2019 November 01

KoT in MikrotikRus
sort of

Bomberman in MikrotikRus
KoT
sort of

KoT in MikrotikRus
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
# This entry is unreachable
add name=peer2 passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.200
add name=vpn ranges=192.168.0.201-192.168.0.210
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge name=defconf
/ipv6 pool
add name=IPv6 prefix=2001:470:1cf6::/48 prefix-length=48
/ppp profile
add change-tcp-mss=yes local-address=vpn name=VPN remote-address=vpn use-ipv6=no
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=tvvianet
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge disabled=yes interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN enabled=yes ipsec-secret=xxxxxxxxxxx use-ipsec=required
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=sit1 list=discover
add interface=ether2-master list=mactel
add interface=ether6-master list=mactel
add interface=ether2-master list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether6-master list=mac-winbox
add interface=sfp1 list=mac-winbox
/ip address
add address=192.168.0.254/24 comment=defconf interface=ether2-master network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=sfp1
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1 gateway=192.168.0.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.254 name=router
add address=127.0.0.1 comment=ADBlock name=2975c.v.fwmrm.net
add address=127.0.0.1 comment=ADBlock name=2mdn.net
add address=127.0.0.1 comment=ADBlock name=ad-g.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=ad.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=ad.mo.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=ad.youtube.com
add address=127.0.0.1 comment=ADBlock name=ads.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=ads.youtube.com
add address=127.0.0.1 comment=ADBlock name=akamaiedge.net
add address=127.0.0.1 comment=ADBlock name=akamaitechnologies.com
add address=127.0.0.1 comment=ADBlock name=analytic-google.com
add address=127.0.0.1 comment=ADBlock name=apis.google.com
add address=127.0.0.1 comment=ADBlock name=clients1.google.com
add address=127.0.0.1 comment=ADBlock name=clients6.google.com
add address=127.0.0.1 comment=ADBlock name=doubleclick.net
add address=127.0.0.1 comment=ADBlock name=dts.innovid.com
add address=127.0.0.1 comment=ADBlock name=files.adform.net
add address=127.0.0.1 comment=ADBlock name=fwmrm.net
add address=127.0.0.1 comment=ADBlock name=googleadapis.l.google.com
add address=127.0.0.1 comment=ADBlock name=googleads.g.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=googleads4.g.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=googleadservices.com
add a

KoT in MikrotikRus
ddress=127.0.0.1 comment=ADBlock name=i1.ytimg.com
add address=127.0.0.1 comment=ADBlock name=innovid.com
add address=127.0.0.1 comment=ADBlock name=ocsp.comodoca.com
add address=127.0.0.1 comment=ADBlock name=pagead.googlesyndication.com
add address=127.0.0.1 comment=ADBlock name=pagead.l.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=pagead1.googlesyndication.com
add address=127.0.0.1 comment=ADBlock name=pagead2.googlesyndication.com
add address=127.0.0.1 comment=ADBlock name=pixel.moatads.com
add address=127.0.0.1 comment=ADBlock name=pubads.g.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=r1---sn-vgqsen7z.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r1.sn-vgqsen7z.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r17---sn-vgqsenes.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r2---sn-hp57yne7.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r2---sn-vgqs7n7k.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r20---sn-vgqs7ne7.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r20.sn-vgqs7ne7.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r3---sn-hp57knsl.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r4---sn-vgqs7nez.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r4.sn-vgqs7nez.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r5---sn-hp57kn6e.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r5.sn-32o-guhl.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r6---sn-vgqseney.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r7---sn-8p8v-bg0d.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=r8---sn-8p8v-bg0d.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=redirector.googlevideo.com
add address=127.0.0.1 comment=ADBlock name=rtd.tubemogul.com
add address=127.0.0.1 comment=ADBlock name=s.innovid.com
add address=127.0.0.1 comment=ADBlock name=s0.2mdn.net
add address=127.0.0.1 comment=ADBlock name=secure-ds.serving-sys.com
add address=127.0.0.1 comment=ADBlock name=securepubads.g.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=ssl.google-analytics.com
add address=127.0.0.1 comment=ADBlock name=static.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=stats.g.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=www-google-analytics.l.google.com
add address=127.0.0.1 comment=ADBlock name=www-googletagmanager.l.google.com
add address=127.0.0.1 comment=ADBlock name=www.analytic-google.com
add address=127.0.0.1 comment=ADBlock name=www.googleadservices.com
add address=127.0.0.1 comment=ADBlock name=www.googletagservices.com
add address=127.0.0.1 comment=ADBlock name=www.youtube-nocookie.com
add address=127.0.0.1 comment=ADBlock name=youtube-nocookie.com
add address=127.0.0.1 comment=ADBlock name=devads.skypeassets.net
add address=127.0.0.1 comment=ADBlock name=preads.skypeassets.net
add address=127.0.0.1 comment=ADBlock name=qawww.skypeassets.net
add address=127.0.0.1 comment=ADBlock name=static.skypeassets.com
add address=127.0.0.1 comment=ADBlock name=devapps.skype.net
add address=127.0.0.1 comment=ADBlock name=qaapi.skype.net
add address=127.0.0.1 comment=ADBlock name=preapps.skype.net
add address=127.0.0.1 comment=ADBlock name=apps.skype.com
add address=127.0.0.1 comment=ADBlock name=api.skype.com
add address=127.0.0.1 comment=ADBlock name=serving.plexop.net
add address=127.0.0.1 comment=ADBlock name=preg.bforex.com
add address=127.0.0.1 comment=ADBlock name=flex.msn.com
add address=127.0.0.1 comment=ADBlock name=rad.msn.com
add address=127.0.0.1 comment=ADBlock name=live.rads.msn.com
add address=127.0.0.1 comment=ADBlock name=ads1.msn.com
add address=127.0.0.1 comment=ADBlock name=g.msn.com
add address=127.0.0.1 comment=ADBlock name=ac3.msn.com
add address=127.0.0.1 comment=ADBlock name=ads1.msads.net
add address=127.0.0.1 comment=ADBlock name=ads2.msads.net
add address=127.0.0.1 comment=ADBlock name=a.ads2.msads.net
add address=127.0.0.1 comment=ADBlock name=b.ads2.msads.net
add address=127.0.0.1 comment=ADBlock name=sO.2m

KoT in MikrotikRus
dn.net
add address=127.0.0.1 comment=ADBlock name=static.2mdn.net
add address=127.0.0.1 comment=ADBlock name=cdn.adnxs.com
add address=127.0.0.1 comment=ADBlock name=cdn.adnxs.com.edgesuite.net
add address=127.0.0.1 comment=ADBlock name=aka-cdn-ns.adtech.de
add address=127.0.0.1 comment=ADBlock name=cdn.atdmt.com
add address=127.0.0.1 comment=ADBlock name=ec.atdmt.com
add address=127.0.0.1 comment=ADBlock name=ad-emea.doubleclick.net
add address=127.0.0.1 comment=ADBlock name=secure.flashtalking.com
add address=127.0.0.1 comment=ADBlock name=msntest.serving-sys.com
add address=127.0.0.1 comment=ADBlock name=cdn.bitmedianetwork.com
add address=127.0.0.1 comment=ADBlock name=static.ap.bittorrent.com
add address=127.0.0.1 comment=ADBlock name=bundles.bittorrent.com
add address=127.0.0.1 comment=ADBlock name=apps.bittorrent.com
add address=127.0.0.1 comment=ADBlock name=ads.bittorrent.com
add address=127.0.0.1 comment=ADBlock name=offers.bittorrent.com
add address=127.0.0.1 comment=ADBlock name=services.bunndle.com
add address=127.0.0.1 comment=ADBlock name=cdn.ap.bittorrent.com
add address=127.0.0.1 comment=ADBlock name=beta.bundles.bittorrent.com
add address=127.0.0.1 comment=ADBlock name=ads.viber.com
add address=127.0.0.1 comment=ADBlock name=ads.aws.viber.com
add address=127.0.0.1 comment=ADBlock name=ads-d.viber.com
add address=127.0.0.1 comment=ADBlock name=cdn.mbstatic.org
add address=127.0.0.1 comment=ADBlock name=adselector.ru
add address=127.0.0.1 comment=ADBlock name=pluso.ru
add address=127.0.0.1 comment=ADBlock name=flash.begun.ru
add address=127.0.0.1 comment=ADBlock name=ad.adriver.ru
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input dst-port=179 protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment=VPN port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=netmap chain=dstnat comment="VM Out SSH" disabled=yes dst-port=22 in-interface=ether1 protocol=tcp to-addresses=192.168.0.240 to-ports=22
add action=netmap c

KoT in MikrotikRus
hain=dstnat comment="SIP 3CX 5090" dst-port=5090 in-interface=ether1 protocol=tcp to-addresses=192.168.0.225 to-ports=5090
add action=netmap chain=dstnat dst-port=5090 in-interface=ether1 protocol=udp to-addresses=192.168.0.225 to-ports=5090
add action=netmap chain=dstnat comment="SIP Secure 3CX 5061" disabled=yes dst-port=5061 in-interface=ether1 protocol=tcp to-addresses=192.168.0.225 to-ports=5061
add action=netmap chain=dstnat disabled=yes dst-port=5061 in-interface=ether1 protocol=udp to-addresses=192.168.0.225 to-ports=5061
add action=netmap chain=dstnat disabled=yes dst-port=5060 in-interface=ether1 protocol=tcp to-addresses=192.168.0.225 to-ports=5060
add action=netmap chain=dstnat disabled=yes dst-port=5060 in-interface=ether1 protocol=udp to-addresses=192.168.0.225 to-ports=5060
add action=netmap chain=dstnat comment=DMR disabled=yes dst-port=62051 in-interface=ether1 protocol=tcp to-addresses=192.168.0.155 to-ports=62051
add action=netmap chain=dstnat disabled=yes dst-port=62052 in-interface=ether1 protocol=tcp to-addresses=192.168.0.155 to-ports=62052
add action=netmap chain=dstnat disabled=yes dst-port=62053 in-interface=ether1 protocol=tcp to-addresses=192.168.0.155 to-ports=62053
add action=netmap chain=dstnat disabled=yes dst-port=62051 in-interface=ether1 protocol=udp to-addresses=192.168.0.155 to-ports=62051
add action=netmap chain=dstnat disabled=yes dst-port=62052 in-interface=ether1 protocol=udp to-addresses=192.168.0.155 to-ports=62052
add action=netmap chain=dstnat disabled=yes dst-port=62053 in-interface=ether1 protocol=udp to-addresses=192.168.0.155 to-ports=62053
add action=netmap chain=dstnat comment=BGP dst-port=179 in-interface=ether1 protocol=tcp to-addresses=192.168.0.240 to-ports=179
/ip firewall service-port
set sip ports=5060,5061,5090
/ip ipsec identity
add generate-policy=port-override peer=peer2 remote-id=ignore secret=xxxxxxxxxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24
set ssh address=192.168.0.0/24
set api address=192.168.0.0/24
set winbox address=192.168.0.0/24
set api-ssl address=192.168.0.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=drop chain=input in-interface=sit1 log=yes log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface=!sit1 protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface=!sit1 src-address-list=allowed
add action=drop chain=forward disabled=yes log-prefix=IPV6
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:470:1f1c:d85::1
/ppp secret
add name=xxxxxx password="xxxxxxxxxxxx" profile=VPN service=l2tp
/snmp
set contact=xxxxxxxxxxxxx enabled=yes location="Bradford, UK" trap-version=2
/system clock
set time-zone-name=Europe/London
/system watchdog
set watchdog-timer=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set streaming-enabled=yes streaming-server=192.168.0.5

JIexa in MikrotikRus
@KoT_UK ever heard of pastebin.com?)

Eugene in MikrotikRus
KoT
I'm for a ban

Andrew Gerasyuto in MikrotikRus
Eugene
I'm for a ban
100500

Ilya Oblomov in MikrotikRus
JIexa
Explain please, how is this related to TTL)
It's not related to TTL. I was talking about MTU, but the current situation isn't related to that either.
When IPsec is used, the MTU decreases and some sites become unreachable. In my case these are rutracker, pikabu, sberbank.

JIexa in MikrotikRus
Ilya Oblomov
It's not related to TTL. I was talking about MTU, but the current situation isn't related to that either.
When IPsec is used, the MTU decreases and some sites become unreachable. In my case these are rutracker, pikabu, sberbank.
I must have been seeing things if I saw TTL in a message about MTU. Sorry

alex hidden in MikrotikRus
KoT

Philipp Zadorozhniy in MikrotikRus
KoT
well, you really are... hmmmm

Philipp Zadorozhniy in MikrotikRus
I'll run ip route print now and post it here

Philipp Zadorozhniy in MikrotikRus
2 full views + 1.6 million RKN

Eugene in MikrotikRus
Philipp Zadorozhniy
I'll run ip route print now and post it here
better War and Peace, at least it's more useful, and prettier

Philipp Zadorozhniy in MikrotikRus
Eugene
better War and Peace, at least it's more useful, and prettier
and then straight to /selfban

Alexey in MikrotikRus
Philipp Zadorozhniy
2 full views + 1.6 million RKN
Durov will ban you then

Максим Вельгач in MikrotikRus
Philipp Zadorozhniy
2 full views + 1.6 million RKN
Is this on a MikroTik?

Philipp Zadorozhniy in MikrotikRus
Максим Вельгач
Is this on a MikroTik?
yes