-----
-----------------------------------------------------------------------------------
-----
--------------------------- ( RouterOS.Basic-Config ) --------------------- [ INI ]
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
# SO: RouterOS (Mikrotik), config general x (8) etherX.
# Interfaces: WAN (1…5) LAN (6…19) IPPu.Client (20…89) SOS/RES (90…99).
# Tormenta ARP (Interface-Loop):.
# Interfaces.Config (+anti-LOOPs): --------------------------------------------
# Physical ports 0..7 (ether1..ether8) renamed WAN1-3 / LAN1-3 / SOS1 / RES1 and
# given loop-protect on every port (5 s probe interval, port disabled for 1 min
# when its own probe frame comes back, i.e. an L2 loop).
# NOTE(review): the document conversion mangled these commands - each one is
# wrapped onto two lines, the space before `comment=` is missing
# (`loop-protect-disable-time=1mcomment=` must be `loop-protect-disable-time=1m comment=`),
# and the typographic quotes (”…”) must be plain ASCII double quotes before
# this is pasted into a terminal. The same two quote/wrap problems recur in
# every section below.
/interface ethernet set 0 name=”WAN1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”WAN1.[ TELCO ]”;
/interface ethernet set 1 name=”WAN2” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”WAN2.[ … ]”;
/interface ethernet set 2 name=”WAN3” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”WAN3.[ … ]”;
/interface ethernet set 3 name=”LAN1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”LAN1.[ WR.1-1 ]”;
/interface ethernet set 4 name=”LAN2” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”LAN2.[ WR.2-2 ]”;
/interface ethernet set 5 name=”LAN3” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”LAN3.[ … ]”;
/interface ethernet set 6 name=”SOS1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”SOS1.[ … ]”;
/interface ethernet set 7 name=”RES1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1mcomment=”RES1.[ … ]”;
# …
# Nota: descubre loops de paquetes en capa 2 → (RB.MAC = src-MAC = dst-MAC).
# Address.Config:
------------------------------------------------------------------------
# Router addresses per interface. All values here are placeholders
# (X.Y.Z.W, 1...21/32, 1...1/24) to be filled per deployment; every entry is
# added inactive so nothing goes live on paste.
# NOTE(review): the property is `disabled=yes` (as the scheduler and filter
# sections of this same document use), not `disable=yes`; as written these
# lines fail to parse. The 06/07, 08/09 and 10/11 pairs are duplicate
# addresses on the same interface - only one of each pair should be enabled.
/ip address add address=X.Y.Z.W/24 interface=WAN1 comment=”01R>: WAN1.
[ TELCO.1.2.3.4 ]” disable=yes;
/ip address add address=1...21/32 interface=WAN2 comment=”02Rx: WAN2.[ … ]”
disable=yes;
/ip address add address=1...21/32 interface=WAN3 comment=”03Rx: WAN3.[ … ]”
disable=yes;
/ip address add address=1...1/24 interface=LAN1 comment=”06R+: LAN1.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN1 comment=”07Rx: LAN1.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN2 comment=”08R+: LAN2.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN2 comment=”09R+: LAN2.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN3 comment=”10Rx: LAN3.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN3 comment=”11Rx: LAN3.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...2/32 interface=SOS1 comment=”90R+: EMERGENCY1.[ … ]”
disable=yes;
/ip address add address=1.../32 interface=RES1 comment=”91R+: RESERVADO1.[ … ]”
disable=yes;
# …
# Agrupar Interfaces (WANs):
----------------------------------------------------------
# Interface lists WANs / LANs. Every firewall, NAT and raw rule below matches
# on `in-interface-list=` / `out-interface-list=` against these two lists, so a
# port that is not a member is matched by none of those rules - keep the
# membership in step with the port assignments above.
# NOTE(review): `disable=yes` should be `disabled=yes` (see scheduler section).
/interface list member add interface=WAN1 list=WANs comment=”01R+: WANs.Add (WAN1)”
disable=yes;
/interface list member add interface=WAN2 list=WANs comment=”02Rx: WANs.Add (WAN2)”
disable=yes;
/interface list member add interface=WAN3 list=WANs comment=”03Rx: WANs.Add (WAN3)”
disable=yes;
# …
# Group interfaces (LANs):
-----------------------------------------------------------
/interface list member add interface=LAN1 list=LANs comment=”06R+: LANs.Add (LAN1)”
disable=yes;
/interface list member add interface=LAN2 list=LANs comment=”07R+: LANs.Add (LAN2)”
disable=yes;
/interface list member add interface=LAN3 list=LANs comment=”08Rx: LANs.Add (LAN3)”
disable=yes;
# …
# Nota: comenzar las LANs con el puerto (físico:4, lógico:3) x (WAN.Balanceo). En
caso de usar Wireless (WLAN1, usar: interface=bridge1).
# Establecer Queue.Interface: ------------------------------------- (FUNDAMENTAL)
# Reset every used port's interface queue to the default type; the author
# marks this as a prerequisite for the queue tree further down, which also
# uses `queue=ethernet-default` on each node.
/queue interface set WAN1 queue=ethernet-default; # -> PFIFO(50p)
/queue interface set WAN2 queue=ethernet-default;
/queue interface set WAN3 queue=ethernet-default;
/queue interface set LAN1 queue=ethernet-default;
/queue interface set LAN2 queue=ethernet-default;
/queue interface set LAN3 queue=ethernet-default;
/queue interface set SOS1 queue=ethernet-default;
/queue interface set RES1 queue=ethernet-default;
# …
# Nota: continuar hasta cubrir todas las interfaces usadas (cambiar según eficiencia).
# DNS.Config:
----------------------------------------------------------------------------
# Router-side DNS cache. `allow-remote-requests=yes` makes the router answer
# DNS from ANY interface it is reachable on, including the WANs - an open
# resolver unless port 53 is filtered on the WAN side. The only WAN-side
# guard visible in this document is raw rules 003/004 (drop UDP/53 from WANs),
# which are added disabled, and there is no TCP/53 counterpart; enable that
# filtering (UDP and TCP) before or together with this setting.
/ip dns set servers=1.1.1.1,1.0.0.1,209.244.0.3,209.244.0.4;
/ip dns set allow-remote-requests=yes; # the router's DNS cache is used to capture client IPs
/ip dns set max-udp-packet-size=4096;
/ip dns set cache-size=51200; # 50 MB; the DNS cache is not persistent
/ip dns set cache-max-ttl=1d; # 1 day, to mitigate attacks (Type=unknown)
# Routes.Config:
-------------------------------------------------------------------------
# Default route via WAN1 (gateway address is a placeholder); `check-gateway=ping`
# probes the gateway and withdraws the route while it is unreachable (the
# author's note below gives the probe period). Added disabled.
/ip route add gateway=1.2.3.1 check-gateway=ping comment=”01R>: Ruta.WAN1, hacia
XXX.GateWay-Border.....1” disable=yes;
# Nota: (AS: Active and Static Connection), (CD: Connected and Dynamic), (X:
Deshabilitada), (ping: chequea c/10s – check-gateway=ping –).
# Enmascaramiento.Config:
-------------------------------------------------------------
# Source NAT for LAN clients towards the Internet. Rule 100 masquerades on
# the whole WANs list; rules 101-103 are the per-interface alternative - per
# the author's marking convention only one of the two variants is meant to be
# active at a time. All added disabled (`disable=` should read `disabled=`).
/ip firewall nat add chain=srcnat out-interface-list=WANs comment=”100R>: NAT.C-
IPPri (WANs)” action=masquerade disable=yes;
/ip firewall nat add chain=srcnat out-interface=WAN1 comment=”101R<: NAT.C-IPPri
(WAN1)” action=masquerade disable=yes;
/ip firewall nat add chain=srcnat out-interface=WAN2 comment=”102R<: NAT.C-IPPri
(WAN2)” action=masquerade disable=yes;
/ip firewall nat add chain=srcnat out-interface=WAN3 comment=”103R<: NAT.C-IPPri
(WAN3)” action=masquerade disable=yes;
# Nota: establece y restringe el acceso desde las LANs a Internet, a través de las WANs.
# Reglas para transparentar (RB.DNS-Cache): ---------------------------------------
# Transparent DNS: every UDP/TCP port-53 request entering from a LAN port is
# redirected to the router's own resolver, whatever DNS server the client has
# configured. Depends on `allow-remote-requests=yes` in the DNS section;
# `to-ports=` is the correct property name (compare the commented proxy rule
# later, which uses `to-port=`).
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LANs
comment=”110R+: NAT.DNS-Trafic a DNSCache.UDP” action=redirect to-ports=53
disable=yes;
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 in-interface-list=LANs
comment=”111R+: NAT.DNS-Trafic a DNSCache.TCP” action=redirect to-ports=53
disable=yes;
# Nota: redirecciona las peticiones de DNS y permite configurar cualquier IP de DNS en
la tarjeta de red del cliente.
# SNTP-Client.Config:
--------------------------------------------------------------------
# NTP client against two hard-coded server addresses (verify they are still
# valid for your region; a changed address silently stops time sync, which in
# turn breaks the date-driven schedulers/scripts below).
# NOTE(review): the property is `enabled=yes`, not `enable=yes`.
/system ntp client set primary-ntp=170.155.148.1 secondary-ntp=201.217.3.85
enable=yes;
# Email.Config:
---------------------------------------------------------------------------
# Outbound alert e-mail via Gmail SMTP (submission port 587, STARTTLS).
# `address=`, `from=`, `user=` and `password=` are placeholders. The password
# is stored in the router configuration in clear text and appears in exports,
# so use a dedicated app password (as the author's note suggests) rather than
# the account password, and treat config backups/exports as secrets.
# The server is given as a literal IP although the intended host is the
# commented `smtp.gmail.com`; Google front-end addresses change, so prefer the
# hostname.
/tool e-mail set address=64.233.186.108;
/tool e-mail set port=587;
/tool e-mail set from=xxx@gmail.com; # smtp.gmail.com
/tool e-mail set user=xxx;
/tool e-mail set password=Gmail.Key; # or the app password created under 2-step verification
/tool e-mail set start-tls=yes; # encryption between the RB and the Gmail servers
# Nota: (2da autenti: https://security.google.com/settings/security/apppasswords)
#
-----------------------------------------------------------------------------------
--------
# Nota: Se usará solo x ataque. Add IP.LANs, según requerimiento del Client.
# ---------------------------------------- [ICMPLANDST.Permitidos]
# Allow-list of ICMP destinations reachable from the LAN side: the client
# pool (placeholder X.Y.Z.0/24) plus the four upstream DNS servers configured
# in the DNS section, the latter inactive by default.
# NOTE(review): no rule in this excerpt references A-ICMPLANDST.List (the raw
# ICMP rules use A-ICMPWANSRC/A-ICMPWANDST/A-ICMPLANSRC); confirm which list
# the consuming rule is meant to read.
/ip firewall address-list add address=X.Y.Z.0/24 list=A-ICMPLANDST.List
comment=”R+: ICMPLANDST.Permitido (ID: Pool/24.VCI)” disable=yes;
/ip firewall address-list add address=1.1.1.1 list=A-ICMPLANDST.List comment=”Rx:
ICMPLANDST.Permitido (ID: Publ.DNS)” disable=yes;
/ip firewall address-list add address=1.0.0.1 list=A-ICMPLANDST.List comment=”Rx:
ICMPLANDST.Permitido (ID: Publ.DNS)” disable=yes;
/ip firewall address-list add address=209.244.0.3/32 list=A-ICMPLANDST.List
comment=”Rx: ICMPLANDST.Permitido (ID: Publ.DNS)” disable=yes;
/ip firewall address-list add address=209.244.0.4/32 list=A-ICMPLANDST.List
comment=”Rx: ICMPLANDST.Permitido (ID: Publ.DNS)” disable=yes;
# …
# Nota: ¿desbloquear (quitar el #), si fuese necesario, para emitir ping a los DNS?
# ----------------------------- [BOGON IPs]
# Bogon / special-purpose ranges that should never appear as a source on the
# WAN side: link-local (169.254/16), loopback (127/8), "this network" (0/8),
# documentation and benchmarking nets, 6to4 relay, multicast (224/4). Note the
# list deliberately omits RFC1918 space, which is in use on the LAN side.
# NOTE(review): (1) line `list= A-BOGON.List` has a stray space after `=` and
# will not parse; (2) no raw/filter rule in this excerpt consumes A-BOGON.List -
# a drop on `src-address-list=A-BOGON.List in-interface-list=WANs` is needed for
# the list to have any effect; (3) `disable=` should be `disabled=`.
/ip firewall address-list add address=169.254.0.0/16 list=A-BOGON.List comment=”R+:
BOGONIP: Rango IP.Privadas” disable=yes;
/ip firewall address-list add address=127.0.0.0/8 list=A-BOGON.List comment=”R+:
BOGONIP: ” disable=yes;
/ip firewall address-list add address=0.0.0.0/8 list=A-BOGON.List comment=”R:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=192.0.2.0/24 list= A-BOGON.List comment=”R+:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=192.88.99.0/24 list=A-BOGON.List comment=”R+:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=198.18.0.0/15 list=A-BOGON.List comment=”R+:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=198.51.100.0/24 list=A-BOGON.List
comment=”R+: BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=203.0.113.0/24 list=A-BOGON.List comment=”R+:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=224.0.0.0/4 list=A-BOGON.List comment=”R+:
BOGONIP: --- ” disable=yes;
# Nota: (ips, actualmente, no asignadas a ninguna entidad, hay un monton mas).
# -------------------------------------------- [IP Public especiales]
# --------------------- [DOS.ATTACK]
# Manual block-list (A-DARK) and allow-list (A-WHITE) for traffic to the
# router itself; `1..255` is a placeholder address. Neither list is referenced
# by a rule in this excerpt - the input-chain rules that read them are
# presumably in a part of the document not shown here.
/ip firewall address-list add address=1..255 list=A-DARK.List comment=”Rx: RB.Input
(IP.Drop)” disable=yes;
/ip firewall address-list add address=1..255 list=A-WHITE.List comment=”Rx:
RB.Input (IP.Accept)” disable=yes;
# --------------------- [BLACKHOLE]
# --------------------------------------------- [Promo.Franja-Horaria]
# Per-client promotional lists (time-window promos and per-service promos).
# `1..1` is a placeholder client address; the lists are populated/expired by
# the schedulers and scripts named later ("RB.PromoXDay-Cheq",
# "AddressList.Ctrl (RedesSociales)").
# NOTE(review): the service lists carry `!` inside the name
# (C-PROMO!FACEBOOK.List). `!` is the negation prefix in RouterOS matchers;
# verify the name is accepted wherever it is used in `src-address-list=` /
# `dst-address-list=`, or rename to avoid ambiguity.
/ip firewall address-list add address=1..1 list=C-PROMO2DCLIENT.List comment=”C+:
Client.Promo (S-D)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO5DCLIENT.List comment=”C+:
Client.Promo (L-V)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO7MCLIENT.List comment=”Cx:
Client.Promo (7.Mañanas)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO7NCLIENT.List comment=”Cx:
Client.Promo (7.Noches)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMOXDCLIENT.List comment=”Cx:
Client.Promo (<Nombre>: 000D, expira el: 00/00/0000)” disable=yes;
# Note: Promo.XD - the control script keeps the entry until the expiry date in
# the comment is older than the current date.
# --------------------------------------------- [Promo.Social-Media]
/ip firewall address-list add address=1..1 list=C-PROMO!FACEBOOK.List comment=”Cx:
Client.Promo (!RS.Facebook)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!YOUTUBE.List comment=”Cx:
Client.Promo (!RS.Youtube)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!NETFLIX.List comment=”Cx:
Client.Promo (!RS.Netflix)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!WHATSAPP.List comment=”Cx:
Client.Promo (!RS.Whatsapp)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!TWITTER.List comment=”Cx:
Client.Promo (!RS.Twitter)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!INSTAGRAM.List comment=”Cx:
Client.Promo (!RS.Instagram)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!SKYPE.List comment=”Cx:
Client.Promo (!RS.Skype)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!SPOTIFY.List comment=”Cx:
Client.Promo (!RS.Spotify)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!SNAPCHAT.List comment=”Cx:
Client.Promo (!RS.Snapchat)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!TELEGRAM.List comment=”Cx:
Client.Promo (!RS.Telegram)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!TWITCH.List comment=”Cx:
Client.Promo (!RS.Twitch)” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO!VIMEO.List comment=”Cx:
Client.Promo (!RS.Vimeo)” disable=yes;
# --------------------------------------------------------------- [DNSs.Problematicos]
# Netflix probe/CDN hostnames that the QoS marking treats specially. These
# entries are host names, so the router resolves them through its own DNS
# (the servers set in the DNS section); the resulting addresses are only as
# trustworthy as that resolution path.
/ip firewall address-list add address=”probe-dradis-aws-only.prod.ftl.netflix.com”
list=S-NETFLIX.List comment=”Cx: QoS ( CDDNS.Problematico de Netflix: probe-dradis-
aws-only.prod.ftl.netflix.com)” disable=yes;
/ip firewall address-list add address=”probe-unified-aws-only.prod.ftl.netflix.com”
list=S-NETFLIX.List comment=”Cx: QoS ( DDDNS.Problematico de Netflix: probe-
unified-aws-only.prod.ftl.netflix.com )” disable=yes;
/ip firewall address-list add address=”oca-api.us-east-1.origin.prodaa.netflix.com”
list=S-NETFLIX.List comment=”Cx: QoS ( CDDNS.Problematico de Netflix: oca-api.us-
east-1.origin.prodaa.netflix.com )” disable=yes;
# …
# Nota: recordar que, según entiendo, las reglas de (Raw, Mangle y Filter) no
marcarán/bloquearán las VPN.Conn de las IP públicas fijas asignadas a los clientes.
# Web.Proxy (Config y Protection): ------------------------------- [en
construcción]
# Web proxy: kept OFF. The commented lines are the intended "on" variant:
# enable the proxy and redirect LAN TCP/80 to it. If it is ever enabled,
# access to the proxy port from the WANs must be blocked in the input chain
# (the author's note below says the same), otherwise it is an open proxy.
# NOTE(review): in the source the wrapped continuation lines of the commented
# rule lacked the `#` prefix and would have been executed as (invalid)
# commands on paste - they are prefixed here. Also `to-port=8070` should be
# `to-ports=8070`, matching the DNS redirect rules above.
/ip proxy set enabled=no; # web proxy disabled
# ---------------------------------------------
# /ip proxy set enabled=yes; # web proxy enabled
# /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 in-interface-list=LANs
# comment=”Rx: Web.Proxy (Redireciona Port (80 a 8070)” action=redirect to-port=8070
# disable=yes;
# Nota: si (on), redireccionar port (80a8070) y bloquear pedidos desde (WANs).
# Web.Proxy (Config y Protection): ------------------------------- [en
construcción]
# Schedulers.Config:
---------------------------------------------------------------------
# Scheduled jobs. `start-time=hh:mm:ss`, `interval=hh:mm:ss` and
# `interval=xd02:13:00` are placeholders; each `on-event=` names a script
# that is not part of this excerpt, except "TP (RB.Reboot)", which runs the
# inline command `/system reboot`. Everything is added `disabled=yes`.
# NOTE(review): no `policy=` is given, so each job runs with the scheduler's
# default policy, which is broad (confirm on your RouterOS version); set
# `policy=` to the minimum each script needs (a backup job does not need
# `password`/`policy`, a stats job only `read`). Also: `/ system scheduler`
# (stray space) will not parse, and most names mix typographic ”…“ quotes
# with ASCII quotes inside one command.
/system scheduler add name=”TP (RB.PromoXDay-Cheq)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=”RB.PromoXDay-Cheq” comment="C+: ( RB.PromoXDay-
Cheq )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (AddressList.Ctrl (RedesSociales)“
start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event=”AddressList.Ctrl
(Redes Sociales)” comment="C+: ( AddressList.Ctrl (Redes Sociales) )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.IP-Change)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=”RB.IP-ChangeWAN1” comment="R+: ( RB.IP-
Change )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP (RB.Reboot)" on-event="/system reboot" start-
date=dec/01/2017 start-time=hh:mm:ss interval=xd02:13:00 comment="Rx:
( RB.Reboot )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.QoSChange%)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=”RB.QoSChange% (xRate)” comment="Cx:
( RB.QoSChange% (xRate) )" disabled=yes;
# --------------------------------------------
/ system scheduler add name="TP (RB.BackUp-Config)" on-event="RB.BackUp-Config"
start-date=dec/01/2017 start-time=hh:mm:ss interval=1d comment="R+: ( RB.BackUp-
Config )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.BackUp-AddressList (RSC))“
start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event=”RB.BackUp-
AddressListRSC” comment="Rx: ( RB.BackUp-AddressList (RSC) )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.ISP-Stadistic)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=RB.ISP-Stadistic comment="C+: ( RB.ISP-Stadistic
)" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (RB.BackUp-Log)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=RB.BackUp-Log comment="C+: ( RB.BackUp-Log )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (AddressList.DOSAttack-Alert)“
start-date=dec/01/2017 start-time=start interval=hh:mm:ss on-
event=”AddressList.DOSAttack-Alert” comment="R+: ( AddressList.DOSAttack-Alert )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (QS.ChangeAB)“ start-date=dec/01/2017 start-
time=start interval=hh:mm:ss on-event=”QS.ChangeAB” comment="C+: ( QS.ChangeAB )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (AddressList.AddIP-RSociales)“
start-date=dec/01/2017 start-time=start interval=hh:mm:ss on-
event=”AddressList.AddIP-RSociales” comment="C+: ( AddressList.AddIP-RSociales )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (AddressList.Ctrl (ServicesIPChange)“ start-
date=dec/01/2017 start-time=start interval=hh:mm:ss on-event=”AddressList.Ctrl
(ServicesIPChange)” comment="C+: ( AddressList.Ctrl (Services IP Change) )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (Client.Ctrl (ABTemp)“ start-date=dec/01/2017 start-
time=start interval=hh:mm:ss on-event=”Client.Ctrl (ABTemp)” comment="C+:
( Client.Ctrl (ABTemp) )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP (Alert.LinkChange-RBLink)“ start-date=dec/01/2017
start-time=start interval=hh:mm:ss on-event=”Alert.LinkChange-RBLink” comment="Rx:
( RB.Alert.LinkChange-RBList )" disabled=yes;
# Micelaneos.Config:
---------------------------------------------------------------------
# Attack-surface reduction: SOCKS, UPnP, the bandwidth-test server and SNMP
# are all switched off; connection tracking stays on (needed for FastTrack
# and for every connection-state rule); SYN cookies on.
# NOTE(review): `rp-filter=strict` on a router with three WAN ports and load
# balancing (see the note in the interface-list section) can drop legitimate
# replies that arrive on a different WAN than the one the request left on.
# Test with real traffic before enabling; `rp-filter=loose` is the fallback.
# `/ip cloud ddns-enabled=yes` publishes this router's public address under a
# MikroTik-provided DNS name and `update-time=yes` lets that service set the
# clock - decide whether that exposure is acceptable for this deployment.
/ip socks set enabled=no;
/ip upnp set enabled=no;
/tool bandwidth-server set enabled=no;
/ip firewall connection tracking set enabled=yes; # required for FastTrack
/ip settings set tcp-syncookies=yes; # mitigates (DDoS)
/ip settings set rp-filter=strict; # mitigates IP spoofing (not tested)
/snmp set enabled=no;
/ip cloud set ddns-enabled=yes update-time=yes; # Auto-Update DDNS.Server
# Nota: bloquea el RB.(agente.SNMP) para monitoreo externo (TCP/UDP (161-
162) → SNMP). Un agente.SNMP almacena y recupera información tal como la definió
el fabricante en las específicas (MIBs: lo que un control.SNMP (NMS) puede
preguntar a un agente.SNMP) de éste (SNMPv3).
#
-----------------------------------------------------------------------------------
--------
# [ 02 ] --------------------------- [ RB reinciando ]
------------------------------
# ---------------------------- [ Connections
Types ]-----------------------------------
# NEW: Intenta crear una nueva conexión.
# ESTABLISHED: El paquete forma parte de una conexión ya existente.
# RELATED: El paquete está relacionado, aunque realmente no forma parte de una
conexión existente.
# INVALID: El paquete ni es parte de una conexión existente ni intenta crear una
nueva conexión.
#
-----------------------------------------------------------------------------------
--------
# ------------------------------------------------------------------------------
[INI]
#
-----------------------------------------------------------------------------------
--
# -------------------------- Reglas básica del Firewall:
---------------------------
#
-----------------------------------------------------------------------------------
--
#
-----------------------------------------------------------------------------------
--
# Recorre, en forma descendente, las listas del firewall, hasta cumplirse las
condiciones de una regla (accept o drop). Ergo: disponer, las mas probables arriba
y en secuencia (de estar relacionadas).
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------------------ [Raw]
---------------------------------------
#
-----------------------------------------------------------------------------------
-------
# ------------------------------------------------------------- [x DNSUDPFlood.WAN]
# Drop DNS queries arriving from the WANs before connection tracking (raw
# prerouting). Rule 003 records the source in T-DOSDNSUDPWAN.List for 1 h,
# rule 004 drops. This pair is the only thing in this excerpt that stops
# `allow-remote-requests=yes` (DNS section) from making the router an open
# resolver on the WAN side - but both are added disabled and there is no
# TCP/53 equivalent; add `protocol=tcp dst-port=53` drop alongside.
/ip firewall raw add chain=prerouting protocol=udp dst-port=53 in-interface-
list=WANs comment=“003Rx: Guardo.1h (src-IP en T-DOSDNSUDPWAN.List x
Input.DNSUDPConn desde WANs)” action=add-src-to-address-list log=no log-
prefix="[DOS-DNSUDPWAN.Flood]: " address-list=T-DOSDNSUDPWAN.List address-list-
timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=udp dst-port=53 in-interface-
list=WANs comment="004R+: Mitiga (DNSUDPWAN.Flood)" action=drop disable=yes;
# Nota: crea redundancia, pues en (Filter), bloqueo lo no-aceptado; pero sirve para
proteger (ClientIPPub.Port (53)).
# ------------------------------------------------------- [x UDPACKFlood.WAN/LAN]
# Outbound ICMP "port unreachable" (type 3 code 3) towards the WANs, i.e. the
# router's answers to probes of closed UDP ports. Rule 005 records the
# destination, rule 006 drops.
# NOTE(review): both rules carry the same `limit=1000/5s,5:packet`. In
# RouterOS `limit` matches the packets that fall WITHIN the rate, so as
# written 006 drops the first 1000 unreachables per 5 s and lets the excess
# through - the inverse of a rate limit. Compare the ICMP-LAN block below
# (accept with `limit`, then a drop without it) for the intended shape.
# `dst-address-list=!A-ICMPWANSRC.List` refers to a list not defined in this
# excerpt.
/ip firewall raw add chain=output protocol=icmp out-interface-list=WANs dst-
address-list=!A-ICMPWANSRC.List icmp-options=3:3 limit=1000/5s,5:packet
comment=“005Cx: Guardo.1h (src-IP en T-DOSUDPACK.List x Input.UDPACKFlood)”
action=add-dst-to-address-list log=no log-prefix="[DOS-UDPACK.Flood]: " address-
list=T-DOSUDPACK.List address-list-timeout=1h disable=yes;
/ip firewall raw add chain=output protocol=icmp out-interface-list=WANs dst-
address-list=!A-ICMPWANSRC.List icmp-options=3:3 limit=1000/5s,5:packet
comment="006R+: Mitigo (UDPACK.Flood x ICMP.ACK [ 3:3 port unreachable ])"
action=drop disable=yes;
# Nota: cuando el RB recibe un UDP.Packet (Port), revisa si existen programas
escuchando dicho (Port), de no existir, envia un (ICMP.PortACK, 3:3) al origen,
avisando que (destino unreachable). Cuidado con (dst-address-list).
# ------------------------------------------------------------------ [x
IPSpoofing.LAN]
# ACK: Confirma conexión.
# PSH: Fuerza priorización del paquete en destino y obliga esperar otro.
# RST: Indica que se debe reiniciar la conexión.
# SYN: Indica que se pretende iniciar una conexión.
# FIN: Indica la finalización de una conexión.
# BCP38-style ingress filtering on the LAN ports: anything entering a LAN
# port whose source is not in A-LAN.List (the legitimate client ranges; list
# not defined in this excerpt) is recorded for 1 h (007) and dropped (008).
# NOTE(review): 007 has `log=yes`, so every spoofed packet produces a log
# line before the drop. Under a real flood that fills the log buffer and
# costs CPU; the address-list entry already identifies the offender, so
# consider `log=no` here or rate-limit the logging rule.
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=!A-
LAN.List comment=“007Rx: Guardo.1h (src-IP en T-DOSIPSPOOFLAN.List x
Input/Forward.Conn desde !A-LAN.List)” action=add-src-to-address-list log=yes log-
prefix="[DOS-IPSPOOFLAN.BCP38]: " address-list=T-DOSIPSPOOFLAN.List address-list-
timeout=1h disable=yes;
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=!A-
LAN.List comment="008R+: Mitigo.IPSpoofingLAN (x Input/Forward.Conn desde !A-
LAN.List)" action=drop disable=yes;
# ----------------------------------------------------------------- [x
ICMPFlood.WAN]
# ------------------------------------ [x Client.IPPub (WAN)]
# Inbound ICMP from the WANs towards the clients' public addresses
# (A-ICMPWANDST.List, not defined in this excerpt), limited to 50 per 5 s.
# NOTE(review): 009 and 010 have identical matchers including the `limit`;
# 009 therefore records the sources of the pings that are ACCEPTED (within
# the limit) into a "DOS" list, while pings above the limit match neither
# rule and fall through to whatever follows. If the goal is to record and
# drop the excess, 009 needs the complementary match and a trailing drop.
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs dst-
address-list=A-ICMPWANDST.List limit=50/5s,5:packet comment=“009Cx: Guardo.1h (src-
IP en T-DOSICMPWANDST.List x ICMPWANDST.Flood)” action=add-src-to-address-list
log=no log-prefix="[DOS-ICMPWANDST.Flood]: " address-list=T-DOSICMPWANDST.List
address-list-timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs dst-
address-list=A-ICMPWANDST.List limit=50/5s,5:packet comment=“010C+:
Acepto.InputICMP-Limitado (desde src-IP hacia ICMPWANDST.List)” action=accept
disable=yes;
# Nota: tambien se supera (limit=50/5s,5:p) con (ping x.x.x.x –l 8873 –t).
# ----------------------------------------------------------------- [x
ICMPFlood.LAN]
# ------------------------------------ [x RB.IPPri (src-LANs)]
# ICMP from the LAN ports: 015 accepts up to 50/5 s from sources in
# A-ICMPLANSRC.List; 016 records sources NOT in that list for 1 h; 017 drops
# all remaining ICMP from the LANs (both unlisted sources and listed sources
# that exceeded the limit). This accept-with-limit / drop-the-rest layout is
# the one the WAN-side ICMP pair above lacks.
# NOTE(review): 016's comment says the entry is "due to ICMPLAN.Limit", but
# the rule has no `limit` matcher - it records every unlisted source.
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs src-
address-list=A-ICMPLANSRC.List limit=50/5s,5:packet comment=“015Rx:
Acepto.InputICMP-Limitado (desde A-ICMPLANSRC.List)” action=accept disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs src-
address-list=!A-ICMPLANSRC.List comment=“016Rx: Guardo.1h (src-IP en T-
DOSICMPLANSRC.List x !A-ICMPLANSRC.List, debido a ICMPLAN.Limit)” action=add-src-
to-address-list log=no log-prefix="[DOS-ICMPLANSRC.Flood]: " address-list=T-
DOSICMPLANSRC.List address-list-timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs
comment=“017Rx: Bloqueo.Resto de InputICMP.Conn (desde LANs)” action=drop
disable=yes;
# Nota: activar solo x uso de ICMPLANSRC.Limit (desactivar Forward ICMP.Jump) o
ICMP.LAN-Attack.
# --------------------------------------------------------------------- [x
CLIENT.DROP]
# Administrative cut-off: any traffic entering a LAN port from a client in
# C-CLIENTDROP.List (maintained elsewhere) is dropped in raw, before
# connection tracking, so it costs the least CPU.
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=C-
CLIENTDROP.List comment=”060Cx: Bloqueo (Input/Forward.Conn desde C-
CLIENTDROP.List)” action=drop disable=yes;
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------------------ [Raw]
---------------------------------------
#
-----------------------------------------------------------------------------------
-------
#
-----------------------------------------------------------------------------------
[INI]
# ----------------------------------------- [Filter]
---------------------------------------
#
-----------------------------------------------------------------------------------
--------
# --------------------------------------------- [x TCPFlood/32.FW]
# Forward-chain TCP connection flood control. 008 records any source (not in
# C-ALTACONECTIVIDAD.List, the high-connectivity exemption) that holds more
# than 400 concurrent TCP connections per /32 into T-DOSTCPFFW.List for 1 h;
# 007, placed first, then tarpits that source's connections beyond 40 per /32
# instead of dropping them (see the author's note on the CPU trade-off).
# This section uses `disabled=yes` correctly; the raw/NAT sections above use
# `disable=yes`, which does not parse.
/ip firewall filter add chain=forward protocol=tcp src-address-list=T-
DOSTCPFFW.List connection-limit=40,32 comment="007R<: Limito (a 40/32
Forward.TarpitType (ralentizadas) a los de T-DOSTCPFFW.List)" action=tarpit
disabled=yes;
/ip firewall filter add chain=forward protocol=tcp src-address-list=!C-
ALTACONECTIVIDAD.List connection-limit=400,32 comment="008R<: Guardo.1h (src-IPs en
T-DOSTCPFFW.List x 400+/32 Forward.TCP)” action=add-src-to-address-list log=yes
log-prefix="[DOS-TCP.Flood/FW32]: " address-list=T-DOSTCPFFW.List address-list-
timeout=1h disabled=yes;
# … (reservado hasta 011R)
# Nota: (Tarpit), usa CPU+ que (Drop), ya que mantiene la conexión establecida,
reduciendo su trafico hasta cero, evitando asi, que el atacante cree una new-
connection al hacerle nosotros un (Drop).
# -------------------------------------------------------------------------- [x
SYNFlood]
# En (Raw), dropearia cada connection SYN (new o establecida) de T-DOSSYN____.List,
provocando en las LANs, un Client.IPDrop. Siendo que, lo que busco, es limitar las
connection x Chain a (IN: 150+/s)/FW: 600+/s). Activar, las next 4 reglas, solo en
caso de (DoSAttack.SYNFlood), estando usando (Opcion.02) y determinar valores
reales para: (IN/FW).
# ------------------------------------------------------- [x SYNFlood.IN]
# SYN flood guard for traffic to the router itself ("Opcion.02" in the
# author's note; enable only during an actual flood).
# NOTE(review): (1) both rules use the same `limit=150,5:packet`, so 012
# records and 013 drops the SYNs WITHIN the limit and lets the excess pass -
# the same inversion as the WAN ICMP pair; (2) the limit has no time unit,
# unlike `50/5s` elsewhere - confirm it means 150/s as the comment claims;
# (3) 012 says `disable=yes`, 013 `disabled=yes`.
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn limit=150,5:packet
comment="012Cx: Guardo.1h (src-IP en T-DOSSYNIN.List x posible Input.SYNFlood)"
action=add-src-to-address-list log=no log-prefix="[DOS-InputSYN.Flood]: " address-
list=T-DOSSYNIN.List address-list-timeout=1h disable=yes;
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn limit=150,5:packet
comment="013Cx: Bloqueo (x 150+/s Input.SYN-Conn simultaneas x posible
Input.SYNFlood)" action=drop disabled=yes;
# ------------------------------------------------------- [x SYNFlood.FW]
# SYN flood guard for forwarded traffic, same structure and same caveats as
# the input pair above (shared `limit` in both rules, unit-less rate, mixed
# `disable`/`disabled`). The comment on 015 says "Input.SYNFlood" although the
# chain is forward.
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn limit=600,5:packet
comment="014Cx: Guardo.1h (src-IP en T-DOSSYNFW.List x posible Forward.SYNFlood)"
action=add-src-to-address-list log=no log-prefix="[DOS-ForwardSYN.Flood]: "
address-list=T-DOSSYNFW.List address-list-timeout=1h disable=yes;
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn limit=600,5:packet
comment="015Cx: Bloqueo (x 600+/s Forward.SYN-Conn simultaneas x posible
Input.SYNFlood)" action=drop disabled=yes;
# Nota: x descubrir (IP.Externa), cambiar en (IN/FW) a: (action=add-dst-to-address-
list).
# ---------------------------------- Opcion.02 (<) -----------------------------
[FIN]
# ------------------------------------------------------------------- [x
NTPFlood.WAN]
# Block NTP requests from the WANs to the router (the router is an NTP
# client only - see the SNTP section - so nothing legitimate arrives on
# dst-port 123 from outside). 016 records the source for 1 h, 017 drops.
# The author notes that these deliberately omit `connection-state=new`.
/ip firewall filter add chain=input protocol=udp dst-port=123 in-interface-
list=WANs comment="016Rx: Guardo.1h (src-IPs en T-DOSNTPWAN.List x posible
Input.NTPWANFlood)" action=add-src-to-address-list log=no log-prefix="[DOS-
NTPWAN.Flood]: " address-list=T-DOSNTPWAN.List address-list-timeout=1h
disabled=yes;
/ip firewall filter add chain=input protocol=udp dst-port=123 in-interface-
list=WANs comment="017R+: Bloqueo (src-IP x posible DOSNTPWAN.Flood)" action=drop
disabled=yes;
# Nota: x posicionarse después de (Aceleracion de Trafico), no pregunto x
(connection-state=new), para asegurarme que solo bloquee trafico NTP iniciado
externamente. No puede hacerla funcionar en (Raw).
# ------------------------------------------------------------ [x dst-
LANIP.BlackHole]
# Forwarded traffic from the WANs towards client public addresses that are
# black-holed (A-BLACKHOLE): record the source for 1 h (018), then drop (019).
# NOTE(review): the list is named `A-BLACKHOLE` without the `.List` suffix
# every other list in this document carries, and 018's comment names
# `T-BLACKHOLE.List` while `address-list=` writes `T-DOSBLACKHOLE.List`.
# Neither A-BLACKHOLE nor the T- list is defined in this excerpt; a typo here
# silently matches nothing.
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=A-
BLACKHOLE comment=“018Cx: Guardo.1h (src-IP en T-BLACKHOLE.List x Forward.Conn no
permitido hacia RB.IPPubClient)” action=add-src-to-address-list log=no log-
prefix="[DOS-RBIPPubClient.BLACKHOLE]: " address-list=T-DOSBLACKHOLE.List address-
list-timeout=1h disable=yes;
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=A-
BLACKHOLE comment="019C+: Mitigo.DOSIPPubClient (ForwardConn no permitido hacia
RB.IPPubClient)" action=drop disable=yes;
# Nota: considerar usar (tarpit) o mandarlo a un PC.Carnada.
# -------------------------------------------------------------- [x dst-
LANIP.UnKnow]
# Forwarded traffic from the WANs whose destination is not a known LAN/client
# address (not in A-LAN.List): record the source (020) and drop (021). This
# is the WAN-side complement of the raw BCP38 pair on the LAN side, and like
# it depends on A-LAN.List being complete.
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=!A-
LAN.List comment=“020Rx: Guardo.1h (src-IP en T-DOSdstLANIPUK.List x Forward.Conn
hacia !A-LAN.List)” action=add-src-to-address-list log=no log-prefix="[DOS-
dstLANIP.UnKnow]: " address-list=T-DOSdstLANIPUK.List address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=!A-
LAN.List comment="021R+: Mitigo.dstLANIPUnKnow (x Forward.Conn hacia !A-LAN.List)"
action=drop disable=yes;
# ------------------------------------------------------------- [x
PortScan.WAN/LAN]
# Port-scan detection on traffic to the router (psd: weight threshold 21
# within 3 s, low-port weight 3, high-port weight 1). 022 records the source
# for 1 h, 023 drops. No interface list is given, so this applies to scans
# from the LAN side as well as the WANs.
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 comment="022Rx:
Guardo.1h (src-IPs en T-DOSPORTSCAN.List x posible Input.PortScan)" action=add-src-
to-address-list log=no log-prefix="[DOS-Input.PortScan]: " address-list=T-
DOSPORTSCAN.List address-list-timeout=1h disabled=yes;
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 comment="023R+:
Bloqueo (src-IP x posible Input.PortScan)" action=drop disabled=yes;
# … (reservado hasta 025R)
# Nota: x CPU-, las reglas que guardan IPs (ej: no-PKnocking) deben deshabilitarse o
eliminarse, dejando solo el bloqueo de las mismas.
# Nota: (tls-host), usa TCP, mientra que (QUIC: google), usa UDP.
# Reglas x Drop (específicos Servicios.IP): ----------------------------------
[FIN]
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------------------ [NAT]
----------------------------------------
#
-----------------------------------------------------------------------------------
--------
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------------------ [NAT]
----------------------------------------
#
-----------------------------------------------------------------------------------
--------
...
...
# [ Nivel 01 ] -------------------------------------------------------------------
[ INI ]
# Root of the QoS queue tree: one level-1 node per physical interface (upload
# on WAN1, download on LAN1/LAN2) with no limits of its own, and a level-2
# VoIP child under LAN1 at top priority (1). `$InterfWAN1`, `$InterfLAN1`,
# `$InterfLAN2` are script variables that must be set earlier in the script
# (not shown in this excerpt) - pasting this block alone fails on them.
# `disable=` should be `disabled=`.
/queue tree add name=010000.WAN1 parent=$InterfWAN1 limit-at=0 max-limit=0
priority=8 queue=ethernet-default comment="001C+: QoS (WAN1.Ups) :: " disable=yes;
# [ Level 01 ] ------------------------------------------------------------------- [ INI ]
/queue tree add name=020000.LAN1 parent=$InterfLAN1 limit-at=0 max-limit=0
priority=8 queue=ethernet-default comment="101C+: QoS (LAN1.Downs) :: "
disable=yes;
# [ Level 02 ] ---------------------------------------------------------- [ INI ]
/queue tree add name=020100.VoIP parent=020000.LAN1 limit-at=0 max-limit=0
priority=1 queue=ethernet-default comment="102Cx: QoS (WAN1.VoIPs) :: "
disable=yes;
# [ Level 01 ] ------------------------------------------------------------------- [ INI ]
/queue tree add name=030000.LAN2 parent=$InterfLAN2 limit-at=0 max-limit=0
priority=8 queue=ethernet-default comment="201C+: QoS (LAN2.Downs) :: "
disable=yes;
#
-----------------------------------------------------------------------------------
--
# [FINALMENTE]: --------------------------------------------------------- [ INI ]
#
-----------------------------------------------------------------------------------
--
# Marcar como activas (comment=“+:”, “>:” y “+VL:”) y no-activas (comment=“x:”,
“<:” y “xVL:”), según corresponda.
# Filtrar: /ip firewall x (comment=”+:”) y habilitar reglas filtradas (en Address-
List, Firewall, NAT, Mangle y Raw).
# Filtrar: /ip firewall x (comment=(”>:”: userX) o (”<:”: userR-W)), según
corresponda y habilitar reglas filtradas.
# Filtrar: /ip firewall x (comment=(”+VL:”) o (”xVL:”)), según corresponda y
habilitar reglas filtradas.
# Listo.
#
-----------------------------------------------------------------------------------
--
# [FINALMENTE]: --------------------------------------------------------- [ FIN ]
#
-----------------------------------------------------------------------------------
--
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
--------------------------- ( RouterOS.Basic-Config ) --------------------- [ FIN ]
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
# AddressList.Ctrl (RedesSociales):
-----------------------------------------------------
# Name: AddressList.Ctrl (RedesSociales)
# comment=”C+: ( AddressList.Ctrl (Redes Sociales) )”
# -----------------------------------------------
# Función transforma Fecha en Nro (Fecha+Hora)
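# Converts a RouterOS date, with or without a time, into one sortable number:
#   "mmm/dd/yyyy"          -> yyyymmdd000000
#   "mmm/dd/yyyy hh:mm:ss" -> yyyymmddhhmmss
# $1: the date as returned by [/system clock get date], optionally followed by a
#     space and [/system clock get time]. Returns a num.
:local DateTimeToNro do={
    :local NroX;
    :local MC ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
    :local DiaX ([pick $1 4 6]);
    :local MesCX ([pick $1 0 3]);
    # the index in $MC is 0-based; +1 turns it into the month number
    :local MesX ([find $MC $MesCX -1]+1);
    :if ($MesX<10) do={:set MesX ("0".$MesX);};
    :local AnioX ([pick $1 7 11]);
    :set NroX ($AnioX.$MesX.$DiaX);
    # a time part is present when the string is longer than "mmm/dd/yyyy"
    :if ([len $1]>12) do={
        :local HoraX ([pick $1 12 14]);
        :local MinX ([pick $1 15 17]);
        :local SegX ([pick $1 18 20]);
        :set NroX ($NroX.$HoraX.$MinX.$SegX);
    } else={
        :set NroX ($NroX."000000");
    };
    :return ([tonum $NroX]);
}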
# -----------------------------------------------
# Función incrementa Fecha en Días (DiaMesAnioNr, DiasToIncr)
:local FechaIncr do={
# -------------------------
# Funcion calcula Dias del Mes (Mes, Anio)
{f de f}
# Days in a month. $1 = month number (1-12), $2 = year. Any $1 that is not one
# of the 30- or 31-day months is treated as February. Returns a num.
:local DiasMes do={
    :local Mes ($1);
    :local Anio ($2);
    # integer arithmetic only: (n/k)*k=n  <=>  k divides n
    :local Div4 (((($Anio)/4)*4)=$Anio);
    :local Div100 (((($Anio)/100)*100)=$Anio);
    :local Div400 (((($Anio)/400)*400)=$Anio);
    :local Bisiesto ($Div400 or ($Div4 and !$Div100));
    :local Dias 28;
    :if ($Mes=4 or $Mes=6 or $Mes=9 or $Mes=11) do={
        :set Dias 30;
    } else={
        :if ($Mes=1 or $Mes=3 or $Mes=5 or $Mes=7 or $Mes=8 or $Mes=10 or $Mes=12) do={
            :set Dias 31;
        } else={
            :if ($Bisiesto) do={:set Dias 29;};
        };
    };
    :return ([tonum $Dias]);
}
# AddressList.Ctrl (ServicesIPChange):
-------------------------------------------------
# (Add), aun las que no cambian periodicamente.
# Name: AddressList.Ctrl (ServicesIPChange)
# comment=”C+: ( AddressList.Ctrl (Services IP Change) )”
# -----------------------------------------------
# Función transforma Fecha en Nro (Fecha+Hora)
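# Converts a RouterOS date, with or without a time, into one sortable number:
#   "mmm/dd/yyyy"          -> yyyymmdd000000
#   "mmm/dd/yyyy hh:mm:ss" -> yyyymmddhhmmss
# $1: the date as returned by [/system clock get date], optionally followed by a
#     space and [/system clock get time]. Returns a num.
:local DateTimeToNro do={
    :local NroX;
    :local MC ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
    :local DiaX ([pick $1 4 6]);
    :local MesCX ([pick $1 0 3]);
    # the index in $MC is 0-based; +1 turns it into the month number
    :local MesX ([find $MC $MesCX -1]+1);
    :if ($MesX<10) do={:set MesX ("0".$MesX);};
    :local AnioX ([pick $1 7 11]);
    :set NroX ($AnioX.$MesX.$DiaX);
    # a time part is present when the string is longer than "mmm/dd/yyyy"
    :if ([len $1]>12) do={
        :local HoraX ([pick $1 12 14]);
        :local MinX ([pick $1 15 17]);
        :local SegX ([pick $1 18 20]);
        :set NroX ($NroX.$HoraX.$MinX.$SegX);
    } else={
        :set NroX ($NroX."000000");
    };
    :return ([tonum $NroX]);
}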
# -----------------------------------------------
# Función incrementa Fecha en Días (DiaMesAnioNr, DiasToIncr)
:local FechaIncr do={
# -------------------------
# Funcion calcula Dias del Mes (Mes, Anio)
{f de f}
# Days in a month. $1 = month number (1-12), $2 = year. Any $1 that is not one
# of the 30- or 31-day months is treated as February. Returns a num.
:local DiasMes do={
    :local Mes ($1);
    :local Anio ($2);
    # integer arithmetic only: (n/k)*k=n  <=>  k divides n
    :local Div4 (((($Anio)/4)*4)=$Anio);
    :local Div100 (((($Anio)/100)*100)=$Anio);
    :local Div400 (((($Anio)/400)*400)=$Anio);
    :local Bisiesto ($Div400 or ($Div4 and !$Div100));
    :local Dias 28;
    :if ($Mes=4 or $Mes=6 or $Mes=9 or $Mes=11) do={
        :set Dias 30;
    } else={
        :if ($Mes=1 or $Mes=3 or $Mes=5 or $Mes=7 or $Mes=8 or $Mes=10 or $Mes=12) do={
            :set Dias 31;
        } else={
            :if ($Bisiesto) do={:set Dias 29;};
        };
    };
    :return ([tonum $Dias]);
}
# RB.AddressList-ImportnoDNSCache: ------------------------------------------------
# Name: RB.AddressList-ImportnoDNSCache
# comment=”R+: ( RB.AddressList-ImportnoDNSCache )”
# ------------------------------------------------
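# Imports firewall address-list entries from the uploaded text file $File.
# File layout (see the note below): first line = list name; every following
# line = one address, optionally followed by a space and text that is ignored.
# Entries are added with disable=yes, so nothing imported changes the firewall
# until an operator reviews and enables it; the file is removed afterwards.
:local File "AddressList.noDNSCache.txt";
:local ListaXContenido;
:local ListX;
:local CommentX;
:local AddressX;
:local AddressSX;
:if ([len [/file find name=$File]]!=0) do={
    :set ListaXContenido ([/file get $File contents]);
    :if ([len $ListaXContenido]>0) do={
        # first line: the target list; the comment is derived from its name
        :set ListX ([pick $ListaXContenido 0 ([find $ListaXContenido "\n"])]);
        :set ListaXContenido ([pick $ListaXContenido ([find $ListaXContenido "\n"]+1) ([len $ListaXContenido])]);
        :set CommentX ("C+: QoS ( [ ".([pick $ListX 2 ([find $ListX ".List"])])." ] - [ no-DNSCache ] - [ -------- ] )");
        :while ([len $ListaXContenido]>0) do={
            # address = text up to the first space, or the whole line if it has none
            :if ([find $ListaXContenido " "]<0 or [find $ListaXContenido " "]>[find $ListaXContenido "\n"]) do={
                :set AddressX ([pick $ListaXContenido 0 ([find $ListaXContenido "\n"])]);
            } else={
                :set AddressX ([pick $ListaXContenido 0 ([find $ListaXContenido " "])]);
            };
            :set AddressSX ($AddressX);
            # ------------------------------------------ [Manejo de IP.Errors (no-Funca)]
            # :set AddressX ([toip $AddressX]); :if ([typeof $AddressX]!="ip") do={:do {
            # ------------------------------------------ [Resolve.Prob]
            # :set AddressX ([resolve $AddressX]);} on-error={
            # ------------------------------------------ [Resolve.Failure]
            # :log error message=("[AddressList.ImportnoDNSCache DNS.Resolve-Failure, Addr: (".($AddressSX).")]"); :set AddressX (0.0.0.0);}};
            # ------------------------------------------
            # NOTE(review): with the validation above disabled, the address text
            # goes unchecked into address-list add; a malformed line would make
            # that command error — confirm where this file comes from.
            :if ($AddressX!=0.0.0.0) do={
                /ip firewall address-list remove [find (address=$AddressX and list=$ListX)];
                /ip firewall address-list add list=$ListX address=$AddressX comment=$CommentX disable=yes;
            };
            # ------------------------------------------
            :set ListaXContenido ([pick $ListaXContenido ([find $ListaXContenido "\n"]+1) ([len $ListaXContenido])]);
        };
    };
    /file remove $File;
} else={
    # the old message said "Empty"; this branch is reached when the file is missing
    :log error message=("[Error.Address-List ImportnoDNSCache]: File not found (".$File.")");
};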
# Nota: (TXT.Content: Lista\n + <IP, IP/XX, IP.Ini-IP.Fin, DNS>\n + \n\r).
# RB.AddressListX-ExportSpecificList:
--------------------------------------------------
# Name: RB.AddressListX-ExportSpecificList
# comment=”Rx: ( RB.AddressListX-ExportSpecificList )”
# /ip firewall address-list print file=”Address-L” where (list="A-
ENACOMDROP.List"); # Alternativa poco eficiente en
tamaño.
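# Exports one address-list to a plain file ($File) as a single string for
# RB.AddressListX-ImportSpecificList to read back, one record per entry:
#   <list>&:&<address>&-&<creation-time>&+&<comment>&*&
# Set $ListaX to the list to export. /file set contents= is limited to 4096
# bytes, so a larger export is refused with a log entry instead of truncated.
:local ListaX "A-ENACOMDROP.List";
:local File "Address-L";
:local ListaXContenido "";
:foreach x in=[/ip firewall address-list find (list=$ListaX)] do={
    :set ListaXContenido ($ListaXContenido.[/ip firewall address-list get $x list]."&:&".[/ip firewall address-list get $x address]."&-&".[/ip firewall address-list get $x creation-time]."&+&".[/ip firewall address-list get $x comment]."&*&");
};
:if ([len $ListaXContenido]=0) do={
    # an empty list used to be reported as ">4K"; report it for what it is
    :log error message=("[Error.Address-List ExportSpecificList]: Empty (".$ListaX.")");
} else={
    :if ([len $ListaXContenido]<4097) do={
        # "/file print file=" creates the file; the delay lets it appear before it is written
        /file print file=$File; :delay 2s;
        /file set $File contents=$ListaXContenido;
    } else={
        :log error message=("[Error.Address-List ExportSpecificList]: (>4K)");
    };
};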
# Nota: establecer condición: (list=”__.List”…) según corresponda.
# RB.AddressListX-ImportSpecificList:
--------------------------------------------------
# Name: RB.AddressListX-ImportSpecificList
# comment=”Rx: ( RB.AddressListX-ImportSpecificList )”;
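# Re-creates address-list entries from the file written by
# RB.AddressListX-ExportSpecificList; each record is
#   <list>&:&<address>&-&<creation-time>&+&<comment>&*&
# Only entries that do not already exist (same list and address) are added, and
# always with disable=yes, so an import cannot silently widen a firewall match
# set. creation-time is parsed but not applied (entries get a fresh creation
# time). The file is removed after the import.
:local File "Address-L.txt";
:local ListaXContenido;
:local ListX;
:local AddressX;
:local CreationTimeX;
:local CommentX;
:if ([len [/file find name=$File]]!=0) do={
    :set ListaXContenido ([/file get $File contents]);
    :if ([len $ListaXContenido]>0) do={
        :while ([len $ListaXContenido]>0) do={
            :set ListX ([pick $ListaXContenido 0 ([find $ListaXContenido "&:&"])]);
            :set AddressX ([pick $ListaXContenido ([find $ListaXContenido "&:&"]+3) ([find $ListaXContenido "&-&"])]);
            :set CreationTimeX ([pick $ListaXContenido ([find $ListaXContenido "&-&"]+3) ([find $ListaXContenido "&+&"])]);
            :set CommentX ([pick $ListaXContenido ([find $ListaXContenido "&+&"]+3) ([find $ListaXContenido "&*&"])]);
            # NOTE(review): the loop assumes every record carries all four
            # separators; a truncated last record leaves [find ...] without a
            # match — confirm pick's behaviour in that case before importing
            # files produced by anything other than the export script.
            :set ListaXContenido ([pick $ListaXContenido ([find $ListaXContenido "&*&"]+3) [len $ListaXContenido]]);
            :if ([/ip firewall address-list find (list=$ListX and address=$AddressX)]="") do={
                /ip firewall address-list add list=$ListX address=$AddressX comment=$CommentX disable=yes;
            };
        };
    };
    /file remove $File;
} else={
    # the old message said "Empty"; this branch is reached when the file is missing
    :log error message=("[Error.Address-List ImportSpecificList]: File not found (".$File.")");
};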
# RB.Restore-AddressListRSC:
----------------------------------------------------------
# Name: RB.Restore-AddressListRSC
# comment=”Rx: ( RB.Restaura AddressList (RSC) )”
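# Replaces the whole firewall address-list with the content of AddressList.rsc
# (the export written by RB.BackUp-AddressListRSC). The current entries are
# removed only after the .rsc file is confirmed to exist, so a missing file no
# longer leaves the router with empty address lists (and firewall rules that
# match nothing); the failure is logged instead.
:local File "AddressList.rsc";
:if ([len [/file find name=$File]]!=0) do={
    /ip firewall address-list remove [find];
    /import file=$File;
} else={
    :log error message=("[Error.Restore-AddressListRSC]: File not found (".$File.")");
};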
# RB.BackUp-AddressListRSC:
----------------------------------------------------------
# Name: RB.BackUp-AddressListRSC
# comment=”R+: ( RB.BackUp-AddressList (RSC) )”
# -----------------------------------------------
# Función IP.Test: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Proceso)
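# Connectivity test run before a backup is sent by e-mail.
# $1 IP to ping, $2 packets to send, $3 max packet-loss % accepted,
# $4 max average RTT (ms) accepted, $5 packet size, $6 caller name for the log.
# Returns "OK" when loss and average RTT are within the limits, otherwise "KO".
# Side effect: $1 has to be allowed as an ICMP source by the firewall, so it is
# added to A-ICMPWANSRC.List for one minute (or temporarily enabled when it is
# already there but disabled); that enable is reverted before returning.
:local TestConn do={
    :local ListaICMP "A-ICMPWANSRC.List";
    # start above the limits, so a ping that never completes yields "KO"
    :local PLoss ($3+1);
    :local AvgRTT ($4+1);
    :local MaxRTT;
    :local PRecibidos 0;
    :local PEnviados 0;
    :local LogMsg;
    :local DisabledIP (false);
    :if ([/ip firewall address-list find (address=$1 and list=$ListaICMP)]="") do={
        /ip firewall address-list add address=$1 list=$ListaICMP comment="T+: (TemporalIP x ICMP)" timeout=1m disable=no;
    } else={
        :if ([/ip firewall address-list get value-name=disabled [find (address=$1 and list=$ListaICMP)]]) do={
            /ip firewall address-list enable [/ip firewall address-list find (address=$1 and list=$ListaICMP)];
            :set DisabledIP (true);
        };
    };
    :delay 10ms;
    /tool flood-ping $1 count=$2 size=$5 do={
        :if ($sent=$2) do={
            :set AvgRTT ($"avg-rtt");
            :set MaxRTT ($"max-rtt");
            :set PEnviados $sent;
            :set PRecibidos $received;
        };
    };
    # revert only the entry this function enabled: the find is scoped to the
    # ICMP list, so same-address entries in other lists are left untouched
    :if ($DisabledIP) do={
        /ip firewall address-list disable [/ip firewall address-list find (address=$1 and list=$ListaICMP)];
    };
    # $PEnviados stays 0 when flood-ping never reported $sent=$2; skip the division then
    :if ($PEnviados>0) do={
        :set PLoss (100-(($PRecibidos*100)/$PEnviados));
    };
    :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]: latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms ) – paquetes perdidos: ( $([:tostr $PLoss])% )");
    :if ($PLoss<=$3 and $AvgRTT<=$4) do={
        :log info message=($LogMsg);
        :return ("OK");
    } else={
        :log error message=($LogMsg);
        :return ("KO");
    };
};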
# Nota: Asegurarse que IP este en Address-List (do={:beep frequency=550
length=494ms;}).
# -----------------------------------------------
# Exports the address-list to AddressList.rsc (a plain-text RouterOS script)
# and, when the connectivity test passes, e-mails it as an attachment together
# with the router identity, date/time, model and the WAN/auxiliary addresses.
# The subject is the user's comment followed by this script's own comment from
# character 4 onwards (i.e. without its "R+: " prefix).
# NOTE(review): the .rsc is not encrypted and the mail body discloses interface
# addresses; "xxx@gmail.com" and user(x) are placeholders to be set per router,
# and the /tool e-mail configuration used here should be authenticated and
# TLS-protected before this is deployed.
/ip firewall address-list export file=AddressList; :delay 5s;
# ----------------------------------------------- [Test.Connection]
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.BackUp-AddressListRSC”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
:local Subjet (([/user get [find name=user(x)] comment]).([pick ([/system scrip get
[find name=”RB.BackUp-AddressListRSC”] comment]) 4 ([len ([/system scrip get [find
name=”RB.BackUp-AddressListRSC”] comment])])])); /tool e-mail send
to="xxx@gmail.com" subject=$Subjet body=“System : ($[/system identity get
name]) \r\nFecha : ($[/system clock get date]) \r\nHora : ($[/system
clock get time]) \r\nModelo : ($[/system resource get board-name]) \r\nIPWAN1
: ($[/ip address get [find comment~”TELCO.2.2.2.x”] value-name=address]) \r\
nEtherAux : ($[/ip address get [find comment~”EMERGENCY1”] value-
name=interface]) \r\nIPEtherAux : ($[/ip address get [find comment~”EMERGENCY1”]
value-name=address])” file=AddressList.rsc;}
# AddressList.DOSAttack-Alert:
---------------------------------------------------------
# Name: AddressList.DOSAttack-Alert
# comment=”R+: ( AddressList.DOSAttack-Alert )”
# ---------------------------------------------------
# Función Tracert.IP: (IP, Count)
:local TracertIP do={
# ------------------------
# Función Transforma de BidimUnidim.Str: (StrBidim, StrExtra) {f
de f}
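# Flattens a multi-line string ($1, lines terminated by "\r\n") into one line,
# appending $2 after each line (e.g. a separator). Callers must pass text in
# which every line ends with "\r\n": the loop only advances past that terminator.
:local BidiToUniStr do={
    :local BStr ($1);
    :local LineStr "";
    :while ([len $BStr]>0) do={
        :set LineStr ($LineStr.[pick $BStr 0 ([find $BStr "\r\n"])].$2);
        # skip the two terminator characters as well
        :set BStr ([pick $BStr ([find $BStr "\r\n"]+2) [len $BStr]]);
    };
    :return ($LineStr);
}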
# ------------------------
# Función Transforma de Tracert-BidimaUnidim.Str: (TStrBidim, StrExtra) {f de f}
:local TBidiToUniStr do={
# ------------------------
# Función Elimina Char255.Izq: (StrX, Direction) {f
de f de f}
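# Trims padding characters from one end of $1 and returns the result.
# $2 = "Izq." strips from the left, "Der." from the right.
# NOTE(review): the padding byte compared below appears here as a plain space;
# the function name suggests it was character 255 originally — confirm the
# literal survived copy/paste before relying on this script.
:local KillChar255 do={
    :local StrXA ($1);
    :local X (0);
    :local Bloq (1);
    :if ($2="Der.") do={:set X ([len $1]-1); :set Bloq (-1);};
    :if ([len $StrXA]>0) do={
        # walk inwards while the edge character is padding
        :while ([pick $StrXA $X]=" ") do={:set X ($X+$Bloq);};
        :if ($2="Izq.") do={
            :set StrXA ([pick $StrXA $X [len $StrXA]]);
        } else={
            :set StrXA ([pick $StrXA 0 ($X+1)]);
        };
    };
    :return ($StrXA);
}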
# AddressList.Empty-!A!SComment:
----------------------------------------------------
# Name: AddressList.Empty-!A!SComment
# comment=”Rx: ( Limpia AddressList.(!A+!S)-Comment )”
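# Clears the comment of every address-list entry whose list name contains
# neither "A-" nor "S-" (the prefixes used by the A/S lists in this file).
:foreach x in=[/ip firewall address-list find (!(list~"A-" or list~"S-"))] do={
    /ip firewall address-list set $x comment="";
};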
# AddressList.Empty-CComent:
---------------------------------------------------------
# Name: AddressList.Empty-CComment
# comment=”Rx: ( Limpia AddressList.(C)-Comment )”
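# Clears the comment of every address-list entry whose list name contains "C-".
:foreach x in=[/ip firewall address-list find (list~"C-")] do={
    /ip firewall address-list set $x comment="";
};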
# AddressList.Empty-TComment:
-------------------------------------------------------
# Name: AddressList.Empty-TComment
# comment=”Rx: ( Limpia AddressList.(T)-Comment )”
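# Clears the comment of every address-list entry whose list name contains "T-".
:foreach x in=[/ip firewall address-list find (list~"T-")] do={
    /ip firewall address-list set $x comment="";
};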
# AddressList.Ident-Address:
------------------------------------------------------------
# Name: AddressList.Ident-Address
# comment=”R+: ( AddressList.Ident-Address )”
# Es aconsejable borrar previamente el (log)/(RB.Reboot) – por duplicaciones – y
# remover la variable global (MACLANDrop) al finalizar el análisis de MACs.
# ----------------------------------------------
# Función cambia a mayúscula una MAC: (MAC)
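# Upper-cases the hexadecimal letters of a MAC address given as
# "xx:xx:xx:xx:xx:xx" ($1) and returns it in the same colon-separated layout.
:local UpCaseMAC do={
    # ------------------------
    # Upper-cases one hex digit ($1): a-f become A-F, anything else is returned
    # unchanged. {función de función}
    :local UpCaseHexL do={
        :local HexDw ("abcdef");
        :local HexUp ("ABCDEF");
        :local C ($1);
        :local Pos ([find $HexDw $C]);
        # :find yields a number only when $C is one of a-f
        :if ([len $C]=1 and [typeof $Pos]="num") do={
            :set C ([pick $HexUp $Pos ($Pos+1)]);
        };
        :return ($C);
    };
    # ------------------------
    :local MACUpC "";
    # each octet occupies 3 characters ("xx:"); the last one starts at offset 15
    :local z 0;
    :while ($z<16) do={
        :set MACUpC ($MACUpC.[$UpCaseHexL ([pick $1 $z ($z+1)])].[$UpCaseHexL ([pick $1 ($z+1) ($z+2)])].":");
        :set z ($z+3);
    };
    # drop the trailing ":"
    :return ([pick $MACUpC 0 ([len $MACUpC]-1)]);
}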
# ----------------------------------------------
# Función Identifica IP: (IP,MAC)
# Solo funciona con (/24).
:local IPIdent do={
# ------------------------------
# Función devuelve Whois IP-Public: (IP-Public)
{f de f}
:local WhoisIP do={
# ----------------------------------------------
# Función Elimina Char255.Izq: (StrX, Direction) {f
de f de f}
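# Trims padding characters from one end of $1 and returns the result.
# $2 = "Izq." strips from the left, "Der." from the right.
# NOTE(review): the padding byte compared below appears here as a plain space;
# the function name suggests it was character 255 originally — confirm the
# literal survived copy/paste before relying on this script.
:local KillChar255 do={
    :local StrXA ($1);
    :local X (0);
    :local Bloq (1);
    :if ($2="Der.") do={:set X ([len $1]-1); :set Bloq (-1);};
    :if ([len $StrXA]>0) do={
        # walk inwards while the edge character is padding
        :while ([pick $StrXA $X]=" ") do={:set X ($X+$Bloq);};
        :if ($2="Izq.") do={
            :set StrXA ([pick $StrXA $X [len $StrXA]]);
        } else={
            :set StrXA ([pick $StrXA 0 ($X+1)]);
        };
    };
    :return ($StrXA);
}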
# --------------------------
# Función Elimina Char255.IzqxURL: (StrX, Direction, StrCharsOk) {f de f de
f}
# Like KillChar255 (trim padding from the $2 side of $1) and, in addition,
# replaces every character of the result that is not listed in $3 with a
# space, so only characters considered safe for building a URL survive.
# NOTE(review): the inner :while replaces the first occurrence of the offending
# character anywhere in the string (not necessarily at position $rx) and only
# terminates if the space character itself is allowed in $3 — confirm callers
# always include " " in $3.
:local KillChar255xURL do={:local StrXA ($1); :local X (0); :local CharX; :local
Bloq (1); :if ($2=”Der.”) do={:set X ([len $1]-1); :set Bloq (-1);}; :if ([len
$StrXA]>0) do={:while ([pick $StrXA $X]=” ”) do={:set X ($X+$Bloq);}; :if
($2=“Izq.”) do={:set StrXA ([pick $StrXA $X [len $StrXA]]);} else={:set StrXA
([pick $StrXA 0 ($X+1)]);}};
# ------------ (replace characters that are NOT found in $3)
:for rx from=0 to=([len $StrXA]-1) do={:while ([find $3 ([pick $StrXA $rx])]<0)
do={:set CharX ([pick $StrXA $rx]); :set StrXA (([pick $StrXA 0 ([find $StrXA
$CharX])]).“ ”.([pick $StrXA ([find $StrXA $CharX]+1) [len $StrXA]]));}};
# ------------ (variant removing characters that ARE in $3; does not work in RouterOS for: “ñÑ$#&¿?”)
# :for rx from=0 to=([len $3]-1) do={:while ([find $StrXA ([pick $3 $rx])]>=0)
do={:set CharX ([pick $3 $rx]); :set StrXA (([pick $StrXA 0 ([find $StrXA
$CharX])]).“ ”.([pick $StrXA ([find $StrXA $CharX]+1) [len $StrXA]]));}};
# ------------
:return ($StrXA);}
# AddressList.Ident-Client:
--------------------------------------------------------------
# Name: AddressList.Ident-Client
# comment=”C+: ( AddressList.Ident-Client )”
# Solo funciona con (/24).
# -----------------------------------------------
# Función Identifica-Cliente: (IP,Rango1,Rango2,Rango3,…)
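# Resolves an IP ($1) to the client record held by the simple queue whose
# target is $1/32. $2..$4 are accepted address prefixes given as strings (the
# match is a plain string-prefix test, not a netmask test). Returns:
#   "IP.OutRange"            $1 does not start with any of the three prefixes
#   "[Error-QS.IPFaltante]"  no simple queue targets $1/32
#   "( Libre )"              the queue name contains "_Libre " (free slot)
#   otherwise                the first 77 characters of the queue name
:local ClientIdent do={
    :local RegistroX ("IP.OutRange");
    :if ([pick $1 0 [len $2]]=$2 or [pick $1 0 [len $3]]=$3 or [pick $1 0 [len $4]]=$4) do={
        :if ([/queue simple find (target=($1."/32"))]!="") do={
            :set RegistroX ([/queue simple get value-name=name [find target=($1."/32")]]);
            :if ([find $RegistroX "_Libre "]<0) do={
                # 77 = width of the queue-name format (see the note below)
                :set RegistroX ([pick $RegistroX 0 77]);
            } else={
                :set RegistroX ("( Libre )");
            };
        } else={
            :set RegistroX ("[Error-QS.IPFaltante]");
        };
    };
    :return ($RegistroX);
}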
# Nota: disponer en fila, los rangos de IP sin ceros a la izq., según corresponda.
# -----------------------------------------------
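# Labels every address-list entry that has no comment with the client record
# found by $ClientIdent for its address. "1.2.A", "1.2.B", "1.2.C" are
# placeholders for the three client prefixes and must be set per router.
# Entries outside those prefixes are left without a comment.
:local IPAL;
:local Registro;
:foreach x in=[/ip firewall address-list find (!comment)] do={
    :set IPAL ([/ip firewall address-list get $x address]);
    :set Registro ([$ClientIdent $IPAL "1.2.A" "1.2.B" "1.2.C"]);
    :if ($Registro!="IP.OutRange") do={
        /ip firewall address-list set $x comment=$Registro;
    };
};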
# Nota: (77), depende de la longitud del formato para nombre de QS. (Error), no
detecta multiples IPs x Client. Run, antes de (AddressList.Ident-Address). Ej.
multiple target: ([/queue simple get value-name=name [find
target=("1.2.3.4/32”,”1.2.3.5/32”,”1.2.3.7/32")]]).
# Client.Ctrl (ABTemp):
--------------------------------------------------------------------
# Name: Client.Ctrl (ABTemp)
# comment=”C+: ( Client.Ctrl (ABTemp) )”
# -----------------------------------------------
# (+T: ).Comm: (all initial line) [+TE=20XX/0X/0X 0Xh&&ABUp%%ABDw]
# -----------------------------------------------
# Nota: (20XX/0X/0X 0Xh), fecha y hora final. (xTE=), regla inactiva.
# Current date and hour as the comparable string yyyymmddhh — the same layout
# the "+TE=" mark in the queue comments is parsed into further below.
:local Mx
("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
:local DateAct ([/system clock get date]);
:local DiaAct ([pick $DateAct 4 6]);
:local MesActP ([pick $DateAct 0 3]);
# 0-based index in $Mx, +1 gives the month number
:local MesAct ([find $Mx $MesActP -1]+1);
:local AnioAct ([pick $DateAct 7 11]);
:local TimeAct ([/system clock get time]);
:local HoraAct ([pick $TimeAct 0 2]);
# zero-pad the month so the string compares correctly as a number
:if ($MesAct<10) do={:set MesAct (“0”.$MesAct);};
:local DateTimeAct ($AnioAct.$MesAct.$DiaAct.$HoraAct);
# -----------------------------------------------
# Working variables for the expiry loop below: the parsed "+TE=" end mark, the
# QoS ratios applied when a promotion expires, and the recomputed queue limits.
:local DatePromo;
:local DiaPromo;
:local MesPromo; # do not forget the leading (0) for (<10)
:local AnioPromo;
:local HoraPromo;
:local DateTimePromo;
# ----------------------------------------------- [adjust on updates]
:local QoSRelacion 8; # ratio (max-limit(8):limit-at(1)) MT.Default=64k
:local QoSPBurstThres 75; # percentage (max-limit(1): limit-at(0,75))
:local QoSBurstL 2; # ratio (max-limit(1):burst-limit(2))
:local UnidadUp; # per algorithm: max-limit (min)=500k/500k
:local UnidadDw;
# -----------------------------------------------
:local QSComment;
:local QSName;
:local MaxLimitUp 0;
:local MaxLimitDw 0;
:local MaxLimitUpT “”;
:local MaxLimitDwT “”;
:local MaxLimit; # unit: (k)
:local LimitAtUp 0;
:local LimitAtDw 0;
:local LimitAt; # unit: (k)
:local BurstLimitUp 0;
:local BurstLimitDw 0;
:local BurstLimit;
:local BurstThresholdUp 0;
:local BurstThresholdDw 0;
:local BurstThreshold; # unit: (k)
# -----------------------------------------------
# Expires temporary bandwidth promotions. For every simple queue named "+T: ..."
# whose comment carries a "+TE=yyyy/mm/dd hh" end mark earlier than now: the
# mark is flipped to "xTE=", the "+T: " name prefix is removed, and limit-at,
# max-limit, burst-threshold and burst-limit are recomputed from the
# "&&<up>%%<down>]" values in the comment using the ratios declared above.
# Each change is logged and pushed through RB.Telegram-MessageAlert via the
# global TelegramMessage.
:foreach x in=[/queue simple find (name~”\\+T: ”)] do={:set QSComment ([/queue
simple get $x comment]);
# ------------------------------------------------ [is there a (+TE=) mark?]
:if ($QSComment~”\\+TE=”) do={:set DiaPromo ([pick $QSComment ([find $QSComment
“+TE=”]+12) ([find $QSComment “+TE=”]+14)]); :set MesPromo ([pick $QSComment ([find
$QSComment “+TE=”]+09) ([find $QSComment “+TE=”]+11)]); :set AnioPromo ([pick
$QSComment ([find $QSComment “+TE=”]+04) ([find $QSComment “+TE=”]+08)]); :set
HoraPromo ([pick $QSComment ([find $QSComment “+TE=”]+15) ([find $QSComment “+TE=”]
+17)]); :set DateTimePromo ($AnioPromo.$MesPromo.$DiaPromo.$HoraPromo);
# ------------------------------------------------ [end mark reached?]
:if ([tonum $DateTimeAct]>[tonum $DateTimePromo]) do={:set QSName ([/queue simple
get $x name]); :set QSName ([pick $QSName 4 [len $QSName]]); :set MaxLimitUpT
([pick $QSComment ([find $QSComment “&&”]+2) ([find $QSComment “%%”])]); :set
MaxLimitDwT ([pick $QSComment ([find $QSComment “%%”]+2) ([find $QSComment “]”])]);
# ------------------------------------------------ [Comment.Change: "+TE=" -> "xTE="]
:set QSComment ([pick $QSComment 0 ([find $QSComment “+TE=”])].”x”.([pick
$QSComment ([find $QSComment “TE=”]) [len $QSComment]]));
# :set QSComment ([pick $QSComment ([find $QSComment “]”]+1) [len $QSComment]]);
# (alternative comment clean-up)
# ------------------------------------------------ [AB.Change: "M" values are scaled to k]
/queue simple set $x name=($QSName); /queue simple set $x
comment=($QSComment); :set MaxLimitUp ([tonum [pick $MaxLimitUpT 0 ([len
$MaxLimitUpT]-1)]]); :set MaxLimitDw ([tonum [pick $MaxLimitDwT 0 ([len
$MaxLimitDwT]-1)]]); :set UnidadUp ([pick $MaxLimitUpT ([len $MaxLimitUpT]-1) ([len
$MaxLimitUpT])]); :set UnidadDw ([pick $MaxLimitDwT ([len $MaxLimitDwT]-1) ([len
$MaxLimitDwT])]); :if ($UnidadUp=”M”) do={:set MaxLimitUp ($MaxLimitUp*1000);}; :if
($UnidadDw=”M”) do={:set MaxLimitDw ($MaxLimitDw*1000);}; :set LimitAtUp
($MaxLimitUp/$QoSRelacion);
:set LimitAtDw ($MaxLimitDw/$QoSRelacion); :set LimitAt ($LimitAtUp."k/".
$LimitAtDw."k"); :set MaxLimit ($MaxLimitUp."k/".$MaxLimitDw."k"); /queue simple
set $x limit-at=$LimitAt; /queue simple set $x burst-time=16/16; /queue simple set
$x max-limit=$MaxLimit; :set BurstThresholdUp
(($MaxLimitUp*$QoSPBurstThres)/100); :set BurstThresholdDw
(($MaxLimitDw*$QoSPBurstThres)/100); :set BurstThreshold ($BurstThresholdUp."k/".
$BurstThresholdDw."k"); /queue simple set $x burst-threshold=$BurstThreshold; :set
BurstLimitUp ($MaxLimitUp*$QoSBurstL); :set BurstLimitDw
($MaxLimitDw*$QoSBurstL); :set BurstLimit ($BurstLimitUp."k/".
$BurstLimitDw."k"); /queue simple set $x burst-limit=$BurstLimit; /queue simple set
$x queue=ethernet-default/ethernet-default; /queue simple set $x priority=8/8;
# ------------------------------------------------ [Change.Stat: log + Telegram alert]
:log warning message=("[RB.ABTemp (Expire: $QSName) – ($DateTimeAct >
$DateTimePromo)]"); :global TelegramMessage (“[RB.ABTemp (Expire: $QSName) –
($DateTimeAct>$DateTimePromo)]”); /system script run RB.Telegram-MessageAlert;}}};
# -----------------------------------------------
# Nota: en caso de no definir (+TE=), deberá aplicarse un proceso manual.
# DNSCache.Empty:
--------------------------------------------------------------------
# Name: DNSCache.Empty
# comment="Rx: ( DNSCache.Empty )"
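# Dumps the current DNS cache to DNSCache.txt (the delay lets the file be
# written) and then clears the cache. The trailing comment is kept on the same
# line as the command; split across two lines, its second half would be
# executed as a command.
/ip dns cache print file=DNSCache.txt; :delay 2s;
/ip dns cache flush; # clears the whole DNS cache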
# Log.Empty:
-----------------------------------------------------------------------------
# Name: Log.Empty
# comment="Rx: ( Log.Empty )"
# Saves the in-memory log to Log.txt, then empties it by shrinking the memory
# logging action to one line and restoring the 1000-line limit.
# NOTE(review): this discards the router's log history; Log.txt is the only
# remaining copy afterwards, so keep that file (or a remote logging action) when
# the log may be needed for incident review.
/log print file=Log.txt; :delay 2s;
/system logging action set memory memory-lines=1; :delay 2s; # empties the whole log
/system logging action set memory memory-lines=1000; # limit to 1000 lines
# QS.ChangeAB:
-------------------------------------------------------------------------
# Name: QS.ChangeAB
# comment=”C+: ( QS.ChangeAB.Si: 00/00 ] o Act.Mes/Act.Año] )”
# (QoSBurstT/16) determina el periodo de cada análisis (media de consumo del
# target). Si esa media es inferior a burst-threshold, se activa la ráfaga.
# -----------------------------------------------
# Función Convierte MesL en MesN (Fecha) {mejor usar
arreglo}
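# Converts a RouterOS date "mmm/dd/yyyy" ($1) into "MM/yy" (two-digit month and
# two-digit year), e.g. "jan/05/2023" -> "01/23". An unknown month abbreviation
# yields "Error/yy", as before.
:local ConvertMLToN do={
    :local Anio ([pick $1 7 11]);
    :local MesL ([pick $1 0 3]);
    :local Meses ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
    :local MesN "Error";
    :local Idx 1;
    # table lookup instead of twelve nested :if/else blocks
    :foreach m in=$Meses do={
        :if ($m=$MesL) do={
            :set MesN ([tostr $Idx]);
            :if ($Idx<10) do={:set MesN ("0".$Idx);};
        };
        :set Idx ($Idx+1);
    };
    :return ($MesN."/".[pick $Anio 2 4]);
};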
# ----------------------------------------------- (ajustar según actualizaciones)
# Monthly re-tuning of simple queues whose name carries the current "MM/yy ]"
# tag or the permanent "00/00 ]" tag: limit-at, burst-threshold and burst-limit
# are recomputed from max-limit with the ratios declared below (values given in
# "M" are scaled to k first), the queue is detached from any parent, and
# "00/00 ]" names are then rewritten to "__/__ ]". Integer arithmetic only.
:local QoSRelacion 8; # ratio (max-limit(8):limit-at(1)) MT.Default=64k
:local QoSPBurstThres 75; # percentage (max-limit(1): limit-at(0,75))
:local QoSBurstL 2; # ratio (max-limit(1):burst-limit(2))
:local UnidadUp; # per algorithm: max-limit (min)=500k/500k
:local UnidadDw;
# -----------------------------------------------
:local MaxLimitUp 0;
:local MaxLimitDw 0;
:local MaxLimit; # unit: (k)
:local LimitAtUp 0;
:local LimitAtDw 0;
:local LimitAt; # unit: (k)
:local BurstLimitUp 0;
:local BurstLimitDw 0;
:local BurstLimit;
:local BurstThresholdUp 0;
:local BurstThresholdDw 0;
:local BurstThreshold; # unit: (k)
# current month tag, e.g. "01/23 ]"
:local ActMesAnio ([$ConvertMLToN [/system clock get date]].” ]”);
:foreach x in=[/queue simple find (name~$ActMesAnio or name~”00/00 ]”)] do={:set
MaxLimit ([/queue simple get $x max-limit]); :set MaxLimitUp ([tonum [pick
$MaxLimit 0 ([find $MaxLimit "/"]-1)]]); :set MaxLimitDw ([tonum [pick $MaxLimit
([find $MaxLimit "/"]+1) ([len $MaxLimit]-1)]]); :set UnidadUp ([pick $MaxLimit
([find $MaxLimit "/"]-1) ([find $MaxLimit "/"])]); :set UnidadDw ([pick $MaxLimit
([len $MaxLimit]-1) [len $MaxLimit]]); :if ($UnidadUp=”M”) do={:set MaxLimitUp
($MaxLimitUp*1000);}; :if ($UnidadDw=”M”) do={:set MaxLimitDw
($MaxLimitDw*1000)}; :set LimitAtUp ($MaxLimitUp/$QoSRelacion); :set LimitAtDw
($MaxLimitDw/$QoSRelacion); :set LimitAt ($LimitAtUp."k/".$LimitAtDw."k"); /queue
simple set $x limit-at=$LimitAt; /queue simple set $x burst-time=16/16; :set
BurstThresholdUp (($MaxLimitUp*$QoSPBurstThres)/100); :set BurstThresholdDw
(($MaxLimitDw*$QoSPBurstThres)/100); :set BurstThreshold ($BurstThresholdUp."k/".
$BurstThresholdDw."k"); /queue simple set $x burst-threshold=$BurstThreshold; :set
BurstLimitUp ($MaxLimitUp*$QoSBurstL); :set BurstLimitDw
($MaxLimitDw*$QoSBurstL); :set BurstLimit ($BurstLimitUp."k/".
$BurstLimitDw."k"); /queue simple set $x burst-limit=$BurstLimit; /queue simple set
$x queue=ethernet-default/ethernet-default; /queue simple set $x priority=8/8;
/queue simple set $x parent=none; /queue simple set $x total-queue=ethernet-
default;};
# ------------------------------------------------ (restore "00/00 ]" names to "__/__ ]")
:local Nombre “-”;
:foreach x in=[/queue simple find (name~”00/00 ]”)] do={:set Nombre ([/queue simple
get $x name]); :set Nombre ([pick $Nombre 0 [find $Nombre “00/00
]“]].“__/__ ]“); /queue simple set $x name=$Nombre}};
# ------------------------------------------------
# Nota: RouterOS no maneja bien los decimales (aritmética entera); por eso se calcula ((valor*porcentaje)/100).
# QueueSimple.ABChange (max-limit=burst-threshold).
# RB.BackUp-DNSCache (Email):
-------------------------------------------------------
# Name: RB.BackUp-DNSCache
# comment="R+: ( RB.BackUp-DNSCache )"
# -----------------------------------------------
# Función IP.Test: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Proceso)
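# Connectivity test run before a backup is sent by e-mail.
# $1 IP to ping, $2 packets to send, $3 max packet-loss % accepted,
# $4 max average RTT (ms) accepted, $5 packet size, $6 caller name for the log.
# Returns "OK" when loss and average RTT are within the limits, otherwise "KO".
# Side effect: $1 has to be allowed as an ICMP source by the firewall, so it is
# added to A-ICMPWANSRC.List for one minute (or temporarily enabled when it is
# already there but disabled); that enable is reverted before returning.
:local TestConn do={
    :local ListaICMP "A-ICMPWANSRC.List";
    # start above the limits, so a ping that never completes yields "KO"
    :local PLoss ($3+1);
    :local AvgRTT ($4+1);
    :local MaxRTT;
    :local PRecibidos 0;
    :local PEnviados 0;
    :local LogMsg;
    :local DisabledIP (false);
    :if ([/ip firewall address-list find (address=$1 and list=$ListaICMP)]="") do={
        /ip firewall address-list add address=$1 list=$ListaICMP comment="T+: (TemporalIP x ICMP)" timeout=1m disable=no;
    } else={
        :if ([/ip firewall address-list get value-name=disabled [find (address=$1 and list=$ListaICMP)]]) do={
            /ip firewall address-list enable [/ip firewall address-list find (address=$1 and list=$ListaICMP)];
            :set DisabledIP (true);
        };
    };
    :delay 10ms;
    /tool flood-ping $1 count=$2 size=$5 do={
        :if ($sent=$2) do={
            :set AvgRTT ($"avg-rtt");
            :set MaxRTT ($"max-rtt");
            :set PEnviados $sent;
            :set PRecibidos $received;
        };
    };
    # revert only the entry this function enabled: the find is scoped to the
    # ICMP list, so same-address entries in other lists are left untouched
    :if ($DisabledIP) do={
        /ip firewall address-list disable [/ip firewall address-list find (address=$1 and list=$ListaICMP)];
    };
    # $PEnviados stays 0 when flood-ping never reported $sent=$2; skip the division then
    :if ($PEnviados>0) do={
        :set PLoss (100-(($PRecibidos*100)/$PEnviados));
    };
    :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]: latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms ) – paquetes perdidos: ( $([:tostr $PLoss])% )");
    :if ($PLoss<=$3 and $AvgRTT<=$4) do={
        :log info message=($LogMsg);
        :return ("OK");
    } else={
        :log error message=($LogMsg);
        :return ("KO");
    };
};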
# Nota: Asegurarse que IP este en Address-List (do={:beep frequency=550
length=494ms;}).
# -----------------------------------------------
# Función agrega caracteres (Izq/Der) hasta len: (Var, Donde, Char, Long)
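# Pads $1 with the character $3 until it is $4 characters long; $2 = "Izq."
# pads on the left, anything else pads on the right. A string that is already
# $4 characters or longer is returned unchanged.
:local AddCToLen do={
    :local Str ($1);
    :if ([len $Str]<$4) do={
        # one iteration per missing character
        :for r from=[len $Str] to=($4-1) do={
            :if ($2="Izq.") do={:set Str ($3.$Str)} else={:set Str ($Str.$3)};
        };
    };
    :return ($Str);
};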
# ----------------------------------------------- [Test.Connection]
# Dumps the DNS cache (detail) to a per-board text file and e-mails it when the
# connectivity test passes. The block marked [Inactivo ...] is an older filtered
# export kept commented out because /file set contents= is limited to 4K.
# NOTE(review): the DNS cache lists the names the LAN clients resolved, i.e.
# browsing history; "xxx@gmail.com" and user(x) are placeholders — send this
# only to a mailbox authorised to hold that data, through an authenticated,
# TLS-protected /tool e-mail configuration.
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.BackUp-DNSCache”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
:local FileName ([/system resource get board-name].”(DNSCache)[01].txt”);
/ip dns cache print detail file=$FileName; :delay 4s;
# ----------------------------------------------- [inactive because of the 4K size limit]
# /file print file=$FileName; :delay 2s; # creates the file
# /file set [find name=$FileName] contents=""; # empties the content by default File-0X
# :local Line “”;
# :local TTL; # everything with (ddns.ttl>10seg) is treated as worth saving
(ddns.ttl>10seg)
# :local Type ””;
# :local Address (0.0.0.0);
# :local AddressS “”;
# :local Name “”;
# :foreach i in=[/ip dns cache all find] do={:set Name ([/ip dns cache get $i
name]); :set AddressS ([/ip dns cache all get $i data]); :set Type ([/ip dns cache
all get $i type]); :set TTL ([/ip dns cache get $i ttl]); :if ([len $Type]>0 and
$TTL>10s) do={:set Line ($Address." – ".$AddressS." – ".$Type." – ".$Name." – ".
$TTL. " – ".[typeof $Address]); /file set $FileName contents=([/file get $FileName
contents].$Line.”\r\n”);}};
# -----------------------------------------------
:local Subjet (([/user get [find name=user(x)] comment]).([pick ([/system scrip get
[find name=”RB.BackUp-DNSCache”] comment]) 4 ([len ([/system scrip get [find
name=”RB.BackUp-DNSCache”] comment])])])); /tool e-mail send to="xxx@gmail.com"
subject=$Subjet body=“System : ($[/system identity get name]) \r\nFecha
: ($[/system clock get date]) \r\nHora : ($[/system clock get time]) \r\
nModelo : ($[/system resource get board-name]) \r\nIPWAN1 : ($[/ip
address get [find comment~”TELCO.2.2.2.x”] value-name=address]) \r\nEtherAux :
($[/ip address get [find comment~”EMERGENCY1”] value-name=interface]) \r\
nIPEtherAux : ($[/ip address get [find comment~”EMERGENCY1”] value-
name=address])” file=$FileName;};
# RB.BackUp-Config (Email):
------------------------------------------------------------
# Name: RB.BackUp-Config
# comment="R+: ( RB.BackUp-Config )"
# -----------------------------------------------
# Función IP.Test: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Proceso)
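# Connectivity test run before a backup is sent by e-mail.
# $1 IP to ping, $2 packets to send, $3 max packet-loss % accepted,
# $4 max average RTT (ms) accepted, $5 packet size, $6 caller name for the log.
# Returns "OK" when loss and average RTT are within the limits, otherwise "KO".
# Side effect: $1 has to be allowed as an ICMP source by the firewall, so it is
# added to A-ICMPWANSRC.List for one minute (or temporarily enabled when it is
# already there but disabled); that enable is reverted before returning.
:local TestConn do={
    :local ListaICMP "A-ICMPWANSRC.List";
    # start above the limits, so a ping that never completes yields "KO"
    :local PLoss ($3+1);
    :local AvgRTT ($4+1);
    :local MaxRTT;
    :local PRecibidos 0;
    :local PEnviados 0;
    :local LogMsg;
    :local DisabledIP (false);
    :if ([/ip firewall address-list find (address=$1 and list=$ListaICMP)]="") do={
        /ip firewall address-list add address=$1 list=$ListaICMP comment="T+: (TemporalIP x ICMP)" timeout=1m disable=no;
    } else={
        :if ([/ip firewall address-list get value-name=disabled [find (address=$1 and list=$ListaICMP)]]) do={
            /ip firewall address-list enable [/ip firewall address-list find (address=$1 and list=$ListaICMP)];
            :set DisabledIP (true);
        };
    };
    :delay 10ms;
    /tool flood-ping $1 count=$2 size=$5 do={
        :if ($sent=$2) do={
            :set AvgRTT ($"avg-rtt");
            :set MaxRTT ($"max-rtt");
            :set PEnviados $sent;
            :set PRecibidos $received;
        };
    };
    # revert only the entry this function enabled: the find is scoped to the
    # ICMP list, so same-address entries in other lists are left untouched
    :if ($DisabledIP) do={
        /ip firewall address-list disable [/ip firewall address-list find (address=$1 and list=$ListaICMP)];
    };
    # $PEnviados stays 0 when flood-ping never reported $sent=$2; skip the division then
    :if ($PEnviados>0) do={
        :set PLoss (100-(($PRecibidos*100)/$PEnviados));
    };
    :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]: latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms ) – paquetes perdidos: ( $([:tostr $PLoss])% )");
    :if ($PLoss<=$3 and $AvgRTT<=$4) do={
        :log info message=($LogMsg);
        :return ("OK");
    } else={
        :log error message=($LogMsg);
        :return ("KO");
    };
};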
# Nota: Asegurarse que IP este en address-list (do={:beep frequency=550
length=494ms;}).
# -----------------------------------------------
# Function: pads with characters (left/right) up to a length: (Var, Where, Char, Len)
# Pads $1 with $3 until it is $4 characters long: prepends when $2 is "Izq.",
# otherwise appends. A value already >= $4 long is returned unchanged (there is
# no truncation), so an over-long comment still overflows the column it fills.
:local AddCToLen do={:if ([len $1]<$4) do={:for r from=[len $1] to=($4-1) do={:if
($2=”Izq.”) do={:set $1 ($3.$1)} else={:set $1 ($1.$3)}}}; :return ($1)};
# ----------------------------------------------- [Test.Connection]
# The whole body runs only when the probe to 8.8.8.8 passes (10 packets of
# 64 bytes, loss <= 30 %, avg RTT <= 100); otherwise nothing is backed up or
# sent and only TestConn's "KO" log line remains.
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.BackUp-Config”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
:local MACList “”; :local IPList “”;
# Fixed-width inventory of every interface: name(12) – mac(18) – comment(50)
# – Disable=flag(5), one "(…)" line each (AddCToLen pads, never truncates).
:foreach x in=[/interface find] do={:set MACList ($MACList.”(“.[$AddCToLen
[/interface get $x name] "Der." " " 12].” – “.[$AddCToLen [/interface get $x mac-
address] "Der." " " 18].” – “.[$AddCToLen [/interface get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/interface get $x disabled] "Der." " " 5].”)\r\
n“);};
# Same layout for every /ip address entry: interface – address – comment – Disable=.
:foreach x in=[/ip address find] do={:set IPList ($IPList.”(“.[$AddCToLen [/ip
address get $x interface] "Der." " " 12].” – “.[$AddCToLen [/ip address get $x
address] "Der." " " 18].” – “.[$AddCToLen [/ip address get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/ip address get $x disabled] "Der." " " 5].”)\r\
n“);};
# -----------------------------------------------
# Backup file named after the board model; the fixed "[01]" suffix means each
# run overwrites the previous backup file on the router.
:local Name ([/system resource get board-name].”[01].backup”);
# aes-sha256 encrypted backup. The password is a literal in this script, so it
# is readable by anyone who can read scripts on this router; keep script/read
# permissions tight and replace "xxx" with a real value.
# Subject = comment of user(x) + this script's own comment from character 4 on
# (i.e. after "R+: "). The body carries identity, date/time, model, the WAN and
# emergency addresses and the two inventories above, with the backup attached.
# NOTE(review): the IPWAN1 field lacks the closing ")" after
# value-name=address] (compare the EtherAux field); cosmetic, it sits inside
# the body string.
/system backup save name=$Name dont-encrypt=no encryption=aes-sha256
password=”xxx”; :delay 2s; :local Subjet (([/user get [find name=user(x)]
comment]).([pick ([/system scrip get [find name=”RB.BackUp-Config”] comment]) 4
([len ([/system scrip get [find name=”RB.BackUp-Config”] comment])])])); /tool e-
mail send to="xxx@gmail.com" subject=$Subjet body=“System : ($[/system
identity get name]) \r\nFecha : ($[/system clock get date]) \r\nHora
: ($[/system clock get time]) \r\nModelo : ($[/system resource get board-
name]) \r\nIPWAN1 : ($[/ip address get [find comment~”TELCO.2.2.2.x”] value-
name=address] \r\nEtherAux : ($[/ip address get [find comment~”EMERGENCY1”]
value-name=interface]) \r\nIPEtherAux : ($[/ip address get [find
comment~”EMERGENCY1”] value-name=address]) \r\n\r\nMAC.Rango :\r\n$MACList \r\
nIP.Rango :\r\n$IPList” file=$Name;}
# Nota: (Restore BackUp)
# 1- Actualizar Firmware (al menos, hasta v6.43).
# 2- Reset Config: /system reset-configuration no-defaults=yes skip-backup=yes
# 3- Copy BackUp.File into (/file) y buscar su (Password Encript).
# 4- Restore Config: /system backup load name=”CCR1012.backup”
# 5- Reset MAC Interface: /interface ethernet reset-mac-address [find];
# 6- Change MAC Interface: /interface ethernet set [find orig-mac-
address=X4:FA:6C:F5:82:E1] mac-address=AA:AA:AA:AA:AA:AA;
Actualización DDNS:
-------------------------------------------------------------------- [ INI ]
# Crear un script específico y con distinto nombre, para cada WAN(x) a actualizar
(diferenciando los identificadores en DuckDNS) y agregarlos a una única tarea TP
(RB.IP-Change). En (https://www.duckdns.org/), ir a install, seleccionar (identity y
mikrotik), copiar y pegar en un nuevo Script (DDNS.UpDate). Finalmente, cambiar
(interface=MATRIX) por (comment=WAN(x).[ (x) ]).
# RB.DDNSUpDate-WAN(x): ---------------------------------------------------------
# Name: RB.DDNSUpDate-WAN(x)
# comment="R+: ( RB.DDNSUpDate-WAN(x) )"
# --------------------------------------------------
# Reads the address of the WAN whose comment matches "TELCO.2.2.2.x", strips
# the "/prefix" part, and compares it with the value persisted in ipstore.txt
# (created with "0.0.0.0" on the first run via the /file print trick). Only a
# changed address triggers an update; the three globals survive the run (see
# the remark in RB.IP-ChangeWAN(x) about removing them afterwards).
:global actualIP value=[/ip address get [find where comment~”TELCO.2.2.2.x”] value-
name=address]; :global actualIP value=[:pick $actualIP -1 [:find $actualIP "/" -
1]]; :if ([:len [/file find where name=ipstore.txt]]<1) do={/file print
file=ipstore.txt where name=ipstore.txt; /delay delay-time=2; /file set ipstore.txt
contents="0.0.0.0";}; :global previousIP value=[/file get [find where
name=ipstore.txt] value-name=contents]; :if ($previousIP!=$actualIP) do={:log info
message=("[Try to Update DuckDNS]: a actual-IP ".$actualIP." - anterior-IP es ".
$previousIP);
# ------------------------
# The DuckDNS token is embedded in src-path, so the script source carries a
# credential: restrict who can read scripts on this router.
# NOTE(review): the fetch uses mode=https but does not set check-certificate,
# which RouterOS leaves off by default, so the TLS peer is not validated
# against a CA — consider check-certificate=yes with a CA installed.
/tool fetch mode=https keep-result=yes dst-path=duckdns-result.txt
address=[:resolve www.duckdns.org] port=443 host=www.duckdns.org src-path=("<<<
Token dado por duckdns >>>=".$actualIP);
# ------------------------
# DuckDNS answers "OK" or "KO" in the body; it is read after a fixed 5 s wait
# rather than from the fetch status.
# NOTE(review): ipstore.txt and previousIP are overwritten with the new
# address before the result is checked, so a "KO" answer is not retried until
# the address changes again; move those two writes inside the "OK" branch if
# a retry on the next run is wanted.
:delay 5s; :global lastChange value=[/file get [find where name=duckdns-result.txt]
value-name=contents]; :global previousIP value=$actualIP; /file set ipstore.txt
contents=$actualIP; :if ($lastChange="OK") do={:log warning message=("[DuckDNS
update successfull]: a actual-IP ".$actualIP);}; :if ($lastChange="KO") do={:log
error ("[Fail to update DuckDNS]: a actual-IP ".$actualIP);};};
# Nota: Alternativa+, (c/15-60s UDP.15252): (/ip cloud set ddns-enabled=yes;).
Actualización DDNS:
------------------------------------------------------------------- [ FIN ]
# RB.BackUp-Log (Email):
---------------------------------------------------------------
# Name: RB.BackUp-Log
# comment="R+: ( RB.BackUp-Log )"
# -----------------------------------------------
# Function IP.Test: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Process)
# Same probe as in RB.BackUp-Config (copied per script because :local
# functions do not carry across scripts). $1 target IP, $2 packets, $3 loss
# limit (%), $4 avg-RTT limit, $5 packet size, $6 caller name for the log.
# Returns "OK"/"KO"; temporarily adds/enables $1 in "A-ICMPWANSRC.List".
# NOTE(review): the final "disable" matches (address=$1) in every list, not
# only "A-ICMPWANSRC.List"; add list= to that find.
# NOTE(review): PEnviados is unset if the flood-ping callback never sees
# $sent=$2, and the loss formula then divides by it — guard before dividing.
:local TestConn do={:local PLoss ($3+1); :local AvgRTT ($4+1); :local
MaxRTT; :local PRecibidos; :local PEnviados; :local LogMsg; :local DisabledIP
(false); :if ([/ip firewall address-list find (address=$1 and list=”A-
ICMPWANSRC.List”)]="") do={/ip firewall address-list add address=$1 list=“A-
ICMPWANSRC.List“ comment=”T+: (TemporalIP x ICMP)” timeout=1m disable=no;}
else={:if ([/ip firewall address-list get value-name=disabled [find (address=$1 and
list=”A-ICMPWANSRC.List”)]]) do={/ip firewall address-list enable [/ip firewall
address-list find (address=$1 and list=”A-ICMPWANSRC.List”)]; :set DisabledIP
(true);}}; delay 10ms; /tool flood-ping $1 count=$2 size=$5 do={:if ($sent=$2)
do={:set AvgRTT ($”avg-rtt”); :set MaxRTT ($”max-rtt”); :set PEnviados $sent; :set
PRecibidos $received;}}; :if ($DisabledIP) do={/ip firewall address-list disable
[/ip firewall address-list find (address=$1)];}; :set PLoss (100-
(($PRecibidos*100)/$PEnviados)); :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]:
latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms
) – paquetes perdidos: ( $([:tostr $PLoss])% )"); :if ($PLoss<=$3 and $AvgRTT<=$4)
do={:log info message=($LogMsg); :return (“OK”)} else={:log error
message=($LogMsg); :return (“KO”)}};
# Nota: Asegurarse que IP este en Address-List (do={:beep frequency=550
length=494ms;}).
# -----------------------------------------------
# Function: pads with characters (left/right) up to a length: (Var, Where, Char, Len)
# Pads $1 with $3 to $4 characters: prepends when $2 is "Izq.", else appends;
# values already >= $4 long are returned as they are (no truncation).
:local AddCToLen do={:if ([len $1]<$4) do={:for r from=[len $1] to=($4-1) do={:if
($2=”Izq.”) do={:set $1 ($3.$1)} else={:set $1 ($1.$3)}}}; :return ($1)};
# ----------------------------------------------- [Test.Connection]
# Runs only when the probe to 8.8.8.8 passes (10 x 64-byte packets,
# loss <= 30 %, avg RTT <= 100); otherwise no export and no e-mail.
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.BackUp-Log”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
:local MACList “”; :local IPList “”;
# Fixed-width interface inventory (name – mac – comment – Disable=), one line each.
:foreach x in=[/interface find] do={:set MACList ($MACList.”(“.[$AddCToLen
[/interface get $x name] "Der." " " 12].” – “.[$AddCToLen [/interface get $x mac-
address] "Der." " " 18].” – “.[$AddCToLen [/interface get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/interface get $x disabled] "Der." " " 5].”)\r\
n“);};
# Same layout for every /ip address entry.
:foreach x in=[/ip address find] do={:set IPList ($IPList.”(“.[$AddCToLen [/ip
address get $x interface] "Der." " " 12].” – “.[$AddCToLen [/ip address get $x
address] "Der." " " 18].” – “.[$AddCToLen [/ip address get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/ip address get $x disabled] "Der." " " 5].”)\r\
n“);};
# -----------------------------------------------
# Exports the memory log to a text file named after the board model; the
# fixed "(Log)[01]" suffix overwrites the previous export.
# The export is plain text and, unlike the backup script, goes out
# unencrypted: RouterOS log lines can carry usernames, source addresses and
# firewall events, so choose the recipient mailbox deliberately.
:local Name ([/system resource get board-name].”(Log)[01].txt”);
/log print file=$Name; :delay 2s;
# /system logging action set memory memory-lines=1; :delay 2s; # Clears the whole memory log
# /system logging action set memory memory-lines=1000; # Caps it at 1000 lines
# -----------------------------------------------
# Subject = comment of user(x) + this script's comment from character 4 on.
# NOTE(review): as printed, to=xxx@gmail.com" is missing its opening quote,
# and the IPWAN1 field lacks its closing ")" (compare the EtherAux field).
:local Subjet (([/user get [find name=user(x)] comment]).([pick ([/system scrip get
[find name=”RB.BackUp-Log”] comment]) 4 ([len ([/system scrip get [find
name=”RB.BackUp-Log”] comment])])])); /tool e-mail send to=xxx@gmail.com"
subject=$Subjet body=“System : ($[/system identity get name]) \r\nFecha
: ($[/system clock get date]) \r\nHora : ($[/system clock get time]) \r\
nModelo : ($[/system resource get board-name]) \r\nIPWAN1 : ($[/ip
address get [find comment~”TELCO.2.2.2.x”] value-name=address] \r\nEtherAux :
($[/ip address get [find comment~”EMERGENCY1”] value-name=interface]) \r\
nIPEtherAux : ($[/ip address get [find comment~”EMERGENCY1”] value-name=address])
\r\n\r\nMAC.Rango :\r\n$MACList \r\nIP.Rango :\r\n$IPList” file=$Name;};
# RB.IP-ChangeWAN(x):
-----------------------------------------------------------------
# Es aconsejable, al finalizar la tarea, remover las variables globales
(previousIP, lastChange y actualIP).
# Name: RB.IP-ChangeWAN(x)
# comment=”R+: ( RB.IP-ChangeWAN(x) )”
# -----------------------------------------------
# Function IP.Test: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Process)
# Same probe as in RB.BackUp-Config. $1 target IP, $2 packets, $3 loss limit
# (%), $4 avg-RTT limit, $5 packet size, $6 caller name for the log line.
# Returns "OK"/"KO"; temporarily adds/enables $1 in "A-ICMPWANSRC.List".
# NOTE(review): the final "disable" matches (address=$1) in every list, not
# only "A-ICMPWANSRC.List"; add list= to that find.
# NOTE(review): PEnviados is unset if the flood-ping callback never sees
# $sent=$2, and the loss formula then divides by it — guard before dividing.
:local TestConn do={:local PLoss ($3+1); :local AvgRTT ($4+1); :local
MaxRTT; :local PRecibidos; :local PEnviados; :local LogMsg; :local DisabledIP
(false); :if ([/ip firewall address-list find (address=$1 and list=”A-
ICMPWANSRC.List”)]="") do={/ip firewall address-list add address=$1 list=“A-
ICMPWANSRC.List“ comment=”T+: (TemporalIP x ICMP)” timeout=1m disable=no;}
else={:if ([/ip firewall address-list get value-name=disabled [find (address=$1 and
list=”A-ICMPWANSRC.List”)]]) do={/ip firewall address-list enable [/ip firewall
address-list find (address=$1 and list=”A-ICMPWANSRC.List”)]; :set DisabledIP
(true);}}; delay 10ms; /tool flood-ping $1 count=$2 size=$5 do={:if ($sent=$2)
do={:set AvgRTT ($”avg-rtt”); :set MaxRTT ($”max-rtt”); :set PEnviados $sent; :set
PRecibidos $received;}}; :if ($DisabledIP) do={/ip firewall address-list disable
[/ip firewall address-list find (address=$1)];}; :set PLoss (100-
(($PRecibidos*100)/$PEnviados)); :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]:
latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms
) – paquetes perdidos: ( $([:tostr $PLoss])% )"); :if ($PLoss<=$3 and $AvgRTT<=$4)
do={:log info message=($LogMsg); :return (“OK”)} else={:log error
message=($LogMsg); :return (“KO”)}};
# Nota: Asegurarse que IP este en address-list (do={:beep frequency=550
length=494ms;}).
# ----------------------------------------------- [Test.Connection]
# Template, not a runnable script: the "<<< … >>>" placeholder below stands
# for the logic that works out the new address. Everything runs only when the
# probe to 8.8.8.8 passes.
:if ([$TestConn "8.8.8.8" 10 30 100 64 ”RB.IP-ChangeWAN1”]=”OK”) do={
# ----------------------------------------------- [Test.Connection]
# Set the new IP:
----------------------------------------------------------------------
# -----------------------------------------------
# Function: converts a dotted IPv4 string into an integer.
# It splits on "." and concatenates the four octets as decimal text, then
# :tonum's the result. NOTE(review): without zero padding the value is
# order-preserving only among addresses that share the first three octets
# (2.2.2.10 -> 22210 sorts above 2.2.3.1 -> 2231); that is what the
# IniIP/UltIP range below and its "no leading zeros" remark rely on.
:local FIPaNr do={:local IPstr ($1."."); :local IPnum ""; :for x from=1 to=4
do={:set IPnum ($IPnum.[:pick $IPstr 0 [:find $IPstr "." -1]]); :set IPstr ([:pick
$IPstr ([:find $IPstr "." 0]+1) [:len $IPstr]]);}; :return [:tonum $IPnum]};
# -----------------------------------------------
# Bounds of the candidate range (no leading zeros, see FIPaNr above).
:local IniIP value=2.2.2.1; # sin ceros a la
izquierda
:local UltIP value=2.2.2.50; # sin ceros a la izquierda
# -----------------------------------------------
# ActualIP = current WAN address with prefix; ActualX = the same without it.
:local ActualIP value=[/ip address get [find comment~”TELCO.2.2.2.x”] value-
name=address];
:local ActualX value=[:pick $ActualIP -1 [:find $ActualIP "/" -1]];
# NOTE(review): as written, ActualX still holds the current host address
# without a prefix length when the set below runs; the placeholder is expected
# to assign the new address (with prefix) to ActualX first.
<<< Mecanismo x descubrir la nueva IP >>>}; /ip address set [/ip address find
address=$ActualIP] address=$ActualX; :delay 2s;
# Actualiza DDNS:
------------------------------------------------------------------------
# /system script run RB.DDNSUpDate-WAN(x); :delay 3s; # UpDate DDNS.WAN(x)
# RB.PromoXDay-Cheq:
-----------------------------------------------------------------
# Name: RB.PromoXDay-Cheq
# comment="C+: ( RB.PromoXDay-Cheq )"
# -----------------------------------------------
# Expires promotional clients: every enabled entry of "C-PROMOXDCLIENT.List"
# whose comment carries an "expira …" date older than today is moved to
# "C-CLIENTDROP.List", its simple queue is renamed/disabled and a Telegram
# alert is raised through RB.Telegram-MessageAlert.
# Month table used to turn the clock's "mmm" into a number.
:local Mx
("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
# NOTE(review): the picks below assume the RouterOS v6 date layout
# "mmm/dd/yyyy" (month 0-3, day 4-6, year 7-11); newer v7 releases print an
# ISO date by default, so verify before reusing on v7.
:local DateAct ([/system clock get date]);
:local DiaAct ([pick $DateAct 4 6]);
:local MesActP ([pick $DateAct 0 3]);
:local MesAct ([find $Mx $MesActP -1]+1);
:local AnioAct ([pick $DateAct 7 11]);
:local DatePromo;
:local DiaPromo;
:local MesPromo; # Remember the leading (0) for months
(<10).
:local AnioPromo;
:local Comment;
:local QSName;
:local CTimePromo;
:local IPPromo;
# Today as "yyyymmdd" (numeric compare) and as "dd/mm/yy" (queue name tag).
:if ($MesAct<10) do={:set MesAct (“0”.$MesAct);};
:set DateAct ($AnioAct.$MesAct.$DiaAct);
:local DateActF ($DiaAct.”/”.$MesAct.”/”.([pick $AnioAct 2 4]));
:log info message=("[RB.PromoXDay-Cheq (INI)]");
# The expiry date is read at fixed offsets after the word "expira" in the
# entry's comment: day at +11..+13, month at +14..+16, year at +17..+21, so
# the comment layout is part of the contract. NOTE(review): when "expira" is
# absent, :find returns nothing and the offset arithmetic fails or yields a
# wrong date — worth checking the find result before picking.
# CTimePromo is read but not used below.
:foreach x in=[/ip firewall address-list find (list=”C-PROMOXDCLIENT.List” and !
disabled)] do={:set IPPromo ([/ip firewall address-list get $x address]); :set
CTimePromo ([/ip firewall address-list get $x creation-time]); :set Comment ([/ip
firewall address-list get $x comment]); :set DiaPromo ([pick $Comment ([find
$Comment “expira”]+11) ([find $Comment “expira”]+13)]); :set MesPromo ([pick
$Comment ([find $Comment “expira”]+14) ([find $Comment “expira”]+16)]); :set
AnioPromo ([pick $Comment ([find $Comment “expira”]+17) ([find $Comment “expira”]
+21)]); :set DatePromo ($AnioPromo.$MesPromo.$DiaPromo); :if ([tonum
$DateAct]>[tonum $DatePromo]) do={/ip firewall address-list set $x list=”C-
CLIENTDROP.List”; :set QSName ([/queue simple get [find target=($IPPromo."/32")]
value-name=name]); :set QSName ([pick $QSName 0 ([find $QSName “::”]+3)].$DateActF.
[pick $QSName ([find $QSName “::”]+11) [len $QSName]]); /queue simple set [find
target=($IPPromo."/32")] name=(“S: ”.$QSName); /queue simple set [find
target=($IPPromo."/32")] disable=yes; :log warning message=("[RB.PromoXDay-Cheq
(Expire: $QSName) – ($DateAct > $DatePromo)]"); :global TelegramMessage
(“[RB.PromoXDay-Cheq (Expire: $QSName) – ($DateAct>$DatePromo)]”); /system script
run RB.Telegram-MessageAlert;}};
...
# RB.QoSChange% (Empty):
------------------------------------------------------------
# Name: RB.QoSChange% (Empty)
# comment="Rx: ( RB.QoSChange% (Empty) )"
# -----------------------------------------------
# Resets the QoS setup to an "empty" state: every queue-tree and mangle rule
# is disabled, comments are cut back to their "prefix:: " marker, queue-tree
# limits are zeroed and counters cleared; only rules whose comment matches
# "C+: " are re-enabled at the end — everything else stays disabled.
:local Comment;
# ------------------------------------------------------
/queue tree disable [/queue tree find]; # All QueueTree.Rule
disabled
/ip firewall mangle disable [/ip firewall mangle find]; # All Mangle.Rule
disabled
# ------------------------------- [QoS.Mangle-Stat: (Empty)]
# Keeps the comment up to and including "::" plus one character.
:foreach x in=[/ip firewall mangle find] do={:set Comment ([pick ([/ip firewall
mangle get $x comment]) 0 ([find ([/ip firewall mangle get $x comment]) “::”]+3)]);
/ip firewall mangle set $x comment=($Comment);};
# ------------------------------- [QoS.QT-Stat: (Empty)]
# Same comment trim, plus limit-at/max-limit set to 0 (unlimited).
:foreach y in=[/queue tree find] do={:set Comment ([pick ([/queue tree get $y
comment]) 0 ([find ([/queue tree get $y comment]) “::”]+3)]); /queue tree set $y
limit-at=0; /queue tree set $y max-limit=0; /queue tree set $y
comment=($Comment);};
# ------------------------------------------------------
/queue tree reset-counters-all; # Reset all QueueTree
contadores
/ip firewall mangle reset-counters-all; # Reset all Mangle
contadores
# "C\\+: " is a regex for the literal "C+: " comment prefix.
:foreach i in=[/queue tree find (comment~”C\\+: ”)] do={[/queue tree set $i
disable=no];}; # QueueTree.Rule (Comment~C+) enabled
:foreach i in=[/ip firewall mangle find (comment~”C\\+: ”)] do={[/ip firewall
mangle set $i disable=no];}; # Mangle.Rule (Comment~C+) enabled
#
-----------------------------------------------------------------------------------
[INI]
# -------------------------------- [TOOLS/Netwatch]
---------------------------------
#
-----------------------------------------------------------------------------------
--------
#
-----------------------------------------------------------------------------------
[FIN]
# -------------------------------- [TOOLS/Netwatch]
---------------------------------
#
-----------------------------------------------------------------------------------
--------
# Alert.LinkChange (RBLink):
-----------------------------------------------------------
# ------------------------------------------------------------- [Independiente del
script]
# Previous probe state of each DDNS name, kept in globals so the
# Alert.LinkChange script can detect transitions between runs. Declare once
# from the console; the script itself overwrites them at its end.
# NOTE(review): they start as the string "OK" while the script stores the
# boolean result of (…="OK"), so the first run always sees a "change".
:global AntFlagDDNS01 (“OK”); # Do not copy inside the script
:global AntFlagDDNS02 (“OK”); # Do not copy inside the script
:global AntFlagDDNS03 (“OK”); # Do not copy inside the script
# ------------------------------------------------------------- [Independiente del
script]
# Name: Alert.LinkChange-RBLink
# comment="R: ( Alert.LinkChange-RBLink )"
# Function IP.Test: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Process)
# Same probe as in RB.BackUp-Config. $1 target IP, $2 packets, $3 loss limit
# (%), $4 avg-RTT limit, $5 packet size, $6 caller name for the log line.
# Returns "OK"/"KO"; temporarily adds/enables $1 in "A-ICMPWANSRC.List".
# NOTE(review): the final "disable" matches (address=$1) in every list, not
# only "A-ICMPWANSRC.List"; add list= to that find.
# NOTE(review): PEnviados is unset if the flood-ping callback never sees
# $sent=$2, and the loss formula then divides by it — guard before dividing.
:local TestConn do={:local PLoss ($3+1); :local AvgRTT ($4+1); :local
MaxRTT; :local PRecibidos; :local PEnviados; :local LogMsg; :local DisabledIP
(false); :if ([/ip firewall address-list find (address=$1 and list=”A-
ICMPWANSRC.List”)]="") do={/ip firewall address-list add address=$1 list=“A-
ICMPWANSRC.List“ comment=”T+: (TemporalIP x ICMP)” timeout=1m disable=no;}
else={:if ([/ip firewall address-list get value-name=disabled [find (address=$1 and
list=”A-ICMPWANSRC.List”)]]) do={/ip firewall address-list enable [/ip firewall
address-list find (address=$1 and list=”A-ICMPWANSRC.List”)]; :set DisabledIP
(true);}}; delay 10ms; /tool flood-ping $1 count=$2 size=$5 do={:if ($sent=$2)
do={:set AvgRTT ($”avg-rtt”); :set MaxRTT ($”max-rtt”); :set PEnviados $sent; :set
PRecibidos $received;}}; :if ($DisabledIP) do={/ip firewall address-list disable
[/ip firewall address-list find (address=$1)];}; :set PLoss (100-
(($PRecibidos*100)/$PEnviados)); :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]:
latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms
) – paquetes perdidos: ( $([:tostr $PLoss])% )"); :if ($PLoss<=$3 and $AvgRTT<=$4)
do={:log info message=($LogMsg); :return (“OK”)} else={:log error
message=($LogMsg); :return (“KO”)}};
# Nota: Asegurarse que IP este en address-list (do={:beep frequency=550
length=494ms;}).
# ---------------------------------------------------
# Probes the three DuckDNS names (resolved at run time; "XXX" is the packet
# size to fill in) and alerts via Telegram + log only when a name's state
# differs from the one stored in the AntFlagDDNS0x globals.
# NOTE(review): FlagDDNS0x holds the boolean of ([$TestConn …]="OK"), yet the
# branches below compare it with the string "KO"; that comparison is never
# true, so a link going down is reported as "(UP)". Drop the ="OK" here
# (keep TestConn's "OK"/"KO" string) so both the change test against the
# "OK"-initialised globals and the "KO" branch work.
# NOTE(review): [resolve …] aborts the script when the name cannot be
# resolved, i.e. exactly when DNS itself is down; consider :do/on-error.
:local FlagDDNS01 ([$TestConn ([resolve "xxx-1.duckdns.org"]) 10 30 100 XXX
”RB.AlertLinkChange”]=”OK”);
:local FlagDDNS02 ([$TestConn ([resolve "xxx-2.duckdns.org"]) 10 30 100 XXX
”RB.AlertLinkChange”]=”OK”);
:local FlagDDNS03 ([$TestConn ([resolve "xxx-3.duckdns.org"]) 10 30 100 XXX
”RB.AlertLinkChange”]=”OK”);
# Both the DW and the UP transition are logged at error level; the UP one
# could be info/warning so that error filters only see outages.
:if ($FlagDDNS01!=$AntFlagDDNS01) do={:if ($FlagDDNS01=”KO”) do={:global
TelegramMessage (“[ xxx-R1.DuckDNS.org (DW) ]”); :log error message=("[xxx-
R01.DuckDNS.org (DW)]"); /system script run RB.Telegram-MessageAlert;}
else={:global TelegramMessage (“[xxx-R1.DuckDNS.org (UP)]”); :log error
message=("[xxx-R01.DuckDNS.org (UP)]"); /system script run RB.Telegram-
MessageAlert;}};
:if ($FlagDDNS02!=$AntFlagDDNS02) do={:if ($FlagDDNS02=”KO”) do={:global
TelegramMessage (“[xxx-R2.DuckDNS.org (DW)]”); :log error message=("[xxx-
R02.DuckDNS.org (DW)]"); /system script run RB.Telegram-MessageAlert;}
else={:global TelegramMessage (“[xxx-R2.DuckDNS.org (UP)]”); :log error
message=("[xxx-R02.DuckDNS.org (UP)]"); /system script run RB.Telegram-
MessageAlert;}};
:if ($FlagDDNS03!=$AntFlagDDNS03) do={:if ($FlagDDNS03=”KO”) do={:global
TelegramMessage (“[xxx-R3.DuckDNS.org (DW)]”); :log error message=("[xxx-
R03.DuckDNS.org (DW)]"); /system script run RB.Telegram-MessageAlert;}
else={:global TelegramMessage (“[xxx-R3.DuckDNS.org (UP)]”); :log error
message=("[xxx-R03.DuckDNS.org (UP)]"); /system script run RB.Telegram-
MessageAlert;}};
# Persist this run's state for the next comparison.
:global AntFlagDDNS01 ($FlagDDNS01); :global AntFlagDDNS02 ($FlagDDNS02); :global
AntFlagDDNS03 ($FlagDDNS03);
# RB.Telegram-MessageAlert:
-----------------------------------------------------------
# Name: RB.Telegram-MessageAlert
# comment="R: ( RB.Telegram-MensageAlert )"
# --------------------------------------------------- [Telegram process]
# Find: @botfather (/newbot, ej: xxx_telegram_bot, vci_telegram_bot)
# Copy.BotID: (ej: <<< Paste1 >>>)
# Create Group: (ej: xxx.Chat, add vci_telegram_bot, find and add @getidbot)
# Copy.ChatID: (ej: <<< Paste2 >>>)
# ------------------------------------------------------------ [Copy-Paste en
consola]
# Creates the RB.Telegram-MessageAlert script from the console. The embedded
# script sends the global $TelegramMessage to the configured chat with one
# /tool fetch and then removes the global from the environment.
# dont-require-permissions=yes lets any caller (scheduler, netwatch, other
# scripts) run it, so the policy list is what the fetch effectively runs
# with. NOTE(review): the body only needs what /tool fetch and
# "/system script environment remove" require; reboot, password, policy,
# sniff, sensitive and romon look wider than necessary — trim to least
# privilege (confirm the minimum set on the RouterOS version in use).
# The bot token (Paste1) lives in the script source: restrict script read
# access and treat the token as a credential.
# NOTE(review): $TelegramMessage is concatenated into the URL without
# encoding (see the remark below about special characters), and the HTTPS
# fetch sets no check-certificate, so the peer is not validated by default.
/system script add dont-require-permissions=yes name=RB.Telegram-MessageAlert
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#
Name: RB.Telegram-MessageAlert\r\n# comment=\"R: ( RB.Telegram-MensageAlert )\";\r\
n# --------------------------------------------------- [Telegram proccess]\r\n#
Find: @botfather (/newbot, xxx_telegram_bot, vci_telegram_bot)\r\n# Copy.BotID:
(ej: <<< Paste1 >>>)\r\n# Create Grup: (ej: xxx.Chat, add vci_telegram_bot, find
and add @getidbot)\r\n# Copy.ChatID: (ej: <<< Paste2 >>>)\r\n#
------------------------------------------------------------------------------\r\
n:global TelegramMessage;\r\n:local BotID (\"<<< Paste1 >>>\");\r\n:local ChatID
(\"<<< Paste2 >>>\”);\r\n:if (\$TelegramMessage!=\"\") do={\r\n /tool fetch
url=\"https://api.telegram.org/bot\$BotID/sendMessage\?chat_id=\$ChatID&text=\
$TelegramMessage\" keep-result=no\r\n}; /system script environment remove [find
name=\"TelegramMessage\"];" comment=("R: ( Telegram.MensageAlert )");
# Nota: al Telegram.Bot (URL.Limit), no acepta ni tildes ni Special.Chars. Some
Special.Chars, pueden enviarse via Telegram.Bot (URL), por ej.: (\$\?).
# RB.Winbox-SharedON (x Port.Special):
---------------------------------------------
# Name: RB.Winbox-SharedON(SPort) # verificar que user(x), sea (0)
# comment="R: RB.Winbox-SharedON (SPort)"
# Opens shared management access: enables two secondary users, enables the
# firewall filter rules tagged by comment, and moves winbox/api to alternate
# ports, saving the previous ports in globals for the companion script to
# restore (the "OFF" script is not shown here).
# NOTE(review): users are addressed by numeric position (0, 1, 2), which
# changes when users are added or removed; selecting them with
# [find name=…] is safer, and the sanity check on user 0 only guards the
# name pattern, not which accounts 1 and 2 actually are.
# NOTE(review): the comment regex "*:" starts with a quantifier — confirm it
# matches the intended rules and nothing else before enabling them in bulk.
# Changing the service ports does not restrict who can reach winbox/api; the
# enabled filter rules are what must gate the access.
:if ([/user get 0 name]~”xxx” and [/user get 0 disable]=no) do={/user set 1
disable=no; /user set 2 disable=no;} else={:log error message=("[Error, en la
secuenciacion de Users]”);};
:foreach x in=[/ip firewall filter find (comment~”*:”)] do={/ip firewall filter set
$x disable=no;};
# Previous ports kept in globals so they can be restored later.
:global WinboxP ([/ip service get [find (name=”winbox”)] port]);
:global ApiP ([/ip service get [find (name=”api”)] port]);
/ip service set winbox port=3333; /ip service set api port=3334;
# Nota: x motivos de retrocompatibilidad, uso las var.globales (WinboxP y ApiP). x
secuenciación de mí (Firewall), sin +reglas, no puedo evitar usar algunos (port).
-------------------------------------------------------------------------------
[ FIN ]
-----------------------------------------------------------------------------------
-----
----------------------------- Scripts (basicos):
-------------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
# AddressList.LANDivision (Remove.#2):
----------------------------------------------
# Removes every address-list entry whose comment contains "#2" unless it also
# carries the "S: " marker; run only after the IPs have been cleaned up and
# identified, as the remark says.
/ip firewall address-list remove [find (comment~"#2" and !(comment~"S: "))]; #
necesita de una previa limpia e identificación de IPs.
# AddressList.LANDivision (Add.#1):
---------------------------------------------------
# Intent: add the target of every "#1" simple queue to C-CLIENTDROP.List as a
# disabled "( Libre )" entry.
# NOTE(review): as printed this does not run: simple queues live under
# "/queue simple" (there is no /ip queue), "address=$x target" is not a valid
# value (the target has to be read, e.g. [/queue simple get $x target]), and
# the ";" after it ends the add command before comment= and disable= are
# seen.
:foreach x in=[/ip queue simple find (name~"#1")] do={/ip firewall address-list add
list=C-CLIENTDROP.List address=$x target; comment=”( Libre )”; disable=yes;}
#
-----------------------------------------------------------------------------------
[INI]
# -------------------------------- [Protocolo BGP]
-------------------------------------
#
-----------------------------------------------------------------------------------
--------
# Reglas para (BGP):
--------------------------------------------------------------------
# Fundamentalmente, BGP (protocolo de router de pasarela externa: utiliza el puerto
179 TCP), conecta AS (sistemas autónomos: conjunto de redes/dispositivos bajo un
mismo dominio administrativo. Poseen un bloque de IPv4/IPv6, que publican al resto
de AS, para poder ser alcanzados). Interconexión entre dominios
administrativos. Cada AS tiene un ASN (número de sistema autónomo). De (1 a 64511:
16b), reservados para uso público. De (64512 a 65534: 16b), para uso privado.
LACNIC posee los ASN (4.0 a 4.1023). Las sesiones BGP se establecen con otros
routers configurando (peers BGP). Los peers (pares BGP) son los routers vecinos
con los que comparto redes. (eBGP): si los peers vecinos pertenecen a otro AS (lo
utilizamos para conectarnos con proveedores de Internet u otras entidades que tengan
AS). (iBGP): si los peers vecinos pertenecen a nuestro AS (lo utilizamos para
distribuir rutas dentro de nuestro AS; generalmente iBGP se apoya en otro método de
ruteo (ruteo estático, RIP, OSPF)). Algunos atributos conocidos son: Weight
("peso"), Local Preference ("preferencia local"), AS Path ("camino de AS"). Si dos
(peers) publican la misma ruta, se prioriza la de mayor peso (weight). Si dos
(routers) dentro de un mismo AS permiten alcanzar las mismas rutas, se prioriza el
de mayor (local preference). BGP utiliza el (as path) para que las redes destino se
alcancen tomando el camino que atraviese menor cantidad de AS. Bogons BGP servers:
(65332:888). Lista negra BGP servers (6549:666).
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------ [Protocolo Romon]
-----------------------------------
#
-----------------------------------------------------------------------------------
-------
# (Access via Layer.2): aplicar en c/Route que use x alcanzar (Route.Dst) desde
(Route.Local=WinBox.RomonAgent).
# RoMON gives layer-2 management reachability between routers, so the secret
# and the allowed ports are the whole access control: "private" is a
# placeholder to replace with a strong secret, and only the interfaces that
# must carry RoMON should be allowed.
/tool romon set enable=yes secrets=private; # Secret=password
/tool romon port add interface=LAN1 disable=no; # Add (interfaces-Romon)
# The "all" entry is set to forbid, so only explicitly added ports (LAN1) pass RoMON.
/tool romon port set forbid=yes [find (interface=all)]; # Block (interfaces-Romon)
# /tool romon port remove [find interface=LAN1]; # Delete (interfaces-Romon)
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------ [Protocolo Romon]
-----------------------------------
#
-----------------------------------------------------------------------------------
-------
#
-----------------------------------------------------------------------------------
[INI]
# ----------------------------- [Balanceos de Carga]
---------------------------------
#
-----------------------------------------------------------------------------------
-------
# Reglas para (Balanceo de Carga): ----------------------------------- (no probado)
# Fundamentalmente, divide la carga (conexiones) entre diferentes
out-interfaces/enlaces. Existen tres tipos de balanceos de carga: (ECMP/NTH/PCC).
# -------------------------------------------
# PCC load balancing over two ISPs (all rules are added disabled). Inbound
# connections are tagged with the ISP they arrived on so replies leave the
# same way.
/ip firewall mangle add chain=prerouting in-interface=WAN1 connection-mark=no-mark
action=mark-connection new-connection-mark=ISP1Conn log=no log-prefix=”BC-PCC.Marco
(Conn.IN: ISP1Conn)” comment=”003R<: BC-PCC.Marco (Conn.IN: ISP1Conn)” disable=yes;
/ip firewall mangle add chain=prerouting in-interface=WAN2 connection-mark=no-mark
action=mark-connection new-connection-mark=ISP2Conn log=no log-prefix=”BC-PCC.Marco
(Conn.IN: ISP2Conn)” comment=”004R<: BC-PCC.Marco (Conn.IN: ISP2Conn)” disable=yes;
# …
# -------------------------------------------
# New LAN-originated connections are split in two buckets by
# src-address-and-port:2/0 and :2/1; dst-address-type=!local keeps traffic to
# the router itself out of the split. The commented variants use
# both-addresses instead (same bucket for the whole src/dst pair).
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-mark=no-
mark per-connection-classifier=src-address-and-port:2/0 action=mark-connection dst-
address-type=!local new-connection-mark=ISP1Conn log=no log-prefix=”BC-PCC.Marco
(Conn.IN: ISP1Conn)” comment=”005R<: BC-PCC.Marco (Conn.IN: ISP1Conn)” disable=yes;
# /ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=no-mark per-connection-classifier=both-addresses:2/0 action=mark-connection
dst-address-type=!local new-connection-mark=ISP1Conn log=no log-prefix=”BC-
PCC.Marco (Conn.IN: ISP1Conn)” comment=”005Rx: BC-PCC.Marco (Conn.IN: ISP1Conn)”
disable=yes;
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-mark=no-
mark per-connection-classifier=src-address-and-port:2/1 action=mark-connection dst-
address-type=!local new-connection-mark=ISP2Conn log=no log-prefix=”BC-PCC.Marco
(Conn.IN: ISP2Conn)” comment=”006R<: BC-PCC.Marco (Conn.IN: ISP2Conn)” disable=yes;
# /ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=no-mark per-connection-classifier=both-addresses:2/1 action=mark-connection
dst-address-type=!local new-connection-mark=ISP2Conn log=no log-prefix=”BC-
PCC.Marco (Conn.IN: ISP2Conn)” comment=”006Rx: BC-PCC.Marco (Conn.IN: ISP2Conn)”
disable=yes;
# …
# ---------------------
# Connection mark -> routing mark for forwarded traffic; the toISP1/toISP2
# routing tables/routes are assumed to exist elsewhere (not shown here).
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=ISP1Conn action=mark-routing new-routing-mark=toISP1 log=no log-prefix=”BC-
PCC.Marco (Rout.IN: toISP1)” comment=”007R<: BC-PCC.Marco (Rout.IN: toISP1)”
disable=yes;
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=ISP2Conn action=mark-routing new-routing-mark=toISP2 log=no log-prefix=”BC-
PCC.Marco (Rout.IN: toISP2)” comment=”008R<: BC-PCC.Marco (Rout.IN: toISP2)”
disable=yes;
# …
# ---------------------
# Same for router-originated traffic (output chain).
# NOTE(review): rule 009 sets passthrough=no while rule 010 does not; the
# two are otherwise symmetric, so one of them is likely unintended.
/ip firewall mangle add chain=output connection-mark=ISP1Conn action=mark-routing
new-routing-mark=toISP1 log=no log-prefix=”BC-PCC.Marco (Rout.OUT: toISP1)”
comment=”009R<: BC-PCC.Marco (Rout.OUT: toISP1)” passthrough=no disable=yes;
/ip firewall mangle add chain=output connection-mark=ISP2Conn action=mark-routing
new-routing-mark=toISP2 log=no log-prefix=”BC-PCC.Marco (Rout.OUT: toISP2)”
comment=”010R<: BC-PCC.Marco (Rout.OUT: toISP2)” disable=yes;
# …
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------------ [Bonding]
----------------------------------------
#
-----------------------------------------------------------------------------------
-------
# Reglas para (Bonding): ---- [agregación de interfaces en un unico enlace virtual]
# Sumatoria de interfaces. Se necesitan dos router/switch (uno en cada punta de los
enlaces) y conectar cada puerto con cada AP/ST (enlaces).
# ------------------------------------------- [Router.Local]
# Local end of the bond: WAN1+WAN2 aggregated with balance-rr; the bond gets
# the .13 side of 192.168.79.12/30 and each member link its own /30 towards
# the AP/ST pair. All entries are added disabled.
/interface bonding add name=VCIBonding slaves=WAN1,WAN2 mode=balance-rr
comment=”01R<: VCIBondig.Add (Bonding Interface.Local)” disable=yes;
# ------------------------
/ip address add address=192.168.79.13/30 interface=VCIBonding comment=”01R<:
VCIBonding.Interface (AP-ST)” disable=yes;
/ip address add address=192.168.79.1/30 interface=WAN1 comment=”01R>: BondingWAN1.[
Elisa (AP:1.2.3.1-ST:1.2.3.2) ]” disable=yes;
/ip address add address=192.168.79.5/30 interface=WAN2 comment=”02R>: BondingWAN2.[
Elisa (AP:1.2.3.4-ST:1.2.3.5) ]” disable=yes;
# …
# ------------------------------------------- [Router.no-Local]
# Remote end: mirror configuration with the other host of each /30
# (.14 on the bond, .2 and .6 on the member links); balance-rr has to match
# on both ends.
/interface bonding add name=VCIBonding slaves=WAN1,WAN2 mode=balance-rr
comment=”01R>: VCIBondig.Add (Bonding Interface.no-Local)” disable=yes;
# ------------------------
/ip address add address=192.168.79.14/30 interface=VCIBonding comment=”01R>:
VCIBonding.Interface (ST-AP)” disable=yes;
/ip address add address=192.168.79.2/30 interface=WAN1 comment=”01R>: BondingWAN1.[
Elisa (ST:1.2.3.1-AP:1.2.3.2) ]” disable=yes;
/ip address add address=192.168.79.6/30 interface=WAN2 comment=”02R>: BondingWAN2.[
Elisa (ST:1.2.3.4-AP:1.2.3.5) ]” disable=yes;
# …
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------------ [Bonding]
----------------------------------------
#
-----------------------------------------------------------------------------------
-------
-------------------------------------------------------------------------------
[ FIN ]
-----------------------------------------------------------------------------------
-----
--------------------------- Scripts (accesorios):
-----------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----