Bonjour à tous,
@Xommit voici la configuration:
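# jan/05/2022 17:50:30 by RouterOS 7.1.1
#
# Purpose: export of a MikroTik router placed behind an Orange ONT on
# ether1-WAN (Internet VLAN 832), with the Orange Livebox kept behind the
# router on ether2-LB / ether3-LB (192.168.100.0/24), and two LAN segments:
#   VLAN2    (vlan-id 2,  192.168.0.0/24) - served by DHCP server "iot"
#   br2vlan1 (vlan-id 10, 192.168.1.0/24) - served by DHCP server "Lan"
# Values the poster says must be adapted before use: the DHCP option 90
# authentication string (IPv4 "authsend" and IPv6 "authsend" below hold
# placeholders) and the SIP option 120 (placeholder "A adapter").
# NOTE(review): this paste also contains the LCD PIN and a device MAC
# address; treat both as disclosed once posted.
# Changes versus the original export:
#   - the duplicated dhcp-options= parameter in /ipv6 dhcp-client was
#     removed (both copies were identical);
#   - the two "Block Vlan1 to Vlan2" / "Block Vlan2 to Vlan1" rules in
#     /ipv6 firewall filter were moved above the accept rules, because they
#     sat after the unconditional forward drop and could never match.
/interface bridge
add name=bridge-Lan
/interface ethernet
# Port naming. ether2-LB and ether3-LB go to the Livebox, ether6..ether10 are
# LAN ports (bridged below), sfp1 is unused and disabled.
set [ find default-name=ether1 ] comment="ONT Orange" name=ether1-WAN
set [ find default-name=ether2 ] comment=LIveBox name=ether2-LB
set [ find default-name=ether3 ] name=ether3-LB
set [ find default-name=ether6 ] name=ether6-PI
set [ find default-name=ether7 ] name=ether7-AP
set [ find default-name=ether8 ] name=ether8-Bureau
set [ find default-name=ether9 ] name=ether9-Cave
set [ find default-name=ether10 ] name=ether10-Salon poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
# VLAN2 and br2vlan1 are the two LAN segments on top of bridge-Lan.
add interface=bridge-Lan name=VLAN2 vlan-id=2
add interface=bridge-Lan name=br2vlan1 vlan-id=10
# VLAN 832 towards the ONT (real Internet uplink) and towards the Livebox
# (the router impersonates the ISP on that side). Loop protection is tuned
# to re-enable immediately and send every second on both.
add comment="Internet ONT" interface=ether1-WAN loop-protect-disable-time=0s \
loop-protect-send-interval=1s name=vlan832-internet vlan-id=832
add comment="Internet LiveBox" interface=ether2-LB loop-protect-disable-time=\
0s loop-protect-send-interval=1s name=vlan832-livebox vlan-id=832
/interface ethernet switch port
# Switch-chip port VLAN handling, addressed by port index. All listed ports
# are in vlan-mode=secure; ports 4, 5 and 6 strip tags and get a default
# VLAN (1, 10, 10), the others add a tag if missing.
# NOTE(review): the index -> interface mapping is not part of this export;
# confirm it with "/interface ethernet switch port print" before reuse.
set 3 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 7 vlan-header=add-if-missing vlan-mode=secure
set 8 vlan-header=add-if-missing vlan-mode=secure
set 9 vlan-header=add-if-missing vlan-mode=secure
set 11 vlan-mode=secure
/interface list
# Default interface lists; members are assigned further down.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
# Options sent to the ISP DHCP server on the WAN side: 90 (authentication,
# placeholder value here - must be replaced), 60 (vendor class) and 77
# (user class).
add code=90 name=authsend value="Chaine d'autenfication version longue"
add code=60 name=class-identifier value="'sagem'"
add code=77 name=userclass value=\
"'+FSVDSL_livebox.Internet.softathome.Livebox4'"
/ip dhcp-server option
# Options served to the Livebox on vlan832-livebox: 90 (authentication),
# 120 (SIP server, placeholder "A adapter" - must be replaced), 125
# (vendor-specific) and 119 (domain search).
add code=90 name=authsend value=\
0x0000000000000000000000646863706c697665626f786672323530
add code=120 name=SIP value="A adapter"
add code=125 name=VendorSPecific value=0x000005580c010a0001000000ffffffffff
add code=119 name=domain-search value=\
0x0353545206616363657373116F72616E67652D6D756C74696D65646961036E657400
/ip pool
# One pool per served segment.
add name=pool-livebox ranges=192.168.100.2-192.168.100.10
add name=pool-iot ranges=192.168.0.100-192.168.0.200
add name=pool-lan ranges=192.168.1.100-192.168.1.199
/ip dhcp-server
# Three DHCP servers, one per segment; add-arp=yes on all of them.
add add-arp=yes address-pool=pool-livebox allow-dual-stack-queue=no \
interface=vlan832-livebox lease-time=1w1d name=Livebox
add add-arp=yes address-pool=pool-iot interface=VLAN2 lease-time=8h name=iot
add add-arp=yes address-pool=pool-lan interface=br2vlan1 lease-time=1w1d10m name=Lan
/ipv6 dhcp-client option
# DHCPv6 counterparts of the WAN options (16 vendor class, 15 user class,
# 11 authentication - placeholder value, must be replaced). The name
# "class-identifer" is misspelt but referenced with the same spelling by
# /ipv6 dhcp-client below, so it is kept as is.
add code=16 name=class-identifer value=0x0000040e0005736167656d
add code=15 name=userclass value="0x002b46535644534c5f6c697665626f782e496e7465\
726e65742e736f66746174686f6d652e6c697665626f7834"
add code=11 name=authsend value="Authentification version longue"
/port
set 0 name=serial0
/queue interface
set ether1-WAN queue=ethernet-default
set ether2-LB queue=ethernet-default
set ether3-LB queue=ethernet-default
/routing bgp template
# Default routing objects present in the export; no BGP peers or OSPF
# interfaces are configured here and both OSPF areas are disabled.
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
add name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/certificate crl
# NOTE(review): CRL entry for an external CA (accv.es) with no obvious link
# to the rest of this setup - confirm it is intended before reusing.
add url=http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
/interface bridge port
# LAN ports in bridge-Lan. The Livebox ports (ether2-LB, ether3-LB) are
# deliberately not bridge members.
add bridge=bridge-Lan interface=ether6-PI
add bridge=bridge-Lan interface=ether7-AP
add bridge=bridge-Lan interface=ether8-Bureau
add bridge=bridge-Lan interface=ether9-Cave
add bridge=bridge-Lan interface=ether10-Salon
/ip neighbor discovery-settings
# Neighbor discovery only on the LAN list (bridge-Lan, see list member).
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# accept-router-advertisements=yes lets the router process RAs, presumably
# needed on the WAN side for the ISP gateway.
# NOTE(review): this setting is global, so RAs arriving on VLAN2/br2vlan1
# would presumably be honoured as well, and the IPv6 input chain below
# accepts all ICMPv6. If hosts on those segments are untrusted, consider
# dropping inbound ICMPv6 type 134 (router advertisement) from them - confirm.
set accept-router-advertisements=yes max-neighbor-entries=8192
/interface ethernet switch rule
# Switch ACL: DHCP (udp/67) and IPv6 DHCP multicast frames
# (33:33:00:01:00:02) from one fixed source MAC get VLAN priority 6 on
# their way to the CPU, presumably to meet the ISP's CoS requirement.
add dst-port=67 mac-protocol=ip new-vlan-priority=6 ports=switch1-cpu \
protocol=udp switch=switch1
add dst-mac-address=33:33:00:01:00:02/FF:FF:FF:FF:FF:FF mac-protocol=ipv6 \
new-vlan-priority=6 ports=switch1-cpu src-mac-address=\
2C:C8:1B:18:E6:FE/FF:FF:FF:FF:FF:FF switch=switch1
/interface ethernet switch vlan
# Switch-chip VLAN table: VLAN 2 and 832 on switch1 (Livebox side), VLAN 10
# (all LAN ports) and VLAN 2 (three LAN ports) on switch2.
add independent-learning=no ports=ether2-LB,ether5,ether4 switch=switch1 \
vlan-id=2
add independent-learning=no ports=ether3-LB switch=switch1 vlan-id=832
add independent-learning=yes ports=\
ether6-PI,ether8-Bureau,ether9-Cave,ether10-Salon,switch2-cpu,ether7-AP \
switch=switch2 vlan-id=10
add independent-learning=no ports=\
ether8-Bureau,ether9-Cave,ether10-Salon,switch2-cpu switch=switch2 \
vlan-id=2
/interface list member
# Note: the firewall rules below match vlan832-internet by name rather than
# the WAN list; the LAN list is what neighbor discovery uses.
add comment=defconf interface=ether1-WAN list=WAN
add interface=bridge-Lan list=LAN
/ip address
add address=192.168.100.1/24 comment="LAN Livebox" interface=vlan832-livebox \
network=192.168.100.0
add address=192.168.0.1/24 interface=VLAN2 network=192.168.0.0
add address=192.168.1.1/24 interface=br2vlan1 network=192.168.1.0
/ip dhcp-client
# WAN DHCP client on the Internet VLAN, sending the ISP options above.
add dhcp-options=authsend,clientid,hostname,userclass interface=\
vlan832-internet
/ip dhcp-server network
# IoT segment gets external DNS only; LAN segment gets the router as DNS plus
# external NTP; the Livebox segment gets the ISP-like option set.
add address=192.168.0.0/24 dns-server=80.10.246.5,81.253.149.13 gateway=\
192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 \
gateway=192.168.1.1 ntp-server=162.159.200.1,51.15.191.239
add address=192.168.100.0/24 dhcp-option=\
authsend,SIP,VendorSPecific,domain-search dns-server=\
81.253.149.2,80.10.246.132 domain=orange.fr gateway=192.168.100.1 \
netmask=24
/ip dns
# The router answers DNS queries; reachability is limited by the input chain
# below (only allowed_to_router sources, then drop).
set allow-remote-requests=yes
/ip firewall address-list
# allowed_to_router: the whole LAN segment (not IoT, not Livebox).
# not_in_internet: bogon / non-routable ranges used to filter WAN sources.
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
# Rules are evaluated top-down within a chain; the first matching
# terminating rule wins.
# forward: fasttrack + accept established/related first.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Forward Livebox to WAN" \
in-interface=vlan832-livebox out-interface=vlan832-internet
# No traffic between any two 192.168.0.0/16 addresses: this isolates IoT,
# LAN and the Livebox segment from each other (including LAN -> Livebox).
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=\
192.168.0.0/16
# input: established/related, then the LAN segment, then drop everything
# (the separate ICMP drop is covered by the final drop as well; it means the
# router itself does not answer ICMP from IoT, Livebox or the Internet).
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input protocol=icmp
add action=drop chain=input
# NOTE(review): log-prefix has no effect unless log=yes is also set; add
# log=yes here if these drops are meant to be logged.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log-prefix=invalid
# New connections from the Internet are only allowed if they were dst-NATed
# (none are, see /ip firewall nat). This is what protects the LAN, since the
# forward chain has no final drop and unmatched traffic is accepted.
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=vlan832-internet log=yes log-prefix=\
!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=\
vlan832-internet log=yes log-prefix=!public src-address-list=\
not_in_internet
# icmp chain (forwarded ICMP only): echo reply, destination unreachable
# 3/0, 3/1, 3/4, echo request, time exceeded, parameter problem; rest dropped.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
# Outbound udp/32100 from any segment to the Internet is blocked.
add action=drop chain=forward comment="Drop Weak IOT protocol" dst-port=32100 \
out-interface=vlan832-internet protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT LAN to WAN" out-interface=\
vlan832-internet
/ip firewall service-port
# SIP connection-tracking helper disabled.
set sip disabled=yes
/ip service
# Management only from 192.168.1.0/24; telnet, ftp, api and api-ssl disabled.
# NOTE(review): www is plain HTTP, so management credentials cross the LAN in
# clear text; consider www-ssl (with a certificate) and disabling www.
set telnet address=192.168.1.0/24 disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh address="192.168.1.0/24"
set api address=192.168.1.0/24 disabled=yes
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24 disabled=yes
/ip ssh
set forwarding-enabled=local
/ipv6 address
# ::1 in a prefix taken from the delegated pool on each LAN segment.
add address=::1 from-pool=pool_FT_6 interface=br2vlan1
add address=::1 from-pool=pool_FT_6 interface=VLAN2
/ipv6 dhcp-client
# DHCPv6 prefix delegation on the WAN, feeding pool_FT_6; the original export
# listed dhcp-options= twice with the same value, kept once here.
add add-default-route=yes dhcp-options=authsend,userclass,class-identifer \
interface=vlan832-internet pool-name=pool_FT_6 rapid-commit=no request=prefix \
use-peer-dns=no
/ipv6 firewall address-list
# "allowed" contains link-local and link-local multicast only.
# NOTE(review): bad_ipv6, not_global_ipv6, bad_src_ipv6 and bad_dst_ipv6 are
# populated but no rule in /ipv6 firewall filter references them; either add
# the matching drop rules or remove the lists.
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
bad_src_ipv6
/ipv6 firewall filter
# input: DHCPv6 replies from the ISP, established/related, all ICMPv6 (this
# is what lets the ISP's RA/ND through, since it sits above the link-local
# drop), UDP traceroute, then link-local from the WAN is dropped and logged,
# link-local from elsewhere accepted, rest dropped and logged.
add action=accept chain=input comment=\
"accept DHCPv6-Client prefix delegation." dst-port=546 in-interface=\
vlan832-internet protocol=udp src-address=fe80::/10 src-port=""
add action=accept chain=input comment="allow established and related" \
connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=drop chain=input in-interface=vlan832-internet log=yes log-prefix=\
dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
src-address-list=allowed
add action=drop chain=input log=yes
# forward: established/related, drop invalid, then the inter-VLAN blocks
# (moved here from below the catch-all drop, where they could never match),
# then ICMPv6, then local sources, then drop.
add action=accept chain=forward comment=established,related connection-state=\
established,related
# NOTE(review): log-prefix without log=yes does nothing (same on the final
# forward drop below).
add action=drop chain=forward comment=invalid connection-state=invalid \
log-prefix=ipv6,invalid
add action=drop chain=forward comment="Block Vlan1 to Vlan2" in-interface=\
br2vlan1 out-interface=VLAN2
add action=drop chain=forward comment="Block Vlan2 to Vlan1" in-interface=\
VLAN2 out-interface=br2vlan1
add action=accept chain=forward comment=icmpv6 protocol=icmpv6
# NOTE(review): "allowed" only holds fe80::/16 and ff02::/16, so this rule
# accepts link-local-sourced forward traffic only; LAN hosts using global
# addresses from pool_FT_6 would fall through to the catch-all drop below
# unless the delegated prefix is also in "allowed" (or the src-address-list
# match is removed). Confirm IPv6 from the LAN actually reaches the Internet.
add action=accept chain=forward comment="local network" in-interface=\
!vlan832-internet src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6
/ipv6 nd
# Router advertisements on both LAN segments; the IoT one does not
# advertise DNS.
set [ find default=yes ] interface=br2vlan1 ra-interval=3m12s-10m
add advertise-dns=no interface=VLAN2 ra-interval=3m12s-10m
/ipv6 nd prefix default
set preferred-lifetime=1h valid-lifetime=1h
/lcd
# Read-only LCD protected by a PIN.
# NOTE(review): this PIN is now public - change it on the device.
set default-screen=stat-slideshow read-only-mode=yes
/lcd pin
set pin-number=2905
/system clock
set time-zone-name=Europe/Paris
/system logging
# Two extra logging entries (dhcp, firewall) present but disabled.
add disabled=yes topics=dhcp
add disabled=yes topics=firewall
/system ntp client
set enabled=yes
/system ntp server
# The router also serves NTP (manycast); the input chain limits it to the
# LAN segment.
set manycast=yes
/system ntp client servers
add address=5.196.160.139
add address=212.85.158.10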
Elle est bien entendu à adapter en fonction de tes besoins.
Les points obligatoires sont:
- La chaîne d'authentification en version longue
- L'option SIP 120 à créer en fonction du lieu de résidence.
Bon dimanche