
# nov/25/2024 10:13:57 by RouterOS 6.49.13
# software id = UGWH-4UJK
#
# model = 951Ui-2HnD
# serial number = 8157076077F7
# LAN bridge. The MAC is set statically (admin-mac with auto-mac=no).
/interface bridge
add admin-mac=64:D1:54:E4:79:3B auto-mac=no comment=defconf name=bridge1
# wlan1 runs as a 2.4 GHz access point (mode=ap-bridge). The SSID is the same
# string as the system identity set near the end of this export, so the
# device name is visible to anyone in radio range.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=Router-Ignis wireless-protocol=802.11
# WAN and LAN interface lists. The firewall rules, neighbor discovery and the
# MAC-server settings in this export all match on these two names.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default profile: WPA2-PSK only.
# NOTE(review): the pre-shared key is exported in cleartext on the lines
# below. A key that has been published should be treated as compromised and
# rotated. Exports that are going to be shared should be produced with
# `/export hide-sensitive` so keys and passwords are left out.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys
supplicant-identity=MikroTik wpa2-pre-shared-key=\
65fV5kK%r|5@
/ip pool
# Two ranges, leaving out 192.168.19.97, which is the router's own bridge1
# address in this export.
add name=dhcp_pool1 ranges=192.168.19.1-192.168.19.96,192.168.19.98-192.168.19.254
/ip dhcp-server
# IPv4 DHCP for the LAN bridge.
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/ipv6 dhcp-server
# DHCPv6 server on the LAN bridge, fed from the static pool defined below.
add address-pool=dhcpv6-1-delegado interface=bridge1 name=dhcp-server
/ipv6 pool
# NOTE(review): this /64 is hard-coded, while the DHCPv6 client on ether1
# fills a separate pool named "ipv6". Confirm which pool is meant to feed
# the LAN.
add name=dhcpv6-1-delegado prefix=2804:14c:87c2:2002::/64 prefix-length=64
/interface bridge port
# ether2-ether5 and wlan1 are bridged into bridge1. ether1 is not a bridge
# port and is placed in the WAN list below.
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf interface=wlan1
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list, so the router does not
# announce itself on the WAN interface.
set discover-interface-list=LAN
/interface list member
# These memberships decide what every in-interface-list=WAN / !LAN firewall
# match in this export applies to.
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# LAN gateway address on the bridge, and a statically configured public
# address on ether1.
add address=192.168.19.97/24 comment=defconf interface=bridge1 network=192.168.19.0
add address=189.4.11.38/24 interface=ether1 network=189.4.11.0
/ip arp
# NOTE(review): static ARP entry for 189.4.11.38, which is also the address
# assigned to ether1 above. Confirm why the router pins an ARP entry for its
# own address.
add address=189.4.11.38 interface=ether1 mac-address=98:77:E7:7C:44:6C
/ip dhcp-relay
# NOTE(review): the relay listens on the WAN interface and names the router's
# own ether1 address as the DHCP server. Looks unintended; confirm, and
# disable the relay if it is not needed.
add dhcp-server=189.4.11.38 disabled=no interface=ether1 name=dhcp_relay-claro
/ip dhcp-server lease
# Static leases. The comments identify the hosts (storage, hypervisor, work
# notebook, FTP server), which makes this section an inventory of internal
# hosts and MAC addresses. Strip or anonymise it before sharing an export.
add address=192.168.19.81 comment=Truenas mac-address=BC:24:11:F1:0E:42
server=dhcp1
add address=192.168.19.82 client-id=1:60:c7:27:2:6e:35 comment="notebook trabalho
lenovo" mac-address=60:C7:27:02:6E:35 server=\
dhcp1
add address=192.168.19.80 comment=Proxmox mac-address=78:2B:CB:C1:95:ED
server=dhcp1
# 192.168.19.78 is the dst-nat target for the internet-facing FTP ports in
# the NAT section of this export.
add address=192.168.19.78 client-
id=ff:11:ab:e8:de:0:1:0:1:2e:18:1b:a0:bc:24:11:ab:e8:de comment=Deb_ftp mac-
address=\
BC:24:11:AB:E8:DE server=dhcp1
# Second lease for the same MAC under a different client-id.
add address=192.168.19.77 client-id=1:bc:24:11:ab:e8:de comment="Outro ip deb_ftp"
mac-address=BC:24:11:AB:E8:DE server=dhcp1
/ip dhcp-server network
# LAN clients receive the router as gateway and a public dynamic-DNS name as
# their DNS domain.
add address=192.168.19.0/24 domain=pbscbkp.ddns.net gateway=192.168.19.97
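/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from clients.
# It is kept away from the internet only by the input-chain rules that drop
# traffic not coming from the LAN list, so those rules must stay in place or
# the router becomes an open resolver.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
# router.lan has to resolve to the router's own LAN address. The defconf
# value 192.168.88.1 is not on any interface of this router (bridge1 is
# 192.168.19.97/24), so clients looking up router.lan were sent towards the
# default route instead of the router.
add address=192.168.19.97 comment=defconf name=router.lan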
/ip firewall filter
# Rule order is significant: each chain is evaluated top to bottom and the
# first matching accept/drop ends processing for that packet.
#
# NOTE(review): input-chain accept for tcp/2123 from WAN. The dst-nat rule in
# this export rewrites WAN tcp/2123 to 192.168.19.78, so that traffic should
# traverse the forward chain, not input. This rule would only matter if the
# NAT rule were disabled, and it would then open the router's own service
# port to the internet. Presumably removable; confirm.
add action=accept chain=input comment="Porta FTP 2123" dst-port=2123 in-interface-
list=WAN protocol=tcp
# Passive FTP data ports are accepted from any WAN source. If the set of
# clients is known, restrict this with a source address list.
add action=accept chain=forward comment="Portas FTP passivas 3123-3150" dst-
port=3123-3150 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept
established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="defconf: accept established,related,
untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-
state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for
CAPsMAN)" dst-address=127.0.0.1
# This is the rule that shields the router's own services (DNS resolver,
# management) from the WAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-
interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-
policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-
policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-
state=invalid
# New WAN connections are forwarded only if a dst-nat rule matched them.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed"
connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
# NOTE(review): no comment, no interface and no address restriction. No
# trailing drop rule is visible in the forward chain, so this accept appears
# to change nothing. Document its purpose or remove it.
add action=accept chain=forward dst-port=9191 protocol=tcp
# NOTE(review): both SSH rules sit after the "drop all not coming from LAN"
# rule and the SSH service is disabled under /ip service, so they look
# redundant as exported. port=22 matches the source or the destination port;
# dst-port=22 would state the intent more precisely.
add action=accept chain=input comment="Permitir SSH somente de rede interna"
port=22 protocol=tcp src-address=192.168.19.0/24
add action=drop chain=input comment="Bloquear SSH vindo de fora" port=22
protocol=tcp
# NOTE(review): established/related forward traffic is already accepted by
# the defconf rule near the top, so this rule looks unreachable.
add action=accept chain=forward connection-state=established,related in-interface-
list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-
policy=out,none out-interface-list=WAN
# Both dst-nat rules publish the FTP server at 192.168.19.78 to any source on
# the internet (control port 2123, passive data ports 3123-3150).
# NOTE(review): whether the server speaks plain FTP or FTPS is not visible
# here. Plain FTP sends credentials and data unencrypted, so prefer
# SFTP/FTPS and, where the clients are known, add a src-address-list match to
# these rules.
add action=dst-nat chain=dstnat comment="Portas passivas servidor ftp" dst-
port=3123-3150 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.19.78 to-ports=3123-3150
add action=dst-nat chain=dstnat comment="Porta de entrada servidor ftp" dst-
port=2123 in-interface-list=WAN protocol=tcp \
to-addresses=192.168.19.78 to-ports=2123
/ip firewall raw
# Every rule in this section uses action=passthrough, which only counts (and
# optionally logs) matching packets and then continues to the next rule.
# None of them allows or blocks anything.
add action=passthrough chain=prerouting comment="Portas passivas servidor ftp" dst-
port=3123-3150 in-interface-list=WAN protocol=\
tcp
add action=passthrough chain=prerouting comment="Porta de entrada servidor ftp"
dst-port=2123 in-interface-list=WAN protocol=tcp
# The three per-user VNC rules are disabled. No dst-nat rule for ports
# 8787-8789 appears in this export, so those ports are presumably not
# published; confirm before re-enabling anything VNC-related on the WAN.
add action=passthrough chain=prerouting comment="Porta VNC para o user TOG"
disabled=yes dst-port=8787 in-interface-list=WAN log=\
yes log-prefix=VNC-TOG: protocol=tcp
add action=passthrough chain=prerouting comment="Porta VNC para o user ZE"
disabled=yes dst-port=8788 in-interface-list=WAN log=\
yes log-prefix=VNC-ZE: protocol=tcp
add action=passthrough chain=prerouting comment="Porta VNC para o user EVERTON"
disabled=yes dst-port=8789 in-interface-list=WAN \
log=yes log-prefix=VNC-EVERTON: protocol=tcp
/ip firewall service-port
# Points the FTP connection-tracking helper at the non-standard control port
# used by the published server.
set ftp ports=2123
/ip route
# Default route with the interface itself as gateway, monitored by ping.
add check-gateway=ping distance=1 gateway=ether1
/ip service
# Router management services.
# NOTE(review): www and winbox are not listed, so presumably they are still
# at their defaults. Verify, and restrict them with address= to the
# management hosts.
set telnet disabled=yes
# NOTE(review): this is the router's OWN FTP service, moved to port 2123 and
# limited to source 192.168.19.78. It does not forward anything to the FTP
# server (the dst-nat rules do that). If the router's FTP service is not used
# it should be disabled.
set ftp address=192.168.19.78/32 port=2123
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
# Static global addresses on the bridge and on ether1 (ether1's is not
# advertised), plus one address taken from the delegated pool for the bridge.
add address=2804:14c:87c2:2002:9a77:e7ff:fe7c:446d interface=bridge1
add address=2804:14c:87c2:1020:990b:52f3:36fd:ae34 advertise=no interface=ether1
add from-pool=dhcpv6-1-delegado interface=bridge1
/ipv6 dhcp-client
# Requests a delegated prefix on the WAN interface into a pool named "ipv6".
add add-default-route=yes interface=ether1 pool-name=ipv6 request=prefix
/ipv6 dhcp-relay
# NOTE(review): the relay listens on the WAN interface and points at a
# link-local server reachable via bridge1, i.e. it would carry DHCPv6
# requests arriving from the WAN side into the LAN. Confirm this is intended.
add dhcp-server=fe80::2eb:d5ff:feec:e019%bridge1 interface=ether1 name=relay1
/ipv6 firewall address-list
# bad_ipv6: prefixes that should never appear as a source or destination of
# forwarded traffic. The IPv6 forward chain in this export drops packets
# whose source or destination is in this list.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Rule order is significant: each chain is evaluated top to bottom and the
# first matching accept/drop ends processing for that packet.
# Input chain (traffic addressed to the router itself), defconf rules.
add action=accept chain=input comment="defconf: accept
established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-
state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-
port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix
delegation." dst-port=546 protocol=udp src-address=\
fe80::/10
# NOTE(review): IKE/AH/ESP are accepted from any source. No IPsec
# configuration appears in this export; if IPsec is not used these three
# accepts can be removed to shrink the WAN-facing surface.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-
esp
add action=accept chain=input comment="defconf: accept all that matches ipsec
policy" ipsec-policy=in,ipsec
# Everything else addressed to the router from outside the LAN list is
# dropped here.
add action=drop chain=input comment="defconf: drop everything else not coming from
LAN" in-interface-list=!LAN
# Forward chain (traffic routed through the router), defconf rules.
add action=accept chain=forward comment="defconf: accept
established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-
state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6"
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6"
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-
limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-
ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-
esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec
policy" ipsec-policy=in,ipsec
# With no NAT on IPv6, this drop is what keeps LAN hosts unreachable from the
# internet.
add action=drop chain=forward comment="defconf: drop everything else not coming
from LAN" in-interface-list=!LAN
# NOTE(review): the two FTP accepts below come AFTER the drop above, so
# WAN-sourced packets never reach them. As exported, inbound IPv6 FTP is not
# opened by this chain. If it is meant to be open, the rules belong above the
# drop and need a dst-address for the FTP host; without one they would open
# these ports towards every LAN host. The second rule's comment says 2123 but
# it matches 3123-3150.
add action=accept chain=forward comment="Porta FTP 2123" dst-port=2123 in-
interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Porta FTP 2123" dst-port=3123-3150 in-
interface-list=WAN protocol=tcp
# NOTE(review): 2001:db8::/32 is the documentation prefix (it is also in this
# export's bad_ipv6 list), so this accept matches no real host. The LAN
# prefix used elsewhere in this export is 2804:14c:87c2:2002::/64. Both SSH
# rules also sit after the input drop for non-LAN traffic, and the SSH
# service is disabled under /ip service.
add action=accept chain=input comment="SSH de IP interno (ex: IPv6)" port=22
protocol=tcp src-address=2001:db8::/32
add action=drop chain=input comment="Bloquear SSH vindo de fora" port=22
protocol=tcp
/ipv6 firewall raw
# NOTE(review): presumably meant to "open" the FTP ports, but an accept in
# the raw table does not bypass the filter chains, so the forward-chain drop
# for non-LAN traffic still decides. Verify. The second rule has no
# in-interface-list match, unlike the first.
add action=accept chain=prerouting dst-port=2123 in-interface-list=WAN protocol=tcp
add action=accept chain=prerouting dst-port=3123-3150 protocol=tcp
/ipv6 nd
# Router advertisements on the bridge carry the managed-address and
# other-configuration flags, i.e. they tell hosts to use DHCPv6.
add interface=bridge1 managed-address-configuration=yes other-configuration=yes
/system clock
# Local time zone for the system clock.
set time-zone-name=America/Sao_Paulo
/system identity
# Same string as the wlan1 SSID in this export.
set name=Router-Ignis
/system script
# script1: IPv6 bring-up stored on the router. It logs each step, then adds
# the WAN and LAN addresses, the delegated pool, the DHCPv6 servers, the ND
# entry and a default route.
# NOTE(review):
#  - It holds a broad policy set (including policy, password, sniff and
#    sensitive). Reduce it to what the commands actually need.
#  - The first `/ipv6 dhcp-server add` uses interface=brigde1 (letters
#    transposed), which does not match the bridge1 interface defined in this
#    export. The next dhcp-server add targets $saida (bridge1) with the same
#    pool, so one of the two is presumably redundant.
#  - The 2804:14c:87c2:2002:9a77:... address is added to $entrada (ether1)
#    here, while the exported /ipv6 address section has it on bridge1.
#    Confirm which is intended.
#  - No /system scheduler section appears in this export, so it is presumably
#    run by hand. The items it adds already exist in the exported
#    configuration.
add dont-require-permissions=no name=script1 owner=admin
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="# interfaces\r\
\n:local entrada \"ether1\"\r\
\n:local saida \"bridge1\"\r\
\n\r\
\n:log info \"come\E7ando script\"\r\
\n:log info \"come\E7ando script\"\r\
\n:log info \"come\E7ando script\"\r\
\n\r\
\n# ipv6 a ether1\r\
\n:log info \"ipv6 2804:14c:87c2:1020:990b:52f3:36fd:ae34/64 \E0 interface \
$entrada\"\r\
\n/ipv6 address add address=2804:14c:87c2:1020:990b:52f3:36fd:ae34/64
interface=\$entrada\r\
\n\r\
\n# prefixo a entrada wan\r\
\n:log info \"prefixo o 2804:14c:87c2:2002:9a77:e7ff:fe7c:446d/64 a \
$entrada\"\r\
\n/ipv6 address add address=2804:14c:87c2:2002:9a77:e7ff:fe7c:446d/64
interface=\$entrada\r\
\n\r\
\n# prefixo para a lan\r\
\n:log info \"criando pool com prefixo 2804:14c:87c2:2002::/64\"\r\
\n/ipv6 pool add name=dhcpv6-1-delegado prefix-length=64
prefix=2804:14c:87c2:2002::/64\r\
\n\r\
\n# dhcp6 para a bridge\r\
\n:log info \"pool de dhcp6 para lan com o prefixo 2804:14c:87c2:2002::/64\"\r\
\n/ipv6 dhcp-server add name=lan-server1 interface=brigde1 address-pool=dhcpv6-
1-delegado\r\
\n\r\
\n# servidor dhcp6 \E0 interface bridge1\r\
\n:log info \"servidor dhcp6 a bridge\"\r\
\n/ipv6 dhcp-server add name=dhcp-server interface=\$saida address-pool=dhcpv6-
1-delegado\r\
\n\r\
\n/ipv6 nd add interface=bridge1 managed-address-configuration=yes other-
configuration=yes advertise-dns=yes\r\
\n\r\
\n# rota padr\E3o para ipv6\r\
\n:log info \"rota padr\E3o para ipv6 e gateway 2804:14c:87c2:2002::1\"\r\
\n/ipv6 route add dst-address=::/0 gateway=2804:14c:87c2:2002::1\r\
\n\r\
\n# endere\E7o ipv6 \E0 bridge1\r\
\n:log info \"ipv6 2804:14c:87c2:2002::1/64 a brigde\"\r\
\n/ipv6 address add address=2804:14c:87c2:2002::1/64 interface=\$saida\r\
\n"
# ipv4: adds FTP and SSH filter rules for IPv4 and IPv6. The SSH rules and
# the IPv6 FTP comment strings match rules present in the exported firewall
# sections, so this script looks like their origin.
# NOTE(review):
#  - src-address=192.168.88.0/16 does not describe this router's LAN
#    (192.168.19.0/24 on bridge1). A /16 would admit all of 192.168.0.0/16.
#    The SSH rule in the exported filter uses 192.168.19.0/24.
#  - The FTP accepts are on chain=input with no interface match and use
#    port=, which matches the source or the destination port. On the input
#    chain they concern the router itself, not the FTP server behind NAT.
#  - The IPv6 SSH accept uses 2001:db8::/32, the documentation prefix, which
#    matches no real host.
#  - `add` without a position appends to the end of the chain, so these
#    rules land after the existing drop rules, and every run adds another
#    copy.
#  - The policy set is far broader than a script that only adds firewall
#    rules needs.
add dont-require-permissions=no name=ipv4 owner=admin
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source=" # Regras para IPv4\r\
\n /ip firewall filter\r\
\n\r\
\n # Permitir FTP nas portas 2123 e 3123-3150\r\
\n add chain=input protocol=tcp port=2123 action=accept comment=\"Porta FTP
2123\"\r\
\n add chain=input protocol=tcp port=3123-3150 action=accept
comment=\"Portas FTP e passivas 3123-3150\"\r\
\n\r\
\n # Permitir SSH somente de IP interno\r\
\n add chain=input protocol=tcp port=22 src-address=192.168.88.0/16
action=accept comment=\"Permitir SSH somente de rede in\
terna\"\r\
\n add chain=input protocol=tcp port=22 action=drop comment=\"Bloquear SSH
vindo de fora\"\r\
\n\r\
\n\r\
\n # Regras para IPv6\r\
\n /ipv6 firewall filter\r\
\n\r\
\n # Permitir FTP nas portas 2123 e 3123-3150\r\
\n add chain=input protocol=tcp port=2123 action=accept comment=\"Porta FTP
2123\"\r\
\n add chain=input protocol=tcp port=3123-3150 action=accept
comment=\"Portas FTP e passivas 3123-3150\"\r\
\n\r\
\n # Permitir SSH somente de IPs internos\r\
\n add chain=input protocol=tcp port=22 src-address=2001:db8::/32
action=accept comment=\"SSH de IP interno (ex: IPv6)\"\r\
\n add chain=input protocol=tcp port=22 action=drop comment=\"Bloquear SSH
vindo de fora\""
# noip: dynamic-DNS updater. If ether1 is running it reads the interface's
# IPv6 address, strips the /prefix, compares it with the global previousIP
# and, when it differs, calls the provider's update URL with /tool fetch.
# NOTE(review):
#  - The account user and password are hard-coded in the script source and
#    are therefore part of every export. Credentials that have been published
#    should be rotated, and shared exports produced with
#    `/export hide-sensitive`.
#  - The fetch uses mode=http, so the credentials and hostname cross the WAN
#    unencrypted. Prefer mode=https with check-certificate=yes, provided the
#    provider's update endpoint supports it (verify).
#  - The result of the fetch is discarded (keep-result=no) and the "atualizado"
#    log line is written unconditionally, so a rejected update is still
#    logged as a success.
#  - `find interface=... disabled=no` may return more than one address on
#    ether1; confirm `get` receives a single item.
#  - The policy set is broader than an updater needs. Reduce it to the
#    minimum.
add dont-require-permissions=no name=noip owner=admin
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="# Atualizacao automatica do No-IP com IPv6\r\
\n\r\
\n# Alterar as informacoes desta secao conforme os dados do seu login e host
no-ip\r\
\n:local noipuser \"8rdfxbv\"\r\
\n:local noippass \"jHExwgMERbf2\"\r\
\n:local noiphost \"all.ddnskey.com\"\r\
\n\r\
\n# Nome da interface que devera ter o endereco IP vinculado ao host do no-ip\
r\
\n:local inetinterface \"ether1\"\r\
\n\r\
\n:global previousIP\r\
\n\r\
\n:if ([/interface get \$inetinterface value-name=running]) do={\r\
\n # Obtendo informacao sobre o IP atual (IPv6)\r\
\n :local currentIP [/ipv6 address get [find interface=\"\$inetinterface\"
disabled=no] address]\r\
\n \r\
\n # Formatando o IP para remover o prefixo\r\
\n :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
\n :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
\n :set currentIP [:pick \$currentIP 0 \$i]\r\
\n } \r\
\n }\r\
\n\r\
\n # Verificar se o IP atual \E9 diferente do IP anterior\r\
\n :if (\$currentIP != \$previousIP) do={\r\
\n :log info \"No-IP: IPv6 atual \$currentIP diferente do IP anterior,
atualizando.\"\r\
\n :set previousIP \$currentIP\r\
\n\r\
\n # Enviando o novo IP via HTTP\r\
\n :log info \"No-IP: Atualizando o host \$noiphost\"\r\
\n /tool fetch mode=http user=\$noipuser password=\$noippass
url=\"http://ip1.dynupdate6.no-ip.com/nic/update\?hostname\
=\$noiphost&myip=\$currentIP\" keep-result=no\r\
\n :log info \"No-IP: Host \$noiphost atualizado no No-IP = \
$currentIP\"\r\
\n }\r\
\n} else={\r\
\n :log info \"No-IP: \$inetinterface desconectada. Imposs\EDvel atualizar
No-IP.\"\r\
\n}\r\
\n"
/tool mac-server
# Layer-2 management (MAC telnet here, MAC Winbox below) is limited to
# interfaces in the LAN list, so it is not offered on the WAN port.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
