# model: RBSXTsqG-5acD # serial-number: E8DA0F37CA12 # firmware-type: ipq4000L # current-firmware: 6.49.6 # installed-version: 7.16 # Flags: U - UNDOABLE # Columns: ACTION, BY, POLICY, TIME # ACTION BY POLICY TIME # U user mentes added admin write 2024-10-03 13:19:03 # policy # U user group backup added admin write 2024-10-03 13:19:03 # policy # # software id = H8LB-EWA7 # # model = RBSXTsqG-5acD # serial number = E8DA0F37CA12 /interface bridge add name=bridge1 /interface wireless set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-n/ac channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no frequency-mode=superchannel mode=station-bridge nv2-preshared-key=dsjnf999 nv2-security=enabled scan-list=5000-6000 ssid=RLAN_OK wireless-protocol=nv2 /interface vlan add interface=wlan1 name=vlan500 vlan-id=500 /interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /snmp community set [ find default=yes ] addresses=86.109.64.0/27 /system logging action set 3 remote=86.109.64.16 /interface bridge port add bridge=bridge1 interface=ether1 add bridge=bridge1 interface=vlan500 /interface bridge settings set use-ip-firewall=yes /ip firewall connection tracking set udp-timeout=10s /ip neighbor discovery-settings set discover-interface-list=!dynamic /ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192 /interface ovpn-server server set auth=sha1,md5 /ip address add address=10.75.0.7/24 interface=wlan1 network=10.75.0.0 /ip dns set servers=86.109.64.5,86.109.64.66 /ip firewall address-list add address=86.109.64.0/27 list=support add address=10.0.0.0/8 list=support add address=86.109.64.0/19 comment="Ez torolheto" list=support add address=192.168.88.0/24 list=support /ip firewall filter add action=accept chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp src-address-list=support add action=drop chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp add action=accept chain=input comment="Bandwidth test" protocol=tcp src-address-list=support src-port=2000 add action=accept chain=input comment="Bandwidth test" dst-port=2000 protocol=tcp src-address-list=support add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1 add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support add action=accept chain=input comment="Accept to established connections" connection-state=established add action=accept chain=input comment="Accept to related connections" connection-state=related add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support add action=accept chain=input dst-address=255.255.255.255 add action=log chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=10,15 protocol=icmp add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes add action=accept chain=forward connection-state=established,related /ip hotspot profile set [ find default=yes ] html-directory=hotspot /ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 /ip route add gateway=10.75.0.1 /ip service set www address=86.109.64.0/27 set api address=86.109.64.0/27 set api-ssl address=86.109.64.0/27 /routing bfd configuration add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5 /snmp set contact=admin@rlan.hu enabled=yes location=Paks /system clock set time-zone-name=Europe/Budapest /system identity set name=gw-pakskontener-oszlop /system logging add action=remote topics=info add action=remote topics=error add action=remote topics=critical add action=remote topics=warning /system note set show-at-login=no /system ntp client set enabled=yes /system ntp client servers add address=time.rlan.hu /system scheduler add interval=6d name=mentes on-event=mentes policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2021-05-19 start-time=10:10:51 /system script add dont-require-permissions=no name=mentes owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/export file=export\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" export\") file=export.rsc\r\n/system backup save name=backup\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" Backup\") file=backup.backup" /tool e-mail set from=gw-pakskontener-oszlop@magicnet.hu server=mail.rlan.hu /tool graphing interface add /tool graphing queue add /tool graphing resource add /user group add name=backup policy="ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api,!romon,!rest-api"