File: /home/posscale/backup/MT_Backups/Bygreen/BACKUP-Austraw-2021oct14-204723.rsc
# oct/14/2021 20:47:23 by RouterOS 6.43.4
# software id = A9RJ-VGXE
#
# model = 960PGS
# serial number = 7D4F075D99AB
/interface bridge
# LAN-Bridge is created disabled, and its only port (ether1, see
# /interface bridge port) is added disabled as well, so no bridging is active
# in this configuration.
add disabled=yes fast-forward=no name=LAN-Bridge
/interface ethernet
# Port roles. ether3 (P3-WAN3) is the only enabled WAN port and carries the
# Netmode VLAN; ether4 (P4-WAN2) and ether5 (P5-WAN1-PBX) are disabled, so every
# rule further down that references them is currently inactive.
# NOTE(review): speed=100Mbps is only honoured when auto-negotiation is turned
# off, and no auto-negotiation setting appears in this export - confirm the
# ports are negotiating/forced as intended.
set [ find default-name=ether3 ] name=P3-WAN3 poe-out=off speed=100Mbps
set [ find default-name=ether4 ] disabled=yes name=P4-WAN2 poe-out=off speed=\
100Mbps
set [ find default-name=ether5 ] disabled=yes name=P5-WAN1-PBX poe-out=off \
speed=100Mbps
# LAN-facing ports: ether1 serves the 192.168.0.0/24 LAN (and the guest VLAN),
# ether2 serves the PBX segment.
set [ find default-name=ether1 ] name="ether1 - Server" speed=100Mbps
set [ find default-name=ether2 ] name="ether2 - PBX" speed=100Mbps
# sfp1 is not referenced anywhere else in this export.
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
# VLAN 100 on "ether1 - Server" is the guest network (own subnet, pool and DHCP
# server below). VLAN 66 on P3-WAN3 ("Netmode") is the upstream: it carries the
# public 103.98.87.3/27 address and the only default route in this export.
add interface="ether1 - Server" name="Guest-WiFi network" vlan-id=100
add interface=P3-WAN3 name=Netmode vlan-id=66
/interface list
# Membership is assigned under /interface list member; the firewall matches on
# in-interface-list=WAN throughout.
add name=WAN
/interface wireless security-profiles
# Default profile only; no wireless interface is configured in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Default hotspot profile; no hotspot server appears in this export.
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# Only dhcp_pool2 is handed to a DHCP server in this export; pool1 and
# dhcp_pool1 are defined but not used by any server below (they may serve a
# feature outside this export - verify before removing).
add ranges=192.168.0.25-192.168.0.50 name=pool1
add ranges=192.168.0.2-192.168.0.254 name=dhcp_pool1
add ranges=192.168.100.2-192.168.100.254 name=dhcp_pool2
/ip dhcp-server
# Guest VLAN clients get 30-minute leases from dhcp_pool2. The 192.168.0.0/24
# LAN on "ether1 - Server" has no DHCP server in this export.
add name=dhcp1 interface="Guest-WiFi network" address-pool=dhcp_pool2 \
    lease-time=30m disabled=no
/queue simple
# Every simple queue is disabled. "opendrive" would shape traffic from
# 192.168.0.2 carrying the OpenDrive packet mark (the mangle rule that sets it
# is also disabled) towards P4-WAN2, itself a disabled port.
add burst-limit=768k/0 burst-threshold=512k/0 burst-time=2s/0s disabled=yes \
dst=P4-WAN2 limit-at=256k/0 max-limit=384k/0 name=opendrive packet-marks=\
OpenDrive target=192.168.0.2/32
add disabled=yes dst=172.217.167.110/32 max-limit=256k/1M name=mac target=\
192.168.0.68/32
# Empty target: this queue would match nothing even if enabled.
add disabled=yes name=Austraw target=""
/queue type
# PCQ types for per-address VoIP fair queuing. Nothing in this export references
# them - the queue-tree entries below use queue=default.
add kind=pcq name=Voip_Downstream pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=Voip_Upstream pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-src-address6-mask=64
/queue tree
# Disabled upload-shaping tree rooted at the disabled P4-WAN2 port.
add disabled=yes max-limit=2M name=Upload parent=P4-WAN2 priority=1 queue=\
default
add disabled=yes limit-at=500k max-limit=500k name=opendrive parent=Upload \
queue=default
/interface bridge port
# Disabled, matching the disabled LAN-Bridge above.
add bridge=LAN-Bridge disabled=yes interface="ether1 - Server"
/interface list member
# WAN list = P4-WAN2, P5-WAN1-PBX, P3-WAN3 and the Netmode VLAN; of these only
# P3-WAN3 and Netmode are enabled. The entry with no interface is presumably a
# leftover from a removed interface - it matches nothing and can be deleted.
add interface=P4-WAN2 list=WAN
add interface=P5-WAN1-PBX list=WAN
add interface=P3-WAN3 list=WAN
add list=WAN
add interface=Netmode list=WAN
/ip address
# Router addresses: LAN on ether1, PBX segment on ether2, the public /27 on the
# Netmode VLAN (upstream), and the guest subnet on VLAN 100.
add interface="ether1 - Server" address=192.168.0.1/24 network=192.168.0.0
add interface="ether2 - PBX" address=192.168.5.1/24 network=192.168.5.0
add interface=Netmode address=103.98.87.3/27 network=103.98.87.0
add interface="Guest-WiFi network" address=192.168.100.1/24 \
    network=192.168.100.0
/ip dhcp-client
# The client on P5-WAN1-PBX (a disabled port) keeps the default of adding a
# default route; if that port is ever enabled it will install a second default
# route next to the static one via 103.98.87.1 below. The clients on P4-WAN2
# and P3-WAN3 explicitly do not add default routes.
add dhcp-options=hostname,clientid interface=P5-WAN1-PBX
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=P4-WAN2
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=P3-WAN3
/ip dhcp-server network
# Gateway handed to guest VLAN clients. No dns-server option is set here, so
# clients receive the server's default - presumably this router; confirm.
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
# The router resolves for its LANs (allow-remote-requests=yes). The input chain
# drops UDP/TCP 53 arriving from the WAN list, so it is not an open resolver on
# the public address.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
# Static override pinning "unifi" to a public address; verify it is still
# current, a stale entry silently breaks the controller lookup.
add address=3.105.22.41 name=unifi
/ip firewall address-list
# "sip": sources allowed to reach the PBX (forward accepts and dst-nat for
# 5060 and RTP 6000-6399, and exempt from the raw 5060-5070 drop). Note it also
# contains the 192.168.0.0/24 LAN itself.
# "RDP": sources allowed to the 33389 -> 192.168.0.2:3389 forward and the CCTV
# 6036 forward, and exempt from the raw 3389 drop. 192.168.16.1 is a private
# address (a modem, per its comment) and will only ever match on that link.
# "Support": accepted unconditionally in the input chain and exempt from the
# winbox (8291) drop; it includes both internal subnets plus one office IP.
# "OpenDrive": only used by disabled mangle/queue entries.
# NOTE(review): the filter rule "Drop to bogon list" references a list named
# Bogons, which is never populated in this export, so that rule matches nothing.
add address=208.73.211.69 list=sip
add address=203.161.160.69 list=sip
add address=203.161.160.70 list=sip
add address=203.161.166.71 list=sip
add address=203.161.160.0/20 list=sip
add address=202.61.12.230 list=sip
add address=202.61.13.102 list=sip
add address=115.30.57.97 list=sip
add address=115.30.36.66 list=sip
add address=14.202.254.86 list=sip
add address=203.161.164.69 list=sip
add address=61.69.57.74 list=sip
add address=192.168.0.0/24 list=sip
add address=35.189.35.225 comment="RTP Voip IT UP" list=sip
add address=101.187.142.60 comment="Mick Home telstra NBN Connection" list=\
RDP
add address=61.69.57.74 comment="Jason Pos Scales Office IP" list=RDP
add address=192.168.16.1 comment="WAN 2 Telstra Modem NOT BRIDGED." list=RDP
add address=61.69.57.74 list=Support
add address=192.168.0.0/24 list=Support
add address=192.168.5.0/24 list=Support
add address=38.108.185.0/24 list=OpenDrive
add address=103.26.172.0/22 comment="NetSip IP Range" list=sip
add address=35.189.47.13 list=sip
add address=35.189.44.220 list=sip
add address=61.69.73.194 comment="Mick Home telstra NBN Connection" list=RDP
/ip firewall filter
# ---- input chain (traffic to the router itself) ----
# Rule order matters: the first matching terminal rule wins.
add action=fasttrack-connection chain=input connection-state=\
established,related
add action=accept chain=input connection-state=established,related
# Source-address-only match, no interface constraint. The Support list holds
# the LAN and PBX subnets as well as an office IP.
# NOTE(review): consider adding in-interface-list=!WAN (or enabling rp-filter)
# so WAN traffic carrying a spoofed internal source is not accepted here.
add action=accept chain=input src-address-list=Support
# Tags sources holding more than 30 concurrent TCP connections. The only rule
# that drops Syn_Flooder sits in the forward chain below, so in the input chain
# a listed source is never actually dropped.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
# Port-scan detection (psd) -> Port_Scanner list for one week, dropped below.
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
# Keeps the recursive resolver (allow-remote-requests=yes) off the public side.
add action=drop chain=input comment="drop DNS resolver requests from WAN" \
dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop DNS resolver requests from WAN" \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop port scan list" src-address-list=\
Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
# No in-interface here either, so winbox is also blocked from the guest VLAN
# (192.168.100.0/24 is not in Support).
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE BEFORE ADDING YOUR SUBNET TO SUPPORT ADDRES\
S LIST #" dst-port=8291 protocol=tcp src-address-list=!Support
# Inert: the FTP service is disabled under /ip service, and "530 Login
# incorrect" is an FTP server reply, which would not appear in packets arriving
# on the input chain anyway.
add action=add-src-to-address-list address-list=ftp_Brute \
address-list-timeout=3h chain=input comment=\
"Add bruteforcers to list for 3 hours" connection-limit=30,32 content=\
"530 Login incorrect" dst-port=21 limit=10/1m,0:packet protocol=tcp
add action=drop chain=input comment="Drop ftp bruteforce" dst-port=21 \
protocol=tcp src-address-list=ftp_Brute
# Terminal drop for WAN-sourced input only. Traffic from the LAN, PBX and guest
# interfaces that reaches this point is accepted by the default policy.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" \
in-interface-list=WAN log-prefix="INPUT DROP -->> "
# ---- forward chain ----
add action=accept chain=forward connection-state=established,related \
in-interface-list=WAN
# Inbound forwards that pair with the dst-nat rules: RDP (list-gated), RTP and
# SIP (sip-list-gated).
add action=accept chain=forward dst-port=33389 in-interface-list=WAN \
protocol=tcp src-address-list=RDP
add action=accept chain=forward dst-port=6000-6399 in-interface-list=WAN \
protocol=udp src-address-list=sip
add action=accept chain=forward dst-port=5060 in-interface-list=WAN protocol=\
udp src-address-list=sip
add action=accept chain=forward dst-port=5060 in-interface-list=WAN protocol=\
tcp src-address-list=sip
add action=drop chain=forward comment="Drop syn flood list" src-address-list=\
Syn_Flooder
# Disabled, so the ICMP chain below only ever sees input traffic.
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
yes jump-target=ICMP protocol=icmp
# Two disabled leftovers (an older WAN input drop and an "everything but LAN"
# drop); the active equivalent is the "Drop anything else!" rule above.
add action=drop chain=input disabled=yes in-interface-list=WAN log=yes \
log-prefix="DROP INPUT>> "
add action=drop chain=input disabled=yes in-interface="!ether1 - Server"
# No Bogons entries exist under /ip firewall address-list in this export, so
# this rule currently matches nothing - populate the list or remove the rule.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
# The next two rules are byte-for-byte duplicates (both disabled); one can go.
add action=add-src-to-address-list address-list=Spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
yes dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=add-src-to-address-list address-list=Spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
yes dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
dst-port=25,587 protocol=tcp src-address-list=Spammers
# NOTE(review): this matches list "smtp_Brute", but the mangle rule that
# populates the list writes to "SMTP_Brute". Unless RouterOS folds case in list
# names (do not rely on it), this rule never matches - align the two names.
add action=tarpit chain=forward comment="Tarpit login bruteforce" dst-port=25 \
protocol=tcp src-address-list=smtp_Brute
# ---- ICMP chain ---- (reached from input only, see the disabled forward jump)
# Echo requests are rate-limited to 1/s with a burst of 5; other useful types
# are allowed, everything else dropped.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# NOTE(review): this is disabled and no other terminal drop exists in the
# forward chain, so forwarded traffic that matches nothing above is accepted.
# In particular nothing isolates the guest VLAN (192.168.100.0/24) from the LAN
# and PBX subnets - confirm guest-to-LAN reachability is intended.
add action=drop chain=forward comment="Drop ALL From WAN NOT Dest-NAT" \
connection-nat-state=!dstnat disabled=yes in-interface-list=WAN log=yes \
log-prefix="DROP NOT DEST NAT>> "
# Effectively "accept all output".
add action=accept chain=output connection-state=established,related,new
# Usually placed before the accept rules; here it only sees what the forward
# accepts above did not already take.
add action=drop chain=forward connection-state=invalid in-interface-list=WAN
/ip firewall mangle
# The only active mangle rule: on forwarded SMTP replies (src-port=25) carrying
# an authentication-failure banner, add the destination (the client) to
# SMTP_Brute after 3 hits per minute. No dst-nat for port 25 exists in this
# export, so it can only see replies from external mail servers to internal
# clients. The filter tarpit rule looks for "smtp_Brute" (different case).
add action=add-dst-to-address-list address-list=SMTP_Brute \
address-list-timeout=10m chain=forward comment=\
"Add excessive login failures to list for 10 minutes" connection-state=\
established content=\
"535 5.7.8 Error: authentication failed: authentication failure" limit=\
!3/1m,3:packet protocol=tcp src-port=25
# Everything below is a disabled dual-WAN policy-routing set. These accepts
# exempt traffic to specific destinations from the marking rules that follow.
add action=accept chain=prerouting disabled=yes dst-address=192.168.16.0/24 \
in-interface="ether1 - Server"
add action=accept chain=prerouting disabled=yes dst-address=203.45.253.1 \
in-interface="ether2 - PBX"
add action=accept chain=prerouting disabled=yes dst-address=110.145.127.189 \
in-interface="ether2 - PBX"
add action=accept chain=prerouting disabled=yes dst-address=103.98.87.3 \
in-interface="ether2 - PBX"
add action=accept chain=prerouting disabled=yes dst-address=103.98.87.3 \
in-interface="ether1 - Server"
add action=accept chain=prerouting disabled=yes dst-address=203.45.253.1 \
in-interface="ether1 - Server"
add action=accept chain=prerouting disabled=yes dst-address=110.145.127.189 \
in-interface="ether1 - Server"
# "in-interface=*B" is a dangling reference to an interface that no longer
# exists; the export could not resolve its name.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=*B new-connection-mark=WAN1_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=P4-WAN2 new-connection-mark=WAN2_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=Netmode new-connection-mark=WAN2_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface="ether2 - PBX" \
new-connection-mark=WAN1_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface="ether1 - Server" \
new-connection-mark=WAN2_Conn passthrough=yes
# Routing marks TO_WAN1 / TO_WAN2 have no matching routes under /ip route in
# this export (only one unmarked default route exists), so re-enabling these
# rules alone would not steer anything.
add action=mark-routing chain=prerouting connection-mark=WAN1_Conn disabled=\
yes in-interface="ether2 - PBX" new-routing-mark=TO_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_Conn disabled=\
yes in-interface="ether1 - Server" new-routing-mark=TO_WAN2 passthrough=\
yes
add action=mark-routing chain=prerouting connection-mark=WAN1_Conn disabled=\
yes in-interface="ether1 - Server" new-routing-mark=TO_WAN1 passthrough=\
yes
add action=mark-routing chain=output connection-mark=WAN2_Conn disabled=yes \
new-routing-mark=TO_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_Conn disabled=yes \
new-routing-mark=TO_WAN1 passthrough=yes
# Packet mark consumed by the (also disabled) "opendrive" simple queue.
add action=mark-packet chain=forward disabled=yes dst-address-list=OpenDrive \
new-packet-mark=OpenDrive passthrough=yes src-address=192.168.0.2
/ip firewall nat
# ---- srcnat ----
# "*B" and "*9" are dangling references to interfaces that no longer exist;
# both rules are disabled and can be deleted.
add action=masquerade chain=srcnat disabled=yes log-prefix="PBX OUT >> " \
out-interface=*B src-address=192.168.5.5
add action=masquerade chain=srcnat disabled=yes out-interface=*B
# Active egress: everything leaving via the Netmode VLAN is masqueraded to
# 103.98.87.3.
add action=masquerade chain=srcnat out-interface=Netmode
# P4-WAN2 is a disabled port, so this rule is currently idle.
add action=masquerade chain=srcnat log-prefix="Outbound Traffic: " \
out-interface=P4-WAN2
add action=masquerade chain=srcnat disabled=yes out-interface=*9
# ---- dstnat ---- (each active forward is gated by a source list or address)
# RDP: external 33389 -> 192.168.0.2:3389, RDP list only; the raw chain drops
# 3389 from non-listed sources before conntrack.
add action=dst-nat chain=dstnat dst-port=33389 in-interface-list=WAN \
log-prefix="RDP CONNECTION>> " protocol=tcp src-address-list=RDP \
to-addresses=192.168.0.2 to-ports=3389
add action=dst-nat chain=dstnat comment=\
"CCTV CMS POS Scales GRoup Update Test" dst-port=6036 in-interface-list=\
WAN log-prefix="CCTV CMS" protocol=tcp src-address-list=RDP to-addresses=\
192.168.0.69 to-ports=6036
# Disabled: would add non-RDP sources probing 33389 to "BAD BLOCK LIST"
# (consumed by a disabled raw rule).
add action=add-src-to-address-list address-list="BAD BLOCK LIST" \
address-list-timeout=2d3h16m56s chain=dstnat disabled=yes dst-port=33389 \
in-interface-list=WAN log=yes log-prefix=\
"BAD RDP Added to BlackList >> " protocol=tcp src-address-list=!RDP \
to-addresses=192.168.0.2 to-ports=3389
# PBX at 192.168.5.5: RTP and SIP from the sip list only.
add action=dst-nat chain=dstnat dst-port=6000-6399 in-interface-list=WAN \
log-prefix="RTP PACKETS>> " protocol=udp src-address-list=sip \
to-addresses=192.168.5.5
add action=dst-nat chain=dstnat dst-port=5060 in-interface-list=WAN \
log-prefix="SIP PACKETS>> " protocol=tcp src-address-list=sip \
to-addresses=192.168.5.5
add action=dst-nat chain=dstnat dst-port=5060 in-interface-list=WAN \
log-prefix="SIP PACKETS>> " protocol=udp src-address-list=sip \
to-addresses=192.168.5.5
# Disabled STUN forwards with no source restriction; note the UDP one uses
# in-interface-list=all rather than WAN - tighten both before ever enabling.
add action=dst-nat chain=dstnat disabled=yes dst-port=3478-3479 \
in-interface-list=WAN log-prefix="SIP PACKETS>> " protocol=tcp \
to-addresses=192.168.5.5
add action=dst-nat chain=dstnat disabled=yes dst-port=3478-3479 \
in-interface-list=all log-prefix="SIP PACKETS>> " protocol=udp \
to-addresses=192.168.5.5
# PBX web UI exposed on 80/443 to a single office address; port 80 is logged.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log=yes \
log-prefix="PBX LOG IN >> " protocol=tcp src-address=61.69.57.74 \
to-addresses=192.168.5.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN \
log-prefix="PBX LOG IN >> " protocol=tcp src-address=61.69.57.74 \
to-addresses=192.168.5.5
/ip firewall raw
# Raw rules run before connection tracking. The "BAD BLOCK LIST" consumer and
# producers are all disabled here.
add action=drop chain=prerouting disabled=yes in-interface-list=WAN \
log-prefix="RAW - DROP BAD IP IN LIST :" src-address-list=\
"BAD BLOCK LIST"
add action=log chain=prerouting disabled=yes dst-port=443 in-interface-list=\
WAN log=yes log-prefix="443 ADD to BLACKLIST >" protocol=tcp \
src-address-list=!RDP
# Active: drop (and log) TCP 3389 from anything not in the RDP list. The real
# forward uses 33389, so hits here are direct probes of the default RDP port.
# NOTE(review): log=yes on a public address is likely to be high-volume;
# consider a log limit or dropping silently.
add action=drop chain=prerouting dst-port=3389 in-interface-list=WAN log=yes \
log-prefix="RAW 3389 Drop >" protocol=tcp src-address-list=!RDP
add action=add-src-to-address-list address-list="BAD BLOCK LIST" \
address-list-timeout=2d46m39s chain=prerouting disabled=yes dst-port=21 \
in-interface-list=WAN log=yes log-prefix="21 ADD to BLACKLIST >" \
protocol=tcp src-address-list=!RDP
# Active: drop (and log) SIP 5060-5070/udp from anything not in the sip list,
# shielding the PBX forwards above from SIP scanners. Same logging caveat.
add action=drop chain=prerouting dst-port=5060-5070 in-interface-list=WAN \
log=yes log-prefix="RAW 5060 DROP >> " protocol=udp src-address-list=\
!sip
/ip firewall service-port
# SIP ALG off - the PBX handles NAT traversal itself via the explicit forwards.
set sip disabled=yes
/ip route
# Single default route via the Netmode VLAN gateway (103.98.87.3/27 sits on
# that VLAN). No routes carry the TO_WAN1/TO_WAN2 marks used by the disabled
# mangle rules.
add distance=1 gateway=103.98.87.1
/ip service
# Management plane: every clear-text or unused service is switched off. winbox
# and www-ssl are not listed, so they keep their defaults; winbox is
# additionally gated by the port-8291 filter rule above.
set api disabled=yes
set api-ssl disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Brisbane
/system identity
# The identity is embedded in backup file names by the autobackup script.
set name=Austraw
/system ntp client
# NOTE(review): 192.168.0.1 is this router's own LAN address (see /ip address)
# and no /system ntp server section appears in this export, so time sync is
# probably not working; log timestamps and the backup file names depend on it.
# Point this at a real upstream NTP source and confirm the client is enabled.
set primary-ntp=192.168.0.1
/system routerboard settings
set silent-boot=no
/system scheduler
# Weekly "autobackup" job. The embedded script, in order:
#   1. saves a system backup with dont-encrypt=yes (encryptSysBackup is false),
#   2. runs a plain /export to <name>.rsc - which is how this very file,
#      including the literals below, was produced,
#   3. uploads every file whose name contains the backup name to an FTP server
#      (mode=ftp, port 21, cleartext) using the user/password literals in the
#      script,
#   4. deletes every local file whose name contains "BACKUP-".
# NOTE(review): the FTP password sits in cleartext both in the scheduler entry
# and in every export it produces; treat copies of this file as sensitive and
# rotate that credential. An unencrypted system backup (full device state,
# user accounts included) then travels over cleartext FTP. Mitigations to
# evaluate: set encryptSysBackup true, add hide-sensitive=yes to the /export
# line if this RouterOS build supports it (it does not redact the script text
# itself), and move the transfer to an encrypted channel.
# NOTE(review): the policy list grants reboot, password, policy, sniff and
# sensitive; confirm which of these the job actually needs and trim the rest.
add interval=1w name=autobackup on-event=":local saveUserDB false\r\
\n:local saveSysBackup true\r\
\n:local encryptSysBackup false\r\
\n:local saveRawExport true\r\
\n\r\
\n:local FTPServer \"backup.posscales.com.au\"\r\
\n:local FTPPort 21\r\
\n:local FTPUser \"MT_Backups@backup.posscales.com.au\"\r\
\n:local FTPPass \"!Dgt.974082\"\r\
\n:local FTPdest \"/Bygreen\"\r\
\n\r\
\n:local ts [/system clock get time]\r\
\n:set ts ([:pick \$ts 0 2].[:pick \$ts 3 5].[:pick \$ts 6 8])\r\
\n:local ds [/system clock get date]\r\
\n:set ds ([:pick \$ds 7 11].[:pick \$ds 0 3].[:pick \$ds 4 6])\r\
\n\r\
\n:local fname (\"BACKUP-\".[/system identity get name].\"-\".\$ds.\"-\".\
\$ts)\r\
\n:local sfname (\"/\".\$fname)\r\
\n:if (\$saveUserDB) do={\r\
\n /tool user-manager database save name=(\$sfname.\".umb\")\r\
\n :log info message=\"User Manager DB Backup Finished\"\r\
\n}\r\
\n:if (\$saveSysBackup) do={\r\
\n :if (\$encryptSysBackup = true) do={ /system backup save name=(\$sfnam\
e.\".backup\") }\r\
\n :if (\$encryptSysBackup = false) do={ /system backup save dont-encrypt\
=yes name=(\$sfname.\".backup\") }\r\
\n :log info message=\"System Backup Finished\"\r\
\n}\r\
\nif (\$saveRawExport) do={\r\
\n /export file=(\$sfname.\".rsc\")\r\
\n :log info message=\"Raw configuration script export Finished\"\r\
\n}\r\
\n:local backupFileName \"\"\r\
\n:local backupDestPath \"\"\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :set backupFileName (\"/\".[/file get \$backupFile name])\r\
\n :set backupDestPath (\$FTPdest.\$backupFileName)\r\
\n :if ([:typeof [:find \$backupFileName \$sfname]] != \"nil\") do={\r\
\n # :log warning message=\"/tool fetch address=\$FTPServer port=\$FTPPor\
t src-path=\$backupFileName user=\$FTPUser mode=ftp password=\$FTPPass dst\
-path=\$backupDestPath upload=yes\"\r\
\n\r\
\n /tool fetch address=\$FTPServer port=\$FTPPort src-path=\$backupFile\
Name user=\$FTPUser mode=ftp password=\$FTPPass dst-path=\$backupDestPath \
upload=yes\r\
\n }\r\
\n}\r\
\n:delay 5s\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :if ([:typeof [:find [/file get \$backupFile name] \"BACKUP-\"]]!=\"ni\
l\") do={\r\
\n /file remove \$backupFile\r\
\n }\r\
\n}\r\
\n\r\
\n:log info message=\"Successfully removed Temporary Backup Files\"\r\
\n:log info message=\"Automatic Backup Completed Successfully\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/05/2021 start-time=20:47:23
/tool bandwidth-server
# Bandwidth-test (btest) server switched off on this router.
set enabled=no
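/tool netwatch
# Watches 1.1.1.1 and logs link-state transitions. The log text now matches the
# event: the exported version had "UP" in down-script and "DOWN" in up-script,
# so every transition was logged inverted.
add down-script=":log debug message=(\" Internet Link is now : DOWN\");" host=\
1.1.1.1 up-script=\
":log debug message=(\" Internet Link is now : UP\");"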