Różnice

Różnice między wybraną wersją a wersją aktualną.

--- mikrotik [2020/10/12 17:08]
yasiu [Firewall]
+++ mikrotik [2021/02/10 22:33]
yasiu
@@ Linia 3: / Linia 3: @@
 ----
-Podarowany przez [[user>mw]]. Obecnie stanowi serce [[network|infrastruktury sieciowej]].
+Podarowany przez [[user>mw]]. Obecnie stanowi serce [[network|infrastruktury sieciowej]]. Hasło do [[https://192.168.88.1|panelu administracyjnego]] dumnie dzierży [[user>amadeusz]]. Urządzenie również rozsiewa [[wifi]].
 ===== Hardware =====
 [[https://mikrotik.com/product/rb4011igs_5hacq2hnd_in|Mikrotik RB4011iGS+5HacQ2HnD-IN]]
+The RB4011 uses a quad core Cortex A15 CPU. The unit is equipped with 1GB of RAM, can provide PoE output on port #10 and comes with a compact and professional looking solid metal enclosure in matte black.
+RB4011iGS+5HacQ2HnD-IN (WiFi model) is dual band, four chain unit with a supported data rate of up to 1733 Mbps in 5GHz. For legacy devices, the unit also has a dual chain 2GHz wireless card installed in miniPCI-e slot.
+RB4011iGS+5HacQ2HnD-IN (International) supports 2412-2484MHz and 5150MHz-5875MHz range (Specific frequency range can be limited by country regulations).
 ===== Konfiguracja =====
-==== NAT ====
+W miarę możliwości opisuj swoje wpisy przy użyciu pola ''comment''.
-  - ''chain=dstnat action=dst-nat to-addresses=192.168.88.112 protocol=tcp dst-address=31.179.161.6 dst-port=80,443 omment="Arthur"''
+Wprowadzone zmiany wypisz przy pomocy komendy ''export'' i wrzuć tutaj.
-  - ''chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.112 out-interface-list=LAN dst-port=22,80,443 comment="Arthur Hairpin NAT"''
-  - ''chain=dstnat action=dst-nat to-addresses=192.168.88.204 protocol=tcp dst-address=31.179.161.6 dst-port=25565 comment="Minecraft Server"''
-  - ''chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.204 dst-port=25565 comment="Minecraft Server Hairpin NAT''
 ==== Firewall ====
-  - ''chain=forward action=accept protocol=tcp dst-address=192.168.88.112 dst-port=80,443 comment="Arthur"''
-  - ''chain=forward action=accept protocol=tcp dst-address=192.168.88.204 in-interface-list=WAN dst-port=25565  comment="Minecraft Server"''
+''/ip firewall filter''
+<code>
+add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
+add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
+add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
+add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
+add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
+add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
+add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
+add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
+add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
+add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
+add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
+add action=accept chain=forward comment=Arthur disabled=yes dst-address=192.168.88.112 dst-port=80,443 protocol=tcp
+add action=accept chain=forward comment=Squire dst-address=192.168.88.252 dst-port=22,80,443 in-interface-list=WAN protocol=tcp
+add action=accept chain=forward comment="Minecraft Server #1" dst-address=192.168.88.204 dst-port=1337,8100,25565 in-interface-list=WAN protocol=tcp
+add action=accept chain=forward comment="Minecraft Server #2" dst-address=192.168.88.32 dst-port=2137,25566 in-interface-list=WAN protocol=tcp
+</code>
+==== NAT ====
+''/ip firewall nat''
+<code>
+add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
+add action=dst-nat chain=dstnat comment=Arthur disabled=yes dst-address=31.179.161.6 dst-port=80,443 protocol=tcp to-addresses=192.168.88.112
+add action=masquerade chain=srcnat comment="Arthur Hairpin NAT" disabled=yes dst-address=192.168.88.112 dst-port=80,443 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
+add action=dst-nat chain=dstnat comment=Squire dst-address=31.179.161.6 dst-port=22,80,443 protocol=tcp to-addresses=192.168.88.252
+add action=masquerade chain=srcnat comment="Squire Hairpin NAT" dst-address=192.168.88.252 dst-port=22,80,443 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
+add action=dst-nat chain=dstnat comment="Minecraft Server #1" dst-address=31.179.161.6 dst-port=1337,8100,25565 protocol=tcp to-addresses=192.168.88.204
+add action=masquerade chain=srcnat comment="Minecraft Server #1 Hairpin NAT" dst-address=192.168.88.204 dst-port=1337,8100,25565 out-interface-list=LAN protocol=tcp src-address=192.168.88.0/24
+add action=dst-nat chain=dstnat comment="Minecraft Server #2" dst-address=31.179.161.6 dst-port=2137,25566 protocol=tcp to-addresses=192.168.88.32
+</code>
 ==== Skrypty ====
-  - [[https://github.com/hspsh/whois/blob/master/helpers/mikrotik_script|Skrypt]] pushujący DHCP Lease'y do [[whois|whois'a]].
+''/system script''
+  - [[https://github.com/hspsh/whois/blob/master/helpers/mikrotik_script|Skrypt]] pushujący DHCP Lease'y do [[whois|whois'a]]. Dodaj do niego odpowiedni Schedule aby odpalał się cyklicznie.
+<code>
+add dont-require-permissions=no name=whois owner=admin policy=ftp,read,write,test,sniff,sensitive,romon source="# Get DHCP leases records and send selected fields (MAC ADDRESS, HOST NAME, LAST SEEN and STATUS) to a webservice via POST.\
+    \n:put \"Get DHCP leases\";\
+    \n:local leases \"\";\
+    \n:foreach i in=[/ip dhcp-server lease find] do={ \
+    \n  :local dhcp [/ip dhcp-server lease get \$i] \
+    \n  :local client \"\\\"mac\\\":\\\"\$(\$dhcp->\"active-mac-address\")\\\",\\\"name\\\":\\\"\$(\$dhcp->\"host-name\")\\\",\\\"last\\\":\\\"\$(\$dhcp->\"last-seen\")\\\",\\\"status\\\":\\\"\$(\$dhcp->\"status\")\\\"\";\
+    \n  :set \$leases (\$leases, \$client);\
+    \n}\
+    \n:local json \"[\";\
+    \n:local first true;\
+    \n:foreach k,v in \$leases do={\
+    \n  if ([:len \$v] > 0) do={\
+    \n    if (\$first = true) do={\
+    \n     :set \$json (\$json .  \"{\" . \$v . \"}\");\
+    \n    } else={\
+    \n      :set \$json (\$json . \",{\" .  \$v . \"}\");\
+    \n    };\
+    \n    :set \$first false;\
+    \n  }\
+    \n}\
+    \n:set \$json (\$json.\"]\");\
+    \n:local data (\"data=\" . \$json);\
+    \n:do {\
+    \n  :put \"Send DHCP leases\";\
+    \n  /tool fetch mode=https url=https://192.168.88.252/api/last_seen host=whois.at.hsp.sh keep-result=yes http-method=\"post\" http-data=\$data;\
+    \n\
+    \n} on-error={\
+    \n  :put \"Send DHCP leases failed!\";\
+    \n  log warning \"Send DHCP leases failed!\";\
+    \n}"
+</code>
+===== Info =====
+Czym jest [[https://wiki.mikrotik.com/wiki/Hairpin_NAT|Hairpin NAT]]?