
MikroTik hAP ac² - Script difference before and after for checking VPN tab box

Script difference before and after for checking VPN tab box

Listing 1: Before checking the VPN tab box
  # RouterOS export of the hAP ac² default configuration ("defconf") taken
  # before the VPN box is checked. The admin MAC and the SSID suffixes have
  # been redacted with "xx" by the author.
  1. /interface bridge
  2. add admin-mac=CC:2D:E0:xx:xx:xx auto-mac=no comment=defconf name=bridge
  3. /interface wireless
  4. set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-AExxx1 \
  5.     wireless-protocol=802.11
  6. set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
  7.     MikroTik-AExxx2 wireless-protocol=802.11
  8. /interface list
  9. add comment=defconf name=WAN
  10. add comment=defconf name=LAN
  11. /interface wireless security-profiles
  # NOTE(review): only supplicant-identity is printed for the default security
  # profile; no authentication type or key appears in this export, so the
  # wireless encryption state cannot be confirmed from the listing alone.
  12. set [ find default=yes ] supplicant-identity=MikroTik
  13. /ip pool
  14. add name=default-dhcp ranges=192.168.88.10-192.168.88.254
  15. /ip dhcp-server
  16. add address-pool=default-dhcp disabled=no interface=bridge name=defconf
  17. /interface bridge port
  18. add bridge=bridge comment=defconf interface=ether2
  19. add bridge=bridge comment=defconf interface=ether3
  20. add bridge=bridge comment=defconf interface=ether4
  21. add bridge=bridge comment=defconf interface=ether5
  22. add bridge=bridge comment=defconf interface=wlan1
  23. add bridge=bridge comment=defconf interface=wlan2
  24. /ip neighbor discovery-settings
  25. set discover-interface-list=LAN
  26. /interface list member
  27. add comment=defconf interface=bridge list=LAN
  28. add comment=defconf interface=ether1 list=WAN
  29. /ip address
  30. add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
  31. /ip dhcp-client
  32. add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
  33. /ip dhcp-server network
  34. add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
  35. /ip dns
  # The resolver answers queries from other hosts; with the input rule at 43
  # below, only LAN-side hosts can actually reach it in this baseline.
  36. set allow-remote-requests=yes
  37. /ip dns static
  38. add address=192.168.88.1 name=router.lan
  39. /ip firewall filter
  # Input chain baseline: apart from established/related/untracked (40) and
  # ICMP (42), everything not arriving from the LAN list is dropped (43), so
  # no router service is reachable from the WAN side in this state.
  40. add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
  41. add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
  42. add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  43. add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
  # NOTE(review): "in,apices" is almost certainly a transcription/autocorrect
  # error for "in,ipsec" (the same rule in the later export reads
  # ipsec-policy=in,ipsec); RouterOS would not accept the value as printed —
  # confirm against the device rather than copying this line.
  44. add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,apices
  45. add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
  46. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
  47. add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
  48. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
  49. add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
  50. /ip firewall nat
  # ipsec-policy=out,none: only traffic without an outgoing IPsec policy is
  # masqueraded, so policy-based IPsec payloads keep their original source.
  51. add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
  52. /system routerboard settings
  53. set silent-boot=no
  54. /tool mac-server
  # MAC-telnet and MAC-winbox are limited to the LAN interface list.
  55. set allowed-interface-list=LAN
  56. /tool mac-server mac-winbox
  57. set allowed-interface-list=LAN
  58. [admin@MikroTik] >

Listing 2: After checking the VPN tab box
  # RouterOS export of the same hAP ac² after the VPN box is checked. Compared
  # with the earlier export it adds an L2TP/IPsec, PPTP and SSTP server, a PPP
  # pool/profile/secret, cloud DDNS, five input accept rules and a second
  # masquerade rule. Security-relevant points are marked NOTE(review).
  1. /interface bridge
  2. add admin-mac=CC:2D:E0:xx:xx:xx auto-mac=no comment=defconf name=bridge
  3. /interface wireless
  # NOTE(review): disabled=no is no longer printed for wlan1/wlan2 compared
  # with the earlier export — confirm whether the radios are actually enabled
  # or whether this is a paste artefact.
  4. set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-AExxx1 \
  5.     wireless-protocol=802.11
  6. set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-AExxx2 \
  7.     wireless-protocol=802.11
  8. /interface list
  9. add comment=defconf name=WAN
  10. add comment=defconf name=LAN
  11. /interface wireless security-profiles
  12. set [ find default=yes ] supplicant-identity=MikroTik
  # Present only in this export; unrelated to the VPN settings.
  13. /ip hotspot profile
  14. set [ find default=yes ] html-directory=flash/hotspot
  15. /ip pool
  # The LAN pool is now named "dhcp" (it was "default-dhcp" in the earlier
  # export); "vpn" supplies the remote addresses handed to VPN clients.
  16. add name=dhcp ranges=192.168.88.10-192.168.88.254
  17. add name=vpn ranges=192.168.89.2-192.168.89.255
  18. /ip dhcp-server
  19. add address-pool=dhcp disabled=no interface=bridge name=defconf
  20. /ppp profile
  # NOTE(review): *FFFFFFFE is an internal object id, not a profile name; the
  # sstp line (39) points at default-encryption, so this is probably that
  # profile — confirm with `/ppp profile print` before relying on it.
  21. set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
  22. /interface bridge port
  23. add bridge=bridge comment=defconf interface=ether2
  24. add bridge=bridge comment=defconf interface=ether3
  25. add bridge=bridge comment=defconf interface=ether4
  26. add bridge=bridge comment=defconf interface=ether5
  27. add bridge=bridge comment=defconf interface=wlan1
  28. add bridge=bridge comment=defconf interface=wlan2
  29. /ip neighbor discovery-settings
  30. set discover-interface-list=LAN
  31. /interface l2tp-server server
  # L2TP over IPsec with a pre-shared key. NOTE(review): the PSK is the literal
  # string vpn-password, stored and exported in clear text, and it is the same
  # string used as the PPP password at line 72; replace it with a long random
  # value before the input rules below expose the service to the WAN.
  32. set enabled=yes ipsec-secret=vpn-password use-ipsec=yes
  33. /interface list member
  34. add comment=defconf interface=bridge list=LAN
  35. add comment=defconf interface=ether1 list=WAN
  36. /interface pptp-server server
  # NOTE(review): PPTP is enabled here. Its MS-CHAPv2/MPPE authentication and
  # encryption are widely considered broken; leave it disabled unless a
  # legacy client needs it and prefer L2TP/IPsec or SSTP.
  37. set enabled=yes
  38. /interface sstp-server server
  # SSTP listens on TCP 443 (accepted by rule 58 below).
  39. set default-profile=default-encryption enabled=yes
  40. /ip address
  # NOTE(review): the earlier export binds this address to interface=bridge;
  # ether2 is a bridge port (line 23), so an address bound directly to it
  # would be unexpected — confirm whether this is a transcription difference.
  41. add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
  42. /ip cloud
  # Registers the router's public address with MikroTik's cloud DDNS so the
  # VPN endpoint has a stable DNS name; the resulting hostname is not shown in
  # this export.
  43. set ddns-enabled=yes
  44. /ip dhcp-client
  45. add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
  46. /ip dhcp-server network
  47. add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
  48. /ip dns
  49. set allow-remote-requests=yes
  50. /ip dns static
  51. add address=192.168.88.1 name=router.lan
  52. /ip firewall filter
  53. add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
  # VPN service rules inserted ahead of the defconf drops: UDP 4500/500/1701
  # and TCP 1723/443 are accepted from any source on any interface (no
  # in-interface-list or src-address restriction), so all five services are
  # reachable from the WAN. NOTE(review): they also sit before "drop invalid"
  # (59), so invalid-state packets to these ports are accepted; moving them
  # after rule 59 keeps the defconf ordering. With use-ipsec=yes the 1701/udp
  # rule can be tightened with ipsec-policy=in,ipsec so bare L2TP is refused.
  54. add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
  55. add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
  56. add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
  57. add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
  58. add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
  59. add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
  60. add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
  61. add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
  62. add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
  63. add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
  64. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
  65. add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
  66. add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
  67. add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
  68. /ip firewall nat
  69. add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
  # NOTE(review): unlike rule 69 this rule has no out-interface-list=WAN, so
  # VPN client traffic is masqueraded towards the LAN as well; add
  # out-interface-list=WAN if LAN hosts should see the real client addresses.
  70. add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
  71. /ppp secret
  # NOTE(review): user "vpn" / password "vpn-password" is a trivially
  # guessable credential that appears in clear text in every export; change
  # it before the services above are reachable. No service= or profile= is
  # set, so the account is accepted by L2TP, PPTP and SSTP alike.
  72. add name=vpn password=vpn-password
  73. /system routerboard settings
  74. set silent-boot=no
  75. /tool mac-server
  76. set allowed-interface-list=LAN
  77. /tool mac-server mac-winbox
  78. set allowed-interface-list=LAN
  79. [admin@MikroTik] >

The VPN-related differences in the code are listed below (the two exports also differ in a few unrelated places — the `/ip address` interface, the LAN pool name and the `/ip hotspot profile` line — which this list omits):
  # Lines added to the export by checking the VPN box, grouped by menu.
  # NOTE(review): everything here is a placeholder-grade setup — the PPP
  # password and the IPsec PSK are the same clear-text string, PPTP is on,
  # and the input rules open five ports to any source. Harden before use.
  1. /ip pool
  # Remote addresses for VPN clients; the router takes .1 (line 4).
  2. add name=vpn ranges=192.168.89.2-192.168.89.255

  3. /ppp profile
  # *FFFFFFFE is an internal id; probably the default-encryption profile
  # (cf. line 12) — confirm with `/ppp profile print`.
  4. set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn

  5. /ppp secret
  # NOTE(review): guessable credential, exported in clear text; change it.
  6. add name=vpn password=vpn-password

  7. /interface l2tp-server server
  # NOTE(review): the IPsec PSK equals the PPP password above; use a long
  # random value.
  8. set enabled=yes ipsec-secret=vpn-password use-ipsec=yes

  9. /interface pptp-server server
  # NOTE(review): PPTP (MS-CHAPv2/MPPE) is widely considered broken; keep it
  # disabled unless a legacy client requires it.
  10. set enabled=yes
  11. /interface sstp-server server
  12. set default-profile=default-encryption enabled=yes

  13. /ip cloud
  # Cloud DDNS gives the WAN address a stable name; hostname not shown here.
  14. set ddns-enabled=yes

  15. /ip firewall filter
  # Accepted from any source on any interface, ahead of the defconf drops;
  # consider a src-address-list limit and ipsec-policy=in,ipsec on 1701/udp.
  16. add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
  17. add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
  18. add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
  19. add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
  20. add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

  # Belongs under /ip firewall nat (the menu line is omitted in this summary);
  # no out-interface-list, so VPN traffic towards the LAN is masqueraded too.
  21. add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
