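# Template prepared by Alexander, bafista.ru
#
# Firewall taken from: https://smartadm.ru/mikrotik-nastrojka-firewall/
#
# QoS taken from: https://mum.mikrotik.com/presentations/US19/presentation_6425_1554933623.pdf
#
# ether1 - external (WAN), ether2 - internal (LAN).
# "External" is whichever interface is a member of the WAN interface list;
# change the member below to match your own uplink interface (the queue
# tree further down also names ether1/ether2 directly - keep them in sync).
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN

# Firewall setup
# Shorter established-TCP timeout than the default so stale entries leave
# the connection table sooner.
/ip firewall connection tracking
set tcp-established-timeout=2h

# input chain: traffic addressed to the router itself.
# Order matters: established/related is accepted first, then blacklists are
# enforced, then scanners/flooders are recorded, then WinBox is rate-limited.
/ip firewall filter
add action=accept chain=input comment="Allow established & related connections" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
# Everything arriving on a non-WAN interface (i.e. the LAN) may reach the router.
add action=accept chain=input comment="allow to local" in-interface-list=!WAN
add action=drop chain=input comment="Dropping all blacklisted IP" src-address-list=BAN_black_list
add action=drop chain=input src-address-list=BAN-BruteForce
# SYN flood: more than 30 new TCP connections from one /32 -> 30 minute ban.
add action=add-src-to-address-list address-list=BAN_black_list address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 connection-state=new in-interface-list=WAN protocol=tcp tcp-flags=syn
# Port scan detection and classic nmap flag-combination scans -> 2 week ban.
add action=add-src-to-address-list address-list=BAN_black_list address-list-timeout=2w chain=input comment="Port scanners to list" in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=BAN_black_list address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" in-interface-list=WAN protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=BAN_black_list address-list-timeout=2w chain=input comment="SYN/FIN scan" in-interface-list=WAN protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=BAN_black_list address-list-timeout=2w chain=input comment="SYN/RST scan" in-interface-list=WAN protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=BAN_black_list address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" in-interface-list=WAN protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=BAN_black_list address-list-timeout=2w chain=input comment="ALL/ALL scan" in-interface-list=WAN protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=BAN_black_list address-list-timeout=2w chain=input comment="NMAP NULL scan" in-interface-list=WAN protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# WinBox brute-force protection: new connections to 8291 from WAN are
# rate-limited per source address in the anti-BruteForce chain.
add action=jump chain=input comment="All new connection to port 8291 go to chain \"anti-BruteForce\"" connection-state=new dst-port=8291 in-interface-list=WAN jump-target=anti-BruteForce protocol=tcp
# Up to 5 new connections per minute per source are returned to the input
# chain (and reach the WinBox accept rule below); the 6th is banned for a week.
add action=return chain=anti-BruteForce comment="Checking the connection" dst-limit=5/1m,1,src-address/1m40s
add action=add-src-to-address-list address-list=BAN-BruteForce address-list-timeout=1w chain=anti-BruteForce comment="Add to black list \"BAN-BruteForce\""
# Without a terminal action here the packet that triggered the ban would fall
# back into the input chain and be accepted by the WinBox rule below; drop it.
add action=drop chain=anti-BruteForce comment="Drop the connection that triggered the ban"
add action=accept chain=input comment="Ping access" protocol=icmp
# NOTE(review): WinBox is reachable from WAN here, protected only by the
# rate limit above. If the set of administrator addresses is known, restrict
# this rule with src-address-list instead of exposing it to everyone.
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop other connections"

# forward chain: traffic routed through the router.
add action=accept chain=forward comment="Allow established & related connections" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward comment="Dropping all blacklisted IP" src-address-list=BAN_black_list
# Only port-forwarded (dstnat) traffic may enter from WAN.
add action=drop chain=forward comment="Drop All connections except NAT to WAN interface" connection-nat-state=!dstnat in-interface-list=WAN

# raw runs before connection tracking, so banned WinBox sources are dropped
# cheaply and regardless of connection state.
/ip firewall raw
add action=drop chain=prerouting dst-port=8291 in-interface-list=WAN protocol=tcp src-address-list=BAN-BruteForce

# Enable NAT
# Uses the WAN interface list like the filter rules, so changing the uplink
# only requires updating the list membership above.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

# Packet classification (mangle)
# Each traffic class gets a connection mark on the first packet, then every
# packet of that connection gets one of three packet marks consumed by the
# queue tree below: Controll, RealTime, Applications.
# Note: "port=" matches either source or destination port.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="HTTP traffic" connection-state=new new-connection-mark=HTTP-connect passthrough=yes port=80,443 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP-connect new-packet-mark=Applications passthrough=yes
add action=mark-connection chain=prerouting comment="Winbox traffic" connection-state=new new-connection-mark=Winbox-connect passthrough=yes port=8291 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=Winbox-connect new-packet-mark=Controll passthrough=yes
# Packets already carrying DSCP EF (46) are treated as real-time.
add action=mark-connection chain=prerouting comment="RealTime traffic" connection-state=new dscp=46 new-connection-mark=dscp-EF-connect passthrough=yes
add action=mark-packet chain=prerouting connection-mark=dscp-EF-connect new-packet-mark=RealTime passthrough=yes
add action=mark-connection chain=prerouting comment="SIP traffic" connection-state=new new-connection-mark=SIP-connect passthrough=yes port=1060,1061,5060,5061 protocol=udp
add action=mark-packet chain=prerouting connection-mark=SIP-connect new-packet-mark=RealTime passthrough=yes
add action=mark-connection chain=prerouting comment="RTP traffic" connection-state=new new-connection-mark=RTP-connect passthrough=yes port=10000-20000 protocol=udp
add action=mark-packet chain=prerouting connection-mark=RTP-connect new-packet-mark=RealTime passthrough=yes
add action=mark-connection chain=prerouting comment="Steam traffic RealTime" connection-state=new new-connection-mark=SteamRemotePlay-connect passthrough=yes port=27000-27100 protocol=udp
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=SteamRemotePlay-connect passthrough=yes port=27036 protocol=tcp
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=SteamRemotePlay-connect passthrough=yes port=4380 protocol=udp
add action=mark-packet chain=prerouting connection-mark=SteamRemotePlay-connect new-packet-mark=RealTime passthrough=yes
# DNS is marked per packet directly (no connection mark).
add action=mark-packet chain=prerouting comment="DNS traffic" new-packet-mark=Controll passthrough=yes port=53 protocol=udp
add action=mark-connection chain=prerouting comment="PlexStream traffic" connection-state=new new-connection-mark=PlexStream-connect passthrough=yes port=1900,32400 protocol=udp
add action=mark-packet chain=prerouting connection-mark=PlexStream-connect new-packet-mark=RealTime passthrough=yes
add action=mark-connection chain=prerouting comment="Plex traffic" connection-state=new new-connection-mark=Plex-connect passthrough=yes port=32400 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=Plex-connect new-packet-mark=RealTime passthrough=yes
add action=mark-connection chain=prerouting comment="NAS traffic" connection-state=new new-connection-mark=NAS-connect passthrough=yes port=5000,5001,8008,8443,3808,38443,6690,5005,5006 protocol=tcp
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=NAS-connect passthrough=yes port=21,20,143,993,110,995,25,465 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=NAS-connect new-packet-mark=Applications passthrough=yes
add action=mark-connection chain=prerouting comment=WorldOfTanks connection-state=new new-connection-mark=WOT-connect passthrough=yes port=32800-32900 protocol=udp
add action=mark-packet chain=prerouting connection-mark=WOT-connect new-packet-mark=RealTime passthrough=yes

# Queue setup
# Priority (1 = highest, 8 = lowest/default) only takes effect once the
# parent queue is saturated, so the parent must have a max-limit.
/queue tree
# Upload direction: egress on ether1 (WAN).
add max-limit=100M name=Uplink parent=ether1 queue=ethernet-default
add limit-at=50M max-limit=100M name=Prior3 packet-mark=RealTime parent=Uplink priority=3 queue=ethernet-default
add limit-at=10M max-limit=100M name=Prior1 packet-mark=Controll parent=Uplink priority=1 queue=ethernet-default
add limit-at=30M max-limit=100M name=Prior4 packet-mark=Applications parent=Uplink priority=4 queue=synchronous-default
add max-limit=100M name=Prior8 packet-mark=no-mark parent=Uplink queue=synchronous-default
# Download direction: egress on ether2 (LAN).
# NOTE(review): LocalNET has no max-limit, so its children are never
# contended and their priorities have no effect - set one if shaping is wanted.
add name=LocalNET parent=ether2 queue=ethernet-default
# NOTE(review): queue1 has no explicit priority (defaults to 8) although its
# Uplink counterpart Prior1 uses priority=1 - confirm this is intended.
add limit-at=10M max-limit=1G name=queue1 packet-mark=Controll parent=LocalNET queue=ethernet-default
add limit-at=50M max-limit=1G name=queue3 packet-mark=RealTime parent=LocalNET priority=3 queue=ethernet-default
add limit-at=30M max-limit=1G name=queue4 packet-mark=Applications parent=LocalNET priority=4 queue=synchronous-default
add max-limit=1G name=queue8 packet-mark=no-mark parent=LocalNET queue=synchronous-default
# NOTE(review): Controll-marked packets also pass Prior1/queue1 above; this
# global queue is presumably a leftover - verify it is still wanted.
add limit-at=10M max-limit=100M name=Controll packet-mark=Controll parent=global priority=1 queue=ethernet-default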