# Overview (review annotation): RouterOS export for a CRS309-1G-8S+ (identity
# "sw-rackforrest") running as a single VLAN-filtering bridge, preceded by
# commented-out routerboard information and /system history output.
# The commands below are reproduced unchanged, one command per line; only
# '#' comment lines were added. Items marked NOTE(review) are points to
# confirm on the device, not statements about its live state.
# NOTE(review): the header carries the device serial number and software id;
# redact such identifiers before sharing an export outside the operations team.
#
# model: CRS309-1G-8S+
# serial-number: D8480C15BC90
# firmware-type: dx3230L
# current-firmware: 6.48.3
# installed-version: 6.49.8
# NOTE(review): current-firmware (6.48.3) is behind installed-version (6.49.8),
# i.e. the RouterBOOT firmware was not upgraded after the RouterOS upgrade.
#
# Flags: U - undoable, R - redoable, F - floating-undo
# ACTION BY POLICY
# NOTE(review): the history below records the actions "user mentes added" and
# "user group mentes added" performed by "root"; this matches the "mentes"
# group defined under /user group further down.
# U item removed admin write
# U item added admin write
# U item changed admin write
# U item added admin write
# U item removed admin write
# U item changed admin write
# U item added admin write
# U item changed admin write
# U item added admin write
# U item removed admin write
# U user mentes added root write
# policy
# U user group mentes added root write
# policy
# U item changed admin write
# U item changed admin write
# U item added admin write
# U item changed admin write
# U item added admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item added admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item added admin write
# U item changed admin write
# U item changed admin write
# U item added admin write
# U item changed admin write
# U item added admin write
# U item removed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item added admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item removed admin write
# U item removed admin write
# U item removed admin write
# U item changed admin write
# U item removed admin write
# U item changed admin write
# U item removed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U item changed admin write
# U device changed admin write
# U device changed admin write
# U item removed admin write
# U item changed admin write
# U item added admin write
# U item changed admin write
# U item added admin write
# U device changed root write
# U device changed root write
# U device changed root write
# U device changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U item changed root write
# U device changed root write
# U device changed root write
#
# software id = Z26J-XGMQ
#
# model = CRS309-1G-8S+
# serial number = D8480C15BC90

# One bridge with VLAN filtering enabled; every SFP+ port below joins it.
/interface bridge
add name=bridge1 vlan-filtering=yes

# Physical ports: renamed per uplink/peer, with raised L2 MTU / MTU on some.
# comment=Ures on sfp-sfpplus3 is Hungarian for "empty" (unused port).
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1592
set [ find default-name=sfp-sfpplus1 ] comment="CRS-BUDAPEST Telekom Serverterem fele 10G" l2mtu=1620 mtu=1600 name=sfp-sfpplus1-crsbudapest
set [ find default-name=sfp-sfpplus2 ] comment=DIGI l2mtu=1620 mtu=1600 name=sfp-sfpplus2-digi
set [ find default-name=sfp-sfpplus3 ] comment=Ures l2mtu=1620 mtu=1600
set [ find default-name=sfp-sfpplus4 ] comment="KIFU 10G" l2mtu=1620 mtu=1600 name=sfp-sfpplus4-kifu
set [ find default-name=sfp-sfpplus5 ] comment="SW-BUDAPEST 10G" l2mtu=1592 name=sfp-sfpplus5-sw-budapest
set [ find default-name=sfp-sfpplus6 ] comment=BIX l2mtu=1592 name=sfp-sfpplus6-bix
set [ find default-name=sfp-sfpplus7 ] comment=Rackforrest l2mtu=1592 name=sfp-sfpplus7-rackforrest
set [ find default-name=sfp-sfpplus8 ] comment="FW-BUDAPEST 10G DAC" l2mtu=1592 name=sfp-sfpplus8-fw-budapest

# Management plane: L3 interface on VLAN 99 (address assigned under /ip address).
/interface vlan
add interface=bridge1 name=vlan99-management vlan-id=99

# Interface list used to scope neighbor discovery (see discovery-settings).
/interface list
add name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

# SNMP: the default community is restricted to 86.109.64.0/27, and SNMP is
# enabled further down (/snmp set enabled=yes).
# NOTE(review): no name= or security settings appear here, so the default
# community presumably keeps its default name and cleartext SNMP v1/v2c
# access — confirm, and prefer a renamed community or SNMPv3 with
# authentication and encryption.
/snmp community
set [ find default=yes ] addresses=86.109.64.0/27

# Remote logging target; the /system logging rules below send the info,
# critical, error and warning topics to action=remote.
# NOTE(review): "3" is presumably the built-in remote (syslog) action; syslog
# is normally sent unencrypted, so the path to 86.109.64.16 should be a
# trusted management network — confirm.
/system logging action
set 3 remote=86.109.64.16

# User groups: "full" keeps every policy; "mentes" (Hungarian for "backup")
# is limited to ssh + read + sensitive, with all other policies negated.
# NOTE(review): "sensitive" lets members read secrets held in the
# configuration, so the credentials or SSH key of any user in "mentes"
# deserve the same protection as a full configuration export.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
add name=mentes policy="ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api,!romon,!dude,!tikapp"
#error exporting /interface bridge calea

# Bridge membership. Only sfp-sfpplus8-fw-budapest sets pvid (660); every
# other port omits pvid, frame-types and ingress-filtering.
# NOTE(review): VLAN 660 has no static entry under /interface bridge vlan in
# this export — confirm it is an intentional "parking" VLAN for untagged
# frames on the firewall link.
# NOTE(review): the remaining ports look like tagged trunks; with the settings
# omitted they presumably use RouterOS defaults and still accept untagged
# frames into the default PVID. Consider frame-types=admit-only-vlan-tagged
# and ingress-filtering=yes on trunk-only ports.
# NOTE(review): sfp-sfpplus3 is commented "Ures" (unused) yet is an enabled
# bridge member; consider disabling the port or removing it from the bridge.
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1-crsbudapest
add bridge=bridge1 interface=sfp-sfpplus8-fw-budapest multicast-router=disabled pvid=660
add bridge=bridge1 interface=sfp-sfpplus3 multicast-router=disabled
add bridge=bridge1 interface=sfp-sfpplus4-kifu
add bridge=bridge1 interface=sfp-sfpplus5-sw-budapest multicast-router=disabled
add bridge=bridge1 interface=sfp-sfpplus6-bix
add bridge=bridge1 interface=sfp-sfpplus7-rackforrest
add bridge=bridge1 interface=sfp-sfpplus2-digi

# NOTE(review): per MikroTik documentation use-ip-firewall-for-vlan only takes
# effect together with use-ip-firewall=yes, which is not set in this export;
# as written, the forward-chain rules further down presumably never see
# bridged VLAN traffic — confirm the intent.
/interface bridge settings
set use-ip-firewall-for-vlan=yes

# Neighbor discovery is limited to the members of the "discover" list.
/ip neighbor discovery-settings
set discover-interface-list=discover

# Static VLAN table: each entry names the trunk ports that carry the VLAN
# tagged. No entry defines untagged= members. The comment= values are
# customer/site labels.
# NOTE(review): VLAN 99 (management) lists ether1 as tagged, but ether1 is not
# added under /interface bridge port in this export — confirm.
/interface bridge vlan
add bridge=bridge1 tagged="bridge1,ether1,sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest" vlan-ids=99
add bridge=bridge1 comment="BAK OMV" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2001
add bridge=bridge1 comment="Papa Celli ut OMV" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2002
add bridge=bridge1 comment="Sopron Gyori ut OMV" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2003
add bridge=bridge1 comment="Kistelek Kossuth ut OMV" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2004
add bridge=bridge1 comment="Hajduszoboszlo Hovirag ut OMV" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2005
add bridge=bridge1 comment="Mateszalka Jarmi ut OMV" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2006
add bridge=bridge1 comment="Szentendre Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2007
add bridge=bridge1 comment="Jaszbereny Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2008
add bridge=bridge1 comment="Vodafone Tapolca Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2009
add bridge=bridge1 comment="Vodafone Mohacs Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2010
add bridge=bridge1 comment="Vodafone Papa Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2011
add bridge=bridge1 comment="Vodafone Pecs Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2012
add bridge=bridge1 comment="Vodafone Nagykanizsa Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2013
add bridge=bridge1 comment="Vodafone Gyor Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2014
add bridge=bridge1 comment="Vodafone Szolnok OMV benzinkut" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2015
add bridge=bridge1 comment="Vodafone Pusztamonostor" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2016
add bridge=bridge1 comment="Vodafone Hegyeshalom OMV" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2017
add bridge=bridge1 comment="KIFU Bisinger setany" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus4-kifu vlan-ids=2800
add bridge=bridge1 comment="KIFU Mezoors" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus4-kifu vlan-ids=2801
add bridge=bridge1 comment="Kifu Dorog Eotvos Iskola" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus4-kifu vlan-ids=2810
add bridge=bridge1 comment="Kifu Kiskunhalas Koztarsasag 9" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2809
add bridge=bridge1 comment="Kifu Gyor Szent Imre 33 Kolcsey" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus4-kifu vlan-ids=2811
add bridge=bridge1 comment="Kifu CsornaErzsebet13TimaffyIskola" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2806
add bridge=bridge1 comment="KIFU CsornaErzsebet64PedSzakszolg" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2805
add bridge=bridge1 comment="KIFU Barcs Arany Janos Iskola" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2804
add bridge=bridge1 comment="KIFU Tiszaujvaros Eotvos" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2802
add bridge=bridge1 comment="Vodafone Mako Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2018
add bridge=bridge1 comment="Vodafone Esztergom Amplifon" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus8-fw-budapest vlan-ids=2019
add bridge=bridge1 comment="Kifu Gyor Mora Iskola Kodaly Zoltan" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus4-kifu vlan-ids=2815
add bridge=bridge1 comment="Kifu Kapuvar Tersegi Altalanos Iskola" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2816
add bridge=bridge1 comment="Kifu Ozd Arpad Vezer Iskola" tagged=sfp-sfpplus4-kifu,sfp-sfpplus8-fw-budapest vlan-ids=2817
add bridge=bridge1 comment="Kifu Ozd Gabor Aron Technikum" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus4-kifu vlan-ids=2818
add bridge=bridge1 comment="KIFU Rabatamasi" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2814
add bridge=bridge1 comment="FHNP Lebeny" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2819
add bridge=bridge1 comment="FHNP Sopron" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2820
add bridge=bridge1 comment="KIFU Oriszentpeter" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2821
add bridge=bridge1 comment="KIFU Csorna Madarvarta" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2823
add bridge=bridge1 comment="KIFU Ofeherto Iskola" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2822
add bridge=bridge1 tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus5-sw-budapest vlan-ids=101
add bridge=bridge1 comment=Dravanet tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=712,713,715,716,717,718,721,722,723,724,725
add bridge=bridge1 comment=MVMNET tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=2500,2514,2515,2518,2519
add bridge=bridge1 comment=MVMNET tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=2520,2521,2522,2523,2524,2525,2526,2527,2528,2529
add bridge=bridge1 comment=MVMNET tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=2530,2531,2532,2533,2534,2535,2536,2537,2538,2539
add bridge=bridge1 comment=MVMNET tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=2540,2541,2543,2544,2545,2546,2547,2548
add bridge=bridge1 comment=MVMNET tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=2550,2551,2552,2554,2555,2556,2558
add bridge=bridge1 comment=MVMNET tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=2560,2561,2562,2563,2564,2565,2566,2567,2569
add bridge=bridge1 comment=MVMNET tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=2570
# "ideiglenes" in the next comment= is Hungarian for "temporary".
add bridge=bridge1 comment="KIFU Pais ideiglenes" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2824
add bridge=bridge1 comment=Olbo tagged=sfp-sfpplus4-kifu,sfp-sfpplus5-sw-budapest vlan-ids=2825
add bridge=bridge1 comment=Pilisszentkereszt tagged=sfp-sfpplus4-kifu,sfp-sfpplus5-sw-budapest vlan-ids=2826
add bridge=bridge1 comment=Pilisvorosvar tagged=sfp-sfpplus4-kifu,sfp-sfpplus5-sw-budapest vlan-ids=2827
add bridge=bridge1 comment="Szentendre Petzelt" tagged=sfp-sfpplus4-kifu,sfp-sfpplus5-sw-budapest vlan-ids=2828
add bridge=bridge1 comment="Sopron Doborjani" tagged=sfp-sfpplus4-kifu,sfp-sfpplus5-sw-budapest vlan-ids=2829
add bridge=bridge1 comment="Kifu Ozd Vasvar 37 Iskola" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus4-kifu vlan-ids=2830
add bridge=bridge1 comment="Budapest DozsaGimnazium Fo ut 70" tagged=sfp-sfpplus4-kifu,sfp-sfpplus5-sw-budapest vlan-ids=2831
add bridge=bridge1 comment="Papa Reformatus kollegium" tagged=sfp-sfpplus4-kifu,sfp-sfpplus5-sw-budapest vlan-ids=2832
add bridge=bridge1 comment="Telekom pppoe" tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=30
add bridge=bridge1 comment="Miskolc Bartok Iskola" tagged=sfp-sfpplus4-kifu,sfp-sfpplus5-sw-budapest vlan-ids=2833
add bridge=bridge1 comment="Sopron optika" tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus8-fw-budapest vlan-ids=400
add bridge=bridge1 tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus6-bix vlan-ids=10
add bridge=bridge1 tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus6-bix vlan-ids=20
add bridge=bridge1 tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus6-bix vlan-ids=21
add bridge=bridge1 tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus7-rackforrest vlan-ids=1000
add bridge=bridge1 comment="Ozd Petofi" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus4-kifu vlan-ids=2835
add bridge=bridge1 comment="MVMNET Inota KNB Iroda" tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=2571
add bridge=bridge1 comment="Digi vlan-ok" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus2-digi vlan-ids=719,780,781,782,783,784
add bridge=bridge1 comment="Papa mvmnet iroda" tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus5-sw-budapest vlan-ids=2572
add bridge=bridge1 comment="KIFU BGP" tagged=sfp-sfpplus8-fw-budapest,sfp-sfpplus4-kifu vlan-ids=2000
add bridge=bridge1 comment="Velence Zoldliget" tagged=sfp-sfpplus4-kifu,sfp-sfpplus5-sw-budapest vlan-ids=2836
add bridge=bridge1 comment="Dorog Zsigmondy" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2834
# The next comment= reads "must be deleted after the KIFU migration".
# NOTE(review): VLAN 2513 is still configured; remove it once the migration
# is complete so the stale segment does not stay bridged between the trunks.
add bridge=bridge1 comment="TOROLNI KELL KIFU MIGRACIO UTAN," tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus1-crsbudapest vlan-ids=2513
add bridge=bridge1 comment=Magyargencs tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2837
add bridge=bridge1 comment=Vereb tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2838
add bridge=bridge1 comment="Budapest Eotvos" tagged=sfp-sfpplus5-sw-budapest,sfp-sfpplus4-kifu vlan-ids=2839
add bridge=bridge1 tagged=sfp-sfpplus1-crsbudapest,sfp-sfpplus8-fw-budapest vlan-ids=3000

# Members of the "discover" list: neighbor discovery runs on these interfaces.
/interface list member
add interface=vlan99-management list=discover
add interface=ether1 list=discover
add interface=sfp-sfpplus8-fw-budapest list=discover

# Management address on VLAN 99; the default route further down points to 10.0.9.1.
/ip address
add address=10.0.9.4/24 interface=vlan99-management network=10.0.9.0

# NOTE(review): a DHCP client is enabled on ether1 with no further options, so
# it presumably accepts a default route and DNS servers from whichever DHCP
# server answers on that port — confirm ether1 only ever connects to a
# trusted segment, or disable the client.
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set servers=86.109.64.5,86.109.64.66

# "support" address list: these sources are accepted for ports 21-23 and
# Winbox (8291), and get the "Full access to SUPPORT address list" rule in
# the input chain.
# The comment= on the /19 entry reads "this can be deleted, it is only needed
# for the setup".
# NOTE(review): that temporary /19 is still present and widens management
# access well beyond the /27 above; remove it once setup is finished.
# NOTE(review): 10.0.0.0/8 and 192.168.88.0/24 are broad private ranges —
# confirm they cannot be reached from customer VLANs.
/ip firewall address-list
add address=86.109.64.0/27 list=support
add address=192.168.88.0/24 list=support
add address=10.0.0.0/8 list=support
add address=86.109.64.0/19 comment="Ezt ki lehet torolni, csak a beallitashoz kell" list=support
#error exporting /ip firewall calea

# Input chain (traffic addressed to the switch itself). Rules are evaluated
# top to bottom, so their order is part of the policy.
# 1) TCP 21-23 (FTP, SSH, Telnet) is accepted from "support" and dropped
#    from everyone else.
# NOTE(review): Telnet and FTP carry credentials in cleartext. No /ip service
# section appears in this export, which suggests the service defaults are
# unchanged — confirm, and disable the services that are not needed rather
# than relying on the filter alone.
# 2) SYN-flood and port-scan detection add the source address to a timed
#    address list; listed sources are then dropped.
# NOTE(review): the two list-based drops sit above "Accept to established
# connections" and "Full access to SUPPORT address list", and the detection
# rules do not exclude src-address-list=support. A management host that trips
# a threshold is blocked for 30m/1h (except on ports 21-23, accepted earlier).
# The flag-based rules list a source on a single packet, whose source address
# is unauthenticated; consider exempting "support" or moving the established
# and support accepts above the detection block.
# 3) The flag-based scan rules come after the Port_Scanner drop, so the packet
#    that triggers them continues down the chain; only later packets from the
#    same source hit the drop.
# 4) Winbox (8291) is dropped unless the source is in "support".
# 5) Established, related and "support" traffic is accepted, then anything
#    addressed to 255.255.255.255, and a final rule drops the rest (the
#    matching log rule is disabled).
# NOTE(review): there is no rule dropping connection-state=invalid.
# NOTE(review): the dst-address=255.255.255.255 accept matches every protocol
# and source; if it exists for the DHCP client on ether1, a match on protocol,
# port or in-interface would be narrower — confirm the purpose.
/ip firewall filter
add action=accept chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp src-address-list=support
add action=drop chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=accept chain=input dst-address=255.255.255.255
add action=log chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
# ICMP chain: rate-limited echo request, echo reply, time exceeded,
# destination unreachable (codes 0-1) and fragmentation-needed (PMTUD) are
# accepted; every other ICMP packet is dropped.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=10,15 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# The output chain reuses the same ICMP chain, so the device's own outgoing
# ICMP is subject to the same accept list and echo-request rate limit.
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
# Forward chain: only established/related traffic is matched (fasttrack, then
# accept); no forward rule drops anything, so the chain's default applies to
# everything else.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related

# Default route via the management VLAN gateway, monitored with ping.
/ip route
add check-gateway=ping distance=1 gateway=10.0.9.1

# SNMP is enabled; see the community restriction and the note near the top.
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=sw-rackforrest

# Send the info, critical, error and warning topics to the remote log target.
/system logging
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
/system ntp client
set enabled=yes server-dns-names=time.rlan.hu
/system routerboard settings
set boot-os=router-os

# Scheduled job: runs the "mentes" (backup) script every 6 days.
# NOTE(review): the scheduler and the script both carry
# ftp,reboot,write,policy,test,password,sniff,romon in addition to read and
# sensitive, while the script body only exports, saves a backup and sends
# e-mail. Trim the policies to what those commands need (verify the minimum
# on the device).
/system scheduler
add interval=6d name=mentes on-event=mentes policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=aug/02/2021 start-time=13:25:18

# Backup script: writes export.rsc, e-mails it, writes backup.backup, e-mails it.
# NOTE(review): /export is called without hide-sensitive, so on RouterOS v6 the
# exported file presumably contains any secrets stored in the configuration —
# confirm.
# NOTE(review): /system backup save is called without password=; per MikroTik
# documentation a v6.43+ backup saved without a password is not encrypted —
# confirm, and set a password if the file leaves the device.
# NOTE(review): both files are e-mailed as attachments, and no TLS setting is
# configured under /tool e-mail below, so they presumably travel over
# cleartext SMTP — confirm.
# NOTE(review): the script never removes export.rsc or backup.backup, so both
# stay in device storage, readable by anyone with file access to the switch.
/system script
add dont-require-permissions=no name=mentes owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/export file=export\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" export\") file=export.rsc\r\n/system backup save name=backup\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" Backup\") file=backup.backup"

# SMTP relay used by the script above. Only the server address and sender are
# set; no user, password or TLS option appears in this export.
/tool e-mail
set address=86.109.64.10 from=sw-rackforrest@magicnet.hu

# Graphing is enabled with default parameters.
# NOTE(review): no allow-address restriction is set, so access to the graphs
# presumably depends on the input-chain rules above — confirm.
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add