thest1tch
/
docs
0
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update
continuous-integration/drone/push Build is failing Details

Browse Source
states/02
thest1tch 1 year ago
parent b02c3cff5c
commit 383af3f340
7 changed files with 260 additions and 26 deletions
Show Stats Download Patch File Download Diff File

0
docs/software/hass/package/budilnik.md → docs/hass/package/budilnik.md
Unescape Escape View File

0
docs/software/hass/package/index.md → docs/hass/package/index.md
Unescape Escape View File

0
docs/software/hass/zigbee2mqtt.md → docs/hass/zigbee2mqtt.md
Unescape Escape View File

12
docs/network/mikrotik/bgp.md
Unescape Escape View File

@ -1,12 +0,0 @@
# BGP на RouterOS 7
```
/routing bgp template
add as="ВАША ВЫДУМАННАЯ AS БЕЗ СКОБОК" disabled=no hold-time=4m input.filter=bgp_in .ignore-as-path-len=yes keepalive-time=1m multihop=yes name=antifilter routing-table=main
/routing bgp connection
add disabled=no hold-time=4m input.filter=bgp_in .ignore-as-path-len=yes keepalive-time=1m local.address= "ВАШ ВНУТРЕННИЙ ИП БЕЗ СКОБОК" .role=ebgp multihop=yes name=antifilter_bgp remote.address=45.154.73.71/32 .as=65432 router-id="ВАШ ВНЕШНИЙ ИП БЕЗ СКОБОК" routing-table=main templates=antifilter
/routing filter rule
add chain=bgp_in disabled=no rule="set gw "название VPN интерфейса"; accept;"
```

190
docs/network/mikrotik/chr.md
Unescape Escape View File

@ -1,14 +1,188 @@
# Cloud Hosted Router
У MikroTik CHR статический IP
## Установка IP адреса
```plaintext
/ip address add interface=ether1 address=10.103.0.111 netmask=255.255.255.0
/ip route add gateway=10.103.0.254 dst-address=0.0.0.0/0 distance=1
```
=== "У MikroTik CHR статический IP"
```
/ip address add interface=ether1 address=10.103.0.111 netmask=255.255.255.0
/ip route add gateway=10.103.0.254 dst-address=0.0.0.0/0 distance=1
```
=== "У MikroTik CHR автоматический IP(dhcp)"
У MikroTik CHR автоматический IP(dhcp)
```
/ip dhcp-client add disabled=no interface=ether1
```
```plaintext
/ip dhcp-client add disabled=no interface=ether1
## Настройка NTP
```
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.171.23.163
add address=85.114.26.194
```
## Настройка Firewall
=== "Filter"
```
/ip firewall filter
add action=accept chain=input dst-port=22024,29514 in-interface=ether1 \
protocol=tcp src-address-list=Admin_IP
add action=accept chain=input comment="VPN Wireguard" dst-port=34567 \
in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=34568 in-interface=ether1 protocol=udp \
src-address=5.189.70.251
add action=accept chain=input dst-port=34569 in-interface=ether1 protocol=udp
add action=accept chain=input comment=l2tp port=1701,500,4500 protocol=udp \
src-address=95.59.244.153
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=Socks5 dst-port=24444 \
in-interface-list=VPN protocol=tcp
add action=drop chain=input dst-port=24444 in-interface-list=!VPN protocol=\
tcp
add action=accept chain=input comment="Web Proxy" dst-port=25555 \
in-interface-list=VPN log=yes log-prefix=webproxy protocol=tcp
add action=drop chain=input connection-state="" dst-port=8080 \
in-interface-list=!VPN port="" protocol=tcp src-port=""
add action=drop chain=input connection-state="" dst-port=25555 \
in-interface-list=!VPN port="" protocol=tcp src-port=""
add action=return chain=detect-ddos comment="Anti DDos" dst-limit=\
32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
add action=fasttrack-connection chain=forward comment=" fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \F3\F1\F2\
\E0\ED\EE\E2\EB\E5\ED\ED\FB\E5 \E8 \F1\E2\FF\E7\E0\ED\ED\FB\E5 \E2\F5\EE\
\E4\F9\E8\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=\
established,related,untracked
add action=accept chain=forward connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid \
log-prefix=invalid
add action=drop chain=forward connection-state=invalid log-prefix=invalid
add action=drop chain=input connection-state="" dst-port=53 \
in-interface-list=WAN port="" protocol=udp src-port=""
add action=drop chain=input comment=NTP connection-state=new dst-port=123 \
in-interface-list=WAN log-prefix=" " protocol=tcp
add action=drop chain=input connection-state=new dst-port=123 \
in-interface-list=WAN log-prefix=" " protocol=udp
add action=drop chain=input comment="Drop SSH brutforce" dst-port=22-23 \
protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
add action=accept chain=input comment="\F0\E0\E7\F0\E5\F8\E0\E5\EC \EF\EE\E4\
\EA\EB\FE\F7\E5\ED\E8\FF \E8\E7 \ED\E0\F8\E5\E9 \EB\EE\EA \F1\E5\F2\E8" \
in-interface=!ether1 src-address=192.168.3.0/24
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!VPN log-prefix=drop
```
=== "NAT"
```
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
192.168.3.1
```
=== "RAW"
```
/ip firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
yes dst-address-list=bad_ipv4 log=yes log-prefix=132
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
yes dst-address-list=bad_dst_ipv4 log=yes
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface=ether1 src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
log=yes src-address=!192.168.3.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" log-prefix=\
123 port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=VPN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
```
=== "Address List"
```
/ip firewall address-list
add address=192.168.1.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add list=ddos-attackers
add list=ddos-target
add address=5.189.70.251 list=Admin_IP
add address=10.0.10.2 list=Admin_IP
add address=95.59.244.153 list=Admin_IP
```

69
docs/network/mikrotik/unblock-site.md
Unescape Escape View File

@ -0,0 +1,69 @@
# Обход блокировок
Расписывать как поднять и настроить VPN через Wireguard или OpenVPN не буду. В сети достаточно инструкций. Чуть ниже слева есть еще одна от меня.
Варианта как обходить блокировки 2:
- через таблицу маршрутизации, куда вносим ресурсы руками или скриптами
- через BGP с одного "неизвестного" сайта
## Вариант 1: таблица маршрутизации
Статья о маркировке трафика, для отправки его в VPN: [Policy_Base_Routing](https://wiki.mikrotik.com/wiki/Policy_Base_Routing)
Формируем списки (`address-list`) для подсетей, трафик на которые будем гнать через VPN:
```
# auth.servarr.com - заблоченный ресурс
/ip firewall address-list add list=unblock address=auth.servarr.com
```
Вместо формирования руками, готовые списки можно выкачивать с [https://antifilter.download](https://antifilter.download)
Создаем таблицу маршрутизации
```
/routing table
add Disabled=no name=unblock fib
```
Настраиваем правила роутинга
```
/ip firewall mangle add disabled=no action=mark-routing chain=prerouting dst-address-list=unblock new-routing-mark=unblock passthrough=yes src-address=192.168.88.2-192.168.88.254
/ip route add disabled=no dst-address=0.0.0.0/0 type=unicast gateway=wireguard1 routing-mark=unblock scope=30 target-scope=10
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=wireguard1 action=masquerade
```
## Вариант 2: BGP
Проверяем, что VPN жив и работает.
Выпускаем трафик BGP с маршрутизатора
```
/ip firewall filter add action=accept chain=output protocol=tcp dst-address=51.75.66.20 dst-port=179 out-interface=wireguard1
```
Прописываем маршрут до сервиса antifilter.network через VPN. Это нужно для того, чтобы если провайдер блочит или фильтрует BGP, на нас это не влияло.
```
/ip route add dst-address=51.75.66.20/32 gateway=wireguard1
```
Настраиваем пиринг с сервисом
!!! info "Mikrotik ROS7"
```
/routing bgp template
add as="64999" disabled=no hold-time=4m input.filter=bgp_in .ignore-as-path-len=yes keepalive-time=1m multihop=yes name=antifilter routing-table=main
/routing bgp connection
add as=64999 disabled=no hold-time=4m input.filter=bgp_in \
.ignore-as-path-len=yes keepalive-time=1m local.address=<local_IP> .role=\
ebgp multihop=yes name=bgp-antifilter.net output.filter-chain=discard \
remote.address=51.75.66.20/32 .as=65444 router-id=<WAN_IP> \
routing-table=main templates=antifilter
/routing filter rule
add chain=bgp_in disabled=no rule="set gw wireguard1; accept;
add chain=discard disabled=no rule=reject
```

15
mkdocs.yml
Unescape Escape View File

@ -78,11 +78,6 @@ nav:
- Stop-Process: software/powershell/stop-process.md
- Count-Pages: software/powershell/count-pages.md
- Send-Mail: software/powershell/send-mail.md
- Home Assistant:
- Zigbee2mqtt: software/hass/zigbee2mqtt.md
- Пакеты конфигураций:
- software/hass/package/index.md
- Будильник: software/hass/package/budilnik.md
- Chrome:
- Download bar: software/chrome/download-bar.md
- Windows:
@ -106,6 +101,14 @@ nav:
- Proxmox VE:
- index.md
- CT Template: proxmox/ct-template.md
- Home Assistant:
- Addons:
- Zigbee2mqtt: hass/zigbee2mqtt.md
- Package:
- hass/package/index.md
- Будильник: hass/package/budilnik.md
- Device:
Xiaomi Airpurifier: hass/device/xiaomi-airpurifier.md
- Другое:
- SSL для сайта: other/ssl-for-site.md
- Self Hosted: other/self-hosted.md
@ -152,7 +155,7 @@ nav:
- Split-DNS: network/mikrotik/split-dns.md
- Hairpin NAT: network/mikrotik/hairpin-nat.md
- UPnP: network/mikrotik/upnp.md
- BGP: network/mikrotik/bgp.md
- Обход блокировок: network/mikrotik/unblock-site.md
- Ubiquiti:
- Добавление новой точки: network/ubi/add-new-ap.md
- Ошибка обновления: network/ubi/failed-update.md

Write Preview
Loading…
Cancel
Save