Một số Scripts-MikroTik Tôi lượm lặt và có test một số cái
NO-IP.COM DDNS Update.txt (test X86 ok)
Mikrotik RouterOS Cloudflare Dynamic DNS Script and API Command for List Cloudflare Record ID.txt
Port Knocking Security.txt
Create [Script-MikroTik] Hairpin NAT.txt
PCC Load Balancing (2 WAN PPPoE) + VLAN + FailOver Netwatch.rsc
NO-IP.COM DDNS Update.txt (test X86 ok)
Mã:
# No-IP, Dynamic DNS Updater
# TechBlogClub by Krittin Srithong
#--------------- Change your information here ------------------
:local noipuser "enterNOIPUsername"
:local noippass "enterNOIPPassword"
:local noiphost "enterYOURhostname.ddns.net"
:local inetinterface "pppoe-out1"
#---------------------------------------------------------------
:if ([/interface get $inetinterface value-name=running]) do={
# Get the current IP on the interface
:local currentIP [/ip address get [find interface="$inetinterface" disabled=no] address]
# Strip the net mask off the IP address
:for i from=( [:len $currentIP] - 1) to=0 do={
:if ( [:pick $currentIP $i] = "/") do={
:set currentIP [:pick $currentIP 0 $i]
}
}
# The update URL. Note the "\3F" is hex for question mark (?). Required since ? is a special character in commands.
:local url "http://dynupdate.no-ip.com/nic/update\3Fmyip=$currentIP"
:local noiphostarray
:set noiphostarray [:toarray $noiphost]
:foreach host in=$noiphostarray do={
# Check 1 - resolved IP
:local resolvedIP [:resolve $host];
# Check 2 - Saved response from NO-IP
:local filename ("no-ip_ddns_update-" . $host . ".txt")
:local savedMatch -1
:local savedIP "No File";
if ( [:len [/file find name=$filename]] > 0 ) do={
:set savedIP [/file get $filename contents]
:set savedMatch [:find $savedIP $currentIP -1]
}
# If either check fails, update IP
:if (($currentIP = $resolvedIP) && ($savedMatch >= 0)) do={
:log info "No-IP: Host $host already on No-IP with IP $resolvedIP"
} else={
:log info "No-IP: Sending update for $host - $resolvedIP saved as $savedIP"
/tool fetch url=($url . "&hostname=$host") user=$noipuser password=$noippass mode=http dst-path=$filename
:log info "No-IP: Host $host updated on No-IP with IP $currentIP"
}
}
} else={
:log info "No-IP: $inetinterface is not currently running, so therefore will not update."
}Mikrotik RouterOS Cloudflare Dynamic DNS Script and API Command for List Cloudflare Record ID.txt
Mã:
# Cloudflare Dynamic DNS update script
# Required policy: read, write, test, policy
# Add this script to scheduler
# Install DigiCert root CA or disable check-certificate
# Configuration ---------------------------------------------------------------------
:local TOKEN "__APITOKEN__"
:local ZONEID "__ZONEIDENTIFIER__"
:local RECORDID "__RECORDIDENTIFIER__"
:local RECORDNAME "__DNSRECORD__"
:local WANIF "__WANINTERFACE__"
#------------------------------------------------------------------------------------
:global IP4NEW
:global IP4CUR
:local url "https://api.cloudflare.com/client/v4/zones/$ZONEID/dns_records/$RECORDID/"
:if ([/interface get $WANIF value-name=running]) do={
# Get the current public IP
:local requestip [tool fetch url="https://ipv4.icanhazip.com" mode=https check-certificate=no output=user as-value]
:set IP4NEW [:pick ($requestip->"data") 0 ([:len ($requestip->"data")]-1)]
# Check if IP has changed
:if ($IP4NEW != $IP4CUR) do={
:log info "CF-DDNS: Public IP changed to $IP4NEW, updating"
:local cfapi [/tool fetch http-method=put mode=https url=$url check-certificate=no output=user as-value \
http-header-field="Authorization: Bearer $TOKEN,Content-Type: application/json" \
http-data="{\"type\":\"A\",\"name\":\"$RECORDNAME\",\"content\":\"$IP4NEW\",\"ttl\":120,\"proxied\":false}"]
:set IP4CUR $IP4NEW
:log info "CF-DDNS: Host $RECORDNAME updated with IP $IP4CUR"
} else={
:log info "CF-DDNS: Previous IP $IP4NEW not changed, quitting"
}
} else={
:log info "CF-DDNS: $WANIF is not currently running, quitting"
}
* [API Command for List Cloudflare Record ID] *
curl -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records?name=SUB_DOMAIN" \
-H "X-Auth-Email: user@example.com" \
-H "X-Auth-Key: YOUR_API_KEY" \
-H "Content-Type: application/json"Port Knocking Security.txt
Mã:
/ip firewall filter
add action=accept chain=input comment="Port Knocking Security" connection-state=established,related
add action=add-src-to-address-list address-list=Temporary address-list-timeout=1m chain=input dst-port=1234 protocol=tcp
add action=add-src-to-address-list address-list=Valid address-list-timeout=1m chain=input dst-port=4321 protocol=tcp src-address-list=Temporary
add action=accept chain=input src-address-list=Valid
add action=drop chain=inputCreate [Script-MikroTik] Hairpin NAT.txt
Mã:
#TechBlogClub by Krittin Srithong
/ip firewall address-list
add address=192.168.50.0/24 list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Internel Hairpin NAT" dst-address=!192.168.50.1 src-address-list=LAN
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=tcp src-address-list=LAN to-addresses=192.168.50.100 to-ports=80
add action=dst-nat chain=dstnat comment="External Port Forwarding" dst-port=80 in-interface=WAN1 protocol=tcp to-addresses=192.168.50.100 to-ports=80Dynamic IP problem with manual created routes (DHCP-Client).txt
Mã:
IP > DHCP Client > Select Interface > Advance Tabs > Script:
################################################################################################
:if ($bound=1) do={
/ip route add distance=1 gateway=$"gateway-address" routing-mark=via-ISP2 comment="ISP2"
} else={
/ip route remove [/ip route find comment="ISP2"]
}
################################################################################################PCC Load Balancing (2 WAN PPPoE) + VLAN + FailOver Netwatch.rsc
Mã:
# jul/22/2023 13:22:28 by RouterOS 7.9.2
# software id =
#
/interface bridge
add name=Bridge-VLAN-TRUNKs
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out1 user=ppp1
add disabled=no interface=ether2 name=pppoe-out2 user=ppp2
/interface vlan
add interface=Bridge-VLAN-TRUNKs name=vlan10 vlan-id=10
add interface=Bridge-VLAN-TRUNKs name=vlan20 vlan-id=20
/disk
set slot1 slot=slot1 type=hardware
/interface list
add name=Bridge-LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool2 ranges=10.20.20.2-10.20.20.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Bridge-VLAN-TRUNKs lease-time=1d name=\
dhcp1
add address-pool=dhcp_pool1 interface=vlan10 lease-time=1d name=dhcp2
add address-pool=dhcp_pool2 interface=vlan20 lease-time=1d name=dhcp3
/port
set 0 name=serial0
/routing table
add disabled=no fib name=via-ISP1
add disabled=no fib name=via-ISP2
/interface bridge port
add bridge=Bridge-VLAN-TRUNKs interface=ether5
/interface list member
add interface=Bridge-VLAN-TRUNKs list=Bridge-LAN
add interface=vlan10 list=Bridge-LAN
add interface=vlan20 list=Bridge-LAN
/ip address
add address=192.168.88.1/24 interface=Bridge-VLAN-TRUNKs network=192.168.88.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.20.20.1/24 interface=vlan20 network=10.20.20.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.20.20.0/24 dns-server=10.20.20.1 gateway=10.20.20.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
add address=10.10.10.0/24 list=LAN
add address=10.20.20.0/24 list=LAN
/ip firewall mangle
add action=accept chain=prerouting in-interface=pppoe-out1
add action=accept chain=prerouting in-interface=pppoe-out2
add action=accept chain=prerouting dst-address-list=LAN
add action=mark-connection chain=prerouting in-interface-list=Bridge-LAN \
new-connection-mark=ISP1_Conn passthrough=yes per-connection-classifier=\
both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=ISP1_Conn \
in-interface-list=Bridge-LAN new-routing-mark=via-ISP1 passthrough=no
add action=mark-connection chain=prerouting in-interface-list=Bridge-LAN \
new-connection-mark=ISP2_Conn passthrough=yes per-connection-classifier=\
both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISP2_Conn \
in-interface-list=Bridge-LAN new-routing-mark=via-ISP2 passthrough=no
add action=mark-connection chain=prerouting in-interface=pppoe-out1 \
new-connection-mark=ISP1_Conn passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_Conn \
new-routing-mark=via-ISP1 passthrough=no
add action=mark-connection chain=prerouting in-interface=pppoe-out2 \
new-connection-mark=ISP2_Conn passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_Conn \
new-routing-mark=via-ISP2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
/ip route
add comment=via-ISP1_To_ISP1 disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=pppoe-out1 pref-src="" routing-table=via-ISP1 scope=30 \
suppress-hw-offload=no target-scope=10
add comment=via-ISP2_To_ISP2 disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=pppoe-out2 pref-src="" routing-table=via-ISP2 scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Redirect via-ISP1 To ISP2" disabled=no distance=2 dst-address=\
0.0.0.0/0 gateway=pppoe-out2 pref-src="" routing-table=via-ISP1 scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Redirect via-ISP2 To ISP1" disabled=no distance=2 dst-address=\
0.0.0.0/0 gateway=pppoe-out1 pref-src="" routing-table=via-ISP2 scope=30 \
suppress-hw-offload=no target-scope=10
add comment=To-ISP1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-out1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment=To-ISP2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
pppoe-out2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment="Netwatch ISP1 (Quad9 DNS)" disabled=no distance=1 dst-address=\
9.9.9.9/32 gateway=pppoe-out1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Netwatch ISP2 (Google DNS)" disabled=no distance=1 dst-address=\
8.8.8.8/32 gateway=pppoe-out2 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/system identity
set name=R1
/system note
set show-at-login=no
/tool netwatch
add comment=ISP1 disabled=no down-script="ip route disable [find comment=To-IS\
P1]\r\
\nip route disable [find comment=via-ISP1_To_ISP1]\r\
\n:log warning \"ISP1 is down\"\r\
\n/ip firewall connection remove [find]" host=9.9.9.9 http-codes="" \
interval=10s test-script="" timeout=800ms type=simple up-script="ip route \
enable [find comment=To-ISP1]\r\
\nip route enable [find comment=via-ISP1_To_ISP1]\r\
\n:log warning \"ISP1 is up\""
add comment=ISP2 disabled=no down-script="ip route disable [find comment=To-IS\
P2]\r\
\nip route disable [find comment=via-ISP2_To_ISP2]\r\
\n:log warning \"ISP1 is down\"\r\
\n/ip firewall connection remove [find]" host=8.8.8.8 http-codes="" \
interval=10s test-script="" timeout=800ms type=simple up-script="ip route \
enable [find comment=To-ISP2]\r\
\nip route enable [find comment=via-ISP2_To_ISP2]\r\
\n:log warning \"ISP2 is up\""PCC Load Balancing (2 WAN PPPoE).txt
Mã:
PCC Load Balancing (2 WAN PPPoE)
ISP1 - Download Speed: 1000 Mbps, Upload Speed: 500 Mbps
ISP2 - Download Speed: 1000 Mbps, Upload Speed: 500 Mbps
VLAN10 (10.10.10.0/24)
VLAN20 (10.20.20.0/24)
# 1. ALL LAN Address Lists
/ip firewall address-list
add address=10.10.10.0/24 list=LAN
add address=10.20.20.0/24 list=LAN
# 2. Create Route tables
2.1. Routing > Tables
For via-ISP1,
- Press "+"
- Name: via-ISP1
- FIB: Check
- Press "OK"
2.2 Routing > Tables
For via-ISP1,
- Press "+"
- Name: via-ISP1
- FIB: Check
- Press "OK"
# 3. Script PCC Load Balancing (2 WAN PPPoE)
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!LAN new-routing-mark=via-ISP1 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=LAN
add action=mark-routing chain=prerouting dst-address-list=!LAN new-routing-mark=via-ISP2 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address-list=LAN
OR
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=via-ISP1 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=LAN
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=via-ISP2 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address-list=LAN
# 4. Create 2 routes to ISP1 and ISP2 with the mark routing that you have just created