# model: CCR1009-7G-1C-1S+
# serial-number: 914F0AD96227
# firmware-type: tilegx
# current-firmware: 7.14beta4
# installed-version: 7.15.2
# Flags: U - UNDOABLE
# Columns: ACTION, BY, POLICY, TIME
# ACTION BY POLICY TIME
# U nat rule changed admin write 2024-10-04 19:22:26
# U nat rule added admin write 2024-10-04 19:21:54
# U filter rule changed admin write 2024-08-28 15:08:29
# U filter rule added admin write 2024-08-28 15:08:14
# U wireguard peer entry added admin write 2024-08-28 14:50:16
# U wireguard peer entry added admin write 2024-08-27 08:34:52
# U filter rule changed admin write 2024-08-15 09:50:51
# U filter rule moved admin write 2024-08-15 09:50:39
# U filter rule added admin write 2024-08-15 09:50:37
# U address changed admin write 2024-08-15 09:44:27
# U address changed admin write 2024-08-15 09:44:25
# U address changed admin write 2024-08-15 09:42:56
# U wireguard peer entry added admin write 2024-08-15 09:40:24
# U wireguard peer entry changed admin write 2024-08-07 11:04:44
# U nat rule changed admin write 2024-08-05 12:38:29
# U nat rule changed admin write 2024-08-05 12:37:45
# U nat rule changed admin write 2024-08-05 10:51:11
# U nat rule changed admin write 2024-08-05 10:50:46
# U nat rule changed admin write 2024-08-05 10:44:29
# U nat rule changed admin write 2024-08-05 10:44:15
# U nat rule changed admin write 2024-08-05 10:43:52
# U nat rule changed admin write 2024-08-05 10:43:42
# U changed scheduled script settings admin write 2024-08-02 14:15:35
# U user mentes added admin write 2024-08-02 14:15:27
# policy
# U user group backup changed admin write 2024-08-02 14:14:54
# policy
# U user group mentes added admin write 2024-08-02 14:14:41
# policy
# U nat rule changed admin write 2024-08-02 09:33:26
# U nat rule added admin write 2024-08-02 09:33:16
# U user group backup removed admin write 2024-07-18 13:00:34
# policy
# U user mentes removed admin write 2024-07-18 13:00:33
# policy
# U ip service changed admin write 2024-07-18 13:00:09
# U user mentes added admin write 2024-07-18 12:59:54
# policy
# U user group backup added admin write 2024-07-18 12:59:54
# policy
# U ip service changed admin write 2024-07-18 12:59:51
# U wireguard peer entry added admin write 2024-07-16 11:00:48
# U wireguard peer entry changed root write 2024-07-10 12:12:10
# U log rule changed admin write 2024-07-10 11:33:22
# U log rule changed admin write 2024-07-10 11:30:05
# U filter rule moved admin write 2024-06-30 08:18:47
# U filter rule moved admin write 2024-06-30 08:18:47
# U filter rule moved admin write 2024-06-30 08:18:47
# U filter rule moved admin write 2024-06-30 08:18:47
# U filter rule moved admin write 2024-06-30 08:18:47
# U nat rule changed admin write 2024-06-30 08:15:55
# U nat rule changed admin write 2024-06-30 08:15:09
# U nat rule moved admin write 2024-06-30 08:15:06
#
# software id = YI0B-6GD3
#
# model = CCR1009-7G-1C-1S+
# serial number = 914F0AD96227
#
# Review notes (not part of the export). This is a full RouterOS configuration export for
# the "Sparta" edge router: LAN on ether2 / bridge-belsohalo (10.0.1.0/24), uplink on ether1
# (86.109.64.11/27), L2TP/IPsec clients in 10.0.2.0/24, WireGuard clients in 10.0.3.0/24 and an
# EoIP link to a remote site. The file contains live credentials (the WireGuard private key,
# the EoIP and L2TP IPsec pre-shared keys and one PPP password), so it must be handled as a
# secret; those values should be rotated if the file has been shared beyond its intended
# recipients. Firewall and NAT rules are order-dependent: keep them in the sequence given.
/interface bridge
add name=bridge-belsohalo port-cost-mode=short
add name="bridge-plaza link"
/interface ethernet
set [ find default-name=ether1 ] comment=Uplink
set [ find default-name=ether2 ] comment="Belso halo"
set [ find default-name=ether5 ] comment="fw fele - Plaza linkben"
set [ find default-name=ether6 ] comment="gw-eniac - Plaza linkben"
set [ find default-name=ether7 ] auto-negotiation=no comment="plaza fele - Plaza linkben - fix 100Mbps" speed=100M-baseT-full
# One static L2TP server binding per remote user; the matching credentials are under /ppp secret.
/interface l2tp-server
add name=l2tp-Ancsa user=Ancsa
add name=l2tp-AncsaMobil user=AncsaMobil
add disabled=yes name=l2tp-Csapod user=Csapod
add name=l2tp-FustiLaptop user=FustiLaptop
add name=l2tp-FustiMobil user=FustiMobil
add disabled=yes name=l2tp-GG_Laptop user=GG_Laptop
add disabled=yes name=l2tp-GaborMobil user=GaborMobil
add name=l2tp-Kriszlaptop user=Kriszlaptop
add name=l2tp-Kriszmobil user=Kriszmobil
add name=l2tp-LaciMobil user=LaciMobil
add name=l2tp-Laci_laptop user=Laci
add name=l2tp-Nikimobil user=Nikimobil
add name=l2tp-RakhelMobil user=RakhelMobil
add name=l2tp-TinaMobil user=TinaMobil
# EoIP tunnel to 86.109.64.250, protected by an IPsec PSK (ipsec-secret is a live credential).
/interface eoip
add allow-fast-path=no ipsec-secret=gUzsgu2gw7uigh mac-address=02:B3:BE:33:0A:79 name=eoip-apaca remote-address=86.109.64.250 tunnel-id=500
# NOTE(review): private-key below is the server's WireGuard identity. Anyone holding it can
# impersonate this endpoint to every peer listed further down; regenerate it if this export
# has leaked.
/interface wireguard
add listen-port=13231 mtu=1400 name=wireguard1 private-key="0II49h9oDJFngo6ysvrk9fyYs33/y0gC6C7GjJyfpXY="
/interface vlan
add interface=ether1 name=vlan111-uj-iroda-fele vlan-id=111
# Default IPsec proposal (used by the L2TP/IPsec server below) pinned to AES-128-CBC.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp_pool0 ranges=10.0.1.100-10.0.1.200
add name=IPSEC ranges=10.0.2.100-10.0.2.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-belsohalo lease-time=1h name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=10.0.2.1 name=ipsec remote-address=IPSEC
# SNMP communities are restricted by addresses= to the monitoring host and the management /27.
/snmp community
set [ find default=yes ] addresses=10.0.0.2/32,86.109.64.0/27
add addresses=10.0.0.2/32,86.109.64.0/27 name=partnerlogin
# Logging action 3 (presumably the built-in "remote" action) points at the syslog collector.
/system logging action
set 3 remote=86.109.64.16
/interface bridge port
add bridge=bridge-belsohalo ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge="bridge-plaza link" interface=ether7
add bridge="bridge-plaza link" interface=ether6
add bridge="bridge-plaza link" interface=ether5
add bridge=bridge-belsohalo interface=vlan111-uj-iroda-fele
# Bridged traffic is passed through the IP firewall as well.
/interface bridge settings
set use-ip-firewall=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# All L2TP users share this single IPsec PSK (use-ipsec=required); a leaked PSK affects every
# client, and per-user authentication rests on the /ppp secret entries alone.
/interface l2tp-server server
set allow-fast-path=yes default-profile=ipsec enabled=yes ipsec-secret=BkWUe3cb2W keepalive-timeout=300 mrru=1500 use-ipsec=required
# NOTE(review): no enabled=yes appears here, so the OVPN server is presumably off; md5 in the
# auth list is a weak digest and worth removing before the service is ever turned on.
/interface ovpn-server server
set auth=sha1,md5
# WireGuard peers: one /32 per device. These are public keys, not secrets; the per-device
# forward rules further down key off the same 10.0.3.x addresses.
/interface wireguard peers
add allowed-address=10.0.3.2/32 interface=wireguard1 name=krisz-telefon public-key="9mBIDrMasMx7I0vUWnQ4QNrCYzuxQpmxfcy7nolDSTs="
add allowed-address=10.0.3.3/32 interface=wireguard1 name=krisz-laptop public-key="PQCzy6wNSJ4IKQd474BoMXjze+xHZB97j0oS2RZKCXE="
add allowed-address=10.0.3.4/32 interface=wireguard1 name=k99-telefon public-key="PDdlUbuQm7pkvUQ/0pjhmGNQZRFVaKvEAX5hX3KZmTc="
add allowed-address=10.0.3.5/32 interface=wireguard1 name=k99-laptop public-key="2Pfq0t7feMHOtGOJTK5bvMmH0zOmgxE6prkjI+uMFFY="
add allowed-address=10.0.3.6/32 interface=wireguard1 name=david-laptop public-key="Zs9stx5XXurjr7WxkTmMuche42GROGGVNQJ0wdJPRx8="
add allowed-address=10.0.3.10/32 interface=wireguard1 name=fusti-laptop public-key="yE697L1Wd5xhnuLeMz5AvAa/ZYWLSUSImlg+ujstz1I="
add allowed-address=10.0.3.11/32 interface=wireguard1 name=laci-laptop public-key="ZWhxBsgroVpaaLYJipQaSdr07pfAGAmbaAFuPEYI/hA="
add allowed-address=10.0.3.12/32 interface=wireguard1 name=laci-telefon public-key="vFX01FQOP94q8oI5rLfXHH0/HComh/B2ulhhuqL8HlM="
add allowed-address=10.0.3.7/32 interface=wireguard1 name=ceges-telefon public-key="vtuBtPfHUXAiqtaqfv/8vzOPqDyEwwE76QZneirrV2M="
add allowed-address=10.0.3.13/32 interface=wireguard1 name=fusti-telefon public-key="UWEO+7LPsFmFKkkaviHjsNYvEy+uXugKKOhwGg6iOk0="
add allowed-address=10.0.3.8/32 interface=wireguard1 name=david-telefon public-key="o3/yjO4OMZ/c1G0vaxBzkJa2Aq3qi4HBqosfBvn5Bko="
# Several legacy/disabled addresses are kept on ether2; only the non-disabled ones are live.
/ip address
add address=10.0.1.1/24 interface=ether2 network=10.0.1.0
add address=86.109.64.11/27 interface=ether1 network=86.109.64.0
add address=86.109.67.21/30 interface=bridge-belsohalo network=86.109.67.20
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.0.1/24 disabled=yes interface=ether2 network=192.168.0.0
add address=192.168.88.2/24 disabled=yes interface=ether2 network=192.168.88.0
add address=192.168.2.1/24 disabled=yes interface=ether2 network=192.168.2.0
add address=10.0.2.1/24 disabled=yes interface=ether2 network=10.0.2.0
add address=10.0.3.1/24 interface=wireguard1 network=10.0.3.0
add address=10.0.3.253/30 interface=eoip-apaca network=10.0.3.252
add address=192.168.1.2/24 disabled=yes interface=bridge-belsohalo network=192.168.1.0
add address=192.168.66.2/24 interface=bridge-belsohalo network=192.168.66.0
/ip dhcp-server lease
add address=10.0.1.99 mac-address=C8:D9:D2:20:AB:85 server=dhcp1
add address=10.0.1.231 comment="Samsung nyomtato/scanner" mac-address=30:CD:A7:9A:2A:DB server=dhcp1
add address=10.0.1.5 client-id=1:24:4b:fe:2d:b3:7 comment=fs disabled=yes mac-address=24:4B:FE:2D:B3:07 server=dhcp1
add address=10.0.1.4 comment="Paradox kozpont" mac-address=00:19:BA:16:67:51 server=dhcp1
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.1.1,86.109.64.66,8.8.8.8 gateway=10.0.1.1
# allow-remote-requests=yes turns the router into a resolver; the four dst-port=53 rules at the
# top of the input chain below confine that to interfaces other than the uplink (ether1).
/ip dns
set allow-remote-requests=yes servers=86.109.64.5,86.109.64.66
# "support" is the trusted-management list: it receives full input-chain access (including
# winbox and telnet/ssh/ftp) below. 10.0.0.0/8 covers the LAN and both VPN pools. NOTE(review):
# the last entry is a public /19 (8192 addresses) whose own comment says it was only needed
# during setup and can be deleted -- confirm it has been removed on the live device.
/ip firewall address-list
add address=86.109.64.0/27 list=support
add address=192.168.88.0/24 list=support
add address=10.0.0.0/8 list=support
add address=86.109.64.0/19 comment="Ezt ki lehet torolni, csak a beallitashoz kell" list=support
# Input chain, evaluated top-down: DNS gate, service accepts (WireGuard, L2TP/IPsec, ESP,
# management from "support", EoIP/GRE), SYN-flood and port-scan detectors, winbox gate,
# established/related, then a final unconditional drop.
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=!ether1 protocol=tcp
add action=drop chain=input dst-port=53 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=!ether1 protocol=udp
add action=drop chain=input dst-port=53 protocol=udp
# fasttrack/accept for established,related is limited to protocol=tcp; UDP and ICMP forward
# flows are evaluated by the per-source rules below on every packet.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=accept chain=forward connection-state=established,related protocol=tcp
add action=accept chain=input comment=Wireguard dst-address=86.109.64.11 dst-port=13231 protocol=udp
add action=accept chain=input comment="l2tp ipsec" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=ipsec protocol=ipsec-esp
add action=accept chain=input comment=sstp disabled=yes dst-address=86.109.64.11 dst-port=443 protocol=tcp
add action=accept chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp src-address-list=support
add action=accept chain=input comment="EOIP Apacakert" protocol=gre src-address=86.109.64.250
add action=drop chain=input comment=telnet,ssh,ftp dst-port=21-23 protocol=tcp
# Rate/pattern based detectors: offenders are parked in Syn_Flooder (30m) or Port_Scanner (1h)
# and dropped by the rule that follows each detector.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=accept chain=input dst-address=255.255.255.255
# The logging twin of the final drop is disabled; only the drop itself is active.
add action=log chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
# ICMP sub-chain: rate-limited echo, plus the types needed for reachability and PMTUD.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=10,15 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
# Forward chain. NOTE(review): there is no catch-all drop; only the outbound SMB, the
# 10.0.2.0/24->LAN and the 10.0.3.0/24 drops below exist, so any other forwarded traffic
# (LAN-originated, or inbound flows admitted by dst-nat) falls through to the implicit accept.
add action=log chain=forward comment="Kimeno smb tiltas outlook hack miatt" dst-port=445 out-interface=ether1 protocol=tcp
add action=drop chain=forward comment="Kimeno smb tiltas outlook hack miatt" dst-port=445 out-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=10.0.2.0/24 src-address=10.0.1.0/24
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# L2TP clients (10.0.2.0/24) may reach only the three listed hosts on the LAN.
add action=accept chain=forward comment="Csak Truenas eleres vpn-rol" dst-address=10.0.1.5 src-address=10.0.2.0/24
add action=accept chain=forward comment="Csak Passbolt eleres vpn-rol" dst-address=10.0.1.6 src-address=10.0.2.0/24
add action=accept chain=forward comment="Server eleres vpn-rol" dst-address=10.0.1.10 src-address=10.0.2.0/24
add action=drop chain=forward comment="Csak Truenas eleres vpn-rol" dst-address=10.0.1.0/24 src-address=10.0.2.0/24
# WireGuard clients (10.0.3.0/24): the same three hosts for everyone, internet-only for the
# company phone (10.0.3.7), unrestricted for the six devices listed by /32, then LAN blocked
# and everything else dropped for the rest of the pool.
add action=accept chain=forward comment="Wireguard Csak Truenas eleres vpn-rol" dst-address=10.0.1.5 src-address=10.0.3.0/24
add action=accept chain=forward comment="Wireguard Csak Passbolt eleres vpn-rol" dst-address=10.0.1.6 src-address=10.0.3.0/24
add action=accept chain=forward comment="Wireguard server eleres vpn-rol" dst-address=10.0.1.10 src-address=10.0.3.0/24
add action=accept chain=forward comment="Ceges telefon internet eleres" dst-address=!10.0.1.0/24 src-address=10.0.3.7
add action=accept chain=forward comment="Wireguard Krisz mobil minden engedelyezes" src-address=10.0.3.2
add action=accept chain=forward comment="Wireguard Krisz laptop minden engedelyezes" src-address=10.0.3.3
add action=accept chain=forward comment="Wireguard k99 telefon minden engedelyezes" src-address=10.0.3.4
add action=accept chain=forward comment="Wireguard k99 laptop minden engedelyezes" src-address=10.0.3.5
add action=accept chain=forward comment="Wireguard d\E1vid laptop minden engedelyezes" src-address=10.0.3.6
add action=accept chain=forward comment="Wireguard d\E1vid telefon minden engedelyezes" src-address=10.0.3.8
add action=drop chain=forward comment="Wireguard Belso halo letiltas" dst-address=10.0.1.0/24 src-address=10.0.3.0/24
add action=drop chain=forward comment="Wiroguard minden mas eldobalasa" src-address=10.0.3.0/24
/ip firewall nat
# NOTE(review): action=accept performs no translation, so to-addresses on this first rule looks
# inert; its effect is to exempt WireGuard-sourced 3389 traffic from the dst-nat rules below.
# Confirm that is the intent (an action=dst-nat was perhaps meant).
add action=accept chain=dstnat comment="remote desktop windows 10" dst-port=3389 in-interface=wireguard1 protocol=tcp src-address=10.0.3.0/24 to-addresses=10.0.1.99
add action=masquerade chain=srcnat comment="Wireguard vpn natolas" src-address=10.0.3.0/24
add action=masquerade chain=srcnat src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="vpn natolas" src-address=10.0.2.0/24
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=86.109.64.10 src-address=86.109.67.22
# Inbound port forwards. Each is pinned to a src-address or src-address range; the forward
# chain above has no rule for these flows, so they are admitted by its implicit accept.
add action=dst-nat chain=dstnat comment="22 port -> CRM fel\E9" disabled=yes dst-port=22 in-interface=ether1 protocol=tcp to-addresses=10.0.1.10
add action=dst-nat chain=dstnat comment="Kamera server sajat halozatbol" disabled=yes dst-port=80,8000,554,443 in-interface=ether1 protocol=tcp src-address=86.109.64.0/19 to-addresses=10.0.1.3
add action=dst-nat chain=dstnat comment="remote desktop windows 10" dst-port=3389 protocol=tcp src-address=86.109.64.106 to-addresses=10.0.1.99
add action=dst-nat chain=dstnat comment="remote desktop windows 10 fw-budapest config portjarol" dst-port=3389 in-interface=ether1 protocol=tcp src-address=10.0.66.0/24 to-addresses=10.0.1.99
add action=dst-nat chain=dstnat comment=Paradox dst-port=10000 in-interface=ether1 protocol=tcp src-address=86.109.64.0/19 to-addresses=10.0.1.4
add action=dst-nat chain=dstnat comment=Paradox dst-port=10000 in-interface=ether1 protocol=tcp src-address=10.0.1.0/24 to-addresses=10.0.1.4
add action=dst-nat chain=dstnat comment=Paradox dst-port=10000 in-interface=ether1 protocol=udp src-address=86.109.64.0/19 to-addresses=10.0.1.4
add action=dst-nat chain=dstnat comment=Paradox dst-port=10000 in-interface=ether1 protocol=udp src-address=10.0.1.0/24 to-addresses=10.0.1.4
add action=dst-nat chain=dstnat comment="trunas snmp monitorozas" dst-port=162 protocol=udp src-address=86.109.64.0/27 to-addresses=10.0.1.5 to-ports=161
add action=dst-nat chain=dstnat comment="Truenas bacula backup" dst-port=9102,9103 protocol=tcp src-address=86.109.64.16 to-addresses=10.0.1.5
add action=dst-nat chain=dstnat comment="partner server zabbix agent" dst-port=10060 protocol=tcp src-address=86.109.64.7 to-addresses=10.0.1.10 to-ports=10050
add action=dst-nat chain=dstnat comment="passbolt server zabbix agent" dst-port=10061 protocol=tcp src-address=86.109.64.7 to-addresses=10.0.1.6 to-ports=10050
add action=dst-nat chain=dstnat comment="radius server zabbix agent" dst-port=10062 protocol=tcp src-address=86.109.64.7 to-addresses=10.0.1.11 to-ports=10050
add action=dst-nat chain=dstnat comment="PowerDNS mysql eleres CRM-en" dst-address=86.109.64.11 dst-port=3306 protocol=tcp src-address=86.109.64.6 to-addresses=10.0.1.10 to-ports=3306
add action=dst-nat chain=dstnat comment="mail.rlaninternet.hu mysql eleres CRM-en" dst-address=86.109.64.11 dst-port=3306 protocol=tcp src-address=86.109.64.30 to-addresses=10.0.1.10 to-ports=3306
add action=dst-nat chain=dstnat comment="Backup mysql eleres CRM-en" dst-address=86.109.64.11 dst-port=3306 protocol=tcp src-address=86.109.64.16 to-addresses=10.0.1.10 to-ports=3306
# NOTE(review): the web proxy is enabled and no /ip proxy access list appears in this export;
# it is reachable from any source the input chain accepts (the whole "support" list, i.e. all
# of 10.0.0.0/8 and the public ranges) -- confirm it is still needed and restrict it if so.
/ip proxy
set enabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=86.109.64.1
# www is limited to the LAN and api/api-ssl to the management /27; ssh/telnet/ftp/winbox are
# not listed here, so they appear to keep their defaults and are gated by the filter rules.
/ip service
set www address=10.0.1.0/24
set api address=86.109.64.0/27
set api-ssl address=86.109.64.0/27
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/lcd
set time-interval=hour
# NOTE(review): only FustiLaptop carries password= in this export; confirm the remaining
# secrets are not relying on an empty password -- the shared IPsec PSK above is not
# per-user authentication.
/ppp secret
add name=Ancsa profile=ipsec service=l2tp
add disabled=yes name=Csapod profile=ipsec service=l2tp
add disabled=yes name=GaborMobil profile=ipsec service=l2tp
add name=Nikimobil profile=ipsec service=l2tp
add name=Kriszlaptop profile=ipsec service=l2tp
add disabled=yes name=GG_Laptop profile=ipsec service=l2tp
add name=Laci profile=ipsec service=l2tp
add name=LaciMobil profile=ipsec service=l2tp
add name=FustiMobil profile=ipsec service=l2tp
add name=FustiLaptop password=So76mrtXe profile=ipsec service=l2tp
add name=Kriszmobil profile=ipsec service=l2tp
add name=AncsaMobil profile=ipsec service=l2tp
add name=RakhelMobil profile=ipsec service=l2tp
add name=TinaMobil profile=ipsec service=l2tp
/routing bfd configuration
add disabled=no
# Disabled synthetic-route generators left over from testing.
/routing fantasy
add count=10000 disabled=yes dst-address=192.168.0.0/16 name=teszt prefix-length=32
add count=16000000 disabled=yes dst-address=192.168.0.0/8 name=teszt prefix-length=8
/snmp
set contact=admin@rlan.hu enabled=yes location=Sopron
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=Sparta
# info/critical/error/warning are shipped to the remote syslog action configured above.
/system logging
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
add disabled=yes topics=wireguard
add disabled=yes topics=sstp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.rlan.hu
/system routerboard settings
# Warning: cpu not running at default frequency
set cpu-frequency=1000MHz
# The scheduled backup is disabled=yes, so the "mentes" script below does not run on its own.
/system scheduler
add disabled=yes interval=6d name=mentes on-event=mentes policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=2016-06-09 start-time=09:10:31
# mentes: writes an /export and a /system backup and e-mails both through the SMTP server in
# /tool e-mail. NOTE(review): backup save carries no password=, so the .backup file is
# unencrypted and contains every secret in this export; a backup password and an authenticated,
# TLS-protected mail path would be prudent. The script runs with the broad policy listed
# (including password, sniff and sensitive).
/system script
add dont-require-permissions=no name=mentes owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/export\_file=export\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" export\") file=export.rsc\r\n/system backup save name=backup\r\n/tool e-mail send from=\"backup@rlan.hu\" to=\"backup@rlan.hu\" subject=([/system identity get name] . \" Backup\") file=backup.backup\r\n"
# auto-send-supout=yes mails a supout.rif (which typically embeds the running configuration)
# on watchdog events, via the same SMTP host as /tool e-mail.
/system watchdog
set auto-send-supout=yes send-email-from=sparta@magicnet.hu send-email-to=magic@magicnet.hu send-smtp-server=86.109.64.10
# NOTE(review): from=sparata@... differs from the watchdog's sparta@... above; presumably a typo.
/tool e-mail
set from=sparata@magicnet.hu server=86.109.64.10
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# Read-only ssh group for the backup user. "sensitive" lets its members read secrets such as
# the keys above (required to export them), so its membership deserves the same care as admin.
# The undo log at the top shows user "mentes" being placed in this group; the user entries
# themselves are not visible in this export.
/user group
add name=backup policy="ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api,!romon,!rest-api"