# REVIEW SUMMARY (security): this export carries live secrets in cleartext:
# L2TP/IPsec pre-shared keys, PPPoE/SSTP/PPP passwords, a WireGuard private
# key, RADIUS shared secrets and the RoMON secret. RouterOS 7 omits these from
# an export unless `show-sensitive` is given, so this dump was presumably taken
# with it. Treat every secret below as disclosed: rotate it, and store future
# backups without sensitive values or in an encrypted secret store.
#
# model: CCR1009-7G-1C-1S+
# serial-number: E3200F01DD3F
# firmware-type: tilegx
# NOTE(review): current-firmware (6.47.9) differs from installed-version
# (7.12.1); presumably RouterBOOT was not upgraded with the OS. Confirm.
# current-firmware: 6.47.9
# installed-version: 7.12.1
#
# Change history as captured in the dump (most recent first).
# Flags: U - UNDOABLE
# Columns: ACTION, BY, POLICY, TIME
# ACTION BY POLICY TIME
# U address removed valvenetworks write 2025-10-21 13:54:10
# U address removed valvenetworks write 2025-10-21 13:53:44
# U interface list member added valvenetworks write 2025-10-21 13:53:14
# U device changed valvenetworks write 2025-10-21 13:52:33
# U route 0.0.0.0/0 removed valvenetworks write 2025-10-21 13:52:26
# U device added valvenetworks write 2025-10-21 13:51:17
# U address changed valvenetworks write 2025-10-21 13:48:36
# U pppoe server changed valvenetworks write 2025-10-21 13:47:51
# U RoMON configuration changed valvenetworks write 2025-10-21 13:42:29
# U address list entry added cfnadmin write 2025-07-31 13:08:43
# U wireguard peer entry added daniel write 2025-07-29 11:43:40
# U wireguard peer entry added daniel write 2025-07-29 11:43:21
# U wireguard peer entry added daniel write 2025-07-28 21:50:22
# U address added daniel write 2025-07-27 20:55:51
# U device added daniel write 2025-07-27 20:55:33
# The last entry has no BY value and a 1970 timestamp, i.e. it was recorded
# before the clock was set.
# U ntp server record added read 1970-01-02 10:00:13
#
# software id = A0AK-Q11X
#
# model = CCR1009-7G-1C-1S+
# serial number = E3200F01DD3F

# Bridges: a loopback, the management bridge, and the PPPoE access bridge.
/interface bridge
add name=LOOPBACK
add name=bridge-mgnt
add name=bridge-pppoe

# ether1 is the customer-facing port; ether2 is labelled as the 5G uplink.
/interface ethernet
set [ find default-name=ether1 ] comment="Cust: 401 St Kilda Road [1000Mbit]"
set [ find default-name=ether2 ] comment=5g

# SECURITY: cleartext IPsec pre-shared key and L2TP password. Rotate both.
/interface l2tp-client
add connect-to=103.230.157.31 ipsec-secret=lkdh36aA name=l2tp-out1 password=zl3bfkmafrv use-ipsec=yes user=401stkilda-cfn

# SECURITY: the WireGuard private key is exposed. Anyone holding it can
# impersonate this endpoint to its peers; generate a new key pair and update
# the peers with the new public key.
/interface wireguard
add listen-port=26781 mtu=1420 name=wg-iface private-key="CCjyGQZDs+C4LZPP+4491BzTJqohkOK4/SwSCNttuks="

# VLANs: 99 management, 100 PPPoE access, 101 CCTV on bridge-mgnt, plus VLAN
# 100 on ether1.
/interface vlan
add comment=MGNT-Access interface=bridge-mgnt name=bridge-mgnt.99 vlan-id=99
add comment="PPPoE- access" interface=bridge-mgnt name=bridge-mgnt.100 vlan-id=100
add comment="CCTV - Access" interface=bridge-mgnt name=bridge-mgnt.101 vlan-id=101
add interface=ether1 name=ether1.100 vlan-id=100

# SECURITY: cleartext upstream PPPoE credentials. Rotate with the provider.
/interface pppoe-client
add add-default-route=yes disabled=no interface=bridge-pppoe max-mru=1500 max-mtu=1500 name=pppoe-out-valve password=YO4Q4kbD use-peer-dns=yes user=401stkilda@corefibre.com.au

# The WAN list is what the firewall input/NAT rules key on; its members are
# added further down.
/interface list
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

# Address pools for management DHCP and PPPoE subscribers.
/ip pool
add name=dhcp_pool0 ranges=192.168.99.20-192.168.99.200
add name=dhcp_pool1 ranges=192.168.95.20-192.168.95.200
add name=PPPoE_Pool ranges=100.64.0.1-100.64.0.20
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-mgnt lease-time=10m name=dhcp1
add address-pool=dhcp_pool1 disabled=yes interface=bridge-mgnt.99 lease-time=10m name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=10.100.100.3 name=L2TP remote-address=10.100.100.4
add dns-server=8.8.8.8,8.8.4.4 local-address=103.96.4.33 name=PPPoE remote-address=PPPoE_Pool
add name=RWB_sstp_profile

# SECURITY: always-on outbound SSTP tunnel to a third-party remote-access
# service, with cleartext credentials. The input chain below accepts ALL
# traffic arriving on this interface, so the router's management plane is
# exactly as well protected as that service and these credentials.
# NOTE(review): no certificate-verification setting appears in this export;
# confirm that the server certificate is validated.
/interface sstp-client
add comment="Remote Winbox connection for 401StKildaRD" connect-to=vpn5.remotewinbox.com disabled=no http-proxy=0.0.0.0 name=RemoteWinboxVPN5 password=M4eW53nKZHEjLjJMATAWFx8L4BIN4u profile=RWB_sstp_profile user=KrkvAgGtLRMfapJ

/routing bgp template
set default disabled=no output.network=bgp-networks
# OSPF instances are enabled, but both areas are disabled.
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3

# SECURITY: both communities accept queries from any source (addresses=::/0)
# and no authentication/encryption setting is shown, so the community name is
# the only credential and travels in cleartext. Restrict `addresses` to the
# monitoring hosts or move to SNMPv3 with auth and privacy.
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=CFNCOM
add addresses=::/0 name=valve

/interface bridge port
add bridge=bridge-pppoe ingress-filtering=no interface=bridge-mgnt.100
add bridge=bridge-pppoe ingress-filtering=no interface=ether1.100
add bridge=bridge-mgnt ingress-filtering=no interface=sfp-sfpplus1
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

# SECURITY: cleartext IPsec pre-shared key for the L2TP server. IPsec is
# required (good), but the PSK is now disclosed. Rotate it.
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP enabled=yes ipsec-secret=TrueTelco1#42 one-session-per-host=yes use-ipsec=required

# SECURITY: only ether1 and pppoe-out-valve are in WAN. ether2 (the 5G uplink
# with a DHCP client and masquerade), l2tp-out1 and wg-iface are not, so the
# "Drop all in WAN" input rule does not apply to them.
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out-valve list=WAN

# SECURITY: only SHA-1 and MD5 digests are permitted. No `enabled=yes` is
# shown for this server; if it is ever enabled, move to a SHA-2 digest first.
/interface ovpn-server server
set auth=sha1,md5

# SECURITY: PAP is allowed, which carries the subscriber password unencrypted
# over the access segment. Prefer CHAP/MS-CHAPv2 only if the CPE supports it.
/interface pppoe-server server
add authentication=pap,chap default-profile=PPPoE interface=bridge-pppoe max-mru=1492 max-mtu=1492 pado-delay=500 service-name=TrueTelco

# SECURITY: all three peers carry the same allowed-address set
# (10.255.4.0/24 and 10.255.4.2/32). WireGuard selects the peer by allowed
# address, so overlapping ranges make routing ambiguous and let any one peer
# source traffic as any address in the /24. Give each peer its own /32.
/interface wireguard peers
add allowed-address=10.255.4.0/24,10.255.4.2/32 interface=wg-iface persistent-keepalive=30s public-key="tGk+ArIZC8KHYMxDjXTWr9yEiapYqqCBvGh8Pvu0TSQ="
add allowed-address=10.255.4.0/24,10.255.4.2/32 interface=wg-iface persistent-keepalive=30s public-key="GABCzUDNZn4YetJ0gyoDsWsgsFfKIra/ZrXH9jNWAQ8="
add allowed-address=10.255.4.0/24,10.255.4.2/32 interface=wg-iface persistent-keepalive=30s public-key="h71mCRYANo/Furm2P8lphrHvWwvwqq7UsPhxnQpX2Xc="

/ip address
add address=192.168.90.1/24 interface=bridge-mgnt.99 network=192.168.90.0
add address=192.168.99.1/24 interface=bridge-mgnt network=192.168.99.0
add address=10.255.4.1/24 interface=wg-iface network=10.255.4.0
# 5G uplink takes its address (and a distance-5 default route) via DHCP.
/ip dhcp-client
add default-route-distance=5 interface=ether2
# Static lease for 192.168.99.199, the target of the switch dst-nat rules.
/ip dhcp-server lease
add address=192.168.99.199 client-id=1:dc:2c:6e:45:36:80 mac-address=DC:2C:6E:45:36:80 server=dhcp1
/ip dhcp-server network
add address=192.168.95.0/24 gateway=192.168.95.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set servers=8.8.8.8

# SECURITY: TrustedIPs is the allow-list for full router input and for every
# dst-nat rule. Many entries are DNS names, so membership follows whatever
# those names resolve to (via the 8.8.8.8 resolver above); a changed or
# hijacked record silently becomes trusted. Pin management sources to static
# addresses where possible and review the /23 for scope.
/ip firewall address-list
add address=valve-space-router.qld.valvenetworks.net list=TrustedIPs
add address=oxidized.valvenetworks.net list=TrustedIPs
add address=nms.valvenetworks.net list=TrustedIPs
add address=portal.truetelco.com.au list=TrustedIPs
add address=radius-1.intervisp.net.au list=TrustedIPs
add address=radius-2.intervisp.net.au list=TrustedIPs
add address=103.96.4.252 list=TrustedIPs
add address=103.96.5.254 comment=valve-space-router.qld.valvenetworks.net list=TrustedIPs
add address=office.fixtel.com.au comment="True Telco Office Address" list=TrustedIPs
add address=office.truetelco.com.au comment="True Telco Office Address" list=TrustedIPs
add address=office.corefibre.com.au comment="True Telco Office Address" list=TrustedIPs
add address=zabbix.corefibre.com.au comment=zabbix.corefibre.com.au list=TrustedIPs
add address=103.67.56.0/23 list=TrustedIPs
add address=acl.manisp.au list=TrustedIPs
add address=43.224.182.114 comment=Zabbix list=TrustedIPs

# SECURITY (input chain): the only drop is scoped to in-interface-list=WAN.
# Traffic to the router from interfaces outside that list (ether2/5G,
# l2tp-out1, wg-iface, PPPoE subscriber sessions, management VLANs) matches
# no drop rule and is accepted by default. The RemoteWinboxVPN5 and TrustedIPs
# accepts are not limited to specific ports or protocols.
# SECURITY (forward chain): there is no final drop, so any new forwarded
# connection that is not `invalid` is accepted; nothing here isolates
# subscriber, CCTV and management networks from each other.
/ip firewall filter
add action=accept chain=input comment="Allow ICMP input" in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="Allow Remote Winbox" in-interface=RemoteWinboxVPN5
add action=accept chain=input comment="Allow all TrustedIPs input" src-address-list=TrustedIPs
add action=accept chain=input comment="Allow established & related in WAN" connection-state=established,related in-interface-list=WAN
add action=drop chain=input comment="Drop all in WAN" in-interface-list=WAN
add action=accept chain=forward comment="Allow established & related forwards" connection-state=established,related
add action=drop chain=forward comment="Drop invalid forwards" connection-state=invalid

# NAT: masquerade out the 5G link, src-nat the management subnets to
# 103.96.4.33, and publish management ports of internal hosts on that address.
# Every dst-nat rule is restricted to src-address-list=TrustedIPs, so its
# exposure is exactly the TrustedIPs list reviewed above.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT out 5G" out-interface=ether2
add action=src-nat chain=srcnat comment="Mangle output for managerment interfaces" out-interface-list=WAN protocol=!ospf src-address=192.168.90.0/24 to-addresses=103.96.4.33
add action=src-nat chain=srcnat comment="Mangle output for managerment interfaces" out-interface-list=WAN protocol=!ospf src-address=192.168.99.0/24 to-addresses=103.96.4.33
add action=dst-nat chain=dstnat comment="Switch Access to Core" dst-address=103.96.4.33 dst-port=8292 in-interface-list=WAN protocol=tcp src-address-list=TrustedIPs to-addresses=192.168.99.199 to-ports=8291
add action=dst-nat chain=dstnat comment="SSH to switch" dst-address=103.96.4.33 dst-port=2222 in-interface-list=WAN protocol=tcp src-address-list=TrustedIPs to-addresses=192.168.99.199 to-ports=22
add action=dst-nat chain=dstnat comment="SNMP Switch" dst-address=103.96.4.33 dst-port=163 in-interface-list=WAN protocol=udp src-address-list=TrustedIPs to-addresses=192.168.99.199 to-ports=161
add action=dst-nat chain=dstnat comment="Truetelco managerment" dst-address=103.96.4.33 dst-port=10050 in-interface-list=WAN protocol=tcp src-address-list=TrustedIPs to-addresses=192.168.90.3
add action=dst-nat chain=dstnat comment="Truetelco managerment" dst-address=103.96.4.33 dst-port=8443 in-interface-list=WAN protocol=tcp src-address-list=TrustedIPs to-addresses=192.168.90.3

# Host route that sends traffic for 103.16.129.23 (the first RADIUS server
# below) through the L2TP tunnel.
/ip route
add check-gateway=ping disabled=no distance=10 dst-address=103.16.129.23/32 gateway=l2tp-out1

# SECURITY: telnet, ftp, www and api-ssl are disabled. ssh, winbox and the
# plaintext `api` service are not listed, so they are presumably still at
# their defaults. Confirm, disable `api` if unused, and set `address=` on the
# remaining services so they listen only for management sources.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api-ssl disabled=yes

/ppp aaa
set interim-update=30m use-radius=yes
# SECURITY: cleartext local L2TP account password. Rotate it.
/ppp secret
add name=ttadmin password="Tru3t3lc0@\$" profile=L2TP service=l2tp

# SECURITY: both RADIUS servers use the same shared secret, shown in
# cleartext. With service=login and `/user aaa use-radius=yes` below, these
# servers also authenticate router administrators, so the secret protects
# admin logins as well as subscriber sessions. Rotate it on both ends and use
# a distinct secret per server.
/radius
add address=103.16.129.23 comment=radius-1.intervisp.net.au secret="xnsa\$!ufgb2x" service=ppp,login src-address=103.96.4.33
add address=43.229.61.238 comment=radius-2.intervisp.net.au secret="xnsa\$!ufgb2x" service=ppp,login src-address=103.96.4.33

/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
# SNMP agent enabled; traps use the CFNCOM community with trap-version=2.
/snmp
set contact=noc@corefibre.com.au enabled=yes location=Melbourne,Victoria,Australia trap-community=CFNCOM trap-version=2
/system clock
set time-zone-name=Australia/Melbourne
/system identity
set name=401StKildaRd-R1.CFN.VIC.intervisp.net
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=au.pool.ntp.org

# SECURITY: both scheduler entries run with the full policy set, including
# `password`, `sensitive`, `sniff` and `policy`. `reboot-once` has a 2022
# start date and no interval, so it looks like a stale one-shot. Remove it if
# so. RWB_IP_RESOLVER only performs a DNS lookup; reduce its policy to what
# that needs.
/system scheduler
add name=reboot-once on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2022-07-25 start-time=04:00:00
add comment=RWB_IP_RESOLVER interval=5m name=RWB_IP_RESOLVER on-event=RWB_IP_RESOLVER policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-11-21 start-time=18:40:11

# Script resolves the router's public address through OpenDNS into the global
# RWBDNSIP variable.
# NOTE(review): the owner is an account with a random-looking name,
# presumably created by the remote-access service. Confirm that the account
# is expected and check which group it belongs to.
/system script
add comment=RWB_IP_RESOLVER dont-require-permissions=no name=RWB_IP_RESOLVER owner=ZlZq5T5YNBi503f policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global RWBDNSIP value=[/resolve myip.opendns.com server=resolver1.opendns.com]"

# SECURITY: RoMON is enabled with a three-character secret, shown in
# cleartext. No per-port RoMON settings appear in this export; confirm which
# ports it runs on, keep it off customer-facing ports, and use a long random
# secret.
/tool romon
set enabled=yes secrets=VLV

# Router logins are authenticated against the RADIUS servers defined above.
/user aaa
set use-radius=yes