# Interface lists let firewall and NAT rules refer to ports by role (WAN/LAN).
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One address pool per routed segment: LAN (ether5), VLAN 20, VLAN 10 and DMZ (ether4).
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.40
add name=dhcp_pool6 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=DMZ ranges=192.168.100.2-192.168.100.254
# vlan10 and vlan20 are referenced below, but no /interface vlan section
# appears in this export -- presumably trimmed by the poster.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether5 lease-time=2h name=server1
add address-pool=dhcp_pool6 disabled=no interface=vlan20 name=dhcp2
add address-pool=DMZ disabled=no interface=ether4 name=dhcp3
add address-pool=dhcp_pool10 disabled=no interface=vlan10 name=dhcp4
# Only ether1 (WAN) and ether5 (LAN) are list members. ether4, vlan10 and
# vlan20 belong to neither list, so any rule matching on in-interface-list=LAN
# does not cover the DMZ or the VLAN segments.
/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.0.1/24 interface=ether5 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0
# "EXTERNAL IP" and "AAA" are the poster's redaction placeholders, not values
# RouterOS would accept.
add address=EXTERNAL IP/30 interface=ether1 network=AAA
/ip dhcp-server lease
# allow-remote-requests=yes makes the router answer DNS queries from any client
# that can reach it. This section does not limit that to particular interfaces,
# so whether the resolver is reachable on ether1 (WAN) depends entirely on the
# input chain of the firewall.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# The three names resolve directly to the DMZ host 192.168.100.110.
# NOTE(review): the forward chain in this export drops 192.168.0.0/24 ->
# 192.168.100.0/24, so LAN clients that resolve these names would be blocked
# from reaching the host -- confirm that is intended.
/ip dns static
add address=192.168.100.110 name=domainA
add address=192.168.100.110 name=domainB
add address=192.168.100.110 name=domainC
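/ip firewall filter
# Port-forwarded (dst-nat) connections are accepted ahead of the isolation
# drops below, so published services stay reachable from every segment.
add action=accept chain=forward connection-nat-state=dstnat
# Segment isolation, both directions: LAN (192.168.0.0/24) <-> DMZ
# (192.168.100.0/24) and LAN <-> VLAN 20 (192.168.20.0/24).
# NOTE(review): no rule covers 192.168.10.0/24, DMZ <-> VLAN 20 or DMZ <-> VLAN 10;
# those pairs are forwarded by the implicit accept at the end of the chain.
# The DMZ holds the Internet-facing host, so confirm that is intended.
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=192.168.20.0/24
# Management ports are blocked on the WAN side. The SSH rule has to match on
# in-interface-list=WAN: a connection-state=related match never sees the first
# packet of a new SSH connection, so it would leave port 22 open from the WAN.
add action=drop chain=input comment="drop ssh from wan" dst-port=22 in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=input comment="drop winbox from wan" dst-port=8291 in-interface-list=WAN log=yes protocol=tcp
# /ip dns runs with allow-remote-requests=yes; without these two rules the
# router would answer DNS queries arriving on the WAN (open resolver). Replies
# to the router's own upstream queries are unaffected, since they arrive with
# source port 53, not destination port 53.
add action=drop chain=input comment="drop dns from wan" dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop dns from wan" dst-port=53 in-interface-list=WAN protocol=tcp
# NOTE(review): the input chain is still a deny-list ending in the implicit
# accept. Any other router service that is enabled (this export shows no
# /ip service section) remains reachable from the WAN -- confirm, and prefer
# accepting established/related plus a final drop for in-interface-list=WAN.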
/ip firewall nat
# Source NAT for everything that leaves through an interface in the WAN list.
add action=masquerade chain=srcnat out-interface-list=WAN
# Publishes TCP 80/443 on the external address to the DMZ host. The rule has no
# in-interface match, so it also applies to internal clients that connect to
# the external address.
add action=dst-nat chain=dstnat comment="HTTPS an reverse proxy" dst-address=EXTERNAL IP dst-port=80,443 protocol=tcp to-addresses=\
192.168.100.110
# Publishes UDP 1194 arriving on ether1 to 192.168.0.113, a host inside the LAN
# segment (192.168.0.0/24), not the DMZ. An Internet-reachable service inside
# the LAN bypasses the LAN/DMZ separation -- NOTE(review): confirm the placement.
add action=dst-nat chain=dstnat dst-address=EXTERNAL IP dst-port=1194 in-interface=ether1 protocol=udp to-addresses=192.168.0.113 \
to-ports=1194
/ip ipsec policy
set 0 disabled=yes
# "YYY" is the poster's placeholder for the upstream gateway address.
/ip route
add distance=1 gateway=YYY
# Chain-based firewall skeleton: the built-in chains jump into custom chains
# (.FORWARD / .INPUT / .OUTPUT) that hold the allow rules, then into .REJECT
# for whatever was not accepted.
/ip firewall filter
# .REJECT: all three reject rules are shipped with disabled=yes, so as posted
# this chain rejects nothing. Unmatched traffic returns to the built-in chain
# and is accepted by default. They must be enabled for the rule set to filter.
add action=passthrough chain=.REJECT comment="REJECT Chain"
add action=reject chain=.REJECT disabled=yes protocol=udp reject-with=icmp-port-unreachable
add action=reject chain=.REJECT disabled=yes protocol=tcp reject-with=tcp-reset
add action=reject chain=.REJECT disabled=yes reject-with=icmp-network-unreachable
# Built-in chains: allow-list first, reject second. The German rule comments
# read "REJECT unless allowed in .FORWARD / .INPUT".
add action=jump chain=forward jump-target=.FORWARD
add action=jump chain=forward comment="REJECT sofern nicht in .FORWARD erlaubt" jump-target=.REJECT
add action=jump chain=input jump-target=.INPUT
add action=jump chain=input comment="REJECT sofern nicht in .INPUT erlaubt" jump-target=.REJECT
# No rules for the .OUTPUT chain are shown in this snippet.
add action=jump chain=output jump-target=.OUTPUT
# .INPUT: traffic addressed to the router itself.
# NOTE(review): there is no drop for connection-state=invalid, and ICMP is
# accepted from every interface.
add action=passthrough chain=.INPUT comment="INPUT Chain"
add action=accept chain=.INPUT comment="ESTABLISHED & RELATED & UNTRACKED" connection-state=established,related,untracked
add action=accept chain=.INPUT comment="ICMP erlauben" protocol=icmp
add action=accept chain=.INPUT comment="Lokaler Zugriff (z.B. The Dude)" src-address-type=local
# NOTE(review): 127.0.0.0/24 covers only 127.0.0.0-127.0.0.255; the loopback
# block is 127.0.0.0/8 -- confirm which was meant.
add action=accept chain=.INPUT src-address=127.0.0.0/24
# The interface lists named ALLOW_* and IS_* are not defined in this snippet;
# they have to exist under /interface list before these rules can match.
# Only UDP 53 is opened for the router's own services.
add action=accept chain=.INPUT dst-port=53 in-interface-list=ALLOW_IN_Services protocol=udp comment="Services die der Router bereitstellt"
# Full access to the router from every interface in ALLOW_IN_Full: keep that
# list limited to management interfaces.
add action=accept chain=.INPUT in-interface-list=ALLOW_IN_Full comment="Vollzugriff von gegebenen Interfaces"
# .FORWARD: routed traffic, allowed per (source list -> destination list) pair.
add action=passthrough chain=.FORWARD comment="FORWARD Chain"
add action=accept chain=.FORWARD comment="ESTABLISHED & RELATED & UNTRACKED" connection-state=established,related,untracked
# Debug switch: accepts all forwarding when enabled, so it stays disabled.
add action=accept chain=.FORWARD comment="TEMPORARY ACCEPT ALL FORWARDING" disabled=yes
add action=accept chain=.FORWARD comment="Regelung des generellen Zugriffs auf Interfaces und VLANs mit Interface-Listen" in-interface-list=ALLOW_to_WAN out-interface-list=IS_WAN
add action=accept chain=.FORWARD in-interface-list=ALLOW_to_VPN out-interface-list=IS_VPN
add action=accept chain=.FORWARD in-interface-list=ALLOW_to_WAN_Voip out-interface-list=IS_WAN_VOIP
add action=accept chain=.FORWARD in-interface-list=ALLOW_to_LAN_Clients out-interface-list=IS_LAN_Clients
add action=accept chain=.FORWARD in-interface-list=ALLOW_to_LAN_Network out-interface-list=IS_LAN_Network
add action=accept chain=.FORWARD in-interface-list=ALLOW_to_LAN_Server out-interface-list=IS_LAN_Server
Gude,
wie sind eure Erfahrungen mit generischen Transceivern von FS und Mikrotik?
Habe mir einen für meinen Hex S bestellt. Wird zwar erkannt, aber er funktioniert nicht – in meinem CRS326 das gleiche Spiel. Erkannt, aber kein Link; weder an der LED (beim Hex S ist diese wenigstens an) noch in der Webfig ist der Link aktiv.
Werde mich zwar mal an FS wenden, aber wollte hier auch mal nachfragen. (Ggf. werde ich mir einfach direkt den Mikrotik bestellen.)
An die Autonegotiation hatte ich auch schon gedacht (und getestet), weil ein Kollege hier auch schon Probleme mit hatte.
Wenn man das an beiden Geräten machen muss, wird das schon mal nicht klappen, da ich ein Kabelmodem im Bridge-Betrieb betreibe – dadurch ist es nicht via IP/Web erreichbar und konfigurierbar.
-----
Allerdings kommt mir gerade eine Idee. Könnte ich auch einen der anderen RJ45-Ports als WAN definieren und nicht nur die zwei, die durch die Beschriftung/Quick Set vorgegeben werden?
Ich will eigentlich nur den WAN-RJ45 ins LAN bekommen, weil dieser auch der PoE-in-Port ist. Der soll dann wie andere Geräte per PoE versorgt werden.
Du kommst immer auf ein Kabelmodem, laut CableLabs Standards müssen CPEs immer unter der 192.168.100.1 erreichbar sein. Ob du da allerdings den Speed der LAN-Ports einstellen kannst bezweifle ich mal.
# ifupdown-syntax host network configuration. The vmbrN bridge names used
# further down suggest a Proxmox VE host (not stated in the file).
auto lo
iface lo inet loopback
# Physical NICs are brought up without an address ("manual"); addresses and
# guest attachment are handled by the bridges that enslave them.
auto eth1
iface eth1 inet manual
auto enp7s0
iface enp7s0 inet manual
auto enp12s0
iface enp12s0 inet manual
auto enp11s0
iface enp11s0 inet manual
auto enp8s0
iface enp8s0 inet manual
# In this file each bridge's label is the "#..." line that FOLLOWS its stanza.
# vmbr0 (on eth1) is the only bridge with an IP: it carries the host's own
# address 192.168.0.131 and default gateway, i.e. the hypervisor management
# interface sits in 192.168.0.0/24.
auto vmbr0
iface vmbr0 inet static
address 192.168.0.131
netmask 255.255.255.0
gateway 192.168.0.1
bridge-ports eth1
bridge-stp off
bridge-fd 0
#Host & VPN & DNS
# vmbr2 (on enp7s0) is VLAN-aware and admits every VLAN ID from 2 to 4094.
# NOTE(review): narrowing bridge-vids to the VLANs actually in use limits which
# segments a guest on this bridge can reach by tagging its own frames -- confirm
# how guest ports are tagged.
auto vmbr2
iface vmbr2 inet manual
bridge-ports enp7s0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
#Internet access/DMZ
# vmbr1 (on enp8s0): plain bridge, no VLAN handling.
auto vmbr1
iface vmbr1 inet manual
bridge-ports enp8s0
bridge-stp off
bridge-fd 0
#LXC & VM
# vmbr3 bridges the VLAN 20 sub-interface of enp11s0.
auto vmbr3
iface vmbr3 inet manual
bridge-ports enp11s0.20
bridge-stp off
bridge-fd 0
#VLAN 20; is blocked
# vmbr4 bridges the VLAN 10 sub-interface of enp12s0.
auto vmbr4
iface vmbr4 inet manual
bridge-ports enp12s0.10
bridge-stp off
bridge-fd 0
#VLAN 10, is routed
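# The two stanzas below are the ones the poster highlighted in the forum post;
# the colour markup is removed here because ifupdown cannot parse it.
# vmbr5 bridges the VLAN 30 sub-interface of enp12s0.
auto vmbr5
iface vmbr5 inet manual
bridge-ports enp12s0.30
bridge-stp off
bridge-fd 0
#VLAN 30; is routed
# vmbr6 is a VLAN-aware bridge directly on enp12s0, the same NIC whose .10 and
# .30 sub-interfaces feed vmbr4 and vmbr5.
# NOTE(review): presumably this is an alternative to the per-VLAN bridges rather
# than an addition -- confirm which variant is intended.
# NOTE(review): no "auto vmbr6" line is visible, so the bridge would not be
# brought up at boot -- confirm.
# bridge-vids 2-4094 admits every VLAN ID; restricting it to the VLANs in use
# (10, 20 and 30 appear in this file) keeps guests on this bridge from reaching
# other segments by tagging their own frames.
iface vmbr6 inet manual
bridge-ports enp12s0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094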
# may/01/2019 11:45:09 by RouterOS 6.44.3
# software id = WRW5-GD0Y
#
# model = CRS317-1G-16S+
# serial number = ***************
# bridge1 is defined but disabled; bridge2 is the active bridge and uses a
# jumbo MTU of 9000.
/interface bridge
add disabled=yes name=bridge1
add mtu=9000 name=bridge2
/interface ethernet
set [ find default-name=ether1 ] comment="Uplink zu Router"
# sfp-sfpplus1 and sfp-sfpplus2: every link mode up to 10G is advertised and
# jumbo frames are enabled at both L2 MTU and MTU.
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
comment="Server - 10G" l2mtu=9000 mtu=9000
set [ find default-name=sfp-sfpplus2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
comment="Switch - 10G" l2mtu=9000 mtu=9000
set [ find default-name=sfp-sfpplus16 ] comment="***"
/interface list
add name=WAN
add name=LAN
# Every port, including the ether1 uplink, is a member of bridge2. No
# vlan-filtering or pvid settings appear in this export, so the device forwards
# as one flat layer-2 domain.
/interface bridge port
add bridge=bridge2 interface=ether1
add bridge=bridge2 interface=sfp-sfpplus1
add bridge=bridge2 interface=sfp-sfpplus2
add bridge=bridge2 interface=sfp-sfpplus3
add bridge=bridge2 interface=sfp-sfpplus4
add bridge=bridge2 interface=sfp-sfpplus7
add bridge=bridge2 interface=sfp-sfpplus8
add bridge=bridge2 interface=sfp-sfpplus9
add bridge=bridge2 interface=sfp-sfpplus10
add bridge=bridge2 interface=sfp-sfpplus11
add bridge=bridge2 interface=sfp-sfpplus12
add bridge=bridge2 interface=sfp-sfpplus13
add bridge=bridge2 interface=sfp-sfpplus14
add bridge=bridge2 interface=sfp-sfpplus15
add bridge=bridge2 interface=sfp-sfpplus16
add bridge=bridge2 interface=sfp-sfpplus5
add bridge=bridge2 interface=sfp-sfpplus6
# Detect Internet is enabled on the built-in interface list "all", i.e. on
# every port.
# NOTE(review): on a device used purely as a switch this is presumably not
# needed; restricting the list keeps the feature off ports it has no business
# probing -- confirm.
/interface detect-internet
set detect-interface-list=all
# ether1 is labelled WAN and the SFP+ ports LAN, but all of them are bridged
# together in bridge2. The lists only take effect in rules that reference them,
# and no firewall filter rules appear in this export.
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface=sfp-sfpplus10 list=LAN
add interface=sfp-sfpplus11 list=LAN
add interface=sfp-sfpplus12 list=LAN
add interface=sfp-sfpplus13 list=LAN
add interface=sfp-sfpplus14 list=LAN
add interface=sfp-sfpplus15 list=LAN
add interface=sfp-sfpplus16 list=LAN
# Management address of the switch, bound to bridge2 and therefore reachable
# from every bridged port. The third octet ("***") was masked by the poster.
/ip address
add address=192.168.***.220/24 interface=bridge2 network=192.168.***.0
/ip dns
set servers=192.168.***.1
# All firewall service-port helpers are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.***.1
# Management services: telnet, ftp, www, ssh, api and api-ssl are disabled.
# winbox is not listed. An export prints only non-default values, so
# NOTE(review): presumably winbox is still enabled without an address= limit.
# Confirm, and restrict it to the admin subnet, since the management IP is
# reachable from every bridged port and no input filter rules are shown.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Allows SSH remote port forwarding. With the ssh service disabled above this
# has no effect until SSH is re-enabled.
/ip ssh
set forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
# Time is taken from a single NTP server given as a literal IP; no secondary
# server is configured in this export.
/system ntp client
set enabled=yes primary-ntp=81.7.4.127
/system routerboard settings
set boot-os=router-os