# Bridges, physical ports and the outbound PPTP tunnel.
# Three bridges are created: bridge-hotspot (customer side), bridge-local (LAN)
# and userman (carries 192.168.87.1, which is also the RADIUS target below).
/interface bridge
add fast-forward=no name=bridge-hotspot
add name=bridge-local
add name=userman
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 name=ether1-WAN1
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether4 ] comment=BROADBAND
/interface pptp-client
# NOTE(review): this tunnel only allows CHAP and MS-CHAPv2 over PPTP. PPTP is a
# legacy protocol and MS-CHAPv2 handshakes can be recovered offline, so traffic
# routed through "VPN" should not be treated as confidential. If the provider
# offers it, prefer an IPsec/IKEv2, OpenVPN or WireGuard (RouterOS 7) tunnel.
add allow=chap,mschap2 comment=VPN connect-to=sg-ded-1.purevpn.net \
dial-on-demand=yes disabled=no name=VPN user=xxxxx4338
/interface ethernet switch port
# Addresses the switch port by numeric index (5); index-based references depend
# on the item order on the device the script is imported into.
set 5 default-vlan-id=0 vlan-mode=disabled
# Wireless security profiles. Pre-shared keys do not appear in this export
# (presumably stripped by hide-sensitive).
/interface wireless security-profiles
# NOTE(review): the default profile accepts WPA (v1) next to WPA2 and TKIP next
# to AES-CCM. WPA/TKIP are deprecated; a client that negotiates them gets the
# weaker protection. Prefer authentication-types=wpa2-psk with aes-ccm only.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
# NOTE(review): "station" is WPA-PSK with TKIP only, the weakest combination in
# this file. Keep it only if the upstream AP cannot do WPA2/AES.
add authentication-types=wpa-psk eap-methods="" group-ciphers=tkip \
management-protection=allowed mode=dynamic-keys name=station \
supplicant-identity="" unicast-ciphers=tkip
# "wifi" mixes WPA/WPA2 and TKIP/AES-CCM like the default profile;
# management-protection=allowed makes protected management frames optional.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=wifi \
supplicant-identity="" unicast-ciphers=tkip,aes-ccm
# "hotspot" sets no ciphers explicitly, so the cipher defaults apply.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" name=hotspot \
supplicant-identity=MikroTik
# Hotspot portal, address pools, DHCP servers and the hotspot instance.
/ip hotspot profile
# NOTE(review): login-by=http-chap,http-pap keeps the login page on plain HTTP.
# http-pap submits the password in clear text; anyone on the same wireless
# segment can read it. The https login method (needs a certificate on the
# router) avoids this; at minimum drop http-pap.
set [ find default=yes ] dns-name=hotspot.portal hotspot-address=172.16.50.1 \
html-directory=flash/darkcyanhotspot login-by=http-chap,http-pap name=\
hs-profile
/ip pool
add name=default-dhcp ranges=192.168.170.2-192.168.170.254
# NOTE(review): 150.150.150.0/24 is publicly routable address space, not an
# RFC 1918 private range. Using it internally hides the real owners of those
# addresses from clients and can leak if NAT is ever bypassed.
add name=wifi-secure ranges=150.150.150.2-150.150.150.254
# The range is written as a whole /24, so it includes the .0 and .255 addresses.
add name=hs-bro1 ranges=10.5.10.0/24
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=\
bridge-local name=local-dhcp
# NOTE(review): pool "hs-unauthenticated" is referenced here and by the hotspot
# below but is not defined in the /ip pool section of this export - confirm it
# exists on the device, otherwise the import fails or the server has no pool.
add add-arp=yes address-pool=hs-unauthenticated bootp-support=none disabled=\
no interface=bridge-hotspot lease-time=6h name=hotspot-dhcp
/ip hotspot
# addresses-per-mac=unlimited and idle-timeout=none put no cap on how many
# addresses one MAC may hold or how long an idle session stays logged in.
add address-pool=hs-unauthenticated addresses-per-mac=unlimited disabled=no \
idle-timeout=none interface=bridge-hotspot name=WIFI
# Hotspot user profiles. All three use address-pool=hs-hotspot, which is not
# defined in the /ip pool section of this export - confirm it exists.
/ip hotspot user profile
# The default profile is renamed ADMIN; its on-login script is just a CR/LF.
set [ find default=yes ] address-pool=hs-hotspot name=ADMIN on-login="\r\
\n"
add address-pool=hs-hotspot !idle-timeout !keepalive-timeout name=VM-1 \
rate-limit=5M/10M
# Profile "1hr": the on-login script logs the login, and if no scheduler named
# after the user exists yet it sets that user's limit-uptime to 10s and adds a
# scheduler (interval=60d) that moves the user to profile EXPIRED, removes the
# active session and deletes itself. It then runs the script "moveICMP".
# Neither profile EXPIRED nor script moveICMP is defined in this export.
# NOTE(review): the login name is spliced into the scheduler's name and into the
# on-event source text, so the name becomes script code. Keep hotspot user names
# restricted to plain alphanumerics (they are router-side entries here, but the
# same applies to any RADIUS-supplied names) - confirm how users are created.
add address-pool=hs-hotspot idle-timeout=1h name=1hr on-login=":local username\
\_\$user;\r\
\n:local date [/system clock get date];\r\
\n:local time [/system clock get time];\r\
\n:log warning \"\$username has login - \$time\"; \r\
\n{\r\
\n:if ([/system scheduler find name=\$username]=\"\") do={ /ip hotspot use\
r set [find name=\$user] limit-uptime=10s \r\
\n/system scheduler add name=\$username interval=60d on-event=\"/ip hotspo\
t user set profile=EXPIRED [find name=\$username]\\r\\n/ip hotspot active \
remove [find user=\$username]\\r\\n/system scheduler remove [find name=\$u\
sername]\"\r\
\n}\r\
\n}\r\
\n\r\
\n/system script run moveICMP" rate-limit=5M/10M
# Serial port naming, the PPPoE subscriber profile and bandwidth queues.
/port
set 0 name=usb1
/ppp profile
# Subscriber profile: clients get addresses from hs-bro1 (10.5.10.0/24);
# only-one=yes limits each secret to a single session.
# local-address points at pool "hs-unauthenticated", which is not defined in
# the /ip pool section of this export - confirm.
# NOTE(review): no use-encryption value is exported, so the default applies;
# presumably PPPoE sessions on bridge-hotspot run unencrypted - confirm.
add change-tcp-mss=yes comment="<-----VIP PLAN----->" dns-server=\
192.168.170.1 local-address=hs-unauthenticated name="VIP 599 7MB" \
only-one=yes remote-address=hs-bro1
/queue simple
# Parent queue for the PPPoE range with one per-subscriber child (3M/7M).
# The child is named after a person; consider this before sharing exports.
add name=RESIDENTIAL target=10.5.10.0/24
add max-limit=3M/7M name="reyes badette" parent=RESIDENTIAL target=\
10.5.10.1/32
/queue tree
# Both tree entries are disabled, so they shape nothing as exported.
add disabled=yes name=X-Bro priority=1
add disabled=yes max-limit=100M name=bro-download parent=X-Bro priority=1
/queue type
# PCQ types classify per source or destination address (and port for the
# "gaming" pair); pcq-rate is the per-flow rate where set.
add kind=pcq name=gaming-pcq-download pcq-classifier=dst-address,dst-port \
pcq-limit=40KiB
add kind=pcq name=gaming-pcq-upload pcq-classifier=src-address,src-port \
pcq-limit=40KiB
add kind=pcq name="limit dl" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name=main-pcq-download pcq-classifier=dst-address pcq-limit=\
40KiB
add kind=pcq name=main-pcq-upload pcq-classifier=src-address pcq-limit=40KiB
add kind=pfifo name=main-queue pfifo-limit=100
add kind=pcq name="UPLOAD Gaming" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="DOWNLOAD Games" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="DOWNLOAD Browsing" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="UPLOAD Browsing" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=256k pcq-src-address6-mask=64
add kind=pcq name=PPPHOMEDL-15MBPSBURST pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=15M pcq-src-address6-mask=64
add kind=pcq name=PPPHOMEUPLOAD pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=20M pcq-src-address6-mask=64
add kind=pcq name="ALL DOWNLOAD" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=50M pcq-src-address6-mask=64
add kind=pcq name="ALL UPLOAD" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=50M pcq-src-address6-mask=64
# Logging target and management user groups.
/system logging action
# Index-based reference (item 1); sets the file name used by that disk action.
set 1 disk-file-name=log
/user group
# "full" is granted every policy, including sniff, sensitive, romon and dude.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# Custom groups. Each one still carries write, reboot, password and api.
# NOTE(review): api-ssl is disabled under /ip service in this export while the
# plain api service is not, so members of these groups that use the API do so
# without TLS - confirm and prefer api-ssl.
# "admin" and "adminlast" have identical policy strings; one is redundant.
add name=admin policy="reboot,read,write,test,password,web,api,!local,!telnet,\
!ssh,!ftp,!policy,!winbox,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=adminftp policy="ftp,reboot,read,write,password,api,!local,!telnet,!s\
sh,!policy,!test,!winbox,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=adminlast policy="reboot,read,write,test,password,web,api,!local,!tel\
net,!ssh,!ftp,!policy,!winbox,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=techedit policy="ftp,reboot,read,write,test,winbox,password,web,api,!\
local,!telnet,!ssh,!policy,!sniff,!sensitive,!romon,!dude,!tikapp"
# Bridge membership, discovery settings, PPPoE/SSTP servers and the wireless ACL.
/interface bridge port
add bridge=bridge-local comment=LAN interface=ether3
add bridge=bridge-hotspot comment=HOTSPOT interface=ether4
add bridge=bridge-hotspot comment=BROADBAND interface=ether5
# interface=*1 / *E / *A are internal IDs of interfaces that no longer exist;
# the entries are disabled and can be removed.
add bridge=bridge-local disabled=yes interface=*1
add bridge=bridge-hotspot disabled=yes interface=*E
add disabled=yes interface=*A
/ip neighbor discovery-settings
# NOTE(review): "!dynamic" means every non-dynamic interface, which includes
# ether1-WAN1. Neighbor discovery announces the router's identity and version;
# limit it to an interface list that contains only trusted LAN ports.
set discover-interface-list=!dynamic
/interface detect-internet
# NOTE(review): detection runs on all interfaces, WAN and customer-facing ones
# included; set it to none unless the feature is actually used.
set detect-interface-list=all
/interface pppoe-server server
# No authentication= value is exported, so the server uses the default method
# list (presumably including PAP) - confirm and restrict it if clients allow.
add disabled=no interface=bridge-hotspot keepalive-timeout=60 max-mru=1480 \
max-mtu=1480 one-session-per-host=yes service-name="GRACE"
/interface sstp-server server
# NOTE(review): the SSTP server is enabled with no certificate or port setting
# exported, and this export contains no /ip firewall filter rules, so the
# listener is presumably reachable from WAN1. Disable it if unused, otherwise
# bind a certificate and filter the input chain.
set enabled=yes
/interface wireless access-list
# MAC-based allow entries; MAC addresses can be changed by the client, so this
# is an inventory aid rather than authentication.
add comment=ron mac-address=6E:5A:88:C7:0C:2A
add comment=rose mac-address=8C:F5:A3:F4:A4:7A
add comment=ron mac-address=90:97:F3:88:EA:C0
# Router addresses, WAN DHCP client, static leases, DNS and address lists.
/ip address
add address=192.168.170.1/24 interface=bridge-local network=192.168.170.0
add address=172.16.50.1/24 interface=bridge-hotspot network=172.16.50.0
add address=192.168.171.1/24 interface=bridge-hotspot network=192.168.171.0
add address=192.168.87.1/24 interface=userman network=192.168.87.0
/ip cloud
set update-time=no
/ip dhcp-client
# The WAN lease is taken without installing a default route or the ISP's DNS;
# the default route is a static entry under /ip route instead.
add add-default-route=no comment=WAN1 disabled=no interface=ether1-WAN1 \
use-peer-dns=no
/ip dhcp-server lease
# Static leases on the hotspot DHCP server, keyed by MAC address.
add address=172.16.50.4 client-id=1:8c:f5:a3:f4:a4:7a comment=rose \
mac-address=8C:F5:A3:F4:A4:7A server=hotspot-dhcp
add address=172.16.50.2 client-id=1:cc:6e:a4:d8:c4:2d comment=samsung \
mac-address=CC:6E:A4:D8:C4:2D server=hotspot-dhcp
add address=172.16.50.3 client-id=1:34:f1:50:74:58:be comment=tcl \
mac-address=34:F1:50:74:58:BE server=hotspot-dhcp
/ip dhcp-server network
# 150.150.150.0/24 is public address space (see pool wifi-secure); no router
# address in that subnet appears under /ip address in this export.
add address=150.150.150.0/24 dns-none=yes gateway=150.150.150.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=192.168.170.0/24 comment="default configuration" gateway=\
192.168.170.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# arriving on any interface. This export has no /ip firewall filter section, so
# nothing stops queries from WAN1: the router is an open resolver and can be
# abused for DNS amplification. Keep the setting for LAN clients but drop
# udp/tcp port 53 arriving on ether1-WAN1 in the input chain.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.170.1 name=router
/ip firewall address-list
# Neither list is referenced by any firewall rule shown in this export.
add address=172.16.50.0/24 list=local-address
add address=192.168.170.3-192.168.170.251 list=local-addressdns
# Policy-routing marks and source NAT. There is no /ip firewall filter section
# in this export, so the input and forward chains accept everything.
/ip firewall mangle
# PPPoE subscribers (10.5.10.0/24): TCP to the listed ports and all UDP get
# routing mark "vpn_ian". TCP port 53 and most ports above 1028 are left alone.
# NOTE(review): the only VPN route in this export uses routing-mark=vpn, not
# vpn_ian. With no route carrying the vpn_ian mark, marked traffic presumably
# falls back to the main table and leaves via WAN1 instead of the tunnel -
# confirm and make the mark names match.
add action=mark-routing chain=prerouting dst-port=\
1-52,54-1028,3478,3479,5228,8888 new-routing-mark=vpn_ian passthrough=no \
protocol=tcp src-address=10.5.10.0/24
add action=mark-routing chain=prerouting new-routing-mark=vpn_ian \
passthrough=no protocol=udp src-address=10.5.10.0/24
/ip firewall nat
# Disabled placeholder rule created by the hotspot setup.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Masquerade everything leaving through WAN1 or the PPTP tunnel.
add action=masquerade chain=srcnat comment=WAN1 out-interface=ether1-WAN1
add action=masquerade chain=srcnat comment=VPN out-interface=VPN
# Local hotspot accounts and the web proxy. Passwords do not appear in this
# export (presumably stripped by hide-sensitive).
/ip hotspot user
# Accounts limited to 3 GB / 6 h and tied to a MAC address. A MAC binding can
# be copied by another client, so it does not replace a strong password.
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
70:8F:47:2D:B0:73 name=emem
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
20:31:1C:E4:4C:F3 name=macmac
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
6C:D9:4C:FF:5B:CD name=patrick
# The remaining accounts carry no byte or uptime limit; oneil is tied to an
# address (172.16.61.254) outside every subnet configured in this export.
add address=172.16.61.254 name=oneil
add limit-bytes-total=3000000000 limit-uptime=6h mac-address=\
08:FA:79:DF:64:D3 name=talin
add name=bebe9365
add name=rose532
add mac-address=00:27:15:52:34:A1 name=ron1
/ip proxy
# NOTE(review): the proxy is enabled and, with no input-chain filter in this
# export, its port is presumably reachable from WAN1. The access rule below
# denies every destination except 192.168.175.1, which limits abuse, but the
# listener should still be filtered on the WAN side or disabled if unused.
set cache-path=flash/webproxy enabled=yes max-cache-size=none
/ip proxy access
# Deny all requests whose destination host is not 192.168.175.1 (an address
# that is not assigned to the router in this export).
add action=deny dst-host=!192.168.175.1
# Static routes and routing rules.
/ip route
# Default route for traffic marked "vpn" via the PPTP interface. The mangle
# rules in this export mark traffic "vpn_ian", so this route matches none of it.
add comment=VPN distance=2 gateway=VPN routing-mark=vpn
add comment=WAN2 disabled=yes distance=1 gateway=2.2.2.2 routing-mark=PL1
# Main default route through the upstream gateway on WAN1.
add comment=WAN1 distance=1 gateway=192.168.2.1
add comment=WAN1_A disabled=yes distance=1 dst-address=50.100.10.12/32 \
gateway=192.168.2.1
# dst-address is redacted (xx.xx); this line will not import as written.
add comment=WAN1_A disabled=yes distance=1 dst-address=xx.xx.104.116/32 \
gateway=192.168.2.1
/ip route rule
# Rules for marks RT-PL1 / RT-PL2; no mangle rule in this export sets those
# marks, and the only PL1 route is disabled, so these are presumably leftovers.
add dst-address=0.0.0.0/0 routing-mark=RT-PL1 src-address=0.0.0.0/0 table=PL1
add dst-address=0.0.0.0/0 routing-mark=RT-PL2 src-address=0.0.0.0/0 table=PL2
# Management services, RADIUS, clock and miscellaneous system settings.
/ip service
# NOTE(review): only telnet and api-ssl are disabled. ftp, ssh and api are not
# mentioned, so they keep the device defaults (normally enabled) - check with
# "/ip service print". No service has an address= restriction, and this export
# has no input-chain filter, so www (82) and winbox (8292) are presumably
# reachable from WAN1. Moving ports is not access control: restrict each
# service with address=<management subnet> and filter the input chain.
set telnet disabled=yes
set www port=82
set winbox port=8292
set api-ssl disabled=yes
/port firmware
set ignore-directip-modem=yes
/ppp secret
# One PPPoE subscriber bound to the VIP profile; the password is not exported.
add comment=PAID1 name="reyes badette" profile="VIP 599 7MB" routes=PAID.1MO \
service=pppoe
/radius
# RADIUS server at 192.168.87.1, the router's own address on bridge "userman".
# service=login means router logins are also checked against RADIUS, not only
# hotspot users - confirm that is intended. The shared secret is not exported.
add address=192.168.87.1 service=login,hotspot
/system clock
set time-zone-autodetect=no
/system clock manual
set time-zone=+08:00
/system ntp client
# Accurate time matters here: the hotspot expiry schedulers and log timestamps
# depend on the system clock.
set enabled=yes server-dns-names=asia.pool.ntp.org
/system watchdog
# Watchdog reboot and automatic supout generation are both turned off.
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
# The server is disabled; authenticate=no only matters if it is re-enabled.
set authenticate=no enabled=no
/tool sms
set port=usb1
For the router to respond to ping, this rule must be present in your firewall filter rules:
# Accepts every ICMP packet addressed to the router itself (input chain).
# Rule order matters: it only has an effect if it sits above any input-chain
# rule that would drop the packet. With an empty filter table the router
# already accepts all input, ICMP included.
/ip firewall filter
add action=accept chain=input comment="accept ICMP" protocol=icmp
What do you mean when you say you can ping your gateway? Is this from the internal network?
I don't have a firewall.
I don't know what the problem is.
If you don't have a firewall, you have a problem. But I doubt you don't have one. Perhaps you can share your current configuration?
# Writes the configuration to a file with passwords and keys left out.
# hide-sensitive does not remove user names, MAC addresses, host names or
# public IP addresses - review the file and redact those before posting it.
/export hide-sensitive file=anynameyoulike