# RouterOS 7.20.4 configuration export for one RB962UiGS-5HacT2HnT, preceded by
# routerboard details and the undo-history listing, all captured as comments.
#
# NOTE(review): this export carries credentials in clear text: the PPPoE
# password, five WireGuard private keys, the WPA2 pre-shared key, the SNMP
# community name and the RoMON secret. Any copy that leaves the device should
# be produced without show-sensitive, and the values printed here should be
# rotated once the file has been shared.
#
# model: RB962UiGS-5HacT2HnT
# serial-number: CC4F0F632382
# firmware-type: qca9550L
# current-firmware: 7.20.4
# installed-version: 7.20.4
#
# Undo history. Every entry below is "dns changed" by adminKPP, roughly 30 s
# apart, which matches the 30 s scheduler that runs CheckDNSFailover further
# down: each branch of that script calls "/ip dns set servers=...".
# NOTE(review): the periodic entries appear to push any other configuration
# change out of this listing, so it is of little use as an audit trail.
# Flags: U - UNDOABLE
# Columns: ACTION, BY, POLICY, TIME
# ACTION BY POLICY TIME
# U dns changed adminKPP write 2026-03-26 11:12:45
# U dns changed adminKPP write 2026-03-26 11:12:15
# U dns changed adminKPP write 2026-03-26 11:11:45
# U dns changed adminKPP write 2026-03-26 11:11:15
# U dns changed adminKPP write 2026-03-26 11:10:45
# U dns changed adminKPP write 2026-03-26 11:10:15
# U dns changed adminKPP write 2026-03-26 11:09:45
# U dns changed adminKPP write 2026-03-26 11:09:15
# U dns changed adminKPP write 2026-03-26 11:08:45
# U dns changed adminKPP write 2026-03-26 11:08:15
# U dns changed adminKPP write 2026-03-26 11:07:45
# U dns changed adminKPP write 2026-03-26 11:07:15
# U dns changed adminKPP write 2026-03-26 11:06:45
# U dns changed adminKPP write 2026-03-26 11:06:15
# U dns changed adminKPP write 2026-03-26 11:05:45
# U dns changed adminKPP write 2026-03-26 11:05:15
# U dns changed adminKPP write 2026-03-26 11:04:45
# U dns changed adminKPP write 2026-03-26 11:04:15
# U dns changed adminKPP write 2026-03-26 11:03:45
# U dns changed adminKPP write 2026-03-26 11:03:15
# U dns changed adminKPP write 2026-03-26 11:02:45
# U dns changed adminKPP write 2026-03-26 11:02:16
# U dns changed adminKPP write 2026-03-26 11:01:46
# U dns changed adminKPP write 2026-03-26 11:01:15
# U dns changed adminKPP write 2026-03-26 11:00:45
# U dns changed adminKPP write 2026-03-26 11:00:15
# U dns changed adminKPP write 2026-03-26 10:59:45
# U dns changed adminKPP write 2026-03-26 10:59:15
# U dns changed adminKPP write 2026-03-26 10:58:45
# U dns changed adminKPP write 2026-03-26 10:58:15
# U dns changed adminKPP write 2026-03-26 10:57:45
# U dns changed adminKPP write 2026-03-26 10:57:15
# U dns changed adminKPP write 2026-03-26 10:56:45
# U dns changed adminKPP write 2026-03-26 10:56:15
# U dns changed adminKPP write 2026-03-26 10:55:45
# U dns changed adminKPP write 2026-03-26 10:55:15
# U dns changed adminKPP write 2026-03-26 10:54:45
# U dns changed adminKPP write 2026-03-26 10:54:15
# U dns changed adminKPP write 2026-03-26 10:53:46
# U dns changed adminKPP write 2026-03-26 10:53:15
# U dns changed adminKPP write 2026-03-26 10:52:45
# U dns changed adminKPP write 2026-03-26 10:52:15
# U dns changed adminKPP write 2026-03-26 10:51:45
# U dns changed adminKPP write 2026-03-26 10:51:15
# U dns changed adminKPP write 2026-03-26 10:50:45
# U dns changed adminKPP write 2026-03-26 10:50:15
# U dns changed adminKPP write 2026-03-26 10:49:45
# U dns changed adminKPP write 2026-03-26 10:49:15
# U dns changed adminKPP write 2026-03-26 10:48:45
# U dns changed adminKPP write 2026-03-26 10:48:15
# U dns changed adminKPP write 2026-03-26 10:47:45
# U dns changed adminKPP write 2026-03-26 10:47:15
# U dns changed adminKPP write 2026-03-26 10:46:45
# U dns changed adminKPP write 2026-03-26 10:46:15
# U dns changed adminKPP write 2026-03-26 10:45:45
# U dns changed adminKPP write 2026-03-26 10:45:15
# U dns changed adminKPP write 2026-03-26 10:44:45
# U dns changed adminKPP write 2026-03-26 10:44:15
# U dns changed adminKPP write 2026-03-26 10:43:45
# U dns changed adminKPP write 2026-03-26 10:43:15
# U dns changed adminKPP write 2026-03-26 10:42:45
# U dns changed adminKPP write 2026-03-26 10:42:15
# U dns changed adminKPP write 2026-03-26 10:41:45
# U dns changed adminKPP write 2026-03-26 10:41:15
# U dns changed adminKPP write 2026-03-26 10:40:45
# U dns changed adminKPP write 2026-03-26 10:40:15
# U dns changed adminKPP write 2026-03-26 10:39:45
# U dns changed adminKPP write 2026-03-26 10:39:15
# U dns changed adminKPP write 2026-03-26 10:38:45
# U dns changed adminKPP write 2026-03-26 10:38:15
# U dns changed adminKPP write 2026-03-26 10:37:45
# U dns changed adminKPP write 2026-03-26 10:37:16
# U dns changed adminKPP write 2026-03-26 10:36:45
# U dns changed adminKPP write 2026-03-26 10:36:15
# U dns changed adminKPP write 2026-03-26 10:35:45
# U dns changed adminKPP write 2026-03-26 10:35:15
# U dns changed adminKPP write 2026-03-26 10:34:45
# U dns changed adminKPP write 2026-03-26 10:34:15
# U dns changed adminKPP write 2026-03-26 10:33:45
# U dns changed adminKPP write 2026-03-26 10:33:15
# U dns changed adminKPP write 2026-03-26 10:32:45
# U dns changed adminKPP write 2026-03-26 10:32:15
# U dns changed adminKPP write 2026-03-26 10:31:45
# U dns changed adminKPP write 2026-03-26 10:31:15
# U dns changed adminKPP write 2026-03-26 10:30:45
# U dns changed adminKPP write 2026-03-26 10:30:15
# U dns changed adminKPP write 2026-03-26 10:29:45
# U dns changed adminKPP write 2026-03-26 10:29:15
# U dns changed adminKPP write 2026-03-26 10:28:45
# U dns changed adminKPP write 2026-03-26 10:28:15
# U dns changed adminKPP write 2026-03-26 10:27:45
# U dns changed adminKPP write 2026-03-26 10:27:15
# U dns changed adminKPP write 2026-03-26 10:26:45
# U dns changed adminKPP write 2026-03-26 10:26:15
# U dns changed adminKPP write 2026-03-26 10:25:45
# U dns changed adminKPP write 2026-03-26 10:25:15
# U dns changed adminKPP write 2026-03-26 10:24:45
# U dns changed adminKPP write 2026-03-26 10:24:15
# U dns changed adminKPP write 2026-03-26 10:23:45
# U dns changed adminKPP write 2026-03-26 10:23:15
#
# 2026-03-26 11:12:47 by RouterOS 7.20.4
# software id = APVA-8WN6
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC4F0F632382

# Two bridges: bridge-lan for the main LAN, bridge-LAN.guest for the guest SSIDs.
/interface bridge
add name=bridge-LAN.guest port-cost-mode=short
add fast-forward=no name=bridge-lan port-cost-mode=short

# The SFP port is disabled.
/interface ethernet
set [ find default-name=sfp1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full disabled=yes

# WAN uplink: PPPoE over ether1, installs the default route at distance 5.
# NOTE(review): the ISP account name and password are exported in clear text.
/interface pppoe-client
add add-default-route=yes default-route-distance=5 disabled=no interface=ether1 keepalive-timeout=20 name=pppoe-ISP password=PPytcuN9LU user=u133626_1

# Five WireGuard interfaces, one per tunnel, on UDP 51820-51824.
# NOTE(review): every private-key below is the tunnel's long-term identity and
# is printed in clear text; anyone holding this file can impersonate this
# router to the peers. Regenerate the keys and update the peers' public-key
# entries if this export has been shared.
/interface wireguard
add listen-port=51824 mtu=1420 name=wg-chr-c private-key="cEipiPl5Zr9Vn+BVGpzTPdSEO4o1bOLEvEf3Fea+rG4="
add listen-port=51820 mtu=1420 name=wg-x1-a private-key="+GTKxi65wD5CFTH78tnDouDijtr/yeSDCE1o4hPbFEQ="
add listen-port=51821 mtu=1420 name=wg-x1-b private-key="QNgFMGyEdKdHF2xiSj7o+3S2cS2R7TUsLVrpun0Jukg="
add listen-port=51822 mtu=1420 name=wg-x2-a private-key="4PF8DQfWSpZaif8DlamwePHo6z3FpStmU1LCWD5YMks="
add listen-port=51823 mtu=1420 name=wg-x2-b private-key="eDwKhdBZhINvFDTd3KBylFdnJXeevymc7xzORv/fMHo="

# Interface lists. mac-winbox scopes neighbor discovery and the MAC servers,
# list-WAN scopes the NAT rules; "ovpn" has no members in this export.
/interface list
add name=mac-winbox
add name=list-WAN
add name=ovpn

# Named channel definitions for the 2.4 GHz and 5 GHz radios.
/interface wireless channels
add band=2ghz-onlyn frequency=2412 list=2ghz_Channel name=ch1 width=20
add band=2ghz-onlyn frequency=2432 list=2ghz_Channel name=ch5 width=20
add band=2ghz-onlyn frequency=2452 list=2ghz_Channel name=ch9 width=20
add band=2ghz-onlyn frequency=2472 list=2ghz_Channel name=ch13 width=20
add band=5ghz-n/ac extension-channel=Ceee frequency=5260 list=5ghz_Channel_80MGz name="ch2_80_52(58)_5260" width=20
add band=5ghz-n/ac extension-channel=Ceee frequency=5580 list=5ghz_Channel_80MGz name="ch4_80_116(122)_5580" width=20
add band=5ghz-n/ac extension-channel=Ceee frequency=5660 list=5ghz_Channel_80MGz name="ch5_80_132(138)_5660" width=20
add band=5ghz-n/ac extension-channel=Ceee frequency=5765 list=5ghz_Channel_80MGz name="ch6_80_153(159)_5765" width=20

# profile-Strans is WPA2-PSK and is used by wlan1 and wlan2 below.
# NOTE(review): the pre-shared key is exported in clear text; change it if
# this file has been shared.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile-Strans supplicant-identity="" wpa2-pre-shared-key=45dF12Tv34

# wlan1/wlan2 carry SSID "Strans" with profile-Strans and WPS disabled.
# wlan3/wlan4 are virtual APs for "Strans-guest".
# NOTE(review): wlan3 and wlan4 name no security-profile, so they presumably
# fall back to the default profile, which shows no authentication settings in
# this export. Confirm whether the guest SSID is meant to be open.
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=0 band=2ghz-onlyn country=ukraine disabled=no distance=indoors frequency=2462 hw-protection-mode=rts-cts hw-retries=4 installation=indoor max-station-count=20 mode=ap-bridge preamble-mode=short security-profile=profile-Strans ssid=Strans station-roaming=enabled tx-power=16 tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=0 band=5ghz-n/ac channel-width=20/40mhz-Ce country=no_country_set distance=indoors frequency="ch2_80_52(58)_5260" frequency-mode=superchannel hw-protection-mode=rts-cts hw-retries=4 installation=indoor max-station-count=20 mode=ap-bridge preamble-mode=long security-profile=profile-Strans ssid=Strans station-roaming=enabled tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
add mac-address=DE:2C:6E:F9:C0:49 master-interface=wlan1 name=wlan3 ssid=Strans-guest station-roaming=enabled
add mac-address=DE:2C:6E:F9:C0:48 master-interface=wlan2 name=wlan4 ssid=Strans-guest station-roaming=enabled

# DHCP address pools for the main LAN and the guest network.
/ip pool
add name=pool-LAN.main ranges=192.168.223.100-192.168.223.200
add name=pool-LAN.guest ranges=10.10.10.100-10.10.10.130

# One DHCP server per bridge; the guest server also adds ARP entries for leases.
/ip dhcp-server
add address-pool=pool-LAN.main interface=bridge-lan lease-time=1h name=server-LAN.main
add add-arp=yes address-pool=pool-LAN.guest interface=bridge-LAN.guest lease-time=1h name=server-LAN.guest

# The default SMB user is disabled.
/ip smb users
set [ find default=yes ] disabled=yes

# PPP profiles for PPTP, L2TP and OpenVPN.
# NOTE(review): profile-pptp has use-encryption=no. No PPTP server or secret
# is visible in this export; remove the profile if it is unused.
/ppp profile
add change-tcp-mss=yes name=profile-pptp only-one=yes use-compression=no use-encryption=no use-mpls=no use-upnp=no
add change-tcp-mss=yes name=profile-l2tp use-compression=no use-encryption=yes use-mpls=no use-upnp=no
add change-tcp-mss=yes name=profile-ovpn only-one=yes use-compression=no use-encryption=yes use-mpls=no use-upnp=no

# Simple queues; all four are disabled.
/queue simple
add disabled=yes max-limit=20M/20M name=All target=""
add disabled=yes dst=ether1 limit-at=5M/5M max-limit=20M/20M name=lan parent=All priority=5/5 queue=pcq-upload-default/pcq-download-default target=192.168.223.0/24
add disabled=yes limit-at=12M/12M max-limit=20M/20M name=queue-staff packet-marks=packet-staff parent=All priority=1/1 queue=pcq-upload-default/pcq-download-default target=""
add disabled=yes max-limit=10M/10M name=guest parent=All queue=pcq-upload-default/pcq-download-default target=10.10.10.0/24

# The default community is disabled; the added one is limited to 100.127.255.252/30.
# NOTE(review): the community name is a shared secret and is exported in
# clear text. encryption-protocol=AES is set, but no security level is shown
# on this community; confirm authentication and privacy are in force.
/snmp community
set [ find default=yes ] authentication-protocol=SHA1 disabled=yes
add addresses=100.127.255.252/30 encryption-protocol=AES name=25strans062013

# Two remote syslog targets, both sourced from 192.168.223.1.
/system logging action
set 3 remote=100.127.255.254 remote-log-format=syslog src-address=192.168.223.1 syslog-facility=local3
add name=remote2 remote=100.127.255.253 remote-log-format=syslog src-address=192.168.223.1 syslog-facility=local1 target=remote

# ether2-4, wlan1 and wlan2 join bridge-lan; wlan3 and wlan4 join the guest bridge.
# ether4 is also a member of the mac-winbox list further down.
/interface bridge port
add bridge=bridge-lan hw=no ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-lan hw=no ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-lan hw=no ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN.guest ingress-filtering=no interface=wlan3 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge-LAN.guest ingress-filtering=no interface=wlan4 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge-lan ingress-filtering=no interface=wlan1 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge-lan ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10 trusted=yes

/ip firewall connection tracking
set udp-timeout=10s

# Neighbor discovery runs only on members of mac-winbox.
/ip neighbor discovery-settings
set discover-interface-list=mac-winbox

# mac-winbox holds ether4, ether5 and three of the WireGuard tunnels;
# list-WAN holds ether1 and the PPPoE client.
/interface list member
add interface=ether5 list=mac-winbox
add interface=ether1 list=list-WAN
add interface=ether4 list=mac-winbox
add interface=pppoe-ISP list=list-WAN
add interface=wg-x1-a list=mac-winbox
add interface=wg-x1-b list=mac-winbox
add interface=wg-chr-c list=mac-winbox

# NOTE(review): md5 is listed among the accepted auth digests. If this
# OpenVPN server is in use, drop md5; if not, remove the entry.
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:23:59:FD:DF:61 name=ovpn-server1

# One peer per tunnel. Every peer is allowed 192.168.0.0/16 and
# 100.127.255.252/30 in addition to its own /30 link network.
# The public keys are not secret.
/interface wireguard peers
add allowed-address=172.16.223.4/30,192.168.0.0/16,100.127.255.252/30 endpoint-address=core2.strans.info endpoint-port=51821 interface=wg-x1-b name=peer-x1-b persistent-keepalive=25s public-key="WnH2dwK834oXXWnc9e4jzm2jda3yR55kKj3xlBGwfFc="
add allowed-address=172.16.223.0/30,192.168.0.0/16,100.127.255.252/30 endpoint-address=core1.strans.info endpoint-port=51820 interface=wg-x1-a name=peer-x1-a persistent-keepalive=25s public-key="2XZUCmXZl6XEOSSI3zMXa3A0uRvrV1inZE2tFhZhohQ="
add allowed-address=172.18.223.0/30,192.168.0.0/16,100.127.255.252/30 endpoint-address=chr.strans.info endpoint-port=51822 interface=wg-chr-c name=peer-chr-c persistent-keepalive=25s public-key="1UOLZ6R28ePBeOslTM+A+nfZ8y0RRSg7pL1kalG0hGg="
add allowed-address=172.17.223.0/30,192.168.0.0/16,100.127.255.252/30 endpoint-address=core1-x2.strans.info endpoint-port=51820 interface=wg-x2-a name=peer-x2-a persistent-keepalive=25s public-key="+d2h9N+sTo021GNdeCdKc7F6QZD01lcSIS05xVOhqww="
add allowed-address=172.17.223.4/30,192.168.0.0/16,100.127.255.252/30 endpoint-address=core2-x2.strans.info endpoint-port=51821 interface=wg-x2-b name=peer-x2-b persistent-keepalive=25s public-key="l4cQjrXCqdA0gmtiU9Z55gCGfadeimZ0rnNwXBHXDgU="

/interface wireless cap
set bridge=bridge-lan discovery-interfaces=*3F interfaces=wlan1,wlan2

# Router addresses: LAN gateway, guest gateway and the local end of each tunnel.
/ip address
add address=192.168.223.1/24 comment=LAN.main interface=bridge-lan network=192.168.223.0
add address=10.10.10.1/24 comment=guest interface=bridge-LAN.guest network=10.10.10.0
add address=172.16.223.2/30 interface=wg-x1-a network=172.16.223.0
add address=172.16.223.6/30 interface=wg-x1-b network=172.16.223.4
add address=172.18.223.2/30 interface=wg-chr-c network=172.18.223.0
add address=172.17.223.2/30 interface=wg-x2-a network=172.17.223.0
add address=172.17.223.6/30 interface=wg-x2-b network=172.17.223.4

/ip dhcp-client
add disabled=yes interface=ether1

# Static lease for the host that the "video" DNS records point at.
/ip dhcp-server lease
add address=192.168.223.50 client-id=1:38:af:29:67:59:1d mac-address=38:AF:29:67:59:1D server=server-LAN.main

# Guests are handed public resolvers; the main LAN uses the router as resolver.
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 domain=kpp.guest.lan gateway=10.10.10.1 netmask=24
add address=192.168.223.0/24 dns-server=192.168.223.1 domain=lviv.3.kpp gateway=192.168.223.1 netmask=24

# The router answers DNS for clients (allow-remote-requests=yes). Who can
# reach the resolver is decided only by the input chain below, which ends in
# an unconditional drop; keep that drop in place while this stays enabled.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1m servers=192.168.10.248,192.168.10.107

/ip dns static
add address=192.168.223.50 name=video type=A
add address=192.168.223.50 name=video.lv3.kpp.lan type=A

# "adm" is the management allow-list used by both the input and forward chains.
# NOTE(review): it contains the whole main LAN (192.168.223.0/24), so every
# LAN host is accepted by the input chain. It also contains an FQDN entry,
# whose membership follows whatever the name resolves to; fixed addresses are
# easier to reason about for an admin allow-list.
/ip firewall address-list
add address=95.47.136.14 list=adm
add address=192.168.223.0/24 list=adm
add address=95.47.136.9 list=adm
add address=172.16.223.1 list=adm
add address=home.2funoff.com list=adm
add address=100.127.255.252/30 list=adm
add address=10.20.1.0/24 list=adm
add address=172.16.223.5 list=adm
add address=192.168.10.0/24 list=adm

# Filter rules are evaluated top to bottom; both chains end in a drop.
# NOTE(review): the comment "drop_invalid" sits on a rule that accepts
# established forward traffic; the label is misleading.
# NOTE(review): the wg-core rule accepts UDP 51820-51824 from any source on
# any interface.
# NOTE(review): "accept chain=forward dst-address=192.168.223.48/30" carries
# no source or in-interface match, so it appears to let guest clients
# (10.10.10.0/24) reach 192.168.223.48-51, including the video host at .50.
# Confirm that is intended, or add a source match.
/ip firewall filter
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=forward comment=drop_invalid connection-state=established
add action=accept chain=forward connection-state=related
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=wg-core dst-port=51820-51824 protocol=udp
add action=accept chain=input comment=Allow_from_adm src-address-list=adm
add action=drop chain=input
add action=accept chain=forward comment=Allow_forward_LAN.main src-address=192.168.223.0/24
add action=accept chain=forward out-interface=pppoe-ISP src-address=10.10.10.0/24
add action=accept chain=forward dst-address=192.168.223.48/30
add action=accept chain=forward src-address=192.168.10.4
add action=accept chain=forward src-address=192.168.17.0/24
add action=accept chain=forward src-address-list=adm
add action=drop chain=forward

# Marks traffic between the main LAN and 192.168.0.0/16 as packet-staff;
# the only consumer visible here is the disabled queue-staff.
/ip firewall mangle
add action=mark-packet chain=prerouting dst-address=192.168.0.0/16 new-packet-mark=packet-staff src-address=192.168.223.0/24
add action=mark-packet chain=prerouting dst-address=192.168.223.0/24 new-packet-mark=packet-staff src-address=192.168.0.0/16

# Source NAT for the main LAN and the guest network out of list-WAN.
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT_4_LAN.main out-interface-list=list-WAN src-address=192.168.223.0/24 to-addresses=178.210.129.140
add action=masquerade chain=srcnat disabled=yes src-address=192.168.223.0/24
add action=masquerade chain=srcnat out-interface-list=list-WAN src-address=10.10.10.0/24 to-addresses=178.210.129.140

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

# Static routes to 192.168.0.0/16 and 100.127.255.252/30 through the tunnel
# gateways, each with check-gateway=ping and a distance from 1 to 5.
/ip route
add disabled=no dst-address=8.8.4.4/32 gateway=""
add check-gateway=ping disabled=no dst-address=192.168.0.0/16 gateway=172.16.223.1
add check-gateway=ping disabled=no distance=2 dst-address=192.168.0.0/16 gateway=172.16.223.5 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=192.168.0.0/16 gateway=172.18.223.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=100.127.255.252/30 gateway=172.16.223.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=100.127.255.252/30 gateway=172.16.223.5 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=100.127.255.252/30 gateway=172.18.223.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=100.127.255.252/30 gateway=172.17.223.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=4 dst-address=100.127.255.252/30 gateway=172.17.223.5 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=192.168.0.0/16 gateway=172.17.223.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=4 dst-address=192.168.0.0/16 gateway=172.17.223.5 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

# ftp, telnet, api and api-ssl are disabled.
# NOTE(review): the remaining services are not listed, so they are presumably
# at their defaults with no address= restriction; access to them then rests
# entirely on the input chain and the "adm" list. Confirm.
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip smb shares
set [ find default=yes ] directory=/flash/pub

/routing bfd configuration
add disabled=no

# OSPF import and export filters.
/routing filter rule
add chain=ospf-out disabled=no rule="if (dst == 93.183.226.80) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 192.168.97.0/24) { reject; }"
add chain=ospf-in disabled=no rule="if (dst in 172.0.0.0/8 && dst-len in 0-128) { reject; }"
add chain=ospf-in disabled=no rule="if (dst in 8.8.4.4 && dst-len == 32) { reject; }"
add chain=ospf-in disabled=no rule="if (dst in 10.0.0.0/8 && dst-len in 0-128) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 192.168.252.0/24) { accept; }"
add chain=ospf-out disabled=no rule="if (dst in 0.0.0.0 && dst-len in 0-128) { reject; }"

/snmp
set contact=hostmaster@gal.net.ua enabled=yes location="lviv-3, S-TRANS"

/system clock
set time-zone-name=Europe/Kyiv

/system identity
set name=". ST_LV3-223-R"

# critical, warning and error topics go to both remote syslog actions;
# info is disabled for both.
# NOTE(review): the script below logs with ":log info", so its
# "Set DNS to ..." messages are not forwarded, while the 8.8.8.8 fallback is
# logged at warning and is.
/system logging
add action=remote topics=critical
add action=remote topics=warning
add action=remote topics=error
add action=remote disabled=yes topics=info
add action=remote2 topics=critical
add action=remote2 topics=error
add action=remote2 disabled=yes topics=info
add action=remote2 topics=warning

/system note
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
add address=3.ua.pool.ntp.org
add address=2.ua.pool.ntp.org
add address=1.ua.pool.ntp.org

# Runs CheckDNSFailover every 30 s.
# NOTE(review): the scheduler is granted ftp, reboot, policy, password, sniff,
# sensitive and romon, none of which the script below uses. It only pings,
# logs and sets /ip dns; trim the policy list to what it needs.
/system scheduler
add interval=30s name=dns_failover_scheduler on-event="/system script run CheckDNSFailover" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2025-08-11 start-time=21:31:43

# CheckDNSFailover pings 192.168.10.248 and 192.168.10.107 (two probes each)
# and sets /ip dns servers to whichever answer, or to 8.8.8.8 when neither does.
# NOTE(review): every branch calls "/ip dns set", even when the chosen list
# equals the one already configured. That looks like the source of the
# 30-second "dns changed" entries in the history at the top of this file.
# Compare against the current servers value and only set it when different.
# NOTE(review): dont-require-permissions=yes together with the full policy
# list lets any user who can run scripts invoke this one with all of those
# rights; tighten both.
/system script
add dont-require-permissions=yes name=CheckDNSFailover owner=adminKPP policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info \"Running enhanced DNS failover logic...\"\r\n\r\n:local dns1 \"\"\r\n:local dns2 \"\"\r\n\r\n:if ([/ping 192.168.10.248 count=2] > 0) do={\r\n :set dns1 \"192.168.10.248\"\r\n}\r\n:if ([/ping 192.168.10.107 count=2] > 0) do={\r\n :if (\$dns1 = \"\") do={\r\n :set dns1 \"192.168.10.107\"\r\n } else={\r\n :set dns2 \"192.168.10.107\"\r\n }\r\n}\r\n\r\n:if (\$dns1 != \"\" && \$dns2 != \"\") do={\r\n /ip dns set servers=\"\$dns1,\$dns2\"\r\n :log info \"Set DNS to \$dns1 and \$dns2\"\r\n} else={\r\n :if (\$dns1 != \"\") do={\r\n /ip dns set servers=\$dns1\r\n :log info \"Set DNS to \$dns1 only\"\r\n } else={\r\n /ip dns set servers=8.8.8.8\r\n :log warning \"Both DNS sources unavailable. Set to 8.8.8.8\"\r\n }\r\n}\r\n"

# The bandwidth server is disabled; authenticate=no would apply if it were
# ever enabled.
/tool bandwidth-server
set authenticate=no enabled=no

# MAC Telnet and MAC WinBox are limited to the mac-winbox list; MAC ping is off.
/tool mac-server
set allowed-interface-list=mac-winbox

/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

/tool mac-server ping
set enabled=no

# NOTE(review): RoMON is enabled with a short secret that is exported in
# clear text, and no per-port RoMON restriction is visible in this export.
# Rotate the secret and confirm which interfaces RoMON should run on.
/tool romon
set enabled=yes secrets=passkpp