File: /home/posscale/backup/MT_Backups/Bygreen/BACKUP-Austraw-2023jun01-204723.rsc
# jun/01/2023 20:47:23 by RouterOS 6.49.7
# software id = A9RJ-VGXE
#
# model = 960PGS
# serial number = 7D4F075D99AB
/interface bridge
# Both bridges are exported disabled=yes; their member ports are listed later under
# /interface bridge port, so neither bridge is actually switching traffic.
add disabled=yes fast-forward=no name=LAN-Bridge
add disabled=yes name="VPN EOIP LINK"
/interface ethernet
# ether3 becomes P3-WAN3-netmode (the upstream port, placed in the WAN list further down);
# ether1/ether2 are the server and PBX LANs; ether4/ether5 are left disabled.
set [ find default-name=ether3 ] name=P3-WAN3-netmode poe-out=off speed=\
100Mbps
set [ find default-name=ether1 ] name="ether1 - Server" speed=100Mbps
set [ find default-name=ether2 ] name="ether2 - PBX" speed=100Mbps
set [ find default-name=ether4 ] disabled=yes poe-out=off speed=100Mbps
set [ find default-name=ether5 ] disabled=yes poe-out=off speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface eoip
# Disabled EoIP tunnel to 10.10.10.210 (the last address of VPN-Pool below). EoIP carries
# no encryption of its own; if re-enabled, its confidentiality rests on the path it runs
# over (presumably the L2TP/IPsec VPN -- confirm).
add disabled=yes mac-address=02:86:B6:AB:57:F0 name=eoip-tunnel-posscales \
remote-address=10.10.10.210 tunnel-id=0
/interface vlan
# VLAN 100 on the server port is the guest Wi-Fi network (own /24 and DHCP server below);
# VLAN 66 on ether3 is the tagged upstream (Netmode) WAN.
add interface="ether1 - Server" name="Guest-WiFi network" vlan-id=100
add interface=P3-WAN3-netmode name=Netmode-Vlan vlan-id=66
/interface list
# WAN/LAN membership is assigned under /interface list member; L2TP-Connections is filled
# dynamically by the "Bygreen VPN" PPP profile (interface-list=L2TP-Connections).
add name=WAN
add name=L2TP-Connections
add name=LAN
/interface wireless security-profiles
# Only the supplicant identity is touched on the default profile; no wireless interface
# section appears in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# pool1 and dhcp_pool1 overlap in 192.168.0.x and are not referenced anywhere else in this
# export; dhcp_pool2 feeds the guest DHCP server and VPN-Pool supplies L2TP client addresses.
add name=pool1 ranges=192.168.0.25-192.168.0.50
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.100.2-192.168.100.254
add name=VPN-Pool ranges=10.10.10.10-10.10.10.210
/ip dhcp-server
# DHCP is served only on the guest VLAN, with 30-minute leases.
add address-pool=dhcp_pool2 disabled=no interface="Guest-WiFi network" \
lease-time=30m name=dhcp1
/ppp profile
# Profile handed to L2TP clients: 10.10.10.1 on the router side, client addresses from
# VPN-Pool, MPPE mandatory (use-encryption=required), and 8.8.8.8 pushed as DNS rather
# than the router's own resolver.
add dns-server=8.8.8.8 interface-list=L2TP-Connections local-address=\
10.10.10.1 name="Bygreen VPN" remote-address=VPN-Pool use-encryption=\
required
/queue simple
# All three simple queues are disabled; "Austraw" has an empty target and would match
# nothing even if enabled.
add burst-limit=768k/0 burst-threshold=512k/0 burst-time=2s/0s disabled=yes \
dst=ether4 limit-at=256k/0 max-limit=384k/0 name=opendrive packet-marks=\
OpenDrive target=192.168.0.2/32
add disabled=yes dst=172.217.167.110/32 max-limit=256k/1M name=mac target=\
192.168.0.68/32
add disabled=yes name=Austraw target=""
/queue type
# PCQ per-address queue types for VoIP shaping; nothing else in this export references them.
add kind=pcq name=Voip_Downstream pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=Voip_Upstream pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-src-address6-mask=64
/queue tree
# Disabled upload tree hung off ether4 (which is itself disabled above).
add disabled=yes max-limit=2M name=Upload parent=ether4 priority=1 queue=\
default
add disabled=yes limit-at=500k max-limit=500k name=opendrive parent=Upload \
queue=default
/user group
# The "full" group carries every policy, including sensitive, password, ftp and api.
# /user entries are not part of this export, so which accounts hold it is not visible here.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# Ports for the two disabled bridges. "ether1 - Server" is listed twice (LAN-Bridge entry
# disabled, VPN EOIP LINK entry enabled); since both bridges are disabled, neither is active.
add bridge=LAN-Bridge disabled=yes interface="ether1 - Server"
add bridge="VPN EOIP LINK" interface=eoip-tunnel-posscales
add bridge="VPN EOIP LINK" interface="ether1 - Server"
/ip neighbor discovery-settings
# !dynamic = discovery (MNDP/CDP/LLDP) runs on every static interface, which includes the
# WAN members P3-WAN3-netmode and Netmode-Vlan, so identity/version beacons are sent
# towards the upstream segment.
# NOTE(review): discover-interface-list=LAN would keep discovery internal -- confirm
# nothing upstream relies on the beacons before changing it.
set discover-interface-list=!dynamic
/interface l2tp-server server
# L2TP/IPsec server. The IPsec PSK is stored here in clear (this export includes sensitive
# values) and is repeated under /ppp l2tp-secret below. mschap1 is accepted alongside
# mschap2; mschap1 is the weaker of the two.
set authentication=mschap1,mschap2 default-profile="Bygreen VPN" enabled=yes \
ipsec-secret=!Pss.974082** use-ipsec=yes
/interface list member
# WAN = ether3 and its VLAN 66; LAN = server and PBX ports. The guest VLAN is in neither
# list, so "accept in-interface-list=LAN" in the input chain does not cover guest clients
# and the LAN->WAN forward accept does not match them either (see the filter section).
add interface=P3-WAN3-netmode list=WAN
add interface=Netmode-Vlan list=WAN
add interface="ether1 - Server" list=LAN
add interface="ether2 - PBX" list=LAN
/ip address
# 192.168.0.1/24 server LAN, 192.168.5.1/24 PBX LAN, 103.98.87.3/27 public address on the
# Netmode VLAN (the default route under /ip route points at 103.98.87.1), and
# 192.168.100.1/24 for the guest VLAN.
add address=192.168.0.1/24 interface="ether1 - Server" network=192.168.0.0
add address=192.168.5.1/24 interface="ether2 - PBX" network=192.168.5.0
add address=103.98.87.3/27 interface=Netmode-Vlan network=103.98.87.0
add address=192.168.100.1/24 interface="Guest-WiFi network" network=\
192.168.100.0
/ip dhcp-client
# DHCP clients on ether5, ether4 and untagged ether3. ether4/ether5 are disabled above; the
# ether4 and ether3 clients do not install a default route (add-default-route=no), so the
# static route via the Netmode VLAN stays the only default.
add interface=ether5
add add-default-route=no disabled=no interface=ether4
add add-default-route=no disabled=no interface=P3-WAN3-netmode
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
# The router resolves for clients (allow-remote-requests=yes); the WAN-side UDP/TCP 53
# drops in the filter input chain are what keep it from being an open resolver.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=3.105.22.41 name=unifi
/ip firewall address-list
# Static lists used by the filter/NAT/raw rules:
#  sip      - SIP/RTP peers allowed through the dst-nat to the PBX (192.168.5.5); it also
#             contains 192.168.0.0/24, so the server LAN matches as "sip" too.
#  RDP      - sources permitted to the forwarded RDP port (33389 -> 192.168.0.2:3389) and
#             to the CCTV CMS forward (6036 -> 192.168.0.69).
#  Support  - sources accepted straight into the router's input chain and exempt from the
#             winbox drop; it includes both LAN subnets. 61.69.57.74 is in sip, RDP and Support.
#  OpenDrive - target of a disabled mangle/queue pair.
# NOTE(review): the filter rules below reference "Bogons", which is never defined here, and
# "smtp_Brute", whereas the mangle rule populates "SMTP_Brute" (different case).
add address=208.73.211.69 list=sip
add address=203.161.160.69 list=sip
add address=203.161.160.70 list=sip
add address=203.161.166.71 list=sip
add address=203.161.160.0/20 list=sip
add address=202.61.12.230 list=sip
add address=202.61.13.102 list=sip
add address=115.30.57.97 list=sip
add address=115.30.36.66 list=sip
add address=14.202.254.86 list=sip
add address=203.161.164.69 list=sip
add address=61.69.57.74 list=sip
add address=192.168.0.0/24 list=sip
add address=35.189.35.225 comment="RTP Voip IT UP" list=sip
add address=101.187.142.60 comment="Mick Home telstra NBN Connection" list=\
RDP
add address=61.69.57.74 comment="Jason Pos Scales Office IP" list=RDP
add address=192.168.16.1 comment="WAN 2 Telstra Modem NOT BRIDGED." list=RDP
add address=61.69.57.74 list=Support
add address=192.168.0.0/24 list=Support
add address=192.168.5.0/24 list=Support
add address=38.108.185.0/24 list=OpenDrive
add address=103.26.172.0/22 comment="NetSip IP Range" list=sip
add address=35.189.47.13 list=sip
add address=35.189.44.220 list=sip
add address=61.69.73.194 comment="Mick Home telstra NBN Connection" list=RDP
add address=49.191.174.78 comment=C.Baxton list=RDP
add address=27.253.10.186 comment="Chad Home NBN Connection" list=RDP
/ip firewall filter
# ---------------- input chain (traffic to the router itself) ----------------
# L2TP/IPsec control and data (UDP 500/1701/4500, ESP, AH) is accepted from any source;
# the VPN server is therefore guarded only by the IPsec PSK and the PPP credentials.
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=fasttrack-connection chain=input connection-state=\
established,related
add action=accept chain=input connection-state=established,related
# Everything from LAN-list interfaces and from the Support list reaches the router
# unfiltered. The guest VLAN is in neither list, and the final drop below is WAN-only, so
# guest clients are not blocked from router services either (winbox excepted, via the
# !Support drop further down).
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input src-address-list=Support
# Heuristics: more than 30 concurrent SYN-state connections from one source -> Syn_Flooder
# (30 min); port-scan detection -> Port_Scanner (1 week). Note that the Syn_Flooder list is
# only dropped in the forward chain (below), not in input where it is collected.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
# Keeps allow-remote-requests=yes (under /ip dns) from exposing an open resolver on WAN.
add action=drop chain=input comment="drop DNS resolver requests from WAN" \
dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop DNS resolver requests from WAN" \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop port scan list" src-address-list=\
Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
# Winbox (8291) is reachable only from the Support list; this rule has no interface
# restriction, so it applies to the guest VLAN as well. The lockout warning in the comment
# is the original author's.
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE BEFORE ADDING YOUR SUBNET TO SUPPORT ADDRES\
S LIST #" dst-port=8291 protocol=tcp src-address-list=!Support
# FTP brute-force list. The ftp service is disabled under /ip service, so these two rules
# currently see no traffic.
add action=add-src-to-address-list address-list=ftp_Brute \
address-list-timeout=3h chain=input comment=\
"Add bruteforcers to list for 3 hours" connection-limit=30,32 content=\
"530 Login incorrect" dst-port=21 limit=10/1m,0:packet protocol=tcp
add action=drop chain=input comment="Drop ftp bruteforce" dst-port=21 \
protocol=tcp src-address-list=ftp_Brute
# Default deny for WAN-originated input. A log-prefix is set but log=yes is not, so these
# drops are never written to the log.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" \
in-interface-list=WAN log-prefix="INPUT DROP -->> "
# ---------------- forward chain (traffic through the router) ----------------
# Disabled per-host exception (presumably a leftover; confirm before removing).
add action=accept chain=forward disabled=yes src-address=192.168.0.73
add action=accept chain=forward connection-state=established,related \
in-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
# Inbound port-forwards are accepted only from their address lists; these pair with the
# dst-nat rules under /ip firewall nat.
add action=accept chain=forward dst-port=33389 in-interface-list=WAN \
protocol=tcp src-address-list=RDP
add action=accept chain=forward dst-port=6000-6399 in-interface-list=WAN \
protocol=udp src-address-list=sip
add action=accept chain=forward dst-port=5060 in-interface-list=WAN protocol=\
udp src-address-list=sip
add action=accept chain=forward dst-port=5060 in-interface-list=WAN protocol=\
tcp src-address-list=sip
add action=drop chain=forward comment="Drop syn flood list" src-address-list=\
Syn_Flooder
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
yes jump-target=ICMP protocol=icmp
# Two disabled input drops (a logged WAN catch-all and a "not from ether1" drop).
add action=drop chain=input disabled=yes in-interface-list=WAN log=yes \
log-prefix="DROP INPUT>> "
add action=drop chain=input disabled=yes in-interface="!ether1 - Server"
# "Bogons" is not defined under /ip firewall address-list in this export, so this rule
# matches nothing.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
# The next two rules are byte-identical duplicates (both disabled).
add action=add-src-to-address-list address-list=Spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
yes dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=add-src-to-address-list address-list=Spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
yes dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
dst-port=25,587 protocol=tcp src-address-list=Spammers
# Tarpit keys off "smtp_Brute", but the mangle rule that feeds it writes to "SMTP_Brute".
# As far as I know address-list names are case-sensitive, so this likely never fires --
# confirm on the device.
add action=tarpit chain=forward comment="Tarpit login bruteforce" dst-port=25 \
protocol=tcp src-address-list=smtp_Brute
# ---------------- ICMP chain ----------------
# Echo requests rate-limited to 1/s with a burst of 5; echo reply, TTL exceeded,
# unreachable 3:0-1 and PMTUD (3:4) allowed; every other ICMP type dropped. Only the input
# chain jumps here (the forward-chain jump is disabled).
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# NOTE(review): the WAN default-deny for forward ("NOT Dest-NAT") is disabled, so traffic
# from WAN that is neither established/related nor matched by an accept above is not
# explicitly dropped -- only connection-state=invalid is, in the last rule. There is also
# no rule isolating the guest VLAN (192.168.100.0/24) from 192.168.0.0/24 or 192.168.5.0/24.
add action=drop chain=forward comment="Drop ALL From WAN NOT Dest-NAT" \
connection-nat-state=!dstnat disabled=yes in-interface-list=WAN log=yes \
log-prefix="DROP NOT DEST NAT>> "
add action=accept chain=output connection-state=established,related,new
add action=drop chain=forward connection-state=invalid in-interface-list=WAN
/ip firewall mangle
# Active rule: when forwarded packets from TCP source port 25 carrying the "535 ...
# authentication failed" banner exceed 3 per minute (negated limit), the destination
# address is listed as SMTP_Brute for 10 minutes. The filter tarpit rule reads
# "smtp_Brute" (different case), so the two may not be connected -- verify on the device.
add action=add-dst-to-address-list address-list=SMTP_Brute \
address-list-timeout=10m chain=forward comment=\
"Add excessive login failures to list for 10 minutes" connection-state=\
established content=\
"535 5.7.8 Error: authentication failed: authentication failure" limit=\
!3/1m,3:packet protocol=tcp src-port=25
# Everything below is disabled: prerouting exemptions for a few fixed destinations, a
# dual-WAN connection-mark / routing-mark scheme (WAN1_Conn/WAN2_Conn -> TO_WAN1/TO_WAN2),
# and OpenDrive packet marking for the disabled simple queue.
add action=accept chain=prerouting disabled=yes dst-address=192.168.16.0/24 \
in-interface="ether1 - Server"
add action=accept chain=prerouting disabled=yes dst-address=203.45.253.1 \
in-interface="ether2 - PBX"
add action=accept chain=prerouting disabled=yes dst-address=110.145.127.189 \
in-interface="ether2 - PBX"
add action=accept chain=prerouting disabled=yes dst-address=103.98.87.3 \
in-interface="ether2 - PBX"
add action=accept chain=prerouting disabled=yes dst-address=103.98.87.3 \
in-interface="ether1 - Server"
add action=accept chain=prerouting disabled=yes dst-address=203.45.253.1 \
in-interface="ether1 - Server"
add action=accept chain=prerouting disabled=yes dst-address=110.145.127.189 \
in-interface="ether1 - Server"
# in-interface=*B looks like a stale handle to an interface that no longer exists
# (RouterOS prints the raw id when the referenced object is gone) -- verify, and remove
# the rule if so.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=*B new-connection-mark=WAN1_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=ether4 new-connection-mark=WAN2_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=Netmode-Vlan new-connection-mark=WAN2_Conn passthrough=\
yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface="ether2 - PBX" \
new-connection-mark=WAN1_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface="ether1 - Server" \
new-connection-mark=WAN2_Conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_Conn disabled=\
yes in-interface="ether2 - PBX" new-routing-mark=TO_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_Conn disabled=\
yes in-interface="ether1 - Server" new-routing-mark=TO_WAN2 passthrough=\
yes
add action=mark-routing chain=prerouting connection-mark=WAN1_Conn disabled=\
yes in-interface="ether1 - Server" new-routing-mark=TO_WAN1 passthrough=\
yes
add action=mark-routing chain=output connection-mark=WAN2_Conn disabled=yes \
new-routing-mark=TO_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_Conn disabled=yes \
new-routing-mark=TO_WAN1 passthrough=yes
add action=mark-packet chain=forward disabled=yes dst-address-list=OpenDrive \
new-packet-mark=OpenDrive passthrough=yes src-address=192.168.0.2
/ip firewall nat
# Masquerade towards VPN clients, the Netmode VLAN (the active WAN) and ether4 (the
# disabled second WAN). The ether4 rule sets a log-prefix without log=yes, so it logs nothing.
add action=masquerade chain=srcnat out-interface-list=L2TP-Connections
add action=masquerade chain=srcnat out-interface=Netmode-Vlan
add action=masquerade chain=srcnat log-prefix="Outbound Traffic: " \
out-interface=ether4
# RDP: external 33389 -> 192.168.0.2:3389, RDP list only (the raw chain additionally drops
# plain 3389 from non-RDP sources).
add action=dst-nat chain=dstnat dst-port=33389 in-interface-list=WAN \
log-prefix="RDP CONNECTION>> " protocol=tcp src-address-list=RDP \
to-addresses=192.168.0.2 to-ports=3389
# CCTV CMS 6036 -> 192.168.0.69, RDP list only.
add action=dst-nat chain=dstnat comment=\
"CCTV CMS POS Scales GRoup Update Test" dst-port=6036 in-interface-list=\
WAN log-prefix="CCTV CMS" protocol=tcp src-address-list=RDP to-addresses=\
192.168.0.69 to-ports=6036
# Disabled auto-blacklisting of non-RDP sources hitting 33389 (2d3h timeout).
add action=add-src-to-address-list address-list="BAD BLOCK LIST" \
address-list-timeout=2d3h16m56s chain=dstnat disabled=yes dst-port=33389 \
in-interface-list=WAN log=yes log-prefix=\
"BAD RDP Added to BlackList >> " protocol=tcp src-address-list=!RDP \
to-addresses=192.168.0.2 to-ports=3389
# SIP/RTP -> PBX 192.168.5.5, sip list only. The log-prefixes here have no log=yes.
add action=dst-nat chain=dstnat dst-port=6000-6399 in-interface-list=WAN \
log-prefix="RTP PACKETS>> " protocol=udp src-address-list=sip \
to-addresses=192.168.5.5
add action=dst-nat chain=dstnat dst-port=5060 in-interface-list=WAN \
log-prefix="SIP PACKETS>> " protocol=tcp src-address-list=sip \
to-addresses=192.168.5.5
add action=dst-nat chain=dstnat dst-port=5060 in-interface-list=WAN \
log-prefix="SIP PACKETS>> " protocol=udp src-address-list=sip \
to-addresses=192.168.5.5
# NOTE(review): the two disabled 3478-3479 rules have no src-address-list, and the UDP
# one matches in-interface-list=all; if enabled as-is they would forward from any source.
add action=dst-nat chain=dstnat disabled=yes dst-port=3478-3479 \
in-interface-list=WAN log-prefix="SIP PACKETS>> " protocol=tcp \
to-addresses=192.168.5.5
add action=dst-nat chain=dstnat disabled=yes dst-port=3478-3479 \
in-interface-list=all log-prefix="SIP PACKETS>> " protocol=udp \
to-addresses=192.168.5.5
# PBX web UI (80/443) -> 192.168.5.5 from a single source address; the 80 rule is logged,
# the 443 rule is not (prefix only). There is no matching forward-chain accept for these
# two ports, so they rely on the absence of a forward default-deny.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log=yes \
log-prefix="PBX LOG IN >> " protocol=tcp src-address=61.69.57.74 \
to-addresses=192.168.5.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN \
log-prefix="PBX LOG IN >> " protocol=tcp src-address=61.69.57.74 \
to-addresses=192.168.5.5
/ip firewall raw
# Pre-conntrack rules. Disabled: the BAD BLOCK LIST drop and the 443/21 blacklisting.
# Active (both logged): drop TCP 3389 from non-RDP sources and UDP 5060-5070 from non-sip
# sources arriving on WAN.
add action=drop chain=prerouting disabled=yes in-interface-list=WAN \
log-prefix="RAW - DROP BAD IP IN LIST :" src-address-list=\
"BAD BLOCK LIST"
add action=log chain=prerouting disabled=yes dst-port=443 in-interface-list=\
WAN log=yes log-prefix="443 ADD to BLACKLIST >" protocol=tcp \
src-address-list=!RDP
add action=drop chain=prerouting dst-port=3389 in-interface-list=WAN log=yes \
log-prefix="RAW 3389 Drop >" protocol=tcp src-address-list=!RDP
add action=add-src-to-address-list address-list="BAD BLOCK LIST" \
address-list-timeout=2d46m39s chain=prerouting disabled=yes dst-port=21 \
in-interface-list=WAN log=yes log-prefix="21 ADD to BLACKLIST >" \
protocol=tcp src-address-list=!RDP
add action=drop chain=prerouting dst-port=5060-5070 in-interface-list=WAN \
log=yes log-prefix="RAW 5060 DROP >> " protocol=udp src-address-list=\
!sip
/ip firewall service-port
# SIP ALG disabled; the PBX is reached through explicit dst-nat instead.
set sip disabled=yes
/ip route
# Single static default route via the Netmode VLAN gateway.
add distance=1 gateway=103.98.87.1
/ip service
# telnet/ftp/www/ssh/api/api-ssl disabled. winbox and www-ssl are not listed and keep their
# defaults; winbox is the management path the filter rules guard (Support list only).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes permits SSH sessions negotiated with the "none"
# cipher (no encryption) and forwarding-enabled=remote allows remote port-forwarding.
# Both are dormant while the ssh service is disabled above, but become live the moment it
# is re-enabled; allow-none-crypto=no forwarding-enabled=no would be the safe baseline.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp l2tp-secret
# The same IPsec PSK as under /interface l2tp-server server, bound to 10.10.10.0/24.
# NOTE(review): the comment field duplicates the secret verbatim; comments are never
# treated as sensitive, so the PSK survives even in exports that hide passwords.
add address=10.10.10.0/24 comment=!Pss.974082** secret=!Pss.974082**
/ppp secret
# Two VPN accounts on the "Bygreen VPN" profile. Both comment fields carry the password in
# clear (same concern as above), and PosScalesOffice's password is a variant of the IPsec
# PSK, so one leak compromises both.
add comment="1YjqS\$sUb8" name=Mel.Erbsland password="1YjqS\$sUb8" profile=\
"Bygreen VPN"
add comment=Pss.974082 name=PosScalesOffice password=Pss.974082 profile=\
"Bygreen VPN"
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Brisbane
/system identity
# "Austraw" is also the identity embedded in the backup file name by the scheduler below.
set name=Austraw
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=159.196.3.239
/system ntp server
# NTP server enabled; nothing in the input chain accepts UDP 123 from WAN, so it is only
# reachable from the LAN side.
set enabled=yes
/system scheduler
# Weekly "autobackup" (this file appears to be its output: the name encodes identity,
# date and time). Flow: /system backup save dont-encrypt=yes and a full /export, wait 10s,
# FTP-upload every file whose name contains the generated prefix, wait 10s, then delete
# every local file containing "BACKUP-". saveUserDB and encryptSysBackup are both false.
# NOTE(review): the transport is plain FTP (mode=ftp, port 21) with the credentials embedded
# in this script, and the uploaded .rsc contains the IPsec PSK, the VPN passwords and this
# FTP password in clear (as this file shows). Anyone who can read this scheduler entry or
# observe the FTP path obtains every secret on the router. An encrypted backup
# (encryptSysBackup=true) and an encrypted transport would remove the bulk of that exposure.
# The policy line grants the script sensitive, password, reboot and policy rights.
add interval=1w name=autobackup on-event=":local saveUserDB false\r\
\n:local saveSysBackup true\r\
\n:local encryptSysBackup false\r\
\n:local saveRawExport true\r\
\n\r\
\n:local FTPServer \"backup.posscales.com.au\"\r\
\n:local FTPPort 21\r\
\n:local FTPUser \"MT_Backups@backup.posscales.com.au\"\r\
\n:local FTPPass \"!Dgt.974082\"\r\
\n:local FTPdest \"/Bygreen\"\r\
\n\r\
\n:local ts [/system clock get time]\r\
\n:set ts ([:pick \$ts 0 2].[:pick \$ts 3 5].[:pick \$ts 6 8])\r\
\n:local ds [/system clock get date]\r\
\n:set ds ([:pick \$ds 7 11].[:pick \$ds 0 3].[:pick \$ds 4 6])\r\
\n\r\
\n:local fname (\"BACKUP-\".[/system identity get name].\"-\".\$ds.\"-\".\
\$ts)\r\
\n:local sfname (\"/\".\$fname)\r\
\n:if (\$saveUserDB) do={\r\
\n /tool user-manager database save name=(\$sfname.\".umb\")\r\
\n :log info message=\"User Manager DB Backup Finished\"\r\
\n}\r\
\n:if (\$saveSysBackup) do={\r\
\n :if (\$encryptSysBackup = true) do={ /system backup save name=(\$sfnam\
e.\".backup\") }\r\
\n :if (\$encryptSysBackup = false) do={ /system backup save dont-encrypt\
=yes name=(\$sfname.\".backup\") }\r\
\n :log info message=\"System Backup Finished\"\r\
\n}\r\
\nif (\$saveRawExport) do={\r\
\n /export file=(\$sfname.\".rsc\")\r\
\n :log info message=\"Raw configuration script export Finished\"\r\
\n}\r\
\n:delay 10s\r\
\n:local backupFileName \"\"\r\
\n:local backupDestPath \"\"\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :set backupFileName (\"/\".[/file get \$backupFile name])\r\
\n :set backupDestPath (\$FTPdest.\$backupFileName)\r\
\n :if ([:typeof [:find \$backupFileName \$sfname]] != \"nil\") do={\r\
\n # :log warning message=\"/tool fetch address=\$FTPServer port=\$FTPPor\
t src-path=\$backupFileName user=\$FTPUser mode=ftp password=\$FTPPass dst\
-path=\$backupDestPath upload=yes\"\r\
\n\r\
\n /tool fetch address=\$FTPServer port=\$FTPPort src-path=\$backupFile\
Name user=\$FTPUser mode=ftp password=\$FTPPass dst-path=\$backupDestPath \
upload=yes\r\
\n }\r\
\n}\r\
\n:delay 10s\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :if ([:typeof [:find [/file get \$backupFile name] \"BACKUP-\"]]!=\"ni\
l\") do={\r\
\n /file remove \$backupFile\r\
\n }\r\
\n}\r\
\n\r\
\n:log info message=\"Successfully removed Temporary Backup Files\"\r\
\n:log info message=\"Automatic Backup Completed Successfully\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/05/2021 start-time=20:47:23
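/tool bandwidth-server
# Bandwidth-test server off, so the router does not accept test sessions.
set enabled=no
/tool netwatch
# Probes 1.1.1.1: down-script runs when the probe starts failing and up-script when it
# recovers. The exported messages were inverted (down-script logged "UP", up-script logged
# "DOWN"); swapped so the log reflects the actual link state.
add down-script=":log debug message=(\" Internet Link is now : DOWN\");" host=\
1.1.1.1 up-script=\
":log debug message=(\" Internet Link is now : UP\");"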