# RouterOS configuration export for the router whose identity is set to "gw-samsung" below.
# The page arrived with all commands collapsed onto a few long lines; they are restored
# here one command per line, with every command token unchanged.
#
# NOTE(review): this export carries Wi-Fi passphrase values in clear text (see
# /caps-man security and /interface wireless security-profiles). Handle the file as a
# secret and rotate those keys if it has been stored or shared outside the admin team.
#
# The first lines are device inventory fields, followed by an (empty) history table header.
# model: RBD52G-5HacD2HnD
# serial-number: HCH080SJ4MZ
# firmware-type: ipq4000L
# NOTE(review): current-firmware (6.49.6) differs from installed-version (6.49.10);
# presumably the RouterBOOT firmware was not upgraded after the package update - confirm.
# current-firmware: 6.49.6
# installed-version: 6.49.10
# Flags: U - undoable, R - redoable, F - floating-undo
# ACTION BY POLICY
#
# software id = WK8T-R29S
#
# model = RBD52G-5HacD2HnD
# serial number = HCH080SJ4MZ

# Four bridges: uplink ("bejovo", presumably Hungarian for "incoming"), management,
# CAPsMAN Wi-Fi clients, and bridge1, which carries the 86.109.71.48/28 addresses below.
/interface bridge
add name=bridge-bejovo
add name=bridge-mngmnt
add name=bridge-wifi
add name=bridge1
# Port roles are documented only through these comments.
/interface ethernet
set [ find default-name=ether1 ] comment="5G backup link"
set [ find default-name=ether2 ] comment=60GHz
set [ find default-name=ether3 ] comment="VPN router"
set [ find default-name=ether4 ] comment="Client office"
set [ find default-name=ether5 ] comment=Wifi
/interface vlan
add interface=ether2 name=vlan120-szelmero vlan-id=120
# Two WPA2-PSK / AES-CCM profiles, one per SSID defined in /caps-man configuration.
# NOTE(review): both pre-shared keys are exported in clear text.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=wpa2 passphrase=secl01**
add authentication-types=wpa2-psk encryption=aes-ccm name=wscope passphrase=w-scope01**
# Both SSIDs put their clients on the same bridge (bridge-wifi), so the two tenants
# share one layer-2 segment and one DHCP pool.
# NOTE(review): confirm that no isolation between the two SSIDs is intended.
/caps-man configuration
add country=hungary datapath.bridge=bridge-wifi mode=ap name=Samsung security=wpa2 ssid="Samsung E&A"
add country=hungary datapath.bridge=bridge-wifi mode=ap name=W-Scope security=wscope ssid=W-Scope
# Statically defined CAP radios, two per access point (suffix -1 / -2), bound by radio MAC.
/caps-man interface
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:0F:CC:B9 master-interface=none name=wifi_01-1 radio-mac=18:FD:74:0F:CC:B9 radio-name=18FD740FCCB9
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:0F:CC:BA master-interface=none name=wifi_01-2 radio-mac=18:FD:74:0F:CC:BA radio-name=18FD740FCCBA
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:0F:CD:1B master-interface=none name=wifi_02-1 radio-mac=18:FD:74:0F:CD:1B radio-name=18FD740FCD1B
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:0F:CD:1C master-interface=none name=wifi_02-2 radio-mac=18:FD:74:0F:CD:1C radio-name=18FD740FCD1C
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:0F:CC:91 master-interface=none name=wifi_03-1 radio-mac=18:FD:74:0F:CC:91 radio-name=18FD740FCC91
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:0F:CC:92 master-interface=none name=wifi_03-2 radio-mac=18:FD:74:0F:CC:92 radio-name=18FD740FCC92
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:7A:1D:CD master-interface=none name=wifi_05-1 radio-mac=18:FD:74:7A:1D:CD radio-name=18FD747A1DCD
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:7A:1D:CE master-interface=none name=wifi_05-2 radio-mac=18:FD:74:7A:1D:CE radio-name=18FD747A1DCE
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:7A:2B:20 master-interface=none name=wifi_06-1 radio-mac=18:FD:74:7A:2B:20 radio-name=18FD747A2B20
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:7A:2B:21 master-interface=none name=wifi_06-2 radio-mac=18:FD:74:7A:2B:21 radio-name=18FD747A2B21
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:7A:2E:F1 master-interface=none name=wifi_07-1 radio-mac=18:FD:74:7A:2E:F1 radio-name=18FD747A2EF1
add configuration=Samsung disabled=no l2mtu=1600 mac-address=18:FD:74:7A:2E:F2 master-interface=none name=wifi_07-2 radio-mac=18:FD:74:7A:2E:F2 radio-name=18FD747A2EF2
add configuration=Samsung disabled=no l2mtu=1600 mac-address=78:9A:18:32:1E:BE master-interface=none name=wifi_08-1 radio-mac=78:9A:18:32:1E:BE radio-name=789A18321EBE
add configuration=Samsung disabled=no l2mtu=1600 mac-address=78:9A:18:32:1E:BF master-interface=none name=wifi_08-2 radio-mac=78:9A:18:32:1E:BF radio-name=789A18321EBF
add configuration=Samsung disabled=no l2mtu=1600 mac-address=78:9A:18:33:01:F0 master-interface=none name=wifi_09-1 radio-mac=78:9A:18:33:01:F0 radio-name=789A183301F0
add configuration=Samsung disabled=no l2mtu=1600 mac-address=78:9A:18:33:01:F1 master-interface=none name=wifi_09-2 radio-mac=78:9A:18:33:01:F1 radio-name=789A183301F1
add configuration=Samsung disabled=no l2mtu=1600 mac-address=78:9A:18:33:02:58 master-interface=none name=wifi_10-1 radio-mac=78:9A:18:33:02:58 radio-name=789A18330258
add configuration=Samsung disabled=no l2mtu=1600 mac-address=78:9A:18:33:02:59 master-interface=none name=wifi_10-2 radio-mac=78:9A:18:33:02:59 radio-name=789A18330259
add configuration=Samsung disabled=no l2mtu=1600 mac-address=78:9A:18:33:02:60 master-interface=none name=wifi_11-1 radio-mac=78:9A:18:33:02:60 radio-name=789A18330260
add configuration=Samsung disabled=no l2mtu=1600 mac-address=78:9A:18:33:02:61 master-interface=none name=wifi_11-2 radio-mac=78:9A:18:33:02:61 radio-name=789A18330261
add configuration=W-Scope disabled=no l2mtu=1600 mac-address=78:9A:18:58:61:EA master-interface=none name=wifi_12-1 radio-mac=78:9A:18:58:61:EA radio-name=789A185861EA
add configuration=W-Scope disabled=no l2mtu=1600 mac-address=78:9A:18:58:61:EB master-interface=none name=wifi_12-2 radio-mac=78:9A:18:58:61:EB radio-name=789A185861EB
add configuration=W-Scope disabled=no l2mtu=1600 mac-address=48:A9:8A:CE:B4:F1 master-interface=none name=wifi_13-1 radio-mac=48:A9:8A:CE:B4:F1 radio-name=48A98ACEB4F1
add configuration=W-Scope disabled=no l2mtu=1600 mac-address=48:A9:8A:CE:B4:F2 master-interface=none name=wifi_13-2 radio-mac=48:A9:8A:CE:B4:F2 radio-name=48A98ACEB4F2
# Security profile for the router's own radios (the management SSID below).
# NOTE(review): the pre-shared key is exported in clear text and is only eight characters,
# the WPA2 minimum; a longer key is advisable for a network that reaches the router's
# management plane (192.168.88.0/24 is on the "support" firewall list).
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=wpa2 supplicant-identity="" wpa2-pre-shared-key=dsjnf999
# Local radios broadcast the management SSID and are bridged into bridge-mngmnt.
# NOTE(review): country=no_country_set with frequency-mode=superchannel removes the
# regulatory-domain limits on these radios - confirm this is intended in production.
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-g/n channel-width=20/40mhz-Ce comment="Management 2.4GHz" country=no_country_set disabled=no frequency-mode=superchannel mode=ap-bridge security-profile=wpa2 ssid=RLAN_MNGMNT wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee comment="Management 5GHz" country=no_country_set disabled=no frequency-mode=superchannel mode=ap-bridge security-profile=wpa2 ssid=RLAN_MNGMNT wireless-protocol=802.11 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment="Management 2.4GHz"
set wlan2 comment="Management 5GHz"
/interface wireless nstreme
set wlan1 comment="Management 2.4GHz"
set wlan2 comment="Management 5GHz"
# One pool per DHCP server below; dhcp_pool4 is a single public address.
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.0.2-192.168.1.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.11.254
add name=dhcp_pool3 ranges=192.168.8.2-192.168.8.254
add name=dhcp_pool4 ranges=86.109.71.51
add name=dhcp_pool5 ranges=192.168.9.2-192.168.9.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-mngmnt name=dhcp-mngmnt
add address-pool=dhcp_pool1 disabled=no interface=ether4 name=dhcp-client
add address-pool=dhcp_pool2 disabled=no interface=bridge-wifi lease-time=30m name=dhcp-wifi
add address-pool=dhcp_pool3 disabled=no interface=ether5 name=dhcp-wifieszkozok
add address-pool=dhcp_pool4 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool5 disabled=no interface=vlan120-szelmero name=dhcp2
/queue simple
add burst-limit=80M/80M burst-threshold=38M/38M burst-time=1m/1m disabled=yes max-limit=40M/40M name="Client Office" target=192.168.0.0/23
add max-limit=50M/50M name="Kapunyito rendszer" target=192.168.41.0/24
/queue type
add kind=pcq name=pcw-upload-wifi pcq-classifier=src-address pcq-rate=20M
add kind=pcq name=pcw-download-wifi pcq-classifier=dst-address pcq-rate=20M
# NOTE(review): this (disabled) queue uses pcq-upload-default for upload, not the
# pcw-upload-wifi type defined just above - verify which one was meant.
/queue simple
add disabled=yes name="Wifi 20/20M" queue=pcq-upload-default/pcw-download-wifi target=192.168.10.0/23
# All connected networks are redistributed into OSPF; see /routing filter for what is withheld.
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1 router-id=10.42.1.11
# SNMP queries on the default community are limited by source address.
# NOTE(review): no community name is set here, so it is presumably still the default - confirm.
/snmp community
set [ find default=yes ] addresses=86.109.64.0/27
# Action 3 is pointed at a remote syslog receiver; /system logging below sends four topics to it.
/system logging action
set 0 memory-lines=20000
set 3 remote=86.109.64.16
# Read-only group limited to SSH, but with the "sensitive" policy, so its members can
# read secrets such as the keys above. Presumably used for config collection - confirm.
/user group
add name=backup policy="ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api,!romon,!dude,!tikapp"
# NOTE(review): the values given to ssid-regexp look like signal ranges in dBm
# (accept -88..120, reject -120..-89) rather than SSID patterns; this may be an export
# artifact of a signal-range rule - verify on the device before re-importing.
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any ssid-regexp=-88..120
add action=reject allow-signal-out-of-range=10s disabled=no interface=any ssid-regexp=-120..-89
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/firmware
# CAPsMAN is forbidden on interfaces by default and allowed only on ether5.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether5
/caps-man provisioning
add action=create-enabled master-configuration=Samsung name-format=prefix-identity
#error exporting /interface bridge calea
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge-bejovo interface=ether1 path-cost=20
add bridge=bridge-mngmnt interface=wlan1
add bridge=bridge-mngmnt interface=wlan2
add bridge=bridge-bejovo interface=ether2
# Bridged frames are passed through the IP firewall as well.
/interface bridge settings
set use-ip-firewall=yes
# Neighbor discovery runs on every non-dynamic interface, which includes bridge1 with
# its public addresses.
# NOTE(review): consider limiting discovery to the management interfaces.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=86.109.71.49/28 interface=bridge1 network=86.109.71.48
add address=192.168.88.1/24 interface=bridge-mngmnt network=192.168.88.0
add address=10.42.1.11/24 interface=bridge-bejovo network=10.42.1.0
add address=192.168.0.1/23 disabled=yes interface=ether4 network=192.168.0.0
add address=86.109.71.57/28 comment="Client office" interface=bridge1 network=86.109.71.48
add address=86.109.71.58/28 comment=Wifi interface=bridge1 network=86.109.71.48
add address=192.168.10.1/23 interface=bridge-wifi network=192.168.10.0
add address=192.168.8.1/24 interface=ether5 network=192.168.8.0
add address=86.109.71.53/28 interface=bridge1 network=86.109.71.48
add address=192.168.41.1/24 interface=ether5 network=192.168.41.0
add address=192.168.9.1/24 interface=vlan120-szelmero network=192.168.9.0
# Static leases, almost all on the ether5 device network (192.168.8.0/24).
/ip dhcp-server lease
add address=192.168.8.2 client-id=1:18:fd:74:f:cc:b4 mac-address=18:FD:74:0F:CC:B4 server=dhcp-wifieszkozok
add address=192.168.8.3 client-id=1:18:fd:74:f:cd:16 mac-address=18:FD:74:0F:CD:16 server=dhcp-wifieszkozok
add address=192.168.8.4 client-id=1:18:fd:74:f:cc:8c mac-address=18:FD:74:0F:CC:8C server=dhcp-wifieszkozok
add address=192.168.0.2 client-id=1:18:fd:74:f:cc:69 mac-address=18:FD:74:0F:CC:69 server=dhcp-client
add address=192.168.8.5 client-id=1:0:80:91:b6:75:f4 mac-address=00:80:91:B6:75:F4 server=dhcp-wifieszkozok
add address=192.168.8.6 client-id=1:18:fd:74:7a:1d:cb mac-address=18:FD:74:7A:1D:CB server=dhcp-wifieszkozok
add address=192.168.8.7 client-id=1:18:fd:74:7a:2b:1e mac-address=18:FD:74:7A:2B:1E server=dhcp-wifieszkozok
add address=192.168.8.8 client-id=1:18:fd:74:7a:2e:ef mac-address=18:FD:74:7A:2E:EF server=dhcp-wifieszkozok
add address=192.168.8.12 client-id=1:cc:2d:e0:d:7d:c0 mac-address=CC:2D:E0:0D:7D:C0 server=dhcp-wifieszkozok
add address=192.168.8.13 client-id=1:78:9a:18:32:1e:bc mac-address=78:9A:18:32:1E:BC server=dhcp-wifieszkozok
add address=192.168.8.14 client-id=1:78:9a:18:33:1:ee mac-address=78:9A:18:33:01:EE server=dhcp-wifieszkozok
add address=192.168.8.15 client-id=1:78:9a:18:33:2:56 mac-address=78:9A:18:33:02:56 server=dhcp-wifieszkozok
add address=192.168.8.16 client-id=1:78:9a:18:33:2:5e mac-address=78:9A:18:33:02:5E server=dhcp-wifieszkozok
/ip dhcp-server network
add address=86.109.71.48/28 gateway=86.109.71.49
add address=192.168.0.0/23 gateway=192.168.0.1
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.9.0/24 gateway=192.168.9.1
add address=192.168.10.0/23 gateway=192.168.10.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set max-udp-packet-size=512 servers=8.8.8.8,86.109.64.5
# Sources on the "support" list get full access to the router (see the input chain).
# NOTE(review): the list is broad - all of 10.0.0.0/8 plus 86.109.64.0/19, whose own
# comment ("Ez torolheto", presumably Hungarian for "this can be deleted") marks it as
# removable. Trimming it to the addresses that really administer the device narrows
# the management exposure.
/ip firewall address-list
add address=86.109.64.0/27 list=support
add address=10.0.0.0/8 list=support
add address=86.109.64.0/19 comment="Ez torolheto" list=support
add address=192.168.88.0/24 list=support
#error exporting /ip firewall calea
# Rule order is significant: packets are evaluated top to bottom.
# NOTE(review): every rule in this section is in chain input, ICMP or output; there are
# no forward-chain rules, so traffic routed through the router, including the dst-nat
# targets below, is not filtered by this configuration.
/ip firewall filter
# TCP 21-23 (FTP, SSH, Telnet) to the router: support list only.
add action=accept chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp src-address-list=support
add action=drop chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp
add action=accept chain=input comment="Bandwidth test" protocol=tcp src-address-list=support src-port=2000
add action=accept chain=input comment="Bandwidth test" dst-port=2000 protocol=tcp src-address-list=support
# Detection rules: offending sources are listed for a fixed time and dropped by the
# rule that follows. They sit above the support accept, so as ordered here a support
# address that trips them is dropped too (apart from the ports accepted above).
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
# These flag-based detectors come after the Port_Scanner drop above, so the packet that
# triggers a listing is itself evaluated further down; later packets from that source
# are dropped.
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Winbox (TCP 8291) to the router: support list only.
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
# Limited-broadcast packets are accepted from any source (presumably for DHCP - confirm).
add action=accept chain=input dst-address=255.255.255.255
# Default deny for the input chain; the log rule ahead of it is disabled, so dropped
# packets are not logged.
add action=log chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
# ICMP chain: a rate-limited echo request plus the listed message types; all other ICMP is dropped.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=50,100:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
/ip firewall nat
# Source NAT: management is masqueraded; the other internal networks leave via fixed
# public addresses.
add action=masquerade chain=srcnat comment=Management src-address=192.168.88.0/24
add action=src-nat chain=srcnat comment="Client office" src-address=192.168.0.0/23 to-addresses=86.109.71.57
add action=src-nat chain=srcnat comment=Wifi src-address=192.168.10.0/23 to-addresses=86.109.71.58
add action=src-nat chain=srcnat comment="Kapunyito rendzser" src-address=192.168.41.0/24 to-addresses=86.109.71.58
add action=src-nat chain=srcnat comment=Szelmero src-address=192.168.9.0/24 to-addresses=86.109.71.58
add action=src-nat chain=srcnat comment="Wifi eszkozok" src-address=192.168.8.0/24 to-addresses=86.109.71.58
# Port forward: TCP 58291 on the uplink address is mapped to port 8291 of 192.168.8.193.
add action=dst-nat chain=dstnat comment=wifi1 dst-address=10.42.1.11 dst-port=58291 protocol=tcp to-addresses=192.168.8.193 to-ports=8291
# NOTE(review): this rule has no protocol or port match, so everything addressed to
# 86.109.71.53 is forwarded to 192.168.8.5, and no forward-chain filter exists to narrow
# it. Restrict the rule to the ports actually required, or add forward filtering.
add action=dst-nat chain=dstnat dst-address=86.109.71.53 to-addresses=192.168.8.5
# Two default routes: the primary is health-checked by ping, the second is a higher-distance backup.
/ip route
add check-gateway=ping distance=200 gateway=10.42.1.1
add distance=210 gateway=10.42.0.1
# Only www, api and api-ssl carry a per-service source restriction here.
# NOTE(review): telnet, ftp, ssh and winbox are not restricted or disabled in this
# section and rely solely on the firewall rules above; disabling the unused services
# adds a second layer.
/ip service
set www address=86.109.64.0/27
set api address=86.109.64.0/27
set api-ssl address=86.109.64.0/27
# Internal prefixes withheld from OSPF advertisements.
# NOTE(review): the Wi-Fi network is addressed as 192.168.10.0/23 above, but this filter
# matches 192.168.10.0/24 with length 24, and 192.168.9.0/24 has no entry - check
# whether those prefixes are leaking into OSPF.
/routing filter
add action=discard chain=ospf-out prefix=192.168.0.0/23 prefix-length=23
add action=discard chain=ospf-out prefix=192.168.10.0/24 prefix-length=24
add action=discard chain=ospf-out prefix=192.168.41.0/24 prefix-length=24
add action=discard chain=ospf-out prefix=192.168.88.0/24 prefix-length=24
add action=discard chain=ospf-out prefix=192.168.8.0/24 prefix-length=24
/routing ospf interface
add interface=bridge-bejovo use-bfd=yes
/routing ospf network
add area=backbone network=10.42.1.0/24
add area=backbone disabled=yes network=10.42.0.0/24
/snmp
set contact=admin@rlan.hu enabled=yes location=Nyiregyhaza
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Budapest
/system identity
set name=gw-samsung
# info, error, critical and warning topics are sent to the remote action configured above.
/system logging
add action=remote topics=info
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=warning
/system ntp client
set enabled=yes server-dns-names=time.rlan.hu
/system routerboard settings
set cpu-frequency=auto
# Runs the "mentes" script (presumably Hungarian for "backup") every 6 days.
/system scheduler
add interval=6d name=mentes on-event=mentes policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=00:00:00
# The script writes a text export and a binary backup and mails both to backup@rlan.hu.
# NOTE(review): the export is taken without a hide-sensitive option and the backup is
# saved without a password, so both attachments presumably contain the keys in readable
# form - confirm, and protect them in transit and in the mailbox.
# NOTE(review): the scheduler entry and the script both hold a wide policy set
# (reboot, write, password, sniff, ...); reduce it to what the backup actually needs.
/system script
add dont-require-permissions=no name=mentes owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/export\_file=export\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" export\") file=export.rsc\r\n/system backup save name=backup\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" Backup\") file=backup.backup "
# Mail relay used by the script above; no TLS or authentication setting appears in this export.
/tool e-mail
set address=86.109.64.10 from=gw-samsung@magicnet.hu
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# Packet-sniffer settings targeting ether4 ("Client office") with output file "xx".
# NOTE(review): this looks like a leftover from troubleshooting; confirm that no capture
# is running and that no capture file remains on the device.
/tool sniffer
set file-name=xx filter-interface=ether4