# RouterOS v6 configuration export for the gateway named GW-KOPASZI.MAGICNET.HU below,
# preceded by what appears to be commented-out routerboard info and a /system history listing.
# The listing had been collapsed onto a few long lines; it is restored here one command per line.
# NOTE(review): this export carries RADIUS shared secrets in cleartext (see /radius), plus the
# serial number, management ranges and customer addressing. On RouterOS v6 `/export hide-sensitive`
# omits the secrets; treat any copy of this file as sensitive and rotate the secrets if it was shared.
#
# model: RBD52G-5HacD2HnD
# serial-number: D7160D5A5941
# firmware-type: ipq4000L
# current-firmware: 6.49.5
# installed-version: 6.49.5
# NOTE(review): confirm 6.49.5 is still the patched release you intend to run on this branch.
# Flags: U - undoable, R - redoable, F - floating-undo
# ACTION BY POLICY
# U device changed admin write
# U device changed admin write
# U device changed admin write
# U device changed admin write
# U filter rule added admin write
# U filter rule moved admin write
# U filter rule added admin write
# U user mentes added admin write
# policy
# U user group backup added admin write
# policy
# U address changed admin write
# U device removed admin write
# U address changed admin write
# U simple queue changed admin write
# U simple queue changed admin write
# U simple queue changed admin write
# U address removed admin write
# U address changed admin write
# U address added admin write
# U device added admin write
# U address changed admin write
# U address changed admin write
# U bridge port removed admin write
# U bridge port added admin write
# U address changed admin write
# U address changed admin write
# U address removed admin write
# U address added admin write
# U address changed admin write
# U address added admin write
# U address added admin write
# U device added admin write
# U simple queue added admin write
# U dhcp server dhcp-durer changed admin write
# U dhcp server dhcp2 added admin write
# U dhcp network added admin write
# U pool dhcp_pool4 added admin write
# U address added admin write
# U route changed admin write
# U device added admin write
# U device changed admin write
# U address changed admin write
# U pool dhcp_pool3 removed admin write
# U dhcp server dhcp2 removed admin write
# U dhcp network removed admin write
# U dhcp server dhcp2 added admin write
# U dhcp network added admin write
# U pool dhcp_pool3 added admin write
# U route changed admin write
# U address changed admin write
# U address added admin write
# U device added admin write
# U simple queue changed admin write
# U address changed admin write
# U address changed admin write
# U address changed admin write
# U address changed admin write
# U address changed admin write
# U address removed admin write
# U simple queue removed admin write
# U address changed admin write
# U device changed admin write
# U device changed admin write
# U route changed admin write
# U route changed admin write
# NOTE(review): every change above is attributed to the single account "admin"; /user entries are
# not part of an export, so the "mentes" user recorded in the history cannot be reviewed from here.
#
# software id = T76H-ALZR
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D5A5941
#
# Two bridges: bridge-hotspot carries the CAPsMAN datapath and the hotspot; bridge1 holds
# ether2/ether3 (see /interface bridge port).
/interface bridge
add name=bridge-hotspot
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment="UPLINK BOC"
set [ find default-name=ether2 ] comment="RB2011 fele"
set [ find default-name=ether3 ] comment="Rack fele"
set [ find default-name=ether4 ] comment="KVASSAI-MUPA FELE Stadion epitkezes"
set [ find default-name=ether5 ] comment="Kolto utca fele"
# Local radios keep the factory SSID; no disabled=no is exported, so they are presumably
# disabled - confirm.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik station-roaming=enabled
set [ find default-name=wlan2 ] ssid=MikroTik station-roaming=enabled
# NOTE(review): vlan400-pppoe is named for VLAN 400 but carries vlan-id=1, unlike
# vlan400-pppoerack (vlan-id=400) - confirm which is intended.
# vlan600-Durer is stacked on top of vlan401-durer-eszkozok.
/interface vlan
add interface=ether2 name=vlan400-pppoe vlan-id=1
add interface=ether3 name=vlan400-pppoerack vlan-id=400
add interface=ether2 name=vlan401-durer-eszkozok vlan-id=401
add interface=ether2 name=vlan402-ensi vlan-id=402
add interface=vlan401-durer-eszkozok name=vlan600-Durer vlan-id=600
# Single CAPsMAN configuration shared by every managed radio below.
# NOTE(review): no security.* settings are exported for it, so the BUDAPART SSID is presumably
# open and access is gated only by the hotspot on bridge-hotspot - confirm this is intended.
/caps-man configuration
add country=hungary datapath.bridge=bridge-hotspot mode=ap name=Config ssid=BUDAPART
# Statically bound CAP radios, one entry per radio MAC.
/caps-man interface
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6E:FB:C0 master-interface=none name=Hotspot-AP1-KopasziRendorsegEszak-1 radio-mac=6C:3B:6B:6E:FB:C0 radio-name=6C3B6B6EFBC0
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:63:11:05 master-interface=none name=Hotspot-AP2-KopasziRendorsegDel-1 radio-mac=6C:3B:6B:63:11:05 radio-name=6C3B6B631105
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6C:EB:65 master-interface=none name=Hotspot-AP3-KopasziObolhazEszak-1 radio-mac=6C:3B:6B:6C:EB:65 radio-name=6C3B6B6CEB65
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6C:EB:64 master-interface=none name=Hotspot-AP3-KopasziObolhazEszak-2 radio-mac=6C:3B:6B:6C:EB:64 radio-name=6C3B6B6CEB64
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6C:A7:AD master-interface=none name=Hotspot-AP4-KopasziObolhazDel-1 radio-mac=6C:3B:6B:6C:A7:AD radio-name=6C3B6B6CA7AD
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6E:45:E2 master-interface=none name=Hotspot-AP5-KopasziJatszohazEszak-1 radio-mac=6C:3B:6B:6E:45:E2 radio-name=6C3B6B6E45E2
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6E:45:E1 master-interface=none name=Hotspot-AP5-KopasziJatszohazEszak-2 radio-mac=6C:3B:6B:6E:45:E1 radio-name=6C3B6B6E45E1
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6E:FB:C8 master-interface=none name=Hotspot-AP6-KopasziJatszohazDel-1 radio-mac=6C:3B:6B:6E:FB:C8 radio-name=6C3B6B6EFBC8
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6C:EB:50 master-interface=none name="Hotspot-AP7-Kopaszi- Fruskaeszak-1" radio-mac=6C:3B:6B:6C:EB:50 radio-name=6C3B6B6CEB50
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6C:A7:B0 master-interface=none name=Hotspot-AP8-Kopaszi-Fruskadel-1 radio-mac=6C:3B:6B:6C:A7:B0 radio-name=6C3B6B6CA7B0
add configuration=Config disabled=no l2mtu=1600 mac-address=6C:3B:6B:6C:A7:AF master-interface=none name=Hotspot-AP8-Kopaszi-Fruskadel-2 radio-mac=6C:3B:6B:6C:A7:AF radio-name=6C3B6B6CA7AF
add configuration=Config disabled=no l2mtu=1600 mac-address=B8:69:F4:6C:12:67 master-interface=none name=wifi-bocteto-1 radio-mac=B8:69:F4:6C:12:67 radio-name=B869F46C1267
add configuration=Config disabled=no l2mtu=1600 mac-address=B8:69:F4:6C:12:66 master-interface=none name=wifi-bocteto-2 radio-mac=B8:69:F4:6C:12:66 radio-name=B869F46C1266
add configuration=Config disabled=no l2mtu=1600 mac-address=CC:2D:E0:F3:A1:AC master-interface=none name=wifi-bocteto2-1 radio-mac=CC:2D:E0:F3:A1:AC radio-name=CC2DE0F3A1AC
add configuration=Config disabled=no l2mtu=1600 mac-address=CC:2D:E0:F3:A1:AB master-interface=none name=wifi-bocteto2-2 radio-mac=CC:2D:E0:F3:A1:AB radio-name=CC2DE0F3A1AB
add configuration=Config disabled=no l2mtu=1600 mac-address=48:8F:5A:B4:E2:57 master-interface=none name=wifi-bocteto3-1 radio-mac=48:8F:5A:B4:E2:57 radio-name=488F5AB4E257
add configuration=Config disabled=no l2mtu=1600 mac-address=48:8F:5A:B4:E8:CD master-interface=none name=wifi-boeteto-1 radio-mac=48:8F:5A:B4:E8:CD radio-name=488F5AB4E8CD
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Hotspot authenticates against RADIUS (use-radius=yes) with 5-minute interim accounting.
/ip hotspot profile
add dns-name=budapart.rlan.hu hotspot-address=192.168.16.1 html-directory=flash/hotspot name=hsprof1 radius-interim-update=5m smtp-server=86.109.64.10 use-radius=yes
# NOTE(review): the default user profile allows 2000 shared sessions per account and a 12h
# MAC-cookie, so re-login within that window is keyed on the client MAC alone.
/ip hotspot user profile
set [ find default=yes ] mac-cookie-timeout=12h rate-limit=2m/2m shared-users=2000
/ip pool
add name=GW-KOPASZI.MAGICNET.HU/PPPOE/1 ranges=86.109.70.64/27
add name=TARTOZOK ranges=192.168.230.0/24
add name=hs-pool-14 ranges=192.168.16.2-192.168.23.254
add name=dhcp_pool4 ranges=86.109.70.6
/ip dhcp-server
add address-pool=hs-pool-14 disabled=no interface=bridge-hotspot name=dhcp1
add address-pool=dhcp_pool4 disabled=no interface=vlan600-Durer name=dhcp-durer
/ip hotspot
add address-pool=hs-pool-14 addresses-per-mac=unlimited disabled=no idle-timeout=15m interface=bridge-hotspot name=hotspot1 profile=hsprof1
# Default PPP profile: one session per user, addresses taken from the PPPoE pool above.
/ppp profile
set *0 dns-server=86.109.64.5,86.109.64.66 local-address=10.1.20.1 only-one=yes rate-limit=20k/20k remote-address=GW-KOPASZI.MAGICNET.HU/PPPOE/1
# Per-customer rate limits, keyed on the customer's public address.
/queue simple
add limit-at=10M/10M max-limit=10M/10M name="PROPERTY KOPASZI HOTSPOT" target=86.109.67.86/32
add burst-limit=25M/25M burst-threshold=18M/18M burst-time=1m/1m limit-at=20M/20M max-limit=20M/20M name="ENSI Kopaszi" target=86.109.67.110/32
add burst-limit=25M/25M burst-threshold=18M/18M burst-time=1m/1m limit-at=20M/20M max-limit=20M/20M name="ENSI Kopaszi BOC" target=86.109.67.234/32
add burst-limit=120M/120M burst-threshold=90M/90M burst-time=1m/1m comment="ideiglensen 100/100-ra allitva 2021.07.28" limit-at=100M/100M max-limit=100M/100M name="MCMBETON KOPASZI 30/30M" target=86.109.67.142/32
add limit-at=2M/10M max-limit=2M/10M name="PONYVAREGENY KOPASZI" target=86.109.67.26/32
add limit-at=20M/20M max-limit=20M/20M name="ANTEUS RENDORSEGI EPULET" target=86.109.67.62/32
add burst-limit=70M/70M burst-threshold=45M/45M burst-time=1m/1m comment="20/20 teszteles miatt atallitva" limit-at=20M/20M max-limit=50M/50M name="Vizirendorseg kopaszi Gat" target=86.109.67.2/32,86.109.71.82/32
add limit-at=100M/100M max-limit=100M/100M name="PROPERTY RENDORSEGI EPULET" target=86.109.67.66/32
add limit-at=60M/60M max-limit=60M/60M name="PROPERTY MARKET KOPASZI GAT" target=86.109.66.86/32
add limit-at=50M/50M max-limit=50M/50M name="Kanizsai Magasepito" target=86.109.69.178/32
add limit-at=100M/100M max-limit=100M/100M name="WHB Atletikai Stidion" target=86.109.69.166/32
add burst-limit=30M/130M burst-threshold=18M/90M burst-time=1m/1m max-limit=20M/100M name="Durer Kert" target=86.109.70.6/32
/routing ospf area
add area-id=0.0.0.230 name=pppoe230
# Connected and static routes are redistributed into OSPF as type-1 externals.
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1 redistribute-static=as-type-1
# NOTE(review): the default SNMP community is limited by source range only; its name is not
# exported, so it is presumably still the factory default - confirm, and note that a community
# string travels unencrypted.
/snmp community
set [ find default=yes ] addresses=86.109.64.0/27
# Remote syslog target used by the /system logging rules further down.
/system logging action
set 3 remote=86.109.64.16
# NOTE(review): the added "backup" group is read-only over SSH but includes "sensitive", so its
# members can read every secret in the configuration.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
add name=backup policy="ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api,!romon,!dude,!tikapp"
# Signal-strength admission only: clients at -88 dBm or better are accepted, weaker ones rejected.
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any signal-range=-88..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any signal-range=-120..-89 ssid-regexp=""
# NOTE(review): certificates are auto-generated, but require-peer-certificate is not exported, so
# CAPs are presumably accepted without certificate verification - confirm.
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/firmware
/caps-man provisioning
add action=create-enabled master-configuration=Config name-format=prefix-identity
#error exporting /interface bridge calea
/interface bridge port
add bridge=bridge1 interface=ether3 multicast-router=disabled
add bridge=bridge1 interface=ether2 multicast-router=disabled
# Bridged traffic, including VLAN-tagged frames, is passed through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# NOTE(review): neighbor discovery runs on the "all" interface list, which includes the
# customer-facing ports, so the router announces itself there; a management-only interface list
# would limit that.
/ip neighbor discovery-settings
set discover-interface-list=all
/interface pppoe-server server
add disabled=no interface=bridge1 one-session-per-host=yes service-name=rlan
add disabled=no interface=vlan400-pppoe one-session-per-host=yes service-name=rlan
add disabled=no interface=vlan400-pppoerack one-session-per-host=yes service-name=rlan
/ip address
add address=10.1.20.1/24 interface=bridge1 network=10.1.20.0
add address=86.109.66.85/30 comment="PROPERTY MARKET KOPASZI GAT" interface=bridge1 network=86.109.66.84
add address=86.109.67.25/30 comment="KOPASZI PONYVAREGENY PPPOE nem mukodott" interface=bridge1 network=86.109.67.24
add address=86.109.67.61/30 comment="ANTEUS RENDORSEGI EPULET" interface=bridge1 network=86.109.67.60
add address=86.109.67.65/30 comment="PROPERTY RENDORSEGI EPULET" interface=bridge1 network=86.109.67.64
add address=86.109.67.86/30 comment="HOTSPOT IP" interface=bridge1 network=86.109.67.84
add address=86.109.67.109/30 comment="ENSI Kopaszi" interface=vlan402-ensi network=86.109.67.108
add address=86.109.67.141/30 comment="MCMBETON KOPASZI BETONTELEP" interface=vlan402-ensi network=86.109.67.140
add address=86.109.67.233/30 comment="ENSI Kopaszi BOC" interface=vlan402-ensi network=86.109.67.232
add address=192.168.16.1/21 interface=bridge-hotspot network=192.168.16.0
add address=10.1.26.1/24 interface=ether4 network=10.1.26.0
add address=10.1.38.1/24 interface=ether5 network=10.1.38.0
add address=10.1.12.30/24 interface=ether1 network=10.1.12.0
add address=10.1.27.1/24 interface=vlan401-durer-eszkozok network=10.1.27.0
add address=86.109.70.5/30 interface=vlan600-Durer network=86.109.70.4
add address=10.1.23.1/24 interface=ether2 network=10.1.23.0
add address=10.1.43.1/24 interface=vlan402-ensi network=10.1.43.0
/ip dhcp-server network
add address=86.109.70.4/30 gateway=86.109.70.5
add address=192.168.16.0/21 dns-server=86.109.64.66,86.109.64.5 gateway=192.168.16.1
/ip dns
set servers=86.109.64.5,86.109.64.66
# "support" is the trust list for the input chain: every member gets full access to the router
# (see "Full access to SUPPORT address list" below).
# NOTE(review): 86.109.64.0/19 spans 86.109.64.0-86.109.95.255 and so contains the customer
# subnets and the PPPoE pool configured in this file; 10.0.0.0/8 likewise contains the 10.1.x.x
# access networks. The entry's own comment ("Ez torolheto", Hungarian for "this can be deleted")
# suggests the /19 was meant to be temporary. 192.168.88.0/24 is the factory-default LAN range.
# Narrow the list to the actual management hosts.
/ip firewall address-list
add address=86.109.64.0/27 list=support
add address=10.0.0.0/8 list=support
add address=86.109.64.0/19 comment="Ez torolheto" list=support
add address=192.168.88.0/24 list=support
#error exporting /ip firewall calea
# Filter rules are evaluated top to bottom; the order below is significant.
# Forward chain: only UDP/53 towards the PPPoE pool and one host is dropped.
# NOTE(review): TCP/53 to the same destinations is not matched, and no other forward rules are
# exported, so transit traffic is otherwise unfiltered by this table.
/ip firewall filter
add action=drop chain=forward dst-address=86.109.70.64/27 dst-port=53 protocol=udp
add action=drop chain=forward dst-address=86.109.72.33 dst-port=53 protocol=udp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# NOTE(review): ports 21-23 cover FTP and Telnet as well as SSH; the first two send credentials
# unencrypted. Prefer SSH only and disable the ftp/telnet services.
add action=accept chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp src-address-list=support
add action=drop chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp
add action=accept chain=input comment="Bandwidth test" protocol=tcp src-address-list=support src-port=2000
add action=accept chain=input comment="Bandwidth test" dst-port=2000 protocol=tcp src-address-list=support
# Dynamic block lists: a source exceeding the SYN connection limit, or tripping the port-scan
# detector, is listed and then dropped for the list timeout.
# NOTE(review): both drops sit above the support accept, so a management address that lands on
# either list is locked out for the timeout; consider exempting the support list from detection.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
# All ICMP to the router is handed to the ICMP chain, which ends in a drop, so it never returns.
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
# Abnormal TCP flag combinations add the source to Port_Scanner; the list's drop rule is above,
# so the triggering packet itself continues down the chain.
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Winbox (TCP 8291) is limited to the support list - which is only as tight as that list.
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
# Limited-broadcast traffic to the router is accepted (presumably for DHCP on the served
# segments - confirm).
add action=accept chain=input dst-address=255.255.255.255
# The log rule ahead of the final drop is disabled, so dropped input traffic is not logged.
add action=log chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
# ICMP chain: rate-limited echo request, a short allow-list of types, everything else dropped.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=20,30:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# The same allow-list is applied to ICMP the router itself sends.
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# NOTE(review): the distance=200 default route points at 10.1.27.1, which /ip address assigns to
# this router's own vlan401-durer-eszkozok interface - confirm it is intentional.
/ip route
add distance=200 gateway=10.1.27.1
add comment="Property telefonkozpont" distance=1 dst-address=10.1.16.0/24 gateway=10.1.20.15
add comment="Vizirendorseg Kopaszi gat" distance=1 dst-address=86.109.67.0/30 gateway=10.1.20.15
add comment="WHB atletikai stadion" distance=1 dst-address=86.109.69.164/30 gateway=10.1.26.9
add comment="Kanizsai Magasepito" distance=1 dst-address=86.109.69.176/30 gateway=10.1.26.9
add comment="Durer kert" disabled=yes distance=1 dst-address=86.109.70.4/30 gateway=10.1.23.6
add comment="WHB Kolto utca" distance=1 dst-address=86.109.71.64/30 gateway=10.1.38.8
add comment="Vizirendorseg 2. IP" distance=1 dst-address=86.109.71.80/30 gateway=10.1.20.15
# www, api and api-ssl are bound to the /27 management range.
# NOTE(review): telnet, ftp, ssh and winbox are not listed, so they are presumably left at their
# defaults and rely on the firewall alone - confirm, disable the ones not needed and apply the
# same address restriction to the rest.
/ip service
set www address=86.109.64.0/27
set api address=86.109.64.0/27
set api-ssl address=86.109.64.0/27
/ppp aaa
set interim-update=5m use-radius=yes
# NOTE(review): RADIUS shared secrets are stored and exported in cleartext, are short, and one
# value is reused across three servers. Replace them with long random per-server secrets and
# keep them out of any shared copy of this file.
/radius
add address=86.109.64.21 secret=TiToK999 service=hotspot timeout=3s
add address=86.109.64.22 secret=TiToK345 service=ppp timeout=3s
add address=10.0.0.2 secret=TiToK345 service=ppp timeout=3s
add address=86.109.64.14 secret=TiToK345 service=ppp timeout=3s
# Incoming RADIUS requests are accepted on UDP 1700; they are protected only by the shared
# secret and the input chain above.
/radius incoming
set accept=yes port=1700
# The hotspot client range is kept out of OSPF advertisements.
/routing filter
add action=discard chain=ospf-out prefix=192.168.16.0/21 prefix-length=21
/routing ospf area range
add area=pppoe230 range=86.109.70.64/27
add area=pppoe230 range=192.168.230.0/24
# ether1 forms adjacencies; the second entry names no interface and is passive.
# NOTE(review): no authentication / authentication-key is exported for ether1, so OSPF on the
# uplink is presumably unauthenticated - confirm that segment is trusted or enable md5.
/routing ospf interface
add interface=ether1 network-type=broadcast
add network-type=broadcast passive=yes
/routing ospf network
add area=pppoe230 network=86.109.70.64/27
add area=pppoe230 network=192.168.230.0/24
add area=backbone network=10.1.12.0/24
/snmp
set contact=admin@rlan.hu enabled=yes location=Budapest
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=GW-KOPASZI.MAGICNET.HU
# info, error, critical and warning topics are forwarded to the remote syslog action.
/system logging
add action=remote topics=info
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=warning
/system ntp client
set enabled=yes primary-ntp=86.109.64.5
/system routerboard settings
set cpu-frequency=auto
# Runs the "mentes" script (Hungarian for "backup") every 6 days.
# NOTE(review): the policy list (reboot, sniff, romon, password, ...) is broader than an
# export/backup job appears to need; trim it to the minimum that still works.
/system scheduler
add interval=6d name=mentes on-event=mentes policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/22/2021 start-time=12:01:48
# The script writes a text export and a binary backup, then e-mails both to backup@rlan.hu.
# NOTE(review): the export is taken without hide-sensitive and the backup without a password, so
# both attachments carry the RADIUS secrets (the backup presumably unencrypted on this version -
# confirm). Set a backup password and send over an authenticated, TLS-protected path.
/system script
add dont-require-permissions=no name=mentes owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/export file=export\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" export\") file=export.rsc\r\n/system backup save name=backup\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" Backup\") file=backup.backup"
# NOTE(review): no TLS or SMTP authentication setting is exported for the mail relay, so the
# backups above are presumably sent in cleartext - confirm.
/tool e-mail
set address=86.109.64.10 from=gw-kopaszi@magicnet.hu
# Graphing is enabled with default settings for interfaces, queues and resources.
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add