# model: CubeG-5ac60ay # serial-number: HDE08B79AVE # firmware-type: ipq4000L # current-firmware: 6.49.7 # installed-version: 7.15.2 # Flags: U - UNDOABLE # Columns: ACTION, BY, POLICY, TIME # ACTION BY POLICY TIME # U user mentes added admin write 2024-08-02 12:46:00 # policy # U user group backup added admin write 2024-08-02 12:46:00 # policy # U address removed admin write 2024-07-08 12:51:58 # # software id = YGA0-VI1B # # model = CubeG-5ac60ay # serial number = HDE08B79AVE /interface bridge add admin-mac=18:FD:74:89:60:7E auto-mac=no name=bridge port-cost-mode=short /interface ethernet set [ find default-name=ether1 ] l2mtu=1620 mtu=1600 /interface wireless set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no frequency=auto frequency-mode=superchannel l2mtu=1620 mode=bridge mtu=1600 nv2-preshared-key=dsjnf999 nv2-security=enabled ssid=RLAN_NEAR wireless-protocol=nv2 /interface wireless nstreme set wlan1 enable-nstreme=yes framer-policy=best-fit /interface w60g set [ find ] disabled=no frequency=66960 mode=bridge name=wlan60-1 password=dsjnf999 region=no-region-set ssid=RLAN_NEAR /interface w60g station add mac-address=04:CE:14:F7:93:D5 mtu=1600 name=wlan60-station-1 parent=wlan60-1 remote-address=04:CE:14:FA:5D:EA /interface bonding add mode=active-backup mtu=1600 name=bond1 primary=wlan60-station-1 slaves=wlan60-station-1,wlan1 /interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip smb users set [ find default=yes ] disabled=yes /routing bgp template set default disabled=no output.network=bgp-networks /routing ospf instance add disabled=no name=default-v2 /routing ospf area add disabled=yes instance=default-v2 name=backbone-v2 /snmp community set [ find default=yes ] addresses=86.109.64.0/27 /system logging action set 3 remote=86.109.64.16 /interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 add bridge=bridge comment=defconf ingress-filtering=no interface=bond1 internal-path-cost=10 path-cost=10 /ip firewall connection tracking set udp-timeout=10s /ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192 /interface ovpn-server server set auth=sha1,md5 /ip address add address=10.48.0.36/24 interface=bond1 network=10.48.0.0 /ip dns set servers=86.109.64.5,86.109.64.66 /ip firewall address-list add address=86.109.64.0/27 list=support add address=10.0.0.0/8 list=support add address=86.109.64.0/19 comment="Ez torolheto" list=support add address=192.168.88.0/24 list=support /ip firewall filter add action=accept chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp src-address-list=support add action=drop chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp add action=accept chain=input comment="Bandwidth test" protocol=tcp src-address-list=support src-port=2000 add action=accept chain=input comment="Bandwidth test" dst-port=2000 protocol=tcp src-address-list=support add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1 add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support add action=accept chain=input comment="Accept to established connections" connection-state=established add action=accept chain=input comment="Accept to related connections" connection-state=related add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support add action=accept chain=input dst-address=255.255.255.255 add action=log chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=20,30:packet protocol=icmp add action=accept chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp src-address-list=support add action=drop chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp add action=accept chain=input comment="Bandwidth test" protocol=tcp src-address-list=support src-port=2000 add action=accept chain=input comment="Bandwidth test" dst-port=2000 protocol=tcp src-address-list=support add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1 add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support add action=accept chain=input comment="Accept to established connections" connection-state=established add action=accept chain=input comment="Accept to related connections" connection-state=related add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support add action=accept chain=input dst-address=255.255.255.255 add action=log chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=20,30:packet protocol=icmp add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes add action=accept chain=forward connection-state=established,related add action=accept chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp src-address-list=support add action=drop chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp add action=accept chain=input comment="Bandwidth test" protocol=tcp src-address-list=support src-port=2000 add action=accept chain=input comment="Bandwidth test" dst-port=2000 protocol=tcp src-address-list=support add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1 add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support add action=accept chain=input comment="Accept to established connections" connection-state=established add action=accept chain=input comment="Accept to related connections" connection-state=related add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support add action=accept chain=input dst-address=255.255.255.255 add action=log chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=20,30:packet protocol=icmp add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes add action=accept chain=forward connection-state=established,related /ip route add disabled=no dst-address=0.0.0.0/0 gateway=10.48.0.1 add disabled=no dst-address=0.0.0.0/0 gateway=10.48.0.1 add disabled=no dst-address=0.0.0.0/0 gateway=10.48.0.1 /ip service set www address=86.109.64.0/27 set api address=86.109.64.0/27 set api-ssl address=86.109.64.0/27 /ip smb shares set [ find default=yes ] directory=/pub /routing bfd configuration add disabled=no add disabled=no /snmp set contact=admin@rlan.hu enabled=yes location=Budapest /system clock set time-zone-name=Europe/Budapest /system identity set name=gw-ozdnemzetor-arpadiskola /system logging add action=remote topics=info add action=remote topics=critical add action=remote topics=error add action=remote topics=warning add action=remote topics=info add action=remote topics=critical add action=remote topics=error add action=remote topics=warning /system note set show-at-login=no /system ntp client set enabled=yes /system ntp client servers add address=time.rlan.hu /system scheduler add interval=6d name=mentes on-event=mentes policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2020-03-28 start-time=06:48:29 /system script add dont-require-permissions=no name=mentes owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/export file=export\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" export\") file=export.rsc \r\n/system backup save name=backup\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" Backup\") file=backup.backup\r\n" /tool e-mail set from=gw-ozdnemzetor-arpadiksola@magicnet.hu server=86.109.64.10 /tool graphing interface add add /tool graphing queue add add /tool graphing resource add add /user group add name=backup policy="ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api,!romon,!rest-api"