# RouterOS 6.47.10 configuration export for an RB4011 (identity "Protek-Loja").
# The first commented lines are pasted output from the routerboard, package-update
# and history prints; the export proper starts at "/interface bridge".
#
# NOTE(review): this export carries live secrets in cleartext (Wi-Fi pre-shared keys,
# PPP passwords, the RoMON secret) together with the device serial number and
# software id. Once a file like this leaves the device, every secret in it should be
# rotated. Secrets and identifiers should be stripped from any shared copy.
#
# routerboard: yes
# model: RB4011iGS+5HacQ2HnD
# serial-number: 968909A8D3B9
# firmware-type: al2
# factory-firmware: 6.43.3
# current-firmware: 6.47.10
# upgrade-firmware: 6.47.10
#
# channel: long-term
# installed-version: 6.47.10
#
# Flags: U - undoable, R - redoable, F - floating-undo
# ACTION BY POLICY
# U item changed protek write
# U item changed protek write
# U filter rule removed protek write
# U filter rule changed protek write
# U filter rule changed protek write
# U filter rule changed protek write
# U filter rule added protek write
# U filter rule removed protek write
#
# software id = U7WT-1JKK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 968909A8D3B9

# Bridges. bdg-dhcp and bdg-servers receive ports and addresses further down;
# loopbridge only carries the two loopback-style addresses. bdg-cam gets no port and
# no address anywhere in this export, so it looks unused.
/interface bridge
add name=bdg-cam
add name=bdg-dhcp
add name=bdg-servers
add name=loopbridge

# Physical port naming. ether1 is the uplink ("LINK"); the comments label the rest
# (LOJA = shop, CAMERAS/CAMERA, IBM servers and their admin ports, Proxmox3).
/interface ethernet
set [ find default-name=ether1 ] comment=LINK name=ether1-link
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" comment=LOJA
set [ find default-name=ether3 ] comment=CAMERAS
set [ find default-name=ether4 ] name=ether4-IBM1
set [ find default-name=ether5 ] name=ether5-IBM1-adm
set [ find default-name=ether6 ] name=ether6-IBM2
set [ find default-name=ether7 ] name=ether7-IBM2-adm
set [ find default-name=ether8 ] comment="Adir - Casa"
set [ find default-name=ether9 ] comment=CAMERA
set [ find default-name=ether10 ] comment=Proxmox3

# Every switch-chip port keeps default-vlan-id=0; no VLAN separation is configured
# at the switch level.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

# Wireless security profiles.
# NOTE(review): all three profiles still accept WPA (wpa-psk) next to WPA2, and the two
# added profiles also allow TKIP for both unicast and group ciphers. Unless a legacy
# client needs it, restrict to authentication-types=wpa2-psk with aes-ccm only.
# NOTE(review): the default profile's pre-shared key is the same string as the RoMON
# secret at the end of this export; the two should not share a value.
# profile2 duplicates profile-protek and is not referenced by wlan1 or wlan2 below.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=protek-info-12 wpa2-pre-shared-key=protek-info-12
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile-protek supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=proteknet1 wpa2-pre-shared-key=proteknet1
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile2 supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=proteknet1 wpa2-pre-shared-key=proteknet1

# Both radios run as access points with profile-protek; both are bridged into bdg-dhcp
# below, so Wi-Fi clients share one layer-2 segment with the wired LAN and cameras.
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode ampdu-priorities=0,1,2,3,4,5,6,7 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=brazil disabled=no frequency=5200 installation=indoor max-station-count=60 mode=ap-bridge security-profile=profile-protek ssid="ProtekNet 5g"
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n country=brazil disabled=no frequency=2442 installation=indoor max-station-count=60 mode=ap-bridge security-profile=profile-protek ssid=ProtekNet

# Address pools. dhcp_pool0 and dhcp_pool3 overlap on 192.168.2.0/24; only dhcp_pool3
# and dhcp_pool1 are referenced by a DHCP server in this export. pool-vpn feeds the
# PPP profile below.
# NOTE(review): dhcp_pool3 spans .2-.254, which includes addresses used as fixed NAT
# and filter targets later on (.24, .200, .242). Only .146 has a static lease here, so
# confirm the others are reserved some other way.
/ip pool
add name=dhcp_pool0 ranges=192.168.2.10-192.168.2.254
add name=dhcp_pool1 ranges=192.168.4.2-192.168.4.254
add name=pool-vpn ranges=192.168.40.5-192.168.40.20
add name=dhcp_pool3 ranges=192.168.2.2-192.168.2.254

# DHCP servers. The warning below was emitted by RouterOS itself: dhcp2 is bound to
# ether9, which is a port of bdg-dhcp (see /interface bridge port), so it cannot run.
# No 192.168.4.1 address is assigned in /ip address either.
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=dhcp_pool1 disabled=no interface=ether9 lease-time=5m name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=bdg-dhcp lease-time=5m name=dhcp1

# PPP profile for VPN clients: the router end is 192.168.40.1 and clients draw from
# pool-vpn. *FFFFFFFE is an internal item id; presumably it is the built-in
# default-encryption profile that the PPP secrets below reference (confirm on device).
/ppp profile
set *FFFFFFFE local-address=192.168.40.1 remote-address=pool-vpn use-ipv6=no use-mpls=no

# OSPF (v2 and v3): connected and static routes are redistributed as type-1 externals.
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1 redistribute-static=as-type-1 router-id=192.168.200.6
/routing ospf-v3 instance
set [ find default=yes ] redistribute-connected=as-type-1 redistribute-static=as-type-1 router-id=192.168.200.6

# SNMP community, limited to three source ranges.
# NOTE(review): write-access=yes on a community-string setup lets any host in those
# ranges that knows the string change settings, and no security= level is shown
# (presumably the default, no auth or privacy). Set write-access=no unless writes are
# required, and prefer SNMPv3 with authentication and privacy.
/snmp community
set [ find default=yes ] addresses=45.236.84.0/22,192.168.0.0/16,35.237.63.30/32 name=public-noway write-access=yes

# Remote syslog target used by the "/system logging" rules near the end of the file.
/system logging action
set 3 remote=192.168.248.68 src-address=45.236.84.6

# Policy set of the built-in "full" user group. The users themselves are not part of
# this export.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"

# Bridge membership. bdg-dhcp joins the shop LAN, cameras, the "Adir - Casa" port and
# both radios; bdg-servers joins the IBM and Proxmox ports, including the "-adm" ones.
# NOTE(review): cameras, Wi-Fi clients and office hosts therefore share one broadcast
# domain, and server admin ports share one with server data ports. Consider separating
# them if isolation between these groups is expected.
/interface bridge port
add bridge=bdg-dhcp interface=ether2
add bridge=bdg-dhcp interface=ether3
add bridge=bdg-dhcp interface=ether9
add bridge=bdg-servers interface=ether4-IBM1
add bridge=bdg-servers interface=ether5-IBM1-adm
add bridge=bdg-servers interface=ether6-IBM2
add bridge=bdg-servers interface=ether7-IBM2-adm
add bridge=bdg-servers interface=ether10
add bridge=bdg-dhcp interface=ether8
add bridge=bdg-dhcp interface=wlan1
add bridge=bdg-dhcp interface=wlan2

# Neighbor discovery runs on every non-dynamic interface, which includes the uplink
# ether1-link.
# NOTE(review): restrict discovery to an internal interface list. No /tool mac-server
# section appears in this export, so its defaults presumably apply; confirm that
# MAC-level management is not offered on the uplink.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic

# Loose reverse-path filtering and SYN cookies.
/ip settings
set rp-filter=loose tcp-syncookies=yes

# PPTP VPN server.
# NOTE(review): PPTP (MS-CHAPv2 with MPPE) is no longer considered a secure VPN
# protocol. Plan a migration to L2TP/IPsec, SSTP or OpenVPN. With no input-chain
# filter in this export, the listener is not limited to known peers.
/interface pptp-server server
set enabled=yes

# Interface addressing: uplink /30, LAN /24, a public /28 and two private /29s on
# bdg-servers, and two /32 addresses on loopbridge (OSPF router-id and service IP).
/ip address
add address=45.236.84.34/30 interface=ether1-link network=45.236.84.32
add address=192.168.2.1/24 interface=bdg-dhcp network=192.168.2.0
add address=45.236.84.17/28 interface=bdg-servers network=45.236.84.16
add address=192.168.248.65/29 comment="proxmox1 e 2" interface=bdg-servers network=192.168.248.64
add address=192.168.200.6 interface=loopbridge network=192.168.200.6
add address=45.236.84.6 interface=loopbridge network=45.236.84.6
add address=192.168.248.73/29 comment="ether10 proxmox" interface=bdg-servers network=192.168.248.72

# Static lease for the host that the first two dst-nat rules forward to.
/ip dhcp-server lease
add address=192.168.2.146 client-id=1:8:55:31:61:1:e mac-address=08:55:31:61:01:0E server=dhcp1

# DHCP options. LAN clients are handed the 1.1.1.3 / 1.0.0.3 resolvers (the
# dns-cloud-family list below).
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.2.1
add address=192.168.4.0/24 dns-server=45.236.84.18,45.236.84.19 gateway=192.168.4.1

# Resolvers used by the router itself.
/ip dns
set servers=45.236.84.18,2804:4de8:800:8000::18,2804:4de8:800:8000::19

# Static address lists. The NAT rules further down also reference pgcorte, acesso-ok
# and ext_addr, which are not defined here.
/ip firewall address-list
add address=45.236.84.18 list=dns_protek_recu
add address=45.236.84.19 list=dns_protek_recu
add address=45.236.84.20 list=dns_protek_auth
add address=45.236.84.21 list=dns_protek_auth
add address=1.1.1.3 list=dns-cloud-family
add address=1.0.0.3 list=dns-cloud-family

# Filter table.
# NOTE(review): all three rules are accept rules in the forward chain. There is no drop
# rule and no input-chain rule, and RouterOS accepts whatever no rule matches, so as
# exported this table restricts nothing. The router's own services are protected only
# by the per-service address= lists under /ip service. The history header above shows
# filter rules being removed and changed recently, so confirm this is the intended
# state. A baseline would accept established/related, drop invalid, allow management
# from known sources on input, and end input and forward with a drop.
/ip firewall filter
add action=accept chain=forward connection-state=established,related dst-address=192.168.2.0/24
add action=accept chain=forward dst-address=192.168.2.242
add action=accept chain=forward src-address=192.168.2.242

# NAT table. Rule order matters; rules are kept in their exported order.
# NOTE(review): several dst-nat rules below publish internal services with no
# src-address or src-address-list restriction: 31094/31095 to 192.168.2.146, the three
# forwards to port 8006 on the 192.168.248.x hosts, 22/80/3306 to 192.168.250.10, and
# the NVR on 8888/8889/37777. Because the filter table drops nothing, these are
# reachable from any source. Restrict them with a source list, as the acesso-ok rules
# do, or move them behind the VPN.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=45.236.84.34 dst-port=31094 protocol=tcp to-addresses=192.168.2.146 to-ports=31094
add action=dst-nat chain=dstnat dst-address=45.236.84.34 dst-port=31095 protocol=tcp to-addresses=192.168.2.146 to-ports=443
add action=src-nat chain=srcnat src-address=192.168.2.0/24 to-addresses=45.236.84.34
# Hypervisor web UIs (comments on the /29 addresses say "proxmox") published on the
# loopback service address.
add action=dst-nat chain=dstnat dst-address=45.236.84.6 dst-port=8006 protocol=tcp to-addresses=192.168.248.66 to-ports=8006
add action=dst-nat chain=dstnat dst-address=45.236.84.6 dst-port=8007 protocol=tcp to-addresses=192.168.248.67 to-ports=8006
add action=dst-nat chain=dstnat dst-address=45.236.84.6 dst-port=8005 protocol=tcp to-addresses=192.168.248.74 to-ports=8006
add action=src-nat chain=srcnat disabled=yes src-address=45.236.84.34 to-addresses=45.236.84.6
# 192.168.96.0/24 is not a connected network in this export; presumably it is reached
# via OSPF or a tunnel.
add action=src-nat chain=srcnat src-address=192.168.96.0/24 to-addresses=45.236.84.6
# DNS rules. The first rule's comment translates to "DO NOT DELETE/DISABLE -
# authoritative DNS". These two accept rules take traffic to and from the authoritative
# servers out of NAT processing before the DNS redirects below can match it.
add action=accept chain=dstnat comment="DNS Rules: --*N\C3O APAGAR/DESABILITAR*-- DNS Autoritativo" dst-address-list=dns_protek_auth dst-port=53 protocol=udp
add action=accept chain=dstnat dst-port=53 protocol=udp src-address-list=dns_protek_auth
# Disabled fallback ("apply if there is a problem with the PROTEK DNS"): sends queries
# for the recursive servers to the authoritative ones.
add action=dst-nat chain=dstnat comment="DNS Rules: aplicar se problema com DNS PROTEK" disabled=yes dst-address=45.236.84.18 dst-port=53 protocol=udp to-addresses=45.236.84.20 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=45.236.84.19 dst-port=53 protocol=udp to-addresses=45.236.84.21 to-ports=53
# Disabled redirect of public resolvers to the local recursive servers. The comment
# translates to "apply the following 3 rules if PROTEK DNS is OK", though five disabled
# rules follow it.
add action=dst-nat chain=dstnat comment="DNS Rules: aplicar as 3 regras seguintes se DNS PROTEK OK" disabled=yes dst-address=1.1.1.1 dst-port=53 protocol=udp to-addresses=45.236.84.18 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=8.8.8.8 dst-port=53 protocol=udp to-addresses=45.236.84.18 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=8.8.4.4 dst-port=53 protocol=udp to-addresses=45.236.84.19 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=45.236.84.18 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=45.236.84.19 to-ports=53
# NOTE(review): with action=accept the to-addresses and to-ports values have no effect.
# These four rules only stop NAT processing for web traffic to .24 and .25, presumably
# to keep it out of the redirect rules that follow. If a translation to 192.168.250.10
# was intended, the action is wrong.
add action=accept chain=dstnat dst-address=45.236.84.24 dst-port=80,443 protocol=tcp to-addresses=192.168.250.10 to-ports=80
add action=accept chain=srcnat dst-address=45.236.84.24 dst-port=80,443 protocol=tcp to-addresses=192.168.250.10 to-ports=80
add action=accept chain=dstnat dst-address=45.236.84.25 dst-port=80,443 protocol=tcp to-addresses=192.168.250.10 to-ports=80
add action=accept chain=srcnat dst-address=45.236.84.25 dst-port=80,443 protocol=tcp to-addresses=192.168.250.10 to-ports=80
# NOTE(review): SSH, HTTP and MySQL on 192.168.250.10 are published with no source
# restriction. The acesso-ok rules below already show the pattern to follow.
add action=dst-nat chain=dstnat comment="Libera\E7\E3o Syntesis" dst-address=45.236.84.6 dst-port=22,80,3306 protocol=tcp to-addresses=192.168.250.10
add action=dst-nat chain=dstnat comment=proteknet.com.br disabled=yes dst-address=45.236.84.6 dst-port=80,443 protocol=tcp to-addresses=192.168.250.10
# All TCP from sources in the pgcorte list is redirected to 192.168.250.10:85. The
# first rule already matches every TCP port, so the second looks shadowed. pgcorte is
# not defined in this export; if nothing populates it, neither rule ever matches.
add action=dst-nat chain=dstnat comment="PG CORTE" dst-port=1-65535 protocol=tcp src-address-list=pgcorte to-addresses=192.168.250.10 to-ports=85
add action=dst-nat chain=dstnat comment="PG CORTE" dst-address=!192.168.250.2 protocol=tcp src-address-list=pgcorte to-addresses=192.168.250.10 to-ports=85
# Source-restricted forwards: only sources in acesso-ok, and only destinations in
# ext_addr. Neither list is defined in this export; confirm both are populated.
add action=dst-nat chain=dstnat dst-address-list=ext_addr dst-port=8081 protocol=tcp src-address-list=acesso-ok to-addresses=192.168.250.10 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=ext_addr dst-port=50443 protocol=tcp src-address-list=acesso-ok to-addresses=192.168.250.10 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=ext_addr dst-port=51306 protocol=tcp src-address-list=acesso-ok to-addresses=192.168.250.10 to-ports=3306
add action=netmap chain=dstnat dst-address-list=ext_addr dst-port=8080 protocol=tcp src-address-list=acesso-ok to-addresses=192.168.249.2 to-ports=8080
add action=netmap chain=dstnat dst-address-list=ext_addr dst-port=2229 protocol=tcp src-address-list=acesso-ok to-addresses=192.168.249.2 to-ports=2229
add action=netmap chain=dstnat dst-address-list=ext_addr dst-port=8022 protocol=tcp src-address-list=acesso-ok to-addresses=192.168.249.2 to-ports=2229
add action=src-nat chain=srcnat src-address=192.168.248.0/24 to-addresses=45.236.84.34
# Forces LAN DNS to the filtering resolver. Only UDP/53 is covered; TCP/53 and
# encrypted DNS are not touched by this rule.
add action=dst-nat chain=dstnat dst-address-list=!dns-cloud-family dst-port=53 protocol=udp src-address=192.168.2.0/24 to-addresses=1.1.1.3 to-ports=53
add action=src-nat chain=srcnat src-address=192.168.4.0/24 to-addresses=45.236.84.6
# NVR access ("Acesso HTTP/HTTPS ao NVR", "Acesso pelo APP NVR"), published with no
# source restriction. Prefer reaching the recorder over the VPN or from a source list.
add action=dst-nat chain=dstnat comment="Acesso HTTP ao NVR" dst-address=45.236.84.6 dst-port=8888 protocol=tcp to-addresses=192.168.2.200 to-ports=10080
add action=dst-nat chain=dstnat comment="Acesso HTTPS ao NVR" dst-address=45.236.84.6 dst-port=8889 protocol=tcp to-addresses=192.168.2.200 to-ports=443
# These two match traffic addressed to 192.168.2.24, an address inside the bridged LAN
# subnet. They can only apply to routed traffic, not to bridged LAN hosts; confirm they
# are still needed.
add action=dst-nat chain=dstnat comment=ALARME dst-address=192.168.2.24 dst-port=9009 protocol=tcp to-addresses=192.168.2.200 to-ports=443
add action=dst-nat chain=dstnat comment=ALARME dst-address=192.168.2.24 dst-port=9010 protocol=tcp to-addresses=192.168.2.200 to-ports=443
add action=dst-nat chain=dstnat comment="Acesso pelo APP NVR" dst-address=45.236.84.6 dst-port=37777 protocol=tcp to-addresses=192.168.2.200 to-ports=37777

# Static routes: a default route via the uplink peer and one host route via a gateway
# inside the bdg-servers /28. Distance 121 presumably lets OSPF-learned routes win
# (confirm).
/ip route
add distance=121 gateway=45.236.84.33
add distance=121 dst-address=45.236.87.255/32 gateway=45.236.84.26

# Management services, moved to non-default ports and limited by source address.
# NOTE(review): winbox is the one enabled service with no address= list, and with no
# input-chain filter it is reachable on every interface, including the uplink. Give it
# an allow-list like the others. ftp, www and api are cleartext protocols: disable the
# ones not in use and prefer api-ssl (disabled here) over api.
/ip service
set telnet disabled=yes
set ftp address=192.168.0.0/16,45.236.84.0/22,100.64.0.0/10 port=10021
set www address=192.168.0.0/16,45.236.84.0/22,100.64.0.0/10 port=10080
set ssh address=45.236.84.0/22,192.168.2.0/24 port=10022
set api address=45.236.84.24/32,45.236.84.25/32,45.236.87.255/32
set winbox port=25000
set api-ssl address=45.236.84.24/32,45.236.84.25/32 disabled=yes

# NOTE(review): this permits SSH remote port forwarding through the router. Set
# forwarding-enabled=no unless an existing workflow depends on it.
/ip ssh
set forwarding-enabled=remote

# IPv6 addressing. The bdg-dhcp address does not set advertise=no, so LAN hosts
# presumably autoconfigure global addresses.
# NOTE(review): no /ipv6 firewall section appears in this export, and the IPv4 NAT
# gives IPv6 hosts no shielding. Add IPv6 input and forward filtering if this export is
# complete.
/ipv6 address
add address=2804:4de8:800:80::34 advertise=no interface=ether1-link
add address=2804:4de8:800:8000::1 advertise=no interface=bdg-servers
add address=2804:4de8:8400::1 interface=bdg-dhcp

# PPTP accounts.
# NOTE(review): passwords are stored and exported in cleartext, and two accounts (nzm2
# and nzm.luciano) share the same password. Rotate all five, give each account its own
# password, and remove accounts that are no longer used.
/ppp secret
add name=nzm2 password=Protek@2011 profile=default-encryption service=pptp
add local-address=45.236.84.6 name=acacio password=samsung12 profile=default-encryption service=pptp
add name=nzm.enrique password=nzm@2018@ profile=default-encryption service=pptp
add name=sergio.ixc password=kp260clg profile=default-encryption service=pptp
add name=nzm.luciano password=Protek@2011 profile=default-encryption service=pptp

# OSPF runs on the uplink only.
# NOTE(review): no authentication= setting is shown on the OSPF interface, so the
# default presumably applies. Confirm whether the adjacency on ether1-link should be
# authenticated.
/routing ospf interface
add interface=ether1-link network-type=broadcast
/routing ospf network
add area=backbone network=45.236.84.32/30
/routing ospf-v3 interface
add area=backbone interface=ether1-link network-type=broadcast

# SNMP agent. The contact name and site coordinates are returned to anyone able to
# query it; see the community note above.
/snmp
set contact="Acacio Correa " enabled=yes location="[-26.42382277, -51.31382207]" trap-version=2

/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=Protek-Loja

# LED bindings: the wlan2 LEDs are attached to interface bdg-servers. Presumably
# cosmetic; confirm this is intended.
/system leds
add interface=bdg-servers leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=bdg-servers leds=wlan2_tx-led type=interface-transmit
add interface=bdg-servers leds=wlan2_rx-led type=interface-receive

# Forward critical, error, info and warning topics to the remote syslog action
# configured above.
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning

/system ntp client
set enabled=yes primary-ntp=45.236.84.23 secondary-ntp=200.160.0.8
/system package update
set channel=long-term

# Scheduled maintenance.
# NOTE(review): despite its name, upgrade_packages only runs "/system reboot" and has
# no download or install step, and it fires once every 52w1d. The firmware job is
# disabled. As exported, nothing here keeps RouterOS patched, so track long-term
# channel releases and update on a shorter cycle.
/system scheduler
add interval=52w1d name=upgrade_packages on-event="/system reboot" policy=ftp,reboot,read,write,policy start-date=may/15/2020 start-time=05:00:00
add disabled=yes interval=52w1d name=upgrade-firmware on-event="/system routerboard upgrade\r\n/system reboot" policy=ftp,reboot,read,write,policy start-date=may/15/2020 start-time=05:05:00

# RoMON management overlay.
# NOTE(review): the secret equals the default wireless profile's pre-shared key; use a
# unique value. No /tool romon port section is shown, so per-port defaults presumably
# apply. Confirm RoMON is not offered on ether1-link, or disable it if unused.
/tool romon
set enabled=yes secrets=protek-info-12

# Saved packet-sniffer settings: TCP headers only, for one host, on all interfaces.
# memory-limit is about 1 GB and file-limit about 10 GB; check both against the
# device's RAM and storage before starting a capture.
/tool sniffer
set file-limit=10000000KiB file-name=capsyn filter-interface=all filter-ip-address=45.236.87.255/32 filter-ip-protocol=tcp memory-limit=1000000KiB only-headers=yes