Interacción entre dos routers
Se trata de estudiar las diferentes combinaciones para disponer de un router neutro, en nuestra oficina o casa, que se conecte al router proporcionado por el proveedor de acceso a internet (ISP). De esta manera se espera conseguir mayores prestaciones y un mayor control de nuestra red que los que permite el router del ISP.
Configuración de router Mikrotik para Vodafone con IPTV
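# MikroTik RouterOS configuration for Vodafone (Spain) with IPTV.
# Topology: ether8 carries two tagged VLANs from the ISP (100 = data/PPPoE,
# 105 = IPTV), ether7 goes to the IPTV set-top box, ether1-4 are bridged
# as the LAN. XXXX values are placeholders to be filled in per site.

# LAN bridge
/interface bridge
add name=switch0-lan priority=0x1000

# Name physical interfaces by role
/interface ethernet
set [ find default-name=ether7 ] name=ether7-deco
set [ find default-name=ether8 ] name=ether8-wan

# VLANs on the WAN port: 100 = data (PPPoE), 105 = IPTV
/interface vlan
add interface=ether8-wan name=eth8-vlan100 vlan-id=100
add comment=WAN-IPTV interface=ether8-wan name=eth8-vlan105 vlan-id=105

# Interface lists referenced by the firewall rules below.
# EXT-ALL groups both external lists so one forward rule covers them.
/interface list
add name=LAN-IPTV
add name=WAN-IPTV
add name=WAN
add name=LAN
add include=WAN,WAN-IPTV name=EXT-ALL

# DHCP option (code 12 = host-name) attached later to the set-top box lease
/ip dhcp-server option
add code=12 name=VF_Tivo value="'TIVO'"

# Two address pools: one for the LAN, one for the IPTV segment
/ip pool
add name=dhcp-lan-pool ranges=192.168.0.100-192.168.0.200
add name=dhcp-iptv-pool ranges=192.168.10.10-192.168.10.15

# Two DHCP servers, one per segment
/ip dhcp-server
add address-pool=dhcp-lan-pool interface=switch0-lan name=dhcp-lan
add address-pool=dhcp-iptv-pool interface=ether7-deco name=dhcp-iptv

# PPPoE client on the data VLAN; the password is set interactively, not stored here
/interface pppoe-client
add add-default-route=yes comment=WAN disabled=no interface=eth8-vlan100 max-mru=1492 max-mtu=1492 name=pppoe0-wan profile=default-encryption user=XXXXXXXXXX@vodafone

# Bridge ports (ether5/ether6 are intentionally left out of the bridge)
/interface bridge port
add bridge=switch0-lan fast-leave=yes interface=ether1
add bridge=switch0-lan fast-leave=yes interface=ether2
add bridge=switch0-lan fast-leave=yes interface=ether3
add bridge=switch0-lan fast-leave=yes interface=ether4

# Interface list membership
/interface list member
add interface=ether7-deco list=LAN-IPTV
add interface=eth8-vlan105 list=WAN-IPTV
add interface=switch0-lan list=LAN
add interface=eth8-vlan100 list=WAN
add interface=pppoe0-wan list=WAN
add interface=ether8-wan list=WAN

# Router addresses on each internal segment
/ip address
add address=192.168.0.1/24 interface=switch0-lan network=192.168.0.0
add address=192.168.10.1/24 interface=ether7-deco network=192.168.10.0

# DHCP client on the IPTV VLAN. No default route and no peer DNS: the data
# path stays on PPPoE and the IPTV next hop is pinned by the static routes below.
/ip dhcp-client
add add-default-route=no interface=eth8-vlan105 use-peer-dns=no

# Static leases (includes the set-top box, which receives the VF_Tivo option)
/ip dhcp-server lease
add address=192.168.10.10 comment="VF Deco TIVO" dhcp-option=VF_Tivo mac-address=XX:XX:XX:XX:XX:XX server=dhcp-iptv

# DHCP networks. Only the LAN network hands out the router as DNS server.
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.10.0/24 domain=Tivo gateway=192.168.10.1 netmask=24

# DNS over HTTPS via Cloudflare. allow-remote-requests=yes makes the router a
# resolver for anything that reaches it on port 53, so the input chain below
# must keep WAN traffic away from it. verify-doh-cert=yes requires the issuing
# CA certificate to be imported under /certificate; without it DoH lookups fail.
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.2/dns-query verify-doh-cert=yes

# Address lists for the firewall
/ip firewall address-list
add address=192.168.10.0/24 list=LAN-IPTV
add address=192.168.0.0/24 list=LAN

# Firewall filter rules. The input chain has default policy accept, so the
# trailing drop rules are what actually protects the router.
/ip firewall filter
add action=accept chain=input comment="IN - Accept Winbox" dst-port=XXXXX,XXXXX in-interface-list=LAN protocol=tcp src-address-list=LAN
# Any new TCP connection from WAN to one of these ports blacklists the source for 10h
# (the drop itself happens in /ip firewall raw on the next packet).
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=10h chain=input comment="IN - Add Src to Blacklist" connection-state=new dst-port=20-25,80,110,161,443,445,3128,3306,3333,3389,7547,8291,8080-8082 in-interface-list=WAN log=yes log-prefix="FWALL- ADD BLACKLIST" protocol=tcp
add action=accept chain=input comment="IN - Accept Established and related" connection-state=established,related
add action=drop chain=input comment="IN - Drop Invalid" connection-state=invalid
# ICMP is accepted from any interface, including WAN
add action=accept chain=input comment="IN - Accept ICMP" protocol=icmp
add action=accept chain=input comment="IN WAN IPTV - Allow IPTV Multicast UDP" in-interface-list=WAN-IPTV protocol=udp
add action=accept chain=input comment="IN WAN IPTV - Accept IGMP" in-interface-list=WAN-IPTV protocol=igmp
# Internal accept rules match both the source list AND the ingress interface,
# so a packet arriving on WAN with a forged 192.168.x.x source does not qualify.
add action=accept chain=input comment="IN LAN - Accept 53 UDP (DNS)" dst-port=53 in-interface-list=LAN protocol=udp src-address-list=LAN
add action=accept chain=input comment="IN LAN IPTV - Allow IGMP" in-interface-list=LAN-IPTV protocol=igmp src-address-list=LAN-IPTV
add action=accept chain=input comment="IN LAN IPTV - Allow UDP" in-interface-list=LAN-IPTV protocol=udp src-address-list=LAN-IPTV
# Final input drops. The address-based rule alone let a WAN packet with a
# spoofed LAN source fall through to the default accept; the second rule,
# keyed on the ingress interface, closes that gap.
add action=drop chain=input comment="IN - Drop all not comming from LAN" log=yes log-prefix="FWALL - IN DROP" src-address-list=!LAN
add action=drop chain=input comment="IN - Drop all not arriving on LAN" log=yes log-prefix="FWALL - IN DROP" in-interface-list=!LAN
# Forward chain. Fasttracked packets skip mangle, so the IPTV priority rule
# below only sees the first packets of a flow.
add action=fasttrack-connection chain=forward comment="FW - FastTrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="FW - Accept Established and related" connection-state=established,related
add action=drop chain=forward comment="FW - Drop Invalid" connection-state=invalid
add action=accept chain=forward comment="FW WAN IPTV - Allow IPTV Multicast UDP" in-interface-list=WAN-IPTV protocol=udp
# Everything new from outside that was not dst-nat'ed is dropped; LAN <-> LAN-IPTV
# forwarding is not restricted here and falls to the default accept.
add action=drop chain=forward comment="FW - Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=EXT-ALL log=yes log-prefix="FWALL - FW DROP"

# Prioritise IPTV packets on egress
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface-list=WAN-IPTV passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface-list=WAN passthrough=no

# NAT, one masquerade per external list
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT - WAN-IPTV" out-interface-list=WAN-IPTV
add action=masquerade chain=srcnat comment="NAT - WAN" out-interface-list=WAN

# Raw table: drop blacklisted sources before connection tracking, and blacklist
# the peer of any router reply carrying the login-failure text (the content
# string has to match the exact message the service emits; confirm per RouterOS version).
/ip firewall raw
add action=drop chain=prerouting comment="Drop Address From Blacklist" log=yes log-prefix="FWALL - BLACKLIST DROP" src-address-list=Blacklist
add action=add-dst-to-address-list address-list=Blacklist address-list-timeout=10m chain=output comment="add a device performing unsuccessful authorization to BlackList" content="invalid user name or password" log=yes log-prefix=BRUTEFORCE

# Static routes required for Vodafone IPTV. The next hop 10.214.80.1 is
# hard-coded although the IPTV VLAN is addressed by DHCP; if the lease gateway
# changes these routes stop working and must be updated to match.
/ip route
add disabled=no distance=1 dst-address=10.8.57.0/24 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.8.58.0/24 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.8.59.0/24 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.15.220.0/24 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.179.32.0/23 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

# Management services: plaintext/legacy ones disabled, the rest bound to the
# LAN subnet on non-default ports (fill in the port placeholders).
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24 port=XXXXXX
set www-ssl address=192.168.0.0/24 port=XXXX
set api disabled=yes
set winbox address=192.168.0.0/24 port=XXXXX
set api-ssl disabled=yes

# IGMP proxy: upstream on the IPTV VLAN, downstream towards the set-top box
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=eth8-vlan105 upstream=yes
add interface=ether7-deco

# System clock and NTP
/system clock
set time-zone-name=Europe/Madrid
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.es.pool.ntp.org
add address=1.es.pool.ntp.org
add address=2.es.pool.ntp.org
add address=3.es.pool.ntp.org

/system routerboard settings
set cpu-frequency=auto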