Mikrotik
Podarowany przez mw. Obecnie stanowi serce infrastruktury sieciowej. Hasło do panelu administracyjnego dumnie dzierży amadeusz. Urządzenie również rozsiewa wifi.
Hardware
Mikrotik RB4011iGS+5HacQ2HnD-IN
The RB4011 uses a quad core Cortex A15 CPU. The unit is equipped with 1GB of RAM, can provide PoE output on port #10 and comes with a compact and professional looking solid metal enclosure in matte black.
RB4011iGS+5HacQ2HnD-IN (WiFi model) is dual band, four chain unit with a supported data rate of up to 1733 Mbps in 5GHz. For legacy devices, the unit also has a dual chain 2GHz wireless card installed in miniPCI-e slot.
RB4011iGS+5HacQ2HnD-IN (International) supports 2412-2484MHz and 5150MHz-5875MHz range (Specific frequency range can be limited by country regulations).
Konfiguracja
W miarę możliwości opisuj swoje wpisy przy użyciu pola comment
.
Wprowadzone zmiany wypisz przy pomocy komendy export
i wrzuć tutaj.
Firewall
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN add action=accept chain=forward comment=Arthur disabled=yes dst-address=192.168.88.112 dst-port=80,443 protocol=tcp add action=accept chain=forward comment=Squire dst-address=192.168.88.252 dst-port=22,80,443 in-interface-list=WAN protocol=tcp add action=accept chain=forward comment="Minecraft Server #1" dst-address=192.168.88.204 dst-port=1337,8100,25565 in-interface-list=WAN protocol=tcp add action=accept chain=forward comment="Minecraft Server #2" dst-address=192.168.88.32 dst-port=2137,25566 in-interface-list=WAN protocol=tcp
NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN add action=dst-nat chain=dstnat comment=Arthur disabled=yes dst-address=31.179.161.6 dst-port=80,443 protocol=tcp to-addresses=192.168.88.112 add action=masquerade chain=srcnat comment="Arthur Hairpin NAT" disabled=yes dst-address=192.168.88.112 dst-port=80,443 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24 add action=dst-nat chain=dstnat comment=Squire dst-address=31.179.161.6 dst-port=22,80,443 protocol=tcp to-addresses=192.168.88.252 add action=masquerade chain=srcnat comment="Squire Hairpin NAT" dst-address=192.168.88.252 dst-port=22,80,443 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24 add action=dst-nat chain=dstnat comment="Minecraft Server #1" dst-address=31.179.161.6 dst-port=1337,8100,25565 protocol=tcp to-addresses=192.168.88.204 add action=masquerade chain=srcnat comment="Minecraft Server #1 Hairpin NAT" dst-address=192.168.88.204 dst-port=1337,8100,25565 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24 add action=dst-nat chain=dstnat comment="Minecraft Server #2" dst-address=31.179.161.6 dst-port=2137,25566 protocol=tcp to-addresses=192.168.88.32
Skrypty
/system script
add dont-require-permissions=no name=whois owner=admin policy=ftp,read,write,test,sniff,sensitive,romon source="# Get DHCP leases records and send selected fields (MAC ADDRESS, HOST NAME, LAST SEEN and STATUS) to a webservice via POST.\ \n:put \"Get DHCP leases\";\ \n:local leases \"\";\ \n:foreach i in=[/ip dhcp-server lease find] do={ \ \n :local dhcp [/ip dhcp-server lease get \$i] \ \n :local client \"\\\"mac\\\":\\\"\$(\$dhcp->\"active-mac-address\")\\\",\\\"name\\\":\\\"\$(\$dhcp->\"host-name\")\\\",\\\"last\\\":\\\"\$(\$dhcp->\"last-seen\")\\\",\\\"status\\\":\\\"\$(\$dhcp->\"status\")\\\"\";\ \n :set \$leases (\$leases, \$client);\ \n}\ \n:local json \"[\";\ \n:local first true;\ \n:foreach k,v in \$leases do={\ \n if ([:len \$v] > 0) do={\ \n if (\$first = true) do={\ \n :set \$json (\$json . \"{\" . \$v . \"}\");\ \n } else={\ \n :set \$json (\$json . \",{\" . \$v . \"}\");\ \n };\ \n :set \$first false;\ \n }\ \n}\ \n:set \$json (\$json.\"]\");\ \n:local data (\"data=\" . \$json);\ \n:do {\ \n :put \"Send DHCP leases\";\ \n /tool fetch mode=https url=https://192.168.88.252/api/last_seen host=whois.at.hsp.sh keep-result=yes http-method=\"post\" http-data=\$data;\ \n\ \n} on-error={\ \n :put \"Send DHCP leases failed!\";\ \n log warning \"Send DHCP leases failed!\";\ \n}"
Info
Czym jest Hairpin NAT?