# RouterOS 7.19.4 configuration export for an RB3011UiAS node, preceded by the routerboard and
# package information and the /system history table exactly as captured on the page.
# NOTE(review): the page was flattened onto a few long lines; commands are restored one per line
# and `#` review notes are added. No setting, string or value is changed.
# NOTE(review): this export carries the device serial number, subscriber names, operator e-mail
# addresses and a messaging-bot API token in clear text (see /system script, entry voltmon).
# Treat the token as exposed (revoke and re-issue it) and sanitize exports before sharing them.
# routerboard: yes
# model: RB3011UiAS
# serial-number: 783F08DC1909
# firmware-type: ipq8060
# factory-firmware: 3.41
# current-firmware: 7.19.4
# upgrade-firmware: 7.19.4
#
# channel: stable
# installed-version: 7.19.4
#
# Flags: U - UNDOABLE
# Columns: ACTION, BY, POLICY, TIME
# ACTION BY POLICY TIME
# U radvd interface added marcos write 2025-09-26 21:14:50
# U radvd interface added marcos write 2025-09-26 21:14:44
# U radvd interface changed marcos write 2025-09-26 21:14:37
# U radvd interface changed marcos write 2025-09-26 21:14:35
# U item changed marcos write 2025-09-26 21:13:31
# U ospf-area-3RA_v3 changed marcos write 2025-09-26 21:13:21
# U ospf-interface-3 changed marcos write 2025-09-26 21:13:18
# U ospf-interface-2 changed marcos write 2025-09-26 21:13:17
# U ospf-interface-4 removed marcos write 2025-09-26 21:13:15
# U ospf-instance-3RA_v3 changed marcos write 2025-09-26 21:13:12
# U address list entry removed ispcube write 2025-09-26 14:21:03
# U address list entry added ispcube write 2025-09-24 09:57:36
# U script removed marcos write 2025-09-24 08:45:22
# U script removed marcos write 2025-09-24 08:45:20
# U changed script settings marcos write 2025-09-22 16:41:35
# U script removed from scheduler marcos write 2025-09-22 16:40:56
# U changed scheduled script settings marcos write 2025-09-22 16:40:48
# U changed script settings marcos write 2025-09-10 14:40:29
# U address list entry removed ispcube write 2025-09-09 21:35:04
# U changed script settings marcos write 2025-09-05 14:24:42
# U script removed marcos write 2025-09-05 14:24:31
#
# 2025-10-01 06:16:14 by RouterOS 7.19.4
# software id = YJ5X-YIW2
#
# model = RB3011UiAS
# serial number = 783F08DC1909
# Bridges. vlan-filtering does not appear on any of them, so it is presumably at its default and
# VLAN separation relies on the /interface vlan sub-interfaces bridged further down (TODO confirm).
# bridge_LAN enables dhcp-snooping; no bridge port below is marked trusted.
/interface bridge
add dhcp-snooping=yes fast-forward=no igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes name=bridge_LAN port-cost-mode=short
add name=bridge_TEMP port-cost-mode=short
add fast-forward=no igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes name=bridge_vlan99 port-cost-mode=short
add igmp-snooping=yes igmp-version=3 mld-version=2 multicast-querier=yes name=bridge_vlan130
add name=bridge_vlan210 port-cost-mode=short
# Port labels only; sfp1 is administratively disabled.
/interface ethernet
set [ find default-name=ether1 ] comment="MGMT - UNTAGGED VLAN99"
set [ find default-name=ether3 ] comment=Carlitos
set [ find default-name=ether4 ] comment="3RA_ AMO"
set [ find default-name=ether5 ] comment="Irrigaci\F3n"
set [ find default-name=ether6 ] comment="Troncal SB-2-3RA : NETONIX"
set [ find default-name=ether8 ] comment="Troncal 3RA-2-PDG"
set [ find default-name=ether10 ] comment="Sensor de Linea (TP-Link) - 172.22.13.18"
set [ find default-name=sfp1 ] disabled=yes
# Tagged sub-interfaces on the two trunks (ether6 and ether8). VLAN 99 exists on both trunks
# (vlan99 and vlan_99) and both are bridged into bridge_vlan99 below.
/interface vlan
add comment="PtP AgroMalargue" interface=ether6 name=vlan13 vlan-id=13
add comment=Bck_TRR interface=ether6 name=vlan35_fromTRR vlan-id=35
add comment=TEMP interface=ether6 name=vlan36_TEMP vlan-id=36
add interface=ether6 name=vlan37_TMP vlan-id=37
add interface=ether6 name=vlan99 vlan-id=99
add interface=ether8 name=vlan120_PDG vlan-id=120
add interface=ether6 name=vlan130 vlan-id=130
add interface=ether6 name=vlan210 vlan-id=210
add interface=ether6 name=vlan501 vlan-id=501
add comment=NETVIDEO+IPTV interface=ether6 name=vlan1005 vlan-id=1005
add interface=ether8 name=vlan_99 vlan-id=99
/interface list
add name=MGMT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=pool_3RA ranges=172.22.13.10-172.22.13.254
add name=pool_PDG ranges=172.22.12.10-172.22.12.254
# NOTE(review): bridge_LAN carries both this DHCP server (server_3RA) and the DHCP relay
# Relay_3RA defined under /ip dhcp-relay below - confirm which one is meant to answer clients.
/ip dhcp-server
add address-pool=pool_3RA interface=bridge_LAN lease-time=4h name=server_3RA
add address-pool=pool_PDG interface=vlan120_PDG lease-time=4h name=server_PDG relay=172.22.12.1
/ip smb users
set [ find default=yes ] disabled=yes
/ipv6 dhcp-server
add disabled=yes interface=bridge_LAN lease-time=1d name=server_AIRE prefix-pool=pool_WLAN
/ipv6 pool
add name=pool_WLAN prefix=2803:d8c0:4004::/48 prefix-length=60
/port
set 0 name=serial0
# Per-subscriber rate limits, one /32 target each. The queue names embed subscriber names
# (personal data) - redact them whenever the export is shared outside the operator.
/queue simple
add max-limit=7168k/25600k name="Oueyt Valeria Lourdes - 172.22.12.230" priority=6/6 target=172.22.12.230/32
add max-limit=30720k/51200k name="Costa Luis - 172.22.12.249" priority=1/1 target=172.22.12.249/32
add max-limit=5120k/15360k name="Fernandez Rocio - 172.22.12.245" priority=7/7 target=172.22.12.245/32
add max-limit=7168k/25600k name="Roman Lucas Gustavo - 172.22.12.243" priority=6/6 target=172.22.12.243/32
add max-limit=5120k/15360k name="Oueyt Nora Adriana - 172.22.12.242" priority=7/7 target=172.22.12.242/32
add max-limit=5120k/15360k name="Ramos Gustavo Alberto - 172.22.12.241" priority=7/7 target=172.22.12.241/32
add max-limit=7168k/25600k name="Carrada Juan Carlos - 172.22.12.238" priority=6/6 target=172.22.12.238/32
add max-limit=5120k/15360k name="Pastrana Leandro Javier - 172.22.12.237" priority=7/7 target=172.22.12.237/32
add max-limit=7168k/25600k name="Vallejo Noemi Natali - 172.22.12.235" priority=6/6 target=172.22.12.235/32
add max-limit=7168k/25600k name="Vargas Eduardo Ezequiel - 172.22.13.22" priority=6/6 target=172.22.13.22/32
add max-limit=7168k/25600k name="Colombo Carlos Tercera zona - 172.22.13.20" priority=6/6 target=172.22.13.20/32
add max-limit=30720k/51200k name="Asociacion 3ra Zona de Riego Rio Mendoza - 172.22.13.23" priority=1/1 target=172.22.13.23/32
add max-limit=12288k/12288k name="Agro Malargue S.A. - 172.22.13.13" priority=1/1 target=172.22.13.13/32
add max-limit=5120k/15360k name="Fernandez Carlos Alberto - 172.22.13.19" priority=7/7 target=172.22.13.19/32
add max-limit=5120k/15360k name="Rios Monica Maria - 172.22.13.12" priority=7/7 target=172.22.13.12/32
add max-limit=5120k/15360k name="Gonzalez Diego Antonio - 172.22.13.10" priority=7/7 target=172.22.13.10/32
add max-limit=5120k/15360k name="Gutierrez Jonatan Ramon - 172.22.13.17" priority=7/7 target=172.22.13.17/32
add max-limit=12288k/12288k name="Himan Aceros S.A. - 172.22.13.26" priority=1/1 target=172.22.13.26/32
add max-limit=5120k/15360k name="Lara Romina Elizabeth - 172.22.13.27" priority=7/7 target=172.22.13.27/32
add max-limit=5120k/15360k name="Arroyo Elizabeth Nancy - 172.22.13.29" priority=7/7 target=172.22.13.29/32
add max-limit=7168k/25600k name="Fernandez Carlos Alberto - 172.22.13.16" priority=6/6 target=172.22.13.16/32
add max-limit=7168k/25600k name="Boglioli Jose Oscar - 172.22.12.226" priority=6/6 target=172.22.12.226/32
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing id
add disabled=no id=10.255.255.9 name=ospf_id select-dynamic-id=""
# OSPFv2 backbone instance is active; the OSPFv3 instance and its area 0.0.0.3 are disabled.
# No OSPF authentication setting appears anywhere in this export (TODO confirm whether the
# adjacency on bridge_vlan99 is authenticated).
/routing ospf instance
add disabled=no name=ospf-backbone_v2 router-id=ospf_id
add disabled=yes name=ospf-instance-3RA_v3 router-id=ospf_id version=3
/routing ospf area
add disabled=no instance=ospf-backbone_v2 name=ospf-area-backbone_v2
add area-id=0.0.0.3 disabled=yes instance=ospf-instance-3RA_v3 name=ospf-area-3RA_v3
# SNMP community restricted to two source addresses. authentication-protocol/encryption-protocol
# are set, but no security= level is shown, so presumably it is at its default and the community
# string still works as a plain v1/v2c credential - TODO confirm and require authenticated,
# encrypted SNMPv3 if the pollers support it.
/snmp community
add addresses=192.168.200.253/32,192.168.200.155/32 authentication-protocol=SHA1 encryption-protocol=AES name=pnet
# Log destinations: rotating disk files plus two remote syslog collectors (192.168.200.253 and
# 192.168.200.168). Remote copies are what survives if the router itself is wiped or rebooted.
/system logging action
add disk-file-count=5 disk-file-name=Error name=ErrorLogs target=disk
add disk-file-count=5 disk-file-name=Info name=InfoLogs target=disk
add disk-file-count=5 disk-file-name=Interfaces name=InterfacesLogs target=disk
add disk-file-count=5 disk-file-name=Warning name=WarningLogs target=disk
add name=DudeLogs remote=192.168.200.253 remote-log-format=syslog syslog-facility=local6 target=remote
add name=GrafanaLogs remote=192.168.200.168 remote-log-format=syslog target=remote
add disk-file-count=5 disk-file-name=Critical name=CriticalLogs target=disk
add disk-file-count=5 disk-file-name=OSPF name=OSPFLogs target=disk
add disk-file-count=5 disk-file-name=Mails name=MailsLogs target=disk
add disk-file-count=5 disk-file-name=DHCP name=DHCPLogs target=disk
# Custom user groups (the /user entries themselves are not part of this export).
#  - dude:     winbox/web/local with read, write, test and reboot; no ssh, api, policy or sensitive.
#  - oxidized: ssh + read only, which matches a config-backup account (least privilege).
#  - pnet:     every policy except password, including telnet, ftp, sniff, sensitive and romon.
# NOTE(review): pnet is effectively full access; trim it to what its members actually use.
/user group
add name=dude policy="local,reboot,read,write,test,winbox,web,!telnet,!ssh,!ftp,!policy,!password,!sniff,!sensitive,!api,!romon,!rest-api"
add name=oxidized policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
add name=pnet policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,web,sniff,sensitive,api,romon,rest-api,!password"
# Layer-2 isolation inside bridge_LAN: frames entering on ether3, ether4 or ether5 are dropped
# when they would leave on another of those ports, on ether10 or on vlan13.
# NOTE(review): no rule has ether10, vlan13 or ether2 as in-interface, so frames that enter on
# those ports toward ether3-5 are not dropped here - confirm that one-way isolation is intended.
/interface bridge filter
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether3 out-bridge=bridge_LAN out-interface=ether4
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether3 out-bridge=bridge_LAN out-interface=ether5
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether3 out-bridge=bridge_LAN out-interface=ether10
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether3 out-bridge=bridge_LAN out-interface=vlan13
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether4 out-bridge=bridge_LAN out-interface=ether3
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether4 out-bridge=bridge_LAN out-interface=ether5
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether4 out-bridge=bridge_LAN out-interface=ether10
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether4 out-bridge=bridge_LAN out-interface=vlan13
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether5 out-bridge=bridge_LAN out-interface=ether3
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether5 out-bridge=bridge_LAN out-interface=ether4
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether5 out-bridge=bridge_LAN out-interface=ether10
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether5 out-bridge=bridge_LAN out-interface=vlan13
# Bridge membership. ingress-filtering=no is set explicitly on most ports; ether2 joins
# bridge_LAN with default port settings.
/interface bridge port
add bridge=bridge_LAN ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge_vlan210 ingress-filtering=no interface=vlan210 internal-path-cost=10 path-cost=10
add bridge=bridge_vlan210 ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN ingress-filtering=no interface=vlan13 internal-path-cost=10 path-cost=10
add bridge=bridge_TEMP ingress-filtering=no interface=vlan36_TEMP internal-path-cost=10 path-cost=10
add bridge=bridge_LAN ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge_vlan99 interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge_vlan99 interface=vlan99 internal-path-cost=10 path-cost=10
add bridge=bridge_vlan99 interface=vlan_99 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether2
# Neighbor discovery is limited to the MGMT interface list.
/ip neighbor discovery-settings
set discover-interface-list=MGMT
# NOTE(review): MGMT contains ether10, which is also a bridge_LAN member port (labelled as a
# TP-Link line sensor above) - confirm that a LAN-side port belongs in the management list.
/interface list member
add interface=ether10 list=MGMT
add interface=bridge_vlan99 list=MGMT
add interface=bridge_vlan210 list=MGMT
# NOTE(review): auth=sha1,md5 still permits MD5. No enabled= value is shown, so the server is
# presumably not enabled; if it is unused remove the entry, otherwise drop md5.
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:4C:7C:6B:18:FE name=ovpn-server1
# Addressing: LAN gateway 172.22.13.1, management 10.99.0.72 on bridge_vlan99, and public
# addresses on vlan130 (one /29 plus host addresses used as src-nat targets further down).
/ip address
add address=172.22.13.1/24 interface=bridge_LAN network=172.22.13.0
add address=192.168.36.2/30 interface=bridge_TEMP network=192.168.36.0
add address=10.99.0.72/24 comment=MGMT interface=bridge_vlan99 network=10.99.0.0
add address=168.197.198.190/29 interface=vlan130 network=168.197.198.184
add address=168.197.198.186 interface=vlan130 network=168.197.198.186
add address=168.197.198.187 interface=vlan130 network=168.197.198.187
add address=168.197.198.188 disabled=yes interface=vlan130 network=168.197.198.188
add address=168.197.198.189 disabled=yes interface=vlan130 network=168.197.198.189
add address=10.10.0.177/29 comment="Troncal PDG" interface=vlan120_PDG network=10.10.0.176
add address=10.1.1.8/24 comment=NETVIDEO+IPTV interface=vlan1005 network=10.1.1.0
add address=10.255.255.9 comment=loopback interface=lo network=10.255.255.9
add address=192.168.37.2/30 interface=vlan37_TMP network=192.168.37.0
# The DHCP client on vlan35_fromTRR takes neither default route, DNS nor NTP from its peer.
/ip dhcp-client
add add-default-route=no interface=vlan35_fromTRR use-peer-dns=no use-peer-ntp=no
/ip dhcp-relay
add dhcp-server=10.10.0.113 interface=bridge_LAN local-address=172.22.13.1 name=Relay_3RA
# Static leases (the daily dhcp_dynamic-to-static script below converts every dynamic lease into
# one). MAC and client-id values identify subscriber equipment - redact when sharing.
/ip dhcp-server lease
add address=172.22.13.20 client-id=1:30:b5:c2:4c:59:3 mac-address=30:B5:C2:4C:59:03 server=server_3RA
add address=172.22.13.22 client-id=1:68:72:51:6a:2d:c mac-address=68:72:51:6A:2D:0C server=server_3RA
add address=172.22.13.23 mac-address=10:FE:ED:06:7F:48 server=server_3RA
add address=172.22.13.18 mac-address=EC:08:6B:40:B0:AD server=server_3RA
add address=172.22.13.13 client-id=1:68:72:51:8:3b:13 mac-address=68:72:51:08:3B:13 server=server_3RA
add address=172.22.13.19 client-id=1:68:72:51:6a:2d:e5 mac-address=68:72:51:6A:2D:E5 server=server_3RA
add address=172.22.13.12 client-id=1:68:72:51:3a:bc:a mac-address=68:72:51:3A:BC:0A server=server_3RA
add address=172.22.13.10 client-id=1:68:72:51:66:45:7d mac-address=68:72:51:66:45:7D server=server_3RA
add address=172.22.13.17 client-id=1:68:72:51:4e:ce:93 mac-address=68:72:51:4E:CE:93 server=server_3RA
add address=172.22.13.24 client-id=1:68:72:51:64:5a:1b mac-address=68:72:51:64:5A:1B server=server_3RA
add address=172.22.13.25 client-id=1:64:d1:54:dc:c4:3e mac-address=64:D1:54:DC:C4:3E server=server_3RA
add address=172.22.13.26 client-id=1:68:72:51:3a:bc:da mac-address=68:72:51:3A:BC:DA server=server_3RA
add address=172.22.13.27 client-id=1:68:72:51:34:18:fb mac-address=68:72:51:34:18:FB server=server_3RA
add address=172.22.13.11 client-id=1:68:72:51:62:2e:e2 mac-address=68:72:51:62:2E:E2 server=server_3RA
add address=172.22.13.28 mac-address=C4:6E:1F:B1:48:C9 server=server_3RA
add address=172.22.13.29 client-id=1:68:72:51:44:ab:3e mac-address=68:72:51:44:AB:3E server=server_3RA
add address=172.22.13.16 client-id=1:68:72:51:70:30:4 mac-address=68:72:51:70:30:04 server=server_3RA
add address=172.22.12.249 client-id=1:0:c:42:e7:20:99 mac-address=00:0C:42:E7:20:99 server=server_PDG
add address=172.22.12.245 client-id=1:24:a4:3c:9e:34:cf mac-address=24:A4:3C:9E:34:CF server=server_PDG
add address=172.22.12.243 client-id=1:68:72:51:58:a0:d9 mac-address=68:72:51:58:A0:D9 server=server_PDG
add address=172.22.12.242 client-id=1:0:27:22:ee:30:34 mac-address=00:27:22:EE:30:34 server=server_PDG
add address=172.22.12.241 client-id=1:68:72:51:64:dc:a0 mac-address=68:72:51:64:DC:A0 server=server_PDG
add address=172.22.12.238 client-id=1:f0:9f:c2:ee:93:8e mac-address=F0:9F:C2:EE:93:8E server=server_PDG
add address=172.22.12.237 client-id=1:68:72:51:66:44:18 mac-address=68:72:51:66:44:18 server=server_PDG
add address=172.22.12.247 client-id=1:68:72:51:6e:e3:5c mac-address=68:72:51:6E:E3:5C server=server_PDG
add address=172.22.12.236 mac-address=98:DE:D0:2A:00:58 server=server_PDG
add address=172.22.12.248 client-id=1:cc:2d:e0:14:9b:74 mac-address=CC:2D:E0:14:9B:74 server=server_PDG
add address=172.22.12.235 client-id=1:dc:9f:db:32:36:b6 mac-address=DC:9F:DB:32:36:B6 server=server_PDG
add address=172.22.13.15 client-id=1:68:72:51:a:ec:fc mac-address=68:72:51:0A:EC:FC server=server_3RA
add address=172.22.12.230 client-id=1:30:de:4b:98:48:f3 mac-address=30:DE:4B:98:48:F3 server=server_PDG
add address=172.22.12.226 client-id=1:68:72:51:64:5b:75 mac-address=68:72:51:64:5B:75 server=server_PDG
add address=172.22.13.14 mac-address=18:D6:C7:43:F8:78 server=server_3RA
/ip dhcp-server network
add address=172.22.12.0/24 comment="RED PDG" dns-server=185.180.9.62 gateway=172.22.12.1
add address=172.22.13.0/24 comment="RED 3RA" dns-server=185.180.9.62 gateway=172.22.13.1
# Upstream resolvers for the router itself. allow-remote-requests is not shown, so the router is
# presumably not serving DNS; note that the "Allow UDP" input rule below would expose it to every
# interface if it were ever switched on.
/ip dns
set servers=8.8.8.8,2001:4860:4860::8888,1.1.1.1,2606:4700:4700::1111
# Address lists used by the filter and NAT rules: nodos-privadas (private ranges of other nodes),
# redes-locales (the two subscriber /24s) and Clientes-Cortados (suspended subscribers).
# NOTE(review): the lists "port scanners", "DOS attack", "DOS attack UDP" and spammer are filled
# dynamically by rules below; "local address" is referenced by a rule but never defined here.
/ip firewall address-list
add address=172.22.0.0/24 comment=R60 list=nodos-privadas
add address=172.22.8.0/23 comment=R50 list=nodos-privadas
add address=172.22.5.0/24 comment=BRS list=nodos-privadas
add address=172.22.6.0/23 comment=SB list=nodos-privadas
add address=172.22.2.0/23 comment=FLB list=nodos-privadas
add address=172.22.11.0/24 comment=FO list=nodos-privadas
add address=172.22.14.0/24 comment=BNT list=nodos-privadas
add address=172.22.15.0/24 comment=JDN list=nodos-privadas
add address=172.22.10.0/24 comment=RDM list=nodos-privadas
add address=172.22.4.0/24 comment=SR list=nodos-privadas
add address=172.22.1.0/24 comment=MEC-CMP list=nodos-privadas
add address=172.22.16.0/24 comment=MLK list=nodos-privadas
add address=172.22.17.0/24 comment=VQZ list=nodos-privadas
add address=172.22.18.0/24 comment=CBL list=nodos-privadas
add address=172.22.20.0/23 comment=FO-New list=nodos-privadas
add address=172.22.28.0/22 comment=FLB-New list=nodos-privadas
add address=172.16.0.0/23 comment=GPON_SB list=nodos-privadas
add address=172.16.2.0/23 comment=GPON_R50 list=nodos-privadas
add address=172.16.4.0/23 comment=GPON_FO list=nodos-privadas
add address=172.16.6.0/23 comment=GPON_FLB list=nodos-privadas
add address=172.22.13.0/24 list=redes-locales
add address=7.7.7.7 list=Clientes-Cortados
add address=172.22.12.0/24 list=redes-locales
# IPv4 filter. Rules are evaluated in order, so the notes below follow rule order.
/ip firewall filter
# --- input: scan trap -------------------------------------------------------------------------
# Sources already listed as "port scanners" are dropped first; the six rules after it add a
# source to that list for 4w2d when one packet shows an abnormal TCP flag combination.
# NOTE(review): these rules run before the established/related accept and key on the source
# address of a single packet, which can be forged. The drop rule has no exemption, so a forged
# packet bearing a management or monitoring address would lock that host out for a month.
# Consider exempting the known management sources and shortening the timeout.
add action=drop chain=input comment="Drop escaneadores de puertos" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=4w2d chain=input comment="------NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=4w2d chain=input comment="------SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=4w2d chain=input comment="------SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=4w2d chain=input comment="------FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=4w2d chain=input comment="------ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=4w2d chain=input comment="------NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Disabled ICMP rate-limit rules; ICMP is accepted unconditionally by "Allow ICMP" further down.
add action=accept chain=input comment="Echo request - Evitar Ping Flood" disabled=yes icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=input comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
add action=drop chain=input comment="Drop ICMP" disabled=yes protocol=icmp
# --- input: connection-count limits -----------------------------------------------------------
# TCP sources with 100 or more concurrent connections are listed for 1d and then tarpitted;
# 168.197.196.100 is exempt from the tarpit, 192.168.200.155 from the UDP drop.
# NOTE(review): the UDP detection rule matches src-address-list="!local address", but no list of
# that name is defined in this export, so the negated match presumably holds for every source -
# TODO confirm and point it at an existing list such as redes-locales.
add action=tarpit chain=input comment="Drop to DOS attack list" connection-limit=3,32 protocol=tcp src-address=!168.197.196.100 src-address-list="DOS attack"
add action=add-src-to-address-list address-list="DOS attack" address-list-timeout=1d chain=input comment="------Add DOS attack src IP to the list" connection-limit=100,32 protocol=tcp
add action=drop chain=input comment="Drop to DOS UDP attack list" src-address=!192.168.200.155 src-address-list="DOS attack UDP"
add action=add-src-to-address-list address-list="DOS attack UDP" address-list-timeout=2w1d chain=input comment="------Add DOS UDP attack src IP to the list" connection-limit=100,32 protocol=udp src-address-list="!local address"
# --- input: stateful base ---------------------------------------------------------------------
add action=accept chain=input comment="Allow Established/Related/Untracked connections" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow OSPF" in-interface=bridge_vlan99 protocol=ospf
# NOTE(review): this accepts every UDP packet addressed to the router from any interface,
# including the public side (vlan130). It exposes whatever UDP services the router runs; in this
# export that includes SNMP (enabled), the NTP server (enabled) and NAT-PMP (enabled). Replace
# it with per-service rules limited by in-interface or source address.
add action=accept chain=input comment="Allow UDP" protocol=udp
# SSH is accepted only on the management bridge, and /ip service limits it to 192.168.200.155.
add action=accept chain=input comment=Oxidized dst-port=22 in-interface=bridge_vlan99 protocol=tcp
# NOTE(review): no source or in-interface restriction. 3380 is the www (plain HTTP) port set in
# /ip service below and 8291 is the Winbox default; neither service has an address= restriction
# in this export, so both management logins are reachable from every network, the public one
# included. Port 8240 matches no service configured here - confirm it is still needed. Restrict
# the rule to the MGMT list or to the management source addresses.
add action=accept chain=input comment="Allow Winbox" dst-port=3380,8240,8291 protocol=tcp
# NOTE(review): TCP 2000 (bandwidth test) is accepted from any source; the bandwidth-server
# settings are not in this export, so presumably they are defaults - limit the rule to test hosts.
add action=accept chain=input comment="BW Test" dst-port=2000 protocol=tcp
# The firewall opens 8728 to any source; access is narrowed only by the two-address allow-list on
# the api service in /ip service. 8728 is the unencrypted API (api-ssl is disabled below), so
# API credentials cross the network in clear text.
add action=accept chain=input comment=API dst-port=8728 protocol=tcp
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else"
# --- forward ----------------------------------------------------------------------------------
# NOTE(review): the forward chain has no established/related accept and no final drop, so
# anything not matched by a drop rule below is forwarded (the chain's default is accept).
# Suspended subscribers (Clientes-Cortados) are blocked except toward 192.168.200.0/24 and the
# listed ports.
add action=drop chain=forward comment="Block Rule" dst-address=!192.168.200.0/24 dst-port=!9081,3380,3322,6680 protocol=tcp src-address-list=Clientes-Cortados
add action=drop chain=forward dst-address=!192.168.200.0/24 dst-port=!9081,3380,3322 protocol=udp src-address-list=Clientes-Cortados
# Keeps 172.22.13.0/24 subscribers out of the other nodes' private ranges.
# NOTE(review): the rule names only 172.22.13.0/24; 172.22.12.0/24 is also in redes-locales and
# is not covered here - confirm whether it is filtered on the PDG router instead.
add action=drop chain=forward comment="Drop para trafico dirigido a las redes PRIVADAS de los NODOS (Address Lists)" dst-address-list=nodos-privadas src-address=172.22.13.0/24
# Outbound SMTP abuse control: sources opening many port-25 connections are listed for 12w6d.
add action=drop chain=virus comment="Drop Spammer" dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=12w6d chain=virus comment="add to spammer list" connection-limit=30,32 dst-port=25 limit=50,5:packet protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
# SYN rate limiting: new SYNs are accepted up to limit=350,5 and dropped above it.
# NOTE(review): limit= is one shared budget, not per source, so one flooding host can exhaust it
# and legitimate new connections are dropped along with the flood.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=350,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
# NAT: each subscriber /24 is source-NATed to its own public address on vlan130; everything else
# leaving vlan130 is masqueraded.
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNAT Server Netvideo - 10.1.0.27" dst-address=10.100.1.2 src-address-list=redes-locales to-addresses=10.1.0.27
add action=src-nat chain=srcnat comment=168.197.198.186 out-interface=vlan130 src-address=172.22.13.0/24 to-addresses=168.197.198.186
add action=src-nat chain=srcnat comment=168.197.198.187 out-interface=vlan130 src-address=172.22.12.0/24 to-addresses=168.197.198.187
add action=masquerade chain=srcnat comment="SNAT INET" out-interface=vlan130
# Raw table: source-address validation on bridge_LAN (only 172.22.13.0/24 may originate there) and
# connection-tracking bypass for OSPF.
# NOTE(review): there is no matching anti-spoofing rule for vlan120_PDG / 172.22.12.0/24.
/ip firewall raw
add action=drop chain=prerouting comment="BCP38 - 3RA" in-interface=bridge_LAN src-address=!172.22.13.0/24
add action=notrack chain=prerouting comment="No track - OSPF" protocol=ospf
add action=notrack chain=output protocol=ospf
# Connection-tracking helpers are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# NOTE(review): NAT-PMP is enabled with bridge_LAN internal and vlan130 external, which lets any
# LAN host ask the router for inbound port mappings on the public side without authentication.
# Disable it unless a subscriber service depends on it.
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=bridge_LAN type=internal
add interface=vlan130 type=external
# Static routes: management-side networks via 10.99.0.1, default route via 168.197.198.185.
/ip route
add comment="RED VPN-WireGuard" disabled=yes distance=1 dst-address=10.100.2.0/24 gateway=10.99.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="RED VPN-L2TP" disabled=no distance=1 dst-address=10.100.0.0/24 gateway=10.99.0.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="RED DMZ" disabled=no distance=1 dst-address=192.168.200.0/24 gateway=10.99.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=168.197.198.185 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="RED PDG" disabled=no dst-address=172.22.12.0/24 gateway=10.10.0.182 routing-table=main suppress-hw-offload=no
add comment="RED VPN-WireGuard-bck1" disabled=yes distance=1 dst-address=10.100.3.0/24 gateway=10.99.0.5 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="RED NETVIDEO - IPTV" disabled=no distance=1 dst-address=10.1.0.0/24 gateway=10.1.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=ISPCUBE disabled=yes distance=1 dst-address=168.197.196.100/32 gateway=10.99.0.76 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 route
add comment=GW_DEFAULT disabled=yes distance=10 dst-address=::/0 gateway=2803:d8c0:c000:4:a55:31ff:fe2b:4f45 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Management services: ftp, telnet and api-ssl are disabled; ssh and api carry address
# allow-lists.
# NOTE(review): www is moved to port 3380 but remains plain HTTP with no address= restriction,
# and winbox is not listed, so it is presumably at its defaults. Together with the open "Allow
# Winbox" input rule both are reachable from any network. Add address= allow-lists here and
# prefer www-ssl / api-ssl over the clear-text variants.
/ip service
set ftp disabled=yes
set ssh address=192.168.200.155/32
set telnet disabled=yes
set www port=3380
set api address=168.197.196.100/32,192.168.200.10/32
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 address
add address=2803:d8c0:c000:4:ce2d:e0ff:fe54:e2e8 advertise=no eui-64=yes interface=vlan130
# IPv6 filter: input chain only, ending in a default drop.
# NOTE(review): "accept WLAN" accepts all traffic to the router from bridge_LAN, management
# services included. No IPv6 forward-chain rule appears in this export; the IPv6 default route is
# disabled today, but add forward filtering before IPv6 is put into service.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept OSPF" protocol=ospf
add action=accept chain=input comment="defconf: accept WLAN" in-interface=bridge_LAN
add action=drop chain=input comment="defconf: drop everything"
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=no interface=bridge_vlan130 managed-address-configuration=yes other-configuration=yes
add advertise-dns=no interface=bridge_LAN managed-address-configuration=yes other-configuration=yes
# Front-panel LCD: touch input is disabled and the panel is read-only.
/lcd
set backlight-timeout=never default-screen=stat-slideshow read-only-mode=yes touch-screen=disabled
/lcd interface
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether7 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/routing bfd configuration
add disabled=no
# OSPF runs on bridge_vlan99 (active) and advertises the loopback passively; the OSPFv3 templates
# are disabled.
/routing ospf interface-template
add area=ospf-area-backbone_v2 disabled=no interfaces=bridge_vlan99
add area=ospf-area-3RA_v3 disabled=yes interfaces=bridge_vlan130 type=ptp
add area=ospf-area-3RA_v3 disabled=yes interfaces=bridge_LAN passive
add area=ospf-area-backbone_v2 disabled=no interfaces=lo passive
# SNMP is enabled; traps use version 2 with community pnet on bridge_vlan99, so the community
# string travels unencrypted in every trap.
/snmp
set contact=pnet@puntonetinternet.com enabled=yes location="Nodo 3RA Zona" trap-community=pnet trap-generators=interfaces trap-interfaces=bridge_vlan99 trap-version=2
/system clock
set time-zone-name=America/Argentina/Mendoza
/system identity
set name="3RA_Nodo (RB3011UiAS)"
# Logging rules: the default error/warning/critical rules go to disk files; info goes to disk and
# to the Dude collector; system topics (including account) go to the Grafana collector.
/system logging
set 1 action=ErrorLogs
set 2 action=WarningLogs
set 3 action=CriticalLogs
add action=InterfacesLogs topics=interface
add action=InfoLogs topics=info
add action=DudeLogs topics=info
add action=OSPFLogs topics=route,ospf
add action=GrafanaLogs topics=system,info
add action=GrafanaLogs topics=system,error
add action=GrafanaLogs topics=system,info,account
add action=MailsLogs topics=e-mail,info
add action=DHCPLogs topics=dhcp,info
/system ntp client
set enabled=yes
# NOTE(review): the NTP server is enabled, and the "Allow UDP" input rule makes it reachable from
# every interface - restrict it to the networks that should sync from this router.
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=192.168.200.1
/system routerboard settings
set auto-upgrade=yes
# Scheduled jobs.
# NOTE(review): every entry except backup_mail runs with ftp, reboot, read, write, policy, test,
# password, sniff, sensitive and romon, which is far more than e.g. a reboot or a health check
# needs; reduce each job to the policies it uses.
# NOTE(review): Reinicio-1 and Reinicio-2 have no interval and a start-date of 2025-08-26, which
# is earlier than this export's date - they look like leftover one-shot reboots; remove if stale.
/system scheduler
add disabled=yes interval=4w2d name="Package upgrade" on-event="system package update install" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2019-06-19 start-time=19:19:19
add disabled=yes interval=4w2d name="Routerboard upgrade" on-event=":global Var1\r\n:global Var2\r\n:set Var1 \"\$[/system package get system version]\"\r\n:set Var2 \"\$[/system routerboard get current-firmware]\"\r\n:if (\$Var1>\$Var2) do={/system routerboard upgrade;\r\n/system reboot;\r\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2019-06-19 start-time=19:19:46
add interval=2w1d name=backup_mail on-event=backup_mail policy=reboot,read,write,test,sniff,sensitive,romon start-date=2023-04-05 start-time=04:00:00
add name=Reinicio-1 on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2025-08-26 start-time=05:00:00
add interval=10m name=Monitor_power on-event=voltmon policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2020-01-17 start-time=17:00:00
add name=Reinicio-2 on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2025-08-26 start-time=05:10:00
add disabled=yes interval=10m name=Monitor_power_test on-event=voltmon policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=1d name=dhcp_delete_30d on-event=dhcp_delete_30d policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2025-03-21 start-time=06:00:00
add interval=1d name=dhcp_dynamic-to-static on-event=dhcp_dynamic-to-static policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2025-03-20 start-time=05:00:00
/system script
# backup_mail: saves a system backup named <identity>-<time>, waits 10s and e-mails the file.
# NOTE(review): `/system backup save` is called without password=, so the backup is presumably
# not encrypted on this RouterOS version (TODO confirm). The file holds the router's full
# configuration, user database included, and is sent to an external mailbox. Set a backup
# password and send it to a mailbox the operator controls.
add dont-require-permissions=no name=backup_mail owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info \"backup beginning now\"\r\n:global backupfile ([/system identity get name] . \"-\" . [/system clock\_get time])\r\n/system backup save name=\$backupfile\r\n:log info \"backup pausing for 10s\"\r\n:delay 10s\r\n:log info \"backup being emailed\"\r\n/tool e-mail send to=puntonetinet@gmail.com subject=([/system identity get name] . \\ \" Backup\") from=\"MKT 3RA_Core (Distribucion y Acceso) \" file=\$backupfile \r\n:log info \"backup finished\""
# voltmon: reads temperature and voltage from /system health; logs and e-mails when temperature
# is >= 60, and e-mails plus calls a messaging-bot HTTPS API when voltage is <= 12.
# NOTE(review): the bot API token is hard-coded in the URL inside the script source, so anyone
# who can read this export or the script can post as the bot. Revoke it and keep the replacement
# out of exported configuration.
# NOTE(review): `/tool fetch` is called without check-certificate, so the server certificate is
# presumably not validated (TODO confirm the default on this version).
# NOTE(review): the low-voltage mail subject references \$nodo, which this script never defines,
# so that part of the subject will be empty. The "Temperature OK" message also lacks the \\C2
# byte that the two HIGH messages use before \\BA.
add dont-require-permissions=no name=voltmon owner=marcos policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/system health\r\n:local tempSystem [:tonum ([get [find where name=temperature]]->\"value\")]\r\n:local voltSystem ([get [find where name=voltage]]->\"value\")\r\n:local tempMax 60\r\n:local voltMin 12\r\n\r\n# Check Temperature\r\n:if (\$tempSystem >= \$tempMax) do={\r\n :log error \"HIGH Temperature: \$tempSystem\\C2\\BA\\43\"\r\n /tool e-mail send to=pozziandres@gmail.com cc=emi.puntonet@gmail.com\_subject=\"HIGH Temperature: \$tempSystem\\C2\\BA\\43\"\r\n} else={\r\n :log info \"Temperature OK: \$tempSystem\\BA\\43\"\r\n}\r\n\r\n# Check Voltage\r\n:if (\$voltSystem <= \$voltMin) do={\r\n # Enviar log\r\n #:log error \"LOW Voltage: \$voltSystem V\"\r\n # Enviar mail\r\n /tool e-mail send to=pozziandres@gmail.com cc=emi.puntonet@gmail.com subject=\"LOW Voltage: \$voltSystem V - Nodo: \$nodo\"\r\n # Enviar Telegram\r\n :local URL (\"https://api.telegram.org/bot8336052960:AAF-Iekdc8EbAD3nfpxiJSj6eQgKWnsxfIU/sendMessage\?chat_id=-373797011&text=LOW Voltage: \$voltSystem V - Nodo_3RA\");\r\n /tool fetch url=\$URL keep-result=no;\r\n} else={\r\n # Enviar log\r\n :log info \"Voltage OK: \$voltSystem V\"\r\n}"
# dhcp_delete_30d: removes every DHCP lease whose last-seen exceeds 30d and logs each removal.
# NOTE(review): the find filter has no dynamic/static condition, so static leases (including the
# ones created by dhcp_dynamic-to-static) are removed too once they have been idle for 30 days.
add dont-require-permissions=no name=dhcp_delete_30d owner=marcos policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local delete \"30d\"\r\n/ip dhcp-server lease\r\n:foreach id in=[find where last-seen>[:totime \$delete]] do={\r\n remove \$id\r\n :log info message=\"Eliminada asignaci\F3n DHCP con ID \$id que lleva m\E1s de 30 d\EDas\"\r\n}\r\n"
# dhcp_dynamic-to-static: converts every dynamic lease to static and logs the IP/MAC pair.
# NOTE(review): any device that obtains a lease is pinned automatically within a day; nothing
# here checks the device against an inventory, so static leases are not evidence of approval.
add dont-require-permissions=no name=dhcp_dynamic-to-static owner=marcos policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip dhcp-server lease\r\n:foreach lease in=[find where dynamic=yes] do={\r\n :local macAddress [get \$lease mac-address]\r\n :local ipAddress [get \$lease address]\r\n make-static \$lease\r\n :log info message=\"Cambiada IP din\E1mica a est\E1tica: \$ipAddress\_para MAC: \$macAddress\"\r\n}"
# Outbound mail for alerts and backups: port 465 with tls=yes. No password= value appears in the
# export.
/tool e-mail
set from="3RA_NODO (RB3011UiAS) " port=465 server=mail.puntonetinternet.com tls=yes user=noc@puntonetinternet.com
/tool graphing interface
add interface=vlan130
add interface=bridge_vlan210
add interface=ether5
# NOTE(review): no allow-address restriction is shown on the graphing entries, and the graphs
# are served by the www service, which the firewall exposes on 3380 - TODO confirm the default
# and restrict it if the graphs should not be public.
/tool graphing resource
add
# Netwatch probes (3m interval) that e-mail on state changes. Recipients are personal mailboxes
# written inline in each script.
# NOTE(review): in the last entry (power sensor 172.22.13.18) both scripts contain \r\n between
# the cc= list and from=, which puts from/subject/body on a separate script line. Verify that the
# power-failure and power-restored alerts are actually delivered with the intended subject.
/tool netwatch
add comment=3RA_AMO disabled=yes down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT 3RA_Core (Distribucion y Acceso) \" subject=\"3RA_AMO - Nodo 3RA - 172.22.13.30 is DOWN!\" body=\" \"" host=172.22.13.30 http-codes="" interval=3m test-script="" timeout=3m type=simple up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT 3RA_Core (Distribucion y Acceso) \" subject=\"3RA_AMO - Nodo 3RA - 172.22.13.30 is UP!\" body= \" \""
add comment=Core_PDG disabled=no down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT 3RA_Core (RB3011UiAS) \" subject=\"Pedregal_Core - Nodo PDG - 10.99.0.75 is DOWN\" body=\" \"" host=10.99.0.75 http-codes="" interval=3m test-script="" timeout=3m type=simple up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT 3RA_Core (RB3011UiAS) \" subject=\"Pedregal_Core - Nodo PDG - 10.99.0.75 is UP\" body=\" \""
add comment="MKT Geo_Core " disabled=yes down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT 3RA_Core (Distribucion y Acceso) \" subject=\"MKT Geo_Core - 10.10.0.76 is DOWN!\" body=\" \"" host=10.10.0.76 http-codes="" interval=3m test-script="" timeout=3m type=simple up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT 3RA_Core (Distribucion y Acceso) \" subject=\"MKT Geo_Core - 10.10.0.76 is UP!\" body=\" \""
add comment=3RA_Netonix disabled=no down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT 3RA_Core (RB3011UiAS) \" subject=\"3RA_Netonix - Nodo 3RA - 10.99.0.26 is DOWN\" body=\" \"" host=10.99.0.26 http-codes="" interval=3m test-script="" timeout=3m type=simple up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT 3RA_Core (RB3011UiAS) \" subject=\"3RA_Netonix - Nodo 3RA - 10.99.0.26 is UP\" body=\" \""
add comment="Sensor de Linea (TP-Link) - 172.22.13.18" disabled=no down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com,axelboliva2016@gmail.com,ignaciolucero578@gmail.com\r\n from=\"MKT 3RA_Core \" subject=\"CORTE DE ENERGIA EN NODO 3RA\" body=\" \"" host=172.22.13.18 http-codes="" interval=3m test-script="" timeout=3m type=simple up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com,axelboliva2016@gmail.com,ignaciolucero578@gmail.com\r\n from=\"MKT 3RA_Core \" subject=\"ENERGIA RESTABLECIDA EN NODO 3RA\" body= \" \""