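# ================================
# MAIN VARIABLES
# ================================
# Dual-WAN (PPPoE + static ISP2) failover / load-sharing setup.
#
# The :local values below are only visible to later commands when the file is
# executed as one script (for example with /import); pasted line by line into
# a terminal, every line gets its own scope and the $NAME references are empty.
#
# NOTE(review): several variables (ISP*_IF, LAN*_IF, LAN*_NAME, ISP1_NAME,
# PPPoE_USER, PPPoE_PASS, LAN_IP, LAN_NET, LAN_POOL, ISP2_IP, ISP2_NET,
# ISP2_NET_MASK, LAN_IP_NOMASK, IP_FORWARD, PORT_FORWARD) are not referenced
# anywhere in this listing; presumably they belong to sections not shown.
:local ISP1_IF "ether1"
:local ISP2_IF "ether2"
:local LAN1_IF "ether3"
:local LAN2_IF "ether4"
:local LAN3_IF "ether5"
:local ISP1_NAME "ISP1"
:local ISP2_NAME "ISP2"
:local LAN1_NAME "LAN1"
:local LAN2_NAME "LAN2"
:local LAN3_NAME "LAN3"
:local PPPoE_NAME "pppoe-out1"
:local PPPoE_USER "user@provedor.com.br"
# Placeholder only. A real PPPoE password written here ends up in clear text in
# every copy, backup and repository that holds this file.
:local PPPoE_PASS "suaSenhaAqui"
:local LAN_IP "192.168.6.1/24"
:local LAN_NET "192.168.6.0"
:local LAN_POOL "192.168.6.100-192.168.6.198"
:local ISP2_IP "192.168.10.100/24"
:local ISP2_NET "192.168.10.0"
:local ISP2_NET_MASK "192.168.10.0/24"
:local ISP2_GW "192.168.10.1"
:local LAN_IP_NOMASK "192.168.6.1"
:local LAN_NET_MASK "192.168.6.0/24"
:local ROUTER_NAME "Abratel-Router"
:local TIMEZONE "America/Sao_Paulo"
:local EMAIL_FROM "alerts@abratel.com.br"
:local EMAIL_USER "alerts@abratel.com.br"
:local EMAIL_SERVER "smtp.ionos.com"
:local EMAIL_PORT "587"
:local IP_FORWARD "192.168.6.5"
:local PORT_FORWARD "45678"
:local EMAIL_CLIENT "email@gmail.com"

# ================================
# ROUTING TABLES
# ================================
# to_wan1 / to_wan2 are the tables selected by the mangle routing marks below.
# ISP1_ROUTE / ISP2_ROUTE are created but not used in this listing.
/routing table
add fib name=ISP1_ROUTE
add fib name=ISP2_ROUTE
add fib name=to_wan1
add fib name=to_wan2

# ================================
# FIREWALL FILTER
# ================================
# NOTE(review): this rule set has no "accept established,related" rule and no
# final drop on the input or forward chain, so anything not matched below is
# accepted. What is reachable from the WAN side therefore depends entirely on
# /ip service (only WinBox on tcp/81 is left enabled there). If a default-deny
# is added, an established/related accept has to come first, otherwise the
# router's own ping probes and NTP replies are dropped too.
#
# NOTE(review): the rules assume interfaces named "$ISP2_NAME", "$PPPoE_NAME"
# and "bridge1" already exist, and that the address list ips_lan is populated;
# none of that is created in this listing.
/ip firewall filter
# Management allow-list: sources in ips_lan are accepted before any other
# input rule, so they also skip the WinBox rate limiter below.
add action=accept chain=input src-address-list=ips_lan
# Pin each probe target to a single uplink: together with the /32 routes in
# /ip route, these drops keep a probe for one link from leaving through the
# other, so the ping result reflects only the link being tested.
add action=drop chain=output dst-address=200.160.0.8 out-interface=$ISP2_NAME
add action=drop chain=output dst-address=1.1.1.1 out-interface=$ISP2_NAME
add action=drop chain=output dst-address=1.0.0.1 out-interface=$PPPoE_NAME
add action=drop chain=output dst-address=208.67.220.220 \
    out-interface=$PPPoE_NAME
# Refuse DNS queries arriving on either WAN interface, so the router does not
# answer as a resolver for the Internet.
add action=drop chain=input dst-port=53 in-interface=$PPPoE_NAME protocol=tcp
add action=drop chain=input dst-port=53 in-interface=$ISP2_NAME protocol=tcp
add action=drop chain=input dst-port=53 in-interface=$PPPoE_NAME protocol=udp
add action=drop chain=input dst-port=53 in-interface=$ISP2_NAME protocol=udp
# WinBox (tcp/81) connection-rate limiter. The list names say "ssh" but every
# rule matches dst-port=81. Rule order matters: the add-src-to-address-list
# action does not stop processing, so a source climbs stage1 -> stage2 ->
# stage3 on successive new connections within the 1 minute timeouts, and the
# connection that reaches stage3 is put on ssh_blacklist (14w2d) by the last
# staging rule. The drop at the top then applies to its next connection.
# Caveat: the trigger is a new connection, not a failed login, so repeated
# legitimate reconnects are counted as well; keep administrators' addresses
# in ips_lan so they are never staged.
add action=drop chain=input comment="drop WINBOX brute forcers" dst-port=81 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=14w2d chain=input connection-state=new dst-port=81 \
    hotspot="" protocol=tcp src-address-list=ssh_stage3
# WinBox is accepted from any source address that is not blacklisted.
add action=accept chain=input dst-port=81 protocol=tcp
# Everything forwarded through, or sent by, the router is accepted.
add action=accept chain=forward
add action=accept chain=output

# ================================
# FIREWALL MANGLE (load sharing)
# ================================
/ip firewall mangle
# LAN-to-LAN traffic is accepted here so it never receives a routing mark.
add action=accept chain=prerouting dst-address=$LAN_NET_MASK \
    src-address=$LAN_NET_MASK
# Per-connection classifier on the source address with two buckets:
# bucket 0 is routed through table to_wan1, bucket 1 through to_wan2.
add action=mark-routing chain=prerouting dst-address-type=!local \
    in-interface=bridge1 new-routing-mark=to_wan1 \
    per-connection-classifier=src-address:2/0
add action=mark-routing chain=prerouting dst-address-type=!local \
    in-interface=bridge1 new-routing-mark=to_wan2 \
    per-connection-classifier=src-address:2/1

# ================================
# ROUTES
# ================================
# The comment= values are looked up by the scripts further down
# ("primary gateway", "secondary gateway", "marcacao 1", "marcacao 2");
# renaming one here without updating the scripts breaks the failover.
/ip route
add comment="secondary gateway" disabled=no distance=3 dst-address=0.0.0.0/0 \
    gateway=$ISP2_GW routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="primary gateway" disabled=no distance=2 dst-address=0.0.0.0/0 \
    gateway=$PPPoE_NAME routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# Host routes that force each probe target out of one specific uplink.
add disabled=no distance=1 dst-address=1.0.0.1/32 gateway=$ISP2_GW \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=1.1.1.1/32 gateway=$PPPoE_NAME \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=200.160.0.8/32 gateway=$PPPoE_NAME \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=208.67.220.220/32 gateway=$ISP2_GW \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Default routes of the two policy-routing tables.
add comment="marcacao 2" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=$ISP2_GW routing-table=to_wan2 scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="marcacao 1" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=$PPPoE_NAME routing-table=to_wan1 scope=30 suppress-hw-offload=no \
    target-scope=10

# ================================
# SERVICES
# ================================
# Only WinBox stays enabled, moved to tcp/81.
# NOTE(review): no address= restriction is set on winbox, so the firewall
# rules above are the only thing limiting who can reach it; consider limiting
# the service to the management networks.
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set winbox port=81
set www disabled=yes port=8080
set api disabled=yes
set api-ssl disabled=yes

# ================================
# SYSTEM
# ================================
# Clock and identity take their values from the variables declared at the top
# (same values as before, no longer duplicated as literals).
/system clock
set time-zone-name=$TIMEZONE
/system identity
set name=$ROUTER_NAME
/system ntp client
set enabled=yes
/system ntp server
set manycast=yes
/system ntp client servers
add address=200.160.0.8
add address=200.189.40.8

# ================================
# SCHEDULER
# ================================
# NOTE(review): limparegistrosip, verificanat and delay-limparegistrosip are
# not defined in this listing; presumably they exist elsewhere on the router.
# NOTE(review): every entry is granted the complete policy set (including
# reboot, password, sniff, sensitive). The scripts visible here only ping,
# read and change routes, log and send mail; trim the policies to what each
# job uses after confirming the minimum on the target RouterOS version.
/system scheduler
add interval=4h name=limparegistro on-event=limparegistrosip \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2019-09-03 start-time=00:19:17
add interval=10m name=verificanat on-event=verificanat \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2019-09-03 start-time=00:20:07
add interval=12h name=reboot-limparegistro on-event=delay-limparegistrosip \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=4m name="Check Internet Provedor2" \
    on-event=check_internet_provedor2 \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=2m name="Check Internet Provedor 1" \
    on-event=check_internet_provedor1 \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1d name="Lembrete Internet Provedor2" \
    on-event=lembrete_provedor2 \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2022-11-23 start-time=06:00:00
add interval=1d name="Lembrete Provedor1" on-event=lembrete_provedor1 \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2022-11-23 start-time=06:12:30

# ================================
# SCRIPTS
# ================================
# Quoting inside source="...": \$name is kept literally and evaluated when the
# script runs; an unescaped $EMAIL_CLIENT is substituted once, while this file
# is being imported, with the value declared at the top.
#
# NOTE(review): dont-require-permissions=yes makes the script run without
# checking the caller's permissions (netwatch and the scheduler call these).
# Combined with the complete policy set, whoever can edit or trigger one of
# these scripts gets all of those rights; reduce policy= to what the script
# needs and keep write access to /system script restricted.
/system script
# ISP2 health check: ping 1.0.0.1 (pinned to ISP2) and enable or disable the
# to_wan2 default route ("marcacao 2") to match.
add dont-require-permissions=yes name=check_internet_provedor2 owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":local reachable;\r\
    \n:if ([/ping 1.0.0.1 count=8] > 0) do={:set reachable 1} else={:set reachable 0}\r\
    \n:local unreachable [/ip route print count-only where comment=\"marcacao 2\" && disabled=no]\r\
    \n:local msg \"\"\r\
    \n:put \"reachable is \$reachable \"\r\
    \n\r\
    \n# unreachable holds the number of ENABLED marcacao 2 routes, so the value 1\r\
    \n# means the ISP2 policy route is currently in use\r\
    \n:if (\$unreachable = 1) do={\r\
    \n    :if (\$reachable = 0) do={\r\
    \n        :set msg \"Internet Secundaria parou de funcionar - OFF\"\r\
    \n        /ip route set [find comment=\"marcacao 2\"] disabled=yes\r\
    \n    }\r\
    \n} else={\r\
    \n    :if (\$reachable > 0) do={\r\
    \n        :set msg \"Internet secundaria voltou a funcionar - ON\"\r\
    \n        /ip route set [find comment=\"marcacao 2\"] disabled=no\r\
    \n    }\r\
    \n}\r\
    \n# output/feedback\r\
    \n:if (\$msg != \"\") do={\r\
    \n    :log info \"\$msg\"\r\
    \n    :put \".:. \$msg\"\r\
    \n}"
# ISP1 health check: ping 1.1.1.1 (pinned to PPPoE); on failure swap the
# distances of the two main-table default routes and disable the to_wan1
# route, on recovery restore them.
add dont-require-permissions=yes name=check_internet_provedor1 owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":local reachable;\r\
    \n:if ([/ping 1.1.1.1 count=4] > 0) do={:set reachable 1} else={:set reachable 0}\r\
    \n:local unreachable [/ip route print count-only where comment=\"primary gateway\" && distance=2]\r\
    \n:local msg \"\"\r\
    \n:put \"reachable is \$reachable \"\r\
    \n# unreachable holds the number of primary gateway routes still at distance 2,\r\
    \n# so the value 1 means the primary link is currently the preferred one\r\
    \n:if (\$unreachable = 1) do={\r\
    \n    :if (\$reachable = 0) do={\r\
    \n        :set msg \"Internet provedor1 nao esta funcionando - OFF\"\r\
    \n        /ip route set [find comment=\"primary gateway\"] distance=3\r\
    \n        /ip route set [find comment=\"secondary gateway\"] distance=2\r\
    \n        /ip route set [find comment=\"marcacao 1\"] disabled=yes\r\
    \n    }\r\
    \n} else={\r\
    \n    :if (\$reachable > 0) do={\r\
    \n        :set msg \"Internet principal funcionando novamente - ON\"\r\
    \n        /ip route set [find comment=\"primary gateway\"] distance=2\r\
    \n        /ip route set [find comment=\"secondary gateway\"] distance=3\r\
    \n        /ip route set [find comment=\"marcacao 1\"] disabled=no\r\
    \n    }\r\
    \n}\r\
    \n# output/feedback\r\
    \n:if (\$msg != \"\") do={\r\
    \n    :log info \"\$msg\"\r\
    \n    :put \".:. \$msg\"\r\
    \n}"
# Daily reminder for ISP2: mails the customer while the "marcacao 2" route is
# still disabled and 1.0.0.1 still does not answer.
add dont-require-permissions=yes name=lembrete_provedor2 owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":local reachable;\r\
    \n:if ([/ping 1.0.0.1 count=6] > 0) do={:set reachable 1} else={:set reachable 0}\r\
    \n:local unreachable [/ip route print count-only where comment=\"marcacao 2\" && disabled=yes]\r\
    \n:local msg \"\"\r\
    \n:put \"reachable is \$reachable \"\r\
    \n\r\
    \n# unreachable holds the number of DISABLED marcacao 2 routes, so the value 1\r\
    \n# means the earlier failover for ISP2 is still in effect\r\
    \n:if (\$unreachable = 1) do={\r\
    \n    :if (\$reachable = 0) do={\r\
    \n        :set msg \"Internet Secundaria continua sem funcionar. OFF\"\r\
    \n        /tool e-mail send to=\"$EMAIL_CLIENT\" \\\r\
    \n            subject=\"\$[/system identity get name]: Internet 4G continua sem funcionar. OFF\" \\\r\
    \n            body=\"Lembrete que a internet secundaria continua sem funcionar. Favor verificar reparo tecnico junto ao provedor.\"\r\
    \n    }\r\
    \n}\r\
    \n# output/feedback\r\
    \n:if (\$msg != \"\") do={\r\
    \n    :log info \"\$msg\"\r\
    \n    :put \".:. \$msg\"\r\
    \n}"
# Daily reminder for ISP1: mails the customer while the primary gateway is
# still demoted to distance 3 and 1.1.1.1 still does not answer.
add dont-require-permissions=yes name=lembrete_provedor1 owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":local reachable;\r\
    \n:if ([/ping 1.1.1.1 count=6] > 0) do={:set reachable 1} else={:set reachable 0}\r\
    \n:local unreachable [/ip route print count-only where comment=\"primary gateway\" && distance=3]\r\
    \n:local msg \"\"\r\
    \n:put \"reachable is \$reachable \"\r\
    \n\r\
    \n# unreachable holds the number of primary gateway routes at distance 3, so\r\
    \n# the value 1 means the earlier failover for ISP1 is still in effect\r\
    \n:if (\$unreachable = 1) do={\r\
    \n    :if (\$reachable = 0) do={\r\
    \n        :set msg \"Provedor Primaria continua sem funcionar. OFF\"\r\
    \n        /tool e-mail send to=\"$EMAIL_CLIENT\" \\\r\
    \n            subject=\"\$[/system identity get name]: Internet Primaria Imicro continua sem funcionar. OFF\" \\\r\
    \n            body=\"Lembrete que a internet Provedor Primario continua sem funcionar. Favor verificar reparo tecnico junto ao provedor.\"\r\
    \n    }\r\
    \n}\r\
    \n# output/feedback\r\
    \n:if (\$msg != \"\") do={\r\
    \n    :log info \"\$msg\"\r\
    \n    :put \".:. \$msg\"\r\
    \n}"

# ================================
# E-MAIL
# ================================
# The original line had an empty from= value; the sender now comes from
# EMAIL_FROM, and server, port and user use the variables declared at the top.
# No SMTP password is set in this file; configure it on the router out of band
# rather than adding it here in clear text.
/tool e-mail
set from=$EMAIL_FROM port=$EMAIL_PORT server=$EMAIL_SERVER tls=yes \
    user=$EMAIL_USER

# ================================
# NETWATCH
# ================================
# Each probe runs the matching check script on both the up and the down
# transition; the script itself decides what to change from its own ping.
/tool netwatch
add comment=provedor1 disabled=no down-script=check_internet_provedor1 \
    host=200.160.0.8 http-codes="" interval=10s name=CheckInternetProvedor1 \
    test-script="" timeout=200ms type=simple \
    up-script=check_internet_provedor1
add comment=provedor2 disabled=no down-script=check_internet_provedor2 \
    host=208.67.220.220 http-codes="" name=CheckInternetProvedor2 \
    test-script="" type=simple up-script=check_internet_provedor2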