be repurposed for more than pushing leases. And ''/tool fetch'' does not verify the server's TLS certificate unless ''check-certificate=yes'' is set, so ''mode=https'' here protects the payload from passive reading on the LAN but not from an impersonated endpoint.

===== Info =====

What is [[https://wiki.mikrotik.com/wiki/Hairpin_NAT|Hairpin NAT]]? In short: the ''srcnat'' ''masquerade'' rules with ''out-interface-list=LAN'' in the NAT section rewrite the source address of LAN-to-LAN connections that were DST-NATed via the public address, so the server answers to the router rather than directly to the client, and the router un-NATs the reply on its way back.