Il y a là-dedans plein de bordel qui traîne de ma config Orange... Bon courage pour faire le tri...
À savoir aussi, le MikroTik n'est pas mon serveur DHCP, c'est un Windows 2022. Il a une règle spécifique pour la MAC du boîtier TV, pour lui filer les serveurs DNS Bouygues nécessaires au fonctionnement.
# 2023-12-21 15:32:19 by RouterOS 7.12.1
# software id = 2GX6-31PR
#
# model = CCR2004-16G-2S+
# serial number = [....]
# --- Interfaces ---
# Both bridges are disabled. Together with the ether1-TV/ether2-LIVEBOX ports
# and the VLAN832/VLAN840 interfaces below they appear to be remnants of the
# earlier Orange TV setup mentioned in the opening note — confirm before
# removing them.
/interface bridge
add disabled=yes igmp-snooping=yes name=TV-BRIDGE
add disabled=yes fast-forward=no name=WAN-BRIDGE
# Every copper port except ether15-ADMIN is disabled. ether15-ADMIN carries the
# 192.168.88.0/24 management address (see /ip address); the two SFP+ ports are
# the live WAN and LAN uplinks.
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ether1-TV
set [ find default-name=ether2 ] disabled=yes name=ether2-LIVEBOX
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] name=ether15-ADMIN
set [ find default-name=ether16 ] disabled=yes
# NOTE(review): sfp1-WAN pins a non-default MAC address — presumably something
# the ISP side expects (box/ONU MAC binding); confirm that is still needed on
# the Bouygues session. Flow control is on in both directions.
set [ find default-name=sfp-sfpplus1 ] mac-address=F4:05:95:09:C8:A0 name=\
sfp1-WAN rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus2 ] name=sfp2-LAN
# "VLAN100 - WAN" on sfp1-WAN is the only enabled VLAN; it carries the active
# DHCP client (VendorID_Bouygues) and is the masquerade out-interface. The 832
# and 840 VLANs (Orange Livebox / TV) are all disabled.
/interface vlan
add interface=sfp1-WAN name="VLAN100 - WAN" vlan-id=100
add disabled=yes interface=ether2-LIVEBOX name="VLAN832 - LIVEBOX" vlan-id=\
832
add disabled=yes interface=sfp1-WAN name="VLAN832 - WAN" vlan-id=832
add disabled=yes interface=ether2-LIVEBOX name="VLAN840 - LIVEBOX" vlan-id=\
840
add disabled=yes interface=sfp1-WAN name="VLAN840 - TV" vlan-id=840
# Interface lists used by the firewall's in-interface-list matchers and by
# /tool mac-server. Membership is assigned further down in
# /interface list member.
/interface list
add name=LAN
add name=WAN
add name=orange_tv
# No wireless interface is defined anywhere in this export; this line only
# renames the default security profile's supplicant identity.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# --- DHCP client/server options (ISP-specific) ---
# Only VendorID_Bouygues (code 60) is referenced by the enabled DHCP client on
# "VLAN100 - WAN"; the Livebox options are referenced by the disabled client on
# WAN-BRIDGE. The code 90 "Authentication" option carries ISP authentication
# material (redacted here as [....]) — an unredacted export of this section is
# a secret and should be handled as one.
/ip dhcp-client option
add code=60 name="Vendor class identifier" value="'sagem'"
add code=77 name="User Class Information" value=\
"0x2b'FSVDSL_livebox.Internet.softathome.Livebox4'"
add code=90 name=Authentication value="0x00000000000000000000001a[....]"
add code=77 name=vod_userclass value=\
"'+FSVDSL_livebox.MLTV.softathome.Livebox4'"
# NOTE(review): vod_userclass and clienId_livebox (sic) are not referenced by
# name in either /ip dhcp-client entry of this export — removal candidates.
add code=61 name=clienId_livebox value=0xe8d2ff3bcabc
add code=60 name=VendorID_Bouygues value="'BYGTELIAD'"
# Options served by the "WAN LIVEBOX" DHCP server on the disabled
# "VLAN832 - LIVEBOX" interface (the disabled filter rules on that VLAN mention
# the Orange TV decoder). Values are redacted.
/ip dhcp-server option
add code=90 name=Authentification value=\
0x000000000000000000[....]
add code=120 name="SIP Server" value="0x0006[....]"
add code=125 name="Vendor Specific" value=\
0x0000[....]
/ip dhcp-server option sets
add name=setLivebox options="Authentification,SIP Server,Vendor Specific"
# Ten-address pool for the Livebox-side VLAN. The server is bound to a disabled
# interface, so pool and server are inactive today.
/ip pool
add name=pool-tv ranges=192.168.42.10-192.168.42.19
/ip dhcp-server
add address-pool=pool-tv dhcp-option-set=setLivebox interface=\
"VLAN832 - LIVEBOX" lease-time=1w1d name="WAN LIVEBOX"
# IPv6 counterpart of the Bouygues vendor id. IPv6 is disabled globally in
# /ipv6 settings, so this is currently unused.
/ipv6 dhcp-client option
add code=60 name=VendorID_Bouygues value="'BYGTELIAD'"
# Serial console ports and the default queue type on the two active SFP+ ports.
/port
set 0 name=serial0
set 1 name=serial1
/queue interface
set sfp1-WAN queue=ethernet-default
set sfp2-LAN queue=ethernet-default
# --- Bridge layer and global IP/IPv6 settings ---
/interface bridge filter
# VLAN832 - WAN not ready
# in/out-bridge-port matcher not possible when interface (VLAN832 - WAN) is not slave
# Tags outgoing DHCP (udp/67) on the disabled Orange WAN VLAN with CoS 6 and
# logs every hit. Inactive while that VLAN stays disabled; log=yes would be
# noisy if it is ever re-enabled.
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes \
log-prefix="Set CoS 6 on DHCP requests" mac-protocol=ip new-priority=6 \
out-interface="VLAN832 - WAN" passthrough=yes
# All bridge ports belong to the disabled Orange setup (both bridges disabled).
/interface bridge port
add bridge=WAN-BRIDGE ingress-filtering=no interface="VLAN832 - WAN"
add bridge=TV-BRIDGE interface="VLAN840 - TV" pvid=840
add bridge=TV-BRIDGE interface="VLAN840 - LIVEBOX" pvid=840
# use-ip-firewall=yes (and -for-vlan) passes bridged traffic through
# /ip firewall; fast path is switched off to match.
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# NOTE(review): CDP/LLDP is enabled but discover-interface-list is not shown in
# this export; confirm it excludes sfp1-WAN / "VLAN100 - WAN" so the router does
# not announce itself toward the ISP.
/ip neighbor discovery-settings
set protocol=cdp,lldp
/ip settings
set max-neighbor-entries=8192
# IPv6 is fully off (disable-ipv6=yes, no RA acceptance, no forwarding); the
# /ipv6 firewall and dhcp-client entries further down are dormant.
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
forward=no max-neighbor-entries=8192
# List membership used by the firewall and /tool mac-server.
# NOTE(review): the WAN list holds only the physical sfp1-WAN; "VLAN100 - WAN",
# where the ISP traffic actually arrives, is not a member. As far as I can tell
# in-interface-list matches the VLAN interface rather than its parent, so the
# in-interface-list=WAN rules in /ip firewall filter most likely never see
# Internet traffic (check their counters). Adding the VLAN here changes what
# those rules — and therefore the dstnat port forwards — do; do it together
# with the filter change, not alone. ether15-ADMIN is in no list.
/interface list member
add interface=sfp1-WAN list=WAN
add interface=sfp2-LAN list=LAN
add interface="VLAN840 - LIVEBOX" list=orange_tv
add interface="VLAN840 - TV" list=orange_tv
add interface="VLAN832 - LIVEBOX" list=orange_tv
# OVPN server: md5 is still listed as an accepted auth digest. Nothing in this
# export enables the server; if it is ever enabled, drop md5 from the list.
/interface ovpn-server server
set auth=sha1,md5
# --- Addressing, DHCP client, DNS ---
/ip address
# Management address, reachable only through ether15-ADMIN.
add address=192.168.88.1/24 comment="Configuration sur port 15" interface=\
ether15-ADMIN network=192.168.88.0
# LAN side. The router is .3 on this subnet; DHCP for it is served by a
# Windows 2022 host, not this device (see the opening note).
add address=192.168.0.3/24 interface=sfp2-LAN network=192.168.0.0
# Untagged address on the WAN port, used to reach the ONU (comment: "Sert à
# accéder à l'ONU"). The ISP session itself rides tagged on VLAN100.
add address=192.168.100.2/24 comment="Sert \E0 acc\E9der \E0 l'ONU" \
interface=sfp1-WAN network=192.168.100.0
# Disabled; gateway address of the Orange Livebox VLAN.
add address=192.168.42.254/24 comment="\"WAN\" LIVEBOX" disabled=yes \
interface="VLAN832 - LIVEBOX" network=192.168.42.0
/ip cloud
set update-time=no
# First client (Orange options on WAN-BRIDGE) is disabled. The second, on
# "VLAN100 - WAN", is the live Bouygues session and sends hostname, clientid
# and the BYGTELIAD vendor class.
/ip dhcp-client
add dhcp-options=\
"Vendor class identifier,clientid,User Class Information,Authentication" \
disabled=yes interface=WAN-BRIDGE
add dhcp-options=hostname,clientid,VendorID_Bouygues interface=\
"VLAN100 - WAN"
# Network definition for the (inactive) Livebox VLAN DHCP server. The
# dns-server values are presumably the resolvers the decoder expects — not
# verified here.
/ip dhcp-server network
add address=192.168.42.0/24 dns-server=81.253.149.2,80.10.246.132 gateway=\
192.168.42.254 netmask=24
# allow-remote-requests=yes makes the router a resolver for anything that can
# reach port 53 on it. WAN exposure is prevented only by the input chain (the
# "Accept DNS" rules are limited to the support list and the chain ends in
# "Drop anything else!"). Upstream queries go to Google DNS in cleartext.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
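# --- Address lists ---
/ip firewall address-list
# "support": sources granted full access to the router itself (input chain:
# DNS, winbox, and the catch-all "Full access to SUPPORT address list"). Both
# the LAN and the admin subnet are in it, so every LAN host reaches the
# management plane; the winbox drop rule relies on this list being populated.
add address=192.168.0.0/24 list=support
add address=192.168.88.0/24 list=support
# "bogons": destinations dropped in the forward chain. The RFC 1918 ranges are
# disabled because they are in use locally.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes \
list=bogons
# Fix: the loopback block is 127.0.0.0/8 (as the comment's RFC 3330 reference
# says); the previous /16 only covered 127.0.x.x.
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes \
list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes \
list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
# "WAN-IP": resolved from a DNS name via the router's own resolver and used as
# dst-address-list by the dstnat port forwards.
# NOTE(review): the name still says "orange"; if it does not resolve to the
# current Bouygues WAN address the forwards never match — check the resolved
# entry in this list.
add address=orange.mackila.com list=WAN-IP
# "VODReplay" / "TV": ISP source ranges allowed by the VOD and IGMP-proxy
# accept rules in /ip firewall filter and the VOD redirect in /ip firewall nat.
add address=212.195.48.0/24 comment="VOD Bouygues" list=VODReplay
add address=212.195.244.0/24 list=VODReplay
add address=62.34.201.0/24 list=VODReplay
add address=194.158.119.0/24 list=VODReplay
add address=195.36.152.0/24 list=VODReplay
add address=193.254.97.0/24 comment="TV Bouygues" list=TV
add address=89.86.97.0/24 list=TV
add address=176.165.8.0/24 list=TV
add address=89.86.96.0/24 list=TV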
# --- IPv4 firewall filter ---
# NOTE(review): the in-interface-list=WAN rules below (udp/53 drop and both
# WAN->LAN drops) match the physical sfp1-WAN only; "VLAN100 - WAN", where the
# Internet traffic arrives, is not in the WAN list (see /interface list
# member), so as far as I can tell those rules never fire. The input chain is
# still closed by the final "Drop anything else!" rule; the forward chain has
# no final drop. If the VLAN is added to the WAN list, an accept for
# connection-nat-state=dstnat must precede the WAN->LAN drop or the port
# forwards in /ip firewall nat stop working. Verify with the rule counters.
# Rule order: the input-chain SSH staging rules at the end sit after the final
# input drop and can never match; ssh is disabled in /ip service anyway, so
# delete them or move them above the drop if SSH is ever enabled.
/ip firewall filter
# Established/related traffic through the router: fasttrack (hw-offload) then
# accept.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
# Orange TV decoder rules — all disabled, kept from the previous setup.
add action=accept chain=input comment=\
"Accepte tout concernant le d\E9codeur TV" disabled=yes \
in-interface-list=orange_tv
add action=accept chain=forward comment=\
"Accepte tout concernant le d\E9codeur TV" disabled=yes \
in-interface-list=orange_tv
add action=accept chain=input comment="Allow multicast TV Orange" disabled=\
yes dst-port=8200,8202 in-interface=TV-BRIDGE protocol=udp
add action=accept chain=input comment="Service Orange TV" disabled=yes \
dst-port=5678 in-interface-list=orange_tv protocol=udp
# Live TV over the Bouygues session: IGMP from the ISP VLAN and the stream
# ports (udp 8200,8202) from the "TV" source ranges, both to the router (IGMP
# proxy) and through it; VOD replay on udp 20000-30000 from "VODReplay".
add action=accept chain=input comment="Allow IGMP for TV" in-interface=\
"VLAN100 - WAN" protocol=igmp
add action=accept chain=input comment="Accept IP flow for IGMP Proxy" \
dst-port=8200,8202 in-interface="VLAN100 - WAN" protocol=udp \
src-address-list=TV
add action=accept chain=forward comment="Accept IP flow for IGMP Proxy" \
dst-port=8200,8202 protocol=udp src-address-list=TV
add action=accept chain=forward comment="Accept IP flow for VOD" dst-port=\
20000-30000 in-interface="VLAN100 - WAN" protocol=udp src-address-list=\
VODReplay
# Orange decoder egress rules — disabled.
add action=accept chain=forward comment="DNS/NTP pour le decodeur TV Orange" \
disabled=yes dst-port=53,123 in-interface="VLAN832 - LIVEBOX" \
out-interface=WAN-BRIDGE protocol=udp
add action=accept chain=forward comment="HTTP/S pour le decodeur TV Orange" \
disabled=yes dst-port=80,443 in-interface="VLAN832 - LIVEBOX" \
out-interface=WAN-BRIDGE protocol=tcp
add action=accept chain=forward comment="TV Orange" disabled=yes dst-port=\
8200,8202 in-interface=TV-BRIDGE protocol=udp
# Dynamic blocklists for traffic aimed at the router: SYN flooders
# (connection-limit=30,32, 30 min) and port scanners (psd, 1 week). These run
# before the established/related accepts, so every SYN is evaluated.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
# WAN-side udp/53 drop (see the list-membership note above). tcp-flags="" is a
# no-op on a UDP rule.
add action=drop chain=input comment="Drop incoming UDP DNS requests" \
dst-port=53 in-interface-list=WAN protocol=udp tcp-flags=""
# 192.168.20.0/24 (guests) has no address in this export — presumably a
# LAN-side VLAN on a switch. The two WAN->LAN drops are the only rules standing
# between new WAN connections and the two LAN subnets; dst-address-list="" on
# the second one is empty and adds no condition.
add action=drop chain=forward comment=\
"Drop packets from GUESTS to LAN adresses" dst-address=192.168.0.0/24 \
src-address=192.168.20.0/24
add action=drop chain=forward comment="Drop packets from WAN to LAN adresses" \
connection-state=new dst-address=192.168.0.0/24 in-interface-list=WAN
add action=drop chain=forward comment="Drop packets from WAN to LAN adresses" \
connection-state=new dst-address=192.168.88.0/24 dst-address-list="" \
in-interface-list=WAN
# ICMP is handled in the dedicated ICMP chain for input, forward and output.
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
# Winbox (tcp/8291) only from the support list; /ip service winbox also limits
# the listener to the same subnets.
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
# Outbound SMTP abuse (tcp 25,587): sources over the connection/rate limits go
# into "spammers" for 3 h and all their TCP is then dropped in forward.
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" protocol=tcp \
src-address-list=spammers
# Router-as-resolver only for the support list; then established/related,
# full management access for support, and the final drop (enabled).
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp \
src-address-list=support
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp \
src-address-list=support
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
# ICMP chain: rate-limited echo requests, echo replies, time exceeded,
# unreachable 3:0-1 and PMTUD (3:4) are accepted, everything else dropped.
# Because the output chain jumps here as well, ICMP the router itself emits
# outside these types (e.g. port unreachable 3:3) is dropped too.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
# SSH brute-force staging (stage1 -> stage2 -> stage3 -> blacklist for 1w3d).
# Unreachable in the input chain (placed after the final drop, see header
# note); only the last rule, in the forward chain, is effective.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
# --- NAT ---
# Masquerade behind the Bouygues session. The tcp/80 and tcp/443 forwards to
# 192.168.0.2 match on the DNS-resolved WAN-IP list (see the note on that list
# in /ip firewall address-list); the [....] line marks rules removed from this
# excerpt. The VOD stream (udp 20000-30000 from the VODReplay ranges) is
# redirected to 192.168.0.120.
/ip firewall nat
add action=masquerade chain=srcnat out-interface="VLAN100 - WAN"
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
tcp to-addresses=192.168.0.2 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
protocol=tcp to-addresses=192.168.0.2 to-ports=443
[....]
add action=dst-nat chain=dstnat comment="Redirection flux TV VOD" dst-port=\
20000-30000 in-interface="VLAN100 - WAN" protocol=udp src-address-list=\
VODReplay to-addresses=192.168.0.120
# --- Management services ---
# Every listed service except winbox is disabled, and winbox only accepts
# connections from the admin and LAN subnets (the firewall input chain adds a
# second layer via the support list). www-ssl does not appear in this export.
/ip hotspot service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.0.0/24
set api-ssl disabled=yes
# --- IPv6 (dormant) ---
# IPv6 is disabled in /ipv6 settings and this prefix-delegation client is
# disabled as well. The filter drops everything in all three chains; the three
# accept rules after them are disabled placeholders. Keep the drops if IPv6 is
# ever turned on until a real ruleset exists.
/ipv6 dhcp-client
add add-default-route=yes disabled=yes interface="VLAN100 - WAN" pool-name=\
pool_bouygues pool-prefix-length=60 request=prefix use-interface-duid=yes
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
add action=drop chain=output
add action=accept chain=input disabled=yes
add action=accept chain=forward disabled=yes
add action=accept chain=output disabled=yes
# IGMP proxy for IPTV: upstream on the ISP VLAN, downstream on the LAN, both
# with alternative-subnets=0.0.0.0/0 (multicast accepted from any source
# subnet). Paired with the "TV"/"VODReplay" accept rules in /ip firewall
# filter.
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface="VLAN100 - WAN" upstream=yes
add alternative-subnets=0.0.0.0/0 interface=sfp2-LAN
# --- System and tools ---
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=CCR2004
# Only the dhcp topic gets an extra logging entry.
/system logging
add topics=dhcp
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
# Graphing entry added with no parameters (whatever the defaults are).
/tool graphing interface
add
# MAC-level access: MAC telnet is off (no list), MAC winbox is allowed from the
# LAN list — i.e. sfp2-LAN only, not the admin port — and MAC ping is off.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
# Packet sniffer pre-configured (not started) against the disabled Livebox
# VLAN, writing to capture832livebox. Any capture written with it stays on the
# router's storage; remove it with the rest of the Orange leftovers.
/tool sniffer
set file-limit=10000KiB file-name=capture832livebox filter-interface=\
"VLAN832 - LIVEBOX"