# version: 6.49.18 (stable)
# total-memory: 128.0MiB
# cpu: MIPS 74Kc V4.12
# cpu-count: 1
# total-hdd-space: 128.0MiB
# architecture-name: mipsbe
# board-name: RB2011UiAS-2HnD
# platform: MikroTik
# installed-version: 6.49.18
# Flags: U - undoable, R - redoable, F - floating-undo
# ACTION BY POLICY
#
# software id = 04T8-ZJNK
#
# model = 2011UiAS-2HnD
# serial number = 63FC05AFE74C
#
# Reviewer notes: RouterOS 6.49.18 export of the "Unanue" edge router (RB2011). Secrets are
# masked as ***** by the export. The export had been collapsed onto a few very long lines; it
# is laid out here one command per line. Order matters in /ip firewall filter and nat.
/interface bridge
add name=br-Locales
add name=br0
add name=lobridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PC
set [ find default-name=ether2 ] name=ether2-Prueba
set [ find default-name=ether6 ] name=ether6-EnlaceCeferino
set [ find default-name=ether7 ] name=ether7-Radio
# ether8/ether9 comments are used as selectors by the 'ap' and 'cliente' scripts
# (ip ad en [find comment=ConfigurarAP|ConfigurarCliente]); renaming them breaks those scripts.
set [ find default-name=ether8 ] comment=ConfigurarAP
set [ find default-name=ether9 ] comment=ConfigurarCliente name=ether9-Clientes
set [ find default-name=ether10 ] name=ether10-Internet
# Site-to-site L2TP client toward rpsa; IPsec (PSK) wraps the L2TP tunnel.
/interface l2tp-client
add connect-to=rpsa.redesprivadas.com.ar ipsec-secret=***** name=L2tp-Rpsa password=***** use-ipsec=yes user=Unanue
# vlan407-ADC carries the default route (see /ip route); vlan130-Sfp is the CuchilloCo link.
/interface vlan
add interface=sfp1 name=vlan130-Sfp vlan-id=130
add interface=sfp1 name=vlan407-ADC vlan-id=407
# Certificate-based OVPN client to the RADIUS/management host (currently disabled).
/interface ovpn-client
add certificate=funsadu cipher=aes256 connect-to=vpn.funsadu.ar disabled=yes mac-address=FE:1A:E7:45:D2:D3 name=ovpn-Radius user=unanue
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): profile 'funsadu' still offers WPA1 (wpa-psk) and TKIP. Both are deprecated
# and weaken the whole BSS; move to authentication-types=wpa2-psk group-ciphers=aes-ccm once
# no legacy client depends on them (confirm with the client inventory first).
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=funsadu supplicant-identity="" wpa-pre-shared-key=***** wpa2-pre-shared-key=*****
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto mode=ap-bridge security-profile=funsadu ssid=funsadu
/ip pool
add name=vpn-Pool ranges=192.168.93.200-192.168.93.250
# PPPoE customers land in 192.168.80.0/20 - this range is inside the 'gestion' address list
# (192.168.0.0/16) used later to unlock management ports; see the firewall filter notes.
add name=PPPoE-Pool ranges=192.168.80.0/20
# dhcp_Publicas and dhcp_pool12 cover the same public range; only dhcp_pool12 is referenced by
# a DHCP server in this export. dhcp_pool5 is not referenced anywhere in this export either.
add name=dhcp_Publicas ranges=181.114.219.34-181.114.219.46
add name=dhcp_pool5 ranges=10.93.10.20-10.93.10.250
add name=pool_ubiquiti ranges=192.168.1.18-192.168.1.20
add name=dhcp_pool11 ranges=10.93.68.20-10.93.68.24
add name=dhcp_pool12 ranges=181.114.219.34-181.114.219.46
/ip dhcp-server
add address-pool=pool_ubiquiti disabled=no interface=ether9-Clientes name=dhcp-ubiquiti
add address-pool=dhcp_pool11 interface=ether7-Radio name=dhcp3
# Hands out public addresses to the Wi-Fi/ether2 bridge (br-Locales).
add address-pool=dhcp_pool12 disabled=no interface=br-Locales name=dhcp-Locales
/ppp profile
# PPPoE subscriber profile. use-encryption=yes permits MPPE; RouterOS only enforces it with
# use-encryption=required - TODO confirm whether encryption is meant to be mandatory.
add dns-server=172.16.52.93,8.8.8.8 local-address=172.16.52.93 name=ppp-Profile only-one=yes remote-address=PPPoE-Pool session-timeout=1w use-encryption=yes
# Shared by the OVPN server and the L2TP server (see both server sections below).
add local-address=10.93.202.1 name=ovpn-Profile only-one=yes remote-address=vpn-Pool
/routing bgp instance
# redistribute-connected=yes announces every connected prefix to the iBGP peers, including the
# 192.168.x test subnets on ether9/ether3/ether8 whenever they are enabled.
set default as=93 redistribute-connected=yes router-id=181.114.219.255
/snmp community
# The built-in default community stays enabled (source-restricted to 10.94.0.0/16); a second
# community is open to all of 10.0.0.0/8. Both are v1/v2c communities as exported here.
set [ find default=yes ] addresses=10.94.0.0/16
add addresses=10.0.0.0/8 name=Rpsa_performance
/system logging action
set 0 memory-lines=20000
set 1 disk-lines-per-file=20000
# Built-in remote action -> syslog to 10.93.202.3 (plain syslog; the host is reached over the
# management tunnel, see /ppp secret GestionAircontrol2, which is currently disabled).
set 3 remote=10.93.202.3
/user group
# CallCenter: read-only WebFig with a custom skin, no CLI/API.
add name=CallCenter policy="read,web,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp" skin=call
# backup: read-only over SSH. Note /ip ssh forwarding-enabled=both in this export lets any SSH
# account, including this one, open TCP port forwards through the router.
add name=backup policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
#error exporting /interface bridge calea
/interface bridge port
add bridge=br0 interface=ether3
add bridge=br0 interface=ether4
add bridge=br0 interface=ether5
# br-Locales = Wi-Fi + ether2-Prueba; ether2-Prueba therefore is a bridge slave port.
add bridge=br-Locales interface=wlan1
add bridge=br-Locales interface=ether2-Prueba
/ip firewall connection tracking
set enabled=yes
# Remote-access L2TP/IPsec (PSK) server; clients get 192.168.93.200-250 via ovpn-Profile.
/interface l2tp-server server
set default-profile=ovpn-Profile enabled=yes ipsec-secret=***** use-ipsec=yes
# OVPN server with certificate 'funsadu' (certificate itself is not part of this export).
/interface ovpn-server server
set certificate=funsadu cipher=aes256 default-profile=ovpn-Profile enabled=yes keepalive-timeout=1200
/interface pppoe-server server
# NOTE(review): authentication=pap,chap,mschap1 - PAP carries the password in clear over the
# access network, CHAP/MS-CHAPv1 are cryptographically weak, and MS-CHAPv2 is not offered.
# Adding mschap2 depends on the RADIUS server (10.93.202.2) supporting it; verify before changing.
add authentication=pap,chap,mschap1 default-profile=ppp-Profile disabled=no interface=ether7-Radio service-name=PPPoE-Unanue
# Service is on a slave interface
# (ether2-Prueba is a bridge port of br-Locales, so this PPPoE server instance is not
# effective on it; bind it to br-Locales or remove it.)
add authentication=pap,chap,mschap1 default-profile=ppp-Profile disabled=no interface=ether2-Prueba
/interface wireless connect-list
add interface=wlan1 security-profile=funsadu ssid=FUNSADU
/ip address
# Uplink /30 toward the ADC provider (default route gateway 192.168.218.85).
add address=192.168.218.86/30 interface=vlan407-ADC network=192.168.218.84
add address=10.93.1.1/24 interface=vlan130-Sfp network=10.93.1.0
add address=10.93.10.1/24 interface=ether7-Radio network=10.93.10.0
add address=192.168.38.2/24 disabled=yes interface=ether9-Clientes network=192.168.38.0
add address=181.114.219.251 interface=lobridge network=181.114.219.251
add address=181.114.219.254/30 interface=vlan130-Sfp network=181.114.219.252
# The several 192.168.1.1 entries are toggled by the 'ap'/'cliente' scripts
# (ip ad disable [find address="192.168.1.1/24"] then enable by comment).
add address=192.168.1.1/24 comment=ConfigurarCliente interface=ether9-Clientes network=192.168.1.0
add address=10.93.21.1/24 interface=ether7-Radio network=10.93.21.0
add address=10.93.68.1/24 interface=ether7-Radio network=10.93.68.0
add address=181.114.219.249/30 interface=ether7-Radio network=181.114.219.248
add address=192.168.1.1/24 disabled=yes interface=ether7-Radio network=192.168.1.0
add address=181.114.219.25/29 interface=vlan130-Sfp network=181.114.219.24
add address=181.114.219.205/30 interface=ether7-Radio network=181.114.219.204
add address=10.93.21.57/29 disabled=yes interface=ether6-EnlaceCeferino network=10.93.21.56
add address=181.114.219.247 comment="prueba de monitor" interface=lobridge network=181.114.219.248
add address=192.168.1.1/24 disabled=yes interface=ether3 network=192.168.1.0
add address=192.168.1.1/29 disabled=yes interface=ether2-Prueba network=192.168.1.0
add address=192.168.1.1/24 comment=ConfigurarAP disabled=yes interface=ether8 network=192.168.1.0
# Public /28 on the Wi-Fi/ether2 bridge (served by dhcp-Locales).
add address=181.114.219.33/28 interface=br-Locales network=181.114.219.32
add address=10.93.10.1/24 disabled=yes interface=ether9-Clientes network=10.93.10.0
add address=10.93.10.1/24 disabled=yes interface=ether8 network=10.93.10.0
add address=10.93.21.1/24 disabled=yes interface=ether8 network=10.93.21.0
# DHCP client on the customer port deliberately takes neither a default route nor DNS from
# the lease, so a rogue DHCP server on ether9 cannot hijack routing or resolution.
/ip dhcp-client
add add-default-route=no disabled=no interface=ether9-Clientes use-peer-dns=no
/ip dhcp-server network
add address=10.93.10.0/24 gateway=10.93.10.1
add address=10.93.68.0/24 gateway=10.93.68.1
add address=181.114.219.32/28 dns-server=1.1.1.1,1.1.1.1 gateway=181.114.219.33
# Gateway 192.168.1.2 while this router holds 192.168.1.1 - presumably the Ubiquiti device
# is the gateway for that segment; TODO confirm.
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.2
add address=192.168.93.0/24 dns-server=172.16.52.93,8.8.8.8 gateway=192.168.93.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for every source the input chain
# accepts; with the broad "allow from internal interface" rule that is every non-uplink network
# (PPPoE and Wi-Fi customers included). Upstream resolver is 10.93.1.2 (CuchilloCo).
set allow-remote-requests=yes servers=10.93.1.2
/ip dns static
add address=159.65.188.191 name=vpn.funsadu.ar
add address=10.93.202.2 name=radius
add address=10.93.1.2 name=cc
add address=192.168.1.20 name=ubnt
add address=10.93.202.2 name=radius.funsadu.ar
add address=10.93.202.2 name=gestion.funsadu.ar
add address=10.93.202.2 name=radio.funsadu.ar
add address=10.93.202.2 name=radios.funsadu.ar
add address=181.114.219.250 name=ceferino
add address=10.93.201.3 name=acha
add address=192.168.1.20 name=nuevo
add address=192.168.1.20 name=n
/ip firewall address-list
# locales     - sources that get masqueraded (srcnat)
# gestion     - sources allowed to reach management ports (winbox/api/snmp/radius-coa/bgp)
# autorizados - sources allowed to reach SSH/OVPN/L2TP-IPsec without rate limiting
# permitidos  - sources allowed to reach 80/443/22 inside 181.114.219.0/24 (forward chain)
# ssh_blacklist - dropped in both input and forward; also fed by the ssh-analisys chain
add address=192.168.93.0/24 list=locales
add address=10.93.10.0/24 list=locales
# NOTE(review): 'gestion' is all of 10.0.0.0/8 and 192.168.0.0/16. That covers the PPPoE pool
# (192.168.80.0/20) and the radio/customer subnets 10.93.10/21/68.0/24, so subscribers count
# as management sources for the filter rules; only the /ip service address filters still
# keep them away from winbox/api. Narrow this to the real NOC prefixes.
add address=10.0.0.0/8 list=gestion
add address=192.168.0.0/16 list=gestion
add address=170.254.205.98 list=ssh_blacklist
add address=47.242.108.116 list=ssh_blacklist
add address=181.46.138.70 list=permitidos
add address=120.198.71.132 list=ssh_blacklist
add address=41.184.156.64 list=ssh_blacklist
add address=219.128.250.146 list=ssh_blacklist
add address=45.238.18.152 list=ssh_blacklist
add address=196.188.136.79 list=ssh_blacklist
add address=187.188.9.111 list=ssh_blacklist
add address=170.254.165.220 list=ssh_blacklist
add address=118.123.213.221 list=ssh_blacklist
add address=171.107.199.98 list=ssh_blacklist
add address=185.138.132.216 list=ssh_blacklist
add address=182.150.48.140 list=ssh_blacklist
# Two RFC1918 sources made it onto the SSH blacklist - brute-force attempts from inside a
# VPN/customer segment; worth tracing rather than just leaving them listed.
add address=192.168.252.249 list=ssh_blacklist
add address=185.132.249.251 list=ssh_blacklist
add address=185.132.249.241 list=ssh_blacklist
add address=192.168.103.246 list=ssh_blacklist
add address=220.174.25.172 list=ssh_blacklist
add address=218.92.153.5 list=ssh_blacklist
add address=185.180.143.147 list=ssh_blacklist
add address=41.100.225.231 list=ssh_blacklist
add address=181.46.138.69 list=autorizados
add address=45.93.201.126 list=ssh_blacklist
add address=146.88.240.4 list=ssh_blacklist
add address=74.120.14.42 list=ssh_blacklist
add address=167.248.133.114 list=ssh_blacklist
add address=192.168.0.0/16 list=locales
add address=10.93.0.0/16 disabled=yes list=locales
add address=10.93.0.0/24 list=permitidos
add address=10.94.0.0/16 list=permitidos
add address=10.93.0.0/16 list=permitidos
add address=181.117.241.17 list=autorizados
add address=181.46.138.66 list=autorizados
# NOTE(review): a DNS name in a management allowlist is resolved through /ip dns (upstream
# 10.93.1.2); a poisoned or hijacked answer would admit an attacker's address to 'autorizados'.
# Prefer a static address here.
add address=red.rpsa.ar list=autorizados
add address=66.94.117.230 list=autorizados
add address=200.14.38.0/24 list=autorizados
add address=190.227.179.51 list=autorizados
add address=181.114.219.20 list=prueba
add address=10.93.202.2 list=autorizados
add address=10.94.21.0/24 list=locales
#error exporting /ip firewall calea
/ip firewall filter
# Fasttrack is ENABLED here although the comment says it was to be disabled for PPPoE plans:
# fast-tracked established/related flows bypass simple queues and the later forward rules
# (ssh_blacklist drop, 80/443/22 drops) for the life of the connection. Disable it if the
# per-subscriber plans are expected to work.
add action=fasttrack-connection chain=forward comment="Deshabilitamos para usar planes en PPPoE" connection-state=established,related
add action=drop chain=forward dst-address-list=prueba
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# Trusted sources reach SSH (22001) unconditionally and never enter the ssh-analisys chain.
add action=accept chain=input dst-port=22001 protocol=tcp src-address-list=autorizados
# Duplicate of the 'prueba' drop two rules above.
add action=drop chain=forward dst-address-list=prueba
# These two hosts get unrestricted access to every router service (all ports/protocols).
add action=accept chain=input comment="aceptamos cc108" src-address=138.219.251.108
add action=drop chain=input comment="ssh_blacklist DROP" src-address-list=ssh_blacklist
add action=accept chain=input comment="Speed Test desde Belgrano" src-address=138.219.250.23
add action=drop chain=forward comment="ssh_blacklist DROP" src-address-list=ssh_blacklist
# Every new SSH connection from a non-trusted source is counted in ssh-analisys (3 within 30s
# -> ssh_blacklist for 2 weeks) and then returns here; the generic 22001 accept further down
# lets the connection through.
add action=jump chain=input comment="Si es SSH te esperamos" connection-state=new dst-port=22001 jump-target=ssh-analisys protocol=tcp src-address-list=!autorizados
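add action=drop chain=input comment="Drop invalid" connection-state=invalid
# Service-port rules below originally used port=, which matches EITHER the source OR the
# destination port. A remote host chooses its own source port, so e.g. a TCP segment sent
# FROM port 60080 to any listener on the router matched the unconditional 60080 accept and
# bypassed the later per-service restrictions. All of them are dst-port= now, which is what
# the rules intend (the router's services listen on that port). The "Bloqueo delicados" drops
# are converted too: with port= they also discarded legitimate replies whose source port
# happened to be one of those values, since they sit before the established/related accepts.
add action=accept chain=input comment=OpenVpn dst-port=1194 protocol=tcp src-address-list=autorizados
# Management ports are dropped for everything outside 'gestion' (10.0.0.0/8, 192.168.0.0/16).
# The PPPoE pool 192.168.80.0/20 and the radio subnets 10.93.x.0/24 fall inside 'gestion', so
# subscribers are NOT stopped here; only the /ip service address filters still limit them.
add action=drop chain=input comment="Bloqueo delicados" dst-port=4153 protocol=tcp src-address-list=!gestion
add action=drop chain=input comment="Bloqueo delicados" dst-port=8291 protocol=tcp src-address-list=!gestion
add action=drop chain=input comment="Bloqueo delicados" dst-port=8728 protocol=tcp src-address-list=!gestion
add action=drop chain=input comment="Bloqueo delicados" dst-port=8729 protocol=tcp src-address-list=!gestion
add action=drop chain=input comment="Bloqueo delicados" dst-port=3799 protocol=udp src-address-list=!gestion
# NOTE(review): plain-HTTP WebFig (www service on 60080, bound to 0.0.0.0/0) is accepted from
# ANY source, including the uplink VLAN, and logins travel in cleartext. Add
# src-address-list=gestion (or autorizados) here and move management to www-ssl.
add action=accept chain=input dst-port=60080 protocol=tcp
add action=accept chain=input comment="Accept establecidas" connection-state=established
add action=accept chain=input comment="Aceptar relacionadas" connection-state=related
add action=accept chain=input comment="Aceptar ICMP" protocol=icmp
# SSH (22001) is accepted from anywhere; untrusted sources were already counted by the
# ssh-analisys chain above, so this is rate-limited rather than restricted.
add action=accept chain=input comment="Aceptar ssh" dst-port=22001 protocol=tcp
# Remote-access tunnels (L2TP/IPsec, GRE) only from the 'autorizados' list.
add action=accept chain=input protocol=gre src-address-list=autorizados
add action=accept chain=input protocol=ipsec-esp src-address-list=autorizados
add action=accept chain=input dst-port=1701,500,4500 protocol=udp src-address-list=autorizados
# NOTE(review): this accepts EVERYTHING destined to the router on every interface except the
# uplink VLAN - PPPoE subscribers on ether7-Radio, Wi-Fi/ether2 clients on br-Locales, the
# public /28 and /30 segments, DNS (allow-remote-requests=yes), SNMP, BGP, WebFig... Only the
# five ports dropped above are excluded for non-gestion sources. Replace the negated match
# with an explicit list of trusted interfaces.
add action=accept chain=input comment="allow from internal interface" in-interface=!vlan407-ADC
# The per-service accepts below only ever see traffic arriving on vlan407-ADC, because the
# rule above has already accepted everything from the other interfaces.
add action=accept chain=input comment=snmp dst-port=161 protocol=udp src-address-list=gestion
add action=accept chain=input comment=API dst-port=8728 protocol=tcp src-address-list=gestion
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp src-address-list=gestion
add action=accept chain=input comment="Radius Incomming" dst-port=3799 protocol=udp src-address-list=gestion
add action=accept chain=input comment=BGP dst-port=179 protocol=tcp src-address-list=gestion
# Forward: only 'permitidos' sources may open 443/80/22 toward hosts in the public /24.
# Established flows were fast-tracked/accepted at the top of the forward chain, so these
# rules only evaluate the first packet of a new connection.
add action=drop chain=forward dst-address=181.114.219.0/24 dst-port=443 protocol=tcp src-address-list=!permitidos
add action=drop chain=forward dst-address=181.114.219.0/24 dst-port=80 protocol=tcp src-address-list=!permitidos
add action=drop chain=forward dst-address=181.114.219.0/24 dst-port=22 protocol=tcp src-address-list=!permitidos
# NTP service for non-uplink interfaces; replies to the router's own NTP client are already
# covered by the established rule above.
add action=accept chain=input comment=Ntp dst-port=123 in-interface=!vlan407-ADC protocol=udp
add action=drop chain=input comment="bloquear todo lo demas"
# ssh-analisys: add-src-to-address-list is non-terminating (passthrough by default), so each
# new SSH connection from an untrusted source walks all three rules and is then accepted.
# 1st hit -> CANDIDATE_1 (30s); 2nd within 30s -> CANDIDATE_2 (30s); 3rd -> ssh_blacklist for
# 2 weeks (logged). The input-chain "ssh_blacklist DROP" then blocks the 4th attempt onward.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w chain=ssh-analisys comment="ssh_blacklist CANDIDATE 3 - final strike " log=yes src-address-list=ssh_blacklist_CANDIDATE_2
add action=add-src-to-address-list address-list=ssh_blacklist_CANDIDATE_2 address-list-timeout=30s chain=ssh-analisys comment="ssh_blacklist CANDIDATE 2" src-address-list=ssh_blacklist_CANDIDATE_1
add action=add-src-to-address-list address-list=ssh_blacklist_CANDIDATE_1 address-list-timeout=30s chain=ssh-analisys comment="ssh_blacklist CANDIDATE 1"
add action=accept chain=ssh-analisys comment="Allow SSH connections from outside"
/ip firewall nat
# Source NAT for the 'locales' ranges plus a number of host/subnet-specific masquerades; most
# of the host-specific entries are disabled leftovers from earlier tests.
add action=masquerade chain=srcnat src-address-list=locales
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.1
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.20
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.38.1
add action=masquerade chain=srcnat disabled=yes dst-address=10.93.10.254
add action=masquerade chain=srcnat disabled=yes dst-address=190.108.36.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.94.21.0/24
# No action on this (disabled) rule.
add chain=srcnat disabled=yes dst-address=192.168.0.1
add action=masquerade chain=srcnat out-interface=ether9-Clientes
add action=masquerade chain=srcnat disabled=yes dst-address=10.93.21.0/24
add action=masquerade chain=srcnat dst-address=10.93.10.249
add action=masquerade chain=srcnat disabled=yes out-interface=ether9-Clientes
add action=masquerade chain=srcnat disabled=yes dst-address=10.93.21.137
add action=masquerade chain=srcnat dst-address=10.93.21.0/24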
add action=masquerade chain=srcnat dst-address=10.94.21.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.95.21.0/24
# Traffic originating from the Ubiquiti device itself is masqueraded.
add action=masquerade chain=srcnat src-address=192.168.1.20
add action=masquerade chain=srcnat dst-address=10.93.10.238
add action=masquerade chain=srcnat dst-address=10.94.21.245
/ip route
# Default route (no dst-address = 0.0.0.0/0) via the ADC uplink on vlan407-ADC.
add distance=24 gateway=192.168.218.85
# Blackholes for the aggregates keep traffic to unused sub-prefixes from leaking out the
# default route; more specific connected/static/BGP routes still win.
add distance=1 dst-address=10.0.0.0/8 type=blackhole
add distance=1 dst-address=10.93.0.0/16 type=blackhole
add distance=1 dst-address=10.93.21.21/32 gateway=ether7-Radio
add distance=1 dst-address=10.94.0.0/16 type=blackhole
add distance=1 dst-address=10.94.21.0/24 gateway=10.93.1.2
add distance=1 dst-address=10.168.2.0/24 gateway=10.93.201.1
add distance=1 dst-address=181.114.219.0/24 type=blackhole
add distance=1 dst-address=192.168.0.0/16 type=blackhole
add distance=1 dst-address=192.168.0.0/24 gateway=10.93.68.4
# Disabled alternatives for reaching the 192.168.1.20 device through a remote site.
add comment=GralAcha disabled=yes distance=1 dst-address=192.168.1.20/32 gateway=10.93.201.3
add comment=Ceferino disabled=yes distance=1 dst-address=192.168.1.20/32 gateway=10.93.68.4
add comment=CuchilloCo disabled=yes distance=1 dst-address=192.168.1.20/32 gateway=10.93.1.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): plain-HTTP WebFig on 60080 with no source restriction, and the input chain
# accepts tcp/60080 from anywhere: management credentials cross the network in cleartext.
# Restrict address= like winbox/api and enable www-ssl (not configured in this export).
set www address=0.0.0.0/0 port=60080
# SSH on a non-default port; no address restriction (rate-limited by the firewall instead).
set ssh port=22001
set api address=10.0.0.0/8
set winbox address=10.0.0.0/8,192.168.93.0/24
set api-ssl disabled=yes
/ip ssh
# strong-crypto=yes is good. NOTE(review): forwarding-enabled=both lets every SSH login -
# including the read-only 'backup' group - open local and remote TCP forwards through the
# router, i.e. use it as a pivot. Set forwarding-enabled=no unless tunnels are required.
set forwarding-enabled=both strong-crypto=yes
/lcd
set time-interval=weekly
/lcd interface pages
set 0 interfaces="sfp1,ether1-PC,ether2-Prueba,ether3,ether4,ether5,ether6-EnlaceCeferino,ether7-Radio,ether8,ether9-Clientes,ether10-Internet"
/ppp aaa
# PPP users are authenticated via RADIUS (see /radius); local /ppp secret entries remain
# for the site-to-site peers and disabled test accounts.
set interim-update=5m use-radius=yes
/ppp secret
add name=Rpsa password=***** remote-address=10.93.201.1 service=l2tp
add name=GestionRadius password=***** remote-address=10.93.202.2 service=ovpn
add disabled=yes name=GestionAircontrol2 password=***** remote-address=10.93.202.3 service=ovpn
add disabled=yes name=SergioIglesias password=***** service=l2tp
add disabled=yes name=PignolOmar password=***** service=pppoe
add disabled=yes name=Fabio-Exner password=***** remote-address=181.114.219.114 service=pppoe
add name=GeneralAcha password=***** remote-address=10.93.201.3 service=l2tp
/radius
# NOTE(review): require-message-auth=no accepts RADIUS responses that carry no
# Message-Authenticator attribute; this is the knob RouterOS added as the Blast-RADIUS
# (CVE-2024-3596) mitigation. Set it to yes once the server at 10.93.202.2 is confirmed to
# include Message-Authenticator in every reply (verify with the RADIUS admin first).
add address=10.93.202.2 comment="Radius Contabo" require-message-auth=no secret=***** service=ppp
/radius incoming
# Accepts CoA/Disconnect on udp/3799 (firewall limits the source to 'gestion').
set accept=yes
/routing bgp peer
# iBGP (AS 93 on both ends), multihop. No tcp-md5-key is shown for either peer, so the
# sessions rely on the firewall/address lists alone.
add comment=CuchilloCo multihop=yes name=CuchilloCo remote-address=10.93.1.2 remote-as=93
add comment=Ceferino multihop=yes name=Ceferino remote-address=10.93.68.4 remote-as=93
/snmp
# SNMP enabled; location includes GPS coordinates, readable by anyone holding a community.
set contact=tecnicosinternet@funsadu.ar enabled=yes location="Unanue [-37.54372195688438, -64.35209276259351]"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=Unanue
/system logging
set 0 topics=info,!pppoe
set 1 action=disk topics=error,!pppoe
set 2 action=disk topics=warning,!pppoe
add action=disk topics=critical
# Warnings are also shipped to the remote syslog action (10.93.202.3).
add action=remote topics=warning,!pppoe
/system ntp client
set enabled=yes primary-ntp=10.94.10.1 secondary-ntp=186.155.28.147
/system scheduler
# NOTE(review): every scheduler entry and every script carries the full policy set
# (ftp,reboot,...,password,sniff,sensitive,romon) although none of them needs more than
# read/write/test (plus reboot for the first entry). Trim to least privilege.
# One-shot reboot on jul/11/2023 01:00 (no interval) - stale, can be removed.
add comment="Reboot Router" name="Reboot Router" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/11/2023 start-time=01:00:00
add interval=1w name=auto-bu-sch on-event=auto-bu policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=may/31/2024 start-time=03:32:00
add name=inicializar on-event=inicializar policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script
# ap / cliente: swap the 192.168.1.1/24 address onto ether8 (AP) or ether9 (client), then
# poke http://192.168.1.20 (the Ubiquiti device) so the new path is exercised.
add dont-require-permissions=no name=ap owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="ip ad disable [find address=\"192.168.1.1/24\"]; ip ad en [find comment=ConfigurarAP];:delay 1000ms;/tool fetch url=\"http://192.168.1.20\""
# borrar: removes static routes selected by [find gateway= and static] (empty gateway).
add dont-require-permissions=no name=borrar owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="ip route remove [find gateway= and static] "
# inicializar (run at startup): defines the global functions $creame (adds a route with
# comment=borrame for the given prefix) and $borrame (removes all comment=borrame routes).
add dont-require-permissions=no name=inicializar owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=" \n\n:global creame do={/ip route add comment=borrame gateway= dst-address=\$1 ; :put \"Ahora ruteamos: \$1\" }\n\n:global borrame do={/ip route remove [find comment=borrame]; :put \"Borradas\" }\n"
# NOTE(review): dont-require-permissions=yes lets a caller run this script without holding the
# script's own policies; combined with the full policy set above this is an easy escalation
# path for any account that can trigger it. Set it to no (as on the sibling scripts).
add dont-require-permissions=yes name=cliente owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="ip ad disable [find address=\"192.168.1.1/24\"]; ip ad en [find comment=ConfigurarCliente];:delay 1000ms;/tool fetch url=\"http://192.168.1.20\""
# auto-bu (weekly): exports the config and saves a binary backup, then e-mails both files.
# NOTE(review): the .backup is written without password=, i.e. unencrypted, and a binary
# backup carries all configured credentials; it is then sent through a third-party mailbox.
# Use '/system backup save name=... password=<secret>' so the file is encrypted at rest and
# in transit, and keep the mailbox access-restricted.
add dont-require-permissions=no name=auto-bu owner=sysadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\r\n# Variables\r\n:local MailDestinatario \"backups@redesprivadas.com.ar\"\r\n:local MailCC \"backups@redesprivadas.com.ar\"\r\n# Codigo\r\n:local EquipoNombre [/system identity get name]\r\n:global MailFecha [/system clock get date]\r\n:local MailAsunto \"Backup automatico - \$EquipoNombre - \$MailFecha\"\r\n:local MailArchivos \"\$EquipoNombre.rsc,\$EquipoNombre.backup\"\r\n/export file=\$EquipoNombre\r\n/system backup save name=\$EquipoNombre\r\n/delay 5;\r\n/tool e-mail send to=\$MailDestinatario \\\r\nsubject=\$MailAsunto \\\r\ncc=\$MailCC \\\r\nbody=\"Te adjunto unos archivos para que los vayas guardando.\" \\\r\nfile=\$MailArchivos\r\n:delay 22;\r\n:delay 5;\r\n/log warning \"Autobackup ejecutado correctamente.\"\r\n}"
/tool e-mail
# SMTP submission with STARTTLS; the mailbox password for raul@covidelpi.com.ar lives on the
# router and is exposed to anyone with 'sensitive' policy (see the script policies above).
set address=mail.covidelpi.com.ar from="Servicio de Respaldo " password=***** port=587 start-tls=yes user=raul@covidelpi.com.ar
/tool graphing interface
add
/tool graphing resource
add
/tool netwatch
add comment=CuchilloCo host=181.114.219.253
add comment="Servidor de Gestion" host=10.93.202.2
add comment=Acha host=10.93.201.3 interval=10s
add host=192.168.1.20 interval=10s
add comment=Ceferino host=10.93.68.4
add comment="Equipo reseteado" host=192.168.1.20
/tool sniffer
# NOTE(review): packet sniffer is pre-configured to capture 181.114.219.20 (the 'prueba' host
# dropped in the forward chain) to prueba.cap on the router's storage. Looks like leftover
# troubleshooting; clear it so nobody with 'sniff' policy silently captures customer traffic.
set file-name=prueba.cap filter-ip-address=181.114.219.20/32 filter-size=65000