# NOTE(review): line 1 looks like two export header lines merged by extraction
# (the usual form is "# <date> by RouterOS 2.9.27" followed by a separate
# "# software id = ..." line); as written it does not start with '#' and would
# not import cleanly. Everything below is the device configuration as exported.
RouterOS 2.9.27# software id = 22G5-4TT
#
# Physical ports: eth-LAN (1Gbps) is the wired client side; eth-Velox (100Mbps)
# carries both the PPPoE uplink ("Velox", see /interface pppoe-client) and the
# hotspot network (see /ip address).
/ interface ethernet
set eth-LAN name="eth-LAN" mtu=1500 mac-address=00:07:95:F5:75:8A \
arp=enabled disable-running-check=yes auto-negotiation=yes \
full-duplex=yes cable-settings=default speed=1Gbps comment="" \
disabled=no
set eth-Velox name="eth-Velox" mtu=1500 mac-address=00:E0:7D:F8:1A:79 \
arp=enabled disable-running-check=yes auto-negotiation=yes \
full-duplex=yes cable-settings=default speed=100Mbps comment="" \
disabled=no
# Bridge port entry exists but is disabled; no bridge is in use in this export.
/ interface bridge port
add interface=eth-LAN priority=0x80 path-cost=10 edge=auto \
point-to-point=auto external-fdb=auto comment="" disabled=yes
# L2TP server is off.
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 \
default-profile=default-encryption
# PPPoE server on eth-Velox: pap (cleartext password) is among the accepted
# methods, and one-session-per-host=no allows several sessions from the same
# host, bounded only by max-sessions=60.
/ interface pppoe-server server
add service-name="zirta" interface=eth-Velox max-mtu=1492 max-mru=1492 \
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=60 \
one-session-per-host=no max-sessions=60 \
default-profile=default-encryption disabled=no
# PPTP server is off.
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 \
keepalive-timeout=30 default-profile=default-encryption
# Uplink PPPoE client; add-default-route=yes makes "Velox" the default gateway.
# NOTE(review): the user= value is split across two lines and shows an
# "[email protected]" placeholder, which is an extraction artifact rather than the
# real username. The password is exported in cleartext: rotate this credential
# and redact it before the export is shared.
/ interface pppoe-client
add name="Velox" max-mtu=1492 max-mru=1492 interface=eth-Velox \
user="
[email protected]" password="2122222576" \
profile=default-encryption service-name="" ac-name="" \
add-default-route=yes dial-on-demand=no use-peer-dns=yes \
allow=pap,chap,mschap1,mschap2 disabled=no
# Pool_Clientes (.10-.100) and hs-pool-2 (.10-.200) overlap, and both DHCP
# servers below hand out from the same 192.168.25.0/24, which is configured on
# eth-LAN and eth-Velox alike (see /ip address). Leases issued on the two
# interfaces can therefore collide.
/ ip pool
add name="Pool_Clientes" ranges=192.168.25.10-192.168.25.100
add name="hs-pool-2" ranges=192.168.25.10-192.168.25.200
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
# All management services (telnet, ftp, www, ssh) are enabled and bound to
# 0.0.0.0/0 (any source), while the only encrypted web option, www-ssl, is
# disabled with no certificate. Telnet and FTP carry credentials in cleartext.
# Nothing in /ip firewall filter below restricts these ports on the uplink.
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
# Single static ARP entry for host "MARRA" on the LAN side.
/ ip arp
add address=192.168.25.94 mac-address=00:0F:EA:A0:37:9F interface=eth-LAN \
comment="MARRA" disabled=no
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
# allow-remote-requests=yes makes the router answer DNS queries from any
# source that can reach it; the filter section below has no rule limiting
# port 53 on the Velox uplink, so unless the upstream provider filters it
# this acts as an open resolver.
/ ip dns
set primary-dns=200.222.122.134 secondary-dns=200.165.132.155 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip dns static
add name="DNS" address=200.185.6.131 ttl=1d
add name="DNS2" address=200.184.26.3 ttl=1d
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m \
inactive-flow-timeout=15s
# The same /24 is assigned on both interfaces: .252 on eth-LAN and .1 on
# eth-Velox ("hotspot network").
/ ip address
add address=192.168.25.252/24 network=192.168.25.0 broadcast=192.168.25.255 \
interface=eth-LAN comment="" disabled=no
add address=192.168.25.1/24 network=192.168.25.0 broadcast=192.168.25.255 \
interface=eth-Velox comment="hotspot network" disabled=no
# /ip proxy is disabled; the active proxy is /ip web-proxy further down.
# NOTE(review): the misspelled keys (maximal-client-connecions /
# maximal-server-connectons) appear to be as emitted by this release; leave
# them unchanged when re-importing.
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 \
maximal-client-connecions=1000 maximal-server-connectons=1000
# Applies to the /ip proxy service above, which is disabled (enabled=no), so
# this access rule is currently inactive.
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
# MNDP discovery is enabled on both physical ports (eth-Velox also faces the
# hotspot clients); the PPPoE uplink "Velox" is excluded.
/ ip neighbor discovery
set eth-LAN discover=yes
set eth-Velox discover=yes
set Velox discover=no
/ ip route
/ ip firewall mangle
# Masquerade behind the PPPoE uplink; port 80 arriving on either LAN-side
# interface is redirected to the local web proxy (3128) for transparent
# filtering.
/ ip firewall nat
add chain=srcnat out-interface=Velox action=masquerade comment="" \
disabled=no
add chain=dstnat in-interface=eth-LAN protocol=tcp dst-port=80 \
action=redirect to-ports=3128 comment="" disabled=no
add chain=dstnat in-interface=eth-Velox protocol=tcp dst-port=80 \
action=redirect to-ports=3128 comment="" disabled=no
# Short tracking timeouts; tcp-syncookie=no leaves SYN-cookie protection off
# for the router's own listening services.
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=no
# Forward-chain content filter. The content= matcher looks for the literal
# byte string anywhere in the packet payload, so these rules also drop
# unrelated traffic that happens to contain the substring (e.g. content=bol,
# content=player), and they cannot see inside encrypted sessions. The hotmail
# rule carries an empty src-address-list="" that matches nothing extra.
/ ip firewall filter
add chain=forward content=facebook action=drop comment="" disabled=no
add chain=forward content=uol action=drop comment="" disabled=no
add chain=forward content=player action=drop comment="" disabled=no
add chain=forward content=bol action=drop comment="" disabled=no
add chain=forward content=sexo action=drop comment="" disabled=no
add chain=forward content=jogos action=drop comment="" disabled=no
add chain=forward content=hotmail src-address-list="" action=drop comment="" \
disabled=no
add chain=forward content=mail.google action=drop comment="" disabled=no
add chain=forward content=g1.globo action=drop comment="" disabled=no
add chain=forward content=twitter action=drop comment="" disabled=no
add chain=forward content=.bol action=drop comment="" disabled=no
add chain=forward content=ORKUT action=drop comment="" disabled=no
add chain=forward content=porn action=drop comment="" disabled=no
add chain=forward content=flagra action=drop comment="" disabled=no
# Input chain: the only restrictions are proxy port 3128 from the uplink and
# the ftp/ssh blacklists below. There is no general input-chain drop rule in
# this export, so the management services enabled in /ip service stay
# reachable from the Velox uplink.
add chain=input in-interface=Velox protocol=tcp dst-port=3128 action=drop \
comment="" disabled=no
# FTP brute-force handling (the stock MikroTik example): "530 Login incorrect"
# replies are accepted at 1/min with a burst of 9 per destination address;
# beyond that the destination is added to ftp_blacklist for 3h, which the drop
# rule then enforces. It relies on an output-chain content match, so it only
# covers cleartext FTP control sessions.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
action=drop comment="drop ftp brute forcers" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h comment="" disabled=no
# SSH brute-force staging (the stock MikroTik example). The rules are ordered
# highest stage first so each new connection advances a source by one stage;
# a fourth new connection within the 1m stage windows lands the source in
# ssh_blacklist for 1w3d. There is no exception list, so an administrator who
# opens several SSH sessions in quick succession is blocked the same way.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list \
address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list \
address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage1 action=add-src-to-address-list \
address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m comment="" disabled=no
# Connection-tracking helpers: ftp and tftp are active; irc, h323, quake3,
# gre and pptp are disabled.
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=yes
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=yes
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no
# Hotspot profiles: login by cookie or HTTP-CHAP, local users only
# (use-radius=no); hsprof1 is bound to 192.168.25.1, the eth-Velox address.
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" \
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
split-user-domain=no use-radius=no
add name="hsprof1" hotspot-address=192.168.25.1 dns-name="dns" \
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m \
status-autorefresh=1m shared-users=1 transparent-proxy=yes \
open-status-page=always advertise=no
# DHCP_Clientes serves eth-LAN (3d leases); dhcp1 serves the hotspot side on
# eth-Velox (1h leases). Both draw from the overlapping pools noted above.
/ ip dhcp-server
add name="DHCP_Clientes" interface=eth-LAN lease-time=3d \
address-pool=Pool_Clientes bootp-support=static disabled=no
add name="dhcp1" interface=eth-Velox lease-time=1h address-pool=hs-pool-2 \
bootp-support=static authoritative=after-2sec-delay disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
# Only one network entry, with gateway .252 (the eth-LAN address). Both DHCP
# servers draw from this /24, so hotspot clients on eth-Velox are presumably
# handed .252 rather than .1 as gateway — verify this is intended.
/ ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.252 netmask=24 comment=""
# 3DES with DH group modp1024 is weak by current standards. No IPsec peers or
# policies appear in this export, so the proposal may be unused — confirm on
# the device before relying on it.
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no
# The web proxy listens on all addresses (src-address=0.0.0.0) and is reached
# transparently through the dstnat redirects above. Only the Velox uplink is
# blocked from port 3128 in the filter; any other interface can use the proxy
# directly. max-cache-size=unlimited lets the cache fill the system drive.
/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=3128 hostname="proxy" \
transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-object-size=100000KiB \
cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited
# URL deny list for the transparent proxy. url= values are pattern matches
# against the requested URL; entries prefixed with ':' appear to be regular
# expressions in this version's syntax. The two entries broken across lines
# ("layer", "orn") look like extraction damage and would not match what was
# intended — verify them against the device.
/ ip web-proxy access
add url="facebook.com" action=deny comment="Block sites " disabled=no
add url="mail.google.com" action=deny comment="" disabled=no
add url="uol.com.br" action=deny comment="" disabled=no
add url="globo.com" action=deny comment="" disabled=no
add url="orkut.com" action=deny comment="" disabled=no
add url="gmail.com" action=deny comment="" disabled=no
add url="hotmail.com" action=deny comment="" disabled=no
add url="
layer" action=deny comment="" disabled=no
add url="ig.com.br" action=deny comment="" disabled=no
add url="
orn" action=deny comment="" disabled=no
add url=":video" action=deny comment="" disabled=no
add url="youtube" action=deny comment="" disabled=no
add url="twitter" action=deny comment="" disabled=no
add url="piada" action=deny comment="" disabled=no
add url="sexo" action=deny comment="" disabled=no
add url="penis" action=deny comment="" disabled=no
add url="jogo" action=deny comment="" disabled=no
add url="yahoo.com" action=deny comment="" disabled=no
add url="blogger.com" action=deny comment="" disabled=no
add url="blogspot.com" action=deny comment="" disabled=no
# Do not cache dynamic (cgi-bin) responses.
/ ip web-proxy cache
add url=":cgi-bin\\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
# Disabled direct-access rule; has no effect as exported.
/ ip web-proxy direct
add url="facebook" action=deny comment="" disabled=yes