# model: CCR1009-7G-1C-1S+
# serial-number: HD008DH2ZK6
# firmware-type: tilegx
# current-firmware: 7.18.2
# installed-version: 7.18.2
# Flags: U - UNDOABLE
# Columns: ACTION, BY, POLICY, TIME
# ACTION BY POLICY TIME
# U nat rule changed cfnadmin write 2025-12-03 10:36:04
# U nat rule added cfnadmin write 2025-12-03 10:35:55
# U nat rule added cfnadmin write 2025-12-03 10:31:19
# U nat rule added cfnadmin write 2025-12-03 10:31:09
#
# software id = 8A85-VZQG
#
# model = CCR1009-7G-1C-1S+
# serial number = HD008DH2ZK6
#
# NOTE(review): this part of the export defines interfaces, address pools, DHCP
# servers, PPP profiles, VPN client/server settings and SNMP communities.
# It carries secrets in cleartext (WireGuard private key, PPPoE and OpenVPN
# client passwords, L2TP IPsec pre-shared key, SNMP community names). Once an
# export like this leaves the device, treat every one of them as compromised
# and rotate it. RouterOS 7 `/export` omits sensitive values unless
# `show-sensitive` is given; share exports in that default form.

# WireGuard interface. The private key identifies this endpoint to its peers;
# regenerate it and update the peer side if this file has been shared.
/interface wireguard
add listen-port=26781 mtu=1420 name=wg-iface private-key="iGOM4IFQkHAiOustDvU9pFA3qEs15cZhTn7Fyy/rwkY="

# VLANs on sfp-sfpplus1. Management, security, monitoring, public Wi-Fi, GPON
# and the customer/WAN hand-off all share one trunk, so separation between
# them depends entirely on the firewall forward rules.
/interface vlan
add comment="Monitoring Network" interface=sfp-sfpplus1 name=sfp-sfpplus1.90 vlan-id=90
add comment="Security Network" interface=sfp-sfpplus1 name=sfp-sfpplus1.91 vlan-id=91
add comment="Public Wifi Network" interface=sfp-sfpplus1 name=sfp-sfpplus1.92 vlan-id=92
add comment=Management interface=sfp-sfpplus1 name=sfp-sfpplus1.95 vlan-id=95
add comment="GPON management" interface=sfp-sfpplus1 name=sfp-sfpplus1.99 vlan-id=99
add comment="GPON management" interface=sfp-sfpplus1 name=sfp-sfpplus1.101 vlan-id=101
add comment="GPON voice" interface=sfp-sfpplus1 name=sfp-sfpplus1.200 vlan-id=200
add comment="Cust: Eloquence Moonee Ponds [1000Mbit]" interface=sfp-sfpplus1 name=sfp-sfpplus1.3830 vlan-id=3830

# PPPoE uplink over VLAN 3830; installs the default route and takes DNS from
# the peer. The account password is stored and exported in cleartext.
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus1.3830 max-mru=1492 max-mtu=1492 name=pppoe-out1 password=f03bhslHFF use-peer-dns=yes user=95buckleySt@valvenetworks.net

# Interface list referenced by the firewall rules (membership is set further down).
/interface list
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

# Address pools for the DHCP servers and the L2TP profile.
# NOTE(review): dhcp_pool1 ends at 192.168.99.199, and the dst-nat rules later
# in this export forward management traffic to 192.168.99.199. If that switch
# is statically addressed, exclude the address from the pool so a DHCP client
# cannot be handed it - confirm how the switch gets its address.
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.199
add name=dhcp_pool1 ranges=192.168.99.1-192.168.99.199
add name=dhcp_pool2 ranges=192.168.90.2-192.168.90.254
add name=dhcp_pool3 ranges=192.168.91.2-192.168.91.254
add name=dhcp_pool4 ranges=192.168.92.2-192.168.92.254
add name=L2TP ranges=192.168.255.2-192.168.255.249
add name=dhcp_pool6 ranges=10.200.0.1-10.200.0.253

# One DHCP server per LAN/VLAN, all with a 10-minute lease time.
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether1 lease-time=10m name=dhcp1
add address-pool=dhcp_pool1 interface=sfp-sfpplus1.99 lease-time=10m name=dhcp2
add address-pool=dhcp_pool2 interface=sfp-sfpplus1.90 lease-time=10m name=dhcp3
add address-pool=dhcp_pool3 interface=sfp-sfpplus1.91 lease-time=10m name=dhcp4
add address-pool=dhcp_pool4 interface=sfp-sfpplus1.92 lease-time=10m name=dhcp5
add address-pool=dhcp_pool6 interface=sfp-sfpplus1.200 lease-time=10m name=dhcp6
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1

# PPP profiles: "L2TP" for the L2TP server (clients get addresses from the
# L2TP pool) and "OVPN-SmartOLT" for the OpenVPN client (encryption required).
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=192.168.255.1 name=L2TP remote-address=L2TP
add change-tcp-mss=yes name=OVPN-SmartOLT only-one=yes use-encryption=required use-mpls=no

# OpenVPN client towards SmartOLT. Server certificate verification is on;
# the account password is in cleartext and should be rotated if shared.
/interface ovpn-client
add certificate=SmartOLT-Client-95BuckleySt cipher=aes256-cbc connect-to=corefibre.smartolt.com mac-address=FE:70:F0:01:52:90 name=SmartOLT-VPN password=UTVuHxZnGrFQ port=12220 profile=OVPN-SmartOLT user=95BuckleySt@corefibre.smartolt.com verify-server-certificate=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

# SNMP communities. The default community is disabled; the two added ones use
# addresses=::/0, i.e. no source restriction in the community itself, so
# access control rests on the firewall input rules alone. Community names
# function as shared secrets - change them if this file has been shared and
# consider limiting `addresses` to the monitoring hosts.
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=CFNCOM
add addresses=::/0 name=valve
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
# IPv6 is disabled on this router.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192 soft-max-neighbor-entries=8191

# L2TP server with IPsec. `ipsec-secret` is a single pre-shared key used by
# every L2TP/IPsec client; it is exposed here in cleartext.
/interface l2tp-server server
set allow-fast-path=yes enabled=yes ipsec-secret=TrueTelco1#42 use-ipsec=yes

# Only pppoe-out1 is in the WAN list, so firewall rules keyed on
# in-interface-list=WAN apply to that interface and to nothing else.
/interface list member
add interface=pppoe-out1 list=WAN

# OpenVPN server instance.
# NOTE(review): auth=sha1,md5 still offers MD5; drop it if no client needs it.
# No enabled= value appears on this line - confirm whether the instance is active.
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:C0:CE:71:C5:5F name=ovpn-server1
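# NOTE(review): this part of the export holds addressing, the firewall (address
# list, filter, NAT), service settings, AAA and system settings. It includes
# cleartext secrets (PPP secret password, RADIUS shared secret, RoMON secret);
# treat them as compromised once the file is shared and rotate them.
# Changes made here: two NAT rule comments that did not match their rule
# ("RDP UDP" on the TCP rule, "CCTV UDP 8081" on the port 8082 rule) are
# corrected. Every other value is unchanged.

# WireGuard peer. The public key is not secret. allowed-address lets this peer
# source traffic from the monitoring, security, public Wi-Fi and GPON
# management subnets as well as its own /32.
/interface wireguard peers
add allowed-address="192.168.90.0/24,192.168.91.0/24,192.168.92.0/24,192.168.99.0/24,10.255.6.4/32" interface=wg-iface name=peer-daniel persistent-keepalive=30s public-key="1olEzdm6k196NfiJWIxJLwQ9rWh00Gwe5rQOK8F6aWE=" responder=yes

# Router addresses. ether1 carries both 192.168.1.1 and 192.168.1.254 in the
# same /24 (the DHCP network below hands out .254 as gateway and .1 as DNS).
/ip address
add address=192.168.1.1/24 comment=LAN interface=ether1 network=192.168.1.0
add address=192.168.99.254/24 comment="GPON management" interface=sfp-sfpplus1.99 network=192.168.99.0
add address=192.168.1.254/24 comment=LAN interface=ether1 network=192.168.1.0
add address=10.11.104.254/24 interface=sfp-sfpplus1 network=10.11.104.0
add address=192.168.90.1/24 interface=sfp-sfpplus1.90 network=192.168.90.0
add address=192.168.91.1/24 interface=sfp-sfpplus1.91 network=192.168.91.0
add address=192.168.92.1/24 interface=sfp-sfpplus1.92 network=192.168.92.0
add address=10.200.1.254/24 comment="ONU Management" interface=sfp-sfpplus1.99 network=10.200.1.0
add address=10.200.0.254/24 interface=sfp-sfpplus1.200 network=10.200.0.0
add address=10.255.6.1/24 interface=wg-iface network=10.255.6.0

# Static lease for 192.168.91.253, the target of the CCTV dst-nat rules below.
/ip dhcp-server lease
add address=192.168.91.253 client-id=1:e4:3d:1a:3c:78:9b mac-address=E4:3D:1A:3C:78:9B server=dhcp4
/ip dhcp-server network
add address=10.200.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.200.0.254
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.254
add address=192.168.90.0/24 gateway=192.168.90.1
add address=192.168.91.0/24 gateway=192.168.91.1
add address=192.168.92.0/24 gateway=192.168.92.1
add address=192.168.99.0/24 gateway=192.168.99.254

# The router answers DNS queries (allow-remote-requests=yes). Queries arriving
# on WAN are stopped only by the "Drop all in WAN" input rule; keep that rule
# in place or add an explicit drop for port 53 on WAN.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# TrustedIPs: sources allowed to reach the router itself and the restricted
# port-forwards. Most entries are DNS names, so the list follows whatever those
# names resolve to - whoever controls these DNS records controls the list.
# NOTE(review): several comments name a different host than the entry's
# address (e.g. acl.watti.tools / acl.manisp.au); confirm the labels are
# intended. The /23 range and every third-party name widen the trusted set.
/ip firewall address-list
add address=valve-space-router.qld.valvenetworks.net comment="valve office" list=TrustedIPs
add address=valve-koki-router.vic.valvenetworks.net comment="valve office" list=TrustedIPs
add address=nms.valvenetworks.net comment=NMS list=TrustedIPs
add address=oxidized.valvenetworks.net comment=Rancid list=TrustedIPs
add address=103.96.4.252 comment=valve-space-router.qld.valvenetworks.net list=TrustedIPs
add address=corefibre.smartolt.com list=TrustedIPs
add address=office.fixtel.com.au list=TrustedIPs
add address=103.67.56.0/23 list=TrustedIPs
add address=zabbix.corefibre.com.au list=TrustedIPs
add address=acl.manisp.au list=TrustedIPs
add address=acl.watti.tools comment=acl.manisp.au list=TrustedIPs
add address=portal.truetelco.com.au comment=acl.watti.tools list=TrustedIPs
add address=103.96.6.254 comment=Zabbix disabled=yes list=TrustedIPs
add address=43.224.182.114 comment=Zabbix list=TrustedIPs

# Filter rules, evaluated in order.
# input: ICMP from WAN, anything from TrustedIPs (any interface, any port),
#   established/related from WAN, then drop the rest from WAN. Traffic to the
#   router from non-WAN interfaces (including the public Wi-Fi VLAN) matches no
#   drop rule and is accepted by default.
# forward: only established/related accept and invalid drop appear in this
#   export. With no final drop, new connections are forwarded by default, so
#   (a) every dst-nat rule below without src-address-list is reachable from any
#   source, and (b) nothing here separates the public Wi-Fi VLAN from the
#   management, security and GPON networks.
# NOTE(review): consider ending the forward chain with a drop preceded by
#   explicit accepts (e.g. connection-nat-state=dstnat and LAN-to-WAN), and
#   restricting input from the untrusted VLANs.
/ip firewall filter
add action=accept chain=input comment="Allow ICMP in WAN" in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="Allow input from trusted ips" src-address-list=TrustedIPs
add action=accept chain=input comment="Allow established & related in WAN" connection-state=established,related in-interface-list=WAN
add action=drop chain=input comment="Drop all in WAN" in-interface-list=WAN log-prefix=DROP
add action=accept chain=forward comment="Allow established & related forwards" connection-state=established,related
add action=drop chain=forward comment="Drop invalid forwards" connection-state=invalid

# NAT rules.
# srcnat: SmartOLT-VPN traffic is exempted, the voice subnet is translated to
#   103.96.4.21, everything else leaving WAN is masqueraded.
# dstnat: the switch and OLT forwards (Winbox, SSH, SNMP, Telnet) are limited
#   to TrustedIPs. The Zabbix-Agent, RDP, ZabProx-SSH and CCTV forwards carry
#   no src-address-list, so given the forward chain above they are exposed to
#   any source address.
# NOTE(review): RDP (3389) and SSH (222 -> 22) open to all sources are the
#   highest-risk entries; add src-address-list=TrustedIPs or move that access
#   behind the existing VPNs. The same applies to the Zabbix agent and the
#   CCTV ports unless public access is a stated requirement.
/ip firewall nat
add action=accept chain=srcnat comment="SmartOLT-VPN traffic excluded from NAT" out-interface=SmartOLT-VPN
add action=src-nat chain=srcnat comment="NAT to Voip Network" src-address=10.200.0.0/24 to-addresses=103.96.4.21
add action=masquerade chain=srcnat comment="NAT out WAN" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Winbox to switch" dst-port=8292 in-interface-list=WAN protocol=tcp src-address-list=TrustedIPs to-addresses=192.168.99.199 to-ports=8291
add action=dst-nat chain=dstnat comment=Zabbix-Agent dst-port=10050 in-interface-list=WAN protocol=tcp to-addresses=192.168.90.2 to-ports=10050
add action=dst-nat chain=dstnat comment="SSH to switch" dst-port=2222 in-interface-list=WAN protocol=tcp src-address-list=TrustedIPs to-addresses=192.168.99.199 to-ports=22
add action=dst-nat chain=dstnat comment="SNMP to switch" dst-port=163 in-interface-list=WAN protocol=udp src-address-list=TrustedIPs to-addresses=192.168.99.199 to-ports=161
add action=dst-nat chain=dstnat comment="RDP UDP" dst-port=3389 in-interface-list=WAN protocol=udp to-addresses=192.168.90.2 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP TCP" dst-port=3389 in-interface-list=WAN protocol=tcp to-addresses=192.168.90.2 to-ports=3389
add action=dst-nat chain=dstnat comment=ZabProx-SSH dst-port=222 in-interface-list=WAN protocol=tcp to-addresses=192.168.90.4 to-ports=22
add action=dst-nat chain=dstnat comment="Telnet to OLT" disabled=yes dst-address=103.96.4.21 dst-port=2333 protocol=tcp src-address-list=TrustedIPs to-addresses=10.11.104.2 to-ports=23
add action=dst-nat chain=dstnat comment="SNMP to OLT" dst-address=103.96.4.21 dst-port=2161 log-prefix=SNMP protocol=udp src-address-list=TrustedIPs to-addresses=10.11.104.2 to-ports=161
add action=dst-nat chain=dstnat comment="CCTV TCP 8081" dst-address=103.96.4.21 dst-port=8081 protocol=tcp to-addresses=192.168.91.253 to-ports=8081
add action=dst-nat chain=dstnat comment="CCTV TCP 8082" dst-address=103.96.4.21 dst-port=8082 protocol=tcp to-addresses=192.168.91.253 to-ports=8082
add action=dst-nat chain=dstnat comment="CCTV UDP 8081" dst-address=103.96.4.21 dst-port=8081 protocol=udp to-addresses=192.168.91.253 to-ports=8081
add action=dst-nat chain=dstnat comment="CCTV UDP 8082" dst-address=103.96.4.21 dst-port=8082 protocol=udp to-addresses=192.168.91.253 to-ports=8082
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

# Telnet, FTP, www, api and api-ssl are disabled.
# NOTE(review): ssh and winbox are not listed; an export normally shows only
# non-default settings, so they are presumably enabled with no `address=`
# restriction - confirm, and bind them to the management sources.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub

# L2TP user account; the password is exported in cleartext (`\$` is the
# export's escaping of `$`). Rotate it if this file has been shared.
/ppp secret
add name=corefibretech password="Lfh2ldh\$hg" profile=L2TP service=l2tp

# RADIUS servers used for router logins (service=login, with use-radius=yes
# under /user aaa below). Both servers share one secret, shown in cleartext.
# require-message-auth=no means the router does not insist on the
# Message-Authenticator attribute; enable the check once both servers send
# it, since these exchanges cross public addresses.
/radius
add address=103.16.129.23 comment=radius-1.intervisp.net.au require-message-auth=no secret=cfbCXBV!!kk! service=login src-address=103.96.4.21
add address=43.229.61.238 comment=radius-2.intervisp.net.au require-message-auth=no secret=cfbCXBV!!kk! service=login src-address=103.96.4.21
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

# SNMP agent enabled; traps use version 2 with community CFNCOM, which offers
# no authentication or encryption beyond the community string.
/snmp
set contact=noc@corefibre.com.au enabled=yes location="Moonee Ponds, Victoria, Australia" trap-community=CFNCOM trap-version=2
/system clock
set time-zone-name=Australia/Melbourne
/system identity
set name=95BuckleySt-R.CFN.VIC.intervisp.net
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=au.pool.ntp.org

# RoMON is enabled with a three-character secret, exposed here. RoMON provides
# management reachability at layer 2, so use a long random secret and limit
# the ports it runs on - confirm which ports need it.
/tool romon
set enabled=yes secrets=CFN

# Router logins are authenticated against the RADIUS servers defined above.
/user aaa
set use-radius=yes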