Differences
Differences between the selected version and the current version.
Previous version | New version
mikrotik [2020/10/12 17:26] yasiu [Firewall] | mikrotik [2021/02/10 22:33] yasiu
---|---
Linia 3: | Linia 3: | ||
---- | ---- | ||
- | Podarowany przez [[user>mw]]. Obecnie stanowi serce [[network|infrastruktury sieciowej]]. Hasło do [[192.168.88.1|panelu administracyjnego]] dumnie dzierży [[user>amadeusz]]. | + | Podarowany przez [[user>mw]]. Obecnie stanowi serce [[network|infrastruktury sieciowej]]. Hasło do [[https://192.168.88.1|panelu administracyjnego]] dumnie dzierży [[user>amadeusz]]. Urządzenie również rozsiewa [[wifi]]. |
===== Hardware ===== | ===== Hardware ===== | ||
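Review bot: the admin-panel link now points explicitly at https://192.168.88.1, and the input-chain rule added later in this same revision ("defconf: drop all not coming from LAN", in-interface-list=!LAN) means that panel is reachable only from interfaces in the LAN list; it is worth stating that next to the link so nobody expects to reach it through the public address.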
Linia 15: | Linia 15: | ||
RB4011iGS+5HacQ2HnD-IN (International) supports 2412-2484MHz and 5150MHz-5875MHz range (Specific frequency range can be limited by country regulations). | RB4011iGS+5HacQ2HnD-IN (International) supports 2412-2484MHz and 5150MHz-5875MHz range (Specific frequency range can be limited by country regulations). | ||
===== Konfiguracja ===== | ===== Konfiguracja ===== | ||
- | Poniższe komendy możesz dodać ponownie poprzez interfejs graficzny bądź terminal, przy użyciu komendy ''add'' w odpowiednim katalogu. | + | W miarę możliwości opisuj swoje wpisy przy użyciu pola ''comment''. |
+ | Wprowadzone zmiany wypisz przy pomocy komendy ''export'' i wrzuć tutaj. | ||
+ | |||
+ | ==== Firewall ==== | ||
+ | |||
+ | ''/ip firewall filter'' | ||
+ | |||
+ | <code> | ||
+ | add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked | ||
+ | |||
+ | add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid | ||
+ | |||
+ | add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp | ||
+ | |||
+ | add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 | ||
+ | |||
+ | add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN | ||
+ | |||
+ | add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec | ||
+ | |||
+ | add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec | ||
+ | |||
+ | add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked | ||
+ | |||
+ | add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid | ||
+ | |||
+ | add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related | ||
+ | |||
+ | add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN | ||
+ | |||
+ | add action=accept chain=forward comment=Arthur disabled=yes dst-address=192.168.88.112 dst-port=80,443 protocol=tcp | ||
+ | |||
+ | add action=accept chain=forward comment=Squire dst-address=192.168.88.252 dst-port=22,80,443 in-interface-list=WAN protocol=tcp | ||
+ | |||
+ | add action=accept chain=forward comment="Minecraft Server #1" dst-address=192.168.88.204 dst-port=1337,8100,25565 in-interface-list=WAN protocol=tcp | ||
+ | |||
+ | add action=accept chain=forward comment="Minecraft Server #2" dst-address=192.168.88.32 dst-port=2137,25566 in-interface-list=WAN protocol=tcp | ||
+ | </code> | ||
==== NAT ==== | ==== NAT ==== | ||
+ | |||
''/ip firewall nat'' | ''/ip firewall nat'' | ||
- | - ''chain=dstnat action=dst-nat to-addresses=192.168.88.112 protocol=tcp dst-address=31.179.161.6 dst-port=80,443 omment="Arthur"'' Konfiguracja dla [[arthur]]. | + | <code> |
- | - ''chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.112 out-interface-list=LAN dst-port=22,80,443 comment="Arthur Hairpin NAT"'' Konfiguracja dla [[arthur]]. | + | add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN |
- | - ''chain=dstnat action=dst-nat to-addresses=192.168.88.204 protocol=tcp dst-address=31.179.161.6 dst-port=25565 comment="Minecraft Server"'' Konfiguracja dla [[user>yasiu]]. | + | |
- | - ''chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.204 dst-port=25565 comment="Minecraft Server Hairpin NAT'' Konfiguracja dla [[user>yasiu]] | + | |
- | Czym jest [[https://wiki.mikrotik.com/wiki/Hairpin_NAT|Hairpin NAT]]? | + | add action=dst-nat chain=dstnat comment=Arthur disabled=yes dst-address=31.179.161.6 dst-port=80,443 protocol=tcp to-addresses=192.168.88.112 |
- | ==== Firewall ==== | + | |
- | ''/ip firewall filter'' | + | |
- | - ''chain=forward action=accept protocol=tcp dst-address=192.168.88.112 in-interface-list=WAN dst-port=80,443 comment="Arthur"'' Konfiguracja dla [[arthur]] | + | add action=masquerade chain=srcnat comment="Arthur Hairpin NAT" disabled=yes dst-address=192.168.88.112 dst-port=80,443 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24 |
- | - ''chain=forward action=accept protocol=tcp dst-address=192.168.88.204 in-interface-list=WAN dst-port=25565 comment="Minecraft Server"'' Konfiguracja dla [[user>yasiu]] | + | |
+ | add action=dst-nat chain=dstnat comment=Squire dst-address=31.179.161.6 dst-port=22,80,443 protocol=tcp to-addresses=192.168.88.252 | ||
+ | |||
+ | add action=masquerade chain=srcnat comment="Squire Hairpin NAT" dst-address=192.168.88.252 dst-port=22,80,443 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24 | ||
+ | |||
+ | add action=dst-nat chain=dstnat comment="Minecraft Server #1" dst-address=31.179.161.6 dst-port=1337,8100,25565 protocol=tcp to-addresses=192.168.88.204 | ||
+ | |||
+ | add action=masquerade chain=srcnat comment="Minecraft Server #1 Hairpin NAT" dst-address=192.168.88.204 dst-port=1337,8100,25565 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24 | ||
+ | |||
+ | add action=dst-nat chain=dstnat comment="Minecraft Server #2" dst-address=31.179.161.6 dst-port=2137,25566 protocol=tcp to-addresses=192.168.88.32 | ||
+ | </code> | ||
==== Skrypty ==== | ==== Skrypty ==== | ||
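Review bot: Minecraft Server #2 (dst-nat to 192.168.88.32, ports 2137,25566) has no matching hairpin masquerade rule, while Squire and Minecraft Server #1 each get one; without it, LAN clients that connect through 31.179.161.6 will receive replies directly from 192.168.88.32 and the connection will fail, so add `add action=masquerade chain=srcnat comment="Minecraft Server #2 Hairpin NAT" dst-address=192.168.88.32 dst-port=2137,25566 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24` beside the other hairpin rules. On the filter side, the forward chain ends with the per-host accept rules and has no final drop, and the earlier "defconf: drop all from WAN not DSTNATed" rule already passes every dst-nat'ed connection, so the Squire and Minecraft accept rules document the exposed ports rather than enforce them; if the intent is an allow-list, a closing `add action=drop chain=forward in-interface-list=WAN` rule is needed. The Squire rule also exposes port 22 to the WAN, which the comment should say explicitly so that host is kept on key-only SSH.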
Linia 35: | Linia 80: | ||
- [[https://github.com/hspsh/whois/blob/master/helpers/mikrotik_script|Skrypt]] pushujący DHCP Lease'y do [[whois|whois'a]]. Dodaj do niego odpowiedni Schedule aby odpalał się cyklicznie. | - [[https://github.com/hspsh/whois/blob/master/helpers/mikrotik_script|Skrypt]] pushujący DHCP Lease'y do [[whois|whois'a]]. Dodaj do niego odpowiedni Schedule aby odpalał się cyklicznie. | ||
+ | |||
+ | <code> | ||
+ | add dont-require-permissions=no name=whois owner=admin policy=ftp,read,write,test,sniff,sensitive,romon source="# Get DHCP leases records and send selected fields (MAC ADDRESS, HOST NAME, LAST SEEN and STATUS) to a webservice via POST.\ | ||
+ | |||
+ | \n:put \"Get DHCP leases\";\ | ||
+ | |||
+ | \n:local leases \"\";\ | ||
+ | |||
+ | \n:foreach i in=[/ip dhcp-server lease find] do={ \ | ||
+ | |||
+ | \n :local dhcp [/ip dhcp-server lease get \$i] \ | ||
+ | |||
+ | \n :local client \"\\\"mac\\\":\\\"\$(\$dhcp->\"active-mac-address\")\\\",\\\"name\\\":\\\"\$(\$dhcp->\"host-name\")\\\",\\\"last\\\":\\\"\$(\$dhcp->\"last-seen\")\\\",\\\"status\\\":\\\"\$(\$dhcp->\"status\")\\\"\";\ | ||
+ | |||
+ | \n :set \$leases (\$leases, \$client);\ | ||
+ | |||
+ | \n}\ | ||
+ | |||
+ | \n:local json \"[\";\ | ||
+ | |||
+ | \n:local first true;\ | ||
+ | |||
+ | \n:foreach k,v in \$leases do={\ | ||
+ | |||
+ | \n if ([:len \$v] > 0) do={\ | ||
+ | |||
+ | \n if (\$first = true) do={\ | ||
+ | |||
+ | \n :set \$json (\$json . \"{\" . \$v . \"}\");\ | ||
+ | |||
+ | \n } else={\ | ||
+ | |||
+ | \n :set \$json (\$json . \",{\" . \$v . \"}\");\ | ||
+ | |||
+ | \n };\ | ||
+ | |||
+ | \n :set \$first false;\ | ||
+ | |||
+ | \n }\ | ||
+ | |||
+ | \n}\ | ||
+ | |||
+ | \n:set \$json (\$json.\"]\");\ | ||
+ | |||
+ | \n:local data (\"data=\" . \$json);\ | ||
+ | |||
+ | \n:do {\ | ||
+ | |||
+ | \n :put \"Send DHCP leases\";\ | ||
+ | |||
+ | \n /tool fetch mode=https url=https://192.168.88.252/api/last_seen host=whois.at.hsp.sh keep-result=yes http-method=\"post\" http-data=\$data;\ | ||
+ | |||
+ | \n\ | ||
+ | |||
+ | \n} on-error={\ | ||
+ | |||
+ | \n :put \"Send DHCP leases failed!\";\ | ||
+ | |||
+ | \n log warning \"Send DHCP leases failed!\";\ | ||
+ | |||
+ | \n}" | ||
+ | </code> | ||
+ | |||
+ | ===== Info ===== | ||
+ | Czym jest [[https://wiki.mikrotik.com/wiki/Hairpin_NAT|Hairpin NAT]]? | ||
+ | |||
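Review bot: the DHCP host-name is inserted into the JSON document by plain string concatenation (`\\\"name\\\":\\\"\$(\$dhcp->\"host-name\")\\\"`), and that name is chosen by the DHCP client, so a host-name containing a double quote or backslash yields malformed JSON or alters the structure of what whois receives; strip those characters before concatenating, and make sure the endpoint rejects documents that fail to parse. The script policy `ftp,read,write,test,sniff,sensitive,romon` is also much wider than a script that only reads leases and runs /tool fetch needs; trim it to the minimum that still lets the fetch succeed. Finally, the fetch uses mode=https without check-certificate=yes, so the TLS connection to 192.168.88.252 is not authenticated; if the whois host has a certificate the router can trust, enabling certificate checking closes that gap.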