Monday, May 4, 2026

Installing the Unbound DNS server as a container on RouterOS (MikroTik)

/interface/bridge/add name=dockers
/ip/address/add address=172.20.0.254/24 interface=dockers
/interface/veth/add name=veth53 address=172.20.0.53/24 gateway=172.20.0.254
/interface/bridge/port add bridge=dockers interface=veth53
/container/config/set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/container/envs/add name=unbound_envs key=TZ value="Asia/Jerusalem"
/container/add dns=172.20.0.254 remote-image=elicro/unbound:latest interface=veth53 root-dir=disk1/unbound envlist=unbound_envs start-on-boot=yes


Source:

https://github.com/elico/unbound-container

Thursday, April 9, 2026

DDoS protection for MikroTik networks

/ip firewall filter
# Sources that reach 32 simultaneous TCP connections to the router are listed in block-ddos for one day.
add action=add-src-to-address-list address-list=block-ddos \
    address-list-timeout=1d chain=input comment="=============================\
    =====Inicio controle DDoS==============" connection-limit=32,32 \
    disabled=no protocol=tcp
# Listed sources are tarpitted once they pass 3 connections.
add action=tarpit chain=input connection-limit=3,32 disabled=no protocol=tcp \
    src-address-list=block-ddos
# New forwarded TCP SYNs are sent to the SYN-Protect chain.
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
# SYNs within the configured rate (limit=400,5) are accepted; the rest fall through to the drop rule.
add action=accept chain=SYN-Protect connection-state=new disabled=no limit=\
    400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment=\
    "=================Fin Control DDoS============================="

Bandwidth-control script per DHCP lease (MikroTik)

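# Runs as the DHCP server lease-script; RouterOS sets leaseBound, leaseActMAC and leaseActIP.
:local queueName "Usuario del DHCP  $leaseActMAC";
:if ($leaseBound = "1") do={
    # Lease assigned: create a simple queue for the client, using its host name as the comment.
    /queue simple add name=$queueName target=($leaseActIP . "/32") limit-at=5000k/10024k max-limit=10M/20M comment=[/ip dhcp-server lease get [find where active-mac-address=$leaseActMAC && active-address=$leaseActIP] host-name];
} else={
    # Lease released: remove the client's queue.
    /queue simple remove $queueName
}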

Blocking BitTorrent and P2P



/ip firewall layer7-protocol
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"




/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Conn \
    address-list-timeout=2m chain=forward layer7-protocol=\
    layer7-bittorrent-exp src-address=192.168.2.0/24 src-address-list=\
    !allow-bit
add action=drop chain=forward dst-port=\
    !0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
    src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=\
    !0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
    src-address-list=Torrent-Conn







-----------------------------------------------------------------------------------------
Source: https://medium.com/karlbooklover/como-censurar-al-internet-con-reglas-simples-en-routeros-c525c5bc245e
-----------------------------------------------------------------------------------------
# First, we block people from finding torrents. Using MTK's layer 7 inspection (L7), we match HTTP GET requests for BitTorrent sites and related sites. Here's my regex:
/ip firewall layer7-protocol
add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"

# Now we put in a firewall rule to block with this L7.
/ip firewall filter
add action=drop chain=forward comment="block torrent wwws" disabled=no layer7-protocol=torrent-wwws


# Let's block DNS queries based on the same regex.
/ip firewall layer7-protocol
add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"

# Here's the firewall rule to block:
/ip firewall filter
add action=drop chain=forward comment="block torrent dns" disabled=no dst-port=53 layer7-protocol=torrent-dns protocol=udp
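
Added example (not part of the original post or its source): a Python check of the two L7 expressions above against constructed payloads. It shows that the bare keywords also drop unrelated traffic, such as a page or hostname containing "torrential". Python's re with DOTALL is an assumption standing in for the RouterOS matcher, and all hostnames and payloads are constructed.

```python
import re

# Keyword alternation copied from the torrent-wwws / torrent-dns rules above.
KEYWORDS = (
    rb"torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|"
    rb"flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|"
    rb"entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|"
    rb"seedpeer|fenopy|gpirate|commonbits")

# RouterOS writes "\$" to escape "$" in the script string; the regex itself ends in "$".
# re.DOTALL is an assumption: it lets "." cross CR/LF inside the buffered payload.
TORRENT_WWWS = re.compile(rb"^.*(get|GET).+(" + KEYWORDS + rb").*$", re.DOTALL)
TORRENT_DNS = re.compile(rb"^.+(" + KEYWORDS + rb").*$", re.DOTALL)


def dns_query(name: str) -> bytes:
    """Build a minimal DNS A query (12-byte header + QNAME + QTYPE/QCLASS)."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"


def audit(pattern, samples):
    """Return {label: bool} showing which constructed payloads the pattern drops."""
    return {label: bool(pattern.search(payload)) for label, payload in samples}


# Constructed samples: (label, payload). Hostnames use the reserved .example TLD.
HTTP_SAMPLES = [
    ("tracker site", b"GET / HTTP/1.1\r\nHost: www.thepiratebay.example\r\n\r\n"),
    ("weather article", b"GET /news/torrential-rain HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    ("referer only", b"GET /a.css HTTP/1.1\r\nHost: cdn.example\r\nReferer: http://x.example/?q=torrent\r\n\r\n"),
    ("unrelated page", b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]
DNS_SAMPLES = [
    ("tracker lookup", dns_query("www.mininova.example")),
    ("weather lookup", dns_query("torrentialrain.example")),
    ("unrelated lookup", dns_query("mail.example")),
]

if __name__ == "__main__":
    for name, result in (("torrent-wwws", audit(TORRENT_WWWS, HTTP_SAMPLES)),
                         ("torrent-dns", audit(TORRENT_DNS, DNS_SAMPLES))):
        for label, dropped in result.items():
            print(f"{name:13} {label:18} {'DROP' if dropped else 'pass'}")
```

Running a list of hostnames and URLs your own users rely on through `audit` before enabling the rules shows which legitimate destinations the keyword list would drop.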

Simple DynDNS update script (freedns.afraid.org)

/tool fetch host="freedns.afraid.org" url="https://freedns.afraid.org/dynamic/update.php?CaMbiAr ClAvE.."

Source: https://forum.mikrotik.com/t/simple-dyndns-freedns-afraid-org-update-script/108821

Script to configure Dynu DNS on MikroTik with a dynamic IP

# Fetch the current public IP and read it back from the downloaded file.
/tool fetch mode=http url="http://api.ipify.org" src-path="" dst-path=/dyn.html
:local currentIP [/file get dyn.html contents]
:log warning "Public IP Detected $currentIP"
######################################################
:global ddnsuser "USER"
:global ddnspass "PASSWORD"
:global ddnshost "DOMINIO"
:global ipddns [:resolve $ddnshost];
:log warning "Current DNS $ipddns"
/file/remove dyn.html

# Call the Dynu update API only when the resolved address differs from the public IP.
:if ($ipddns != $currentIP) do={
:log warning ("Updating IP = $currentIP")
:global str "/nic/update?username=$ddnsuser&password=$ddnspass&hostname=$ddnshost&myip=$currentIP"
/tool fetch address=api.dynu.com src-path=$str mode=https dst-path=("/Dynu.".$ddnshost)
:delay 1
# Delete the response file written by the update request.
:global str [/file find name="Dynu.$ddnshost"];
/file remove $str
:global ipddns $currentIP
:log info "DynuDDNS: IP updated to $currentIP!"
} else={
:log info "No Need to change, IP Already Updated";
}

CAKE configuration (advanced queue-management and Quality of Service algorithm) on MikroTik

Advanced queue-management and Quality of Service algorithm

/queue type
add kind=cake \
    name=cake-rx \
    cake-diffserv=besteffort \
    cake-flowmode=dual-dsthost \
    cake-rtt-scheme=regional \
    cake-nat=yes
add kind=cake \
    name=cake-tx \
    cake-ack-filter=filter \
    cake-diffserv=besteffort \
    cake-flowmode=dual-srchost \
    cake-rtt-scheme=regional \
    cake-nat=yes

/queue simple
add name=queue1 \
    max-limit=256M/24M \
    queue=cake-rx/cake-tx \
    target=ether1 \
    total-queue=default

Source:
https://tangentsoft.com/mikrotik/wiki?name=CAKE+Configuration