# version: 7.20.4 (stable)
# factory-software: 7.9.2
# total-memory: 1024.0MiB
# cpu: ARM
# cpu-count: 4
# total-hdd-space: 512.0MiB
# architecture-name: arm
# board-name: RB4011iGS+
# platform: MikroTik
# installed-version: 7.20.4
#
# (The following lines are "/system history" output that was pasted into the export.)
# Flags: U - UNDOABLE
# Columns: ACTION, BY, POLICY, TIME
# ACTION              BY        POLICY  TIME
# U log action changed sysadmin  write   2025-11-10 12:31:23
# U log action changed sysadmin  write   2025-11-10 12:31:23
# U log action changed sysadmin  write   2025-11-10 12:31:23
# U log action changed sysadmin  write   2025-11-10 12:31:23
#
# software id = IJ93-KX4U
#
# model = RB4011iGS+
# serial number = HEP0922JQKP
#
# ---------------------------------------------------------------------------
# Security review summary (RB4011, ISP edge / PPPoE concentrator "Cuchillo-Co").
# Each point is expanded next to the section it concerns.
#
#  1. The first "input" rule accepts everything from address-list "autorizados",
#     and that list contains 10.94.0.0/16 -- which covers PPPoE-Pool
#     (10.94.11.100-250), dhcp_pool4 (10.94.21.200-250) and br-Omnis
#     (10.94.10.0/24). Every subscriber therefore reaches the router's
#     management plane (SSH 22001, winbox, API, www 60080, SNMP, BGP, SMB)
#     unfiltered. The "gestion" list (10.0.0.0/8, 192.168.0.0/16) has the
#     same problem. Both should be narrowed to real management prefixes.
#  2. TCP/60080 (plain-HTTP management UI) is accepted from ANY source and
#     "/ip service www" has no address= restriction.
#  3. Unneeded wide-open input rules: gre, ipsec-esp and udp 1701/500/4500
#     from anywhere, although only an L2TP *client* is configured here.
#  4. Active RADIUS server is configured with require-message-auth=no
#     (Blast-RADIUS, CVE-2024-3596, mitigation is disabled).
#  5. Weekly backups (plain-text .rsc export + .backup without password=)
#     are e-mailed through "/tool e-mail" with no tls= setting shown.
#  6. "/ip ssh forwarding-enabled=both" turns any SSH login (including the
#     read-only "backup" group) into a TCP pivot into the 10.93/16 core.
#  7. Neighbor discovery is enabled on every static interface, including the
#     uplink VLAN that carries public addresses.
#  8. A DHCP client on unused ether4 would accept a default route and DNS
#     servers from whatever is plugged into that port.
# ---------------------------------------------------------------------------
/interface bridge
# br-Omnis  : subscriber access bridge (radio ports) -- PPPoE service ccUrbano.
# br-locales: local premises bridge (ether10-Locales).
# lobridge  : loopback-style bridge; only disabled 9.9.9.9/x addresses live on it.
add name=br-Omnis
add name=br-locales
add name=lobridge
/interface ethernet
# ether3-Prueba is a "test" port that nevertheless carries a public /30,
# a PPPoE server (ccPruebas) and a (disabled) br-locales membership --
# keep it shut down when no test is running.
set [ find default-name=ether2 ] name=ether2-Switch
set [ find default-name=ether3 ] name=ether3-Prueba
set [ find default-name=ether6 ] name=ether6-RadioDos
set [ find default-name=ether7 ] name=ether7-Radio
set [ find default-name=ether8 ] name=ether8-AP
set [ find default-name=ether9 ] name=ether9-Clientes
set [ find default-name=ether10 ] name=ether10-Locales
set [ find default-name=sfp-sfpplus1 ] name=sfp-Enlace
/interface l2tp-client
# Outbound L2TP/IPsec (PSK) tunnel to the upstream NOC. Because this router is
# the initiator, reply traffic is already covered by the established/related
# input rules; the accept-from-anywhere rules for udp 1701/500/4500, gre and
# ipsec-esp further down are not required for this client (see filter section).
add connect-to=rpsa.redesprivadas.com.ar disabled=no ipsec-secret=***** name=IPsec-rpsa password=***** use-ipsec=yes user=CuchilloCo
/interface wireguard
# NOTE(review): no input rule accepts udp/46427, so a peer handshake only gets
# through if its source address is already in "autorizados" (first input rule)
# -- confirm this is intended, otherwise add an explicit accept for the port.
add listen-port=46427 mtu=1420 name=wg1 private-key=*****
/interface vlan
# vlan130-Sfp carries both the core /24 (10.93.1.0/24) and the public
# 181.114.219.x addresses; it is the effective WAN/uplink interface.
add interface=ether2-Switch name=vlan93-Paneles vlan-id=93
add interface=sfp-Enlace name=vlan130-Sfp vlan-id=130
add interface=sfp-Enlace name=vlan2502-olt vlan-id=2502
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# PPPoE-Pool and dhcp_pool4 both fall inside 10.94.0.0/16, which is listed in
# "autorizados" and "gestion" below -- see summary item 1.
add name=PPPoE-Pool ranges=10.94.11.100-10.94.11.250
add name=dhcp_pool1 ranges=192.168.94.20-192.168.94.250
add name=dhcp_ubnt_pool ranges=192.168.1.20
add name=vpn-Pool ranges=192.168.93.200-192.168.93.250
add name=dhcp_pool4 ranges=10.94.21.200-10.94.21.250
/ip dhcp-server
# No IP address on interface
add address-pool=dhcp_pool1 interface=br-locales lease-time=2h name=dhcp1
# Interface not running
# (name "dhcp_ether9" is misleading: this server is bound to ether8-AP.)
add address-pool=dhcp_ubnt_pool interface=ether8-AP name=dhcp_ether9
add address-pool=dhcp_pool4 interface=ether2-Switch name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# radius-profile: handed to every PPPoE subscriber via RADIUS.
# NOTE(review): 4.4.4.4 is not a documented public resolver (8.8.4.4 is Google's
# secondary) -- verify, subscribers will get a dead secondary DNS otherwise.
# use-encryption=yes requests MPPE, which only negotiates with MS-CHAP; the
# PPPoE servers below also allow PAP (clear-text credentials on the access
# segment) -- consider authentication=mschap2 only.
add dns-server=8.8.8.8,4.4.4.4 local-address=172.16.52.94 name=radius-profile remote-address=PPPoE-Pool session-timeout=1w use-encryption=yes
# ovpn-Profile: management OpenVPN clients, one session per user.
add local-address=10.93.202.1 name=ovpn-Profile only-one=yes remote-address=vpn-Pool
/queue type
add cake-diffserv=diffserv4 cake-rtt-scheme=internet kind=cake name=cake_queue
set 10 pfifo-limit=100
/routing bgp instance
add as=93 name=bgp-instance-1 router-id=10.93.1.2
/routing bgp template
# .redistribute=connected advertises EVERY connected prefix to the iBGP peer,
# including the public test /30 on ether3-Prueba and 192.168.1.0/24 on
# ether9-Clientes. An explicit output filter would be safer.
set default as=93 multihop=yes output.network=bgp-networks .no-client-to-client-reflection=yes .redistribute=connected
/snmp community
# The stock default community (named "public" on a fresh install) is kept and
# only source-restricted. SNMP v1/v2c community strings travel in clear text;
# prefer a renamed community at minimum, SNMPv3 if the poller supports it.
# Rpsa_performance is reachable from the whole 10.0.0.0/8 (includes subscribers).
set [ find default=yes ] addresses=10.93.0.0/16
add addresses=10.0.0.0/8 name=Rpsa_performance
/system logging action
# Remote syslog target 10.93.202.3 is the same host as the *disabled*
# "Radius 2021" entry under /radius -- confirm a collector still listens there.
set 0 memory-lines=20000
set 1 disk-lines-per-file=20000
set 3 remote=10.93.202.3
/user group
# CallCenter: read-only via WebFig only.
# backup: read-only via SSH only (no "sensitive", so it cannot export secrets),
# but SSH port forwarding is enabled globally -- see /ip ssh below.
add name=CallCenter policy="read,web,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!rest-api" skin=call
add name=backup policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
/interface bridge port
add bridge=br-locales disabled=yes interface=ether6-RadioDos
add bridge=br-locales interface=ether10-Locales
add bridge=br-locales disabled=yes interface=ether3-Prueba
add bridge=br-Omnis interface=ether6-RadioDos
add bridge=br-Omnis interface=ether7-Radio
/ip firewall connection tracking
# 10s UDP timeout is very aggressive (default is 10s only for unreplied
# streams); long-lived UDP flows (VoIP, DNS retries, IPsec NAT-T) may be
# re-evaluated as "new" -- this is probably why udp 500/4500 had to be
# accepted unconditionally below.
set udp-timeout=10s
/ip neighbor discovery-settings
# "!dynamic" = MNDP/CDP/LLDP on every static interface, including vlan130-Sfp
# (public addresses) and the subscriber-facing ports. Discovery leaks identity,
# version and addresses; restrict it to a management interface list.
set discover-interface-list=!dynamic
/interface ovpn-server server
# Management OpenVPN. No require-client-certificate= is shown, so (RouterOS
# default) clients authenticate with username/password only; consider
# requiring client certificates and dropping aes256-cbc once clients support GCM.
add certificate=cert_export_funsadu.crt_0 cipher=aes256-cbc,aes256-gcm default-profile=ovpn-Profile keepalive-timeout=1200 mac-address=FE:03:57:01:74:F6 name=ovpn-server1
/interface pppoe-server server
# PAP/CHAP/MS-CHAPv1 only; MS-CHAPv2 is not offered. PAP sends the subscriber
# password in clear text over the radio/fibre access network.
# ccPruebas has no authentication= and so uses the defaults.
add authentication=pap,chap,mschap1 default-profile=radius-profile disabled=no interface=br-Omnis one-session-per-host=yes service-name=ccUrbano
add authentication=pap,chap,mschap1 default-profile=radius-profile disabled=no interface=ether2-Switch service-name=ccCampos
add default-profile=radius-profile disabled=no interface=ether3-Prueba service-name=ccPruebas
add authentication=pap,chap,mschap1 default-profile=radius-profile disabled=no interface=vlan2502-olt service-name=ccFibra
/interface wireguard peers
# allowed-address=10.0.0.0/8 lets this single peer source packets from ANY
# 10.x address, and 10.x is trusted by both "autorizados" and "gestion".
# Narrow it to the peer's tunnel address (a 10.94.1.0/24 host) plus whatever
# prefixes it must genuinely route.
add allowed-address=10.0.0.0/8 interface=wg1 name=Raul public-key="G+kDx8qrD7vrOpTe1sxSzwxaRBu/jkiVgG9F+Lru4jc="
/ip address
# Active public addresses: 181.114.219.253/30 and .30/29 on vlan130-Sfp,
# 181.114.219.201/30 on the test port ether3-Prueba.
# The disabled 9.9.9.9/20 and /12 entries on lobridge are public (non-owned)
# space and should be deleted rather than left disabled.
add address=10.93.1.2/24 interface=vlan130-Sfp network=10.93.1.0
add address=10.94.10.1/24 interface=br-Omnis network=10.94.10.0
add address=181.114.219.253/30 interface=vlan130-Sfp network=181.114.219.252
add address=10.93.0.1/24 interface=ether2-Switch network=10.93.0.0
add address=10.94.21.1/24 interface=ether2-Switch network=10.94.21.0
add address=10.93.21.17/29 disabled=yes interface=br-Omnis network=10.93.21.16
add address=10.95.21.1/24 disabled=yes interface=ether2-Switch network=10.95.21.0
add address=192.168.1.1/24 disabled=yes interface=ether2-Switch network=192.168.1.0
add address=192.168.1.1/24 disabled=yes interface=br-locales network=192.168.1.0
add address=181.114.219.30/29 interface=vlan130-Sfp network=181.114.219.24
add address=181.114.219.201/30 interface=ether3-Prueba network=181.114.219.200
# The two 192.168.1.1/24 entries tagged ConfigurarCliente / ConfigurarAP are
# toggled by the "cliente" and "ap" scripts to reach a factory-default device.
add address=192.168.1.1/24 comment=ConfigurarCliente interface=ether9-Clientes network=192.168.1.0
add address=192.168.1.1/24 comment=ConfigurarAP disabled=yes interface=ether8-AP network=192.168.1.0
add address=10.94.21.1/24 disabled=yes interface=ether8-AP network=10.94.21.0
add address=10.94.21.1/24 disabled=yes interface=ether9-Clientes network=10.94.21.0
add address=10.94.21.82/29 disabled=yes interface=ether9-Clientes network=10.94.21.80
add address=9.9.9.9/20 disabled=yes interface=lobridge network=9.9.0.0
add address=9.9.9.9/12 disabled=yes interface=lobridge network=9.0.0.0
add address=10.94.1.1/24 interface=wg1 network=10.94.1.0
add address=10.94.10.1/24 disabled=yes interface=ether8-AP network=10.94.10.0
/ip arp
add address=10.94.10.209 disabled=yes interface=ether9-Clientes mac-address=F4:92:BF:E5:21:E2
/ip dhcp-client
# Interface not active
# ether4 is otherwise unused. With the RouterOS defaults (add-default-route=yes,
# use-peer-dns=yes) anything plugged into ether4 that speaks DHCP could install
# a competing default route and replace the resolver list. Disable this entry
# or set add-default-route=no use-peer-dns=no.
add interface=ether4
/ip dhcp-server network
add address=10.94.21.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.94.21.1
add address=192.168.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.1.1
add address=192.168.94.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.94.1
/ip dns
# Recursive resolver is on; the input chain only admits udp/53 from "gestion",
# so it is not an open resolver toward the Internet. Upstream queries go out
# as plain UDP -- relevant because a hostname entry (red.rpsa.ar) in the
# "autorizados" list is resolved through these servers (see address-list).
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=10.93.202.2 name=radius type=A
add address=192.168.1.20 name=nuevo type=A
add address=192.168.1.20 name=n type=A
add address=192.168.1.20 name=nuevo.funsadu.ar type=A
add address=181.114.219.105 name=padc1 type=A
add address=181.114.219.106 name=padc2 type=A
/ip firewall address-list
# locales     : subscriber/premises prefixes that get masqueraded.
# gestion     : sources allowed to reach OpenVPN, DNS, NTP, API, SNMP, winbox,
#               RADIUS CoA and BGP on the router. 10.0.0.0/8 + 192.168.0.0/16
#               includes every subscriber pool -- far too broad.
# autorizados : sources accepted by the FIRST input rule for ANY protocol/port.
#               10.94.0.0/16 again includes all subscriber pools.
# ssh_blacklist: dropped in input and forward. 185.0.0.0/8 is a blanket entry
#               that also drops new inbound flows from that whole /8 toward
#               subscribers (forward chain).
add address=10.94.10.0/24 list=locales
add address=10.94.11.0/24 list=locales
add address=192.168.94.0/24 list=locales
add address=10.94.21.0/24 list=locales
add address=10.0.0.0/8 list=gestion
add address=192.168.0.0/16 list=gestion
add address=192.168.1.20 list=locales
add address=41.184.156.64 list=ssh_blacklist
add address=219.128.250.146 list=ssh_blacklist
add address=45.238.18.152 list=ssh_blacklist
add address=196.188.136.79 list=ssh_blacklist
add address=187.188.9.111 list=ssh_blacklist
add address=170.254.165.220 list=ssh_blacklist
add address=118.123.213.221 list=ssh_blacklist
add address=171.107.199.98 list=ssh_blacklist
add address=185.138.132.216 list=ssh_blacklist
add address=182.150.48.140 list=ssh_blacklist
add address=185.132.249.251 list=ssh_blacklist
add address=185.132.249.241 list=ssh_blacklist
add address=220.174.25.172 list=ssh_blacklist
add address=218.92.153.5 list=ssh_blacklist
add address=185.180.143.147 list=ssh_blacklist
add address=41.100.225.231 list=ssh_blacklist
add address=181.46.138.69 list=autorizados
add address=185.0.0.0/8 list=ssh_blacklist
add address=10.93.0.0/16 list=autorizados
add address=10.94.0.0/16 list=autorizados
add address=192.168.18.0/24 list=locales
# A hostname in an address list is re-resolved by the router's own DNS client.
# Whoever can spoof the answer for red.rpsa.ar lands in the accept-everything
# list; prefer a fixed address here (or DoH for the resolver).
add address=red.rpsa.ar list=autorizados
add address=181.114.219.254 list=autorizados
add address=181.114.219.254 list=gestion
add address=138.219.250.23 comment=VDP list=autorizados
add address=138.219.250.23 comment=VDP list=gestion
add address=192.168.99.0/24 list=gestion
add address=192.168.99.0/24 list=autorizados
add address=10.93.1.1 list=gestion
add address=143.92.114.136 list=ssh_blacklist
add address=37.248.179.106 list=ssh_blacklist
/ip firewall filter
# Rule order matters; read top to bottom per chain.
# forward: only established/related accept, invalid drop and a blacklist drop.
# Nothing restricts subscriber-to-subscriber or subscriber-to-core forwarding;
# if that is intentional for an ISP edge, document it.
add action=fasttrack-connection chain=forward comment="Deshabilitamos para usar planes en PPPoE" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# input #1: unconditional accept for "autorizados" -- summary item 1.
add action=accept chain=input src-address-list=autorizados
add action=drop chain=input comment="ssh_blacklist DROP" src-address-list=ssh_blacklist
add action=drop chain=forward comment="ssh_blacklist DROP" src-address-list=ssh_blacklist
add action=accept chain=input dst-port=22001 protocol=tcp src-address-list=autorizados
# SSH (tcp/22001) from non-authorized sources goes through ssh-analisys, i.e.
# SSH is reachable from the whole Internet, rate-limited to the strike scheme
# at the end of this section.
add action=jump chain=input comment="Si es SSH te esperamos" connection-state=new dst-port=22001 jump-target=ssh-analisys protocol=tcp src-address-list=!autorizados
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="drop ssh brute forcers IP" src-address-list=ssh_blacklist
# Plain-HTTP management UI accepted from ANY source (summary item 2). Limit to
# "gestion"/management prefixes, or disable www and use www-ssl.
add action=accept chain=input port=60080 protocol=tcp
add action=accept chain=input comment="Accept establecidas" connection-state=established
add action=accept chain=input comment="Aceptar relacionadas" connection-state=related
add action=accept chain=input comment=OpenVpn port=1194 protocol=tcp src-address-list=gestion
# ICMP unrestricted; acceptable, but a limit= on echo-request is cheap.
add action=accept chain=input comment="Aceptar ICMP" protocol=icmp
add action=accept chain=input port=53 protocol=udp src-address-list=gestion
add action=accept chain=input comment=NTP port=123 protocol=udp src-address-list=gestion
# gre, ipsec-esp and udp 1701/500/4500 are accepted from anywhere, yet the only
# tunnel configured is the outbound L2TP/IPsec client (replies are already
# established). No GRE/EoIP interface exists in this export. Narrow these to
# the tunnel peer or remove them (summary item 3).
add action=accept chain=input protocol=gre
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
# API is the plain-text variant (api-ssl is disabled in /ip service).
add action=accept chain=input comment=API port=8728 protocol=tcp src-address-list=gestion
add action=accept chain=input comment=snmp port=161 protocol=udp src-address-list=gestion
add action=accept chain=input comment=winbox port=8291 protocol=tcp src-address-list=gestion
# RADIUS CoA/Disconnect (udp/3799) should only be accepted from the RADIUS
# server (10.93.202.2), not from all of "gestion".
add action=accept chain=input comment="Radius Incomming" port=3799 protocol=udp src-address-list=gestion
# BGP: the only peer is 10.93.1.1; src-address=10.93.1.1 would be tighter than
# the whole "gestion" list. No TCP MD5/AO key is visible on the connection.
add action=accept chain=input comment=BGP port=179 protocol=tcp src-address-list=gestion
# Redundant: 10.93.1.1 is inside 10.93.0.0/16, already accepted by rule #1.
add action=accept chain=input comment="desde Unanue" src-address=10.93.1.1
add action=drop chain=input comment="bloquear todo lo demas"
# ssh-analisys: three-strike scheme. add-src-to-address-list is non-terminating,
# so the 3rd new connection within 30s is still accepted (and logged) and the
# source is only dropped from the 4th onward by the input-chain blacklist rule.
# Net effect: ~3 password attempts per 30s window per source, for 2 weeks
# after a strike-out. Given SSH is Internet-reachable, key-only authentication
# (or an "autorizados"-only SSH rule) is the real fix.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=ssh-analisys comment="ssh_blacklist CANDIDATE 3 - final strike " log=yes src-address-list=ssh_blacklist_CANDIDATE_2
add action=add-src-to-address-list address-list=ssh_blacklist_CANDIDATE_2 address-list-timeout=30s chain=ssh-analisys comment="ssh_blacklist CANDIDATE 2" src-address-list=ssh_blacklist_CANDIDATE_1
add action=add-src-to-address-list address-list=ssh_blacklist_CANDIDATE_1 address-list-timeout=30s chain=ssh-analisys comment="ssh_blacklist CANDIDATE 1"
add action=accept chain=ssh-analisys comment="Allow SSH connections from outside"
/ip firewall nat
# Masquerade for subscriber prefixes. The src-address-list=locales rule has no
# out-interface, so even locales->core traffic is NATed. The
# out-interface=ether9-Clientes rule appears twice (duplicate).
add action=masquerade chain=srcnat out-interface=ether8-AP
add action=masquerade chain=srcnat src-address-list=locales
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.1
add action=masquerade chain=srcnat dst-address=192.168.1.20
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.38.1
add action=masquerade chain=srcnat disabled=yes dst-address=10.94.10.254
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.2
add action=masquerade chain=srcnat out-interface=ether9-Clientes
add action=masquerade chain=srcnat dst-address=10.94.21.213
add action=masquerade chain=srcnat out-interface=ether9-Clientes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# Default via the upstream /30. The two 10.168.0.0/16 routes share distance=1,
# so they load-balance (ECMP) rather than fail over; give the backup a higher
# distance if failover was the intent. NOTE(review): 10.23.0.1 is not in any
# connected subnet shown here -- that route may never become active.
# Blackholes for RFC1918 aggregates prevent leaking unrouted private traffic
# to the default gateway.
add distance=1 gateway=181.114.219.254
add distance=1 dst-address=10.93.0.0/16 gateway=10.93.1.1
add check-gateway=ping distance=1 dst-address=10.168.0.0/16 gateway=10.93.1.1
add check-gateway=ping distance=1 dst-address=10.168.0.0/16 gateway=10.23.0.1
add distance=1 dst-address=181.114.219.0/24 gateway=181.114.219.254
add blackhole dst-address=10.0.0.0/8
add blackhole distance=1 dst-address=10.94.0.0/16
add blackhole distance=1 dst-address=192.168.0.0/16
add dst-address=10.95.0.0/16 gateway=181.114.219.254
/ip service
# ftp/telnet disabled (good). winbox/api are address-limited to 10.0.0.0/8,
# which still includes every subscriber pool. www (HTTP) has NO address=
# restriction and is opened to the world by the filter above; api-ssl is
# disabled while plain api is enabled -- invert that. No www-ssl entry is
# shown, so HTTPS management is presumably off.
set ftp disabled=yes
set telnet disabled=yes
set winbox address=10.0.0.0/8,192.168.93.0/24
set api address=10.0.0.0/8
set api-ssl disabled=yes
set ssh port=22001
set www port=60080
/ip smb shares
# A share named "sharethis" exposing directory "moab" exists. Whether the SMB
# service itself is enabled is not visible in this export; if it is, it is
# reachable from the whole "autorizados" list (i.e. all subscribers).
set [ find default=yes ] directory=/skins
add directory=moab name=sharethis
/ip ssh
# strong-crypto=yes is good. forwarding-enabled=both allows local and remote
# TCP forwarding for ANY SSH user, including the read-only "backup" group --
# an SSH credential becomes a pivot into 10.93/16. Set forwarding-enabled=no
# unless a workflow needs it (summary item 6).
set forwarding-enabled=both strong-crypto=yes
/ppp aaa
set interim-update=5m use-radius=yes
/ppp secret
add name=GestionRadius password=***** remote-address=10.93.202.2 service=ovpn
add name=GestionAircontrol2 password=***** remote-address=10.93.202.5 service=ovpn
add name=Galpon-Cuchillo password=***** service=pppoe
/radius
# require-message-auth=no on the active "Radius Contabo" server disables the
# Message-Authenticator requirement, i.e. the Blast-RADIUS (CVE-2024-3596)
# mitigation. Set it to yes once the RADIUS server is confirmed to send the
# attribute in every Access-Accept/Reject/Challenge (summary item 4).
# RADIUS traffic crosses the 10.93/16 core to reach 10.93.202.2; the secret is
# only MD5-obfuscated, so that path should be a tunnel, not raw transit.
add address=10.93.202.3 comment="Radius 2021" disabled=yes require-message-auth=no secret=***** service=ppp timeout=2s
add address=10.93.202.2 comment="Radius Contabo" require-message-auth=no secret=***** service=ppp timeout=1s
/radius incoming
# Accepts CoA/Disconnect on udp/3799 (filtered to "gestion" above -- too broad).
set accept=yes
/routing bgp connection
# iBGP to Unanue (10.93.1.1). No tcp-md5-key is shown; add one if the peer
# supports it, and tighten the 179/tcp input rule to this address.
add comment=Unanue connect=yes instance=bgp-instance-1 listen=yes local.port=179 .role=ibgp name=Unanue remote.address=10.93.1.1 .as=93 templates=default
/snmp
# SNMP enabled; location string embeds GPS coordinates of the site.
set contact=tecnicos.funsadu@gmail.com enabled=yes location="CuchilloCo [-38.33384983670529, -64.64349365199425]"
/system clock
set time-zone-name=America/Argentina/Salta
/system identity
set name=4011-Cuchillo-Co
/system logging
# Only "warning" (minus pppoe) is shipped to the remote collector; error and
# critical stay on local disk/memory and "system,account" (logins, config
# changes) are not exported at all. For detection, send at least
# critical,error,warning,system,account remotely.
set 0 topics=info,!pppoe
set 1 action=disk topics=error,!pppoe
set 2 action=disk
set 3 action=disk
add action=remote topics=warning,!pppoe
add topics=error
add disabled=yes topics=info
/system ntp client
set enabled=yes
/system ntp server
# NTP server is on; udp/123 is admitted only from "gestion", so it is not an
# Internet-facing NTP responder.
set enabled=yes
/system ntp client servers
add address=162.159.200.1
add address=168.96.251.226
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
# auto-bu-sch: weekly backup job (see script auto-bu).
# Reboot_Router: no interval=, so it fires once on 2025-01-18 and is now stale.
# Both carry the full policy set including policy/password/sensitive, far more
# than "/system reboot" or a backup needs.
add interval=1w name=auto-bu-sch on-event=auto-bu policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2021-11-30 start-time=03:32:00
add comment="Reboot Router" name=Reboot_Router on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2025-01-18 start-time=01:00:00
/system script
# auto-bu: runs "/export" (plain-text .rsc; secrets masked, topology, address
# lists, community names and peer keys NOT masked) and "/system backup save"
# WITHOUT password=, then e-mails both files to a third-party mailbox through
# /tool e-mail. Add password= to the backup and tls=starttls to /tool e-mail
# (summary item 5). Policy list is wider than the script needs.
add dont-require-permissions=no name=auto-bu owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\r\n# Variables\r\n:local MailDestinatario \"backups@redesprivadas.com.ar\"\r\n:local MailCC \"backups@redesprivadas.com.ar\"\r\n# Codigo\r\n:local EquipoNombre [/system identity get name]\r\n:global MailFecha [/system clock get date]\r\n:local MailAsunto \"Backup automatico - \$EquipoNombre - \$MailFecha\"\r\n:local MailArchivos \"\$EquipoNombre.rsc,\$EquipoNombre.backup\"\r\n/export file=\$EquipoNombre\r\n/system backup save name=\$EquipoNombre\r\n/delay 5;\r\n/tool e-mail send to=\$MailDestinatario \\\r\nsubject=\$MailAsunto \\\r\ncc=\$MailCC \\\r\nbody=\"Te adjunto unos archivos para que los vayas guardando.\" \\\r\nfile=\$MailArchivos\r\n:delay 22;\r\n:delay 5;\r\n/log warning \"Autobackup ejecutado correctamente.\"\r\n}"
# The scripts below use dont-require-permissions=yes so netwatch can launch
# them; they only log or POST a one-line notification, yet carry the full
# policy set. Trim each to what its body actually needs.
add dont-require-permissions=yes name=pagelaup owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log warning \"Pagela Up!\""
add dont-require-permissions=yes name=pageladown owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log warning \"Pagela Down!\""
# radiusdown/radiusup: POST to a public ntfy topic. /tool fetch is called
# without check-certificate=yes (RouterOS default is no verification), and the
# topic URL is the only secret -- anyone who learns it can read or forge
# "Radius up/down" messages. Low impact, but worth knowing.
add dont-require-permissions=yes name=radiusdown owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool fetch http-method=post http-data=\"Cayo Radius Cuchilloco\" url=\"https://ntfy.ar/rpsa\"\r\n:log warning \"Cayo la conexion con el Radius!\""
add dont-require-permissions=yes name=radiusup owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool fetch http-method=post http-data=\"Levanto Radius Cuchilloco\" url=\"https://ntfy.ar/rpsa\"\r\n:log warning \"Levanto la conexion con el Radius!\""
# cliente/ap: disable every 192.168.1.1/24 address, enable the one tagged for
# the chosen port, wait 1s, then fetch http://192.168.1.20 (factory-default
# device) as a reachability probe.
add dont-require-permissions=yes name=cliente owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="ip ad disable [find address=\"192.168.1.1/24\"]; ip ad en [find comment=ConfigurarCliente];:delay 1000ms;/tool fetch url=\"http://192.168.1.20\""
add dont-require-permissions=yes name=ap owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="ip ad disable [find address=\"192.168.1.1/24\"]; ip ad en [find comment=ConfigurarAP];:delay 1000ms;/tool fetch url=\"http://192.168.1.20\""
/tool e-mail
# No tls= is shown, so submission on port 587 is presumably unencrypted and the
# mailbox password and the backup attachments travel in clear text -- set
# tls=starttls. NOTE(review): from= contains only a display name (with a
# trailing space), no address; some MTAs reject that.
set from="Servicio de Respaldo " password=***** port=587 server=mail.covidelpi.com.ar user=raul@covidelpi.com.ar
/tool graphing interface
add
/tool graphing resource
add
add
add
/tool netwatch
# Simple ICMP probes; the Radius probe drives the radiusdown/radiusup scripts.
add comment=Internet host=8.8.8.8 type=simple
add comment=Unanue host=10.93.1.1 type=simple
add comment=Radius disabled=no down-script=radiusdown host=10.93.202.2 type=simple up-script=radiusup
add comment="Equipo reseteado" host=192.168.1.20 type=simple
add comment=Casuccio host=10.94.21.45 type=simple