CRS305 :
ONU sur port SFP+1
DAC vers CCR2004 sur port SFP+2
CCR2004 :
DAC vers CRS305 sur SFP+1
LAN sur SFP+2 (vers un S3900-24T4S, faut que je me motive à mettre l'Ubiquiti à la place).
Config CRS305 :
# jun/04/2022 13:01:18 by RouterOS 7.3beta40
#
# model = CRS305-1G-4S+
#
# Role (from the post above): the ONU is on sfp-sfpplus1 and a DAC to the
# CCR2004 is on sfp-sfpplus2. This export contains no /ip firewall section,
# so management exposure on this box is limited only by the /ip service
# settings further down.
/interface bridge
# NOTE(review): br-lan is created without vlan-filtering=yes, so the
# /interface bridge vlan entry below is not enforced and every bridge port
# shares one L2 domain -- confirm this is intended.
add name=br-lan
/interface ethernet
# ONU-facing port: auto-negotiation off, link forced to 2.5Gbps.
set [ find default-name=sfp-sfpplus1 ] advertise="10M-half,10M-full,100M-half,\
100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" \
auto-negotiation=no speed=2.5Gbps
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/user group
# Members of the "full" group get every policy listed here, including
# sensitive, sniff, api and rest-api.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
# All four SFP+ ports and ether1 are members of br-lan, each with
# ingress-filtering=no.
add bridge=br-lan ingress-filtering=no interface=sfp-sfpplus1
add bridge=br-lan ingress-filtering=no interface=sfp-sfpplus2
add bridge=br-lan ingress-filtering=no interface=sfp-sfpplus3
add bridge=br-lan ingress-filtering=no interface=sfp-sfpplus4
add bridge=br-lan ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/interface bridge vlan
# VLAN 832 tagged on the ONU port and the CCR2004 port only (see the
# vlan-filtering note on the bridge above).
add bridge=br-lan tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=832
/interface ethernet switch rule
# Switch-chip rule: UDP dst-port 67 (DHCP) in VLAN 832 on sfp-sfpplus1 gets
# VLAN priority 6; the CCR2004 config carries a matching bridge filter rule.
add dst-port=67 mac-protocol=ip new-vlan-priority=6 ports=sfp-sfpplus1 \
protocol=udp switch=switch1 vlan-id=832
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/interface ovpn-server server
# NOTE(review): the OVPN server is not enabled in this export, but md5 stays
# in its accepted auth list should it ever be turned on.
set auth=sha1,md5
/ip dhcp-client
# The management address of this switch is obtained by DHCP on the bridge.
add interface=br-lan
/ip service
# Only winbox is left enabled, and only from the two management subnets.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.0.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=CRS305
/system package update
# Tracks the testing channel (the export header shows a 7.3 beta build).
set channel=testing
/system routerboard settings
set boot-os=router-os
/system swos
set identity="Mikrotik CRS305"
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
# MAC-telnet disabled on every interface. No /tool mac-server mac-winbox line
# is exported here, so MAC-winbox keeps its default -- TODO confirm.
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Config CCR2004 :
# jun/04/2022 13:01:34 by RouterOS 7.2
#
# model = CCR2004-16G-2S+
#
# Role (from the post above): sfp1-WAN is the DAC to the CRS305/ONU and
# sfp2-LAN goes to the LAN switch. ether2-LIVEBOX appears, by its name and the
# VLAN 832/840 sub-interfaces on it, to face the ISP's Livebox; ether15-ADMIN
# carries the 192.168.88.1/24 management address. Within each firewall chain
# below, rules are evaluated in the order the export lists them.
/interface bridge
# TV-BRIDGE carries VLAN 840 with IGMP snooping; WAN-BRIDGE wraps the VLAN 832
# WAN sub-interface so the DHCP client and the srcnat rule can bind to it.
add igmp-snooping=yes name=TV-BRIDGE
add fast-forward=no name=WAN-BRIDGE
/interface ethernet
# Every copper port not in use is administratively disabled.
set [ find default-name=ether1 ] disabled=yes name=ether1-TV
set [ find default-name=ether2 ] name=ether2-LIVEBOX
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] name=ether15-ADMIN
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] name=sfp1-WAN
set [ find default-name=sfp-sfpplus2 ] name=sfp2-LAN
/interface vlan
# VLAN 832 is the Internet service VLAN (used by WAN-BRIDGE), VLAN 840 the TV
# VLAN; the TV VLAN on the WAN side is currently disabled.
add interface=ether2-LIVEBOX name="VLAN832 - LIVEBOX" vlan-id=832
add interface=sfp1-WAN name="VLAN832 - WAN" vlan-id=832
add interface=ether2-LIVEBOX name="VLAN840 - LIVEBOX" vlan-id=840
add disabled=yes interface=sfp1-WAN name="VLAN840 - TV" vlan-id=840
/interface list
add name=LAN
add name=WAN
add name=orange_tv
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
# Options the WAN DHCP client sends to the ISP (see /ip dhcp-client below).
# The option 90 value is a credential; it is partially redacted (x's) in this
# post and must stay redacted in any shared export.
add code=60 name="Vendor class identifier" value="'sagem'"
add code=77 name="User Class Information" value=\
"0x2b'FSVDSL_livebox.Internet.softathome.Livebox4'"
add code=90 name=Authentication value="0x00000000000000000000001a0900000558010\
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# NOTE(review): vod_userclass and clienId_livebox are not referenced by the
# dhcp-client entry below (it uses the built-in "clientid"); confirm which
# option 61 value is meant to go out.
add code=77 name=vod_userclass value=\
"'+FSVDSL_livebox.MLTV.softathome.Livebox4'"
add code=61 name=clienId_livebox value=0xe8d2ff3bcabc
/ip dhcp-server option
# Options handed to the Livebox by the "WAN LIVEBOX" server on VLAN832 - LIVEBOX.
add code=90 name=Authentification value=\
0x000000000000000000000000000000646863706c697665626f786672323530
add code=120 name="SIP Server" value="0x000673626374336703424f5206616363657373\
116f72616e67652d6d756c74696d65646961036e657400"
add code=125 name="Vendor Specific" value=\
0x000005580c010a0001000000ffffffffff
/ip dhcp-server option sets
add name=setLivebox options="Authentification,SIP Server,Vendor Specific"
/ip pool
add name=pool-tv ranges=192.168.42.10-192.168.42.19
/ip dhcp-server
add address-pool=pool-tv dhcp-option-set=setLivebox interface=\
"VLAN832 - LIVEBOX" lease-time=1w1d name="WAN LIVEBOX"
/port
set 0 name=serial0
set 1 name=serial1
/queue interface
set sfp1-WAN queue=ethernet-default
set sfp2-LAN queue=ethernet-default
/interface bridge filter
# Sets CoS 6 on DHCP requests leaving through VLAN832 - WAN, with log=yes;
# mirrors the switch rule on the CRS305.
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes \
log-prefix="Set CoS 6 on DHCP requests" mac-protocol=ip new-priority=6 \
out-interface="VLAN832 - WAN" passthrough=yes
/interface bridge port
# WAN-BRIDGE has a single member; TV-BRIDGE joins the (disabled) WAN-side TV
# VLAN with the Livebox-side one, pvid 840 on both.
add bridge=WAN-BRIDGE ingress-filtering=no interface="VLAN832 - WAN"
add bridge=TV-BRIDGE interface="VLAN840 - TV" pvid=840
add bridge=TV-BRIDGE interface="VLAN840 - LIVEBOX" pvid=840
/interface bridge settings
# use-ip-firewall=yes: bridged traffic is also evaluated by /ip firewall;
# fast-path is off.
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
# NOTE(review): no discover-interface-list is exported, so CDP/LLDP runs on
# the default interface set -- TODO confirm it is not answering on sfp1-WAN.
set protocol=cdp,lldp
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 fully disabled; the /ipv6 firewall filter further down drops everything
# as a second layer.
set accept-router-advertisements=no disable-ipv6=yes forward=no \
max-neighbor-entries=8192
/interface list member
# orange_tv groups the three Livebox/TV VLAN interfaces used by the accept
# rules in the firewall.
add interface=sfp1-WAN list=WAN
add interface=sfp2-LAN list=LAN
add interface="VLAN840 - LIVEBOX" list=orange_tv
add interface="VLAN840 - TV" list=orange_tv
add interface="VLAN832 - LIVEBOX" list=orange_tv
/interface ovpn-server server
# NOTE(review): the OVPN server is not enabled in this export, but md5 stays
# in its accepted auth list should it ever be turned on.
set auth=sha1,md5
/ip address
# 192.168.1.16/24 sits on the physical WAN interface, outside VLAN 832, purely
# to reach the ONU (per its comment).
add address=192.168.88.1/24 comment="Configuration sur port 15" interface=\
ether15-ADMIN network=192.168.88.0
add address=192.168.0.3/24 interface=sfp2-LAN network=192.168.0.0
add address=192.168.1.16/24 comment="Sert \E0 acc\E9der \E0 l'ONU" interface=\
sfp1-WAN network=192.168.1.0
add address=192.168.42.254/24 comment="\"WAN\" LIVEBOX" interface=\
"VLAN832 - LIVEBOX" network=192.168.42.0
/ip dhcp-client
# WAN DHCP client; "clientid" here is RouterOS's built-in option 61 entry,
# not the clienId_livebox option defined above.
add dhcp-options=\
"Vendor class identifier,clientid,User Class Information,Authentication" \
interface=WAN-BRIDGE
/ip dhcp-server network
# Livebox-side network; hands out two external DNS servers directly.
add address=192.168.42.0/24 dns-server=81.253.149.2,80.10.246.132 gateway=\
192.168.42.254 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for clients. On the
# input chain below, UDP 53 from WAN is dropped explicitly, DNS is accepted
# only from the support list, and everything else is dropped at the end.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# support = management subnets allowed full access to the router.
add address=192.168.0.0/24 list=support
add address=192.168.88.0/24 list=support
# bogons: the RFC 1918 entries are disabled because the LAN itself uses those
# ranges. Note 127.0.0.0/16 is narrower than the 127.0.0.0/8 loopback block
# its comment refers to.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes \
list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes \
list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes \
list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
# WAN-IP is a DNS-name entry the router resolves itself; no rule in this
# export references the list.
add address=orange.mackila.com list=WAN-IP
/ip firewall filter
# Forward chain: established/related is fasttracked (hw-offload) first.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
# NOTE(review): these two accept-all rules let anything arriving on the
# orange_tv interfaces reach both the router (input) and the LAN (forward)
# before any of the drop rules further down are consulted.
add action=accept chain=input comment=\
"Accepte tout concernant le d\E9codeur TV" in-interface-list=orange_tv
add action=accept chain=forward comment=\
"Accepte tout concernant le d\E9codeur TV" in-interface-list=orange_tv
add action=accept chain=input comment="Allow multicast TV Orange" dst-port=\
8200,8202 in-interface=TV-BRIDGE protocol=udp
add action=accept chain=input comment="Service Orange TV" dst-port=5678 \
in-interface-list=orange_tv protocol=udp
add action=accept chain=input comment="Allow IGMP for Orange TV" \
in-interface-list=orange_tv protocol=igmp
add action=accept chain=forward comment="DNS/NTP pour le decodeur TV Orange" \
dst-port=53,123 in-interface="VLAN832 - LIVEBOX" out-interface=WAN-BRIDGE \
protocol=udp
add action=accept chain=forward comment="HTTP/S pour le decodeur TV Orange" \
dst-port=80,443 in-interface="VLAN832 - LIVEBOX" out-interface=WAN-BRIDGE \
protocol=tcp
add action=accept chain=forward comment="TV Orange" dst-port=8200,8202 \
in-interface=TV-BRIDGE protocol=udp
# SYN-flood and port-scan detection on input. They sit before the
# established/related accept, so every TCP packet is evaluated by the psd rule
# (the syn-flood rule is narrowed by tcp-flags=syn).
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=drop chain=input comment="Drop incoming UDP DNS requests" \
dst-port=53 in-interface-list=WAN protocol=udp tcp-flags=""
# NOTE(review): 192.168.20.0/24 (GUESTS) does not appear on any interface,
# pool or address in this export -- confirm it still exists.
add action=drop chain=forward comment=\
"Drop packets from GUESTS to LAN adresses" dst-address=192.168.0.0/24 \
src-address=192.168.20.0/24
add action=drop chain=forward comment="Drop packets from WAN to LAN adresses" \
connection-state=new dst-address=192.168.0.0/24 in-interface-list=WAN
# dst-address-list="" on the next rule is an empty matcher and has no effect.
add action=drop chain=forward comment="Drop packets from WAN to LAN adresses" \
connection-state=new dst-address=192.168.88.0/24 dst-address-list="" \
in-interface-list=WAN
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
# Firewall-level winbox block; /ip service below also restricts winbox by
# source address.
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" protocol=tcp \
src-address-list=spammers
# Input chain tail: DNS from support, established/related, full access from
# support, then an unconditional drop. Any chain=input rule listed after
# "Drop anything else!" is never reached.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp \
src-address-list=support
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp \
src-address-list=support
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
# ICMP chain (reached via the three jumps): rate-limited echo request, echo
# reply, time exceeded, unreachable 3:0-1 and PMTUD 3:4; everything else
# dropped.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
# NOTE(review): these chain=input SSH staging rules come after the
# unconditional input drop above, so they are never evaluated and
# ssh_blacklist is never populated (ssh is also disabled in /ip service).
# The forward drop on ssh_blacklist at the end therefore matches nothing.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
# NOTE(review): the forward chain has no final unconditional drop. New
# connections from WAN that miss the two WAN->LAN drops (192.168.0.0/24,
# 192.168.88.0/24) and the bogon/spammer drops are forwarded -- TODO confirm
# 192.168.42.0/24 and 192.168.1.0/24 are meant to be reachable from WAN.
/ip firewall nat
# Single masquerade towards the WAN bridge.
add action=masquerade chain=srcnat out-interface=WAN-BRIDGE
/ip hotspot service-port
set ftp disabled=yes
/ip service
# Only winbox is left enabled, and only from the two management subnets.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.0.0/24
set api-ssl disabled=yes
/ipv6 firewall filter
# Belt-and-braces with disable-ipv6=yes above: drop all IPv6 in every chain.
add action=drop chain=input
add action=drop chain=forward
add action=drop chain=output
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=CCR2004
/system logging
# DHCP topic logging turned on (useful while tuning the ISP options).
add topics=dhcp
/system package update
# Tracks the testing channel.
set channel=testing
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet disabled everywhere; MAC-winbox only from LAN-list interfaces
# (sfp2-LAN).
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no