-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
--------------------------- ( [Link]-Config ) --------------------- [ INI ]
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
# SO: RouterOS (Mikrotik), config general x (8) etherX.
# Interfaces: WAN (1…5) LAN (6…19) [Link] (20…89) SOS/RES (90…99).
# Tormenta ARP (Interface-Loop):.
# [Link] (+anti-LOOPs): --------------------------------------------
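# Loop protection on the eight physical ports (addressed by ether index 0..7 and
# renamed by role). Each port sends a loop-protect frame every 5s and is shut down
# for 1m when its own frame comes back on it (interface loop / ARP storm).
# The names WAN*/LAN*/SOS*/RES* are what every later rule refers to, so a rename
# here has to be propagated through the whole file.
# Fix: the original had "loop-protect-disable-time=1mcomment=..." with no separator,
# so "1mcomment=..." would be read as the disable-time value instead of "1m" plus
# a separate comment= argument.
/interface ethernet set 0 name=”WAN1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1m comment=”WAN1.[ TELCO ]”;
/interface ethernet set 1 name=”WAN2” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1m comment=”WAN2.[ … ]”;
/interface ethernet set 2 name=”WAN3” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1m comment=”WAN3.[ … ]”;
/interface ethernet set 3 name=”LAN1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1m comment=”LAN1.[ WR.1-1 ]”;
/interface ethernet set 4 name=”LAN2” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1m comment=”LAN2.[ WR.2-2 ]”;
/interface ethernet set 5 name=”LAN3” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1m comment=”LAN3.[ … ]”;
/interface ethernet set 6 name=”SOS1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1m comment=”SOS1.[ … ]”;
/interface ethernet set 7 name=”RES1” loop-protect=on loop-protect-send-interval=5s
loop-protect-disable-time=1m comment=”RES1.[ … ]”;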
# …
# Nota: descubre loops de paquetes en capa 2 → ([Link]=src-MAC=dst-MAC).
# [Link]:
------------------------------------------------------------------------
# Router addresses, one entry per interface, every one added disabled so the same
# template can be enabled per site. The leading tag in each comment (01R>, 06R+,
# 07Rx, ...) is the author's rule index; the trailing +/x/> marker appears to
# distinguish the variant that is meant to be enabled — TODO confirm the scheme.
# LAN1, LAN2 and LAN3 each carry two candidate addresses (06R+/07Rx, 08R+/09R+,
# 10Rx/11Rx); only one of each pair should be enabled on a given RB.
# NOTE(review): the full property name is "disabled"; "disable=yes" works through
# the console's prefix matching (the scheduler entries further down spell it out).
/ip address add address=X.Y.Z.W/24 interface=WAN1 comment=”01R>: WAN1.
[ TELCO.[Link] ]” disable=yes;
/ip address add address=1...21/32 interface=WAN2 comment=”02Rx: WAN2.[ … ]”
disable=yes;
/ip address add address=1...21/32 interface=WAN3 comment=”03Rx: WAN3.[ … ]”
disable=yes;
/ip address add address=1...1/24 interface=LAN1 comment=”06R+: LAN1.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN1 comment=”07Rx: LAN1.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN2 comment=”08R+: LAN2.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN2 comment=”09R+: LAN2.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN3 comment=”10Rx: LAN3.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...1/24 interface=LAN3 comment=”11Rx: LAN3.[ Gateway+DNS1.
]” disable=yes;
/ip address add address=1...2/32 interface=SOS1 comment=”90R+: EMERGENCY1.[ … ]”
disable=yes;
/ip address add address=1.../32 interface=RES1 comment=”91R+: RESERVADO1.[ … ]”
disable=yes;
# …
# Agrupar Interfaces (WANs):
----------------------------------------------------------
# Interface lists WANs and LANs. Every NAT and raw rule below matches on these two
# lists rather than on individual ports, so a port that is not a member of the
# right list is silently outside the firewall policy written for that side.
# NOTE(review): the lists themselves (/interface list add name=WANs ...) are not
# created in this file — they must exist before members can be added.
/interface list member add interface=WAN1 list=WANs comment=”01R+: [Link] (WAN1)”
disable=yes;
/interface list member add interface=WAN2 list=WANs comment=”02Rx: [Link] (WAN2)”
disable=yes;
/interface list member add interface=WAN3 list=WANs comment=”03Rx: [Link] (WAN3)”
disable=yes;
# …
# Group interfaces (LANs): ------------------------------------------------------
/interface list member add interface=LAN1 list=LANs comment=”06R+: [Link] (LAN1)”
disable=yes;
/interface list member add interface=LAN2 list=LANs comment=”07R+: [Link] (LAN2)”
disable=yes;
/interface list member add interface=LAN3 list=LANs comment=”08Rx: [Link] (LAN3)”
disable=yes;
# …
# Nota: comenzar las LANs con el puerto (físico:4, lógico:3) x ([Link]). En
caso de usar Wireless (WLAN1, usar: interface=bridge1).
# Establecer [Link]: ------------------------------------- (FUNDAMENTAL)
# Interface queue type for every port. ethernet-default is the built-in pfifo with a
# 50-packet limit (author's note); the author marks this as FUNDAMENTAL and says to
# extend it to every port in use.
/queue interface set WAN1 queue=ethernet-default; # ethernet-default -> pfifo, 50 packets
/queue interface set WAN2 queue=ethernet-default;
/queue interface set WAN3 queue=ethernet-default;
/queue interface set LAN1 queue=ethernet-default;
/queue interface set LAN2 queue=ethernet-default;
/queue interface set LAN3 queue=ethernet-default;
/queue interface set SOS1 queue=ethernet-default;
/queue interface set RES1 queue=ethernet-default;
# …
# Nota: continuar hasta cubrir todas las interfaces usadas (cambiar según eficiencia).
# [Link]:
----------------------------------------------------------------------------
# Router-side DNS resolver/cache. With allow-remote-requests=yes the router answers
# queries arriving on ANY interface, i.e. it is an open resolver usable for
# amplification unless port 53 from the WAN side is dropped. The raw rules 002R+ and
# 004R+ later in this file do exactly that and must stay enabled together with this.
/ip dns set servers=[Link],[Link],[Link],[Link];
/ip dns set allow-remote-requests=yes; # the RB is the LAN resolver (paired with the dst-nat port-53 redirect below)
/ip dns set max-udp-packet-size=4096;
/ip dns set cache-size=51200; # in KiB (~50MB); the cache is not persistent across reboots
/ip dns set cache-max-ttl=1d; # cap cached TTLs at one day (author: to limit the lifetime of bad records)
# [Link]:
-------------------------------------------------------------------------
# Default route via WAN1 with gateway liveness checking (check-gateway=ping: the
# route is marked unreachable when the gateway stops answering ping, author says
# every 10s). Added disabled like the rest of the template.
/ip route add gateway=[Link] check-gateway=ping comment=”01R>: Ruta.WAN1, hacia
[Link]-Border.....1” disable=yes;
# Nota: (AS: Active and Static Connection), (CD: Connected and Dynamic), (X:
Deshabilitada), (ping: chequea c/10s – check-gateway=ping –).
# [Link]:
-------------------------------------------------------------
# Source NAT for traffic leaving through the WANs. 100R> masquerades on the whole
# WANs interface list; 101R<-103R< do the same per interface and are redundant with
# it — enable either the list rule or the per-interface rules, not both. masquerade
# is meant for WAN addresses that change; a fixed public IP would normally use
# action=src-nat with an explicit to-addresses.
/ip firewall nat add chain=srcnat out-interface-list=WANs comment=”100R>: NAT.C-
IPPri (WANs)” action=masquerade disable=yes;
/ip firewall nat add chain=srcnat out-interface=WAN1 comment=”101R<: NAT.C-IPPri
(WAN1)” action=masquerade disable=yes;
/ip firewall nat add chain=srcnat out-interface=WAN2 comment=”102R<: NAT.C-IPPri
(WAN2)” action=masquerade disable=yes;
/ip firewall nat add chain=srcnat out-interface=WAN3 comment=”103R<: NAT.C-IPPri
(WAN3)” action=masquerade disable=yes;
# Nota: establece y restringe el acceso desde LANs a Internet, a través de WANs.
# Reglas para transparentar ([Link]-Cache): ---------------------------------------
# Transparent DNS: any port-53 query (UDP and TCP) entering from the LANs list is
# redirected to the router's own resolver, whatever server the client configured.
# Only classic DNS is caught — DNS over TLS (853) or DNS over HTTPS (443) is not
# affected by these rules.
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LANs
comment=”110R+: [Link]-Trafic a [Link]” action=redirect to-ports=53
disable=yes;
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 in-interface-list=LANs
comment=”111R+: [Link]-Trafic a [Link]” action=redirect to-ports=53
disable=yes;
# Nota: redirecciona (peticiones de DNS) y permite, establecer any-IP en
[Link].
# [Link]:
--------------------------------------------------------------------
# NTP client. Correct time matters for log timestamps, the scheduler entries below
# and any certificate validation; two servers are configured for redundancy.
/system ntp client set primary-ntp=[Link] secondary-ntp=[Link]
enable=yes;
# [Link]:
---------------------------------------------------------------------------
# SMTP relay used by the e-mail logging actions below. The password is stored in the
# router configuration and is included in /export unless hide-sensitive is used, so
# use a dedicated mailbox / application password (the author's "second-factor key")
# rather than the main account password.
/tool e-mail set address=[Link];
/tool e-mail set port=587; # submission port, STARTTLS below
/tool e-mail set from=xxx@[Link]; # sender shown on alert mails
/tool e-mail set user=xxx;
/tool e-mail set password=[Link]; # or the application / second-factor password
/tool e-mail set start-tls=yes; # TLS between the RB and the relay when the relay offers it
# NOTE(review): start-tls=yes is opportunistic; tls-only refuses plaintext — confirm on this ROS version
# Nota: (2da autenti: [Link]
#
-----------------------------------------------------------------------------------
--------
# Configuración básica de seguridad del RB:
# [Link]:
-----------------------------------------------------------------------
# Local accounts. User 0 is the built-in admin, renamed and given a new password
# (group=full); a write and a read account are created disabled for later use.
# Passwords here are placeholders — every RB gets its own. The author relies on a
# trailing space inside the comment as a marker, so keep it. A /user address=
# restriction would additionally limit where each account may log in from.
/system identity set name="[Link] [ .... ]"; # change per RB
/user set 0 name="user(x)" password=”[Link](x)” group=full comment=“xxx.RB01
”; # keep the trailing space and change per RB
# --------------------------------------------------
/user add name="user(y)" password="zzzzzzza” group=write comment=“xxx.RB01 ”
disable=yes; # keep the trailing space and change per RB
/user add name="user(z)" password="zzzzzzzb” group=read comment=“xxx.RB01 ”
disable=yes; # keep the trailing space and change per RB
# Nota: modificar permisos (read a full), según corresponda.
# [Link]:
------------------------------------------------------------
# Management services. telnet, ftp, www, www-ssl, api-ssl and ssh are switched off;
# winbox and the plaintext api stay on, moved to non-default ports. Moving ports
# only reduces scanner noise — it is not access control. The api service carries
# credentials in clear, so api-ssl should replace it once a certificate is in
# place, and every enabled service should be bound with address=<mgmt subnet> as
# the author's notes suggest.
/ip service disable telnet,ftp,www,www-ssl,api-ssl,ssh;
/ip service enable winbox,api;
/ip service set api-ssl port=3333; # enable only once TLS (certificate) is sorted out
/ip service set www-ssl port=3334; # enable only once TLS (certificate) is sorted out
/ip service set winbox port=3335;
# or restrict it, e.g. address=<management subnet>
/ip service set api port=3336;
# or restrict it, e.g. address=<management subnet>, only for the automation host
# [Link]:
----------------------------------------------------------
# Layer-2 management. MAC-Winbox is allowed on ALL interfaces, which includes the
# WAN ports: anyone on the WAN-side L2 segment can open Winbox by MAC address and
# no IP firewall rule is in the path. allowed-interface-list=LANs (or none) is the
# safer setting; MAC-Telnet and MAC-ping are off and neighbor discovery is
# disabled on every interface so the RB does not advertise itself.
/tool mac-server mac-winbox set allowed-interface-list=all; # none would drop MAC-Winbox (author currently allows access by MAC)
/tool mac-server set allowed-interface-list=none; # ignore MAC-Telnet
/tool mac-server ping set enabled=no; # ignore MAC ping
/ip neighbor discovery-settings set discover-interface-list=none; # hide the RB from neighbor discovery
# [Link] Alert:
--------------------------------------------------------------------
# E-mail alerting for login failures and ethernet loops.
# NOTE(review): the same action name EmailCriticalAlert is added twice; the second
# add conflicts with the first — presumably a second name/recipient was intended.
# Topics listed together in one logging rule must ALL be present on a message
# (AND), which is why critical,system,error is used for failed logins; loop-protect
# events carry interface,warning. The prefix embeds the router identity so alerts
# from several RBs can be told apart.
/system logging action add name=EmailCriticalAlert target=email email-
to=xxx@[Link];
/system logging action add name=EmailCriticalAlert target=email email-
to=xxx@[Link];
/system logging add topics=critical,system,error prefix=([/system identity get
name].“.LoginFailed”) action=EmailCriticalAlert; # fires on a failed login attempt
/system logging add topics=interface,warning prefix=([/system identity get
name].“.EthernetLoop”) action=EmailCriticalAlert; # fires when loop-protect detects an ethernet loop
# Creo listas static de IPs, según necesidad:
----------------------------------------
# ---------------------------------- [[Link]]
# Management-source list: the public, WiFi and private addresses allowed to reach
# the router's services. Every rule below that matches on this list is effectively
# the administration allow-list, so keep it short and host-specific (a bare
# address defaults to /32) and review it whenever an operator changes address.
/ip firewall address-list add address=X.Y.Z.W list=[Link] comment=”R+:
[Link] (Public)” disable=yes;
/ip firewall address-list add address=X.Y.Z.W1 list=[Link] comment=”R+:
[Link] (WiFi)” disable=yes;
/ip firewall address-list add address=1...120 list=[Link] comment=”R+:
[Link] (Private)” disable=yes;
/ip firewall address-list add address=1...120 list=[Link] comment=”R+:
[Link] (Private)” disable=yes;
/ip firewall address-list add address=1...120 list=[Link] comment=”Rx:
[Link] (Private)” disable=yes;
/ip firewall address-list add address=1...120 list=[Link] comment=”R+:
[Link] (Private)” disable=yes;
/ip firewall address-list add address=1...120 list=[Link] comment=”R+:
[Link] (Private)” disable=yes;
# Note (author): if the management address falls inside a range covered by the other
# list, it has to be added explicitly as allowed.
# --------------------------------------- [[Link]]
/ip firewall address-list add address=1...0/24 list=[Link] comment=”C+:
IPs.LAN1 permitidas” disable=yes;
/ip firewall address-list add address=1...0/24 list=[Link] comment=”C+:
IPs.LAN2 permitidas” disable=yes;
/ip firewall address-list add address=1...0/24 list=[Link] comment=”C+:
IPs.LAN2 permitidas” disable=yes;
/ip firewall address-list add address=1...0/24 list=[Link] comment=”Cx:
IPs.LAN3 permitidas” disable=yes;
# Nota: LANs, habilitadas en el RB.
# --------------------------------------- [[Link]]
/ip firewall address-list add address=X.Y.Z.W/32 list=[Link] comment=”Rx:
BGP/[Link] permitido” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link] comment=”Rx:
[Link] permitido” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link] comment=”Rx:
[Link] permitido” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: [Link] permitido” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: [Link] permitido” disable=yes;
# …
# ----------------------------------------- [[Link] (especiales)]
# /ip firewall address-list add address=1...11/32 list=[Link] comment=”Rx:
[Link] (ID: Zarate.Omni5G)” disable=yes;
# /ip firewall address-list add address=1...12/32 list=[Link] comment=”Rx:
[Link] (ID: [Link])” disable=yes;
# …
# Nota: especificas IPs (no [Link]), habilitadas x Nateo de Ports en el RB.
# ---------------------------------------- [[Link]]
/ip firewall address-list add address=X.Y.Z.W1 list=[Link] comment=”R+:
[Link] (ID: [Link])” disable=yes;
/ip firewall address-list add address=[Link] list=[Link] comment=”R+:
[Link] (ID: [Link])” disable=yes;
/ip firewall address-list add address=[Link] list=[Link] comment=”R+:
[Link] (ID: [Link])” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”R+: [Link] (ID: [Link])” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”R+: [Link] (ID: [Link])” disable=yes;
# …
# Nota: ¿desbloquear (#), si fuese necesario, responder ping de los DNS?
# ----------------------------------- [[Link]] ([Link])
/ip firewall address-list add address=X.Y.Z.W10-X.Y.Z.W42 list=[Link]
comment=”R+: [Link] (ID: Familia )” disable=yes;
# …
# ---------------------------------------- [[Link]]
/ip firewall address-list add address=1...120 list=[Link] comment=”R+:
[Link] (ID: [Link])” disable=yes;
/ip firewall address-list add address=1...121 list=[Link] comment=”R+:
[Link] (ID: [Link])” disable=yes;
/ip firewall address-list add address=1...123 list=[Link] comment=”R+:
[Link] (ID: ______,________________ )” disable=yes;
# …
# Nota: Se usará solo x ataque. Add [Link], según requerimiento del Client.
# ---------------------------------------- [[Link]]
/ip firewall address-list add address=X.Y.Z.0/24 list=[Link]
comment=”R+: [Link] (ID: Pool/[Link])” disable=yes;
/ip firewall address-list add address=[Link] list=[Link] comment=”Rx:
[Link] (ID: [Link])” disable=yes;
/ip firewall address-list add address=[Link] list=[Link] comment=”Rx:
[Link] (ID: [Link])” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: [Link] (ID: [Link])” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: [Link] (ID: [Link])” disable=yes;
# …
# Nota: ¿desbloquear (#), si fuese necesario, emitir ping a los DNS?
# ----------------------------- [BOGON IPs]
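# Static bogon / reserved-range list used by the drop rules. Such lists go stale:
# ranges that were unallocated when this was written get assigned later, so the
# list needs periodic review against the current IANA/RIR data before it is used
# to drop traffic. All entries are added disabled like the rest of the template.
# Fix: the /24 entry below had "list= [Link]" (space after "="), which leaves the
# list property empty and the list name dangling as a stray argument.
/ip firewall address-list add address=[Link]/16 list=[Link] comment=”R+:
BOGONIP: Rango [Link]” disable=yes;
/ip firewall address-list add address=[Link]/8 list=[Link] comment=”R+:
BOGONIP: ” disable=yes;
/ip firewall address-list add address=[Link]/8 list=[Link] comment=”R:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=[Link]/24 list=[Link] comment=”R+:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=[Link]/24 list=[Link] comment=”R+:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=[Link]/15 list=[Link] comment=”R+:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=[Link]/24 list=[Link]
comment=”R+: BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=[Link]/24 list=[Link] comment=”R+:
BOGONIP: --- ” disable=yes;
/ip firewall address-list add address=[Link]/4 list=[Link] comment=”R+:
BOGONIP: --- ” disable=yes;
# Note (author): addresses currently not assigned to any entity; there are many more.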
# -------------------------------------------- [IP Public especiales]
# --------------------- [[Link]]
/ip firewall address-list add address=1..255 list=[Link] comment=”Rx: [Link]
([Link])” disable=yes;
/ip firewall address-list add address=1..255 list=[Link] comment=”Rx:
[Link] ([Link])” disable=yes;
# --------------------- [BLACKHOLE]
/ip firewall address-list add address=10..1 list=[Link] comment=”R+:
[Link] ([Link]: PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED)” disable=yes;
# --------------------- [[Link]]
# …
# --------------------- [[Link]]
/ip firewall address-list add address=1..1 list=[Link] comment=”Cx:
[Link] (Accept x ENACOM (ID: ______,________________ ))” disable=yes;
# …
# Nota: Cuevana (AS13335 - NetName: CLOUDFLARENET), limitar rangos.
# --------------------------------------------- [[Link]]
# --------------------------------------------------------------------------- [x
Routers]
/ip firewall address-list add address=X.Y.Z.W/32 list=[Link]
comment=”Rx: Alta-Conectividad (BGP/[Link])” disable=yes;
/ip firewall address-list add address=X.A.B.W/32 list=[Link]
comment=”Rx: Alta-Conectividad (BGP/[Link])” disable=yes;
# ------------------------------------------
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: Alta-Conectividad ([Link]: [Link])” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: Alta-Conectividad ([Link]: [Link])” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: Alta-Conectividad ([Link]: [Link])” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: Alta-Conectividad ([Link]: [Link])” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: Alta-Conectividad ([Link]: [Link])” disable=yes;
/ip firewall address-list add address=[Link]/32 list=[Link]
comment=”Rx: Alta-Conectividad ([Link]: [Link])” disable=yes;
# ------------------------------------------
/ip firewall address-list add address=1...1/32 list=[Link]
comment=”R+: Alta-Conectividad ([Link]: 1...1)” disable=yes;
/ip firewall address-list add address=2...2/32 list=[Link]
comment=”R+: Alta-Conectividad ([Link]: 2...2)” disable=yes;
# --------------------------------------------------------------------------- [x
Clientes]
/ip firewall address-list add address=1...1 list=[Link]
comment=”Cx: Alta-Conectividad (ID: ______,________________)” disable=yes;
# …
# --------------------------------------------- [[Link]-Horaria]
/ip firewall address-list add address=1..1 list=[Link] comment=”C+:
[Link] (S-D)” disable=yes;
/ip firewall address-list add address=1..1 list=[Link] comment=”C+:
[Link] (L-V)” disable=yes;
/ip firewall address-list add address=1..1 list=[Link] comment=”Cx:
[Link] ([Link]ñanas)” disable=yes;
/ip firewall address-list add address=1..1 list=[Link] comment=”Cx:
[Link] ([Link])” disable=yes;
/ip firewall address-list add address=1..1 list=[Link] comment=”Cx:
[Link] (<Nombre>: 000D, expira el: 00/00/0000)” disable=yes;
# Nota: [Link], [Link] hasta comment (fecha expira<fecha actual).
# --------------------------------------------- [[Link]-Media]
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
/ip firewall address-list add address=1..1 list=C-PROMO![Link] comment=”Cx:
[Link] (![Link])” disable=yes;
# ---------------------------------------------------------------
[[Link]]
/ip firewall address-list add address=”[Link]”
list=[Link] comment=”Cx: QoS ( [Link] de Netflix: probe-dradis-
[Link])” disable=yes;
/ip firewall address-list add address=”[Link]”
list=[Link] comment=”Cx: QoS ( [Link] de Netflix: probe-
[Link] )” disable=yes;
/ip firewall address-list add address=”[Link]”
list=[Link] comment=”Cx: QoS ( [Link] de Netflix: [Link]-
[Link] )” disable=yes;
# …
# --------------------------------------------- [Drop [Link]]
/ip firewall address-list add address=[Link] list="[Link]"
comment=”Cx: [Link] (ID: ______,________________ )” disable=yes;
# --------------------------------------------------------------------------
[(UltraSurf)]
/ip firewall address-list add address=[Link]/24 list="[Link]"
comment=”Cx: [Link]-DDNS ([Link] [Link])” disable=yes;
/ip firewall address-list add address=[Link]/24 list="[Link]"
comment=”Cx: [Link]-DDNS ([Link] [Link])” disable=yes;
# ------------------------------------
/ip firewall address-list add address=[Link]/17 list="[Link]"
comment=”Cx: [Link]-DDNS ([Link] [Link])” disable=yes;
/ip firewall address-list add address=[Link]/16 list="[Link]" comment=”Cx:
[Link]-DDNS ([Link] [Link])” disable=yes;
/ip firewall address-list add address=[Link]/16 list="[Link]" comment=”Cx:
[Link]-DDNS ([Link] [Link])” disable=yes;
/ip firewall address-list add address=[Link]/16 list="[Link]" comment=”Cx:
[Link]-DDNS ([Link] [Link])” disable=yes;
/ip firewall address-list add address=[Link]/18 list="[Link]"
comment=”Cx: [Link]-DDNS ([Link] [Link])” disable=yes;
/ip firewall address-list add address=[Link]/17 list="[Link]" comment=”Cx:
[Link]-DDNS ([Link] [Link])” disable=yes;
/ip firewall address-list add address=[Link]/19 list="[Link]"
comment=”Cx: [Link]-DDNS ([Link] [Link])” disable=yes;
# -------------------------------------------------------------------------
[(------------)]
# …
# Nota: recordar que, según entiendo, las reglas de (Raw, Mangle y Filter) no
marcarán/bloquearán [Link] de las IPP fijas dadas a clientes.
# [Link] (Config y Protection): ------------------------------- [en
construcción]
# Web proxy — disabled. If it is ever turned on, the commented dst-nat rule sends
# LAN HTTP (port 80) into it; the proxy must then also be closed to the WANs, or
# the RB becomes an open proxy (author's note below).
# NOTE(review): the commented rule says "to-port=8070"; the property is "to-ports",
# as the DNS redirect rules above use it.
/ip proxy set enabled=no; # proxy off
# ---------------------------------------------
# /ip proxy set enabled=yes; # proxy on
# /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 in-interface-list=LANs
comment=”Rx: [Link] (Redireciona Port (80 a 8070)” action=redirect to-port=8070
disable=yes;
# Nota: si (on), redireccionar port (80a8070) y bloquear pedidos desde (WANs).
# [Link] (Config y Protection): ------------------------------- [en
construcción]
# [Link]:
---------------------------------------------------------------------
# Scheduled tasks, all created disabled. on-event names the script each entry runs;
# those scripts are defined elsewhere and must exist before an entry is enabled.
# "hh:mm:ss" and "x[Link]" are per-site placeholders. "start-time=start" presumably
# abbreviates "startup" (run once at boot) through the console's prefix matching —
# TODO confirm. One entry (TP [Link]-Config) is written "/ system" instead of
# "/system". Entries whose script reboots the RB or rewrites configuration run with
# the scheduler's policy permissions and should be reviewed as privileged config.
/system scheduler add name=”TP ([Link]-Cheq)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=”[Link]-Cheq” comment="C+: ( [Link]-
Cheq )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link] (RedesSociales)“
start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event=”[Link]
(Redes Sociales)” comment="C+: ( [Link] (Redes Sociales) )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link]-Change)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=”[Link]-ChangeWAN1” comment="R+: ( [Link]-
Change )" disabled=yes;
# --------------------------------------------
/system scheduler add name="TP ([Link])" on-event="/system reboot" start-
date=dec/01/2017 start-time=hh:mm:ss interval=x[Link] comment="Rx:
( [Link] )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link]%)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=”[Link]% (xRate)” comment="Cx:
( [Link]% (xRate) )" disabled=yes;
# --------------------------------------------
/ system scheduler add name="TP ([Link]-Config)" on-event="[Link]-Config"
start-date=dec/01/2017 start-time=hh:mm:ss interval=1d comment="R+: ( [Link]-
Config )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link]-AddressList (RSC))“
start-date=dec/01/2017 start-time=hh:mm:ss interval=1d on-event=”[Link]-
AddressListRSC” comment="Rx: ( [Link]-AddressList (RSC) )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link]-Stadistic)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=[Link]-Stadistic comment="C+: ( [Link]-Stadistic
)" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link]-Log)“ start-date=dec/01/2017 start-
time=hh:mm:ss interval=1d on-event=[Link]-Log comment="C+: ( [Link]-Log )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link]-Alert)“
start-date=dec/01/2017 start-time=start interval=hh:mm:ss on-
event=”[Link]-Alert” comment="R+: ( [Link]-Alert )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link])“ start-date=dec/01/2017 start-
time=start interval=hh:mm:ss on-event=”[Link]” comment="C+: ( [Link] )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link]-RSociales)“
start-date=dec/01/2017 start-time=start interval=hh:mm:ss on-
event=”[Link]-RSociales” comment="C+: ( [Link]-RSociales )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link] (ServicesIPChange)“ start-
date=dec/01/2017 start-time=start interval=hh:mm:ss on-event=”[Link]
(ServicesIPChange)” comment="C+: ( [Link] (Services IP Change) )"
disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link] (ABTemp)“ start-date=dec/01/2017 start-
time=start interval=hh:mm:ss on-event=”[Link] (ABTemp)” comment="C+:
( [Link] (ABTemp) )" disabled=yes;
# --------------------------------------------
/system scheduler add name=”TP ([Link]-RBLink)“ start-date=dec/01/2017
start-time=start interval=hh:mm:ss on-event=”[Link]-RBLink” comment="Rx:
( [Link]-RBList )" disabled=yes;
# [Link]:
---------------------------------------------------------------------
# Unneeded services off and IP-stack hardening.
/ip socks set enabled=no;
/ip upnp set enabled=no; # UPnP would let LAN hosts open WAN ports by themselves
/tool bandwidth-server set enabled=no;
/ip firewall connection tracking set enabled=yes; # required by FastTrack and by the connection-state matches in Filter
/ip settings set tcp-syncookies=yes; # SYN-flood mitigation for the RB's own listeners
/ip settings set rp-filter=strict; # reverse-path check: drops packets whose source is not routed back via the ingress interface (anti-spoof; author: untested)
# NOTE(review): with three WANs a strict reverse-path check also drops legitimate
# asymmetric replies; loose is the usual multi-WAN setting — confirm before enabling.
/snmp set enabled=no;
/ip cloud set ddns-enabled=yes update-time=yes; # publishes the WAN IP under the MikroTik-cloud DDNS name and syncs the clock from the cloud (needs outbound access to the cloud service)
# Nota: bloquea el RB.([Link]) para monitoreo externo ([Link] (161-
162) → SNMP). Un [Link] almacena y recupera información tal como se definió por
el fabricante en las específicas (MIBs: lo que un [Link] (NMS) puede
preguntar a un [Link]) de éste (SNMPv3).
#
-----------------------------------------------------------------------------------
--------
# One-shot reboot shortly after this point of the script (author: 10s). The entry is
# left in place afterwards; it is disabled further down so it does not fire again on
# later days — presumably the default interval makes it a single run, TODO confirm.
/system scheduler add name=[Link] on-event="/system reboot" start-time=([/system
clock get time]+[Link]); # reboot the RB in ~10s
# [ 02 ] --------------------------- [ RB reinciando ]
------------------------------
# ---------------------------- [ Connections
Types ]-----------------------------------
# NEW: Intenta crear una nueva conexión.
# ESTABLISHED: El paquete forma parte de una conexión ya existente.
# RELATED: El paquete está relacionado, aunque realmente no forma parte de una
conexión existente.
# INVALID: El paquete ni es parte de una conexión existente ni intenta crear una
nueva conexión.
#
-----------------------------------------------------------------------------------
--------
# Disable the reboot task created above so it cannot re-fire. The nested get ...
# value-name=name only returns the name that find already matched; "set [find
# name=...] disabled=yes" would do the same in one step.
/system scheduler set [/system scheduler get [find name=”[Link]”] value-
name=name] disable=yes; # disable the earlier reboot task
# ------------------------------------------------------------------------------
[INI]
#
-----------------------------------------------------------------------------------
--
# -------------------------- Reglas básica del Firewall:
---------------------------
#
-----------------------------------------------------------------------------------
--
#
-----------------------------------------------------------------------------------
--
# Recorre, en forma descendente, las listas del firewall, hasta cumplirse las
condiciones de una regla (accept o drop). Ergo: disponer las más probables arriba
y en secuencia (de estar relacionadas).
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------------------ [Raw]
---------------------------------------
#
-----------------------------------------------------------------------------------
-------
# Reglas x Mitigar (DoS Attacks): ---------------------------------------------
[INI]
# El ([Link]), es previo a ([Link]-Tracking [Link], [Link] y [Link]). Ergo:
RAM-, e igual efectividad que el firewall (CPU-) y sirve, tanto x (Forward) como x
(Input). Ante un ataque masivo, mis reglas no son efectivas. (log=yes – save MAC –,
only x ataque).
# -------------------------------------------------------------- [x
[Link]]
# DNS from the WANs. The resolver answers remote requests (allow-remote-requests=yes
# above), so inbound port 53 from the WANs list is dropped here in raw — before
# connection tracking, so it costs no conntrack entries. 001Rx/003Rx record the
# sources for 1h and are disabled by default (log=no); 002R+/004R+ are the drops.
/ip firewall raw add chain=prerouting protocol=tcp dst-port=53 in-interface-
list=WANs comment=“001Rx: Guardo.1h (src-IP en [Link] x
[Link] desde WANs)” action=add-src-to-address-list log=no log-
prefix="[[Link]]: " address-list=[Link] address-list-
timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=tcp dst-port=53 in-interface-
list=WANs comment="002R+: Mitiga ([Link])" action=drop disable=yes;
# ------------------------------------------------------------- [UDP DNS]
/ip firewall raw add chain=prerouting protocol=udp dst-port=53 in-interface-
list=WANs comment=“003Rx: Guardo.1h (src-IP en [Link] x
[Link] desde WANs)” action=add-src-to-address-list log=no log-
prefix="[[Link]]: " address-list=[Link] address-list-
timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=udp dst-port=53 in-interface-
list=WANs comment="004R+: Mitiga ([Link])" action=drop disable=yes;
# Note (author): redundant with the Filter default-drop, but it protects the
# resolver (port 53) cheaply.
# ------------------------------------------------------- [x [Link]/LAN]
# Outbound ICMP port-unreachable (type 3 code 3) towards the WANs, i.e. the RB's
# reply when a closed UDP port is probed. 005Cx records the destinations (disabled),
# 006R+ is meant to stop the RB answering port probes.
# NOTE(review): "limit=" matches while the rate is UNDER the threshold, so
# limit=1000/5s with action=drop discards the first 1000 replies per 5s and lets the
# excess through — the opposite of rate-limiting. Drop without the limit matcher, or
# use limit ... action=accept followed by an unconditional drop as 010C+/014R+ do.
/ip firewall raw add chain=output protocol=icmp out-interface-list=WANs dst-
address-list=![Link] icmp-options=3:3 limit=1000/5s,5:packet
comment=“005Cx: Guardo.1h (src-IP en [Link] x [Link])”
action=add-dst-to-address-list log=no log-prefix="[[Link]]: " address-
list=[Link] address-list-timeout=1h disable=yes;
/ip firewall raw add chain=output protocol=icmp out-interface-list=WANs dst-
address-list=![Link] icmp-options=3:3 limit=1000/5s,5:packet
comment="006R+: Mitigo ([Link] x [Link] [ 3:3 port unreachable ])"
action=drop disable=yes;
# Note (author): when the RB receives a packet for a port with no listener it sends
# an ICMP 3:3 back to the origin saying the destination is unreachable. Mind the
# dst-address-list exclusion.
# ------------------------------------------------------------------ [x
[Link]]
# ACK: Confirma conexión.
# PSH: Fuerza priorización del paquete en destino y obliga esperar otro.
# RST: Indica que se debe reiniciar la conexión.
# SYN: Indica que se pretende iniciar una conexión.
# FIN: Indica la finalización de una conexión.
# Anti-spoofing on the LAN side (BCP38): anything entering a LAN interface whose
# source is NOT on the allowed-LAN address list is recorded with logging (007Rx)
# and dropped (008R+). That list must contain every LAN subnet and every static
# client address, otherwise legitimate hosts are dropped here.
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=!A-
[Link] comment=“007Rx: Guardo.1h (src-IP en [Link] x
Input/[Link] desde ![Link])” action=add-src-to-address-list log=yes log-
prefix="[DOS-IPSPOOFLAN.BCP38]: " address-list=[Link] address-list-
timeout=1h disable=yes;
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=!A-
[Link] comment="008R+: [Link] (x Input/[Link] desde !A-
[Link])" action=drop disable=yes;
# ----------------------------------------------------------------- [x
[Link]]
# ------------------------------------ [x [Link] (WAN)]
# ICMP from the WANs to the RB's own addresses: sources are recorded (009Cx,
# disabled) and echo is accepted only within 50 packets per 5s, burst 5 (010C+);
# anything above the limit falls through to the unconditional drop 014R+ below.
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs dst-
address-list=[Link] limit=50/5s,5:packet comment=“009Cx: Guardo.1h (src-
IP en [Link] x [Link])” action=add-src-to-address-list
log=no log-prefix="[[Link]]: " address-list=[Link]
address-list-timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs dst-
address-list=[Link] limit=50/5s,5:packet comment=“010C+:
[Link]-Limitado (desde src-IP hacia [Link])” action=accept
disable=yes;
# Note (author): the limit is also exceeded by a single host pinging continuously with large packets.
# ---------------------------------------- [x [Link] (WAN)]
# Regla x RBACCESS (x ByteKnocking - ICMP): ---------------------------- [INI]
# (A: Administrativo), (P: Privilegiado – durante ataques –) y (L: Liberado).
# ------------------------------------------ [Acceso Administrativo (x PKnocking)]
# "ByteKnocking": one ICMP packet of an exact total size (packet-size=700 for the (A)
# rule, 800 for (P)) arriving on a WANs interface puts its source address into the
# target list for 60s. The (L) rule further down has no packet-size match, so while
# it is enabled ANY WAN host that sends ICMP gets listed.
# NOTE(review): a packet size is not a secret — it is visible to anyone on the path
# and is a small search space — so treat these lists as a convenience gate, not as
# authentication; the accept rules keyed on them later in the Filter section are the
# real exposure. Keep (L) disabled except during a lockout, and re-disable it
# afterwards. (The 28 bytes mentioned in the note below are the IPv4 + ICMP headers.)
/ip firewall raw add chain=prerouting protocol=icmp packet-size=700 in-interface-
list=WANs src-address-list=![Link] limit=50/5s,5:packet log=no log-
prefix="[ BKnocking1-1 (A) ]: " action=add-src-to-address-list comment=“011R>:
BKnocking1-1 (A) (Add.60s src-IP a [Link] x [Link])” address-list=A-
[Link] address-list-timeout=60s disable=yes;
# --------------------------------------------- [Acceso Privilegiado (x PKnocking)]
/ip firewall raw add chain=prerouting protocol=icmp packet-size=800 in-interface-
list=WANs src-address-list=![Link] limit=50/5s,5:packet log=no log-
prefix="[ BKnocking1-1 (P) ]: " action=add-src-to-address-list comment=“011R<:
BKnocking1-1 (P) (Add.60s src-IP a [Link] x [Link])” address-list=A-
[Link] address-list-timeout=60s disable=yes;
# --------------------------------------------------------- [Acceso Liberado (x
Port)]
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs
limit=50/5s,5:packet log=no log-prefix="[ [Link] (L) ]: " action=add-src-to-
address-list comment=“011R*: [Link] (L) (Add.60s src-IP a [Link] x
[Link])” address-list=[Link] address-list-timeout=60s disable=yes;
# Nota: 60s+, y la IP deja de ser valida (ping IP -l {700/800=((672/772)+(28 –
cabecera de paquete TCP –))}.
# Regla x RBACCESS (x ByteKnocking - ICMP): ---------------------------- [FIN]
# ICMP policy for WANs in raw/prerouting: 012R+ accepts rate-limited ICMP from
# sources already in the list, 013Rx records (1h) any other source, and 014R+ drops
# everything else.
# NOTE(review): raw/prerouting runs before BOTH input and forward, so while 014R+ is
# enabled it also discards ICMP addressed to LAN hosts — including type 3 code 4
# (fragmentation needed), which the forward-side ICMP chain in the Filter section
# explicitly accepts but will never see. That breaks path-MTU discovery for LAN
# clients behind the router. Consider accepting 3:4 (and 11:0) here before the drop,
# or limiting 014R+ to echo requests (icmp-options=8:0).
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs src-
address-list=[Link] limit=100/5s,5:packet comment=“012R+:
[Link]-Limitado (desde [Link])” action=accept disable=yes;
# Nota: tambien se supera (limit=100/5s,5:p) con (ping x.x.x.x –l 17753 –t). Dado
que, ([Link]) no llega hasta (Filter), es necesario un ([Link]).
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs src-
address-list=![Link] comment=“013Rx: Guardo.1h (src-IP en T-
[Link] x ![Link], posible [Link])” action=add-src-to-
address-list log=no log-prefix="[[Link]]: " address-list=T-
[Link] address-list-timeout=1h disable=yes;
# Nota: no graba, si el ataque: (es de src-A-ICMPWANSRC y supera limit).
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=WANs
comment=“014R+: [Link] de [Link] (hacia WANs)” action=drop
disable=yes;
# Nota: Si (icmp-type=!0:0 action=drop), el RB, pide y recibe ecos, mas no los
responde.
# ----------------------------------------------------------------- [x
[Link]]
# ------------------------------------ [x [Link] (src-LANs)]
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs src-
address-list=[Link] limit=50/5s,5:packet comment=“015Rx:
[Link]-Limitado (desde [Link])” action=accept disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs src-
address-list=![Link] comment=“016Rx: Guardo.1h (src-IP en T-
[Link] x ![Link], debido a [Link])” action=add-src-
to-address-list log=no log-prefix="[[Link]]: " address-list=T-
[Link] address-list-timeout=1h disable=yes;
/ip firewall raw add chain=prerouting protocol=icmp in-interface-list=LANs
comment=“017Rx: [Link] de [Link] (desde LANs)” action=drop
disable=yes;
# Nota: activar solo x uso de [Link] (desactivar Forward [Link]) o
[Link]-Attack.
# ------------------------------------ [x [Link] (dst-LANs)]
/ip firewall raw add chain=output protocol=icmp in-interface-list=LANs dst-address-
list=[Link] limit=50/5s,5:packet comment=“018Rx: [Link]-
Limitado (hacia [Link])” action=accept disable=yes;
/ip firewall raw add chain=output protocol=icmp in-interface-list=LANs dst-address-
list=![Link] comment=“019Rx: Guardo.1h (src-IP en [Link] x
![Link], debido a [Link])” action=add-src-to-address-list log=no
log-prefix="[[Link]]: " address-list=[Link] address-
list-timeout=1h disable=yes;
/ip firewall raw add chain=output protocol=icmp in-interface-list=LANs
comment=“020Rx: [Link] de [Link] (hacia LANs)” action=drop
disable=yes;
# Nota: activar solo x uso de [Link] (desactivar Forward [Link]) o
[Link]-Attack.
# Reglas x Mitigar (DoS Attacks): ---------------------------------------------
[FIN]
# Reglas x [Link] (x [Link] x [Link]): -------- [INI]
# Eficiencia+, pero CPU+ que usar reglas en ([Link]/Forward).
# ------------------------------------------------------------- [x [Link]-
P53]
/ip firewall raw add chain=prerouting protocol=udp dst-port=53 in-interface-
list=LANs src-address-list="[Link]" comment=”050Cx: [Link]
(src-Address de [Link] x [Link])” action=drop disable=yes;
/ip firewall raw add chain=prerouting protocol=tcp dst-port=53 in-interface-
list=LANs src-address-list="[Link]" comment=”051Cx: [Link]
(src-Address de [Link] x [Link])” action=drop disable=yes;
# Nota: (src-address-list="[Link]"), usado x [Link]-DDNS.
# --------------------------------------------------------------------- [x
[Link]]
/ip firewall raw add chain=prerouting in-interface-list=LANs src-address-list=C-
[Link] comment=”060Cx: Bloqueo (Input/[Link] desde C-
[Link])” action=drop disable=yes;
#... (constituir seguidamente, solo x ataque desde ([Link]), el resto de
reglas de Control de Clientes (Drop), antes de los (Accept) de (Filter)).
Desactivar, homónimos en (Filter).
# Reglas x [Link] (x [Link] x [Link]): -------- [FIN]
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------------------ [Raw]
---------------------------------------
#
-----------------------------------------------------------------------------------
-------
#
-----------------------------------------------------------------------------------
[INI]
# ----------------------------------------- [Filter]
---------------------------------------
#
-----------------------------------------------------------------------------------
--------
# Reglas x Aceleracion de Tráfico: ------------------------------------------ [INI]
/ip firewall filter add chain=forward connection-state=established,related
comment=”001C+: Acepto ([Link]=Establecidas y Relacionadas)” action=accept
disable=yes;
/ip firewall filter add chain=input connection-state=established,related
comment=”002R+: Acepto ([Link]=Establecidas y Relacioadas)” action=accept
disable=yes;
/ip firewall filter add chain=forward connection-state=invalid comment=”003C+:
Rechazo ([Link]=Invalidas)” action=drop disable=yes;
/ip firewall filter add chain=input connection-state=invalid comment=”004R+:
Rechazo ([Link]=Invalidas)” action=drop disable=yes;
# Reglas x Aceleracion de Tráfico: ------------------------------------------ [FIN]
# Reglas x Mitigar (DoS Attacks): ---------------------------------------------
[INI]
# ---------------------------------- Opcion.01 (>) ------------------------ [INI]
# (A), referencia una regla que tanto puede aplicarse a (R) como a (C). Recomiendan
que: (burst>=rate).
# ---------------------------------------------------------------- [x TCPFlood/src-
dst]
/ip firewall filter add chain=forward comment=”005A>: [Link] ([Link] to
[Link])” action=jump jump-target=[Link] disable=yes;
/ip firewall filter add chain=[Link] dst-limit=164,164,src-and-dst-addresses/10s
comment=”006A>: Acepto (hasta un Packet-Limit=164p/s-Burst=164p/s x src-dst)”
action=return disable=yes;
/ip firewall filter add chain=[Link] src-address-list=[Link]
dst-limit=512,512,src-and-dst-addresses/10s action=return log=no log-prefix="[DOS-
[Link]/Excepcion.C]: " comment=”007A>: Acepto [Link]-Limit (desde
[Link], hasta 512p/s-Burst=512p/s x src-dst)” disable=yes;
/ip firewall filter add chain=[Link] src-address-list=![Link]
log=no log-prefix="[[Link]/src]: " comment=”008A>: Add.5m (src-Address a T-
[Link] si src-Address=![Link])” action=add-src-to-
address-list address-list=[Link] address-list-timeout=5m disable=yes;
/ip firewall filter add chain=[Link] src-address-list=![Link]
log=no log-prefix="[[Link]/dst]: " comment=”009A>: Add.5m (dst-Address a T-
[Link] si src-Address=![Link])” action=add-dst-to-
address-list address-list=[Link] address-list-timeout=5m disable=yes;
/ip firewall filter add chain=forward src-address-list=[Link] dst-
address-list=[Link] action=drop log=no log-prefix="[[Link]/src-
dst]: " comment=”010A>: Bloqueo (src-dst x Packet-Limit+)” disable=yes;
# Nota: acepto (src-A-AltaC, dst-C-AltaC), rechazo (src-C-AltaC, dst-A-AltaC) y
rechazo (src-C-AltaC, dst-C-AltaC). Habilitar (Rx: A-AltaC), solo en caso de
([Link]).
# ---------------------------------- Opcion.01 (>) -----------------------------
[FIN]
# ---------------------------------- Opcion.02 (<) -----------------------------
[INI]
# --------------------------------------------------------------------- [x
TCPFlood/32]
# En (Raw), dropearia cada connection TCP (new o establecida) de T-
DOSTCPF____.List, provocando en las LANs, un [Link]. Siendo que, lo que
busco, es limitar las connection x IP a (IN: 200+/32)/FW: 400+/32).
# --------------------------------------------- [x TCPFlood/[Link]]
/ip firewall filter add chain=input protocol=tcp src-address-list=[Link]
connection-limit=20,32 comment="005R<: Limito (a 20/32 [Link]
(ralentizadas) a los de [Link])" action=tarpit disabled=yes;
/ip firewall filter add chain=input protocol=tcp src-address-list=!C-
[Link] connection-limit=200,32 comment="006R<: Guardo.1h (src-IPs en
[Link] x 200+/32 [Link])” action=add-src-to-address-list log=yes log-
prefix="[[Link]/IN32]: " address-list=[Link] address-list-
timeout=1h disabled=yes;
# --------------------------------------------- [x TCPFlood/[Link]]
/ip firewall filter add chain=forward protocol=tcp src-address-list=T-
[Link] connection-limit=40,32 comment="007R<: Limito (a 40/32
[Link] (ralentizadas) a los de [Link])" action=tarpit
disabled=yes;
/ip firewall filter add chain=forward protocol=tcp src-address-list=!C-
[Link] connection-limit=400,32 comment="008R<: Guardo.1h (src-IPs en
[Link] x 400+/32 [Link])” action=add-src-to-address-list log=yes
log-prefix="[[Link]/FW32]: " address-list=[Link] address-list-
timeout=1h disabled=yes;
# … (reservado hasta 011R)
# Nota: (Tarpit), usa CPU+ que (Drop), ya que mantiene la conexión establecida,
reduciendo su trafico hasta cero, evitando asi, que el atacante cree una new-
connection al hacerle nosotros un (Drop).
# -------------------------------------------------------------------------- [x
SYNFlood]
# En (Raw), dropearia cada connection SYN (new o establecida) de T-DOSSYN____.List,
provocando en las LANs, un [Link]. Siendo que, lo que busco, es limitar las
connection x Chain a (IN: 150+/s)/FW: 600+/s). Activar, las next 4 reglas, solo en
caso de ([Link]), estando usando (Opcion.02) y determinar valores
reales para: (IN/FW).
# ------------------------------------------------------- [x [Link]]
# SYN-flood guard: input chain (012Cx records, 013Cx drops) and forward chain
# (014Cx records, 015Cx drops).
# NOTE(review): the RouterOS `limit` matcher matches packets while the rate is still
# WITHIN the limit, so a drop rule that itself carries `limit=150,5:packet` drops the
# first 150 SYN/s and lets the excess through — the opposite of what the comment
# text says. The usual shape is an accept rule carrying the limit followed by an
# unconditional drop (or a jump to a dedicated chain built that way). Confirm on a
# lab router before enabling any of the four.
# NOTE(review): `tcp-flags=syn` alone also matches SYN+ACK replies; `tcp-flags=syn,!ack
# connection-state=new` is the usual way to count only connection attempts.
# These rules mix `disable=yes` and `disabled=yes`; `disabled` is the property name.
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn limit=150,5:packet
comment="012Cx: Guardo.1h (src-IP en [Link] x posible [Link])"
action=add-src-to-address-list log=no log-prefix="[[Link]]: " address-
list=[Link] address-list-timeout=1h disable=yes;
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn limit=150,5:packet
comment="013Cx: Bloqueo (x 150+/s [Link]-Conn simultaneas x posible
[Link])" action=drop disabled=yes;
# ------------------------------------------------------- [x [Link]]
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn limit=600,5:packet
comment="014Cx: Guardo.1h (src-IP en [Link] x posible [Link])"
action=add-src-to-address-list log=no log-prefix="[[Link]]: "
address-list=[Link] address-list-timeout=1h disable=yes;
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn limit=600,5:packet
comment="015Cx: Bloqueo (x 600+/s [Link]-Conn simultaneas x posible
[Link])" action=drop disabled=yes;
# Nota: x descubrir ([Link]), cambiar en (IN/FW) a: (action=add-dst-to-address-
list).
# ---------------------------------- Opcion.02 (<) -----------------------------
[FIN]
# ------------------------------------------------------------------- [x
[Link]]
/ip firewall filter add chain=input protocol=udp dst-port=123 in-interface-
list=WANs comment="016Rx: Guardo.1h (src-IPs en [Link] x posible
[Link])" action=add-src-to-address-list log=no log-prefix="[DOS-
[Link]]: " address-list=[Link] address-list-timeout=1h
disabled=yes;
/ip firewall filter add chain=input protocol=udp dst-port=123 in-interface-
list=WANs comment="017R+: Bloqueo (src-IP x posible [Link])" action=drop
disabled=yes;
# Nota: x posicionarse después de (Aceleracion de Trafico), no pregunto x
(connection-state=new), para asegurarme que solo bloquee trafico NTP iniciado
externamente. No pude hacerla funcionar en (Raw).
# ------------------------------------------------------------ [x dst-
[Link]]
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=A-
BLACKHOLE comment=“018Cx: Guardo.1h (src-IP en [Link] x [Link] no
permitido hacia [Link])” action=add-src-to-address-list log=no log-
prefix="[[Link]]: " address-list=[Link] address-
list-timeout=1h disable=yes;
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=A-
BLACKHOLE comment="019C+: [Link] (ForwardConn no permitido hacia
[Link])" action=drop disable=yes;
# Nota: considerar usar (tarpit) o mandarlo a un [Link].
# -------------------------------------------------------------- [x dst-
[Link]]
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=!A-
[Link] comment=“020Rx: Guardo.1h (src-IP en [Link] x [Link]
hacia ![Link])” action=add-src-to-address-list log=no log-prefix="[DOS-
[Link]]: " address-list=[Link] address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward in-interface-list=WANs dst-address-list=!A-
[Link] comment="021R+: [Link] (x [Link] hacia ![Link])"
action=drop disable=yes;
# ------------------------------------------------------------- [x
[Link]/LAN]
# Port-scan detection on the router itself (input chain): psd=21,3s,3,1 weights
# low/high ports hit within 3s; a source that crosses the threshold is recorded
# for 1h (022Rx) and then dropped (023R+).
# NOTE(review): there is no in-interface-list here, so a LAN host that trips the
# detector (a scanner, or an infected machine) is listed and blocked from the
# router as well — the author's note below explains why this is intentional.
# If the admin list is ever used from one of those hosts, the lockout is self-
# inflicted; keep an out-of-band path (console/MAC-Winbox on a SOS/RES port).
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 comment="022Rx:
Guardo.1h (src-IPs en [Link] x posible [Link])" action=add-src-
to-address-list log=no log-prefix="[[Link]]: " address-list=T-
[Link] address-list-timeout=1h disabled=yes;
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 comment="023R+:
Bloqueo (src-IP x posible [Link])" action=drop disabled=yes;
# … (reservado hasta 025R)
# Nota: no uso (src-address-list=![Link]) x posible infeccion. Cuidado: si,
el atacante, usa las IPs de mis [Link] ([Link]), termino por auto-
bloquearme. Alternativa de amplio espectro: (tcp-flags=fin,syn,rst,psh,ack,urg).
# Reglas x Mitigar (DoS Attacks): ---------------------------------------------
[FIN]
# Regla x Drop ([Link] desde Input): -----------------------------------------
/ip firewall filter add chain=input src-address-list=[Link] comment=”026Rx:
Rechazo ([Link] desde [Link])” action=drop disable=yes;
# Nota: Precisión-, al excluir (in-interface-list=WANs), para CPU-.
# Regla x Accept ([Link] desde Input): -------------------------------------
/ip firewall filter add chain=input src-address-list=[Link] comment=”027Rx:
Acepto ([Link] desde [Link])” action=accept disable=yes;
# Nota: Precisión-, al excluir (in-interface-list=WANs), para CPU-.
# Regla x Accept ([Link] desde [Link]): -----------------------
/ip firewall filter add chain=input protocol=icmp in-interface-list=WANs src-
address-list=[Link] limit=100/5s,5:packet comment=“028R+:
[Link]-Limitado (desde [Link])” action=accept disable=yes;
# Regla x RBACCESS (x [Link] - WINBOX): -------------------------- [INI]
# (A: Administrativo), (P: Privilegiado – durante ataques –) y (L: Liberado).
# ------------------------------------------ [Acceso Administrativo (x PKnocking)]
# Management (Winbox) accept rules. (A) and (P) only accept sources that the
# knocking rules placed in the respective address list; (L) accepts from ANY source
# on 3333-3334 with no list check at all.
# NOTE(review): 029R* is a break-glass rule — while enabled, the management port is
# reachable from every WAN host (no in-interface-list either, so from LANs too).
# Keep it disabled, and if it has to be enabled during an incident, time-box it
# (e.g. a scheduler entry that disables it again) and verify afterwards.
# The services themselves still have to listen on these ports (see the note below).
/ip firewall filter add chain=input protocol=tcp dst-port=3335-3336 src-address-
list=[Link] comment="029R>: Acepto (A) (only [Link] desde [Link])"
action=accept disable=yes;
# --------------------------------------------- [Acceso Privilegiado (x PKnocking)]
/ip firewall filter add chain=input protocol=tcp dst-port=3333-3334 src-address-
list=[Link] comment="029R<: Acepto (P) (only [Link] desde [Link])"
action=accept disable=yes;
# --------------------------------------------------------- [Acceso Liberado (x
Port)]
/ip firewall filter add chain=input protocol=tcp dst-port=3333-3334 comment="029R*:
Acepto (L) (only [Link] desde AnyIP)" action=accept disable=yes;
# Nota: only [Link] (debo cambiar los ports de IP/Services).
# Regla x RBACCESS (x [Link] - WINBOX): -------------------------- [FIN]
# Regla x RBACCESS (x PortKnocking - WINBOX): ------------------------ [INI]
# ------------------------------------------ [Acceso Administrativo (x PKnocking)]
# Three-stage TCP port knocking: (A) on 111 -> 112 -> 113, (P) on 22 -> 33 -> 44.
# Stage 1 has no source restriction; stages 2 and 3 require membership in the
# previous stage's list (30s windows); the final list lives 15m.
# NOTE(review): a knock sequence is not a secret once it has crossed the wire, and
# stage 1 will be hit constantly by Internet-wide scanners (port 22 especially), so
# churn in the stage-1 list is normal and not an alert signal by itself — the
# stage-3 list is the one worth monitoring. The knock packets are not dropped after
# being recorded; they fall through to the rest of the input chain.
# The 032R< comment string says "Add.30s" but the rule sets address-list-timeout=15m
# (matching 032R>); the string is the one that is wrong.
/ip firewall filter add chain=input protocol=tcp dst-port=111 comment=“030R>:
PKnocking1-3 (A) (Add.30s src-IP a [Link] x [Link])” log=no log-
prefix="[ PKnocking1-3 (A) ]: " action=add-src-to-address-list address-list=T-
[Link] address-list-timeout=30s disable=yes;
/ip firewall filter add chain=input protocol=tcp dst-port=112 src-address-list=T-
[Link] comment=“031R>: PKnocking2-3 (A) (Add.30s src-IP a [Link] x
[Link])” log=no log-prefix="[ PKnocking2-3 (A) ]: " action=add-src-to-address-
list address-list=[Link] address-list-timeout=30s disable=yes;
/ip firewall filter add chain=input protocol=tcp dst-port=113 src-address-list=T-
[Link] comment=“032R>: PKnocking3-3 (A) (Add.15m src-IP a [Link] x
[Link])” log=no log-prefix="[ PKnocking3-3 (A) ]: " action=add-src-to-address-
list address-list=[Link] address-list-timeout=15m disable=yes;
# --------------------------------------------- [Acceso Privilegiado (x PKnocking)]
/ip firewall filter add chain=input protocol=tcp dst-port=22 comment=“030R<:
PKnocking1-3 (P) (Add.30s src-IP a [Link] x [Link])” log=no log-
prefix="[ PKnocking1-3 (P) ]: " action=add-src-to-address-list address-list=T-
[Link] address-list-timeout=30s disable=yes;
/ip firewall filter add chain=input protocol=tcp dst-port=33 src-address-list=T-
[Link] comment=“031R<: PKnocking2-3 (P) (Add.30s src-IP a [Link] x
[Link])” log=no log-prefix="[ PKnocking2-3 (P) ]: " action=add-src-to-address-
list address-list=[Link] address-list-timeout=30s disable=yes;
/ip firewall filter add chain=input protocol=tcp dst-port=44 src-address-list=T-
[Link] comment=“032R<: PKnocking3-3 (P) (Add.30s src-IP a [Link] x
[Link])” log=no log-prefix="[ PKnocking3-3 (P) ]: " action=add-src-to-address-
list address-list=[Link] address-list-timeout=15m disable=yes;
# Nota: +30s, y la IP deja de ser válida. Hasta que la sesión (conexión winbox o ping)
no se dé por finalizada, la IP en cuestión continuará habilitada por más tiempo que
(15m o 60s).
# Regla x RBACCESS (x PortKnocking - WINBOX): ------------------------ [FIN]
# Regla x RBACCESS (save src-![Link] - WINBOX): ----------------------
# Records, for 1d, every source that reaches the management ports 3333-3336 without
# being in the admin list. The action is non-terminating, so the packet continues
# down the input chain (and ends at the default drop unless something accepts it).
# NOTE(review): no in-interface-list, so LAN sources are listed too; with a 1d
# timeout this list doubles as a useful audit trail of who probed the management
# ports — worth exporting before it ages out.
/ip firewall filter add chain=input src-address-list=![Link] protocol=tcp
dst-port=3333-3336 comment=“033Rx: Guardo.1d (src-IP en [Link] x
[Link] desde ![Link])” action=add-src-to-address-list log=no log-
prefix="[[Link]]: " address-list=[Link] address-list-timeout=1d
disable=yes;
# Nota: x secuenciación de mí (Firewall), sin +reglas, no puedo evitar usar algunos
(port).
# Reglas x [Link] (x [Link]): -------------------------------------
/ip firewall filter add chain=input in-interface-list=LANs src-address-list=C-
[Link] comment=”034Cx: Bloqueo ([Link] desde [Link])”
action=drop disable=yes;
# Nota: regla escasamente relevante, tan solo, aumenta el nivel de bloqueo.
# Regla x Accept ([Link]-Autorizado): ----------------------------------
/ip firewall filter add chain=input in-interface-list=LANs src-address-list=A-
[Link] comment=“035R+: Acepto (only [Link] desde [Link])”
action=accept disable=yes;
# Nota: precisión-, dado que, no especifico segmento IP permitido x interface.
# Regla x Drop ([Link]-Trafic):
-------------------------------------------------
# Default deny for the input chain: everything the router should answer (management,
# DNS/NTP for LANs, ICMP, VPN termination, ...) must be accepted above this line.
# NOTE(review): enable this only after the accept rules above it are verified from
# an out-of-band session; it is the rule most likely to lock an admin out.
/ip firewall filter add chain=input comment=“036R+: Bloqueo (resto de [Link])”
action=drop disable=yes;
# … (reservado hasta 041R)
# Nota: x CPU-, las reglas que save IPs (ej: no-PKnocking), deben deshabilitarse o
eliminarse, dejando solo el bloqueo de las mismas.
# Regla x Drop ([Link]): --------------------------------------------------
/ip firewall filter add chain=forward dst-address-list=[Link] comment="042C+:
Bloqueo ([Link] desde [Link])" action=drop disable=yes;
# Nota: precisión-, al excluir la condicion (out-interface-list=WANs), para CPU-.
# Reglas x Mitigar ([Link]):
----------------------------------------------------
/ip firewall filter add chain=forward protocol=tcp dst-port=25,110,587,993,995
connection-limit=30,32 limit=30/1m,0 comment="043Cx: Guardo.1h (src-IP en T-
[Link] x posible [Link])" action=add-src-to-address-list log=no log-
prefix="[[Link]]: " address-list=[Link] address-list-timeout=1h
disabled=yes;
/ip firewall filter add chain=forward protocol=tcp dst-port=25,110,587,993,995
connection-limit=30,32 limit=30/1m,0 comment="044Cx: [Link] ([Link]
[ 25,110,587,993,995 ] x posible [Link])" action=drop disabled=yes;
# Reglas x [Link] (Estado): -----------------------------------------------
[INI]
# En (Raw), dropearian mas eficientemente, pero implicaria CPU+.
# Reglas x [Link]-Basic (x [Link]): -----------------------------
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
[Link] comment=”045C+: Bloqueo ([Link] desde [Link])”
action=drop disable=yes;
# Nota: Precisión+, al incluir la condicion (in-interface-list=LANs), CPU+. Dada la
posición en ([Link]), es necesario eliminar sus conexiones existentes en
(Connections), para surtir efecto al agregar IP a (Address-List).
# Reglas x [Link]-Franjas (x C-PPROMO__CLIENT.List): ----------- [INI]
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
[Link] comment=”046C+: [Link] (bloqueo [Link] desde C-
[Link])” time=[Link]-1d,mon,tue,wed,thu,fri action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
[Link] comment=”047C+: [Link] (bloqueo [Link] desde C-
[Link])” time=[Link]-1d,sat,sun action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
[Link] comment=”048Cx: [Link] (bloqueo [Link] desde C-
[Link])” time=[Link]-[Link],mon,tue,wed,thu,fri,sat,sun action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
[Link] comment=”049Cx: [Link] (bloqueo [Link] desde C-
[Link])” time=[Link]-[Link],mon,tue,wed,thu,fri,sat,sun action=drop
disable=yes;
# … (reservado hasta 055C)
# Nota: precisión+, al incluir la condicion (in-interface=LANs), aunque CPU+.
Importante: el [Link] de ([Link]) se hace x script.
# Reglas x [Link]-Franjas (x C-PPROMO__CLIENT.List): ----------- [FIN]
# Reglas x [Link]-SocialMedia (x C-PPROMO______.List): --------- [INI]
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”056Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”057Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”058Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”059Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”060Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”061Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”062Cx: [Link] (bloqueo
[Link] x src-IP of C-PROMO![Link])” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”063Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”064Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”065Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”066Cx: [Link]
(bloqueo [Link] x src-IP of C-PROMO![Link])” action=drop disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=C-
PROMO![Link] dst-address-list=[Link] comment=”067Cx: [Link] (bloqueo
[Link] x src-IP of C-PROMO![Link])” action=drop disable=yes;
# … (reservado hasta 077C)
# Nota: precisión+, al incluir la condicion (in-interface-list=WANs), CPU+.
# Reglas x [Link]-SocialMedia (x C-PPROMO______.List): --------- [FIN]
# Reglas x [Link] (Estado): -----------------------------------------------
[FIN]
# Reglas x Drop (específicos [Link]): -----------------------------------
[INI]
# Forward-chain blocks for specific destinations. 078C+ drops traffic from LAN sources
# not in the exemption list toward a destination list (regulatory reference kept in
# the comment string).
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=!A-
[Link] dst-address-list=[Link] comment=”078C+: Bloqueo
([Link] x ENACOM NO-2019-16651442)” action=drop disable=yes;
# 079Cx drops TLS connections by SNI (tls-host) on 443.
# NOTE(review): tls-host matches the server name in the ClientHello, which travels
# from the client toward the server — with in-interface-list=WANs this rule only
# sees the reply direction and would never match; in-interface-list=LANs (or
# out-interface-list=WANs) is presumably what is meant. Also, the comment= value on
# the last line does not appear to be closed before `action=drop`; if that is not an
# extraction artefact the import will fail or swallow the remaining arguments.
/ip firewall filter add chain=forward in-interface-list=WANs protocol=tcp dst-
port=443 tls-host=”*[Link]*” comment=”079Cx: [Link]
([Link] action=drop disable=yes;
# … (reservado hasta 088C)
# Nota: (tls-host), usa TCP, mientras que (QUIC: google), usa UDP.
# Reglas x Drop (específicos [Link]): ----------------------------------
[FIN]
# Reglas x [Link] ICMP/TCP/UDP (new Chain x Protect): ------------ [INI]
/ip firewall filter add chain=forward protocol=icmp comment=”089C+: [Link]
([Link] to [Link])” action=jump jump-target=[Link]
disable=yes;
/ip firewall filter add chain=forward protocol=tcp comment=”090C+: [Link]
([Link] to [Link])” action=jump jump-target=[Link]
disable=yes;
/ip firewall filter add chain=forward protocol=udp comment=”091C+: [Link]
([Link] to [Link])” action=jump jump-target=[Link]
disable=yes;
# Reglas x [Link] ICMP/TCP/UDP (new Chain x Protect): ------------ [FIN]
# Reglas x Ctrl ([Link] x [Link]-ICMP): --------------- [INI]
/ip firewall filter add chain=[Link] protocol=icmp icmp-options=8:0
limit=50/5s,5:packet action=accept comment="092C+: Acepto ([Link] [ 8:0 ]
limitado x allow echo request)" disable=yes;
/ip firewall filter add chain=[Link] protocol=icmp icmp-options=0:0
limit=50/5s,5:packet comment="093C+: Acepto ([Link] [ 0:0 ] limitado x echo
reply)" action=accept disable=yes;
/ip firewall filter add chain=[Link] protocol=icmp icmp-options=11:0
limit=50/5s,5:packet action=accept comment="094C+: Acepto ([Link] [ 11:0 ]
limitado x allow time exceed)" disable=yes;
/ip firewall filter add chain=[Link] protocol=icmp icmp-options=3:0-1
limit=50/5s,5:packet comment="095C+: Acepto ([Link] [ 3:0-1 ] limitado x
net/host unreachable)" action=accept disable=yes;
/ip firewall filter add chain=[Link] protocol=icmp icmp-options=3:4
limit=50/5s,5:packet comment="096C+: Acepto ([Link] [ 3:4 ] limitado x host
unreachable fragmentation required)" action=accept disable=yes;
/ip firewall filter add chain=[Link] comment="097C+: Bloqueo (all other types
of [Link])" action=drop disable=yes;
# Nota: determinar, conveniencia de (limit=50/5s,5:packet) en cada regla.
# Reglas x Ctrl ([Link] x [Link]-ICMP): --------------- [FIN]
# Reglas x Drop ([Link] x [Link]-TCPPort): ------------ [INI]
/ip firewall filter add chain=[Link] protocol=tcp dst-port=67-68
comment="098C+: Bloqueo ([Link] [ 67-68 ] x posible DHCP)" action=drop
disable=yes;
/ip firewall filter add chain=[Link] protocol=tcp dst-port=69 comment="099C+:
Bloqueo ([Link] [ 69 ] x posible TFTP)" action=drop disable=yes;
/ip firewall filter add chain=[Link] protocol=tcp dst-port=111 comment="100C+:
Bloqueo ([Link] [ 111 ] x posible RPC portmapper)" action=drop disable=yes;
/ip firewall filter add chain=[Link] protocol=tcp dst-port=135 comment="101C+:
Bloqueo ([Link] [ 135 ] x posible RPC portmapper)" action=drop disable=yes;
/ip firewall filter add chain=[Link] protocol=tcp dst-port=137-139
comment="102C+: Bloqueo ([Link] [ 137-139 ] x posible NBT)" action=drop
disable=yes;
/ip firewall filter add chain=[Link] protocol=tcp dst-port=445 comment="103C+:
Bloqueo ([Link] [ 445 ] x posible CIFS)" action=drop disable=yes;
/ip firewall filter add chain=[Link] protocol=tcp dst-port=2049
comment="104C+: Bloqueo ([Link] [ 2049 ] x posible NFS)" action=drop
disable=yes;
/ip firewall filter add chain=[Link] protocol=tcp dst-port=3133
comment="105C+: Bloqueo ([Link] [ 3133 ] x posible BackOriffice)" action=drop
disable=yes;
/ip firewall filter add chain=[Link] protocol=tcp dst-port=12345-12346
comment="106C+: Bloqueo ([Link] [ 12345-12346 ] x posible NetBus)" action=drop
disable=yes;
/ip firewall filter add chain=[Link] protocol=tcp dst-port=20034
comment="107C+: Bloqueo ([Link] [ 20034 ] x posible NetBus)" action=drop
disable=yes;
# Reglas x Drop ([Link] x [Link]-TCPPort): ------------ [FIN]
# Reglas x Drop ([Link] x [Link]-UDPPort): ----------- [INI]
/ip firewall filter add chain=[Link] protocol=udp dst-port=69 comment="108C+:
Bloqueo ([Link] [ 69 ] x posible TFTP)" action=drop disable=yes;
/ip firewall filter add chain=[Link] protocol=udp dst-port=111 comment="109C+:
Bloqueo ([Link] [ 111 ] x posible PRC portmapper)" action=drop disable=yes;
/ip firewall filter add chain=[Link] protocol=udp dst-port=135 comment="110C+:
Bloqueo ([Link] [ 135 ] x posible PRC portmapper)" action=drop disable=yes;
/ip firewall filter add chain=[Link] protocol=udp dst-port=137-139
comment="111C+: Bloqueo ([Link] [ 137-139 ] x posible NBT)" action=drop
disable=yes;
/ip firewall filter add chain=[Link] protocol=udp dst-port=2049
comment="112C+: Bloqueo ([Link] [ 2049 ] x posible NFS)" action=drop
disable=yes;
/ip firewall filter add chain=[Link] protocol=udp dst-port=3133
comment="113C+: Bloqueo ([Link] [ 3133 ] x posible BackOriffice)" action=drop
disable=yes;
# Reglas x Drop ([Link] x [Link]-UDPPort): ----------- [FIN]
# Reglas x Drop ([Link]): --------------------------------------------------
[INI]
/ip firewall filter add chain=forward protocol=udp dst-port=500,1194,4500 src-
address-list=!”[Link]” comment=”200Cx: Add.1h (src-Address a T-
[Link] x [Link])” action=add-src-to-address-list log=no log-
prefix=”[[Link]]: ” address-list=[Link] address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=udp dst-port=500,1194,4500 src-
address-list=!”[Link]” comment=”201Cx: Bloqueo ([Link])”
action=drop log=no log-prefix=”[[Link]]: ” disable=yes;
/ip firewall filter add chain=forward protocol=tcp dst-port=1194,1701,1723 src-
address-list=!”[Link]” comment=”202Cx: Add.1h (dst-Address a T-
[Link] x [Link])” action=add-dst-to-address-list log=no log-
prefix=”[[Link]]: ” address-list=[Link] address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=tcp dst-port=1194,1701,1723 src-
address-list=!”[Link]” comment=”203Cx: Bloqueo ([Link])”
action=drop log=no log-prefix=”[[Link]]: ” disable=yes;
# ------------------------------------
# Same allow-list / record-1h / drop pattern for tunnel protocols that carry no
# port: GRE (PPTP data), IPsec ESP and AH, and IP-in-IP (ipencap). Each "Add"
# rule must stay above its "Bloqueo" twin; all ship disabled.
# NOTE(review): 209Cx's log-prefix has no trailing space (”[[Link]]:”) while
# every other rule uses ”[[Link]]: ” — harmless, but log lines will differ.
/ip firewall filter add chain=forward protocol=gre src-address-list=!”V-
[Link]” comment=”204Cx: Add.1h (src-Address a [Link] x VPN-
[Link])” action=add-src-to-address-list log=no log-prefix=”[[Link]]: ”
address-list=[Link] address-list-timeout=1h disable=yes;
/ip firewall filter add chain=forward protocol=gre src-address-list=!”V-
[Link]” comment=”205Cx: Bloqueo ([Link])” action=drop log=no log-
prefix=”[[Link]]: ” disable=yes;
/ip firewall filter add chain=forward protocol=ipsec-esp src-address-list=!”V-
[Link]” comment=”206Cx: Add.1h (src-Address a [Link] x
[Link])” action=add-src-to-address-list log=no log-prefix=”[VPN-
[Link]]: ” address-list=[Link] address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=ipsec-esp src-address-list=!”V-
[Link]” comment=”207Cx: Bloqueo ([Link])” action=drop log=no
log-prefix=”[[Link]]: ” disable=yes;
/ip firewall filter add chain=forward protocol=ipsec-ah src-address-list=!”V-
[Link]” comment=”208Cx: Add.1h (src-Address a [Link] x
[Link])” action=add-src-to-address-list log=no log-prefix=”[VPN-
[Link]]: ” address-list=[Link] address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=ipsec-ah src-address-list=!”V-
[Link]” comment=”209Cx: Bloqueo ([Link])” action=drop log=no
log-prefix=”[[Link]]:” disable=yes;
/ip firewall filter add chain=forward protocol=ipencap src-address-list=!”V-
[Link]” comment=”210Cx: Add.1h (src-Address a [Link] x
[Link])” action=add-src-to-address-list log=no log-prefix=”[VPN-
[Link]]: ” address-list=[Link] address-list-timeout=1h
disable=yes;
/ip firewall filter add chain=forward protocol=ipencap src-address-list=!”V-
[Link]” comment=”211Cx: Bloqueo ([Link])” action=drop
log=no log-prefix=”[[Link]]: ” disable=yes;
# ------------------------------------
# Dynamic-DNS quarantine. A LAN host that is not on the VPN allow-list and talks
# to an address on the DDNS list is recorded by 212Cx (30s) and 213Cx (1d);
# 214Cx then drops EVERY forwarded packet from LAN hosts on its source list —
# not only VPN ports. A false positive therefore cuts the host off for up to a
# day: keep the DDNS list curated and consider log=yes on 214Cx while tuning.
# NOTE(review): the export collapsed the list names to [Link], so it cannot be
# confirmed here that 214Cx reads the list 212Cx/213Cx fill — verify the names.
# NOTE(review): 212Cx and 213Cx add the same address to the same list with
# different timeouts; which timeout survives depends on the RouterOS version.
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=!”V-
[Link]” dst-address-list="[Link]" comment=”212Cx: Add.30s (src-
Address a [Link] x [Link] y ![Link])” action=add-src-
to-address-list address-list="[Link]" address-list-timeout=30s
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list=!”V-
[Link]” dst-address-list="[Link]" comment=”213Cx: Add.1d (src-
Address a [Link] x [Link] y ![Link])” action=add-src-
to-address-list address-list="[Link]" address-list-timeout=1d
disable=yes;
/ip firewall filter add chain=forward in-interface-list=LANs src-address-list="V-
[Link]" comment=”214Cx: Drop (src-Address a [Link] x
[Link])” action=drop disable=yes;
# Nota: Only drop standard [Link] (neither SSTP-TCP.433, except include V-
[Link]). Recordar que, según entiendo, las reglas de (Raw, Mangle y Filter), no
marcarán/bloquearán [Link] de las IPP Fijas dadas a Clientes.
# Reglas x Drop ([Link]): --------------------------------------------------
[FIN]
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------------------ [NAT]
----------------------------------------
#
-----------------------------------------------------------------------------------
--------
# Nateo ([Link] y [Link]): ----- [Opcional] ------ ( 1x [Link]/[Link] )
# ------------------------------------------------- [ [Link] (costo extra x IP)]
# Public-IP "sinkhole" for one customer address: inbound TCP/UDP to the listed
# management and file-sharing ports (SSH, telnet, DNS, DHCP/TFTP, RPC, NetBIOS,
# SNMP, SMB, NFS, …) is dst-nat'ed to 10..1, which the note below describes as
# either an address that does not exist on the LANs or a honeypot. These rules
# only work if they sit ABOVE the catch-all dst-nat (004C+) for the same IP.
# NAT diverts the traffic, it does not filter it: if 10..1 is a honeypot, make
# sure the filter chain bounds what that host can reach.
# NOTE(review): "X.Y.Z.(x)" and "10..1" are placeholders from the export; fill
# in real addresses before enabling.
/ip firewall nat add chain=dstnat dst-address=X.Y.Z.(x) protocol=tcp dst-
port=22,23,53,67-69,111,135,137-139,161,162,445,2049,3133,20034 comment=”002Cx:
NAT.C-IPPub ([Link]-Port –> 10..1, IN : ______,________________)” to-
address=10..1 action=dst-nat disable=yes;
/ip firewall nat add chain=dstnat dst-address=X.Y.Z.(x) protocol=udp dst-
port=22,23,53,69,111,135,137-139,161,162,445,2049,3133 comment=”003Cx: NAT.C-IPPub
([Link]-Port –> 10..1, IN : ______,________________)” to-address=10..1
action=dst-nat disable=yes;
# …
# Nota: Posicionar antes de (to-address=IPPriClient) y Activar solo en caso de
necesitar un Firewall x IPPubClient. Siendo (10.1), una [Link] inexistente en LANs
o la [Link] de una [Link].
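# 1:1 NAT for a customer public IP. 004C+ maps everything arriving for the
# public address to the customer's private address (no protocol/port
# restriction, so every service on that host becomes reachable — pair it with
# filter rules, and keep the sinkhole rules 002Cx/003Cx above it); 005C+
# rewrites the customer's outbound source to the public address.
# Fix: 005C+ used "scr-address", which RouterOS does not recognise; the
# property is src-address.
/ip firewall nat add chain=dstnat dst-address=X.Y.Z.(x) comment=”004C+: NAT.C-IPPub
(IN : ______,________________)” to-address=1..(x).(y) action=dst-nat disable=yes;
/ip firewall nat add chain=srcnat src-address=1..(x).(y) comment=”005C+: NAT.C-
IPPub (OUT: ______,________________)” to-address=X.Y.Z.(x) action=src-nat
disable=yes;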
# Nota: agregar (in/out-interface-list=WANs x IN/OUT, serían casi redundantes).
# ------------------------------------------------- [ [Link] (resta Port disp. en
RB)]
# Port redirect: UDP to the router's public address on port 9XXX is forwarded to
# the customer's private address on port 9YYY. There is no src-address or
# in-interface restriction, so the redirected service is reachable from
# anywhere that can reach the public IP; if it is a management service, bound
# it in the filter chain (NAT is evaluated before filter — see the note below).
# NOTE(review): 9XXX/9YYY/1..(x).(y) are placeholders; fill in before enabling.
/ip firewall nat add chain=dstnat protocol=udp dst-port=9XXX comment=”110C+:
Redirec [Link]-Port to RB.IPPub24 to (IPPriClient,PortDstClient (IN/OUT:
______,________________)” to-address=1..(x).(y) to-port=9YYY action=dst-nat
disable=yes;
# …
# Nota: para los puertos especiales (x [Link] o x [Link]: camera, ssh,
telnet, etc.), deben implementarse los redireccionamientos mediante el agregado de
reglas de Nateo (IPPubClient o [Link]), puesto que, el (/IP Firewall Nat)
se chequea antes del (/IP Firewall Filter).
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------------------ [NAT]
----------------------------------------
#
-----------------------------------------------------------------------------------
--------
QoS (Layer7+AddressList+Mangle+QueueTree): ---------------------- [ INI ]
Layer 7 (RegExp):
------------------------------------------------------------------------
(^): implica, coincidir desde el principio del string.
(.): implica, coincidir con cualquier carácter (uno solo; combinado con + o *, varios).
(+): cuantificador que define cuantos caracteres anteriores deben repetirse (+,
significa 1 o cualquier repetición).
(*): cuantificador que define cuantos caracteres anteriores deben repetirse (*,
significa 0 o cualquier repetición).
(\.): (\), se usa para indicar un punto literal (.), y evitar así, su confusión con el comodín (.).
($): implica, coincidencia con el fin del string.
Nota: el (protocolo layer 7), es un método de búsqueda de patrones (expresiones
regulares: regexp) en flujos (ICMP/TCP/UDP), pudiendo usarse, para bloqueo por
dominio. En base a los 1eros 10 paquetes de una new connection (o 2KB) – de no
encontrarse el patrón, se lo declara: no coincidente –.
...
...
# HTB (Layer7 Rules): ----------------------------------------------------- [ INI ]
# En análisis de HTB, es previo al de [Link] en el Flow de RouterOS.
# Down (¿50M?):
------------------------------------------------------------------------
# Layer-7 patterns. The matcher only sees the first ~10 packets / 2KB of a
# connection (see the note above) and costs CPU on every connection it is
# attached to, so keep these tied to narrow mangle rules.
# NOTE(review): the export replaced dotted names with [Link], including parts
# of the patterns themselves (every "name=" and the token before "id20:") —
# restore them from the original before loading; as written several rules
# would share the same name.
# NOTE(review): in the file-download pattern "ro*|r1*" is presumably the split
# RAR volumes "r0*|r1*" and "mp|" presumably "mp4|" — confirm against the source.
# "info_hash=get /announce" with no "|" between the alternatives matches the
# widely copied l7-filter BitTorrent pattern verbatim, so it is left as is; the
# "Expert" copy additionally lost the space in "GET/data" — presumably a typo.
# The VideoStream pattern "(videoplayback|video)" matches any payload that
# merely contains the word "video", so expect false positives.
/ip firewall layer7-protocol add name=[Link] regexp="^.+\\.(exe|rar|zip|7z|cab|
asf|mov|vob|wmv|mpg|mpeg|mkv|avi|flv|wav|rm|mp3|mp|ram|rmvb|dat|daa|iso|nrg|bin|
vcd|3gp|aac|ace|aif|arj|bz2|gz|gzip|img|lzh|m4a|m4v|mpa|mpe|msi|msu|ogg|ogv|pdf|
plj|pps|ppt|qt|ro*|r1*|ra|rm|sea|sit|sitx|tar|tif|tiff|z|001|002|003|004|005).*\$"
comment="028C+: L7 (Patron regular de [Link])";
/ip firewall layer7-protocol add name=[Link] regexp=”^.+(videoplayback|
video).*\$” comment="001C+: L7 (Patron regular de VideoStream)";
/ip firewall layer7-protocol add name=[Link] regexp="^.+(get|GET).+(torrent|
thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
comment="002C+: L7 (Patron regular de [Link])";
/ip firewall layer7-protocol add name=[Link] regexp="^.+(torrent|thepiratebay|
isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|
bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$" comment="003C+: L7
(Patron regular de [Link])";
/ip firewall layer7-protocol add name=[Link] regexp="^.+(\\x13bittorrent
protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get
/client/bitcomet/|GET /data\\\?fid=)|[Link]id20:|\\x08'7P\\)[RP].*\$"
comment="004C+: L7 (Patron regular de [Link])";
# Note: BitTorrent: (6881-6999)
/ip firewall layer7-protocol add name=[Link] regexp="^.+(\\x13bittorrent
protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get
/client/bitcomet/|GET/data\\\?fid=)|[Link]id20:|\\x08'7P\\)[RP].*\$"
comment="005C+: L7 (Patron regular de [Link]-Expert)";
# [Link]:
-----------------------------------------------------------------------
/ip firewall layer7-protocol add name=SpeedTest regexp="^.+([Link]|
[Link]|spe [Link]|[Link]|
[Link]|[Link]).*\$" comment="006C+: L7 (Patron
regular de SpeedTest)";
# [Link]:
---------------------------------------------------------------------------
# …
# HTB (Mangle Rules): ---------------------------------------------------- [ INI ]
# Mecanismo similar a Firewall, salvo que agrega un condicional (passthrough=no),
que evita que continúe descendiendo.
# VoIP (Mangle Rules):
-----------------------------------------------------------------
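# VoIP marking. Each pair works the same way: the first rule marks the
# CONNECTION on its first packet (connection-state=new, passthrough=yes so the
# rule below still runs), the second marks every PACKET of a marked connection
# (passthrough=no, so no later mangle rule re-marks it). dst-address=X.X.X.X is
# a placeholder for the telephony provider's address; replace it before enabling.
# Fix: several parameters were fused in the source ("connection-state=newcomment=",
# "passthrough=yesdisable=yes", "passthrough=nodisable=yes",
# "new-dscp=46passthrough=no") and 004Cx ended in a stray "X"; RouterOS rejects
# such lines. They are separated here.
# NOTE(review): "[Link]=yes" / "[Link]=no" on 003Cx-006Cx is an export artefact
# that swallowed the mark name and (presumably) the passthrough= keyword — restore
# both before loading.
/ip firewall mangle add chain=forward dst-address=X.X.X.X protocol=udp port=10000-
20000 connection-state=new comment="001Cx: Marco ([Link])" action=mark-
connection new-connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="002Cx:
Marco (VoIP-RTP.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
# Note: (87.2k per call. Change [Link] (C-Telefonica and [Link]). RTP carries the
# voice itself)
/ip firewall mangle add chain=forward dst-address=X.X.X.X protocol=tcp dst-
port=5060-5061 connection-state=new comment="003Cx: Marco ([Link])"
action=mark-connection new-connection-mark=[Link]=yes
disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="004Cx: Marco (VoIP-SIPTCP.1erPacket)" action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link]=no disable=yes;
/ip firewall mangle add chain=forward dst-address=X.X.X.X protocol=udp dst-
port=5060-5061 connection-state=new comment="005Cx: Marco ([Link])"
action=mark-connection new-connection-mark=[Link]=yes
disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="006Cx: Marco (VoIP-SIPUDP.1erPacket)" action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link]=no disable=yes;
# Note: (65k per call. Change [Link] (C-Telefonica and [Link]: VPN(x)), TCP and
# UDP. SIP sets up the session (RING))
# DSCP rewrite: 007Cx stamps VoIP packets arriving from the WANs with DSCP 10,
# 008Cx stamps those leaving toward the LANs with DSCP 46 (EF).
# NOTE(review): 007Cx matches packet-mark in prerouting, but the VoIP packet
# marks above are assigned in the forward chain, which runs AFTER prerouting for
# the same packet — confirm the mark is visible there, or move the marking to
# prerouting.
/ip firewall mangle add chain=prerouting in-interface-list=WANs packet-mark=VoIP-
[Link] comment="007Cx: Change ([Link] Of Service)" action=change-dscp
log=no log-prefix=”[Link] (Change)“ new-dscp=10 passthrough=no disable=yes;
/ip firewall mangle add chain=postrouting out-interface-list=LANs packet-mark=VoIP-
[Link] comment="008Cx: Change([Link] Of Service)" action=change-dscp
log=no log-prefix=”[Link] (Change)“ new-dscp=46 passthrough=no disable=yes;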
# Nota: efectivo, en redes que soportan tratamiento por DSCP (priorización de
paquetes: 01-64) – obviamente, debe coincidir con config de [Link] –. Se
recomienda, crear VLAN(x) x (out-interface) exclusiva para VoIP.
# IPTV (Mangle Rules): --------------------------------------------------------
[ HLS ]
# IPTV (HLS over TCP/80 to the IPTV server): mark the connection on its first
# packet, then mark every packet of it (passthrough=no stops later re-marking).
# X.X.X.X is a placeholder for the IPTV server address — fill in before enabling.
/ip firewall mangle add chain=forward dst-address=X.X.X.X protocol=tcp port=80
connection-state=new comment="009Cx: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="010Cx:
Marco (IPTV.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-packet-
mark=[Link] passthrough=no disable=yes;
# Nota: (790k x Señal, en H.265). Es un servicio intranet. Fundamental: priorizar
paquetes TCP (SYN – inicio de negociación –/ACK – acuse de recibo –).
# DNS (Mangle Rules): -------------------------------------------- [[Link]=ON]
# DNS marking (UDP/53 and TCP/53). These sit in prerouting with no interface
# restriction (the note below says this was deliberate, to save CPU), so
# queries aimed at the router's own resolver from any interface are marked as
# well. Marking does not restrict anything — access to the router's resolver
# still has to be limited in the input filter chain.
/ip firewall mangle add chain=prerouting protocol=udp dst-port=53 connection-
state=new comment="011C+: Marco ([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=prerouting connection-mark=[Link]
comment="012C+: Marco (DNS-UDP.1erPacket)" action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link] passthrough=no disable=yes;
# Note: (UDP), name-resolution request and (reply < 512b).
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=53 connection-
state=new comment="013C+: Marco ([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=prerouting connection-mark=[Link]
comment="014C+: Marco (DNS-TCP.1erPacket)" action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link] passthrough=no disable=yes;
# Nota: (TCP), only x (respuesta >= 512b) y x CPU--, no establecí: (in-interface-
list=LANs).
# ICMP (Mangle Rules):
-----------------------------------------------------------------
# ICMP marking (forward chain, any interface): connection marked on its first
# packet, then every packet of it marked; passthrough=no stops later re-marking.
/ip firewall mangle add chain=forward protocol=icmp connection-state=new
comment="015C+: Marco ([Link])" action=mark-connection new-connection-
mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="016C+:
Marco (ICMP.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-packet-
mark=[Link] passthrough=no disable=yes;
# Nota: x CPU--, no establecí: (in-interface-list=LANs).
# [Link] (Mangle Rules):
--------------------------------------------------------
# Social-media / streaming marking by destination address-list ("S-…" lists,
# populated elsewhere — not shown here). Same pair pattern: mark-connection on
# the first packet (passthrough=yes), then mark-packet with passthrough=no.
# Because the mark-packet rule stops processing, a connection caught by one of
# these pairs never reaches the generic HTTPS/HTTP/Resto pairs further down —
# rule order encodes precedence. Classification is only as accurate as the
# address lists; shared CDN addresses will be attributed to whichever list
# holds them.
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="017C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="018C+:
Marco (Youtube.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="019C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="020C+:
Marco (Facebook.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="021C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="022C+:
Marco (Twitter.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="023C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="024C+: Marco (Instagram.1erPacket)" action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="025C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="026C+:
Marco (Netflix.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="027C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="028C+:
Marco (Whatsapp.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
# Note: [Link]=TCP: (4244,5222,5223,5228,5242), TCP/UDP: (50318,59234) and
# UDP: (3478,45395).
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="029C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="030C+:
Marco (Skype.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="031C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="032C+:
Marco (Spotify.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="033C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="034C+:
Marco (Snapchat.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="035C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="036C+:
Marco (Telegram.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="037C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="038C+:
Marco (Twitch.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=S-
[Link] comment="039C+: Marco([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="040C+:
Marco (Vimeo.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
# Nota: Dejé espacio x (17) reglas de social media más.
# HTTPS (Mangle Rules):
---------------------------------------------------------------
# HTTPS marking: UDP/443 (QUIC) and TCP/443. Placed after the address-list pairs
# above on purpose — those stop processing with passthrough=no, so only
# connections none of them claimed fall through to here.
/ip firewall mangle add chain=forward protocol=udp dst-port=443 connection-
state=new comment="075C+: Marco ([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="076C+: Marco (HTTPS-UDP.1erPacket)" action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward protocol=tcp dst-port=443 connection-
state=new comment="077C+: Marco ([Link])" action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="078C+: Marco (HTTPS-TCP.1erPacket)" action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link] passthrough=no disable=yes;
# HTTP (Mangle Rules):
-----------------------------------------------------------------
# HTTP marking (TCP 80 and 8080). Same pair pattern; anything this pair claims
# will not reach the Layer-7 "Down" pairs below, which also look at new
# connections on these ports.
/ip firewall mangle add chain=forward protocol=tcp dst-port=80,8080 connection-
state=new comment="079C+: Marco([Link])" action=mark-connection new-connection-
mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="080C+:
Marco (HTTP.1erPacket)" action=mark-packet log=no log-prefix=[Link] new-packet-
mark=[Link] passthrough=no disable=yes;
# Down (¿50M?) (Mangle Rules):
-----------------------------------------------------
# Layer-7 based marking (file download, video stream, P2P via WWW/DNS/BitTorrent)
# with a connection-bytes=50M qualifier; all shipped disabled.
# NOTE(review): with connection-state=new only the very first packet of the
# connection (for TCP the SYN, which carries no payload) is evaluated, yet the
# L7 matcher needs payload and a brand-new connection has transferred ~0 bytes,
# so the connection-bytes=50M condition cannot hold either — presumably these
# rules never fire as written. Consider dropping connection-state=new (and, per
# the note below, reconsidering connection-bytes) and test that the marks are
# actually applied.
# NOTE(review): they also sit below the HTTP/HTTPS pairs, whose mark-packet
# rules stop processing; with 079C+/080C+ enabled a port-80 download is
# already marked HTTP before it reaches 111Cx.
/ip firewall mangle add chain=forward connection-state=new layer7-
protocol=[Link] connection-bytes=50M comment="111Cx: Marco ([Link]) :: "
action=mark-connection new-connection-mark=[Link] passthrough=yes
disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="112Cx:
Marco (FileDown.1erPacket) :: " action=mark-packet log=no log-prefix=[Link]
new-packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new layer7-
protocol=[Link] connection-bytes=50M comment="113Cx: Marco
([Link]) :: " action=mark-connection new-connection-
mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="114Cx: Marco (VideoStreaming.1erPacket) :: " action=mark-packet log=no
log-prefix=[Link] new-packet-mark=[Link] passthrough=no
disable=yes;
/ip firewall mangle add chain=forward connection-state=new layer7-protocol=[Link]
connection-bytes=50M comment="115Cx: Marco ([Link]) :: " action=mark-
connection new-connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="116Cx:
Marco (P2PWWW.1erPacket) :: " action=mark-packet log=no log-prefix=[Link]
new-packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new layer7-protocol=[Link]
connection-bytes=50M comment="117Cx: Marco ([Link]) :: " action=mark-
connection new-connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="118Cx:
Marco (P2PDNS.1erPacket) :: " action=mark-packet log=no log-prefix=[Link]
new-packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new layer7-protocol=[Link]
connection-bytes=50M comment="119Cx: Marco ([Link]) :: " action=mark-
connection new-connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="120Cx:
Marco (P2PBitTorrent.1erPacket) :: " action=mark-packet log=no log-prefix=P2P-
[Link] new-packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward connection-state=new layer7-
protocol=[Link] connection-bytes=50M comment="121Cx: Marco ([Link])
:: " action=mark-connection new-connection-mark=[Link] passthrough=yes
disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="122Cx:
Marco (P2PBitTorrentE.1erPacket) :: " action=mark-packet log=no log-prefix=P2P-
[Link] new-packet-mark=[Link] passthrough=no disable=yes;
# Nota: decidir si conviene o no usar (connection-bytes=50M).
# [Link] (Mangle Rules):
---------------------------------------------------
# VPN (Mangle Rules):
-----------------------------------------------------------------
# VPN marking, one pair per transport: UDP 500/1194/4500, TCP 1194/1701/1723,
# GRE, IPsec ESP, IPsec AH, IP-in-IP, plus connections to the DDNS address-list.
# These mirror the filter rules 200Cx-214Cx above: the filter decides whether a
# VPN is allowed, these only classify what is allowed for the queue tree. As
# the note below says, only the standard ports are covered — a VPN running over
# TCP/443 is classified as HTTPS by 077C+ instead.
/ip firewall mangle add chain=forward protocol=udp dst-port=500,1194,4500
connection-state=new comment="123C+: Marco ([Link]) :: " action=mark-
connection new-connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="124C+:
Marco (VPN-UDP.1erPacket) :: " action=mark-packet log=no log-prefix=[Link]
new-packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward protocol=tcp dst-port=1194,1701,1723
connection-state=new comment="125C+: Marco ([Link]) :: " action=mark-
connection new-connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="126C+:
Marco (VPN-TCP.1erPacket) :: " action=mark-packet log=no log-prefix=[Link]
new-packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward protocol=gre connection-state=new
comment="127C+: Marco ([Link]) :: " action=mark-connection new-connection-
mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="128C+:
Marco (VPN-GRE.1erPacket) :: " action=mark-packet log=no log-prefix=[Link]
new-packet-mark=[Link] passthrough=no disable=yes;
/ip firewall mangle add chain=forward protocol=ipsec-esp connection-state=new
comment="129C+: Marco ([Link]) :: " action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="130C+: Marco (VPN-IPSECESP.1erPacket) :: " action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link] passthrough=no
disable=yes;
/ip firewall mangle add chain=forward protocol=ipsec-ah connection-state=new
comment="131C+: Marco ([Link]) :: " action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="132C+: Marco (VPN-IPSECAH.1erPacket) :: " action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link] passthrough=no
disable=yes;
/ip firewall mangle add chain=forward protocol=ipencap connection-state=new
comment="133C+: Marco ([Link]) :: " action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="134C+: Marco (VPN-IPENCAP.1erPacket) :: " action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link] passthrough=no
disable=yes;
/ip firewall mangle add chain=forward connection-state=new dst-address-list=V-
[Link] comment="135C+: Marco ([Link]) :: " action=mark-connection new-
connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="136C+:
Marco (VPN-DDNS.1erPacket) :: " action=mark-packet log=no log-prefix=[Link]
new-packet-mark=[Link] passthrough=no disable=yes;
# Nota: only drop standard [Link] (neither SSTP-TCP.433, except include V-
[Link]).
# FTP/SFTP (Mangle Rules):
------------------------------------------------------------
# FTP/SFTP marking on TCP 20-23 — note that range also covers SSH (22) and
# telnet (23), so interactive sessions on those ports get the FTP mark too.
# NOTE(review): packet-size=1400-1500 combined with connection-state=new means
# the rule only matches a first packet of 1400+ bytes; a TCP SYN is far
# smaller, so as written this pair presumably never marks anything. Either drop
# packet-size or drop connection-state=new — confirm on the device.
/ip firewall mangle add chain=forward protocol=tcp dst-port=20-23 packet-size=1400-
1500 connection-state=new comment="140C+: Marco (FTP/[Link]) :: " action=mark-
connection new-connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="141C+:
Marco (FTP.1erPacket) :: " action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
# SpeedTest (Mangle Rules):
-----------------------------------------------------------
# SpeedTest marking via the SpeedTest Layer-7 pattern defined above.
# NOTE(review): as with the other L7 pairs, connection-state=new exposes only
# the payload-less first packet to the matcher — confirm this rule ever fires.
/ip firewall mangle add chain=forward connection-state=new layer7-
protocol=SpeedTest comment="142Cx: Marco ([Link]) :: " action=mark-
connection new-connection-mark=[Link] passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link]
comment="143Cx: Marco (SpeedTest.1erPacket) :: " action=mark-packet log=no log-
prefix=[Link] new-packet-mark=[Link] passthrough=no disable=yes;
# … (reservado hasta 179C)
# Resto de conexiones (Mangle Rules):
----------------------------------------------
# Catch-all: every new connection no earlier pair claimed gets the "Resto"
# marks. It must remain the LAST marking pair — anything placed below it is
# never reached because 181C+ stops processing (passthrough=no).
/ip firewall mangle add chain=forward connection-state=new comment="180C+: Marco
([Link]) :: " action=mark-connection new-connection-mark=[Link]
passthrough=yes disable=yes;
/ip firewall mangle add chain=forward connection-mark=[Link] comment="181C+:
Marco (Resto.1erPacket) :: " action=mark-packet log=no log-prefix=[Link] new-
packet-mark=[Link] passthrough=no disable=yes;
# Nota: (asignar AB restante hasta [Link]-limit).
# -------------------------- HTB (QueueTree Rules): ----------------- [ INI: 01 ]
# En QueueTree, no es posible usar interface-list (LANs), solo interface (etherX).
# [Link] (Crea Variables):
---------------------------------------------------
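# Per-router interface variables for the queue tree (QueueTree takes a concrete
# interface, not an interface-list — see the note above). Three alternative
# sets follow, one per router: run only the set that matches the device, since
# every set redefines the same globals and the last one executed wins.
# Fix: the interface names were wrapped in typographic quotes (“ ”), which the
# RouterOS parser does not accept; replaced with plain ASCII quotes. The
# comment on InterfLAN3 said LAN2.
# [Link]
:global InterfWAN1 "ether1"; # RB1.WAN1 (interface) [ ISP.01 ]
:global InterfWAN2 "ether2"; # RB1.WAN2 (interface) [ ISP.02 ]
:global InterfLAN1 "ether3"; # RB1.LAN1 (interface) [ ]
:global InterfLAN2 "ether4"; # RB1.LAN2 (interface) [ ]
:global InterfLAN3 "ether5"; # RB1.LAN3 (interface) [ ]
# ---------------------------------------------
# [Link]
# NOTE(review): the two WAN lines of this set still say RB1 while its LAN lines
# say RB2 — presumably a copy-paste leftover; the header was lost in the export.
:global InterfWAN1 "ether1"; # RB1.WAN1 (interface) [ ISP.01 ]
:global InterfWAN2 "ether2"; # RB1.WAN2 (interface) [ ISP.02 ]
:global InterfLAN1 "ether4"; # RB2.LAN1 (interface) [ ]
:global InterfLAN2 "ether5"; # RB2.LAN2 (interface) [ ]
# ---------------------------------------------
# [Link]
:global InterfWAN1 "ether4"; # RB1.WAN1 (interface) [ ISP.01 ]
:global InterfLAN1 "ether-HFC"; # RB3.LAN1 (interface) [ CMTS ]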
# QoS connections (QueueTree Rules): -------------------------------------------
# -----------------------------------------------------------------------------
[ INI ]
# [Link] connections (QueueTree Rules): ----------------------------------
# -----------------------------------------------------------------------------
[ INI ]
# [ Nivel 01 ] -------------------------------------------------------------------
[ INI ]
# HTB queue tree rooted on $InterfWAN1. Children are selected by the packet
# marks assigned in the mangle section above (the mark names were collapsed to
# [Link] by the export — they must match the new-packet-mark values exactly or
# the leaf never sees traffic). priority=1 is served first, 8 last;
# limit-at=0 / max-limit=0 means no guarantee and no ceiling.
# NOTE(review): a queue tree whose parent is an interface shapes traffic
# LEAVING that interface, so parent=$InterfWAN1 acts on what goes out toward
# the ISP — confirm this is the intended direction for a "Down" policy.
# NOTE(review): with max-limit=0 on the root (010000.WAN1) HTB has no ceiling
# to enforce, so the priorities below do not bite until the root max-limit is
# set slightly below the real link rate.
/queue tree add name=010000.WAN1 parent=$InterfWAN1 limit-at=0 max-limit=0
priority=8 queue=ethernet-default comment="001C+: QoS ([Link]) :: " disable=yes;
# [ Nivel 02 ] ---------------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=010000.WAN1 limit-at=0 max-limit=0
priority=1 queue=ethernet-default comment="002Cx: QoS ([Link]) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-
at=0 max-limit=0 priority=1 queue=ethernet-default comment="003Cx: QoS ([Link]-
RTP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=1 queue=ethernet-default comment="004Cx: QoS
([Link]-SIPTCP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=1 queue=ethernet-default comment="005Cx: QoS
([Link]-SIPUDP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=[Link] parent=010000.WAN1 packet-mark=[Link] limit-
at=0 max-limit=0 priority=2 queue=ethernet-default comment="006Cx: QoS ([Link])
:: " disable=yes;
# DNS gets a real reservation (256k guaranteed, 512k cap) split over UDP/TCP.
/queue tree add name=[Link] parent=010000.WAN1 limit-at=256k max-limit=512k
priority=2 queue=ethernet-default comment="007C+: QoS ([Link]) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link]-UDP parent=[Link] packet-mark=[Link]
limit-at=128k max-limit=256k priority=2 queue=ethernet-default comment="008C+: QoS
([Link]-UDP) :: " disable=yes;
/queue tree add name=[Link]-TCP parent=[Link] packet-mark=[Link]
limit-at=128k max-limit=256k priority=2 queue=ethernet-default comment="009C+: QoS
([Link]-TCP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=[Link] parent=010000.WAN1 packet-mark=[Link] limit-
at=128k max-limit=256k priority=2 queue=ethernet-default comment="010C+: QoS
([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=010000.WAN1 limit-at=0 max-limit=0
priority=3 queue=ethernet-default comment="011C+: QoS ([Link]) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="012C+: QoS
([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="013C+: QoS
([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-
mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="014C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-
mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="015C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="016C+: QoS
([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-
mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="017C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="018C+: QoS
([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="019C+: QoS
([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-
mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="020C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-
mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default
comment="021C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="022C+: QoS
([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="023C+: QoS
([Link]) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=[Link] parent=010000.WAN1 packet-mark=[Link]
limit-at=0 max-limit=0 priority=4 queue=ethernet-default comment="041C+: QoS
([Link]-TCP) :: " disable=yes;
/queue tree add name=[Link] parent=010000.WAN1 packet-mark=[Link]
limit-at=0 max-limit=0 priority=4 queue=ethernet-default comment="042C+: QoS
([Link]-UDP) :: " disable=yes;
/queue tree add name=[Link] parent=010000.WAN1 packet-mark=[Link] limit-
at=0 max-limit=0 priority=4 queue=ethernet-default comment="043C+: QoS
([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=010000.WAN1 limit-at=0 max-limit=0
priority=5 queue=ethernet-default comment="044C+: QoS ([Link]) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="045C+: QoS
([Link]-TCP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="046C+: QoS
([Link]-UDP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="047C+: QoS
([Link]-GRE) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=VPN-
[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default
comment="048C+: QoS ([Link]-IPSECESP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=VPN-
[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default
comment="049C+: QoS ([Link]-IPSECAH) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=VPN-
[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default
comment="050C+: QoS ([Link]-IPENCAP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="051C+: QoS
([Link]-DDNS) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=[Link] parent=010000.WAN1 packet-mark=[Link] limit-at=0
max-limit=0 priority=5 queue=ethernet-default comment="052C+: QoS
([Link]/SFTP) :: " disable=yes;
/queue tree add name=[Link] parent=010000.WAN1 packet-mark=[Link]
limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="053Cx: QoS
([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=010000.WAN1 limit-at=0 max-limit=0
priority=6 queue=ethernet-default comment="060Cx: QoS ([Link]) :: "
disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="061Cx: QoS
([Link] Down) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-
mark=[Link] limit-at=0 max-limit=0 priority=6 queue=ethernet-default
comment="062Cx: QoS ([Link]) :: " disable=yes;
/queue tree add name=011503.P2PWWW parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="063Cx: QoS
(WAN1.P2PWWW) :: " disable=yes;
/queue tree add name=011504.P2PDNS parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="064Cx: QoS
(WAN1.P2PDNS) :: " disable=yes;
/queue tree add name=011505.P2PBitT parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="065Cx: QoS
(WAN1.P2PBitTorrent) :: " disable=yes;
/queue tree add name=011506.P2PBitTE parent=[Link] packet-mark=[Link]
limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="066Cx: QoS
(WAN1.P2PBitTorrentExp) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=[Link] parent=010000.WAN1 packet-mark=[Link] limit-
at=0 max-limit=0 priority=7 queue=ethernet-default comment="099C+: QoS
([Link]) :: " disable=yes;
# [ Nivel 02 ] -------------------------------------------------------------------
[ FIN ]
# [ Nivel 01 ] -------------------------------------------------------------------
[ FIN ]
# [Link] connections (QueueTree Rules): ---------------------------------
# -----------------------------------------------------------------------------
[ INI ]
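# [ Nivel 01 ] ------------------------------------------------------------------- [ INI ]
# LAN1 queue tree: one HTB rooted on the LAN1 interface (taken from the
# $InterfLAN1 variable, which the cleanup block later in this file removes),
# one level-2 class per priority band (1 = highest of the children, 7 = lowest,
# 8 for the root itself) and level-3 leaves selected by the packet-mark that
# /ip firewall mangle assigns. limit-at=0 / max-limit=0 means no reservation
# and no cap; only the 107C+ band and the 110C+ leaf carry real figures.
# Every entry is created disabled: the "FINALMENTE" section at the end of the
# file enables the "C+:" comments and leaves the "Cx:" ones off.
# Import note: the comment strings of 111C+ and 142C+ used a typographic
# opening quote in the source, which is not a RouterOS string delimiter and
# stops the import at that line; they are plain ASCII quotes here. Statements
# that were wrapped across lines have been rejoined, one per line.
/queue tree add name=020000.LAN1 parent=$InterfLAN1 limit-at=0 max-limit=0 priority=8 queue=ethernet-default comment="101C+: QoS ([Link]) :: " disable=yes;
# [ Nivel 02 ] ---------------------------------------------------------- [ INI ]
# Priority 1: voice (RTP, plus SIP signalling over TCP and UDP).
/queue tree add name=[Link] parent=020000.LAN1 limit-at=0 max-limit=0 priority=1 queue=ethernet-default comment="102Cx: QoS ([Link]) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=1 queue=ethernet-default comment="103Cx: QoS ([Link]-RTP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=1 queue=ethernet-default comment="104Cx: QoS ([Link]-SIPTCP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=1 queue=ethernet-default comment="105Cx: QoS ([Link]-SIPUTP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
# Priority 2: 107C+ reserves 256k and caps at 512k, and its two leaves split
# that evenly (128k/256k each); 110C+ gets the same per-leaf figures directly
# under the root.
/queue tree add name=[Link] parent=020000.LAN1 packet-mark=[Link] limit-at=0 max-limit=0 priority=2 queue=ethernet-default comment="106Cx: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=020000.LAN1 limit-at=256k max-limit=512k priority=2 queue=ethernet-default comment="107C+: QoS ([Link]) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link]-UDP parent=[Link] packet-mark=[Link] limit-at=128k max-limit=256k priority=2 queue=ethernet-default comment="108C+: QoS ([Link]-UDP) :: " disable=yes;
/queue tree add name=[Link]-TCP parent=[Link] packet-mark=[Link] limit-at=128k max-limit=256k priority=2 queue=ethernet-default comment="109C+: QoS ([Link]-TCP) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=[Link] parent=020000.LAN1 packet-mark=[Link] limit-at=128k max-limit=256k priority=2 queue=ethernet-default comment="110C+: QoS ([Link]) :: " disable=yes;
# Priority 3: one class holding the twelve per-mark leaves 112C+ .. 123C+.
/queue tree add name=[Link] parent=020000.LAN1 limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="111C+: QoS ([Link]) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="112C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="113C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="114C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="115C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="116C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="117C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="118C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="119C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="120C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="121C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="122C+: QoS ([Link]) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=3 queue=ethernet-default comment="123C+: QoS ([Link]) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
# Priority 4: three marked leaves directly under the root (a TCP and a UDP
# variant plus one more).
/queue tree add name=[Link] parent=020000.LAN1 packet-mark=[Link] limit-at=0 max-limit=0 priority=4 queue=ethernet-default comment="141C+: QoS ([Link]-TCP) :: " disable=yes;
/queue tree add name=[Link] parent=020000.LAN1 packet-mark=[Link] limit-at=0 max-limit=0 priority=4 queue=ethernet-default comment="142C+: QoS ([Link]-UDP) :: " disable=yes;
/queue tree add name=[Link] parent=020000.LAN1 packet-mark=[Link] limit-at=0 max-limit=0 priority=4 queue=ethernet-default comment="143C+: QoS ([Link]) :: " disable=yes;
# Priority 5: the VPN/tunnel class 144C+ (TCP, UDP, GRE, IPsec ESP/AH,
# IP-in-IP and DDNS leaves; the three VPN-* marks come from the mangle table),
# then the file-transfer leaf 152C+ and 153Cx directly under the root.
/queue tree add name=[Link] parent=020000.LAN1 limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="144C+: QoS ([Link]) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="145C+: QoS ([Link]-TCP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="146C+: QoS ([Link]-UDP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="147C+: QoS ([Link]-GRE) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=VPN-[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="148C+: QoS ([Link]-IPSECESP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=VPN-[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="149C+: QoS ([Link]-IPSECAH) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=VPN-[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="150C+: QoS ([Link]-IPENCAP) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="151C+: QoS ([Link]-DDNS) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=[Link] parent=020000.LAN1 packet-mark=[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="152C+: QoS ([Link]/SFTP) :: " disable=yes;
/queue tree add name=[Link] parent=020000.LAN1 packet-mark=[Link] limit-at=0 max-limit=0 priority=5 queue=ethernet-default comment="153Cx: QoS ([Link]) :: " disable=yes;
# Priority 6: bulk / P2P class 160Cx with its download, WWW, DNS and
# BitTorrent leaves.
/queue tree add name=[Link] parent=020000.LAN1 limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="160Cx: QoS ([Link]) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="161Cx: QoS ([Link] Down) :: " disable=yes;
/queue tree add name=[Link] parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="162Cx: QoS ([Link]) :: " disable=yes;
/queue tree add name=021503.P2PWWW parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="163Cx: QoS (LAN1.P2PWWW) :: " disable=yes;
/queue tree add name=021504.P2PDNS parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="164Cx: QoS (LAN1.P2PDNS) :: " disable=yes;
/queue tree add name=021505.P2PBitT parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="165Cx: QoS (LAN1.P2PBitTorrent) :: " disable=yes;
/queue tree add name=021506.P2PBitTE parent=[Link] packet-mark=[Link] limit-at=0 max-limit=0 priority=6 queue=ethernet-default comment="166Cx: QoS (LAN1.P2PBitTorrentExp) :: " disable=yes;
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
# Priority 7: the last, lowest-priority marked leaf (199C+).
/queue tree add name=[Link] parent=020000.LAN1 packet-mark=[Link] limit-at=0 max-limit=0 priority=7 queue=ethernet-default comment="199C+: QoS ([Link]) :: " disable=yes;
# [ Nivel 02 ] ---------------------------------------------------------- [ FIN ]
# [ Nivel 01 ] ------------------------------------------------------------------- [ FIN ]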
# [ Nivel 01 ] ------------------------------------------------------------------- [ INI ]
# LAN2 queue tree, the twin of the LAN1 tree above: root class on the
# $InterfLAN2 interface (priority 8), a level-2 class per priority band and
# packet-mark leaves at level 3. Bandwidth figures appear only on the 207C+
# band (256k/512k, split 128k/256k per leaf) and on the 210C+ leaf; every
# other limit-at/max-limit is 0, i.e. unreserved and uncapped. All entries
# are added disabled and are switched on later by comment tag ("C+:" vs "Cx:").
# Parameters are written in the same order on every line: identity, queue
# type, priority, mark, limits, state, comment.
/queue tree add name=030000.LAN2 parent=$InterfLAN2 queue=ethernet-default priority=8 limit-at=0 max-limit=0 disable=yes comment="201C+: QoS ([Link]) :: ";
# [ Nivel 02 ] ---------------------------------------------------------- [ INI ]
# band 1 - voice: RTP and SIP (TCP/UDP) leaves
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=1 limit-at=0 max-limit=0 disable=yes comment="202Cx: QoS ([Link]) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=1 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="203Cx: QoS ([Link]-RTP) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=1 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="204Cx: QoS ([Link]-SIPTCP) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=1 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="205Cx: QoS ([Link]-SIPUTP) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
# band 2 - 206Cx leaf, the 207C+ class with its UDP/TCP leaves, and the 210C+ leaf
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=2 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="206Cx: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=2 limit-at=256k max-limit=512k disable=yes comment="207C+: QoS ([Link]) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link]-UDP parent=[Link] queue=ethernet-default priority=2 packet-mark=[Link] limit-at=128k max-limit=256k disable=yes comment="208C+: QoS ([Link]-UDP) :: ";
/queue tree add name=[Link]-TCP parent=[Link] queue=ethernet-default priority=2 packet-mark=[Link] limit-at=128k max-limit=256k disable=yes comment="209C+: QoS ([Link]-TCP) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=2 packet-mark=[Link] limit-at=128k max-limit=256k disable=yes comment="210C+: QoS ([Link]) :: ";
# band 3 - class 211C+ holding leaves 212C+ .. 223C+
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=3 limit-at=0 max-limit=0 disable=yes comment="211C+: QoS ([Link]) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="212C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="213C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="214C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="215C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="216C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="217C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="218C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="219C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="220C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="221C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="222C+: QoS ([Link]) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=3 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="223C+: QoS ([Link]) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
# band 4 - three marked leaves straight under the root
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=4 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="241C+: QoS ([Link]-TCP) :: ";
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=4 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="242C+: QoS ([Link]-UDP) :: ";
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=4 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="243C+: QoS ([Link]) :: ";
# band 5 - VPN/tunnel class 244C+ (TCP, UDP, GRE, ESP, AH, IP-in-IP, DDNS), then 252C+ and 253Cx
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=5 limit-at=0 max-limit=0 disable=yes comment="244C+: QoS ([Link]) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=5 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="245C+: QoS ([Link]-TCP) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=5 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="246C+: QoS ([Link]-UDP) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=5 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="247C+: QoS ([Link]-GRE) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=5 packet-mark=VPN-[Link] limit-at=0 max-limit=0 disable=yes comment="248C+: QoS ([Link]-IPSECESP) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=5 packet-mark=VPN-[Link] limit-at=0 max-limit=0 disable=yes comment="249C+: QoS ([Link]-IPSECAH) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=5 packet-mark=VPN-[Link] limit-at=0 max-limit=0 disable=yes comment="250C+: QoS ([Link]-IPENCAP) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=5 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="251C+: QoS ([Link]-DDNS) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=5 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="252C+: QoS ([Link]/SFTP) :: ";
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=5 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="253Cx: QoS ([Link]) :: ";
# band 6 - bulk / P2P class 260Cx with download, WWW, DNS and BitTorrent leaves
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=6 limit-at=0 max-limit=0 disable=yes comment="260Cx: QoS ([Link]) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ INI ]
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=6 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="261Cx: QoS ([Link] Down) :: ";
/queue tree add name=[Link] parent=[Link] queue=ethernet-default priority=6 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="262Cx: QoS ([Link]) :: ";
/queue tree add name=031503.P2PWWW parent=[Link] queue=ethernet-default priority=6 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="263Cx: QoS (LAN2.P2PWWW) :: ";
/queue tree add name=031504.P2PDNS parent=[Link] queue=ethernet-default priority=6 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="264Cx: QoS (LAN2.P2PDNS) :: ";
/queue tree add name=031505.P2PBitT parent=[Link] queue=ethernet-default priority=6 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="265Cx: QoS (LAN2.P2PBitTorrent) :: ";
/queue tree add name=031506.P2PBitTE parent=[Link] queue=ethernet-default priority=6 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="266Cx: QoS (LAN2.P2PBitTorrentExp) :: ";
# [ Nivel 03 ] ------------------------------------------------- [ FIN ]
# band 7 - the lowest-priority marked leaf
/queue tree add name=[Link] parent=030000.LAN2 queue=ethernet-default priority=7 packet-mark=[Link] limit-at=0 max-limit=0 disable=yes comment="299C+: QoS ([Link]) :: ";
# [ Nivel 02 ] ---------------------------------------------------------- [ FIN ]
# [ Nivel 01 ] ------------------------------------------------------------------- [ FIN ]
# QoS connections (QueueTree Rules): -------------------------------------------
# -----------------------------------------------------------------------------
[ FIN ]
# [Link] (Remove Variables): --------------------------------------- [ INI ]
# Tear down the interface variables the queue trees consumed as
# parent=$InterfLAN1 / $InterfLAN2, so they do not linger in the global
# script environment once the configuration has been applied. Removing a
# name that was never set matches nothing and is a no-op.
:foreach VarName in={"InterfWAN1";"InterfWAN2";"InterfLAN1";"InterfLAN2";"InterfLAN3"} do={
    /system script environment remove [find name=$VarName];
};
# [Link] (Remove Variables): --------------------------------------- [ FIN ]
# -------------------------- HTB (QueueTree Rules): ----------------- [ FIN: 01 ]
# [Link] (QueueType Rules): ------- [ act. no usado ] ------ [ INI ]
# /queue type add kind=pcq name=[Link] pcq-burst-rate=0 pcq-burst-threshold=0
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-
address6-mask=128 pcq-limit=50 pcq-rate=384k pcq-src-address-mask=32 pcq-src-
address6-mask=128 pcq-total-limit=2000 comment=”C: PCQ (Down.384k)”;
# /queue type add kind=pcq name=[Link] pcq-burst-rate=0 pcq-burst-threshold=0 pcq-
burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-
mask=128 pcq-limit=50 pcq-rate=128k pcq-src-address-mask=32 pcq-src-address6-
mask=128 pcq-total-limit=2000 comment=”C: PCQ (Up.128k)”;
# Nota: (pcq-total-limit), máximo número de datos en cola (tree). (pcq-limit), tamaño de cola (tree). (pcq-rate), velocidad máxima disponible para cada cola (tree).
# [Link] (QueueType Rules): ------- [ act. no usado ] ------ [ FIN ]
#
-----------------------------------------------------------------------------------
--
# [FINALMENTE]: --------------------------------------------------------- [ INI ]
#
-----------------------------------------------------------------------------------
--
# Marcar como activas (comment=“+:”, “>:” y “+VL:”) y no-activas (comment=“x:”,
“<:” y “xVL:”), según corresponda.
# Filtrar: /ip firewall x (comment=”+:”) y habilitar reglas filtradas (en Address-
List, Firewall, NAT, Mangle y Raw).
# Filtrar: /ip firewall x (comment=(”>:”: userX) o (”<:”: userR-W)), según
corresponda y habilitar reglas filtradas.
# Filtrar: /ip firewall x (comment=(”+VL:”) o (”xVL:”)), según corresponda y
habilitar reglas filtradas.
# Listo.
#
-----------------------------------------------------------------------------------
--
# [FINALMENTE]: --------------------------------------------------------- [ FIN ]
#
-----------------------------------------------------------------------------------
--
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
--------------------------- ( [Link]-Config ) --------------------- [ FIN ]
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
[Link] (Basic 01-02)
--------------------------------------------------------------------------------
[ INI ]
-----------------------------------------------------------------------------------
-----
----------------------------- Scripts (basicos):
-------------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
# [Link]-RedesSociales:
----------------------------------------------------
# Name: [Link]-RSociales
# comment="C+: ( [Link]-RedesSociales )"
# ---------------------------------------------
# Harvests the router's DNS cache for the listed social/streaming domains and
# files each resolved address into the matching "S-" firewall address-list so
# the QoS mangle rules can mark that traffic. Entries expire with the DNS TTL
# (timeout=$TTL) and carry the comment prefix "C+: QoS ( ", which the sibling
# maintenance script ([Link] (RedesSociales)) searches for.
# Note: the name filters in the main loop are regex substring matches
# (name~"..."), so any cached name that merely contains e.g. "twitch" is
# classified as well; the only effect is which address-list, and therefore
# which queue, the address lands in.
:local TTL; # everything with ([Link]>5m) is treated as worth storing (see the TTL check in the loop)
:local HoraINI;
:local HoraFIN;
# NOTE(review): the typographic quotes (”” / “”) on the next lines are not
# RouterOS string delimiters; replace them with "" before importing.
:local Type ””;
# [Link] is the "no address" sentinel; the CNAME branch resets Address to it
# on failure and the add is skipped while Address still equals it.
:local Address ([Link]);
:local Data “”;
:local Name “”;
:local Lista;
# ---------------------------------------
# Count running jobs of this script and of its sibling; the body below runs
# only when this job is the sole one, so the two never edit the lists at the
# same time (otherwise the script logs an error and exits).
# NOTE(review): written as "in [" here but "in=[" in the main loop below;
# confirm both forms parse on the target RouterOS version.
:local CountProcc 0;
:foreach x in [/system script job find (script="[Link]-RSociales" or
script="[Link] (RedesSociales)")] do {:set CountProcc ($CountProcc+1);};
# number of active jobs of this script or its sibling
:if ($CountProcc=1) do={
# --------------------------------------- [[Link] (x Off Proccess Vinculant)]
# :global AddressListAdd “[ $AddressListTAdd ] - ”;
# AddressListTAdd is a global counter of entries added in this run; it is
# removed again at the end of the script. NOTE(review): it is never
# initialised here — confirm that $AddressListTAdd+1 on an unset global
# yields 1 on the target version.
:global AddressListTAdd; :set HoraINI ([/system clock get time]); :log info
message=("[[Link]-RSociales (INI: Pre-Foreach)]");
# ---------------------------------------------------
# Main loop: only positive (!negative) A or CNAME cache entries whose name
# matches one of the substring filters.
:foreach i in=[/ip dns cache all find ((name~"whatsapp" or name~"youtube" or
name~"googlevideo" or name~"twitter" or name~"facebook" or name~"instagram" or
name~"netflix" or name~"skype" or name~”spotify” or name~"snapchat" or
name~”telegram” or name~”twitch” or name~”vimeo”) and ((type="A" or type="CNAME")
and !negative))] do={
# --------------------------------------------------- [[Link] (Foreach Find Out)]
# :if ($CountProcc=1) do={:set CountProcc ($CountProcc+1); :log info
message=("[[Link]-RSociales (INI: Pos-Foreach(Find))]");};
# ---------------------------------------------------
# Read the cache entry. NOTE(review): the id comes from "/ip dns cache all
# find", but two of the three reads go through "/ip dns cache get"; if the
# "no such item" errors mentioned in the note after this script come from
# CNAME entries, reading everything via "/ip dns cache all get" is the first
# thing to try. Only entries with more than 5m of TTL left are processed.
:set Name ([/ip dns cache get $i name]); :set Type ([/ip dns cache all get $i
type]); :set TTL ([/ip dns cache get $i ttl]); :if ($TTL>5m) do={:if ($Type=”A”)
do={:set Address ([/ip dns cache get $i address]); :set Address ([toip $Address]);
# ----------------- [Type=A (name=Domain data=[Link])]
# :log info message=("[[Link]-RSociales [Link], Addr: (".
($Address).") – Type: (".($Type).") – Name: (".($Name).") – TTL: (".($TTL).") =
[ ".([typeof $Address])." ]]");
# CNAME entries: resolve the name live (one outbound DNS query per hit); on
# failure log it and reset Address to the sentinel so the entry is skipped.
} else={:set Data ([/ip dns cache all get $i data]); :do {
# ----------------- [Type=CNAME] (name=resolve([Link]) data=Domain)]
:set Address ([resolve $Name]);
# :log info message=("[[Link]-RSociales [Link], Addr: (".
($Address).") – Data: (".($Data).") – Type: (".($Type).") – Name: (".($Name).") –
TTL: (".($TTL).") = [ ".([typeof $Address])." ]]");
} on-error={
# -------------------------------------------------- [[Link]]
:set Address ([Link]); :log error message=("[[Link]-RSociales
[Link]-Failure, Data: (".($Data).") – Type: (".($Type).") – Name: (".
($Name).") – D: (".($TTL).")]");}}; :if ([len $Name]>0 and $Address!=[Link]) do={
# -------------------------------------------------- [Sets (Lista)]
# Map the matched name to its "S-" address-list; the if/else chain mirrors
# the filter order of the find above (youtube and googlevideo share a list).
:if ($Name~"whatsapp") do={:set Lista (“[Link]”);} else={:if
($Name~"youtube" or $Name~"googlevideo") do={:set Lista (“[Link]”);}
else={:if ($Name~"facebook") do={:set Lista (“[Link]”);} else={:if
($Name~"twitter") do={:set Lista (“[Link]”);} else={:if ($Name~"instagram")
do={:set Lista (“[Link]”);} else={:if ($Name~"netflix") do={:set Lista
(“[Link]”);} else={:if ($Name~"skype") do={:set Lista (“[Link]”);}
else={:if ($Name~"spotify") do={:set Lista (“[Link]”);} else={:if
($Name~"snapchat") do={:set Lista (“[Link]”);} else={:if
($Name~"telegram") do={:set Lista (“[Link]”);} else={:if ($Name~"twitch")
do={:set Lista (“[Link]”);} else={:if ($Name~"vimeo") do={:set Lista (“S-
[Link]”);}}}}}}}}}}}};
# --------------------------------------------------
# Add only when no enabled address-list entry (in any list) already holds
# this address; that is what keeps one address from being listed twice.
:if ([/ip firewall address-list find (address=$Address and !disabled)]="") do={
# -------------------------------------------------- [[Link]]
# :log info message=("[[Link]-RSociales [Link], Addr: (".
($Address).") – Lista: (".($Lista).") – Type: (".($Type).") – Name: (".($Name).") –
TTL: (".($TTL).") = [ ".([typeof $Address])." ]]");
# --------------------------------------------------
# The entry expires with the DNS TTL; the comment prefix is what the
# maintenance script later matches on.
/ip firewall address-list add address=$Address list=$Lista timeout=$TTL
comment="C+: QoS ( [ $Name ] – [ $Type ] – [ $TTL ] )"; :set AddressListTAdd
($AddressListTAdd+1);} else={
# -------------------------------------------------- [[Link] x [Link]]
# Duplicate handling: X was meant to count the enabled entries for this
# address, but the counting loop is commented out below, so X stays 1 and the
# ":if ($X>2)" removal never fires. If it is ever re-enabled, note that the
# remove deletes this address from every OTHER enabled list, including lists
# this script does not own — restrict it to list~"S-" before turning it on.
:local X (1);
# :foreach i in=[/ip firewall address-list find (address=$Address and !disabled)]
do={:log info message=("[[Link]-RSociales [Link] ( ".($X)." ,
".([/ip firewall address-list get $i list]=$Lista)." ), Addr: (".($Address).") –
Lista: (".($Lista).") – [Link]: (".([/ip firewall address-list get $i list]).") –
[Link]: (".([/ip firewall address-list get $i creation-time]).")]"); :set X
($X+1);};
# --------------------------------------------------
:if ($X>2) do={/ip firewall address-list remove [find (address=$Address and list!
=$Lista and !disabled)]; :log error message=("[[Link]-RSociales
Duplicate-Info ( ".($X-1)." ), A: (".($Address).") – Lista: (".($Lista).")]");}}}};
:delay 10ms;};
# -------------------------------------------------- [[Link]]
# Log the run duration (FIN), or — when another job was running — how many.
:set HoraFIN ([/system clock get time]); :log warning message=(“[[Link]-
RSociales (FIN), duracion: (”.($HoraFIN-$HoraINI).”)]”);} else={:log error
message=(“[[Link]-RSociales Activos: ( “.($CountProcc-1).” )]”);};
# Drop the per-run counter global.
/system script environment remove [find name="AddressListTAdd"];
# Nota: mientras más veces se ejecuta, mejor marca dicho tráfico. Se producen algunos (script error: no such item (4)), que infiero se debe a un error interno del proceso (find (…) del foreach). (!negative), excluye los (type=unknown).
# [Link] (RedesSociales):
-----------------------------------------------------
# Name: [Link] (RedesSociales)
# comment=”C+: ( [Link] (Redes Sociales) )”
# -----------------------------------------------
# Funcion transforma Fecha en Nro (Fecha+Hora)
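:local DateTimeToNro do={
    # Converts a RouterOS clock string "mmm/dd/yyyy[ hh:mm:ss]" into the number
    # yyyymmddhhmmss so two timestamps can be compared with < / <= directly.
    # $1: the date (or "date time") string as returned by /system clock get date/time.
    # Returns: the numeric timestamp; the time part is 000000 when $1 is date-only.
    # NOTE(review): the pick offsets assume the "mmm/dd/yyyy" clock format —
    # confirm against the target RouterOS version, which may print dates differently.
    # Fixes vs. the source: the month pad used a typographic quote (“0”), which is
    # not a string delimiter, and the final return lacked the ":" that :return
    # carries everywhere else in this file.
    :local NroX;
    :local MC ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
    :local DiaX ([pick $1 4 6]);
    :local MesCX ([pick $1 0 3]);
    # find yields the 0-based index of the month abbreviation; +1 is the month number
    :local MesX ([find $MC $MesCX -1]+1);
    # zero-pad the month so the concatenated string keeps a fixed width
    :if ($MesX<10) do={:set MesX ("0".$MesX);};
    :local AnioX ([pick $1 7 11]);
    :set NroX ($AnioX.$MesX.$DiaX);
    :if ([len $1]>12) do={
        :local HoraX ([pick $1 12 14]);
        :local MinX ([pick $1 15 17]);
        :local SegX ([pick $1 18 20]);
        :set NroX ($NroX.$HoraX.$MinX.$SegX);
    } else={
        :set NroX ($NroX."000000");
    };
    :return ([tonum $NroX]);
}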
# -----------------------------------------------
# Funcion Incrementa Fecha en Dias (DiaMesAnioNr, DiasToIncr)
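:local FechaIncr do={
    # Adds $2 days to a numeric timestamp yyyymmddhhmmss (as produced by
    # DateTimeToNro) and returns the result in the same numeric form.
    # $1: timestamp as a number (or 14-digit string); the hhmmss part passes through unchanged.
    # $2: number of days to add (non-negative; a negative value is not handled).
    # Returns: the incremented timestamp as a number.
    # NOTE(review): the source had a stray "{f de f}" line here; it reads as an
    # annotation (function within a function), not RouterOS code, so it is gone.
    # -------------------------
    # Days in a month ($1: month 1..12, $2: year); February follows the
    # Gregorian leap rule (divisible by 400, or by 4 but not by 100).
    :local DiasMes do={
        :local Dias;
        :if ($1=1 or $1=3 or $1=5 or $1=7 or $1=8 or $1=10 or $1=12) do={
            :set Dias (31);
        } else={
            :if ($1=4 or $1=6 or $1=9 or $1=11) do={
                :set Dias (30);
            } else={
                # integer division makes (($2/400)*400)=$2 a divisibility test
                :if ((((($2)/400)*400)=$2) or ((((($2)/4)*4)=$2) and (((($2)/100)*100)!=$2))) do={
                    :set Dias (29);
                } else={
                    :set Dias (28);
                };
            };
        };
        :return ([tonum $Dias]);
    }
    # ----------------------------------------------- (main body of FechaIncr)
    :local FechaHoraStr ([tostr $1]);
    :local AnioX ([tonum [pick $FechaHoraStr 0 4]]);
    :local MesX ([tonum [pick $FechaHoraStr 4 6]]);
    :local DiaX ([tonum [pick $FechaHoraStr 6 8]]);
    :local HoraX ([tonum [pick $FechaHoraStr 8 14]]);
    :local DiasToIncr ($2);
    # Peel off whole months first: day D of the next month is exactly
    # DiasMes(current month) days after day D of this month.
    :while ($DiasToIncr>[$DiasMes $MesX $AnioX]) do={
        :set DiasToIncr ($DiasToIncr-[$DiasMes $MesX $AnioX]);
        :if ($MesX<12) do={:set MesX ($MesX+1);} else={:set AnioX ($AnioX+1); :set MesX (1);};
    };
    # Add the remainder, then normalise the day-of-month in a loop. The source
    # carried only once, so a remainder larger than the following month could
    # produce a non-existent date (e.g. day 31 of February): harmless for the
    # numeric <= comparisons of the caller, but not a calendar-correct date.
    :set DiaX ($DiaX+$DiasToIncr);
    :while ($DiaX>[$DiasMes $MesX $AnioX]) do={
        :set DiaX ($DiaX-[$DiasMes $MesX $AnioX]);
        :if ($MesX<12) do={:set MesX ($MesX+1);} else={:set AnioX ($AnioX+1); :set MesX (1);};
    };
    :return (((($AnioX*10000)+($MesX*100)+($DiaX))*1000000)+[tonum $HoraX]);
}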
# ------------------------------------ (Main code of [Link] (RedesSociales))
# Maintenance pass over the social-network (RS) address-list entries:
#  1) age out entries tagged "C+: QoS ( " (disable after TimeDisableQoS days, expire
#     after TimeRemoveQoS days), 2) count the enabled "S-" entries by type, 3) collapse
#     duplicate addresses keeping the newest creation-time.
# Runs only when no other job of this script is active (CountProcc=1).
:local TimeDisableQoS ([tonum 180]); # (in days)
:local TimeRemoveQoS ([tonum 365]); # (in days); 0 disables the remove step
# Note: when (TimeRemoveQoS>0), it is required that (TimeDisableQoS<TimeRemoveQoS).
# -------------------------------------
:local HoraINI;
:local HoraFIN;
:local CountProcc 0;
# Count running jobs of this script (both historical names); the =1 check below
# assumes this job itself is one of them.
:foreach x in [/system script job find (script="[Link]-RSociales" or
script="[Link] (RedesSociales)")] do {:set CountProcc ($CountProcc+1);};
# Number of related script jobs currently active
:if ($CountProcc=1) do={
# --------------------------------------- [[Link] (x Off Proccess Vinculant)]
:set HoraINI ([/system clock get time]);
# ------------------------------ [Address-List (RS).Disable/Remove]
# "Remove" is done by re-enabling the entry with a 10s timeout, so a previously
# disabled entry is briefly active again before it expires.
# NOTE(review): as transcribed, the :if ($TimeDisableQoS>0) block sits on the same
# line as the commented-out :log above it; if the "#" covers the whole line, this
# step never runs — confirm the line break in the deployed script.
# :log info message=("[[Link] (RedesSociales) (INI:
Disable/Remove)]"); :if ($TimeDisableQoS>0) do={:local DateTimeAct ([/system clock
get date].” ”.[/system clock get time]); :local CreationTime; :foreach i in=[/ip
firewall address-list find (comment~”C\\+: QoS \\( ”)] do={:set CreationTime ([/ip
firewall address-list get $i creation-time]); :if ($TimeRemoveQoS>0 and
(([$FechaIncr ([$DateTimeToNro $CreationTime]) $TimeRemoveQoS])<=[$DateTimeToNro
$DateTimeAct])) do={[/ip firewall address-list set $i disable=no]; [/ip firewall
address-list set $i timeout=10s];} else={:if (([$FechaIncr ([$DateTimeToNro
$CreationTime]) $TimeDisableQoS])<=[$DateTimeToNro $DateTimeAct]) do={[/ip firewall
address-list set $i disable=yes];}}}};
# ------------------------------ [Address-List (RS).[Link]]
:log info message=("[[Link] (RedesSociales) (INI: [Link])]");
# Options to weigh for the selector: (comment~”C\\+: QoS \\( ”) vs (list~“S-“)
# --------------------------------------- [[Link]]
# Classify enabled "S-" entries by the type tag in their comment (CNAME / A /
# no-DNSCache / anything else counted as Error).
:local CNAMECant (0); :local ACant (0); :local noDNSCacheCant (0); :local ErrorCant
(0); :local TotalS; :local Comment; :foreach i in=[/ip firewall address-list find
(list~“S-“ and !disabled)] do={:set Comment ([/ip firewall address-list get $i
comment]); :if ([find $Comment ”- [ CNAME ] -” 0]>0) do={:set CNAMECant
($CNAMECant+1);} else={:if ([find $Comment ”- [ A ] -” 0]>0) do={:set ACant
($ACant+1);} else={:if ([find $Comment ”- [ no-DNSCache ] -” 0]>0) do={:set
noDNSCacheCant ($noDNSCacheCant+1);} else={:set ErrorCant ($ErrorCant
+1);}}}}; :set TotalS ($CNAMECant+$ACant+$noDNSCacheCant+$ErrorCant);
# ---------------------------------------
:log info message=("[ [Link] (RedesSociales) [Link]-Info,
CNAME: (".($CNAMECant).") – A: (".($ACant).") – no-DNSCache: (".
($noDNSCacheCant).") – Error: (".($ErrorCant).") – Total: (".($TotalS).")]");
# ---------------------------------------
# Dedupe: for each enabled "S-" entry, look at every enabled entry with the same
# address (in ANY list), keep the one with the newest creation-time, remove the rest.
# NOTE(review): the inner find has no list filter, so an address legitimately present
# in two different lists loses all but its newest entry — confirm this is intended.
# NOTE(review): ":set X ($X+1)" sits on the wrapped, commented-out :log line below;
# if the "#" covers it, $X never grows and the $X>2 removal never triggers — verify.
:local CreationTime; :local Address; :local X; :local PosT (1); :foreach i in=[/ip
firewall address-list find (list~“S-“ and !disabled)] do={:set Address ([/ip
firewall address-list get $i address]); :set CreationTime (“jan/01/2000 [Link]”);
:set X (1); :foreach j in=[/ip firewall address-list find (address=$Address and !
disabled)] do={:if ([$DateTimeToNro $CreationTime]<=[$DateTimeToNro ([/ip firewall
address-list get $j creation-time])]) do={:set CreationTime ([/ip firewall address-
list get $j creation-time]);};
# --------------------------------------------------
# :log info message=("[[Link] (RedesSociales) Specific-Info ( ".($X)." ,
".($TotalS-$PosT)." ), [Link]: (".([/ip firewall address-list get $j address]).") –
[Link]: (".([/ip firewall address-list get $j list]).") – [Link]: (".([/ip firewall
address-list get $j creation-time]).")]"); :set X ($X+1); :set PosT ($PosT+1);
# --------------------------------------------------
}; :if ($X>2) do={/ip firewall address-list remove [find (address=$Address and
creation-time!=$CreationTime and !disabled)]; :log error
message=("[[Link] (RedesSociales) Duplicate-Info ( ".($X-1)." ), Addr:
(".($Address).") – CT: (".($CreationTime).")]");}; :delay 10ms;};
# -------------------------------------------------- [[Link]]
:set HoraFIN ([/system clock get time]); :log warning message=(“[[Link]
(RedesSociales) (FIN), duracion: (”.($HoraFIN-$HoraINI).”)]”);} else={
# --------------------------------------- [[Link]-Error]: another job is active
:log error message=(“[[Link] (RedesSociales) Activos: ( “.($CountProcc-
1).” )]”);};
# [Link] (ServicesIPChange):
-------------------------------------------------
# (Add), aun las que no cambian periodicamente.
# Name: [Link] (ServicesIPChange)
# comment=”C+: ( [Link] (Services IP Change) )”
# -----------------------------------------------
# Converts a date string to a number (Date+Time): (DateTimeStr)
# $1 is in the RouterOS creation-time form "mmm/dd/yyyy hh:mm:ss" (month name at 0-3,
# day at 4-6, year at 7-11, time at 12-20 when the string is longer than 12 chars).
# Returns YYYYMMDDhhmmss as a number; "000000" is used as the time part when absent.
# NOTE(review): an unrecognised month name is not rejected (the [find] result is
# simply used as-is) — presumably only router-generated dates reach this; verify.
:local DateTimeToNro do={:local NroX; :local MC
("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec"); :local
DiaX ([pick $1 4 6]); :local MesCX ([pick $1 0 3]); :local MesX ([find $MC $MesCX -
1]+1); :if ($MesX<10) do={:set MesX (“0”.$MesX);}; :local AnioX ([pick $1 7
11]); :set NroX ($AnioX.$MesX.$DiaX); :if ([len $1]>12) do={:local HoraX ([pick $1
12 14]); :local MinX ([pick $1 15 17]); :local SegX ([pick $1 18 20]); :set NroX
($NroX.$HoraX.$MinX.$SegX);} else={:set NroX ($NroX.”000000”);}; return ([tonum
$NroX]);}
# -----------------------------------------------
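# Adds days to a date: (DateTimeNr, DaysToIncr)
# $1: a YYYYMMDDhhmmss number (as produced by DateTimeToNro); $2: days to add (>=0).
# Returns the advanced date in the same YYYYMMDDhhmmss form; the hhmmss part is kept.
:local FechaIncr do={
    # -------------------------
    # Days in a month: (Month, Year) {function of function}
    # Leap year when divisible by 400, or by 4 but not by 100 (integer-division trick).
    :local DiasMes do={
        :local Dias;
        :if ($1=1 or $1=3 or $1=5 or $1=7 or $1=8 or $1=10 or $1=12) do={
            :set Dias (31);
        } else={
            :if ($1=4 or $1=6 or $1=9 or $1=11) do={
                :set Dias (30);
            } else={
                :if ((((($2)/400)*400)=$2) or ((((($2)/4)*4)=$2) and (((($2)/100)*100)!=$2))) do={
                    :set Dias (29);
                } else={
                    :set Dias (28);
                }
            }
        };
        :return ([tonum $Dias]);
    }
    # ----------------------------------------------- (Main code of FechaIncr)
    :local FechaHoraStr ([tostr $1]);
    :local AnioX ([tonum [pick $FechaHoraStr 0 4]]);
    :local MesX ([tonum [pick $FechaHoraStr 4 6]]);
    :local DiaX ([tonum [pick $FechaHoraStr 6 8]]);
    :local HoraX ([tonum [pick $FechaHoraStr 8 14]]);
    # Add all the days to the day-of-month, then normalise month by month.
    # Fix: the previous version crossed at most one month boundary after its
    # whole-month loop, so e.g. Jan 31 + 31 days produced "Feb 31" instead of Mar 3.
    :set DiaX ($DiaX+$2);
    :while ($DiaX>[$DiasMes $MesX $AnioX]) do={
        :set DiaX ($DiaX-[$DiasMes $MesX $AnioX]);
        :if ($MesX<12) do={:set MesX ($MesX+1);} else={:set AnioX ($AnioX+1); :set MesX (1);}
    };
    :return (((($AnioX*10000)+($MesX*100)+($DiaX))*1000000)+[tonum $HoraX]);
}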
# -------------------------------- (Main code of [Link] (ServicesIPChange))
# Keeps address-list entries for services whose IPs change over time: resolves each
# configured name, adds the returned address if missing, then ages out the entries of
# names marked "@Dynamic" (disable after TimeDisableSIC days, expire after
# TimeRemoveSIC days).
:local TimeDisableSIC ([tonum 30]);
# (in days)
:local TimeRemoveSIC ([tonum 60]); # (in days); 0 disables the remove step
# Note: when (TimeRemoveSIC>0), it is required that (TimeDisableSIC<TimeRemoveSIC).
# -----------------------------------------------
:local DNSX;
:local AddressX;
:local ListX;
:local IPtoResolver (“[Link]:A-
[Link]@Dynamic*[Link]:[Link]@Dynamic
*[Link]:[Link]@Static*[Link]:A-
[Link]@Static*[Link]:[Link]@Static*”);
# "name:list@type*" records; set up per needs, ordered by ListX (Dynamic/Static).
:local IPtoResolverX ($IPtoResolver);
:local IPtoResolverX1 ($IPtoResolver);
# ------------------------------------------------------------------- [Address-[Link]]
# The address added is whatever the configured resolver returns for the name (the
# list therefore inherits the integrity of the DNS path; presumably one address per
# :resolve call — TODO confirm). The "C+: SIC ( [ list ] – [ name ] )" comment
# written here is parsed back by the Disable/Remove step, so its layout must not change.
:while ([len $IPtoResolver]>0) do={:set DNSX ([pick $IPtoResolver 0 ([find
$IPtoResolver “:”])]); :set ListX ([pick $IPtoResolver ([find $IPtoResolver “:”]+1)
([find $IPtoResolver “@”])]); :set IPtoResolver ([pick $IPtoResolver ([find
$IPtoResolver “*”]+1) [len $IPtoResolver]]); :do {:set AddressX ([resolve $DNSX]);}
on-error={:set AddressX ([Link]); :log error message=("[AddressList-
[Link]: (".($AddressX).") – (".($DNSX).") – (".($ListX).")]");}; :if
($AddressX!=[Link] and [/ip firewall address-list find (list=$ListX and
address=$AddressX)]=””) do={/ip firewall address-list add list=$ListX
address=$AddressX comment=(“C+: SIC ( [ ”.($ListX).” ] – [ “.($DNSX).” ] )”)
disable=no;}};
# --------------------------- [Address-List (ServiceIPChange).Disable/Remove]
# For each distinct list: recover the name from the entry comment (between " ] – [ "
# and " )"), look its type up in IPtoResolverX1, and for "Dynamic" names disable after
# TimeDisableSIC days or (re-enable with a 10s timeout = remove) after TimeRemoveSIC.
:if ($TimeDisableSIC>0) do={:local ListXAnt (””); :local CommentX; :local
TypeX; :local DateTimeAct ([/system clock get date].” ”.[/system clock get
time]); :while ([len $IPtoResolverX]>0) do={:set ListX ([pick $IPtoResolverX ([find
$IPtoResolverX “:”]+1) ([find $IPtoResolverX “@”])]); :set TypeX ([pick
$IPtoResolverX ([find $IPtoResolverX “@”]+1) ([find $IPtoResolverX “*”])]); :set
IPtoResolverX ([pick $IPtoResolverX ([find $IPtoResolverX “*”]+1) [len
$IPtoResolverX]]); :if ($ListX!=$ListXAnt) do={:set ListXAnt ($ListX); :local
CreationTime; :foreach i in=[/ip firewall address-list find (list=$ListX)] do={:set
CreationTime ([/ip firewall address-list get $i creation-time]); :set CommentX
([/ip firewall address-list get $i comment]); :set DNSX ([pick $CommentX ([find
$CommentX “ ] – [ “]+7) ([find $CommentX “ )“]-2)]); :set TypeX ([pick
$IPtoResolverX1 ([find $IPtoResolverX1 $DNSX]) ([len $IPtoResolverX1])]); :set
TypeX ([pick $TypeX ([find $TypeX “@”]+1) ([find $TypeX “*”])]); :if
($TypeX=”Dynamic”) do={:if ($TimeRemoveSIC>0 and (([$FechaIncr ([$DateTimeToNro
$CreationTime]) $TimeRemoveSIC])<=[$DateTimeToNro $DateTimeAct])) do={[/ip firewall
address-list set $i disable=no]; [/ip firewall address-list set $i timeout=10s];}
else={:if (([$FechaIncr ([$DateTimeToNro $CreationTime])
$TimeDisableSIC])<=[$DateTimeToNro $DateTimeAct]) do={[/ip firewall address-list
set $i disable=yes];}}}}}}};
# Nota: usado, para (Add IPs) de servicios que la cambian x time. Ahora, si además
de cambiarlas, las reutiliza para otros servicios, tendría que establecerse un
TimeLaps. Recordar que: address-list [Link], aun si existe, pero (disabled).
# [Link]-ImportnoDNSCache: ------------------------------------------------
# Name: [Link]-ImportnoDNSCache
# comment=”R+: ( [Link]-ImportnoDNSCache )”
# ------------------------------------------------
# Imports a "no-DNSCache" list from a file into an address-list: the first line is
# the list name (the part after its first 2 chars and before ".List" becomes the
# comment tag), each following line an address (text up to the first space or
# newline). Every address is removed and re-created as a DISABLED entry; the file is
# deleted afterwards.
# NOTE(review): there is no :do/on-error around the add, so a malformed line aborts
# the script part-way and leaves the file in place — confirm the file source is trusted.
:local File “[Link]”;
:local ListaXContenido;
:local ListX;
:local CommentX;
:local AddressX;
:local AddressSX;
:if ([len [/file find name=$File]]!=0) do={:set ListaXContenido ([/file get $File
contents]); :if ([len $ListaXContenido]>0) do={:set ListX ([pick $ListaXContenido 0
([find $ListaXContenido “\n”])]); :set ListaXContenido ([pick $ListaXContenido
([find $ListaXContenido “\n”]+1) ([len $ListaXContenido])]); :set CommentX (“C+:
QoS ( [ “.([pick $ListX 2 ([find $ListX “.List”])]).” ] - [ no-DNSCache ] -
[ -------- ] )”); :while ([len $ListaXContenido]>0) do={:if ([find $ListaXContenido
“ ”]<0 or [find $ListaXContenido “ ”]>[find $ListaXContenido “\n”]) do={:set
AddressX ([pick $ListaXContenido 0 ([find $ListaXContenido “\n”])]);} else={:set
AddressX ([pick $ListaXContenido 0 ([find $ListaXContenido “ ”])]);}; :set
AddressSX ($AddressX);
# -------------------------------------------------- [Handling of [Link] (does not work) — kept commented out]
# :set AddressX ([toip $AddressX]); :if ([typeof $AddressX]!=”ip”) do={:do {
# -------------------------------------------------- [[Link]]
# :set AddressX ([resolve $AddressX]);} on-error={
# -------------------------------------------------- [[Link]]
# :log error message=("[[Link] [Link]-Failure, Addr: (".
# ($AddressSX).")]"); :set AddressX ([Link]);}};
# --------------------------------------------------
# Replace any existing entry for (address, list) with a disabled one.
:if ($AddressX!=[Link]) do={/ip firewall address-list remove [find
(address=$AddressX and list=$ListX)]; /ip firewall address-list add list=$ListX
address=$AddressX comment=$CommentX disable=yes;};
# --------------------------------------------------
:set ListaXContenido ([pick $ListaXContenido ([find $ListaXContenido “\n”]+1) ([len
$ListaXContenido])]);}}; /file remove $File;} else={:log error
message=(“[[Link]-List ImportnoDNSCache]: Empty”);};
# Nota: ([Link]: Lista\n + <IP, IP/XX, [Link], DNS>\n + \n\r).
# [Link]-ExportSpecificList:
--------------------------------------------------
# Name: [Link]-ExportSpecificList
# comment=”Rx: ( [Link]-ExportSpecificList )”
# /ip firewall address-list print file=”Address-L” where (list="A-[Link]"); # alternative, inefficient in size.
# Exports the entries of one list to the file "Address-L" as
# "list&:&address&-&creation-time&+&comment&*&" records (the layout that
# ImportSpecificList reads back). The file is only written when the text is
# between 1 and 4096 bytes; larger lists are logged and skipped.
:local ListaXContenido ””; # error if (size>4K)
:local File “Address-L”;
:foreach x in=[/ip firewall address-list find (list="[Link]")] do={:set
ListaXContenido ($ListaXContenido.[/ip firewall address-list get $x
list].”&:&“.[/ip firewall address-list get $x address].”&-&“.[/ip firewall address-
list get $x creation-time].”&+&“.[/ip firewall address-list get $x
comment].”&*&“);}; :if ([len $ListaXContenido]>0 and [len $ListaXContenido]<4097)
do={/file print file=$File; :delay 2s; /file set $File contents=$ListaXContenido;}
else={:log error message=(“[[Link]-List ExportSpecificList]: (>4K)”);};
# Nota: establecer condición: (list=”__.List”…) según corresponda.
# [Link]-ImportSpecificList:
--------------------------------------------------
# Name: [Link]-ImportSpecificList
# comment=”Rx: ( [Link]-ImportSpecificList )”;
# Imports the records written by ExportSpecificList ("list&:&address&-&creation-
# time&+&comment&*&") from a file: each (list, address) not already present is added
# as a DISABLED entry with the stored comment; the creation-time field is read but
# not used (RouterOS assigns its own). The file is deleted afterwards.
# NOTE(review): no :do/on-error around the add — a malformed record aborts the run
# and leaves the file in place; confirm the file comes only from ExportSpecificList.
:local File “[Link]”;
:local ListaXContenido;
:local ListX;
:local AddressX;
:local CreationTimeX;
:local CommentX;
:if ([len [/file find name=$File]]!=0) do={:set ListaXContenido ([/file get $File
contents]); :if ([len $ListaXContenido]>0) do={:while ([len $ListaXContenido]>0)
do={:set ListX ([pick $ListaXContenido 0 ([find $ListaXContenido “&:&”])]); :set
AddressX ([pick $ListaXContenido ([find $ListaXContenido “&:&”]+3) ([find
$ListaXContenido “&-&”])]); :set CreationTimeX ([pick $ListaXContenido ([find
$ListaXContenido “&-&”]+3) ([find $ListaXContenido “&+&”])]); :set CommentX ([pick
$ListaXContenido ([find $ListaXContenido “&+&”]+3) ([find $ListaXContenido
“&*&”])]); :set ListaXContenido ([pick $ListaXContenido ([find $ListaXContenido
“&*&”]+3) [len $ListaXContenido]]); :if ([/ip firewall address-list find
(list=$ListX and address=$AddressX)]=””) do={/ip firewall address-list add
list=$ListX address=$AddressX comment=$CommentX disable=yes;}}}; /file remove
$File;} else={:log error message=(“[[Link]-List ImportSpecificList]:
Empty”);};
# [Link]-AddressListRSC:
----------------------------------------------------------
# Name: RB. Restore-AddressListRSC
# comment=”Rx: ( [Link] AddressList (RSC) )”
# Deletes ALL address-list entries, then re-creates them by running the exported file.
# /import executes every command in that file, so the backup must come from a trusted
# export — the file's integrity is the trust boundary of this restore.
/ip firewall address-list remove [find]; # deletes all [Link]
/import file=[Link];
# [Link]-AddressListRSC:
----------------------------------------------------------
# Name: [Link]-AddressListRSC
# comment=”R+: ( [Link]-AddressList (RSC) )”
# -----------------------------------------------
# Connectivity probe: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Proceso)
# Flood-pings $1 with $2 packets of $5 bytes and returns "OK" when packet loss <= $3 (%)
# and average RTT <= $4 (ms), otherwise "KO"; the result line is logged either way
# (info on OK, error on KO), tagged with the caller name $6.
# Before pinging it makes sure $1 is allowed through: if no entry for $1 exists in the
# "A-[Link]" list a temporary one is added (timeout=1m); if the entry in the
# "[Link]" list exists but is disabled it is enabled and DisabledIP remembers that.
# NOTE(review): the restore step disables [find (address=$1)] — every entry with that
# address in ANY list, broader than the single-list entry that was enabled; confirm.
# NOTE(review): PEnviados/PRecibidos are only set when flood-ping reports $sent=$2; if
# that never happens the PLoss division below runs on unset values — verify behaviour.
# NOTE(review): the two list names differ ("A-[Link]" vs "[Link]"); presumably a
# transcription artefact — check against the deployed script.
:local TestConn do={:local PLoss ($3+1); :local AvgRTT ($4+1); :local
MaxRTT; :local PRecibidos; :local PEnviados; :local LogMsg; :local DisabledIP
(false); :if ([/ip firewall address-list find (address=$1 and list=”A-
[Link]”)]="") do={/ip firewall address-list add address=$1 list=“A-
[Link]“ comment=”T+: (TemporalIP x ICMP)” timeout=1m disable=no;}
else={:if ([/ip firewall address-list get value-name=disabled [find (address=$1 and
list=”[Link]”)]]) do={/ip firewall address-list enable [/ip firewall
address-list find (address=$1 and list=”[Link]”)]; :set DisabledIP
(true);}}; delay 10ms; /tool flood-ping $1 count=$2 size=$5 do={:if ($sent=$2)
do={:set AvgRTT ($”avg-rtt”); :set MaxRTT ($”max-rtt”); :set PEnviados $sent; :set
PRecibidos $received;}}; :if ($DisabledIP) do={/ip firewall address-list disable
[/ip firewall address-list find (address=$1)];}; :set PLoss (100-
(($PRecibidos*100)/$PEnviados)); :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]:
latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms
) – paquetes perdidos: ( $([:tostr $PLoss])% )"); :if ($PLoss<=$3 and $AvgRTT<=$4)
do={:log info message=($LogMsg); :return (“OK”)} else={:log error
message=($LogMsg); :return (“KO”)}};
# Nota: Asegurarse que IP este en Address-List (do={:beep frequency=550
length=494ms;}).
# -----------------------------------------------
# Exports the whole address-list to file=AddressList (5s grace for the write) and,
# when the connectivity probe passes, e-mails it: TestConn(IP, 10 packets, 30% loss
# limit, 100ms average limit, 64-byte size, caller name).
# The mail body discloses the router identity, board model and WAN/aux addresses and
# the attachment is the complete address-list; confidentiality rests on the
# /tool e-mail transport settings (not visible here) and on the recipient mailbox.
/ip firewall address-list export file=AddressList; :delay 5s;
# ----------------------------------------------- [[Link]]: probe before sending
:if ([$TestConn "[Link]" 10 30 100 64 ”[Link]-AddressListRSC”]=”OK”) do={
# ----------------------------------------------- [[Link]]: subject = user comment + script comment (from char 4)
# ("/system scrip" relies on RouterOS command-prefix matching for "script".)
:local Subjet (([/user get [find name=user(x)] comment]).([pick ([/system scrip get
[find name=”[Link]-AddressListRSC”] comment]) 4 ([len ([/system scrip get [find
name=”[Link]-AddressListRSC”] comment])])])); /tool e-mail send
to="xxx@[Link]" subject=$Subjet body=“System : ($[/system identity get
name]) \r\nFecha : ($[/system clock get date]) \r\nHora : ($[/system
clock get time]) \r\nModelo : ($[/system resource get board-name]) \r\nIPWAN1
: ($[/ip address get [find comment~”TELCO.2.2.2.x”] value-name=address]) \r\
nEtherAux : ($[/ip address get [find comment~”EMERGENCY1”] value-
name=interface]) \r\nIPEtherAux : ($[/ip address get [find comment~”EMERGENCY1”]
value-name=address])” file=[Link];}
# [Link]-Alert:
---------------------------------------------------------
# Name: [Link]-Alert
# comment=”R+: ( [Link]-Alert )”
# ---------------------------------------------------
# Traceroute to an IP, returned as a single text line: (IP, Count)
# Temporarily disables the raw rule commented "014R+: ... (hacia WANs)", runs
# "tool traceroute count=$2 use-dns=yes $1" through :execute into a file, waits 5s,
# re-enables the rule, reads and deletes the file and reformats the hop table.
# NOTE(review): the rule is re-enabled by a plain second :set with no :do/on-error
# around the :execute/:delay/file steps — if anything in between fails, the rule
# stays disabled (fail-open); consider wrapping it so the re-enable always runs.
# NOTE(review): the 5s wait is fixed; a traceroute with a larger Count may still be
# running when the file is read — verify against the Count values used.
# NOTE(review): the probe is itself outbound traffic toward the listed address and
# use-dns=yes adds reverse lookups per hop — keep that in mind when enabling it.
:local TracertIP do={
# ------------------------
# Joins a "\r\n"-separated text into one line with $2 appended after each line:
# (StrBidim, StrExtra) {f of f}
# NOTE(review): defined but not referenced in this function (TBidiToUniStr is used).
:local BidiToUniStr do={:local BStr ($1); :local LineStr ””; :while ([len $BStr]>0)
do={:set LineStr ($LineStr.[pick $BStr 0 ([find $BStr “\r\n”])].$2); :set BStr
([pick $BStr ([find $BStr“\r\n”]+2) [len $BStr]]);}; :return ($LineStr);}
# ------------------------
# Reformats the traceroute table into one line: (TStrBidim, StrExtra) {f of f}
# Only rows longer than 53 chars are kept: "[ n ]: host – loss – avg" using the
# fixed column offsets 3-35 (host, right-trimmed), 36-40 and 46-53, or "( ----- )"
# when the host column is blank.
:local TBidiToUniStr do={
# ------------------------
# Strips leading ("Izq.") or trailing ("Der.") spaces: (StrX, Direction)
# {f of f of f}
:local KillChar255 do={:local StrXA ($1); :local X (0); :local Bloq (1); :if
($2=”Der.”) do={:set X ([len $1]-1); :set Bloq (-1);}; :if ([len $StrXA]>0)
do={:while ([pick $StrXA $X]=” ”) do={:set X ($X+$Bloq);}; :if ($2=“Izq.”) do={:set
StrXA ([pick $StrXA $X [len $StrXA]]);} else={:set StrXA ([pick $StrXA 0
($X+1)]);}}; :return ($StrXA);}
# ------------------------------------- (Main code of TBidiToUniStr)
:local BStr ($1); :local LineStr ””; :local LineStrX ””; :local LineX (1); :while
([len $BStr]>0) do={:set LineStrX ([pick $BStr 0 ([find $BStr “\r\n”])]); :if ([len
$LineStrX]>53) do={:if ([pick $LineStrX 3 5]!=” “) do={:set LineStr
($LineStr.“[ ”.$LineX.” ]: ”.([$KillChar255 ([pick $LineStrX 3 35]) “Der.”]).” – “.
([pick $LineStrX 36 40]).” – “.([pick $LineStrX 46 53]).$2);} else={:set LineStr
($LineStr.“[ ”.$LineX.” ]: ( ----- ) – “.([pick $LineStrX 36 40]).” – “.([pick
$LineStrX 46 53]).$2);}; :set LineX ($LineX+1);}; :set BStr ([pick $BStr ([find
$BStr “\r\n”]+2) [len $BStr]]);}; :return ($LineStr);}
# ------------------------------------- (Main code of TracertIP)
# IPT/Count are globals because :execute runs in a separate job; they are removed
# from the script environment at the end.
:global IPT ($1); :global Count ($2); /ip firewall raw set [find comment=”014R+:
[Link] de [Link] (hacia WANs)”] disable=yes; :execute {tool
traceroute count=$Count use-dns=yes $IPT} file=[Link]; :delay 5s; /ip
firewall raw set [find comment=”014R+: [Link] de [Link] (hacia
WANs)”] disable=no; :local STracerIP ([/file get “[Link]” contents]); /file
remove “[Link]”; :if ($STracerIP!=”failure: could not start”) do={:set
STracerIP ([pick $STracerIP ([find $STracerIP “\r\n”]+2) ([len $STracerIP])]); :set
STracerIP (“[ Tracert. ”.$IPT.” ]:
--------------------------------------------------------------- ”.[$TBidiToUniStr
$STracerIP " ; "]);} else={:set STracerIP (“[ Tracert. “.$IPT.” ]:
--------------------------------------------------------------- ”.$STracerIP);};
/system script environment remove [find name="IPT"]; /system script environment
remove [find name="Count"]; :return ($STracerIP);}
# Nota: (IPT/Count {cant. de intentos}) deben ser globales porque :execute corre el comando en un job separado, que no ve las variables locales de esta función.
# ------------------------------------------------
# Absolute time string from a date and a time: (Date, Time)
# $1 is "mmm/dd/yyyy" (month name at 0-3, day at 4-6, year at 7-11), $2 is "hh:mm:ss".
# Returns the STRING "YYYYMMDDhhmmss" (14 chars, not a number); callers compare these
# lexically, which orders correctly because every field is zero-padded.
:local AbsTime do={:local TimeX “”; :local Mx
("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec"); :local
MesAct ([find $Mx ([pick $1 0 3]) -1]+1); :if ($MesAct<10) do={:set MesAct (“0”.
$MesAct);}; :set TimeX ([pick $1 7 11].$MesAct.[pick $1 4 6].[pick $2 0 2].[pick $2
3 5].[pick $2 6 8]); :return ($TimeX);}
# ---------------------------------------- (Main code of [Link]-Alert)
# Builds a Telegram alert for the "T-DOS" address-list entries whose timeout is still
# running, de-duplicating against the global DOSRegistroH ("ip&list%YYYYMMDDhhmmss*"
# records) so that each entry is reported once per creation-time.
:global DOSRegistroH; # history of reported entries; only reset when no T-DOS entry remains — clean manually after a massive attack
:local TracertSend “NO”; # "SI" also sends a Telegram alert with a traceroute to the (last) listed IP
:local TimeAct ([$AbsTime ([/system clock get date]) ([/system clock get time])]);
:local DOSRegistro “”;
:local Listx “”;
:local IPx;
:local TimeOx;
:local Commentx “”;
:local Cont 0;
:local TimeLastC;
:local PosTF;
:local TimeCreatx;
# Gate on timeout>59s, run the two helper scripts (10s grace), then walk the entries
# with timeout>29s.
# NOTE(review): the two thresholds differ (59s vs 29s); presumably to absorb the 10s
# delay — confirm.
# NOTE(review): "$DOSRegistroH~(...)" is a regex match, so the dots of $IPx match any
# character; the [find] that follows is literal. In the worst case a similar record is
# located rather than the exact one — confirm this is acceptable.
# The message embeds up to 450 chars of each entry's comment; those comments are
# presumably filled by [Link]-Address from ARP/whois data, i.e. partly from external
# input (filtered there) — verify.
# Only the last $IPx of the loop is traced when TracertSend="SI".
:if ([/ip firewall address-list find (list~"T-DOS" and timeout>59s)]!=””)
do={/system script run [Link]-Client; /system script run
[Link]-Address; :delay 10s; :foreach x in=[/ip firewall address-list
find (list~"T-DOS" and timeout>29s)] do={:set Listx ([/ip firewall address-list get
$x list]); :set IPx ([/ip firewall address-list get $x address]); :set TimeOx ([/ip
firewall address-list get $x timeout]); :set Commentx ([/ip firewall address-list
get $x comment]); :if ([len $Commentx]=0) do={:set Commentx (“---([Link]-
Ident)---”);}; :set TimeCreatx ([/ip firewall address-list get $x creation-
time]); :set TimeCreatx ([$AbsTime [pick $TimeCreatx 0 11] [pick $TimeCreatx 12
21]]); :if ($DOSRegistroH~($IPx.”&”.$Listx.”%”)) do={:set PosTF ([find
$DOSRegistroH ($IPx.”&”.$Listx.”%”)]+[len [tostr $IPx]]+[len $Listx]+2); :set
TimeLastC ([pick $DOSRegistroH $PosTF ($PosTF+14)]); :if ($TimeCreatx>$TimeLastC)
do={:set Cont ($Cont+1); :set DOSRegistro ($DOSRegistro.(”[ ”.$Cont.” : ”.$Listx.”
”.$IPx.” “.$TimeOx.” ”.[pick $Commentx 0 450].” ] ”)); :set $DOSRegistroH ([pick
$DOSRegistroH 0 $PosTF].$TimeAct.[pick $DOSRegistroH ($PosTF+14) [len
$DOSRegistroH]]);}} else={:set Cont ($Cont+1); :set DOSRegistro ($DOSRegistro.
(”[ ”.$Cont.” : ”.$Listx.” ”.$IPx.” “.$TimeOx.” ”.[pick $Commentx 0 450].” ]
”)); :set DOSRegistroH ($DOSRegistroH.$IPx.”&”.$Listx.”%”.$TimeAct.”*”);}}; :if
([len $DOSRegistro]>0) do={:global TelegramMessage (“[[Link]]:
------------ ( ”.([/system identity get name]).” ) -------------- ”.
($DOSRegistro)); /system script run [Link]-MessageAlert; :delay 2s; :if
($TracertSend=“SI”) do={:global TelegramMessage ([$TracertIP $IPx 1]); /system
script run [Link]-MessageAlert; :delay 2s;}}} else={:set DOSRegistroH (“”);};
# [Link]-!A!SComment:
----------------------------------------------------
# Name: [Link]-!A!SComment
# comment=”Rx: ( Limpia AddressList.(!A+!S)-Comment )”
# Clears the comment of every address-list entry that is NOT in an "A-" or "S-" list.
:foreach x in=[/ip firewall address-list find (!(list~"A-" or list~"S-"))] do={/ip
firewall address-list set $x comment=””};
# [Link]-CComent:
---------------------------------------------------------
# Name: [Link]-CComment
# comment=”Rx: ( Limpia AddressList.(C)-Comment )”
# Clears the comment of every address-list entry in a "C-" list.
:foreach x in=[/ip firewall address-list find (list~"C-")] do={/ip firewall
address-list set $x comment=””};
# [Link]-TComment:
-------------------------------------------------------
# Name: [Link]-TComment
# comment=”Rx: ( Limpia AddressList.(T)-Comment )”
# Clears the comment of every address-list entry in a "T-" list.
:foreach x in=[/ip firewall address-list find (list~"T-")] do={/ip firewall
address-list set $x comment=””};
# [Link]-Address:
------------------------------------------------------------
# Name: [Link]-Address
# comment=”R+: ( [Link]-Address )”
# Es aconsejable, previamente borrar el (log)/([Link]) – por duplicaciones – y,
remover la variable global (MACLANDrop) al finalizar análisis de MACs.
# ----------------------------------------------
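# Upper-cases a MAC address string: (MAC)
# Expects the 17-char "xx:xx:xx:xx:xx:xx" form; hex pairs are read at offsets
# 0,3,...,15 and re-joined with ":". Returns the upper-cased MAC.
:local UpCaseMAC do={
    # ------------------------
    # Upper-cases one hex character: (Char) {function of function}
    # Digits and anything outside a-f are returned unchanged.
    :local UpCaseHexL do={
        :local HexDw ("abcdef");
        :local HexUp ("ABCDEF");
        :local Ch ($1);
        :if ([tonum $Ch]<0 and !([find $HexDw $Ch]<0)) do={
            :set Ch ([pick $HexUp ([find $HexDw $Ch]) ([find $HexDw $Ch]+1)]);
        };
        :return ($Ch);
    }
    # ------------------------
    :local MACUpC "";
    :local z 0;
    # Fix: the loop condition was written (z<16) without "$", so the counter was never read.
    :while ($z<16) do={
        :set MACUpC ($MACUpC.[$UpCaseHexL ([pick $1 $z ($z+1)])].[$UpCaseHexL ([pick $1 ($z+1) ($z+2)])].":");
        :set z ($z+3);
    };
    # Drop the ":" appended after the last pair.
    :return ([pick $MACUpC 0 ([:len $MACUpC]-1)]);
}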
# ----------------------------------------------
# Función Identifica IP: (IP,MAC)
# Solo funciona con (/24).
:local IPIdent do={
# ------------------------------
# Función devuelve Whois IP-Public: (IP-Public) {f de f}
:local WhoisIP do={
# ----------------------------------------------
# Strips leading ("Izq.") or trailing ("Der.") spaces: (StrX, Direction)
# {f of f of f}
# Walks from the chosen end while the char is " " and picks the remainder; an empty
# input is returned unchanged.
# NOTE(review): on an all-space string the walk runs past the end; the result then
# depends on what pick returns out of range — presumably never hit by the callers here.
:local KillChar255 do={:local StrXA ($1); :local X (0); :local Bloq (1); :if
($2=”Der.”) do={:set X ([len $1]-1); :set Bloq (-1);}; :if ([len $StrXA]>0)
do={:while ([pick $StrXA $X]=” ”) do={:set X ($X+$Bloq);}; :if ($2=“Izq.”) do={:set
StrXA ([pick $StrXA $X [len $StrXA]]);} else={:set StrXA ([pick $StrXA 0
($X+1)]);}}; :return ($StrXA);}
# --------------------------
# Trims spaces and sanitises a string against an allow-list: (StrX, Direction,
# StrCharsOk) {f of f of f}
# First strips leading ("Izq.") or trailing ("Der.") spaces like KillChar255, then
# replaces every character NOT contained in $3 with a space. This is the only filter
# between the fetched whois text and the log/alert/comment strings built from it, so
# $3 must stay an allow-list (it deliberately excludes quotes, "$", "<" and ">").
# NOTE(review): with an empty $StrXA the :for bound is -1; RouterOS :for counts down
# in that case — confirm the callers never pass an empty string.
:local KillChar255xURL do={:local StrXA ($1); :local X (0); :local CharX; :local
Bloq (1); :if ($2=”Der.”) do={:set X ([len $1]-1); :set Bloq (-1);}; :if ([len
$StrXA]>0) do={:while ([pick $StrXA $X]=” ”) do={:set X ($X+$Bloq);}; :if
($2=“Izq.”) do={:set StrXA ([pick $StrXA $X [len $StrXA]]);} else={:set StrXA
([pick $StrXA 0 ($X+1)]);}};
# ------------ (Kill: character not found in $3 -> replaced by a space)
:for rx from=0 to=([len $StrXA]-1) do={:while ([find $3 ([pick $StrXA $rx])]<0)
do={:set CharX ([pick $StrXA $rx]); :set StrXA (([pick $StrXA 0 ([find $StrXA
$CharX])]).“ ”.([pick $StrXA ([find $StrXA $CharX]+1) [len $StrXA]]));}};
# ------------ (Kill: character found in $3 — does not work in RouterOS for: “ñÑ$#&¿?”)
# :for rx from=0 to=([len $3]-1) do={:while ([find $StrXA ([pick $3 $rx])]>=0)
# do={:set CharX ([pick $3 $rx]); :set StrXA (([pick $StrXA 0 ([find $StrXA
# $CharX])]).“ ”.([pick $StrXA ([find $StrXA $CharX]+1) [len $StrXA]]));}};
# ------------
:return ($StrXA);}
# ---------------------------------------------- (Main code of WhoisIP)
# Fetches the whois record for $1 into a temporary file, waits 2s, reads and deletes
# the file, then extracts the fields it knows (NetType/owner/responsible/address/
# phone/City/country/Organization/NetName/mail/CIDR/OriginAS), each passed through
# KillChar255xURL with the SCharsOk allow-list, and joins them with " - ".
# Returns that summary, or "[Link]-Inaccesible" when the file was empty.
# NOTE(review): the lookup is plain HTTP (mode=http); the https variant is commented
# out below, so the reply can be altered in transit — the allow-list filter is what
# keeps that text from carrying anything but plain characters into comments/alerts.
# NOTE(review): every "[find ... ]>0" test misses a key found at offset 0 — harmless
# for this response layout presumably, but worth knowing.
:local ICANN (“(ARIN): [Link]-Sajona*(RIPE NCC): Europa, [Link] y
[Link]*(APNIC): Asia y [Link]*(LACNIC): [Link] y el
Caribe*(AfriNIC): Africa*(Direct Assignment): Ubicacion desconocida*”); :local
Owner (” “); :local NetName (” “); :local NetType (” “); :local IPGPS (” “); :local
OriginAS (” “); :local Country (” “); :local Responsible (” “); :local Address (”
“); :local Phone (” “); :local Organization (” “); :local City (” “); :local CIDR
(” “); :local Email (” “); :local WhoisX (“”); :local Type; :local FileT
(“[Link]“); # or ("\?q=".$1);
# ----------------------
/tool fetch url=(”[Link] mode=http dst-
path=($FileT);
# /tool fetch url=(“[Link] mode=https dst-path=($FileT);
# Note: limitation: (FileT<=4K). On (X/X/X) our IPv4s were banned at (RIPE NCC x [Link]
# ----------------------
:delay 2s; # also used to reduce the chance of being banned by an (ICANN) registry.
:local IPWhoisX ([/file get ($FileT) contents]); :local IPWhoisX1 (“”); :local
SCharsOk (“abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789–-*/@.;,)
(_:[]{%}”); /file remove ($FileT);
:if ([len $IPWhoisX]>0) do={
# ---------------------- NetType: also maps the registry name to its region via ICANN
:if ([find $IPWhoisX “NetType:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “NetType:”]) ([len $IPWhoisX])]); :set NetType ([$KillChar255xURL ([pick
$IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :if ([find $NetType “to”]>0) do={:set NetType ([pick $NetType ([find
$NetType “to”]+3) ([len $NetType])]); :set Type ($NetType);} else={:set Type ([pick
$NetType 0 7]);}; :set IPGPS ([pick $ICANN [find $ICANN $Type] [len $ICANN]]); :set
IPGPS ([pick $IPGPS ([find $IPGPS “):”]+3) ([find $IPGPS “*”])]); :set WhoisX
($WhoisX.$IPGPS.” - ”); :set WhoisX ($WhoisX.$NetType.” - ”);};
# ----------------------
:if ([find $IPWhoisX “owner:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “owner:”]) ([len $IPWhoisX])]); :set Owner ([$KillChar255xURL ([pick
$IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :set WhoisX ($WhoisX.$Owner.” - ”);};
# ----------------------
:if ([find $IPWhoisX “responsible:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “responsible:”]) ([len $IPWhoisX])]); :set Responsible ([$KillChar255xURL
([pick $IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :set WhoisX ($WhoisX.$Responsible.” - ”);};
# ---------------------- repeated keys (ddress:/hone:/mail:) are collected once each
:if ([find $IPWhoisX “ddress:”]>0) do={:set IPWhoisX1 ($IPWhoisX); :while ([find
$IPWhoisX1 “ddress:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX1 ([find $IPWhoisX1
“ddress:”]+6) ([len $IPWhoisX1])]); :set Address ([$KillChar255xURL ([pick
$IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :if ([find $WhoisX ($Address.” - ”)]=-1) do={:set WhoisX ($WhoisX.
$Address.” - ”);}}};
# ----------------------
:if ([find $IPWhoisX “hone:”]>0) do={:set IPWhoisX1 ($IPWhoisX); :while ([find
$IPWhoisX1 “hone:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX1 ([find $IPWhoisX1
“hone:”]+4) ([len $IPWhoisX1])]); :set Phone ([$KillChar255xURL ([pick $IPWhoisX1
([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.” $SCharsOk]); :if ([find
$WhoisX ($Phone.” - ”)]=-1) do={:set WhoisX ($WhoisX.$Phone.” - ”);}}};
# ----------------------
:if ([find $IPWhoisX “City:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “City:”]) ([len $IPWhoisX])]); :set City ([$KillChar255xURL ([pick
$IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :set WhoisX ($WhoisX.$City.” - ”);};
# ----------------------
:if ([find $IPWhoisX “country:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “country:”]) ([len $IPWhoisX])]); :set Country ([$KillChar255xURL ([pick
$IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :set WhoisX ($WhoisX.$Country.” - ”);};
# ----------------------
:if ([find $IPWhoisX “Organization:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “Organization:”]) ([len $IPWhoisX])]); :set Organization
([$KillChar255xURL ([pick $IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\
n”]]) “Izq.” $SCharsOk]); :set WhoisX ($WhoisX.$Organization.” - ”);};
# ----------------------
:if ([find $IPWhoisX “NetName:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “NetName:”]) ([len $IPWhoisX])]); :set NetName ([$KillChar255xURL ([pick
$IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :set WhoisX ($WhoisX.$NetName.” - ”);};
# ----------------------
:if ([find $IPWhoisX “mail:”]>0) do={:set IPWhoisX1 ($IPWhoisX); :while ([find
$IPWhoisX1 “mail:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX1 ([find $IPWhoisX1
“mail:”]+4) ([len $IPWhoisX1])]); :set Email ([$KillChar255xURL ([pick $IPWhoisX1
([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.” $SCharsOk]); :if ([find
$WhoisX ($Email.” - ”)]=-1) do={:set WhoisX ($WhoisX.$Email.” - ”);}}};
# ----------------------
:if ([find $IPWhoisX “CIDR:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “CIDR:”]) ([len $IPWhoisX])]); :set CIDR ([$KillChar255xURL ([pick
$IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :set WhoisX ($WhoisX.$CIDR.” - ”);};
# ----------------------
:if ([find $IPWhoisX “OriginAS:”]>0) do={:set IPWhoisX1 ([pick $IPWhoisX ([find
$IPWhoisX “OriginAS:”]) ([len $IPWhoisX])]); :set OriginAS ([$KillChar255xURL
([pick $IPWhoisX1 ([find $IPWhoisX1 “:”]+1) [find $IPWhoisX1 “\n”]]) “Izq.”
$SCharsOk]); :set WhoisX ($WhoisX.$OriginAS.” - ”);};
# ---------------------- drop the trailing " - "
:set WhoisX ([pick $WhoisX 0 ([len $WhoisX]-3)]);} else={:set WhoisX
(“[Link]-Inaccesible”);}; :return ($WhoisX);}
# ------------------------------
# Identifies a client by IP: (IP,Range1,Range2,Range3,…) {f of f}
# When $1 starts with one of the three range prefixes, looks up the simple queue
# whose target is "$1/32": returns its name (first 77 chars), "( Libre )" when the
# name contains "_Libre ", or "[[Link]]" when no queue matches; otherwise the
# default "[Link]".
# NOTE(review): the range test is a plain string-prefix compare, so a prefix such as
# "1.2.1" would also match "1.2.1x..." — the note below asks for ranges written
# without leading zeros; verify the prefixes end where intended.
:local ClientIdent do={
:local RegistroX (“[Link]”);
:if ([pick $1 0 [len $2]]=$2 or [pick $1 0 [len $3]]=$3 or [pick $1 0 [len $4]]=$4)
do={:if ([/queue simple find (target=($1."/32"))]!="") do={:set RegistroX ([/queue
simple get value-name=name [find target=($1."/32")]]); :if ([find $RegistroX
“_Libre ”]<0) do={:set RegistroX ([pick $RegistroX 0 77]);} else={:set RegistroX
(”( Libre )”);}} else={:set RegistroX (”[[Link]]”);}}; :return
($RegistroX);}
# Nota: disponer en fila, los rangos de IP sin ceros a la izq., según corresponda.
# ------------------------------ (Main code of IPIdent)
# Builds an identification string for (IP, MAC):
#  - MAC given and present in /ip arp: "MAC,(client=ip).interface" via ClientIdent;
#  - else IP present in /ip arp: "mac,(ip).interface";
#  - else a whois lookup (at most 10 per run, counted in the global ICANNCont),
#    wrapped as "MAC,(whois).WANX" when a MAC was given.
# Identification via /ip arp is only as trustworthy as the ARP table itself.
# NOTE(review): [/ip arp get [/ip arp find mac-address=$2] ...] assumes exactly one
# ARP entry per MAC; several IPs behind one MAC would make the get fail — verify.
:global ICANNCont; :local IDOut (“[Link]”); :local RegistroY; :if ([len $2]>0
and [/ip arp find (mac-address=$2)]!=””) do={:set RegistroY ([$ClientIdent ([/ip
arp get [/ip arp find mac-address=$2] address]) ”1.2.A” ”1.2.B” ”1.2.C”]); :set
IDOut (($2).”,(”.([pick $RegistroY 0 25]).“=”.[/ip arp get [/ip arp find mac-
address=$2] address].”).”.[/ip arp get [/ip arp find mac-address=$2] interface]);}
else={:if ([/ip arp find (address=$1)]!=””) do={:set IDOut ([/ip arp get [/ip arp
find address=$1] mac-address].”,(”.($1).”).”.[/ip arp get [/ip arp find address=$1]
interface]);} else={:if ($ICANNCont<10) do={:set IDOut ([$WhoisIP $1]); :set
ICANNCont ($ICANNCont+1);} else={:set IDOut (“[Link]-LimitAlcanzado”);}; :if
([len $2]>0) do={:set IDOut ($2.”,(”.$IDOut.”).WANX”);}}}; :return ($IDOut)}
# Nota: recordar que (10*[Link]<Min([Link]-Consult)).
# ------------------------------------- [Code Main de [Link]-Address]
# -------------------------------------[Registro Regional de Internet: NRO+]
# (ARIN): [Link]-Sajona.
# (RIPE NCC): Europa, [Link] y [Link].
# (APNIC): Asia y [Link].
# (LACNIC): [Link] y el Caribe.
# (AfriNIC): Africa.
# (Direct Assignment/Allocation): Ubicación desconocida.
# -------------------------------------
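# ---- Main body of "[Link]-Address" ----
# For every address-list entry on a "T-*" list that has no comment yet, locate the firewall log line
# that recorded it (DOS-/VPN- prefix, carrying "src-mac"), extract the source MAC, resolve IP+MAC to
# a subscriber through $IPIdent (ARP table, queue name, or a WHOIS lookup capped at 10 per run by
# ICANNCont) and store the result in the entry's comment. Every MAC found is appended to the global
# MACLANDrop (one per line) for later use by other scripts.
# Review fixes vs. the previous version:
#  * the log search used message~$IPx, i.e. the bare IP as a regular expression: "." matches any
#    character and nothing anchored the match, so 10.0.0.1 also matched 10.0.0.10 or 110.0.0.1 and
#    the wrong log line (and MAC) could be attached to an entry. The IP is now escaped and bounded.
#  * the inner :foreach appeared to iterate over the boolean result of the match rather than over
#    the log ids; the ids are now looked up once and reused.
#  * the unused local "Encontrado" was dropped.
:global MACLANDrop "";   # every MAC found this run, "\r\n"-separated (reset on each run)
:global ICANNCont (0);   # WHOIS queries issued this run; $IPIdent stops at 10
:local IPx;
:local Listx;
:local IDClientx;
:local MACx "";
:local Registro "";
:local IPRx "";
:local LogIDs "";
:foreach x in=[/ip firewall address-list find (!comment and list~"T-")] do={
  :set IPx ([/ip firewall address-list get $x address]);
  :set Listx ([/ip firewall address-list get $x list]);
  # Build a regex that matches the address only as a whole token: escape every "." and require that
  # the character before and after it is not part of another address.
  :set IPRx "";
  :for i from=0 to=([:len $IPx]-1) do={
    :local c [:pick $IPx $i ($i+1)];
    :if ($c=".") do={:set IPRx ($IPRx."\\.")} else={:set IPRx ($IPRx.$c)};
  };
  :set IPRx ("(^|[^0-9.])".$IPRx."([^0-9.]|\$)");
  # T-DOS lists are matched against DOS- log lines, T-VPN lists against VPN- lines (DOS first, as before).
  :set LogIDs "";
  :if ($Listx~"T-DOS") do={:set LogIDs [/log find (message~"DOS-" and message~"src-mac" and message~$IPRx)]};
  :if ($Listx~"T-VPN" and [:len $LogIDs]=0) do={:set LogIDs [/log find (message~"VPN-" and message~"src-mac" and message~$IPRx)]};
  :if ([:len $LogIDs]>0) do={
    # Keep the most recent matching log line (the last one returned).
    :foreach y in=$LogIDs do={:set Registro ([/log get $y message])};
    # "src-mac " is 8 characters and a MAC is 17, hence the +8 / +25 offsets.
    :set MACx ([pick $Registro ([find $Registro "src-mac"]+8) ([find $Registro "src-mac"]+25)]);
    :set MACx ([$UpCaseMAC $MACx]);
    :set IDClientx ([$IPIdent $IPx $MACx]);
    :set MACLANDrop ($MACLANDrop.$MACx."\r\n");
    :set IDClientx ("( ".($IDClientx)." ) – ( ".([pick $Registro ([find $Registro $IPx]) ([len $Registro])])." )");
    /ip firewall address-list set $x comment=($IDClientx);
  } else={
    # No log line for this entry: identify by IP alone (empty MAC).
    /ip firewall address-list set $x comment=("( ".([$IPIdent $IPx ""])." )");
  };
};
/system script environment remove [find name="ICANNCont"];
# /system script environment remove [find name="MACLANDrop"];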
# Nota: usar (aplicación: WireShark), filtro ([Link] == [Link]), para identificar cambios de IP.
# Exportar log: (/log print file=[Link]).
# [Link]-Client:
--------------------------------------------------------------
# Name: [Link]-Client
# comment=”C+: ( [Link]-Client )”
# Solo funciona con (/24).
# -----------------------------------------------
# Función Identifica-Cliente: (IP,Rango1,Rango2,Rango3,…)
# Identify the subscriber behind an IP address.
# Args: $1 = IPv4 address as a string; $2..$4 = range prefixes, each compared as a plain string
#       prefix of $1 (a prefix without its trailing dot therefore also matches longer octets,
#       e.g. "10.1.2" matches 10.1.20.x — include the dot when only one /24 is intended).
# Returns: the simple-queue name (cut to 77 chars) whose target is exactly <IP>/32;
#          "( Libre )" when that queue name contains "_Libre "; "[[Link]]" when no queue targets
#          the IP; the untouched default "[Link]" when the IP is outside every range.
# NOTE(review): the "_Libre " test relies on :find yielding a value < 0 when the substring is absent.
# On RouterOS builds where :find returns nil instead, the comparison may not behave as intended —
# verify on the target version.
:local ClientIdent do={
:local RegistroX (“[Link]”);
:if ([pick $1 0 [len $2]]=$2 or [pick $1 0 [len $3]]=$3 or [pick $1 0 [len $4]]=$4)
do={:if ([/queue simple find (target=($1."/32"))]!="") do={:set RegistroX ([/queue
simple get value-name=name [find target=($1."/32")]]); :if ([find $RegistroX
“_Libre ”]<0) do={:set RegistroX ([pick $RegistroX 0 77]);} else={:set RegistroX
(”( Libre )”);}} else={:set RegistroX (”[[Link]]”);}}; :return
($RegistroX);}
# Nota: disponer en fila, los rangos de IP sin ceros a la izq., según corresponda.
# -----------------------------------------------
# Main: for every address-list entry that still has no comment, look the address up with
# ClientIdent and write the subscriber name into the comment. The three range prefixes passed
# below are placeholders to be replaced with the real /24 prefixes. Entries that come back with
# the default "[Link]" (outside every range) are left untouched.
:local IPAL;
:local Registro;
:foreach x in=[/ip firewall address-list find (!comment)] do={:set IPAL ([/ip
firewall address-list get $x address]); :set Registro ([$ClientIdent $IPAL ”1.2.A”
”1.2.B” ”1.2.C”]); :if ($Registro!=“[Link]”) do={/ip firewall address-list set
$x comment=$Registro;};};
# Nota: (77), depende de la longitud del formato para nombre de QS. (Error), no detecta multiples IPs x Client.
# Run, antes de ([Link]-Address). Ej. multiple target:
# ([/queue simple get value-name=name [find target=("[Link]/32”,”[Link]/32”,”[Link]/32")]]).
# [Link] (ABTemp):
--------------------------------------------------------------------
# Name: [Link] (ABTemp)
# comment=”C+: ( [Link] (ABTemp) )”
# -----------------------------------------------
# (+T: ).Comm: (all initial line) [+TE=20XX/0X/0X 0Xh&&ABUp%%ABDw]
# -----------------------------------------------
# Nota: (20XX/0X/0X 0Xh), fecha y hora final. (xTE=), regla inactiva.
# Month names as RouterOS prints them in the legacy "mmm/DD/YYYY" date format.
# NOTE(review): RouterOS 7.10 and later print the date as "YYYY-MM-DD"; the fixed :pick offsets
# below assume the legacy format and would need adjusting on those builds.
:local Mx
("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
:local DateAct ([/system clock get date]);
:local DiaAct ([pick $DateAct 4 6]);
:local MesActP ([pick $DateAct 0 3]);
:local MesAct ([find $Mx $MesActP -1]+1);
:local AnioAct ([pick $DateAct 7 11]);
:local TimeAct ([/system clock get time]);
:local HoraAct ([pick $TimeAct 0 2]);
:if ($MesAct<10) do={:set MesAct (“0”.$MesAct);};
# Current moment as a sortable "YYYYMMDDHH" string; compared numerically with the promo deadline.
:local DateTimeAct ($AnioAct.$MesAct.$DiaAct.$HoraAct);
# -----------------------------------------------
:local DatePromo;
:local DiaPromo;
:local MesPromo; # keep the leading zero for months < 10: the comparison below is numeric on the whole string
:local AnioPromo;
:local HoraPromo;
:local DateTimePromo;
# ----------------------------------------------- [adjust when the QoS policy changes]
:local QoSRelacion 8; # max-limit : limit-at ratio (8:1); smallest limit-at = 64k
:local QoSPBurstThres 75; # burst-threshold as a percentage of max-limit (75 %)
:local QoSBurstL 2; # burst-limit : max-limit ratio (2:1)
:local UnidadUp; # unit suffix ("k" or "M") parsed from the comment; smallest max-limit = 500k/500k
:local UnidadDw;
# -----------------------------------------------
:local QSComment;
:local QSName;
:local MaxLimitUp 0;
:local MaxLimitDw 0;
:local MaxLimitUpT “”;
:local MaxLimitDwT “”;
:local MaxLimit; # unit: k
:local LimitAtUp 0;
:local LimitAtDw 0;
:local LimitAt; # unit: k
:local BurstLimitUp 0;
:local BurstLimitDw 0;
:local BurstLimit;
:local BurstThresholdUp 0;
:local BurstThresholdDw 0;
:local BurstThreshold; # unit: k
# -----------------------------------------------
# For every simple queue whose name starts with the "+T: " promo marker, read the
# "[+TE=YYYY/MM/DD HHh&&<up>%%<down>]" tag from its comment. Once the deadline has passed, strip the
# 4-char marker from the name, flip the tag to "xTE=" (rule inactive), and restore the regular limits
# derived from the "&&up%%down" values (e.g. "5M" or "500k") using the ratios above. Everything is
# parsed at fixed offsets from "+TE=", so the tag format must be exact.
:foreach x in=[/queue simple find (name~”\\+T: ”)] do={:set QSComment ([/queue
simple get $x comment]);
# ------------------------------------------------ [Does a (+TE=) tag exist?]
:if ($QSComment~”\\+TE=”) do={:set DiaPromo ([pick $QSComment ([find $QSComment
“+TE=”]+12) ([find $QSComment “+TE=”]+14)]); :set MesPromo ([pick $QSComment ([find
$QSComment “+TE=”]+09) ([find $QSComment “+TE=”]+11)]); :set AnioPromo ([pick
$QSComment ([find $QSComment “+TE=”]+04) ([find $QSComment “+TE=”]+08)]); :set
HoraPromo ([pick $QSComment ([find $QSComment “+TE=”]+15) ([find $QSComment “+TE=”]
+17)]); :set DateTimePromo ($AnioPromo.$MesPromo.$DiaPromo.$HoraPromo);
# ------------------------------------------------ [Deadline reached?]
:if ([tonum $DateTimeAct]>[tonum $DateTimePromo]) do={:set QSName ([/queue simple
get $x name]); :set QSName ([pick $QSName 4 [len $QSName]]); :set MaxLimitUpT
([pick $QSComment ([find $QSComment “&&”]+2) ([find $QSComment “%%”])]); :set
MaxLimitDwT ([pick $QSComment ([find $QSComment “%%”]+2) ([find $QSComment “]”])]);
# ------------------------------------------------ [Mark the tag inactive: "+TE=" -> "xTE="]
:set QSComment ([pick $QSComment 0 ([find $QSComment “+TE=”])].”x”.([pick
$QSComment ([find $QSComment “TE=”]) [len $QSComment]]));
# :set QSComment ([pick $QSComment ([find $QSComment “]”]+1) [len $QSComment]]);
# (alternative clean-up: drop the whole tag from the comment)
# ------------------------------------------------ [Restore the regular limits]
/queue simple set $x name=($QSName); /queue simple set $x
comment=($QSComment); :set MaxLimitUp ([tonum [pick $MaxLimitUpT 0 ([len
$MaxLimitUpT]-1)]]); :set MaxLimitDw ([tonum [pick $MaxLimitDwT 0 ([len
$MaxLimitDwT]-1)]]); :set UnidadUp ([pick $MaxLimitUpT ([len $MaxLimitUpT]-1) ([len
$MaxLimitUpT])]); :set UnidadDw ([pick $MaxLimitDwT ([len $MaxLimitDwT]-1) ([len
$MaxLimitDwT])]); :if ($UnidadUp=”M”) do={:set MaxLimitUp ($MaxLimitUp*1000);}; :if
($UnidadDw=”M”) do={:set MaxLimitDw ($MaxLimitDw*1000);}; :set LimitAtUp
($MaxLimitUp/$QoSRelacion);
:set LimitAtDw ($MaxLimitDw/$QoSRelacion); :set LimitAt ($LimitAtUp."k/".
$LimitAtDw."k"); :set MaxLimit ($MaxLimitUp."k/".$MaxLimitDw."k"); /queue simple
set $x limit-at=$LimitAt; /queue simple set $x burst-time=16/16; /queue simple set
$x max-limit=$MaxLimit; :set BurstThresholdUp
(($MaxLimitUp*$QoSPBurstThres)/100); :set BurstThresholdDw
(($MaxLimitDw*$QoSPBurstThres)/100); :set BurstThreshold ($BurstThresholdUp."k/".
$BurstThresholdDw."k"); /queue simple set $x burst-threshold=$BurstThreshold; :set
BurstLimitUp ($MaxLimitUp*$QoSBurstL); :set BurstLimitDw
($MaxLimitDw*$QoSBurstL); :set BurstLimit ($BurstLimitUp."k/".
$BurstLimitDw."k"); /queue simple set $x burst-limit=$BurstLimit; /queue simple set
$x queue=ethernet-default/ethernet-default; /queue simple set $x priority=8/8;
# ------------------------------------------------ [Alert: log + Telegram via the MessageAlert script]
:log warning message=("[[Link] (Expire: $QSName) – ($DateTimeAct >
$DateTimePromo)]"); :global TelegramMessage (“[[Link] (Expire: $QSName) –
($DateTimeAct>$DateTimePromo)]”); /system script run [Link]-MessageAlert;}}};
# -----------------------------------------------
# Nota: En caso de no definir (+TE=), debera aplicarse un proceso manual.
# [Link]:
--------------------------------------------------------------------
# Name: [Link]
# comment="Rx: ( [Link] )"
# Dump the resolver cache to a file (the file name was lost in this copy), then drop every cached
# record. The dump lists every name the LAN clients resolved, so treat the file as sensitive data.
/ip dns cache print file=[Link]; :delay 2s;
/ip dns cache flush; # drops every cached record
# [Link]:
-----------------------------------------------------------------------------
# Name: [Link]
# comment="Rx: ( [Link] )"
# Export the in-memory log to a file, then shrink the "memory" logging action to one line (which
# discards the whole buffer) and restore the 1000-line limit.
# NOTE(review): this destroys the only on-box copy of the log. The IPIdent-Address script parses the
# DOS-/VPN- firewall lines (with src-mac) from this buffer, so run it before this one; for incident
# work keep a remote syslog action rather than relying on this export.
/log print file=[Link]; :delay 2s;
/system logging action set memory memory-lines=1; :delay 2s; # clears the whole in-memory log
/system logging action set memory memory-lines=1000; # keep the last 1000 lines
# [Link]:
-------------------------------------------------------------------------
# Name: [Link]
# comment=”C+: ( [Link]: 00/00 ] o [Link]/Act.Año] )”
# (QoSBurstT/16), determina el periodo de cada análisis (media de consumo de target).
# Si esa media es inferior a burst-threshold, se activa la ráfaga.
# -----------------------------------------------
# Función Convierte MesL en MesN (Fecha) {mejor usar arreglo}
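# Convert a RouterOS date string into "MM/YY" (e.g. "aug/15/2023" -> "08/23").
# Arg: $1 = the value of [/system clock get date]. Both date formats RouterOS has used are accepted:
#   legacy "mmm/DD/YYYY" (month name looked up in the array, zero-padded) and
#   ISO "YYYY-MM-DD" (RouterOS 7.10 and later; month taken directly).
# An unknown month name in the legacy form yields "Error/YY", as before.
# Review changes vs. the previous version: the twelve nested :if branches are replaced by a table
# lookup (as the author's own note suggested) and the ISO date format is recognised, since the old
# fixed offsets silently returned "Error" on it.
:local ConvertMLToN do={
  :local Months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
  :local MesN "Error";
  :local Anio;
  :if ([:pick $1 4 5]="-") do={
    # ISO form: year at 0..3, month at 5..6.
    :set Anio [:pick $1 0 4];
    :set MesN [:pick $1 5 7];
  } else={
    # Legacy form: month name at 0..2, year at 7..10.
    :set Anio [:pick $1 7 11];
    :local Idx [:find $Months [:pick $1 0 3]];
    :if ([:typeof $Idx]="num") do={
      :set MesN ($Idx+1);
      :if ($MesN<10) do={:set MesN ("0".$MesN)};
    };
  };
  :return ($MesN."/".[:pick $Anio 2 4]);
};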
# ----------------------------------------------- (ajustar según actualizaciones)
# ---- Monthly renewal of the regular QoS limits ----
# Ratios shared with the ABTemp script; adjust them together.
:local QoSRelacion 8; # max-limit : limit-at ratio (8:1); smallest limit-at = 64k
:local QoSPBurstThres 75; # burst-threshold as a percentage of max-limit (75 %)
:local QoSBurstL 2; # burst-limit : max-limit ratio (2:1)
:local UnidadUp; # unit suffix ("k" or "M") parsed from the queue's max-limit; smallest max-limit = 500k/500k
:local UnidadDw;
# -----------------------------------------------
:local MaxLimitUp 0;
:local MaxLimitDw 0;
:local MaxLimit; # unit: k
:local LimitAtUp 0;
:local LimitAtDw 0;
:local LimitAt; # unit: k
:local BurstLimitUp 0;
:local BurstLimitDw 0;
:local BurstLimit;
:local BurstThresholdUp 0;
:local BurstThresholdDw 0;
:local BurstThreshold; # unit: k
# Queues to renew are selected by name: those tagged with the current "MM/YY ]" (via ConvertMLToN)
# or with the "00/00 ]" wildcard.
:local ActMesAnio ([$ConvertMLToN [/system clock get date]].” ]”);
# For each selected queue: parse the existing max-limit "<up><unit>/<down><unit>" into kbit values,
# then recompute limit-at, burst-threshold and burst-limit from the ratios above and reset the
# queue type, priority, parent and total-queue to the defaults.
# NOTE(review): the parser assumes max-limit is returned as a string ending in "k" or "M" on both
# sides (e.g. "5M/10M"); a value without a unit suffix would be mis-parsed — confirm on the target version.
:foreach x in=[/queue simple find (name~$ActMesAnio or name~”00/00 ]”)] do={:set
MaxLimit ([/queue simple get $x max-limit]); :set MaxLimitUp ([tonum [pick
$MaxLimit 0 ([find $MaxLimit "/"]-1)]]); :set MaxLimitDw ([tonum [pick $MaxLimit
([find $MaxLimit "/"]+1) ([len $MaxLimit]-1)]]); :set UnidadUp ([pick $MaxLimit
([find $MaxLimit "/"]-1) ([find $MaxLimit "/"])]); :set UnidadDw ([pick $MaxLimit
([len $MaxLimit]-1) [len $MaxLimit]]); :if ($UnidadUp=”M”) do={:set MaxLimitUp
($MaxLimitUp*1000);}; :if ($UnidadDw=”M”) do={:set MaxLimitDw
($MaxLimitDw*1000)}; :set LimitAtUp ($MaxLimitUp/$QoSRelacion); :set LimitAtDw
($MaxLimitDw/$QoSRelacion); :set LimitAt ($LimitAtUp."k/".$LimitAtDw."k"); /queue
simple set $x limit-at=$LimitAt; /queue simple set $x burst-time=16/16; :set
BurstThresholdUp (($MaxLimitUp*$QoSPBurstThres)/100); :set BurstThresholdDw
(($MaxLimitDw*$QoSPBurstThres)/100); :set BurstThreshold ($BurstThresholdUp."k/".
$BurstThresholdDw."k"); /queue simple set $x burst-threshold=$BurstThreshold; :set
BurstLimitUp ($MaxLimitUp*$QoSBurstL); :set BurstLimitDw
($MaxLimitDw*$QoSBurstL); :set BurstLimit ($BurstLimitUp."k/".
$BurstLimitDw."k"); /queue simple set $x burst-limit=$BurstLimit; /queue simple set
$x queue=ethernet-default/ethernet-default; /queue simple set $x priority=8/8;
/queue simple set $x parent=none; /queue simple set $x total-queue=ethernet-
default;};
# ------------------------------------------------ (Restaura.__/__ ])
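# ---- Restore the "__/__ ]" placeholder ----
# Queues that were selected through the "00/00 ]" wildcard get that part of their name rewritten
# to "__/__ ]" so they are not picked up again on the next run.
# Review fix vs. the previous version: the :foreach body closed with "}}" for a single "do={",
# which is a parse error for the whole script; the braces are now balanced.
:local Nombre "-";
:foreach x in=[/queue simple find (name~"00/00 ]")] do={
  :set Nombre ([/queue simple get $x name]);
  # Everything before the "00/00 ]" marker is kept; the marker itself is replaced.
  :set Nombre ([pick $Nombre 0 [find $Nombre "00/00 ]"]]."__/__ ]");
  /queue simple set $x name=$Nombre;
};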
# ------------------------------------------------
# Nota: RouterOS no maneja bien los decimales, por eso ((valor*porcentaje)/100).
# [Link] (max-limit=burst-threshold).
# [Link]-DNSCache (Email):
-------------------------------------------------------
# Name: [Link]-DNSCache
# comment="R+: ( [Link]-DNSCache )"
# -----------------------------------------------
# Función [Link]: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Proceso)
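# Connectivity probe used as a gate before the e-mail is sent.
# Args: $1 = target IP, $2 = packets to send, $3 = max acceptable loss (%), $4 = max acceptable
#       average RTT (ms), $5 = packet size (bytes), $6 = caller name, used in the log line.
# Returns "OK" when loss <= $3 and average RTT <= $4, otherwise "KO"; the measurement is logged
# either way (info on OK, error on KO).
# The target must be allowed through the firewall: it is added for one minute to the "A-[Link]"
# address-list, or re-enabled there when the entry exists but is disabled, and disabled again after
# the probe.
# Review fixes vs. the previous version:
#  * the final "disable" step matched on the address only, across every list, so it could also
#    disable unrelated entries for the same IP (e.g. on a block list); it is now limited to this list.
#  * when flood-ping did not report the full count, sent/received stayed unset and the loss
#    arithmetic raised a script error that aborted the caller; the counters now default to 0 and the
#    loss keeps the failing default ($3+1), so the probe simply returns "KO".
#  * the add branch and the enable/disable branch referred to differently named lists; one name is
#    now used for both (NOTE(review): the names may have been garbled in this copy — confirm which
#    list is intended).
:local TestConn do={
  :local ListName "A-[Link]";
  :local PLoss ($3+1);
  :local AvgRTT ($4+1);
  :local MaxRTT;
  :local PRecibidos 0;
  :local PEnviados 0;
  :local LogMsg;
  :local DisabledIP (false);
  :if ([/ip firewall address-list find (address=$1 and list=$ListName)]="") do={
    /ip firewall address-list add address=$1 list=$ListName comment="T+: (TemporalIP x ICMP)" timeout=1m disabled=no;
  } else={
    :if ([/ip firewall address-list get value-name=disabled [find (address=$1 and list=$ListName)]]) do={
      /ip firewall address-list enable [/ip firewall address-list find (address=$1 and list=$ListName)];
      :set DisabledIP (true);
    };
  };
  :delay 10ms;
  /tool flood-ping $1 count=$2 size=$5 do={
    :if ($sent=$2) do={
      :set AvgRTT ($"avg-rtt");
      :set MaxRTT ($"max-rtt");
      :set PEnviados $sent;
      :set PRecibidos $received;
    };
  };
  :if ($DisabledIP) do={
    /ip firewall address-list disable [/ip firewall address-list find (address=$1 and list=$ListName)];
  };
  # Integer percentage; RouterOS has no fractional arithmetic.
  :if ($PEnviados>0) do={:set PLoss (100-(($PRecibidos*100)/$PEnviados))};
  :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]: latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms ) – paquetes perdidos: ( $([:tostr $PLoss])% )");
  :if ($PLoss<=$3 and $AvgRTT<=$4) do={
    :log info message=($LogMsg);
    :return ("OK");
  } else={
    :log error message=($LogMsg);
    :return ("KO");
  };
};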
# Nota: Asegurarse que IP este en Address-List (do={:beep frequency=550 length=494ms;}).
# -----------------------------------------------
# Función agrega caracteres (Izq/Der) hasta len: (Var, Donde, Char, Long)
# Pad $1 with character $3 until it is $4 characters long: on the left when $2 is "Izq.",
# otherwise on the right. Strings already $4 or longer are returned unchanged.
# Used to align the columns of the e-mail report.
:local AddCToLen do={
  :local Out $1;
  :local Faltan ($4-[:len $1]);
  :if ($Faltan>0) do={
    :for k from=1 to=$Faltan do={
      :if ($2="Izq.") do={:set Out ($3.$Out)} else={:set Out ($Out.$3)};
    };
  };
  :return $Out;
};
# ----------------------------------------------- [[Link]]
# ---- Main body of "[Link]-DNSCache" ----
# Only when the connectivity probe passes: write the full resolver cache to a file named after the
# board model and e-mail it with a small system summary.
# NOTE(review): the attachment lists every name resolved by every LAN client (browsing metadata);
# make sure /tool e-mail is configured with TLS towards a trusted mailbox and that the recipient
# is the only reader. The attachment itself is sent in clear.
:if ([$TestConn "[Link]" 10 30 100 64 ”[Link]-DNSCache”]=”OK”) do={
# ----------------------------------------------- [Cache dump to file]
:local FileName ([/system resource get board-name].”(DNSCache)[01].txt”);
/ip dns cache print detail file=$FileName; :delay 4s;
# ----------------------------------------------- [Inactive: /file contents is limited to 4K]
# /file print file=$FileName; :delay 2s; # creates the file
# /file set [find name=$FileName] contents=""; # clears its contents
# :local Line “”;
# :local TTL; # only entries with a TTL above 10 s are kept
# :local Type ””;
# :local Address ([Link]);
# :local AddressS “”;
# :local Name “”;
# :foreach i in=[/ip dns cache all find] do={:set Name ([/ip dns cache get $i
# name]); :set AddressS ([/ip dns cache all get $i data]); :set Type ([/ip dns cache
# all get $i type]); :set TTL ([/ip dns cache get $i ttl]); :if ([len $Type]>0 and
# $TTL>10s) do={:set Line ($Address." – ".$AddressS." – ".$Type." – ".$Name." – ".
# $TTL. " – ".[typeof $Address]); /file set $FileName contents=([/file get $FileName
# contents].$Line.”\r\n”);}};
# -----------------------------------------------
# Subject = the comment of user(x) + this script's own comment minus its 4-char "R+: " prefix.
# ("scrip" is an abbreviation RouterOS resolves to "script".)
:local Subjet (([/user get [find name=user(x)] comment]).([pick ([/system scrip get
[find name=”[Link]-DNSCache”] comment]) 4 ([len ([/system scrip get [find
name=”[Link]-DNSCache”] comment])])])); /tool e-mail send to="xxx@[Link]"
subject=$Subjet body=“System : ($[/system identity get name]) \r\nFecha
: ($[/system clock get date]) \r\nHora : ($[/system clock get time]) \r\
nModelo : ($[/system resource get board-name]) \r\nIPWAN1 : ($[/ip
address get [find comment~”TELCO.2.2.2.x”] value-name=address]) \r\nEtherAux :
($[/ip address get [find comment~”EMERGENCY1”] value-name=interface]) \r\
nIPEtherAux : ($[/ip address get [find comment~”EMERGENCY1”] value-
name=address])” file=$FileName;};
# [Link]-Config (Email):
------------------------------------------------------------
# Name: [Link]-Config
# comment="R+: ( [Link]-Config )"
# -----------------------------------------------
# Función [Link]: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Proceso)
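# Connectivity probe used as a gate before the e-mail is sent.
# Args: $1 = target IP, $2 = packets to send, $3 = max acceptable loss (%), $4 = max acceptable
#       average RTT (ms), $5 = packet size (bytes), $6 = caller name, used in the log line.
# Returns "OK" when loss <= $3 and average RTT <= $4, otherwise "KO"; the measurement is logged
# either way (info on OK, error on KO).
# The target must be allowed through the firewall: it is added for one minute to the "A-[Link]"
# address-list, or re-enabled there when the entry exists but is disabled, and disabled again after
# the probe.
# Review fixes vs. the previous version:
#  * the final "disable" step matched on the address only, across every list, so it could also
#    disable unrelated entries for the same IP (e.g. on a block list); it is now limited to this list.
#  * when flood-ping did not report the full count, sent/received stayed unset and the loss
#    arithmetic raised a script error that aborted the caller; the counters now default to 0 and the
#    loss keeps the failing default ($3+1), so the probe simply returns "KO".
#  * the add branch and the enable/disable branch referred to differently named lists; one name is
#    now used for both (NOTE(review): the names may have been garbled in this copy — confirm which
#    list is intended).
:local TestConn do={
  :local ListName "A-[Link]";
  :local PLoss ($3+1);
  :local AvgRTT ($4+1);
  :local MaxRTT;
  :local PRecibidos 0;
  :local PEnviados 0;
  :local LogMsg;
  :local DisabledIP (false);
  :if ([/ip firewall address-list find (address=$1 and list=$ListName)]="") do={
    /ip firewall address-list add address=$1 list=$ListName comment="T+: (TemporalIP x ICMP)" timeout=1m disabled=no;
  } else={
    :if ([/ip firewall address-list get value-name=disabled [find (address=$1 and list=$ListName)]]) do={
      /ip firewall address-list enable [/ip firewall address-list find (address=$1 and list=$ListName)];
      :set DisabledIP (true);
    };
  };
  :delay 10ms;
  /tool flood-ping $1 count=$2 size=$5 do={
    :if ($sent=$2) do={
      :set AvgRTT ($"avg-rtt");
      :set MaxRTT ($"max-rtt");
      :set PEnviados $sent;
      :set PRecibidos $received;
    };
  };
  :if ($DisabledIP) do={
    /ip firewall address-list disable [/ip firewall address-list find (address=$1 and list=$ListName)];
  };
  # Integer percentage; RouterOS has no fractional arithmetic.
  :if ($PEnviados>0) do={:set PLoss (100-(($PRecibidos*100)/$PEnviados))};
  :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]: latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms ) – paquetes perdidos: ( $([:tostr $PLoss])% )");
  :if ($PLoss<=$3 and $AvgRTT<=$4) do={
    :log info message=($LogMsg);
    :return ("OK");
  } else={
    :log error message=($LogMsg);
    :return ("KO");
  };
};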
# Nota: Asegurarse que IP este en address-list (do={:beep frequency=550 length=494ms;}).
# -----------------------------------------------
# Función agrega caracteres (Izq/Der) hasta len: (Var, Donde, Char, Long)
# Pad $1 with character $3 until it is $4 characters long: on the left when $2 is "Izq.",
# otherwise on the right. Strings already $4 or longer are returned unchanged.
# Used to align the columns of the e-mail report.
:local AddCToLen do={
  :local Out $1;
  :local Faltan ($4-[:len $1]);
  :if ($Faltan>0) do={
    :for k from=1 to=$Faltan do={
      :if ($2="Izq.") do={:set Out ($3.$Out)} else={:set Out ($Out.$3)};
    };
  };
  :return $Out;
};
# ----------------------------------------------- [[Link]]
# ---- Main body of "[Link]-Config" ----
# Only when the connectivity probe passes: build an interface table (name, MAC, comment, disabled)
# and an address table, save an encrypted system backup named after the board model and e-mail
# both as the report body plus attachment.
# Security notes (review):
#  * the backup password is a literal in this script ("xxx" is a placeholder); anyone able to print
#    script sources can read it, and that password is the only protection of the backup while it
#    travels by e-mail and sits in the mailbox — use a strong, unique value and restrict the
#    script/read policies on this router.
#  * aes-sha256 backup encryption needs RouterOS 6.43 or later (see the restore notes below).
#  * the report body discloses every interface MAC and address; send only to a trusted mailbox
#    over a TLS-configured /tool e-mail.
#  * the "IPWAN1" field in the body is missing its closing parenthesis (cosmetic).
:if ([$TestConn "[Link]" 10 30 100 64 ”[Link]-Config”]=”OK”) do={
# ----------------------------------------------- [Interface and address tables for the report]
:local MACList “”; :local IPList “”;
:foreach x in=[/interface find] do={:set MACList ($MACList.”(“.[$AddCToLen
[/interface get $x name] "Der." " " 12].” – “.[$AddCToLen [/interface get $x mac-
address] "Der." " " 18].” – “.[$AddCToLen [/interface get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/interface get $x disabled] "Der." " " 5].”)\r\
n“);};
:foreach x in=[/ip address find] do={:set IPList ($IPList.”(“.[$AddCToLen [/ip
address get $x interface] "Der." " " 12].” – “.[$AddCToLen [/ip address get $x
address] "Der." " " 18].” – “.[$AddCToLen [/ip address get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/ip address get $x disabled] "Der." " " 5].”)\r\
n“);};
# ----------------------------------------------- [Encrypted backup + e-mail]
# Subject = the comment of user(x) + this script's own comment minus its 4-char "R+: " prefix.
:local Name ([/system resource get board-name].”[01].backup”);
/system backup save name=$Name dont-encrypt=no encryption=aes-sha256
password=”xxx”; :delay 2s; :local Subjet (([/user get [find name=user(x)]
comment]).([pick ([/system scrip get [find name=”[Link]-Config”] comment]) 4
([len ([/system scrip get [find name=”[Link]-Config”] comment])])])); /tool e-
mail send to="xxx@[Link]" subject=$Subjet body=“System : ($[/system
identity get name]) \r\nFecha : ($[/system clock get date]) \r\nHora
: ($[/system clock get time]) \r\nModelo : ($[/system resource get board-
name]) \r\nIPWAN1 : ($[/ip address get [find comment~”TELCO.2.2.2.x”] value-
name=address] \r\nEtherAux : ($[/ip address get [find comment~”EMERGENCY1”]
value-name=interface]) \r\nIPEtherAux : ($[/ip address get [find
comment~”EMERGENCY1”] value-name=address]) \r\n\r\[Link] :\r\n$MACList \r\
[Link] :\r\n$IPList” file=$Name;}
# Nota: (Restore BackUp)
# 1- Actualizar Firmware (al menos, hasta v6.43).
# 2- Reset Config: /system reset-configuration no-defaults=yes skip-backup=yes
# 3- Copy [Link] into (/file) y buscar su (Password Encript). Esa contraseña es la única protección del backup (en tránsito por e-mail y en el buzón): usar una contraseña fuerte y no guardarla junto al backup.
# 4- Restore Config: /system backup load name=”[Link]”
# 5- Reset MAC Interface: /interface ethernet reset-mac-address [find];
# 6- Change MAC Interface: /interface ethernet set [find orig-mac-address=X[Link] mac-address=[Link];
Actualización DDNS:
-------------------------------------------------------------------- [ INI ]
# Crear un script especifico y con distinto nombre, para cada WAN(x) a actualizar (diferenciando los
# identificadores en DuckDNS) y agregarlos a una única tarea TP ([Link]-Change). En ([Link]) ir a
# install, seleccionar (identity y mikrotik), copiar y pegar en un nuevo Script ([Link]). Finalmente,
# cambiar (interface=MATRIX) por (comment=WAN(x).[ (x) ]).
# [Link]-WAN(x): ---------------------------------------------------------
# Name: [Link]-WAN(x)
# comment="R+: ( [Link]-WAN(x) )"
# --------------------------------------------------
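# ---- DuckDNS updater for WAN(x) ----
# Reads the address configured on the WAN interface (matched by its "TELCO.2.2.2.x" comment), strips
# the prefix length, compares it with the last address published (persisted in a file so it survives
# reboots) and calls the DuckDNS update endpoint only when it changed. The "OK"/"KO" body DuckDNS
# returns is kept in the global lastChange for the ChangeWAN report.
# Review fixes vs. the previous version:
#  * /tool fetch used mode=https with the RouterOS default check-certificate=no, so the DuckDNS
#    token in the request was sent to whatever answered on port 443 for that name — an on-path
#    attacker could harvest it. check-certificate=yes is now set; this requires the CA chain that
#    signs the DuckDNS certificate to be imported under /certificate (NOTE(review): on builds that
#    offer it, check-certificate=yes-without-crl avoids the CRL dependency; if validation is
#    rejected because the name is checked against address= rather than host=, switch to the
#    url="https://<host>/<path>" form — confirm for the installed version).
#  * a failed fetch left the previous result file untouched, so a stale "OK" could be read back;
#    the fetch now runs inside :do/on-error and the result is read only after it succeeded.
#  * the "previous IP" state was updated even when the update failed, which suppressed any retry on
#    the next scheduler run; it is now persisted only after DuckDNS answered "OK".
# NOTE(review): the token is a literal in this script and is visible to any user able to print
# scripts — keep that policy restricted. Several distinct file names were lost in this copy and all
# appear as "[Link]": the state file and the fetch result file must be two different files.
:global actualIP value=[/ip address get [find where comment~"TELCO.2.2.2.x"] value-name=address];
:global actualIP value=[:pick $actualIP -1 [:find $actualIP "/" -1]];
# First run: create the state file that remembers the last published address.
:if ([:len [/file find where name=[Link]]]<1) do={
  /file print file=[Link] where name=[Link];
  :delay 2s;
  /file set [Link] contents="[Link]";
};
:global previousIP value=[/file get [find where name=[Link]] value-name=contents];
:if ($previousIP!=$actualIP) do={
  :log info message=("[Try to Update DuckDNS]: a actual-IP ".$actualIP." - anterior-IP es ".$previousIP);
  :global lastChange "KO";
  :do {
    /tool fetch mode=https check-certificate=yes keep-result=yes dst-path=[Link] address=[:resolve [Link]] port=443 host=[Link] src-path=("<<< Token dado por duckdns >>>=".$actualIP);
    :delay 5s;
    :set lastChange [/file get [find where name=[Link]] value-name=contents];
  } on-error={
    :log error message=("[Fail to update DuckDNS]: fetch failed (certificate, DNS or connectivity) - actual-IP ".$actualIP);
  };
  :if ($lastChange="OK") do={
    :set previousIP $actualIP;
    /file set [Link] contents=$actualIP;
    :log warning message=("[DuckDNS update successfull]: a actual-IP ".$actualIP);
  } else={
    :log error message=("[Fail to update DuckDNS]: a actual-IP ".$actualIP." - respuesta ".$lastChange);
  };
};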
# Nota: Alternativa+, (c/15-60s UDP.15252): (/ip cloud set ddns-enabled=yes;).
Actualización DDNS:
------------------------------------------------------------------- [ FIN ]
# [Link]-Log (Email):
---------------------------------------------------------------
# Name: [Link]-Log
# comment="R+: ( [Link]-Log )"
# -----------------------------------------------
# Función [Link]: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Proceso)
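# Connectivity probe used as a gate before the e-mail is sent.
# Args: $1 = target IP, $2 = packets to send, $3 = max acceptable loss (%), $4 = max acceptable
#       average RTT (ms), $5 = packet size (bytes), $6 = caller name, used in the log line.
# Returns "OK" when loss <= $3 and average RTT <= $4, otherwise "KO"; the measurement is logged
# either way (info on OK, error on KO).
# The target must be allowed through the firewall: it is added for one minute to the "A-[Link]"
# address-list, or re-enabled there when the entry exists but is disabled, and disabled again after
# the probe.
# Review fixes vs. the previous version:
#  * the final "disable" step matched on the address only, across every list, so it could also
#    disable unrelated entries for the same IP (e.g. on a block list); it is now limited to this list.
#  * when flood-ping did not report the full count, sent/received stayed unset and the loss
#    arithmetic raised a script error that aborted the caller; the counters now default to 0 and the
#    loss keeps the failing default ($3+1), so the probe simply returns "KO".
#  * the add branch and the enable/disable branch referred to differently named lists; one name is
#    now used for both (NOTE(review): the names may have been garbled in this copy — confirm which
#    list is intended).
:local TestConn do={
  :local ListName "A-[Link]";
  :local PLoss ($3+1);
  :local AvgRTT ($4+1);
  :local MaxRTT;
  :local PRecibidos 0;
  :local PEnviados 0;
  :local LogMsg;
  :local DisabledIP (false);
  :if ([/ip firewall address-list find (address=$1 and list=$ListName)]="") do={
    /ip firewall address-list add address=$1 list=$ListName comment="T+: (TemporalIP x ICMP)" timeout=1m disabled=no;
  } else={
    :if ([/ip firewall address-list get value-name=disabled [find (address=$1 and list=$ListName)]]) do={
      /ip firewall address-list enable [/ip firewall address-list find (address=$1 and list=$ListName)];
      :set DisabledIP (true);
    };
  };
  :delay 10ms;
  /tool flood-ping $1 count=$2 size=$5 do={
    :if ($sent=$2) do={
      :set AvgRTT ($"avg-rtt");
      :set MaxRTT ($"max-rtt");
      :set PEnviados $sent;
      :set PRecibidos $received;
    };
  };
  :if ($DisabledIP) do={
    /ip firewall address-list disable [/ip firewall address-list find (address=$1 and list=$ListName)];
  };
  # Integer percentage; RouterOS has no fractional arithmetic.
  :if ($PEnviados>0) do={:set PLoss (100-(($PRecibidos*100)/$PEnviados))};
  :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]: latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms ) – paquetes perdidos: ( $([:tostr $PLoss])% )");
  :if ($PLoss<=$3 and $AvgRTT<=$4) do={
    :log info message=($LogMsg);
    :return ("OK");
  } else={
    :log error message=($LogMsg);
    :return ("KO");
  };
};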
# Nota: Asegurarse que IP este en Address-List (do={:beep frequency=550 length=494ms;}).
# -----------------------------------------------
# Función agrega caracteres (Izq/Der) hasta len: (Var, Donde, Char, Long)
# Pad $1 with character $3 until it is $4 characters long: on the left when $2 is "Izq.",
# otherwise on the right. Strings already $4 or longer are returned unchanged.
# Used to align the columns of the e-mail report.
:local AddCToLen do={
  :local Out $1;
  :local Faltan ($4-[:len $1]);
  :if ($Faltan>0) do={
    :for k from=1 to=$Faltan do={
      :if ($2="Izq.") do={:set Out ($3.$Out)} else={:set Out ($Out.$3)};
    };
  };
  :return $Out;
};
# ----------------------------------------------- [[Link]]
# ---- Main body of "[Link]-Log" ----
# Only when the connectivity probe passes: build the interface and address tables, export the
# in-memory log to a file named after the board model and e-mail it with the system summary.
# The log wipe that follows the export is left commented out here; the export itself is kept.
# NOTE(review): the exported log carries client IPs and MACs (firewall DOS-/VPN- lines); send it
# only to a trusted mailbox over a TLS-configured /tool e-mail. The "IPWAN1" field in the body is
# missing its closing parenthesis and the to= address is missing its opening quote (cosmetic, but
# the latter may break the command — verify).
:if ([$TestConn "[Link]" 10 30 100 64 ”[Link]-Log”]=”OK”) do={
# ----------------------------------------------- [Interface and address tables for the report]
:local MACList “”; :local IPList “”;
:foreach x in=[/interface find] do={:set MACList ($MACList.”(“.[$AddCToLen
[/interface get $x name] "Der." " " 12].” – “.[$AddCToLen [/interface get $x mac-
address] "Der." " " 18].” – “.[$AddCToLen [/interface get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/interface get $x disabled] "Der." " " 5].”)\r\
n“);};
:foreach x in=[/ip address find] do={:set IPList ($IPList.”(“.[$AddCToLen [/ip
address get $x interface] "Der." " " 12].” – “.[$AddCToLen [/ip address get $x
address] "Der." " " 18].” – “.[$AddCToLen [/ip address get $x comment] "Der." " "
50].” – Disable=“.[$AddCToLen [/ip address get $x disabled] "Der." " " 5].”)\r\
n“);};
# ----------------------------------------------- [Log export]
:local Name ([/system resource get board-name].”(Log)[01].txt”);
/log print file=$Name; :delay 2s;
# /system logging action set memory memory-lines=1; :delay 2s; # clears the whole in-memory log
# /system logging action set memory memory-lines=1000; # keep the last 1000 lines
# ----------------------------------------------- [E-mail]
# Subject = the comment of user(x) + this script's own comment minus its 4-char "R+: " prefix.
:local Subjet (([/user get [find name=user(x)] comment]).([pick ([/system scrip get
[find name=”[Link]-Log”] comment]) 4 ([len ([/system scrip get [find
name=”[Link]-Log”] comment])])])); /tool e-mail send to=xxx@[Link]"
subject=$Subjet body=“System : ($[/system identity get name]) \r\nFecha
: ($[/system clock get date]) \r\nHora : ($[/system clock get time]) \r\
nModelo : ($[/system resource get board-name]) \r\nIPWAN1 : ($[/ip
address get [find comment~”TELCO.2.2.2.x”] value-name=address] \r\nEtherAux :
($[/ip address get [find comment~”EMERGENCY1”] value-name=interface]) \r\
nIPEtherAux : ($[/ip address get [find comment~”EMERGENCY1”] value-name=address])
\r\n\r\[Link] :\r\n$MACList \r\[Link] :\r\n$IPList” file=$Name;};
# [Link]-ChangeWAN(x):
-----------------------------------------------------------------
# Es aconsejable, al finalizar la tarea, remover las variables globales (previousIP, lastChange y actualIP).
# Name: [Link]-ChangeWAN(x)
# comment=”R+: ( [Link]-ChangeWAN(x) )”
# -----------------------------------------------
# Función [Link]: (IP,PacketSend,PacketLossLimit,AvgLimit,PacketSize,Proceso)
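# Connectivity probe used as a gate before the WAN change and the e-mail.
# Args: $1 = target IP, $2 = packets to send, $3 = max acceptable loss (%), $4 = max acceptable
#       average RTT (ms), $5 = packet size (bytes), $6 = caller name, used in the log line.
# Returns "OK" when loss <= $3 and average RTT <= $4, otherwise "KO"; the measurement is logged
# either way (info on OK, error on KO).
# The target must be allowed through the firewall: it is added for one minute to the "A-[Link]"
# address-list, or re-enabled there when the entry exists but is disabled, and disabled again after
# the probe.
# Review fixes vs. the previous version:
#  * the final "disable" step matched on the address only, across every list, so it could also
#    disable unrelated entries for the same IP (e.g. on a block list); it is now limited to this list.
#  * when flood-ping did not report the full count, sent/received stayed unset and the loss
#    arithmetic raised a script error that aborted the caller; the counters now default to 0 and the
#    loss keeps the failing default ($3+1), so the probe simply returns "KO".
#  * the add branch and the enable/disable branch referred to differently named lists; one name is
#    now used for both (NOTE(review): the names may have been garbled in this copy — confirm which
#    list is intended).
:local TestConn do={
  :local ListName "A-[Link]";
  :local PLoss ($3+1);
  :local AvgRTT ($4+1);
  :local MaxRTT;
  :local PRecibidos 0;
  :local PEnviados 0;
  :local LogMsg;
  :local DisabledIP (false);
  :if ([/ip firewall address-list find (address=$1 and list=$ListName)]="") do={
    /ip firewall address-list add address=$1 list=$ListName comment="T+: (TemporalIP x ICMP)" timeout=1m disabled=no;
  } else={
    :if ([/ip firewall address-list get value-name=disabled [find (address=$1 and list=$ListName)]]) do={
      /ip firewall address-list enable [/ip firewall address-list find (address=$1 and list=$ListName)];
      :set DisabledIP (true);
    };
  };
  :delay 10ms;
  /tool flood-ping $1 count=$2 size=$5 do={
    :if ($sent=$2) do={
      :set AvgRTT ($"avg-rtt");
      :set MaxRTT ($"max-rtt");
      :set PEnviados $sent;
      :set PRecibidos $received;
    };
  };
  :if ($DisabledIP) do={
    /ip firewall address-list disable [/ip firewall address-list find (address=$1 and list=$ListName)];
  };
  # Integer percentage; RouterOS has no fractional arithmetic.
  :if ($PEnviados>0) do={:set PLoss (100-(($PRecibidos*100)/$PEnviados))};
  :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]: latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms ) – paquetes perdidos: ( $([:tostr $PLoss])% )");
  :if ($PLoss<=$3 and $AvgRTT<=$4) do={
    :log info message=($LogMsg);
    :return ("OK");
  } else={
    :log error message=($LogMsg);
    :return ("KO");
  };
};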
# Nota: Asegurarse que IP este en address-list (do={:beep frequency=550 length=494ms;}).
# ----------------------------------------------- [[Link]]
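# ---- Main body of "[Link]-ChangeWAN(x)" ----
# Runs only when the connectivity probe passes: derives the next WAN address (the discovery logic is
# a placeholder in this copy), applies it to the WAN interface, optionally refreshes DDNS and mails
# a report. The globals previousIP/lastChange/actualIP shared with the DDNS script are removed at
# the end so they do not leak into other scripts.
# Review fix vs. the previous version: FIPaNr built its "number" by concatenating the octets' digits,
# so 192.168.1.10 and 192.168.11.0 both became 192168110 and any range comparison built on it was
# unreliable; it now returns the real 32-bit value (a*2^24 + b*2^16 + c*2^8 + d).
:if ([$TestConn "[Link]" 10 30 100 64 "[Link]-ChangeWAN1"]="OK") do={
  # ----------------------------------------------- [Pool definition]
  # Convert a dotted IPv4 string into its 32-bit integer value so addresses compare/step numerically.
  # Arg: $1 = "a.b.c.d" without leading zeros. Returns a num.
  :local FIPaNr do={
    :local IPstr ($1.".");
    :local IPnum 0;
    :for x from=1 to=4 do={
      :local Octet [:tonum [:pick $IPstr 0 [:find $IPstr "." -1]]];
      :set IPnum ($IPnum*256+$Octet);
      :set IPstr ([:pick $IPstr ([:find $IPstr "." 0]+1) [:len $IPstr]]);
    };
    :return $IPnum;
  };
  # -----------------------------------------------
  # Pool limits, without leading zeros (the literal values were lost in this copy and show as [Link]).
  :local IniIP value=[Link];
  :local UltIP value=[Link];
  # -----------------------------------------------
  :local ActualIP value=[/ip address get [find comment~"TELCO.2.2.2.x"] value-name=address];
  :local ActualX value=[:pick $ActualIP -1 [:find $ActualIP "/" -1]];
  # <<< placeholder in the original: the mechanism that discovers the new IP and leaves it in $ActualX >>>
  # NOTE(review): a bare address is applied with a /32 prefix, while the report below assumes /24 —
  # confirm the intended prefix length is appended before the set.
  /ip address set [/ip address find address=$ActualIP] address=$ActualX;
  :delay 2s;
  # Refresh DDNS:
  # /system script run [Link]-WAN(x); :delay 3s;
  # Send the report e-mail (subject = user(x) comment + this script's comment minus its "R+: " prefix):
  :local IntervaloT value=[/system scheduler get [find name="TP ([Link]-Change)"] value-name=interval];
  :global lastChange;
  :global QoSDropList;
  :local Subjet (([/user get [find name=user(x)] comment]).([pick ([/system script get [find name="[Link]-ChangeWAN(x)"] comment]) 4 ([len ([/system script get [find name="[Link]-ChangeWAN(x)"] comment])])]));
  /tool e-mail send to="xxx@[Link]" subject=$Subjet body="System : ($[/system identity get name]) \r\nFecha : ($[/system clock get date]) \r\nHora : ($[/system clock get time]) \r\[Link] : ($ActualX/24) \r\[Link] : ($lastChange) \r\[Link]: ($IntervaloT) \r\[Link] : ($IniIP/24 - $UltIP/24) \r\[Link] : \r\n[$QoSDropList]";
  /system script environment remove [find name="previousIP"];
  /system script environment remove [find name="lastChange"];
  /system script environment remove [find name="actualIP"];
};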
# Nota: si bien provoca un script error, aborta un script: /system script job remove [/system script job find script=[Link]-ChangeWAN(x)];
# [Link]-Cheq:
-----------------------------------------------------------------
# Name: [Link]-Cheq
# comment="C+: ( [Link]-Cheq )"
# -----------------------------------------------
# ---- Promo expiry check ----
# Month names as RouterOS prints them in the legacy "mmm/DD/YYYY" date format.
# NOTE(review): RouterOS 7.10 and later print the date as "YYYY-MM-DD"; the fixed :pick offsets
# below assume the legacy format and would need adjusting on those builds.
:local Mx
("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
:local DateAct ([/system clock get date]);
:local DiaAct ([pick $DateAct 4 6]);
:local MesActP ([pick $DateAct 0 3]);
:local MesAct ([find $Mx $MesActP -1]+1);
:local AnioAct ([pick $DateAct 7 11]);
:local DatePromo;
:local DiaPromo;
:local MesPromo; # keep the leading zero for months < 10: the comparison below is numeric on the whole string
:local AnioPromo;
:local Comment;
:local QSName;
:local CTimePromo; # read below but not used afterwards
:local IPPromo;
:if ($MesAct<10) do={:set MesAct (“0”.$MesAct);};
# Today as a sortable "YYYYMMDD" string, and as "DD/MM/YY" for the queue name.
:set DateAct ($AnioAct.$MesAct.$DiaAct);
:local DateActF ($DiaAct.”/”.$MesAct.”/”.([pick $AnioAct 2 4]));
:log info message=("[[Link]-Cheq (INI)]");
# For every enabled entry on the promo address-list, read the deadline from the entry's comment at
# fixed offsets after the word "expira" (expected as DD/MM/YYYY starting 11 characters after it).
# When the deadline has passed: move the entry to the "C-..." list, rewrite the 8-char date field
# that follows ":: " in the matching simple-queue name with today's date, prefix the name with
# "S: ", disable the queue and alert (log + Telegram via the MessageAlert script).
# NOTE(review): a comment without "expira" makes every offset relative to :find's not-found value
# and the parsed date is garbage; entries are assumed to carry the tag exactly as documented.
:foreach x in=[/ip firewall address-list find (list=”[Link]” and !
disabled)] do={:set IPPromo ([/ip firewall address-list get $x address]); :set
CTimePromo ([/ip firewall address-list get $x creation-time]); :set Comment ([/ip
firewall address-list get $x comment]); :set DiaPromo ([pick $Comment ([find
$Comment “expira”]+11) ([find $Comment “expira”]+13)]); :set MesPromo ([pick
$Comment ([find $Comment “expira”]+14) ([find $Comment “expira”]+16)]); :set
AnioPromo ([pick $Comment ([find $Comment “expira”]+17) ([find $Comment “expira”]
+21)]); :set DatePromo ($AnioPromo.$MesPromo.$DiaPromo); :if ([tonum
$DateAct]>[tonum $DatePromo]) do={/ip firewall address-list set $x list=”C-
[Link]”; :set QSName ([/queue simple get [find target=($IPPromo."/32")]
value-name=name]); :set QSName ([pick $QSName 0 ([find $QSName “::”]+3)].$DateActF.
[pick $QSName ([find $QSName “::”]+11) [len $QSName]]); /queue simple set [find
target=($IPPromo."/32")] name=(“S: ”.$QSName); /queue simple set [find
target=($IPPromo."/32")] disable=yes; :log warning message=("[[Link]-Cheq
(Expire: $QSName) – ($DateAct > $DatePromo)]"); :global TelegramMessage
(“[[Link]-Cheq (Expire: $QSName) – ($DateAct>$DatePromo)]”); /system script
run [Link]-MessageAlert;}};
...
# [Link]% (Empty):
------------------------------------------------------------
# Name: [Link]% (Empty)
# comment="Rx: ( [Link]% (Empty) )"
# -----------------------------------------------
# "Empty" QoS reset: disable every /queue tree node and every mangle rule, strip the
# usage-percentage history that the xBytes/xRate scripts append after the "::" marker
# in their comments (keeps the text up to "::" plus one character), zero the
# queue-tree limits, reset all counters, and finally re-enable ONLY the nodes/rules
# whose comment matches "C\+: " — everything else stays disabled by design.
# NOTE(review): while this runs, no mangle rule marks traffic and no queue shapes it;
# the window is short but the script is not atomic.
# NOTE(review): a comment without "::" gives [find] nothing, and nothing+3 is not a
# valid :pick end — confirm every rule/node comment carries the marker.
# NOTE(review): the typographic quotes (” “) in this listing are extraction
# artifacts; RouterOS only accepts plain ASCII double quotes.
:local Comment;
# ------------------------------------------------------
/queue tree disable [/queue tree find]; # all queue-tree nodes disabled
/ip firewall mangle disable [/ip firewall mangle find]; # all mangle rules disabled
# ------------------------------- [mangle: drop the percentage history from comments]
:foreach x in=[/ip firewall mangle find] do={:set Comment ([pick ([/ip firewall
mangle get $x comment]) 0 ([find ([/ip firewall mangle get $x comment]) “::”]+3)]);
/ip firewall mangle set $x comment=($Comment);};
# ------------------------------- [queue tree: zero limits, drop the percentage history]
:foreach y in=[/queue tree find] do={:set Comment ([pick ([/queue tree get $y
comment]) 0 ([find ([/queue tree get $y comment]) “::”]+3)]); /queue tree set $y
limit-at=0; /queue tree set $y max-limit=0; /queue tree set $y
comment=($Comment);};
# ------------------------------------------------------
/queue tree reset-counters-all; # reset all queue-tree counters
/ip firewall mangle reset-counters-all; # reset all mangle counters
:foreach i in=[/queue tree find (comment~”C\\+: ”)] do={[/queue tree set $i
disable=no];}; # re-enable only the queue-tree nodes commented "C+: "
:foreach i in=[/ip firewall mangle find (comment~”C\\+: ”)] do={[/ip firewall
mangle set $i disable=no];}; # re-enable only the mangle rules commented "C+: "
# [Link]% (xBytes): ---------------------------------------------- [ x
Bytes ]
# Name: [Link]% (xBytes)
# comment="Rx: ( [Link]% (xBytes) )"
# Limite para /queue tree max-limit=(4294M)
# -----------------------------------------------
# Pads a string to a target length: (value, side, padChar, length). side "Izq." pads
# on the left (padChar prepended); any other value pads on the right. A value that is
# already at least `length` long is returned unchanged. One padChar is added per
# missing position, so a multi-character padChar would overshoot the target length.
:local AddCToLen do={:if ([len $1]<$4) do={:for r from=[len $1] to=($4-1) do={:if
($2=”Izq.”) do={:set $1 ($3.$1)} else={:set $1 ($1.$3)}}}; :return ($1)};
# -----------------------------------------------
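# Connectivity test: (IP, PacketsToSend, MaxPacketLoss%, MaxAvgRTT, PacketSize, Caller)
# Returns "OK" when packet loss <= $3 and average RTT <= $4, otherwise "KO"; the
# measurement is logged as info (OK) or error (KO), prefixed with the caller name $6.
# Side effects: the target has to be allowed through the firewall, so the IP is
# temporarily added to the "A-[Link]" address-list (timeout 1m) if absent; if an
# entry for it in list "[Link]" exists but is disabled, it is enabled for the test
# and disabled again afterwards.
# Fixes vs. the previous version:
#  - the re-disable step was `find (address=$1)` with no list filter, which disabled
#    EVERY address-list entry holding that IP (e.g. a block list or an allow list in
#    the firewall), not only the one enabled here; it is now scoped to the same list.
#  - if flood-ping never reported a complete run, PEnviados/PRecibidos stayed unset and
#    the loss computation raised a script error; they now default to "all lost",
#    which yields "KO" like any other failed probe.
#  - quotes normalised to ASCII so the script parses (the listing used typographic
#    quotes).
# NOTE(review): the add branch uses list "A-[Link]" while the enable/disable branch
# uses "[Link]" — confirm these refer to the same list.
# Note: make sure the IP is (or can be) present in the address-list the firewall uses.
:local TestConn do={
    :local PLoss ($3+1);
    :local AvgRTT ($4+1);
    :local MaxRTT 0;
    # defaults: nothing received -> 100% loss -> "KO" (instead of a script error)
    :local PRecibidos 0;
    :local PEnviados $2;
    :local LogMsg;
    :local DisabledIP (false);
    :if ([/ip firewall address-list find (address=$1 and list="A-[Link]")]="") do={
        /ip firewall address-list add address=$1 list="A-[Link]" comment="T+: (TemporalIP x ICMP)" timeout=1m disable=no;
    } else={
        :if ([/ip firewall address-list get value-name=disabled [find (address=$1 and list="[Link]")]]) do={
            /ip firewall address-list enable [/ip firewall address-list find (address=$1 and list="[Link]")];
            :set DisabledIP (true);
        }
    };
    :delay 10ms;
    /tool flood-ping $1 count=$2 size=$5 do={
        :if ($sent=$2) do={
            :set AvgRTT ($"avg-rtt");
            :set MaxRTT ($"max-rtt");
            :set PEnviados $sent;
            :set PRecibidos $received;
        }
    };
    # restore only the entry this function enabled, in the same list
    :if ($DisabledIP) do={
        /ip firewall address-list disable [/ip firewall address-list find (address=$1 and list="[Link]")];
    };
    :set PLoss (100-(($PRecibidos*100)/$PEnviados));
    :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]: latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms ) – paquetes perdidos: ( $([:tostr $PLoss])% )");
    :if ($PLoss<=$3 and $AvgRTT<=$4) do={
        :log info message=($LogMsg);
        :return ("OK");
    } else={
        :log error message=($LogMsg);
        :return ("KO");
    }
};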
# ------------------------------------------------------
# ------------------------------------------------------ [tunables]
:local MinLimitAt 512; # (unused) minimum limit-at for nodes left at max-limit=0
:local MinRate 256; # (unused) minimum rate for nodes left at max-limit=0
:local PLimitAt 75; # limit-at as a percentage (75%) of max-limit
:local PWAN 25; # upload (WAN1) budget as a percentage (25%) of the summed LAN budgets
:local ABMTLAN1 140; # download bandwidth budget (Mbps) for LAN1
:local ABMTLAN2 80; # download bandwidth budget (Mbps) for LAN2
:local ABMTLAN3 0; # download bandwidth budget (Mbps) for LAN3
# upload budget for WAN1 = PWAN% of (LAN1 + LAN2 + LAN3), in Mbps
:local ABMTWAN1 ((($ABMTLAN1+$ABMTLAN2+$ABMTLAN3)*$PWAN)/100); # upload budget (Mbps) for WAN1
# ------------------------------------------------------ [working variables]
# AuxSMPacket / AuxSQTEtherA / AuxSQTEtherD: the not-yet-consumed tail of the
# "*"-separated statistics strings while they are parsed below.
:local AuxSMPacket;
:local AuxSQTEtherA;
:local AuxSQTEtherD;
# PCalc: integer percentage (0..100) computed for a mark or a node
:local PCalc;
:local Comment;
# BytesAEtherX / RateAEtherX: actual bytes and rate of the current interface root node
# BytesDEtherX / RateDEtherX: designed (budgeted) bytes and rate of that root node
:local BytesAEtherX;
:local BytesDEtherX;
:local RateAEtherX;
:local RateDEtherX;
:local MPacket “”;
# packet mark currently being processed
:local MPBytes 0; # byte counter of the current mark
:local LimitAt 0;
:local MaxLimit 0;
# ------------------------------------------------------
# Everything is disabled while the statistics are read and the limits rewritten; only
# the "C+: " rules/nodes are re-enabled at the end of the script.
/queue tree disable [/queue tree find]; # all queue-tree nodes disabled
/ip firewall mangle disable [/ip firewall mangle find]; # all mangle rules disabled
# ------------------------------- [per-mark statistics: (SMPacket, TMPBytes)]
# SMPacket collects "<packet-mark>=<bytes>*" for every mark-packet mangle rule that
# has a queue-tree node; TMPBytes is the byte total over ALL mark-packet rules (a mark
# without a queue-tree node is logged as an error and left out of SMPacket, but its
# bytes still count in the total).
:global SMPacket “”; # string of "<mark>=<bytes>*" entries
:local TMPBytes 0; # sum of the byte counters of all mark-packet rules
:foreach x in=[/ip firewall mangle find (action=mark-packet)] do={:set MPBytes
([/ip firewall mangle get $x bytes]); :set TMPBytes ($TMPBytes+$MPBytes); :set
MPacket ([/ip firewall mangle get $x new-packet-mark]); :if ([/queue tree find
(packet-mark=$MPacket)]!=””) do={:set SMPacket ($SMPacket.$MPacket.”=”.
$MPBytes.”*”);} else={:log error message=(”[[Link] (MangleRule inexistente en
QT): $MPacket]”);}};
# ------------------------------- [mangle comments: append this run's percentage]
# For each mark in SMPacket: PCalc = bytes*100/TMPBytes (integer), appended to the
# rule's comment as a zero-padded 2-digit value plus "%". Once the history after the
# "::" marker reaches 145 characters the comment is cut back to "::" + one character
# and the history restarts.
# NOTE(review): if TMPBytes is 0 (no traffic since the last counter reset) the
# division raises a script error — guard before dividing.
:set AuxSMPacket ($SMPacket); :while ([len $AuxSMPacket]>0) do={:set MPacket ([pick
$AuxSMPacket 0 ([find $AuxSMPacket ”=”])]); :set MPBytes ([pick $AuxSMPacket ([find
$AuxSMPacket ”=”]+1) ([find $AuxSMPacket ”*”])]); :set Comment ([/ip firewall
mangle get value-name=comment [find new-packet-mark=$MPacket]]); :set PCalc
(([:tonum $MPBytes]*100)/[:tonum $TMPBytes]); :if (([len $Comment]-[find $Comment
“::”])<145) do={/ip firewall mangle set [find new-packet-mark=$MPacket]
comment=($Comment.([$AddCToLen ([:tostr $PCalc]) "Izq." "0" 2])."%");} else={/ip
firewall mangle set [find new-packet-mark=$MPacket] comment=(([:pick $Comment 0
([:find $Comment “::”]+3)]).([$AddCToLen ([:tostr $PCalc]) "Izq." "0"
2])."%");}; :set AuxSMPacket ([pick $AuxSMPacket ([find $AuxSMPacket ”*”]+1) [len
$AuxSMPacket]]);};
# Note: 145 characters = 48 samples of 3 characters ("NN%"), i.e. 48 h of history
# with the script scheduled hourly.
# ------------------------------------------------------ [per-mark queue-tree stats]
# SQTPacket: for each mark of SMPacket, "<mark> (<node-name>=<bytes>+<rate> ...)*"
# listing every queue-tree node that uses that packet mark.
:global SQTPacket “”; # Str, "<mark> (<name>=<bytes>+<rate> <name>=<bytes>+<rate> …)*"
# Note: the SQTEtherX strings hold per-interface totals (actual and designed).
:set AuxSMPacket ($SMPacket); :while ([len $AuxSMPacket]>0) do={:set MPacket ([pick
$AuxSMPacket 0 ([find $AuxSMPacket ”=”])]); :set SQTPacket ($SQTPacket.$MPacket.”
(“); :foreach y in=[/queue tree find (packet-mark=$MPacket)] do={:set SQTPacket
($SQTPacket.([/queue tree get $y name]).”=“.([/queue tree get $y
bytes]).”+“.([/queue tree get $y rate]).” “);}; :set SQTPacket
($SQTPacket.”)*“); :set AuxSMPacket ([pick $AuxSMPacket ([find $AuxSMPacket ”*”]+1)
[len $AuxSMPacket]]);};
# ------------------------------------------------------ [per-interface totals]
# Interface root nodes are the queue-tree nodes whose 6-digit name ends in "0000"
# (01=WAN1, 02=LAN1, 03=LAN2, 04=LAN3, following the order of SQTEtherD below).
# SQTEtherA = actual "<id>=<bytes>+<rate>*" read from the tree; SQTEtherD = the
# designed budget "<id>=<Mbps*1000000>+0*" derived from the ABMT* tunables.
:global SQTEtherA “”; # Str, actual totals per root node: "<id>=<bytes>+<rate>*"
:global SQTEtherD (“010000=$($ABMTWAN1*1000000)+0*020000=$
($ABMTLAN1*1000000)+0*030000=$($ABMTLAN2*1000000)+0*040000=$
($ABMTLAN3*1000000)+0*”); # designed totals per root node (same layout as SQTEtherA)
:foreach y in=[/queue tree find (name~”0000”)] do={:set SQTEtherA ($SQTEtherA.
([pick ([/queue tree get $y name]) 0 6]).”=“.([/queue tree get $y
bytes]).”+“.([/queue tree get $y rate]).”*”);};
# ------------------------------------------------------ [[Link]-Stat]
# ------------------------------------------------------ [persist + mail the stats]
# The SMPacket/SQTPacket sample is appended to the file "[Link]" (created empty via
# `/file print file=` if missing). When appending would push the file past 4000
# bytes, the file is first e-mailed as an attachment (only after TestConn confirms
# connectivity to the probe host) and truncated. A single sample larger than ~4000
# bytes is not stored at all — an error is logged instead.
# Subject = comment of user(x) + the script's own comment from character 4 on;
# body = router identity, date, time and board model.
# NOTE(review): `/system scrip get` reads as a truncated `/system script get`
# (RouterOS accepts unambiguous command prefixes) — confirm it parses on the target.
# NOTE(review): the attachment carries queue names and per-mark byte counts; make
# sure /tool e-mail is configured with TLS and the recipient is the intended one.
:if (([len $SQTPacket]+[len $SMPacket]+29)<=4000) do={:if ([len [/file find
name=”[Link]”]]=0) do={/file print file=”[Link]”; :delay 2s; /file set
[find name=”[Link]”] contents="";}; :if (([/file get [/file find
name=”[Link]”] value-name=size]+[len $SQTPacket]+[len $SMPacket]+29)>4000) do={
# ----------------------------------------------- [connectivity check before mailing]
:if ([$TestConn "[Link]" 10 30 100 64 ”[Link]-Stat”]=”OK”) do={
# ----------------------------------------------- [send the accumulated file]
:local Subjet (([/user get [find name=user(x)] comment]).([pick ([/system scrip get
[find name=”[Link]% (xBytes)”] comment]) 4 ([len ([/system scrip get [find
name=”[Link]% (xBytes)”] comment])])])); /tool e-mail send to="xxx@[Link]"
subject=$Subjet body=“System : ($[/system identity get name]) \r\nFecha
: ($[/system clock get date]) \r\nHora : ($[/system clock get time]) \r\
nModelo : ($[/system resource get board-name])” file=[Link]; :delay 5s;};
/file set [find name=”[Link]”] contents="";}; /file set ”[Link]”
contents=([/file get ”[Link]” contents].”SMPacket:\r\n$SMPacket\r\n\r\
nSQTPacket:\r\n$SQTPacket\r\n\r\n”);} else={:log error message=(”[[Link]
(Registro>4k, imposible enviar en un solo email)]”);};
# ------------------------------------------------------
# ------------------------------------------------------ [rewrite the limits]
# Walks the whole queue tree in [find] order. Interface root nodes (name contains
# "0000") consume the next "<id>=<bytes>+<rate>*" tuple from SQTEtherA (actual) and
# SQTEtherD (designed): the root gets max-limit = designed bytes and
# limit-at = PLimitAt% of it. Every other node gets PCalc = its bytes as a percentage
# of the current root's actual bytes, max-limit = PCalc% of the root's designed
# bytes, limit-at = PLimitAt% of that, and the percentage is appended to its comment
# (same "::" history scheme as the mangle rules, 144-character cap here).
# NOTE(review): this relies on [/queue tree find] listing each interface root before
# its children; otherwise BytesAEtherX/BytesDEtherX belong to the previous root (or
# are unset for the first children). Confirm the tree order after any manual edit.
# NOTE(review): a root with 0 actual bytes makes the PCalc division fail (script
# error) for its children — guard before dividing.
# NOTE(review): the comment-history cap is 144 here but 145 for mangle rules above;
# presumably unintentional.
:set AuxSQTEtherA ($SQTEtherA); :set AuxSQTEtherD ($SQTEtherD); :foreach y
in=[/queue tree find] do={:if (!([/queue tree get $y name]~”0000”)) do={:set
Comment ([/queue tree get $y comment]); :set PCalc (([/queue tree get $y
bytes]*100)/[:tonum $BytesAEtherX]); :set MaxLimit ([tonum
(($PCalc*$BytesDEtherX)/100)]); :set LimitAt ([tonum (($MaxLimit*$PLimitAt)/100)]);
/queue tree set $y limit-at=0; /queue tree set $y max-limit=0; /queue tree set $y
max-limit=($MaxLimit); /queue tree set $y limit-at=($LimitAt);
# ------------------------------- [append this run's percentage to the node comment]
:if (([len $Comment]-[find $Comment “::”])<144) do={/queue tree set $y
comment=($Comment.([$AddCToLen ([:tostr $PCalc]) "Izq." "0" 2])."%");} else={/queue
tree set $y comment=(([:pick $Comment 0 ([:find $Comment “::”]+3)]).([$AddCToLen
([:tostr $PCalc]) "Izq." "0" 2])."%");};
# -------------------------------
} else={:set BytesAEtherX ([tonum [pick $AuxSQTEtherA ([find $AuxSQTEtherA “=”]+1)
([find $AuxSQTEtherA “+”])]]); :set RateAEtherX ([tonum [pick $AuxSQTEtherA ([find
$AuxSQTEtherA “+”]+1) ([find $AuxSQTEtherA “*”])]]); :set AuxSQTEtherA ([pick
$AuxSQTEtherA ([find $AuxSQTEtherA “*”]+1) [len $AuxSQTEtherA]]); :set BytesDEtherX
([tonum [pick $AuxSQTEtherD ([find $AuxSQTEtherD “=”]+1) ([find $AuxSQTEtherD
“+”])]]); :set RateDEtherX ([tonum [pick $AuxSQTEtherD ([find $AuxSQTEtherD “+”]+1)
([find $AuxSQTEtherD “*”])]]); :set AuxSQTEtherD ([pick $AuxSQTEtherD ([find
$AuxSQTEtherD “*”]+1) [len $AuxSQTEtherD]]); /queue tree set $y limit-at=0; /queue
tree set $y max-limit=0; /queue tree set $y max-limit=($BytesDEtherX); /queue tree
set $y limit-at=(($BytesDEtherX*$PLimitAt)/100);};};
# Note: nodes that end up with max-limit=0 are deliberately left alone; they are
# bounded by their parent once they start carrying traffic.
# ------------------------------------------------------
# ------------------------------------------------------ [cleanup and re-enable]
# The globals built above are removed so that the next run starts from scratch.
# NOTE(review): PWAN and PLimitAt are declared :local in this script, so the first
# two removes only matter if stale globals of the same name exist.
/system script environment remove [find name="PWAN"];
/system script environment remove [find name="PLimitAt"];
/system script environment remove [find name="SMPacket"];
/system script environment remove [find name="SQTPacket"];
/system script environment remove [find name="SQTEtherA"];
/system script environment remove [find name="SQTEtherD"];
/queue tree reset-counters-all; # reset all queue-tree counters
/ip firewall mangle reset-counters-all; # reset all mangle counters
:foreach i in=[/queue tree find (comment~”C\\+: ”)] do={[/queue tree set $i
disable=no];}; # re-enable only the queue-tree nodes commented "C+: "
:foreach i in=[/ip firewall mangle find (comment~”C\\+: ”)] do={[/ip firewall
mangle set $i disable=no];}; # re-enable only the mangle rules commented "C+: "
# ------------------------ (alternative: re-enable everything instead of only "C+: ")
# /queue tree enable [/queue tree find]; # all queue-tree nodes enabled
# /ip firewall mangle enable [/ip firewall mangle find]; # all mangle rules enabled
# Note: consider using the average transfer rate instead of raw bytes when computing
# the per-mark percentage.
# [Link]% (xDropBytes): ----------------------------------- [ x DropBytes ]
# Name: [Link]% (xDropBytes)
# comment="Cx: ( [Link]% (xDropBytes) )"
# Limite para /queue tree max-limit=(4294M)
# ---------------------------------------------------
# Adaptive bump of queue-tree limits driven by drops. For every node whose dropped
# counter exceeds 1000, max-limit and limit-at are raised by PIncMaxLimit% of the
# node's max-limit (at least 1000), the same increment is added to the node's parent
# (name "NNNN00") when the node is not itself a parent, and to the interface root
# ("NN0000"); then the node's counters are reset. A running tally
# "(name=<dropped/1000>k+<increment/1000>k)" per node is kept in the global
# QoSDropList, which the daily e-mail script reports and clears. Nodes that would
# exceed the 4294M cap are skipped with an error log.
# The script only acts when exactly one job of it is running (CountProcc=1), so two
# overlapping scheduled runs do not double-bump the same nodes.
# NOTE(review): [find name~$NodoID] is a regex/substring match, not equality — any
# node whose name merely contains the id would be matched as the parent/root.
# NOTE(review): the counter reset uses the rule number parsed from the first three
# characters of the node comment (minus 1); reordering the queue tree without
# updating the comments resets the wrong node.
# NOTE(review): the typographic quotes (” “) in this listing are extraction
# artifacts; RouterOS only accepts plain ASCII double quotes.
:global QoSDropList; # keep global and do not remove here: the daily e-mail reads it
:local QoSDropName;
:local Increment 0;
:local TIncrement 0;
:local PIncMaxLimit 10; # increment as a percentage of max-limit
:local MaxLimit;
:local LimitAt;
:local Comment;
:local NroRegla;
:local DLAux;
:local DLRest;
:local TDrop;
:local NodoID;
:local CountProcc 0;
:foreach x in [/system script job find (script="[Link]% (xDropBytes)")] do
{:set CountProcc ($CountProcc+1);}; # number of running jobs of this script
:if ($CountProcc=1) do={:foreach x in=[/queue tree find (dropped>1000)] do={:set
QoSDropName ([/queue tree get $x name]); :set MaxLimit ([/queue tree get [find
name=$QoSDropName] value-name=max-limit]); :set LimitAt ([/queue tree get [find
name=$QoSDropName] value-name=limit-at]); :set Comment ([/queue tree get [find
name=$QoSDropName] value-name=comment]); :set Increment
(($MaxLimit*$PIncMaxLimit)/100); :if ($Increment<1000) do={:set Increment (1000);};
:if ($MaxLimit+$Increment<4294000000) do={:if ($QoSDropList~$QoSDropName) do={:set
DLAux ($QoSDropList); :set QoSDropList ([pick $QoSDropList 0 ([find $QoSDropList
$QoSDropName]-1)]); :set DLAux ([pick $DLAux ([find $DLAux $QoSDropName]-1) [len
$DLAux]]); :set DLRest ([pick $DLAux ([find $DLAux ”)”]+1) [len $DLAux]]); :set
TDrop ([tonum ([pick $DLAux ([find $DLAux “=”]+1) ([find $DLAux “+”]-1)])]); :set
TDrop ([tostr ($TDrop+(([/queue tree get $x dropped])/1000))].”k”); :set TIncrement
([tonum ([pick $DLAux ([find $DLAux “+”]+1) ([find $DLAux “)”]-1)])]); :set
TIncrement ([tostr ($TIncrement+(($Increment)/1000))].”k”); :set QoSDropList
($QoSDropList.”(“.$QoSDropName.”=”.$TDrop.”+”.$TIncrement.”)”.$DLRest);} else={:set
TDrop ([tostr (([/queue tree get $x dropped])/1000)].”k”); :set TIncrement ([tostr
(($Increment)/1000)].”k”); :set QoSDropList ($QoSDropList.”(“.($QoSDropName).”=”.
$TDrop.”+”.$TIncrement.”)”);}; /queue tree set [find name=$QoSDropName] max-
limit=($MaxLimit+$Increment); /queue tree set [find name=$QoSDropName] limit-
at=($LimitAt+$Increment); :if ([pick $QoSDropName 4 6]!=”00”) do={:set NodoID
([pick $QoSDropName 0 4].”00”); :set MaxLimit ([/queue tree get [find name~$NodoID]
value-name=max-limit]); :set LimitAt ([/queue tree get [find name~$NodoID] value-
name=limit-at]); /queue tree set [find name~$NodoID] max-limit=($MaxLimit+
$Increment); /queue tree set [find name~$NodoID] limit-at=($LimitAt+
$Increment);}; :set NodoID ([pick $QoSDropName 0 2].”0000”); :set MaxLimit ([/queue
tree get [find name~$NodoID] value-name=max-limit]); :set LimitAt ([/queue tree get
[find name~$NodoID] value-name=limit-at]); /queue tree set [find name~$NodoID] max-
limit=($MaxLimit+$Increment); /queue tree set [find name~$NodoID] limit-
at=($LimitAt+$Increment); :set NroRegla ([tonum [pick $Comment 0 3]]-1); /queue
tree reset-counters numbers=($NroRegla);} else={:log error message=("[[Link]%
(xDropBytes), [Link]: (".($QoSDropName).") – [Link]: (".([/queue tree get $x
dropped]).")]");}}};
# /system script environment remove [find name="QoSDropList"];
# Note: /queue tree reset-counters-all (resets all counters) is left to the next task.
# [Link]% (xRate): ------------------------------------------------ [ x
Rate ]
# Name: [Link]% (xRate)
# comment="Rx: ( [Link]% (xRate) )"
# Limite para /queue tree max-limit=(4294M)
# ------------------------------------------------------
# Rate-driven limits: with everything disabled, every queue-tree node whose rate is
# > 0 gets limit-at = its current rate and max-limit = rate + PMaxLimit%; nodes whose
# new max-limit would reach the 4294M cap are skipped with an error log. Only the
# "C+: " nodes/rules are re-enabled afterwards.
# NOTE(review): the rate is read AFTER all queue-tree nodes have been disabled;
# confirm that a disabled node still reports its last rate on the target version,
# otherwise every node is skipped.
# NOTE(review): the typographic quotes (” “) in this listing are extraction
# artifacts; RouterOS only accepts plain ASCII double quotes.
:local PMaxLimit 25; # max-limit headroom as a percentage of the measured rate
:local QoSName;
:local RateX 0;
:local LimitAt 0;
:local MaxLimit 0;
# ------------------------------------------------------
/queue tree disable [/queue tree find]; # all queue-tree nodes disabled
/ip firewall mangle disable [/ip firewall mangle find]; # all mangle rules disabled
# ------------------------------------------------------
:foreach x in=[/queue tree find] do={:set QoSName ([/queue tree get $x name]); :set
RateX ([/queue tree get $x rate]); :if ($RateX>0) do={:set LimitAt ($RateX); :set
RateX ($RateX+(($RateX*$PMaxLimit)/100)); :if ($RateX<4294000000) do={/queue tree
set $x limit-at=0; /queue tree set $x max-limit=0; /queue tree set $x max-
limit=($RateX); /queue tree set $x limit-at=($LimitAt);} else={:log error
message=("[[Link]% (xRate), [Link]: (".($QoSName).") – [Link]: (".([/queue
tree get $x rate]).")]");}}};
# ------------------------------------------------------
:foreach i in=[/queue tree find (comment~”C\\+: ”)] do={[/queue tree set $i
disable=no];}; # re-enable only the queue-tree nodes commented "C+: "
:foreach i in=[/ip firewall mangle find (comment~”C\\+: ”)] do={[/ip firewall
mangle set $i disable=no];}; # re-enable only the mangle rules commented "C+: "
# ------------------------ (alternative: re-enable everything instead of only "C+: ")
# /queue tree enable [/queue tree find]; # all queue-tree nodes enabled
# /ip firewall mangle enable [/ip firewall mangle find]; # all mangle rules enabled
#
-----------------------------------------------------------------------------------
[INI]
# -------------------------------- [TOOLS/Netwatch]
---------------------------------
#
-----------------------------------------------------------------------------------
--------
# [Link] ([Link]): ------------------------------------------
[NetWatch]
# Name: [Link]-ISPLink
# comment="R: ( [Link]-ISPLink )"
# --------------------------------------------------- [ x [Link] ]
# Netwatch probe of the access point: on DOWN logs an error, on UP a warning, and in
# both cases sets the global TelegramMessage and runs the MessageAlert script. The
# entry is created disabled (disable=yes) and has to be enabled by hand.
# NOTE(review): both scripts start with `global TelegramMessage ...` without the
# leading colon; `:global` is the documented form — confirm the bare form is
# accepted by the target RouterOS version before relying on the alert.
/tool netwatch add down-script="global TelegramMessage \"[[Link]-AP
(DW)]\"; :log error message=(\"[[Link]-AP (DW)]\");\r\n/system script run
[Link]-MessageAlert" host=[Link] interval=1m up-script="global
TelegramMessage \"[[Link]-AP (UP)]\"; :log warning message=(\"[[Link]-AP
(UP)]\");\r\n/system script run [Link]-MessageAlert" comment=("R:
( [Link] [ ST-AP ] )") disable=yes;
#
-----------------------------------------------------------------------------------
[FIN]
# -------------------------------- [TOOLS/Netwatch]
---------------------------------
#
-----------------------------------------------------------------------------------
--------
# [Link] (RBLink):
-----------------------------------------------------------
# ------------------------------------------------------------- [Independiente del
script]
# One-time initialisation, to be run from the console (not inside the script):
# the RBLink script compares the current link state with these globals to alert
# only on a state change, and rewrites them at the end of each run. The script
# itself still has to declare `:global AntFlagDDNS0x;` to read them.
:global AntFlagDDNS01 (“OK”); # do not copy inside the script
:global AntFlagDDNS02 (“OK”); # do not copy inside the script
:global AntFlagDDNS03 (“OK”); # do not copy inside the script
# ------------------------------------------------------------- [Independiente del
script]
# Name: [Link]-RBLink
# comment="R: ( [Link]-RBLink )"
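# Connectivity test: (IP, PacketsToSend, MaxPacketLoss%, MaxAvgRTT, PacketSize, Caller)
# Returns "OK" when packet loss <= $3 and average RTT <= $4, otherwise "KO"; the
# measurement is logged as info (OK) or error (KO), prefixed with the caller name $6.
# Side effects: the target has to be allowed through the firewall, so the IP is
# temporarily added to the "A-[Link]" address-list (timeout 1m) if absent; if an
# entry for it in list "[Link]" exists but is disabled, it is enabled for the test
# and disabled again afterwards.
# Fixes vs. the previous version:
#  - the re-disable step was `find (address=$1)` with no list filter, which disabled
#    EVERY address-list entry holding that IP (e.g. a block list or an allow list in
#    the firewall), not only the one enabled here; it is now scoped to the same list.
#  - if flood-ping never reported a complete run, PEnviados/PRecibidos stayed unset and
#    the loss computation raised a script error; they now default to "all lost",
#    which yields "KO" like any other failed probe.
#  - quotes normalised to ASCII so the script parses (the listing used typographic
#    quotes).
# NOTE(review): the add branch uses list "A-[Link]" while the enable/disable branch
# uses "[Link]" — confirm these refer to the same list.
# Note: make sure the IP is (or can be) present in the address-list the firewall uses
# (an audible alternative for the KO branch: do={:beep frequency=550 length=494ms;}).
:local TestConn do={
    :local PLoss ($3+1);
    :local AvgRTT ($4+1);
    :local MaxRTT 0;
    # defaults: nothing received -> 100% loss -> "KO" (instead of a script error)
    :local PRecibidos 0;
    :local PEnviados $2;
    :local LogMsg;
    :local DisabledIP (false);
    :if ([/ip firewall address-list find (address=$1 and list="A-[Link]")]="") do={
        /ip firewall address-list add address=$1 list="A-[Link]" comment="T+: (TemporalIP x ICMP)" timeout=1m disable=no;
    } else={
        :if ([/ip firewall address-list get value-name=disabled [find (address=$1 and list="[Link]")]]) do={
            /ip firewall address-list enable [/ip firewall address-list find (address=$1 and list="[Link]")];
            :set DisabledIP (true);
        }
    };
    :delay 10ms;
    /tool flood-ping $1 count=$2 size=$5 do={
        :if ($sent=$2) do={
            :set AvgRTT ($"avg-rtt");
            :set MaxRTT ($"max-rtt");
            :set PEnviados $sent;
            :set PRecibidos $received;
        }
    };
    # restore only the entry this function enabled, in the same list
    :if ($DisabledIP) do={
        /ip firewall address-list disable [/ip firewall address-list find (address=$1 and list="[Link]")];
    };
    :set PLoss (100-(($PRecibidos*100)/$PEnviados));
    :set LogMsg ("[ $6 – ping ( $1 – $5 b ) ]: latencia media ( $([:tostr $AvgRTT])ms ) – latencia maxima: ( $([:tostr $MaxRTT])ms ) – paquetes perdidos: ( $([:tostr $PLoss])% )");
    :if ($PLoss<=$3 and $AvgRTT<=$4) do={
        :log info message=($LogMsg);
        :return ("OK");
    } else={
        :log error message=($LogMsg);
        :return ("KO");
    }
};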
# ---------------------------------------------------
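# Link check of three remote routers (resolved by DNS name) through TestConn. An
# alert (log + Telegram via the MessageAlert script) is emitted only on a state
# CHANGE, tracked in the globals AntFlagDDNS01..03 that persist between runs and are
# initialised once from the console (see above).
# Fixes vs. the previous version:
#  - FlagDDNSxx held the boolean result of `[...]="OK"` but was then compared with
#    the string "KO" (never equal) and with AntFlagDDNSxx, initialised to the string
#    "OK": the DOWN branch could never fire and the first comparison always looked
#    like a change. The flags now carry the "OK"/"KO" string TestConn returns.
#  - the globals were read before being declared in this script; they are declared
#    up front now.
#  - UP transitions are logged as warning (as the netwatch entry does) instead of
#    error.
#  - quotes normalised to ASCII so the script parses.
# NOTE(review): [:resolve] raises a script error and aborts the whole script when a
# name does not resolve; wrap it in `:do {...} on-error={...}` if the remote routers
# may lose DNS. "XXX" (packet size) is a placeholder in this listing.
:global AntFlagDDNS01; :global AntFlagDDNS02; :global AntFlagDDNS03;
:local FlagDDNS01 ([$TestConn ([:resolve "[Link]"]) 10 30 100 XXX "[Link]"]);
:local FlagDDNS02 ([$TestConn ([:resolve "[Link]"]) 10 30 100 XXX "[Link]"]);
:local FlagDDNS03 ([$TestConn ([:resolve "[Link]"]) 10 30 100 XXX "[Link]"]);
:if ($FlagDDNS01!=$AntFlagDDNS01) do={
    :if ($FlagDDNS01="KO") do={
        :global TelegramMessage ("[ [Link] (DW) ]"); :log error message=("[xxx-[Link] (DW)]"); /system script run [Link]-MessageAlert;
    } else={
        :global TelegramMessage ("[[Link] (UP)]"); :log warning message=("[[Link] (UP)]"); /system script run [Link]-MessageAlert;
    }
};
:if ($FlagDDNS02!=$AntFlagDDNS02) do={
    :if ($FlagDDNS02="KO") do={
        :global TelegramMessage ("[[Link] (DW)]"); :log error message=("[xxx-[Link] (DW)]"); /system script run [Link]-MessageAlert;
    } else={
        :global TelegramMessage ("[[Link] (UP)]"); :log warning message=("[[Link] (UP)]"); /system script run [Link]-MessageAlert;
    }
};
:if ($FlagDDNS03!=$AntFlagDDNS03) do={
    :if ($FlagDDNS03="KO") do={
        :global TelegramMessage ("[[Link] (DW)]"); :log error message=("[xxx-[Link] (DW)]"); /system script run [Link]-MessageAlert;
    } else={
        :global TelegramMessage ("[[Link] (UP)]"); :log warning message=("[[Link] (UP)]"); /system script run [Link]-MessageAlert;
    }
};
# remember the current state for the next run
:set AntFlagDDNS01 $FlagDDNS01; :set AntFlagDDNS02 $FlagDDNS02; :set AntFlagDDNS03 $FlagDDNS03;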
# [Link]-MessageAlert:
-----------------------------------------------------------
# Name: [Link]-MessageAlert
# comment="R: ( [Link]-MensageAlert )"
# --------------------------------------------------- [Telegram proccess]
# Find: @botfather (/newbot, ej: xxx_telegram_bot, vci_telegram_bot)
# [Link]: (ej: <<< Paste1 >>>)
# Create Grup: (ej: [Link], add vci_telegram_bot, find and add @getidbot)
# [Link]: (ej: <<< Paste2 >>>)
# ------------------------------------------------------------ [paste into the console]
# Creates the MessageAlert script: it reads the global TelegramMessage, sends it with
# /tool fetch to the Telegram bot API (BotID/ChatID pasted below), then removes the
# global so a stale message is not re-sent by the next caller.
# NOTE(review, least privilege): the script is created with
# policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon and
# dont-require-permissions=yes, i.e. whatever triggers it (netwatch, scheduler, any
# other script) runs it with rights to reboot, change user policies/passwords and
# sniff traffic. It only issues a fetch, a log line and an environment remove;
# a far smaller set — `policy=read,write,test` (add ftp only if fetch needs it on
# your version) — should be enough; trim it and run the script once to confirm.
# NOTE(review): the bot token (BotID) lives in the script source, so anyone who can
# print script sources or read a backup/export can reuse it. Use a dedicated bot
# limited to this group and rotate the token if the export is ever shared.
# NOTE(review): $TelegramMessage is spliced into the URL without URL-encoding (see
# the note below); a queue name or comment containing '&', '#' or '?' alters the
# request. Escape or strip such characters before setting the global.
/system script add dont-require-permissions=yes name=[Link]-MessageAlert
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#
Name: [Link]-MessageAlert\r\n# comment=\"R: ( [Link]-MensageAlert )\";\r\
n# --------------------------------------------------- [Telegram proccess]\r\n#
Find: @botfather (/newbot, xxx_telegram_bot, vci_telegram_bot)\r\n# [Link]:
(ej: <<< Paste1 >>>)\r\n# Create Grup: (ej: [Link], add vci_telegram_bot, find
and add @getidbot)\r\n# [Link]: (ej: <<< Paste2 >>>)\r\n#
------------------------------------------------------------------------------\r\
n:global TelegramMessage;\r\n:local BotID (\"<<< Paste1 >>>\");\r\n:local ChatID
(\"<<< Paste2 >>>\”);\r\n:if (\$TelegramMessage!=\"\") do={\r\n /tool fetch
url=\"[Link]
$TelegramMessage\" keep-result=no\r\n}; /system script environment remove [find
name=\"TelegramMessage\"];" comment=("R: ( [Link] )");
# Note: the fetch URL accepts neither accented letters nor some special characters in
# the message; some of them can be sent percent-encoded in the URL (e.g. \$\?).
# [Link]-SharedOFF (x PKnocking): ----------------------------------------------
# Name: [Link]-SharedOFF
# comment="R: [Link]-SharedOFF" # verificar que user(x), sea (0)
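# SharedOFF: leaves "shared access" mode. Disables users 1 and 2 (only if user 0 is
# the expected admin and enabled), disables the firewall rules whose comment contains
# "<:" or "*:", restores the winbox/api ports saved by SharedON in the globals
# WinboxP/ApiP (fallback 3335/3336 when they are not set), then clears the globals.
# Fixes vs. the previous version:
#  - WinboxP/ApiP were never declared :global here, and the condition tested $Api
#    (undefined) instead of $ApiP, so the restore ALWAYS took the fallback branch.
#    The check now uses [:typeof] against "nothing", which is what an unset global
#    reports regardless of the value type.
#  - quotes normalised to ASCII so the script parses.
# NOTE(review): users are addressed by index (0, 1, 2); if the user list is ever
# reordered the wrong accounts get toggled — prefer [/user find name=...].
# NOTE(review): "api" is the plaintext API service; if shared access must expose an
# API, use api-ssl, and restrict /ip service ... address= to the knocking client's
# address-list rather than relying on the port change alone.
:global WinboxP; :global ApiP;
:if ([/user get 0 name]~"xxx" and [/user get 0 disable]=no) do={
    /user set 1 disable=yes; /user set 2 disable=yes;
} else={
    :log error message=("[Error, en la secuenciacion de Users]");
};
:foreach x in=[/ip firewall filter find (comment~"<:")] do={/ip firewall filter set $x disable=yes;};
:foreach x in=[/ip firewall filter find (comment~"*:")] do={/ip firewall filter set $x disable=yes;};
:if ([:typeof $WinboxP]!="nothing" and [:typeof $ApiP]!="nothing") do={
    /ip service set winbox port=$WinboxP; /ip service set api port=$ApiP;
} else={
    /ip service set winbox port=3335; /ip service set api port=3336;
};
/system script environment remove [find name="WinboxP"]; /system script environment remove [find name="ApiP"];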
# [Link]-SharedON (x [Link]): -------------------------------------
# Name: [Link]-SharedON(SPKnocking) # verificar que user(x), sea (0)
# comment="R: [Link]-SharedON (SPKnocking)"
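# SharedON (port knocking): enters "shared access" mode. Enables users 1 and 2 (only
# if user 0 is the expected admin and enabled), enables the firewall rules whose
# comment contains "<:", saves the current winbox/api ports in the globals
# WinboxP/ApiP for SharedOFF, and moves the services to 3333/3334.
# Fixes vs. the previous version:
#  - the ports were saved unconditionally, so a second SharedON run before SharedOFF
#    overwrote the saved originals with 3333/3334 and SharedOFF then "restored" the
#    shared ports, leaving the services exposed. They are now saved only when no
#    value is stored yet.
#  - quotes normalised to ASCII so the script parses.
# NOTE(review): shared mode exposes winbox and the plaintext api service on fixed
# ports and enables two extra accounts; the knock rules are the only gate. Restrict
# both services with /ip service set ... address=<knock address-list> and prefer
# api-ssl. Users are addressed by index — prefer [/user find name=...].
:global WinboxP; :global ApiP;
:if ([/user get 0 name]~"xxx" and [/user get 0 disable]=no) do={
    /user set 1 disable=no; /user set 2 disable=no;
} else={
    :log error message=("[Error, en la secuenciacion de Users]");
};
:foreach x in=[/ip firewall filter find (comment~"<:")] do={/ip firewall filter set $x disable=no;};
# keep the original ports only if none are stored yet (re-entrant)
:if ([:typeof $WinboxP]="nothing") do={:set WinboxP ([/ip service get [find (name="winbox")] port]);};
:if ([:typeof $ApiP]="nothing") do={:set ApiP ([/ip service get [find (name="api")] port]);};
/ip service set winbox port=3333; /ip service set api port=3334;
# Note: for backward compatibility the globals WinboxP and ApiP are used (SharedOFF reads them).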
# [Link]-SharedON (x [Link]):
---------------------------------------------
# Name: [Link]-SharedON(SPort) # verificar que user(x), sea (0)
# comment="R: [Link]-SharedON (SPort)"
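# SharedON (fixed port): enters "shared access" mode. Enables users 1 and 2 (only if
# user 0 is the expected admin and enabled), enables the firewall rules whose comment
# contains "*:", saves the current winbox/api ports in the globals WinboxP/ApiP for
# SharedOFF, and moves the services to 3333/3334.
# Fixes vs. the previous version:
#  - the ports were saved unconditionally, so a second SharedON run before SharedOFF
#    overwrote the saved originals with 3333/3334 and SharedOFF then "restored" the
#    shared ports, leaving the services exposed. They are now saved only when no
#    value is stored yet.
#  - quotes normalised to ASCII so the script parses.
# NOTE(review): shared mode exposes winbox and the plaintext api service on fixed
# ports and enables two extra accounts. Restrict both services with
# /ip service set ... address=<allowed address-list> and prefer api-ssl. Users are
# addressed by index — prefer [/user find name=...].
:global WinboxP; :global ApiP;
:if ([/user get 0 name]~"xxx" and [/user get 0 disable]=no) do={
    /user set 1 disable=no; /user set 2 disable=no;
} else={
    :log error message=("[Error, en la secuenciacion de Users]");
};
:foreach x in=[/ip firewall filter find (comment~"*:")] do={/ip firewall filter set $x disable=no;};
# keep the original ports only if none are stored yet (re-entrant)
:if ([:typeof $WinboxP]="nothing") do={:set WinboxP ([/ip service get [find (name="winbox")] port]);};
:if ([:typeof $ApiP]="nothing") do={:set ApiP ([/ip service get [find (name="api")] port]);};
/ip service set winbox port=3333; /ip service set api port=3334;
# Note: for backward compatibility the globals WinboxP and ApiP are used (SharedOFF
# reads them). Given how the firewall is sequenced, some fixed ports cannot be
# avoided without adding more rules.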
-------------------------------------------------------------------------------
[ FIN ]
-----------------------------------------------------------------------------------
-----
----------------------------- Scripts (basicos):
-------------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
[Link] (Accesorios 01-01)
-------------------------------------------------------------------------------
[ INI ]
-----------------------------------------------------------------------------------
-----
--------------------------- Scripts (accesorios):
-----------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----
[Link]: ------------------------------------------------ [ INI ]
# Esquema general para ([Link]): ---------------------------------
# Establecer ([Link]) en especifica ([Link]).
# Run: QueueSimple.Add255 y AddressList.Add255.
# Modificar QueueSimple-Admin(36-40).Name, [Link].
# Remove [Link](DNS1).
# Marcar [Link] a clonar: (dos opciones)
# 1- Run: GuardaTXT ([Link]).
# Marcar cada línea de ([Link]) con (M{x}M), según corresponda.
# Run: RestauraTXT ([Link]).
# 2- Marcar cada ([Link]) con (#1), según corresponda.
# Run: [Link] ([Link]) (identifico clones con (#2)).
# Run: [Link] (limpio comentario de [Link]).
# Run: [Link] ([Link] limpias en Address-List).
# Run: [Link] (Remove.#2) (remove (#2) y !“S: ”).
# Modificar manualmente ([Link]), según corresponda (#1).
# Run: [Link] (Rename.#1) (Name (#1)=“_Libre…”).
# Run: [Link] (Add.#1) (Add.#1 y comment “( Libre )”).
# GuardaTXT ([Link]): ------------------------------------------
# ------------------------------------------------
# Pads a string to a target length: (value, side, padChar, length). side "Izq." pads
# on the left (padChar prepended); any other value pads on the right. A value that is
# already at least `length` long is returned unchanged; one padChar is added per
# missing position.
:local AddCToLen do={:if ([len $1]<$4) do={:for r from=[len $1] to=($4-1) do={:if
($2=”Izq.”) do={:set $1 ($3.$1)} else={:set $1 ($1.$3)}}}; :return ($1)};
# ------------------------------------------------
# Returns octet N of a dotted IP string as a number: (ip, N). Appends "." to the
# input, drops N-1 leading "octet." prefixes, and converts what precedes the next
# "." with :tonum.
# NOTE(review): no validation — N outside 1..4 or a non-dotted input yields an empty
# pick; callers in this file always pass 1..4 with a /32 target stripped of its mask.
:local FIPaOctX do={:local IPstr ($1."."); :local IPnum ""; :if ($2>1) do={:for x
from=1 to=($2-1) do={:set IPstr ([:pick $IPstr ([:find $IPstr "." 0]+1) [:len
$IPstr]])}}; :set IPnum ($IPnum.[:pick $IPstr 0 [:find $IPstr "." -1]]); :return
[:tonum $IPnum]};
# ------------------------------------------------
:local SubNet1 2; # Establecer redes a
dividir (1-2)
:local SubNet2 3; # Establecer redes a
dividir (2-2)
:local Plant (“M{}M - N{}N - I{}I”); # Patron de líneas
(LANDivision)
:local Body “”; # Opcional: copy-
paste en (TXT)
:local Nro 1;
:local Iter 1;
:local Name “---”;
:local IPx “…“;
:local Date ([/system clock get date]);
:local Time ([/system clock get time]);
:local File ("LANDivision (".[:pick $Date 7 11]."-".[:pick $Date 0 3]."-".[:pick
$Date 4 6]."-".[:pick $Time 0 2]."-".[:pick $Time 3 5]."-".[:pick $Time 6
8].”).txt”); #
[Link] de prueba
:local File ("[Link]”); # auto-Limitado a
4k=(4096b)
# ------------------------------------------------
/file remove [find name~"LANDivision"]; :delay 2s; # Dell All File (LANDivision)
/file print file=$File; :delay 2s; # Crea File
/file set [find name=$File] contents=""; # Borra contenido x def.
File-0X
# ------------------------------------------------
:foreach x in=[/queue simple find] do={:set IPx [:tostr ([/queue simple get $x
target])]; :set IPx ([:pick $IPx 0 ([:len $IPx]-3)]); :if (($SubNet1=([$FIPaOctX
$IPx 3])) or ($SubNet2=([$FIPaOctX $IPx 3]))) do={:set Name ([/queue simple get $x
name]); :set Name ([:pick $Name 0 26]); :set Plant (“M{}M - N{”.[$AddCToLen $Name
"Der." " " 26].”}N - I{”.(([$AddCToLen ([:tostr [$FIPaOctX $IPx 1]]) "Izq." “0"
3]).”.”.([$AddCToLen([:tostr [$FIPaOctX $IPx 2]]) "Izq." “0" 3]).”.”. ([$AddCToLen
([:tostr [$FIPaOctX $IPx 3]]) "Izq." “0" 3]).”.”.([$AddCToLen ([:tostr
[$FIPaOctX$IPx 4]]) "Izq." “0" 3])).“}I”); :if ($Iter<52) do={:set Iter ($Iter+1);}
else={:set Iter (1); :set Nro ($Nro+1); :set File ([:pick $File 0 ([find $File“-”
0]+1)].([$AddCToLen ([:tostr $Nro]) "Izq." “0" 2]).”.txt”); /file print file=$File;
:delay 2s; /file set [find name=$File] contents="";}; /file set
$Filecontents=([/file get $File contents].$Plant.”\r\n”); :set Body ($Body.”\r\n”.
$Plant);}};
#Nota: creará (05 files) por cada (255 [Link]).
# RestauraTXT ([Link]): --------------------------------------
# comment=”( [Link]-LANDivision )”
# ------------------------------------------------
# Función agrega caracteres (Izq/Der) hasta len: (Var, Donde, Char, Long)
# AddCToLen: pad string $1 with $3 until it is $4 characters long and return it.
# $2 selects the side: ”Izq.” prepends, anything else appends. The loop runs
# ($4 - len) times, so a multi-character $3 can overshoot $4. Mutates $1 in place.
# NOTE(review): `[len $1]` has no ":" prefix here while the other scripts use
# `[:len ...]`, and the quotes around Izq. are typographic — both look like
# document-conversion artifacts; confirm against the deployed script.
:local AddCToLen do={:if ([len $1]<$4) do={:for r from=[len $1] to=($4-1) do={:if
($2=”Izq.”) do={:set $1 ($3.$1)} else={:set $1 ($1.$3)}}}; :return $1};
# ------------------------------------------------
# Función devuelve Octeto(x) de IP: (IP, NroOcteto)
# FIPaOctX: return octet number $2 (1-based) of the dotted-quad string $1 as a
# number. A "." is appended to a working copy, the leading octets are trimmed
# off $2-1 times, and what is left up to the next "." is converted with :tonum.
:local FIPaOctX do={
    :local rest ($1.".");
    :local octet "";
    :if ($2>1) do={
        :for i from=1 to=($2-1) do={
            :set rest ([:pick $rest ([:find $rest "." 0]+1) [:len $rest]]);
        }
    };
    :set octet ($octet.[:pick $rest 0 [:find $rest "." -1]]);
    :return [:tonum $octet];
};
# ------------------------------------------------
# RestauraTXT: read files LANDivision-01.txt .. LANDivision-<FileCant>.txt back.
# For every "I{a.b.c.d}I" entry that follows a marker in a file, normalise the
# octets through FIPaOctX/:tonum (drops the zero padding), look up the simple
# queue whose target is that IP/32 and append "#1" to its name.
# Requires AddCToLen and FIPaOctX in scope.
# NOTE(review): the loop searches the literal marker “M{x}M” (and skips 5 chars
# past it), while LANDivision writes M{<queue name>}M — confirm which marker the
# deployed files contain.
# NOTE(review): ":setIPx" and "[pick" (missing space / ":") look like
# document-conversion artifacts.
:local File ("LANDivision-”);
:local Body “---”;
:local Name “---”;
:local IPx “…”;
:local FileCant 10; # number of LANDivision-NN.txt files to read back
:for x from=1 to=$FileCant step=1 do={:set File ([:pick $File 0 ([:find $File “-” -
1]+1)].([$AddCToLen ([:tostr $x]) "Izq." “0" 2]).”.txt”); :set Body([/file get
$File contents]); :while ([:find $Body “M{x}M” 0]>0) do={:set Body ([:pick $Body
([:find $Body “M{x}M” -1]+5) [:len $Body]]); :setIPx ([pick $Body ([:find $Body
“I{” -1]+2) ([:find $Body “}I” -1])]); :set IPx (([:tostr [$FIPaOctX $IPx 1]]).”.”.
([:tostr [$FIPaOctX $IPx 2]]).”.”.([:tostr [$FIPaOctX $IPx 3]]).”.”.([:tostr
[$FIPaOctX $IPx 4]])); :set Name ([/queue simple get value-name=name [find
target=($IPx."/32")]].”#1”); /queue simple set [find (target=($IPx."/32"))]
name=$Name;}}
# Nota: luego de comprobar, eliminar todos los files ([Link]).
# [Link] ([Link]): ------------------------- [#1®#2]
# comment=”( [Link] ([Link]) )”
# ------------------------------------------------
# Función devuelve Octeto(x) de IP: (IP, NroOcteto)
# FIPaOctX: return octet number $2 (1-based) of the dotted-quad string $1 as a
# number. A "." is appended to a working copy, the leading octets are trimmed
# off $2-1 times, and what is left up to the next "." is converted with :tonum.
:local FIPaOctX do={
    :local rest ($1.".");
    :local octet "";
    :if ($2>1) do={
        :for i from=1 to=($2-1) do={
            :set rest ([:pick $rest ([:find $rest "." 0]+1) [:len $rest]]);
        }
    };
    :set octet ($octet.[:pick $rest 0 [:find $rest "." -1]]);
    :return [:tonum $octet];
};
# ------------------------------------------------
# [Link] (#1 -> #2): for every simple queue whose name matches "#1", copy its
# limits (max-limit, limit-at, burst-limit/-time/-threshold, queue, priority,
# parent) onto the queue whose target is <oct1>.<oct2>.<SubNetN>.<Octeto4N>/32
# and name that queue after the source with its last character replaced by "2".
# Octeto4N is incremented after each copy, so destinations are consecutive.
# Every `/queue simple set [find (target=...)]` silently does nothing when no
# queue has that target — a missing destination queue is not reported.
# NOTE(review): ":setBurstLimit", "(:tostr ...)" and "[$Octeto4N]" look like
# document-conversion artifacts (":set BurstLimit", "[:tostr ...]", "$Octeto4N").
:local SubNetN 4; # third octet of the destination queues; change per new network
:local Octeto4N 50; # first fourth octet; set according to the number of "#1" marks
:local IPO; # source queue target
:local IPN; # destination target (without the /32)
:local Name;
:local MaxLimit;
:local LimitAt;
:local BurstLimit;
:local BurstTime;
:local BurstThreshold;
:local Parent;
:local Queue;
:local Priority;
:foreach x in=[/queue simple find (name~”#1”)] do={:set IPO ([/queue simple get $x
target]); :set Name (([:pick ([/queue simple get $x name]) 0 ([:len [/queue simple
get $x name]]-1)])."2"); :set MaxLimit ([/queue simple get $x max-limit]); :set
LimitAt ([/queue simple get $x limit-at]); :setBurstLimit ([/queue simple get $x
burst-limit]); :set BurstTime ([/queue simple get $x burst-time]); :set
BurstThreshold ([/queue simple get $x burst-threshold]); :set Queue ([/queue simple
get $x queue]); :set Priority ([/queue simple get $x priority]); :set Parent
([/queue simple get $x parent]); :set IPN ((:tostr [$FIPaOctX $IPO 1]).”.”.(:tostr
[$FIPaOctX $IPO 2]).”.”. ($SubNetN).”.”. (:tostr [$Octeto4N])); /queue simple set
[find (target=($IPN."/32"))] name=$Name; /queue simple set [find
(target=($IPN."/32"))] max-limit=$MaxLimit; /queue simple set [find
(target=($IPN."/32"))] limit-at=$LimitAt; /queue simple set [find
(target=($IPN."/32"))] burst-limit=$BurstLimit; /queue simple set [find
(target=($IPN."/32"))] burst-time=$BurstTime; /queue simple set [find
(target=($IPN."/32"))] burst-threshold=$BurstThreshold; /queue simple set [find
(target=($IPN."/32"))] queue=$Queue; /queue simple set [find (target=($IPN."/32"))]
priority=$Priority; /queue simple set [find (target=($IPN."/32"))]
parent=$Parent; :set Octeto4N ($Octeto4N+1);}
# [Link] (Remove.#2):
----------------------------------------------
# Remove.#2: delete every address-list entry whose comment matches "#2", except
# those whose comment also matches "S: " (kept). Assumes the IPs were cleaned up
# and identified beforehand.
/ip firewall address-list remove [find (!(comment~"S: ") and comment~"#2")];
# [Link] (Add.#1):
---------------------------------------------------
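# Add.#1: create one (disabled) address-list entry per simple queue whose name
# matches "#1", using the queue's target as the address. `list=[Link]` is a
# placeholder left by the document conversion — substitute the real list name.
# Fixes: the original wrote `address=$x target; comment=...; disable=yes;`, which
# ended the `add` command at the first ";" (comment and disable became separate,
# invalid commands) and never read the target; it also used `/ip queue simple`,
# which is not a RouterOS path (`/queue simple`).
:foreach x in=[/queue simple find (name~"#1")] do={
    /ip firewall address-list add list=[Link] address=[/queue simple get $x target] comment=”( Libre )” disabled=yes;
}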
[Link] (Rename.#1): ----------------------------------------------
# -----------------------------------------------
# Función agrega caracteres (Izq/Der) hasta len: (Var, Donde, Char, Long)
# AddCToLen: pad string $1 with $3 until it is $4 characters long and return it.
# $2 selects the side: ”Izq.” prepends, anything else appends. The loop runs
# ($4 - len) times, so a multi-character $3 can overshoot $4. Mutates $1 in place.
# NOTE(review): `[len $1]` has no ":" prefix here while the other scripts use
# `[:len ...]`, and the quotes around Izq. are typographic — both look like
# document-conversion artifacts; confirm against the deployed script.
:local AddCToLen do={:if ([len $1]<$4) do={:for r from=[len $1] to=($4-1) do={:if
($2=”Izq.”) do={:set $1 ($3.$1)} else={:set $1 ($1.$3)}}}; :return ($1)};
# -----------------------------------------------
# Función devuelve Octeto(x) de IP: (IP, NroOcteto)
# FIPaOctX: return octet number $2 (1-based) of the dotted-quad string $1 as a
# number. A "." is appended to a working copy, the leading octets are trimmed
# off $2-1 times, and what is left up to the next "." is converted with :tonum.
:local FIPaOctX do={
    :local rest ($1.".");
    :local octet "";
    :if ($2>1) do={
        :for i from=1 to=($2-1) do={
            :set rest ([:pick $rest ([:find $rest "." 0]+1) [:len $rest]]);
        }
    };
    :set octet ($octet.[:pick $rest 0 [:find $rest "." -1]]);
    :return [:tonum $octet];
};
# -----------------------------------------------
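# Rename.#1: rename every simple queue whose name matches "#1" to
# "_Libre 1.2.<y>.<octet4> [ 00000 :: __/__/__=__/__/__+__/__ ]" — y and the
# queue's fourth target octet zero-padded to 3 digits — and disable it.
# Fixes: the original computed Nombre but never applied it, read the target as
# `$x target` (not a valid expression), left `disable=yes;` as a bare statement
# and used `/ip queue simple`, which is not a RouterOS path (`/queue simple`).
# The trailing "/32" is stripped from the target before FIPaOctX, as the
# LANDivision script does, so octet 4 converts cleanly.
# Requires AddCToLen and FIPaOctX in scope.
:local y ”4”; # third octet used in the new name; change per LAN
:local IPx;
:local Nombre “-”;
:foreach x in=[/queue simple find (name~"#1")] do={
    :set IPx [:tostr [/queue simple get $x target]];
    :set IPx [:pick $IPx 0 ([:len $IPx]-3)];
    :set Nombre ("_Libre 1.2.".[$AddCToLen $y "Izq." "0" 3].”.”.[$AddCToLen [:tostr [$FIPaOctX $IPx 4]] "Izq." "0" 3]." [ 00000 :: __/__/__=__/__/__+__/__ ]");
    /queue simple set $x name=$Nombre disabled=yes;
}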
# Nota: ([Link]=25).
# Exportar [Link] y [Link]:
---------------------------------------------------
# /queue export file=[Link]
# /ip arp export file=[Link]
# Importar [Link] y [Link]:
---------------------------------------------------
# /import [Link]
# /import [Link]
[Link]: ------------------------------------------------ [ FIN ]
#
-----------------------------------------------------------------------------------
[INI]
# -------------------------------- [Protocolo BGP]
-------------------------------------
#
-----------------------------------------------------------------------------------
--------
# Reglas para (BGP):
--------------------------------------------------------------------
# Fundamentalmente, BGP (protocolo de pasarela exterior: utiliza el puerto
179 TCP), conecta AS (sistemas autónomos: conjunto de redes/dispositivos bajo un
mismo dominio administrativo. Poseen un bloque de IPv4/IPv6, que publican al resto
de AS para poder ser alcanzados). Interconexión entre dominios
administrativos. Cada AS tiene un ASN (número de sistema autónomo). De (1 a 64511:
16b), reservados para uso público. De (64512 a 65534: 16b), para uso privado.
LACNIC posee los ASN (4.0 a 4.1023). Las sesiones BGP se establecen con otros
routers configurando (peers BGP). Los peers (pares BGP) son los routers vecinos
con los que comparto redes. (eBGP): si los peers vecinos pertenecen a otro AS (lo
utilizamos para conectarnos con proveedores de Internet u otras entidades que tengan
AS). (iBGP): si los peers vecinos pertenecen a nuestro AS (lo utilizamos para
distribuir rutas dentro de nuestro AS; generalmente iBGP se apoya en otro método de
ruteo (ruteo estático, RIP, OSPF)). Algunos atributos conocidos son: Weight
("peso"), Local Preference ("preferencia local"), AS Path ("camino de AS"). Si dos
(peers) publican la misma ruta, se prioriza la de mayor peso (weight). Si dos
(routers) dentro de un mismo AS permiten alcanzar las mismas rutas, se prioriza el
de mayor (local preference). BGP utiliza el (as path) para que las redes destino se
alcancen tomando el camino que atraviese menor cantidad de AS. Bogons BGP servers:
(65332:888). Lista negra BGP servers (6549:666).
# ---------------------------------------------- (Constantes BGP)
# BGP constants shared by the three role sections below (VCI, ISP1, ISP2); each
# role runs on its own router, which is why several WAN/LAN names repeat.
# Every [Link] value is a placeholder left by the document conversion —
# substitute the real addresses and MACs before use.
# ---------------------------------------------- (BGP constants)
:global BGPISP1IP30 [Link]/30; # ARSAT-VCI.BGPIP30 (from ARSAT)
:global BGPISP2IP30 [Link]/30; # TELCO-VCI.BGPIP30 (from TELCO)
:global BGPVCI1IP30 [Link]/30; # VCI-ARSAT.BGPIP30 (from ARSAT)
:global BGPVCI2IP30 [Link]/30; # VCI-TELCO.BGPIP30 (from TELCO)
# ----------------------- WAN interface carrying the /30 on each router
:global BGPISP1WAN “WAN1”; # [Link] (from ARSAT)
:global BGPISP2WAN “WAN1”; # [Link] (from TELCO)
:global BGPVCI1WAN “WAN1”; # [Link]
:global BGPVCI2WAN “WAN2”; # [Link]
# ----------------------- LAN gateway addresses
:global BGPISP1GW [Link]/22; # [Link] (from ARSAT)
:global BGPISP2GW [Link]/22; # [Link] (from TELCO)
:global BGPVCI1GWA [Link]/24; # [Link]
:global BGPVCI1GWB [Link]/23; # [Link]
# ----------------------- LAN interfaces
:global BGPISP1LAN “LAN1”; # [Link] (from ARSAT)
:global BGPISP2LAN “LAN1”; # [Link] (from TELCO)
:global BGPVCI1LANA “LAN1”; # [Link]
:global BGPVCI1LANB “LAN2”; # [Link]
# ----------------------- ASNs (all in the private 64512-65534 range)
:global BGPISP1ASN 64513; # [Link] (from ARSAT)
:global BGPISP2ASN 64514; # [Link] (from TELCO)
:global BGPVCI1ASN 64515; # [Link]
# ----------------------- prefixes each AS announces
:global BGPISP1IPP [Link]/22; # [Link] (from ARSAT)
:global BGPISP2IPP [Link]/22; # [Link] (from TELCO)
:global BGPVCI1IPPA [Link]/24; # [Link]
:global BGPVCI1IPPB [Link]/23; # [Link]
# ------------------------------------------------- loopback bridge MACs
:global BGPISP1LBMAC [Link]; # [Link] (from ARSAT)
:global BGPISP2LBMAC [Link]; # [Link] (from TELCO)
:global BGPVCI1LBMAC [Link]; # [Link]
# ----------------------- loopback IPs
:global BGPISP1LBIP [Link]; # [Link] (from ARSAT)
:global BGPISP2LBIP [Link]; # [Link] (from TELCO)
:global BGPVCI1LBIP [Link]; # [Link]
# ----------------------- (if not used: [Link])
# Router IDs: the /30 address with its last 3 characters ("/30") stripped off.
# NOTE(review): pick/tostr/len are written without the ":" prefix here, unlike
# the scripts above ([:pick ...]) — confirm they parse on the target version.
:global BGPISP1RID ([pick [tostr $BGPISP1IP30] 0 ([len [tostr $BGPISP1IP30]]-3)]);
# [Link] (from ARSAT)
:global BGPISP2RID ([pick [tostr $BGPISP2IP30] 0 ([len [tostr $BGPISP2IP30]]-3)]);
# [Link] (from TELCO)
:global BGPVCI1RID ([pick [tostr $BGPVCI1IP30] 0 ([len [tostr $BGPVCI1IP30]]-3)]);
# [Link] (from ARSAT)
:global BGPVCI2RID ([pick [tostr $BGPVCI2IP30] 0 ([len [tostr $BGPVCI2IP30]]-3)]);
# [Link] (from TELCO)
# [Link] (de TELCO)
# [Link] ([Link]): ---------------------------- [switch (CISCO.3560G)]
# ------------------------------------------ (Estableciendo [Link])
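# VCI role: loopback bridge, the two point-to-point /30s towards ARSAT (WAN1)
# and TELCO (WAN2), the LAN gateways, the BGP instance, one eBGP peer per ISP
# and the two announced prefixes. Everything is added disabled.
# Fixes: the two LAN address lines referenced $BGPVCI1GW, $BGPVCI2GW and
# $BGPVCI2LAN, none of which is defined; the constants block defines
# BGPVCI1GWA/BGPVCI1GWB (the /24 and /23 the comments name) and
# BGPVCI1LANA/BGPVCI1LANB, so those are used here.
# ------------------------------------------ (loopback interface)
/interface bridge add name=”[Link]” admin-mac=$BGPVCI1LBMAC auto-mac=no comment=”R+: BGP (BGP.VIC1LB Interface)” disable=yes;
/ip address add address=$BGPVCI1LBIP interface=”[Link]” comment=”R+: BGP (BGP.VCI1LB IP)” disable=yes;
# ------------------------------------------ (point-to-point /30s, one per ISP)
/ip address add address=$BGPVCI1IP30 interface=$BGPVCI1WAN comment=”R+: BGP (IPP/30, dispuesta x VCI1 x su S/[Link])” disable=yes;
/ip address add address=$BGPVCI2IP30 interface=$BGPVCI2WAN comment=”R+: BGP (IPP/30, dispuesta x VCI2 x su S/[Link])” disable=yes;
# ------------------------------------------ (LAN gateways of the announced prefixes)
/ip address add address=$BGPVCI1GWA interface=$BGPVCI1LANA comment=”R+: BGP (IPP/24, dispuesta x VCI1 x su [Link])” disable=yes;
/ip address add address=$BGPVCI1GWB interface=$BGPVCI1LANB comment=”R+: BGP (IPP/23, dispuesta x VCI1 x su [Link])” disable=yes;
# ------------------------------------------ (BGP instance; router-id from the ARSAT-facing /30)
/routing bgp instance set 0 router-id=$BGPVCI1RID as=$BGPVCI1ASN comment=”R+: BGP ([Link])”;
# ------------------------------------------ (eBGP peers)
# No tcp-md5-key and no in-filter/out-filter are set on either peer, so each
# session is unauthenticated and accepts every prefix the neighbour announces;
# set a session key and prefix filters before enabling them.
/routing bgp peer add name=”[Link]-ARSAT” remote-address=$BGPISP1RID remote-as=$BGPISP1ASN default-originate=if-installed comment=”R+: BGP (Estableciendo relación con [Link]-VCI)” disable=yes;
# --------------------
/routing bgp peer add name=”[Link]-TELCO” remote-address=$BGPISP2RID remote-as=$BGPISP2ASN default-originate=if-installed comment=”R+: BGP (Estableciendo relación con [Link]-VCI)” disable=yes;
# ------------------------------------------ (prefixes announced by this AS)
/routing bgp network add network=$BGPVCI1IPPA synchronize=no comment=”R+: BGP ([Link] de VCI1A)” disable=yes;
# --------------------
/routing bgp network add network=$BGPVCI1IPPB synchronize=no comment=”R+: BGP ([Link] de VCI1B)” disable=yes;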
# …
# [Link] ([Link]): ------------------------ [switch (CISCO.--------)]
# ISP1 role (the ARSAT-side router): loopback bridge, the /30 towards VCI on
# its WAN, its LAN gateway, the BGP instance and a single eBGP peer to VCI.
# Everything is added disabled.
/interface bridge add name=”[Link]” admin-mac=$BGPISP1LBMAC auto-mac=no
comment=”R+: BGP (BGP.ISP1LB Interface)” disable=yes;
/ip address add address=$BGPISP1LBIP interface=”[Link]” comment=”R+: BGP
(BGP.ISP1LB IP)” disable=yes;
# ------------------------------------------ (point-to-point /30 towards VCI)
/ip address add address=$BGPISP1IP30 interface=$BGPISP1WAN comment=”R+: BGP
(IPP/30, dispuesta x ISP1 x su S/[Link])” disable=yes;
# ------------------------------------------ (LAN gateway)
/ip address add address=$BGPISP1GW interface=$BGPISP1LAN comment=”R+: BGP (IPP/22,
dispuesta x ISP1 x su [Link])” disable=yes;
# ------------------------------------------ (BGP instance; router-id from the /30)
/routing bgp instance set 0 router-id=$BGPISP1RID as=$BGPISP1ASN comment=”R+: BGP
([Link])”;
# ------------------------------------------ (eBGP peer to VCI)
# No tcp-md5-key and no in-filter/out-filter are set, so the session is
# unauthenticated and accepts every prefix VCI announces; set a session key and
# a prefix filter before enabling it.
/routing bgp peer add name=”[Link]-VCI” remote-address=$BGPVCI1RID remote-
as=$BGPVCI1ASN default-originate=if-installed comment=”R+: BGP (Estableciendo
relación con [Link]-VCI)” disable=yes;
# ------------------------------------------ (prefix announced by ISP1)
/routing bgp network add network=$BGPISP1IPP synchronize=no comment=”R+: BGP
([Link] de ISP1)” disable=yes;
# …
# [Link] ([Link]): ------------------------ [switch (CISCO.--------)]
# ISP2 role (the TELCO-side router): loopback bridge, the /30 towards VCI on
# its WAN, its LAN gateway, the BGP instance and a single eBGP peer to VCI.
# Everything is added disabled.
/interface bridge add name=”[Link]” admin-mac=$BGPISP2LBMAC auto-mac=no
comment=”R+: BGP (BGP.ISP2LB Interface)” disable=yes;
/ip address add address=$BGPISP2LBIP interface=”[Link]” comment=”R+: BGP
(BGP.ISP2LB IP)” disable=yes;
# ------------------------------------------ (point-to-point /30 towards VCI)
/ip address add address=$BGPISP2IP30 interface=$BGPISP2WAN comment=”R+: BGP
(IPP/30, dispuesta x ISP2 x su S/[Link])” disable=yes;
# ------------------------------------------ (LAN gateway)
/ip address add address=$BGPISP2GW interface=$BGPISP2LAN comment=”R+: BGP (IPP/22,
dispuesta x ISP2 x su [Link])” disable=yes;
# ------------------------------------------ (BGP instance; router-id from the /30)
/routing bgp instance set 0 router-id=$BGPISP2RID as=$BGPISP2ASN comment=”R+: BGP
([Link])”;
# ------------------------------------------ (eBGP peer to VCI)
# The peer address is VCI's TELCO-facing /30 (BGPVCI2RID); VCI has a single ASN,
# hence remote-as=$BGPVCI1ASN. No tcp-md5-key and no in-filter/out-filter are
# set, so the session is unauthenticated and accepts every prefix VCI announces;
# set a session key and a prefix filter before enabling it.
/routing bgp peer add name=”[Link]-VCI” remote-address=$BGPVCI2RID remote-
as=$BGPVCI1ASN default-originate=if-installed comment=”R+: BGP (Estableciendo
relación con [Link]-VCI)” disable=yes;
# ------------------------------------------ (prefix announced by ISP2)
/routing bgp network add network=$BGPISP2IPP synchronize=no comment=”R+: BGP
([Link] de ISP2)” disable=yes;
# …
#
-----------------------------------------------------------------------------------
[FIN]
# -------------------------------- [Protocolo BGP]
-------------------------------------
#
-----------------------------------------------------------------------------------
--------
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------ [Protocolo Romon]
-----------------------------------
#
-----------------------------------------------------------------------------------
-------
# (Access via Layer.2): aplicar en c/Router que se use para alcanzar ([Link]) desde
([Link]=[Link]).
# RoMON (Layer-2 management access). The secret is a shared symmetric value that
# must be identical on every RoMON-enabled router along the path; "private"
# appears to be a placeholder — use a site-specific secret.
/tool romon set enable=yes secrets=private; # Secret=password
# Only the ports added here carry RoMON; the default "all" entry is forbidden
# below, so RoMON is deny-by-default on every other interface.
/tool romon port add interface=LAN1 disable=no; # add a RoMON port
/tool romon port set forbid=yes [find (interface=all)]; # block RoMON on all other interfaces
# /tool romon port remove [find interface=LAN1]; # remove a RoMON port
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------ [Protocolo Romon]
-----------------------------------
#
-----------------------------------------------------------------------------------
-------
#
-----------------------------------------------------------------------------------
[INI]
# ----------------------------- [Balanceos de Carga]
---------------------------------
#
-----------------------------------------------------------------------------------
-------
# Reglas para (Balanceo de Carga): ----------------------------------- (no probado)
# Fundamentalmente, divide la carga (conexiones) entre diferentes
out-interfaces/enlaces. Existen tres tipos de balanceos de carga: (ECMP/NTH/PCC).
# Reglas para (Balanceo de Carga): ---------------------------------------- [ECMP]
# Activar reglas ([Link]: R<:), según corresponda (diferentes Gateways de
igual Mbps).
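# ECMP marks (different gateways of equal bandwidth). One pair of rules per WAN:
# the `input` rule tags connections arriving on WANx with ISPxConn, and the
# `output` rule sends the router's own packets on those connections through
# routing table toISPx, so a reply leaves on the WAN it came in on.
# Fixes (rules 002/004): the output rules used `new-connection-mark=ISPxConn` as
# if it were a match and `new-routing=toISPx` as the target, so they matched
# nothing in particular; a mark-routing rule matches with `connection-mark=` and
# sets `new-routing-mark=`, as the PCC rules 009/010 further down already do.
/ip firewall mangle add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=ISP1Conn log=no log-prefix=”[Link] ([Link]: ISP1Conn)” comment=”001R<: [Link] ([Link]: ISP1Conn)” disable=yes;
/ip firewall mangle add chain=output connection-mark=ISP1Conn action=mark-routing new-routing-mark=toISP1 log=no log-prefix=”[Link] ([Link]: toISP1)” comment=”002R<: [Link] ([Link]: toISP1)” disable=yes;
/ip firewall mangle add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=ISP2Conn log=no log-prefix=”[Link] ([Link]: ISP2Conn)” comment=”003R<: [Link] ([Link]: ISP2Conn)” disable=yes;
/ip firewall mangle add chain=output connection-mark=ISP2Conn action=mark-routing new-routing-mark=toISP2 log=no log-prefix=”[Link] ([Link]: toISP2)” comment=”004R<: [Link] ([Link]: toISP2)” disable=yes;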
# …
# ------------------------------------------- [distintos Gateways y distintas
Interfaces]
# ECMP routes (different gateways on different interfaces; [Link] = placeholders).
# 10R: one default route with two gateways — RouterOS spreads flows across them,
# and check-gateway=ping drops a gateway that stops answering. 20R/21R: per-mark
# defaults used by the toISP1/toISP2 routing marks set in the mangle rules above.
/ip route add check-gateway=ping gateway=[Link],[Link] comment="10R<: BC-
[Link] ([Link])" disable=yes; # different gateways and different ISPs
/ip route add check-gateway=ping gateway=[Link] routing-mark=toISP1 comment="20R<:
[Link] ([Link])" disable=yes;
/ip route add check-gateway=ping gateway=[Link] routing-mark=toISP2 comment="21R<:
[Link] ([Link])" disable=yes;
# …
# ------------------------------------------- [mismo Gateway y distintas
Interfaces]
# /ip route add check-gateway=ping gateway=[Link]%WAN1,[Link]%WAN2 comment="10R<:
[Link] ([Link])" disable=yes;
# /ip route add check-gateway=ping gateway=[Link]%WAN1 routing-mark=toISP1
comment="20R<: [Link] ([Link])" disable=yes;
# /ip route add check-gateway=ping gateway=[Link]%WAN2 routing-mark=toISP2
comment="21R<: [Link] ([Link])" disable=yes;
# …
# Reglas para (Balanceo de Carga): ------------------------------------------ [NTH]
# Activar reglas ([Link]: R<:), según corresponda. (nth=2,1), donde (2) es
el nro de WANx activas.
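# NTH marks: new connections from the LANs are counted with nth=2,x (the 2 is
# the number of active WANs) and alternately tagged ISP1Conn / ISP2Conn; the
# matching mark-routing rule then sends every packet of a tagged connection
# through toISP1 / toISP2. The mark-connection rules keep passthrough=yes so the
# packet also reaches the mark-routing rule; the mark-routing rules stop
# evaluation (passthrough=no).
# Fixes: the ISP2 routing rule's log-prefix and comment said "toISP1" although
# it sets new-routing-mark=toISP2, and the two ISP2 rules reused the numbers
# 001/002 of the ISP1 pair; renumbered 003/004 as in the ECMP and PCC sections.
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-state=new nth=2,1 action=mark-connection new-connection-mark=ISP1Conn log=no log-prefix=”[Link] ([Link]: ISP1Conn)” comment=”001R<: [Link] ([Link]: ISP1Conn)” passthrough=yes disable=yes;
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-mark=ISP1Conn action=mark-routing new-routing-mark=toISP1 log=no log-prefix=”BC-[Link] ([Link]: toISP1)” comment=”002R<: [Link] ([Link]: toISP1)” passthrough=no disable=yes;
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-state=new nth=2,2 action=mark-connection new-connection-mark=ISP2Conn log=no log-prefix=”[Link] ([Link]: ISP2Conn)” comment=”003R<: [Link] ([Link]: ISP2Conn)” passthrough=yes disable=yes;
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-mark=ISP2Conn action=mark-routing new-routing-mark=toISP2 log=no log-prefix=”BC-[Link] ([Link]: toISP2)” comment=”004R<: [Link] ([Link]: toISP2)” passthrough=no disable=yes;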
# …
# ------------------------------------------- [distintos Gateways y distintas
Interfaces]
# NTH routes (different gateways on different interfaces; [Link] = placeholders).
# 20R/21R: per-mark defaults for toISP1/toISP2. 22R: the default for traffic that
# carries no routing mark (router-originated traffic and anything the mangle
# rules did not tag).
/ip route add check-gateway=ping gateway=[Link] routing-mark=toISP1 comment="20R<:
[Link] ([Link])" disable=yes;
/ip route add check-gateway=ping gateway=[Link] routing-mark=toISP2 comment="21R<:
[Link] ([Link])" disable=yes;
/ip route add check-gateway=ping gateway=[Link] comment="22R<: [Link]
([Link] x routing-mark=no-mark)" disable=yes;
# Reglas para (Balanceo de Carga): -------------------------------------------
[PCC]
# Activar reglas ([Link]: R<:), según corresponda. (src-address-and-
port:X/0)/(both-addresses:X/0), siendo (X), la cantidad de WANs (activas) o una
forma de ponderar interface (WANx) por sobre el resto (por tener mas Mbps).
# PCC, step 1: LAN traffic to each ISP's own /24 ([Link] = placeholder) is
# accepted here, so it skips the classifier and routing marks below and is
# routed through the main table.
/ip firewall mangle add chain=prerouting dst-address=[Link]/24 action=accept in-
interface-list=LANs comment="001R<: [Link] (LANs to ISP1Conn)" disable=yes;
/ip firewall mangle add chain=prerouting dst-address=[Link]/24 action=accept in-
interface-list=LANs comment="002R<: [Link] (LANs to ISP2Conn)" disable=yes;
# …
# -------------------------------------------
# PCC, step 2: connections arriving from the Internet on WANx are tagged
# ISPxConn while still unmarked (connection-mark=no-mark), so the reply path
# (rules 007-010) keeps them on the WAN they came in on.
/ip firewall mangle add chain=prerouting in-interface=WAN1 connection-mark=no-mark
action=mark-connection new-connection-mark=ISP1Conn log=no log-prefix=”[Link]
([Link]: ISP1Conn)” comment=”003R<: [Link] ([Link]: ISP1Conn)” disable=yes;
/ip firewall mangle add chain=prerouting in-interface=WAN2 connection-mark=no-mark
action=mark-connection new-connection-mark=ISP2Conn log=no log-prefix=”[Link]
([Link]: ISP2Conn)” comment=”004R<: [Link] ([Link]: ISP2Conn)” disable=yes;
# …
# -------------------------------------------
# PCC, step 3: unmarked LAN connections are split by per-connection-classifier
# (src-address-and-port:2/0 -> ISP1Conn, 2/1 -> ISP2Conn, 2 = number of WANs;
# a X/Y split with other values weights one WAN over the other).
# dst-address-type=!local keeps traffic destined to the router itself unmarked.
# The commented 005Rx/006Rx variants classify by both-addresses instead, which
# keeps every connection between the same two hosts on the same WAN.
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-mark=no-
mark per-connection-classifier=src-address-and-port:2/0 action=mark-connection dst-
address-type=!local new-connection-mark=ISP1Conn log=no log-prefix=”[Link]
([Link]: ISP1Conn)” comment=”005R<: [Link] ([Link]: ISP1Conn)” disable=yes;
# /ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=no-mark per-connection-classifier=both-addresses:2/0 action=mark-connection
dst-address-type=!local new-connection-mark=ISP1Conn log=no log-prefix=”BC-
[Link] ([Link]: ISP1Conn)” comment=”005Rx: [Link] ([Link]: ISP1Conn)”
disable=yes;
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-mark=no-
mark per-connection-classifier=src-address-and-port:2/1 action=mark-connection dst-
address-type=!local new-connection-mark=ISP2Conn log=no log-prefix=”[Link]
([Link]: ISP2Conn)” comment=”006R<: [Link] ([Link]: ISP2Conn)” disable=yes;
# /ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=no-mark per-connection-classifier=both-addresses:2/1 action=mark-connection
dst-address-type=!local new-connection-mark=ISP2Conn log=no log-prefix=”BC-
[Link] ([Link]: ISP2Conn)” comment=”006Rx: [Link] ([Link]: ISP2Conn)”
disable=yes;
# …
# ---------------------
# PCC, step 4: every LAN packet of a connection tagged ISPxConn (by step 2 or 3)
# gets routing mark toISPx, which selects the per-mark default route below.
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=ISP1Conn action=mark-routing new-routing-mark=toISP1 log=no log-prefix=”BC-
[Link] ([Link]: toISP1)” comment=”007R<: [Link] ([Link]: toISP1)”
disable=yes;
/ip firewall mangle add chain=prerouting in-interface-list=LANs connection-
mark=ISP2Conn action=mark-routing new-routing-mark=toISP2 log=no log-prefix=”BC-
[Link] ([Link]: toISP2)” comment=”008R<: [Link] ([Link]: toISP2)”
disable=yes;
# …
# ---------------------
# PCC, step 5: the router's own packets on tagged connections (output chain)
# get the same routing mark, so its replies leave on the WAN the connection
# arrived on.
# NOTE(review): 009 sets passthrough=no while 010 leaves the default
# (passthrough=yes); no mangle rule follows them in this listing, so the effect
# is the same here, but the pair is inconsistent — confirm which is intended.
/ip firewall mangle add chain=output connection-mark=ISP1Conn action=mark-routing
new-routing-mark=toISP1 log=no log-prefix=”[Link] ([Link]: toISP1)”
comment=”009R<: [Link] ([Link]: toISP1)” passthrough=no disable=yes;
/ip firewall mangle add chain=output connection-mark=ISP2Conn action=mark-routing
new-routing-mark=toISP2 log=no log-prefix=”[Link] ([Link]: toISP2)”
comment=”010R<: [Link] ([Link]: toISP2)” disable=yes;
# …
# ------------------------------------------- [distintos Gateways y distintas
Interfaces]
# PCC routes ([Link] = placeholders): 20R/21R are the per-mark defaults for
# toISP1/toISP2; 22R/23R are two unmarked defaults labelled "Failover" that
# differ only by scope=1 / scope=2.
# NOTE(review): two default routes with the same distance are both active
# (ECMP); `scope` governs recursive next-hop resolution, not which route is
# preferred. If one gateway is meant to be the backup, `distance=` (e.g. 1 and
# 2) together with check-gateway=ping is the usual knob — confirm the intent.
/ip route add check-gateway=ping gateway=[Link] routing-mark=toISP1 comment="20R<:
[Link] ([Link])" disable=yes;
/ip route add check-gateway=ping gateway=[Link] routing-mark=toISP2 comment="21R<:
[Link] ([Link])" disable=yes;
/ip route add check-gateway=ping gateway=[Link] scope=1 comment="22R<: [Link]
([Link]-Failover)" disable=yes;
/ip route add check-gateway=ping gateway=[Link] scope=2 comment="23R<: [Link]
([Link]-Failover)" disable=yes;
…
#
-----------------------------------------------------------------------------------
[FIN]
# ----------------------------- [Balanceos de Carga]
---------------------------------
#
-----------------------------------------------------------------------------------
-------
#
-----------------------------------------------------------------------------------
[INI]
# ------------------------------------ [Bonding]
----------------------------------------
#
-----------------------------------------------------------------------------------
-------
# Reglas para (Bonding): ---- [agregación de interfaces en un único enlace virtual]
# Sumatoria de interfaces. Se necesitan dos routers/switches (uno en cada punta de los
enlaces) y conectar cada puerto con cada AP/ST (enlaces).
# ------------------------------------------- [[Link]]
# Bonding, remote end ([Link]): WAN1+WAN2 aggregated into one round-robin
# (balance-rr) bond; the router at the other end must run the matching bond.
# The bond and each physical link get their own /30 ([Link] = placeholders).
/interface bonding add name=VCIBonding slaves=WAN1,WAN2 mode=balance-rr
comment=”01R<: [Link] (Bonding [Link])” disable=yes;
# ------------------------ /30 on the bond itself (AP-ST)
/ip address add address=[Link]/30 interface=VCIBonding comment=”01R<:
[Link] (AP-ST)” disable=yes;
# /30 per physical link, for the radio links named in the comments
/ip address add address=[Link]/30 interface=WAN1 comment=”01R>: BondingWAN1.[
Elisa (AP:[Link]-ST:[Link]) ]” disable=yes;
/ip address add address=[Link]/30 interface=WAN2 comment=”02R>: BondingWAN2.[
Elisa (AP:[Link]-ST:[Link]) ]” disable=yes;
# …
# ------------------------------------------- [[Link]-Local]
# Bonding, local end ([Link]-Local): the mirror of the remote-end block, applied
# on the other router (same bond name, same balance-rr mode, the ST/AP roles
# of each link swapped). [Link] = placeholders.
/interface bonding add name=VCIBonding slaves=WAN1,WAN2 mode=balance-rr
comment=”01R>: [Link] (Bonding [Link]-Local)” disable=yes;
# ------------------------ /30 on the bond itself (ST-AP)
/ip address add address=[Link]/30 interface=VCIBonding comment=”01R>:
[Link] (ST-AP)” disable=yes;
# /30 per physical link, for the radio links named in the comments
/ip address add address=[Link]/30 interface=WAN1 comment=”01R>: BondingWAN1.[
Elisa (ST:[Link]-AP:[Link]) ]” disable=yes;
/ip address add address=[Link]/30 interface=WAN2 comment=”02R>: BondingWAN2.[
Elisa (ST:[Link]-AP:[Link]) ]” disable=yes;
# …
#
-----------------------------------------------------------------------------------
[FIN]
# ------------------------------------ [Bonding]
----------------------------------------
#
-----------------------------------------------------------------------------------
-------
-------------------------------------------------------------------------------
[ FIN ]
-----------------------------------------------------------------------------------
-----
--------------------------- Scripts (accesorios):
-----------------------------------
-----------------------------------------------------------------------------------
-----
-----------------------------------------------------------------------------------
-----