Difference between revisions of «QMp al Jardí Botànic de Barcelona»

From Guifi.net - Wiki Hispano


Revision as of 16:51, 29 June 2012

This installation lets Jardí Botànic users connect to a network of mesh nodes in roaming mode in order to reach an internal web application. From the mesh cloud it is possible to reach the guifi.net services, but as of the writing of this manual, when someone tries to reach an IP outside guifi.net they are redirected to the hotspot, which sends them to the server.

Basic structure

  • Guifi.net supernode with 1 Rocket M5 + 1 Nanobridge 22db + 1 RB750GL
  • 1 server with OpenVZ containers reachable from guifi.net
  • Mesh network of initially 3 nodes, 6-7 in total.

RB750GL configuration

  • Port 1 (ether1) is used for communication with the server; the server and the RB are separated by a stretch of optical fibre.
  • Ports 2 and 3 are used for the supernode's communication with guifi
  • Port 5 (wlan4) is used for communication with the mesh nodes
    • We define a valid guifi IP on wlan4
    • We create the NAT to the valid guifi IP that we will assign to the mesh node "NI".

Mesh node configuration

  • The initial installation consists of 3 mesh nodes, 1 of which is connected to the RB; we will call it "NI" (internet node).
  • Initially we assemble and configure all the nodes identically: Instalación_de_qMp_en_RouterStation_Pro
  • We go to the wizard and set them all to "roaming" mode.
  • We define the same ESSID for all of them (guifi.net-qMp-JB for the 5 GHz mesh on wlan0 and JardiBotanic for the 2.4 GHz APs on wlan1)
  • We disable the hotspot on all the mesh devices (since the RB will run the hotspot)
service tinyproxy disable
service tinyproxy stop
  • We set one aside, which we will call "GW" or "NI".

Additional "NI" configuration

Network configuration

  • qMp > Xarxa:
    • LAN Devices: eth0, eth1 and wlan1
    • WAN Devices: eth0
    • MESH Devices: wlan0
  • qMp > Xarxa > Advanced Networking:
    • Force internet: Yes
    • Nameservers: set a valid DNS server inside guifi.net (remember, it does not reach the internet)
  • Administració > Xarxa > Interfícies > WAN0:
    • Set it to static and define the IP that will talk to the RB
  • Reboot the device
reboot

Announcing the gateway to guifi

The installation does not actually have internet access, so we have to disable gwck, a service that checks every so often whether the node has internet access

service gwck disable
service gwck stop
qmpcontrol offer_default_gw

We also have to comment out one line of the firewall ( /etc/firewall.user )

root@qmpc2:~# cat /etc/firewall.user 
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

#iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -j RETURN
iptables -t nat -A POSTROUTING -j MASQUERADE

And we restart the firewall

service firewall restart

Now we can log into the other mesh nodes and verify that they can ping the internet.
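Why commenting out that RETURN line matters is easier to see with a small model of the NI's nat/POSTROUTING chain. The following is an added example and not qMp's own code: it walks the two iptables rules from /etc/firewall.user in order, using netfilter's semantics (RETURN in a built-in chain ends evaluation with no NAT; MASQUERADE rewrites the source to the outgoing interface's address). The NI WAN address 10.139.88.74 and the server address 10.139.6.179 are taken from the RB export on this page; the mesh source addresses are constructed sample values.

```python
"""Model of the NI node's nat/POSTROUTING chain from /etc/firewall.user.

Added example, not qMp's own code. Addresses: the NI's WAN address is the
10.139.88.74 that the RB's dst-nat points at (from the page); the mesh
source addresses used in the usage section are constructed."""
import ipaddress

GUIFI = ipaddress.ip_network("10.0.0.0/8")  # the -s and -d of the RETURN rule
NI_WAN_IP = "10.139.88.74"                  # NI's static WAN address facing the RB

# Mirrors the two lines of /etc/firewall.user, in chain order:
#   iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -j RETURN
#   iptables -t nat -A POSTROUTING -j MASQUERADE
RULES = [
    ("return", lambda s, d: s in GUIFI and d in GUIFI),
    ("masquerade", lambda s, d: True),
]


def postrouting(src, dst, return_rule_commented):
    """Return the source address a packet leaves the NI with.

    return_rule_commented=True models the page's edit: the RETURN line is
    commented out, so it is never loaded into the chain."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, match in RULES:
        if action == "return" and return_rule_commented:
            continue
        if match(s, d):
            # RETURN: stop here, chain policy ACCEPT, packet untouched.
            # MASQUERADE: source rewritten to the WAN interface address.
            return NI_WAN_IP if action == "masquerade" else src
    return src


if __name__ == "__main__":
    # Constructed mesh source 10.1.2.3 talking to the server 10.139.6.179.
    for commented in (False, True):
        out = postrouting("10.1.2.3", "10.139.6.179", commented)
        print(f"RETURN line commented={commented}: packet leaves as {out}")
```

With the RETURN line active, a 10.x mesh node talking to a 10.x guifi address keeps its mesh source and guifi has no route back to it; once the line is commented out, that traffic is masqueraded behind the NI's WAN address, which is what the ping test at the end of this section relies on.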


Hotspot and RB configuration

# jun/29/2012 15:45:36 by RouterOS 5.11
# software id = KQP1-MFE4
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=65535 max-message-age=20s mtu=1500 \
    name=lan/lan priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 mac-address=00:0C:42:C4:33:48 \
    master-port=none mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "ether2 ;; ROCKET M5 ;; BARCELONA" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=00:0C:42:C4:33:49 master-port=none mtu=1500 name=wlan1 speed=\
    100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "ether3 ;; NANOBRIDGE 5 ;; ZF" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=00:0C:42:C4:33:4A master-port=none mtu=1500 name=wlan2 speed=\
    100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "ether4 ;; ROCKET M2 ;; CLIENTS" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=00:0C:42:C4:33:4B master-port=none mtu=1500 name=wlan3 speed=\
    100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "ether5 ;; NODE MESH" disabled=no full-duplex=yes l2mtu=1598 mac-address=\
    00:0C:42:C4:33:4C master-port=none mtu=1500 name=wlan4 speed=100Mbps
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
/ip dhcp-server
add authoritative=after-2sec-delay bootp-support=static disabled=yes \
    interface=wlan4 lease-time=3d name=dhcp2
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
    name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
add dns-name=Jardi.Botanic.hs hotspot-address=10.139.88.73 html-directory=\
    hotspot http-cookie-lifetime=4h http-proxy=0.0.0.0:0 login-by=\
    cookie,http-chap name=hsprof1 rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=no
/ip hotspot
add disabled=no idle-timeout=5m interface=wlan4 keepalive-timeout=none name=\
    hotspot1 profile=hsprof1
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=\
    100 status-autorefresh=1m transparent-proxy=no
add idle-timeout=none keepalive-timeout=45m name=Intranet_JB shared-users=2 \
    status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
    name=default pfs-group=modp1024
/ip pool
add name=dhcp_wlan3 ranges=10.228.199.68-10.228.199.126
add name=hs-pool-5 ranges=10.139.88.74-10.139.88.78
/ip dhcp-server
add address-pool=dhcp_wlan3 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=wlan3 lease-time=1h name=dhcp1
add address-pool=hs-pool-5 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=wlan4 lease-time=1h name=dhcp3
/ppp profile
set default change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default
set default-encryption change-tcp-mss=yes name=default-encryption only-one=\
    default use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
    sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
    red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
    5
set only-hardware-queue kind=none name=only-hardware-queue
set multi-queue-ethernet-default kind=mq-pfifo mq-pfifo-limit=50 name=\
    multi-queue-ethernet-default
set default-small kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=35670 client-to-client-reflection=yes disabled=no \
    ignore-as-path-len=no name=default out-filter=ospf-out \
    redistribute-connected=yes redistribute-ospf=no redistribute-other-bgp=\
    yes redistribute-rip=no redistribute-static=no router-id=10.228.199.33 \
    routing-table=""
/routing ospf instance
set default disabled=no distribute-default=never in-filter=ospf-in \
    metric-bgp=auto metric-connected=20 metric-default=1 metric-other-ospf=\
    auto metric-rip=20 metric-static=20 name=default out-filter=ospf-out \
    redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
    redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing ospf area
set backbone area-id=0.0.0.0 disabled=no instance=default name=backbone type=\
    default
/snmp
set contact=guifi@guifi.net enabled=yes engine-id="" location=BCNJardiBotanic \
    trap-target=0.0.0.0 trap-version=1
/snmp community
set public address=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
    disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote-port=514 syslog-facility=daemon \
    syslog-severity=auto target=remote
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
    400MHz force-backup-booter=no silent-boot=no
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
    400MHz force-backup-booter=no silent-boot=no
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api" skin=default
/interface bridge port
add disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 \
    path-cost=10 point-to-point=auto priority=0x80
add disabled=no edge=auto external-fdb=auto horizon=none interface=wlan1 \
    path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface ethernet switch port
set ether1 vlan-mode=disabled
set wlan1 vlan-mode=disabled
set wlan2 vlan-mode=disabled
set wlan3 vlan-mode=disabled
set wlan4 vlan-mode=disabled
set switch1_cpu vlan-mode=disabled
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:5C:FA:D4:61:97 \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.1.19/24 comment=BACKUP disabled=no interface=ether1 \
    network=192.168.1.0
add address=10.228.199.33/29 disabled=no interface=lan/lan network=\
    10.228.199.32
add address=172.25.48.169/29 comment=\
    "ROCKET M5 ;; BARCELONA peer_bcnrossello208" disabled=no interface=wlan1 \
    network=172.25.48.168
add address=172.25.48.177/29 comment="ROCKET M2 ;; CLIENTS" disabled=no \
    interface=wlan3 network=172.25.48.176
add address=10.228.199.65/26 comment="CLIENTS NETWORK" disabled=no interface=\
    wlan3 network=10.228.199.64
add address=172.25.48.185/29 comment="NANOBRIDGE ZF" disabled=no interface=\
    wlan2 network=172.25.48.184
add address=10.228.199.34/29 disabled=yes interface=lan/lan network=\
    10.228.199.32
add address=172.31.5.5/24 comment="LAN INTERNA JARDI BOTANIC" disabled=no \
    interface=ether1 network=172.31.5.0
add address=10.139.6.177/28 comment=SERVERS disabled=no interface=ether1 \
    network=10.139.6.176
add address=10.228.201.225/29 comment="CLIENTS T1 ;; TEMPORAL" disabled=no \
    interface=wlan1 network=10.228.201.224
add address=172.25.49.145/29 comment="WDS BCNOSI52" disabled=no interface=\
    wlan1 network=172.25.49.144
add address=172.25.32.29/30 comment=MESSHHH disabled=yes interface=wlan4 \
    network=172.25.32.28
add address=10.139.88.73/29 comment=MESSHHH disabled=no interface=wlan4 \
    network=10.139.88.72
add address=172.30.93.114/16 comment=MESSSSSSSSSSSHHHHHHHHHHHHH disabled=no \
    interface=wlan4 network=172.30.0.0
/ip dhcp-client
add comment="default configuration" default-route-distance=1 disabled=yes \
    interface=ether1
add default-route-distance=0 disabled=yes interface=wlan4
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server lease
add address=10.139.88.74 disabled=yes mac-address=00:15:6D:C9:C1:C2 server=\
    dhcp3
/ip dhcp-server network
add address=10.139.88.72/29 comment="hotspot network" gateway=10.139.88.73
add address=10.228.199.64/26 dns-server=10.228.199.65 domain=guifi.net \
    gateway=10.228.199.65
add address=172.25.32.28/30 gateway=172.25.32.29
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=172.30.22.1,10.139.6.130
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=reject chain=input comment="no permetre acces xarxa jb" disabled=\
    no dst-address=172.31.5.0/24 in-interface=wlan2 reject-with=\
    icmp-net-prohibited src-address=10.0.0.0/8
add action=reject chain=input comment="no permetre acces xarxa jb" disabled=\
    no dst-address=172.31.5.0/24 in-interface=wlan1 reject-with=\
    icmp-net-prohibited src-address=10.0.0.0/8
/ip firewall nat
add action=src-nat chain=srcnat comment=old disabled=yes dst-address=\
    !172.16.0.0/12 protocol=!ospf src-address=172.16.0.0/12 to-addresses=\
    10.228.199.33
add action=src-nat chain=srcnat comment=old disabled=yes dst-address=\
    !192.168.0.0/16 src-address=192.168.0.0/16 to-addresses=10.228.199.33
add action=src-nat chain=srcnat disabled=no dst-address=!172.16.0.0/12 \
    protocol=!ospf src-address=172.16.0.0/12 to-addresses=10.228.199.33
add action=src-nat chain=srcnat disabled=no dst-address=!192.168.0.0/16 \
    src-address=192.168.0.0/16 to-addresses=10.228.199.33
add action=dst-nat chain=dstnat comment="ROCKET M5" disabled=no dst-address=\
    10.228.199.34 to-addresses=172.25.48.171
add action=dst-nat chain=dstnat comment=NANOBRIDGE disabled=no dst-address=\
    10.228.199.35 to-addresses=172.25.48.187
add action=dst-nat chain=dstnat comment="ROCKET M2" disabled=no dst-address=\
    10.228.199.36 to-addresses=172.25.48.178
add action=dst-nat chain=dstnat comment="NANOBRIDGE ZF TEMPORAL" disabled=yes \
    dst-address=10.228.199.37 to-addresses=172.25.48.188
add action=dst-nat chain=dstnat comment=MESSSHHHH disabled=no dst-address=\
    10.228.199.37 to-addresses=10.139.88.74
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=yes out-interface=wlan4
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=172.25.32.28/30
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=10.139.88.72/29
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=10.139.88.72/29
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot ip-binding
add comment=JM disabled=yes mac-address=00:19:D2:BE:C9:CB type=bypassed
add comment=Black disabled=yes mac-address=00:21:6A:A5:21:78 type=bypassed
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add disabled=no name=admin password=1234 profile=Intranet_JB
/ip hotspot walled-garden
add action=allow comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept comment="permetre acc\E9s al server" disabled=no \
    dst-address=10.139.6.179 server=hotspot1
add action=accept comment="permetre acc\E9s a guifi" disabled=no dst-address=\
    10.0.0.0/8 server=hotspot1
add action=accept comment="permetre acc\E9s a la RB" disabled=no dst-address=\
    10.139.88.73 server=hotspot1
/ip neighbor discovery
set ether1 disabled=yes
set wlan1 disabled=no
set wlan2 disabled=no
set wlan3 disabled=no
set wlan4 disabled=no
set lan/lan disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
    600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
    0.0.0.0
/ip service
set telnet disabled=no port=23
set ftp disabled=no port=21
set www disabled=no port=80
set ssh disabled=no port=22
set www-ssl certificate=none disabled=yes port=443
set api disabled=yes port=8728
set winbox disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip ssh
set forwarding-enabled=no
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
add disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
    lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no
/port firmware
set directory=firmware
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=ethernet-default
set wlan1 queue=ethernet-default
set wlan2 queue=ethernet-default
set wlan3 queue=ethernet-default
set wlan4 queue=ethernet-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set all disabled=no interface=all interval=0.2sec min-rx=0.2sec multiplier=5
/routing bgp network
add disabled=no network=10.228.199.32/29 synchronize=yes
add disabled=no network=10.228.199.64/26 synchronize=yes
add disabled=no network=10.228.201.224/29 synchronize=yes
add disabled=no network=10.139.6.176/28 synchronize=yes
/routing bgp peer
add address-families=ip as-override=no default-originate=never disabled=no \
    hold-time=3m in-filter=ospf-in instance=default multihop=no name=\
    BCNrossello208RB1100 nexthop-choice=default out-filter=ospf-out passive=\
    no remote-address=172.25.48.170 remote-as=26325 remove-private-as=no \
    route-reflect=no tcp-md5-key="" ttl=1 use-bfd=no
add address-families=ip as-override=no default-originate=never disabled=no \
    hold-time=3m in-filter=ospf-in instance=default multihop=no name=\
    BCNosi52RB750 nexthop-choice=default out-filter=ospf-out passive=no \
    remote-address=172.25.49.146 remote-as=38104 remove-private-as=no \
    route-reflect=no tcp-md5-key="" ttl=1 use-bfd=no
/routing filter
add action=discard chain=ebgp-in comment=\
    "1. Discard insert non 10.x routes from BGP peer" disabled=yes \
    invert-match=no prefix=!10.0.0.0/8 prefix-length=!8-32
add action=discard chain=ebgp-out comment=\
    "2. Discard send non 10.x routes to BGP peer" disabled=yes invert-match=\
    no prefix=!10.0.0.0/8 prefix-length=!8-32
add action=accept chain=ospf-in comment=\
    "3. Accept insert 10.x routes from OSPF neighbor" disabled=yes \
    invert-match=no prefix=10.0.0.0/8 prefix-length=8-32
add action=accept chain=ospf-in comment=\
    "4. Accept insert 172.x routes from OSPF neighbor" disabled=yes \
    invert-match=no prefix=172.16.0.0/12 prefix-length=8-32
add action=discard chain=ospf-in comment=\
    "5. Discard insert non 10.x and 172.x from OSPF neighbor" disabled=yes \
    invert-match=no
add action=accept chain=ospf-out comment=\
    "6. Allow send 10.x routes to OSPF neighbor" disabled=yes invert-match=no \
    prefix=10.0.0.0/8 prefix-length=8-32
add action=accept chain=ospf-out comment=\
    "7. Allow send 172.x routes to OSPF neighbor" disabled=yes invert-match=\
    no prefix=172.16.0.0/12 prefix-length=8-32
add action=discard chain=ospf-out comment=\
    "8. Discard send non 10.x and 172.x to OSPF neighbor" disabled=yes \
    invert-match=no
add action=discard chain=ebgp-in comment=\
    "1. Discard insert non 10.x routes from BGP peer" disabled=no \
    invert-match=no prefix=!10.0.0.0/8 prefix-length=!8-32
add action=discard chain=ebgp-out comment=\
    "2. Discard send non 10.x routes to BGP peer" disabled=no invert-match=no \
    prefix=!10.0.0.0/8 prefix-length=!8-32
add action=accept chain=ospf-in comment=\
    "3. Accept insert 10.x routes from OSPF neighbor" disabled=no \
    invert-match=no prefix=10.0.0.0/8 prefix-length=8-32
add action=accept chain=ospf-in comment=\
    "4. Accept insert 172.x routes from OSPF neighbor" disabled=no \
    invert-match=no prefix=172.16.0.0/12 prefix-length=8-32
add action=discard chain=ospf-in comment=\
    "5. Discard insert non 10.x and 172.x from OSPF neighbor" disabled=no \
    invert-match=no
add action=accept chain=ospf-out comment=\
    "6. Allow send 10.x routes to OSPF neighbor" disabled=no invert-match=no \
    prefix=10.0.0.0/8 prefix-length=8-32
add action=accept chain=ospf-out comment=\
    "7. Allow send 172.x routes to OSPF neighbor" disabled=no invert-match=no \
    prefix=172.16.0.0/12 prefix-length=8-32
add action=discard chain=ospf-out comment=\
    "8. Discard send non 10.x and 172.x to OSPF neighbor" disabled=no \
    invert-match=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing ospf interface
add authentication=none authentication-key="" authentication-key-id=1 cost=10 \
    dead-interval=40s disabled=no hello-interval=10s instance-id=0 \
    network-type=default passive=no priority=1 retransmit-interval=5s \
    transmit-delay=1s use-bfd=no
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/store
add disabled=no disk=system name=web-proxy1 type=web-proxy
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no term=vt102
/system health
set
/system identity
set name=BCNJardiBotanic-RB750
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.138.27.98 secondary-ntp=\
    10.138.27.194
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
    none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=no enabled=yes max-sessions=100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
/tool mac-server
set (unknown) disabled=no interface=wlan1
set (unknown) disabled=no interface=wlan2
set (unknown) disabled=no interface=wlan3
set (unknown) disabled=no interface=wlan4
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-stream=yes interface=all \
    memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=\
    no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no
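The export above is long, and the settings that matter most for a review (which management services are enabled, which hotspot users carry a password in the export, which SNMP communities are open, which NAT rules are actually active rather than left disabled) are scattered across it. The following is an added example, not part of the wiki page or of RouterOS: a small parser for the `/export` format as it appears here (section paths starting with "/", "add"/"set" lines, backslash line continuations, quoted values) plus a few checks over the parsed entries. The EXPORT string is a constructed excerpt whose lines are copied from the RB750GL export on this page; all function names are this example's own.

```python
"""Parse a RouterOS `/export` dump and flag security-relevant settings.

Added example, not the wiki page's or RouterOS's own code. EXPORT is a
constructed excerpt made of lines from the page's RB750GL export."""
import shlex

EXPORT = r'''
/ip hotspot user
add disabled=no name=admin password=1234 profile=Intranet_JB
/ip service
set telnet disabled=no port=23
set ftp disabled=no port=21
set www disabled=no port=80
set ssh disabled=no port=22
set www-ssl certificate=none disabled=yes port=443
set api disabled=yes port=8728
set winbox disabled=no port=8291
/snmp community
set public address=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=10.139.88.72/29
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=10.139.88.72/29
'''


def _logical_lines(text):
    """Join physical lines ending in a backslash into one logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_export(text):
    """Return a list of entries: {"section", "verb", "target", key: value...}.

    Positional tokens after the verb (e.g. the "public" in
    "set public address=...") are collected under "target"."""
    section, entries = None, []
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # honours the export's double quotes
        entry = {"section": section, "verb": tokens[0], "target": []}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                entry[key] = val
            else:
                entry["target"].append(tok)
        entries.append(entry)
    return entries


def enabled(entry):
    return entry.get("disabled", "no") != "yes"


def cleartext_management_services(entries):
    """Enabled /ip service entries whose protocol sends credentials in clear."""
    clear = {"telnet", "ftp", "www", "api"}
    return sorted(e["target"][0] for e in entries
                  if e["section"] == "/ip service" and enabled(e)
                  and e["target"][0] in clear)


def hotspot_users_with_password(entries):
    """Enabled hotspot users whose password is present in the export."""
    return [e["name"] for e in entries
            if e["section"] == "/ip hotspot user" and enabled(e) and e.get("password")]


def open_snmp_communities(entries):
    """SNMP communities reachable from any address with no security."""
    return [e["name"] for e in entries
            if e["section"] == "/snmp community"
            and e.get("address") == "0.0.0.0/0" and e.get("security") == "none"]


def active_rules(entries, section):
    """Only the rules that are actually loaded (disabled=yes ones are skipped)."""
    return [e for e in entries if e["section"] == section and enabled(e)]


def audit(text):
    entries = parse_export(text)
    return {
        "cleartext_services": cleartext_management_services(entries),
        "hotspot_users_with_password": hotspot_users_with_password(entries),
        "open_snmp": open_snmp_communities(entries),
        "active_nat_rules": len(active_rules(entries, "/ip firewall nat")),
    }


if __name__ == "__main__":
    for key, val in audit(EXPORT).items():
        print(f"{key}: {val}")
```

Run against the full export on this page the same checks also pick up the duplicated but disabled NAT and routing-filter entries, which is useful when deciding what can be deleted before the configuration is handed over.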

Acknowledgements/Contributors

  • p4u: qMp
  • joanm: xsf
  • pablog: marsupi
  • al: marsupi
  • Blackhold: marsupi