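# version: 6.49.19 (stable)
# factory-software: 6.46.2
# total-memory: 128.0MiB
# cpu: MIPS 74Kc V4.12
# cpu-count: 1
# total-hdd-space: 128.0MiB
# architecture-name: mipsbe
# board-name: RB2011UiAS-2HnD
# platform: MikroTik
# installed-version: 6.49.19
# Flags: U - undoable, R - redoable, F - floating-undo
#   ACTION                       BY        POLICY
# U user group backup changed    sysadmin  write, policy
# U user user_backup added       sysadmin  write, policy
# U user group backup added      sysadmin  write, policy
# U address changed              sysadmin  write
# U address changed              sysadmin  write
# U address added                sysadmin  write
# U address changed              sysadmin  write
# U address changed              sysadmin  write
# U address changed              sysadmin  write
# U address changed              sysadmin  write
# U address changed              sysadmin  write
# U device changed               sysadmin  write
# U address added                sysadmin  write
# U address changed              sysadmin  write
# U new script added             sysadmin  write
# U new script added             sysadmin  write
#
# software id = U8UD-RFV2
#
# model = RB2011UiAS-2HnD
# serial number = D5AE0CBA41A3
#
# REVIEW SUMMARY
# - The export had been collapsed onto a few very long lines; it is re-split one
#   command per line. Command order and every value are unchanged except where
#   marked FIX(review) below.
# - FIX(review): the input-chain service rules used `port=` instead of
#   `dst-port=`. `port=` matches source OR destination port, so the unrestricted
#   www rule accepted any packet whose *source* port was 60080 on every
#   destination port (winbox 8291, API 8728, BGP 179, ...) from the whole
#   Internet. All service rules now match on destination port only, and the www
#   rule is limited to the gestion list like its winbox/API siblings.
# - Everything else that a reviewer would want changed is flagged inline as
#   NOTE(review) rather than changed, because the right value depends on
#   operational context (peers, legacy clients, RADIUS server capabilities).
# - This router carries a public address (181.114.219.250/30) and a BGP session;
#   the export contains plaintext secrets in script bodies (see /system script),
#   so treat any copy of this file as sensitive.
/interface bridge
add name=br-locales
add name=lobridge
/interface ethernet
set [ find default-name=ether3 ] full-duplex=no name=ether3-Enlace speed=100Mbps
set [ find default-name=ether7 ] name=ether7-Radio
set [ find default-name=ether8 ] name=ether8-AP
set [ find default-name=ether9 ] name=ether9-Clientes
set [ find default-name=ether10 ] name=ether10-Locales
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): WPA1 (wpa-psk) and TKIP are still offered by this profile. Unless
# legacy clients need them, prefer authentication-types=wpa2-psk group-ciphers=aes-ccm
# (WPA-TKIP is downgradable/crackable; WPA2-only also stops the TKIP group key).
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=funsadu supplicant-identity="" wpa-pre-shared-key=***** wpa2-pre-shared-key=*****
# NOTE(review): "nada" has no authentication at all. It is not referenced by wlan1
# here; confirm it is not used anywhere before leaving it in place.
add eap-methods="" name=nada supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=2422 mode=ap-bridge security-profile=funsadu ssid=funsadu
/ip pool
add name=dchp_pool_Locales ranges=192.168.95.200-192.168.95.250
add name=PPPoE-Pool ranges=10.95.11.100-10.95.11.200
add name=dhcp_pool2 ranges=192.168.1.200-192.168.1.250
# NOTE(review): vpn-Pool is byte-identical to dchp_pool_Locales
# (192.168.95.200-250). L2TP clients (ovpn-Profile) and DHCP clients on br-locales
# draw from the same range and can collide; give the VPN its own range.
add name=vpn-Pool ranges=192.168.95.200-192.168.95.250
/ip dhcp-server
add address-pool=dchp_pool_Locales disabled=no interface=br-locales name=dhcp-Locales
add address-pool=dhcp_pool2 interface=ether9-Clientes name=dhcp1
/ppp profile
add dns-server=10.95.21.1,1.1.1.1 local-address=172.16.52.94 name=radius-profile remote-address=PPPoE-Pool session-timeout=1w use-encryption=yes
add dns-server=8.8.8.8,1.1.1.1 local-address=10.95.202.1 name=ovpn-Profile only-one=yes remote-address=vpn-Pool
/routing bgp instance
# NOTE(review): redistribute-connected=yes advertises every connected subnet
# (customer, wifi and management ranges included) to the iBGP peer. If that is
# intended, fine; otherwise filter with an out-filter.
set default as=93 redistribute-connected=yes router-id=181.114.219.250
/snmp community
# NOTE(review): the default community (name "public") is kept, only narrowed to
# 10.94.0.0/16; Rpsa_performance is readable from all of 10.0.0.0/8, which also
# contains the PPPoE customer pool. SNMPv1/v2c is unauthenticated; consider v3
# or at least non-default community names and tighter addresses.
set [ find default=yes ] addresses=10.94.0.0/16
add addresses=10.0.0.0/8 name=Rpsa_performance
/system logging action
set 0 memory-lines=20000
set 1 disk-lines-per-file=20000
# Remote syslog target (plain UDP syslog; the firewall log lines from the
# ssh-analisys chain end up here as well).
set 3 remote=10.93.202.3
/user group
# Least-privilege group for the backup account: ssh + read only, everything else
# explicitly denied (including sensitive, ftp, api, web).
add name=backup policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
#error exporting /interface bridge calea
/interface bridge port
add bridge=br-locales interface=wlan1
add bridge=br-locales disabled=yes interface=ether6
add bridge=br-locales interface=ether10-Locales
/interface l2tp-server server
# NOTE(review): the server is not enabled in this export and the matching input
# rules (ipsec-esp, udp 500/4500/1701) are disabled, so this is dormant. If it is
# turned on, also re-enable those rules and prefer certificate/IKEv2 over a PSK.
set default-profile=ovpn-Profile ipsec-secret=***** use-ipsec=yes
/interface pppoe-server server
# NOTE(review): authentication offers pap,chap,mschap1 but not mschap2. PAP sends
# the customer password in clear over the PPPoE segment; unless legacy CPE
# requires it, drop pap and add mschap2.
add authentication=pap,chap,mschap1 default-profile=radius-profile disabled=no interface=ether7-Radio one-session-per-host=yes service-name=PPPoE-Ceferino
add authentication=pap,chap,mschap1 default-profile=radius-profile disabled=no interface=ether6 service-name=PPPoE-Ceferino2
/interface wireless connect-list
add interface=wlan1 security-profile=funsadu ssid=FUNSADU
# NOTE(review): no security-profile on this entry means the (open) default
# profile would be used if wlan1 were ever switched to station mode.
add interface=wlan1 ssid=Nodo-Municipalidad
/ip address
add address=10.93.68.4/24 interface=ether3-Enlace network=10.93.68.0
add address=181.114.219.250/30 interface=ether3-Enlace network=181.114.219.248
add address=192.168.95.1/24 interface=br-locales network=192.168.95.0
add address=10.93.21.254/24 interface=ether3-Enlace network=10.93.21.0
# The three 192.168.1.1/24 entries below are toggled by the "cliente" and "ap"
# scripts (they disable all of them, then enable the one with the matching comment).
add address=192.168.1.1/24 comment=ConfigurarCliente interface=ether9-Clientes network=192.168.1.0
add address=192.168.38.2/24 disabled=yes interface=ether9-Clientes network=192.168.38.0
add address=10.93.10.254/24 interface=ether3-Enlace network=10.93.10.0
add address=10.95.10.1/24 interface=ether9-Clientes network=10.95.10.0
add address=10.95.21.1/24 interface=ether7-Radio network=10.95.21.0
add address=192.168.1.1/24 disabled=yes interface=ether7-Radio network=192.168.1.0
add address=10.95.21.81/29 disabled=yes interface=ether8-AP network=10.95.21.80
add address=192.168.1.20 disabled=yes interface=lobridge network=192.168.1.20
add address=192.168.1.1/24 comment=ConfigurarAP disabled=yes interface=ether8-AP network=192.168.1.0
add address=10.95.21.1/24 comment=ConfigurarCliente disabled=yes interface=ether9-Clientes network=10.95.21.0
/ip dhcp-client
# DHCP client on the customer-facing port, deliberately ignoring the offered
# default route, DNS and NTP so a rogue DHCP server there cannot redirect the router.
add add-default-route=no disabled=no interface=ether9-Clientes use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.95.0/24 dns-server=192.168.95.1 gateway=192.168.95.1
/ip dns
# allow-remote-requests=yes makes this a resolver; it is not an open resolver only
# because the input chain accepts UDP/53 from the "locales" list alone. Keep those
# two in sync. Upstream lookups go to 1.1.1.1/8.8.8.8 over plain UDP (no DoH).
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=159.65.188.191 name=vpn.funsadu.ar
add address=10.93.202.3 name=radius
add address=10.93.1.2 name=cc
add address=192.168.1.20 name=ubnt
add address=10.93.202.3 name=radius.funsadu.ar
add address=10.93.202.3 name=gestion.funsadu.ar
add address=10.93.202.3 name=radio.funsadu.ar
add address=10.93.202.3 name=radios.funsadu.ar
add address=10.93.21.62 name=radio-Ceferino
add address=10.93.21.61 name=radio-Unanue
add address=10.93.21.1 name=unanue
add address=10.93.21.62 name=radio
add address=10.93.21.61 name=enlace
add address=181.114.219.250 name=ceferino
add address=181.114.219.106 name=test-server
add address=192.168.1.20 name=n
add address=10.95.21.254 name=prueba
/ip firewall address-list
# locales  : networks allowed to use the router as DNS and that get masqueraded.
# gestion  : networks allowed to reach management services (winbox/API/SNMP/NTP/BGP).
# autorizados : sources accepted on the input chain for every protocol and port.
# ssh_blacklist : static entries plus dynamic ones added by the ssh-analisys chain.
add address=10.94.10.0/24 list=locales
add address=10.94.11.0/24 list=locales
add address=192.168.95.0/24 list=locales
add address=10.94.21.0/24 list=locales
# NOTE(review): gestion = 10.0.0.0/8 + 192.168.0.0/16 also covers PPPoE-Pool
# (10.95.11.x), the wifi/locales DHCP range and the VPN pool (192.168.95.x), so
# customers and VPN users can reach winbox, API, SNMP, NTP and BGP on this router.
# Narrow it to the actual management subnets (10.93.x/10.94.x appear to be those).
add address=10.0.0.0/8 list=gestion
add address=192.168.0.0/16 list=gestion
add address=192.168.1.20 list=locales
add address=41.184.156.64 list=ssh_blacklist
add address=219.128.250.146 list=ssh_blacklist
add address=45.238.18.152 list=ssh_blacklist
add address=196.188.136.79 list=ssh_blacklist
add address=187.188.9.111 list=ssh_blacklist
add address=170.254.165.220 list=ssh_blacklist
add address=118.123.213.221 list=ssh_blacklist
add address=171.107.199.98 list=ssh_blacklist
add address=185.138.132.216 list=ssh_blacklist
add address=182.150.48.140 list=ssh_blacklist
add address=192.168.252.249 list=ssh_blacklist
add address=185.132.249.251 list=ssh_blacklist
add address=185.132.249.241 list=ssh_blacklist
add address=192.168.103.246 list=ssh_blacklist
add address=220.174.25.172 list=ssh_blacklist
add address=218.92.153.5 list=ssh_blacklist
add address=185.180.143.147 list=ssh_blacklist
add address=41.100.225.231 list=ssh_blacklist
add address=181.46.138.69 list=autorizados
# NOTE(review): an entire /8 in the blacklist (and two RFC1918 hosts above) is
# probably overreach from an incident; the ssh_blacklist rule also sits in the
# forward chain, so all traffic *through* the router from 185/8 is dropped too.
add address=185.0.0.0/8 list=ssh_blacklist
add address=10.93.0.0/16 list=autorizados
add address=10.94.0.0/16 list=autorizados
add address=192.168.18.0/24 list=locales
add address=10.95.11.0/24 list=locales
add address=10.95.21.0/24 list=locales
add address=10.95.1.0/24 list=locales
add address=10.93.68.1 list=locales
# NOTE(review): a DNS-name entry in the "accept everything" list is resolved via
# the plain-UDP upstream resolvers above; a spoofed answer grants full input
# access. Prefer a static address, or at least a DNSSEC-validated/static mapping.
add address=red.rpsa.ar list=autorizados
add address=181.114.219.105 list=autorizados
add address=181.114.219.201-202 list=autorizados
add address=181.114.219.206 list=autorizados
#error exporting /ip firewall calea
/ip firewall filter
add action=drop chain=input comment="ssh_blacklist DROP" src-address-list=ssh_blacklist
# Unconditional accept for authorised sources (all protocols/ports).
add action=accept chain=input src-address-list=autorizados
# NOTE(review): this is the only forward-chain rule; nothing else constrains
# traffic forwarded between the public uplink and the internal segments.
add action=drop chain=forward comment="ssh_blacklist DROP" src-address-list=ssh_blacklist
# New SSH connections from non-authorised sources go through the 3-strike chain.
add action=jump chain=input comment="Si es SSH te esperamos" connection-state=new dst-port=22001 jump-target=ssh-analisys protocol=tcp src-address-list=!autorizados
add action=accept chain=input dst-port=22001 protocol=tcp src-address-list=autorizados
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# Redundant with the first rule (blacklisted sources never get here); harmless.
add action=drop chain=input comment="drop ssh brute forcers IP" src-address-list=ssh_blacklist
# FIX(review): was `port=60080 protocol=tcp` with no source restriction. `port=`
# matches source OR destination, so any Internet host could reach every TCP
# service on the router by using source port 60080. Now dst-port only and limited
# to the gestion list, consistent with the winbox/API rules below. If web
# management from arbitrary addresses was really intended, keep at least the
# dst-port change and put the restriction on /ip service www address= instead.
add action=accept chain=input comment=www dst-port=60080 protocol=tcp src-address-list=gestion
add action=accept chain=input comment="Accept establecidas" connection-state=established
add action=accept chain=input comment="Aceptar relacionadas" connection-state=related
add action=accept chain=input comment="Aceptar ICMP" protocol=icmp
# FIX(review): dst-port instead of port on all service rules below (see summary).
add action=accept chain=input comment=DNS dst-port=53 protocol=udp src-address-list=locales
add action=accept chain=input comment=NTP dst-port=123 protocol=udp src-address-list=gestion
add action=accept chain=input disabled=yes protocol=gre
add action=accept chain=input disabled=yes protocol=ipsec-esp
add action=accept chain=input disabled=yes dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment=API dst-port=8728 protocol=tcp src-address-list=gestion
add action=accept chain=input comment=snmp dst-port=161 protocol=udp src-address-list=gestion
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp src-address-list=gestion
add action=accept chain=input comment="Radius Incomming" dst-port=3799 protocol=udp src-address-list=gestion
# NOTE(review): the only BGP peer is 10.93.68.1; this could be src-address=10.93.68.1
# rather than the whole gestion list.
add action=accept chain=input comment=BGP dst-port=179 protocol=tcp src-address-list=gestion
add action=accept chain=input comment="desde Unanue" src-address=10.93.1.1
add action=drop chain=input comment="bloquear todo lo demas"
# ssh-analisys: each new SSH connection from an unknown source walks all four
# rules (add-src-to-address-list does not terminate). 1st hit -> CANDIDATE_1 (30s),
# 2nd within 30s -> CANDIDATE_2 (30s), 3rd -> ssh_blacklist for 2 weeks, logged.
# NOTE(review): the third (blacklisting) connection is still accepted by the last
# rule; only the *next* one is dropped by the input-chain rule. A source that
# tries slower than once per 30s is never blacklisted. Consider a drop rule after
# the final-strike rule, and longer CANDIDATE timeouts.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=ssh-analisys comment="ssh_blacklist CANDIDATE 3 - final strike " log=yes src-address-list=ssh_blacklist_CANDIDATE_2
add action=add-src-to-address-list address-list=ssh_blacklist_CANDIDATE_2 address-list-timeout=30s chain=ssh-analisys comment="ssh_blacklist CANDIDATE 2" src-address-list=ssh_blacklist_CANDIDATE_1
add action=add-src-to-address-list address-list=ssh_blacklist_CANDIDATE_1 address-list-timeout=30s chain=ssh-analisys comment="ssh_blacklist CANDIDATE 1"
add action=accept chain=ssh-analisys comment="Allow SSH connections from outside"
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=locales
add action=masquerade chain=srcnat dst-address=192.168.0.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.20
add action=masquerade chain=srcnat dst-address=10.95.21.24/30
add action=masquerade chain=srcnat disabled=yes dst-address=10.95.21.82
add action=masquerade chain=srcnat disabled=yes dst-address=10.95.21.83
/ip route
add distance=1 gateway=181.114.219.249
add distance=12 gateway=10.93.68.1
add distance=1 dst-address=10.93.202.0/24 gateway=10.93.68.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): management over plain HTTP (non-standard port is not a control),
# with no address= restriction on the service itself. Prefer www-ssl with a real
# certificate and disable www, or at least set address= to the management nets.
# api (8728) and winbox (8291) keep their defaults and are reachable from gestion.
set www port=60080
set ssh port=22001
/ip smb shares
set [ find default=yes ] directory=/skins
/ip ssh
# NOTE(review): forwarding-enabled=both allows local and remote TCP forwarding
# over SSH, presumably for every account that can log in (including the read-only
# backup group), turning the router into a pivot. Set to no unless required.
set forwarding-enabled=both strong-crypto=yes
/ppp aaa
set interim-update=10m use-radius=yes
/ppp secret
add disabled=yes name=Rodriguez-Ceferino password=***** remote-address=10.95.1.22 service=pppoe
add name=Rpsa password=***** remote-address=10.93.201.1 service=l2tp
/radius
# NOTE(review): require-message-auth=no disables verification of the
# Message-Authenticator attribute on RADIUS responses, which is the client-side
# mitigation for the 2024 RADIUS response-forgery attack (CVE-2024-3596,
# "Blast-RADIUS"). Re-enable it once both servers send Message-Authenticator.
add address=10.93.202.3 comment="Radius 2021" disabled=yes require-message-auth=no secret=***** service=ppp timeout=2s
add address=10.93.202.2 comment="Radius Contabo" require-message-auth=no secret=***** service=ppp
/radius incoming
# CoA/Disconnect on UDP 3799, accepted from the gestion list by the input chain.
set accept=yes
/routing bgp peer
# NOTE(review): no tcp-md5-key on the session. With multihop=yes and the 179/tcp
# rule open to all of gestion, anyone in those ranges can attempt a session.
add comment=Unanue multihop=yes name=Unanue remote-address=10.93.68.1 remote-as=93
/snmp
set contact=tecnicosinternet@funsadu.ar enabled=yes location="Unanue [-37.54372195688438, -64.35209276259351]"
/system clock
set time-zone-name=America/Argentina/Salta
/system identity
set name=Ceferino
/system logging
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=remote topics=info,!pppoe
/system ntp client
set enabled=yes primary-ntp=10.93.1.2
/system ntp server
set enabled=yes
/system scheduler
# NOTE(review): every scheduler entry and script below carries the full policy
# set (write, policy, password, sensitive, ...). auto-bu needs read/sensitive/ftp
# at most; the notification scripts need only read. Trim to least privilege.
add interval=1w name=auto-bu-sch on-event=auto-bu policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=may/31/2024 start-time=03:32:00
add disabled=yes interval=1h name=st on-event=speed-test policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/15/2021 start-time=18:47:00
# NOTE(review): "borrar" deletes EVERY file on flash (skins, backups, reports)
# every 2 minutes if it is ever enabled. Scope the find (e.g. by name) if kept.
add comment="Borramos Archivos" disabled=yes interval=2m name=borrar on-event="/file remove [find ]" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/10/2023 start-time=12:15:43
/system script
# auto-bu: weekly /export + /system backup, both e-mailed to the backups address
# via /tool e-mail (STARTTLS on 587). Both files also stay on flash afterwards.
# NOTE(review): the backup is saved without password= and the export without
# hide-sensitive=yes; on v6 that can mean PPP/RADIUS/wifi secrets leave the
# device in the attachment. Confirm the encryption defaults on this version, or
# pass an explicit backup password and hide-sensitive=yes.
add dont-require-permissions=no name=auto-bu owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\r\n# Variables\r\n:local MailDestinatario \"backups@redesprivadas.com.ar\"\r\n:local MailCC \"backups@redesprivadas.com.ar\"\r\n# Codigo\r\n:local EquipoNombre [/system identity get name]\r\n:global MailFecha [/system clock get date]\r\n:local MailAsunto \"Backup automatico - \$EquipoNombre - \$MailFecha\"\r\n:local MailArchivos \"\$EquipoNombre.rsc,\$EquipoNombre.backup\"\r\n/export file=\$EquipoNombre\r\n/system backup save name=\$EquipoNombre\r\n/delay 5;\r\n/tool e-mail send to=\$MailDestinatario \\\r\nsubject=\$MailAsunto \\\r\ncc=\$MailCC \\\r\nbody=\"Te adjunto unos archivos para que los vayas guardando.\" \\\r\nfile=\$MailArchivos\r\n:delay 22;\r\n:delay 5;\r\n/log warning \"Autobackup ejecutado correctamente.\"\r\n}"
# speed-test: UDP bandwidth test against 10.93.10.1, results written to a
# timestamped report file. Disabled in the scheduler.
# NOTE(review): the bandwidth-test user password is embedded in plaintext
# (password=XRST986CUM11) and is exposed by every export of this device; treat it
# as compromised and rotate it on 10.93.10.1. dont-require-permissions=yes lets
# any caller run it with the script's full policy.
add dont-require-permissions=yes name=speed-test owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local txc\r\n:local txcA\r\n:local txcB\r\n:local txcC\r\n\r\n:local rxc\r\n:local rxcA\r\n:local rxcB\r\n:local rxcC\r\n\r\n:local rxta\r\n:local rxtaA\r\n:local rxtaB\r\n:local rxtaC\r\n\r\n:local txta\r\n:local txtaA\r\n:local txtaB\r\n:local txtaC\r\n\r\n:local sysname [/system identity get name]\r\n:local datetime \"\$[/system clock get date] \$[/system clock get time]\"\r\n\r\n:local month\r\n:local day\r\n:local year\r\n:local hour\r\n:local min\r\n:local filename\r\n:local result\r\n\r\n:set month [:pick \$datetime 0 3]\r\n:set day [:pick \$datetime 4 6]\r\n:set year [:pick \$datetime 7 11]\r\n:set hour [:pick \$datetime 12 14]\r\n:set min [:pick \$datetime 15 17]\r\n:set filename \"\$year\$month\$day-\$hour\$min-report.txt\"\r\n\r\n:log info \"Bandwidth-test start\"\r\n\r\n/tool bandwidth-test protocol=udp direction=both duration=25s local-udp-tx-size=1000 remote-udp-tx-size=1000 address=10.93.10.1 user=speed-test password=XRST986CUM11 do={\r\n\r\n:set \$txcA (\$\"tx-current\" / 1000)\r\n:set \$txcB (\$txcA / 1000 * 1000)\r\n:set \$txcC (\$txcA - \$txcB)\r\n:set \$txcB (\$txcB / 1000)\r\n:set \$txc \"\$txcB.\$txcC\"\r\n\r\n:set \$rxcA (\$\"rx-current\" / 1000)\r\n:set \$rxcB (\$rxcA / 1000 * 1000)\r\n:set \$rxcC (\$rxcA - \$rxcB)\r\n:set \$rxcB (\$rxcB / 1000)\r\n:set \$rxc \"\$rxcB.\$rxcC\"\r\n\r\n:set \$rxtaA (\$\"rx-total-average\" / 1000)\r\n:set \$rxtaB (\$rxtaA / 1000 * 1000)\r\n:set \$rxtaC (\$rxtaA - \$rxtaB)\r\n:set \$rxtaB (\$rxtaB / 1000)\r\n:set \$rxta \"\$rxtaB.\$rxtaC\"\r\n\r\n:set \$txtaA (\$\"tx-total-average\" / 1000)\r\n:set \$txtaB (\$txtaA / 1000 * 1000)\r\n:set \$txtaC (\$txtaA - \$txtaB)\r\n:set \$txtaB (\$txtaB / 1000)\r\n:set \$txta \"\$txtaB.\$txtaC\"\r\n\r\n:set result \$status\r\n\r\n}\r\n\r\n:log info \"Bandwidth-test done\"\r\n\r\n/file print file=\$filename\r\n:delay 5\r\n/file set \$filename contents=\"\$sysname\r\n\r\n\$datetime\r\n\r\n\r\n\r\nResult : \$result\r\n\r\nServer : Ceferino-Unanue\r\n\r\n\r\n\r\nUpload burst speed \$txc Mbps/s\r\nDownload burst speed \$rxc Mbps/s\r\n\r\nUpload total average \$txta Mbps/s\r\nDownload total average \$rxta Mbps/s\"\r\n\r\n:log info \"Speed test results written to \$filename\""
# radiusdown / radiusup: push a notification to ntfy and log a warning. Triggered
# by the "Radius" netwatch entry below.
# NOTE(review): /tool fetch is called without check-certificate=yes; on this
# version the default does not validate the TLS certificate, so the HTTPS here is
# not authenticated (same for the Slack call in slack_init).
add dont-require-permissions=yes name=radiusdown owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool fetch http-method=post http-data=\"Cayo Radius Ceferino\" url=\"https://ntfy.ar/rpsa\"\r\n:log warning \"Cayo la conexion con el Radius!\""
add dont-require-permissions=yes name=radiusup owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool fetch http-method=post http-data=\"Levanto Radius Ceferino\" url=\"https://ntfy.ar/rpsa\"\r\n:log warning \"Levanto la conexion con el Radius!\""
# slack_init: defines the globals $slackWebhook and $sendSlackMessage (JSON-escapes
# the message and POSTs it to the webhook). Used by the "Equipo reseteado" netwatch.
# NOTE(review): the Slack incoming-webhook URL is a bearer secret and sits in
# plaintext in this export; rotate it in Slack. Nothing in this export runs
# slack_init at boot (no startup scheduler), so after a reboot $sendSlackMessage
# is presumably undefined until someone runs the script by hand -- confirm.
add dont-require-permissions=yes name=slack_init owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global slackWebhook \"https://hooks.slack.com/services/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\"\n\n:global sendSlackMessage do={\n :global slackWebhook ;# <-- importante: enlaza la global dentro del do\n\n :local mensaje (\$1)\n\n # Escapar \\\" y \\\\ y saltos de lnea para JSON\n :local m \$mensaje\n :local out \"\"\n :for i from=0 to=([:len \$m]-1) do={\n :local ch [:pick \$m \$i]\n :if (\$ch = \"\\\\\") do={ :set out (\$out . \"\\\\\\\\\") } else={\n :if (\$ch = \"\\\"\") do={ :set out (\$out . \"\\\\\\\"\") }\_else={\n :if (\$ch = \"\\r\") do={ :set out (\$out . \"\\\\r\") }\_else={\n :if (\$ch = \"\\n\") do={ :set out (\$out . \"\\\\n\") } else={\n :set out (\$out . \$ch)\n }\n }\n }\n }\n }\n :set m \$out\n\n :local data (\"{\\\"text\\\":\\\"\" . \$m . \"\\\"}\")\n\n /tool fetch url=\$slackWebhook http-method=post http-data=\$data http-header-field=\"Content-Type: application/json\" keep-result=no\n}"
# cliente / ap: helper scripts that move 192.168.1.1/24 onto the customer or AP
# port (disable every 192.168.1.1/24 address, enable the one with the matching
# comment) and then fetch http://192.168.1.20 once to check the device answers.
add dont-require-permissions=yes name=cliente owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="ip ad disable [find address=\"192.168.1.1/24\"]; ip ad en [find comment=ConfigurarCliente];:delay 1000ms;/tool fetch url=\"http://192.168.1.20\""
add dont-require-permissions=yes name=ap owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="ip ad disable [find address=\"192.168.1.1/24\"]; ip ad en [find comment=ConfigurarAP];:delay 1000ms;/tool fetch url=\"http://192.168.1.20\""
/tool e-mail
# Outbound SMTP for auto-bu (submission port with STARTTLS; the SMTP password is
# masked in the export but stored on the device).
set address=mail.covidelpi.com.ar from="Servicio de Respaldo " password=***** port=587 start-tls=yes user=raul@covidelpi.com.ar
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# NOTE(review): graphing for all interfaces/queues/resources is served by the www
# service; with the default allow-address it is visible to whoever can reach www.
/tool netwatch
add comment=Unanue host=10.93.68.1
# NOTE(review): this entry is named "Radius" but monitors 181.114.219.249, the
# upstream default gateway, not the RADIUS servers (10.93.202.2/.3). Presumably
# intended as a reachability proxy -- confirm, or point it at the real server.
add comment=Radius down-script=radiusdown host=181.114.219.249 up-script=radiusup
add comment=RouterCeleste host=10.95.21.254
add comment="Equipo reseteado" down-script="\$sendSlackMessage (\"Se configuro en \" . [/system identity get name])" host=192.168.1.20 up-script="\$sendSlackMessage (\"Se reseteo un eq. en \"\_. [/system identity get name])"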