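# model: CCR1009-7G-1C-1S+
# serial-number: E3220D22063B
# firmware-type: tilegx
# current-firmware: 6.48.3
# installed-version: 7.19.3
# Flags: U - UNDOABLE
# Columns: ACTION, BY, POLICY, TIME
# ACTION BY POLICY TIME
# U address list entry added cfnadmin write 2025-07-31 13:12:20
# U wireguard peer entry added cfnadmin write 2025-07-28 21:56:55
# U address added cfnadmin write 2025-07-27 21:03:14
# U device added cfnadmin write 2025-07-27 21:02:45
# U ovpn server added read 2025-07-02 21:23:05
# U ntp server record added read 2025-07-02 21:23:05
#
# software id = V1A3-L6FP
#
# model = CCR1009-7G-1C-1S+
# serial number = E3220D22063B
#
# ---- Review notes (security) -------------------------------------------------------------
# This export was taken with sensitive values included: the EoIP ipsec-secret, the WireGuard
# private key, the L2TP/IPsec pre-shared key, both PPP passwords, the RADIUS shared secret and
# the LCD PIN all appear in clear text below. Once this file has left the device every one of
# them has to be treated as compromised and rotated (on both ends where the value is shared).
# Future exports should be taken with the default `/export` (hide-sensitive), which omits them.
# RouterBOOT is behind RouterOS (current-firmware 6.48.3 vs installed-version 7.19.3): run
# `/system routerboard upgrade` and reboot so the bootloader matches the running release.
# Lines changed or added by this review are marked "REVIEW:"; everything else is unchanged.
# ------------------------------------------------------------------------------------------
/interface bridge
add name=PPPoE-bridge port-cost-mode=short
# bridge-olt-service carries the management VLANs (90/99) and the customer-facing VLANs
# (100/200/250/260/2000) on the same bridge with protocol-mode=none and no vlan-filtering.
# VLAN separation therefore relies entirely on the tags applied by the OLT/switch side.
# Consider enabling vlan-filtering with explicit /interface bridge vlan entries (test from an
# out-of-band path first: a mistake here cuts off management).
add admin-mac=00:03:43:1A:2B:3C auto-mac=no name=bridge-olt-service port-cost-mode=short protocol-mode=none
add name=loopback port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=combo1 ] comment="Backhall to MLB NextDC M1"
set [ find default-name=ether1 ] comment="Connected to the Switch for mgnt usage"
set [ find default-name=ether2 ] name=ether2-backhaul
set [ find default-name=ether3 ] comment="Dslam 2 AG"
set [ find default-name=ether4 ] comment="Dslam 1 MGNT port"
set [ find default-name=ether5 ] comment="Dslam 2 MGNT port"
set [ find default-name=ether6 ] comment="Dslam 1 AG port"
set [ find default-name=ether7 ] comment="VOIP GRANDSTREAM WAN Interface"
set [ find default-name=sfp-sfpplus1 ] comment="Trunk to Switch SFP port 1"
/interface eoip
# ipsec-secret is exported in clear; rotate it together with the peer at 103.67.56.1.
add allow-fast-path=no ipsec-secret=VK4twhftEp5V4vy3 local-address=103.96.4.20 mac-address=02:BC:D0:5E:A1:9D name=CFN remote-address=103.67.56.1 tunnel-id=3101
/interface wireguard
# The private key is exported in clear; generate a new key pair and update every peer's
# public-key for this router.
add listen-port=26781 mtu=1420 name=wg-iface private-key="kAF62qbw6EqC4B+297sBXsijtT15TnMPp4pJ1aw49W0="
/interface vlan
add comment="management True" interface=bridge-olt-service name=bridge-olt-service.90 vlan-id=90
add comment=management interface=bridge-olt-service name=bridge-olt-service.99 vlan-id=99
add comment=Internet interface=bridge-olt-service name=bridge-olt-service.100 vlan-id=100
add comment=Voice interface=bridge-olt-service name=bridge-olt-service.200 vlan-id=200
add comment="Client Network" interface=bridge-olt-service name=bridge-olt-service.250 vlan-id=250
add comment="CCTV Access" interface=bridge-olt-service name=bridge-olt-service.260 vlan-id=260
add comment="Internet for DSLAMS" interface=bridge-olt-service name=bridge-olt-service.2000 vlan-id=2000
add comment="Cust: TheLakesEstate [1000Mbit]" interface=ether2-backhaul name=ether2-backhaul.100 vlan-id=100
/interface list
# "internal" is the only list the input chain trusts wholesale; it currently holds just
# bridge-olt-service.99 (see /interface list member).
add name=internal
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.10.1-192.168.10.253
add name=dhcp_pool2 ranges=192.168.20.1-192.168.20.253
add name=dhcp_pool3 ranges=192.168.30.1-192.168.30.253
add name=dhcp_pool5 ranges=192.168.99.1-192.168.99.200
add name=CGNAT2 ranges=100.64.2.1-100.64.2.60
add name=dhcp_pool7 ranges=10.99.2.100-10.99.2.220
add name=dhcp_pool8 ranges=10.200.0.1-10.200.0.253
add name=CGNAT1 next-pool=CGNAT2 ranges=100.64.1.1-100.64.1.60
add name=CGNAT0 next-pool=CGNAT1 ranges=100.64.0.1-100.64.0.60
add name=dhcp_pool10 ranges=192.168.10.100-192.168.10.200
add name=dhcp_pool11 ranges=192.168.90.30-192.168.90.100
add name=dhcp_pool12 ranges=192.168.160.100-192.168.160.200
/ip dhcp-server
add address-pool=dhcp_pool7 interface=bridge-olt-service.99 lease-time=10m name=dhcp1
add address-pool=dhcp_pool8 interface=bridge-olt-service.200 lease-time=10m name=dhcp2
add address-pool=dhcp_pool10 interface=ether7 lease-time=10m name=dhcp3
add address-pool=dhcp_pool11 interface=bridge-olt-service.90 lease-time=10m name=dhcp4
add address-pool=dhcp_pool12 interface=bridge-olt-service.260 lease-time=10m name=dhcp5
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 baud-rate=9600 name=serial0
set 1 name=serial1
/ppp profile
add local-address=192.168.255.1 name=l2tp
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no in-filter-chain=ospf-in name=default-v2 out-filter-chain=ospf-out redistribute=connected,static,vpn,dhcp,modem router-id=10.255.255.71
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] disabled=yes
# Both communities accept queries from any source (addresses=::/0), so the only thing keeping
# SNMP off the open internet is the firewall, and the input chain only has a final drop on
# ether2-backhaul. Restrict `addresses=` to the NMS/Zabbix source ranges and prefer SNMPv3;
# v2c (trap-version=2 below) sends the community name in clear.
add addresses=::/0 name=valve
add addresses=::/0 name=CFNCOM
/interface bridge port
add bridge=bridge-olt-service ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge-olt-service ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-olt-service ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=PPPoE-bridge ingress-filtering=no interface=bridge-olt-service.100 internal-path-cost=10 path-cost=10
add bridge=PPPoE-bridge ingress-filtering=no interface=ether2-backhaul.100 internal-path-cost=10 path-cost=10
add bridge=bridge-olt-service ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=PPPoE-bridge ingress-filtering=no interface=bridge-olt-service.2000 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) runs on every non-dynamic interface, including the
# customer-facing VLANs, which advertises identity, software version and MAC to subscribers.
# `discover-interface-list=internal` would limit it to the management VLAN; confirm no NMS
# depends on seeing this router from elsewhere before changing it.
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface l2tp-server server
# The IPsec PSK is exported in clear and is shared by every L2TP client; rotate it and
# distribute the new value out of band.
set enabled=yes ipsec-secret=TrueTelco1#42 one-session-per-host=yes use-ipsec=required
/interface list member
add interface=bridge-olt-service.99 list=internal
/interface ovpn-server server
# Accepts md5 as an HMAC option. Whether this server instance is enabled is not visible in
# this export; if it is (or gets) enabled, drop md5 from `auth=` once clients are confirmed
# to use sha1 or better.
add auth=sha1,md5 mac-address=FE:21:9A:9A:4F:FB name=ovpn-server1
/interface wireguard peers
# peer-daniel is a single personal peer whose allowed-address spans the GPON management
# (10.99.2.0/24, 192.168.90.0/24), voice and CCTV subnets; narrow it to what that peer needs.
# Note the peer has no endpoint-address and UDP/26781 is not accepted on ether2-backhaul
# (it is dropped unless the source is in TrustedIPs), so handshakes can only succeed from a
# TrustedIPs source or another interface - presumably intended, verify.
add allowed-address="192.168.90.0/24,192.168.101.0/24,192.168.102.0/24,192.168.103.0/24,192.168.160.0/24,10.99.2.0/24,10.200.0.0/24,10.255.5.0/24,10.255.5.2/32" interface=wg-iface name=peer-daniel persistent-keepalive=30s public-key="Sz+7AhGZ3rjoJrL+vmP338f2Ki2PYNr7/IXPkiYvdwI="
/ip address
add address=10.210.201.2/30 interface=ether2-backhaul network=10.210.201.0
add address=10.99.2.254/24 comment="GPON Management VLAN" interface=bridge-olt-service.99 network=10.99.2.0
add address=10.200.0.254/24 comment="GPON Voice VLAN" interface=bridge-olt-service.200 network=10.200.0.0
add address=10.255.255.71 interface=loopback network=10.255.255.71
add address=103.96.4.20 interface=loopback network=103.96.4.20
add address=192.168.10.254/24 comment="Voip WAN Interface" interface=ether7 network=192.168.10.0
add address=192.168.0.3/24 interface=ether5 network=192.168.0.0
add address=192.168.101.1/24 comment="GPON Voice VLAN" interface=bridge-olt-service.200 network=192.168.101.0
add address=192.168.102.1/24 comment="GPON Voice VLAN" interface=bridge-olt-service.200 network=192.168.102.0
add address=192.168.103.1/24 comment="GPON Voice VLAN" interface=bridge-olt-service.200 network=192.168.103.0
add address=192.168.90.1/24 comment="True Telco - Managerement" interface=bridge-olt-service.90 network=192.168.90.0
add address=192.168.160.1/24 comment="GPON CCTV VLAN" interface=bridge-olt-service.260 network=192.168.160.0
add address=192.168.132.2/30 interface=CFN network=192.168.132.0
add address=10.203.1.2/30 interface=CFN network=10.203.1.0
add address=10.255.5.1/24 interface=wg-iface network=10.255.5.0
/ip cloud
# Publishes the router's public address to MikroTik's cloud DDNS; disable if nothing uses the
# sn.mynetname.net name.
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.10.200 client-id=1:c0:74:ad:16:ca:f5 mac-address=C0:74:AD:16:CA:F5 server=dhcp3
add address=10.99.2.250 client-id=1:2c:c8:1b:12:97:6e mac-address=2C:C8:1B:12:97:6E server=dhcp1
add address=192.168.160.200 client-id=1:e4:24:6c:a:a0:43 mac-address=E4:24:6C:0A:A0:43 server=dhcp5
/ip dhcp-server network
add address=10.99.2.0/24 dns-server=10.99.2.254 gateway=10.99.2.254
add address=10.200.0.0/24 dns-server=10.200.0.254 gateway=10.200.0.254
add address=192.168.10.0/24 gateway=192.168.10.254
add address=192.168.90.0/24 gateway=192.168.90.1
add address=192.168.160.0/24 gateway=192.168.160.1
/ip dns
# The router answers DNS on every interface. The backhaul is covered by its drop rule, but
# every other interface can use it (10.99.2.0/24 and 10.200.0.0/24 are handed this address by
# DHCP, so those two at least must keep access - see the staged drop rule in the filter).
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# TrustedIPs is the gate for full input access and for most dst-nat rules. Two caveats:
#  - the 192.168.0.0/16 entry makes every 192.168.x subnet on this router (voice 101-103,
#    CCTV 160, VoIP WAN 10, management 90 and ether5's 192.168.0.0/24) fully trusted for the
#    input chain; narrow it to the management networks that actually need it.
#  - hostname entries are resolved through /ip dns (8.8.8.8/8.8.4.4 across the backhaul); a
#    spoofed or hijacked answer silently widens the trusted set. Prefer literal addresses.
add address=valve-space-router.qld.valvenetworks.net comment="valve office" list=TrustedIPs
add address=valve-koki-router.vic.valvenetworks.net comment="valve office" list=TrustedIPs
add address=nms.valvenetworks.net comment=NMS list=TrustedIPs
add address=rancid.valvenetworks.net comment=Rancid list=TrustedIPs
add address=10.210.201.0/30 comment="Office - For setup for now" list=TrustedIPs
add address=192.168.0.0/16 list=TrustedIPs
add address=110.175.218.210 comment="True Telco Office" list=TrustedIPs
add address=103.96.4.199 comment="Craigs home - as requested by TrueTelco - 21/07/2021" list=TrustedIPs
add address=office.fixtel.com.au comment="True Telco Office Address" list=TrustedIPs
add address=office.truetelco.com.au comment="True Telco Office Address" list=TrustedIPs
add address=office.corefibre.com.au comment="True Telco Office Address" list=TrustedIPs
add address=zabbix.corefibre.com.au comment=zabbix.corefibre.com.au list=TrustedIPs
add address=103.67.56.0/23 list=TrustedIPs
add address=acl.manisp.au list=TrustedIPs
add address=43.224.182.114 comment=Zabbix list=TrustedIPs
/ip firewall filter
# Input chain shape: the only final drop is scoped to in-interface=ether2-backhaul. Every
# other interface (customer VLANs 100/200/250/260, ether7, the CFN tunnel, wg-iface) reaches
# the router's services (winbox, ssh, www, api, dns, snmp ...) by default-accept.
# REVIEW: added an interface-agnostic established/related accept and an invalid drop, and a
# staged (disabled) final drop. Before enabling the staged drop, add accepts for: DNS udp/tcp
# 53 from 10.200.0.0/24 and any other subnet that resolves via this router; WireGuard udp
# 26781 on the interfaces peers arrive from; and verify customer DHCP still works from an
# out-of-band session. OSPF/L2TP on the backhaul and management via `internal`/TrustedIPs
# are already covered by the existing rules.
add action=accept chain=input comment="Allow ICMP input" protocol=icmp
add action=accept chain=input comment="REVIEW: Allow established & related input (all interfaces)" connection-state=established,related
add action=drop chain=input comment="REVIEW: Drop invalid input" connection-state=invalid
add action=accept chain=input comment="Allow all in management" in-interface-list=internal
# The next rule is redundant: the one after it accepts every port from TrustedIPs. Harmless.
add action=accept chain=input comment="Allow SNMP input from TrustedIPs" dst-port=161 protocol=udp src-address-list=TrustedIPs
add action=accept chain=input comment="Allow input from trusted addresses" src-address-list=TrustedIPs
add action=accept chain=input comment="Allow established & related input" connection-state=established,related in-interface=ether2-backhaul
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 in-interface=ether2-backhaul protocol=udp
add action=accept chain=input comment="Allow OSPF" in-interface=ether2-backhaul protocol=ospf
add action=drop chain=input comment="Drop all in backhaul" in-interface=ether2-backhaul
add action=drop chain=input comment="REVIEW: staged final drop - enable only after the accepts listed above are in place" disabled=yes
# Forward chain has no drop at all: routed traffic between customer VLANs, the management
# VLANs, ether7, the CFN tunnel and wg-iface is unrestricted. At minimum, drop
# connection-state=invalid and block customer VLANs -> 10.99.2.0/24 and 192.168.90.0/24.
# Not changed here because the required inter-VLAN flows (voice, CCTV) are not documented.
add action=accept chain=forward comment="Allow established & related forwards" connection-state=established,related
/ip firewall nat
add action=src-nat chain=srcnat comment="Dont NAT traffic for OSPF" out-interface=ether2-backhaul protocol=!ospg to-addresses=103.96.4.20
add action=dst-nat chain=dstnat comment="Switch - testing only" dst-port=8292 in-interface=ether2-backhaul protocol=tcp src-address-list=TrustedIPs to-addresses=10.99.2.250 to-ports=8291
add action=dst-nat chain=dstnat comment="SNMP Switch" dst-port=163 in-interface=ether2-backhaul protocol=udp src-address-list=TrustedIPs to-addresses=10.99.2.250 to-ports=161
add action=dst-nat chain=dstnat comment="SSH Switch" dst-port=2222 in-interface=ether2-backhaul protocol=tcp src-address-list=TrustedIPs to-addresses=10.99.2.250 to-ports=22
# The two CCTV forwards have no src-address-list: the NVR at 192.168.160.200 (http, rtsp,
# https and 37777) is reachable from any source on the backhaul. Restrict by source list or
# move viewing behind the VPN if the customer agrees; NVR web interfaces are a frequent
# intrusion vector.
add action=dst-nat chain=dstnat comment="CCTV - Portforward -16-01-2023" dst-port=8088 in-interface=ether2-backhaul protocol=tcp to-addresses=192.168.160.200 to-ports=80
add action=dst-nat chain=dstnat comment="CCTV - Portforward -16-01-2023" dst-port=37777,554,443 in-interface=ether2-backhaul protocol=tcp to-addresses=192.168.160.200
add action=dst-nat chain=dstnat comment="Truetelco Monotoring access" dst-port=10050 in-interface=ether2-backhaul protocol=tcp src-address-list=TrustedIPs to-addresses=192.168.90.3
add action=dst-nat chain=dstnat comment="Truetelco Monotoring access" dst-port=8443 in-interface=ether2-backhaul protocol=tcp src-address-list=TrustedIPs to-addresses=192.168.90.2 to-ports=443
# The comment says "from TrustedIPs" but the rule has no src-address-list, so SIP 5060-5080
# from any backhaul source reaches the Grandstream. Either the comment or the rule is wrong;
# check the SIP provider's addresses are in TrustedIPs before adding the restriction.
add action=dst-nat chain=dstnat comment="Allow SIP in to grandstream from TrustedIPs" dst-port=5060-5080 in-interface=ether2-backhaul protocol=udp to-addresses=192.168.10.200 to-ports=5060-5080
# Telnet to the MA5616 DSLAMs: clear-text management over the backhaul, gated only by
# TrustedIPs (see the address-list caveats). Prefer SSH on the DSLAM or access via the VPN.
add action=dst-nat chain=dstnat comment="Telnet to MA5616-1 from Trusted IPs" dst-address=103.96.4.20 dst-port=10023 protocol=tcp src-address-list=TrustedIPs to-addresses=10.99.2.2 to-ports=23
add action=dst-nat chain=dstnat comment="Telnet to MA5616-2 from Trusted IPs" dst-address=103.96.4.20 dst-port=11023 protocol=tcp src-address-list=TrustedIPs to-addresses=10.99.2.3 to-ports=23
add action=dst-nat chain=dstnat disabled=yes dst-port=8888 protocol=tcp to-addresses=10.200.0.10 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=8888 protocol=udp to-addresses=10.200.0.10 to-ports=80
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.210.201.1 pref-src=103.96.4.20
add disabled=no dst-address=192.168.1.0/24 gateway=192.168.132.1
/ip smb shares
# A share path is configured; whether the SMB service itself is enabled is not part of this
# export. If it is not needed, disable it under /ip smb.
set [ find default=yes ] directory=/pub
/lcd
set read-only-mode=yes
/lcd pin
# The physical LCD PIN is exported here; change it.
set hide-pin-number=yes pin-number=0312
/ppp aaa
set use-radius=yes
/ppp secret
# Both L2TP accounts share the same password and it is exported in clear; set distinct,
# newly generated passwords (RADIUS is also enabled for PPP, so these are not the only logins).
add name=ttadmin password="Tru3t3lc0@\$" profile=l2tp remote-address=192.168.255.2 service=l2tp
add name=ontech password="Tru3t3lc0@\$" profile=l2tp remote-address=192.168.255.3 service=l2tp
/radius
# service=login: device logins are authenticated against 103.67.56.1 via the default route
# over ether2-backhaul (not inside the CFN tunnel, whose IPsec policy covers the tunnel
# itself). The shared secret is exported in clear - rotate it. require-message-auth=no
# switches off the Message-Authenticator requirement that RouterOS added to mitigate the
# 2024 RADIUS/MD5 forgery attack (Blast-RADIUS); restore the default once the server is
# confirmed to send Message-Authenticator in its responses.
add address=103.67.56.1 require-message-auth=no secret=MR7ACxdeV8He service=login src-address=103.96.4.20 timeout=300ms
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing filter rule
# ospf-out only advertises the loopback /24 and 103.96.4.0/22 and rejects RFC1918, CGNAT
# and default - good. ospf-in accepts everything except CGNAT space, so the backhaul
# neighbor can inject any other prefix (including a default); see the unauthenticated
# template note below.
add chain=ospf-out disabled=no rule="if (dst in 10.255.255.0/24 && dst-len in 24-32) { accept; }"
add chain=ospf-out disabled=no rule="if (dst in 103.96.4.0/22 && dst-len in 22-32) { accept; }"
add chain=ospf-out disabled=no rule="if (dst in 100.64.0.0/16 && dst-len in 16-32) { reject; }"
add chain=ospf-out disabled=no rule="if (dst in 10.0.0.0/8 && dst-len in 8-32) { reject; }"
add chain=ospf-out disabled=no rule="if (dst in 172.16.0.0/12 && dst-len in 12-32) { reject; }"
add chain=ospf-out disabled=no rule="if (dst in 192.168.0.0/16 && dst-len in 16-32) { reject; }"
add chain=ospf-out disabled=no rule="if (dst in 0.0.0.0/0 && dst-len in 0-32) { reject; }"
add chain=ospf-in disabled=no rule="if (dst in 100.64.0.0/16 && dst-len in 16-32) { reject; }"
add chain=ospf-in disabled=no rule="if (dst in 0.0.0.0/0 && dst-len in 0-32) { accept; }"
/routing ospf interface-template
# No `auth=` on the backhaul adjacency: any device that can reach the 10.210.201.0/30
# segment can form a neighborship and push routes through ospf-in. The segment is a /30, so
# exposure is limited to the upstream side, but MD5/SHA authentication should be agreed with
# the upstream and enabled on both ends.
add area=backbone-v2 disabled=no interfaces=ether2-backhaul networks=10.210.201.0/30 priority=1
/snmp
set contact=noc@corefibre.com.au enabled=yes location="Taylors Lakes,Victoria,Australia" trap-community=CFNCOM trap-version=2
/system clock
set time-zone-name=Australia/Melbourne
/system console
set [ find ] disabled=yes
/system identity
set name=800KingSt-R1.CFN.VIC.intervisp.net
/system ntp client
set enabled=yes
/system ntp client servers
add address=au.pool.ntp.org
/system scheduler
# REVIEW: this one-shot job (start-date 2021-06-15, no interval) only runs `/system reboot`
# yet carried every policy including password, sensitive, sniff and romon. Reduced to the
# policies the command needs; remove the entry entirely if it is no longer wanted.
add name=reboot-once on-event="/system reboot" policy=reboot,read start-date=2021-06-15 start-time=04:00:00
/tool sniffer
# Sniffer streaming (TZSP) of PPPoE discovery and session frames on VLAN 2000 is configured
# toward 103.96.5.254. Whether the sniffer is currently running is not in the export, but
# when it runs, subscriber authentication exchanges (PAP passwords in clear) leave the
# router in that stream; keep the collector on a trusted path and disable streaming when not
# troubleshooting.
set filter-interface=bridge-olt-service.2000 filter-mac-protocol=pppoe-discovery,pppoe memory-scroll=no streaming-enabled=yes streaming-server=103.96.5.254
/user aaa
# Any RADIUS-authenticated login without a group attribute lands in `full`. Combined with
# the RADIUS notes above, a forged Access-Accept yields full admin; consider default-group=read
# and assigning `full` explicitly from the RADIUS server.
set default-group=full use-radius=yes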