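# model: CCR1009-7G-1C-1S+
# serial-number: REDACTED
# firmware-type: tilegx
# current-firmware: 7.16.2
# installed-version: 7.18.2
#
# software id = REDACTED
#
# model = CCR1009-7G-1C-1S+
# serial number = REDACTED
#
# NOTE(review): this export was produced with sensitive values shown. All
# credentials (PPPoE client passwords, the PPP secret, the RoMON secret and
# the SNMP community string) have been replaced with REDACTED below; fill
# them in from a secret store before importing. The device serial and
# software id were masked for the same reason.

/interface bridge
# VLAN-filtering bridge; the bridge interface itself is a tagged member of
# every VLAN below (the "bridge" entry in each /interface bridge vlan row).
add ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes

/interface ethernet
# Jumbo frames on every port (l2mtu 9200 / ip mtu 9000).
set [ find default-name=combo1 ] l2mtu=9200 mtu=9000
set [ find default-name=ether1 ] l2mtu=9200 mtu=9000
set [ find default-name=ether2 ] l2mtu=9200 mtu=9000
set [ find default-name=ether3 ] l2mtu=9200 mtu=9000
set [ find default-name=ether4 ] l2mtu=9200 mtu=9000
set [ find default-name=ether5 ] l2mtu=9200 mtu=9000
set [ find default-name=ether6 ] l2mtu=9200 mtu=9000
set [ find default-name=ether7 ] l2mtu=9200 mtu=9000
set [ find default-name=sfp-sfpplus1 ] l2mtu=9200 mtu=9000

/interface vlan
# Router-side L3 interfaces, one per bridge VLAN.
add interface=bridge mtu=9000 name=BR.VL5 vlan-id=5
add interface=bridge mtu=9000 name=BR.VL10 vlan-id=10
add interface=bridge mtu=9000 name=BR.VL11 vlan-id=11
add interface=bridge mtu=9000 name=BR.VL12 vlan-id=12
add interface=bridge mtu=9000 name=BR.VL42 vlan-id=42
add interface=bridge mtu=9000 name=BR.VL99 vlan-id=99
add interface=bridge mtu=9000 name=BR.VL442 vlan-id=442
add interface=bridge mtu=9000 name=BR.VL502 vlan-id=502
add interface=bridge mtu=9000 name=BR.VL3000 vlan-id=3000
# QinQ: VLAN 360 carried inside S-VLAN 3000 (used by pppoe-out2 below).
add interface=BR.VL3000 mtu=9000 name=BR.VL3000.VL360 vlan-id=360

/interface pppoe-client
# NOTE(review): pppoe-out1 is exported without disabled=no, so it is
# presumably disabled and pppoe-out2 (distance 2) is the active uplink --
# confirm on the device before relying on either as "the WAN".
add add-default-route=yes interface=BR.VL10 name=pppoe-out1 password=REDACTED user=360elizabeth@nbn.truetelco.com.au
add add-default-route=yes default-route-distance=2 disabled=no interface=BR.VL3000.VL360 name=pppoe-out2 password=REDACTED user=360e-headend@nbn.truetelco.com.au

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool1 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool2 ranges=192.168.99.111-192.168.99.119
add name=dhcp_pool3 ranges=10.44.2.2-10.44.2.254
add name=dhcp_pool4 ranges=10.50.2.2-10.50.2.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=BR.VL11 lease-time=10m name=dhcp1
add address-pool=dhcp_pool1 interface=BR.VL12 lease-time=10m name=dhcp2
add address-pool=dhcp_pool2 interface=BR.VL99 lease-time=10m name=dhcp3
add address-pool=dhcp_pool3 interface=BR.VL442 name=dhcp4
add address-pool=dhcp_pool4 interface=BR.VL502 name=dhcp5

/ip smb users
set [ find default=yes ] disabled=yes

/port
set 0 name=serial0
set 1 name=serial1

/routing bgp template
set default disabled=no output.network=bgp-networks

/routing ospf instance
add disabled=no name=default-v2

/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

/snmp community
# NOTE(review): a v2c community reachable from ::/0. The only thing limiting
# who can use it is the "Permit SNMP" input rules, and the input chain has
# no active default drop (see /ip firewall filter). Restrict addresses= to
# the poller range(s) so the community is not the sole control.
add addresses=::/0 name=REDACTED

/system logging action
# Plain UDP syslog to the NOC collector, sourced from the VL5 address.
add name=Syslog remote=172.16.0.250 src-address=172.16.4.1 target=remote

/interface bridge port
# Trunk toward the upstream switch; tagged member of every VLAN below.
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 multicast-router=disabled path-cost=10
# Access port on VLAN 99. The export had ingress-filtering=no here, which on
# a vlan-filtering bridge lets a host on ether7 inject tagged frames into any
# VLAN that exists in the table (VLAN hopping). ether7 is only an untagged
# member of VLAN 99, so enforce that: drop tagged ingress and check
# membership on ingress.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 internal-path-cost=10 path-cost=10 pvid=99

/ip firewall connection tracking
set udp-timeout=10s

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192 soft-max-neighbor-entries=8191

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=11
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=12
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether7 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=42
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=3000
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=5
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=442
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=502

/interface ovpn-server server
# md5 removed from the accepted HMAC list (export had auth=sha1,md5). No
# enabled=yes is exported for this server, so it is presumably not running;
# confirm before assuming the change is a no-op.
add auth=sha1 mac-address=FE:04:2E:AF:0A:94 name=ovpn-server1

/interface pppoe-server server
add disabled=no interface=BR.VL12 one-session-per-host=yes service-name=360E
add interface=BR.VL42 one-session-per-host=yes service-name=L42

/ip address
# NOTE(review): 192.168.88.1/24 on combo1 is the factory default config
# (comment=defconf). Remove it if combo1 is not in use -- it is not covered
# by any TrustedIPs entry and has no firewall protection of its own.
add address=192.168.88.1/24 comment=defconf interface=combo1 network=192.168.88.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=10.0.0.1/24 interface=ether6 network=10.0.0.0
add address=192.168.11.1/24 interface=BR.VL11 network=192.168.11.0
add address=192.168.12.1/24 interface=BR.VL12 network=192.168.12.0
add address=192.168.99.254/24 interface=BR.VL99 network=192.168.99.0
add address=103.67.56.6/30 interface=BR.VL42 network=103.67.56.4
add address=172.16.4.1/16 interface=BR.VL5 network=172.16.0.0
add address=10.44.2.1/24 interface=BR.VL442 network=10.44.2.0
add address=10.50.2.1/24 interface=BR.VL502 network=10.50.2.0

/ip dhcp-server lease
add address=10.44.2.10 mac-address=B0:26:28:50:5B:73 server=dhcp4
add address=10.44.2.11 mac-address=18:66:DA:85:5B:DE server=dhcp4

/ip dhcp-server network
add address=10.44.2.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.44.2.1
add address=10.50.2.0/24 dns-server=203.57.50.102,203.29.240.136 gateway=10.50.2.1
add address=192.168.11.0/24 dns-server=203.57.50.102,203.29.240.136 gateway=192.168.11.1
add address=192.168.12.0/24 dns-server=203.57.50.102,203.29.240.136 gateway=192.168.12.1
add address=192.168.99.0/24 dns-server=203.57.50.102,203.29.240.136 gateway=192.168.99.254

/ip dns
# Resolver only; allow-remote-requests is not set, so the router does not
# answer DNS for clients.
set servers=203.57.50.102,203.29.240.136

/ip firewall address-list
# TrustedIPs: management sources. The DNS-name entries are resolved by the
# router and refreshed per their TTL, so DNS integrity for those names is
# part of the management trust boundary.
add address=acl.watti.tools comment="Daniel's ACL" list=TrustedIPs
add address=acl.manisp.au comment="ManISP's ACL" list=TrustedIPs
add address=tools.corefibre.com.au comment="CoreFibre's ACL" list=TrustedIPs
add address=172.16.0.0/16 comment="Internal Superset" list=TrustedIPs
add address=103.67.56.0/23 comment=CF-Superset list=TrustedIPs
add address=100.64.0.0/16 comment=CF-CGNat-Superset list=TrustedIPs
add address=172.31.255.0/24 comment=172.31.255.0/24 list=TrustedIPs
# Per-service target lists; all currently resolve to the internal /16.
add address=172.16.0.0/16 list=list-NTP-Targets
add address=172.16.0.0/16 list=list-DNS-Targets
add address=172.16.0.0/16 list=list-SSH-Targets
add address=172.16.0.0/16 list=list-SNMP-Targets
add address=172.16.0.0/16 list=list-HTTP-Targets
add address=172.16.0.0/16 list=list-HTTPS-Targets
add address=172.16.0.0/16 list=list-Winbox-Targets
add address=172.16.0.0/16 list=list-RADIUS-Targets
add address=172.16.0.0/16 list=list-GRE-Targets
add address=172.16.0.0/16 list=list-Core-Interconnects
add address=172.16.0.0/16 list=list-Loopback-Address
add address=1.1.1.1 list=DNS-Servers
add address=8.8.8.8 list=DNS-Servers
add address=8.8.4.4 list=DNS-Servers
add address=9.9.9.9 list=DNS-Servers
add address=valve-space-router.qld.valvenetworks.net comment=valve-space-router.qld.valvenetworks.net list=TrustedIPs

/ip firewall filter
# --- input chain: traffic to the router itself ---------------------------
add action=accept chain=input comment="Permit Established, Related" connection-state=established,related
add action=jump chain=input comment="Shape ICMP Chain & Jump" jump-target=ICMP limit=512k,512k:bit protocol=icmp
add action=accept chain=input comment="Permit UDP Traceroute" limit=512k,512k:bit log-prefix=Accepted-Traceroute port=33434-33534 protocol=udp
add action=accept chain=input comment="Permit NTP" dst-port=123 limit=2M,2M:bit log-prefix=Accepted-NTP protocol=udp src-address-list=list-NTP-Targets
add action=accept chain=input comment="Permit DNS" limit=10M,10M:bit log-prefix=Accepted-DNS port=53 protocol=udp src-address-list=TrustedIPs
add action=accept chain=input comment="Permit DNS" limit=10M,10M:bit log-prefix=Accepted-DNS port=53 protocol=udp src-address-list=DNS-Servers
add action=accept chain=input comment="Permit DNS" limit=10M,10M:bit log-prefix=Accepted-DNS port=53 protocol=udp src-address-list=list-DNS-Targets
add action=accept chain=input comment="Permit SSH" dst-port=22 limit=10M,10M:bit log-prefix=Accepted-SSH protocol=tcp src-address-list=TrustedIPs
add action=accept chain=input comment="Permit SSH" dst-port=22 limit=10M,10M:bit log-prefix=Accepted-SSH protocol=tcp src-address-list=list-SSH-Targets
add action=accept chain=input comment="Permit SNMP" dst-port=161 limit=2M,2M:bit log-prefix=Accepted-SNMP protocol=udp src-address-list=TrustedIPs
add action=accept chain=input comment="Permit SNMP" dst-port=161 limit=2M,2M:bit log-prefix=Accepted-SNMP protocol=udp src-address-list=list-SNMP-Targets
add action=accept chain=input comment="Permit HTTP" dst-port=80 limit=10M,10M:bit log-prefix=Accepted-HTTP protocol=tcp src-address-list=list-HTTP-Targets
add action=accept chain=input comment="Permit HTTPS" dst-port=443 limit=10M,10M:bit log-prefix=Accepted-HTTPS protocol=tcp src-address-list=list-HTTPS-Targets
add action=accept chain=input comment="Permit Winbox" dst-port=8291 limit=10M,10M:bit log-prefix=Accepted-Winbox protocol=tcp src-address-list=TrustedIPs
add action=accept chain=input comment="Permit Winbox" dst-port=8291 limit=10M,10M:bit log-prefix=Accepted-Winbox protocol=tcp src-address-list=list-Winbox-Targets
add action=accept chain=input comment="Permit RADIUS" limit=10M,10M:bit log-prefix=Accepted-RADIUS port=1700 protocol=udp src-address-list=list-RADIUS-Targets
add action=accept chain=input comment="Permit RADIUS Incoming" limit=10M,10M:bit log-prefix=Accepted-RADIUS port=3799 protocol=udp src-address-list=list-RADIUS-Targets
add action=accept chain=input comment="Permit GRE" log-prefix=Accepted-GRE protocol=gre src-address-list=list-GRE-Targets
add action=accept chain=input comment="Permit BFD" limit=2M,2M:bit log-prefix=Accepted-BFD port=3784 protocol=udp src-address-list=list-Core-Interconnects
add action=accept chain=input comment="Permit OSPF" limit=2M,2M:bit log-prefix=Accepted-OSPF protocol=ospf src-address-list=list-Core-Interconnects
add action=accept chain=input comment="Permit IBGP" dst-address-list=list-Loopback-Address limit=50M,50M:bit log-prefix=Accepted-IBGP port=179 protocol=tcp ttl=less-than:5
# These two eBGP rules accept TCP/179 from any source (TTL 1 or 255); the
# only sender check is the TTL, so they are not a substitute for
# per-neighbour src-address matching.
add action=accept chain=input comment="Permit Unprotected Direct EBGP" limit=10M,10M:bit log-prefix=Accepted-EBGP port=179 protocol=tcp ttl=equal:1
add action=accept chain=input comment="Permit RFC3682-Protected EBGP" limit=20M,20M:bit log-prefix=Accepted-RFC3682 port=179 protocol=tcp ttl=equal:255
add action=add-src-to-address-list address-list=list-SYN-Flooders address-list-timeout=30m chain=input comment="Restrict SYN Flooding" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=list-Port-Scanners address-list-timeout=1w chain=input comment="Restrict Port Scanning" protocol=tcp psd=21,3s,3,1
# NOTE(review): all three drop rules below are disabled, so the input chain
# is effectively accept-all: every permit rule above is advisory, and any
# service bound to the router (SSH, Winbox, www-ssl, SNMP, RoMON, BGP) is
# reachable from anywhere it can be routed to. They were left disabled here
# rather than flipped on blind because enabling "Drop Remaining Traffic"
# as-is would also break things the permit rules do not cover: DHCP server
# requests (udp 67 on BR.VL11/12/99/442/502), management from the local
# subnets (192.168.x.x / 10.x.x.x are not in TrustedIPs), and there is no
# accept for the LAN gateways at all. Add those accepts (and a
# connection-state=invalid drop near the top), then enable the drops.
add action=drop chain=input comment="Drop SYN Flooders" disabled=yes src-address-list=list-SYN-Flooders
add action=drop chain=input comment="Drop Port Scanners" disabled=yes src-address-list=list-Port-Scanners
add action=drop chain=input comment="Drop Remaining Traffic" disabled=yes
# NOTE(review): there is no forward chain. Traffic transiting this router
# (the dst-nat targets in 192.168.99.0/24, PPPoE subscribers, the public
# /30 on BR.VL42) is forwarded without any stateful filtering.
# --- ICMP sub-chain ------------------------------------------------------
add action=drop chain=ICMP comment="Drop ICMP Fragments" disabled=yes fragment=yes protocol=icmp
add action=accept chain=ICMP comment="Permit Type 8 - Echo Request" icmp-options=8:0 protocol=icmp
add action=accept chain=ICMP comment="Permit Type 0 - Echo Reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Permit Type 11 - Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Permit Type 3 - Destination Unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment="Permit Type 3 - Path MTU Discovery" icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop Remaining ICMP Types" protocol=icmp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out2
# NOTE(review): these dst-nat rules have no in-interface or dst-address
# match, so they redirect udp/162-164 and tcp/221-223 arriving on ANY router
# address (including the LAN gateways) to the three 192.168.99.25x hosts,
# and with no forward chain the exposed SSH/SNMP services on those hosts are
# reachable from the internet. Add in-interface=pppoe-out2 plus
# src-address-list=TrustedIPs (or move the management path inside a VPN).
add action=dst-nat chain=dstnat dst-port=162 protocol=udp to-addresses=192.168.99.253 to-ports=161
add action=dst-nat chain=dstnat dst-port=163 protocol=udp to-addresses=192.168.99.252 to-ports=161
add action=dst-nat chain=dstnat dst-port=164 protocol=udp to-addresses=192.168.99.251 to-ports=161
add action=dst-nat chain=dstnat dst-port=221 protocol=tcp to-addresses=192.168.99.253 to-ports=22
add action=dst-nat chain=dstnat dst-port=222 protocol=tcp to-addresses=192.168.99.252 to-ports=22
add action=dst-nat chain=dstnat dst-port=223 protocol=tcp to-addresses=192.168.99.251 to-ports=22

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip route
add disabled=no dst-address=103.67.57.11/32 gateway=172.16.0.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=103.248.50.200/29 gateway=172.16.0.1 routing-table=main suppress-hw-offload=no

/ip service
# telnet/ftp/www/api/api-ssl off. ssh, winbox and www-ssl stay enabled with
# no address= restriction; until the input default-drop is active, setting
# address= on each of them is the only per-service source control.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip smb shares
set [ find default=yes ] directory=/pub

/ppp secret
# Static PPPoE subscriber; password redacted (see header note).
add local-address=100.64.0.1 name=240552@nbn.truetelco.com.au password=REDACTED remote-address=100.64.0.2 service=pppoe

/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

/snmp
# Community string redacted; it must match the /snmp community entry above.
set contact=noc@corefibre.com.au enabled=yes location=Melbourne,Australia trap-community=REDACTED trap-version=2

/system clock
set time-zone-name=Australia/Melbourne

/system identity
set name=CR.360E.Mel.CFN.net.au

/system logging
add action=Syslog topics=warning
add action=Syslog topics=info
add action=Syslog topics=error
add action=Syslog topics=critical

/system note
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
add address=172.16.0.1

/system scheduler
# Nightly reboot. The export granted the full policy set (ftp, write,
# policy, password, sensitive, romon, ...) to a job whose only action is
# "/system reboot"; reduced to the least privilege that action needs. The
# scheduler's policy must be a superset of the script's, so both entries
# carry the same list.
add name=reboot-at-10pm on-event=reboot-schedule policy=reboot,read start-date=2024-12-27 start-time=22:00:00

/system script
add dont-require-permissions=no name=reboot-schedule owner=daniel policy=reboot,read source="/system reboot"

/tool romon
# NOTE(review): RoMON is enabled with no port restriction, so it is
# L2-reachable from every bridge port including the customer-facing ones
# (ether7 / VLAN 99 and the PPPoE-server VLANs). Restrict it with
# /tool romon port to the core-facing interface(s) and use a long random
# secret; the original secret was a 3-character string.
set enabled=yes secrets=REDACTED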