# model: CCR2004-16G-2S+ # serial-number: HJF0AV5PK3Y # firmware-type: al64 # current-firmware: 7.19.1 # installed-version: 7.19.1 # Flags: U - UNDOABLE # Columns: ACTION, BY, POLICY, TIME # ACTION BY POLICY TIME # U dhcp server dhcp6 added daniel write 2025-12-02 07:36:21 # U dhcp network added daniel write 2025-12-02 07:36:21 # U pool dhcp_pool6 added daniel write 2025-12-02 07:36:21 # U address added daniel write 2025-12-02 07:36:10 # U bridge port changed daniel write 2025-12-02 07:35:51 # U dhcp server dhcp3 changed daniel write 2025-12-02 07:35:42 # U dhcp server dhcp6 removed daniel write 2025-12-02 07:35:36 # U dhcp server dhcp6 added daniel write 2025-12-02 07:35:08 # U dhcp network added daniel write 2025-12-02 07:35:08 # U pool dhcp_pool5 added daniel write 2025-12-02 07:35:08 # U item changed daniel write 2025-12-02 07:34:29 # U bridge port added daniel write 2025-12-02 07:34:18 # U bridge port changed daniel write 2025-12-02 06:15:10 # U item changed daniel write 2025-12-02 06:15:04 # U nat rule added daniel write 2025-11-13 10:59:10 # U dhcp server dhcp5 added daniel write 2025-11-12 08:59:24 # U dhcp network added daniel write 2025-11-12 08:59:24 # U pool dhcp_pool4 added daniel write 2025-11-12 08:59:24 # U address added daniel write 2025-11-12 08:59:12 # U device added daniel write 2025-11-12 08:59:00 # U item added daniel write 2025-11-12 08:58:46 # U changed snmp settings daniel write 2025-09-30 11:38:24 # U item changed daniel write 2025-09-30 11:38:22 # U item changed daniel write 2025-09-30 11:38:21 # U item removed daniel write 2025-09-30 11:38:18 # U dhcp server dhcp4 added daniel write 2025-09-15 12:01:36 # U dhcp network added daniel write 2025-09-15 12:01:36 # U pool dhcp_pool3 added daniel write 2025-09-15 12:01:36 # U address added daniel write 2025-09-15 12:01:23 # U item added daniel write 2025-09-15 12:01:12 # U device added daniel write 2025-09-15 12:01:04 # U nat rule changed daniel write 2025-09-11 09:34:40 # U nat rule added 
daniel write 2025-09-11 09:29:39 # U simple queue removed daniel write 2025-09-08 12:38:38 # U simple queue removed daniel write 2025-09-08 12:38:36 # U item added daniel write 2025-09-04 12:12:49 # U address added daniel write 2025-09-04 12:11:48 # U device added daniel write 2025-09-04 12:11:18 # U simple queue changed daniel write 2025-09-01 14:19:30 # U simple queue changed daniel write 2025-09-01 14:16:51 # U device changed daniel write 2025-08-27 16:43:26 # U device changed daniel write 2025-08-27 16:43:23 # U device changed daniel write 2025-08-27 16:43:21 # U device changed daniel write 2025-08-27 16:43:18 # U device changed daniel write 2025-08-27 16:43:12 # U device changed daniel write 2025-08-27 16:42:44 # U device changed daniel write 2025-08-27 16:42:35 # U device changed daniel write 2025-08-27 16:42:32 # U device changed daniel write 2025-08-27 16:42:29 # U device changed daniel write 2025-08-27 16:42:27 # U device changed daniel write 2025-08-27 16:42:24 # U device changed daniel write 2025-08-27 16:42:21 # U device changed daniel write 2025-08-27 16:42:19 # U device changed daniel write 2025-08-27 16:42:16 # U device changed daniel write 2025-08-27 16:42:12 # U device changed daniel write 2025-08-27 16:42:09 # U device changed daniel write 2025-08-27 16:42:06 # U device changed daniel write 2025-08-27 16:42:04 # U device changed daniel write 2025-08-27 16:42:00 # U device changed daniel write 2025-08-27 16:41:57 # U device changed daniel write 2025-08-27 16:41:51 # U device changed daniel write 2025-08-27 16:41:33 # U queue type changed daniel write 2025-08-19 12:08:49 # U traffic generator stream changed daniel write 2025-08-19 11:57:11 # U traffic generator stream changed daniel write 2025-08-19 11:57:02 # U traffic generator packet template added daniel write 2025-08-19 11:55:10 # U simple queue changed daniel write 2025-08-19 07:28:28 # U address list entry added daniel write 2025-07-28 09:28:35 # U traffic generator stream changed daniel 
write 2025-07-27 14:39:03 # U traffic generator stream changed daniel write 2025-07-27 14:38:59 # U traffic generator stream added daniel write 2025-07-27 14:38:47 # U traffic generator packet template changed daniel write 2025-07-27 14:38:13 # U traffic generator packet template changed daniel write 2025-07-27 14:37:43 # U traffic generator packet template changed daniel write 2025-07-27 14:36:37 # U traffic generator packet template changed daniel write 2025-07-27 14:36:24 # U traffic generator packet template added daniel write 2025-07-27 14:35:23 # U device removed daniel write 2025-07-26 10:22:15 # U route 0.0.0.0/0 removed daniel write 2025-07-26 09:07:52 # U nat rule added daniel write 2025-07-26 09:07:32 # U device changed daniel write 2025-07-26 08:40:31 # U nat rule changed daniel write 2025-07-26 08:40:22 # U interface list member added daniel write 2025-07-26 08:40:12 # U interface list added daniel write 2025-07-26 08:40:06 # U route 0.0.0.0/0 added daniel write 2025-07-26 08:39:57 # U address changed daniel write 2025-07-26 08:39:20 # U address changed daniel write 2025-07-26 08:39:17 # U address added daniel write 2025-07-26 08:39:12 # U filter rule changed daniel write 2025-07-26 08:37:45 # U filter rule changed daniel write 2025-07-26 08:37:45 # U filter rule changed daniel write 2025-07-26 08:37:45 # U filter rule changed daniel write 2025-07-26 08:37:45 # U dhcp network changed daniel write 2025-07-26 07:55:40 # U dhcp network changed daniel write 2025-07-26 07:55:23 # U dns changed daniel write 2025-07-26 07:55:13 # U dhcp network changed daniel write 2025-07-26 07:55:09 # U filter rule changed daniel write 2025-07-26 07:50:48 # U address list entry added daniel write 2025-07-26 07:38:40 # U user valvenetworks added daniel write 2025-07-26 07:36:26 # policy # U dhcp server dhcp3 added daniel write 2025-07-25 10:58:20 # U dhcp network added daniel write 2025-07-25 10:58:20 # # software id = 9SK1-MPQ6 # # model = CCR2004-16G-2S+ # serial number = 
HJF0AV5PK3Y
# ^ wrapped tail of the export header's "# serial number =" comment line.
#
# RouterOS configuration export for a CCR2004 router: one VLAN-filtering
# bridge, per-VLAN addressing and DHCP, input-chain firewall, NAT, SNMP,
# RADIUS login, remote syslog, RoMON and a traffic-generator setup.
#
# NOTE(review): this export carries secrets in cleartext (SNMP community,
# RADIUS shared secret, RoMON secret). Treat them as disclosed and rotate
# them. Prefer exports without sensitive values for anything that is shared.
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=9200 mtu=9000
set [ find default-name=ether2 ] l2mtu=9200 mtu=9000
set [ find default-name=ether3 ] l2mtu=9200 mtu=9000
set [ find default-name=ether4 ] l2mtu=9200 mtu=9000
set [ find default-name=ether5 ] l2mtu=9200 mtu=9000
set [ find default-name=ether6 ] l2mtu=9200 mtu=9000
set [ find default-name=ether7 ] l2mtu=9200 mtu=9000
set [ find default-name=ether8 ] l2mtu=9200 mtu=9000
set [ find default-name=ether9 ] l2mtu=9200 mtu=9000
set [ find default-name=ether10 ] l2mtu=9200 mtu=9000
set [ find default-name=ether11 ] l2mtu=9200 mtu=9000
set [ find default-name=ether12 ] l2mtu=9200 mtu=9000
set [ find default-name=ether13 ] l2mtu=9200 mtu=9000
set [ find default-name=ether14 ] l2mtu=9200 mtu=9000
set [ find default-name=ether15 ] l2mtu=9200 mtu=9000
set [ find default-name=ether16 ] l2mtu=9200 mtu=9000
set [ find default-name=sfp-sfpplus1 ] l2mtu=9200 mtu=9000
set [ find default-name=sfp-sfpplus2 ] l2mtu=9200 mtu=9000
/interface vlan
add interface=bridge mtu=9000 name=BR.VL5 vlan-id=5
add interface=bridge name=BR.VL90 vlan-id=90
add interface=bridge mtu=9000 name=BR.VL91 vlan-id=91
add interface=bridge name=BR.VL141 vlan-id=141
add interface=bridge name=BR.VL142 vlan-id=142
add interface=bridge mtu=9000 name=BR.VL401 vlan-id=401
add interface=bridge mtu=9000 name=BR.VL3000 vlan-id=3000
/interface list
add name=WAN
/ip pool
add name=dhcp_pool0 ranges=10.7.91.2-10.7.91.254
add name=dhcp_pool1 ranges=10.4.4.2-10.4.4.254
add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool3 ranges=192.168.142.2-192.168.142.254
add name=dhcp_pool4 ranges=192.168.90.2-192.168.90.254
# NOTE(review): dhcp_pool5 is not referenced by any DHCP server in this export.
add name=dhcp_pool5 ranges=172.16.7.2-172.16.7.254
add name=dhcp_pool6 ranges=10.7.90.2-10.7.90.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=BR.VL91 name=dhcp1
add address-pool=dhcp_pool1 interface=BR.VL401 name=dhcp2
add address-pool=dhcp_pool2 disabled=yes interface=ether10 name=dhcp3
add address-pool=dhcp_pool3 interface=BR.VL142 name=dhcp4
add address-pool=dhcp_pool4 interface=BR.VL90 name=dhcp5
add address-pool=dhcp_pool6 interface=ether14 name=dhcp6
/port
set 0 name=serial0
/queue type
set 9 pfifo-limit=500
/snmp community
# NOTE(review): only the name of the default community is changed here; no
# address restriction on the community is visible in this export. The same
# string is reused as the RADIUS shared secret under /radius below. Use
# distinct values and limit the community to the poller addresses.
set [ find default=yes ] name=CFNCOM
/system logging action
# Remote log target; the /system logging rules further down send the info,
# warning, error and critical topics to it.
add name=Syslog remote=172.16.0.254 target=remote
/interface bridge port
add bridge=bridge interface=ether1 pvid=5
add bridge=bridge interface=sfp-sfpplus1
# This port entry is disabled; ether14 instead carries its own address
# (10.7.90.1/24) and DHCP server (dhcp6) elsewhere in the export.
add bridge=bridge disabled=yes interface=ether14 pvid=5
/ip neighbor discovery-settings
# NOTE(review): discovery is allowed on every non-dynamic interface. BR.VL3000
# is a member of the WAN list, so presumably discovery also runs on the uplink
# and announces identity and version there - confirm, and consider limiting
# discovery to an internal interface list.
set discover-interface-list=!dynamic
/interface bridge vlan
# ether14 not a bridge port
# (The line above is the export's own warning: the VLAN 5 entry still lists
# ether14 as untagged although its bridge port entry is disabled.)
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether1,ether14 vlan-ids=5
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=91
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=3000
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=401
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=141
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=142
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=90
/interface list member
add interface=BR.VL3000 list=WAN
/interface ovpn-server server
# NOTE(review): confirm whether this OpenVPN server instance is enabled; the
# export shows no certificate or cipher settings and no filter rule for it.
add mac-address=FE:EB:41:C9:D9:EE name=ovpn-server1
/ip address
# NOTE(review): BR.VL5 is addressed as a /16 here, while the matching DHCP
# network below is 172.16.7.0/24 - confirm which prefix length is intended.
add address=172.16.7.1/16 interface=BR.VL5 network=172.16.0.0
add address=10.7.91.1/24 interface=BR.VL91 network=10.7.91.0
add address=10.4.4.1/24 interface=BR.VL401 network=10.4.4.0
add address=192.168.88.1/24 interface=ether10 network=192.168.88.0
add address=103.67.56.102/30 interface=BR.VL3000 network=103.67.56.100
add address=103.67.56.133/30 interface=BR.VL141 network=103.67.56.132
add address=192.168.142.1/24 interface=BR.VL142 network=192.168.142.0
add address=192.168.90.1/24 interface=BR.VL90 network=192.168.90.0
add address=10.7.90.1/24 interface=ether14 network=10.7.90.0
/ip dhcp-server network
add address=10.4.4.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.4.4.1
add address=10.7.90.0/24 gateway=10.7.90.1
add address=10.7.91.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.7.91.1
add address=172.16.7.0/24 gateway=172.16.7.1
add address=192.168.88.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1
add address=192.168.90.0/24 gateway=192.168.90.1
add address=192.168.142.0/24 gateway=192.168.142.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# arriving on any interface. Every drop rule in the input chain below is
# disabled, so nothing in this export stops queries from the WAN side
# (open-resolver exposure). Either turn this off or make sure an active input
# drop covers port 53 from untrusted sources.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# Several entries are DNS names, so membership of TrustedIPs follows whatever
# those names resolve to. The first input rule accepts all traffic from
# TrustedIPs, which makes control of these DNS records equivalent to
# management access to the router.
add address=acl.watti.tools comment="Daniel's ACL" list=TrustedIPs
add address=acl.manisp.au comment="ManISP's ACL" list=TrustedIPs
add address=acl.corefibre.com.au comment="CoreFibre ACL" list=TrustedIPs
add address=10.254.0.0/16 comment=Superset list=TrustedIPs
add address=172.31.255.0/24 comment=172.31.255.0/24 list=TrustedIPs
add address=acl.watti.tools list=list-NTP-Targets
add address=acl.watti.tools list=list-DNS-Targets
add address=172.31.255.0/24 list=list-SSH-Targets
add address=172.31.255.0/24 list=list-SNMP-Targets
add address=172.31.255.0/24 list=list-HTTP-Targets
add address=172.31.255.0/24 list=list-HTTPS-Targets
add address=acl.watti.tools list=list-Winbox-Targets
add address=172.31.255.0/24 list=list-Winbox-Targets
# 10.0.0.0/8 also contains the DHCP client ranges served by this router
# (10.4.4.0/24, 10.7.90.0/24, 10.7.91.0/24), so those clients are inside
# list-RADIUS-Targets and, further down, list-SSH-Targets.
add address=10.0.0.0/8 list=list-RADIUS-Targets
add address=172.16.0.0/24 list=list-Core-Interconnects
# NOTE(review): list-Loopback-Address is filled from the same DNS name as the
# trusted ACL - confirm that this is intended for the IBGP destination match.
add address=acl.watti.tools list=list-Loopback-Address
add address=10.0.0.0/8 list=list-SSH-Targets
add address=103.248.50.138 list=list-GRE-Targets
add address=103.248.50.204 list=list-SNMP-Targets
add address=103.248.50.204 list=list-SSH-Targets
add address=103.96.6.254 comment=acl.watti.tools list=TrustedIPs
add address=43.224.182.114 list=list-SNMP-Targets
/ip firewall filter
# Input chain. Rule order matters: the first matching rule wins, and a packet
# that matches no rule is accepted, because RouterOS chains default to accept.
#
# NOTE(review): all three drop rules at the end of this chain carry
# disabled=yes, so the accept rules and their source lists do not restrict
# anything at the moment. Services left enabled under /ip service (ssh and
# winbox are not disabled there) are therefore reachable from any source,
# including the WAN address. Re-enable a final drop after verifying that
# management access through TrustedIPs works, preferably in Safe Mode.
#
# NOTE(review): no chain=forward rule exists in this export, so traffic routed
# between the VLANs and to or from the WAN is not filtered.
#
# Accepts everything from TrustedIPs, so the later service-specific rules that
# also match on TrustedIPs (SSH, SNMP, Winbox) are never reached by those
# sources.
add action=accept chain=input comment=TrustedIPs src-address-list=TrustedIPs
add action=accept chain=input comment="Permit Established, Related" connection-state=established,related
# ICMP within the limit goes to the ICMP chain; packets over the limit fall
# through to the rules below.
add action=jump chain=input comment="Shape ICMP Chain & Jump" jump-target=ICMP limit=512k,512k:bit protocol=icmp
add action=accept chain=input comment="Permit UDP Traceroute" limit=512k,512k:bit log-prefix=Accepted-Traceroute port=33434-33534 protocol=udp
# The limit= matchers on the accept rules only shape traffic when an active
# drop rule follows; without one, packets over the limit are accepted by the
# chain default.
add action=accept chain=input comment="Permit NTP" dst-port=123 limit=2M,2M:bit log-prefix=Accepted-NTP protocol=udp src-address-list=list-NTP-Targets
add action=accept chain=input comment="Permit DNS" limit=10M,10M:bit log-prefix=Accepted-DNS port=53 protocol=udp src-address-list=list-DNS-Targets
add action=accept chain=input comment="Permit SSH" dst-port=22 limit=10M,10M:bit log-prefix=Accepted-SSH protocol=tcp src-address-list=list-SSH-Targets
add action=accept chain=input comment="Permit SSH" dst-port=22 limit=10M,10M:bit log-prefix=Accepted-SSH protocol=tcp src-address-list=TrustedIPs
add action=accept chain=input comment="Permit SNMP" dst-port=161 limit=2M,2M:bit log-prefix=Accepted-SNMP protocol=udp src-address-list=list-SNMP-Targets
add action=accept chain=input comment="Permit SNMP" dst-port=161 limit=2M,2M:bit log-prefix=Accepted-SNMP protocol=udp src-address-list=TrustedIPs
# www is disabled under /ip service, so the HTTP rule has no listener behind
# it in this export.
add action=accept chain=input comment="Permit HTTP" dst-port=80 limit=10M,10M:bit log-prefix=Accepted-HTTP protocol=tcp src-address-list=list-HTTP-Targets
add action=accept chain=input comment="Permit HTTPS" dst-port=443 limit=10M,10M:bit log-prefix=Accepted-HTTPS protocol=tcp src-address-list=list-HTTPS-Targets
add action=accept chain=input comment="Permit Winbox" dst-port=8291 limit=10M,10M:bit log-prefix=Accepted-Winbox protocol=tcp src-address-list=list-Winbox-Targets
add action=accept chain=input comment="Permit Winbox" dst-port=8291 limit=10M,10M:bit log-prefix=Accepted-Winbox protocol=tcp src-address-list=TrustedIPs
add action=accept chain=input comment="Permit RADIUS" limit=10M,10M:bit log-prefix=Accepted-RADIUS port=1700 protocol=udp src-address-list=list-RADIUS-Targets
add action=accept chain=input comment="Permit RADIUS Incoming" limit=10M,10M:bit log-prefix=Accepted-RADIUS port=3799 protocol=udp src-address-list=list-RADIUS-Targets
add action=accept chain=input comment="Permit GRE" log-prefix=Accepted-GRE protocol=gre src-address-list=list-GRE-Targets
add action=accept chain=input comment="Permit BFD" limit=2M,2M:bit log-prefix=Accepted-BFD port=3784 protocol=udp src-address-list=list-Core-Interconnects
add action=accept chain=input comment="Permit OSPF" limit=2M,2M:bit log-prefix=Accepted-OSPF protocol=ospf src-address-list=list-Core-Interconnects
# The three BGP rules match on TTL only and carry no source address list;
# once a final drop is active they would still accept TCP/179 from any peer
# that presents a matching TTL.
add action=accept chain=input comment="Permit IBGP" dst-address-list=list-Loopback-Address limit=50M,50M:bit log-prefix=Accepted-IBGP port=179 protocol=tcp ttl=less-than:5
add action=accept chain=input comment="Permit Unprotected Direct EBGP" limit=10M,10M:bit log-prefix=Accepted-EBGP port=179 protocol=tcp ttl=equal:1
add action=accept chain=input comment="Permit RFC3682-Protected EBGP" limit=20M,20M:bit log-prefix=Accepted-RFC3682 port=179 protocol=tcp ttl=equal:255
# These two rules only record source addresses in address lists. With the
# matching drop rules disabled they act as detection, not enforcement.
add action=add-src-to-address-list address-list=list-SYN-Flooders address-list-timeout=30m chain=input comment="Restrict SYN Flooding" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=list-Port-Scanners address-list-timeout=1w chain=input comment="Restrict Port Scanning" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop SYN Flooders" disabled=yes src-address-list=list-SYN-Flooders
add action=drop chain=input comment="Drop Port Scanners" disabled=yes src-address-list=list-Port-Scanners
# NOTE(review): in-interface=*19 looks like a leftover internal ID of an
# interface that no longer exists, so this rule would not match the current
# uplink even if enabled. Point it at the intended interface or interface
# list (the WAN list exists above) before enabling it.
add action=drop chain=input comment="Drop Remaining Traffic" disabled=yes in-interface=*19
# ICMP chain, entered from the input-chain jump: a short allow-list of ICMP
# types followed by an active drop of everything else.
add action=drop chain=ICMP comment="Drop ICMP Fragments" disabled=yes fragment=yes protocol=icmp
add action=accept chain=ICMP comment="Permit Type 8 - Echo Request" icmp-options=8:0 protocol=icmp
add action=accept chain=ICMP comment="Permit Type 0 - Echo Reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Permit Type 11 - Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Permit Type 3 - Destination Unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment="Permit Type 3 - Path MTU Discovery" icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop Remaining ICMP Types" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# NOTE(review): the dst-nat rules match on protocol and port only - no
# in-interface-list, destination address or source list. Combined with the
# missing forward-chain filter, an internal HTTP service (TCP 880 -> port 80)
# and SNMP on two internal hosts (UDP 163 and 165 -> port 161) are reachable
# from any source. Scope them with in-interface-list=WAN and a
# src-address-list such as list-SNMP-Targets.
add action=dst-nat chain=dstnat dst-port=880 protocol=tcp to-addresses=10.4.4.196 to-ports=80
add action=dst-nat chain=dstnat dst-port=163 protocol=udp to-addresses=172.16.7.2 to-ports=161
add action=dst-nat chain=dstnat dst-port=165 protocol=udp to-addresses=192.168.90.254 to-ports=161
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=103.67.56.101 routing-table=main suppress-hw-offload=no
/ip service
# ftp, telnet, www, api and api-ssl are turned off. ssh and winbox are not
# listed, so presumably they stay enabled without an address= restriction -
# confirm, and restrict them to the management prefixes.
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/radius
# NOTE(review): RADIUS client for router logins (service=login). The shared
# secret is exported in cleartext and is the same string as the SNMP
# community name above.
add address=172.16.0.1 secret=CFNCOM service=login
/snmp
# SNMP agent enabled with trap-version=2, i.e. community-based traps without
# authentication or encryption.
set contact=noc@corefibre.com.au enabled=yes location=Melbourne,Australia trap-version=2
/system clock
# NOTE(review): the time zone is Asia/Shanghai while the SNMP location says
# Melbourne, Australia. Timestamps in the logs and in the change history
# follow this setting - confirm the zone before correlating events.
set time-zone-name=Asia/Shanghai
/system identity
set name=CR01.2SB.GPT.CoreFibre.com.au
/system logging
add action=Syslog topics=info
add action=Syslog topics=warning
add action=Syslog topics=error
add action=Syslog topics=critical
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=172.16.0.1
/system routerboard settings
set enter-setup-on=delete-key
/tool romon
# NOTE(review): RoMON is enabled with a short secret and no per-port settings
# are visible in this export. RoMON provides layer-2 management reachability
# between participating devices, so use a long random secret and restrict the
# participating interfaces under /tool romon port.
set enabled=yes secrets=CFN
/tool traffic-generator packet-template
add interface=BR.VL5 ip-dst=172.16.7.1 ip-gateway=172.16.0.1 mac-dst=78:9A:18:5A:B0:D4/FF:FF:FF:FF:FF:FF name=packet-template1 udp-dst-port=3000-4000 udp-src-port=1000-2000
add data=random name=random-template
/tool traffic-generator stream
# Test stream left in the configuration (50 Mbps, 1500-byte random packets);
# remove it once testing is finished.
add mbps=50 name=str1 packet-size=1500 tx-template=random-template