update

docs/network/mikrotik/bgp.md

@@ -1,12 +0,0 @@
-# BGP на RouterOS 7 
-
-```
-/routing bgp template
-add as="ВАША ВЫДУМАННАЯ AS БЕЗ СКОБОК" disabled=no hold-time=4m input.filter=bgp_in .ignore-as-path-len=yes keepalive-time=1m multihop=yes name=antifilter routing-table=main
-
-/routing bgp connection
-add disabled=no hold-time=4m input.filter=bgp_in .ignore-as-path-len=yes keepalive-time=1m local.address= "ВАШ ВНУТРЕННИЙ ИП БЕЗ СКОБОК" .role=ebgp multihop=yes name=antifilter_bgp remote.address=45.154.73.71/32 .as=65432 router-id="ВАШ ВНЕШНИЙ ИП БЕЗ СКОБОК" routing-table=main templates=antifilter
-
-/routing filter rule
-add chain=bgp_in disabled=no rule="set gw "название VPN интерфейса"; accept;" 
-```

docs/network/mikrotik/chr.md

@@ -1,14 +1,188 @@
 # Cloud Hosted Router
 
-У MikroTik CHR статический IP
+## Установка IP адреса
 
-```plaintext
+=== "У MikroTik CHR статический IP"
+
+    ```
     /ip address add interface=ether1 address=10.103.0.111 netmask=255.255.255.0
     /ip route add gateway=10.103.0.254 dst-address=0.0.0.0/0 distance=1
     ```
 
-У MikroTik CHR автоматический IP(dhcp)
+=== "У MikroTik CHR автоматический IP(dhcp)"
 
-```plaintext
+    ```
     /ip dhcp-client add disabled=no interface=ether1
     ```
+
+## Настройка NTP
+
+```
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=193.171.23.163
+add address=85.114.26.194
+```
+
+## Настройка Firewall
+
+=== "Filter"
+
+    ```
+    /ip firewall filter
+    add action=accept chain=input dst-port=22024,29514 in-interface=ether1 \
+        protocol=tcp src-address-list=Admin_IP
+    add action=accept chain=input comment="VPN Wireguard" dst-port=34567 \
+        in-interface=ether1 protocol=udp
+    add action=accept chain=input dst-port=34568 in-interface=ether1 protocol=udp \
+        src-address=5.189.70.251
+    add action=accept chain=input dst-port=34569 in-interface=ether1 protocol=udp
+    add action=accept chain=input comment=l2tp port=1701,500,4500 protocol=udp \
+        src-address=95.59.244.153
+    add action=accept chain=input protocol=ipsec-esp
+    add action=accept chain=input comment=Socks5 dst-port=24444 \
+        in-interface-list=VPN protocol=tcp
+    add action=drop chain=input dst-port=24444 in-interface-list=!VPN protocol=\
+        tcp
+    add action=accept chain=input comment="Web Proxy" dst-port=25555 \
+        in-interface-list=VPN log=yes log-prefix=webproxy protocol=tcp
+    add action=drop chain=input connection-state="" dst-port=8080 \
+        in-interface-list=!VPN port="" protocol=tcp src-port=""
+    add action=drop chain=input connection-state="" dst-port=25555 \
+        in-interface-list=!VPN port="" protocol=tcp src-port=""
+    add action=return chain=detect-ddos comment="Anti DDos" dst-limit=\
+        32,32,src-and-dst-addresses/10s
+    add action=add-dst-to-address-list address-list=ddos-target \
+        address-list-timeout=10m chain=detect-ddos
+    add action=add-src-to-address-list address-list=ddos-attackers \
+        address-list-timeout=10m chain=detect-ddos
+    add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
+        protocol=tcp tcp-flags=syn,ack
+    add action=fasttrack-connection chain=forward comment=" fasttrack" \
+        connection-state=established,related hw-offload=yes
+    add action=accept chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \F3\F1\F2\
+        \E0\ED\EE\E2\EB\E5\ED\ED\FB\E5 \E8 \F1\E2\FF\E7\E0\ED\ED\FB\E5 \E2\F5\EE\
+        \E4\F9\E8\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=\
+        established,related,untracked
+    add action=accept chain=forward connection-state=\
+        established,related,untracked
+    add action=drop chain=input comment="Drop invalid" connection-state=invalid \
+        log-prefix=invalid
+    add action=drop chain=forward connection-state=invalid log-prefix=invalid
+    add action=drop chain=input connection-state="" dst-port=53 \
+        in-interface-list=WAN port="" protocol=udp src-port=""
+    add action=drop chain=input comment=NTP connection-state=new dst-port=123 \
+        in-interface-list=WAN log-prefix=" " protocol=tcp
+    add action=drop chain=input connection-state=new dst-port=123 \
+        in-interface-list=WAN log-prefix=" " protocol=udp
+    add action=drop chain=input comment="Drop SSH brutforce" dst-port=22-23 \
+        protocol=tcp
+    add action=accept chain=input comment="defconf: accept ICMP after RAW" \
+        protocol=icmp
+    add action=accept chain=input comment="\F0\E0\E7\F0\E5\F8\E0\E5\EC \EF\EE\E4\
+        \EA\EB\FE\F7\E5\ED\E8\FF \E8\E7 \ED\E0\F8\E5\E9 \EB\EE\EA \F1\E5\F2\E8" \
+        in-interface=!ether1 src-address=192.168.3.0/24
+    add action=drop chain=forward comment=\
+        "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
+        connection-state=new in-interface-list=WAN
+    add action=drop chain=forward comment="defconf: drop bad forward IPs" \
+        dst-address-list=no_forward_ipv4
+    add action=drop chain=forward comment="defconf: drop bad forward IPs" \
+        src-address-list=no_forward_ipv4
+    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
+        in-interface-list=!VPN log-prefix=drop
+    ```
+
+=== "NAT"
+    ```
+    /ip firewall nat
+    add action=masquerade chain=srcnat
+    add action=masquerade chain=srcnat out-interface=ether1 src-address=\
+    192.168.3.1
+    ```
+
+=== "RAW"
+    ```
+    /ip firewall raw
+    add action=accept chain=prerouting comment=\
+        "defconf: enable for transparent firewall" disabled=yes
+    add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
+        dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
+        udp src-address=0.0.0.0 src-port=68
+    add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
+        src-address-list=bad_ipv4
+    add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
+        yes dst-address-list=bad_ipv4 log=yes log-prefix=132
+    add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
+        src-address-list=bad_src_ipv4
+    add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
+        yes dst-address-list=bad_dst_ipv4 log=yes
+    add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
+        in-interface=ether1 src-address-list=not_global_ipv4
+    add action=drop chain=prerouting comment=\
+        "defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
+        in-interface-list=WAN
+    add action=drop chain=prerouting comment=\
+        "defconf: drop local if not from default IP range" in-interface-list=LAN \
+        log=yes src-address=!192.168.3.0/24
+    add action=drop chain=prerouting comment="defconf: drop bad UDP" log-prefix=\
+        123 port=0 protocol=udp
+    add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
+        jump-target=icmp4 protocol=icmp
+    add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
+        jump-target=bad_tcp protocol=tcp
+    add action=accept chain=prerouting comment=\
+        "defconf: accept everything else from LAN" in-interface-list=VPN
+    add action=accept chain=prerouting comment=\
+        "defconf: accept everything else from WAN" in-interface-list=WAN
+    add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
+        tcp-flags=!fin,!syn,!rst,!ack
+    add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
+    add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
+    add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
+    add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
+    add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
+    add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
+    add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
+        protocol=tcp
+    ```
+
+=== "Address List"
+
+    ```
+    /ip firewall address-list
+    add address=192.168.1.2-192.168.88.254 list=allowed_to_router
+    add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
+    add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
+    add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
+    add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
+    add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
+    add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
+    add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
+        bad_ipv4
+    add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
+        bad_ipv4
+    add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
+        bad_ipv4
+    add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
+    add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
+    add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
+    add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
+    add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
+    add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
+    add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
+    add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
+    add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
+        not_global_ipv4
+    add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
+    add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
+    add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
+    add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
+    add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
+    add list=ddos-attackers
+    add list=ddos-target
+    add address=5.189.70.251 list=Admin_IP
+    add address=10.0.10.2 list=Admin_IP
+    add address=95.59.244.153 list=Admin_IP
+    ```

docs/network/mikrotik/unblock-site.md

@@ -0,0 +1,69 @@
+# Обход блокировок
+
+Расписывать как поднять и настроить VPN через Wireguard или OpenVPN не буду. В сети достаточно инструкций. Чуть ниже слева есть еще одна от меня.
+
+Варианта как обходить блокировки 2:
+
+- через таблицу маршрутизации, куда вносим ресурсы руками или скриптами
+- через BGP с одного "неизвестного" сайта
+
+## Вариант 1: таблица маршрутизации
+
+Статья о маркировке трафика, для отправки его в VPN: [Policy_Base_Routing](https://wiki.mikrotik.com/wiki/Policy_Base_Routing)
+
+Формируем списки (`address-list`) для подсетей, трафик на которые будем гнать через VPN:
+```
+# auth.servarr.com - заблоченный ресурс
+/ip firewall address-list add list=unblock address=auth.servarr.com
+```
+Вместо формирования руками, готовые списки можно выкачивать с [https://antifilter.download](https://antifilter.download)
+
+Создаем таблицу маршрутизации
+
+```
+/routing table
+add Disabled=no name=unblock fib
+```
+Настраиваем правила роутинга
+
+```
+/ip firewall mangle add disabled=no action=mark-routing chain=prerouting dst-address-list=unblock new-routing-mark=unblock passthrough=yes src-address=192.168.88.2-192.168.88.254
+/ip route add disabled=no dst-address=0.0.0.0/0 type=unicast gateway=wireguard1 routing-mark=unblock scope=30 target-scope=10
+/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=wireguard1 action=masquerade
+```
+
+## Вариант 2: BGP 
+
+Проверяем, что VPN жив и работает. 
+
+Выпускаем трафик BGP с маршрутизатора
+
+```
+/ip firewall filter add action=accept chain=output protocol=tcp dst-address=51.75.66.20 dst-port=179 out-interface=wireguard1
+```
+
+Прописываем маршрут до сервиса antifilter.network через VPN. Это нужно для того, чтобы если провайдер блочит или фильтрует BGP, на нас это не влияло.
+
+```
+/ip route add dst-address=51.75.66.20/32 gateway=wireguard1
+```
+
+Настраиваем пиринг с сервисом
+
+!!! info "Mikrotik ROS7"
+
+    ```
+    /routing bgp template
+    add as="64999" disabled=no hold-time=4m input.filter=bgp_in .ignore-as-path-len=yes keepalive-time=1m multihop=yes name=antifilter routing-table=main
+
+    /routing bgp connection
+    add as=64999 disabled=no hold-time=4m input.filter=bgp_in \
+    .ignore-as-path-len=yes keepalive-time=1m local.address=<local_IP> .role=\
+    ebgp multihop=yes name=bgp-antifilter.net output.filter-chain=discard \
+    remote.address=51.75.66.20/32 .as=65444 router-id=<WAN_IP> \
+    routing-table=main templates=antifilter
+
+    /routing filter rule
+    add chain=bgp_in disabled=no rule="set gw wireguard1; accept;
+    add chain=discard disabled=no rule=reject
+    ```

mkdocs.yml

@@ -78,11 +78,6 @@ nav:
       - Stop-Process: software/powershell/stop-process.md
       - Count-Pages: software/powershell/count-pages.md
       - Send-Mail: software/powershell/send-mail.md
-    - Home Assistant:
-      - Zigbee2mqtt: software/hass/zigbee2mqtt.md
-      - Пакеты конфигураций: 
-        - software/hass/package/index.md
-        - Будильник: software/hass/package/budilnik.md
     - Chrome:
       - Download bar: software/chrome/download-bar.md
     - Windows:
@@ -106,6 +101,14 @@ nav:
     - Proxmox VE:
       - index.md
       - CT Template: proxmox/ct-template.md
+  - Home Assistant:
+    - Addons:
+      - Zigbee2mqtt: hass/zigbee2mqtt.md
+    - Package: 
+      - hass/package/index.md
+      - Будильник: hass/package/budilnik.md
+    - Device:
+      Xiaomi Airpurifier: hass/device/xiaomi-airpurifier.md
   - Другое:
     - SSL для сайта: other/ssl-for-site.md
     - Self Hosted: other/self-hosted.md
@@ -152,7 +155,7 @@ nav:
       - Split-DNS: network/mikrotik/split-dns.md
       - Hairpin NAT: network/mikrotik/hairpin-nat.md
       - UPnP: network/mikrotik/upnp.md
-      - BGP: network/mikrotik/bgp.md
+      - Обход блокировок: network/mikrotik/unblock-site.md
     - Ubiquiti:
       - Добавление новой точки: network/ubi/add-new-ap.md
       - Ошибка обновления: network/ubi/failed-update.md