MikroTik script to separate CCTV, NVR, NAS, and Web server


# ============================
# 1) Optional reset (CAUTION: this will erase the configuration if uncommented)
# ============================
# /system reset-configuration no-defaults=yes skip-backup=yes

# ============================
# 2) Basic: create the bridge and assign ports
# ============================
/interface bridge
add name=br-upstream-lan comment="Bridge for Router A/B/C WAN links"

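# add ether2, ether3, ether4 to the bridge
# Note: ports in one bridge are switched at layer 2, so Router A/B/C can reach each
# other's WAN addresses directly; the forward rules below only see traffic that is
# routed through this router.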
/interface bridge port
add bridge=br-upstream-lan interface=ether2
add bridge=br-upstream-lan interface=ether3
add bridge=br-upstream-lan interface=ether4

# ============================
# 3) IP Addresses
# ============================
# WAN to the main router (Router Utama)
/ip address
add address=192.168.0.2/24 interface=ether1 comment="WAN to Router Utama (gateway 192.168.0.1)"

# Bridge IP that serves as the gateway for the Router A/B/C WANs
add address=192.168.1.1/24 interface=br-upstream-lan comment="LAN to Router A/B/C (their WANs)"

# (Optional) local IP on another interface if needed, for example for management
# add address=192.168.254.1/24 interface=ether5 comment="management LAN"

# ============================
# 4) Static routes to the subnets behind Router A/B/C
# ============================
/ip route
# Route to the CCTV network (Router A)
add dst-address=192.168.2.0/24 gateway=192.168.1.2 comment="Route to CCTV (via Router A)"
# Route to the Server network (Router B)
add dst-address=192.168.3.0/24 gateway=192.168.1.3 comment="Route to Servers (via Router B)"
# Route to the User network (Router C)
add dst-address=192.168.4.0/24 gateway=192.168.1.4 comment="Route to Users (via Router C)"
# Default route via upstream router
add dst-address=0.0.0.0/0 gateway=192.168.0.1 comment="Default route to Internet"

# ============================
# 5) Firewall: allow established/related first
# ============================
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="allow established/related"

# Allow router itself to access DNS/WWW if needed
add chain=input connection-state=established,related action=accept comment="input established"

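# Allow Winbox/SSH to the MikroTik from the admin network (optional - adjust src)
# Note: the input chain has no final drop rule, so these accepts do not by
# themselves restrict access from other sources.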
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 src-address=192.168.1.0/24 comment="allow Winbox from upstream LAN"
add chain=input action=accept protocol=tcp dst-port=22 src-address=192.168.1.0/24 comment="allow SSH from upstream LAN"

# ============================
# 6) Firewall: allow required internal flows (policy from plan)
# - NVR (192.168.3.3) <-> CCTV (192.168.2.0/24)
# - NVR (192.168.3.3) -> NAS (192.168.3.4)
# - Users (192.168.4.0/24) -> Servers (192.168.3.0/24)
# - Block Users -> CCTV (optional)
# ============================

# Allow NVR to access all CCTV subnet (ONVIF/RTSP etc)
add chain=forward src-address=192.168.3.3 dst-address=192.168.2.0/24 action=accept comment="Allow NVR -> CCTV (ONVIF/RTSP)"

# Allow CCTV -> NVR. Replies to NVR-initiated connections are already handled by the
# established/related rule; this rule additionally lets cameras open new connections to the NVR.
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.3.3 action=accept comment="Allow CCTV -> NVR replies"

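# Allow NVR -> NAS (mounting NFS/SMB, write video)
# Both hosts are in 192.168.3.0/24 behind Router B, so this traffic normally never
# reaches this router's forward chain.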
add chain=forward src-address=192.168.3.3 dst-address=192.168.3.4 action=accept comment="Allow NVR -> NAS"

# Allow Users -> Servers (NVR/NAS/Web)
/ip firewall filter
add chain=forward src-address=192.168.4.0/24 dst-address=192.168.3.0/24 action=accept comment="Allow Users -> Servers"

# Optional: block Users -> CCTV
add chain=forward src-address=192.168.4.0/24 dst-address=192.168.2.0/24 action=drop comment="Block Users -> CCTV (optional)"

# Optional: restrict other inter-LAN traffic.
# The rule below blocks only CCTV -> Users. It is not a general deny-by-default:
# a flow that matches no rule is still forwarded.
# Be careful: a drop blocks other flows too; ensure allowed rules are placed before it.
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.4.0/24 action=drop comment="Block CCTV -> Users (if desired)"
# You can add more specific allow rules above this line if needed

# NOTE: order matters — accept rules should be above drops. RouterOS processes top->bottom.

# ============================
# 7) NAT - masquerade ONLY outgoing Internet via ether1
# ============================
/ip firewall nat
# Masquerade for Internet only
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT for internet"

# IMPORTANT: no NAT for internal subnets (we let routing handle internal communication)

# ============================
# 8) DNS static names for convenience
# ============================
/ip dns static
add name="nvr.local" address=192.168.3.3
add name="nas.local" address=192.168.3.4
add name="web.local" address=192.168.3.2

# Optionally set DNS servers for Mikrotik itself (use upstream or public)
# /ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes

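# ============================
# 9) (Optional) Logging / Safe defaults
# ============================
# minimal input protection
# Switch back to the filter menu: the previous section left the console in /ip dns static.
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="drop invalid input"
add chain=forward connection-state=invalid action=drop comment="drop invalid forward"
# These two rules are appended after the accept rules above. Move them up so that
# invalid packets are dropped before any address-based accept can match.

# (Optional) allow ICMP to the router (this rule accepts ping; it does not rate-limit)
add chain=input protocol=icmp action=accept comment="allow ping to router"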

# ============================
# 10) Finish / notes
# ============================
/system scheduler
add name=note-mikrotik-config start-date=jan/01/1970 start-time=00:00:00 interval=0:00:00:00 on-event="/log info message=\"Mikrotik config loaded (custom script)\""
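
The rule-order note in section 6 can be checked offline. The following is an added example, not part of the original script: a first-match evaluator over the script's forward rules for new connections, listing the flows that are forwarded only because no rule matched. It assumes Router A/B/C route without NAT so source addresses are preserved; the camera, user and internet addresses and the final rule in `HARDENED` are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# (src, dst, action) in the order the script adds them to chain=forward.
FORWARD_RULES = [
    ("192.168.3.3",    "192.168.2.0/24", "accept"),  # Allow NVR -> CCTV
    ("192.168.2.0/24", "192.168.3.3",    "accept"),  # Allow CCTV -> NVR
    ("192.168.3.3",    "192.168.3.4",    "accept"),  # Allow NVR -> NAS
    ("192.168.4.0/24", "192.168.3.0/24", "accept"),  # Allow Users -> Servers
    ("192.168.4.0/24", "192.168.2.0/24", "drop"),    # Block Users -> CCTV
    ("192.168.2.0/24", "192.168.4.0/24", "drop"),    # Block CCTV -> Users
]
# Hypothetical hardening: one final drop for anything between private subnets.
HARDENED = FORWARD_RULES + [("192.168.0.0/16", "192.168.0.0/16", "drop")]

# web/nvr/nas are from the script; camera, user and internet are constructed.
HOSTS = {
    "camera": "192.168.2.20", "web": "192.168.3.2", "nvr": "192.168.3.3",
    "nas": "192.168.3.4", "user": "192.168.4.10", "internet": "203.0.113.10",
}

def evaluate(rules, src, dst):
    """Return (action, rule_index); rule_index is None when no rule matched."""
    s, d = ip_address(src), ip_address(dst)
    for i, (rsrc, rdst, action) in enumerate(rules):
        if s in ip_network(rsrc) and d in ip_network(rdst):
            return action, i
    return "accept", None  # a RouterOS chain with no matching rule accepts

def same_lan(src, dst):
    """Hosts in one /24 talk directly and never cross the router."""
    return ip_address(dst) in ip_network(src + "/24", strict=False)

def implicit_accepts(rules):
    """Host pairs whose new connections pass only via the default accept."""
    pairs = []
    for a, src in HOSTS.items():
        for b, dst in HOSTS.items():
            if a in (b, "internet") or same_lan(src, dst):
                continue
            if evaluate(rules, src, dst)[1] is None:
                pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    for name, rules in (("script", FORWARD_RULES), ("hardened", HARDENED)):
        for src, dst in implicit_accepts(rules):
            print(f"{name}: {src} -> {dst} forwarded by default")
```

With the script's rules, camera -> nas and web -> user are among the flows forwarded by default; with the added final drop only the flows to the internet remain.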


















