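# model: CCR1036-8G-2S+
# serial-number: 91A509E11ADD
# firmware-type: tilegx
# current-firmware: 6.48.6
# installed-version: 6.48.6
# Flags: U - undoable, R - redoable, F - floating-undo
# ACTION BY POLICY
#
# software id = VGKH-6HG8
#
# model = CCR1036-8G-2S+
# serial number = 91A509E11ADD
#
# REVIEW NOTES (security):
#  * This export was produced without `hide-sensitive`: the IPsec PSK, PPP
#    passwords, RIP MD5 key, OSPF key, RoMON secret and SNMP community are all
#    in clear text below. Treat every one of them as compromised and rotate;
#    re-export with `/export hide-sensitive` in future.
#  * RouterOS 6.48.6 is an old build; check the vendor advisories and move to
#    a current long-term release (not verifiable from this file alone).
#  * Changes made in this revision are marked "FIX:".

/interface bridge
add fast-forward=no name=loopback

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=10M-full,100M-full,1000M-full comment=agg.p9 name=sfpplus1
set [ find default-name=sfp-sfpplus2 ] advertise=10M-full,100M-full,1000M-full comment=agg.p10 name=sfpplus2

# EoIP is plain GRE with no ipsec-secret, so the tunnel is neither
# authenticated nor encrypted. NOTE(review): local-address 93.171.5.1 does not
# appear under /ip address in this export - confirm the tunnel is actually up.
/interface eoip
add local-address=93.171.5.1 mac-address=02:F8:0A:5F:A5:C0 name=eoip-tunnel1 remote-address=91.231.206.80 tunnel-id=777

/interface vlan
add interface=sfpplus2 name=3363-Omega vlan-id=3363
add interface=sfpplus2 name=3401_UARNet-BACKUP vlan-id=3401
add interface=sfpplus2 name=3687_Uarnet vlan-id=3687
add interface=sfpplus1 name=4001-Backbone vlan-id=4001
add interface=sfpplus1 name=4002-khod.mgnt vlan-id=4002
add interface=sfpplus1 name=4004-khod.billing vlan-id=4004
add interface=sfpplus1 name=4005-p2p.nat.khodoriv vlan-id=4005

# "winbox" drives neighbor discovery and MAC-server; "OSPF_int" scopes the
# OSPF input accept rule.
/interface list
add name=winbox
add name=OSPF_int

/ip pool
add name=pool1 ranges=93.171.5.245

/ip dhcp-server
add address-pool=pool1 interface=4001-Backbone name=server1

/ppp profile
add change-tcp-mss=yes name=profile-pptp only-one=yes use-compression=no use-encryption=yes use-mpls=no use-upnp=no
add change-tcp-mss=yes dns-server=93.171.5.248,93.171.5.249 local-address=100.71.1.1 name=profile-SSTP only-one=yes rate-limit=10M/10M use-encryption=yes use-mpls=no use-upnp=no

/queue type
set 0 pfifo-limit=50000
set 1 pfifo-limit=50000
set 9 pfifo-limit=100000

/routing bgp instance
set default as=20536 router-id=146.158.74.1

/routing ospf area
set [ find default=yes ] disabled=yes

/routing ospf instance
set [ find default=yes ] disabled=yes router-id=93.171.5.1

# Community renamed away from "public" and restricted to two hosts; it is
# still SNMPv2c (plain text) and the string is exposed by this export.
/snmp community
set [ find default=yes ] addresses=146.158.74.12/32,95.46.108.3/32 name=snmpKhod

/system logging action
set 0 memory-lines=500
set 3 bsd-syslog=yes remote=93.171.5.254 src-address=93.171.5.241 syslog-facility=local0

/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"

/ip neighbor discovery-settings
set discover-interface-list=winbox

# FIX: use-ipsec=yes still accepts plain (unencrypted) L2TP; "required" only
# accepts L2TP inside IPsec. The PSK below is exposed by this export - rotate.
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 caller-id-type=number enabled=yes ipsec-secret=aeNgeePee0kei0cahVa8Eizah9Yae5 keepalive-timeout=10 mrru=1600 one-session-per-host=yes use-ipsec=required

/interface list member
add interface=4001-Backbone list=winbox
add interface=4001-Backbone list=OSPF_int
add interface=4002-khod.mgnt list=OSPF_int
add interface=4004-khod.billing list=OSPF_int
add interface=4005-p2p.nat.khodoriv list=OSPF_int
add interface=4002-khod.mgnt list=winbox
add interface=ether2 list=winbox
add interface=4005-p2p.nat.khodoriv list=winbox

# FIX: profile-pptp requires encryption (MPPE), which is only negotiated with
# MS-CHAP; plain CHAP cannot produce MPPE keys. The server is not enabled in
# this export and should stay that way (PPTP/MS-CHAPv2 is considered broken).
/interface pptp-server server
set authentication=mschap2 default-profile=profile-pptp

/interface sstp-server server
set authentication=mschap2 certificate=vpn.diminternet.lviv.ua default-profile=profile-SSTP enabled=yes force-aes=yes keepalive-timeout=30 max-mru=1400 max-mtu=1400 mrru=1600 tls-version=only-1.2

/ip address
add address=194.44.124.210/30 interface=3687_Uarnet network=194.44.124.208
add address=193.37.251.19 interface=3363-Omega network=193.37.251.18
add address=100.70.1.1/24 comment=4002-khod.mgnt interface=4002-khod.mgnt network=100.70.1.0
add address=192.168.10.1/24 interface=4004-khod.billing network=192.168.10.0
add address=194.44.14.18/30 comment=bgp-backup interface=3401_UARNet-BACKUP network=194.44.14.16
add address=146.158.74.1/27 interface=4005-p2p.nat.khodoriv network=146.158.74.0

/ip dhcp-server network
add address=93.171.5.240/28 dns-server=93.171.5.249,93.171.5.248 gateway=93.171.5.241 netmask=28

/ip dns
set servers=93.171.5.249

# NOTE(review): bgp-peer contains 80.93.124.193 and 10.140.65.161, which do
# not match any peer under /routing bgp peer in this export; if they are
# stale, remove them so TCP/179 is not open to them.
/ip firewall address-list
add address=95.213.0.0/18 list=blockedsites
add address=87.240.128.0/18 list=blockedsites
add address=95.142.192.0/21 list=blockedsites
add address=95.213.64.0/18 list=blockedsites
add address=93.186.224.0/21 list=blockedsites
add address=95.142.192.0/20 list=blockedsites
add address=185.32.248.0/22 list=blockedsites
add address=5.61.16.0/21 list=blockedsites
add address=217.20.149.62 list=blockedsites
add address=217.20.146.246 list=blockedsites
add address=217.20.150.253 list=blockedsites
add address=80.93.124.193 list=bgp-peer
add address=193.37.251.18 list=bgp-peer
add address=10.140.65.161 list=bgp-peer
add address=194.44.124.209 list=bgp-peer
add address=95.47.136.14 list=adm
add address=100.71.1.0/24 list=adm
add address=195.206.233.235 list=adm
add address=194.44.214.162 list=adm
add address=194.44.14.17 list=bgp-peer
add address=78.102.87.168 list=adm
add address=194.44.214.3 list=adm
add address=194.44.192.220 list=adm
add address=100.70.1.15 list=port25_allow
add address=10.0.0.0/8 list=SIP_allow
add address=195.206.233.246 list=adm
add address=95.46.108.0/24 list=adm
add address=145.224.100.1 list=adm
add address=145.224.100.42 list=adm
add address=91.225.37.78 list=adm
add address=91.225.37.81 list=adm
add address=146.158.75.2 list=adm
add address=146.158.74.0/24 list=SIP_allow
add address=146.158.75.3 list=adm
add address=146.158.74.0/27 list=adm
add address=146.158.75.0/24 list=SIP_allow
add address=95.46.108.0/24 list=SIP_allow
add address=91.225.37.79 comment=bohdan_request list=adm

/ip firewall filter
# FIX: fasttrack only established/related traffic so the first packet of every
# new connection is still evaluated by the forward drop rules below.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=input comment=VPN_ddos src-address=216.218.206.0/24
# Port-knock: tcp/12543 -> icmp -> udp/34125 -> tcp/28431 -> udp/43210 adds the
# source to SIP_allow for 8h. Each stage list lives only 5s.
add action=add-src-to-address-list address-list=stage_1 address-list-timeout=5s chain=input comment=knock_knock dst-address=146.158.74.1 dst-port=12543 protocol=tcp
add action=add-src-to-address-list address-list=stage_2 address-list-timeout=5s chain=input dst-address=146.158.74.1 protocol=icmp src-address-list=stage_1
add action=add-src-to-address-list address-list=stage_3 address-list-timeout=5s chain=input dst-address=146.158.74.1 dst-port=34125 protocol=udp src-address-list=stage_2
add action=add-src-to-address-list address-list=stage_4 address-list-timeout=5s chain=input dst-address=146.158.74.1 dst-port=28431 protocol=tcp src-address-list=stage_3
add action=add-src-to-address-list address-list=SIP_allow address-list-timeout=8h chain=input dst-address=146.158.74.1 dst-port=43210 protocol=udp src-address-list=stage_4
add action=accept chain=input comment=ICMP limit=50/5s,2:packet protocol=icmp
add action=accept chain=forward comment=DIC connection-state=established
add action=accept chain=forward connection-state=related
add action=accept chain=forward comment=SMTP dst-address-list=port25_allow
add action=accept chain=forward src-address-list=port25_allow
add action=drop chain=forward dst-port=25 protocol=tcp
# FIX: GRE was accepted from any source. The only GRE consumer in this export
# is eoip-tunnel1 (peer 91.231.206.80); the PPTP server is not enabled. Widen
# this rule if PPTP is ever turned on.
add action=accept chain=input comment=EoIP protocol=gre src-address=91.231.206.80
add action=accept chain=input comment=IKE/NAT-T dst-port=500,4500 protocol=udp
# FIX: L2TP control traffic only when it arrived inside an IPsec SA
# (matches use-ipsec=required on the L2TP server).
add action=accept chain=input comment=L2TP-over-IPsec dst-port=1701 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment=BGP dst-port=179 protocol=tcp src-address-list=bgp-peer
add action=accept chain=input comment=adm src-address-list=adm
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# FIX: OSPF and RIP accepts were placed AFTER the catch-all input drop and so
# were unreachable; they must precede it.
add action=accept chain=input comment=OSPF in-interface-list=OSPF_int protocol=ospf
add action=accept chain=input comment=RIP dst-port=520 protocol=udp src-address=146.158.74.2/31
# Catch-all for the router itself: anything not accepted above is dropped.
add action=drop chain=input connection-nat-state=!dstnat
add action=accept chain=forward src-address=100.71.1.0/24
add action=accept chain=forward src-address=100.70.1.0/24
add action=accept chain=forward src-address=192.168.10.2
add action=accept chain=forward dst-address=100.70.1.15
add action=accept chain=forward src-address=100.70.1.15
add action=accept chain=forward dst-address=192.168.10.2
add action=accept chain=forward dst-address=100.70.1.20 src-address-list=adm
add action=drop chain=forward dst-address=100.70.1.0/24
add action=drop chain=forward out-interface=4002-khod.mgnt
add action=accept chain=forward comment=access_2_billing disabled=yes dst-address=146.158.74.10 src-address=146.158.74.0/27
add action=accept chain=forward dst-address=146.158.74.10 src-address-list=adm
add action=accept chain=forward dst-address=146.158.74.10 dst-port=443 protocol=tcp
add action=accept chain=forward dst-address=146.158.74.10 dst-port=80 protocol=tcp
add action=accept chain=forward dst-address=146.158.74.10 dst-port=52222 protocol=tcp
add action=accept chain=forward dst-address=146.158.74.10 dst-port=5060 protocol=udp src-address-list=SIP_allow
add action=accept chain=forward dst-address=146.158.74.10 dst-port=5060 protocol=tcp src-address-list=SIP_allow
add action=accept chain=forward dst-address=146.158.74.10 dst-port=5061 protocol=udp src-address-list=SIP_allow
add action=accept chain=forward dst-address=146.158.74.10 dst-port=5061 protocol=tcp src-address-list=SIP_allow
add action=drop chain=forward dst-address=146.158.74.10
# NOTE(review): the forward chain has no final drop, so transit traffic not
# matched above is permitted by RouterOS default - by design for a transit
# router, but keep it in mind when adding services behind it.

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=100.71.1.0/24
add action=dst-nat chain=dstnat comment=QNAP_TMP disabled=yes dst-port=8081 protocol=tcp src-address-list=adm to-addresses=100.70.1.15 to-ports=443
add action=masquerade chain=srcnat disabled=yes dst-address=100.70.1.15 src-address-list=adm
add action=dst-nat chain=dstnat comment=TMP_pve2 disabled=yes dst-address=146.158.74.1 dst-port=8006 protocol=tcp to-addresses=100.70.1.20
add action=masquerade chain=srcnat disabled=yes dst-address=100.70.1.20
# NOTE(review): to-addresses=93.171.5.1 is not an address of this router in
# this export - confirm the SSTP/PPTP clients actually get translated.
add action=src-nat chain=srcnat comment=NAT_4_pptp dst-address=!100.70.1.0/24 src-address=100.71.1.0/24 to-addresses=93.171.5.1
add action=masquerade chain=srcnat src-address=100.70.1.0/24
add action=masquerade chain=srcnat comment=NAT_4_HW src-address=100.70.1.15
add action=dst-nat chain=dstnat dst-address=146.158.74.1 dst-port=8888 protocol=tcp src-address-list=adm to-addresses=100.70.1.15 to-ports=443
add action=masquerade chain=srcnat dst-address=100.70.1.15
add action=src-nat chain=srcnat src-address=192.168.10.0/24 to-addresses=146.158.74.1

/ip firewall service-port
set sip disabled=yes sip-timeout=5m

/ip route
add comment=novaposhta distance=1 dst-address=91.240.48.0/24 gateway=194.44.124.209
add comment=novaposhta distance=1 dst-address=91.240.50.0/24 gateway=194.44.124.209
add distance=1 dst-address=146.158.74.0/24 gateway=loopback
# FIX: the export carried this route twice; one copy removed.
add distance=1 dst-address=146.158.74.3/32 gateway=4005-p2p.nat.khodoriv
add comment=srcnat_nas-1 distance=1 dst-address=146.158.74.64/26 gateway=146.158.74.2
add comment=srcnat_nas-2 distance=1 dst-address=146.158.74.128/26 gateway=146.158.74.3
add comment=srcnat_nas-2 distance=1 dst-address=146.158.74.192/26 gateway=146.158.74.3
add distance=1 dst-address=146.158.75.0/24 gateway=loopback
add comment=https://portal.pfu.gov.ua/ distance=1 dst-address=212.1.76.113/32 gateway=194.44.124.209

# NOTE(review): www (plain HTTP) and winbox remain enabled and www-ssl is
# only given a certificate here (it stays disabled unless disabled=no is set).
# Reachability is limited by the input chain (adm list only); consider also
# pinning each service with address= as a second layer.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=mikroTik.ca.cert.pem_0
set api disabled=yes
set api-ssl disabled=yes

# FIX: allow-none-crypto=yes permitted SSH sessions with NO encryption;
# strong-crypto drops the weak cipher/HMAC/DH set. forwarding-enabled=remote
# is kept (lets an authenticated user bind listening ports on the router -
# disable if nothing depends on it).
/ip ssh
set allow-none-crypto=no forwarding-enabled=remote strong-crypto=yes

# NOTE(review): these passwords are short/guessable and are exposed by this
# export; rotate them and prefer certificate or long random passphrases.
/ppp secret
add name=Dyakiv1 password=19821993lv profile=profile-SSTP remote-address=100.71.1.10
add name=in password=KHOD-admin profile=profile-SSTP remote-address=100.71.1.13 service=sstp
add name=azart88 password=qpowf11 profile=profile-SSTP remote-address=100.71.1.11

/routing bgp network
add disabled=yes network=93.171.5.0/24 synchronize=no
add network=146.158.74.0/23 synchronize=no

/routing bgp peer
add in-filter=bgp-full-view-in name=Uar-net out-filter=bgp-uarnet-out remote-address=194.44.124.209 remote-as=3255 ttl=default
add in-filter=bgp-full-view-in keepalive-time=10s name=OmegaTelecom out-filter=bgp-omega-out remote-address=193.37.251.18 remote-as=199995 ttl=default
add in-filter=bgp-full-view-in-2 name=bgp-uarnet-backup out-filter=bgp-uarnet-out-2 remote-address=194.44.14.17 remote-as=3255 ttl=default

/routing filter
add action=discard chain=AS199995-in prefix=10.0.10.0/24
add action=accept chain=AS3255-bgp-in set-bgp-prepend-path=2
add action=accept chain=AS199995-in
add action=discard chain=AS199995-out
add action=discard chain=AS3255-bgp-out
add action=accept chain=bgp-omega-out prefix=146.158.74.0/23 prefix-length=23 set-bgp-med=100
add action=accept chain=bgp-omega-out prefix=146.158.74.0/24 prefix-length=24 set-bgp-med=100
add action=accept chain=bgp-uarnet-out prefix=146.158.74.0/23 prefix-length=23 set-bgp-med=100
add action=accept chain=bgp-uarnet-out prefix=146.158.74.0/24 prefix-length=24 set-bgp-med=100
add action=accept chain=bgp-default-in prefix=0.0.0.0/0 set-bgp-local-pref=300 set-bgp-weight=200
add action=discard chain=bgp-default-in
add action=discard chain=bgp-omega-in prefix=10.0.0.0/8 prefix-length=0-128
add action=discard chain=bgp-omega-in prefix=192.168.0.0/16 prefix-length=0-128
add action=discard chain=bgp-omega-in prefix=172.16.0.0/12 prefix-length=0-128
add action=discard chain=bgp-omega-in prefix=169.254.0.0/16 prefix-length=0-128
add action=discard chain=bgp-omega-in prefix=224.0.0.0/4 prefix-length=0-128
add action=discard chain=bgp-omega-in prefix=240.0.0.0/4 prefix-length=0-128
add action=discard chain=bgp-omega-in prefix=127.0.0.0/8 prefix-length=0-128
# Inbound filter used by both primary upstreams.
add action=discard chain=bgp-full-view-in prefix=10.0.0.0/8 prefix-length=0-128
add action=discard chain=bgp-full-view-in prefix=192.168.0.0/16 prefix-length=0-128
add action=discard chain=bgp-full-view-in prefix=172.16.0.0/12 prefix-length=0-128
add action=discard chain=bgp-full-view-in prefix=169.254.0.0/16 prefix-length=0-128
add action=discard chain=bgp-full-view-in prefix=224.0.0.0/4 prefix-length=0-128
add action=discard chain=bgp-full-view-in prefix=240.0.0.0/4 prefix-length=0-128
add action=discard chain=bgp-full-view-in prefix=127.0.0.0/8 prefix-length=0-128
# FIX: never accept our own aggregate (146.158.74.0/23) or any more-specific
# of it from a peer (hijack/route-leak protection), drop CGNAT space (the
# 100.70/100.71 management and VPN ranges live there) and drop prefixes
# longer than /24.
add action=discard chain=bgp-full-view-in comment=own-prefix prefix=146.158.74.0/23 prefix-length=23-32
add action=discard chain=bgp-full-view-in comment=cgnat prefix=100.64.0.0/10 prefix-length=10-32
add action=discard chain=bgp-full-view-in comment=too-specific prefix=0.0.0.0/0 prefix-length=25-32
add action=accept chain=bgp-full-view-in set-bgp-local-pref=200
add action=accept chain=ospf-in prefix=10.0.0.0/8 prefix-length=24
add action=discard chain=ospf-in
add action=discard chain=ospf-in prefix=0.0.0.0/0 prefix-length=0-128
add action=discard chain=ospf-out
add action=discard chain=ospf-out prefix=0.0.0.0/0 prefix-length=0-128
add action=discard chain=bgp-omega-in prefix=91.240.50.0/24
add action=discard chain=bgp-omega-in prefix=91.240.50.0/24 prefix-length=24
add action=accept chain=bgp-omega-in
# FIX: the backup-upstream inbound chain accepted everything with no bogon or
# own-prefix filtering at all; bring it in line with bgp-full-view-in.
add action=discard chain=bgp-full-view-in-2 prefix=10.0.0.0/8 prefix-length=0-128
add action=discard chain=bgp-full-view-in-2 prefix=192.168.0.0/16 prefix-length=0-128
add action=discard chain=bgp-full-view-in-2 prefix=172.16.0.0/12 prefix-length=0-128
add action=discard chain=bgp-full-view-in-2 prefix=169.254.0.0/16 prefix-length=0-128
add action=discard chain=bgp-full-view-in-2 prefix=224.0.0.0/4 prefix-length=0-128
add action=discard chain=bgp-full-view-in-2 prefix=240.0.0.0/4 prefix-length=0-128
add action=discard chain=bgp-full-view-in-2 prefix=127.0.0.0/8 prefix-length=0-128
add action=discard chain=bgp-full-view-in-2 comment=own-prefix prefix=146.158.74.0/23 prefix-length=23-32
add action=discard chain=bgp-full-view-in-2 comment=cgnat prefix=100.64.0.0/10 prefix-length=10-32
add action=discard chain=bgp-full-view-in-2 comment=too-specific prefix=0.0.0.0/0 prefix-length=25-32
add action=accept chain=bgp-full-view-in-2 set-bgp-local-pref=100
add action=accept chain=bgp-uarnet-out-2 prefix=146.158.74.0/23 prefix-length=23 set-bgp-med=100 set-bgp-prepend-path=20536
add action=accept chain=bgp-uarnet-out-2 prefix=146.158.74.0/24 prefix-length=24 set-bgp-med=100
add action=accept chain=bgp-uarnet-out-2 prefix=146.158.75.0/24 prefix-length=24 set-bgp-med=100
add action=discard chain=bgp-uarnet-out-2 set-bgp-med=200 set-bgp-prepend-path=20536
add action=accept chain=bgp-uarnet-out prefix=146.158.75.0/24 prefix-length=24 set-bgp-med=100
add action=discard chain=bgp-uarnet-out set-bgp-med=100
add action=accept chain=bgp-omega-out prefix=146.158.75.0/24 prefix-length=24 set-bgp-med=100 set-bgp-prepend-path=20536
add action=discard chain=bgp-omega-out

# Disabled. If re-enabled, switch authentication=simple (clear-text key on
# the wire) to md5 and pick a new key - this one is exposed by the export.
/routing ospf interface
add authentication=simple authentication-key=khodoriv disabled=yes interface=4005-p2p.nat.khodoriv network-type=broadcast

/routing ospf network
add area=backbone disabled=yes network=10.0.0.0/8
add area=backbone disabled=yes network=93.171.5.0/29
add area=backbone disabled=yes network=172.16.0.0/12
add area=backbone disabled=yes network=192.168.0.0/24

/routing prefix-lists
add chain=rip-in prefix=10.0.0.0/8 prefix-length=0-24
add chain=rip-in prefix=146.158.74.0/23
add action=discard chain=rip-in prefix-length=0-128
add action=discard chain=rip-in
add action=discard chain=rip-out prefix-length=0-128
add action=discard chain=rip-out
add chain=RIP-in

# RIP key is exposed by this export - rotate.
/routing rip interface
add authentication=md5 authentication-key=3636d9f13dfdcbe8dd0d4466277381e3 in-prefix-list=rip-in interface=4005-p2p.nat.khodoriv out-prefix-list=rip-out receive=v2

/routing rip neighbor
add address=93.171.5.2
add address=93.171.5.3
add address=93.171.5.4
add address=146.158.74.2
add address=146.158.74.3

/routing rip network
add network=93.171.5.0/29
add network=146.158.74.0/27

/snmp
set contact=hostmaster enabled=yes location=Khodoriv trap-version=3

/system clock
set time-zone-name=Europe/Kiev

/system identity
set name="khod #BGP"

/system logging
set 3 topics=info
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
add action=remote topics=critical

/system ntp client
set enabled=yes server-dns-names=0.ua.pool.ntp.org,1.ua.pool.ntp.org,2.ua.pool.ntp.org

# FIX: authenticate=no allowed anyone who can reach the router to run
# bandwidth tests against it (CPU/link exhaustion). Disable the service
# entirely (enabled=no) if it is not used.
/tool bandwidth-server
set authenticate=yes

/tool mac-server
set allowed-interface-list=winbox

/tool mac-server mac-winbox
set allowed-interface-list=winbox

/tool mac-server ping
set enabled=no

# RoMON secret is exposed by this export - rotate.
/tool romon
set enabled=yes secrets=khodROMON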