File: /home/posscale/backup/MT_Backups/POS_Scales/BACKUP-POS_Scales-2023aug26-171730.rsc
# aug/26/2023 17:17:30 by RouterOS 6.48
# software id = IV33-Y7WA
#
# model = RouterBOARD 750 r2
# serial number = 67D4074D4CDC
# Interfaces: a bridge that joins ether5 to the Bygreen EoIP tunnel, renamed
# Ethernet ports, tunnel clients (L2TP/IPsec, PPTP, IPIP, EoIP, OpenVPN),
# the WAN VLAN on ether1, and the interface lists the firewall refers to.
/interface bridge
add name=Bygreen_VPN_Port5_Bridge
/interface ethernet
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
"Port 2 Phone system"
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
"Port4 Office PC Network"
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
"Test Bench Port 3"
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
"ether1 TPG Internet"
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# The tunnel clients below carry account passwords and IPsec pre-shared keys
# in clear text, so this export is itself a credential store: keep it where
# the router's admin password would be kept and rotate the secrets if the
# file has been copied elsewhere. RouterOS 6 can write an export without
# them via `/export hide-sensitive`. The two L2TP clients share one IPsec
# secret and the two NordVPN clients share one account password, so a single
# leak exposes both peers in each pair.
/interface l2tp-client
add connect-to=103.98.87.3 ipsec-secret=!Pss.974082** name=\
"Bugreen COnnection to Port 5" password=Pss.974082 use-ipsec=yes user=\
PosScalesOffice
add connect-to=3.106.179.83 disabled=no ipsec-secret=!Pss.974082** name=\
MT-Management-VPN password=Pss.974082** use-ipsec=yes user=posscales
# PPTP's MPPE/MS-CHAPv2 protection is considered broken; the OpenVPN client
# below reaches the same provider and is the better path for anything that
# needs confidentiality.
/interface pptp-client
add connect-to=us355.nordvpn.com mrru=1600 name=NordVPN-out1-out1 password=\
Pss.251255** user=jloeken@posscales.com.au
/interface ipip
add disabled=yes name=ipip-tunnel1-Bygreen remote-address=10.10.10.1
# EoIP has no authentication or encryption of its own. The remote 10.10.10.1
# is a private address, so this presumably rides inside one of the IPsec
# protected tunnels above - confirm, because the bridge port section puts
# this tunnel in the same L2 domain as ether5.
/interface eoip
add mac-address=02:EB:1F:CB:76:57 name=eoip-tunnel-Bygreen remote-address=\
10.10.10.1 tunnel-id=0
# vlan100 on ether1 is the real WAN interface (it holds the public address
# and is the only member of the WAN list); ether1 untagged is not in that list.
/interface vlan
add interface="ether1 TPG Internet" name=vlan100 vlan-id=100
/interface ovpn-client
add certificate=us708.nordvpn.com.tcp443.ovpn_0 connect-to=104.152.46.84 \
disabled=yes mac-address=02:B8:6A:2A:14:63 name=NOrd-OVPN-out1 password=\
Pss.251255** port=443 user=jloeken@posscales.com.au
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
# The RB750 r2 has no wireless; these profiles are inert on this model.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity="POS Scales"
add authentication-types=wpa-eap eap-methods=eap-tls management-protection=\
allowed mode=dynamic-keys name=profile1 radius-eap-accounting=yes \
radius-mac-accounting=yes radius-mac-authentication=yes \
supplicant-identity=""
# DHCP servers, vendor options handed to phones, kid-control schedules,
# address pools, a third L2TP client, the SNMP community, remote syslog and
# a restricted user group.
/ip dhcp-server
add authoritative=after-2sec-delay disabled=no interface=\
"Port 2 Phone system" name=defconf
# Option 66 provisioning URLs: the random path segment is what authorises a
# phone to download its configuration, so these values are secrets in their
# own right, and they are handed to any client that obtains a lease on the
# network they are attached to.
/ip dhcp-server option
add code=66 name=66 value=\
"'https://adept-3cx.voipitup.com.au/provisioning/gqofw8t294bqo0'"
add code=66 name="PSS TFTP 66" value="'192.168.0.1'"
add code=66 name="jason PC" value="'192.168.0.20'"
add code=66 name="Mikrotik tftp" value="'192.168.0.254'"
add code=66 name="66 Ready Movers" value=\
"'https://rm-3cx.voipitup.com.au/provisioning/ezj7wrwg1f'"
add code=66 name=PBX2-3cx value=\
"'https://pbx2-3cx.voipitup.com.au/provisioning/lrbvvfvg1e'"
add code=43 name=PSS-UniFi-Controller value="'3.105.22.41'"
/ip firewall layer7-protocol
add name=no-this
# Both kid-control schedules are disabled.
/ip kid-control
add disabled=yes fri=6h-1d,0s-1h mon=6h-23h name=Jayden sat=6h-1d,0s-1h sun=\
6h-23h thu=6h-23h tue=6h-23h wed=6h-23h
add disabled=yes fri=0s-1d,0s-1h mon=0s-1d name=Jason sat=4h-1d,0s-1h sun=\
2h-23h thu=0s-1d tue=0s-1d wed=0s-1d
/ip pool
add name="DHCP 1" ranges=192.168.1.100-192.168.1.250
add name="DHCP 2" ranges=192.168.2.100-192.168.2.200
add name="DHCP 3" ranges=192.168.3.100-192.168.3.200
add name=dhcp_pool1 ranges=192.168.0.30-192.168.0.99
add name=dhcp_pool5 ranges=192.168.5.50-192.168.5.254
/ip dhcp-server
add address-pool="DHCP 3" authoritative=after-2sec-delay disabled=no \
interface="Test Bench Port 3" name=server1
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
interface="Port4 Office PC Network" name=dhcp1
# DHCP server can not run on slave interface!
# ether5 is a port of Bygreen_VPN_Port5_Bridge (see /interface bridge port),
# which appears to be why the export flags dhcp2 above; bind the server to
# the bridge instead, or remove it.
add address-pool=dhcp_pool5 disabled=no interface=ether5 name=dhcp2
# Third L2TP client, again with its IPsec secret and password in clear text.
/interface l2tp-client
add connect-to=13.237.137.170 ipsec-secret="\$F3Yz#w8#qBsn73t" name=\
"Test To AMAZON TLC" password="\$dgt4437" profile=default use-ipsec=yes \
user=TLC-Manage
# The default community answers from any source (0.0.0.0/0) and SNMP is
# enabled further down. The filter input chain only drops vlan100, so the
# community is queryable from every LAN and tunnel interface. Restrict
# addresses= to the monitoring host, and prefer an SNMPv3 community with
# authentication over a v2c community string.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# Remote logging target used for the dns topic (presumably plain syslog/UDP
# to a LAN host).
/system logging action
add name=NAS remote=192.168.0.101 target=remote
# Group with only the `test` policy; every other policy is explicitly denied.
/user group
add name=btest policy="test,!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!pol\
icy,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
# Bridge membership, connection tracking timeouts, neighbor discovery,
# interface-list membership, IP addressing, ARP, DDNS, DHCP client/leases/
# networks and DNS.
/interface bridge port
add bridge=Bygreen_VPN_Port5_Bridge interface=ether5
add bridge=Bygreen_VPN_Port5_Bridge interface=eoip-tunnel-Bygreen
/ip firewall connection tracking
set udp-stream-timeout=10m udp-timeout=1m10s
# discover-interface-list=all advertises this router (identity, version,
# MAC) by MNDP/CDP/LLDP on every interface, including vlan100 towards the
# ISP. The `discover` interface list already exists and holds the LAN
# ports; use `set discover-interface-list=discover` here instead.
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface="Port 2 Phone system" list=discover
add interface="Test Bench Port 3" list=discover
add interface="Port4 Office PC Network" list=discover
add interface=ether5 list=discover
add interface=NordVPN-out1-out1 list=discover
add interface=NOrd-OVPN-out1 list=discover
add interface="Port 2 Phone system" list=mactel
add interface="Port 2 Phone system" list=mac-winbox
add interface=vlan100 list=WAN
# Several /24s are stacked on the office port. 192.168.1.0/24 is configured
# on both "Port 2 Phone system" (.1.1) and "Port4 Office PC Network" (.1.99);
# confirm that overlap is intentional, it makes routing for that subnet
# depend on interface order.
/ip address
add address=192.168.1.1/24 comment=LAN interface="Port 2 Phone system" \
network=192.168.1.0
add address=61.69.57.74/30 comment=WAN interface=vlan100 network=61.69.57.72
add address=192.168.3.1/24 interface="Test Bench Port 3" network=192.168.3.0
add address=192.168.0.254/24 comment="Pss office network" interface=\
"Port4 Office PC Network" network=192.168.0.0
add address=192.168.5.5/24 disabled=yes interface="ether1 TPG Internet" \
network=192.168.5.0
add address=192.168.20.254/24 interface="Port4 Office PC Network" network=\
192.168.20.0
add address=192.168.5.2/24 disabled=yes interface="Port4 Office PC Network" \
network=192.168.5.0
add address=192.168.7.101/24 interface="Port4 Office PC Network" network=\
192.168.7.0
add address=192.168.5.1/24 disabled=yes interface=ether5 network=192.168.5.0
add address=192.168.2.1/24 comment=LAN interface="Port4 Office PC Network" \
network=192.168.2.0
add address=192.168.1.99/24 interface="Port4 Office PC Network" network=\
192.168.1.0
add address=172.30.0.2/24 disabled=yes interface="Port4 Office PC Network" \
network=172.30.0.0
# Static ARP pin for the Grandstream phone that the TFTP dst-nat refers to.
/ip arp
add address=192.168.0.203 interface="Port4 Office PC Network" mac-address=\
00:0B:82:7B:71:DB
# Publishes the WAN address to MikroTik's cloud DDNS service.
/ip cloud
set ddns-enabled=yes
# DHCP client on the office LAN port, next to its static addresses;
# add-default-route=no keeps the TPG default route. NOTE(review): this only
# does something if another DHCP server exists on that segment - confirm.
/ip dhcp-client
add add-default-route=no comment=defconf interface="Port4 Office PC Network"
/ip dhcp-server alert
add disabled=no interface="Port4 Office PC Network"
add disabled=no interface="Port 2 Phone system"
add disabled=no interface="Test Bench Port 3"
# Static leases. The 192.168.0.203 entry below has no server= binding, unlike
# the others - confirm it is attached to dhcp1 as intended.
/ip dhcp-server lease
add address=192.168.0.54 client-id=1:fc:aa:14:78:b9:37 mac-address=\
FC:AA:14:78:B9:37 server=dhcp1
add address=192.168.0.41 client-id=1:0:15:65:cb:e2:8a comment=\
"Ready Movers Phone setup Before Going to Site" dhcp-option=\
"66 Ready Movers" mac-address=00:15:65:CB:E2:8A server=dhcp1
add address=192.168.0.70 client-id=1:f4:a9:97:8a:9d:43 mac-address=\
F4:A9:97:8A:9D:43 server=dhcp1
add address=192.168.0.49 client-id=1:b8:27:eb:e:97:f7 mac-address=\
B8:27:EB:0E:97:F7 server=dhcp1
add address=192.168.0.74 client-id=1:0:15:65:95:c7:e5 dhcp-option=PBX2-3cx \
mac-address=00:15:65:95:C7:E5 server=dhcp1
add address=192.168.0.203 allow-dual-stack-queue=no always-broadcast=yes \
client-id=00:0B:82:7B:71:DB dhcp-option="jason PC" mac-address=\
00:0B:82:7B:71:DB
add address=192.168.0.5 client-id=1:b8:27:eb:7:4b:8b comment=\
"Office SBC PI - posscales.3cx.com.au" disabled=yes mac-address=\
B8:27:EB:07:4B:8B server=dhcp1
add address=192.168.2.69 client-id=1:f4:92:bf:89:da:21 mac-address=\
F4:92:BF:89:DA:21 server=dhcp1
add address=192.168.0.43 client-id=1:44:fe:3b:6d:e:fc comment="Yamaha AMP " \
mac-address=44:FE:3B:6D:0E:FC server=dhcp1
add address=192.168.0.58 client-id=1:c4:ad:34:da:86:ea comment=\
"TEST mikrotik, for video intercom" mac-address=C4:AD:34:DA:86:EA \
server=dhcp1
add address=192.168.0.78 client-id=1:c:38:3e:39:be:8b comment=\
"Fanville Door Intercom" mac-address=0C:38:3E:39:BE:8B server=dhcp1
add address=192.168.0.82 client-id=1:0:a0:de:b3:4:8f comment=\
"Yamaha WXA-50 AMP" mac-address=00:A0:DE:B3:04:8F server=dhcp1
# Per-network DHCP parameters; 192.168.0.0/24 and 192.168.3.0/24 also push
# a TFTP (option 66) server to clients.
/ip dhcp-server network
add address=192.168.0.0/24 dhcp-option="PSS TFTP 66" dns-server=\
192.168.0.254,8.8.8.8 gateway=192.168.0.254
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1,8.8.8.8 gateway=192.168.2.1 \
netmask=24
add address=192.168.3.0/24 dhcp-option="Mikrotik tftp" dns-server=192.168.3.1 \
gateway=192.168.3.1 netmask=24
add address=192.168.20.0/24 dns-server=1.1.1.1 gateway=192.168.20.254 \
netmask=24
# The router resolves for clients (allow-remote-requests=yes). Queries from
# the Internet are kept out only by the two input drops for vlan100 in the
# filter; nothing blocks queries arriving over the tunnel client interfaces.
/ip dns
set allow-remote-requests=yes servers=\
203.8.183.1,1.1.1.1,8.8.8.8,192.189.54.33
/ip dns static
add address=192.168.1.1 name=router
add address=3.105.22.41 name=unifi
# Firewall address lists. List names are case-sensitive: `sip` (one entry
# below) is a separate list from `SIP` and no rule refers to it, so that
# entry is dead unless the lower-case name was intended. The SIP list mixes
# carrier /16s and /24s with the local LAN ranges and this router's own WAN
# address, and the filter accepts all forwarded traffic from it with no port
# or interface match, so every entry here is effectively whitelisted end to
# end. No BLOCKED_MAC list appears in this export although filter and raw
# rules drop on it; presumably it is populated at runtime - confirm.
/ip firewall address-list
add address=52.62.206.142 list=3cx_PBX
add address=54.79.1.213 comment=PBX2 list=3cx_PBX
add address=119.18.45.83 list=3cx_PBX
add address=192.168.0.49 disabled=yes list=vpn
add address=192.168.0.38 disabled=yes list=vpn
add address=192.168.0.75 list=vpn
add address=185.222.211.50 list=blacklist
add address=58.107.0.0/16 list=SIP
add address=35.189.35.225 list=SIP
add address=139.99.140.153 list=SIP
add address=139.99.140.152 list=SIP
add address=35.189.44.220 list=SIP
add address=35.189.47.13 list=SIP
add address=82.205.1.238 list=SIP
add address=124.150.0.0/16 list=SIP
add address=208.73.211.69 list=SIP
add address=203.161.160.69 list=SIP
add address=203.161.160.70 list=SIP
add address=203.161.166.71 list=SIP
add address=203.161.160.0/20 list=SIP
add address=223.252.35.13 list=SIP
add address=120.151.55.184 list=SIP
add address=27.111.14.65 list=SIP
add address=203.118.156.197 list=SIP
add address=27.111.14.0/24 list=SIP
add address=110.23.95.16 list=SIP
add address=220.233.0.0/24 list=SIP
add address=202.61.12.230 list=SIP
add address=202.61.13.102 list=SIP
add address=203.161.164.69 list=SIP
add address=61.69.57.74 list=SIP
add address=61.69.5.128/30 list=SIP
add address=61.69.5.130 list=SIP
add address=192.168.1.0/24 list=SIP
add address=172.30.0.0/24 list=SIP
add address=103.77.233.190 comment="VoIP IT UP" list=SIP
add address=35.244.94.36 comment="VoIP IT UP" list=SIP
add address=101.0.113.238 comment="VoIP IT UP" list=SIP
add address=35.197.165.191 comment="VoIP IT UP" list=SIP
add address=103.77.233.107 comment="VoIP IT UP" list=SIP
add address=35.201.30.11 comment="VoIP IT UP" list=SIP
add address=35.197.168.74 comment="VoIP IT UP (FAX RTP)" list=SIP
add address=35.189.26.1 comment="VoIP IT UP" list=SIP
add address=192.168.0.0/24 list=SIP
add address=192.168.20.0/24 list=SIP
add address=13.237.86.40 list=3cx_PBX
add address=3.104.169.66 comment="NSF 3cx" list=3cx_PBX
# list=sip (lower case) - unreferenced; the same address is also in 3cx_PBX.
add address=52.65.160.212 comment="FMM.3cx test PBX as A softswitch" list=sip
add address=203.63.96.24/29 comment="AAPT BizPhone WEB" disabled=yes list=\
SIP2
add address=203.185.248.15 comment="AAPT BizPhone sip rtp" disabled=yes list=\
SIP2
add address=202.92.115.50 comment="AAPT BizPhone sip rtp" disabled=yes list=\
SIP2
add address=203.63.96.15 comment="AAPT BizPhone sip rtp" disabled=yes list=\
SIP2
add address=203.185.196.15 comment="AAPT BizPhone sip rtp" disabled=yes list=\
SIP2
add address=210.87.54.15 comment="AAPT BizPhone sip rtp" disabled=yes list=\
SIP2
add address=210.9.35.6 comment="AAPT BizPhone sip rtp" disabled=yes list=SIP2
add address=210.9.35.134 comment="AAPT BizPhone sip rtp" disabled=yes list=\
SIP2
add address=103.26.173.0/24 comment="NETSIP OTW" list=SIP
add address=103.26.174.0/24 comment="NETSIP OTW" list=SIP
add address=103.26.175.0/24 comment="NETSIP OTW" list=SIP
add address=60.240.192.44 comment="Dads new NBN At home" list=SIP
add address=52.65.160.212 list=3cx_PBX
add address=54.206.134.9 list=3cx_PBX
add address=103.26.172.0/24 comment="NETSIP OTW" list=SIP
add address=38.108.185.64 comment=Opendrive disabled=yes list="Labeled only"
add address=52.63.117.16 comment=Supernetics list=3cx_PBX
add address=3.105.22.41 comment="Unifi SERVER" list=SIP2
add address=3.25.15.255 comment="Sandstone World 3cx PBX" list=3cx_PBX
add address=13.237.181.178 comment="SmartAir 3cx" list=3cx_PBX
add address=199.87.144.0/21 comment=Callcentric list=SIP
add address=204.11.192.0/22 comment=Callcentric list=SIP
add address=54.252.70.3 comment="KC_Psych 3CX PBX" list=3cx_PBX
add address=13.237.30.128 comment=posscales.3cx.com.au list=SIP
add address=13.237.30.128 comment=posscales.3cx.com.au list=3cx_PBX
# Filter rules are evaluated top to bottom within each chain. Forward:
# parental MAC drops, several broad accepts, established/related, per-port
# accepts from vlan100, then the WAN drops. Input: vlan100 is dropped except
# ICMP and established/related; no other interface has a final drop.
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=192.168.0.20 \
in-interface-list=WAN
add action=drop chain=forward disabled=yes out-interface-list=WAN \
src-address=192.168.0.20
add action=accept chain=forward disabled=yes protocol=udp src-port=\
33434-33625
# The src-mac-address rules below are parental schedules; a MAC is trivially
# changed on the client, so they are not a security control.
add action=drop chain=forward comment="EVE PC MAC Drop " disabled=yes \
in-interface="Port4 Office PC Network" src-mac-address=60:A4:4C:41:13:16
add action=drop chain=forward comment="EVE School Laptop MAC Drop " disabled=\
yes in-interface="Port4 Office PC Network" src-mac-address=\
F0:D5:BF:4D:C4:84
add action=drop chain=forward comment="EVE Realme 6 MAC " disabled=yes \
in-interface="Port4 Office PC Network" src-mac-address=EA:5A:B9:84:A0:6C \
time=1h-6h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="ChromeCast-Ultra MAC BLOCK " \
disabled=yes in-interface="Port4 Office PC Network" src-mac-address=\
44:09:B8:66:97:AA
# No BLOCKED_MAC address list is defined in this export; these two rules (and
# the raw rules further down) match nothing until it is populated -
# presumably by a script not shown here, confirm.
add action=drop chain=forward src-address-list=BLOCKED_MAC
add action=drop chain=input src-address-list=BLOCKED_MAC
add action=drop chain=forward comment="ChromeCast MAC BLOCK " disabled=yes \
in-interface="Port4 Office PC Network" src-mac-address=38:8B:59:92:96:4B
add action=drop chain=forward comment="Jayden PC room MAC Drop During" \
disabled=yes in-interface="Port4 Office PC Network" src-mac-address=\
10:C3:7B:A1:E8:7C time=21h-6h,sun,mon,tue,wed,thu
add action=drop chain=forward comment=\
"Jayden PC MAC Drop During School Hours" disabled=yes in-interface=\
"Port4 Office PC Network" src-mac-address=8C:89:A5:16:98:F4 time=\
21h-6h,sun,mon,tue,wed,thu
add action=drop chain=forward comment="Jayden TABLET MAC Drop" \
in-interface="Port4 Office PC Network" src-mac-address=54:27:58:6D:20:A0
add action=drop chain=forward comment="Jayden Armor 8 Phone MAC Drop" \
disabled=yes in-interface="Port4 Office PC Network" src-mac-address=\
42:8B:D0:C8:37:27 time=21h-6h,sun,mon,tue,wed,thu
# inactive time
add action=drop chain=forward comment=\
"Mitchell PC MAC Drop During School Hours" in-interface=\
"Port4 Office PC Network" src-mac-address=6C:F0:49:7D:86:3D time=\
22h-6h,sun,mon,tue,wed,thu
# inactive time
add action=drop chain=forward comment="Mitchell Tablet MAC Drop " \
in-interface="Port4 Office PC Network" src-mac-address=D0:F8:8C:F4:B1:60 \
time=22h-6h,sun,mon,tue,wed,thu
add action=drop chain=forward comment="Mitchell School Laptop MAC Drop " \
disabled=yes in-interface="Port4 Office PC Network" src-mac-address=\
5C:BA:EF:4D:7A:E9
add action=accept chain=forward out-interface=vlan100 src-address=\
192.168.5.20
# One external host is accepted into the forward chain with no port or
# destination match; the dst-nat rules that referred to it are disabled.
add action=accept chain=forward in-interface-list=WAN src-address=\
20.188.240.183
# Widest rule in the chain: any forwarded packet from a SIP-listed source on
# any interface and any port, ahead of the invalid and new-from-WAN drops.
# The SIP list holds whole carrier /16s as well as the local LAN ranges.
add action=accept chain=forward src-address-list=SIP
add action=accept chain=forward comment="Reflections Coolangattor" \
in-interface-list=WAN src-address=60.240.32.226
# Keeps the recursive resolver (allow-remote-requests=yes) off the WAN.
add action=drop chain=input dst-port=53 in-interface=vlan100 log=yes \
protocol=tcp
add action=drop chain=input dst-port=53 in-interface=vlan100 protocol=udp
add action=drop chain=forward in-interface=vlan100 log=yes log-prefix=\
"Black LIST DROP: " src-address-list=blacklist
# dst-port 442 looks like a typo for 445 (SMB) in all three of these disabled
# rules - TODO confirm before enabling them.
add action=drop chain=forward comment="Print Spooler Hacker Protection" \
disabled=yes dst-port=135,442 log=yes log-prefix="HACKER BLOCKED >>>" \
out-interface-list=WAN protocol=udp
add action=drop chain=output comment="Print Spooler Hacker Protection" \
disabled=yes dst-port=135,442 log=yes log-prefix="HACKER BLOCKED >>>" \
out-interface-list=WAN protocol=udp
add action=drop chain=forward comment="Print Spooler Hacker Protection" \
disabled=yes dst-port=135,442 log=yes log-prefix="HACKER BLOCKED >>>" \
out-interface-list=WAN protocol=tcp
add action=accept chain=forward disabled=yes in-interface=NordVPN-out1-out1
# Every packet is matched against all the rules above before reaching this
# accept; fasttrack is disabled further down.
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=forward in-interface-list=discover \
out-interface-list=WAN
add action=accept chain=forward comment="SIP Port" in-interface=vlan100 \
src-address-list=SIP2
add action=accept chain=forward comment="3CX PBX ALLOW LIST Accept" \
in-interface=vlan100 src-address-list=3cx_PBX
# Same comment as the rule above but no src-address-list, so TCP/21 from any
# Internet source is accepted and the "FTP IN to NAS" dst-nat delivers it to
# 192.168.0.101. Add `src-address-list=3cx_PBX` (or whichever sources really
# need it) unless the NAS FTP service is meant to be public.
add action=accept chain=forward comment="3CX PBX ALLOW LIST Accept" \
dst-port=21 in-interface=vlan100 protocol=tcp
# Per-port accepts from the Internet. In practice forwarded traffic from
# vlan100 only exists after a dst-nat, and most of those are disabled at
# present, so several of these are currently inert.
add action=accept chain=forward comment="SIP Port" dst-port=5062 \
in-interface=vlan100 protocol=udp
add action=accept chain=forward comment="SIP Port" dst-port=5090 \
in-interface=vlan100 protocol=udp
add action=accept chain=forward comment="SIP Port" dst-port=5090 \
in-interface=vlan100 protocol=tcp
add action=accept chain=forward dst-port=5062 in-interface=vlan100 protocol=\
tcp
add action=accept chain=forward disabled=yes dst-port=80 in-interface=vlan100 \
protocol=tcp
add action=accept chain=forward dst-port=645 in-interface=vlan100 protocol=\
tcp
add action=accept chain=forward dst-port=6500-6599 in-interface=vlan100 \
protocol=tcp
add action=accept chain=forward dst-port=6500-6599 in-interface=vlan100 \
protocol=udp
add action=accept chain=forward comment="Miner 1" disabled=yes log-prefix=\
"Miner 1 DATA Invalid\?\? allowed.. : " src-address=192.168.0.59
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related" \
disabled=yes in-interface="ether1 TPG Internet" log=yes src-address=\
13.237.137.170
add action=accept chain=forward comment="RDP Port to server" dst-port=5952 \
in-interface=vlan100 log=yes log-prefix="RDP Fire wall" protocol=tcp
add action=accept chain=forward dst-port=5955 in-interface=vlan100 protocol=\
tcp
add action=accept chain=forward dst-port=2005 in-interface=vlan100 protocol=\
tcp
# log-prefix says PORT443 but the match is TCP/5900 (VNC); stale label.
add action=accept chain=forward dst-port=5900 in-interface=vlan100 log=yes \
log-prefix="PORT443 ::::: " protocol=tcp
add action=accept chain=forward comment="SIP Port" dst-port=5060 \
in-interface=vlan100 protocol=udp src-address-list=SIP
add action=accept chain=forward comment="SIP Port" in-interface=vlan100 \
src-address=54.79.1.213
add action=accept chain=forward comment="SIP Port" in-interface=vlan100 \
src-address=118.127.61.58
add action=accept chain=forward comment="Voice RTP Port" dst-port=6000-6399 \
in-interface=vlan100 protocol=udp
add action=accept chain=forward comment="Geovision Port" dst-port=56000 \
in-interface=vlan100 protocol=tcp
add action=accept chain=forward comment="Geovision Port" dst-port=9999 \
in-interface=vlan100 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=6050 in-interface=\
vlan100 protocol=udp
# Comment says WAN but the match is the office LAN port; winbox from the
# real WAN is dropped by the vlan100 input rule that follows.
add action=accept chain=input comment="Winbox Wan Access" dst-port=8291 \
in-interface="Port4 Office PC Network" protocol=tcp
# Catch-all for vlan100 only. Input arriving on ether1 untagged or on the
# L2TP/PPTP/OVPN client interfaces is never dropped, so router services on
# those paths rely solely on their own address= restrictions.
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=vlan100 log=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid in-interface-list=WAN log=yes log-prefix=\
"Invalid DROP Rule:: "
# Final WAN forward drop: new connections from the WAN list that were not
# dst-natted. Everything accepted above never reaches it.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface-list=WAN log=yes log-prefix="FireWall Drop - NEW"
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface="ether1 TPG Internet"
add action=accept chain=output out-interface-list=WAN
# Mangle (routing mark for the NordVPN policy route; both rules disabled) and
# NAT. Outbound traffic is masqueraded on vlan100 and towards the
# MT-Management-VPN prefixes; the inbound dst-nats are mostly disabled test
# entries for PBXs, cameras and RDP - the live ones are TFTP redirect and
# FTP to the NAS.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="NORD VPN" disabled=yes \
new-routing-mark=vpn passthrough=yes src-address-list=vpn
add action=log chain=prerouting content=porn disabled=yes log=yes log-prefix=\
"Porn Site:"
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=9000 protocol=tcp \
to-addresses=20.188.240.183 to-ports=11166
add action=dst-nat chain=dstnat disabled=yes in-interface=vlan100 \
src-address=20.188.240.183 to-addresses=192.168.0.69
add action=src-nat chain=srcnat disabled=yes dst-port=9000 out-interface=\
vlan100 protocol=tcp to-ports=11166
add action=masquerade chain=srcnat dst-address=10.11.3.0/24 out-interface=\
MT-Management-VPN
add action=masquerade chain=srcnat dst-address=10.10.0.0/22 out-interface=\
MT-Management-VPN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=vlan100
# Redirects TFTP from the Grandstream at 192.168.0.203 to 192.168.0.20, logged.
add action=dst-nat chain=dstnat dst-port=69 log=yes log-prefix=\
"GRANDSTREAM: " protocol=udp src-address=192.168.0.203 to-addresses=\
192.168.0.20
add action=dst-nat chain=dstnat comment="Test PBX" disabled=yes in-interface=\
vlan100 log-prefix="PBX: " src-address-list=SIP2 to-addresses=\
192.168.5.20
add action=dst-nat chain=dstnat comment="Test PBX" disabled=yes dst-port=5062 \
in-interface=vlan100 log-prefix="PBX: " protocol=tcp to-addresses=\
192.168.5.20
add action=dst-nat chain=dstnat disabled=yes dst-port=645 in-interface=\
vlan100 log-prefix="PBX: " protocol=tcp to-addresses=192.168.5.20
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=vlan100 \
log-prefix="PBX: " protocol=tcp to-addresses=192.168.5.20
add action=dst-nat chain=dstnat disabled=yes dst-port=645 in-interface=\
vlan100 log-prefix="PBX: " protocol=udp to-addresses=192.168.5.20
add action=dst-nat chain=dstnat disabled=yes dst-port=6500-6599 in-interface=\
vlan100 log-prefix="PBX: " protocol=tcp to-addresses=192.168.5.20
add action=dst-nat chain=dstnat disabled=yes dst-port=5062 in-interface=\
vlan100 log-prefix="PBX: " protocol=udp to-addresses=192.168.5.20
add action=dst-nat chain=dstnat disabled=yes dst-port=6500-6599 in-interface=\
vlan100 log-prefix="PBX: " protocol=udp to-addresses=192.168.5.20
add action=dst-nat chain=dstnat comment="PBX NETWORK" disabled=yes dst-port=\
5060 in-interface=vlan100 log-prefix="PBX: " protocol=udp \
src-address-list=SIP to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="PBX NETWORK" disabled=yes dst-port=\
5060 in-interface=vlan100 log-prefix="PBX: " protocol=tcp \
src-address-list=SIP to-addresses=192.168.1.2
add action=dst-nat chain=dstnat disabled=yes dst-port=6000-6399 in-interface=\
vlan100 log-prefix="PBX: " protocol=udp src-address-list=SIP \
to-addresses=192.168.1.2
add action=dst-nat chain=dstnat disabled=yes dst-port=6000-6399 in-interface=\
vlan100 log-prefix="PBX: " protocol=tcp src-address-list=SIP \
to-addresses=192.168.1.2
add action=dst-nat chain=dstnat disabled=yes dst-port=3478-3479 in-interface=\
vlan100 log-prefix="PBX: " protocol=tcp src-address-list=SIP \
to-addresses=192.168.1.2
add action=dst-nat chain=dstnat disabled=yes dst-port=5000-5001 in-interface=\
vlan100 log-prefix="PBX: " protocol=tcp to-addresses=192.168.0.77
add action=dst-nat chain=dstnat disabled=yes dst-port=5090 in-interface=\
vlan100 log-prefix="PBX: " protocol=tcp to-addresses=192.168.0.5
add action=dst-nat chain=dstnat comment="Hairpin NAT 3cx PBX Door bell" \
disabled=yes dst-address=61.69.57.74 dst-port=5090 log-prefix="PBX: " \
protocol=tcp to-addresses=192.168.0.77
add action=dst-nat chain=dstnat comment="Hairpin NAT 3cx PBX Door bell" \
disabled=yes dst-address=61.69.57.74 dst-port=5001 log-prefix="PBX: " \
protocol=tcp to-addresses=192.168.0.77
add action=dst-nat chain=dstnat comment="Hairpin NAT 3cx PBX Door bell" \
disabled=yes dst-address=61.69.57.74 dst-port=5090 log-prefix="PBX: " \
protocol=udp to-addresses=192.168.0.77
add action=dst-nat chain=dstnat disabled=yes dst-port=5090 in-interface=\
vlan100 log-prefix="PBX: " protocol=udp to-addresses=192.168.0.77
add action=dst-nat chain=dstnat disabled=yes dst-port=5064 in-interface=\
vlan100 log-prefix="PBX: " protocol=udp to-addresses=192.168.0.77
add action=dst-nat chain=dstnat disabled=yes dst-port=9000-10999 \
in-interface=vlan100 log-prefix="PBX: " protocol=udp to-addresses=\
192.168.0.77
# action=accept in dstnat only exempts the packet from NAT; whether winbox is
# reachable from the WAN is decided by the filter input chain, which drops
# vlan100.
add action=accept chain=dstnat comment="Allow Win Box Trafic" dst-port=8291 \
in-interface=vlan100 protocol=tcp
# Exempts one external host on untagged ether1 from dst-nat; the WAN address
# lives on vlan100, so this is presumably a leftover - confirm.
add action=accept chain=dstnat in-interface="ether1 TPG Internet" \
src-address=52.63.55.4
add action=dst-nat chain=dstnat comment="RDP Accesst to Server" disabled=yes \
dst-port=5952 in-interface=vlan100 log-prefix="RDP ACCESS" protocol=tcp \
to-addresses=192.168.0.200 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP Accesst to Server ABETTA VM" \
disabled=yes dst-port=5955 in-interface=vlan100 log-prefix=\
"RDP ACCESS ABETTA" protocol=tcp to-addresses=192.168.0.150 to-ports=\
3389
add action=dst-nat chain=dstnat disabled=yes dst-port=5921 in-interface=\
vlan100 protocol=tcp src-address-list=3cx_PBX to-addresses=192.168.0.101 \
to-ports=21
add action=dst-nat chain=dstnat disabled=yes dst-port=5065 in-interface=\
vlan100 protocol=tcp src-address-list=3cx_PBX to-addresses=192.168.0.74
add action=dst-nat chain=dstnat disabled=yes dst-port=5065 in-interface=\
vlan100 protocol=udp src-address-list=3cx_PBX to-addresses=192.168.0.74
add action=dst-nat chain=dstnat disabled=yes dst-port=14000-14019 \
in-interface=vlan100 protocol=udp src-address-list=3cx_PBX to-addresses=\
192.168.0.74
add action=dst-nat chain=dstnat comment="GEO WEB Port" disabled=yes dst-port=\
9999 in-interface=vlan100 protocol=tcp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=56000 in-interface=\
vlan100 protocol=tcp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=8554 in-interface=\
vlan100 protocol=tcp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=17300-17380 \
in-interface=vlan100 protocol=udp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=6550 in-interface=\
vlan100 protocol=tcp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=4550 in-interface=\
vlan100 protocol=tcp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=5550 in-interface=\
vlan100 protocol=tcp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=5552 in-interface=\
vlan100 protocol=tcp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=8866 in-interface=\
vlan100 protocol=tcp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=5511 in-interface=\
vlan100 protocol=tcp to-addresses=192.168.0.54
add action=dst-nat chain=dstnat disabled=yes dst-port=5511 in-interface=\
vlan100 protocol=udp to-addresses=192.168.0.54
# Live Internet exposure: TCP/21 from any source on vlan100 to the NAS, and
# the filter accepts it without a source restriction. FTP carries credentials
# in clear text; restrict the source addresses (the disabled 5921 rule above
# shows the 3cx_PBX-limited form) or move the NAS to SFTP/FTPS.
add action=dst-nat chain=dstnat comment="FTP IN to NAS" dst-port=21 \
in-interface=vlan100 log-prefix="FTP Connection IN: " protocol=tcp \
to-addresses=192.168.0.101
add action=dst-nat chain=dstnat comment="Test Network" disabled=yes dst-port=\
5059 in-interface=vlan100 protocol=tcp to-addresses=192.168.3.198
add action=dst-nat chain=dstnat disabled=yes dst-port=5090 in-interface=\
vlan100 protocol=udp to-addresses=192.168.3.198
add action=dst-nat chain=dstnat disabled=yes dst-port=6090 in-interface=\
vlan100 protocol=tcp to-addresses=192.168.3.198
# Two disabled catch-all dst-nats with no protocol or port match: enabling
# either one exposes the target host completely.
add action=dst-nat chain=dstnat disabled=yes in-interface=vlan100 \
to-addresses=192.168.3.19
add action=dst-nat chain=dstnat comment="DMZ OFFICE NETWORK" disabled=yes \
in-interface=vlan100 to-addresses=192.168.3.198
add action=dst-nat chain=dstnat comment="EVE's XenServer" disabled=yes \
dst-port=2005 in-interface=vlan100 protocol=tcp to-addresses=\
192.168.0.210 to-ports=443
add action=dst-nat chain=dstnat comment="TOO THE HEnley 3CX PBX" disabled=yes \
dst-port=5062 in-interface=vlan100 protocol=tcp src-port="" to-addresses=\
192.168.0.52
add action=dst-nat chain=dstnat comment="TOO THE HEnley 3CX PBX" disabled=yes \
dst-port=5062 in-interface=vlan100 protocol=udp src-port="" to-addresses=\
192.168.0.52
add action=dst-nat chain=dstnat comment="EVE's XenServer" disabled=yes \
dst-port=22 in-interface=vlan100 protocol=tcp to-addresses=192.168.0.210
add action=dst-nat chain=dstnat comment="EVE's XenServer" disabled=yes \
dst-port=5900-5920 in-interface=vlan100 protocol=tcp to-addresses=\
192.168.0.210
# Raw-table drops for BLOCKED_MAC, the SIP helper switched off, kid-control
# devices, static routes (default via TPG, management prefixes via the L2TP
# tunnel), a policy-routing rule, and the management service bindings.
/ip firewall raw
# BLOCKED_MAC is not defined in this export's address-list section.
add action=drop chain=prerouting src-address-list=BLOCKED_MAC
add action=drop chain=prerouting dst-address-list=BLOCKED_MAC
add action=drop chain=output src-address-list=BLOCKED_MAC
/ip firewall service-port
set sip disabled=yes ports=5060,5061,5062
/ip kid-control device
add mac-address=42:8B:D0:C8:37:27 name="Jayden Armor 8" user=Jayden
add disabled=yes mac-address=D4:5D:64:D7:01:C0 name="Jason Work PC" user=\
Jason
/ip route
add check-gateway=ping disabled=yes distance=1 gateway=NordVPN-out1-out1 \
routing-mark=vpn
add distance=1 gateway=61.69.57.73
add distance=1 dst-address=10.10.0.0/22 gateway=MT-Management-VPN
add distance=1 dst-address=10.11.3.0/24 gateway=MT-Management-VPN
add distance=1 dst-address=52.221.130.73/32 gateway=192.168.0.254 pref-src=\
0.0.0.0
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=192.168.0.58
add distance=1 dst-address=192.168.5.0/24 gateway="Port4 Office PC Network"
add disabled=yes distance=2 dst-address=192.168.5.0/24 gateway=\
"ether1 TPG Internet"
/ip route rule
add dst-address=52.221.130.73/32 interface="Port4 Office PC Network" \
src-address=192.168.0.203/32 table=main
# telnet, ftp, api and api-ssl are off. www is plain HTTP limited to the
# office LAN; ssh listens on 2200 for the two LANs. winbox also admits
# 13.237.137.170/32 - the "Test To AMAZON TLC" L2TP server - but the filter
# drops all new input on vlan100, so that entry only matters for traffic
# arriving over a tunnel. TODO confirm it is still needed.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24
set ssh address=192.168.0.0/24,192.168.1.0/24 port=2200
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.1.0/24,13.237.137.170/32
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
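# SSH daemon. allow-none-crypto=yes let a client negotiate the "none"
# cipher, i.e. an unencrypted session that still carries the login; refuse
# it. forwarding-enabled=remote still lets an authenticated client open
# remote port forwards through the router - confirm that is needed.
/ip ssh
set allow-none-crypto=no forwarding-enabled=remote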
# TFTP firmware service, NetFlow export, UPnP, SNMP, clock, identity,
# logging and the NTP client.
/ip tftp
add disabled=yes ip-addresses=192.168.3.1
# req-filename=.* answers every request from 192.168.0.0/24 with
# gxp1600fw.bin (Grandstream phone firmware), whatever name was asked for.
add ip-addresses=192.168.0.0/24 real-filename=gxp1600fw.bin req-filename=.*
# Flow records for all traffic go to a host on the office LAN.
/ip traffic-flow
set active-flow-timeout=1m enabled=yes
/ip traffic-flow target
add dst-address=192.168.0.20
# UPnP is enabled but only an internal interface is declared, so it should
# not be able to create WAN mappings in this state. If vlan100 is ever added
# as external, any LAN device can open inbound ports past the WAN drop rules
# - confirm UPnP is needed at all.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="Port 2 Phone system" type=internal
# SNMP on; the community configured earlier accepts queries from 0.0.0.0/0.
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=Australia/Brisbane
/system identity
set name=POS_Scales
# firewall topics to the local log, dns topics to the NAS syslog action.
/system logging
add topics=firewall
add action=NAS topics=dns
add disabled=yes topics=dhcp,debug
# primary-ntp=192.168.1.1 is this router's own address on "Port 2 Phone
# system", so time effectively comes from the au.pool.ntp.org names only;
# the static entry looks stale.
/system ntp client
set enabled=yes primary-ntp=192.168.1.1 server-dns-names=\
0.au.pool.ntp.org,1.au.pool.ntp.org,2.au.pool.ntp.org
# Weekly backup job. The embedded script holds the FTP account password in
# clear text, uploads with mode=ftp (credentials and files unencrypted on
# the wire), saves the binary backup with dont-encrypt=yes, and runs a plain
# `/export`, so the uploaded .rsc carries every password and IPsec secret on
# this router - this file is that export. Use `/export hide-sensitive`,
# enable encryption for the .backup, and move the transfer off plain FTP.
# Also: the saveRawExport branch writes `if` where the other branches write
# `:if` (confirm the console accepts both); the final cleanup loop removes
# every file whose name contains "BACKUP-", not only this run's; and the
# same script is duplicated as /system script BackupFTP below, so changes
# must be made in both places. The scheduler policy includes `sensitive` and
# `password`, which the export with secrets requires.
/system scheduler
add interval=1w name=AUTO_FTP_Backup on-event=":local saveUserDB false\r\
\n:local saveSysBackup true\r\
\n:local encryptSysBackup false\r\
\n:local saveRawExport true\r\
\n\r\
\n:local FTPServer \"backup.posscales.com.au\"\r\
\n:local FTPPort 21\r\
\n:local FTPUser \"MT_Backups@backup.posscales.com.au\"\r\
\n:local FTPPass \"!Dgt.974082\"\r\
\n:local FTPdest \"/POS_Scales\"\r\
\n\r\
\n:local ts [/system clock get time]\r\
\n:set ts ([:pick \$ts 0 2].[:pick \$ts 3 5].[:pick \$ts 6 8])\r\
\n:local ds [/system clock get date]\r\
\n:set ds ([:pick \$ds 7 11].[:pick \$ds 0 3].[:pick \$ds 4 6])\r\
\n\r\
\n:local fname (\"BACKUP-\".[/system identity get name].\"-\".\$ds.\"-\".\
\$ts)\r\
\n:local sfname (\"/\".\$fname)\r\
\n:if (\$saveUserDB) do={\r\
\n /tool user-manager database save name=(\$sfname.\".umb\")\r\
\n :log info message=\"User Manager DB Backup Finished\"\r\
\n}\r\
\n:if (\$saveSysBackup) do={\r\
\n :if (\$encryptSysBackup = true) do={ /system backup save name=(\$sfnam\
e.\".backup\") }\r\
\n :if (\$encryptSysBackup = false) do={ /system backup save dont-encrypt\
=yes name=(\$sfname.\".backup\") }\r\
\n :log info message=\"System Backup Finished\"\r\
\n}\r\
\nif (\$saveRawExport) do={\r\
\n /export file=(\$sfname.\".rsc\")\r\
\n :log info message=\"Raw configuration script export Finished\"\r\
\n}\r\
\n:delay 10s\r\
\n:local backupFileName \"\"\r\
\n:local backupDestPath \"\"\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :set backupFileName (\"/\".[/file get \$backupFile name])\r\
\n :set backupDestPath (\$FTPdest.\$backupFileName)\r\
\n :if ([:typeof [:find \$backupFileName \$sfname]] != \"nil\") do={\r\
\n # :log warning message=\"/tool fetch address=\$FTPServer port=\$FTPPor\
t src-path=\$backupFileName user=\$FTPUser mode=ftp password=\$FTPPass dst\
-path=\$backupDestPath upload=yes\"\r\
\n\r\
\n /tool fetch address=\$FTPServer port=\$FTPPort src-path=\$backupFile\
Name user=\$FTPUser mode=ftp password=\$FTPPass dst-path=\$backupDestPath \
upload=yes\r\
\n }\r\
\n}\r\
\n:delay 10s\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :if ([:typeof [:find [/file get \$backupFile name] \"BACKUP-\"]]!=\"ni\
l\") do={\r\
\n /file remove \$backupFile\r\
\n }\r\
\n}\r\
\n\r\
\n:log info message=\"Successfully removed Temporary Backup Files\"\r\
\n:log info message=\"Automatic Backup Completed Successfully\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/2022 start-time=17:17:30
/system script
# BackupFTP: a stored copy of the backup script that the AUTO_FTP_Backup
# scheduler carries inline. Nothing in this export runs it by name, so it is
# either run manually or is a leftover. It differs from the scheduler copy
# in three ways:
# - The `:log warning` before the upload is ACTIVE here and writes the
#   complete fetch command, including password=$FTPPass, to the system log
#   (and to any remote log target). Remove that line or drop the password
#   from the message; secrets must not land in logs.
# - There is no :delay between writing the backup files and the upload loop.
# - The delay before the cleanup loop is 5s instead of 10s.
# Everything else (clear-text FTP credentials in the script body, unencrypted
# backup, raw export containing all secrets, unchecked upload result before
# the "BACKUP-" cleanup, `if` without the leading colon, full policy list)
# applies here exactly as it does to the scheduler entry above.
add dont-require-permissions=no name=BackupFTP owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local saveUserDB false\r\
\n:local saveSysBackup true\r\
\n:local encryptSysBackup false\r\
\n:local saveRawExport true\r\
\n\r\
\n:local FTPServer \"backup.posscales.com.au\"\r\
\n:local FTPPort 21\r\
\n:local FTPUser \"MT_Backups@backup.posscales.com.au\"\r\
\n:local FTPPass \"!Dgt.974082\"\r\
\n:local FTPdest \"/POS_Scales\"\r\
\n\r\
\n:local ts [/system clock get time]\r\
\n:set ts ([:pick \$ts 0 2].[:pick \$ts 3 5].[:pick \$ts 6 8])\r\
\n:local ds [/system clock get date]\r\
\n:set ds ([:pick \$ds 7 11].[:pick \$ds 0 3].[:pick \$ds 4 6])\r\
\n\r\
\n:local fname (\"BACKUP-\".[/system identity get name].\"-\".\$ds.\"-\".\
\$ts)\r\
\n:local sfname (\"/\".\$fname)\r\
\n:if (\$saveUserDB) do={\r\
\n /tool user-manager database save name=(\$sfname.\".umb\")\r\
\n :log info message=\"User Manager DB Backup Finished\"\r\
\n}\r\
\n:if (\$saveSysBackup) do={\r\
\n :if (\$encryptSysBackup = true) do={ /system backup save name=(\$sfnam\
e.\".backup\") }\r\
\n :if (\$encryptSysBackup = false) do={ /system backup save dont-encrypt\
=yes name=(\$sfname.\".backup\") }\r\
\n :log info message=\"System Backup Finished\"\r\
\n}\r\
\nif (\$saveRawExport) do={\r\
\n /export file=(\$sfname.\".rsc\")\r\
\n :log info message=\"Raw configuration script export Finished\"\r\
\n}\r\
\n:local backupFileName \"\"\r\
\n:local backupDestPath \"\"\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :set backupFileName (\"/\".[/file get \$backupFile name])\r\
\n :set backupDestPath (\$FTPdest.\$backupFileName)\r\
\n :if ([:typeof [:find \$backupFileName \$sfname]] != \"nil\") do={\r\
\n :log warning message=\"/tool fetch address=\$FTPServer port=\$FTPPort \
src-path=\$backupFileName user=\$FTPUser mode=ftp password=\$FTPPass dst-p\
ath=\$backupDestPath upload=yes\"\r\
\n\r\
\n /tool fetch address=\$FTPServer port=\$FTPPort src-path=\$backupFile\
Name user=\$FTPUser mode=ftp password=\$FTPPass dst-path=\$backupDestPath \
upload=yes\r\
\n }\r\
\n}\r\
\n:delay 5s\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :if ([:typeof [:find [/file get \$backupFile name] \"BACKUP-\"]]!=\"ni\
l\") do={\r\
\n /file remove \$backupFile\r\
\n }\r\
\n}\r\
\n\r\
\n:log info message=\"Successfully removed Temporary Backup Files\"\r\
\n:log info message=\"Automatic Backup Completed Successfully\""
# script1: POSTs create_folder=jason to FTPFolder.php on the backup host over
# plain HTTP (no TLS) and logs whatever comes back at error severity, even on
# success. The request carries no credentials; whether the server-side
# endpoint authenticates it cannot be told from here, so confirm that before
# relying on it. Rename or remove the script if it was a one-off test, and
# use https if the endpoint supports it.
add dont-require-permissions=no name=script1 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
\r\
\n:local return [/tool fetch http-method=post http-data=\"create_folder=ja\
son\" url=\"http://backup.posscales.com.au/FTPFolder.php\"];\r\
\n\r\
\n:log error \"\$return\";"
# ports: this is a Windows batch file (@echo off, set /p, %ERRORLEVEL%,
# goto), not RouterOS script, so it cannot run on the router and would fail
# at the first line. It is stored with the full policy list anyway. Dead
# content like this should be removed from the device; if the port check is
# wanted it belongs on the Windows host it was written for.
add dont-require-permissions=no name=ports owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="@\
echo off\r\
\ntitle ROUTEROS PORT TESTER BY BNT\r\
\n:Loop \r\
\necho.\r\
\necho =================================\r\
\necho -= ROUTEROS PORT TESTER BY BNT =-\r\
\necho =================================\r\
\necho.\r\
\nset /p ip=\"192.168.0.98: \"\r\
\necho.\r\
\necho PORT INFO:\r\
\necho - 8291 / Winbox\r\
\necho - 80 / WWW Webfig http\r\
\necho - 443 / WWW-SSL Webfig https\r\
\necho - 8728 / API\r\
\necho - 8729 / API-SSL\r\
\necho - 21 / FTP\r\
\necho - 22 / SSH\r\
\necho - 23 / Telnet\r\
\necho - 3128 / Open proxy\r\
\necho - 8080 / Open proxy\r\
\necho - 53 / DNS\r\
\necho - 2000 / Btest Server\r\
\necho.\r\
\necho Try for Scaning Port Please Wait...\r\
\necho.\r\
\nPortCheck %ip% 8291,80,443,8728,8729,21,22,23,3128,8080,53,2000\r\
\necho.\r\
\nIF %ERRORLEVEL%==1 echo - WARNING!! Open ports found, danger from attack\
!\r\
\necho - Please change your default port to another port\r\
\necho. \r\
\necho Scan Port Complete..\r\
\necho.\r\
\npause\r\
\ncls\r\
\ngoto loop"
# Block_Lease: empty source but granted the full policy list. An empty
# script does nothing; either implement it with the minimal policies it
# needs or delete it so the name does not suggest a control that is not
# there.
add dont-require-permissions=no name=Block_Lease owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
""
# Bandwidth-test server with authenticate=no: any client that can reach the
# btest service can run tests against this router without credentials,
# consuming CPU and link capacity. Set authenticate=yes, or disable the
# server (enabled=no) if it is not used, and make sure the firewall does not
# expose it on the WAN side.
/tool bandwidth-server
set authenticate=no
# Interface/queue/resource graphs. Graph pages are served by the www
# service; the address restriction for viewing them (allow-address) is not
# set in this section, so check it separately.
/tool graphing interface
add interface="ether1 TPG Internet"
add interface=vlan100
add interface="Test Bench Port 3"
add interface="Port 2 Phone system"
add interface="Port4 Office PC Network"
/tool graphing queue
add
/tool graphing resource
add
# MAC-telnet and MAC-winbox are limited to the "mactel" and "mac-winbox"
# interface lists; which physical ports are members of those lists is
# defined under /interface list member, outside this section.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
# RoMON enabled: allows layer-2 management reachability from other RouterOS
# devices independent of IP. No RoMON secret or interface restriction is set
# in this section; confirm those are configured elsewhere or disable RoMON.
/tool romon
set enabled=yes
# Packet sniffer settings: capture traffic of 192.168.1.0/24 on
# "Port4 Office PC Network" to lift6.pcap with a 2000KiB memory buffer and a
# file-limit of 900000000KiB (~900 GB). Whether a capture is currently
# running is not shown by these settings. The file-limit is far larger than
# the storage this class of router is likely to have, so check it against
# free space; the capture file holds office network traffic, so treat it as
# sensitive and remove it when the troubleshooting is done.
/tool sniffer
set file-limit=900000000KiB file-name=lift6.pcap filter-interface=\
"Port4 Office PC Network" filter-ip-address=192.168.1.0/24 memory-limit=\
2000KiB