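# Configuration backup of a MikroTik router: device summary, recent change
# history, then the start of the configuration export (bridge, ethernet and
# VLAN interfaces). Layout restored to one comment or command per line; as
# collapsed, the leading "#" turned the whole first line, including the
# interface commands at its end, into a comment.
#
# NOTE(review): this header identifies the device (model, serial number,
# software id) and the history names admin accounts. Together with the secrets
# further down the export, the whole file should be handled as confidential.
# NOTE(review): current-firmware (6.47) differs from installed-version
# (7.12.1); presumably the boot firmware was not upgraded with the OS. Confirm.
#
# model: CCR1009-8G-1S-1S+
# serial-number: 4AB204AC0543
# firmware-type: tilegx
# current-firmware: 6.47
# installed-version: 7.12.1
# Flags: U - UNDOABLE
# Columns: ACTION, BY, POLICY, TIME
# ACTION BY POLICY TIME
# U changed snmp settings cfnadmin write 2025-12-01 08:37:46
# U changed snmp settings cfnadmin write 2025-12-01 08:37:19
# U nat rule changed cfnadmin write 2025-12-01 08:27:47
# U nat rule added cfnadmin write 2025-12-01 08:26:10
# U dhcp server dhcp2 added cfnadmin write 2025-12-01 08:15:12
# U dhcp network added cfnadmin write 2025-12-01 08:15:12
# U pool dhcp_pool4 added cfnadmin write 2025-12-01 08:15:12
# U address list entry added cfnadmin write 2025-07-31 13:17:42
# U config changed valvenetworks write 2025-07-24 22:48:44
# U interface list member added valvenetworks write 2025-07-24 22:48:39
# U config changed valvenetworks write 2025-07-24 22:48:27
# U interface list member removed valvenetworks write 2025-07-24 22:48:15
# U ntp server record added read 1970-01-02 10:00:09
#
# software id = 2D7C-UWNA
#
# model = CCR1009-8G-1S-1S+
# serial number = 4AB204AC0543

# Bridge that joins the two intercom VLANs (see the bridge ports later in the export).
/interface bridge
add name=bridge-intercomm protocol-mode=none

# Physical uplinks. ether1/ether2 carry the two NBN PPPoE sessions; ether8 is
# labelled as a temporary 4G backhaul.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-NBN-Backhaul-1
set [ find default-name=ether2 ] name=ether2-NBN-Backhaul-2
set [ find default-name=ether8 ] comment="temp 4g backhaul"

# VLANs on the SFP+ port. VLAN 3644 is the backhaul; 99/100/101 are stacked on
# top of it (management, PPPoE and intercom respectively, per the comments).
/interface vlan
add comment=Management interface=sfp-sfpplus1 name=sfp-sfpplus1.95 vlan-id=95
add comment="TrueTelco - Intercom" interface=sfp-sfpplus1 name=sfp-sfpplus1.101 vlan-id=101
add comment=Management interface=sfp-sfpplus1 name=sfp-sfpplus1.199 vlan-id=199
add comment=Backhaul interface=sfp-sfpplus1 name=sfp-sfpplus1.3644 vlan-id=3644
add comment="GPON Management" interface=sfp-sfpplus1.3644 name=sfp-sfpplus1.3644.99 vlan-id=99
add comment="PPPoE MLB CORE" interface=sfp-sfpplus1.3644 name=sfp-sfpplus1.3644.100 vlan-id=100
add comment="Intercom from GPON" interface=sfp-sfpplus1.3644 name=sfp-sfpplus1.3644.101 vlan-id=101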
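# Remainder of the configuration export: WAN uplinks, address pools, VPN and
# PPP services, routing, firewall, NAT, RADIUS, SNMP and system settings.
# Layout restored to one command per line; the collapsed form split several
# commands across physical lines in mid-argument.
#
# NOTE(review): this export contains plaintext secrets (PPPoE, OpenVPN, L2TP
# and IPsec, PPP and RADIUS). Every secret shown here should be treated as
# disclosed and rotated, and future backups should be taken without the
# show-sensitive option or stored encrypted with restricted access.

# Three PPPoE uplinks. Route distances 4 and 5 make the two NBN links backups
# of pppoe-out-valve-primary, which keeps the default distance.
# NOTE(review): the two NBN accounts share one password; use-peer-dns=yes means
# the upstream peer chooses the resolvers the router itself uses.
/interface pppoe-client
add add-default-route=yes default-route-distance=4 disabled=no interface=ether1-NBN-Backhaul-1 max-mru=1500 max-mtu=1500 name=pppoe-out-valve-1 password=2tsrfBh5 use-peer-dns=yes user=cobram-nbn-1@nbn.truetelco.com.au
add add-default-route=yes default-route-distance=5 disabled=no interface=ether2-NBN-Backhaul-2 max-mru=1500 max-mtu=1500 name=pppoe-out-valve-2 password=2tsrfBh5 use-peer-dns=yes user=cobram-nbn-2@nbn.truetelco.com.au
add add-default-route=yes disabled=no interface=sfp-sfpplus1.3644.100 max-mru=1500 max-mtu=1500 name=pppoe-out-valve-primary password=AEna6cmK use-peer-dns=yes user=cobram-nbn-3@cobram.truetelco.com.au
/disk
set micro-sd slot=micro-sd type=hardware

# Interface lists referenced by the firewall (WAN) and by neighbor discovery.
/interface list
add name=WAN
add name=no-neighbor-discovery-interface-list
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

# Address pools: management DHCP, CGNAT range for PPPoE subscribers, VPN
# clients, intercom devices and the VLAN 95 management network.
/ip pool
add name=dhcp_pool0 ranges=10.199.199.1-10.199.199.253
add name=CGNAT1 ranges=100.64.0.2-100.64.0.254
add name=VPN-Pool ranges=192.168.255.11-192.168.255.249
add name=dhcp_pool3 ranges=10.199.198.20-10.199.198.200
add name=dhcp_pool4 ranges=192.168.90.101-192.168.90.199
/ip dhcp-server
add address-pool=dhcp_pool0 interface=sfp-sfpplus1.199 lease-time=10m name=dhcp1
add address-pool=dhcp_pool3 interface=bridge-intercomm lease-time=10m name=intercom
add address-pool=dhcp_pool4 interface=sfp-sfpplus1.95 name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1

# PPP profiles: RADIUS for PPPoE subscribers, L2TP-VPN for remote access,
# OVPN-SmartOLT for the outbound SmartOLT tunnel.
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=103.96.5.148 name=RADIUS remote-address=CGNAT1
add dns-server=8.8.8.8,8.8.4.4 local-address=192.168.255.1 name=L2TP-VPN remote-address=VPN-Pool use-encryption=required
add change-tcp-mss=yes name=OVPN-SmartOLT only-one=yes use-encryption=required use-mpls=no

# Outbound OpenVPN tunnel to SmartOLT; the server certificate is verified.
/interface ovpn-client
add certificate=SmartOLT-Client cipher=aes256-cbc connect-to=corefibre.smartolt.com mac-address=FE:18:B5:3F:26:32 name=SmartOLT-VPN password=d8J5RiQeCLf1 port=12220 profile=OVPN-SmartOLT user=Cobram@corefibre.smartolt.com verify-server-certificate=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3

# Routing tables used by the mangle rules and the /ip route entries below.
/routing table
add fib name=via_nbn_1
add fib name=via_mobile
add fib name=via_nbn_2
add fib name=odd
add fib name=even
add fib name=via_primary

# NOTE(review): the "valve" and "CFNCOM" communities use addresses=::/0, which
# appears to place no source restriction on SNMP queries; only ttCOM is pinned
# to a single host. Restrict each community to its monitoring hosts. No
# authentication or encryption settings are shown for any community.
/snmp community
set [ find default=yes ] disabled=yes
add addresses=14.202.159.113/32 name=ttCOM
add addresses=::/0 name=valve
add addresses=::/0 name=CFNCOM
/interface bridge port
add bridge=bridge-intercomm ingress-filtering=no interface=sfp-sfpplus1.101
add bridge=bridge-intercomm ingress-filtering=no interface=sfp-sfpplus1.3644.101

# Neighbor discovery runs on every interface except those in the named list
# (only SmartOLT-VPN is a member).
# NOTE(review): that leaves discovery active on the WAN uplinks; consider
# adding the WAN interfaces to the exclusion list.
/ip neighbor discovery-settings
set discover-interface-list=!no-neighbor-discovery-interface-list
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192

# NOTE(review): use-ipsec=yes still accepts L2TP sessions that are not wrapped
# in IPsec, and UDP 1701 is open on WAN in the filter rules; use-ipsec=required
# would enforce the IPsec layer. The pre-shared key is stored in plaintext here.
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-VPN enabled=yes ipsec-secret=TrueTelco1#42 use-ipsec=yes

# NOTE(review): ether8 (the temporary 4G backhaul, which runs a DHCP client
# below) is not a member of WAN, so neither the WAN input drop rule nor the WAN
# masquerade rule applies to it. Confirm whether that link faces the internet.
/interface list member
add interface=pppoe-out-valve-1 list=WAN
add interface=pppoe-out-valve-2 list=WAN
add interface=pppoe-out-valve-primary list=WAN
add interface=SmartOLT-VPN list=no-neighbor-discovery-interface-list

# NOTE(review): md5 is permitted as an OpenVPN auth digest. No enabled=yes is
# shown for this server, so it is presumably off; remove md5 before enabling it.
/interface ovpn-server server
set auth=sha1,md5

# NOTE(review): pap is accepted, so subscriber passwords can cross the access
# network in cleartext. Drop pap if all subscriber equipment supports chap.
/interface pppoe-server server
add authentication=pap,chap default-profile=RADIUS disabled=no interface=sfp-sfpplus1.3644.100 max-mru=1492 max-mtu=1492 pado-delay=1000 service-name=Cobram-PPPoE
/ip address
add address=10.11.104.254/24 interface=sfp-sfpplus1.199 network=10.11.104.0
add address=10.116.0.254/24 interface=sfp-sfpplus1.3644.99 network=10.116.0.0
add address=10.199.199.254/24 interface=sfp-sfpplus1.199 network=10.199.199.0
add address=192.168.90.1/24 interface=sfp-sfpplus1.95 network=192.168.90.0
add address=10.199.198.1/24 interface=bridge-intercomm network=10.199.198.0
/ip dhcp-client
add default-route-distance=10 interface=ether8

# Static leases: one device on dhcp1 (the target of several dst-nat rules
# below) and the intercom devices.
/ip dhcp-server lease
add address=10.199.199.253 client-id=1:dc:2c:6e:b1:9a:28 mac-address=DC:2C:6E:B1:9A:28 server=dhcp1
add address=10.199.198.29 client-id=1:0:18:ae:e4:6d:7d mac-address=00:18:AE:E4:6D:7D server=intercom
add address=10.199.198.28 client-id=1:c:11:5:17:77:c4 mac-address=0C:11:05:17:77:C4 server=intercom
add address=10.199.198.21 client-id=1:c:11:5:16:0:98 mac-address=0C:11:05:16:00:98 server=intercom
add address=10.199.198.20 client-id=1:c:11:5:19:21:61 mac-address=0C:11:05:19:21:61 server=intercom
add address=10.199.198.30 client-id=1:c:11:5:19:21:89 mac-address=0C:11:05:19:21:89 server=intercom
add address=10.199.198.26 client-id=1:c:11:5:16:0:a0 mac-address=0C:11:05:16:00:A0 server=intercom
add address=10.199.198.22 client-id=1:c:11:5:16:4:f9 mac-address=0C:11:05:16:04:F9 server=intercom
add address=10.199.198.24 client-id=1:c:11:5:19:1c:69 mac-address=0C:11:05:19:1C:69 server=intercom
add address=10.199.198.25 client-id=1:c:11:5:16:4:e9 mac-address=0C:11:05:16:04:E9 server=intercom
add address=10.199.198.23 client-id=1:c:11:5:16:0:5c mac-address=0C:11:05:16:00:5C server=intercom
add address=10.199.198.31 client-id=1:c:11:5:1c:63:b6 mac-address=0C:11:05:1C:63:B6 server=intercom
/ip dhcp-server network
add address=10.199.198.0/24 dns-server=192.168.2.1,8.8.8.8,8.8.4.4 gateway=10.199.198.1
add address=10.199.199.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.199.199.254
add address=192.168.90.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.90.1

# Sources allowed to manage the router (TrustedIPs) and to reach the OLT
# forwards (SmartOLT).
# NOTE(review): most TrustedIPs entries are DNS names under several different
# domains. Membership therefore follows whatever those names resolve to, using
# resolvers supplied by the upstream peer; static addresses would be safer for
# a list that grants full management access.
/ip firewall address-list
add address=valve-space-router.qld.valvenetworks.net comment="valve office" list=TrustedIPs
add address=valve-koki-router.vic.valvenetworks.net comment="valve office" list=TrustedIPs
add address=nms.valvenetworks.net comment=NMS list=TrustedIPs
add address=oxidized.valvenetworks.net comment=Rancid list=TrustedIPs
add address=149.28.177.108 list=SmartOLT
add address=14.202.159.113 comment="TT NMS" list=TrustedIPs
add address=portal.truetelco.com.au list=TrustedIPs
add address=103.67.56.0/23 list=TrustedIPs
add address=zabbix.corefibre.com.au list=TrustedIPs
add address=acl.manisp.au list=TrustedIPs
add address=acl.watti.tools comment=acl.manisp.au list=TrustedIPs
add address=43.224.182.114 comment=Zabbix list=TrustedIPs

# Input chain: ICMP, TrustedIPs, L2TP/IPsec ports and established traffic are
# accepted on WAN, then everything else arriving on WAN is dropped.
# NOTE(review): the only input drop is scoped to the WAN list. Traffic arriving
# on any other interface (PPPoE subscriber sessions, L2TP clients, the intercom
# bridge, ether8) matches no drop rule and can reach the router's own services.
# NOTE(review): the forward chain has no final drop and no rule separating
# subscriber, intercom and management networks, so new forwarded connections
# are accepted by default. Add explicit accepts followed by a default drop.
# NOTE(review): no /ipv6 firewall section appears in this export; confirm
# whether IPv6 is in use on any interface.
/ip firewall filter
add action=accept chain=input comment="Allow ICMP in WAN" in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="Allow input from trusted ips" src-address-list=TrustedIPs
add action=accept chain=input comment="Allow ports for L2TP in WAN" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow established & related in WAN" connection-state=established,related in-interface-list=WAN
add action=drop chain=input comment="Drop all in WAN" in-interface-list=WAN
add action=accept chain=forward comment="Allow established & related forwards" connection-state=established,related
add action=drop chain=forward comment="Drop invalid forwards" connection-state=invalid

# Mangle: mark connections by the uplink they arrived on so replies leave the
# same way, then split subscriber traffic (100.64.0.0/24) into odd/even marks.
# NOTE(review): the third input rule and the third output rule handle
# pppoe-out-valve-primary but carry an "NBN 2" comment; the disabled "Mobile
# output" rule matches nbn_conn_2 rather than mobile_conn. Presumably copy and
# paste leftovers; confirm.
/ip firewall mangle
add action=mark-connection chain=input comment="Mark connections in NBN 1" in-interface=pppoe-out-valve-1 new-connection-mark=nbn_conn_1 passthrough=yes
add action=mark-connection chain=input comment="Mark connections in NBN 2" in-interface=pppoe-out-valve-2 new-connection-mark=nbn_conn_2 passthrough=yes
add action=mark-connection chain=input comment="Mark connections in NBN 2" in-interface=pppoe-out-valve-primary new-connection-mark=nbn_conn_primary passthrough=yes
add action=mark-connection chain=input comment="Mark connections in Mobile" disabled=yes in-interface=ether8 new-connection-mark=mobile_conn passthrough=yes
add action=mark-routing chain=output comment="Mark routing for NBN 1 output" connection-mark=nbn_conn_1 new-routing-mark=via_nbn_1 passthrough=yes
add action=mark-routing chain=output comment="Mark routing for NBN 2 output" connection-mark=nbn_conn_2 new-routing-mark=via_nbn_2 passthrough=yes
add action=mark-routing chain=output comment="Mark routing for NBN 2 output" connection-mark=nbn_conn_primary new-routing-mark=via_primary passthrough=yes
add action=mark-routing chain=output comment="Mark routing for Mobile output" connection-mark=nbn_conn_2 disabled=yes new-routing-mark=via_mobile passthrough=yes
add action=mark-connection chain=prerouting comment="NTH load balancing for the clients over the NBN connections" connection-state=new new-connection-mark=odd nth=2,1 passthrough=yes src-address=100.64.0.0/24
add action=add-src-to-address-list address-list=odd address-list-timeout=1d chain=prerouting comment="NTH load balancing for the clients over the NBN connections" connection-mark=odd src-address=100.64.0.0/24
add action=mark-routing chain=prerouting comment="NTH load balancing for the clients over the NBN connections" connection-mark=odd new-routing-mark=odd passthrough=no src-address=100.64.0.0/24
add action=mark-connection chain=prerouting comment="NTH load balancing for the clients over the NBN connections" connection-state=new new-connection-mark=even nth=2,2 passthrough=yes src-address=100.64.0.0/24
add action=add-src-to-address-list address-list=even address-list-timeout=1d chain=prerouting comment="NTH load balancing for the clients over the NBN connections" connection-mark=even src-address=100.64.0.0/24
add action=mark-routing chain=prerouting comment="NTH load balancing for the clients over the NBN connections" connection-mark=even new-routing-mark=even passthrough=no src-address=100.64.0.0/24

# NAT: SmartOLT tunnel traffic is exempt, everything leaving a WAN interface is
# masqueraded, and the dst-nat rules publish internal management services.
# NOTE(review): the NVR rule (8080 to 10.199.198.29:80) has no src-address-list,
# so an unencrypted HTTP interface is published to every source on WAN.
# NOTE(review): the last rule (222 to 192.168.90.198:22) has neither a
# src-address-list nor an in-interface-list. The 162, 163 and 2222 rules also
# lack in-interface-list and dst-address, so they match transit traffic from
# any interface, not only traffic addressed to this router. Scope each rule by
# source list, ingress interface and destination address.
# NOTE(review): the Telnet and SNMP forwards to the OLT are cleartext protocols
# crossing the WAN, limited only by source address. The SmartOLT-VPN tunnel
# defined above is presumably the intended path; confirm and retire these.
/ip firewall nat
add action=accept chain=srcnat comment="SmartOLT-VPN traffic excluded from NAT" out-interface=SmartOLT-VPN
add action=masquerade chain=srcnat comment="temp for testing" disabled=yes dst-address=10.199.198.0/24 src-address=192.168.90.0/24
add action=masquerade chain=srcnat comment="NAT out WAN" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="SmartOLT Telnet to OLT" dst-port=2333 in-interface-list=WAN protocol=tcp src-address-list=SmartOLT to-addresses=10.11.104.2 to-ports=23
add action=dst-nat chain=dstnat comment=NVR dst-port=8080 in-interface-list=WAN protocol=tcp to-addresses=10.199.198.29 to-ports=80
add action=dst-nat chain=dstnat comment="SmartOLT SNMP to OLT" dst-port=2161 in-interface-list=WAN protocol=udp src-address-list=SmartOLT to-addresses=10.11.104.2 to-ports=161
add action=dst-nat chain=dstnat comment="Winbox to Cobram-SW1.CFN.VIC.intervisp.net" dst-port=8292 in-interface-list=WAN protocol=tcp src-address-list=TrustedIPs to-addresses=10.199.199.253 to-ports=8291
add action=dst-nat chain=dstnat comment="SNMP to Cobram-SW1.CFN.VIC.intervisp.net" dst-port=162 protocol=udp src-address-list=TrustedIPs to-addresses=10.199.199.253 to-ports=161
add action=dst-nat chain=dstnat comment="SNMP to Cobram-SW1.CFN.VIC.intervisp.net" dst-port=163 protocol=udp src-address-list=TrustedIPs to-addresses=10.199.199.253 to-ports=161
add action=dst-nat chain=dstnat comment="SSH Switch" dst-port=2222 protocol=tcp src-address-list=TrustedIPs to-addresses=10.199.199.253 to-ports=22
add action=dst-nat chain=dstnat comment="SSH Switch" dst-port=222 protocol=tcp to-addresses=192.168.90.198 to-ports=22

# Default routes for the policy-routing tables.
# NOTE(review): via_nbn_1, odd and even all point at pppoe-out-valve-2, so
# replies to connections that arrived on NBN 1 leave via NBN 2 and the Nth
# split sends both halves over one link. Possibly a deliberate workaround;
# confirm against the intended design.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out-valve-2 routing-table=via_nbn_1
add disabled=no dst-address=0.0.0.0/0 gateway=ether8 routing-table=via_mobile
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out-valve-2 routing-table=via_nbn_2
add comment="for Nth load-balancing" disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out-valve-2 routing-table=odd scope=255
add comment="for Nth load-balancing" disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out-valve-2 routing-table=even scope=255
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out-valve-primary routing-table=via_primary

# Cleartext management services are disabled.
# NOTE(review): ssh and winbox are not listed, so presumably they remain enabled
# without an address= restriction. Pin them to the management networks so they
# do not depend on the firewall alone.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp aaa
set interim-update=30m use-radius=yes

# Local L2TP account, stored in plaintext in this export.
/ppp secret
add name=ttadmin password="Tru3t3lc0@\$" profile=L2TP-VPN service=l2tp

# NOTE(review): all three RADIUS servers share one secret and are reached at
# public addresses. Because service includes login and /user aaa enables
# RADIUS below, this secret also protects administrator logins to the router.
# Use a distinct secret per server and rotate the one shown here.
/radius
add address=103.16.129.23 comment=radius-1.intervisp.net.au secret="xnsa\$!ufgb2x" service=ppp,login timeout=3s
add address=43.229.61.238 comment=radius-2.intervisp.net.au secret="xnsa\$!ufgb2x" service=ppp,login timeout=3s
add address=112.213.37.223 comment=portal.truetelco.com.au secret="xnsa\$!ufgb2x" service=ppp,login src-address=103.96.5.148 timeout=3s

# Accepts RADIUS-initiated requests from the servers above.
/radius incoming
set accept=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

# NOTE(review): traps use version 2 with the CFNCOM community, which is also
# the community left open to ::/0 above. The location string publishes the
# site's street address to anything that can query SNMP.
/snmp
set contact=noc@corefibre.com.au enabled=yes location="143 Campbell Road, Cobram, VIC 3644" trap-community=CFNCOM trap-generators="" trap-version=2

# NOTE(review): the time zone is Brisbane while the SNMP location is in VIC.
# Confirm this is intended, since it affects log timestamp correlation.
/system clock
set time-zone-name=Australia/Brisbane
/system identity
set name=Cobram-R1.CFN.VIC.intervisp.net

# Both extra logging topics are disabled, and no remote log target is shown.
/system logging
add disabled=yes topics=radius
add disabled=yes topics=pppoe
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=au.pool.ntp.org

# Router logins are authenticated through the RADIUS servers defined above.
/user aaa
set use-radius=yes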