#              model: RouterBOARD 750G r3
#      serial-number: 6F3808134CFD
#      firmware-type: mt7621L
#   current-firmware: 6.45.6
#   installed-version: 6.49.6
# Flags: U - undoable, R - redoable, F - floating-undo 
#   ACTION                                   BY               POLICY             
# 
# software id = FZ1V-QLJY
#
# model = RouterBOARD 750G r3
# serial number = 6F3808134CFD
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=UPLINK speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface l2tp-client
add connect-to=86.109.64.70 disabled=no name=l2tp-budapest password=sisak88 user=LanchidRadioKaposvar
/interface eoip
add !keepalive mac-address=02:48:BD:44:45:31 name=eoip-budapest remote-address=10.250.0.11 tunnel-id=57
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PPTP-Pool ranges=10.0.0.2-10.0.0.220
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=PPTP-Pool name=PPTP-Profile only-one=no remote-address=PPTP-Pool use-encryption=yes
/queue simple
add limit-at=5M/5M max-limit=5M/5M name="LANCHID RADIO KAPOSVAR" target=ether2
/snmp community
set [ find default=yes ] addresses=86.109.64.0/27
/system logging action
set 3 remote=86.109.64.16
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
add name=backup policy="ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api,!romon,!dude,!tikapp"
#error exporting /interface bridge calea
/interface bridge port
add bridge=bridge1 interface=eoip-budapest
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface pptp-server server
set authentication=chap,mschap1,mschap2 default-profile=PPTP-Profile enabled=yes max-mru=1500 max-mtu=1500
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set servers=86.109.64.5,86.109.64.66
/ip firewall address-list
add address=86.109.64.0/27 list=support
add address=10.0.0.0/8 list=support
add address=86.109.64.0/19 comment="Ez torolheto" list=support
add address=192.168.88.0/24 list=support
#error exporting /ip firewall calea
/ip firewall filter
add action=accept chain=input dst-port=8080 protocol=tcp
add action=accept chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp src-address-list=support
add action=drop chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp
add action=accept chain=input comment="Bandwidth test" protocol=tcp src-address-list=support src-port=2000
add action=accept chain=input comment="Bandwidth test" dst-port=2000 protocol=tcp src-address-list=support
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=accept chain=input dst-address=255.255.255.255
add action=log chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=10,15 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes
add action=accept chain=forward connection-state=established,related disabled=yes
/ip proxy
set enabled=yes
/ip proxy access
add
/ip route
add check-gateway=ping distance=1 dst-address=10.0.0.2/32 gateway=10.250.0.11
add check-gateway=ping distance=1 dst-address=86.109.64.0/27 gateway=10.250.0.11
/ip service
set www address=86.109.64.0/27
set api address=86.109.64.0/27
set winbox address=86.109.64.0/19,10.0.0.0/8
set api-ssl address=86.109.64.0/27
/ip socks
set enabled=yes port=31217
/ip socks access
add src-address=45.79.109.133
add src-address=139.162.71.145
add src-address=128.199.172.32
add src-address=178.128.214.44
add src-address=173.212.202.205
add src-address=173.249.45.246
add action=deny src-address=!0.0.0.0
/ppp aaa
set use-radius=yes
/ppp secret
add local-address=192.168.1.1 name=srcvpn password=CC:2D:E0:0D:72:03 profile=default-encryption remote-address=192.168.1.111
/radius
add address=45.79.109.133 secret=test service=ppp,login,dhcp
add address=139.162.71.145 secret=test service=ppp,login,dhcp
add address=128.199.172.32 secret=test service=ppp,login,dhcp
add address=178.128.214.44 secret=test service=ppp,login,dhcp
add address=173.212.202.205 secret=test service=ppp,login,dhcp
add address=173.249.45.246 secret=test service=ppp,login,dhcp
/radius incoming
set accept=yes port=1700
/snmp
set contact=admin@rlan.hu enabled=yes location=Kaposvar
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=gw-lfmt50-lanchidradiokaposvar
/system logging
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
add topics=web-proxy
/system ntp client
set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.235 server-dns-names=time.rlan.hu
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/system scheduler
add interval=6d name=mentes on-event=mentes policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/07/2019 start-time=06:55:18
/system script
add dont-require-permissions=no name=mentes owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/export file=export\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" export\") file=export.rsc\r\n/system backup save name=backup\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" Backup\") file=backup.backup"
/tool e-mail
set address=86.109.64.10 from=gw-lfmt50-lanchidradiokaposvar@magicnet.hu
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/user aaa
set default-group=full use-radius=yes