Created
November 2, 2022 06:21
-
-
Save nntu/442e8d97ceeea7074662252caa1a9f3f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # nov/02/2022 13:13:38 by RouterOS 7.6 | |
| # software id = HCC0-4FJR | |
| # | |
| /interface bridge | |
| add dhcp-snooping=yes igmp-snooping=yes name=bridge1 | |
| /interface ethernet | |
| set [ find default-name=ether8 ] disable-running-check=no mac-address=\ | |
| 00:02:B6:45:34:F4 name=B | |
| set [ find default-name=ether1 ] disable-running-check=no name=C | |
| set [ find default-name=ether2 ] disable-running-check=no name=D | |
| set [ find default-name=ether3 ] disable-running-check=no name=E | |
| set [ find default-name=ether4 ] disable-running-check=no name=F | |
| set [ find default-name=ether5 ] disable-running-check=no name=G | |
| set [ find default-name=ether6 ] disable-running-check=no name=H | |
| set [ find default-name=ether7 ] disable-running-check=no name=ether14 | |
| /interface pppoe-client | |
| add add-default-route=yes allow=pap,chap disabled=no interface=H name=\ | |
| pppoe-viettel-H use-peer-dns=yes | |
| add add-default-route=yes allow=pap,chap disabled=no interface=G \ | |
| keepalive-timeout=disabled name=pppoe-vnpt-G use-peer-dns=yes | |
| /interface list | |
| add name=WAN | |
| add name=LAN | |
| /interface wireless security-profiles | |
| set [ find default=yes ] supplicant-identity=MikroTik | |
| /ip pool | |
| add name=pool1 ranges=172.16.1.2-172.16.255.254 | |
| add name=dhcp ranges=172.16.0.0/16 | |
| add name=dhcp_pool2 ranges=172.16.4.2-172.16.10.254 | |
| /ip dhcp-server | |
| add add-arp=yes address-pool=dhcp_pool2 interface=bridge1 lease-time=3h30m \ | |
| name=dhcp1 | |
| /port | |
| set 0 name=serial0 | |
| set 1 name=serial1 | |
| /queue type | |
| add kind=pcq name=PCQ_Downstream pcq-classifier=dst-address \ | |
| pcq-dst-address6-mask=64 pcq-src-address6-mask=64 | |
| add kind=pcq name=PCQ_Upstream pcq-classifier=src-address \ | |
| pcq-dst-address6-mask=64 pcq-src-address6-mask=64 | |
| /queue tree | |
| add max-limit=120M name="pppoe-vnpt-G Downstream" parent=global queue=\ | |
| PCQ_Downstream | |
| add max-limit=70M name="pppoe-vnpt-G Upstream" parent=pppoe-vnpt-G queue=\ | |
| PCQ_Upstream | |
| add name="pppoe-vnpt-G - Browsing - rx" packet-mark=browsing-pppoe-vnpt-G \ | |
| parent="pppoe-vnpt-G Downstream" priority=3 queue=PCQ_Downstream | |
| add name="pppoe-vnpt-G - Browsing - tx" packet-mark=browsing parent=\ | |
| "pppoe-vnpt-G Upstream" priority=3 queue=PCQ_Upstream | |
| add name="pppoe-vnpt-G - DNS - rx" packet-mark=dns-pppoe-vnpt-G parent=\ | |
| "pppoe-vnpt-G Downstream" priority=2 queue=PCQ_Downstream | |
| add name="pppoe-vnpt-G - DNS - tx" packet-mark=dns parent=\ | |
| "pppoe-vnpt-G Upstream" priority=2 queue=PCQ_Upstream | |
| add name="pppoe-vnpt-G - Managment - rx" packet-mark=\ | |
| managment-fw-pppoe-vnpt-G parent="pppoe-vnpt-G Downstream" priority=2 \ | |
| queue=PCQ_Downstream | |
| add name="pppoe-vnpt-G - Managment - tx" packet-mark=managment-fw parent=\ | |
| "pppoe-vnpt-G Upstream" priority=2 queue=PCQ_Upstream | |
| add limit-at=1M max-limit=2M name="pppoe-vnpt-G - ICMP - rx" packet-mark=\ | |
| icmp-pppoe-vnpt-G parent="pppoe-vnpt-G Downstream" priority=1 queue=\ | |
| PCQ_Downstream | |
| add limit-at=700k max-limit=1M name="pppoe-vnpt-G - ICMP - tx" packet-mark=\ | |
| icmp parent="pppoe-vnpt-G Upstream" priority=1 queue=PCQ_Upstream | |
| add name="pppoe-vnpt-G - Other - rx" packet-mark=other-pppoe-vnpt-G parent=\ | |
| "pppoe-vnpt-G Downstream" queue=PCQ_Downstream | |
| add name="pppoe-vnpt-G - Other - tx" packet-mark=other parent=\ | |
| "pppoe-vnpt-G Upstream" queue=PCQ_Upstream | |
| add max-limit=100M name="pppoe-viettel-H Downstream" parent=global queue=\ | |
| PCQ_Downstream | |
| add max-limit=70M name="pppoe-viettel-H Upstream" parent=pppoe-viettel-H \ | |
| queue=PCQ_Upstream | |
| add name="pppoe-viettel-H - Browsing - rx" packet-mark=\ | |
| browsing-pppoe-viettel-H parent="pppoe-viettel-H Downstream" priority=3 \ | |
| queue=PCQ_Downstream | |
| add name="pppoe-viettel-H - DNS - rx" packet-mark=dns-pppoe-viettel-H parent=\ | |
| "pppoe-viettel-H Downstream" priority=2 queue=PCQ_Downstream | |
| add name="pppoe-viettel-H - ICMP - rx" packet-mark=icmp-pppoe-viettel-H \ | |
| parent="pppoe-viettel-H Downstream" priority=1 queue=PCQ_Downstream | |
| add name="pppoe-viettel-H - Managment - rx" packet-mark=\ | |
| managment-fw-pppoe-viettel-H parent="pppoe-viettel-H Downstream" \ | |
| priority=2 queue=PCQ_Downstream | |
| add name="pppoe-viettel-H - Other - rx" packet-mark=other-pppoe-viettel-H \ | |
| parent="pppoe-viettel-H Downstream" queue=PCQ_Downstream | |
| add name="pppoe-viettel-H - Browsing - tx" packet-mark=browsing parent=\ | |
| "pppoe-viettel-H Upstream" priority=3 queue=PCQ_Upstream | |
| add name="pppoe-viettel-H - DNS - tx" packet-mark=dns parent=\ | |
| "pppoe-viettel-H Upstream" priority=2 queue=PCQ_Upstream | |
| add name="pppoe-viettel-H - ICMP - tx" packet-mark=icmp parent=\ | |
| "pppoe-viettel-H Upstream" priority=1 queue=PCQ_Upstream | |
| add name="pppoe-viettel-H - Managment - tx" packet-mark=managment-fw parent=\ | |
| "pppoe-viettel-H Upstream" priority=2 queue=PCQ_Upstream | |
| add name="pppoe-viettel-H - Other - tx" packet-mark=other parent=\ | |
| "pppoe-viettel-H Upstream" queue=PCQ_Upstream | |
| add name="pppoe-viettel-H - Zalo - rx" packet-mark=zalo-pppoe-viettel-H \ | |
| parent="pppoe-viettel-H Downstream" priority=2 queue=PCQ_Downstream | |
| add name="pppoe-viettel-H - Zalo - tx" packet-mark=zalo parent=\ | |
| "pppoe-viettel-H Upstream" priority=2 queue=PCQ_Upstream | |
| add name="pppoe-vnpt-G - Zalo- rx" packet-mark=zalo-pppoe-vnpt-G parent=\ | |
| "pppoe-vnpt-G Downstream" priority=2 queue=PCQ_Downstream | |
| add name="pppoe-vnpt-G - Zalo - tx" packet-mark=zalo parent=\ | |
| "pppoe-vnpt-G Upstream" priority=2 queue=PCQ_Upstream | |
| add name="pppoe-viettel-H - tiktok - rx" packet-mark=tiktok-pppoe-viettel-H \ | |
| parent="pppoe-viettel-H Downstream" priority=3 queue=PCQ_Downstream | |
| add name="pppoe-viettel-H - tiktok - tx" packet-mark=tiktok parent=\ | |
| "pppoe-viettel-H Upstream" priority=3 queue=PCQ_Upstream | |
| add name="pppoe-vnpt-G - tiktok- rx" packet-mark=tiktok-pppoe-vnpt-G parent=\ | |
| "pppoe-vnpt-G Downstream" priority=3 queue=PCQ_Downstream | |
| add name="pppoe-vnpt-G - tiktok - tx" packet-mark=tiktok parent=\ | |
| "pppoe-vnpt-G Upstream" priority=3 queue=PCQ_Upstream | |
| add name="pppoe-viettel-H - YOUTUBE - rx" packet-mark=YOUTUBE-pppoe-viettel-H \ | |
| parent="pppoe-viettel-H Downstream" priority=4 queue=PCQ_Downstream | |
| add name="pppoe-viettel-H - YOUTUBE - tx" packet-mark=YOUTUBE parent=\ | |
| "pppoe-viettel-H Upstream" priority=4 queue=PCQ_Upstream | |
| add name="pppoe-vnpt-G - YOUTUBE- rx" packet-mark=YOUTUBE-pppoe-vnpt-G \ | |
| parent="pppoe-vnpt-G Downstream" priority=4 queue=PCQ_Downstream | |
| add name="pppoe-vnpt-G - YOUTUBE - tx" packet-mark=YOUTUBE parent=\ | |
| "pppoe-vnpt-G Upstream" priority=4 queue=PCQ_Upstream | |
| /routing table | |
| add comment="LB By BNT" fib name=to-pppoe-viettel-H | |
| add comment="LB By BNT" fib name=to-pppoe-vnpt-G | |
| /interface bridge port | |
| add bridge=bridge1 interface=B | |
| add bridge=bridge1 interface=C | |
| add bridge=bridge1 interface=D | |
| add bridge=bridge1 interface=E | |
| add bridge=bridge1 interface=F | |
| /ip firewall connection tracking | |
| set tcp-syn-sent-timeout=10m5s | |
| /ip neighbor discovery-settings | |
| set discover-interface-list=!WAN | |
| /ip settings | |
| set rp-filter=loose | |
| /interface list member | |
| add interface=bridge1 list=LAN | |
| add interface=pppoe-viettel-H list=WAN | |
| add interface=pppoe-vnpt-G list=WAN | |
| /ip address | |
| add address=172.16.1.1/16 interface=bridge1 network=172.16.0.0 | |
| add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0 | |
| /ip dhcp-client | |
| add interface=bridge1 | |
| add disabled=yes interface=G | |
| /ip dhcp-server lease | |
| add address=172.16.2.90 client-id=1:90:2e:16:3d:cf:11 mac-address=\ | |
| 90:2E:16:3D:CF:11 server=dhcp1 | |
| /ip dhcp-server network | |
| add address=172.16.0.0/16 dns-server=172.16.2.6 gateway=172.16.1.1 netmask=16 \ | |
| ntp-server=172.16.1.1 | |
| /ip dns | |
| set allow-remote-requests=yes max-concurrent-queries=5000 \ | |
| max-concurrent-tcp-sessions=100 servers=\ | |
| 1.1.1.1,8.8.8.8,8.8.4.4,94.140.14.14,94.140.15.15 use-doh-server=\ | |
| https://dns.nextdns.io/5abc42 verify-doh-cert=yes | |
| /ip dns static | |
| add address=94.140.14.14 name=dns.adguard.com | |
| add address=94.140.15.15 name=dns.adguard.com | |
| add address=172.16.1.5 name=bidvct.duckdns.org | |
| add address=1.1.1.1 name=cloudflare-dns.com | |
| add address=8.8.8.8 name=dns.google ttl=1h | |
| add address=8.8.4.4 name=dns.google ttl=1h | |
| add address=2001:4860:4860::8888 name=dns.google ttl=1h type=AAAA | |
| add address=2001:4860:4860::8844 name=dns.google ttl=1h type=AAAA | |
| add address=2606:4700::6810:f8f9 name=cloudflare-dns.com type=AAAA | |
| add address=2606:4700::6810:f9f9 name=cloudflare-dns.com type=AAAA | |
| add address=104.16.248.249 name=cloudflare-dns.com | |
| add address=104.16.249.249 name=cloudflare-dns.com | |
| add address=45.90.28.0 name=dns.nextdns.io | |
| add address=45.90.30.0 name=dns.nextdns.io | |
| add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA | |
| add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA | |
| /ip firewall address-list | |
| add address=118.102.0.0/21 list="IP ZALO" | |
| add address=172.16.0.0/16 list="IP LAN" | |
| add address=116.102.98.0/24 list=connected | |
| add address=98.44.166.78 list=Blacklist | |
| add address=116.102.98.224 list=WAN | |
| add address=192.168.0.0/16 comment="LB By BNT" list=LOCAL-IP | |
| add address=172.16.0.0/16 comment="LB By BNT" list=LOCAL-IP | |
| add address=10.0.0.0/8 comment="LB By BNT" list=LOCAL-IP | |
| add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet | |
| add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet | |
| add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet | |
| add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet | |
| add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet | |
| add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet | |
| add address=224.0.0.0/4 comment=Multicast list=not_in_internet | |
| add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet | |
| add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet | |
| add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet | |
| add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet | |
| add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet | |
| add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet | |
| add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet | |
| add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\ | |
| not_in_internet | |
| add address=171.244.25.0/24 list="IP ZALO" | |
| add address=222.255.114.0/24 list="IP ZALO" | |
| add address=103.39.92.0/24 list="IP ZALO" | |
| add address=49.213.78.0/24 list="IP ZALO" | |
| add address=123.31.31.0/24 list="IP ZALO" | |
| add address=123.30.58.0/24 list="IP ZALO" | |
| add address=49.213.114.0/24 list="IP ZALO" | |
| add address=42.119.138.0/24 list="IP ZALO" | |
| add address=49.213.103.0/24 list="IP ZALO" | |
| add address=210.245.64.0/24 list="IP ZALO" | |
| add address=49.213.106.0/24 list="IP ZALO" | |
| add address=58.187.8.0/24 list="IP ZALO" | |
| add address=116.102.98.224 list=connected | |
| add address=113.161.211.110 list=connected | |
| add address=118.69.0.0/16 list="IP TIKTOK" | |
| add address=27.77.83.0/24 list="IP TIKTOK" | |
| add address=23.220.203.0/24 list="IP TIKTOK" | |
| add address=27.77.82.0/24 list="IP TIKTOK" | |
| add address=31.13.0.0/16 list="IP FACEBOOK" | |
| add address=27.67.51.0/24 list="IP TIKTOK" | |
| add address=27.71.113.0/24 list="IP TIKTOK" | |
| add address=23.210.250.0/24 list="IP TIKTOK" | |
| add address=23.219.172.0/24 list="IP TIKTOK" | |
| add address=157.240.217.0/24 list="IP FACEBOOK" | |
| add address=157.240.199.0/24 list="IP FACEBOOK" | |
| add address=157.240.218.0/24 list="IP FACEBOOK" | |
| add address=171.244.47.0/24 list="IP TIKTOK" | |
| add address=113.171.231.0/24 list="IP TIKTOK" | |
| add address=23.40.241.0/24 list="IP TIKTOK" | |
| add address=113.171.12.0/24 list="IP TIKTOK" | |
| /ip firewall filter | |
| add action=accept chain=input comment="allow WireGuard" dst-port=13231 \ | |
| protocol=udp | |
| add action=accept chain=input comment="allow WireGuard traffic" src-address=\ | |
| 192.168.100.0/24 | |
| add action=accept chain=input comment=\ | |
| "defconf: accept established,related,untracked" connection-state=\ | |
| established,related,untracked | |
| add action=drop chain=input comment="defconf: drop invalid" connection-state=\ | |
| invalid | |
| add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp | |
| add action=drop chain=input comment="defconf: drop all not coming from LAN" \ | |
| in-interface-list=!LAN | |
| add action=accept chain=forward comment="defconf: accept in ipsec policy" \ | |
| ipsec-policy=in,ipsec | |
| add action=accept chain=forward comment="defconf: accept out ipsec policy" \ | |
| ipsec-policy=out,ipsec | |
| add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ | |
| connection-state=established,related hw-offload=yes | |
| add action=accept chain=forward comment=\ | |
| "defconf: accept established,related, untracked" connection-state=\ | |
| established,related,untracked | |
| add action=drop chain=forward comment="defconf: drop invalid" \ | |
| connection-state=invalid | |
| add action=drop chain=forward comment=\ | |
| "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ | |
| connection-state=new in-interface-list=WAN | |
| /ip firewall mangle | |
| add action=accept chain=prerouting dst-address-list=LOCAL-IP \ | |
| src-address-list=LOCAL-IP | |
| add action=mark-connection chain=prerouting connection-mark=no-mark \ | |
| dst-address-list=WAN new-connection-mark=hairpinnat passthrough=yes \ | |
| src-address-list=LOCAL-IP | |
| add action=accept chain=prerouting disabled=yes in-interface=bridge1 \ | |
| src-address=172.16.1.5 | |
| add action=accept chain=prerouting disabled=yes dst-address-list="IP ZALO" | |
| add action=mark-connection chain=input comment="LB By BNT" connection-mark=\ | |
| no-mark disabled=yes in-interface=pppoe-viettel-H new-connection-mark=\ | |
| cm-pppoe-viettel-H passthrough=yes | |
| add action=mark-connection chain=input comment="LB By BNT" connection-mark=\ | |
| no-mark disabled=yes in-interface=pppoe-vnpt-G new-connection-mark=\ | |
| cm-pppoe-vnpt-G passthrough=yes | |
| add action=mark-routing chain=output comment="LB By BNT" connection-mark=\ | |
| cm-pppoe-viettel-H disabled=yes new-routing-mark=to-pppoe-viettel-H \ | |
| passthrough=yes | |
| add action=mark-routing chain=output comment="LB By BNT" connection-mark=\ | |
| cm-pppoe-vnpt-G disabled=yes new-routing-mark=to-pppoe-vnpt-G \ | |
| passthrough=yes | |
| add action=mark-connection chain=forward connection-mark=no-mark \ | |
| in-interface=pppoe-viettel-H new-connection-mark=vietel-lan passthrough=\ | |
| yes | |
| add action=mark-connection chain=forward connection-mark=no-mark \ | |
| in-interface=pppoe-vnpt-G new-connection-mark=vnpt-lan passthrough=yes | |
| add action=mark-routing chain=prerouting connection-mark=vietel-lan \ | |
| new-routing-mark=to-pppoe-viettel-H passthrough=yes src-address-list=\ | |
| LOCAL-IP | |
| add action=mark-routing chain=prerouting connection-mark=vnpt-lan \ | |
| new-routing-mark=to-pppoe-vnpt-G passthrough=yes src-address-list=\ | |
| LOCAL-IP | |
| add action=mark-connection chain=prerouting comment="LB By BNT" disabled=yes \ | |
| dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=\ | |
| cm-pppoe-viettel-H passthrough=yes per-connection-classifier=\ | |
| both-addresses:2/0 src-address-list=LOCAL-IP | |
| add action=mark-connection chain=prerouting comment="LB By BNT" disabled=yes \ | |
| dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark=\ | |
| cm-pppoe-vnpt-G passthrough=yes per-connection-classifier=\ | |
| both-addresses:2/1 src-address-list=LOCAL-IP | |
| add action=mark-routing chain=prerouting comment="LB By BNT" connection-mark=\ | |
| cm-pppoe-viettel-H disabled=yes dst-address-list=!LOCAL-IP \ | |
| new-routing-mark=to-pppoe-viettel-H passthrough=yes src-address-list=\ | |
| LOCAL-IP | |
| add action=mark-routing chain=prerouting comment="LB By BNT" connection-mark=\ | |
| cm-pppoe-vnpt-G disabled=yes dst-address-list=!LOCAL-IP new-routing-mark=\ | |
| to-pppoe-vnpt-G passthrough=yes src-address-list=LOCAL-IP | |
| add action=mark-connection chain=input comment="Mark Routing - pppoe-vnpt-G" \ | |
| in-interface=pppoe-vnpt-G new-connection-mark=pppoe-vnpt-G passthrough=\ | |
| yes | |
| add action=mark-connection chain=input comment=\ | |
| "Mark Routing - pppoe-viettel-H" in-interface=pppoe-viettel-H \ | |
| new-connection-mark=pppoe-viettel-H passthrough=yes | |
| add action=mark-connection chain=prerouting comment="Mark - DNS" dst-port=53 \ | |
| new-connection-mark=dns passthrough=yes protocol=udp | |
| add action=mark-connection chain=prerouting dst-port=53 new-connection-mark=\ | |
| dns passthrough=yes protocol=tcp | |
| add action=mark-packet chain=prerouting connection-mark=dns in-interface=\ | |
| pppoe-vnpt-G new-packet-mark=dns-pppoe-vnpt-G passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=dns in-interface=\ | |
| pppoe-viettel-H new-packet-mark=dns-pppoe-viettel-H passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=dns new-packet-mark=\ | |
| dns passthrough=no | |
| add action=mark-connection chain=prerouting comment="Mark - zalo" \ | |
| dst-address-list="IP ZALO" new-connection-mark=zalo passthrough=yes | |
| add action=mark-packet chain=prerouting connection-mark=zalo in-interface=\ | |
| pppoe-vnpt-G new-packet-mark=zalo-pppoe-vnpt-G passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=zalo in-interface=\ | |
| pppoe-viettel-H new-packet-mark=zalo-pppoe-viettel-H passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=zalo new-packet-mark=\ | |
| zalo passthrough=no | |
| add action=mark-connection chain=prerouting comment="Mark - TIKTOK" \ | |
| dst-address-list="IP TIKTOK" new-connection-mark=tiktok passthrough=yes | |
| add action=mark-packet chain=prerouting connection-mark=tiktok in-interface=\ | |
| pppoe-vnpt-G new-packet-mark=tiktok-pppoe-vnpt-G passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=tiktok in-interface=\ | |
| pppoe-viettel-H new-packet-mark=tiktok-pppoe-viettel-H passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=tiktok \ | |
| new-packet-mark=tiktok passthrough=no | |
| add action=mark-connection chain=prerouting comment="Mark - YOUTUBE" \ | |
| dst-address-list="IP YOUTUBE" new-connection-mark=YOUTUBE passthrough=yes | |
| add action=mark-packet chain=prerouting connection-mark=YOUTUBE in-interface=\ | |
| pppoe-vnpt-G new-packet-mark=YOUTUBE-pppoe-vnpt-G passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=YOUTUBE in-interface=\ | |
| pppoe-viettel-H new-packet-mark=YOUTUBE-pppoe-viettel-H passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=YOUTUBE \ | |
| new-packet-mark=YOUTUBE passthrough=no | |
| add action=mark-connection chain=prerouting comment="Mark - Browsing" \ | |
| connection-bytes=0-1000000 dst-port=80,443 new-connection-mark=browsing \ | |
| passthrough=yes protocol=tcp | |
| add action=mark-packet chain=prerouting connection-bytes=0-1000000 \ | |
| connection-mark=browsing in-interface=pppoe-vnpt-G new-packet-mark=\ | |
| browsing-pppoe-vnpt-G passthrough=no | |
| add action=mark-packet chain=prerouting connection-bytes=0-1000000 \ | |
| connection-mark=browsing in-interface=pppoe-viettel-H new-packet-mark=\ | |
| browsing-pppoe-viettel-H passthrough=no | |
| add action=mark-packet chain=prerouting connection-bytes=0-1000000 \ | |
| connection-mark=browsing new-packet-mark=browsing passthrough=no | |
| add action=mark-connection chain=prerouting comment=\ | |
| "Mark - Managment (Forward)" dst-port=8291,8728,8729,22,23 \ | |
| new-connection-mark=managment-fw passthrough=yes protocol=tcp | |
| add action=mark-packet chain=prerouting connection-mark=managment-fw \ | |
| in-interface=pppoe-vnpt-G new-packet-mark=managment-fw-pppoe-vnpt-G \ | |
| passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=managment-fw \ | |
| in-interface=pppoe-viettel-H new-packet-mark=managment-fw-pppoe-viettel-H \ | |
| passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=managment-fw \ | |
| new-packet-mark=managment-fw passthrough=no | |
| add action=mark-connection chain=prerouting comment="Mark - ICMP" \ | |
| new-connection-mark=icmp passthrough=yes protocol=icmp | |
| add action=mark-packet chain=prerouting connection-mark=icmp in-interface=\ | |
| pppoe-vnpt-G new-packet-mark=icmp-pppoe-vnpt-G passthrough=no protocol=\ | |
| icmp | |
| add action=mark-packet chain=prerouting connection-mark=icmp in-interface=\ | |
| pppoe-viettel-H new-packet-mark=icmp-pppoe-viettel-H passthrough=no \ | |
| protocol=icmp | |
| add action=mark-packet chain=prerouting connection-mark=icmp new-packet-mark=\ | |
| icmp passthrough=no protocol=icmp | |
| add action=mark-connection chain=prerouting comment="Mark - order" \ | |
| new-connection-mark=other passthrough=yes | |
| add action=mark-packet chain=prerouting connection-mark=other in-interface=\ | |
| pppoe-vnpt-G new-packet-mark=other-pppoe-vnpt-G passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=other in-interface=\ | |
| pppoe-viettel-H new-packet-mark=other-pppoe-viettel-H passthrough=no | |
| add action=mark-packet chain=prerouting connection-mark=other \ | |
| new-packet-mark=other passthrough=no | |
| /ip firewall nat | |
| add action=masquerade chain=srcnat connection-mark=hairpinnat disabled=yes | |
| add action=redirect chain=dstnat comment=\ | |
| "Transparent proxy all DNS queries from your LAN" disabled=yes dst-port=\ | |
| 53 in-interface-list=LAN protocol=udp | |
| add action=src-nat chain=srcnat disabled=yes log=yes src-address=\ | |
| 192.168.100.0/24 to-addresses=172.16.1.1 | |
| add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\ | |
| 172.16.0.0/16 src-address=172.16.0.0/16 | |
| add action=masquerade chain=srcnat out-interface-list=WAN | |
| add action=masquerade chain=srcnat comment="LB By BNT" out-interface=\ | |
| pppoe-viettel-H | |
| add action=masquerade chain=srcnat comment="LB By BNT" out-interface=\ | |
| pppoe-vnpt-G | |
| /ip firewall raw | |
| add action=add-dst-to-address-list address-list="IP ZALO" \ | |
| address-list-timeout=none-dynamic chain=prerouting comment="IP ZALO" \ | |
| content=.chat.zalo.me dst-address-list=!CONNECTED src-address-list=\ | |
| "IP LAN" | |
| add action=add-dst-to-address-list address-list="IP ZALO" \ | |
| address-list-timeout=none-dynamic chain=prerouting content=.zalo.me \ | |
| dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP ZALO" \ | |
| address-list-timeout=none-dynamic chain=prerouting content=\ | |
| log.api.zaloapp.com dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP ZALO" \ | |
| address-list-timeout=none-dynamic chain=prerouting content=.zadn.vn \ | |
| dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP YOUTUBE" \ | |
| address-list-timeout=30m chain=prerouting comment="IP YOUTUBE" content=\ | |
| googlevideo.com dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP YOUTUBE" \ | |
| address-list-timeout=30m chain=prerouting content=.youtube \ | |
| dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP YOUTUBE" \ | |
| address-list-timeout=30m chain=prerouting content=ytimg.com \ | |
| dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP FACEBOOK" \ | |
| address-list-timeout=30m chain=prerouting comment="IP FACEBOOK" content=\ | |
| .facebook.com dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP FACEBOOK" \ | |
| address-list-timeout=30m chain=prerouting content=.facebook.net \ | |
| dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP FACEBOOK" \ | |
| address-list-timeout=30m chain=prerouting content=.fbcdn.net \ | |
| dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP INSTAGRAM" \ | |
| address-list-timeout=30m chain=prerouting comment="IP INSTAGRAM" content=\ | |
| .cdninstagram.com disabled=yes dst-address-list=!CONNECTED \ | |
| src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP INSTAGRAM" \ | |
| address-list-timeout=30m chain=prerouting content=\ | |
| scontent-sin6-2.cdninstagram.com disabled=yes dst-address-list=!CONNECTED \ | |
| src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP INSTAGRAM" \ | |
| address-list-timeout=30m chain=prerouting content=.instagram.com \ | |
| disabled=yes dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP TIKTOK" \ | |
| address-list-timeout=30m chain=prerouting comment="IP TIKTOK" content=\ | |
| tiktokcdn.com dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP TIKTOK" \ | |
| address-list-timeout=30m chain=prerouting content=tiktokv.com \ | |
| dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP TIKTOK" \ | |
| address-list-timeout=30m chain=prerouting content=.amemv.com \ | |
| dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| add action=add-dst-to-address-list address-list="IP TIKTOK" \ | |
| address-list-timeout=30m chain=prerouting content=.musical.ly \ | |
| dst-address-list=!CONNECTED src-address-list="IP LAN" | |
| /ip route | |
| add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\ | |
| pppoe-viettel-H pref-src=0.0.0.0 routing-table=to-pppoe-viettel-H scope=\ | |
| 30 suppress-hw-offload=no target-scope=10 | |
| add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\ | |
| pppoe-vnpt-G pref-src=0.0.0.0 routing-table=to-pppoe-vnpt-G scope=30 \ | |
| suppress-hw-offload=no target-scope=10 | |
| add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\ | |
| pppoe-viettel-H pref-src=0.0.0.0 routing-table=to-pppoe-viettel-H scope=\ | |
| 30 suppress-hw-offload=no target-scope=10 | |
| add check-gateway=bfd disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\ | |
| pppoe-vnpt-G pref-src=0.0.0.0 routing-table=to-pppoe-vnpt-G scope=30 \ | |
| suppress-hw-offload=no target-scope=10 | |
| /ip service | |
| set telnet disabled=yes | |
| set ftp disabled=yes | |
| set www address=172.16.0.0/16,192.168.100.0/24 | |
| set ssh disabled=yes | |
| set api address=172.16.0.0/16 | |
| set api-ssl address=172.16.0.0/16 | |
| /ip traffic-flow | |
| set enabled=yes | |
| /ip traffic-flow target | |
| add dst-address=172.16.2.90 src-address=172.16.1.1 | |
| /routing rule | |
| add action=lookup disabled=no src-address=172.16.0.0/16 table=main | |
| /system clock | |
| set time-zone-name=Asia/Ho_Chi_Minh | |
| /system hardware | |
| set allow-x86-64=yes | |
| /system logging | |
| add action=disk topics=error | |
| add action=disk prefix=Camera_ topics=firewall,info | |
| /system ntp client | |
| set enabled=yes | |
| /system ntp server | |
| set broadcast=yes enabled=yes multicast=yes | |
| /system ntp client servers | |
| add address=162.159.200.1 | |
| add address=216.239.35.8 | |
| /system script | |
| add dont-require-permissions=no name=getwanip owner=admin policy=\ | |
| ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\ | |
| global wanInterface \"pppoe-viettel-H\"\r\ | |
| \n:global wanIP \"\$wanIP\"\r\ | |
| \n\r\ | |
| \n# Get the current IP on the interface\r\ | |
| \n:local currentIPtemp [/ip address get [find interface=\"\$wanInterface\"\ | |
| \_disabled=no] address];\r\ | |
| \n\r\ | |
| \n# IP without netmask\r\ | |
| \n:local currentIP [:pick \$currentIPtemp 0 ([:len \$currentIPtemp]-3)];\r\ | |
| \n\r\ | |
| \n:if (\$currentIP != \$wanIP) do={\r\ | |
| \n /log info \"wan ip changed from \$wanIP to \$currentIP\"\r\ | |
| \n :set wanIP \$currentIP\r\ | |
| \n \r\ | |
| \n}" | |
| /tool graphing interface | |
| add interface=pppoe-viettel-H | |
| add interface=pppoe-vnpt-G | |
| /tool mac-server | |
| set allowed-interface-list=LAN | |
| /tool mac-server mac-winbox | |
| set allowed-interface-list=LAN | |
| /tool traffic-monitor | |
| add interface=bridge1 name=tmon1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment