1. First, set up masquerade on the WAN interface (if the WAN IP address is dynamic) or src-nat (if the WAN IP address is static).
IP > Firewall > [tab] NAT > [+]
[tab] General: Chain: srcnat; Out Interface: ether1-WAN
[tab] Action: Action: masquerade
OK
or
IP > Firewall > [tab] NAT > [+]
[tab] General: Chain: srcnat; Out Interface: ether1-WAN
[tab] Action: Action: src-nat; To Addresses: 10.20.30.1
OK
2. Now allow all already established and related connections (Established, Related).
IP > Firewall > [tab] Filter Rules > [+]
[tab] General: Chain: forward; Connection State: established,related
[tab] Action: Action: accept
OK
3. Allow connections to the DHCP server
IP > Firewall > [tab] Filter Rules > [+]
[tab] General: Chain: input; Protocol: 17 (udp); Dst. Port: 67,68; In Interface: bridge_lan
[tab] Action: Action: accept
OK
4. Allow everything within our own subnet
IP > Firewall > [tab] Filter Rules > [+]
[tab] General: Chain: forward; Src. Address: 10.50.0.0/16; In Interface: bridge_lan; Out Interface: bridge_lan
[tab] Action: Action: accept
OK
5. Block torrents on ports 6881-6999
IP > Firewall > [tab] Filter Rules > [+]
[tab] General: Chain: forward; Protocol: 17 (udp); Dst. Port: 6881-6999; In Interface: bridge_lan; Out Interface: bridge_lan
[tab] Action: Action: drop
OK
6. Block traffic from the .100 subnet (optional)
IP > Firewall > [tab] Filter Rules > [+]
[tab] General: Chain: forward; Src. Address: 10.50.100.0/24; In Interface: bridge_lan; Out Interface: bridge_lan
[tab] Action: Action: drop
OK
7. Allow the VPN networks
IP > Firewall > [tab] Address Lists > [+]
Name: vpn-nets; Address: 10.10.0.0/16
[OK]
IP > Firewall > [tab] Address Lists > [+]
Name: vpn-nets; Address: 10.30.0.0/16
[OK]
IP > Firewall > [tab] Filter Rules > [+]
[tab] General: Chain: forward; In Interface: bridge_lan; Out Interface: bridge_lan
[tab] Advanced: Src. Address List: vpn-nets
[tab] Action: Action: accept
[OK]
8. Block everything else
IP > Firewall > [tab] Filter Rules > [+]
[tab] General: Chain: forward; In Interface: bridge_lan; Out Interface: bridge_lan
[tab] Action: Action: drop
OK
Command line
/ip firewall nat add action=src-nat chain=srcnat out-interface=ether1-WAN to-addresses=10.50.30.1
/ip firewall filter add action=accept chain=forward comment="Accept Established, Related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Accept DHCP" dst-port=67,68 in-interface=bridge_lan protocol=udp
/ip firewall filter add action=drop chain=forward comment="Drop Torrent" dst-port=6881-6999 in-interface=bridge_lan out-interface=bridge_lan protocol=udp
/ip firewall filter add action=drop chain=forward comment="Drop forward from 10.50.100.0/24" in-interface=bridge_lan out-interface=bridge_lan src-address=10.50.100.0/24
/ip firewall filter add action=accept chain=forward comment="Accept from vpn-nets" in-interface=bridge_lan out-interface=bridge_lan src-address-list=vpn-nets
/ip firewall filter add action=accept chain=forward comment="Accept from 10.50.0.0/16" in-interface=bridge_lan out-interface=bridge_lan src-address=10.50.0.0/16
/ip firewall filter add action=drop chain=forward comment="Drop All" in-interface=bridge_lan out-interface=bridge_lan
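RouterOS evaluates a chain top to bottom and the first matching rule wins, so the position of the broad "Accept from 10.50.0.0/16" rule decides whether the torrent and .100 drop rules ever see a packet; the GUI steps and the command-line block above list the same rules in different orders. The following Python model is an added example, not part of the original post: it replays the page's bridge_lan forward rules (its own addresses and ports, constructed sample packets) in both orders. The established/related and DHCP input rules are left out because the modelled packets are new forward-chain connections.

```python
import ipaddress

# Minimal model of RouterOS first-match filtering for the forward chain.
# Addresses, ports and comments are the post's own; packets are constructed.
VPN_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.30.0.0/16")]

def rule(action, src=None, proto=None, dports=None, src_list=None, comment=""):
    """Build a rule that only matches bridge_lan -> bridge_lan traffic,
    like every forward rule on the page; unset matchers match anything."""
    net = ipaddress.ip_network(src) if src else None
    def match(p):
        if p["in"] != "bridge_lan" or p["out"] != "bridge_lan":
            return False
        ip = ipaddress.ip_address(p["src"])
        if net is not None and ip not in net:
            return False
        if proto is not None and p["proto"] != proto:
            return False
        if dports is not None and not dports[0] <= p["dport"] <= dports[1]:
            return False
        if src_list is not None and not any(ip in n for n in src_list):
            return False
        return True
    return (action, match, comment)

ACCEPT_LAN = rule("accept", src="10.50.0.0/16", comment="Accept from 10.50.0.0/16")
DROP_TORRENT = rule("drop", proto="udp", dports=(6881, 6999), comment="Drop Torrent")
DROP_100 = rule("drop", src="10.50.100.0/24", comment="Drop forward from 10.50.100.0/24")
ACCEPT_VPN = rule("accept", src_list=VPN_NETS, comment="Accept from vpn-nets")
DROP_ALL = rule("drop", comment="Drop All")

# Order in which the GUI steps add the rules, and the order of the CLI block.
GUI_ORDER = [ACCEPT_LAN, DROP_TORRENT, DROP_100, ACCEPT_VPN, DROP_ALL]
CLI_ORDER = [DROP_TORRENT, DROP_100, ACCEPT_VPN, ACCEPT_LAN, DROP_ALL]

def verdict(rules, packet):
    """Return (action, comment) of the first matching rule. A packet that
    matches no rule in the chain is accepted, as RouterOS does by default."""
    for action, match, comment in rules:
        if match(packet):
            return action, comment
    return "accept", "(no rule matched, chain default)"

def pkt(src, proto="tcp", dport=80):
    """Constructed LAN-to-LAN packet as seen by the forward chain."""
    return {"src": src, "proto": proto, "dport": dport, "in": "bridge_lan", "out": "bridge_lan"}

if __name__ == "__main__":
    for p in (pkt("10.50.1.5", "udp", 6890), pkt("10.50.100.7"), pkt("10.10.2.3"), pkt("192.168.9.9")):
        print(p["src"], "GUI order:", verdict(GUI_ORDER, p), "CLI order:", verdict(CLI_ORDER, p))
```

With the GUI order, UDP 6890 from 10.50.1.5 and any traffic from 10.50.100.7 are accepted by the broad subnet rule before the drop rules are reached; the CLI order drops both, which is the behaviour the step descriptions intend.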
Continuation of the post: https://blog.cssoft.pl/post/mikrotik-wysylaj-maila-jesli-ktos-duzo-sciaga
IP -> Firewall -> [tab] Mangle -> [+]
Chain: prerouting
[tab] Advanced: Src. Address List: Download_1G
[tab] Action: Action: mark packet; New Packet Mark: 1G_slow; [ ] Passthrough #important!
[OK]
Queues -> [tab] Simple Queues -> [+]
Name: 1G_slow; Target: 0.0.0.0/0 #all addresses; Target Upload Max Limit: 10M; Target Download Max Limit: 10M
[tab] Advanced: Packet Marks: 1G_slow
[OK]
IP -> Firewall -> [tab] Mangle -> [+]
Chain: prerouting; Src. Address: 10.20.30.0/24
[tab] Advanced: Src. Address List: [!] download_1G #if the address is not yet on that list; Connection Byte: 1000M-0
[tab] Action: Action: add_src_to_address_list; [check] Log; Log Prefix: Download_1G; Address List: download_1G; Timeout: 24:00:00; Comment: 'Download > 1G'
[OK]
System -> Logging -> [tab] Rules -> [+]
Topics: firewall; Action: email
[OK]