# RouterOS 6.49.18 configuration export for a hEX (RB750Gr3) node router,
# preceded by the device header and undo history captured with the export.
# NOTE(review): this export includes the serial number, software ID, admin
# account names and personal e-mail addresses; scrub them before the file
# leaves the operations team.
# routerboard: yes
# board-name: hEX
# model: RB750Gr3
# serial-number: 8B0109DAF248
# firmware-type: mt7621L
# factory-firmware: 3.41
# current-firmware: 6.49.18
# upgrade-firmware: 6.49.18
#
# channel: long-term
# installed-version: 6.49.18
#
# Flags: U - undoable, R - redoable, F - floating-undo
# ACTION BY POLICY
# U SNTP client configuration changed marcos write
# U device changed emilio write
# U device changed emilio write
# U user group pnet changed marcos write
# policy
# U ip service changed marcos write
# U ip service changed marcos write
# U dns changed marcos write
# U device changed marcos write
# U device changed andres write
# U device changed andres write
# U script removed andres write
# U script removed andres write
# U script removed andres write
# U script removed andres write
# U script removed andres write
# U user fabian removed andres write
# policy
# U item changed andres write
#
# software id = PCLB-YEMA
#
# model = RB750Gr3
# serial number = 8B0109DAF248
/interface bridge
add dhcp-snooping=yes fast-forward=no igmp-snooping=yes igmp-version=3 multicast-querier=yes name=bridge_LAN
add name=bridge_vlan99
/interface ethernet
set [ find default-name=ether1 ] comment="Servicio casa/negocio"
set [ find default-name=ether2 ] comment="Enlace 2 SB - DOWN"
set [ find default-name=ether3 ] comment=Pbox1
set [ find default-name=ether4 ] comment="Sensor de Linea (TP-Link) - 172.22.5.42"
set [ find default-name=ether5 ] comment="MGMT - UNTAGGED VLAN99"
/interface vlan
add interface=ether2 name=vlan50 vlan-id=50
add interface=ether2 name=vlan99 vlan-id=99
/interface list
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
# SNMP community "pnet", limited to two source addresses in 192.168.200.0/24.
# NOTE(review): authentication-protocol/encryption-protocol are set but no
# security= value appears in this export (presumably still the default), so
# SNMPv3 auth/privacy may not actually be enforced; confirm. The /snmp section
# below sends traps with trap-version=2, which carries the community string
# unencrypted.
/snmp community
add addresses=192.168.200.253/32,192.168.200.155/32 authentication-protocol=SHA1 encryption-protocol=AES name=pnet
# Log targets: five rotating on-disk files plus two remote syslog receivers.
/system logging action
add disk-file-count=5 disk-file-name=Error name=ErrorLogs target=disk
add disk-file-count=5 disk-file-name=Info name=InfoLogs target=disk
add disk-file-count=5 disk-file-name=Critical name=CriticalLogs target=disk
add disk-file-count=5 disk-file-name=Interfaces name=InterfacesLogs target=disk
add disk-file-count=5 disk-file-name=Warning name=WarningLogs target=disk
add name=DudeLogs remote=192.168.200.253 target=remote
add bsd-syslog=yes name=GrayLogs remote=192.168.200.194 remote-port=1514 syslog-facility=syslog target=remote
# User groups. "oxidized" is read-only over SSH (ssh,read only).
# NOTE(review): group "pnet" differs from "full" only by !password; it keeps
# policy, sensitive, sniff and romon, and still lists telnet/ftp/api although
# those services are disabled under /ip service. Trim it to what its members
# need.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
add name=dude policy="local,reboot,read,write,test,winbox,web,dude,!telnet,!ssh,!ftp,!policy,!password,!sniff,!sensitive,!api,!romon,!tikapp"
add name=oxidized policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
add name=pnet policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,web,sniff,sensitive,api,romon,dude,tikapp,!password"
#error exporting /interface bridge calea
# Bridge filter: drops forwarding between every pair of bridge_LAN ports
# (ether1, ether3, ether4), so hosts on those ports cannot reach each other at
# layer 2 and can only talk to the router.
/interface bridge filter
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether1 out-bridge=bridge_LAN out-interface=ether3
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether1 out-bridge=bridge_LAN out-interface=ether4
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether3 out-bridge=bridge_LAN out-interface=ether1
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether3 out-bridge=bridge_LAN out-interface=ether4
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether4 out-bridge=bridge_LAN out-interface=ether1
add action=drop chain=forward in-bridge=bridge_LAN in-interface=ether4 out-bridge=bridge_LAN out-interface=ether3
/interface bridge port
add bridge=bridge_LAN interface=ether1
add bridge=bridge_LAN interface=ether3
add bridge=bridge_LAN interface=ether4
add bridge=bridge_vlan99 interface=ether5
add bridge=bridge_vlan99 interface=vlan99
# Neighbor discovery is limited to the MGMT interface list.
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set tcp-syncookies=yes
# NOTE(review): ether4 is a bridge_LAN port (see /interface bridge port) and is
# also placed in MGMT, so discovery is active on that LAN-side port; confirm
# this is intended.
/interface list member
add interface=bridge_vlan99 list=MGMT
add interface=ether4 list=MGMT
/ip address
add address=172.22.5.1/24 interface=bridge_LAN network=172.22.5.0
add address=10.10.0.126/29 interface=vlan50 network=10.10.0.120
add address=10.99.0.74/24 comment=MGMT interface=bridge_vlan99 network=10.99.0.0
/ip dhcp-relay
add dhcp-server=10.10.0.121 disabled=no interface=bridge_LAN local-address=172.22.5.1 name=Relay_BRS
/ip dns
set servers=8.8.8.8,2001:4860:4860::8888,1.1.1.1,2606:4700:4700::1111
# Address list "nodos-privadas": private ranges of the other nodes, used by the
# forward-chain drop rule below.
/ip firewall address-list
add address=172.22.0.0/24 comment=R60 list=nodos-privadas
add address=172.22.8.0/23 comment=R50 list=nodos-privadas
add address=172.22.4.0/24 comment=SR list=nodos-privadas
add address=172.22.6.0/23 comment=SB list=nodos-privadas
add address=172.22.12.0/24 comment=PEDREGAL list=nodos-privadas
add address=172.22.2.0/23 comment=FLB list=nodos-privadas
add address=172.22.11.0/24 comment=FO list=nodos-privadas
add address=172.22.13.0/24 comment=3RA list=nodos-privadas
add address=172.22.15.0/24 comment=JDN list=nodos-privadas
add address=172.22.14.0/24 comment=BNT list=nodos-privadas
add address=172.22.1.0/24 comment=MEC-CMP list=nodos-privadas
add address=172.22.10.0/24 comment=RDM list=nodos-privadas
add address=172.22.16.0/24 comment=MLK list=nodos-privadas
add address=172.22.17.0/24 comment=VQZ list=nodos-privadas
add address=172.22.18.0/24 comment=CBL list=nodos-privadas
add address=172.16.0.0/23 comment=GPON_SB list=nodos-privadas
add address=172.16.2.0/23 comment=GPON_R50 list=nodos-privadas
add address=172.16.4.0/23 comment=GPON_FO list=nodos-privadas
add address=172.16.6.0/23 comment=GPON_FLB list=nodos-privadas
#error exporting /ip firewall calea
# Input chain (traffic to the router itself), ending in a default drop.
# NOTE(review): "Allow UDP" accepts every UDP packet on every interface with no
# source, port or interface match, so any UDP service on the router (SNMP is
# enabled below) is reachable from bridge_LAN, whose ether1 comment suggests a
# customer-facing port. Narrow it to the ports and interfaces actually needed.
# NOTE(review): "Allow Winbox" (tcp 3380,8240,8291) and "BW test" (tcp 2000)
# have no in-interface or src-address match, unlike the Oxidized SSH rule, and
# /ip service shows no address restriction for winbox. Restrict both to the
# management side (e.g. in-interface=bridge_vlan99 or a source address list).
# No service in this export is shown listening on 3380 or 8240; confirm they
# are needed.
# NOTE(review): the syn-flood jump and the "Log everything else" rule are
# disabled, so packets dropped by the final input rule are not logged.
# Forward chain: only the nodos-privadas drop and the SYN limiter exist; there
# is no default drop. limit=400,5:packet is one shared budget, not per source,
# so when it is exhausted new TCP connections from every host are dropped.
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=accept chain=input comment="Allow Established/Related/Untracked connections" connection-state=established,related,untracked
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment=Oxidized dst-port=22 in-interface=bridge_vlan99 protocol=tcp
add action=accept chain=input comment="Allow Winbox" dst-port=3380,8240,8291 protocol=tcp
add action=accept chain=input comment="BW test" dst-port=2000 protocol=tcp
add action=jump chain=input comment="synflood policy3" disabled=yes jump-target=syn-flood protocol=tcp tcp-flags=syn
add action=accept chain=syn-flood disabled=yes limit=100,5:packet
add action=drop chain=syn-flood disabled=yes
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="Drop para trafico dirigido a las redes PRIVADAS de los NODOS (Address Lists)" dst-address-list=nodos-privadas src-address=172.22.5.0/24
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
# Source-address validation: anything entering bridge_LAN with a source outside
# 172.22.5.0/24 is dropped before connection tracking.
/ip firewall raw
add action=drop chain=prerouting comment="BCP38 - BRS" in-interface=bridge_LAN src-address=!172.22.5.0/24
# All connection-tracking helpers are disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=10 gateway=10.10.0.121
add comment=RED_VPN distance=1 dst-address=10.100.0.0/24 gateway=10.99.0.1
add comment="Red VPN-WireGuard" distance=1 dst-address=10.100.2.0/24 gateway=10.99.0.1
add comment="Red DMZ" distance=1 dst-address=192.168.200.0/24 gateway=10.99.0.1
# Management services: telnet, ftp, www, api and api-ssl are off; ssh is bound
# to a single source address.
# NOTE(review): there is no "set winbox address=..." line, so Winbox has no
# service-level source restriction; together with the unrestricted "Allow
# Winbox" input rule, the login prompt is reachable from any network that can
# route to this router.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.200.155/32
set api disabled=yes
set api-ssl disabled=yes
/snmp
set contact=pnet@puntonetinternet.com enabled=yes location="Nodo BRS" trap-community=pnet trap-generators=interfaces trap-interfaces=bridge_vlan99 trap-version=2
/system clock
set time-zone-name=America/Argentina/Mendoza
/system identity
set name="BRS_Nodo (750Gr3)"
# Default log rules 0-3 write to the disk actions; interface and account topics
# are also sent to the GrayLogs remote syslog target.
/system logging
set 0 action=InfoLogs
set 1 action=ErrorLogs
set 2 action=WarningLogs
set 3 action=CriticalLogs
add action=GrayLogs topics=interface
add action=GrayLogs topics=account
/system ntp client
set enabled=yes primary-ntp=192.168.200.1 secondary-ntp=10.99.0.1
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes
# Scheduled jobs.
# NOTE(review): every entry carries the same broad policy set (including
# password, sensitive, sniff, romon) even where the job only reboots; reduce
# each to the policies its on-event actually needs.
# NOTE(review): on-event=backup_mail and on-event=InterfaceState name scripts
# that are not defined in the /system script section of this export (only
# voltmon is), and the undo history above records five "script removed"
# actions. The enabled backup-by-mail job may therefore be doing nothing;
# verify that backups are still being produced.
# Reinicio-1 and Reinicio-2 have a start-date but no interval.
/system scheduler
add interval=2w1d name="Envio de Backups por Correo" on-event=backup_mail policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=apr/05/2023 start-time=04:00:00
add disabled=yes interval=4w2d name="Package upgrade" on-event="system package update install" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/12/2019 start-time=05:05:00
add disabled=yes interval=4w2d name="Routerboard Upgrade" on-event=":global Var1\r\n:global Var2\r\n:set Var1 \"\$[/system package get system version]\"\r\n:set Var2 \"\$[/system routerboard get current-firmware]\"\r\n:if (\$Var1>\$Var2) do={/system routerboard upgrade;\r\n/system reboot;\r\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/12/2019 start-time=05:10:00
add name=Reinicio-1 on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=apr/12/2025 start-time=05:00:00
add disabled=yes interval=30s name=InterfaceState on-event=InterfaceState policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=10m name=Monitor_power on-event=voltmon policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add name=Reinicio-2 on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=apr/12/2025 start-time=05:10:00
add disabled=yes interval=10m name=Monitor_power_test on-event=voltmon policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
# voltmon: reads /system health voltage, tracks min/max and a history array in
# global variables, and e-mails an alert when voltage <= lowvoltalarm (210).
# NOTE(review): the final statement invokes ":voltajereport", which is not
# defined anywhere in this export; that branch (taken when the hour is "23")
# presumably fails; confirm, and restore or remove it.
# NOTE(review): the alert recipient is a hard-coded personal mailbox, and the
# script's policy set is far wider than reading health data and sending mail
# requires.
/system script
add dont-require-permissions=no name=voltmon owner=marcos policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global lowvoltalarm 210\r\n:global highvolt\r\n:global lowvolt\r\n:global starttime\r\n:global hivolttime\r\n:global lovolttime\r\n:global vh\r\n:local thisbox [/system identity get name]\r\n:global voltage [/system health get voltage]\r\n:local thistime [/system clock get time]\r\n:local thisdate [/system clock get date]\r\n:local thishour [:pick \$thistime 0 2]\r\n:local emessage (\$thisbox . \" voltage is \" . [:pick \$voltage 0 2] . \".\" . [:pick \$voltage 2 3])\r\n:if ([:len \$lowvolt] < 1) do={:set lowvolt 999; :set highvolt 0}\r\n# set your email address in the next line\r\n:if (\$voltage <= \$lowvoltalarm) do={/tool e-mail send to=mjbenegas@gmail.com subject=\"\$thisbox low voltage\" body=\$emessage}\r\n:if (\$voltage > \$highvolt) do={:set highvolt \$voltage; :set hivolttime (\$thistime . \" \" . \$thisdate)}\r\n:if (\$voltage < \$lowvolt) do={:set lowvolt \$voltage; :set lovolttime (\$thistime . \" \" . \$thisdate)}\r\n:if ([:len \$vh] > 0) do={:set vh ([:toarray \$voltage] + \$vh)} else={:set vh [:toarray \$voltage]}\r\n:if ([:len \$starttime] < 1) do={:set starttime (\$thistime . \" \" . \$thisdate)}\r\n:if (\$thishour = \"23\") do={:voltajereport}"
/system watchdog
set automatic-supout=no ping-start-after-boot=1m40s ping-timeout=10s watchdog-timer=no
# Outbound mail account used by the alert scripts; the password is masked in
# this export.
# NOTE(review): port=465 is conventionally implicit TLS, while start-tls=yes
# may allow continuing without TLS if negotiation is unavailable; confirm the
# behaviour on this RouterOS version and prefer the strict TLS-only setting so
# the SMTP credentials are never sent in clear text.
/tool e-mail
set address=mail.puntonetinternet.com from="BRS_NODO (750Gr3) " password=***** port=465 start-tls=yes user=noc@puntonetinternet.com
/tool graphing interface
add interface=vlan50
# Netwatch probes: each host is checked every 3 minutes and an e-mail is sent
# on state change.
# NOTE(review): the BRS_NorteAC entry (172.22.5.71) uses "BRS_NorOesteAC" in
# both subjects, which looks like a copy/paste slip and would mislabel the
# alert; confirm and correct.
# NOTE(review): recipients are hard-coded personal mailboxes repeated in every
# script; a single role address would be easier to maintain when staff change.
/tool netwatch
add comment=BRS_SurAC down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT BRS_Nodo (750Gr3)\_\" subject=\"BRS_SurAC - Nodo BRS - 172.22.5.38 is DOWN\" body=\" \"" host=172.22.5.38 interval=3m up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT BRS_Nodo (750Gr3) \" subject=\"BRS_SurAC - Nodo BRS - 172.22.5.38 is UP\" body = \" \""
add comment=BRS_AMO down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT BRS_Nodo (750Gr3) \" subject=\"BRS_AMO - Nodo BRS - 172.22.5.11 is DOWN\" body=\" \"" host=172.22.5.11 interval=3m up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT BRS_Nodo (750Gr3) \" subject=\"BRS_AMO - Nodo BRS - 172.22.5.11 is UP\" body = \" \""
add comment=BRS_NorOesteAC down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT BRS_Nodo (750Gr3) \" subject=\"BRS_NorOesteAC - Nodo BRS - 172.22.5.57 is DOWN\" body=\" \"" host=172.22.5.57 interval=3m up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT BRS_Nodo (750Gr3) \" subject=\"BRS_NorOesteAC - Nodo BRS - 172.22.5.57 is UP\" body = \" \""
add comment=BRS_NorteAC down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT BRS_Nodo (750Gr3) \" subject=\"BRS_NorOesteAC - Nodo BRS - 172.22.5.71 is DOWN\" body=\" \"" host=172.22.5.71 interval=3m up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com from=\"MKT BRS_Nodo (750Gr3) \" subject=\"BRS_NorOesteAC - Nodo BRS - 172.22.5.71 is UP\" body = \" \""
add comment="Sensor de Linea (OpenWrt) - 172.22.5.42" down-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com,axelboliva2016@gmail.com from=\"MKT BRS_Nodo (750Gr3) \" subject=\"Sensor de Linea - Nodo BRS - 172.22.5.42 is DOWN!\"\_body = \" \"" host=172.22.5.42 interval=3m up-script="/tool e-mail send to=pozziandres@gmail.com cc=mjbenegas@gmail.com,emi.puntonet@gmail.com,axelboliva2016@gmail.com from=\"MKT BRS_Nodo (750Gr3) \" subject=\"Sensor de Linea - Nodo BRS - 172.22.5.42 is UP!\" body = \" \""