ท่านใดมีสคริป no-ip สำหรับ 2 pppoe ผมขอหน่อยครับ
ทำไมผมลองใส่ Netwatch กับ Block DNS ที่ Firewall Filter
DNS True ถึง ping ไม่เจอ งง
ปล.1 WAN1 = PPPoE (3BB) WAN2 = DHCP (TRUE DOCSIS)
Config ผมประมาณนี้ แต่ มัน Ping ออก DNS True ไม่ได้ ทำให้ Script Auto Disable Load-Balance มันทำงาน งงมาก
# aug/11/2014 14
37 by RouterOS 6.18
# software id = 56YE-PIRA
#
# Port roles: ether1 and ether2 are renamed to the two uplinks (wan1, wan2);
# ether3 becomes lan1, and ether4/ether5 are attached to it via master-port.
/interface ethernet
# arp=reply-only: lan1 does not learn ARP entries dynamically, so a LAN host is
# reachable only if it has a static /ip arp entry or a DHCP lease (the DHCP
# server below is configured with add-arp=yes).
set [ find default-name=ether3 ] arp=reply-only name=lan1
set [ find default-name=ether4 ] master-port=lan1 name=lan2
set [ find default-name=ether5 ] master-port=lan1 name=lan3
set [ find default-name=ether1 ] name=wan1
set [ find default-name=ether2 ] name=wan2
/ip dhcp-server
# add-arp=yes: the DHCP server adds an ARP entry for every lease it hands out.
add add-arp=yes disabled=no interface=lan1 lease-time=1d name=default
/ip pool
add name=default-dhcp ranges=172.22.22.184-172.22.22.247
/port
set 0 name=serial0
# PPPoE session for uplink 1, dialled over wan1 (ether1).
# add-default-route=no: the session installs no default route of its own; the
# routes through pppoe-out1 are the static ones under /ip route.
# user/password were replaced with x's by the poster; an unredacted /export
# carries them in clear text.
# NOTE(review): allow= includes pap, which sends the password unencrypted to
# the access concentrator - drop it if the ISP accepts chap/mschap2.
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 \
dial-on-demand=no disabled=no interface=wan1 keepalive-timeout=10 \
max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 password=xxxxxx \
profile=default service-name="" use-peer-dns=yes user=xxxxxxxxxx@3bb
/ip address
# LAN gateway address.
add address=172.22.22.254/24 comment="default configuration" interface=lan1 \
network=172.22.22.0
# Address on the physical wan1 port, in the same subnet as 192.168.1.1 that the
# "Remote Modem WAN1" NAT rule points at - presumably the modem's management LAN.
add address=192.168.1.2/24 interface=wan1 network=192.168.1.0
/ip arp
# Static ARP entry; required for this host because lan1 runs arp=reply-only.
add address=172.22.22.250 comment=DEVIL-AP_FL1 interface=lan1 mac-address=\
xx:xx:xx:xx:xx:xx
/ip dhcp-server network
# DHCP clients get the router itself as DNS server and gateway.
add address=172.22.22.0/24 comment="default configuration" dns-server=\
172.22.22.254 gateway=172.22.22.254
/ip dns
# allow-remote-requests=yes turns the router into a resolver for any host that
# can reach port 53 on it; which interfaces that includes is decided by the
# chain=input rules under /ip firewall filter.
# NOTE(review): cache-size=5000000KiB is several GiB - confirm this is the
# intended value for this device.
set allow-remote-requests=yes cache-size=5000000KiB max-udp-packet-size=512
/ip dns static
add address=172.22.22.254 name=router
/ip firewall filter
# Rules 1-4 (chain=output = packets generated by the router itself): traffic to
# 110.164.252.222/.223 is dropped unless it leaves through pppoe-out1, and
# traffic to 203.144.206.29/.49 is dropped unless it leaves through wan2.
# Presumably these are the DNS servers of each uplink (the post calls the
# second pair "DNS True").
# NOTE(review): router-originated packets, Netwatch pings included, do not pass
# the chain=prerouting mangle rules; they follow the main routing table, whose
# preferred default route in this export is pppoe-out1 (distance=1). A probe to
# 203.144.206.29 therefore leaves via pppoe-out1 and is dropped by the third
# rule below, which would explain the failed pings described in the post.
add action=drop chain=output comment=block_dns_!pppoe-out1 dst-address=\
110.164.252.222 out-interface=!pppoe-out1
add action=drop chain=output comment=block_dns_!pppoe-out1 dst-address=\
110.164.252.223 out-interface=!pppoe-out1
add action=drop chain=output comment=block_dns_!wan2 dst-address=\
203.144.206.29 out-interface=!wan2
add action=drop chain=output comment=block_dns_!wan2 dst-address=\
203.144.206.49 out-interface=!wan2
# FTP brute-force throttle: sources already on ftp_blacklist are dropped.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
# No action= is given, so this rule accepts: "530 Login incorrect" replies are
# let through while they stay inside the dst-limit budget per destination.
add chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
# Replies beyond that budget put the client on ftp_blacklist for 3 hours.
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
# SSH brute-force throttle. The rules are evaluated top-down, so the ladder is
# written in reverse: every new connection to port 22 promotes the source one
# stage (each stage entry lives 1 minute); a new connection from a source that
# is already in ssh_stage3 lands on ssh_blacklist for 1w3d.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
# DNS queries arriving from the two uplinks are dropped, so the resolver
# enabled by allow-remote-requests=yes is not answerable from wan2/pppoe-out1.
# NOTE(review): the physical wan1 port (192.168.1.0/24) has no matching rule.
add action=drop chain=input comment="Block External DNS Request" dst-port=53 \
in-interface=wan2 protocol=udp
add action=drop chain=input dst-port=53 in-interface=wan2 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=tcp
# Forwarded DNS: a packet leaving through wan2 matches out-interface=!pppoe-out1
# and a packet leaving through pppoe-out1 matches out-interface=!wan2, so the
# four rules together drop every forwarded port-53 packet. LAN clients are left
# with the router's own resolver (the dstnat redirect rules send port 53 there).
add action=drop chain=forward comment="Block External DNS Relay" dst-port=53 \
out-interface=!wan2 protocol=udp
add action=drop chain=forward dst-port=53 out-interface=!wan2 protocol=tcp
add action=drop chain=forward dst-port=53 out-interface=!pppoe-out1 protocol=\
udp
add action=drop chain=forward dst-port=53 out-interface=!pppoe-out1 protocol=\
tcp
# NOTE(review): this listing ends without a final drop on chain=input or
# chain=forward and without a connection-state rule, so everything not matched
# above is accepted. Whether WinBox, WebFig, SSH, FTP or the API answer on the
# uplinks then depends on /ip service, which the export does not show.
/ip firewall mangle
# Pin traffic for one DNS server of each uplink to that uplink's routing table.
# chain=prerouting only sees packets that arrive at the router, so these two
# rules do not steer packets the router generates itself (Netwatch, its own
# DNS lookups). Only .222 and .29 are covered; the filter rules also name .223
# and .49.
add action=mark-routing chain=prerouting dst-address=110.164.252.222 \
new-routing-mark=to_wan1
add action=mark-routing chain=prerouting dst-address=203.144.206.29 \
new-routing-mark=to_wan2
# LAN traffic for the two 192.168.x.0/24 subnets behind the uplink ports
# (where the "Remote Modem" NAT rules point) goes out the matching uplink.
add action=mark-routing chain=prerouting dst-address=192.168.1.0/24 \
in-interface=lan1 new-routing-mark=to_wan1
add action=mark-routing chain=prerouting dst-address=192.168.100.0/24 \
in-interface=lan1 new-routing-mark=to_wan2
# Connections that come in to the router through an uplink are marked, and the
# router's replies (chain=output) are routed back out through the same uplink.
add action=mark-connection chain=input comment=load-balance in-interface=\
pppoe-out1 new-connection-mark=wan1_conn
add action=mark-connection chain=input comment=load-balance in-interface=wan2 \
new-connection-mark=wan2_conn
add action=mark-routing chain=output comment=load-balance connection-mark=\
wan1_conn new-routing-mark=to_wan1
add action=mark-routing chain=output comment=load-balance connection-mark=\
wan2_conn new-routing-mark=to_wan2
# Per-connection classifier: LAN connections to non-local destinations are
# split into two buckets (2/0 and 2/1) by a hash over both addresses and ports.
add action=mark-connection chain=prerouting comment=load-balance \
dst-address-type=!local in-interface=lan1 new-connection-mark=wan1_conn \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment=load-balance \
dst-address-type=!local in-interface=lan1 new-connection-mark=wan2_conn \
per-connection-classifier=both-addresses-and-ports:2/1
# The connection mark selects the routing table for every later LAN packet.
add action=mark-routing chain=prerouting comment=load-balance \
connection-mark=wan1_conn in-interface=lan1 new-routing-mark=to_wan1
add action=mark-routing chain=prerouting comment=load-balance \
connection-mark=wan2_conn in-interface=lan1 new-routing-mark=to_wan2
# All rules carrying comment=load-balance are switched off and on together by
# the Netwatch scripts, which select them with [find comment=load-balance].
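/ip firewall nat
# Source NAT: one masquerade rule per modem-side subnet and one per uplink.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 out-interface=\
wan1
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 \
out-interface=wan2
add action=masquerade chain=srcnat comment=nat_wan1 out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=nat_wan2 out-interface=wan2 \
to-addresses=0.0.0.0
# Port forwards to management interfaces: the router's own web UI, both modems,
# the access points and WinBox. None of these rules restricts the source
# address or the in-interface, and the filter table shown in this export has no
# rule that limits them either, so every one of these admin pages is reachable
# by anyone who can reach the router's addresses; the targets are plain HTTP
# (to-ports=80).
# NOTE(review): restrict these forwards to known source addresses or reach the
# devices through a VPN instead of publishing them.
add action=dst-nat chain=dstnat comment="Remote Mikrotik" dst-address-type=\
local dst-port=8088 protocol=tcp to-addresses=172.22.22.254 to-ports=80
add action=dst-nat chain=dstnat comment="Remote Modem WAN1" dst-address-type=\
local dst-port=8090 protocol=tcp to-addresses=192.168.1.1 to-ports=80
add action=dst-nat chain=dstnat comment="Remote Modem WAN2" dst-address-type=\
local dst-port=8091 protocol=tcp to-addresses=192.168.100.1 to-ports=80
add action=dst-nat chain=dstnat comment="Remote AP GooJ" dst-address-type=\
local dst-port=8089 protocol=tcp to-addresses=172.22.22.253 to-ports=80
add action=dst-nat chain=dstnat comment="Remote AP 6" dst-address-type=local \
dst-port=8092 protocol=tcp to-addresses=172.22.22.252 to-ports=80
add action=dst-nat chain=dstnat comment="Remote AP 7 " dst-address-type=local \
dst-port=8093 protocol=tcp to-addresses=172.22.22.251 to-ports=80
add action=dst-nat chain=dstnat comment="Remote AP 1" dst-address-type=local \
dst-port=8094 protocol=tcp to-addresses=172.22.22.250 to-ports=80
# dst-address-type=local added to match the sibling rules: without it this rule
# also rewrote LAN connections to port 8095 on any outside host and sent them
# to the access point.
add action=dst-nat chain=dstnat comment="Remote AP 8" dst-address-type=local \
dst-port=8095 protocol=tcp to-addresses=172.22.22.249 to-ports=80
add action=dst-nat chain=dstnat comment="Remote AP 4" dst-address-type=local \
dst-port=8096 protocol=tcp to-addresses=172.22.22.248 to-ports=80
add action=dst-nat chain=dstnat comment=WinBox dst-address-type=local \
dst-port=8291 protocol=tcp to-addresses=172.22.22.254 to-ports=8291
# DNS interception: in-interface=!wan2 matches every interface except wan2 and
# in-interface=!pppoe-out1 every interface except pppoe-out1, so together the
# four rules redirect all port-53 traffic, from any interface, to the router's
# own resolver. Queries arriving from the uplinks are then dropped by the
# chain=input rules in the filter table.
add action=redirect chain=dstnat comment="Block Internal DNS" dst-port=53 \
in-interface=!wan2 protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface=!wan2 protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface=!pppoe-out1 \
protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface=!pppoe-out1 \
protocol=tcp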
/ip route
# One default route per routing table used by the mangle rules; both carry
# comment=load-balance, so the Netwatch scripts disable and enable them.
add check-gateway=ping comment=load-balance distance=1 gateway=pppoe-out1 \
routing-mark=to_wan1
add check-gateway=ping comment=load-balance distance=1 gateway=wan2 \
routing-mark=to_wan2
# Main table: pppoe-out1 is preferred (distance=1), wan2 is the fallback
# (distance=2). Unmarked traffic, including everything the router originates
# itself, uses these two routes.
add check-gateway=ping distance=1 gateway=pppoe-out1
add check-gateway=ping distance=2 gateway=wan2
add distance=1 dst-address=192.168.100.0/24 gateway=wan2
/ip upnp
# NOTE(review): with UPnP enabled, LAN hosts can ask the router to open port
# mappings on their own. No /ip upnp interfaces entries appear in this listing;
# confirm the feature is needed, and disable it otherwise.
set enabled=yes
/system clock
set time-zone-name=Asia/Bangkok
/system lcd
# The LCD and all of its pages are switched off.
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set pppoe-out1 disabled=yes display-time=5s
set wan1 disabled=yes display-time=5s
set wan2 disabled=yes display-time=5s
set lan1 disabled=yes display-time=5s
set lan2 disabled=yes display-time=5s
set lan3 disabled=yes display-time=5s
/system ntp client
set enabled=yes primary-ntp=203.185.69.60 secondary-ntp=203.185.69.59
/system scheduler
# Two jobs run the No-IP update scripts every 5 minutes with policy
# read,write,test.
# NOTE(review): both start-time values below were cut by the page extraction
# (the time is split across two lines and its remainder is missing); restore
# them as HH:MM:SS before importing.
add comment="Update No-IP DDNS" interval=5m name=no-ip_ddns_update on-event=\
no-ip_ddns_update policy=read,write,test start-date=jun/29/2014 \
start-time=16
29
add comment="Update No-IP DDNS2" interval=5m name=no-ip_ddns_update2 \
on-event=no-ip_ddns_update2 policy=read,write,test start-date=jun/29/2014 \
start-time=16
13
# Daily reboot. The job holds the full policy list although its on-event is a
# single "/system reboot".
# NOTE(review): trim the policy to what the command needs.
add comment="Reboot Router Daily" interval=1d name="Reboot Router Daily" \
on-event="/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
jan/01/1970 start-time=00:00:10
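# Stored script: No-IP dynamic DNS updater for the address on pppoe-out1.
# When the interface is running it reads the interface address, strips the
# netmask, compares the result with the global previousIP1 and, if it differs,
# calls /tool fetch once per host listed in noiphost.
# Review notes:
# - The update URL is plain http:// and the fetch passes user/password, so the
#   No-IP credentials cross the network unencrypted on every update. /tool
#   fetch also has mode=https - NOTE(review): confirm it works on this RouterOS
#   version before switching.
# - noipuser/noippass live in the script source and therefore show up in every
#   /export (the poster replaced them with x's here).
# - The policy list is much broader than the read,write,test the scheduler
#   entry runs the script with; NOTE(review): trim it to what the script needs.
# - previousIP1 is set before the fetch runs, so an update that fails is
#   presumably not retried until the address changes again or the global is
#   cleared.
# - Each update writes the server reply to no-ip_ddns_update-<host>.txt.
# The two ":pick" calls were garbled on the page ("[" followed by a line break
# and "ick"); they are restored below.
/system script
add name=no-ip_ddns_update policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="# No-IP\
\_automatic Dynamic DNS update\r\
\n\r\
\n#--------------- Change Values in this section to match your setup -----\
-------------\r\
\n\r\
\n# No-IP User account info\r\
\n:local noipuser \"xxxxxxxx\"\r\
\n:local noippass \"xxxxxxxx\"\r\
\n\r\
\n# Set the hostname or label of network to be updated.\r\
\n# Hostnames with spaces are unsupported. Replace the value in the quotat\
ions below with your host names.\r\
\n# To specify multiple hosts, separate them with commas.\r\
\n:local noiphost \"xxxxxx.no-ip.biz\"\r\
\n\r\
\n# Change to the name of interface that gets the dynamic IP address\r\
\n:local inetinterface \"pppoe-out1\"\r\
\n\r\
\n#-----------------------------------------------------------------------\
-------------\r\
\n# No more changes need\r\
\n\r\
\n:global previousIP1\r\
\n\r\
\n:if ([/interface get \$inetinterface value-name=running]) do={\r\
\n# Get the current IP on the interface\r\
\n :local currentIP [/ip address get [find interface=\"\$inetinterface\"\
\_disabled=no] address]\r\
\n\r\
\n# Strip the net mask off the IP address\r\
\n :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
\n :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
\n :set currentIP [:pick \$currentIP 0 \$i]\r\
\n } \r\
\n }\r\
\n\r\
\n :if (\$currentIP != \$previousIP1) do={\r\
\n :log info \"No-IP: Current IP \$currentIP is not equal to previou\
s IP, update needed\"\r\
\n :set previousIP1 \$currentIP\r\
\n\r\
\n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Requi\
red since \? is a special character in commands.\r\
\n :local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$curr\
entIP\"\r\
\n :local noiphostarray\r\
\n :set noiphostarray [:toarray \$noiphost]\r\
\n :foreach host in=\$noiphostarray do={\r\
\n :log info \"No-IP: Sending update for \$host\"\r\
\n /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuse\
r password=\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host \
. \".txt\")\r\
\n :log info \"No-IP: Host \$host updated on No-IP with IP \$cur\
rentIP\"\r\
\n }\r\
\n } else={\r\
\n :log info \"No-IP: Previous IP \$previousIP1 is equal to current \
IP, no update needed\"\r\
\n }\r\
\n} else={\r\
\n :log info \"No-IP: \$inetinterface is not currently running, so there\
fore will not update.\"\r\
\n}\r\
\n"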
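# Stored script: No-IP dynamic DNS updater for the address on wan2. Same logic
# as the pppoe-out1 updater, with its own global (previousIP2) and its own
# reply file prefix (no-ip_ddns_update2-<host>.txt).
# Review notes:
# - The update URL is plain http:// and the fetch passes user/password, so the
#   No-IP credentials cross the network unencrypted on every update. /tool
#   fetch also has mode=https - NOTE(review): confirm it works on this RouterOS
#   version before switching.
# - noipuser/noippass live in the script source and therefore show up in every
#   /export (the poster replaced them with x's here).
# - The policy list is much broader than the read,write,test the scheduler
#   entry runs the script with; NOTE(review): trim it to what the script needs.
# - previousIP2 is set before the fetch runs, so an update that fails is
#   presumably not retried until the address changes again or the global is
#   cleared.
# The two ":pick" calls were garbled on the page ("[" followed by a line break
# and "ick"); they are restored below.
add name=no-ip_ddns_update2 policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="# No-IP\
\_automatic Dynamic DNS update\r\
\n\r\
\n#--------------- Change Values in this section to match your setup -----\
-------------\r\
\n\r\
\n# No-IP User account info\r\
\n:local noipuser \"xxxxxxxx\"\r\
\n:local noippass \"xxxxxxxx\"\r\
\n\r\
\n# Set the hostname or label of network to be updated.\r\
\n# Hostnames with spaces are unsupported. Replace the value in the quotat\
ions below with your host names.\r\
\n# To specify multiple hosts, separate them with commas.\r\
\n:local noiphost \"xxxxxx.no-ip.org\"\r\
\n\r\
\n# Change to the name of interface that gets the dynamic IP address\r\
\n:local inetinterface \"wan2\"\r\
\n\r\
\n#-----------------------------------------------------------------------\
-------------\r\
\n# No more changes need\r\
\n\r\
\n:global previousIP2\r\
\n\r\
\n:if ([/interface get \$inetinterface value-name=running]) do={\r\
\n# Get the current IP on the interface\r\
\n :local currentIP [/ip address get [find interface=\"\$inetinterface\"\
\_disabled=no] address]\r\
\n\r\
\n# Strip the net mask off the IP address\r\
\n :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
\n :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
\n :set currentIP [:pick \$currentIP 0 \$i]\r\
\n } \r\
\n }\r\
\n\r\
\n :if (\$currentIP != \$previousIP2) do={\r\
\n :log info \"No-IP: Current IP \$currentIP is not equal to previou\
s IP, update needed\"\r\
\n :set previousIP2 \$currentIP\r\
\n\r\
\n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Requi\
red since \? is a special character in commands.\r\
\n :local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$curr\
entIP\"\r\
\n :local noiphostarray\r\
\n :set noiphostarray [:toarray \$noiphost]\r\
\n :foreach host in=\$noiphostarray do={\r\
\n :log info \"No-IP: Sending update for \$host\"\r\
\n /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuse\
r password=\$noippass mode=http dst-path=(\"no-ip_ddns_update2-\" . \$host\
\_. \".txt\")\r\
\n :log info \"No-IP: Host \$host updated on No-IP with IP \$cur\
rentIP\"\r\
\n }\r\
\n } else={\r\
\n :log info \"No-IP: Previous IP \$previousIP2 is equal to current \
IP, no update needed\"\r\
\n }\r\
\n} else={\r\
\n :log info \"No-IP: \$inetinterface is not currently running, so there\
fore will not update.\"\r\
\n}\r\
\n"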
/tool netwatch
# Two probes, one per uplink DNS address. Both run the same scripts: when a
# host stops answering, every route and mangle rule with comment=load-balance
# is disabled; when it answers again they are re-enabled. Either probe going
# down therefore switches off load balancing for both uplinks, and one probe
# coming up re-enables it even if the other is still down.
# NOTE(review): Netwatch pings are sent by the router itself, so they pass
# chain=output of the filter table and follow the main routing table rather
# than the prerouting routing marks. With the block_dns_ rules in this export a
# probe that does not leave through the matching uplink is dropped before it is
# sent, and Netwatch reports the host as down.
add down-script="/ip route set [find comment=load-balance] disabled=yes\r\
\n\r\
\n/ip firewall mangle set [find comment=load-balance] disabled=yes" host=\
110.164.252.222 up-script="/ip route set [find comment=load-balance] disab\
led=no\r\
\n\r\
\n/ip firewall mangle set [find comment=load-balance] disabled=no"
add down-script="/ip route set [find comment=load-balance] disabled=yes\r\
\n\r\
\n/ip firewall mangle set [find comment=load-balance] disabled=yes" host=\
203.144.206.29 up-script="/ip route set [find comment=load-balance] disabl\
ed=no\r\
\n\r\
\n/ip firewall mangle set [find comment=load-balance] disabled=no"
Last edited by devilnaked; 11 Aug 2014, 14:56:41.
Originally posted by devilnaked:
ทำไมผมลองใส่ Netwatch กับ Block DNS ที่ Firewall Filter
DNS True ถึง ping ไม่เจอ งง
ปล.1 WAN1 = PPPoE (3BB) WAN2 = DHCP (TRUE DOCSIS)
Config ผมประมาณนี้ แต่ มัน Ping ออก DNS True ไม่ได้ ทำให้ Script Auto Disable Load-Balance มันทำงาน งงมาก
เอ่อ ขอบคุณมากครับ ผมพยายามทำอยู่ตั้งนาน เลยไปบังคับทำที่ Route เลย ตอนแรกใส่ที่ Prerouting-Routing Mark ทำยังไงก็บังคับทางไปไม่ได้ ตอนนี้ทำได้แล้ว
rb2011 v.6.7 เพื่อนๆใช้scriptตัวไหนบล้อคบิทกันครับ ผมใช้ตัวนี้อยู่ก็เนทวิ่งบ้างไม่วิ่งบ้าง พอdisable เนตวิ่งฉิวเลยครับ
http://classicthais.blogspot.com/2014/03/block-bit-mikrotik-450g.html
รบกวนสอบถามหน่อยครับ พอดีว่าที่บริษัทต้องการติดกล้องวงจรปิดโดยใช้แบบ IP Camera แล้วผู้รับเหมาเค้าต้องการ 3 อย่างคือ 1.การทำ dyndns 2.forward port 3.ต้องการปิด firewall เฉพาะ ip ที่ใช้กับกล้องวงจรปิด ช่วยแนะนำผมทีครับว่า 3 อย่างนี้ทำอย่างไร หรือถ้ามีตัวอย่างมาให้ศึกษาก็ได้นะครับ ยินดีครับผม
ขอบคุณล่วงหน้าครับ
สอบถามผู้รู้ทุกท่านครับ ผมเริ่มทำ hotspot mikrotik ทำหน้า login ได้แล้ว แต่ว่า มือถือ เข้าไม่ได้ กลับกัน คอมพิวเตอร์เข้าได้ ตอนแรก มือถือเข้ามาขึ้นหน้า login ให้ แต่พอเชื่อมเสร็จแล้ว เข้าเว็บไม่ได้เลย ท่านใดรู้ช่วยทีครับ ผิดพลาดตรงไหน
Originally posted by Zepherous:
ในกรณีที่ใช้เชื่อมต่อ ONU/Modem bridge<--->MT PPPoE<--->Client
มีวิธีปรับแต่ง ให้สามารถเข้าไปดูสถานะของ ONU/Modem ได้มั้ยครับ คล้ายๆกับพวก Tomato,DD-wrt ที่วาง script เอา
ONU = 10.0.0.1
MT = 192.168.1.1
config ตามนี้
หมายเหตุ: etherX ให้เปลี่ยนตาม physical interface (อินเทอร์เฟสจริง) ที่นำมาเชื่อมต่อแบบ pppoe-client interface (อินเทอร์เฟส pppoe-out1)
Originally posted by tommy605
/ip address add interface=etherX address=10.0.0.2/30 comment=Manage_ONU
/ip firewall nat add chain=srcnat dst-address=10.0.0.1 out-interface=etherX action=src-nat to-addresses=10.0.0.2 comment=NAT_to_ONU
Last edited by tommy605; 27 Aug 2014, 14:06:25.