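# RouterOS export, reformatted one command per line. The source had the whole
# export collapsed onto a few long lines with the exporter's "\" continuations
# left inline, and the leading "# " turned the first command run into a comment.
# Secrets, MACs and the admin e-mail were already redacted upstream
# (xxxxxx, xx:xx:xx:xx:xx:xx, xxx@xxxxxx.com) and are kept as found.
# Security review notes are prefixed "REVIEW:"; they describe, they do not change behaviour.

# Three physical ports: lan = admin network, wan = upstream ("Internet Network"),
# hotspot = guest network. arp=reply-only on hotspot means the router does not learn
# ARP dynamically there; entries come from DHCP (add-arp=yes below) and /ip arp.
/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default comment="Administration Network" disable-running-check=yes disabled=no full-duplex=yes mac-address=00:A0:C5:B2:B0:1F mtu=1500 name=lan speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default comment="Internet Network" disable-running-check=yes disabled=no full-duplex=yes mac-address=00:05:1C:15:23:BD mtu=1500 name=wan speed=100Mbps
set 2 arp=reply-only auto-negotiation=yes cable-settings=default comment="Hotspot Network" disable-running-check=yes disabled=no full-duplex=yes mac-address=00:05:1C:08:15:C4 mtu=1500 name=hotspot speed=100Mbps

# DHCP option 46 (NetBIOS node type) handed to hotspot clients.
/ip dhcp-server option
add code=46 name=nb-node-type-P value=2

# hsprof1 is the live profile: HTTPS + HTTP-CHAP login, RADIUS auth/accounting,
# certificate cert2. No /radius client entries appear in this export.
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
add dns-name="" hotspot-address=192.168.182.1 html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-chap,https name=hsprof1 nas-port-type=wireless-802.11 radius-accounting=yes radius-default-domain="" radius-interim-update=1m radius-location-id="" radius-location-name=RACK radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 split-user-domain=no ssl-certificate=cert2 use-radius=yes

/ip hotspot user profile
set default advertise=no keepalive-timeout=5m name=default open-status-page=always rate-limit=256k/64k shared-users=1 status-autorefresh=1m transparent-proxy=yes

/ip pool
add name=hs-pool-3 ranges=192.168.182.2-192.168.182.100
add name=ppp ranges=10.0.0.1-10.0.0.254

/ip dhcp-server
add add-arp=yes address-pool=hs-pool-3 authoritative=after-2sec-delay bootp-support=static disabled=no interface=hotspot lease-time=1h name=dhcp1

/ip hotspot
add address-pool=hs-pool-3 addresses-per-mac=2 disabled=no idle-timeout=10m interface=hotspot keepalive-timeout=none name=hotspot1 profile=hsprof1

/port
set 0 baud-rate=9600 data-bits=8 flow-control=hardware name=serial0 parity=none stop-bits=1

# REVIEW: profile "default" (used by the PPPoE server below) has use-encryption=no,
# so PPPoE client traffic on the hotspot segment is not MPPE-protected. It also draws
# local-address from hs-pool-3, the hotspot DHCP pool - confirm that sharing is intended.
/ppp profile
set default address-list=pppoe change-tcp-mss=yes comment="" local-address=hs-pool-3 name=default only-one=yes remote-address=ppp use-compression=no use-encryption=no use-vj-compression=no
set default-encryption change-tcp-mss=yes comment="" name=default-encryption only-one=default use-compression=default use-encryption=yes use-vj-compression=default

# pcq-download classifies per destination address; pcq-upload classifies by src-port,
# unlike "P2P Up" (src-address) - presumably a typo for per-user fairness, verify.
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
add kind=pcq name=pcq-download pcq-classifier=dst-address pcq-limit=50 pcq-rate=0 pcq-total-limit=2000
add kind=pcq name=pcq-upload pcq-classifier=src-port pcq-limit=50 pcq-rate=0 pcq-total-limit=2000
add kind=pcq name="P2P Down" pcq-classifier=dst-address pcq-limit=20 pcq-rate=5000 pcq-total-limit=200
add kind=pcq name="P2P Up" pcq-classifier=src-address pcq-limit=20 pcq-rate=5000 pcq-total-limit=200
set default-small kind=pfifo name=default-small pfifo-limit=10

# Consumes the cache-packets mark set in the mangle output chain (proxy cache hits).
/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=0/0 max-limit=0/0 name=cache-hotspot packet-marks=cache-packets parent=none priority=1 queue=ethernet-default/ethernet-default total-queue=ethernet-default

# Per-protocol queues fed by the packet marks from /ip firewall mangle.
# Naming is uneven: the SMTP upload queue is "smtp_out" (mark smtp_out) and the
# "other" download queue has no _down suffix, unlike their siblings.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=upload_wan1 packet-mark="" parent=global-out priority=4 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=icmp_down packet-mark=icmp_in parent=global-in priority=1 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=icmp_up packet-mark=icmp_out parent=global-out priority=1 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=winbox_down packet-mark=winbox_in parent=global-in priority=1 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=winbox_up packet-mark=winbox_out parent=global-out priority=1 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=dns_down packet-mark=dns_in parent=global-in priority=1 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=dns_up packet-mark=dns_out parent=global-out priority=1 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=www_up packet-mark=www_out parent=upload_wan1 priority=2 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ssl_up packet-mark=ssl_out parent=upload_wan1 priority=1 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=5k max-limit=5k name=p2p_up packet-mark=p2p parent=global-out priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=udp_up packet-mark=udp_out parent=upload_wan1 priority=6 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=tcp_up packet-mark=tcp_out parent=upload_wan1 priority=4 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=other_up packet-mark=other_out parent=upload_wan1 priority=7 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=download_wan1 packet-mark="" parent=global-in priority=4 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=www_down packet-mark=www_in parent=download_wan1 priority=2 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ssl_down packet-mark=ssl_in parent=download_wan1 priority=1 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=10k max-limit=10k name=p2p_down packet-mark=p2p parent=global-in priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=udp_down packet-mark=udp_in parent=download_wan1 priority=6 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=tcp_down packet-mark=tcp_in parent=download_wan1 priority=4 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=other packet-mark=other_in parent=download_wan1 priority=7 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ssh_down packet-mark=ssh_in parent=global-in priority=1 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=ssh_up packet-mark=ssh_out parent=global-out priority=1 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=pop3_down packet-mark=pop3_in parent=download_wan1 priority=5 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=smtp_down packet-mark=smtp_in parent=download_wan1 priority=5 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=imap_down packet-mark=imap_in parent=download_wan1 priority=5 queue=pcq-download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=imap_up packet-mark=imap_out parent=upload_wan1 priority=5 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=smtp_out packet-mark=smtp_out parent=upload_wan1 priority=5 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=pop3_up packet-mark=pop3_out parent=upload_wan1 priority=5 queue=pcq-upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=5k max-limit=5k name=ares_up packet-mark=ares parent=global-out priority=8 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=10k max-limit=10k name=ares_down packet-mark=ares parent=global-in priority=8 queue=default-small

# REVIEW: the only local account is admin with group=full and address=0.0.0.0/0,
# i.e. no login-source restriction. The input filter below also trusts the hotspot
# subnet as "ournetwork", so restricting this to the admin LAN
# (address=192.168.0.0/24) is the cheapest hardening available here.
/user
add address=0.0.0.0/0 comment="system default user" disabled=no group=full name=admin

/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

/interface ethernet mirror
set

# PPPoE server on the hotspot segment using ppp profile "default" (see REVIEW above).
/interface pppoe-server server
add authentication=chap,mschap1,mschap2 default-profile=default disabled=no interface=hotspot keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=0 mrru=disabled one-session-per-host=yes service-name=service1

# PPTP server is disabled; note the firewall still accepts tcp/1723 from anywhere.
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 frames-per-second=25 receive-all=no ssid-all=no

/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0

/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no

/ip accounting
set account-local-traffic=no enabled=no threshold=256

/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0

/ip address
add address=192.168.0.90/24 broadcast=192.168.0.255 comment="Administration Network" disabled=no interface=lan network=192.168.0.0
add address=192.168.182.1/24 broadcast=192.168.182.255 comment="Hotspot Network" disabled=no interface=hotspot network=192.168.182.0
add address=192.168.2.90/24 broadcast=192.168.2.255 comment="Internet Network" disabled=no interface=wan network=192.168.2.0

# Static ARP for the bypassed WRT54G (see /ip hotspot ip-binding); with
# arp=reply-only on hotspot this pins the address to one MAC.
/ip arp
add address=192.168.182.250 comment="WRT54G static ARP" disabled=no interface=hotspot mac-address=xx:xx:xx:xx:xx:xx

/ip dhcp-server config
set store-leases-disk=5m

# netmask=32 hands clients a host mask - presumably deliberate client isolation
# alongside the "Deny communication between clients" forward rule; confirm.
/ip dhcp-server network
add address=192.168.182.0/24 comment="hotspot network" dhcp-option=nb-node-type-P gateway=192.168.182.1 netmask=32

# allow-remote-requests=yes makes the router a resolver for anything that can reach
# udp/tcp 53 on it - see the REVIEW on the "UDP" input rule below.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns=80.58.61.250 secondary-dns=80.58.61.254

# REVIEW: "ournetwork" is the trusted source for every management accept in the
# input chain (FTP/SSH/Telnet/Web/winbox and the catch-all "our network" rule).
# It includes the hotspot guest subnet 192.168.182.0/24, so a logged-in hotspot
# client has the same management-plane reach as the admin LAN. Use a separate list
# for guests, or remove 192.168.182.0/24 from ournetwork.
/ip firewall address-list
add address=192.168.2.0/24 comment="Internet Network" disabled=no list=ournetwork
add address=192.168.0.0/24 comment="Administration Network" disabled=no list=ournetwork
add address=192.168.182.0/24 comment="Hotspot Network" disabled=no list=ournetwork
add address=10.0.0.0/24 comment="PPPOE Network" disabled=no list=pppoe

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

# Input chain: established/related accept, invalid drop, then per-service accepts,
# then "our network" accept-all and a final drop. Forward chain: client isolation,
# bogon source/destination drops, plus rules elided at the SNIPPED marker.
# REVIEW: the bare "UDP" accept has no in-interface or source match, so every UDP
# service on the router (DNS, with allow-remote-requests=yes) is reachable via wan.
# Scope it, e.g. in-interface=!wan, and confirm PPPoE clients (10.0.0.0/24) still
# resolve through the router afterwards.
# REVIEW: Telnet (23) and FTP (21) are cleartext management paths accepted for the
# same list that already has SSH and winbox; disabling them in /ip service (not in
# this export) is the complete fix, the filter rule alone is not.
# REVIEW: the pptp-server accept (tcp/1723) has no source restriction while the PPTP
# server is enabled=no; disable the rule until PPTP is actually in use.
# REVIEW: nothing shown drops new connections entering via wan in the forward chain;
# if the elided rules do not cover it, consider a
# connection-state=new in-interface=wan drop.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=forward comment="Deny communication between clients" disabled=no dst-address=192.168.182.0/24 src-address=192.168.182.0/24
add action=drop chain=forward comment="" disabled=no dst-address=10.0.0.0/24 src-address=10.0.0.0/24
# { SNIPPED ... FIREWALL RULES TO DROP VIRUS }   (elided in the source)
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="" disabled=no src-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=224.0.0.0/3
add action=drop chain=forward comment="" disabled=no dst-address=224.0.0.0/3
add action=accept chain=input comment=UDP disabled=no protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
add action=accept chain=input comment=FTP disabled=no dst-port=21 protocol=tcp src-address-list=ournetwork
add action=accept chain=input comment="SSH for secure shell" disabled=no dst-port=22 protocol=tcp src-address-list=ournetwork
add action=accept chain=input comment=Telnet disabled=no dst-port=23 protocol=tcp src-address-list=ournetwork
add action=accept chain=input comment=Web disabled=no dst-port=80 protocol=tcp src-address-list=ournetwork
add action=accept chain=input comment=winbox disabled=no dst-port=8291 protocol=tcp src-address-list=ournetwork
add action=accept chain=input comment=pptp-server disabled=no dst-port=1723 protocol=tcp
add action=drop chain=input comment="Protect proxy from internet users" connection-state=new disabled=no dst-port=3128 in-interface=wan protocol=tcp
add action=accept chain=input comment="our network" disabled=no src-address-list=ournetwork
add action=drop chain=input comment="Drop everything else" disabled=no

# Packet marking for the queue tree: *_in marks in prerouting for traffic arriving
# via wan, *_out marks in postrouting for traffic leaving via wan. The bittorrent,
# http-video and pppoe packet marks are not consumed by any queue in this export.
/ip firewall mangle
add action=mark-packet chain=prerouting comment=icmp disabled=no in-interface=wan new-packet-mark=icmp_in passthrough=no protocol=icmp
add action=mark-packet chain=postrouting comment="" disabled=no new-packet-mark=icmp_out out-interface=wan passthrough=no protocol=icmp
add action=mark-connection chain=prerouting comment=p2p disabled=no limit=10,32 new-connection-mark=p2p_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=p2p_conn disabled=no limit=10,32 new-packet-mark=p2p passthrough=no
add action=mark-connection chain=prerouting comment="p2p ares" disabled=no layer7-protocol=ares limit=10,32 new-connection-mark=ares_conn passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=ares_conn disabled=no layer7-protocol=ares limit=10,32 new-packet-mark=ares passthrough=no
add action=mark-connection chain=prerouting comment="p2p bittorrent" disabled=no layer7-protocol=bittorrent limit=10,32 new-connection-mark=bittorrent_con passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=bittorrent_con disabled=no layer7-protocol=bittorrent limit=10,32 new-packet-mark=bittorrent passthrough=yes
add action=mark-packet chain=prerouting comment="Limit YouTube" disabled=no layer7-protocol=http-video new-packet-mark=http-video passthrough=no
add action=mark-packet chain=prerouting comment=pop3 disabled=no in-interface=wan new-packet-mark=pop3_in passthrough=no protocol=tcp src-port=110
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=110 new-packet-mark=pop3_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=smtp disabled=no in-interface=wan new-packet-mark=smtp_in passthrough=no protocol=tcp src-port=25
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=25 new-packet-mark=smtp_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=imap disabled=no in-interface=wan new-packet-mark=imap_in passthrough=no protocol=tcp src-port=143
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=143 new-packet-mark=imap_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=ssh disabled=no dst-port=22 in-interface=wan new-packet-mark=ssh_in passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="" disabled=no new-packet-mark=ssh_out out-interface=wan passthrough=no protocol=tcp src-port=22
add action=mark-packet chain=prerouting comment=winbox disabled=no dst-port=8291 in-interface=wan new-packet-mark=winbox_in passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="" disabled=no new-packet-mark=winbox_out out-interface=wan passthrough=no protocol=tcp src-port=8291
add action=mark-packet chain=prerouting comment=dns disabled=no in-interface=wan new-packet-mark=dns_in passthrough=no protocol=udp src-port=53
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=53 new-packet-mark=dns_out out-interface=wan passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment=www disabled=no in-interface=wan new-packet-mark=www_in passthrough=no protocol=tcp src-port=80
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=80 new-packet-mark=www_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=ssl disabled=no in-interface=wan new-packet-mark=ssl_in passthrough=no protocol=tcp src-port=443
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=443 new-packet-mark=ssl_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=udp disabled=no in-interface=wan new-packet-mark=udp_in passthrough=no protocol=udp
add action=mark-packet chain=postrouting comment="" disabled=no new-packet-mark=udp_out out-interface=wan passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment=tcp disabled=no in-interface=wan new-packet-mark=tcp_in passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="" disabled=no new-packet-mark=tcp_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=other disabled=no in-interface=wan new-packet-mark=other_in passthrough=no
add action=mark-packet chain=postrouting comment="" disabled=no new-packet-mark=other_out out-interface=wan passthrough=no
add action=mark-connection chain=prerouting comment="QOS with PPPOE" disabled=no new-connection-mark=pppoe_conn passthrough=yes src-address-list=pppoe
add action=mark-packet chain=prerouting comment="" connection-mark=pppoe_conn disabled=no new-packet-mark=pppoe passthrough=yes
add action=mark-packet chain=output comment=cache disabled=no dscp=4 new-packet-mark=cache-packets out-interface=hotspot passthrough=no

# REVIEW: both masquerade rules match on src-address only, with no out-interface,
# so hotspot and PPPoE traffic toward the admin LAN (192.168.0.0/24) is also
# source-NATed to the router's address - client attribution is lost in logs on
# that segment. Add out-interface=wan to scope them. The transparent-proxy
# redirects are disabled.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=192.168.182.0/24
add action=masquerade chain=srcnat comment="masquerade pppoe network" disabled=no src-address=10.0.0.0/24
add action=redirect chain=dstnat comment="redirecting transparent proxy" disabled=yes dst-port=80 protocol=tcp src-address=192.168.182.0/24 to-ports=3128
add action=redirect chain=dstnat comment="" disabled=yes dst-port=80 protocol=tcp src-address=10.0.0.0/24 to-ports=3128

# Connection-tracking helpers: all disabled except pptp.
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=no

# REVIEW: type=bypassed keyed on a MAC address exempts that host from hotspot login.
# MAC-based bypass can be cloned; the static /ip arp entry for the same address and
# arp=reply-only on the hotspot port limit IP/MAC mismatch but not MAC cloning.
/ip hotspot ip-binding
add address=192.168.182.250 comment="Allow router WRT54G" disabled=no mac-address=xx:xx:xx:xx:xx:xx server=hotspot1 to-address=192.168.182.250 type=bypassed

/ip hotspot service-port
set ftp disabled=yes ports=21

/ip hotspot walled-garden
add action=allow comment="place hotspot rules here" disabled=yes

# REVIEW: neighbor discovery (MNDP/CDP) is on for wan, advertising the router's
# identity to the upstream segment; it is already off on hotspot. Set wan to
# discover=no unless the upstream side relies on it.
/ip neighbor discovery
set lan discover=yes
set wan discover=yes
set hotspot discover=no

# Web proxy enabled on 3128. New connections arriving via wan are dropped by the
# "Protect proxy from internet users" filter rule; hotspot/PPPoE clients reach it
# directly. /ip proxy access rules are not in this export - confirm they restrict
# the proxy to local clients.
/ip proxy
set always-from-cache=no cache-administrator=xxx@xxxxxx.com cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=1048576KiB max-client-connections=600 max-fresh-time=1w max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=3128 serialize-connections=no src-address=0.0.0.0

# The menu header for this "set" was lost in the source; its parameters
# (filter-address1/2, filter-stream, only-headers, streaming-server) are those of
# the packet sniffer tool, so it is placed under /tool sniffer - verify.
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=yes interface=hotspot memory-limit=10 only-headers=yes streaming-enabled=no streaming-server=0.0.0.0

# User Manager. Credentials were redacted upstream; signup-email-body is the
# exporter's multi-line string joined back into one literal (\n are RouterOS escapes).
/tool user-manager customer
add comment="" date-format=%b/%d/%Y disabled=no login=admin parent=admin password=xxxxxx paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=owner signup-allowed=no signup-email-body="Your authorization data:\nlogin: %login%\npassword: %password%\n\nTo check your status and buy extended time go to address %link%\n" signup-email-subject="Account info" subscriber=admin time-zone=+00:00

# The router entry is disabled, so the hotspot's use-radius=yes has no matching
# local RADIUS server in this export.
/tool user-manager router
add comment="" disabled=yes ip-address=127.0.0.1 log=auth-ok,auth-fail,acct-fail name="This Mikrotik" shared-secret=xxxxxx subscriber=admin

# REVIEW: account "radius" has a password equal to its name. It is disabled, but a
# disabled account with a trivial password is a re-enable-and-forget risk; remove it.
/tool user-manager user
add comment="" disabled=yes name=radius password=radius rate-limit=" 256k/128k" subscriber=admin

/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no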