Router OS

-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
--------------------------- ( RouterOS.Basic-Config ) --------------------- [ INI ]
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
# SO: RouterOS (Mikrotik), config general x (8) etherX.
# Interfaces: WAN (1…5) LAN (6…19) IPPu.Client (20…89) SOS/RES (90…99).
# Tormenta ARP (Interface-Loop):.
# Interfaces.Config (+anti-LOOPs): --------------------------------------------
/interface ethernet set 0 name=”WAN1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”WAN1.[ TELCO ]”;
loop-protect-disable-time=1mcomment=”WAN2.[ … ]”;
loop-protect-disable-time=1mcomment=”WAN3.[ … ]”;
/interface ethernet set 3 name=”LAN1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”LAN1.[ WR.1-1 ]”;
loop-protect-disable-time=1mcomment=”LAN2.[ WR.2-2 ]”;
loop-protect-disable-time=1mcomment=”LAN3.[ … ]”;
/interface ethernet set 6 name=”SOS1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”SOS1.[ … ]”;
/interface ethernet set 7 name=”RES1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”RES1.[ … ]”;
# …
# Nota: descubre (loops de paquetes en capa.2 ® (RB.MAC=src-MAC=dst-MAC).
# Address.Config:
------------------------------------------------------------------------
/ip address add address=X.Y.Z.W/24 interface=WAN1 comment=”01R>: WAN1.
[ TELCO.1.2.3.4 ]” disable=yes;
/ip address add address=1...21/32 interface=WAN2 comment=”02Rx: WAN2.[ … ]”
disable=yes;
/ip address add address=1...21/32 interface=WAN3 comment=”03Rx: WAN3.[ … ]”
disable=yes;
/ip address add address=1...1/24 interface=LAN1 comment=”06R+: LAN1.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN1 comment=”07Rx: LAN1.[ Gateway+DNS1.
]” disable=yes;
]” disable=yes;
]” disable=yes;
]” disable=yes;
]” disable=yes;
/ip address add address=1...2/32 interface=SOS1 comment=”90R+: EMERGENCY1.[ … ]”
disable=yes;
/ip address add address=1.../32 interface=RES1 comment=”91R+: RESERVADO1.[ … ]”
disable=yes;
# …
# Agrupar Interfaces (WANs):
----------------------------------------------------------
/interface list member add interface=WAN1 list=WANs comment=”01R+: WANs.Add (WAN1)”
disable=yes;
/interface list member add interface=WAN2 list=WANs comment=”02Rx: WANs.Add (WAN2)”
disable=yes;
/interface list member add interface=WAN3 list=WANs comment=”03Rx: WANs.Add (WAN3)”
disable=yes;
# …
# Agrupar Interfaces (LANs):
-----------------------------------------------------------
/interface list member add interface=LAN1 list=LANs comment=”06R+: LANs.Add (LAN1)”
disable=yes;
/interface list member add interface=LAN2 list=LANs comment=”07R+: LANs.Add (LAN2)”
disable=yes;
/interface list member add interface=LAN3 list=LANs comment=”08Rx: LANs.Add (LAN3)”
disable=yes;
# …
# Nota: comenzar las LANs con el puerto (físico:4, lógico:3) x (WAN.Balanceo). En
caso de usar Wireless (WLAN1, usar: interface=bridge1).
# Establecer Queue.Interface: ------------------------------------- (FUNDAMENTAL)
/queue interface set WAN1 queue=ethernet-default; # ® PFIFO(50p)
/queue interface set WAN2 queue=ethernet-default;
/queue interface set WAN3 queue=ethernet-default;
/queue interface set LAN1 queue=ethernet-default;
/queue interface set SOS1 queue=ethernet-default;
/queue interface set RES1 queue=ethernet-default;
# …
# Nota: continuar hasta cubrir all interafaces usadas (cambiar según eficiencia).
# DNS.Config:
----------------------------------------------------------------------------
/ip dns set servers=1.1.1.1,1.0.0.1,209.244.0.3,209.244.0.4;
/ip dns set allow-remote-requests=yes; # Uso el DNS.Cache x capturar IPs
/ip dns set max-udp-packet-size=4096;
/ip dns set cache-size=51200; # (50MB, el DNS.cache, no es persistente
/ip dns set cache-max-ttl=1d; # (1d, para mitigar ataques: (Type=unknown)
# Routes.Config:
-------------------------------------------------------------------------
/ip route add gateway=1.2.3.1 check-gateway=ping comment=”01R>: Ruta.WAN1, hacia
XXX.GateWay-Border.....1” disable=yes;
# Nota: (AS: Active and Static Conextion), (CD: Conected and Dinamic), (X:
Deshabilitada), (ping: chequea c/10s – check-gateway=ping –).
# Enmascaramiento.Config:
-------------------------------------------------------------
/ip firewall nat add chain=srcnat out-interface-list=WANs comment=”100R>: NAT.C-
IPPri (WANs)” action=masquerade disable=yes;
/ip firewall nat add chain=srcnat out-interface=WAN1 comment=”101R<: NAT.C-IPPri
(WAN1)” action=masquerade disable=yes;
# Nota: establece y restringe, acceso desde LANs a Internet, a travez de WANs.
# Reglas para transparentar (RB.DNS-Cache): ---------------------------------------
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LANs
comment=”110R+: NAT.DNS-Trafic a DNSCache.UDP” action=redirect to-ports=53
disable=yes;
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 in-interface-list=LANs
comment=”111R+: NAT.DNS-Trafic a DNSCache.TCP” action=redirect to-ports=53
disable=yes;
# Nota: redirecciona (peticiones de DNS) y permite, establecer any-IP en
Client.TarjetRed.
# SNTP-Client.Config:
--------------------------------------------------------------------
/system ntp client set primary-ntp=170.155.148.1 secondary-ntp=201.217.3.85
enable=yes;
# Email.Config:
---------------------------------------------------------------------------
/tool e-mail set address=64.233.186.108;
/tool e-mail set port=587;
/tool e-mail set from=xxx@gmail.com; # smtp.gmail.com
/tool e-mail set user=xxx;
/tool e-mail set password=Gmail.Key; # o la clave de 2da autenticación
/tool e-mail set start-tls=yes; # Cifrado entre el RB y
Gmail.Servers
# Nota: (2da autenti: https://security.google.com/settings/security/apppasswords)
#
-----------------------------------------------------------------------------------
--------
# Configuración básica de seguridad del RB:

# Usuarios.Config:
-----------------------------------------------------------------------
/system identity set name="xxx.ISP [ .... ]"; # cambiar según RB
/user set 0 name="user(x)" password=”key.generator(x)” group=full comment=“xxx.RB01
”; # dejar espacio final y cambiar según RB
# --------------------------------------------------
/user add name="user(y)" password="zzzzzzza” group=write comment=“xxx.RB01 ”
disable=yes; # dejar espacio final y cambiar según RB
/user add name="user(z)" password="zzzzzzzb” group=read comment=“xxx.RB01 ”
disable=yes; # dejar espacio final y cambiar según RB
# Nota: modificar permisos (read a full), según corresponda.
# Servicios-RBAccess.Config:
------------------------------------------------------------
/ip service disable telnet,ftp,www,www-ssl,api-ssl,ssh;
/ip service enable winbox,api;
/ip service set api-ssl port=3333; # Activar, solo si logre resolver: (SSL)
/ip service set www-ssl port=3334; # Activar, solo si logre resolver: (SSL)
/ip service set winbox port=3335;
# Nota: o cerrarlo por ej.: address=.....
/ip service set api port=3336;
# Nota: o cerrarlo por ej.: address=..... solo x (WiFi.BackUp)
# Winbox-RBDiscovery.Config:
----------------------------------------------------------
/tool mac-server mac-winbox set allowed-interface-list=all; # none, drop Winbox-
Access.MAC (actualmente, permito acceso por MAC).
/tool mac-server set allowed-interface-list=none; # Ignora MAC-Telnet Services
/tool mac-server ping set enabled=no; # Ignora ping
a MAC
/ip neighbor discovery-settings set discover-interface-list=none; # Oculta
MAC
# Email.Critical Alert:
--------------------------------------------------------------------
/system logging action add name=EmailCriticalAlert target=email email-
to=xxx@gmail.com;
/system logging action add name=EmailCriticalAlert target=email email-
to=xxx@gmail.com;
/system logging add topics=critical,system,error prefix=([/system identity get
name].“.LoginFailed”) action=EmailCriticalAlert; # Se da, cuando acontece un acceso
fallido.
/system logging add topics=interface,warning prefix=([/system identity get
name].“.EthernetLoop”) action=EmailCriticalAlert; # Se da, cuando acontece un loop-
ethernet.
# Creo listas static de IPs, según necesidad:
----------------------------------------
# ---------------------------------- [Admin.IPs]
/ip firewall address-list add address=X.Y.Z.W list=A-ADMIN.List comment=”R+:
AdminCtrl.AX (Public)” disable=yes;
/ip firewall address-list add address=X.Y.Z.W1 list=A-ADMIN.List comment=”R+:
AdminCtrl.Router (WiFi)” disable=yes;
/ip firewall address-list add address=1...120 list=A-ADMIN.List comment=”R+:
AdminCtrl.AX (Private)” disable=yes;
/ip firewall address-list add address=1...120 list=A-ADMIN.List comment=”Rx:
Emergencia.Acceso (Private)” disable=yes;
Emergencia.Acceso (Private)” disable=yes;
# Nota: si la (IP.RouterAdmin), se encuentra en el rango del (RB.IPLAN), debo
agregar la (IP.RouterAdmin) como permitida.
# --------------------------------------- [ClientLAN.IPs]
/ip firewall address-list add address=1...0/24 list=A-LAN.List comment=”C+:
IPs.LAN1 permitidas” disable=yes;
/ip firewall address-list add address=1...0/24 list=A-LAN.List comment=”Cx:
# Nota: LANs, habilitadas en el RB.
# --------------------------------------- [ISPServers.IPs]
/ip firewall address-list add address=X.Y.Z.W/32 list=A-ISPSERVER.List comment=”Rx:
BGP/24.Server permitido” disable=yes;
/ip firewall address-list add address=1.1.1.1/32 list=A-ISPSERVER.List comment=”Rx:
DNS.Server permitido” disable=yes;
/ip firewall address-list add address=1.0.0.1/32 list=A-ISPSERVER.List comment=”Rx:
DNS.Server permitido” disable=yes;
/ip firewall address-list add address=209.244.0.3/32 list=A-ISPSERVER.List
comment=”Rx: DNS.Server permitido” disable=yes;
/ip firewall address-list add address=209.244.0.4/32 list=A-ISPSERVER.List
comment=”Rx: DNS.Server permitido” disable=yes;
# …
# ----------------------------------------- [RBNAT.IPs (especiales)]

# /ip firewall address-list add address=1...11/32 list=A-LAN.List comment=”Rx:
IP.AdminSpecialPort (ID: Zarate.Omni5G)” disable=yes;
# /ip firewall address-list add address=1...12/32 list=A-LAN.List comment=”Rx:
IP.AdminSpecialPort (ID: Zarate.ClientX)” disable=yes;
# …
# Nota: especificas IPs (no A-LAN.List), habilitadas x Nateo de Ports en el RB.

# ---------------------------------------- [ICMPWANSRC.Permitidos]
/ip firewall address-list add address=X.Y.Z.W1 list=A-ICMPWANSRC.List comment=”R+:
ICMPWANSRC.Permitido (ID: Publ.Admin)” disable=yes;
/ip firewall address-list add address=1.1.1.1 list=A-ICMPWANSRC.List comment=”R+:
ICMPWANSRC.Permitido (ID: Publ.DNS)” disable=yes;
/ip firewall address-list add address=1.0.0.1 list=A-ICMPWANSRC.List comment=”R+:
ICMPWANSRC.Permitido (ID: Publ.DNS)” disable=yes;
/ip firewall address-list add address=209.244.0.3/32 list=A-ICMPWANSRC.List
comment=”R+: ICMPWANSRC.Permitido (ID: Publ.DNS)” disable=yes;
/ip firewall address-list add address=209.244.0.4/32 list=A-ICMPWANSRC.List
comment=”R+: ICMPWANSRC.Permitido (ID: Publ.DNS)” disable=yes;
# …
Nota: ¿desbloquear (#), si fuese necesario, responder ping de los DNS?

# ----------------------------------- [ICMPWANDST.Permitidos] (ClientWAN.IPs)
/ip firewall address-list add address=X.Y.Z.W10-X.Y.Z.W42 list=A-ICMPWANDST.List
comment=”R+: ICMPWANDST.Permitido (ID: Familia )” disable=yes;
# …
# ---------------------------------------- [ICMPSRCLAN.Permitidos]
/ip firewall address-list add address=1...120 list=A-ICMPLANSRC.List comment=”R+:
ICMPLANSRC.Permitido (ID: Priv.Admin)” disable=yes;
ICMPLANSRC.Permitido (ID: Priv.Admin)” disable=yes;
ICMPLANSRC.Permitido (ID: ______,________________ )” disable=yes;
# …
# Nota: Se usará solo x ataque. Add IP.LANs, según requerimiento del Client.
# ---------------------------------------- [ICMPLANDST.Permitidos]
/ip firewall address-list add address=X.Y.Z.0/24 list=A-ICMPLANDST.List
comment=”R+: ICMPLANDST.Permitido (ID: Pool/24.VCI)” disable=yes;
/ip firewall address-list add address=1.1.1.1 list=A-ICMPLANDST.List comment=”Rx:
ICMPLANDST.Permitido (ID: Publ.DNS)” disable=yes;
/ip firewall address-list add address=1.0.0.1 list=A-ICMPLANDST.List comment=”Rx:
ICMPLANDST.Permitido (ID: Publ.DNS)” disable=yes;
/ip firewall address-list add address=209.244.0.3/32 list=A-ICMPLANDST.List
comment=”Rx: ICMPLANDST.Permitido (ID: Publ.DNS)” disable=yes;
/ip firewall address-list add address=209.244.0.4/32 list=A-ICMPLANDST.List
comment=”Rx: ICMPLANDST.Permitido (ID: Publ.DNS)” disable=yes;
# …
Nota: ¿desbloquear (#), si fuese necesario, emitir ping a los DNS?
# ----------------------------- [BOGON IPs]
/ip firewall address-list add address=169.254.0.0/16 list=A-BOGON.List comment=”R+:
BOGONIP: Rango IP.Privadas” disable=yes;
BOGONIP: ” disable=yes;
/ip firewall address-list add address=0.0.0.0/8 list=A-BOGON.List comment=”R:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=192.0.2.0/24 list= A-BOGON.List comment=”R+:
/ip firewall address-list add address=198.51.100.0/24 list=A-BOGON.List
comment=”R+: BOGONIP: --- ” disable=yes;
# Nota: (ips, actualmente, no asignadas a ninguna entidad, hay un monton mas).
# -------------------------------------------- [IP Public especiales]
# --------------------- [DOS.ATTACK]
/ip firewall address-list add address=1..255 list=A-DARK.List comment=”Rx: RB.Input
(IP.Drop)” disable=yes;
/ip firewall address-list add address=1..255 list=A-WHITE.List comment=”Rx:
RB.Input (IP.Accept)” disable=yes;
# --------------------- [BLACKHOLE]
/ip firewall address-list add address=10..1 list=A-BLACKHOLE.List comment=”R+:

RB.Forward (IP.Carnada: PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED)” disable=yes;
# --------------------- [ENACOM.OFF]
# …
# --------------------- [ENACOM.ON]
/ip firewall address-list add address=1..1 list=A-ENACOMACCEPT.List comment=”Cx:
Client.Forward (Accept x ENACOM (ID: ______,________________ ))” disable=yes;
# …
# Nota: CuevanaÌ(AS13335 - NetName: CLOUDFLARENET), limitar rangos.

# --------------------------------------------- [Alta-Conectividad.IPs]
# --------------------------------------------------------------------------- [x
Routers]
/ip firewall address-list add address=X.Y.Z.W/32 list=A-ALTACONECTIVIDAD.List
comment=”Rx: Alta-Conectividad (BGP/24.GateWay)” disable=yes;
/ip firewall address-list add address=X.A.B.W/32 list=A-ALTACONECTIVIDAD.List
comment=”Rx: Alta-Conectividad (BGP/23.GateWay)” disable=yes;
# ------------------------------------------
/ip firewall address-list add address=8.8.8.8/32 list=A-ALTACONECTIVIDAD.List
comment=”Rx: Alta-Conectividad (DNS.Publ: 8.8.8.8)” disable=yes;
# ------------------------------------------
/ip firewall address-list add address=1...1/32 list=A-ALTACONECTIVIDAD.List
comment=”R+: Alta-Conectividad (DNS.Priv: 1...1)” disable=yes;
/ip firewall address-list add address=2...2/32 list=A-ALTACONECTIVIDAD.List
comment=”R+: Alta-Conectividad (DNS.Priv: 2...2)” disable=yes;
# --------------------------------------------------------------------------- [x
Clientes]
/ip firewall address-list add address=1...1 list=C-ALTACONECTIVIDAD.List
comment=”Cx: Alta-Conectividad (ID: ______,________________)” disable=yes;
# …
# --------------------------------------------- [Promo.Franja-Horaria]
/ip firewall address-list add address=1..1 list=C-PROMO2DCLIENT.List comment=”C+:
Client.Promo (S-D)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO5DCLIENT.List comment=”C+:
Client.Promo (L-V)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO7MCLIENT.List comment=”Cx:
Client.Promo (7.Mañanas)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO7NCLIENT.List comment=”Cx:
Client.Promo (7.Noches)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMOXDCLIENT.List comment=”Cx:
Client.Promo (<Nombre>: 000D, expira el: 00/00/0000)” disable=yes;
# Nota: Promo.XD, Script.Ctrl hasta comment (fecha expira<fecha actual).
# --------------------------------------------- [Promo.Social-Media]
/ip firewall address-list add address=1..1 list=C-PROMO!FACEBOOK.List comment=”Cx:
Client.Promo (!RS.Facebook)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!YOUTUBE.List comment=”Cx:
Client.Promo (!RS.Youtube)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!NETFLIX.List comment=”Cx:
Client.Promo (!RS.Netflix)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!WHATSAPP.List comment=”Cx:
Client.Promo (!RS.Whatsapp)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!TWITTER.List comment=”Cx:
Client.Promo (!RS.Twitter)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!INSTAGRAM.List comment=”Cx:
Client.Promo (!RS.Instagram)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!SKYPE.List comment=”Cx:
Client.Promo (!RS.Skype)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!SPOTIFY.List comment=”Cx:
Client.Promo (!RS.Spotify)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!SNAPCHAT.List comment=”Cx:
Client.Promo (!RS.Snapchat)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!TELEGRAM.List comment=”Cx:
Client.Promo (!RS.Telegram)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!TWITCH.List comment=”Cx:
Client.Promo (!RS.Twitch)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!VIMEO.List comment=”Cx:
Client.Promo (!RS.Vimeo)” disable=yes;
# ---------------------------------------------------------------
[DNSs.Problematicos]
/ip firewall address-list add address=”probe-dradis-aws-only.prod.ftl.netflix.com”
list=S-NETFLIX.List comment=”Cx: QoS ( CDDNS.Problematico de Netflix: probe-dradis-
aws-only.prod.ftl.netflix.com)” disable=yes;
/ip firewall address-list add address=”probe-unified-aws-only.prod.ftl.netflix.com”
list=S-NETFLIX.List comment=”Cx: QoS ( DDDNS.Problematico de Netflix: probe-
unified-aws-only.prod.ftl.netflix.com )” disable=yes;
/ip firewall address-list add address=”oca-api.us-east-1.origin.prodaa.netflix.com”
list=S-NETFLIX.List comment=”Cx: QoS ( CDDNS.Problematico de Netflix: oca-api.us-
east-1.origin.prodaa.netflix.com )” disable=yes;
# …
# --------------------------------------------- [Drop VPN.DDNS]

/ip firewall address-list add address=1.0.0.255 list="V-CLIENTACCEPT.List"
comment=”Cx: VPN-Client.Permitido (ID: ______,________________ )” disable=yes;
# --------------------------------------------------------------------------
[(UltraSurf)]
/ip firewall address-list add address=104.20.61.0/24 list="V-DDNS.List"
comment=”Cx: Add.VPN-DDNS (UltraSurf.CloudFlare 1er.Serv)” disable=yes;
comment=”Cx: Add.VPN-DDNS (UltraSurf.CloudFlare 1er.Serv)” disable=yes;
# ------------------------------------
comment=”Cx: Add.VPN-DDNS (UltraSurf.CoreSpace 2do.Serv)” disable=yes;
/ip firewall address-list add address=64.182.0.0/16 list="V-DDNS.List" comment=”Cx:
Add.VPN-DDNS (UltraSurf.CoreSpace 2do.Serv)” disable=yes;
# -------------------------------------------------------------------------
[(------------)]
# …
# Nota: recordar que, según entiendo, las reglas de (Raw, Mangle y Filter), no
marcaran/bloquearan VPN.Conn de las IPP Fijas dadas a Clientes.
# Web.Proxy (Config y Protection): ------------------------------- [en
construcción]
/ip proxy set enabled=no; # Desactivo el
(Web.Proxy)
# ---------------------------------------------
# /ip proxy set enabled=yes; # Activo el
Web-Proxy
# /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 in-interface-list=LANs
comment=”Rx: Web.Proxy (Redireciona Port (80 a 8070)” action=redirect to-port=8070
disable=yes;
# Nota: si (on), redireccionar port (80a8070) y bloquear pedidos desde (WANs).
# Web.Proxy (Config y Protection): ------------------------------- [en
construcción]
# Schedulers.Config:
---------------------------------------------------------------------
/system scheduler add name=”TP (RB.PromoXDay-Cheq)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=”RB.PromoXDay-Cheq” comment="C+: ( RB.PromoXDay-
Cheq )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (AddressList.Ctrl (RedesSociales)“
start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event=”AddressList.Ctrl
(Redes Sociales)” comment="C+: ( AddressList.Ctrl (Redes Sociales) )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.IP-Change)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=”RB.IP-ChangeWAN1” comment="R+: ( RB.IP-
Change )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (RB.Reboot)" on-event="/system reboot" start-
date=dec/01/2017 start-time=hh:mm:ss interval=xd02:13:00 comment="Rx:
( RB.Reboot )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.QoSChange%)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=”RB.QoSChange% (xRate)” comment="Cx:
( RB.QoSChange% (xRate) )" disabled=yes;
# --------------------------------------------
/ system scheduler add name="TP (RB.BackUp-Config)" on-event="RB.BackUp-Config"
start-date=dec/01/2017 start-time=hh:mm:ss interval=1d comment="R+: ( RB.BackUp-
Config )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.BackUp-AddressList (RSC))“
start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event=”RB.BackUp-
AddressListRSC” comment="Rx: ( RB.BackUp-AddressList (RSC) )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.ISP-Stadistic)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=RB.ISP-Stadistic comment="C+: ( RB.ISP-Stadistic
)" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.BackUp-Log)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=RB.BackUp-Log comment="C+: ( RB.BackUp-Log )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (AddressList.DOSAttack-Alert)“
start-date=dec/01/2017 start-time=start interval=hh:mm:ss on-
event=”AddressList.DOSAttack-Alert” comment="R+: ( AddressList.DOSAttack-Alert )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (QS.ChangeAB)“ start-date=dec/01/2017 start-
time=start interval=hh:mm:ss on-event=”QS.ChangeAB” comment="C+: ( QS.ChangeAB )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (AddressList.AddIP-RSociales)“
start-date=dec/01/2017 start-time=start interval=hh:mm:ss on-
event=”AddressList.AddIP-RSociales” comment="C+: ( AddressList.AddIP-RSociales )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (AddressList.Ctrl (ServicesIPChange)“ start-
date=dec/01/2017 start-time=start interval=hh:mm:ss on-event=”AddressList.Ctrl
(ServicesIPChange)” comment="C+: ( AddressList.Ctrl (Services IP Change) )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (Client.Ctrl (ABTemp)“ start-date=dec/01/2017 start-
time=start interval=hh:mm:ss on-event=”Client.Ctrl (ABTemp)” comment="C+:
( Client.Ctrl (ABTemp) )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (Alert.LinkChange-RBLink)“ start-date=dec/01/2017
start-time=start interval=hh:mm:ss on-event=”Alert.LinkChange-RBLink” comment="Rx:
( RB.Alert.LinkChange-RBList )" disabled=yes;
# Micelaneos.Config:
---------------------------------------------------------------------
/ip socks set enabled=no;
/ip upnp set enabled=no;
/tool bandwidth-server set enabled=no;
/ip firewall connection tracking set enabled=yes; # Necesario x FastTrack
/ip settings set tcp-syncookies=yes; # Mitiga (DDoS)
/ip settings set rp-filter=strict; # Mitiga
(IPSpoofing: no test)
/snmp set enabled=no;
/ip cloud set ddns-enabled=yes update-time=yes; # Auto-Update DDNS.Server
# Nota: bloquea el RB.(agente.SNMP) para monitoreo externo (TCP.UDP (161-
162)ÌSNMP). Un agente.SNMP, almacena y recupera información tal como se definio por
el fabricante en las especificas (MIBs: lo que un control.SNMP (NMS) puede
preguntar a un agente.SNMP) de éste (SNMPv3).
#
-----------------------------------------------------------------------------------
--------
/system scheduler add name=RB.Reboot on-event="/system reboot" start-time=([/system

clock get time]+00:00:10); # Reiniciando (RB) en 10s
# [ 02 ] --------------------------- [ RB reinciando ]
------------------------------
# ---------------------------- [ Connections
Types ]-----------------------------------
# NEW: Intenta crear una nueva conexión.
# ESTABLISHED: El paquete forma parte de una conexión ya existente.
# RELATED: El paquete está relacionado, aunque realmente no forma parte de una
conexión existente.
# INVALID: El paquete ni es parte de una conexión existente ni intenta crear una
nueva conexión.
#
-----------------------------------------------------------------------------------
--------
/system scheduler set [/system scheduler get [find name=”RB.Reboot”] value-

name=name] disable=yes; # Deshabilito tarea (RB.Reboot anterior)
# ------------------------------------------------------------------------------
[INI]
#
-----------------------------------------------------------------------------------
--
# -------------------------- Reglas básica del Firewall:
---------------------------
#
-----------------------------------------------------------------------------------
--
#
-----------------------------------------------------------------------------------
--
# Recorre, en forma descendente, las listas del firewall, hasta cumplirse las
condiciones de una regla (accept o drop). Ergo: disponer, las mas probables arriba
y en secuencia (de estar relacionadas).
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------------------ [Raw]
---------------------------------------
#
-----------------------------------------------------------------------------------
-------
# Reglas x Mitigar (DoS Attacks): ---------------------------------------------

[INI]
# El (1.Raw), es previo a (2.Connection-Tracking 3.Mangle, 4.NAT y 5.Filter). Ergo:
RAM-, e igual efectividad que el firewall (CPU-) y sirve, tanto x (Forward) como x
(Input). Ante un ataque masivo, mis reglas no son efectivas. (log=yes – save MAC –,
only x ataque).
# -------------------------------------------------------------- [x
DNSTCPFlood.WAN]
/ip firewall raw add chain=prerouting protocol=tcp dst-port=53 in-interface-
list=WANs comment=“001Rx: Guardo.1h (src-IP en T-DOSDNSTCPWAN.List x
Input.DNSTCPConn desde WANs)” action=add-src-to-address-list log=no log-
prefix="[DOS-DNSTCPWAN.Flood]: " address-list=T-DOSDNSTCPWAN.List address-list-
timeout=1h disable=yes;
list=WANs comment="002R+: Mitiga (DNSTCPWAN.Flood)" action=drop disable=yes;
# ------------------------------------------------------------- [x DNSUDPFlood.WAN]
/ip firewall raw add chain=prerouting protocol=udp dst-port=53 in-interface-
list=WANs comment=“003Rx: Guardo.1h (src-IP en T-DOSDNSUDPWAN.List x
Input.DNSUDPConn desde WANs)” action=add-src-to-address-list log=no log-
prefix="[DOS-DNSUDPWAN.Flood]: " address-list=T-DOSDNSUDPWAN.List address-list-
list=WANs comment="004R+: Mitiga (DNSUDPWAN.Flood)" action=drop disable=yes;
# Nota: crea redundancia, pues en (Filter), bloqueo lo no-aceptado; pero sirve para
proteger (ClientIPPub.Port (53)).
# ------------------------------------------------------- [x UDPACKFlood.WAN/LAN]
/ip firewall raw add chain=output protocol=icmp out-interface-list=WANs dst-
address-list=!A-ICMPWANSRC.List icmp-options=3:3 limit=1000/5s,5:packet
comment=“005Cx: Guardo.1h (src-IP en T-DOSUDPACK.List x Input.UDPACKFlood)”
action=add-dst-to-address-list log=no log-prefix="[DOS-UDPACK.Flood]: " address-
list=T-DOSUDPACK.List address-list-timeout=1h disable=yes;
/ip firewall raw add chain=output protocol=icmp out-interface-list=WANs dst-
address-list=!A-ICMPWANSRC.List icmp-options=3:3 limit=1000/5s,5:packet
comment="006R+: Mitigo (UDPACK.Flood x ICMP.ACK [ 3:3 port unreachable ])"
action=drop disable=yes;
# Nota: cuando el RB recibe un UDP.Packet (Port), revisa si existen programas
escuchando dicho (Port), de no existir, envia un (ICMP.PortACK, 3:3) al origen,
avisando que (destino unreachable). Cuidado con (dst-address-list).
# ------------------------------------------------------------------ [x
IPSpoofing.LAN]
# ACK: Confirma conexión.
# PSH: Fuerza priorización del paquete en destino y obliga esperar otro.
# RST: Indica que se debe reiniciar la conexión.
# SYN: Indica que se pretende iniciar una conexión.
# FIN: Indica la finalización de una conexión.
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=!A-
LAN.List comment=“007Rx: Guardo.1h (src-IP en T-DOSIPSPOOFLAN.List x
Input/Forward.Conn desde !A-LAN.List)” action=add-src-to-address-list log=yes log-
prefix="[DOS-IPSPOOFLAN.BCP38]: " address-list=T-DOSIPSPOOFLAN.List address-list-
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=!A-
LAN.List comment="008R+: Mitigo.IPSpoofingLAN (x Input/Forward.Conn desde !A-
LAN.List)" action=drop disable=yes;
# ----------------------------------------------------------------- [x
ICMPFlood.WAN]
# ------------------------------------ [x Client.IPPub (WAN)]
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs dst-
address-list=A-ICMPWANDST.List limit=50/5s,5:packet comment=“009Cx: Guardo.1h (src-
IP en T-DOSICMPWANDST.List x ICMPWANDST.Flood)” action=add-src-to-address-list
log=no log-prefix="[DOS-ICMPWANDST.Flood]: " address-list=T-DOSICMPWANDST.List
address-list-timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs dst-
address-list=A-ICMPWANDST.List limit=50/5s,5:packet comment=“010C+:
Acepto.InputICMP-Limitado (desde src-IP hacia ICMPWANDST.List)” action=accept
disable=yes;
# Nota: tambien se supera (limit=50/5s,5:p) con (ping x.x.x.x –l 8873 –t).
# ---------------------------------------- [x RB.IPPub (WAN)]

# Regla x RBACCESS (x ByteKnocking - ICMP): ---------------------------- [INI]
# (A: Administrativo), (P: Privilegiado – durante ataques –) y (L: Liberado).
# ------------------------------------------ [Acceso Administrativo (x PKnocking)]
/ip firewall raw add chain=prerouting protocol=icmp packet-size=700 in-interface-
list=WANs src-address-list=!A-ADMIN.List limit=50/5s,5:packet log=no log-
prefix="[ BKnocking1-1 (A) ]: " action=add-src-to-address-list comment=“011R>:
BKnocking1-1 (A) (Add.60s src-IP a A-ADMIN.List x Input.ICMP)” address-list=A-
ICMPWANSRC.List address-list-timeout=60s disable=yes;
# --------------------------------------------- [Acceso Privilegiado (x PKnocking)]

/ip firewall raw add chain=prerouting protocol=icmp packet-size=800 in-interface-
list=WANs src-address-list=!A-ADMIN.List limit=50/5s,5:packet log=no log-
prefix="[ BKnocking1-1 (P) ]: " action=add-src-to-address-list comment=“011R<:
BKnocking1-1 (P) (Add.60s src-IP a A-ADMIN.List x Input.ICMP)” address-list=A-
ICMPWANSRC.List address-list-timeout=60s disable=yes;
# --------------------------------------------------------- [Acceso Liberado (x

Port)]
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs
limit=50/5s,5:packet log=no log-prefix="[ ICMP.Free (L) ]: " action=add-src-to-
address-list comment=“011R*: ICMP.Free (L) (Add.60s src-IP a A-ADMIN.List x
Input.ICMP)” address-list=A-ICMPWANSRC.List address-list-timeout=60s disable=yes;
# Nota: 60s+, y la IP deja de ser valida (ping IP -l {700/800=((672/772)+(28 –
cabezera de paquete TCP –))}.
# Regla x RBACCESS (x ByteKnocking - ICMP): ---------------------------- [FIN]
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs src-

address-list=A-ICMPWANSRC.List limit=100/5s,5:packet comment=“012R+:
Acepto.InputICMP-Limitado (desde A-ICMPWANSRC.List)” action=accept disable=yes;
# Nota: tambien se supera (limit=100/5s,5:p) con (ping x.x.x.x –l 17753 –t). Dado
que, (Raw.Accept) no llega hasta (Filter), es necesario un (Filter.Accept).
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs src-
address-list=!A-ICMPWANSRC.List comment=“013Rx: Guardo.1h (src-IP en T-
DOSICMPWANSRC.List x !A-ICMPWANSRC.List, posible ICMPWAN.Flood)” action=add-src-to-
address-list log=no log-prefix="[DOS-ICMPWANSRC.Flood]: " address-list=T-
DOSICMPWANSRC.List address-list-timeout=1h disable=yes;
# Nota: no graba, si el ataque: (es de src-A-ICMPWANSRC y supera limit).
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs
comment=“014R+: Bloqueo.Resto de InputICMP.Conn (hacia WANs)” action=drop
disable=yes;
# Nota: Si (icmp-type=!0:0 action=drop), el RB, pide y recibe ecos, mas no los
responde.
# ----------------------------------------------------------------- [x
ICMPFlood.LAN]
# ------------------------------------ [x RB.IPPri (src-LANs)]
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs src-
address-list=A-ICMPLANSRC.List limit=50/5s,5:packet comment=“015Rx:
Acepto.InputICMP-Limitado (desde A-ICMPLANSRC.List)” action=accept disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs src-
address-list=!A-ICMPLANSRC.List comment=“016Rx: Guardo.1h (src-IP en T-
DOSICMPLANSRC.List x !A-ICMPLANSRC.List, debido a ICMPLAN.Limit)” action=add-src-
to-address-list log=no log-prefix="[DOS-ICMPLANSRC.Flood]: " address-list=T-
DOSICMPLANSRC.List address-list-timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs
comment=“017Rx: Bloqueo.Resto de InputICMP.Conn (desde LANs)” action=drop
disable=yes;
# Nota: activar solo x uso de ICMPLANSRC.Limit (desactivar Forward ICMP.Jump) o
ICMP.LAN-Attack.
# ------------------------------------ [x RB.IPPri (dst-LANs)]

/ip firewall raw add chain=output protocol=icmp in-interface-list=LANs dst-address-
list=A-ICMPLANDST.List limit=50/5s,5:packet comment=“018Rx: Acepto.OutputICMP-
Limitado (hacia A-ICMPLANDST.List)” action=accept disable=yes;
/ip firewall raw add chain=output protocol=icmp in-interface-list=LANs dst-address-
list=!A-ICMPLANDST.List comment=“019Rx: Guardo.1h (src-IP en T-DOSICMPLANDST.List x
!A-ICMPLANDST.List, debido a ICMPLAN.Limit)” action=add-src-to-address-list log=no
log-prefix="[DOS-ICMPLANDST.Flood]: " address-list=T-DOSICMPLANDST.List address-
list-timeout=1h disable=yes;
/ip firewall raw add chain=output protocol=icmp in-interface-list=LANs
comment=“020Rx: Bloqueo.Resto de OutputICMP.Conn (hacia LANs)” action=drop
disable=yes;
# Nota: activar solo x uso de ICMPLANDST.Limit (desactivar Forward ICMP.Jump) o
ICMP.LAN-Attack.
[FIN]
# Reglas x Ctrl.Client (x C-CLIENTDROP.List x VPN-DDNS.List): -------- [INI]

# Eficiencia+, pero CPU+ que usar reglas en (Filter.Input/Forward).
# ------------------------------------------------------------- [x VPN-DDNS.LAN-
P53]
list=LANs src-address-list="V-T30SCLIENTDROP.List" comment=”050Cx: Drop.DNSUDP
(src-Address de V-T30SCLIENTDROP.List x VPN.Conn)” action=drop disable=yes;
list=LANs src-address-list="V-T30SCLIENTDROP.List" comment=”051Cx: Drop.DNSTCP
(src-Address de V-T30SCLIENTDROP.List x VPN.Conn)” action=drop disable=yes;
# Nota: (src-address-list="V-T30SCLIENTDROP.List"), usado x Drop.VPN-DDNS.
# --------------------------------------------------------------------- [x
CLIENT.DROP]
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=C-
CLIENTDROP.List comment=”060Cx: Bloqueo (Input/Forward.Conn desde C-
CLIENTDROP.List)” action=drop disable=yes;
#... (constituir seguidamente, solo x ataque desde (C-CLIENTDROP.List), el resto de

reglas de Control de Clientes (Drop), antes de los (Accept) de (Filter)).
Desactivar, homónimos en (Filter).
# Reglas x Ctrl.Client (x C-CLIENTDROP.List x VPN-DDNS.List): -------- [FIN]
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------------------ [Raw]
---------------------------------------
#
-----------------------------------------------------------------------------------
-------
#
-----------------------------------------------------------------------------------
[INI]
# ----------------------------------------- [Filter]
---------------------------------------
#
-----------------------------------------------------------------------------------
--------
# Reglas x Aceleracion de Tráfico: ------------------------------------------ [INI]

/ip firewall filter add chain=forward connection-state=established,related
comment=”001C+: Acepto (Forward.Conn=Establecidas y Relacionadas)” action=accept
disable=yes;
/ip firewall filter add chain=input connection-state=established,related
comment=”002R+: Acepto (Input.Conn=Establecidas y Relacioadas)” action=accept
disable=yes;
/ip firewall filter add chain=forward connection-state=invalid comment=”003C+:
Rechazo (Forward.Conn=Invalidas)” action=drop disable=yes;
/ip firewall filter add chain=input connection-state=invalid comment=”004R+:
Rechazo (Input.Conn=Invalidas)” action=drop disable=yes;
# Reglas x Aceleracion de Tráfico: ------------------------------------------ [FIN]
[INI]
# ---------------------------------- Opcion.01 (>) ------------------------ [INI]
# (A), referencia una regla que tanto puede aplicarse a (R) como a (C). Recomiendan
que: (burst>=rate).
# ---------------------------------------------------------------- [x TCPFlood/src-
dst]
/ip firewall filter add chain=forward comment=”005A>: JUMP.Make (Forward.DOSJUMP to
new-chains.Forward)” action=jump jump-target=DOS.Jump disable=yes;
/ip firewall filter add chain=DOS.Jump dst-limit=164,164,src-and-dst-addresses/10s
comment=”006A>: Acepto (hasta un Packet-Limit=164p/s-Burst=164p/s x src-dst)”
action=return disable=yes;
/ip firewall filter add chain=DOS.Jump src-address-list=C-ALTACONECTIVIDAD.List
dst-limit=512,512,src-and-dst-addresses/10s action=return log=no log-prefix="[DOS-
TCP.Flood/Excepcion.C]: " comment=”007A>: Acepto Excepciones.aPacket-Limit (desde
src-C-ALTACONECTIVIDAD.List, hasta 512p/s-Burst=512p/s x src-dst)” disable=yes;
/ip firewall filter add chain=DOS.Jump src-address-list=!A-ALTACONECTIVIDAD.List
log=no log-prefix="[DOS-TCP.Flood/src]: " comment=”008A>: Add.5m (src-Address a T-
DOSTCPFSRC.List si src-Address=!A-ALTACONECTIVIDAD.List)” action=add-src-to-
address-list address-list=T-DOSTCPFSRC.List address-list-timeout=5m disable=yes;
/ip firewall filter add chain=DOS.Jump src-address-list=!A-ALTACONECTIVIDAD.List
log=no log-prefix="[DOS-TCP.Flood/dst]: " comment=”009A>: Add.5m (dst-Address a T-
DOSTCPFDST.List si src-Address=!A-ALTACONECTIVIDAD.List)” action=add-dst-to-
address-list address-list=T-DOSTCPFDST.List address-list-timeout=5m disable=yes;
/ip firewall filter add chain=forward src-address-list=T-DOSTCPFSRC.List dst-
address-list=T-DOSTCPFDST.List action=drop log=no log-prefix="[DOS-TCP.Flood/src-
dst]: " comment=”010A>: Bloqueo (src-dst x Packet-Limit+)” disable=yes;
# Nota: acepto (src-A-AltaC, dst-C-AltaC), rechazo (src-C-AltaC, dst-A-AltaC) y
rechazo (src-C-AltaC, dst-C-AltaC). Habilitar (Rx: A-AltaC), solo en caso de
(IPSpoofing.WAN).
# ---------------------------------- Opcion.01 (>) -----------------------------
[FIN]
# ---------------------------------- Opcion.02 (<) -----------------------------

[INI]
# --------------------------------------------------------------------- [x
TCPFlood/32]
# En (Raw), dropearia cada connection TCP (new o establecida) de T-
DOSTCPF____.List, provocando en las LANs, un Client.IPDrop. Siendo que, lo que
busco, es limitar las connection x IP a (IN: 200+/32)/FW: 400+/32).
# --------------------------------------------- [x TCPFlood/32.IN]
/ip firewall filter add chain=input protocol=tcp src-address-list=T-DOSTCPFIN.List
connection-limit=20,32 comment="005R<: Limito (a 20/32 Input.TarpitType
(ralentizadas) a los de T-DOSTCPFIN.List)" action=tarpit disabled=yes;
/ip firewall filter add chain=input protocol=tcp src-address-list=!C-
ALTACONECTIVIDAD.List connection-limit=200,32 comment="006R<: Guardo.1h (src-IPs en
T-DOSTCPFIN.List x 200+/32 Input.TCP)” action=add-src-to-address-list log=yes log-
prefix="[DOS-TCP.Flood/IN32]: " address-list=T-DOSTCPFIN.List address-list-
timeout=1h disabled=yes;
# --------------------------------------------- [x TCPFlood/32.FW]
/ip firewall filter add chain=forward protocol=tcp src-address-list=T-
DOSTCPFFW.List connection-limit=40,32 comment="007R<: Limito (a 40/32
Forward.TarpitType (ralentizadas) a los de T-DOSTCPFFW.List)" action=tarpit
disabled=yes;
/ip firewall filter add chain=forward protocol=tcp src-address-list=!C-
ALTACONECTIVIDAD.List connection-limit=400,32 comment="008R<: Guardo.1h (src-IPs en
T-DOSTCPFFW.List x 400+/32 Forward.TCP)” action=add-src-to-address-list log=yes
log-prefix="[DOS-TCP.Flood/FW32]: " address-list=T-DOSTCPFFW.List address-list-
timeout=1h disabled=yes;
# … (reservado hasta 011R)
# Nota: (Tarpit), usa CPU+ que (Drop), ya que mantiene la conexión establecida,
reduciendo su trafico hasta cero, evitando asi, que el atacante cree una new-
connection al hacerle nosotros un (Drop).
# -------------------------------------------------------------------------- [x
SYNFlood]
# En (Raw), dropearia cada connection SYN (new o establecida) de T-DOSSYN____.List,
provocando en las LANs, un Client.IPDrop. Siendo que, lo que busco, es limitar las
connection x Chain a (IN: 150+/s)/FW: 600+/s). Activar, las next 4 reglas, solo en
caso de (DoSAttack.SYNFlood), estando usando (Opcion.02) y determinar valores
reales para: (IN/FW).
# ------------------------------------------------------- [x SYNFlood.IN]
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn limit=150,5:packet
comment="012Cx: Guardo.1h (src-IP en T-DOSSYNIN.List x posible Input.SYNFlood)"
action=add-src-to-address-list log=no log-prefix="[DOS-InputSYN.Flood]: " address-
list=T-DOSSYNIN.List address-list-timeout=1h disable=yes;
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn limit=150,5:packet
comment="013Cx: Bloqueo (x 150+/s Input.SYN-Conn simultaneas x posible
Input.SYNFlood)" action=drop disabled=yes;
# ------------------------------------------------------- [x SYNFlood.FW]
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn limit=600,5:packet
comment="014Cx: Guardo.1h (src-IP en T-DOSSYNFW.List x posible Forward.SYNFlood)"
action=add-src-to-address-list log=no log-prefix="[DOS-ForwardSYN.Flood]: "
address-list=T-DOSSYNFW.List address-list-timeout=1h disable=yes;
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn limit=600,5:packet
comment="015Cx: Bloqueo (x 600+/s Forward.SYN-Conn simultaneas x posible
Input.SYNFlood)" action=drop disabled=yes;
# Nota: x descubrir (IP.Externa), cambiar en (IN/FW) a: (action=add-dst-to-address-
list).
# ---------------------------------- Opcion.02 (<) -----------------------------
[FIN]
# ------------------------------------------------------------------- [x
NTPFlood.WAN]
/ip firewall filter add chain=input protocol=udp dst-port=123 in-interface-
list=WANs comment="016Rx: Guardo.1h (src-IPs en T-DOSNTPWAN.List x posible
Input.NTPWANFlood)" action=add-src-to-address-list log=no log-prefix="[DOS-
NTPWAN.Flood]: " address-list=T-DOSNTPWAN.List address-list-timeout=1h
disabled=yes;
/ip firewall filter add chain=input protocol=udp dst-port=123 in-interface-
list=WANs comment="017R+: Bloqueo (src-IP x posible DOSNTPWAN.Flood)" action=drop
disabled=yes;
# Nota: x posicionarse después de (Aceleracion de Trafico), no pregunto x
(connection-state=new), para asegurarme que solo bloquee trafico NTP iniciado
externamente. No puede hacerla funcionar en (Raw).
# ------------------------------------------------------------ [x dst-
LANIP.BlackHole]
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=A-
BLACKHOLE comment=“018Cx: Guardo.1h (src-IP en T-BLACKHOLE.List x Forward.Conn no
permitido hacia RB.IPPubClient)” action=add-src-to-address-list log=no log-
prefix="[DOS-RBIPPubClient.BLACKHOLE]: " address-list=T-DOSBLACKHOLE.List address-
list-timeout=1h disable=yes;
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=A-
BLACKHOLE comment="019C+: Mitigo.DOSIPPubClient (ForwardConn no permitido hacia
RB.IPPubClient)" action=drop disable=yes;
# Nota: considerar usar (tarpit) o mandarlo a un PC.Carnada.
# -------------------------------------------------------------- [x dst-
LANIP.UnKnow]
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=!A-
LAN.List comment=“020Rx: Guardo.1h (src-IP en T-DOSdstLANIPUK.List x Forward.Conn
hacia !A-LAN.List)” action=add-src-to-address-list log=no log-prefix="[DOS-
dstLANIP.UnKnow]: " address-list=T-DOSdstLANIPUK.List address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=!A-
LAN.List comment="021R+: Mitigo.dstLANIPUnKnow (x Forward.Conn hacia !A-LAN.List)"
# ------------------------------------------------------------- [x
PortScan.WAN/LAN]
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 comment="022Rx:
Guardo.1h (src-IPs en T-DOSPORTSCAN.List x posible Input.PortScan)" action=add-src-
to-address-list log=no log-prefix="[DOS-Input.PortScan]: " address-list=T-
DOSPORTSCAN.List address-list-timeout=1h disabled=yes;
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 comment="023R+:
Bloqueo (src-IP x posible Input.PortScan)" action=drop disabled=yes;
# Nota: no uso (src-address-list=!A-ADMIN.List) x posible infeccion. Cuidado: si,

el atacante, usa las IPs de mis DNS.Externos (IP.Spoofing), termino por auto-
bloquearme. Alternativa de amplio expectro: (tcp-flags=fin,syn,rst,psh,ack,urg).
[FIN]
# Regla x Drop (A-DARK.List desde Input): -----------------------------------------

/ip firewall filter add chain=input src-address-list=A-DARK.List comment=”026Rx:
Rechazo (Input.Conn desde A-DARK.List)” action=drop disable=yes;
# Nota: Precisión-, al excluir (in-interface-list=WANs), para CPU-.
# Regla x Accept (A-WHITE.List desde Input): -------------------------------------

/ip firewall filter add chain=input src-address-list=A-WHITE.List comment=”027Rx:
Acepto (Input.Conn desde A-WHITE.List)” action=accept disable=yes;
# Nota: Precisión-, al excluir (in-interface-list=WANs), para CPU-.
# Regla x Accept (Input.ICMP desde ICMPWANSRC.List): -----------------------

/ip firewall filter add chain=input protocol=icmp in-interface-list=WANs src-
address-list=A-ICMPWANSRC.List limit=100/5s,5:packet comment=“028R+:
Acepto.InputICMP-Limitado (desde A-ICMPWANSRC.List)” action=accept disable=yes;
# Regla x RBACCESS (x Access.Type - WINBOX): -------------------------- [INI]

# (A: Administrativo), (P: Privilegiado – durante ataques –) y (L: Liberado).
/ip firewall filter add chain=input protocol=tcp dst-port=3335-3336 src-address-
list=A-ADMIN.List comment="029R>: Acepto (A) (only Input.RBACC desde A-ADMIN.List)"
action=accept disable=yes;

/ip firewall filter add chain=input protocol=tcp dst-port=3333-3334 src-address-
list=A-ADMIN.List comment="029R<: Acepto (P) (only Input.RBACC desde A-ADMIN.List)"
# --------------------------------------------------------- [Acceso Liberado (x

Port)]
/ip firewall filter add chain=input protocol=tcp dst-port=3333-3334 comment="029R*:
Acepto (L) (only Input.RBACC desde AnyIP)" action=accept disable=yes;
# Nota: only RBACC.TCPP (debo cambiar los ports de IP/Services).
# Regla x RBACCESS (x Access.Type - WINBOX): -------------------------- [FIN]
# Regla x RBACCESS (x PortKnocking - WINBOX): ------------------------ [INI]

/ip firewall filter add chain=input protocol=tcp dst-port=111 comment=“030R>:
PKnocking1-3 (A) (Add.30s src-IP a T-RBACCS1.List x Input.RBACC)” log=no log-
prefix="[ PKnocking1-3 (A) ]: " action=add-src-to-address-list address-list=T-
RBACCS1.List address-list-timeout=30s disable=yes;
/ip firewall filter add chain=input protocol=tcp dst-port=112 src-address-list=T-
RBACC-S1.List comment=“031R>: PKnocking2-3 (A) (Add.30s src-IP a T-RBACCS2.List x
Input.RBACC)” log=no log-prefix="[ PKnocking2-3 (A) ]: " action=add-src-to-address-
list address-list=T-RBACCS2.List address-list-timeout=30s disable=yes;
RBACC-S2.List comment=“032R>: PKnocking3-3 (A) (Add.15m src-IP a A-ADMIN.List x
Input.RBACC)” log=no log-prefix="[ PKnocking3-3 (A) ]: " action=add-src-to-address-
list address-list=A-ADMIN.List address-list-timeout=15m disable=yes;

/ip firewall filter add chain=input protocol=tcp dst-port=22 comment=“030R<:
PKnocking1-3 (P) (Add.30s src-IP a T-RBACCS1.List x Input.RBACC)” log=no log-
prefix="[ PKnocking1-3 (P) ]: " action=add-src-to-address-list address-list=T-
RBACCS1.List address-list-timeout=30s disable=yes;
RBACC-S1.List comment=“031R<: PKnocking2-3 (P) (Add.30s src-IP a T-RBACCS2.List x
Input.RBACC)” log=no log-prefix="[ PKnocking2-3 (P) ]: " action=add-src-to-address-
list address-list=T-RBACCS2.List address-list-timeout=30s disable=yes;
RBACC-S2.List comment=“032R<: PKnocking3-3 (P) (Add.15m src-IP a A-ADMIN.List x
Input.RBACC)” log=no log-prefix="[ PKnocking3-3 (P) ]: " action=add-src-to-address-
list address-list=A-ADMIN.List address-list-timeout=15m disable=yes;
# Nota: +30s, y la IP deja de ser valida. Hasta que, la sesión (conexión no
finalice: winbox o ping) no se de por finalizada, la IP en cuestion, continuara
habilitada por mas tiempo que (15m o 60s).
# Regla x RBACCESS (x PortKnocking - WINBOX): ------------------------ [FIN]
# Regla x RBACCESS (save src-!A-ADMIN.List - WINBOX): ----------------------

/ip firewall filter add chain=input src-address-list=!A-ADMIN.List protocol=tcp
dst-port=3333-3336 comment=“033Rx: Guardo.1d (src-IP en T-RBACCUK.List x
Input.RBACCUnKnow desde !A-ADMIN.List)” action=add-src-to-address-list log=no log-
prefix="[RBACC.UnKnow]: " address-list=T-RBACCUK.List address-list-timeout=1d
disable=yes;
# Nota: x secuenciación de mí (Firewall), sin +reglas, no puedo evitar usar algunos

(port).
# Reglas x Ctrl.Client (x C-CLIENTDROP.List): -------------------------------------

/ip firewall filter add chain=input in-interface-list=LANs src-address-list=C-
CLIENTDROP.List comment=”034Cx: Bloqueo (Input.Conn desde C-CLIENTDROP.List)”
# Nota: regla escasamente relevante, tan solo, aumenta el nivel de bloqueo.
# Regla x Accept (LANInput.Trafic-Autorizado): ----------------------------------

/ip firewall filter add chain=input in-interface-list=LANs src-address-list=A-
LAN.List comment=“035R+: Acepto (only LAN-Input.Conn desde A-LAN.List)”
# Nota: precisión-, dado que, no especifico segmento IP permitido x interface.
# Regla x Drop (Input.Rest-Trafic):

-------------------------------------------------
/ip firewall filter add chain=input comment=“036R+: Bloqueo (resto de Input.Conn)”
# Nota: x CPU-, las reglas que save IPs (ej: no-PKnocking), deben deshabilitarse o
eliminarse, dejando solo el bloqueo de las mismas.
# Regla x Drop (Forward.Bogons): --------------------------------------------------

/ip firewall filter add chain=forward dst-address-list=A-BOGON.List comment="042C+:
Bloqueo (Forward.Conn desde A-BOGON.List)" action=drop disable=yes;
# Nota: precisión-, al excluir la condicion (out-interface-list=WANs), para CPU-.
# Reglas x Mitigar (Email.Spam):

----------------------------------------------------
/ip firewall filter add chain=forward protocol=tcp dst-port=25,110,587,993,995
connection-limit=30,32 limit=30/1m,0 comment="043Cx: Guardo.1h (src-IP en T-
EMAILSPAM.List x posible Email.Spam)" action=add-src-to-address-list log=no log-
prefix="[EMAIL.SPAM]: " address-list=T-EMAILSPAM.List address-list-timeout=1h
disabled=yes;
/ip firewall filter add chain=forward protocol=tcp dst-port=25,110,587,993,995
connection-limit=30,32 limit=30/1m,0 comment="044Cx: Mitigo.EMAILSPAM (Forward.TCP
[ 25,110,587,993,995 ] x posible Email.Spam)" action=drop disabled=yes;
# Reglas x Ctrl.Client (Estado): -----------------------------------------------

[INI]
# En (Raw), dropearian mas eficientemente, pero implicaria CPU+.
# Reglas x Ctrl.Client-Basic (x C-CLIENTDROP.List): -----------------------------
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
CLIENTDROP.List comment=”045C+: Bloqueo (Forward.Conn desde C-CLIENTDROP.List)”
# Nota: Precisión+, al incluir la condicion (in-interface-list=LANs), CPU+. Dada la
posición en (Firewall.Filter), es necesario eliminar sus conexiones existentes en
(Connections), para surtir efecto al agregar IP a (Address-List).
# Reglas x Ctrl.Promo-Franjas (x C-PPROMO__CLIENT.List): ----------- [INI]

PROMO2DCLIENT.List comment=”046C+: Ctrl.Promo (bloqueo Forward.Conn desde C-
PROMO2DCLIENT.List)” time=00:00:00-1d,mon,tue,wed,thu,fri action=drop disable=yes;
PROMO5DCLIENT.List comment=”047C+: Ctrl.Promo (bloqueo Forward.Conn desde C-
PROMO5DCLIENT.List)” time=00:00:00-1d,sat,sun action=drop disable=yes;
PROMO7MCLIENTP.List comment=”048Cx: Ctrl.Promo (bloqueo Forward.Conn desde C-
PROMO7MCLIENT.List)” time=19:00:00-07:00:00,mon,tue,wed,thu,fri,sat,sun action=drop
disable=yes;
PROMO7NCLIENT.List comment=”049Cx: Ctrl.Promo (bloqueo Forward.Conn desde C-
PROMO7NCLIENT.List)” time=07:00:00-19:00:00,mon,tue,wed,thu,fri,sat,sun action=drop
disable=yes;
# … (reservado hasta 055C)
# Nota: precisión+, al incluir la condicion (in-interface=LANs), aunque CPU+.

Importante: el Ctrl.Promo de (C-PROMOXDCLIENT.List) se hace x script.
# Reglas x Ctrl.Promo-Franjas (x C-PPROMO__CLIENT.List): ----------- [FIN]
# Reglas x Ctrl.Promo-SocialMedia (x C-PPROMO______.List): --------- [INI]
PROMO!YOUTUBE.List dst-address-list=S-YOUTUBE.List comment=”056Cx: Ctrl.Promo
(bloqueo Youtube.Servers x src-IP of C-PROMO!YOUTUBE.List)” action=drop
disable=yes;
PROMO!FACEBOOK.List dst-address-list=S-FACEBOOK.List comment=”057Cx: Ctrl.Promo
(bloqueo Facebook.Servers x src-IP of C-PROMO!FACEBOOK.List)” action=drop
disable=yes;
PROMO!NETFLIX.List dst-address-list=S-NETFLIX.List comment=”058Cx: Ctrl.Promo
(bloqueo Netflix.Servers x src-IP of C-PROMO!NETFLIX.List)” action=drop
disable=yes;
PROMO!WHATSAPP.List dst-address-list=S-WHATSAPP.List comment=”059Cx: Ctrl.Promo
(bloqueo Whatsapp.Servers x src-IP of C-PROMO!WHATSAPP.List)” action=drop
disable=yes;
PROMO!TWITTER.List dst-address-list=S-TWITTER.List comment=”060Cx: Ctrl.Promo
(bloqueo Twitter.Servers x src-IP of C-PROMO!TWITTER.List)” action=drop
disable=yes;
PROMO!INSTAGRAM.List dst-address-list=S-INSTAGRAM.List comment=”061Cx: Ctrl.Promo
(bloqueo Instagram.Servers x src-IP of C-PROMO!INSTAGRAM.List)” action=drop
disable=yes;
PROMO!SKYPE.List dst-address-list=S-SKYPE.List comment=”062Cx: Ctrl.Promo (bloqueo
Skype.Servers x src-IP of C-PROMO!SKYPE.List)” action=drop disable=yes;
PROMO!SPOTIFY.List dst-address-list=S-SPOTIFY.List comment=”063Cx: Ctrl.Promo
(bloqueo Spotify.Servers x src-IP of C-PROMO!SPOTIFY.List)” action=drop
disable=yes;
PROMO!SNAPCHAT.List dst-address-list=S-SNAPCHAT.List comment=”064Cx: Ctrl.Promo
(bloqueo Snapchat.Servers x src-IP of C-PROMO!SNAPCHAT.List)” action=drop
disable=yes;
PROMO!TELEGRAM.List dst-address-list=S-TELEGRAM.List comment=”065Cx: Ctrl.Promo
(bloqueo Telegram.Servers x src-IP of C-PROMO!TELEGRAM.List)” action=drop
disable=yes;
PROMO!TWITCH.List dst-address-list=S-TWITCH.List comment=”066Cx: Ctrl.Promo
(bloqueo Twitch.Servers x src-IP of C-PROMO!TWITCH.List)” action=drop disable=yes;
PROMO!VIMEO.List dst-address-list=S-VIMEO.List comment=”067Cx: Ctrl.Promo (bloqueo
Vimeo.Servers x src-IP of C-PROMO!VIMEO.List)” action=drop disable=yes;
# Nota: precisión+, al incluir la condicion (in-interface-list=WANs), CPU+.

# Reglas x Ctrl.Promo-SocialMedia (x C-PPROMO______.List): --------- [FIN]
# Reglas x Ctrl.Client (Estado): -----------------------------------------------
[FIN]
# Reglas x Drop (específicos Servicios.IP): -----------------------------------

[INI]
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=!A-
ENACOMACCEPT.List dst-address-list=A-ENACOMDROP.List comment=”078C+: Bloqueo
(Cuevana.Servers x ENACOM NO-2019-16651442)” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=WANs protocol=tcp dst-
port=443 tls-host=”*torproject.org*” comment=”079Cx: Bloqueo.HTTPS
(https://www.torproject.org/...)” action=drop disable=yes;
# Nota: (tls-host), usa TCP, mientra que (QUIC: google), usa UDP.
# Reglas x Drop (específicos Servicios.IP): ----------------------------------
[FIN]
# Reglas x JUMP.FW ICMP/TCP/UDP (new Chain x Protect): ------------ [INI]

/ip firewall filter add chain=forward protocol=icmp comment=”089C+: JUMP.Make
(Forward.ICMPJUMP to new-chains.ICMP)” action=jump jump-target=FW-ICMP.Jump
disable=yes;
/ip firewall filter add chain=forward protocol=tcp comment=”090C+: JUMP.Make
(Forward.TCPJUMP to new-chains.TCP)” action=jump jump-target=FW-TCP.Jump
disable=yes;
/ip firewall filter add chain=forward protocol=udp comment=”091C+: JUMP.Make
(Forward.UDPJUMP to new-chains.UPD)” action=jump jump-target=FW-UDP.Jump
disable=yes;
# Reglas x JUMP.FW ICMP/TCP/UDP (new Chain x Protect): ------------ [FIN]
# Reglas x Ctrl (ICMP.Jump x Amenazas.Forward-ICMP): --------------- [INI]

/ip firewall filter add chain=FW-ICMP.Jump protocol=icmp icmp-options=8:0
limit=50/5s,5:packet action=accept comment="092C+: Acepto (Forward.ICMP [ 8:0 ]
limitado x allow echo request)" disable=yes;
limit=50/5s,5:packet comment="093C+: Acepto (Forward.ICMP [ 0:0 ] limitado x echo
reply)" action=accept disable=yes;
limit=50/5s,5:packet action=accept comment="094C+: Acepto (Forward.ICMP [ 11:0 ]
limitado x allow time exceed)" disable=yes;
/ip firewall filter add chain=FW-ICMP.Jump protocol=icmp icmp-options=3:0-1
limit=50/5s,5:packet comment="095C+: Acepto (Forward.ICMP [ 3:0-1 ] limitado x
net/host unreachable)" action=accept disable=yes;
limit=50/5s,5:packet comment="096C+: Acepto (Forward.ICMP [ 3:4 ] limitado x host
unreachable fragmentation required)" action=accept disable=yes;
/ip firewall filter add chain=FW-ICMP.Jump comment="097C+: Bloqueo (all other types
of Forward.ICMP)" action=drop disable=yes;
# Nota: determinar, conveniencia de (limit=50/5s,5:packet) en cada regla.
# Reglas x Ctrl (ICMP.Jump x Amenazas.Forward-ICMP): --------------- [FIN]
# Reglas x Drop (TCP.Jump x Amenazas.Forward-TCPPort): ------------ [INI]

/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=67-68
comment="098C+: Bloqueo (Forward.TCP [ 67-68 ] x posible DHCP)" action=drop
disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=69 comment="099C+:
Bloqueo (Forward.TCP [ 69 ] x posible TFTP)" action=drop disable=yes;
Bloqueo (Forward.TCP [ 111 ] x posible RPC portmapper)" action=drop disable=yes;
Bloqueo (Forward.TCP [ 135 ] x posible RPC portmapper)" action=drop disable=yes;
comment="102C+: Bloqueo (Forward.TCP [ 137-139 ] x posible NBT)" action=drop
disable=yes;
Bloqueo (Forward.TCP [ 445 ] x posible CIFS)" action=drop disable=yes;
/ip firewall filter add chain=FW-TCP.Jump protocol=tcp dst-port=2049
comment="104C+: Bloqueo (Forward.TCP [ 2049 ] x posible NFS)" action=drop
disable=yes;
comment="105C+: Bloqueo (Forward.TCP [ 3133 ] x posible BackOriffice)" action=drop
disable=yes;
comment="106C+: Bloqueo (Forward.TCP [ 12345-12346 ] x posible NetBus)" action=drop
disable=yes;
comment="107C+: Bloqueo (Forward.TCP [ 20034 ] x posible NetBus)" action=drop
disable=yes;
# Reglas x Drop (TCP.Jump x Amenazas.Forward-TCPPort): ------------ [FIN]
# Reglas x Drop (UDP.Jump x Amenazas.Forward-UDPPort): ----------- [INI]

/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=69 comment="108C+:
Bloqueo (Forward.UDP [ 69 ] x posible TFTP)" action=drop disable=yes;
Bloqueo (Forward.UDP [ 111 ] x posible PRC portmapper)" action=drop disable=yes;
Bloqueo (Forward.UDP [ 135 ] x posible PRC portmapper)" action=drop disable=yes;
/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=137-139
comment="111C+: Bloqueo (Forward.UDP [ 137-139 ] x posible NBT)" action=drop
disable=yes;
/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=2049
comment="112C+: Bloqueo (Forward.UDP [ 2049 ] x posible NFS)" action=drop
disable=yes;
/ip firewall filter add chain=FW-UDP.Jump protocol=udp dst-port=3133
comment="113C+: Bloqueo (Forward.UDP [ 3133 ] x posible BackOriffice)" action=drop
disable=yes;
# Reglas x Drop (UDP.Jump x Amenazas.Forward-UDPPort): ----------- [FIN]
# Reglas x Drop (VPN.Conn): --------------------------------------------------

[INI]
/ip firewall filter add chain=forward protocol=udp dst-port=500,1194,4500 src-
address-list=!”V-CLIENTACCEPT.List” comment=”200Cx: Add.1h (src-Address a T-
VPNUDPSRC.List x VPN-Conn.UDP)” action=add-src-to-address-list log=no log-
prefix=”[VPN-Conn.UDP]: ” address-list=T-VPNUDPSRC.List address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=udp dst-port=500,1194,4500 src-
address-list=!”V-CLIENTACCEPT.List” comment=”201Cx: Bloqueo (VPN-Conn.UDP)”
action=drop log=no log-prefix=”[VPN-Conn.UDP]: ” disable=yes;
/ip firewall filter add chain=forward protocol=tcp dst-port=1194,1701,1723 src-
address-list=!”V-CLIENTACCEPT.List” comment=”202Cx: Add.1h (dst-Address a T-
VPNTCPSRC.List x VPN-Conn.TCP)” action=add-dst-to-address-list log=no log-
prefix=”[VPN-Conn.TCP]: ” address-list=T-VPNTCPSRC.List address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=tcp dst-port=1194,1701,1723 src-
address-list=!”V-CLIENTACCEPT.List” comment=”203Cx: Bloqueo (VPN-Conn.TCP)”
action=drop log=no log-prefix=”[VPN-Conn.TCP]: ” disable=yes;
# ------------------------------------
/ip firewall filter add chain=forward protocol=gre src-address-list=!”V-
CLIENTACCEPT.List” comment=”204Cx: Add.1h (src-Address a T-VPNGRESRC.List x VPN-
Conn.PPTP)” action=add-src-to-address-list log=no log-prefix=”[VPN-Conn.PPTP]: ”
address-list=T-VPNGRESRC.List address-list-timeout=1h disable=yes;
/ip firewall filter add chain=forward protocol=gre src-address-list=!”V-
CLIENTACCEPT.List” comment=”205Cx: Bloqueo (VPN-Conn.PPTP)” action=drop log=no log-
prefix=”[VPN-Conn.PPTP]: ” disable=yes;
/ip firewall filter add chain=forward protocol=ipsec-esp src-address-list=!”V-
CLIENTACCEPT.List” comment=”206Cx: Add.1h (src-Address a T-VPNIPSECESPSRC.List x
VPN-Conn.IPSecESP)” action=add-src-to-address-list log=no log-prefix=”[VPN-
Conn.IPSecESP]: ” address-list=T-VPNIPSECESPSRC.List address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=ipsec-esp src-address-list=!”V-
CLIENTACCEPT.List” comment=”207Cx: Bloqueo (VPN-Conn.IPSecESP)” action=drop log=no
log-prefix=”[VPN-Conn.IPSecESP]: ” disable=yes;
/ip firewall filter add chain=forward protocol=ipsec-ah src-address-list=!”V-
CLIENTACCEPT.List” comment=”208Cx: Add.1h (src-Address a T-VPNIPSECAHSRC.List x
VPN-Conn.IPSecAH)” action=add-src-to-address-list log=no log-prefix=”[VPN-
Conn.IPSecAH]: ” address-list=T-VPNIPSECAHSRC.List address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=ipsec-ah src-address-list=!”V-
CLIENTACCEPT.List” comment=”209Cx: Bloqueo (VPN-Conn.IPSecAH)” action=drop log=no
log-prefix=”[VPN-Conn.IPSecAH]:” disable=yes;
/ip firewall filter add chain=forward protocol=ipencap src-address-list=!”V-
CLIENTACCEPT.List” comment=”210Cx: Add.1h (src-Address a T-VPNIPENCAPSRC.List x
VPN-Conn.ProxyTraffic)” action=add-src-to-address-list log=no log-prefix=”[VPN-
Conn.ProxyTraffic]: ” address-list=T-VPNIPENCAPSRC.List address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=ipencap src-address-list=!”V-
CLIENTACCEPT.List” comment=”211Cx: Bloqueo (VPN-Conn.ProxyTraffic)” action=drop
log=no log-prefix=”[VPN-Conn.ProxyTraffic]: ” disable=yes;
# ------------------------------------
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=!”V-
CLIENTACCEPT.List” dst-address-list="V-DDNS.List" comment=”212Cx: Add.30s (src-
Address a V-T30SCLIENTDROP.List x VPN.Conn y !V-CLIENTACCEPT.List)” action=add-src-
to-address-list address-list="V-T30SCLIENTDROP.List" address-list-timeout=30s
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=!”V-
CLIENTACCEPT.List” dst-address-list="V-DDNS.List" comment=”213Cx: Add.1d (src-
Address a V-T01DCLIENTDROP.List x VPN.Conn y !V-CLIENTACCEPT.List)” action=add-src-
to-address-list address-list="V-T01DCLIENTDROP.List" address-list-timeout=1d
disable=yes;
# ------------------------------------
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list="V-
T30SCLIENTDROP.List" comment=”214Cx: Drop (src-Address a V-T30SCLIENTDROP.List x
VPN.Conn)” action=drop disable=yes;
# Nota: Only drop standart VPN.port (neither SSTP-TCP.433, except include V-
DDNS.List). Recordar que, según entiendo, las reglas de (Raw, Mangle y Filter), no
marcaran/bloquearan VPN.Conn de las IPP Fijas dadas a Clientes.
# Reglas x Drop (VPN.Conn): --------------------------------------------------
[FIN]
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------------------ [NAT]
----------------------------------------
#
-----------------------------------------------------------------------------------
--------
# Nateo (IP.Pub y RB.Port): ----- [Opcional] ------ ( 1x Client.IP/Client.Port )

# ------------------------------------------------- [ IP.Pub (costo extra x IP)]
/ip firewall nat add chain=dstnat dst-address=X.Y.Z.(x) protocol=tcp dst-
port=22,23,53,67-69,111,135,137-139,161,162,445,2049,3133,20034 comment=”002Cx:
NAT.C-IPPub (Firewall.TCP-Port –> 10..1, IN : ______,________________)” to-
address=10..1 action=dst-nat disable=yes;
/ip firewall nat add chain=dstnat dst-address=X.Y.Z.(x) protocol=udp dst-
port=22,23,53,69,111,135,137-139,161,162,445,2049,3133 comment=”003Cx: NAT.C-IPPub
(Firewall.UDP-Port –> 10..1, IN : ______,________________)” to-address=10..1
action=dst-nat disable=yes;
# …
# Nota: Posicionar antes de (to-address=IPPriClient) y Activar solo en caso de
necesitar un Firewall x IPPubClient. Siendo (10.1), una IP.Priv inexistente en LANs
o la IP.Priv de una PC.Carnada.
/ip firewall nat add chain=dstnat dst-address=X.Y.Z.(x) comment=”004C+: NAT.C-IPPub
(IN : ______,________________)” to-address=1..(x).(y) action=dst-nat disable=yes;
/ip firewall nat add chain=srcnat scr-address=1..(x).(y) comment=”005C+: NAT.C-
IPPub (OUT: ______,________________)” to-address=X.Y.Z.(x) action=src-nat
disable=yes;
# Nota: agregar (in/out-interface-list=WANs x IN/OUT, serian casi redundantes).
# ------------------------------------------------- [ RB.Port (resta Port disp. en
RB)]
/ip firewall nat add chain=dstnat protocol=udp dst-port=9XXX comment=”110C+:
Redirec Forward.Trafic-Port to RB.IPPub24 to (IPPriClient,PortDstClient (IN/OUT:
______,________________)” to-address=1..(x).(y) to-port=9YYY action=dst-nat
disable=yes;
# …
# Nota: para los puertos especiales (x Admin.Port o x Client.Port: camera, shh,
telnet, etc.), deben implementarse los redireccionamientos mediante el agregado de
reglas de Nateo (IPPubClient o RB.PortDstClient), puesto que, el (/IP Firewall Nat)
se chequea antes del (/IP Firewall Filter).
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------------------ [NAT]
----------------------------------------
#
-----------------------------------------------------------------------------------
--------
QoS (Leyer7+AddressList+Mangle+QueueTree): ---------------------- [ INI ]

Layer 7 (RegExp):
------------------------------------------------------------------------
(^): implica, coincidir desde el principio del string.
(.): implica, coincidir con al menos un carácter.
(+): cuantificador que define cuantos caracteres anteriores deben repetirse (+,
significa 1 o cualquier repetición).
(*): cuantificador que define cuantos caracteres anteriores deben repetirse (*,
significa 0 o cualquier repetición).
(\.): (\), se usa para definir (.), y evitar asi, su confusión con un punto.
($): implica, coincidencia con el fin del string.
Nota: el (protocolo layer 7), es un método de búsqueda de patrones (expresiones
regulares: regexp) en flujos (ICMP/TCP/UDP), pudiendo usarse, para bloqueo por
dominio. En base a los 1eros 10 paquetes de una new conection (o 2KB) – de no
encontrarse el patrón, se lo declara: no coincidente –.
...
...
# HTB (Leyer7 Rules): ----------------------------------------------------- [ INI ]

# En análisis de HTB, es previo al de Queue.Simple en el Flow de RouterOS.
# Down (¿50M?):
------------------------------------------------------------------------
/ip firewall layer7-protocol add name=File.Down regexp="^.+\\.(exe|rar|zip|7z|cab|
asf|mov|vob|wmv|mpg|mpeg|mkv|avi|flv|wav|rm|mp3|mp|ram|rmvb|dat|daa|iso|nrg|bin|
vcd|3gp|aac|ace|aif|arj|bz2|gz|gzip|img|lzh|m4a|m4v|mpa|mpe|msi|msu|ogg|ogv|pdf|
plj|pps|ppt|qt|ro*|r1*|ra|rm|sea|sit|sitx|tar|tif|tiff|z|001|002|003|004|005).*\$"
comment="028C+: L7 (Patron regular de File.Down)";
/ip firewall layer7-protocol add name=Video.Streaming regexp=”^.+(videoplayback|
video).*\$” comment="001C+: L7 (Patron regular de VideoStream)";
/ip firewall layer7-protocol add name=P2P.WWW regexp="^.+(get|GET).+(torrent|
thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
comment="002C+: L7 (Patron regular de P2P.WWW)";
/ip firewall layer7-protocol add name=P2P.DNS regexp="^.+(torrent|thepiratebay|
isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|
bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$" comment="003C+: L7
(Patron regular de P2P.DNS)";
/ip firewall layer7-protocol add name=P2P.BitT regexp="^.+(\\x13bittorrent
protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get
/client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP].*\$"
comment="004C+: L7 (Patron regular de P2P.BitTorrent)";
# Nota: BitTorrent: (6881-6999)
/ip firewall layer7-protocol add name=P2P.BitTE regexp="^.+(\\x13bittorrent
protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get
/client/bitcomet/|GET/data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP].*\$"
comment="005C+: L7 (Patron regular de P2P.BitTorrent-Expert)";
# Services.Special:
-----------------------------------------------------------------------
/ip firewall layer7-protocol add name=SpeedTest regexp="^.+(speedtest.3bb.co.th|
speedtest.adslthailand.com|spe edtest1.totbb.net|speedtest.net|
speedtest.trueinternet.co.th|catspeedtest.net).*\$" comment="006C+: L7 (Patron
regular de SpeedTest)";
# Social.Media:
---------------------------------------------------------------------------
# …
# HTB (Mangle Rules): ---------------------------------------------------- [ INI ]

# Mecanismo similar a Firewall, salvo que agrega un condicional (passthrough=no),
evita que continue descendiendo.
# VoIP (Mangle Rules):
-----------------------------------------------------------------
/ip firewall mangle add chain=forward dst-address=X.X.X.X protocol=udp port=10000-
20000 connection-state=newcomment="001Cx: Marco (VoIP-RTP.Conn)" action=mark-
connection new-connection-mark=VoIP-RTP.Conn passthrough=yesdisable=yes;
/ip firewall mangle add chain=forward connection-mark=VoIP-RTP.Conn comment="002Cx:
Marco (VoIP-RTP.1erPacket)" action=mark-packet log=no log-prefix=VoIP-RTP.Pack new-
packet-mark=VoIP-RTP.Pack passthrough=no disable=yes;
# Nota: (87.2k x Call. Cambiar SIP.Port (C-Telefonica y Telefono.IP). RTP, se usa
para el intercambio de voz)
/ip firewall mangle add chain=forward dst-address=X.X.X.X protocol=tcp dst-
port=5060-5061 connection-state=newcomment="003Cx: Marco (VoIP-SIPTCP.Conn)"
action=mark-connection new-connection-mark=VoIP-SIPTCP.Connpassthrough=yes
disable=yes;
/ip firewall mangle add chain=forward connection-mark=VoIP-SIPTCP.Conn
comment="004Cx: Marco (VoIP-SIPTCP.1erPacket)" action=mark-packet log=no log-
prefix=VoIPSIPUDP.Pack new-packet-mark=VoIP-SIPUDP.Packpassthrough=no disable=yes;X
/ip firewall mangle add chain=forward dst-address=X.X.X.X protocol=udp dst-
port=5060-5061 connection-state=newcomment="005Cx: Marco (VoIP-SIPUDP.Conn)"
action=mark-connection new-connection-mark=VoIP-SIPUDP.Connpassthrough=yes
disable=yes;
/ip firewall mangle add chain=forward connection-mark=VoIP-SIPUDP.Conn
comment="006Cx: Marco (VoIP-SIPUDP.1erPacket)" action=mark-packet log=no log-
prefix=VoIP-SIPUDP.Pack new-packet-mark=VoIP-SIPUDP.Packpassthrough=no disable=yes;
# Nota: (65k x Call. Cambiar SIP.Port (C-Telefonica y Telefono.IP: VPN(x)), TCP y
UDP. SIP, se usa para iniciar sesión (RING))
/ip firewall mangle add chain=prerouting in-interface-list=WANs packet-mark=VoIP-
RTP.Pack comment="007Cx: Change (WAN-DSCP.Type Of Service)" action=change-dscp
log=no log-prefix=”WAN-DSCP.TOS (Change)“ new-dscp=10 passthrough=nodisable=yes;
/ip firewall mangle add chain=postrouting out-interface-list=LANs packet-mark=VoIP-
RTP.Pack comment="008Cx: Change(LANs-DSCP.Type Of Service)" action=change-dscp
log=no log-prefix=”LANs-DSCP.TOS (Change)“ new-dscp=46passthrough=no disable=yes;
# Nota: efectivo, en redes que soportan tratamiento por DSCP (priorización de
paquetes: 01-64) – obviamente, debe coincidir con config de C-Telefonica.DSCP –. Se
recomienda, crear VLAN(x) x (out-interface) exclusiva para VoIP.
# IPTV (Mangle Rules): --------------------------------------------------------

[ HLS ]
/ip firewall mangle add chain=forward dst-address=X.X.X.X protocol=tcp port=80
connection-state=new comment="009Cx: Marco(IPTV.Conn)" action=mark-connection new-
connection-mark=IPTV.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=IPTV.Conn comment="010Cx:
Marco (IPTV.1erPacket)" action=mark-packet log=no log-prefix=IPTV.Pack new-packet-
mark=IPTV.Pack passthrough=no disable=yes;
# Nota: (790k x Señal, en H.265). Es un servicio intranet. Fundamental: priorizar
paquetes TCP (SYN – inicio de negociación–/ACK – acuse de recibo –)).
# DNS (Mangle Rules): -------------------------------------------- [DNS.Cache=ON]

/ip firewall mangle add chain=prerouting protocol=udp dst-port=53 connection-
state=new comment="011C+: Marco (DNS-UDP.Conn)" action=mark-connection new-
connection-mark=DNS-UDP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=prerouting connection-mark=DNS-UDP.Conn
comment="012C+: Marco (DNS-UDP.1erPacket)" action=mark-packet log=no log-
prefix=DNS-UDP.Pack new-packet-mark=DNS-UDP.Pack passthrough=no disable=yes;
# Nota: (UDP), solicitud de resolución de nombre y (respuesta < 512b).
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=53 connection-
state=new comment="013C+: Marco (DNS-TCP.Conn)" action=mark-connection new-
connection-mark=DNS-TCP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=prerouting connection-mark=DNS-TCP.Conn
comment="014C+: Marco (DNS-TCP.1erPacket)" action=mark-packet log=no log-
prefix=DNS-TCP.Pack new-packet-mark=DNS-TCP.Pack passthrough=no disable=yes;
# Nota: (TCP), only x (respuesta >= 512b) y x CPU--, no estableci: (in-interface-
list=LANs).
# ICMP (Mangle Rules):

-----------------------------------------------------------------
/ip firewall mangle add chain=forward protocol=icmp connection-state=new
comment="015C+: Marco (ICMP.Conn)" action=mark-connection new-connection-
mark=ICMP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=ICMP.Conn comment="016C+:
Marco (ICMP.1erPacket)" action=mark-packet log=no log-prefix=ICMP.Pack new-packet-
mark=ICMP.Pack passthrough=no disable=yes;
# Nota: x CPU--, no estableci: (in-interface-list=LANs).
# Social.Media (Mangle Rules):

--------------------------------------------------------
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
YOUTUBE.List comment="017C+: Marco(Youtube.Conn)" action=mark-connection new-
connection-mark=Youtube.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Youtube.Conn comment="018C+:
Marco (Youtube.1erPacket)" action=mark-packet log=no log-prefix=Youtube.Pack new-
packet-mark=Youtube.Pack passthrough=no disable=yes;
FACEBOOK.List comment="019C+: Marco(Facebook.Conn)" action=mark-connection new-
connection-mark=Facebook.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Facebook.Conn comment="020C+:
Marco (Facebook.1erPacket)" action=mark-packet log=no log-prefix=Facebook.Pack new-
packet-mark=Facebook.Pack passthrough=no disable=yes;
TWITTER.List comment="021C+: Marco(Twitter.Conn)" action=mark-connection new-
connection-mark=Twitter.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Twitter.Conn comment="022C+:
Marco (Twitter.1erPacket)" action=mark-packet log=no log-prefix=Twitter.Pack new-
packet-mark=Twitter.Pack passthrough=no disable=yes;
INSTAGRAM.List comment="023C+: Marco(Instagram.Conn)" action=mark-connection new-
connection-mark=Instagram.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Instagram.Conn
comment="024C+: Marco (Instagram.1erPacket)" action=mark-packet log=no log-
prefix=Instagram.Pack new-packet-mark=Instagram.Pack passthrough=no disable=yes;
NETFLIX.List comment="025C+: Marco(Netflix.Conn)" action=mark-connection new-
connection-mark=Netflix.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Netflix.Conn comment="026C+:
Marco (Netflix.1erPacket)" action=mark-packet log=no log-prefix=Netflix.Pack new-
packet-mark=Netflix.Pack passthrough=no disable=yes;
WHATSAPP.List comment="027C+: Marco(Whatsapp.Conn)" action=mark-connection new-
connection-mark=Whatsapp.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Whatsapp.Conn comment="028C+:
Marco (Whatsapp.1erPacket)" action=mark-packet log=no log-prefix=Whatsapp.Pack new-
packet-mark=Whatsapp.Pack passthrough=no disable=yes;
# Nota: Whatsapp.Port=TCP: (4244,5222,5223,5228,5242), TCP/UDP: (50318,59234) y
UDP: (3478,45395).
SKYPE.List comment="029C+: Marco(Skype.Conn)" action=mark-connection new-
connection-mark=Skype.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Skype.Conn comment="030C+:
Marco (Skype.1erPacket)" action=mark-packet log=no log-prefix=Skype.Pack new-
packet-mark=Skype.Pack passthrough=no disable=yes;
SPOTIFY.List comment="031C+: Marco(Spotify.Conn)" action=mark-connection new-
connection-mark=Spotify.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Spotify.Conn comment="032C+:
Marco (Spotify.1erPacket)" action=mark-packet log=no log-prefix=Spotify.Pack new-
packet-mark=Spotify.Pack passthrough=no disable=yes;
SNAPCHAT.List comment="033C+: Marco(Snapchat.Conn)" action=mark-connection new-
connection-mark=Snapchat.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Snapchat.Conn comment="034C+:
Marco (Snapchat.1erPacket)" action=mark-packet log=no log-prefix=Snapchat.Pack new-
packet-mark=Snapchat.Pack passthrough=no disable=yes;
TELEGRAM.List comment="035C+: Marco(Telegram.Conn)" action=mark-connection new-
connection-mark=Telegram.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Telegram.Conn comment="036C+:
Marco (Telegram.1erPacket)" action=mark-packet log=no log-prefix=Telegram.Pack new-
packet-mark=Telegram.Pack passthrough=no disable=yes;
TWITCH.List comment="037C+: Marco(Twitch.Conn)" action=mark-connection new-
connection-mark=Twitch.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Twitch.Conn comment="038C+:
Marco (Twitch.1erPacket)" action=mark-packet log=no log-prefix=Twitch.Pack new-
packet-mark=Twitch.Pack passthrough=no disable=yes;
VIMEO.List comment="039C+: Marco(Vimeo.Conn)" action=mark-connection new-
connection-mark=Vimeo.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Vimeo.Conn comment="040C+:
Marco (Vimeo.1erPacket)" action=mark-packet log=no log-prefix=Vimeo.Pack new-
packet-mark=Vimeo.Pack passthrough=no disable=yes;
# Nota: Deje Space x (17) reglas social media mas.
# HTTPS (Mangle Rules):

---------------------------------------------------------------
/ip firewall mangle add chain=forward protocol=udp dst-port=443 connection-
state=new comment="075C+: Marco (HTTPS-UDP.Conn)" action=mark-connection new-
connection-mark=HTTPS-UDP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=HTTPS-UDP.Conn
comment="076C+: Marco (HTTPS-UDP.1erPacket)" action=mark-packet log=no log-
prefix=HTTPS-UDP.Pack new-packet-mark=HTTPS-UDP.Pack passthrough=no disable=yes;
/ip firewall mangle add chain=forward protocol=tcp dst-port=443 connection-
state=new comment="077C+: Marco (HTTPS-TCP.Conn)" action=mark-connection new-
connection-mark=HTTPS-TCP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=HTTPS-TCP.Conn
comment="078C+: Marco (HTTPS-TCP.1erPacket)" action=mark-packet log=no log-
prefix=HTTPS-TCP.Pack new-packet-mark=HTTPS-TCP.Pack passthrough=no disable=yes;
# HTTP (Mangle Rules):

-----------------------------------------------------------------
/ip firewall mangle add chain=forward protocol=tcp dst-port=80,8080 connection-
state=new comment="079C+: Marco(HTTP.Conn)" action=mark-connection new-connection-
mark=HTTP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=HTTP.Conn comment="080C+:
Marco (HTTP.1erPacket)" action=mark-packet log=no log-prefix=HTTP.Pack new-packet-
mark=HTTP.Pack passthrough=no disable=yes;
# Down (¿50M?) (Mangle Rules):

-----------------------------------------------------
/ip firewall mangle add chain=forward connection-state=new layer7-
protocol=File.Down connection-bytes=50M comment="111Cx: Marco (FileDown.Conn) :: "
action=mark-connection new-connection-mark=FileDown.Conn passthrough=yes
disable=yes;
/ip firewall mangle add chain=forward connection-mark=FileDown.Conn comment="112Cx:
Marco (FileDown.1erPacket) :: " action=mark-packet log=no log-prefix=FileDown.Pack
new-packet-mark=FileDown.Pack passthrough=no disable=yes;
protocol=Video.Streaming connection-bytes=50M comment="113Cx: Marco
(VideoStreaming.Conn) :: " action=mark-connection new-connection-
mark=VideoStreaming.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=VideoStreaming.Conn
comment="114Cx: Marco (VideoStreaming.1erPacket) :: " action=mark-packet log=no
log-prefix=VideoStreaming.Pack new-packet-mark=VideoStreaming.Pack passthrough=no
disable=yes;
/ip firewall mangle add chain=forward connection-state=new layer7-protocol=P2P.WWW
connection-bytes=50M comment="115Cx: Marco (P2PWWW.Conn) :: " action=mark-
connection new-connection-mark=P2PWWW.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=P2PWWW.Conn comment="116Cx:
Marco (P2PWWW.1erPacket) :: " action=mark-packet log=no log-prefix=P2P-WWW.Pack
new-packet-mark=P2P-WWW.Pack passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new layer7-protocol=P2P.DNS
connection-bytes=50M comment="117Cx: Marco (P2PDNS.Conn) :: " action=mark-
connection new-connection-mark=P2PDNS.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=P2PDNS.Conn comment="118Cx:
Marco (P2PDNS.1erPacket) :: " action=mark-packet log=no log-prefix=P2P-DNS.Pack
new-packet-mark=P2P-DNS.Pack passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new layer7-protocol=P2P.BitT
connection-bytes=50M comment="119Cx: Marco (P2PBitTorrent.Conn) :: " action=mark-
connection new-connection-mark=P2PBitT.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=P2PBitT.Conn comment="120Cx:
Marco (P2PBitTorrent.1erPacket) :: " action=mark-packet log=no log-prefix=P2P-
BitT.Pack new-packet-mark=P2P-BitT.Pack passthrough=no disable=yes;
protocol=P2P.BitTE connection-bytes=50M comment="121Cx: Marco (P2PBitTorrentE.Conn)
:: " action=mark-connection new-connection-mark=P2PBitTE.Conn passthrough=yes
disable=yes;
/ip firewall mangle add chain=forward connection-mark=P2PBitTE.Conn comment="122Cx:
Marco (P2PBitTorrentE.1erPacket) :: " action=mark-packet log=no log-prefix=P2P-
BitTE.Pack new-packet-mark=P2P-BitTE.Pack passthrough=no disable=yes;
# Nota: decidir si conviene o no usar (connection-bytes=50M).
# Services.Special (Mangle Rules):

---------------------------------------------------
# VPN (Mangle Rules):
-----------------------------------------------------------------
/ip firewall mangle add chain=forward protocol=udp dst-port=500,1194,4500
connection-state=new comment="123C+: Marco (VPN-UDP.Conn) :: " action=mark-
connection new-connection-mark=VPN-UDP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=VPN-UDP.Conn comment="124C+:
Marco (VPN-UDP.1erPacket) :: " action=mark-packet log=no log-prefix=VPN-UDP.Pack
new-packet-mark=VPN-UDP.Pack passthrough=no disable=yes;
/ip firewall mangle add chain=forward protocol=tcp dst-port=1194,1701,1723
connection-state=new comment="125C+: Marco (VPN-TCP.Conn) :: " action=mark-
connection new-connection-mark=VPN-TCP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=VPN-TCP.Conn comment="126C+:
Marco (VPN-TCP.1erPacket) :: " action=mark-packet log=no log-prefix=VPN-TCP.Pack
new-packet-mark=VPN-TCP.Pack passthrough=no disable=yes;
/ip firewall mangle add chain=forward protocol=gre connection-state=new
comment="127C+: Marco (VPN-GREr.Conn) :: " action=mark-connection new-connection-
mark=VPN-GRE.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=VPN-GRE.Conn comment="128C+:
Marco (VPN-GRE.1erPacket) :: " action=mark-packet log=no log-prefix=VPN-GRE.Pack
new-packet-mark=VPN-GRE.Pack passthrough=no disable=yes;
/ip firewall mangle add chain=forward protocol=ipsec-esp connection-state=new
comment="129C+: Marco (VPN-IPSECESP.Conn) :: " action=mark-connection new-
connection-mark=VPN-IPSECESP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=VPN-IPSECESP.Conn
comment="130C+: Marco (VPN-IPSECESP.1erPacket) :: " action=mark-packet log=no log-
prefix=VPN-IPSECESP.Pack new-packet-mark=VPN-IPSECESP.Pack passthrough=no
disable=yes;
/ip firewall mangle add chain=forward protocol=ipsec-ah connection-state=new
comment="131C+: Marco (VPN-IPSECAH.Conn) :: " action=mark-connection new-
connection-mark=VPN-IPSECESP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=VPN-IPSECAH.Conn
comment="132C+: Marco (VPN-IPSECAH.1erPacket) :: " action=mark-packet log=no log-
prefix=VPN-IPSECAH.Pack new-packet-mark=VPN-IPSECAH.Pack passthrough=no
disable=yes;
/ip firewall mangle add chain=forward protocol=ipencap connection-state=new
comment="133C+: Marco (VPN-IPENCAP.Conn) :: " action=mark-connection new-
connection-mark=VPN-IPENCAP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=VPN-IPENCAP.Conn
comment="134C+: Marco (VPN-IPENCAP.1erPacket) :: " action=mark-packet log=no log-
prefix=VPN-IPENCAP.Pack new-packet-mark=VPN-IPENCAP.Pack passthrough=no
disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=V-
DDNS.List comment="135C+: Marco (VPN-DDNS.Conn) :: " action=mark-connection new-
connection-mark=VPN-DDNS.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=VPN-DDNS.Conn comment="136C+:
Marco (VPN-DDNS.1erPacket) :: " action=mark-packet log=no log-prefix=VPN-DDNS.Pack
new-packet-mark=VPN-DDNS.Pack passthrough=no disable=yes;
# Nota: only drop standart VPN.port (neither SSTP-TCP.433, except include V-
DDNS.List).
# FTP/SFTP (Mangle Rules):

------------------------------------------------------------
/ip firewall mangle add chain=forward protocol=tcp dst-port=20-23 packet-size=1400-
1500 connection-state=new comment="140C+: Marco (FTP/SFTP.Conn) :: " action=mark-
connection new-connection-mark=FTP.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=FTP.Conn comment="141C+:
Marco (FTP.1erPacket) :: " action=mark-packet log=no log-prefix=FTP.Pack new-
packet-mark=FTP.Pack passthrough=no disable=yes;
# SpeedTest (Mangle Rules):

-----------------------------------------------------------
protocol=SpeedTest comment="142Cx: Marco (SpeedTest.Conn) :: " action=mark-
connection new-connection-mark=SpeedTest.Conn passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=SpeedTest.Conn
comment="143Cx: Marco (SpeedTest.1erPacket) :: " action=mark-packet log=no log-
prefix=SpeedTest.Pack new-packet-mark=SpeedTest.Pack passthrough=no disable=yes;
# Resto de conexiones (Mangle Rules):

----------------------------------------------
/ip firewall mangle add chain=forward connection-state=new comment="180C+: Marco
(Rest.Conn) :: " action=mark-connection new-connection-mark=Rest.Conn
passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=Rest.Conn comment="181C+:
Marco (Resto.1erPacket) :: " action=mark-packet log=no log-prefix=Rest.Pack new-
packet-mark=Rest.Pack passthrough=no disable=yes;
# Nota: (asignar AB restante hasta Parent.max-limit).
# -------------------------- HTB (QueueTree Rules): ----------------- [ INI: 01 ]

# En QueueTree, no es posible usar interface-list (LANs), solo interface (etherX).
# QoS.QueueTree (Crea Variables):
---------------------------------------------------
# RB1.Interfaces
:global InterfWAN1 “ether1”; # RB1.WAN1 (interface) [ ISP.01 ]
:global InterfLAN1 “ether3”; # RB1.LAN1 (interface) [ ]
# ---------------------------------------------
# RB2.Interfaces
# ---------------------------------------------
# RB3.Interfaces
:global InterfLAN1 “ether-HFC”; # RB3.LAN1 (interface) [ CMTS ]
# QoS conections (QueueTree Rules): -------------------------------------------

# -----------------------------------------------------------------------------
[ INI ]
# QoS.UpLoad conections (QueueTree Rules): ----------------------------------

# -----------------------------------------------------------------------------
[ INI ]
# [ Nivel 01 ] -------------------------------------------------------------------
[ INI ]
/queue tree add name=010000.WAN1 parent=$InterfWAN1 limit-at=0 max-limit=0
priority=8 queue=ethernet-default comment="001C+: QoS (WAN1.Ups) :: " disable=yes;
# [ Nivel 02 ] ---------------------------------------------------------- [ INI ]

/queue tree add name=010100.VoIP parent=010000.WAN1 limit-at=0 max-limit=0
priority=1 queue=ethernet-default comment="002Cx: QoS (WAN1.VoIPs) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

/queue tree add name=010101.RTP parent=010100.VoIP packet-mark=VoIP-RTP.Pack limit-
at=0 max-limit=0 priority=1 queue=ethernet-default comment="003Cx: QoS (WAN1.VoIP-
RTP) :: " disable=yes;
/queue tree add name=010102.SIPTCP parent=010100.VoIP packet-mark=VoIP-SIPTCP.Pack
limit-at=0 max-limit=0 priority=1 queue=ethernet-default comment="004Cx: QoS
(WAN1.VoIP-SIPTCP) :: " disable=yes;
/queue tree add name=010103.SIPUDP parent=010100.VoIP packet-mark=VoIP-SIPUDP.Pack
(WAN1.VoIP-SIPUDP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=010200.IPTV parent=010000.WAN1 packet-mark=IPTV.Pack limit-

at=0 max-limit=0 priority=2 queue=ethernet-default comment="006Cx: QoS (WAN1.IPTVs)
:: " disable=yes;
/queue tree add name=010300.DNS parent=010000.WAN1 limit-at=256k max-limit=512k
priority=2 queue=ethernet-default comment="007C+: QoS (WAN1.DNS) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

/queue tree add name=010301.DNS-UDP parent=010300.DNS packet-mark=DNS-UDP.Pack
limit-at=128k max-limit=256k priority=2 queue=ethernet-default comment="008C+: QoS
(WAN1.DNS-UDP) :: " disable=yes;
/queue tree add name=010302.DNS-TCP parent=010300.DNS packet-mark=DNS-TCP.Pack
(WAN1.DNS-TCP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=010400.ICMP parent=010000.WAN1 packet-mark=ICMP.Pack limit-

at=128k max-limit=256k priority=2 queue=ethernet-default comment="010C+: QoS
(WAN1.ICMP) :: " disable=yes;
/queue tree add name=010500.SocialM parent=010000.WAN1 limit-at=0 max-limit=0
priority=3 queue=ethernet-default comment="011C+: QoS (WAN1.SocialMedia) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

/queue tree add name=010501.Youtube parent=010500.SocialM packet-mark=Youtube.Pack
limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="012C+: QoS
(WAN1.Youtube) :: " disable=yes;
/queue tree add name=010502.Netflix parent=010500.SocialM packet-mark=Netflix.Pack
(WAN1.Netflix) :: " disable=yes;
/queue tree add name=010503.Facebook parent=010500.SocialM packet-
mark=Facebook.Pack limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="014C+: QoS (WAN1.Facebook) :: " disable=yes;
/queue tree add name=010504.Whatsapp parent=010500.SocialM packet-
mark=Whatsapp.Pack limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="015C+: QoS (WAN1.Whatsapp) :: " disable=yes;
/queue tree add name=010505.Twitter parent=010500.SocialM packet-mark=Twitter.Pack
(WAN1.Twitter) :: " disable=yes;
/queue tree add name=010506.Instagram parent=010500.SocialM packet-
mark=Instagram.Pack limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="017C+: QoS (WAN1.Instagram) :: " disable=yes;
/queue tree add name=010507.Skype parent=010500.SocialM packet-mark=Skype.Pack
(WAN1.Skype) :: " disable=yes;
/queue tree add name=010508.Spotify parent=010500.SocialM packet-mark=Spotify.Pack
(WAN1.Spotify) :: " disable=yes;
/queue tree add name=010509.Snapchat parent=010500.SocialM packet-
mark=Snapchat.Pack limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="020C+: QoS (WAN1.Snapchat) :: " disable=yes;
/queue tree add name=010510.Telegram parent=010500.SocialM packet-
mark=Telegram.Pack limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="021C+: QoS (WAN1.Telegram) :: " disable=yes;
/queue tree add name=010511.Twitch parent=010500.SocialM packet-mark=Twitch.Pack
(WAN1.Twitch) :: " disable=yes;
/queue tree add name=010512.Vimeo parent=010500.SocialM packet-mark=Vimeo.Pack
(WAN1.Vimeo) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=010600.HTTPSTCP parent=010000.WAN1 packet-mark=HTTPS-TCP.Pack

(WAN1.HTTPS-TCP) :: " disable=yes;
/queue tree add name=010700.HTTPSUDP parent=010000.WAN1 packet-mark=HTTPS-UDP.Pack
(WAN1.HTTPS-UDP) :: " disable=yes;
/queue tree add name=010800.HTTP parent=010000.WAN1 packet-mark=HTTP.Pack limit-
at=0 max-limit=0 priority=4 queue=ethernet-default comment="043C+: QoS
(WAN1.HTTP) :: " disable=yes;
/queue tree add name=010900.VPN parent=010000.WAN1 limit-at=0 max-limit=0
priority=5 queue=ethernet-default comment="044C+: QoS (WAN1.VPN) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

/queue tree add name=010901.VPNTCP parent=010900.VPN packet-mark=VPN-TCP.Pack
(WAN1.VPN-TCP) :: " disable=yes;
/queue tree add name=010902.VPNUDP parent=010900.VPN packet-mark=VPN-UDP.Pack
(WAN1.VPN-UDP) :: " disable=yes;
/queue tree add name=010903.VPNGRE parent=010900.VPN packet-mark=VPN-GRE.Pack
(WAN1.VPN-GRE) :: " disable=yes;
/queue tree add name=010904.VPNIPSECESP parent=010900.VPN packet-mark=VPN-
IPSECESP.Pack limit-at=0 max-limit=0 priority=5 queue=ethernet-default
comment="048C+: QoS (WAN1.VPN-IPSECESP) :: " disable=yes;
/queue tree add name=010905.VPNIPSECAH parent=010900.VPN packet-mark=VPN-
IPSECAH.Pack limit-at=0 max-limit=0 priority=5 queue=ethernet-default
comment="049C+: QoS (WAN1.VPN-IPSECAH) :: " disable=yes;
/queue tree add name=010906.VPNIPENCAP parent=010900.VPN packet-mark=VPN-
IPENCAP.Pack limit-at=0 max-limit=0 priority=5 queue=ethernet-default
comment="050C+: QoS (WAN1.VPN-IPENCAP) :: " disable=yes;
/queue tree add name=010907.VPNDDNS parent=010900.VPN packet-mark=VPN-DDNS.Pack
(WAN1.VPN-DDNS) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=011000.FTP parent=010000.WAN1 packet-mark=FTP.Pack limit-at=0

max-limit=0 priority=5 queue=ethernet-default comment="052C+: QoS
(WAN1.FTP/SFTP) :: " disable=yes;
/queue tree add name=011100.SeepT parent=010000.WAN1 packet-mark=SpeedTest.Pack
(WAN1.SpeedTest) :: " disable=yes;
/queue tree add name=011500.Down parent=010000.WAN1 limit-at=0 max-limit=0
priority=6 queue=ethernet-default comment="060Cx: QoS (WAN1.Downs) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

/queue tree add name=011501.File parent=011500.Down packet-mark=FileDown.Pack
(WAN1.File Down) :: " disable=yes;
/queue tree add name=011502.VideoS parent=011500.Down packet-
mark=VideoStreaming.Pack limit-at=0 max-limit=0 priority=6 queue=ethernet-default
comment="062Cx: QoS (WAN1.VideoStreaming) :: " disable=yes;
/queue tree add name=011503.P2PWWW parent=011500.Down packet-mark=P2P-WWW.Pack
(WAN1.P2PWWW) :: " disable=yes;
/queue tree add name=011504.P2PDNS parent=011500.Down packet-mark=P2P-DNS.Pack
(WAN1.P2PDNS) :: " disable=yes;
/queue tree add name=011505.P2PBitT parent=011500.Down packet-mark=P2P-BitT.Pack
(WAN1.P2PBitTorrent) :: " disable=yes;
/queue tree add name=011506.P2PBitTE parent=011500.Down packet-mark=P2P-BitTE.Pack
(WAN1.P2PBitTorrentExp) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=013000.Rest parent=010000.WAN1 packet-mark=Rest.Pack limit-

(WAN1.Rest) :: " disable=yes;
# [ Nivel 02 ] -------------------------------------------------------------------
[ FIN ]
# [ Nivel 01 ] -------------------------------------------------------------------
[ FIN ]
# QoS.DwLoad conections (QueueTree Rules): ---------------------------------

# -----------------------------------------------------------------------------
[ INI ]
# [ Nivel 01 ] -------------------------------------------------------------------
[ INI ]
/queue tree add name=020000.LAN1 parent=$InterfLAN1 limit-at=0 max-limit=0
priority=8 queue=ethernet-default comment="101C+: QoS (LAN1.Downs) :: "
disable=yes;
# [ Nivel 02 ] ---------------------------------------------------------- [ INI ]
/queue tree add name=020100.VoIP parent=020000.LAN1 limit-at=0 max-limit=0
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

at=0 max-limit=0 priority=1 queue=ethernet-default comment="103Cx: QoS (LAN1.VoIP-
(LAN1.VoIP-SIPTCP) :: " disable=yes;
(LAN1.VoIP-SIPUTP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=020200.IPTV parent=020000.LAN1 packet-mark=IPTV.Pack limit-

at=0 max-limit=0 priority=2 queue=ethernet-default comment="106Cx: QoS (LAN1.IPTVs)
:: " disable=yes;
/queue tree add name=020300.DNS parent=020000.LAN1 limit-at=256k max-limit=512k
priority=2 queue=ethernet-default comment="107C+: QoS (LAN1.DNS) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

(LAN1.DNS-UDP) :: " disable=yes;
(LAN1.DNS-TCP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=020400.ICMP parent=020000.LAN1 packet-mark=ICMP.Pack limit-

(LAN1.ICMP) :: " disable=yes;
/queue tree add name=020500.SocialM parent=020000.LAN1 limit-at=0 max-limit=0
priority=3 queue=ethernet-default comment=“111C+: QoS (LAN1.SocialMedia) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

(LAN1.Youtube) :: " disable=yes;
(LAN1.Netflix) :: " disable=yes;
comment="114C+: QoS (LAN1.Facebook) :: " disable=yes;
comment="115C+: QoS (LAN1.Whatsapp) :: " disable=yes;
(LAN1.Twitter) :: " disable=yes;
comment="117C+: QoS (LAN1.Instagram) :: " disable=yes;
(LAN1.Skype) :: " disable=yes;
(LAN1.Spotify) :: " disable=yes;
comment="120C+: QoS (LAN1.Snapchat) :: " disable=yes;
comment="121C+: QoS (LAN1.Telegram) :: " disable=yes;
(LAN1.Twitch) :: " disable=yes;
(LAN1.Vimeo) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=020600.HTTPSTCP parent=020000.LAN1 packet-mark=HTTPS-TCP.Pack

(LAN1.HTTPS-TCP) :: " disable=yes;
/queue tree add name=020700.HTTPSUDP parent=020000.LAN1 packet-mark=HTTPS-UDP.Pack
limit-at=0 max-limit=0 priority=4 queue=ethernet-default comment=“142C+: QoS
(LAN1.HTTPS-UDP) :: " disable=yes;
/queue tree add name=020800.HTTP parent=020000.LAN1 packet-mark=HTTP.Pack limit-
(LAN1.HTTP) :: " disable=yes;
/queue tree add name=020900.VPN parent=020000.LAN1 limit-at=0 max-limit=0
priority=5 queue=ethernet-default comment="144C+: QoS (LAN1.VPN) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

(LAN1.VPN-TCP) :: " disable=yes;
(LAN1.VPN-UDP) :: " disable=yes;
(LAN1.VPN-GRE) :: " disable=yes;
comment="148C+: QoS (LAN1.VPN-IPSECESP) :: " disable=yes;
comment="149C+: QoS (LAN1.VPN-IPSECAH) :: " disable=yes;
comment="150C+: QoS (LAN1.VPN-IPENCAP) :: " disable=yes;
(LAN1.VPN-DDNS) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=021100.FTP parent=020000.LAN1 packet-mark=FTP.Pack limit-at=0

(LAN1.FTP/SFTP) :: " disable=yes;
/queue tree add name=021200.SeepT parent=020000.LAN1 packet-mark=SpeedTest.Pack
(LAN1.SpeedTest) :: " disable=yes;
/queue tree add name=021500.Down parent=020000.LAN1 limit-at=0 max-limit=0
priority=6 queue=ethernet-default comment="160Cx: QoS (LAN1.Downs) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

(LAN1.File Down) :: " disable=yes;
/queue tree add name=021502.VideoS parent=021500.Down packet-mark=VideoStream.Pack
(LAN1.VideoStream) :: " disable=yes;
(LAN1.P2PWWW) :: " disable=yes;
(LAN1.P2PDNS) :: " disable=yes;
(LAN1.P2PBitTorrent) :: " disable=yes;
(LAN1.P2PBitTorrentExp) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=023000.Rest parent=020000.LAN1 packet-mark=Rest.Pack limit-

(LAN1.Rest) :: " disable=yes;
# [ Nivel 02 ] ---------------------------------------------------------- [ FIN ]
# [ Nivel 01 ] -------------------------------------------------------------------
[ FIN ]
# [ Nivel 01 ] -------------------------------------------------------------------
[ INI ]
/queue tree add name=030000.LAN2 parent=$InterfLAN2 limit-at=0 max-limit=0
priority=8 queue=ethernet-default comment="201C+: QoS (LAN2.Downs) :: "
disable=yes;
# [ Nivel 02 ] ---------------------------------------------------------- [ INI ]

/queue tree add name=030100.VoIP parent=030000.LAN2 limit-at=0 max-limit=0
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

at=0 max-limit=0 priority=1 queue=ethernet-default comment="203Cx: QoS (LAN2.VoIP-
(LAN2.VoIP-SIPTCP) :: " disable=yes;
(LAN2.VoIP-SIPUTP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=030200.IPTV parent=030000.LAN2 packet-mark=IPTV.Pack limit-

at=0 max-limit=0 priority=2 queue=ethernet-default comment="206Cx: QoS (LAN2.IPTVs)
:: " disable=yes;
/queue tree add name=030300.DNS parent=030000.LAN2 limit-at=256k max-limit=512k
priority=2 queue=ethernet-default comment="207C+: QoS (LAN2.DNS) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

(LAN2.DNS-UDP) :: " disable=yes;
(LAN2.DNS-TCP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=030400.ICMP parent=030000.LAN2 packet-mark=ICMP.Pack limit-

(LAN2.ICMP) :: " disable=yes;
/queue tree add name=030500.SocialM parent=030000.LAN2 limit-at=0 max-limit=0
priority=3 queue=ethernet-default comment="211C+: QoS (LAN2.SocialMedia) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

(LAN2.Youtube) :: " disable=yes;
(LAN2.Netflix) :: " disable=yes;
comment="214C+: QoS (LAN2.Facebook) :: " disable=yes;
comment="215C+: QoS (LAN2.Whatsapp) :: " disable=yes;
(LAN2.Twitter) :: " disable=yes;
comment="217C+: QoS (LAN2.Instagram) :: " disable=yes;
(LAN2.Skype) :: " disable=yes;
(LAN2.Spotify) :: " disable=yes;
comment="220C+: QoS (LAN2.Snapchat) :: " disable=yes;
comment="221C+: QoS (LAN2.Telegram) :: " disable=yes;
(LAN2.Twitch) :: " disable=yes;
(LAN2.Vimeo) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=030600.HTTPSTCP parent=030000.LAN2 packet-mark=HTTPS-TCP.Pack
(LAN2.HTTPS-TCP) :: " disable=yes;
/queue tree add name=030700.HTTPSUDP parent=030000.LAN2 packet-mark=HTTPS-UDP.Pack
(LAN2.HTTPS-UDP) :: " disable=yes;
/queue tree add name=030800.HTTP parent=030000.LAN2 packet-mark=HTTP.Pack limit-
(LAN2.HTTP) :: " disable=yes;
/queue tree add name=030900.VPN parent=030000.LAN2 limit-at=0 max-limit=0
priority=5 queue=ethernet-default comment="244C+: QoS (LAN2.VPN) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

(LAN2.VPN-TCP) :: " disable=yes;
(LAN2.VPN-UDP) :: " disable=yes;
(LAN2.VPN-GRE) :: " disable=yes;
comment="248C+: QoS (LAN2.VPN-IPSECESP) :: " disable=yes;
comment="249C+: QoS (LAN2.VPN-IPSECAH) :: " disable=yes;
comment="250C+: QoS (LAN2.VPN-IPENCAP) :: " disable=yes;
(LAN2.VPN-DDNS) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=031100.FTP parent=030000.LAN2 packet-mark=FTP.Pack limit-at=0

(LAN2.FTP/SFTP) :: " disable=yes;
/queue tree add name=031200.SeepT parent=030000.LAN2 packet-mark=SpeedTest.Pack
(LAN2.SpeedTest) :: " disable=yes;
/queue tree add name=031500.Down parent=030000.LAN2 limit-at=0 max-limit=0
priority=6 queue=ethernet-default comment="260Cx: QoS (LAN2.Downs) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]

(LAN2.File Down) :: " disable=yes;
/queue tree add name=031502.VideoS parent=031500.Down packet-mark=VideoStream.Pack
(LAN2.VideoStream) :: " disable=yes;
(LAN2.P2PWWW) :: " disable=yes;
(LAN2.P2PDNS) :: " disable=yes;
(LAN2.P2PBitTorrent) :: " disable=yes;
(LAN2.P2PBitTorrentExp) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=033000.Rest parent=030000.LAN2 packet-mark=Rest.Pack limit-

(LAN2.Rest) :: " disable=yes;
# [ Nivel 02 ] ---------------------------------------------------------- [ FIN ]
# [ Nivel 01 ] -------------------------------------------------------------------
[ FIN ]
# QoS conections (QueueTree Rules): -------------------------------------------

# -----------------------------------------------------------------------------
[ FIN ]
# QoS.QueueTree (Remove Variables): --------------------------------------- [ INI ]

/system script environment remove [find name="InterfWAN1"];
/system script environment remove [find name="InterfWAN2"];
/system script environment remove [find name="InterfLAN1"];
# QoS.QueueTree (Remove Variables): --------------------------------------- [ FIN ]
# -------------------------- HTB (QueueTree Rules): ----------------- [ FIN: 01 ]
# QoS.QueueType (QueueType Rules): ------- [ act. no usado ] ------ [ INI ]

# /queue type add kind=pcq name=PCQ.Down pcq-burst-rate=0 pcq-burst-threshold=0
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-
address6-mask=128 pcq-limit=50 pcq-rate=384k pcq-src-address-mask=32 pcq-src-
address6-mask=128 pcq-total-limit=2000 comment=”C: PCQ (Down.384k)”;
# /queue type add kind=pcq name=PCQ.Up pcq-burst-rate=0 pcq-burst-threshold=0 pcq-
burst-time=10s pcq-classifier=src-addresspcq-dst-address-mask=32 pcq-dst-address6-
mask=128 pcq-limit=50 pcq-rate=128k pcq-src-address-mask=32 pcq-src-address6-
mask=128 pcq-total-limit=2000 comment=”C: PCQ (Up.128k)”;
# Nota: (pcq-total-limit), maxino nro de datos en cola (tree). (pcq-limit), tamaño
de cola (tree). (pcq-rate), velocidad máxima disponible para cada cola (tree).
# QoS.QueueType (QueueType Rules): ------- [ act. no usado ] ------ [ FIN ]
#
-----------------------------------------------------------------------------------
--
# [FINALMENTE]: --------------------------------------------------------- [ INI ]
#
-----------------------------------------------------------------------------------
--
# Marcar como activas (comment=“+:”, “>:” y “+VL:”) y no-activas (comment=“x:”,
“<:” y “xVL:”), según corresponda.
# Filtrar: /ip firewall x (comment=”+:”) y habilitar reglas filtradas (en Address-
List, Firewall, NAT, Mangle y Raw).
# Filtrar: /ip firewall x (comment=(”>:”: userX) o (”<:”: userR-W)), según
corresponda y habilitar reglas filtradas.
# Filtrar: /ip firewall x (comment=(”+VL:”) o (”xVL:”)), según corresponda y
habilitar reglas filtradas.
# Listo.
#
-----------------------------------------------------------------------------------
--
# [FINALMENTE]: --------------------------------------------------------- [ FIN ]
#
-----------------------------------------------------------------------------------
--
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
--------------------------- ( RouterOS.Basic-Config ) --------------------- [ FIN ]
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
RouterOS.Script (Basic 01-02)

--------------------------------------------------------------------------------
[ INI ]
-----------------------------------------------------------------------------------
-----
----------------------------- Scripts (basicos):
-------------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
# AddressList.AddIP-RedesSociales:
----------------------------------------------------
# Name: AddressList.AddIP-RSociales
# comment="C+: ( AddressList.AddIP-RedesSociales )"
# ---------------------------------------------
:local TTL; # establezco como guardable todo
(dns.ttl>5m)
:local HoraINI;
:local HoraFIN;
:local Type ””;
:local Address (0.0.0.0);
:local Data “”;
:local Name “”;
:local Lista;
# ---------------------------------------
:local CountProcc 0;
:foreach x in [/system script job find (script="AddressList.AddIP-RSociales" or
script="AddressList.Ctrl (RedesSociales)")] do {:set CountProcc ($CountProcc+1);};
# Cant de éste process vinculantes activos
:if ($CountProcc=1) do={
# --------------------------------------- [Proccess.Ini (x Off Proccess Vinculant)]
# :global AddressListAdd “[ $AddressListTAdd ] - ”;
:global AddressListTAdd; :set HoraINI ([/system clock get time]); :log info
message=("[AddressList.AddIP-RSociales (INI: Pre-Foreach)]");
# ---------------------------------------------------
:foreach i in=[/ip dns cache all find ((name~"whatsapp" or name~"youtube" or
name~"googlevideo" or name~"twitter" or name~"facebook" or name~"instagram" or
name~"netflix" or name~"skype" or name~”spotify” or name~"snapchat" or
name~”telegram” or name~”twitch” or name~”vimeo”) and ((type="A" or type="CNAME")
and !negative))] do={
# --------------------------------------------------- [LOG.Add (Foreach Find Out)]
# :if ($CountProcc=1) do={:set CountProcc ($CountProcc+1); :log info
message=("[AddressList.AddIP-RSociales (INI: Pos-Foreach(Find))]");};
# ---------------------------------------------------
:set Name ([/ip dns cache get $i name]); :set Type ([/ip dns cache all get $i
type]); :set TTL ([/ip dns cache get $i ttl]); :if ($TTL>5m) do={:if ($Type=”A”)
do={:set Address ([/ip dns cache get $i address]); :set Address ([toip $Address]);
# ----------------- [Type=A (name=Dominio data=IP.Dominio)]
# :log info message=("[AddressList.AddIP-RSociales Address.Direct, Addr: (".
($Address).") – Type: (".($Type).") – Name: (".($Name).") – TTL: (".($TTL).") =
[ ".([typeof $Address])." ]]");
} else={:set Data ([/ip dns cache all get $i data]); :do {
# ----------------- [Type=CNAME] (name=resolve(IP.subDominio) data=Dominio)]
:set Address ([resolve $Name]);
# :log info message=("[AddressList.AddIP-RSociales DNS.Resolve, Addr: (".
($Address).") – Data: (".($Data).") – Type: (".($Type).") – Name: (".($Name).") –
TTL: (".($TTL).") = [ ".([typeof $Address])." ]]");
} on-error={
# -------------------------------------------------- [Resolve.Failure]
:set Address (0.0.0.0); :log error message=("[AddressList.AddIP-RSociales
DNS.Resolve-Failure, Data: (".($Data).") – Type: (".($Type).") – Name: (".
($Name).") – D: (".($TTL).")]");}}; :if ([len $Name]>0 and $Address!=0.0.0.0) do={
# -------------------------------------------------- [Establece (Lista)]
:if ($Name~"whatsapp") do={:set Lista (“S-WHATSAPP.List”);} else={:if
($Name~"youtube" or $Name~"googlevideo") do={:set Lista (“S-YOUTUBE.List”);}
else={:if ($Name~"facebook") do={:set Lista (“S-FACEBOOK.List”);} else={:if
($Name~"twitter") do={:set Lista (“S-TWITTER.List”);} else={:if ($Name~"instagram")
do={:set Lista (“S-INSTAGRAM.List”);} else={:if ($Name~"netflix") do={:set Lista
(“S-NETFLIX.List”);} else={:if ($Name~"skype") do={:set Lista (“S-SKYPE.List”);}
else={:if ($Name~"spotify") do={:set Lista (“S-SPOTIFY.List”);} else={:if
($Name~"snapchat") do={:set Lista (“S-SNAPCHAT.List”);} else={:if
($Name~"telegram") do={:set Lista (“S-TELEGRAM.List”);} else={:if ($Name~"twitch")
do={:set Lista (“S-TWITCH.List”);} else={:if ($Name~"vimeo") do={:set Lista (“S-
VIMEO.List”);}}}}}}}}}}}};
# --------------------------------------------------
:if ([/ip firewall address-list find (address=$Address and !disabled)]="") do={
# -------------------------------------------------- [AddressList.Add]
# :log info message=("[AddressList.AddIP-RSociales AddressList.Add, Addr: (".
($Address).") – Lista: (".($Lista).") – Type: (".($Type).") – Name: (".($Name).") –
TTL: (".($TTL).") = [ ".([typeof $Address])." ]]");
# --------------------------------------------------
/ip firewall address-list add address=$Address list=$Lista timeout=$TTL
comment="C+: QoS ( [ $Name ] – [ $Type ] – [ $TTL ] )"; :set AddressListTAdd
($AddressListTAdd+1);} else={
# -------------------------------------------------- [AddressList.Del x DNS.Reuso]
:local X (1);
# :foreach i in=[/ip firewall address-list find (address=$Address and !disabled)]
do={:log info message=("[AddressList.AddIP-RSociales AddressList.Del ( ".($X)." ,
".([/ip firewall address-list get $i list]=$Lista)." ), Addr: (".($Address).") –
Lista: (".($Lista).") – L.AL: (".([/ip firewall address-list get $i list]).") –
CT.AL: (".([/ip firewall address-list get $i creation-time]).")]"); :set X
($X+1);};
# --------------------------------------------------
:if ($X>2) do={/ip firewall address-list remove [find (address=$Address and list!
=$Lista and !disabled)]; :log error message=("[AddressList.AddIP-RSociales
Duplicate-Info ( ".($X-1)." ), A: (".($Address).") – Lista: (".($Lista).")]");}}}};
:delay 10ms;};
# -------------------------------------------------- [Proccess.End]
:set HoraFIN ([/system clock get time]); :log warning message=(“[AddressList.AddIP-
RSociales (FIN), duracion: (”.($HoraFIN-$HoraINI).”)]”);} else={:log error
message=(“[AddressList.AddIP-RSociales Activos: ( “.($CountProcc-1).” )]”);};
/system script environment remove [find name="AddressListTAdd"];
# Nota: mientras mas veces se ejecuta, mejor marca dicho trafico. Se producen
algunos (script error: no such item (4)), que infiero se debe a un error interno
del proceso (find (…) del foreach). (!negative), excluye los (type=unknown).
# AddressList.Ctrl (RedesSociales):
-----------------------------------------------------
# Name: AddressList.Ctrl (RedesSociales)
# comment=”C+: ( AddressList.Ctrl (Redes Sociales) )”
# -----------------------------------------------
# Funcion transforma Fecha en Nro (Fecha+Hora)
:local DateTimeToNro do={:local NroX; :local MC
("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec"); :local
DiaX ([pick $1 4 6]); :local MesCX ([pick $1 0 3]); :local MesX ([find $MC $MesCX -
1]+1); :if ($MesX<10) do={:set MesX (“0”.$MesX);}; :local AnioX ([pick $1 7
11]); :set NroX ($AnioX.$MesX.$DiaX); :if ([len $1]>12) do={:local HoraX ([pick $1
12 14]); :local MinX ([pick $1 15 17]); :local SegX ([pick $1 18 20]); :set NroX
($NroX.$HoraX.$MinX.$SegX);} else={:set NroX ($NroX.”000000”);}; return ([tonum
$NroX]);}
# -----------------------------------------------
# Funcion Incrementa Fecha en Dias (DiaMesAnioNr, DiasToIncr)
:local FechaIncr do={
# -------------------------
# Funcion calcula Dias del Mes (Mes, Anio)
{f de f}
:local DiasMes do={:local Dias; :if ($1=1 or $1=3 or $1=5 or $1=7 or $1=8 or $1=10
or $1=12) do={:set Dias (31);} else={:if ($1=4 or $1=6 or $1=9 or $1=11) do={:set
Dias (30);} else={:if ((((($2)/400)*400)=$2) or ((((($2)/4)*4)=$2) and
(((($2)/100)*100)!=$2))) do={:set Dias (29);} else={:set Dias (28);}}}; :return
([tonum $Dias]);}
# ----------------------------------------------- (Code Main de FechaIncr)

:local FechaHoraStr ([tostr $1]); :local AnioX ([tonum [pick $FechaHoraStr 0
4]]); :local MesX ([tonum [pick $FechaHoraStr 4 6]]); :local DiaX ([tonum [pick
$FechaHoraStr 6 8]]); :local HoraX ([tonum [pick $FechaHoraStr 8 14]]); :local
DiasToIncr ($2); :while ($DiasToIncr>[$DiasMes $MesX $AnioX]) do={:set DiasToIncr
($DiasToIncr-[$DiasMes $MesX $AnioX]); :if ($MesX<12) do={:set MesX ($MesX+1);}
else={:set AnioX ($AnioX+1); :set MesX (1);}}; :if (($DiaX+$DiasToIncr)>[$DiasMes
$MesX $AnioX]) do={:set DiasToIncr ($DiasToIncr-([$DiasMes $MesX $AnioX]-
$DiaX)); :set DiaX ($DiasToIncr); :if ($MesX<12) do={:set MesX ($MesX+1);}
else={:set AnioX ($AnioX+1); :set MesX (1);}} else={:set DiaX ($DiaX+
$DiasToIncr);}; :return (((($AnioX*10000)+($MesX*100)+($DiaX))*1000000)+[tonum
$HoraX]);}
# ------------------------------------ (Code Main de AddressList.Ctrl

(RedesSociales))
:local TimeDisableQoS ([tonum 180]); #
(en dias)
:local TimeRemoveQoS ([tonum 365]); #
(en dias)
# Nota: si (TimeRemoveSIC>0), sii (TimeDisableSIC<TimeRemoveSIC).
# -------------------------------------
:local HoraINI;
:local HoraFIN;
:foreach x in [/system script job find (script="AddressList.AddIP-RSociales" or
script="AddressList.Ctrl (RedesSociales)")] do {:set CountProcc ($CountProcc+1);};
# Cant de proccess vinculantes activos
:if ($CountProcc=1) do={
# --------------------------------------- [Proccess.Ini (x Off Proccess Vinculant)]
:set HoraINI ([/system clock get time]);
# ------------------------------ [Address-List (RS).Disable/Remove]
# :log info message=("[AddressList.Ctrl (RedesSociales) (INI:
Disable/Remove)]"); :if ($TimeDisableQoS>0) do={:local DateTimeAct ([/system clock
get date].” ”.[/system clock get time]); :local CreationTime; :foreach i in=[/ip
firewall address-list find (comment~”C\\+: QoS \\( ”)] do={:set CreationTime ([/ip
firewall address-list get $i creation-time]); :if ($TimeRemoveQoS>0 and
(([$FechaIncr ([$DateTimeToNro $CreationTime]) $TimeRemoveQoS])<=[$DateTimeToNro
$DateTimeAct])) do={[/ip firewall address-list set $i disable=no]; [/ip firewall
address-list set $i timeout=10s];} else={:if (([$FechaIncr ([$DateTimeToNro
$CreationTime]) $TimeDisableQoS])<=[$DateTimeToNro $DateTimeAct]) do={[/ip firewall
address-list set $i disable=yes];}}}};
# ------------------------------ [Address-List (RS).DNS-Reuse.Remove]
:log info message=("[AddressList.Ctrl (RedesSociales) (INI: DNS-Reuse.Remove)]");
# Opciones a ponderar: (comment~”C\\+: QoS \\( ”) vs (list~“S-“)
# --------------------------------------- [AddressList-Services.Info]
:local CNAMECant (0); :local ACant (0); :local noDNSCacheCant (0); :local ErrorCant
(0); :local TotalS; :local Comment; :foreach i in=[/ip firewall address-list find
(list~“S-“ and !disabled)] do={:set Comment ([/ip firewall address-list get $i
comment]); :if ([find $Comment ”- [ CNAME ] -” 0]>0) do={:set CNAMECant
($CNAMECant+1);} else={:if ([find $Comment ”- [ A ] -” 0]>0) do={:set ACant
($ACant+1);} else={:if ([find $Comment ”- [ no-DNSCache ] -” 0]>0) do={:set
noDNSCacheCant ($noDNSCacheCant+1);} else={:set ErrorCant ($ErrorCant
+1);}}}}; :set TotalS ($CNAMECant+$ACant+$noDNSCacheCant+$ErrorCant);
# ---------------------------------------
:log info message=("[ AddressList.Ctrl (RedesSociales) AddressList.Total-Info,
CNAME: (".($CNAMECant).") – A: (".($ACant).") – no-DNSCache: (".
($noDNSCacheCant).") – Error: (".($ErrorCant).") – Total: (".($TotalS).")]");
# ---------------------------------------
:local CreationTime; :local Address; :local X; :local PosT (1); :foreach i in=[/ip
firewall address-list find (list~“S-“ and !disabled)] do={:set Address ([/ip
firewall address-list get $i address]); :set CreationTime (“jan/01/2000 00:00:00”);
:set X (1); :foreach j in=[/ip firewall address-list find (address=$Address and !
disabled)] do={:if ([$DateTimeToNro $CreationTime]<=[$DateTimeToNro ([/ip firewall
address-list get $j creation-time])]) do={:set CreationTime ([/ip firewall address-
list get $j creation-time]);};
# --------------------------------------------------
# :log info message=("[AddressList.Ctrl (RedesSociales) Specific-Info ( ".($X)." ,
".($TotalS-$PosT)." ), A.AL: (".([/ip firewall address-list get $j address]).") –
L.AL: (".([/ip firewall address-list get $j list]).") – CT.AL: (".([/ip firewall
address-list get $j creation-time]).")]"); :set X ($X+1); :set PosT ($PosT+1);
# --------------------------------------------------
}; :if ($X>2) do={/ip firewall address-list remove [find (address=$Address and
creation-time!=$CreationTime and !disabled)]; :log error
message=("[AddressList.Ctrl (RedesSociales) Duplicate-Info ( ".($X-1)." ), Addr:
(".($Address).") – CT: (".($CreationTime).")]");}; :delay 10ms;};
# -------------------------------------------------- [Proccess.End]
:set HoraFIN ([/system clock get time]); :log warning message=(“[AddressList.Ctrl
(RedesSociales) (FIN), duracion: (”.($HoraFIN-$HoraINI).”)]”);} else={
# --------------------------------------- [Proccess.End-Error]
:log error message=(“[AddressList.Ctrl (RedesSociales) Activos: ( “.($CountProcc-
1).” )]”);};
# AddressList.Ctrl (ServicesIPChange):
-------------------------------------------------
# (Add), aun las que no cambian periodicamente.
# Name: AddressList.Ctrl (ServicesIPChange)
# comment=”C+: ( AddressList.Ctrl (Services IP Change) )”
# -----------------------------------------------
# Funcion transforma Fecha en Nro (Fecha+Hora)
:local DateTimeToNro do={:local NroX; :local MC
DiaX ([pick $1 4 6]); :local MesCX ([pick $1 0 3]); :local MesX ([find $MC $MesCX -
1]+1); :if ($MesX<10) do={:set MesX (“0”.$MesX);}; :local AnioX ([pick $1 7
11]); :set NroX ($AnioX.$MesX.$DiaX); :if ([len $1]>12) do={:local HoraX ([pick $1
12 14]); :local MinX ([pick $1 15 17]); :local SegX ([pick $1 18 20]); :set NroX
($NroX.$HoraX.$MinX.$SegX);} else={:set NroX ($NroX.”000000”);}; return ([tonum
$NroX]);}
# -----------------------------------------------
# Funcion Incrementa Fecha en Dias (DiaMesAnioNr, DiasToIncr)
:local FechaIncr do={
# -------------------------
# Funcion calcula Dias del Mes (Mes, Anio)
{f de f}
:local DiasMes do={:local Dias; :if ($1=1 or $1=3 or $1=5 or $1=7 or $1=8 or $1=10
or $1=12) do={:set Dias (31);} else={:if ($1=4 or $1=6 or $1=9 or $1=11) do={:set
Dias (30);} else={:if ((((($2)/400)*400)=$2) or ((((($2)/4)*4)=$2) and
(((($2)/100)*100)!=$2))) do={:set Dias (29);} else={:set Dias (28);}}}; :return
([tonum $Dias]);}
# ----------------------------------------------- (Code Main de FechaIncr)

:local FechaHoraStr ([tostr $1]); :local AnioX ([tonum [pick $FechaHoraStr 0
4]]); :local MesX ([tonum [pick $FechaHoraStr 4 6]]); :local DiaX ([tonum [pick
$FechaHoraStr 6 8]]); :local HoraX ([tonum [pick $FechaHoraStr 8 14]]); :local
DiasToIncr ($2); :while ($DiasToIncr>[$DiasMes $MesX $AnioX]) do={:set DiasToIncr
($DiasToIncr-[$DiasMes $MesX $AnioX]); :if ($MesX<12) do={:set MesX ($MesX+1);}
else={:set AnioX ($AnioX+1); :set MesX (1);}}; :if (($DiaX+$DiasToIncr)>[$DiasMes
$MesX $AnioX]) do={:set DiasToIncr ($DiasToIncr-([$DiasMes $MesX $AnioX]-
$DiaX)); :set DiaX ($DiasToIncr); :if ($MesX<12) do={:set MesX ($MesX+1);}
else={:set AnioX ($AnioX+1); :set MesX (1);}} else={:set DiaX ($DiaX+
$DiasToIncr);}; :return (((($AnioX*10000)+($MesX*100)+($DiaX))*1000000)+[tonum
$HoraX]);}
# -------------------------------- (Code Main de AddressList.Ctrl

(ServicesIPChange))
:local TimeDisableSIC ([tonum 30]);
# (en dias)
:local TimeRemoveSIC ([tonum 60]); #
(en dias)
# Nota: si (TimeRemoveSIC>0), sii (TimeDisableSIC<TimeRemoveSIC).
# -----------------------------------------------
:local DNSX;
:local AddressX;
:local ListX;
:local IPtoResolver (“www.cuevana2.com:A-
ENACOMDROP.List@Dynamic*www.cuevana3.co:A-ENACOMDROP.List@Dynamic
*cuevana2espanol.com:A-ENACOMDROP.List@Static*www.cuevana.com:A-
ENACOMDROP.List@Static*cuevana.io:A-ENACOMDROP.List@Static*”);
# Constituir según necesidades, ordenadas por ListX (Dynamic/Static).
:local IPtoResolverX ($IPtoResolver);
:local IPtoResolverX1 ($IPtoResolver);
# ------------------------------------------------------------------- [Address-
List.Add]
:while ([len $IPtoResolver]>0) do={:set DNSX ([pick $IPtoResolver 0 ([find
$IPtoResolver “:”])]); :set ListX ([pick $IPtoResolver ([find $IPtoResolver “:”]+1)
([find $IPtoResolver “@”])]); :set IPtoResolver ([pick $IPtoResolver ([find
$IPtoResolver “*”]+1) [len $IPtoResolver]]); :do {:set AddressX ([resolve $DNSX]);}
on-error={:set AddressX (0.0.0.0); :log error message=("[AddressList-
Add.ServiceIPChange: (".($AddressX).") – (".($DNSX).") – (".($ListX).")]");}; :if
($AddressX!=0.0.0.0 and [/ip firewall address-list find (list=$ListX and
address=$AddressX)]=””) do={/ip firewall address-list add list=$ListX
address=$AddressX comment=(“C+: SIC ( [ ”.($ListX).” ] – [ “.($DNSX).” ] )”)
disable=no;}};
# --------------------------- [Address-List (ServiceIPChange).Disable/Remove]
:if ($TimeDisableSIC>0) do={:local ListXAnt (””); :local CommentX; :local
TypeX; :local DateTimeAct ([/system clock get date].” ”.[/system clock get
time]); :while ([len $IPtoResolverX]>0) do={:set ListX ([pick $IPtoResolverX ([find
$IPtoResolverX “:”]+1) ([find $IPtoResolverX “@”])]); :set TypeX ([pick
$IPtoResolverX ([find $IPtoResolverX “@”]+1) ([find $IPtoResolverX “*”])]); :set
IPtoResolverX ([pick $IPtoResolverX ([find $IPtoResolverX “*”]+1) [len
$IPtoResolverX]]); :if ($ListX!=$ListXAnt) do={:set ListXAnt ($ListX); :local
CreationTime; :foreach i in=[/ip firewall address-list find (list=$ListX)] do={:set
CreationTime ([/ip firewall address-list get $i creation-time]); :set CommentX
([/ip firewall address-list get $i comment]); :set DNSX ([pick $CommentX ([find
$CommentX “ ] – [ “]+7) ([find $CommentX “ )“]-2)]); :set TypeX ([pick
$IPtoResolverX1 ([find $IPtoResolverX1 $DNSX]) ([len $IPtoResolverX1])]); :set
TypeX ([pick $TypeX ([find $TypeX “@”]+1) ([find $TypeX “*”])]); :if
($TypeX=”Dynamic”) do={:if ($TimeRemoveSIC>0 and (([$FechaIncr ([$DateTimeToNro
$CreationTime]) $TimeRemoveSIC])<=[$DateTimeToNro $DateTimeAct])) do={[/ip firewall
address-list set $i disable=no]; [/ip firewall address-list set $i timeout=10s];}
else={:if (([$FechaIncr ([$DateTimeToNro $CreationTime])
$TimeDisableSIC])<=[$DateTimeToNro $DateTimeAct]) do={[/ip firewall address-list
set $i disable=yes];}}}}}}};
# Nota: usado, para (Add IPs) de servicios que la cambian x time. Ahora, si además
de cambiarlas, las reiutiliza para otros servicios, tendría que establecerse un
TimeLaps. Recordar que: address-list add.IP, aun si existe, pero (disabled).
# RB.AddressList-ImportnoDNSCache: ------------------------------------------------
# Name: RB.AddressList-ImportnoDNSCache
# comment=”R+: ( RB.AddressList-ImportnoDNSCache )”
# ------------------------------------------------
:local File “AddressList.noDNSCache.txt”;
:local ListaXContenido;
:local ListX;
:local CommentX;
:local AddressX;
:local AddressSX;
:if ([len [/file find name=$File]]!=0) do={:set ListaXContenido ([/file get $File
contents]); :if ([len $ListaXContenido]>0) do={:set ListX ([pick $ListaXContenido 0
([find $ListaXContenido “\n”])]); :set ListaXContenido ([pick $ListaXContenido
([find $ListaXContenido “\n”]+1) ([len $ListaXContenido])]); :set CommentX (“C+:
QoS ( [ “.([pick $ListX 2 ([find $ListX “.List”])]).” ] - [ no-DNSCache ] -
[ -------- ] )”); :while ([len $ListaXContenido]>0) do={:if ([find $ListaXContenido
“ ”]<0 or [find $ListaXContenido “ ”]>[find $ListaXContenido “\n”]) do={:set
AddressX ([pick $ListaXContenido 0 ([find $ListaXContenido “\n”])]);} else={:set
AddressX ([pick $ListaXContenido 0 ([find $ListaXContenido “ ”])]);}; :set
AddressSX ($AddressX);
# -------------------------------------------------- [Manejo de IP.Errors (no-
Funca)]
# :set AddressX ([toip $AddressX]); :if ([typeof $AddressX]!=”ip”) do={:do {
# -------------------------------------------------- [Resolve.Prob]
# :set AddressX ([resolve $AddressX]);} on-error={
# -------------------------------------------------- [Resolve.Failure]
# :log error message=("[AddressList.ImportnoDNSCache DNS.Resolve-Failure, Addr: (".
($AddressSX).")]"); :set AddressX (0.0.0.0);}};
# --------------------------------------------------
:if ($AddressX!=0.0.0.0) do={/ip firewall address-list remove [find
(address=$AddressX and list=$ListX)]; /ip firewall address-list add list=$ListX
address=$AddressX comment=$CommentX disable=yes;};
# --------------------------------------------------
:set ListaXContenido ([pick $ListaXContenido ([find $ListaXContenido “\n”]+1) ([len
$ListaXContenido])]);}}; /file remove $File;} else={:log error
message=(“[Error.Address-List ImportnoDNSCache]: Empty”);};
# Nota: (TXT.Conntent: Lista\n + <IP, IP/XX, IP.Ini-IP.Fin, DNS>\n + \n\r).
# RB.AddressListX-ExportSpecificList:
--------------------------------------------------
# Name: RB.AddressListX-ExportSpecificList
# comment=”Rx: ( RB.AddressListX-ExportSpecificList )”
# /ip firewall address-list print file=”Address-L” where (list="A-
ENACOMDROP.List"); # Alternativa poco eficiente en
tamaño.
:local ListaXContenido ””; # Error, si
(tamaño>4K)
:local File “Address-L”;
:foreach x in=[/ip firewall address-list find (list="A-ENACOMDROP.List")] do={:set
ListaXContenido ($ListaXContenido.[/ip firewall address-list get $x
list].”&:&“.[/ip firewall address-list get $x address].”&-&“.[/ip firewall address-
list get $x creation-time].”&+&“.[/ip firewall address-list get $x
comment].”&*&“);}; :if ([len $ListaXContenido]>0 and [len $ListaXContenido]<4097)
do={/file print file=$File; :delay 2s; /file set $File contents=$ListaXContenido;}
else={:log error message=(“[Error.Address-List ExportSpecificList]: (>4K)”);};
# Nota: establecer condición: (list=”__.List”…) según corresponda.
# RB.AddressListX-ImportSpecificList:
--------------------------------------------------
# Name: RB.AddressListX-ImportSpecificList
# comment=”Rx: ( RB.AddressListX-ImportSpecificList )”;
:local File “Address-L.txt”;
:local ListaXContenido;
:local ListX;
:local AddressX;
:local CreationTimeX;
:local CommentX;
:if ([len [/file find name=$File]]!=0) do={:set ListaXContenido ([/file get $File
contents]); :if ([len $ListaXContenido]>0) do={:while ([len $ListaXContenido]>0)
do={:set ListX ([pick $ListaXContenido 0 ([find $ListaXContenido “&:&”])]); :set
AddressX ([pick $ListaXContenido ([find $ListaXContenido “&:&”]+3) ([find
$ListaXContenido “&-&”])]); :set CreationTimeX ([pick $ListaXContenido ([find
$ListaXContenido “&-&”]+3) ([find $ListaXContenido “&+&”])]); :set CommentX ([pick
$ListaXContenido ([find $ListaXContenido “&+&”]+3) ([find $ListaXContenido
“&*&”])]); :set ListaXContenido ([pick $ListaXContenido ([find $ListaXContenido
“&*&”]+3) [len $ListaXContenido]]); :if ([/ip firewall address-list find
(list=$ListX and address=$AddressX)]=””) do={/ip firewall address-list add
list=$ListX address=$AddressX comment=$CommentX disable=yes;}}}; /file remove
$File;} else={:log error message=(“[Error.Address-List ImportSpecificList]:
Empty”);};
# RB.Restore-AddressListRSC:
----------------------------------------------------------
# Name: RB. Restore-AddressListRSC
# comment=”Rx: ( RB.Restaura AddressList (RSC) )”
/ip firewall address-list remove [find]; # Borra all
AddressList.IPs
/import file=AddressList.rsc;
# RB.BackUp-AddressListRSC:
----------------------------------------------------------
# Name: RB.BackUp-AddressListRSC
# comment=”R+: ( RB.BackUp-AddressList (RSC) )”
# -----------------------------------------------
# Función IP.Test: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Proceso)
:local TestConn do={:local PLoss ($3+1); :local AvgRTT ($4+1); :local
MaxRTT; :local PRecibidos; :local PEnviados; :local LogMsg; :local DisabledIP
(false); :if ([/ip firewall address-list find (address=$1 and list=”A-
ICMPWANSRC.List”)]="") do={/ip firewall address-list add address=$1 list=“A-
ICMPWANSRC.List“ comment=”T+: (TemporalIP x ICMP)” timeout=1m disable=no;}
else={:if ([/ip firewall address-list get value-name=disabled [find (address=$1 and
list=”A-ICMPWANSRC.List”)]]) do={/ip firewall address-list enable [/ip firewall
address-list find (address=$1 and list=”A-ICMPWANSRC.List”)]; :set DisabledIP
(true);}}; delay 10ms; /tool flood-ping $1 count=$2 size=$5 do={:if ($sent=$2)
do={:set AvgRTT ($”avg-rtt”); :set MaxRTT ($”max-rtt”); :set PEnviados $sent; :set
PRecibidos $received;}}; :if ($DisabledIP) do={/ip firewall address-list disable
[/ip firewall address-list find (address=$1)];}; :set PLoss (100-
(($PRecibidos*100)/$PEnviados)); :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]:
latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms
) – paquetes perdidos: ( $([:tostr $PLoss])% )"); :if ($PLoss<=$3 and $AvgRTT<=$4)
do={:log info message=($LogMsg); :return (“OK”)} else={:log error
message=($LogMsg); :return (“KO”)}};
# Nota: Asegurarse que IP este en Address-List (do={:beep frequency=550
length=494ms;}).
# -----------------------------------------------
/ip firewall address-list export file=AddressList; :delay 5s;
# ----------------------------------------------- [Test.Connection]
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.BackUp-AddressListRSC”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
:local Subjet (([/user get [find name=user(x)] comment]).([pick ([/system scrip get
[find name=”RB.BackUp-AddressListRSC”] comment]) 4 ([len ([/system scrip get [find
name=”RB.BackUp-AddressListRSC”] comment])])])); /tool e-mail send
to="xxx@gmail.com" subject=$Subjet body=“System : ($[/system identity get
name]) \r\nFecha : ($[/system clock get date]) \r\nHora : ($[/system
clock get time]) \r\nModelo : ($[/system resource get board-name]) \r\nIPWAN1
: ($[/ip address get [find comment~”TELCO.2.2.2.x”] value-name=address]) \r\
nEtherAux : ($[/ip address get [find comment~”EMERGENCY1”] value-
name=interface]) \r\nIPEtherAux : ($[/ip address get [find comment~”EMERGENCY1”]
value-name=address])” file=AddressList.rsc;}
# AddressList.DOSAttack-Alert:
---------------------------------------------------------
# Name: AddressList.DOSAttack-Alert
# comment=”R+: ( AddressList.DOSAttack-Alert )”
# ---------------------------------------------------
# Función Tracert.IP: (IP, Count)
:local TracertIP do={
# ------------------------
# Función Transforma de BidimUnidim.Str: (StrBidim, StrExtra) {f
de f}
:local BidiToUniStr do={:local BStr ($1); :local LineStr ””; :while ([len $BStr]>0)
do={:set LineStr ($LineStr.[pick $BStr 0 ([find $BStr “\r\n”])].$2); :set BStr
([pick $BStr ([find $BStr“\r\n”]+2) [len $BStr]]);}; :return ($LineStr);}
# ------------------------
# Función Transforma de Tracert-BidimaUnidim.Str: (TStrBidim, StrExtra) {f de f}
:local TBidiToUniStr do={
# ------------------------
# Función Elimina Char255.Izq: (StrX, Direction) {f
de f de f}
:local KillChar255 do={:local StrXA ($1); :local X (0); :local Bloq (1); :if
($2=”Der.”) do={:set X ([len $1]-1); :set Bloq (-1);}; :if ([len $StrXA]>0)
do={:while ([pick $StrXA $X]=” ”) do={:set X ($X+$Bloq);}; :if ($2=“Izq.”) do={:set
StrXA ([pick $StrXA $X [len $StrXA]]);} else={:set StrXA ([pick $StrXA 0
($X+1)]);}}; :return ($StrXA);}
# ------------------------------------- (Code Main de TBidiToUniStr)

:local BStr ($1); :local LineStr ””; :local LineStrX ””; :local LineX (1); :while
([len $BStr]>0) do={:set LineStrX ([pick $BStr 0 ([find $BStr “\r\n”])]); :if ([len
$LineStrX]>53) do={:if ([pick $LineStrX 3 5]!=” “) do={:set LineStr
($LineStr.“[ ”.$LineX.” ]: ”.([$KillChar255 ([pick $LineStrX 3 35]) “Der.”]).” – “.
([pick $LineStrX 36 40]).” – “.([pick $LineStrX 46 53]).$2);} else={:set LineStr
($LineStr.“[ ”.$LineX.” ]: ( ----- ) – “.([pick $LineStrX 36 40]).” – “.([pick
$LineStrX 46 53]).$2);}; :set LineX ($LineX+1);}; :set BStr ([pick $BStr ([find
$BStr “\r\n”]+2) [len $BStr]]);}; :return ($LineStr);}
# ------------------------------------- (Code Main de TracertIP)

:global IPT ($1); :global Count ($2); /ip firewall raw set [find comment=”014R+:
Bloqueo.Resto de InputICMP.Conn (hacia WANs)”] disable=yes; :execute {tool
traceroute count=$Count use-dns=yes $IPT} file=iptracert.txt; :delay 5s; /ip
firewall raw set [find comment=”014R+: Bloqueo.Resto de InputICMP.Conn (hacia
WANs)”] disable=no; :local STracerIP ([/file get “iptracert.txt” contents]); /file
remove “iptracert.txt”; :if ($STracerIP!=”failure: could not start”) do={:set
STracerIP ([pick $STracerIP ([find $STracerIP “\r\n”]+2) ([len $STracerIP])]); :set
STracerIP (“[ Tracert. ”.$IPT.” ]:
--------------------------------------------------------------- ”.[$TBidiToUniStr
$STracerIP " ; "]);} else={:set STracerIP (“[ Tracert. “.$IPT.” ]:
--------------------------------------------------------------- ”.$STracerIP);};
/system script environment remove [find name="IPT"]; /system script environment
remove [find name="Count"]; :return ($STracerIP);}
# Nota: por alguna razón (IPT/Count {cant. de intentos}), debe ser global.
# ------------------------------------------------
# Función devuelve Time Absoluto según concatenación de Dia+Hora: (Fecha,Hora)
:local AbsTime do={:local TimeX “”; :local Mx
MesAct ([find $Mx ([pick $1 0 3]) -1]+1); :if ($MesAct<10) do={:set MesAct (“0”.
$MesAct);}; :set TimeX ([pick $1 7 11].$MesAct.[pick $1 4 6].[pick $2 0 2].[pick $2
3 5].[pick $2 6 8]); :return ($TimeX);}
# ---------------------------------------- (Code Main de AddressList.DOSAttack-

Alert)
:global DOSRegistroH; # En caso de ataque masivo, limpiar manualmente
:local TracertSend “NO”; # Envio TelegramAlert con (tracerout IP)
:local TimeAct ([$AbsTime ([/system clock get date]) ([/system clock get time])]);
:local DOSRegistro “”;
:local Listx “”;
:local IPx;
:local TimeOx;
:local Commentx “”;
:local Cont 0;
:local TimeLastC;
:local PosTF;
:local TimeCreatx;
:if ([/ip firewall address-list find (list~"T-DOS" and timeout>59s)]!=””)
do={/system script run AddressList.Ident-Client; /system script run
AddressList.Ident-Address; :delay 10s; :foreach x in=[/ip firewall address-list
find (list~"T-DOS" and timeout>29s)] do={:set Listx ([/ip firewall address-list get
$x list]); :set IPx ([/ip firewall address-list get $x address]); :set TimeOx ([/ip
firewall address-list get $x timeout]); :set Commentx ([/ip firewall address-list
get $x comment]); :if ([len $Commentx]=0) do={:set Commentx (“---(Error.Script-
Ident)---”);}; :set TimeCreatx ([/ip firewall address-list get $x creation-
time]); :set TimeCreatx ([$AbsTime [pick $TimeCreatx 0 11] [pick $TimeCreatx 12
21]]); :if ($DOSRegistroH~($IPx.”&”.$Listx.”%”)) do={:set PosTF ([find
$DOSRegistroH ($IPx.”&”.$Listx.”%”)]+[len [tostr $IPx]]+[len $Listx]+2); :set
TimeLastC ([pick $DOSRegistroH $PosTF ($PosTF+14)]); :if ($TimeCreatx>$TimeLastC)
do={:set Cont ($Cont+1); :set DOSRegistro ($DOSRegistro.(”[ ”.$Cont.” : ”.$Listx.”
”.$IPx.” “.$TimeOx.” ”.[pick $Commentx 0 450].” ] ”)); :set $DOSRegistroH ([pick
$DOSRegistroH 0 $PosTF].$TimeAct.[pick $DOSRegistroH ($PosTF+14) [len
$DOSRegistroH]]);}} else={:set Cont ($Cont+1); :set DOSRegistro ($DOSRegistro.
(”[ ”.$Cont.” : ”.$Listx.” ”.$IPx.” “.$TimeOx.” ”.[pick $Commentx 0 450].” ]
”)); :set DOSRegistroH ($DOSRegistroH.$IPx.”&”.$Listx.”%”.$TimeAct.”*”);}}; :if
([len $DOSRegistro]>0) do={:global TelegramMessage (“[DOS-Attack.Alert]:
------------ ( ”.([/system identity get name]).” ) -------------- ”.
($DOSRegistro)); /system script run RB.Telegram-MessageAlert; :delay 2s; :if
($TracertSend=“SI”) do={:global TelegramMessage ([$TracertIP $IPx 1]); /system
script run RB.Telegram-MessageAlert; :delay 2s;}}} else={:set DOSRegistroH (“”);};
# AddressList.Empty-!A!SComment:
----------------------------------------------------
# Name: AddressList.Empty-!A!SComment
# comment=”Rx: ( Limpia AddressList.(!A+!S)-Comment )”
:foreach x in=[/ip firewall address-list find (!(list~"A-" or list~"S-"))] do={/ip
firewall address-list set $x comment=””};
# AddressList.Empty-CComent:
---------------------------------------------------------
# Name: AddressList.Empty-CComment
# comment=”Rx: ( Limpia AddressList.(C)-Comment )”
:foreach x in=[/ip firewall address-list find (list~"C-")] do={/ip firewall
address-list set $x comment=””};
# AddressList.Empty-TComment:
-------------------------------------------------------
# Name: AddressList.Empty-TComment
# comment=”Rx: ( Limpia AddressList.(T)-Comment )”
:foreach x in=[/ip firewall address-list find (list~"T-")] do={/ip firewall
address-list set $x comment=””};
# AddressList.Ident-Address:
------------------------------------------------------------
# Name: AddressList.Ident-Address
# comment=”R+: ( AddressList.Ident-Address )”
# Es aconsejable, previamente borrar el (log)/(RB.Reboot) – por duplicaciones – y,
remover la variable global (MACLANDrop) al finalizar análisis de MACs.
# ----------------------------------------------
# Función cambia a mayúscula una MAC: (MAC)
:local UpCaseMAC do={
# ------------------------
# Función cambia a mayúscula una Hex.Letra: (Char) {función de función}
:local UpCaseHexL do={:local HexDw (“abcdef”); :local HexUp (“ABCDEF”); :if ([tonum
$1]<0 and !([find $HexDw $1]<0)) do={:set $1 [pick $HexUp ([find $HexDw $1]) ([find
$HexDw $1]+1)];}; return ($1)}
# ------------------------
:local MACUpC “”; :local z 0; :while (z<16) do={:set MACUpC ($MACUpC.[$UpCaseHexL
([pick $1 $z ($z+1)])].[$UpCaseHexL ([pick $1 ($z+1) ($z+2)])].”:”); :set z
($z+3);}; :return ([pick $MACUpC 0 ([:len $MACUpC]-1)])}
# ----------------------------------------------
# Función Identifica IP: (IP,MAC)
# Solo funciona con (/24).
:local IPIdent do={
# ------------------------------
# Función devuelve Whois IP-Public: (IP-Public)
{f de f}
:local WhoisIP do={
# ----------------------------------------------
# Función Elimina Char255.Izq: (StrX, Direction) {f
de f de f}
:local KillChar255 do={:local StrXA ($1); :local X (0); :local Bloq (1); :if
($2=”Der.”) do={:set X ([len $1]-1); :set Bloq (-1);}; :if ([len $StrXA]>0)
do={:while ([pick $StrXA $X]=” ”) do={:set X ($X+$Bloq);}; :if ($2=“Izq.”) do={:set
StrXA ([pick $StrXA $X [len $StrXA]]);} else={:set StrXA ([pick $StrXA 0
($X+1)]);}}; :return ($StrXA);}
# --------------------------
# Función Elimina Char255.IzqxURL: (StrX, Direction, StrCharsOk) {f de f de
f}
:local KillChar255xURL do={:local StrXA ($1); :local X (0); :local CharX; :local
Bloq (1); :if ($2=”Der.”) do={:set X ([len $1]-1); :set Bloq (-1);}; :if ([len
$StrXA]>0) do={:while ([pick $StrXA $X]=” ”) do={:set X ($X+$Bloq);}; :if
($2=“Izq.”) do={:set StrXA ([pick $StrXA $X [len $StrXA]]);} else={:set StrXA
([pick $StrXA 0 ($X+1)]);}};
# ------------ (Kill x no-encontrarse en $3)
:for rx from=0 to=([len $StrXA]-1) do={:while ([find $3 ([pick $StrXA $rx])]<0)
do={:set CharX ([pick $StrXA $rx]); :set StrXA (([pick $StrXA 0 ([find $StrXA
$CharX])]).“ ”.([pick $StrXA ([find $StrXA $CharX]+1) [len $StrXA]]));}};
# ------------ (Kill x encontrarse en $3, no funciona en RouterOS: “ñÑ$#&¿?”)
# :for rx from=0 to=([len $3]-1) do={:while ([find $StrXA ([pick $3 $rx])]>=0)
do={:set CharX ([pick $3 $rx]); :set StrXA (([pick $StrXA 0 ([find $StrXA
$CharX])]).“ ”.([pick $StrXA ([find $StrXA $CharX]+1) [len $StrXA]]));}};
# ------------
:return ($StrXA);}
# ---------------------------------------------- (Code Main de WhoisIP)

:local ICANN (“(ARIN): America.Anglo-Sajona*(RIPE NCC): Europa, Oriente.Medio y
Asia.Central*(APNIC): Asia y Region.Pacifico*(LACNIC): America.Latina y el
Caribe*(AfriNIC): Africa*(Direct Assignment): Ubicacion desconocida*”); :local
Owner (” “); :local NetName (” “); :local NetType (” “); :local IPGPS (” “); :local
OriginAS (” “); :local Country (” “); :local Responsible (” “); :local Address (”
“); :local Phone (” “); :local Organization (” “); :local City (” “); :local CIDR
(” “); :local Email (” “); :local WhoisX (“”); :local Type; :local FileT
(“ipwhois.txt“); # o ("\?q=".
$1);
# ----------------------
/tool fetch url=(”http://whois.arin.net/rest/ip/$1.txt”) mode=http dst-
path=($FileT);
# /tool fetch url=(“https://api.hackertarget.com/whois/\?q=”.$1) mode=https dst-
path=($FileT);
# Nota: Limitacion: (FileT<=4K). El (X/X/X), banearon nuestros IPv4 en (RIPE NCC x
https://api.hackertarget.com/whois/).
# ----------------------
:delay 2s; # usado too, x reducir la prob. de baneo x alguna entidad de (ICANN).
:local IPWhoisX ([/file get ($FileT) contents]); :local IPWhoisX1 (“”); :local
SCharsOk (“abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789–-*/@.;,)
(_:[]{%}”); /file remove ($FileT);
:if ([len $IPWhoisX]>0) do={
# ----------------------
:if ([find $IPWhoisX “NetType:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “NetType:”]) ([len $IPWhoisX])]); :set NetType ([$KillChar255xURL ([pick
$IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :if ([find $NetType “to”]>0) do={:set NetType ([pick $NetType ([find
$NetType “to”]+3) ([len $NetType])]); :set Type ($NetType);} else={:set Type ([pick
$NetType 0 7]);}; :set IPGPS ([pick $ICANN [find $ICANN $Type] [len $ICANN]]); :set
IPGPS ([pick $IPGPS ([find $IPGPS “):”]+3) ([find $IPGPS “*”])]); :set WhoisX
($WhoisX.$IPGPS.” - ”); :set WhoisX ($WhoisX.$NetType.” - ”);};
# ----------------------
:if ([find $IPWhoisX “owner:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “owner:”]) ([len $IPWhoisX])]); :set Owner ([$KillChar255xURL ([pick
$SCharsOk]); :set WhoisX ($WhoisX.$Owner.” - ”);};
# ----------------------
:if ([find $IPWhoisX “responsible:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “responsible:”]) ([len $IPWhoisX])]); :set Responsible ([$KillChar255xURL
([pick $IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :set WhoisX ($WhoisX.$Responsible.” - ”);};
# ----------------------
:if ([find $IPWhoisX “ddress:”]>0) do={:set IPWhoisX1 ($IPWhoisX); :while ([find
$IPWhoisX1 “ddress:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX1 ([find $IPWhoisX1
“ddress:”]+6) ([len $IPWhoisX1])]); :set Address ([$KillChar255xURL ([pick
$SCharsOk]); :if ([find $WhoisX ($Address.” - ”)]=-1) do={:set WhoisX ($WhoisX.
$Address.” - ”);}}};
# ----------------------
:if ([find $IPWhoisX “hone:”]>0) do={:set IPWhoisX1 ($IPWhoisX); :while ([find
$IPWhoisX1 “hone:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX1 ([find $IPWhoisX1
“hone:”]+4) ([len $IPWhoisX1])]); :set Phone ([$KillChar255xURL ([pick $IPWhoisX1
([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.” $SCharsOk]); :if ([find
$WhoisX ($Phone.” - ”)]=-1) do={:set WhoisX ($WhoisX.$Phone.” - ”);}}};
# ----------------------
:if ([find $IPWhoisX “City:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “City:”]) ([len $IPWhoisX])]); :set City ([$KillChar255xURL ([pick
$SCharsOk]); :set WhoisX ($WhoisX.$City.” - ”);};
# ----------------------
:if ([find $IPWhoisX “country:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “country:”]) ([len $IPWhoisX])]); :set Country ([$KillChar255xURL ([pick
$SCharsOk]); :set WhoisX ($WhoisX.$Country.” - ”);};
# ----------------------
:if ([find $IPWhoisX “Organization:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “Organization:”]) ([len $IPWhoisX])]); :set Organization
([$KillChar255xURL ([pick $IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\
n”]]) “Izq.” $SCharsOk]); :set WhoisX ($WhoisX.$Organization.” - ”);};
# ----------------------
:if ([find $IPWhoisX “NetName:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “NetName:”]) ([len $IPWhoisX])]); :set NetName ([$KillChar255xURL ([pick
$SCharsOk]); :set WhoisX ($WhoisX.$NetName.” - ”);};
# ----------------------
:if ([find $IPWhoisX “mail:”]>0) do={:set IPWhoisX1 ($IPWhoisX); :while ([find
$IPWhoisX1 “mail:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX1 ([find $IPWhoisX1
“mail:”]+4) ([len $IPWhoisX1])]); :set Email ([$KillChar255xURL ([pick $IPWhoisX1
([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.” $SCharsOk]); :if ([find
$WhoisX ($Email.” - ”)]=-1) do={:set WhoisX ($WhoisX.$Email.” - ”);}}};
# ----------------------
:if ([find $IPWhoisX “CIDR:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “CIDR:”]) ([len $IPWhoisX])]); :set CIDR ([$KillChar255xURL ([pick
$SCharsOk]); :set WhoisX ($WhoisX.$CIDR.” - ”);};
# ----------------------
:if ([find $IPWhoisX “OriginAS:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “OriginAS:”]) ([len $IPWhoisX])]); :set OriginAS ([$KillChar255xURL
([pick $IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :set WhoisX ($WhoisX.$OriginAS.” - ”);};
# ----------------------
:set WhoisX ([pick $WhoisX 0 ([len $WhoisX]-3)]);} else={:set WhoisX
(“Error.WhoisIP-Inaccesible”);}; :return ($WhoisX);}
# ------------------------------
# Función Identifica-Cliente: (IP,Rango1,Rango2,Rango3,…) {f
de f}
:local ClientIdent do={
:local RegistroX (“IP.OutRange”);
:if ([pick $1 0 [len $2]]=$2 or [pick $1 0 [len $3]]=$3 or [pick $1 0 [len $4]]=$4)
do={:if ([/queue simple find (target=($1."/32"))]!="") do={:set RegistroX ([/queue
simple get value-name=name [find target=($1."/32")]]); :if ([find $RegistroX
“_Libre ”]<0) do={:set RegistroX ([pick $RegistroX 0 77]);} else={:set RegistroX
(”( Libre )”);}} else={:set RegistroX (”[Error-QS.IPFaltante]”);}}; :return
($RegistroX);}
# Nota: disponer en fila, los rangos de IP sin ceros a la izq., según corresponda.
# ------------------------------ (Code Main de IPIdent)

:global ICANNCont; :local IDOut (“ID.UnKnown”); :local RegistroY; :if ([len $2]>0
and [/ip arp find (mac-address=$2)]!=””) do={:set RegistroY ([$ClientIdent ([/ip
arp get [/ip arp find mac-address=$2] address]) ”1.2.A” ”1.2.B” ”1.2.C”]); :set
IDOut (($2).”,(”.([pick $RegistroY 0 25]).“=”.[/ip arp get [/ip arp find mac-
address=$2] address].”).”.[/ip arp get [/ip arp find mac-address=$2] interface]);}
else={:if ([/ip arp find (address=$1)]!=””) do={:set IDOut ([/ip arp get [/ip arp
find address=$1] mac-address].”,(”.($1).”).”.[/ip arp get [/ip arp find address=$1]
interface]);} else={:if ($ICANNCont<10) do={:set IDOut ([$WhoisIP $1]); :set
ICANNCont ($ICANNCont+1);} else={:set IDOut (“Error.WhoisIP-LimitAlcanzado”);}; :if
([len $2]>0) do={:set IDOut ($2.”,(”.$IDOut.”).WANX”);}}}; :return ($IDOut)}
# Nota: recordar que (10*RB.Cant<Min(ICANN.Limit-Consult)).
# ------------------------------------- [Code Main de AddressList.Ident-Address]

# -------------------------------------[Registro Regional de Internet: NRO+]
# (ARIN): America.Anglo-Sajona.
# (RIPE NCC): Europa, Oriente.Medio y Asia.Central.
# (APNIC): Asia y Region.Pacifico.
# (LACNIC): America.Latina y el Caribe.
# (AfriNIC): Africa.
# (Direct Assignment/Allocation): Ubicación desconocida.
# -------------------------------------
:global MACLANDrop “”; # Guarda all (MAC) de T-DOS___.List (empty)
:global ICANNCont (0); # Contador de consultas a entidades ICANN
:local IPx;
:local Listx;
:local IDClientx;
:local MACx “”;
:local Registro “”;
:local Encontrado;
:foreach x in=[/ip firewall address-list find (!comment and list~"T-")] do={:set
IPx ([/ip firewall address-list get $x address]); :set Listx ([/ip firewall
address-list get $x list]); :if (($Listx~"T-DOS" and [/log find (message~"DOS-” and
message~"src-mac” and message~$IPx)]!=””) or ($Listx~"T-VPN" and [/log find
(message~"VPN-” and message~"src-mac” and message~$IPx)]!=””)) do={:foreach y
in=[(($Listx~"T-DOS" and [/log find (message~"DOS-” and message~"src-mac” and
message~$IPx)]!=””) or ($Listx~"T-VPN" and [/log find (message~"VPN-” and
message~"src-mac” and message~$IPx)]!=””))] do={:set Registro ([/log get $y
message]);}; :set MACx ([pick $Registro ([find $Registro "src-mac”]+8) ([find
$Registro "src-mac”]+25)]); :set MACx ([$UpCaseMAC $MACx]); :set IDClientx
([$IPIdent $IPx $MACx]); :set MACLANDrop ($MACLANDrop.$MACx.”\r\n”); :set IDClientx
(“( “.($IDClientx).” ) – ( “.([pick $Registro ([find $Registro $IPx]) ([len
$Registro])]).” )”); /ip firewall address-list set $x comment=($IDClientx);}
else={/ip firewall address-list set $x comment=(”( ”.([$IPIdent $IPx ””]).” )”);}};
/system script environment remove [find name="ICANNCont"];
# /system script environment remove [find name="MACLANDrop"];
# Nota: usar (aplicación: WireShark), filtro (eth.addr == 6C:3B:6B:A8:13:5E), para
identificar cambios de IP. Exportar log: (/log print file=log.txt).
# AddressList.Ident-Client:
--------------------------------------------------------------
# Name: AddressList.Ident-Client
# comment=”C+: ( AddressList.Ident-Client )”
# Solo funciona con (/24).
# -----------------------------------------------
# Función Identifica-Cliente: (IP,Rango1,Rango2,Rango3,…)
:local ClientIdent do={
:local RegistroX (“IP.OutRange”);
:if ([pick $1 0 [len $2]]=$2 or [pick $1 0 [len $3]]=$3 or [pick $1 0 [len $4]]=$4)
do={:if ([/queue simple find (target=($1."/32"))]!="") do={:set RegistroX ([/queue
simple get value-name=name [find target=($1."/32")]]); :if ([find $RegistroX
“_Libre ”]<0) do={:set RegistroX ([pick $RegistroX 0 77]);} else={:set RegistroX
(”( Libre )”);}} else={:set RegistroX (”[Error-QS.IPFaltante]”);}}; :return
($RegistroX);}
# Nota: disponer en fila, los rangos de IP sin ceros a la izq., según corresponda.
# -----------------------------------------------
:local IPAL;
:local Registro;
:foreach x in=[/ip firewall address-list find (!comment)] do={:set IPAL ([/ip
firewall address-list get $x address]); :set Registro ([$ClientIdent $IPAL ”1.2.A”
”1.2.B” ”1.2.C”]); :if ($Registro!=“IP.OutRange”) do={/ip firewall address-list set
$x comment=$Registro;};};
# Nota: (77), depende de la longitud del formato para nombre de QS. (Error), no
detecta multiples IPs x Client. Run, antes de (AddressList.Ident-Address). Ej.
multiple target: ([/queue simple get value-name=name [find
target=("1.2.3.4/32”,”1.2.3.5/32”,”1.2.3.7/32")]]).
# Client.Ctrl (ABTemp):
--------------------------------------------------------------------
# Name: Client.Ctrl (ABTemp)
# comment=”C+: ( Client.Ctrl (ABTemp) )”
# -----------------------------------------------
# (+T: ).Comm: (all initial line) [+TE=20XX/0X/0X 0Xh&&ABUp%%ABDw]
# -----------------------------------------------
# Nota: (20XX/0X/0X 0Xh), fecha y hora final. (xTE=), regla inactiva.
:local Mx
("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
:local DateAct ([/system clock get date]);
:local DiaAct ([pick $DateAct 4 6]);
:local MesActP ([pick $DateAct 0 3]);
:local MesAct ([find $Mx $MesActP -1]+1);
:local AnioAct ([pick $DateAct 7 11]);
:local TimeAct ([/system clock get time]);
:local HoraAct ([pick $TimeAct 0 2]);
:if ($MesAct<10) do={:set MesAct (“0”.$MesAct);};
:local DateTimeAct ($AnioAct.$MesAct.$DiaAct.$HoraAct);
# -----------------------------------------------
:local DatePromo;
:local DiaPromo;
:local MesPromo; # No olvidar el (0) a la izquierda para
(<10).
:local AnioPromo;
:local HoraPromo;
:local DateTimePromo;
# ----------------------------------------------- [Ajustar, según actualizaciones]
:local QoSRelacion 8; # relación (max-limit(8):limit-at(1)) MT.Default=64k
:local QoSPBurstThres 75; # porcentaje (max-limit(1): limit-at(0,75))
:local QoSBurstL 2; # relación (max-limit(1):burst-limit(2))
:local UnidadUp; # x algoritmo: max-limit (min)=500k/500k
:local UnidadDw;
# -----------------------------------------------
:local QSComment;
:local QSName;
:local MaxLimitUp 0;
:local MaxLimitDw 0;
:local MaxLimitUpT “”;
:local MaxLimitDwT “”;
:local MaxLimit; # unidad: (k)
:local LimitAtUp 0;
:local LimitAtDw 0;
:local LimitAt; # unidad: (k)
:local BurstLimitUp 0;
:local BurstLimitDw 0;
:local BurstLimit;
:local BurstThresholdUp 0;
:local BurstThresholdDw 0;
:local BurstThreshold; # unidad: (k)
# -----------------------------------------------
:foreach x in=[/queue simple find (name~”\\+T: ”)] do={:set QSComment ([/queue
simple get $x comment]);
# ------------------------------------------------ [Existe (+T: )?]
:if ($QSComment~”\\+TE=”) do={:set DiaPromo ([pick $QSComment ([find $QSComment
“+TE=”]+12) ([find $QSComment “+TE=”]+14)]); :set MesPromo ([pick $QSComment ([find
$QSComment “+TE=”]+09) ([find $QSComment “+TE=”]+11)]); :set AnioPromo ([pick
$QSComment ([find $QSComment “+TE=”]+04) ([find $QSComment “+TE=”]+08)]); :set
HoraPromo ([pick $QSComment ([find $QSComment “+TE=”]+15) ([find $QSComment “+TE=”]
+17)]); :set DateTimePromo ($AnioPromo.$MesPromo.$DiaPromo.$HoraPromo);
# ------------------------------------------------ [Alcanzado Limite?]
:if ([tonum $DateTimeAct]>[tonum $DateTimePromo]) do={:set QSName ([/queue simple
get $x name]); :set QSName ([pick $QSName 4 [len $QSName]]); :set MaxLimitUpT
([pick $QSComment ([find $QSComment “&&”]+2) ([find $QSComment “%%”])]); :set
MaxLimitDwT ([pick $QSComment ([find $QSComment “%%”]+2) ([find $QSComment “]”])]);
# ------------------------------------------------ [Comment.Change]
:set QSComment ([pick $QSComment 0 ([find $QSComment “+TE=”])].”x”.([pick
$QSComment ([find $QSComment “TE=”]) [len $QSComment]]));
# :set QSComment ([pick $QSComment ([find $QSComment “]”]+1) [len $QSComment]]);
(limpieza de Comment alternativa)
# ------------------------------------------------ [AB.Change]
/queue simple set $x name=($QSName); /queue simple set $x
comment=($QSComment); :set MaxLimitUp ([tonum [pick $MaxLimitUpT 0 ([len
$MaxLimitUpT]-1)]]); :set MaxLimitDw ([tonum [pick $MaxLimitDwT 0 ([len
$MaxLimitDwT]-1)]]); :set UnidadUp ([pick $MaxLimitUpT ([len $MaxLimitUpT]-1) ([len
$MaxLimitUpT])]); :set UnidadDw ([pick $MaxLimitDwT ([len $MaxLimitDwT]-1) ([len
$MaxLimitDwT])]); :if ($UnidadUp=”M”) do={:set MaxLimitUp ($MaxLimitUp*1000);}; :if
($UnidadDw=”M”) do={:set MaxLimitDw ($MaxLimitDw*1000);}; :set LimitAtUp
($MaxLimitUp/$QoSRelacion);
:set LimitAtDw ($MaxLimitDw/$QoSRelacion); :set LimitAt ($LimitAtUp."k/".
$LimitAtDw."k"); :set MaxLimit ($MaxLimitUp."k/".$MaxLimitDw."k"); /queue simple
set $x limit-at=$LimitAt; /queue simple set $x burst-time=16/16; /queue simple set
$x max-limit=$MaxLimit; :set BurstThresholdUp
(($MaxLimitUp*$QoSPBurstThres)/100); :set BurstThresholdDw
(($MaxLimitDw*$QoSPBurstThres)/100); :set BurstThreshold ($BurstThresholdUp."k/".
$BurstThresholdDw."k"); /queue simple set $x burst-threshold=$BurstThreshold; :set
BurstLimitUp ($MaxLimitUp*$QoSBurstL); :set BurstLimitDw
($MaxLimitDw*$QoSBurstL); :set BurstLimit ($BurstLimitUp."k/".
$BurstLimitDw."k"); /queue simple set $x burst-limit=$BurstLimit; /queue simple set
$x queue=ethernet-default/ethernet-default; /queue simple set $x priority=8/8;
# ------------------------------------------------ [Change.Stat]
:log warning message=("[RB.ABTemp (Expire: $QSName) – ($DateTimeAct >
$DateTimePromo)]"); :global TelegramMessage (“[RB.ABTemp (Expire: $QSName) –
($DateTimeAct>$DateTimePromo)]”); /system script run RB.Telegram-MessageAlert;}}};
# -----------------------------------------------
# Nota: En caso de no definir (+TE=), debera aplicarse un proceso manual.
# DNSCache.Empty:
--------------------------------------------------------------------
# Name: DNSCache.Empty
# comment="Rx: ( DNSCache.Empty )"
/ip dns cache print file=DNSCache.txt; :delay 2s;
/ip dns cache flush; #
Borra all DNS.Cache
# Log.Empty:
-----------------------------------------------------------------------------
# Name: Log.Empty
# comment="Rx: ( Log.Empty )"
/log print file=Log.txt; :delay 2s;
/system logging action set memory memory-lines=1; :delay 2s; # Borra all log
/system logging action set memory memory-lines=1000; # Limita a 1000L
# QS.ChangeAB:
-------------------------------------------------------------------------
# Name: QS.ChangeAB
# comment=”C+: ( QS.ChangeAB.Si: 00/00 ] o Act.Mes/Act.Año] )”
# (QoSBurstT/16), determina el periodo de cada análisis (media de consumo de
target). Si esa media, es inferior a burst-threshold, activo ráfaga.
# -----------------------------------------------
# Función Convierte MesL en MesN (Fecha) {mejor usar
arreglo}
:local ConvertMLToN do={:local Anio ([pick $1 7 11]); :local MesL ([pick $1 0
3]); :local MesN “Error”; :if ($MesL=”jan”) do={:set MesN (“01”)} else={:if
($MesL=”feb”) do={:set MesN (“02”)} else={:if ($MesL=”mar”) do={:set MesN (“03”)}
else={:if ($MesL=”apr”) do={:set MesN (“04”)} else={:if ($MesL=”may”) do={:set MesN
(“05”)} else={:if ($MesL=”jun”) do={:set MesN (“06”)} else={:if ($MesL=”jul”)
do={:set MesN (“07”)} else={:if ($MesL=”aug”) do={:set MesN (“08”)} else={:if
($MesL=”sep”) do={:set MesN (“09”)} else={:if ($MesL=”oct”) do={:set MesN (“10”)}
else={:if ($MesL=”nov”) do={:set MesN (“11”)} else={:if ($MesL=”dec”) do={:set MesN
(“12”)}}}}}}}}}}}}; :return ($MesN.”/”.[pick $Anio 2 4])};
# ----------------------------------------------- (ajustar según actualizaciones)
:local QoSRelacion 8; # relación (max-limit(8):limit-at(1)) MT.Default=64k
:local QoSPBurstThres 75; # porcentaje (max-limit(1): limit-at(0,75))
:local QoSBurstL 2; # relación (max-limit(1):burst-limit(2))
:local UnidadUp; # x algoritmo: max-limit (min)=500k/500k
:local UnidadDw;
# -----------------------------------------------
:local MaxLimitUp 0;
:local MaxLimitDw 0;
:local MaxLimit; # unidad: (k)
:local LimitAtUp 0;
:local LimitAtDw 0;
:local LimitAt; # unidad: (k)
:local BurstLimitUp 0;
:local BurstLimitDw 0;
:local BurstLimit;
:local BurstThresholdUp 0;
:local BurstThresholdDw 0;
:local BurstThreshold; # unidad: (k)
:local ActMesAnio ([$ConvertMLToN [/system clock get date]].” ]”);
:foreach x in=[/queue simple find (name~$ActMesAnio or name~”00/00 ]”)] do={:set
MaxLimit ([/queue simple get $x max-limit]); :set MaxLimitUp ([tonum [pick
$MaxLimit 0 ([find $MaxLimit "/"]-1)]]); :set MaxLimitDw ([tonum [pick $MaxLimit
([find $MaxLimit "/"]+1) ([len $MaxLimit]-1)]]); :set UnidadUp ([pick $MaxLimit
([find $MaxLimit "/"]-1) ([find $MaxLimit "/"])]); :set UnidadDw ([pick $MaxLimit
([len $MaxLimit]-1) [len $MaxLimit]]); :if ($UnidadUp=”M”) do={:set MaxLimitUp
($MaxLimitUp*1000);}; :if ($UnidadDw=”M”) do={:set MaxLimitDw
($MaxLimitDw*1000)}; :set LimitAtUp ($MaxLimitUp/$QoSRelacion); :set LimitAtDw
($MaxLimitDw/$QoSRelacion); :set LimitAt ($LimitAtUp."k/".$LimitAtDw."k"); /queue
simple set $x limit-at=$LimitAt; /queue simple set $x burst-time=16/16; :set
BurstThresholdUp (($MaxLimitUp*$QoSPBurstThres)/100); :set BurstThresholdDw
(($MaxLimitDw*$QoSPBurstThres)/100); :set BurstThreshold ($BurstThresholdUp."k/".
$BurstThresholdDw."k"); /queue simple set $x burst-threshold=$BurstThreshold; :set
BurstLimitUp ($MaxLimitUp*$QoSBurstL); :set BurstLimitDw
($MaxLimitDw*$QoSBurstL); :set BurstLimit ($BurstLimitUp."k/".
$BurstLimitDw."k"); /queue simple set $x burst-limit=$BurstLimit; /queue simple set
$x queue=ethernet-default/ethernet-default; /queue simple set $x priority=8/8;
/queue simple set $x parent=none; /queue simple set $x total-queue=ethernet-
default;};
# ------------------------------------------------ (Restaura.__/__ ])
:local Nombre “-”;
:foreach x in=[/queue simple find (name~”00/00 ]”)] do={:set Nombre ([/queue simple
get $x name]); :set Nombre ([pick $Nombre 0 [find $Nombre “00/00
]“]].“__/__ ]“); /queue simple set $x name=$Nombre}};
# ------------------------------------------------
# Nota: RouterOS, no maneja bien los decimales, por eso ((valor*porcentaje)/100).
QueueSimple.ABChange (max-limit=burst-threshold).
# RB.BackUp-DNSCache (Email):
-------------------------------------------------------
# Name: RB.BackUp-DNSCache
# comment="R+: ( RB.BackUp-DNSCache )"
# -----------------------------------------------
length=494ms;}).
# -----------------------------------------------
# Función agrega caracteres (Izq/Der) hasta len: (Var, Donde, Char, Long)
:local AddCToLen do={:if ([len $1]<$4) do={:for r from=[len $1] to=($4-1) do={:if
($2=”Izq.”) do={:set $1 ($3.$1)} else={:set $1 ($1.$3)}}}; :return ($1)};
# ----------------------------------------------- [Test.Connection]
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.BackUp-DNSCache”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
:local FileName ([/system resource get board-name].”(DNSCache)[01].txt”);
/ip dns cache print detail file=$FileName; :delay 4s;
# ----------------------------------------------- [Inactivo debido a limit size 4K]
# /file print file=$FileName; :delay 2s; # Crea File
# /file set [find name=$FileName] contents=""; # Borra contenido x def. File-0X
# :local Line “”;
# :local TTL; # establezco como guardable todo
(ddns.ttl>10seg)
# :local Type ””;
# :local Address (0.0.0.0);
# :local AddressS “”;
# :local Name “”;
# :foreach i in=[/ip dns cache all find] do={:set Name ([/ip dns cache get $i
name]); :set AddressS ([/ip dns cache all get $i data]); :set Type ([/ip dns cache
all get $i type]); :set TTL ([/ip dns cache get $i ttl]); :if ([len $Type]>0 and
$TTL>10s) do={:set Line ($Address." – ".$AddressS." – ".$Type." – ".$Name." – ".
$TTL. " – ".[typeof $Address]); /file set $FileName contents=([/file get $FileName
contents].$Line.”\r\n”);}};
# -----------------------------------------------
[find name=”RB.BackUp-DNSCache”] comment]) 4 ([len ([/system scrip get [find
name=”RB.BackUp-DNSCache”] comment])])])); /tool e-mail send to="xxx@gmail.com"
subject=$Subjet body=“System : ($[/system identity get name]) \r\nFecha
: ($[/system clock get date]) \r\nHora : ($[/system clock get time]) \r\
nModelo : ($[/system resource get board-name]) \r\nIPWAN1 : ($[/ip
address get [find comment~”TELCO.2.2.2.x”] value-name=address]) \r\nEtherAux :
($[/ip address get [find comment~”EMERGENCY1”] value-name=interface]) \r\
nIPEtherAux : ($[/ip address get [find comment~”EMERGENCY1”] value-
name=address])” file=$FileName;};
# RB.BackUp-Config (Email):
------------------------------------------------------------
# Name: RB.BackUp-Config
# comment="R+: ( RB.BackUp-Config )"
# -----------------------------------------------
# Nota: Asegurarse que IP este en address-list (do={:beep frequency=550
length=494ms;}).
# -----------------------------------------------
# ----------------------------------------------- [Test.Connection]
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.BackUp-Config”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
:local MACList “”; :local IPList “”;
:foreach x in=[/interface find] do={:set MACList ($MACList.”(“.[$AddCToLen
[/interface get $x name] "Der." " " 12].” – “.[$AddCToLen [/interface get $x mac-
address] "Der." " " 18].” – “.[$AddCToLen [/interface get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/interface get $x disabled] "Der." " " 5].”)\r\
n“);};
:foreach x in=[/ip address find] do={:set IPList ($IPList.”(“.[$AddCToLen [/ip
address get $x interface] "Der." " " 12].” – “.[$AddCToLen [/ip address get $x
address] "Der." " " 18].” – “.[$AddCToLen [/ip address get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/ip address get $x disabled] "Der." " " 5].”)\r\
n“);};
# -----------------------------------------------
:local Name ([/system resource get board-name].”[01].backup”);
/system backup save name=$Name dont-encrypt=no encryption=aes-sha256
password=”xxx”; :delay 2s; :local Subjet (([/user get [find name=user(x)]
comment]).([pick ([/system scrip get [find name=”RB.BackUp-Config”] comment]) 4
([len ([/system scrip get [find name=”RB.BackUp-Config”] comment])])])); /tool e-
mail send to="xxx@gmail.com" subject=$Subjet body=“System : ($[/system
identity get name]) \r\nFecha : ($[/system clock get date]) \r\nHora
: ($[/system clock get time]) \r\nModelo : ($[/system resource get board-
name]) \r\nIPWAN1 : ($[/ip address get [find comment~”TELCO.2.2.2.x”] value-
name=address] \r\nEtherAux : ($[/ip address get [find comment~”EMERGENCY1”]
value-name=interface]) \r\nIPEtherAux : ($[/ip address get [find
comment~”EMERGENCY1”] value-name=address]) \r\n\r\nMAC.Rango :\r\n$MACList \r\
nIP.Rango :\r\n$IPList” file=$Name;}
# Nota: (Restore BackUp)
# 1- Actualizar Firmware (al menos, hasta v6.43).
# 2- Reset Config: /system reset-configuration no-defaults=yes skip-backup=yes
# 3- Copy BackUp.File into (/file) y buscar su (Password Encript).
# 4- Restore Config: /system backup load name=”CCR1012.backup”
# 5- Reset MAC Interface: /interface ethernet reset-mac-address [find];
# 6- Change MAC Interface: /interface ethernet set [find orig-mac-
address=X4:FA:6C:F5:82:E1] mac-address=AA:AA:AA:AA:AA:AA;
Actualización DDNS:
-------------------------------------------------------------------- [ INI ]
# Crear un script especifico y con distinto nombre, para cada WAN(x) a actualizar
(diferenciando los identificadores en DuckDNS) y agregarlos a una única tarea TP
(RB.IP-Change). En (https://www.duckdns.org/), ir a install seleccionar (identity y
mikrotik) copiar y pegar en un nuevo Script (DDNS.UpDate). Finalmente, cambiar
(interface=MATRIX) por (comment=WAN(x).[ (x) ]).
# RB.DDNSUpDate-WAN(x): ---------------------------------------------------------
# Name: RB.DDNSUpDate-WAN(x)
# comment="R+: ( RB.DDNSUpDate-WAN(x) )"
# --------------------------------------------------
:global actualIP value=[/ip address get [find where comment~”TELCO.2.2.2.x”] value-
name=address]; :global actualIP value=[:pick $actualIP -1 [:find $actualIP "/" -
1]]; :if ([:len [/file find where name=ipstore.txt]]<1) do={/file print
file=ipstore.txt where name=ipstore.txt; /delay delay-time=2; /file set ipstore.txt
contents="0.0.0.0";}; :global previousIP value=[/file get [find where
name=ipstore.txt] value-name=contents]; :if ($previousIP!=$actualIP) do={:log info
message=("[Try to Update DuckDNS]: a actual-IP ".$actualIP." - anterior-IP es ".
$previousIP);
# ------------------------
/tool fetch mode=https keep-result=yes dst-path=duckdns-result.txt
address=[:resolve www.duckdns.org] port=443 host=www.duckdns.org src-path=("<<<
Token dado por duckdns >>>=".$actualIP);
# ------------------------
:delay 5s; :global lastChange value=[/file get [find where name=duckdns-result.txt]
value-name=contents]; :global previousIP value=$actualIP; /file set ipstore.txt
contents=$actualIP; :if ($lastChange="OK") do={:log warning message=("[DuckDNS
update successfull]: a actual-IP ".$actualIP);}; :if ($lastChange="KO") do={:log
error ("[Fail to update DuckDNS]: a actual-IP ".$actualIP);};};
# Nota: Alternativa+, (c/15-60s UDP.15252): (/ip cloud set ddns-enabled=yes;).
Actualización DDNS:
------------------------------------------------------------------- [ FIN ]
# RB.BackUp-Log (Email):
---------------------------------------------------------------
# Name: RB.BackUp-Log
# comment="R+: ( RB.BackUp-Log )"
# -----------------------------------------------
length=494ms;}).
# -----------------------------------------------
# ----------------------------------------------- [Test.Connection]
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.BackUp-Log”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
:local MACList “”; :local IPList “”;
:foreach x in=[/interface find] do={:set MACList ($MACList.”(“.[$AddCToLen
[/interface get $x name] "Der." " " 12].” – “.[$AddCToLen [/interface get $x mac-
address] "Der." " " 18].” – “.[$AddCToLen [/interface get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/interface get $x disabled] "Der." " " 5].”)\r\
n“);};
:foreach x in=[/ip address find] do={:set IPList ($IPList.”(“.[$AddCToLen [/ip
address get $x interface] "Der." " " 12].” – “.[$AddCToLen [/ip address get $x
address] "Der." " " 18].” – “.[$AddCToLen [/ip address get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/ip address get $x disabled] "Der." " " 5].”)\r\
n“);};
# -----------------------------------------------
:local Name ([/system resource get board-name].”(Log)[01].txt”);
/log print file=$Name; :delay 2s;
# /system logging action set memory memory-lines=1; :delay 2s; # Borra all log
# /system logging action set memory memory-lines=1000; # Limita a 1000L
# -----------------------------------------------
[find name=”RB.BackUp-Log”] comment]) 4 ([len ([/system scrip get [find
name=”RB.BackUp-Log”] comment])])])); /tool e-mail send to=xxx@gmail.com"
nModelo : ($[/system resource get board-name]) \r\nIPWAN1 : ($[/ip
address get [find comment~”TELCO.2.2.2.x”] value-name=address] \r\nEtherAux :
($[/ip address get [find comment~”EMERGENCY1”] value-name=interface]) \r\
nIPEtherAux : ($[/ip address get [find comment~”EMERGENCY1”] value-name=address])
\r\n\r\nMAC.Rango :\r\n$MACList \r\nIP.Rango :\r\n$IPList” file=$Name;};
# RB.IP-ChangeWAN(x):
-----------------------------------------------------------------
# Es aconsejable, al finalizar la tarea, remover las variables globales
(previousIP, lastChange y actualIP).
# Name: RB.IP-ChangeWAN(x)
# comment=”R+: ( RB.IP-ChangeWAN(x) )”
# -----------------------------------------------
length=494ms;}).
# ----------------------------------------------- [Test.Connection]
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.IP-ChangeWAN1”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
# Establece IP.New:
----------------------------------------------------------------------
# -----------------------------------------------
# Función convierte IPv4 en número entero:
:local FIPaNr do={:local IPstr ($1."."); :local IPnum ""; :for x from=1 to=4
do={:set IPnum ($IPnum.[:pick $IPstr 0 [:find $IPstr "." -1]]); :set IPstr ([:pick
$IPstr ([:find $IPstr "." 0]+1) [:len $IPstr]]);}; :return [:tonum $IPnum]};
# -----------------------------------------------
:local IniIP value=2.2.2.1; # sin ceros a la
izquierda
:local UltIP value=2.2.2.50; # sin ceros a la izquierda
# -----------------------------------------------
:local ActualIP value=[/ip address get [find comment~”TELCO.2.2.2.x”] value-
name=address];
:local ActualX value=[:pick $ActualIP -1 [:find $ActualIP "/" -1]];
<<< Mecanismo x descubrir la nueva IP >>>}; /ip address set [/ip address find
address=$ActualIP] address=$ActualX; :delay 2s;
# Actualiza DDNS:
------------------------------------------------------------------------
# /system script run RB.DDNSUpDate-WAN(x); :delay 3s; # UpDate DDNS.WAN(x)
# Envia Email informativo:

---------------------------------------------------------------
:local IntervaloT value=[/system scheduler get [find name=”TP (RB.IP-Change)”]
value-name=interval]; :global lastChange; :global QoSDropList; :local Subjet
(([/user get [find name=user(x)] comment]).([pick ([/system scrip get [find
name=”RB.IP-ChangeWAN(x)”] comment]) 4 ([len ([/system scrip get [find name=”RB.IP-
ChangeWAN(x)”] comment])])])); /tool e-mail send to="xxx@gmail.com" subject=$Subjet
body=“System : ($[/system identity get name]) \r\nFecha : ($[/system
clock get date]) \r\nHora : ($[/system clock get time]) \r\nIP.Actual :
($ActualX/24) \r\nDDNS.UpDate : ($lastChange) \r\nChange.Interv: ($IntervaloT) \r\
nIP.Pool : ($IniIP/24 - $UltIP/24) \r\nQoS.DropL : \r\n[$QoSDropList]”;
/system script environment remove [find name="previousIP"]; /system script
environment remove [find name="lastChange"]; /system script environment remove
[find name="actualIP"];};
# Nota: si bien, provoca un script error, aborta un script: /system script job
remove [/system script job find script=RB.IP-ChangeWAN(x)];
# RB.PromoXDay-Cheq:
-----------------------------------------------------------------
# Name: RB.PromoXDay-Cheq
# comment="C+: ( RB.PromoXDay-Cheq )"
# -----------------------------------------------
:local Mx
("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
:local DateAct ([/system clock get date]);
:local DiaAct ([pick $DateAct 4 6]);
:local MesActP ([pick $DateAct 0 3]);
:local MesAct ([find $Mx $MesActP -1]+1);
:local AnioAct ([pick $DateAct 7 11]);
:local DatePromo;
:local DiaPromo;
:local MesPromo; # No olvidar el (0) a la izquierda para
(<10).
:local AnioPromo;
:local Comment;
:local QSName;
:local CTimePromo;
:local IPPromo;
:if ($MesAct<10) do={:set MesAct (“0”.$MesAct);};
:set DateAct ($AnioAct.$MesAct.$DiaAct);
:local DateActF ($DiaAct.”/”.$MesAct.”/”.([pick $AnioAct 2 4]));
:log info message=("[RB.PromoXDay-Cheq (INI)]");
:foreach x in=[/ip firewall address-list find (list=”C-PROMOXDCLIENT.List” and !
disabled)] do={:set IPPromo ([/ip firewall address-list get $x address]); :set
CTimePromo ([/ip firewall address-list get $x creation-time]); :set Comment ([/ip
firewall address-list get $x comment]); :set DiaPromo ([pick $Comment ([find
$Comment “expira”]+11) ([find $Comment “expira”]+13)]); :set MesPromo ([pick
$Comment ([find $Comment “expira”]+14) ([find $Comment “expira”]+16)]); :set
AnioPromo ([pick $Comment ([find $Comment “expira”]+17) ([find $Comment “expira”]
+21)]); :set DatePromo ($AnioPromo.$MesPromo.$DiaPromo); :if ([tonum
$DateAct]>[tonum $DatePromo]) do={/ip firewall address-list set $x list=”C-
CLIENTDROP.List”; :set QSName ([/queue simple get [find target=($IPPromo."/32")]
value-name=name]); :set QSName ([pick $QSName 0 ([find $QSName “::”]+3)].$DateActF.
[pick $QSName ([find $QSName “::”]+11) [len $QSName]]); /queue simple set [find
target=($IPPromo."/32")] name=(“S: ”.$QSName); /queue simple set [find
target=($IPPromo."/32")] disable=yes; :log warning message=("[RB.PromoXDay-Cheq
(Expire: $QSName) – ($DateAct > $DatePromo)]"); :global TelegramMessage
(“[RB.PromoXDay-Cheq (Expire: $QSName) – ($DateAct>$DatePromo)]”); /system script
run RB.Telegram-MessageAlert;}};
...
# RB.QoSChange% (Empty):
------------------------------------------------------------
# Name: RB.QoSChange% (Empty)
# comment="Rx: ( RB.QoSChange% (Empty) )"
# -----------------------------------------------
:local Comment;
# ------------------------------------------------------
/queue tree disable [/queue tree find]; # All QueueTree.Rule
disabled
/ip firewall mangle disable [/ip firewall mangle find]; # All Mangle.Rule
disabled
# ------------------------------- [QoS.Mangle-Stat: (Empty)]
:foreach x in=[/ip firewall mangle find] do={:set Comment ([pick ([/ip firewall
mangle get $x comment]) 0 ([find ([/ip firewall mangle get $x comment]) “::”]+3)]);
/ip firewall mangle set $x comment=($Comment);};
# ------------------------------- [QoS.QT-Stat: (Empty)]
:foreach y in=[/queue tree find] do={:set Comment ([pick ([/queue tree get $y
comment]) 0 ([find ([/queue tree get $y comment]) “::”]+3)]); /queue tree set $y
limit-at=0; /queue tree set $y max-limit=0; /queue tree set $y
comment=($Comment);};
# ------------------------------------------------------
/queue tree reset-counters-all; # Reset all QueueTree
contadores
/ip firewall mangle reset-counters-all; # Reset all Mangle
contadores
:foreach i in=[/queue tree find (comment~”C\\+: ”)] do={[/queue tree set $i
disable=no];}; # QueueTree.Rule (Comment~C+) enabled
:foreach i in=[/ip firewall mangle find (comment~”C\\+: ”)] do={[/ip firewall
mangle set $i disable=no];}; # Mangle.Rule (Comment~C+) enabled
# RB.QoSChange% (xBytes): ---------------------------------------------- [ x

Bytes ]
# Name: RB.QoSChange% (xBytes)
# comment="Rx: ( RB.QoSChange% (xBytes) )"
# Limite para /queue tree max-limit=(4294M)
# -----------------------------------------------
# -----------------------------------------------
# Nota: Asegurarse que IP este en address-list.
# ------------------------------------------------------
:local MinLimitAt 512; # (no usado) Minimo limit-at para (QT.Bytes=0)
:local MinRate 256; # (no usado) Minimo rate para
(QT.Rate=0)
:local PLimitAt 75; # % limit-at (75%) de
max-limit
:local PWAN 25; # % WAN.max-limit (25%) de LANs.max-limit
:local ABMTLAN1 140; # AB.Max de Dw (en Mbps) x RB.LAN1
:local ABMTWAN1 ((($ABMTLAN1+$ABMTLAN2+$ABMTLAN3)*$PWAN)/100); # AB.Max de Up x
RBX.WAN1
# ------------------------------------------------------
:local AuxSMPacket;
:local AuxSQTEtherA;
:local AuxSQTEtherD;
:local PCalc;
:local Comment;
:local BytesAEtherX;
:local BytesDEtherX;
:local RateAEtherX;
:local RateDEtherX;
:local MPacket “”;
# M.packet
:local MPBytes 0; #
M.bytes del paquete
:local LimitAt 0;
:local MaxLimit 0;
# ------------------------------------------------------
disabled
disabled
# ------------------------------- [QoS.Mangle-Stat: (SMPacket, TMPBytes)]
:global SMPacket “”; # Str,
M.packet”=”bytes”*”
:local TMPBytes 0; # Sumatoria (M.bytes) x all
paquetes
:foreach x in=[/ip firewall mangle find (action=mark-packet)] do={:set MPBytes
([/ip firewall mangle get $x bytes]); :set TMPBytes ($TMPBytes+$MPBytes); :set
MPacket ([/ip firewall mangle get $x new-packet-mark]); :if ([/queue tree find
(packet-mark=$MPacket)]!=””) do={:set SMPacket ($SMPacket.$MPacket.”=”.
$MPBytes.”*”);} else={:log error message=(”[QoS.Error (MangleRule inexistente en
QT): $MPacket]”);}};
# ------------------------------- [Mangle-Rule.SetComment%]
:set AuxSMPacket ($SMPacket); :while ([len $AuxSMPacket]>0) do={:set MPacket ([pick
$AuxSMPacket 0 ([find $AuxSMPacket ”=”])]); :set MPBytes ([pick $AuxSMPacket ([find
$AuxSMPacket ”=”]+1) ([find $AuxSMPacket ”*”])]); :set Comment ([/ip firewall
mangle get value-name=comment [find new-packet-mark=$MPacket]]); :set PCalc
(([:tonum $MPBytes]*100)/[:tonum $TMPBytes]); :if (([len $Comment]-[find $Comment
“::”])<145) do={/ip firewall mangle set [find new-packet-mark=$MPacket]
comment=($Comment.([$AddCToLen ([:tostr $PCalc]) "Izq." "0" 2])."%");} else={/ip
firewall mangle set [find new-packet-mark=$MPacket] comment=(([:pick $Comment 0
([:find $Comment “::”]+3)]).([$AddCToLen ([:tostr $PCalc]) "Izq." "0"
2])."%");}; :set AuxSMPacket ([pick $AuxSMPacket ([find $AuxSMPacket ”*”]+1) [len
$AuxSMPacket]]);};
# Nota: (145=48hs scheduler.1h).
# ------------------------------------------------------ [QoS.QT-Stat]
:global SQTPacket “”; # Str, QT.packet (ID”=”bytes” ”ID”=”bytes“ ”…)”*”
# Nota: Los SQTEtherX, guardan totales por interfaces (RB.Act y RB.Disp).
:set AuxSMPacket ($SMPacket); :while ([len $AuxSMPacket]>0) do={:set MPacket ([pick
$AuxSMPacket 0 ([find $AuxSMPacket ”=”])]); :set SQTPacket ($SQTPacket.$MPacket.”
(“); :foreach y in=[/queue tree find (packet-mark=$MPacket)] do={:set SQTPacket
($SQTPacket.([/queue tree get $y name]).”=“.([/queue tree get $y
bytes]).”+“.([/queue tree get $y rate]).” “);}; :set SQTPacket
($SQTPacket.”)*“); :set AuxSMPacket ([pick $AuxSMPacket ([find $AuxSMPacket ”*”]+1)
[len $AuxSMPacket]]);};
# ------------------------------------------------------ [QoS.QT-ChangeStat]
:global SQTEtherA “”; # Str, {QT.name: ID[0-6].Abu}”=”bytes”+”rate”*”
:global SQTEtherD (“010000=$($ABMTWAN1*1000000)+0*020000=$
($ABMTLAN1*1000000)+0*030000=$($ABMTLAN2*1000000)+0*040000=$
($ABMTLAN3*1000000)+0*”); # AB.Disp (xEtherX.Ordenada).: Str, {QT.name: ID[0-
6].Abu}”=”bytes”+”rate”*”
:foreach y in=[/queue tree find (name~”0000”)] do={:set SQTEtherA ($SQTEtherA.
([pick ([/queue tree get $y name]) 0 6]).”=“.([/queue tree get $y
bytes]).”+“.([/queue tree get $y rate]).”*”);};
# ------------------------------------------------------ [QoS.Email-Stat]
:if (([len $SQTPacket]+[len $SMPacket]+29)<=4000) do={:if ([len [/file find
name=”qtstat.txt”]]=0) do={/file print file=”qtstat.txt”; :delay 2s; /file set
[find name=”qtstat.txt”] contents="";}; :if (([/file get [/file find
name=”qtstat.txt”] value-name=size]+[len $SQTPacket]+[len $SMPacket]+29)>4000) do={
# ----------------------------------------------- [Test.Connection]
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.QoS-Stat”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
[find name=”RB.QoSChange% (xBytes)”] comment]) 4 ([len ([/system scrip get [find
name=”RB.QoSChange% (xBytes)”] comment])])])); /tool e-mail send to="xxx@gmail.com"
nModelo : ($[/system resource get board-name])” file=qtstat.txt; :delay 5s;};
/file set [find name=”qtstat.txt”] contents="";}; /file set ”qtstat.txt”
contents=([/file get ”qtstat.txt” contents].”SMPacket:\r\n$SMPacket\r\n\r\
nSQTPacket:\r\n$SQTPacket\r\n\r\n”);} else={:log error message=(”[QoS.Error
(Registro>4k, imposible enviar en un solo email)]”);};
# ------------------------------------------------------
:set AuxSQTEtherA ($SQTEtherA); :set AuxSQTEtherD ($SQTEtherD); :foreach y
in=[/queue tree find] do={:if (!([/queue tree get $y name]~”0000”)) do={:set
Comment ([/queue tree get $y comment]); :set PCalc (([/queue tree get $y
bytes]*100)/[:tonum $BytesAEtherX]); :set MaxLimit ([tonum
(($PCalc*$BytesDEtherX)/100)]); :set LimitAt ([tonum (($MaxLimit*$PLimitAt)/100)]);
/queue tree set $y limit-at=0; /queue tree set $y max-limit=0; /queue tree set $y
max-limit=($MaxLimit); /queue tree set $y limit-at=($LimitAt);
# ------------------------------- [QT-Rule.SetComment%]
:if (([len $Comment]-[find $Comment “::”])<144) do={/queue tree set $y
comment=($Comment.([$AddCToLen ([:tostr $PCalc]) "Izq." "0" 2])."%");} else={/queue
tree set $y comment=(([:pick $Comment 0 ([:find $Comment “::”]+3)]).([$AddCToLen
([:tostr $PCalc]) "Izq." "0" 2])."%");};
# -------------------------------
} else={:set BytesAEtherX ([tonum [pick $AuxSQTEtherA ([find $AuxSQTEtherA “=”]+1)
([find $AuxSQTEtherA “+”])]]); :set RateAEtherX ([tonum [pick $AuxSQTEtherA ([find
$AuxSQTEtherA “+”]+1) ([find $AuxSQTEtherA “*”])]]); :set AuxSQTEtherA ([pick
$AuxSQTEtherA ([find $AuxSQTEtherA “*”]+1) [len $AuxSQTEtherA]]); :set BytesDEtherX
([tonum [pick $AuxSQTEtherD ([find $AuxSQTEtherD “=”]+1) ([find $AuxSQTEtherD
“+”])]]); :set RateDEtherX ([tonum [pick $AuxSQTEtherD ([find $AuxSQTEtherD “+”]+1)
([find $AuxSQTEtherD “*”])]]); :set AuxSQTEtherD ([pick $AuxSQTEtherD ([find
$AuxSQTEtherD “*”]+1) [len $AuxSQTEtherD]]); /queue tree set $y limit-at=0; /queue
tree set $y max-limit=0; /queue tree set $y max-limit=($BytesDEtherX); /queue tree
set $y limit-at=(($BytesDEtherX*$PLimitAt)/100);};};
# Nota: Desestimo los (QT.Bytes=0), puesto que, serán acotados al consumir.
# ------------------------------------------------------
/system script environment remove [find name="PWAN"];
/system script environment remove [find name="PLimitAt"];
/system script environment remove [find name="SMPacket"];
/system script environment remove [find name="SQTPacket"];
/system script environment remove [find name="SQTEtherA"];
/system script environment remove [find name="SQTEtherD"];
/queue tree reset-counters-all; # Reset all QueueTree
contadores
/ip firewall mangle reset-counters-all; # Reset all Mangle
contadores
# ------------------------ (Comando alternativo de habilitación, si fuese total)
# /queue tree enable [/queue tree find]; # All QueueTree.Rule enabled
# /ip firewall mangle enable [/ip firewall mangle find]; # All MangleRule enabled
# Nota: (considerar QueueTree.Rate (tasa promedio de transferencia), en el calculo
de mark-pack.%).
# RB.QoSChange% (xDropBytes): ----------------------------------- [ x DropBytes ]

# Name: RB.QoSChange% (xDropBytes)
# comment="Cx: ( RB.QoSChange% (xDropBytes) )"
# ---------------------------------------------------
:global QoSDropList; # Dejar public y no remover x email
diario
:local QoSDropName;
:local Increment 0;
:local TIncrement 0;
:local PIncMaxLimit 10; # %.Inc de
(max-limit)
:local MaxLimit;
:local LimitAt;
:local Comment;
:local NroRegla;
:local DLAux;
:local DLRest;
:local TDrop;
:local NodoID;
:foreach x in [/system script job find (script="RB.QoSChange% (xDropBytes)")] do
{:set CountProcc ($CountProcc+1);}; # Cant de éste proc activos
:if ($CountProcc=1) do={:foreach x in=[/queue tree find (dropped>1000)] do={:set
QoSDropName ([/queue tree get $x name]); :set MaxLimit ([/queue tree get [find
name=$QoSDropName] value-name=max-limit]); :set LimitAt ([/queue tree get [find
name=$QoSDropName] value-name=limit-at]); :set Comment ([/queue tree get [find
name=$QoSDropName] value-name=comment]); :set Increment
(($MaxLimit*$PIncMaxLimit)/100); :if ($Increment<1000) do={:set Increment (1000);};
:if ($MaxLimit+$Increment<4294000000) do={:if ($QoSDropList~$QoSDropName) do={:set
DLAux ($QoSDropList); :set QoSDropList ([pick $QoSDropList 0 ([find $QoSDropList
$QoSDropName]-1)]); :set DLAux ([pick $DLAux ([find $DLAux $QoSDropName]-1) [len
$DLAux]]); :set DLRest ([pick $DLAux ([find $DLAux ”)”]+1) [len $DLAux]]); :set
TDrop ([tonum ([pick $DLAux ([find $DLAux “=”]+1) ([find $DLAux “+”]-1)])]); :set
TDrop ([tostr ($TDrop+(([/queue tree get $x dropped])/1000))].”k”); :set TIncrement
([tonum ([pick $DLAux ([find $DLAux “+”]+1) ([find $DLAux “)”]-1)])]); :set
TIncrement ([tostr ($TIncrement+(($Increment)/1000))].”k”); :set QoSDropList
($QoSDropList.”(“.$QoSDropName.”=”.$TDrop.”+”.$TIncrement.”)”.$DLRest);} else={:set
TDrop ([tostr (([/queue tree get $x dropped])/1000)].”k”); :set TIncrement ([tostr
(($Increment)/1000)].”k”); :set QoSDropList ($QoSDropList.”(“.($QoSDropName).”=”.
$TDrop.”+”.$TIncrement.”)”);}; /queue tree set [find name=$QoSDropName] max-
limit=($MaxLimit+$Increment); /queue tree set [find name=$QoSDropName] limit-
at=($LimitAt+$Increment); :if ([pick $QoSDropName 4 6]!=”00”) do={:set NodoID
([pick $QoSDropName 0 4].”00”); :set MaxLimit ([/queue tree get [find name~$NodoID]
value-name=max-limit]); :set LimitAt ([/queue tree get [find name~$NodoID] value-
name=limit-at]); /queue tree set [find name~$NodoID] max-limit=($MaxLimit+
$Increment); /queue tree set [find name~$NodoID] limit-at=($LimitAt+
$Increment);}; :set NodoID ([pick $QoSDropName 0 2].”0000”); :set MaxLimit ([/queue
tree get [find name~$NodoID] value-name=max-limit]); :set LimitAt ([/queue tree get
[find name~$NodoID] value-name=limit-at]); /queue tree set [find name~$NodoID] max-
limit=($MaxLimit+$Increment); /queue tree set [find name~$NodoID] limit-
at=($LimitAt+$Increment); :set NroRegla ([tonum [pick $Comment 0 3]]-1); /queue
tree reset-counters numbers=($NroRegla);} else={:log error message=("[RB.QoSChange%
(xDropBytes), QT.Name: (".($QoSDropName).") – QT.DropBytes: (".([/queue tree get $x
dropped]).")]");}}};
# /system script environment remove [find name="QoSDropList"];
# Nota: /queue tree reset-counters-all (resetea all contadores x next-Tarea).
# RB.QoSChange% (xRate): ------------------------------------------------ [ x

Rate ]
# Name: RB.QoSChange% (xRate)
# comment="Rx: ( RB.QoSChange% (xRate) )"
# ------------------------------------------------------
:local PMaxLimit 25; # % incremento de max-limit respecto de rate
:local QoSName;
:local RateX 0;
:local LimitAt 0;
:local MaxLimit 0;
# ------------------------------------------------------
disabled
disabled
# ------------------------------------------------------
:foreach x in=[/queue tree find] do={:set QoSName ([/queue tree get $x name]); :set
RateX ([/queue tree get $x rate]); :if ($RateX>0) do={:set LimitAt ($RateX); :set
RateX ($RateX+(($RateX*$PMaxLimit)/100)); :if ($RateX<4294000000) do={/queue tree
set $x limit-at=0; /queue tree set $x max-limit=0; /queue tree set $x max-
limit=($RateX); /queue tree set $x limit-at=($LimitAt);} else={:log error
message=("[RB.QoSChange% (xRate), QT.Name: (".($QoSName).") – QT.Rate: (".([/queue
tree get $x rate]).")]");}}};
# ------------------------------------------------------
# ------------------------ (Comando alternativo de habilitación, si fuese total)
# /queue tree enable [/queue tree find]; # All QueueTree.Rule enabled
# /ip firewall mangle enable [/ip firewall mangle find]; # All MangleRule enabled
#
-----------------------------------------------------------------------------------
[INI]
# -------------------------------- [TOOLS/Netwatch]
---------------------------------
#
-----------------------------------------------------------------------------------
--------
# Alert.LinkChange (ISP.Link): ------------------------------------------

[NetWatch]
# Name: Alert.LinkChange-ISPLink
# comment="R: ( Alert.LinkChange-ISPLink )"
# --------------------------------------------------- [ x RB.BGP ]
/tool netwatch add down-script="global TelegramMessage \"[Enlace.ST-AP
(DW)]\"; :log error message=(\"[Enlace.ST-AP (DW)]\");\r\n/system script run
RB.Telegram-MessageAlert" host=xxx.duckdns.org interval=1m up-script="global
TelegramMessage \"[Enlace.ST-AP (UP)]\"; :log warning message=(\"[Enlace.ST-AP
(UP)]\");\r\n/system script run RB.Telegram-MessageAlert" comment=("R:
( Netwhatch.Enlace [ ST-AP ] )") disable=yes;
#
-----------------------------------------------------------------------------------
[FIN]
# -------------------------------- [TOOLS/Netwatch]
---------------------------------
#
-----------------------------------------------------------------------------------
--------
# Alert.LinkChange (RBLink):
-----------------------------------------------------------
# ------------------------------------------------------------- [Independiente del
script]
:global AntFlagDDNS01 (“OK”); # No copiar dentro del script
# ------------------------------------------------------------- [Independiente del
script]
# Name: Alert.LinkChange-RBLink
# comment="R: ( Alert.LinkChange-RBLink )"
length=494ms;}).
# ---------------------------------------------------
:local FlagDDNS01 ([$TestConn ([resolve "xxx-1.duckdns.org"]) 10 30 100 XXX
”RB.AlertLinkChange”]=”OK”);
:if ($FlagDDNS01!=$AntFlagDDNS01) do={:if ($FlagDDNS01=”KO”) do={:global
TelegramMessage (“[ xxx-R1.DuckDNS.org (DW) ]”); :log error message=("[xxx-
R01.DuckDNS.org (DW)]"); /system script run RB.Telegram-MessageAlert;}
else={:global TelegramMessage (“[xxx-R1.DuckDNS.org (UP)]”); :log error
message=("[xxx-R01.DuckDNS.org (UP)]"); /system script run RB.Telegram-
MessageAlert;}};
TelegramMessage (“[xxx-R2.DuckDNS.org (DW)]”); :log error message=("[xxx-
MessageAlert;}};
TelegramMessage (“[xxx-R3.DuckDNS.org (DW)]”); :log error message=("[xxx-
MessageAlert;}};
:global AntFlagDDNS01 ($FlagDDNS01); :global AntFlagDDNS02 ($FlagDDNS02); :global
AntFlagDDNS03 ($FlagDDNS03);
# RB.Telegram-MessageAlert:
-----------------------------------------------------------
# Name: RB.Telegram-MessageAlert
# comment="R: ( RB.Telegram-MensageAlert )"
# --------------------------------------------------- [Telegram proccess]
# Find: @botfather (/newbot, ej: xxx_telegram_bot, vci_telegram_bot)
# Copy.BotID: (ej: <<< Paste1 >>>)
# Create Grup: (ej: xxx.Chat, add vci_telegram_bot, find and add @getidbot)
# Copy.ChatID: (ej: <<< Paste2 >>>)
# ------------------------------------------------------------ [Copy-Paste en
consola]
/system script add dont-require-permissions=yes name=RB.Telegram-MessageAlert
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#
Name: RB.Telegram-MessageAlert\r\n# comment=\"R: ( RB.Telegram-MensageAlert )\";\r\
n# --------------------------------------------------- [Telegram proccess]\r\n#
Find: @botfather (/newbot, xxx_telegram_bot, vci_telegram_bot)\r\n# Copy.BotID:
(ej: <<< Paste1 >>>)\r\n# Create Grup: (ej: xxx.Chat, add vci_telegram_bot, find
and add @getidbot)\r\n# Copy.ChatID: (ej: <<< Paste2 >>>)\r\n#
------------------------------------------------------------------------------\r\
n:global TelegramMessage;\r\n:local BotID (\"<<< Paste1 >>>\");\r\n:local ChatID
(\"<<< Paste2 >>>\”);\r\n:if (\$TelegramMessage!=\"\") do={\r\n /tool fetch
url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_id=\$ChatID&text=\
$TelegramMessage\" keep-result=no\r\n}; /system script environment remove [find
name=\"TelegramMessage\"];" comment=("R: ( Telegram.MensageAlert )");
# Nota: al Telegram.Bot (URL.Limit), no acepta ni tildes ni Special.Chars. Some
Special.Chars, pueden enviarse via Telegram.Bot (URL), por ej.: (\$\?).
# RB.Winbox-SharedOFF (x PKnocking): ----------------------------------------------

# Name: RB.Winbox-SharedOFF
# comment="R: RB.Winbox-SharedOFF" # verificar que user(x), sea (0)
:if ([/user get 0 name]~”xxx” and [/user get 0 disable]=no) do={/user set 1
disable=yes; /user set 2 disable=yes;} else={:log error message=("[Error, en la
secuenciacion de Users]”);};
:foreach x in=[/ip firewall filter find (comment~”<:”)] do={/ip firewall filter set
$x disable=yes;};
:foreach x in=[/ip firewall filter find (comment~”*:”)] do={/ip firewall filter set
$x disable=yes;};
:if ([len $WinboxP]>0 and [len $Api]>0) do={/ip service set winbox
port=$WinboxP; /ip service set api port=$ApiP;} else={/ip service set winbox
port=3335; /ip service set api port=3336;}
/system script environment remove [find name="WinboxP"]; /system script environment
remove [find name="ApiP"];
# RB.Winbox-SharedON (x PKnocking.Special): -------------------------------------

# Name: RB.Winbox-SharedON(SPKnocking) # verificar que user(x), sea (0)
# comment="R: RB.Winbox-SharedON (SPKnocking)"
disable=no; /user set 2 disable=no;} else={:log error message=("[Error, en la
:foreach x in=[/ip firewall filter find (comment~”<:”)] do={/ip firewall filter set
$x disable=no;};
:global WinboxP ([/ip service get [find (name=”winbox”)] port]);
:global ApiP ([/ip service get [find (name=”api”)] port]);
/ip service set winbox port=3333; /ip service set api port=3334;
# Nota: x motivos de retrocompatibilidad, uso las var.globales (WinboxP y ApiP).
# RB.Winbox-SharedON (x Port.Special):
---------------------------------------------
# Name: RB.Winbox-SharedON(SPort) # verificar que user(x), sea (0)
# comment="R: RB.Winbox-SharedON (SPort)"
disable=no; /user set 2 disable=no;} else={:log error message=("[Error, en la
:foreach x in=[/ip firewall filter find (comment~”*:”)] do={/ip firewall filter set
$x disable=no;};
:global WinboxP ([/ip service get [find (name=”winbox”)] port]);
:global ApiP ([/ip service get [find (name=”api”)] port]);
/ip service set winbox port=3333; /ip service set api port=3334;
# Nota: x motivos de retrocompatibilidad, uso las var.globales (WinboxP y ApiP). x
secuenciación de mí (Firewall), sin +reglas, no puedo evitar usar algunos (port).
-------------------------------------------------------------------------------
[ FIN ]
-----------------------------------------------------------------------------------
-----
----------------------------- Scripts (basicos):
-------------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
RouterOS.Script (Accesorios 01-01)

-------------------------------------------------------------------------------
[ INI ]
-----------------------------------------------------------------------------------
-----
--------------------------- Scripts (accesorios):
-----------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
QueueSimple.LANDivision: ------------------------------------------------ [ INI ]

# Esquema general para (QueueSimple.LANDivision): ---------------------------------
# Establecer (IP.NewLAN) en especifica (RB.Interface).
# Run: QueueSimple.Add255 y AddressList.Add255.
# Modificar QueueSimple-Admin(36-40).Name, QueueSimple-DNS1.Name.
# Remove C-CLIENTDROP.List(DNS1).
# Marcar QueueSimple.OldLAN a clonar: (dos opciones)
# 1- Run: GuardaTXT (QueueSimple.LANDivision).
# Marcar cada línea de (LANDivision.txt) con (M{x}M), según corresponda.
# Run: RestauraTXT (QuequeSimple.LANDivision).
# 2- Marcar cada (QueueSimple.Name) con (#1), según corresponda.
# Run: Clona.Marcados (QueueSimple.LANDivision) (identifico clones con (#2)).
# Run: AddressList-ClientIP.ComentEmpty (limpio comentario de C-xx.List).
# Run: AddressList.IdentificaClient (Identifica.IPs limpias en Address-List).
# Run: AddressList.LANDivision (Remove.#2) (remove (#2) y !“S: ”).
# Modificar manualmente (Client-Router.Config), según corresponda (#1).
# Run: QueueSimple.LANDivision (Rename.#1) (Name (#1)=“_Libre…”).
# Run: AddressList.LANDivision (Add.#1) (Add.#1 y comment “( Libre )”).
# GuardaTXT (QueueSimple.LANDivision): ------------------------------------------

# ------------------------------------------------
# ------------------------------------------------
# Función devuelve Octeto(x) de IP: (IP, NroOcteto)
:local FIPaOctX do={:local IPstr ($1."."); :local IPnum ""; :if ($2>1) do={:for x
from=1 to=($2-1) do={:set IPstr ([:pick $IPstr ([:find $IPstr "." 0]+1) [:len
$IPstr]])}}; :set IPnum ($IPnum.[:pick $IPstr 0 [:find $IPstr "." -1]]); :return
[:tonum $IPnum]};
# ------------------------------------------------
:local SubNet1 2; # Establecer redes a
dividir (1-2)
:local SubNet2 3; # Establecer redes a
dividir (2-2)
:local Plant (“M{}M - N{}N - I{}I”); # Patron de líneas
(LANDivision)
:local Body “”; # Opcional: copy-
paste en (TXT)
:local Nro 1;
:local Iter 1;
:local Name “---”;
:local IPx “…“;
:local Date ([/system clock get date]);
:local Time ([/system clock get time]);
:local File ("LANDivision (".[:pick $Date 7 11]."-".[:pick $Date 0 3]."-".[:pick
$Date 4 6]."-".[:pick $Time 0 2]."-".[:pick $Time 3 5]."-".[:pick $Time 6
8].”).txt”); #
File.Name de prueba
:local File ("LANDivision-01.txt”); # auto-Limitado a
4k=(4096b)
# ------------------------------------------------
/file remove [find name~"LANDivision"]; :delay 2s; # Dell All File (LANDivision)
/file print file=$File; :delay 2s; # Crea File
/file set [find name=$File] contents=""; # Borra contenido x def.
File-0X
# ------------------------------------------------
:foreach x in=[/queue simple find] do={:set IPx [:tostr ([/queue simple get $x
target])]; :set IPx ([:pick $IPx 0 ([:len $IPx]-3)]); :if (($SubNet1=([$FIPaOctX
$IPx 3])) or ($SubNet2=([$FIPaOctX $IPx 3]))) do={:set Name ([/queue simple get $x
name]); :set Name ([:pick $Name 0 26]); :set Plant (“M{}M - N{”.[$AddCToLen $Name
"Der." " " 26].”}N - I{”.(([$AddCToLen ([:tostr [$FIPaOctX $IPx 1]]) "Izq." “0"
3]).”.”.([$AddCToLen([:tostr [$FIPaOctX $IPx 2]]) "Izq." “0" 3]).”.”. ([$AddCToLen
([:tostr [$FIPaOctX $IPx 3]]) "Izq." “0" 3]).”.”.([$AddCToLen ([:tostr
[$FIPaOctX$IPx 4]]) "Izq." “0" 3])).“}I”); :if ($Iter<52) do={:set Iter ($Iter+1);}
else={:set Iter (1); :set Nro ($Nro+1); :set File ([:pick $File 0 ([find $File“-”
0]+1)].([$AddCToLen ([:tostr $Nro]) "Izq." “0" 2]).”.txt”); /file print file=$File;
:delay 2s; /file set [find name=$File] contents="";}; /file set
$Filecontents=([/file get $File contents].$Plant.”\r\n”); :set Body ($Body.”\r\n”.
$Plant);}};
#Nota: creara (05 files) por cada (255 Queue.Simple).
# RestauraTXT (QuequeSimple.LANDivision): --------------------------------------

# comment=”( RestauraTXT.QueueSimple-LANDivision )”
# ------------------------------------------------
($2=”Izq.”) do={:set $1 ($3.$1)} else={:set $1 ($1.$3)}}}; :return $1};
# ------------------------------------------------
[:tonum $IPnum]};
# ------------------------------------------------
:local File ("LANDivision-”);
:local Body “---”;
:local Name “---”;
:local IPx “…”;
:local FileCant 10; # Establecer cantidad de files (LANDivision-
0X.txt)
:for x from=1 to=$FileCant step=1 do={:set File ([:pick $File 0 ([:find $File “-” -
1]+1)].([$AddCToLen ([:tostr $x]) "Izq." “0" 2]).”.txt”); :set Body([/file get
$File contents]); :while ([:find $Body “M{x}M” 0]>0) do={:set Body ([:pick $Body
([:find $Body “M{x}M” -1]+5) [:len $Body]]); :setIPx ([pick $Body ([:find $Body
“I{” -1]+2) ([:find $Body “}I” -1])]); :set IPx (([:tostr [$FIPaOctX $IPx 1]]).”.”.
([:tostr [$FIPaOctX $IPx 2]]).”.”.([:tostr [$FIPaOctX $IPx 3]]).”.”.([:tostr
[$FIPaOctX $IPx 4]])); :set Name ([/queue simple get value-name=name [find
target=($IPx."/32")]].”#1”); /queue simple set [find (target=($IPx."/32"))]
name=$Name;}}
# Nota: luego de comprobar, eliminar todos los files (LANDivision-0X.txt).
# Clona.Marcados (QueueSimple.LANDivision): ------------------------- [#1®#2]

# comment=”( Clona.Marcados (QueueSimple.LANDivision) )”
# ------------------------------------------------
[:tonum $IPnum]};
# ------------------------------------------------
:local SubNetN 4; # Cambiar según (NewRed)
:local Octeto4N 50; # Establecer según cantidad de marcas (#1)
:local IPO;
:local IPN;
:local Name;
:local MaxLimit;
:local LimitAt;
:local BurstLimit;
:local BurstTime;
:local BurstThreshold;
:local Parent;
:local Queue;
:local Priority;
:foreach x in=[/queue simple find (name~”#1”)] do={:set IPO ([/queue simple get $x
target]); :set Name (([:pick ([/queue simple get $x name]) 0 ([:len [/queue simple
get $x name]]-1)])."2"); :set MaxLimit ([/queue simple get $x max-limit]); :set
LimitAt ([/queue simple get $x limit-at]); :setBurstLimit ([/queue simple get $x
burst-limit]); :set BurstTime ([/queue simple get $x burst-time]); :set
BurstThreshold ([/queue simple get $x burst-threshold]); :set Queue ([/queue simple
get $x queue]); :set Priority ([/queue simple get $x priority]); :set Parent
([/queue simple get $x parent]); :set IPN ((:tostr [$FIPaOctX $IPO 1]).”.”.(:tostr
[$FIPaOctX $IPO 2]).”.”. ($SubNetN).”.”. (:tostr [$Octeto4N])); /queue simple set
[find (target=($IPN."/32"))] name=$Name; /queue simple set [find
(target=($IPN."/32"))] max-limit=$MaxLimit; /queue simple set [find
(target=($IPN."/32"))] limit-at=$LimitAt; /queue simple set [find
(target=($IPN."/32"))] burst-limit=$BurstLimit; /queue simple set [find
(target=($IPN."/32"))] burst-time=$BurstTime; /queue simple set [find
(target=($IPN."/32"))] burst-threshold=$BurstThreshold; /queue simple set [find
(target=($IPN."/32"))] queue=$Queue; /queue simple set [find (target=($IPN."/32"))]
priority=$Priority; /queue simple set [find (target=($IPN."/32"))]
parent=$Parent; :set Octeto4N ($Octeto4N+1);}
# AddressList.LANDivision (Remove.#2):
----------------------------------------------
/ip firewall address-list remove [find (comment~"#2" and !(comment~"S: "))]; #
necesita de una previa limpia e identificación de IPs.
# AddressList.LANDivision (Add.#1):
---------------------------------------------------
:foreach x in=[/ip queue simple find (name~"#1")] do={/ip firewall address-list add
list=C-CLIENTDROP.List address=$x target; comment=”( Libre )”; disable=yes;}
QueueSimple.LANDivision (Rename.#1): ----------------------------------------------

# -----------------------------------------------
# -----------------------------------------------
[:tonum $IPnum]};
# -----------------------------------------------
:local y ”4”; #
cambiar según LAN
:local IPx;
:local Nombre “-”;
:foreach x in=[/ip queue simple find (name~"#1")] do={:set IPx ($x target); :set
Nombre ("_Libre 1.2.".[$AddCToLen $y "Izq." "0" 3].”.”.[$AddCToLen (:tostr
[$FIPaOctX $IPx 4]) "Izq." "0" 3]." [ 00000 :: __/__/__=__/__/__+__/__ ]");
disable=yes;}
# Nota: (Name.Len=25).
# Exportar Queue.Simple y ARP.List:

---------------------------------------------------
# /queue export file=QueueSimple.rsc
# /ip arp export file=ArpList.rsc
# Importar Queue.Simple y ARP.List:

---------------------------------------------------
# /import QueueSimple.rsc
# /import ArpList.rsc
QueueSimple.LANDivision: ------------------------------------------------ [ FIN ]
#
-----------------------------------------------------------------------------------
[INI]
# -------------------------------- [Protocolo BGP]
-------------------------------------
#
-----------------------------------------------------------------------------------
--------
# Reglas para (BGP):
--------------------------------------------------------------------
# Fundamentalmente, BGP (protocolo de router de pasarela externa: utiliza el puerto
179 TCP), conecta AS (sistemas autónomos: conjunto de redes/dispositivos bajo un
mismo dominio administrativo. Poseen, un bloque de IPv4/IPv6, que publican al resto
de AS, para poder ser alcanzados). Interconexion dentro de dominion
administrativos. Cada AS, tiene un ASN (numero de sistema autónomo). De (1 a 64511:
16b), reservados para uso público. De (64512 a 65534: 16b), para uso privado.
LACNIC, posee los ASN (4.0 a 4.1023). Las sesiones BGP, se establecen con otros
routers configurando (peers BGP). Los peers (pares BGP), son los routers vecinos
con los que comparto redes. (eBGP): si los peers vecinos pertenecen a otro AS (lo
utilizamos para conectarnos con roveedores de Internet u otras entidades que tengan
AS). (iBGP): si los peers vecinos pertenecen a nuestro AS (lo utilizamos para
distribuir rutas dentro de nuestro AS, generalmente iBGP se apoya en otro método de
ruteo (ruteo estátio, RIP, OSPF)). Algunos atributos conocidos son: Weight
("peso"), Local Preference ("preferencia local"), AS Path ("camino de AS"). Si dos
(peers), publican la misma ruta, se prioriza la de mayor peso (weight). Si dos
(routers) dentro de un mismo AS, permiten alcanzar las mismas rutas, se prioriza el
de mayor (local reference). BGP, utiliza el (as path) para que las redes destino se
alcancen tomando el camino que atraviese menos cantidad de AS. Bogons GBP servers:
(65332:888). Lista negra BGP servers (6549:666).
# ---------------------------------------------- (Constantes BGP)

:global BGPISP1IP30 10.1.1.10/30; # ARSAT-VCI.BGPIP30 (de ARSAT)
:global BGPISP2IP30 10.2.1.10/30; # TELCO-VCI.BGPIP30 (de TELCO)
:global BGPVCI1IP30 10.1.1.9/30; # VCI-ARSAT.BGPIP30 (de ARSAT)
:global BGPVCI2IP30 10.2.1.9/30; # VCI-TELCO.BGPIP30 (de TELCO)
# -----------------------
:global BGPISP1WAN “WAN1”; # ARSAT.BGPInterface (de ARSAT)
:global BGPISP2WAN “WAN1”; # TELCO.BGPInterface (de TELCO)
:global BGPVCI1WAN “WAN1”; # VCI-ARSAT.BGPInterface
:global BGPVCI2WAN “WAN2”; # VCI-TELCO.BGPInterface
# -----------------------
:global BGPISP1GW 10.10.100.1/22; # ARSAT.IPGW (de ARSAT)
:global BGPISP2GW 10.10.200.1/22; # TELCO.IPGW (de TELCO)
:global BGPVCI1GWA 192.168.252.1/24; # VCI.IPGWA
:global BGPVCI1GWB 192.168.253.1/23; # VCI.IPGWB
# -----------------------
:global BGPISP1LAN “LAN1”; # ARSAT.GWInterface (de ARSAT)
:global BGPISP2LAN “LAN1”; # TELCO.GWInterface (de TELCO)
:global BGPVCI1LANA “LAN1”; # VCI-ARSAT.GWAInterface
:global BGPVCI1LANB “LAN2”; # VCI-TELCO.GWBInterface
# -----------------------
:global BGPISP1ASN 64513; # ARSAT.ASN (de ARSAT)
:global BGPISP2ASN 64514; # TELCO.ASN (de TELCO)
:global BGPVCI1ASN 64515; # VCI.ASN
# -----------------------
:global BGPISP1IPP 10.100.12.0/22; # ARSAT.IPPublicadas (de ARSAT)
:global BGPISP2IPP 10.101.12.0/22; # TELCO.IPPublicadas (de TELCO)
:global BGPVCI1IPPA 192.168.252.0/24; # VCI.IPPublicadasA
:global BGPVCI1IPPB 192.167.252.0/23; # VCI.IPPublicadasB
# -------------------------------------------------
:global BGPISP1LBMAC 00:11:11:00:00:00; # ARSAT.LBMAC (de ARSAT)
:global BGPISP2LBMAC 00:11:22:00:00:00; # TELCO.LBMAC (de TELCO)
:global BGPVCI1LBMAC 00:11:55:00:00:00; # VCI.LBMAC
# -----------------------
:global BGPISP1LBIP 10.10.5.1; # ARSAT.LBIP (de ARSAT)
:global BGPISP2LBIP 10.10.5.2; # TELCO.LBIP (de TELCO)
:global BGPVCI1LBIP 10.10.5.5; # VCI.LBIP
# ----------------------- (si no uso: IP.LoopBack)
:global BGPISP1RID ([pick [tostr $BGPISP1IP30] 0 ([len [tostr $BGPISP1IP30]]-3)]);
# ARSAT-VCI.BGPRID de ARSAT)
:global BGPISP2RID ([pick [tostr $BGPISP2IP30] 0 ([len [tostr $BGPISP2IP30]]-3)]);
# TELCO-VCI.BGPRID (de TELCO)
:global BGPVCI1RID ([pick [tostr $BGPVCI1IP30] 0 ([len [tostr $BGPVCI1IP30]]-3)]);
# VCI-ARSAT.BGPRID (de ARSAT)
:global BGPVCI2RID ([pick [tostr $BGPVCI2IP30] 0 ([len [tostr $BGPVCI2IP30]]-3)]);
# VCI-TELCO.BGRID (de TELCO)
# GateWay.Border (VCI.BGP): ---------------------------- [switch (CISCO.3560G)]

# ------------------------------------------ (Estableciendo BGP.RIDs)
/interface bridge add name=”BGP.LoopBack” admin-mac=$BGPVCI1LBMAC auto-mac=no
comment=”R+: BGP (BGP.VIC1LB Interface)” disable=yes;
/ip address add address=$BGPVCI1LBIP interface=”BGP.LoopBack” comment=”R+: BGP
(BGP.VCI1LB IP)” disable=yes;
# ------------------------------------------ (Estableciendo WAN.IPs)
/ip address add address=$BGPVCI1IP30 interface=$BGPVCI1WAN comment=”R+: BGP
(IPP/30, dispuesta x VCI1 x su S/R.BGP)” disable=yes;
/ip address add address=$BGPVCI2IP30 interface=$BGPVCI2WAN comment=”R+: BGP
(IPP/30, dispuesta x VCI2 x su S/R.BGP)” disable=yes;
# ------------------------------------------ (Estableciendo iBGP.GWs)
/ip address add address=$BGPVCI1GW interface=$BGPVCI1LAN comment=”R+: BGP (IPP/24,
dispuesta x VCI1 x su IP.GWA)” disable=yes;
/ip address add address=$BGPVCI2GW interface=$BGPVCI2LAN comment=”R+: BGP (IPP/23,
dispuesta x VCI1 x su IP.GWB)” disable=yes;
# ------------------------------------------ (Estableciendo BGP.Instances)
/routing bgp instance set 0 router-id=$BGPVCI1RID as=$BGPVCI1ASN comment=”R+: BGP
(VCI1.ASN)”;
# ------------------------------------------ (Estableciendo BGP.Peers)
/routing bgp peer add name=”BGP.VCI-ARSAT” remote-address=$BGPISP1RID remote-
as=$BGPISP1ASN default-originate=if-installed comment=”R+: BGP (Estableciendo
relación con BGP.ARSAT-VCI)” disable=yes;
# --------------------
/routing bgp peer add name=”BGP.VCI-TELCO” remote-address=$BGPISP2RID remote-
as=$BGPISP2ASN default-originate=if-installed comment=”R+: BGP (Estableciendo
relación con BGP.TELCO-VCI)” disable=yes;
# ------------------------------------------ (Estableciendo BGP.Networks)
/routing bgp network add network=$BGPVCI1IPPA synchronize=no comment=”R+: BGP
(IP.Pool de VCI1A)” disable=yes;
# --------------------
/routing bgp network add network=$BGPVCI1IPPB synchronize=no comment=”R+: BGP
(IP.Pool de VCI1B)” disable=yes;
# …
# GateWay.Border (ARSAT.BGP): ------------------------ [switch (CISCO.--------)]

/interface bridge add name=”BGP.LoopBack” admin-mac=$BGPISP1LBMAC auto-mac=no
comment=”R+: BGP (BGP.ISP1LB Interface)” disable=yes;
/ip address add address=$BGPISP1LBIP interface=”BGP.LoopBack” comment=”R+: BGP
(BGP.ISP1LB IP)” disable=yes;
/ip address add address=$BGPISP1IP30 interface=$BGPISP1WAN comment=”R+: BGP
(IPP/30, dispuesta x ISP1 x su S/R.BGP)” disable=yes;
/ip address add address=$BGPISP1GW interface=$BGPISP1LAN comment=”R+: BGP (IPP/22,
dispuesta x ISP1 x su IP.GW)” disable=yes;
/routing bgp instance set 0 router-id=$BGPISP1RID as=$BGPISP1ASN comment=”R+: BGP
(ISP1.ASN)”;
/routing bgp peer add name=”BGP.ARSAT-VCI” remote-address=$BGPVCI1RID remote-
as=$BGPVCI1ASN default-originate=if-installed comment=”R+: BGP (Estableciendo
relación con BGP.ARSAT-VCI)” disable=yes;
/routing bgp network add network=$BGPISP1IPP synchronize=no comment=”R+: BGP
(IP.Pool de ISP1)” disable=yes;
# …
# GateWay.Border (TELCO.BGP): ------------------------ [switch (CISCO.--------)]

/interface bridge add name=”BGP.LoopBack” admin-mac=$BGPISP2LBMAC auto-mac=no
comment=”R+: BGP (BGP.ISP2LB Interface)” disable=yes;
/ip address add address=$BGPISP2LBIP interface=”BGP.LoopBack” comment=”R+: BGP
(BGP.ISP2LB IP)” disable=yes;
/ip address add address=$BGPISP2IP30 interface=$BGPISP2WAN comment=”R+: BGP
(IPP/30, dispuesta x ISP2 x su S/R.BGP)” disable=yes;
/ip address add address=$BGPISP2GW interface=$BGPISP2LAN comment=”R+: BGP (IPP/22,
dispuesta x ISP2 x su IP.GW)” disable=yes;
/routing bgp instance set 0 router-id=$BGPISP2RID as=$BGPISP2ASN comment=”R+: BGP
(ISP2.ASN)”;
/routing bgp peer add name=”BGP.TELCO-VCI” remote-address=$BGPVCI2RID remote-
as=$BGPVCI1ASN default-originate=if-installed comment=”R+: BGP (Estableciendo
relación con BGP.TELCO-VCI)” disable=yes;
/routing bgp network add network=$BGPISP2IPP synchronize=no comment=”R+: BGP
(IP.Pool de ISP2)” disable=yes;
# …
#
-----------------------------------------------------------------------------------
[FIN]
# -------------------------------- [Protocolo BGP]
-------------------------------------
#
-----------------------------------------------------------------------------------
--------
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------ [Protocolo Romon]
-----------------------------------
#
-----------------------------------------------------------------------------------
-------
# (Access via Leyer.2): aplicar en c/Route que use x alcanzar (Route.Dst) desde
(Route.Local=WinBox.RomonAgent).
/tool romon set enable=yes secrets=private; # Secret=password
/tool romon port add interface=LAN1 disable=no; # Add (interfaces-Romon)
/tool romon port set forbid=yes [find (interface=all)]; # Block (interfaces-Romon)
# /tool romon port remove [find interface=LAN1]; # Dell (interfaces-Romon)
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------ [Protocolo Romon]
-----------------------------------
#
-----------------------------------------------------------------------------------
-------
#
-----------------------------------------------------------------------------------
[INI]
# ----------------------------- [Balanceos de Carga]
---------------------------------
#
-----------------------------------------------------------------------------------
-------
# Reglas para (Balanceo de Carga): ----------------------------------- (no probado)
# Fundamentalmente, divide la carga (conexiones) entre diferentes
out-interfaces/enlaces. Existen tres tipos de balanceos de carga: (ECMP/NTH/PCC).
# Reglas para (Balanceo de Carga): ---------------------------------------- [ECMP]

# Activar reglas (NAT.masquerade: R<:), según corresponda (diferentes Gateways de
igual Mbps).
/ip firewall mangle add chain=input in-interface=WAN1 action=mark-connection new-
connection-mark=ISP1Conn log=no log-prefix=”BC-ECMP.Marco (Conn.IN: ISP1Conn)”
comment=”001R<: BC-ECMP.Marco (Conn.IN: ISP1Conn)” disable=yes;
/ip firewall mangle add chain=output new-connection-mark=ISP1Conn action=mark-
routing log=no log-prefix=”BC-ECMP.Marco (Rout.OUT: toISP1)” new-routing=toISP1
comment=”002R<: BC-ECMP.Marco (Rout.OUT: toISP1)” disable=yes;
/ip firewall mangle add chain=input in-interface=WAN2 action=mark-connection new-
connection-mark=ISP2Conn log=no log-prefix=”BC-ECMP.Marco (Conn.IN: ISP2Conn)”
comment=”003R<: BC-ECMP.Marco (Conn.IN: ISP2Conn)” disable=yes;
/ip firewall mangle add chain=output new-connection-mark=ISP2Conn action=mark-
routing log=no log-prefix=”BC-ECMP.Marco (Rout.OUT: toISP2)” new-routing=toISP2
comment=”004R<: BC-ECMP.Marco (Rout.OUT: toISP2)” disable=yes;
# …
# ------------------------------------------- [distintos Gateways y distintas

Interfaces]
/ip route add check-gateway=ping gateway=1.2.3.1,1.2.4.1 comment="10R<: BC-
ECMP.Rutas (ISPs.Rutas)" disable=yes; # Gateway distintos y distintos ISP.
/ip route add check-gateway=ping gateway=1.2.3.1 routing-mark=toISP1 comment="20R<:
BC-ECMP.Ruta (ISP1.Ruta)" disable=yes;
BC-ECMP.Ruta (ISP2.Ruta)" disable=yes;
# …
# ------------------------------------------- [mismo Gateway y distintas

Interfaces]
# /ip route add check-gateway=ping gateway=1.2.3.1%WAN1,1.2.4.1%WAN2 comment="10R<:
BC-ECMP.Rutas (ISPs.Rutas)" disable=yes;
# /ip route add check-gateway=ping gateway=1.2.3.1%WAN1 routing-mark=toISP1
comment="20R<: BC-ECMP.Ruta (ISP1.Ruta)" disable=yes;
# /ip route add check-gateway=ping gateway=1.2.4.1%WAN2 routing-mark=toISP2
comment="21R<: BC-ECMP.Ruta (ISP2.Ruta)" disable=yes;
# …
# Reglas para (Balanceo de Carga): ------------------------------------------ [NTH]

# Activar reglas (NAT.masquerade: R<:), según corresponda. (nth=2,1), donde (2) es
el nro de WANx activas.
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
state=new nth=2,1 action=mark-connection new-connection-mark=ISP1Conn log=no log-
prefix=”BC-NTH.Marco (Conn.IN: ISP1Conn)” comment=”001R<: BC-NTH.Marco (Conn.IN:
ISP1Conn)” passthrough=yes disable=yes;
mark=ISP1Conn action=mark-routing new-routing-mark=toISP1 log=no log-prefix=”BC-
NTH.Marco (Rout.OUT: toISP1)” comment=”002R<: BC-NTH.Marco (Rout.OUT: toISP1)”
passthrough=no disable=yes;
state=new nth=2,2 action=mark-connection new-connection-mark=ISP2Conn log=no log-
prefix=”BC-NTH.Marco (Conn.IN: ISP2Conn)” comment=”001R<: BC-NTH.Marco (Conn.IN:
ISP2Conn)” passthrough=yes disable=yes;
NTH.Marco (Rout.OUT: toISP1)” comment=”002R<: BC-NTH.Marco (Rout.OUT: toISP1)”
passthrough=no disable=yes;
# …

Interfaces]
BC-NTH.Ruta (ISP1.Ruta)" disable=yes;
BC-NTH.Ruta (ISP2.Ruta)" disable=yes;
/ip route add check-gateway=ping gateway=1.2.3.1 comment="22R<: BC-NTH.Ruta
(ISP1.Ruta x routing-mark=no-mark)" disable=yes;
# Reglas para (Balanceo de Carga): -------------------------------------------

[PCC]
# Activar reglas (NAT.masquerade: R<:), según corresponda. (src-address-and-
port:X/0)/(both-addresses:X/0), siendo (X), la cantidad de WANs (activas) o una
forma de ponderar interface (WANx) por sobre el resto (por tener mas Mbps).
/ip firewall mangle add chain=prerouting dst-address=1.2.3.0/24 action=accept in-
interface-list=LANs comment="001R<: BC-PCC.Accept (LANs to ISP1Conn)" disable=yes;
/ip firewall mangle add chain=prerouting dst-address=1.2.4.0/24 action=accept in-
interface-list=LANs comment="002R<: BC-PCC.Accept (LANs to ISP2Conn)" disable=yes;
# …
# -------------------------------------------
/ip firewall mangle add chain=prerouting in-interface=WAN1 connection-mark=no-mark
action=mark-connection new-connection-mark=ISP1Conn log=no log-prefix=”BC-PCC.Marco
(Conn.IN: ISP1Conn)” comment=”003R<: BC-PCC.Marco (Conn.IN: ISP1Conn)” disable=yes;
/ip firewall mangle add chain=prerouting in-interface=WAN2 connection-mark=no-mark
action=mark-connection new-connection-mark=ISP2Conn log=no log-prefix=”BC-PCC.Marco
# …
# -------------------------------------------
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-mark=no-
mark per-connection-classifier=src-address-and-port:2/0 action=mark-connection dst-
address-type=!local new-connection-mark=ISP1Conn log=no log-prefix=”BC-PCC.Marco
# /ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=no-mark per-connection-classifier=both-addresses:2/0 action=mark-connection
dst-address-type=!local new-connection-mark=ISP1Conn log=no log-prefix=”BC-
PCC.Marco (Conn.IN: ISP1Conn)” comment=”005Rx: BC-PCC.Marco (Conn.IN: ISP1Conn)”
disable=yes;
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-mark=no-
mark per-connection-classifier=src-address-and-port:2/1 action=mark-connection dst-
address-type=!local new-connection-mark=ISP2Conn log=no log-prefix=”BC-PCC.Marco
# /ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=no-mark per-connection-classifier=both-addresses:2/1 action=mark-connection
dst-address-type=!local new-connection-mark=ISP2Conn log=no log-prefix=”BC-
PCC.Marco (Conn.IN: ISP2Conn)” comment=”006Rx: BC-PCC.Marco (Conn.IN: ISP2Conn)”
disable=yes;
# …
# ---------------------
PCC.Marco (Rout.IN: toISP1)” comment=”007R<: BC-PCC.Marco (Rout.IN: toISP1)”
disable=yes;
PCC.Marco (Rout.IN: toISP2)” comment=”008R<: BC-PCC.Marco (Rout.IN: toISP2)”
disable=yes;
# …
# ---------------------
/ip firewall mangle add chain=output connection-mark=ISP1Conn action=mark-routing
new-routing-mark=toISP1 log=no log-prefix=”BC-PCC.Marco (Rout.OUT: toISP1)”
comment=”009R<: BC-PCC.Marco (Rout.OUT: toISP1)” passthrough=no disable=yes;
/ip firewall mangle add chain=output connection-mark=ISP2Conn action=mark-routing
new-routing-mark=toISP2 log=no log-prefix=”BC-PCC.Marco (Rout.OUT: toISP2)”
comment=”010R<: BC-PCC.Marco (Rout.OUT: toISP2)” disable=yes;
# …

Interfaces]
BC-PCC.Ruta (ISP1.Ruta)" disable=yes;
BC-PCC.Ruta (ISP2.Ruta)" disable=yes;
/ip route add check-gateway=ping gateway=1.2.3.1 scope=1 comment="22R<: BC-PCC.Ruta
(ISP1.Ruta-Failover)" disable=yes;
/ip route add check-gateway=ping gateway=1.2.4.1 scope=2 comment="23R<: BC-PCC.Ruta
(ISP2.Ruta-Failover)" disable=yes;
…
#
-----------------------------------------------------------------------------------
[FIN]
# ----------------------------- [Balanceos de Carga]
---------------------------------
#
-----------------------------------------------------------------------------------
-------
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------------ [Bonding]
----------------------------------------
#
-----------------------------------------------------------------------------------
-------
# Reglas para (Bonding): ---- [agregación de interfaces en un unico enlace virtual]
# Sumatoria de interfaces. Se necesitan dos router/switch (uno en cada punta de los
enlaces) y conectar cada puerto con cada AP/ST (enlaces).
# ------------------------------------------- [Router.Local]
/interface bonding add name=VCIBonding slaves=WAN1,WAN2 mode=balance-rr
comment=”01R<: VCIBondig.Add (Bonding Interface.Local)” disable=yes;
# ------------------------
/ip address add address=192.168.79.13/30 interface=VCIBonding comment=”01R<:
VCIBonding.Interface (AP-ST)” disable=yes;
/ip address add address=192.168.79.1/30 interface=WAN1 comment=”01R>: BondingWAN1.[
Elisa (AP:1.2.3.1-ST:1.2.3.2) ]” disable=yes;
Elisa (AP:1.2.3.4-ST:1.2.3.5) ]” disable=yes;
# …
# ------------------------------------------- [Router.no-Local]
/interface bonding add name=VCIBonding slaves=WAN1,WAN2 mode=balance-rr
comment=”01R>: VCIBondig.Add (Bonding Interface.no-Local)” disable=yes;
# ------------------------
/ip address add address=192.168.79.14/30 interface=VCIBonding comment=”01R>:
VCIBonding.Interface (ST-AP)” disable=yes;
Elisa (ST:1.2.3.1-AP:1.2.3.2) ]” disable=yes;
Elisa (ST:1.2.3.4-AP:1.2.3.5) ]” disable=yes;
# …
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------------ [Bonding]
----------------------------------------
#
-----------------------------------------------------------------------------------
-------
-------------------------------------------------------------------------------
[ FIN ]
-----------------------------------------------------------------------------------
-----
--------------------------- Scripts (accesorios):
-----------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----

Router OS

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Router OS

Uploaded by

Copyright:

Available Formats

-----------------------------------------------------------------------------------

# Configuración básica de seguridad del RB:

# ----------------------------------------- [RBNAT.IPs (especiales)]

# Nota: especificas IPs (no A-LAN.List), habilitadas x Nateo de Ports en el RB.

Nota: ¿desbloquear (#), si fuese necesario, responder ping de los DNS?

/ip firewall address-list add address=10..1 list=A-BLACKHOLE.List comment=”R+:

# Nota: CuevanaÌ(AS13335 - NetName: CLOUDFLARENET), limitar rangos.

# --------------------------------------------- [Drop VPN.DDNS]

/system scheduler add name=RB.Reboot on-event="/system reboot" start-time=([/system

/system scheduler set [/system scheduler get [find name=”RB.Reboot”] value-

# Reglas x Mitigar (DoS Attacks): ---------------------------------------------

# ---------------------------------------- [x RB.IPPub (WAN)]

# --------------------------------------------- [Acceso Privilegiado (x PKnocking)]

# --------------------------------------------------------- [Acceso Liberado (x

/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs src-

# ------------------------------------ [x RB.IPPri (dst-LANs)]

# Reglas x Ctrl.Client (x C-CLIENTDROP.List x VPN-DDNS.List): -------- [INI]

#... (constituir seguidamente, solo x ataque desde (C-CLIENTDROP.List), el resto de

# Reglas x Aceleracion de Tráfico: ------------------------------------------ [INI]

# ---------------------------------- Opcion.02 (<) -----------------------------

# Nota: no uso (src-address-list=!A-ADMIN.List) x posible infeccion. Cuidado: si,

# Regla x Drop (A-DARK.List desde Input): -----------------------------------------

# Regla x Accept (A-WHITE.List desde Input): -------------------------------------

# Regla x Accept (Input.ICMP desde ICMPWANSRC.List): -----------------------

# Regla x RBACCESS (x Access.Type - WINBOX): -------------------------- [INI]

# --------------------------------------------- [Acceso Privilegiado (x PKnocking)]

# --------------------------------------------------------- [Acceso Liberado (x

# Regla x RBACCESS (x PortKnocking - WINBOX): ------------------------ [INI]

# --------------------------------------------- [Acceso Privilegiado (x PKnocking)]

# Regla x RBACCESS (save src-!A-ADMIN.List - WINBOX): ----------------------

# Nota: x secuenciación de mí (Firewall), sin +reglas, no puedo evitar usar algunos

# Reglas x Ctrl.Client (x C-CLIENTDROP.List): -------------------------------------

# Regla x Accept (LANInput.Trafic-Autorizado): ----------------------------------

# Regla x Drop (Input.Rest-Trafic):

# Regla x Drop (Forward.Bogons): --------------------------------------------------

# Reglas x Mitigar (Email.Spam):

# Reglas x Ctrl.Client (Estado): -----------------------------------------------

# Reglas x Ctrl.Promo-Franjas (x C-PPROMO__CLIENT.List): ----------- [INI]

# Nota: precisión+, al incluir la condicion (in-interface=LANs), aunque CPU+.

# Nota: precisión+, al incluir la condicion (in-interface-list=WANs), CPU+.

# Reglas x Drop (específicos Servicios.IP): -----------------------------------

# Reglas x JUMP.FW ICMP/TCP/UDP (new Chain x Protect): ------------ [INI]

# Reglas x Ctrl (ICMP.Jump x Amenazas.Forward-ICMP): --------------- [INI]

# Reglas x Drop (TCP.Jump x Amenazas.Forward-TCPPort): ------------ [INI]

# Reglas x Drop (UDP.Jump x Amenazas.Forward-UDPPort): ----------- [INI]

# Reglas x Drop (VPN.Conn): --------------------------------------------------

# Nateo (IP.Pub y RB.Port): ----- [Opcional] ------ ( 1x Client.IP/Client.Port )

QoS (Leyer7+AddressList+Mangle+QueueTree): ---------------------- [ INI ]

# HTB (Leyer7 Rules): ----------------------------------------------------- [ INI ]

# HTB (Mangle Rules): ---------------------------------------------------- [ INI ]

# IPTV (Mangle Rules): --------------------------------------------------------

# DNS (Mangle Rules): -------------------------------------------- [DNS.Cache=ON]

# ICMP (Mangle Rules):

# Social.Media (Mangle Rules):

# HTTPS (Mangle Rules):

# HTTP (Mangle Rules):

# Down (¿50M?) (Mangle Rules):

# Services.Special (Mangle Rules):

# FTP/SFTP (Mangle Rules):

# SpeedTest (Mangle Rules):

# Resto de conexiones (Mangle Rules):

# -------------------------- HTB (QueueTree Rules): ----------------- [ INI: 01 ]

# QoS conections (QueueTree Rules): -------------------------------------------