File: /home/posscale/backup/MT_Backups/Reflections/BACKUP-Reflections_T2_Main-2022oct30-192245.rsc
# oct/30/2022 19:22:47 by RouterOS 6.49.4
# software id = L05X-CLSD
#
# model = CCR1009-7G-1C-1S+
# serial number = E3220F7681CD
# Layer-2 bridges. Judging by the port and address assignments elsewhere in
# this export, each one carries a single segment (guest, office, ops, PPPoE
# units, cast, voice).
# NOTE(review): "GOD BRIDGE" has no port, address or firewall reference in the
# visible part of this export - confirm it is unused and remove it.
/interface bridge
add name="GOD BRIDGE"
add admin-mac=DC:2C:6E:A3:33:27 auto-mac=no name=Guest-Bridge
add name="OFFICE 40 - Bridge"
add admin-mac=DC:2C:6E:A3:33:2E auto-mac=no comment=\
"VALN 10 OPS and Untaged AP" name=Ops-Bridge
add name=PPPoE-Unit-Bridge-Radius
add name="SMTV Cast - Bridge"
add name=Voice-Bridge
# Physical port settings. Only comments, auto-negotiation and the disabled
# flag are set here; ether2 (second WAN) is disabled.
# NOTE(review): the port comments record the site's public WAN addresses, so
# this export should be handled as sensitive and scrubbed before it is shared
# outside the operations team.
/interface ethernet
set [ find default-name=combo1 ] auto-negotiation=no comment=\
"Tower 1 Uplink Port Via WiFi Link\r\
\n"
set [ find default-name=ether1 ] comment=\
"NBN EE - 500Mbps - 60.240.32.226/30 - With Addon IP's"
set [ find default-name=ether2 ] comment="WAN2 - 115.187.157.231" disabled=\
yes
set [ find default-name=ether3 ] comment="Management PORT - OPS Network"
set [ find default-name=ether4 ] comment="PBX Vlan 50 Network"
set [ find default-name=ether5 ] comment=\
"Office Network 40 - CCTV Connection"
set [ find default-name=ether6 ] comment="LInk TO T2 Office Switch"
set [ find default-name=ether7 ] comment=Managemant
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
"10G Link to T2 Distrobutions Fibre Router CCR-2004"
# Outbound L2TP/IPsec tunnel "Management-VPN" to a fixed public address.
# NOTE(review): the IPsec pre-shared key and the PPP password are written here
# in clear text (the export was apparently taken without hide-sensitive).
# Treat both as disclosed once this file leaves the router: rotate them and
# re-export with "/export hide-sensitive" before archiving or sharing.
# The filter table accepts all input arriving on this interface ("Management
# VPN Access"), so the remote end of the tunnel is fully trusted by the router.
/interface l2tp-client
add connect-to=3.106.179.83 disabled=no ipsec-secret=!Pss.974082** name=\
Management-VPN password=A%b32!^*@o1EldFEbI use-ipsec=yes user=\
Reflections-Coolangatta-Beach
# EoIP (Ethernet-over-IP) tunnel to 10.11.3.1, currently disabled.
# NOTE(review): no ipsec-secret is set on this tunnel, and EoIP by itself is
# not encrypted. If it is re-enabled, confirm the path to the peer is already
# protected (the 10.11.3.x peer address suggests a VPN, but that is not shown
# here).
/interface eoip
add disabled=yes mac-address=02:A7:F6:D3:2B:FF mtu=1458 name=AWS_Domotz_EoIP \
remote-address=10.11.3.1 tunnel-id=1
# 802.1Q VLAN interfaces. combo1 carries the Tower 1 VLANs and sfp-sfpplus1
# the Tower 2 VLANs; IDs 10, 20, 40, 70 and 99 exist on both uplinks, ID 50
# only on combo1. The per-tower VLANs are joined into one bridge per segment
# under /interface bridge port.
# VLAN 998 and 999 on combo1 are used as additional DHCP-client uplinks.
# The last three VLANs (bound to Ops-Bridge) are disabled.
/interface vlan
add interface=combo1 name="T1-NBN 1 - 999" vlan-id=999
add interface=combo1 name="T1-NBN 2 - 998" vlan-id=998
add interface=combo1 name="VLAN 50 - Voice Link - T1" vlan-id=50
add interface=combo1 name="Vlan 70 - Guest - T1" vlan-id=70
add interface=sfp-sfpplus1 name="Vlan 70 - Guest - T2" vlan-id=70
add interface=combo1 name=Vlan99_PPPoE_Tower1 vlan-id=99
add interface=sfp-sfpplus1 name=Vlan99_PPPoE_Tower2 vlan-id=99
add interface=combo1 name="vlan 20 - SMTV Cast - T1" vlan-id=20
add interface=sfp-sfpplus1 name="vlan 20 - SMTV Cast - T2" vlan-id=20
add comment="STAFF/ Managemant Wifi & Office Network " interface=combo1 \
name="vlan 40 - OFFICE-Tower 1" vlan-id=40
add comment="STAFF/ Managemant Wifi & Office Network " interface=\
sfp-sfpplus1 name="vlan 40 - OFFICE-Tower 2" vlan-id=40
add comment="Inforstucture Hardware and switches" interface=combo1 name=\
vlan10-OPS-Tower1 vlan-id=10
add comment="Inforstucture Hardware and switches" interface=sfp-sfpplus1 \
name=vlan10-OPS-Tower2 vlan-id=10
add comment="Chrome Cast Network for SMAART TV People." disabled=yes \
interface=Ops-Bridge name=vlan20-Casting-Ops-Bridge vlan-id=20
add comment="Phones and PA Network" disabled=yes interface=Ops-Bridge name=\
vlan50-Phones-OPS-Bridge vlan-id=50
add comment="Radius Seperation PPP from 2004" disabled=yes interface=\
Ops-Bridge name=vlan99-PPPoE-Unit vlan-id=99
# Interface lists referenced by the firewall (in-interface-list=WAN / LAN).
# Membership is assigned under /interface list member; the filter rules are
# only as accurate as that membership.
/interface list
add name=WAN
add name=LAN
# Default wireless security profile; only the supplicant identity is set.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# HotSpot (captive portal) profile that authenticates through RADIUS
# (use-radius=yes) with 30-minute interim accounting updates.
# NOTE(review): login-by includes http-pap, which submits the user's password
# in plain text over HTTP, and mac, which authenticates on the client's MAC
# address alone - a value the client controls. Prefer https / http-chap.
# NOTE(review): mac-auth-password is stored in clear text, and the same string
# is used for the SSTP client logins in this export. Give every service its
# own secret and rotate this one.
/ip hotspot profile
add dns-name=login.voipitup hotspot-address=10.10.0.1 login-by=\
mac,cookie,http-pap mac-auth-password=Vo1p!tUp name=hsprof1 \
radius-interim-update=30m use-radius=yes
# The HotSpot server is bound to Ops-Bridge, the infrastructure segment.
# NOTE(review): hotspot-address 10.10.0.1 is not among the addresses assigned
# to Ops-Bridge in this export; confirm whether this server is active and
# whether the infrastructure bridge is really the intended interface.
/ip hotspot
add addresses-per-mac=unlimited interface=Ops-Bridge name=hotspot1 profile=\
hsprof1
# Address pools used by the DHCP servers and PPP profiles below.
# NOTE(review): VLAN_Unit_Pool (192.168.20.10-192.168.23.254, handed to PPPoE
# sessions) overlaps "SMTV Cast - POOL" (192.168.20.1-192.168.20.250, handed
# out by DHCP). The two services can assign the same address to different
# clients; confirm and separate the ranges.
/ip pool
add name=Guest-Pool ranges=10.10.4.2-10.10.7.254
add name=OPS-Pool ranges=192.168.10.100-192.168.10.254
add name=VLAN_Unit_Pool ranges=192.168.20.10-192.168.23.254
add name="SMTV Cast - POOL" ranges=192.168.20.1-192.168.20.250
add name="OFFICE - POOL" ranges=192.168.40.170-192.168.40.250
add name="Voice Pool" ranges=192.168.50.100-192.168.50.250
add name=VPN-Pool ranges=10.10.10.10-10.10.10.200
# DHCP servers, one per bridge.
/ip dhcp-server
add address-pool=Guest-Pool disabled=no interface=Guest-Bridge lease-time=1h \
name=Guest-DHCP
# OPS-DHCP carries a lease-script that works as a rogue-device alarm for the
# infrastructure network:
#  - every lease event is logged at warning level with MAC and vendor prefix
#    (the first 8 characters of the MAC);
#  - when a lease is bound and the prefix is one of three expected OUIs, an
#    "OPS LEASE OK" info line is logged (the matching e-mail is commented out);
#  - for any other prefix a "BAD OPS LEASE" error is logged and an alert
#    e-mail is sent.
# NOTE(review): the script carries the mailbox password in clear text (twice)
# and sends with start-tls=no, so the SMTP login and the alert contents cross
# the network unencrypted. Move the account into /tool e-mail settings, enable
# TLS and rotate the password.
# NOTE(review): this is detection only. The lease is still granted to the
# unknown device, and a MAC prefix is client-controlled, so a device can avoid
# the alert by presenting an expected OUI. Do not rely on it as access control.
add address-pool=OPS-Pool disabled=no interface=Ops-Bridge lease-script="{\r\
\n:local Bound \$\"leaseBound\"\r\
\n:local leaseMAC \$\"leaseActMAC\"\r\
\n:local Vendor [:pick \"\$leaseMAC\" 0 8]\r\
\n:local dserver \$\"leaseServerName\"\r\
\n:local aip \$\"leaseActIP\"\r\
\n:local lhost \$\"lease-hostname\"\r\
\n# :local rmark \"\$interfacename-WG\"\r\
\n# :local DIS \"2\"\r\
\n#\t:local Mangleid [/ip firewall mangle find where comment=\"Mark wan2 c\
on\"]\r\
\n:log warning \"NEW OPS LEASE-> Bound: \$Bound MAC: \$leaseMAC \
\_ Vendor: \$Vendor\";\r\
\n\r\
\n\r\
\n\r\
\n\r\
\n:if (\$Bound=\"1\") do={\r\
\n# :log warning \"NEW OPS LEASE-> Bound: \$Bound MAC: \$leaseMAC \
\_ Vendor: \$Vendor\";\r\
\n\r\
\n\r\
\n:if ((\$Vendor = \"C0:74:AD\") || (\$Vendor = \"64:9D:99\") || (\$Vendor\
\_= \"2C:C8:1B\")) do={\r\
\n:log info \"OPS LEASE OK -> Bound: \$Bound MAC: \$leaseMAC \
\_ Vendor: \$Vendor\";\r\
\n# /tool e-mail send from=\"pbx@voipitup.com.au\" server=\"mail.voipitup.\
com.au\" body=\"Notice: \\r\\n \\r\\n NOT A Rogue Device has been connect\
ed to Reflections \\r\\n \\r\\n OK OPS LEASE-> Bound: \$Bound MAC: \
\_\$leaseMAC Vendor: \$Vendor \\r\\n \\r\\n DHCP SERVER: \$dserv\
er \\r\\n \\r\\n IP: \$aip \\r\\n \\r\\n Host Name: lhost \" subject=\
\"NOT a Rogue Device has been connected to Reflections Operations Infrastr\
ucture Network \" to=\"jloeken@posscales.com.au\" port=587 user=pbx@voipit\
up.com.au password=Pss.974082 start-tls=no\r\
\n\r\
\n\r\
\n} else={\r\
\n:log error \"BAD OPS LEASE-> Bound: \$Bound MAC: \$leaseMAC \
\_ Vendor: \$Vendor\";\r\
\n/tool e-mail send from=\"pbx@voipitup.com.au\" server=\"mail.voipitup.co\
m.au\" body=\"Notice: \\r\\n \\r\\n Rogue Device has been connected to Re\
flections Operations Infrastructure Network \\r\\n \\r\\n BAD OPS LEASE->\
\_ Bound: \$Bound MAC: \$leaseMAC Vendor: \$Vendor \\r\\n \
\\r\\n DHCP SERVER: \$dserver \\r\\n \\r\\n IP: \$aip \\r\\n \\r\\n H\
ost Name: \$lhost \" subject=\"Rogue Device has been connected to Reflecti\
ons Operations Infrastructure Network \" to=\"jloeken@posscales.com.au\" c\
c=\"info@harrisontech.com,admin@philscottcommunications.com.au\" port=587 \
user=pbx@voipitup.com.au password=Pss.974082 start-tls=no\r\
\n\r\
\n\r\
\n};\r\
\n}\r\
\n\r\
\n\r\
\n}" lease-time=1h10m name=OPS-DHCP
add address-pool="SMTV Cast - POOL" disabled=no interface=\
"SMTV Cast - Bridge" name="SMTV Cast - DHCP"
add address-pool="OFFICE - POOL" disabled=no interface="OFFICE 40 - Bridge" \
lease-time=1h10m name="OFFICE - DHCP"
add address-pool="Voice Pool" disabled=no interface=Voice-Bridge name=\
"Voice DHCP"
# PPP profiles:
#  - PPPoe-Units-Profile: addressing for the PPPoE unit sessions (remote
#    addresses come from VLAN_Unit_Pool);
#  - dux: no options set here; used by the duxVPN-Support SSTP client;
#  - "Reflections Operations VPN": default profile of the L2TP server, hands
#    out addresses from VPN-Pool. That pool (10.10.10.0/24) is on the "support"
#    address list, so every VPN user gets unrestricted input access to the
#    router.
/ppp profile
add local-address=10.12.0.1 name=PPPoe-Units-Profile remote-address=\
VLAN_Unit_Pool
add name=dux
add dns-server=1.1.1.1,8.8.8.8 local-address=10.10.10.1 name=\
"Reflections Operations VPN" remote-address=VPN-Pool
# Outbound SSTP tunnels to the Duxtel RADIUS / support service.
# NOTE(review): duxVPN and sstp-out1 set
# verify-server-address-from-certificate=no, and no certificate or
# verify-server-certificate option appears on any entry, so presumably the
# server's identity is not checked at all. Without that check the TLS layer
# does not protect the login against an impersonated server; enable
# certificate verification.
# NOTE(review): all three passwords are in clear text. duxVPN and sstp-out1
# are the same account with the same password, and that password is also the
# hotspot mac-auth-password. Rotate them and stop reusing one secret.
# NOTE(review): sstp-out1 duplicates duxVPN and has no disabled=no; presumably
# it is a disabled leftover - confirm and remove.
# The filter table accepts all input from interface duxVPN, and the
# duxVPN-Support server address is on the "support" list.
/interface sstp-client
add connect-to=duxVPN.mel.duxadmin.com disabled=no name=duxVPN password=\
Vo1p!tUp profile=default-encryption user=Reflections \
verify-server-address-from-certificate=no
add comment="added by duxtel support" connect-to=203.21.76.254 disabled=no \
name=duxVPN-Support password=hmOWK-ymoh! profile=dux user=\
r5824911@support.duxtel
add connect-to=duxVPN.mel.duxadmin.com name=sstp-out1 password=Vo1p!tUp \
profile=default-encryption user=Reflections \
verify-server-address-from-certificate=no
# Caps the whole guest bridge at 5 Mbit/s in each direction.
/queue simple
add burst-time=10s/10s max-limit=5M/5M name=Guest- target=Guest-Bridge
# Logging targets: the first action keeps 4000 lines, and PPPoELOGS writes to
# a single disk file.
# NOTE(review): no remote (syslog) action is defined in this section, so as
# far as this export shows logs live only on the router and are lost or
# alterable if the device is reset or compromised. Consider forwarding them.
/system logging action
set 0 memory-lines=4000
add disk-file-count=1 disk-file-name=PPPoE_LOGS name=PPPoELOGS target=disk
# "Btest" group: only the "test" policy is granted; every other policy is
# explicitly denied.
/user group
add name=Btest policy="test,!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!pol\
icy,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
# Bridge membership. Ports that share a horizon value inside one bridge do not
# forward frames to each other (split horizon), so on the PPPoE, Ops (VLAN 10),
# Cast and Guest bridges the Tower 1 and Tower 2 VLANs can reach the router
# but not each other at layer 2.
# NOTE(review): the Office and Voice bridge ports, and ether3/ether7 on
# Ops-Bridge, have no horizon set, so those ports are fully bridged together.
# Confirm that is intended, in particular for the OPS infrastructure segment.
/interface bridge port
add bridge=PPPoE-Unit-Bridge-Radius horizon=20 interface=Vlan99_PPPoE_Tower1
add bridge=PPPoE-Unit-Bridge-Radius horizon=20 interface=Vlan99_PPPoE_Tower2
add bridge=Ops-Bridge horizon=20 interface=vlan10-OPS-Tower1
add bridge=Ops-Bridge horizon=20 interface=vlan10-OPS-Tower2
add bridge="SMTV Cast - Bridge" horizon=20 interface=\
"vlan 20 - SMTV Cast - T1"
add bridge="SMTV Cast - Bridge" horizon=20 interface=\
"vlan 20 - SMTV Cast - T2"
add bridge="OFFICE 40 - Bridge" interface="vlan 40 - OFFICE-Tower 1"
add bridge="OFFICE 40 - Bridge" interface="vlan 40 - OFFICE-Tower 2"
add bridge=Ops-Bridge interface=ether7
add bridge=Ops-Bridge disabled=yes interface=combo1
add bridge=Guest-Bridge horizon=20 interface="Vlan 70 - Guest - T1"
add bridge=Guest-Bridge horizon=20 interface="Vlan 70 - Guest - T2"
add bridge=Voice-Bridge interface="VLAN 50 - Voice Link - T1"
add bridge=Voice-Bridge interface=ether4
add bridge="OFFICE 40 - Bridge" interface=ether5
add bridge="OFFICE 40 - Bridge" interface=ether6
add bridge=Ops-Bridge interface=ether3
add bridge=Ops-Bridge disabled=yes interface=AWS_Domotz_EoIP
# Neighbor discovery runs on every interface that is not dynamic.
# NOTE(review): that includes the WAN ports, so the router announces its
# identity, model and version towards the upstream networks. Restricting
# discover-interface-list to the LAN list removes that exposure.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# SYN cookies are enabled for TCP connections to the router itself.
/ip settings
set tcp-syncookies=yes
# Inbound L2TP VPN server; clients get the "Reflections Operations VPN"
# profile (addresses from VPN-Pool, which is on the "support" address list).
# NOTE(review): use-ipsec=yes still accepts L2TP sessions that are not wrapped
# in IPsec; use-ipsec=required enforces it. The filter table accepts
# udp/1701 from any WAN source, so the unencrypted path is reachable.
# NOTE(review): the IPsec pre-shared key is in clear text in this export and
# is shared by every VPN user. Rotate it and re-export with hide-sensitive.
/interface l2tp-server server
set default-profile="Reflections Operations VPN" enabled=yes ipsec-secret=\
"\$#m7aEYbpT^6" use-ipsec=yes
# Membership of the WAN and LAN lists used by the firewall.
# NOTE(review): ether3 is listed as WAN, but it is labelled "Management PORT -
# OPS Network" and is a port of Ops-Bridge. Bridged traffic is normally seen
# by the IP firewall on the bridge interface, so this entry probably has no
# effect today, but it would expose or mis-classify the port if it were ever
# taken out of the bridge. Confirm and remove.
# NOTE(review): the T1-NBN VLAN uplinks (DHCP clients), PPPoE-Unit-Bridge-Radius
# and the PPP/VPN interfaces are in neither list, so rules that match on
# in-interface-list=WAN or LAN do not apply to them.
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=Ops-Bridge list=LAN
add interface=Guest-Bridge list=LAN
add interface="OFFICE 40 - Bridge" list=LAN
add interface="SMTV Cast - Bridge" list=LAN
add interface=Voice-Bridge list=LAN
# PPPoE servers for the unit (tenant) connections, both using
# PPPoe-Units-Profile.
# NOTE(review): the second server listens on Ops-Bridge, the infrastructure
# segment, while the VLAN comments describe PPPoE as separated onto VLAN 99.
# Confirm PPPoE-1 is still required there; if not, remove it so unit sessions
# cannot be started from the OPS network.
/interface pppoe-server server
add default-profile=PPPoe-Units-Profile disabled=no interface=\
PPPoE-Unit-Bridge-Radius service-name="Unit PPPoE Connections"
add default-profile=PPPoe-Units-Profile disabled=no interface=Ops-Bridge \
service-name=PPPoE-1
# Router addresses: one gateway address per internal bridge, the main WAN /30
# on ether1 and an additional public /30 on ether1 used for the two PBX hosts
# (see the src-nat / dst-nat rules).
# The AWS_Domotz_EoIP entry is disabled; its address equals the network
# address of the /20.
/ip address
add address=192.168.50.1/24 interface=Voice-Bridge network=192.168.50.0
add address=192.168.10.1/24 interface=Ops-Bridge network=192.168.10.0
add address=192.168.20.254/24 interface="SMTV Cast - Bridge" network=\
192.168.20.0
add address=10.10.4.1/22 interface=Guest-Bridge network=10.10.4.0
add address=192.168.40.1/24 interface="OFFICE 40 - Bridge" network=\
192.168.40.0
add address=172.31.32.0/20 disabled=yes interface=AWS_Domotz_EoIP network=\
172.31.32.0
add address=60.240.32.226/30 comment="Main NBN EE Connection" interface=\
ether1 network=60.240.32.224
add address=14.203.147.96/30 comment="AddON /30 SUBNET for PBX T1 & T2" \
interface=ether1 network=14.203.147.96
# MikroTik cloud DDNS is enabled: the router registers its current public
# address under a vendor-hosted DNS name.
# NOTE(review): disable this if the name is not actually used for remote access.
/ip cloud
set ddns-enabled=yes
# DHCP clients on the uplinks. None of them accepts DNS servers from the
# upstream (use-peer-dns=no).
/ip dhcp-client
add default-route-distance=2 disabled=no interface=ether2 use-peer-dns=no
# The ether1 client runs a script on lease changes that maintains the
# per-WAN NAT, mangle and routing entries:
#  - it takes the character at index 5 of the interface name as the WAN
#    number ("1" for ether1);
#  - when bound=1 and no NAT rule tagged AUTO_SNAT_By_DHCP-Client_Script_WAN<n>
#    exists, it adds a src-nat rule before the "Insert_Point_Do_NOT_Remove"
#    marker, enables the mangle rule commented "Mark wan<n> con" and adds a
#    marked default route; when exactly one such rule exists it only updates
#    to-addresses; more than one is logged as an error;
#  - when not bound it removes that NAT rule and route, disables the mangle
#    rule and removes connections carrying connection mark wan<n>;
#  - finally it rebuilds the gateway list of the route commented "base-ruel"
#    from the DHCP gateways of ether1..ether7.
# The script locates rules by their comment text, so those comments must not
# be edited.
# NOTE(review): the third script line begins with ";local gw" where every
# other declaration uses ":local". This looks like a typo; as written gw is
# probably never assigned (or the script fails to parse), which would leave
# the gateway in gw2 empty. Verify on the device.
# NOTE(review): the script logs at error level on every run, which makes real
# errors harder to spot in the log.
add add-default-route=no interface=ether1 script="{\r\
\n:local interfacename \$\"interface\"\r\
\n:local portid [:pick \$interfacename 5]\r\
\n;local gw \$\"gateway-address\"\r\
\n:local leaseip \$\"lease-address\"\r\
\n:local gw2 \"\$gw%\$interfacename\"\r\
\n:local mark \"wan\$portid-out\"\r\
\n:local rmark \"AUTO_SNAT_By_DHCP-Client_Script_WAN\$portid\"\r\
\n:local Mangleid [/ip firewall mangle find where comment=\"Mark wan\$port\
id con\"]\r\
\n:local count [/ip firewall nat print count-only where comment=\$rmark]\r\
\n\r\
\n/log error \"\$interfacename >>> \$portid >>> \$gw2 >>> \$mark>>>\$rmark\
>>>\$Mangleid>>>COUNT>\$count>>>BOUND>\$bound\"\r\
\n\r\
\n :if (\$bound=1) do={\r\
\n/log warning \" entered Bound= 1 > Count = \$count\"\r\
\n :if (\$count = 0) do={\r\
\n/log warning \" /ip firewall nat add action=src-nat chain=srcnat \
comment=\$rmark out-interface=\$interfacename to-addresses=\$leaseip plac\
e-before=3\"\r\
\n/log warning \" /ip firewall mangle enable \$Mangleid\"\r\
\n/log warning \" /ip route add dst-address=0.0.0.0/0 gateway=\$gw2\
\_routing-mark=\$mark check-gateway=ping comment=\$mark\"\r\
\n/ip firewall nat add action=src-nat chain=srcnat out-interface=\$interfa\
cename to-addresses=\$leaseip place-before=[find comment=\"Insert_Point_Do\
_NOT_Remove\"] comment=\$rmark;\r\
\n/ip firewall mangle enable \$Mangleid\r\
\n/ip route add dst-address=0.0.0.0/0 gateway=\$gw2 routing-mark=\$mark ch\
eck-gateway=ping comment=\$mark\r\
\n# /ip firewall nat move [find comment=\$rmark] destination=3\r\
\n } else={\r\
\n :if (\$count = 1) do={\r\
\n :local test [/ip firewall nat find where comment=\$rmark\
]\r\
\n :if ([/ip firewall nat get \$test to-addresses] != \$\"l\
ease-address\") do={\r\
\n /ip firewall nat set \$test to-addresses=\$\"lease-a\
ddress\"\r\
\n }\r\
\n } else={\r\
\n /log error \" Multiple SRC-NST found with ID: \$r\
mark\"\r\
\n }\r\
\n }\r\
\n } else={\r\
\n/log warning \" Bound= \$bound > Count = \$count Removing fi\
rewall Rules\"\r\
\n \r\
\n/ip firewall nat remove [find comment=\$rmark]\r\
\n\r\
\n /ip firewall mangle disable \$Mangleid\r\
\n /ip route remove [find comment=\$mark]\r\
\n\r\
\n\t:foreach a in=[/ip firewall connection find connection-mark=\"wan\$por\
tid\"] do={/ip firewall connection remove \$a}\r\
\n/log warning \" \$a Rules Removed OK\"\r\
\n }\r\
\n:local gatewaylist \"\"\r\
\n:for i from=1 to=7 do={\r\
\n:local dhcpIP [/ip dhcp-client get [find interface=\"ether\$i\"] gateway\
];\r\
\n# /log error \" DATA ether\$i >\$dhcpIP<\"\r\
\n\r\
\n:if (\$dhcpIP = []) do={} else={\r\
\n:if (\$gatewaylist = \"\") do={:set \$gatewaylist \"\$dhcpIP%ether\$i\"\
\r\
\n} else={:set \$gatewaylist \"\$gatewaylist,\$dhcpIP%ether\$i\"}}}\r\
\n/log warning \" NEW Gateway List >\$gatewaylist<\"\r\
\n/log warning [/ip route get [find comment=base-ruel] gateway];\r\
\n/ip route set [find comment=base-ruel] gateway=\$gatewaylist\r\
\n/log warning \"Finished End script\"\r\
\n}" use-peer-dns=no
add add-default-route=no interface="T1-NBN 1 - 999" use-peer-dns=no
add add-default-route=no interface="T1-NBN 2 - 998" use-peer-dns=no
# Rogue-DHCP-server detection on the OPS, Office and Guest bridges. The first
# two call on-alert=rogue-dhcp (presumably a /system script of that name, not
# visible in this part of the export); the Guest entry has no on-alert action.
# NOTE(review): no valid-server list is set on any entry; confirm that the
# alerts do not fire on legitimate servers and that "rogue-dhcp" exists.
/ip dhcp-server alert
add disabled=no interface=Ops-Bridge on-alert=rogue-dhcp
add disabled=no interface="OFFICE 40 - Bridge" on-alert=rogue-dhcp
add disabled=no interface=Guest-Bridge
# Static leases on OPS-DHCP. Three entries use block-access=yes to keep
# unwanted devices off the infrastructure network.
# NOTE(review): these entries are keyed on MAC address, which the client
# controls, and they act at the DHCP level only; a device that presents a
# different MAC is handled as a new client. Treat them as a record of past
# findings, not as enforcement - port security / 802.1X on the switches is the
# real control.
/ip dhcp-server lease
add address=192.168.10.81 block-access=yes client-id=1:84:57:33:fc:9b:a3 \
comment="Xbox should not be on oper\\ations networrk" mac-address=\
84:57:33:FC:9B:A3 server=OPS-DHCP
add address=192.168.10.80 block-access=yes comment=\
"SHould not be connected this to network" mac-address=A0:B5:3C:19:6C:5D \
server=OPS-DHCP
add address=192.168.10.132 client-id=1:98:43:fa:f2:97:cf comment=\
"Phill Scott laptop" mac-address=98:43:FA:F2:97:CF server=OPS-DHCP
add address=192.168.10.138 mac-address=A4:CF:12:C0:74:09 server=OPS-DHCP
add address=192.168.10.82 block-access=yes comment="Rogue Device" \
mac-address=7A:E8:A4:76:CA:99 server=OPS-DHCP
add address=192.168.10.90 client-id=1:b8:27:eb:70:b:2 comment="Management PI" \
mac-address=B8:27:EB:70:0B:02 server=OPS-DHCP
# Options handed to DHCP clients per subnet: the router as gateway and first
# DNS server, 8.8.8.8 as second DNS server.
# The 10.10.0.0/22 entry has no matching pool or DHCP server in this export;
# it matches the HotSpot address 10.10.0.1.
/ip dhcp-server network
add address=10.10.0.0/22 dns-server=10.10.0.1,8.8.8.8 gateway=10.10.0.1
add address=10.10.4.0/22 comment=Guest dns-server=10.10.4.1,8.8.8.8 gateway=\
10.10.4.1
add address=192.168.10.0/24 comment=OPS dns-server=192.168.10.1,8.8.8.8 \
gateway=192.168.10.1
add address=192.168.20.0/24 comment=SMTV dns-server=192.168.20.254,8.8.8.8 \
gateway=192.168.20.254
add address=192.168.40.0/24 comment=OFFICE dns-server=192.168.40.1,8.8.8.8 \
gateway=192.168.40.1
add address=192.168.50.0/24 comment=Voice dns-server=192.168.50.1,8.8.8.8 \
gateway=192.168.50.1
# Router DNS cache with three upstream resolvers.
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# on every interface. The filter table drops port 53 only for
# in-interface-list=WAN (ether1-3); the T1-NBN VLAN uplinks and the tunnel
# interfaces are not in that list. If any of them faces an untrusted network
# the resolver is reachable from it as an open resolver - confirm and add
# them to WAN or drop 53 there explicitly.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,203.12.160.35,203.12.160.36
# Static address lists used by the filter rules:
#  - bogons: reserved / non-routable destinations;
#  - support: sources that are accepted on the input chain with no port
#    restriction, i.e. full access to the router's services;
#  - PBX / SIP / GWN_Cloud: sources allowed to reach the phone systems;
#  - White-Llist: sources exempt from the "Port Scanner Detect" rule;
#  - T1-/T2-Phone-system: the PBX hosts.
# NOTE(review): the list is created as "bogons" but the filter rule "Drop to
# bogon list" references "Bogons". If list names are matched case-sensitively
# on this device (verify), that rule never matches anything.
# NOTE(review): "support" is the most sensitive list in this file. It holds
# third-party vendor addresses, single public IPs and whole private ranges
# (VPN pool 10.10.10.0/24, 10.11.3.0/24). Review it regularly, remove entries
# that are no longer needed and prefer VPN access over listing public IPs.
# NOTE(review): "SIP" contains broad ranges (a /20 and a /24) and private
# subnets, and one filter rule forwards all protocols from this list arriving
# on WAN. Narrow it to the provider's signalling and media addresses.
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment=\
"Private[RFC 1918] - CLASS A # Check if you need this" disabled=yes list=\
bogons
# NOTE(review): the loopback block is 127.0.0.0/8; the /16 below covers only
# part of it.
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment=\
"Private[RFC 1918] - CLASS B # Check if you need this" disabled=yes list=\
bogons
add address=192.168.0.0/16 comment=\
"Private[RFC 1918] - CLASS C # Check if you need this" disabled=yes list=\
bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this" \
disabled=yes list=bogons
add address=61.69.57.74 comment="IP's Used By Sip Provider" list=PBX
add address=61.69.57.74 comment="IP's Used For Remote access to ROUTER" list=\
support
add address=203.21.76.254 comment="duxtel support team" list=support
add address=10.0.0.10 comment="UNiFi Controller PC" list=support
add address=35.189.47.13 comment="IP's Used By Sip Provider" list=PBX
add address=35.189.44.220 comment="IP's Used By Sip Provider" list=PBX
add address=101.0.97.107 comment="IP's Used By Sip Provider" list=PBX
add address=101.0.97.109 comment="IP's Used By Sip Provider" list=PBX
add address=139.99.140.152 comment="IP's Used By Sip Provider" list=PBX
add address=139.99.140.153 comment="IP's Used By Sip Provider" list=PBX
add address=35.189.31.167 comment="IP's Used By Sip Provider" list=PBX
add address=35.189.35.225 comment="IP's Used By Sip Provider" list=PBX
add address=158.69.11.7 comment="IP's Used By Sip Provider" list=PBX
add address=10.10.10.0/24 comment="VPN ACCESS USERS" list=support
add address=10.10.10.0/24 comment="Access from VPN" list=PBX
add address=192.168.50.0/24 list=PBX
add address=203.174.130.70 comment="IP's Used For Remote access to ROUTER" \
list=support
add address=220.233.0.0/24 list=SIP
add address=208.73.211.69 list=SIP
add address=203.161.160.69 list=SIP
add address=203.161.160.70 list=SIP
add address=203.161.166.71 list=SIP
add address=203.161.160.0/20 list=SIP
add address=202.61.12.230 list=SIP
add address=202.61.13.102 list=SIP
add address=203.161.164.69 list=SIP
add address=61.69.57.74 list=SIP
add address=61.69.5.128/30 list=SIP
add address=101.0.97.107 disabled=yes list=SIP
add address=101.0.97.109 disabled=yes list=SIP
add address=139.99.140.152 comment="VoIP IT UP" list=SIP
add address=139.99.140.153 comment="VoIP IT UP" list=SIP
add address=35.189.31.167 disabled=yes list=SIP
add address=35.189.35.225 comment="VoIP IT UP" list=SIP
add address=35.189.47.13 comment="VoIP IT UP - SIP" list=SIP
add address=35.189.44.220 comment="VoIP IT UP - SIP" list=SIP
add address=61.69.5.130 list=SIP
add address=192.168.1.0/24 list=SIP
add address=172.30.0.0/24 list=SIP
add address=103.77.233.190 comment="VoIP IT UP" list=SIP
add address=35.244.94.36 comment="VoIP IT UP" list=SIP
add address=101.0.113.238 comment="VoIP IT UP" list=SIP
add address=35.197.165.191 comment="VoIP IT UP" list=SIP
add address=103.77.233.107 comment="VoIP IT UP" list=SIP
add address=35.201.30.11 comment="VoIP IT UP" list=SIP
add address=35.197.168.74 comment="VoIP IT UP (FAX RTP)" list=SIP
add address=35.189.26.1 comment="VoIP IT UP" list=SIP
add address=10.220.0.1 comment="Radius Server" list=support
add address=10.220.1.1 comment="Radius Server" list=support
add address=13.237.137.170 comment="Radius Server" list=support
add address=10.11.3.0/24 comment="VPN ACCESS USERS" list=support
add address=192.168.20.0/22 comment="VPN ACCESS USERS" disabled=yes list=\
support
add address=188.209.155.54 comment="Aresh Dux support" list=support
add address=192.168.0.0/24 comment=\
"POS Office IP for Setup only - Remove when commissioned" disabled=yes \
list=support
add address=172.19.1.1 comment="Radius Server" list=support
# Sources on White-Llist are excluded from port-scan detection.
add address=192.168.20.0/24 list=White-Llist
add address=192.168.10.89 list=White-Llist
add address=192.168.50.10 list=T1-Phone-system
add address=192.168.50.11 list=T1-Phone-system
add address=192.168.50.20 list=T2-Phone-system
add address=192.168.50.21 list=T2-Phone-system
add address=120.22.145.231 comment=\
"IP's Used For Remote access to ROUTER Harrisontech " list=support
add address=35.156.114.39 list=GWN_Cloud
add address=52.57.82.70 list=GWN_Cloud
add address=203.175.179.9 comment="Radius Server" list=support
# Filter rules. Each chain is evaluated top to bottom and the first rule with
# a terminating action decides, so the order below is significant. A packet
# that matches no rule is accepted.
# NOTE(review), forward chain: the only catch-all drop ("DROP ALL NOT ALLOWED",
# last rule) is disabled, and the inter-segment drop rules are disabled too.
# Among the rules visible here nothing stops routed traffic between the Guest,
# Office, Cast, Voice and OPS networks, or unsolicited WAN traffic that is not
# caught by an earlier drop. Add explicit isolation rules and a final drop.
# NOTE(review), input chain: the final drop only covers in-interface-list=WAN.
# Input from the LAN bridges, PPPoE / VPN clients and the T1-NBN VLAN uplinks
# is not dropped by any visible rule except the Winbox one, so the router's
# other services are reachable from e.g. the guest network unless /ip service
# (not in this part of the export) restricts them.
/ip firewall filter
add action=accept chain=input comment="DUX Radious VPN" in-interface=duxVPN
add action=accept chain=input comment="added by duxtel support" src-address=\
172.19.1.1
# NOTE(review): "*F00B3E" here and "*23" further down are internal ids of
# interfaces that no longer exist (the exporter flags them "# no interface").
# Remove these stale accept rules.
# no interface
add action=accept chain=forward in-interface=*F00B3E
add action=accept chain=input comment="WInbox on Infrastructure Network" \
dst-port=8291 protocol=tcp src-address=192.168.10.0/24
add action=accept chain=input comment=\
"Winbox acces from any Support Access List." dst-port=8291 protocol=tcp \
src-address-list=support
# NOTE(review): this opens the web interface over plain HTTP (tcp/80) on the
# WAN side for the support list, so logins cross the Internet unencrypted.
# Prefer access through the VPN, or the www-ssl service.
add action=accept chain=input dst-port=80 in-interface-list=WAN protocol=tcp \
src-address-list=support
add action=accept chain=input comment="Management VPN Access" in-interface=\
Management-VPN
# NOTE(review): udp/1701 is accepted from any WAN source. With the L2TP server
# set to use-ipsec=yes rather than required, that permits L2TP without IPsec.
# Matching 1701 with ipsec-policy=in,ipsec accepts it only inside IPsec.
add action=accept chain=input comment="Management VPN Access" dst-port=\
500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Management VPN Access" protocol=\
ipsec-esp
add action=accept chain=input comment="Management VPN Access" protocol=\
ipsec-ah
add action=drop chain=input comment="drop DNS resolver requests from WAN" \
dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop DNS resolver requests from WAN" \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=accept chain=forward disabled=yes out-interface=\
"SMTV Cast - Bridge" protocol=icmp
# The next three isolation rules are disabled. The third one is in the input
# chain although its comment describes forwarded traffic.
add action=drop chain=forward comment="Drop Trafic Between OPS Network" \
disabled=yes dst-address=192.168.10.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment=\
"drop all traffic from Guest 10.10.4.0/22 to Guest" disabled=yes \
dst-address=10.10.4.0/22 src-address=10.10.4.0/22
add action=drop chain=input comment=\
"drop all traffic from Unit Vlans with a destination of 10.0.0.0/22 OPS" \
disabled=yes dst-address=10.0.0.0/22 src-address=192.168.20.0/22
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input disabled=yes in-interface-list=WAN log=yes \
log-prefix="ICMP ACCEPT :> " protocol=icmp
add action=accept chain=input disabled=yes in-interface-list=WAN log=yes \
log-prefix="ICMP ACCEPT :> " protocol=igmp
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=fasttrack-connection chain=input comment=\
"Accept established and related connections" connection-state=\
established,related disabled=yes
add action=accept chain=input connection-state=established,related
# Everything from the "support" address list is accepted, on every interface
# and every port; the list contents therefore define who can manage the router.
add action=accept chain=input comment="Accept all from \"Support\" List" \
src-address-list=support
add action=accept chain=input in-interface-list=LAN src-address=\
192.168.10.0/24
add action=accept chain=input disabled=yes src-address=10.10.10.0/24
add action=log chain=forward disabled=yes log=yes log-prefix=\
"PRINTER IP -->> " src-address=10.0.0.200
# no interface
add action=accept chain=forward in-interface=*23
# NOTE(review): unlike the two rules after it, this rule has no
# src-address-list=SIP, so tcp 5060 and 4000-6399 are forwarded from any WAN
# source. Add the SIP list here or remove the rule.
add action=accept chain=forward dst-port=5060,4000-6399 in-interface-list=WAN \
protocol=tcp
add action=accept chain=forward dst-port=5060,4000-6399,6089,5060 \
in-interface-list=WAN protocol=udp src-address-list=SIP
add action=accept chain=forward dst-port=5060,4000-6399,6089,5060 \
in-interface-list=WAN protocol=tcp src-address-list=SIP
# All protocols and ports from SIP-list sources are forwarded from WAN, which
# makes the two port-specific SIP rules above redundant.
add action=accept chain=forward in-interface-list=WAN src-address-list=SIP
add action=accept chain=forward comment="Grandstream GWN Cloud Server" \
in-interface-list=WAN src-address-list=GWN_Cloud
add action=accept chain=forward dst-port=443 in-interface-list=WAN \
log-prefix="Accept Forward On Support LIst -- >>>" protocol=tcp \
src-address-list=support
add action=accept chain=forward connection-nat-state=dstnat disabled=yes \
in-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Accept Established and Related" \
connection-state=established,related in-interface-list=WAN
# Any dst-nat'ed connection from WAN is accepted here, so source restrictions
# for published services have to be set on the dstnat rules themselves.
add action=accept chain=forward connection-nat-state=dstnat \
in-interface-list=WAN
add action=drop chain=forward connection-state=invalid in-interface-list=WAN \
log=yes log-prefix="DROP Forward -->>> "
# NOTE(review): sources are added to Syn_Flooder from the input chain, but the
# matching drop sits in the forward chain only; traffic to the router itself
# from a listed source is not dropped by it.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=forward comment="Drop syn flood list" src-address-list=\
Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1 src-address-list=!White-Llist
add action=drop chain=input comment="Drop port scan list" src-address-list=\
Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
# Reached only by sources not already accepted above (OPS subnet, support
# list, established connections).
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE BEFORE ADDING YOUR SUBNET TO SUPPORT ADDRES\
S LIST #" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
# NOTE(review): this rule references list "Bogons"; the address list defined
# in this export is "bogons". If names are case-sensitive on this device
# (verify), the rule never matches.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=add-src-to-address-list address-list=Spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=Spammers
add action=add-src-to-address-list address-list=ftp_Brute \
address-list-timeout=3h chain=input comment=\
"Add bruteforcers to list for 3 hours" connection-limit=30,32 content=\
"530 Login incorrect" dst-port=21 limit=10/1m,0:packet protocol=tcp
# smtp_Brute is filled by the first mangle rule; only port 25 is tarpitted.
add action=tarpit chain=forward comment="Tarpit login bruteforce" dst-port=25 \
protocol=tcp src-address-list=smtp_Brute
add action=drop chain=input comment="Drop ftp bruteforce" dst-port=21 \
protocol=tcp src-address-list=ftp_Brute
# Final input drop for the WAN list. A log-prefix is set but log=yes is not,
# so presumably these drops are not logged.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" \
in-interface-list=WAN log-prefix="Drop Imput -->> "
# ICMP sub-chain, entered from input and forward for protocol=icmp only. Its
# closing drop is disabled, so ICMP types not accepted here return to the
# calling chain and continue with the rules after the jump.
add action=accept chain=ICMP comment="Echo reply" in-interface-list=LAN \
protocol=icmp src-address=192.168.10.0/24
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
disabled=yes icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0-255 \
protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=accept chain=ICMP log=yes log-prefix="Accept ICMP LAN --->> " \
src-address=10.0.0.0/21
add action=accept chain=ICMP in-interface=all-ppp protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
log-prefix="ICMP RULES DROP -->> " protocol=icmp
add action=accept chain=output connection-state=\
invalid,established,related,new,untracked disabled=yes log-prefix=\
"OUTPUT >>> "
add action=log chain=output disabled=yes log=yes log-prefix=\
"OUTPUT Midded >>> "
# NOTE(review): no visible rule jumps to chain 3CX-PBX, so this drop is
# presumably never reached.
add action=drop chain=3CX-PBX log-prefix="3CX DRop -->> "
add action=drop chain=forward disabled=yes in-interface-list=WAN log=yes \
log-prefix="DROP ALL NOT ALLOWED- >>>"
# Mangle rules. Every rule except the first is disabled in this export.
# The first rule feeds the smtp_Brute list used by the "Tarpit login
# bruteforce" filter rule: it matches the SMTP reply "535 ... authentication
# failed" coming from src-port 25 on established connections and adds the
# destination of that reply (the client whose login failed) for 10 minutes
# once the limit matcher is exceeded.
# NOTE(review): content matching only sees unencrypted SMTP, so failed logins
# inside STARTTLS or on other submission ports are not counted.
# The remaining rules are the multi-WAN policy-routing set: connection marks
# per uplink (fixed per source or by per-connection-classifier) and the
# matching routing marks. The ether1 DHCP-client script enables and disables
# the rule commented "Mark wan<n> con" by that comment text, so the comments
# are functional and must not be renamed.
/ip firewall mangle
add action=add-dst-to-address-list address-list=smtp_Brute \
address-list-timeout=10m chain=forward comment=\
"Add excessive login failures to list for 10 minutes" connection-state=\
established content=\
"535 5.7.8 Error: authentication failed: authentication failure" limit=\
!3/1m,3:packet protocol=tcp src-port=25
add action=mark-connection chain=prerouting comment="T1 phones Route" \
connection-mark=no-mark disabled=yes in-interface-list=LAN \
new-connection-mark=wan2 passthrough=yes src-address-list=T1-Phone-system
add action=mark-connection chain=prerouting comment=\
"TEMP ACCESS to MODEM From T1 Reception" connection-mark=no-mark \
disabled=yes in-interface-list=LAN new-connection-mark=wan2 passthrough=\
yes src-address=192.168.40.231
add action=mark-connection chain=prerouting comment="T2 phones Route" \
connection-mark=no-mark disabled=yes in-interface-list=LAN \
new-connection-mark=wan1 passthrough=yes src-address-list=T2-Phone-system
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes new-connection-mark=wan2 passthrough=yes src-address=192.168.50.0/24
add action=accept chain=prerouting disabled=yes dst-address=120.88.120.0/22 \
in-interface=all-vlan
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address=3.106.179.83 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="eth 1" connection-mark=\
no-mark disabled=yes in-interface=ether1 new-connection-mark=wan1 \
passthrough=yes
add action=mark-connection chain=prerouting comment="eth 2" connection-mark=\
no-mark disabled=yes in-interface=ether2 new-connection-mark=wan2 \
passthrough=yes
add action=mark-connection chain=prerouting comment="eth 3" connection-mark=\
no-mark disabled=yes in-interface=ether3 new-connection-mark=wan3 \
passthrough=yes
add action=mark-connection chain=prerouting comment="eth 5" connection-mark=\
no-mark disabled=yes in-interface="T1-NBN 1 - 999" new-connection-mark=\
T1-wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="eth 5" connection-mark=\
no-mark disabled=yes in-interface="T1-NBN 2 - 998" new-connection-mark=\
T1-wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark wan1 con" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=LAN new-connection-mark=wan1 passthrough=yes \
per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark wan2 con" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=LAN new-connection-mark=wan2 passthrough=yes \
per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark wan3 con" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=LAN new-connection-mark=wan3 passthrough=yes \
per-connection-classifier=both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark T1-wan2 con" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=LAN new-connection-mark=T1-wan2 passthrough=yes \
per-connection-classifier=both-addresses:5/4
add action=mark-connection chain=prerouting comment="Mark T1-wan1 con" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=LAN new-connection-mark=T1-wan1 passthrough=yes \
per-connection-classifier=both-addresses:5/3
add action=mark-routing chain=prerouting comment="Mark Rout wan1" \
connection-mark=wan1 disabled=yes in-interface-list=LAN new-routing-mark=\
wan1-out passthrough=yes
add action=mark-routing chain=prerouting comment="Mark Rout wan2" \
connection-mark=wan2 disabled=yes in-interface-list=LAN new-routing-mark=\
wan2-out passthrough=yes
add action=mark-routing chain=prerouting comment="Mark Rout wan3" \
connection-mark=wan3 disabled=yes in-interface-list=LAN new-routing-mark=\
wan3-out passthrough=yes
add action=mark-routing chain=prerouting comment="Mark Rout T1" \
connection-mark=T1-wan1 disabled=yes in-interface-list=LAN \
new-routing-mark=T1wan1-out passthrough=yes
add action=mark-routing chain=prerouting comment="Mark Rout T1 -2" \
connection-mark=T1-wan2 disabled=yes in-interface-list=LAN \
new-routing-mark=T1wan2-out passthrough=yes
add action=mark-routing chain=output comment="Output rout mark wan 1" \
connection-mark=wan1 disabled=yes new-routing-mark=wan1-out passthrough=\
yes
add action=mark-routing chain=output comment="Output rout mark wan 2" \
connection-mark=wan2 disabled=yes new-routing-mark=wan2-out passthrough=\
yes
add action=mark-routing chain=output comment="Output rout mark wan 3" \
connection-mark=wan3 disabled=yes new-routing-mark=wan3-out passthrough=\
yes
add action=mark-routing chain=output comment="Output rout mark wan 5" \
connection-mark=T1-wan1 disabled=yes new-routing-mark=T1wan1-out \
passthrough=yes
add action=mark-routing chain=output comment="Output rout mark wan 5" \
connection-mark=T1-wan2 disabled=yes new-routing-mark=T1wan2-out \
passthrough=yes
/ip firewall nat
# Source NAT (srcnat) and destination NAT (dstnat) rules. NAT rules are
# evaluated top to bottom and the first matching rule wins, so the order of
# the entries below is significant.
add action=masquerade chain=srcnat connection-mark=wan1 disabled=yes \
dst-address=3.106.179.83
# NOTE(review): the export flags the next rule "no interface": *F00B3E is an
# internal ID for an out-interface that no longer exists, so the rule cannot
# match. Remove it or point it at a real interface.
# no interface
add action=masquerade chain=srcnat out-interface=*F00B3E
add action=masquerade chain=srcnat out-interface=duxVPN
add action=masquerade chain=srcnat disabled=yes out-interface=\
"SMTV Cast - Bridge" src-address=192.168.10.98
add action=masquerade chain=srcnat disabled=yes src-address-list=\
T1-Phone-system
add action=masquerade chain=srcnat out-interface=Management-VPN
# Outbound traffic from the two PBX /29 ranges is pinned to the add-on public
# addresses 14.203.147.97 (T1) and 14.203.147.98 (T2).
add action=src-nat chain=srcnat comment="src-nat PBX T1 out set wan IP /30" \
out-interface-list=WAN src-address=192.168.50.8/29 to-addresses=\
14.203.147.97
add action=src-nat chain=srcnat comment="src-nat PBX T2 out set wan IP /30" \
out-interface-list=WAN src-address=192.168.50.16/29 to-addresses=\
14.203.147.98
add action=src-nat chain=srcnat comment=\
"AUTO_SNAT_By_DHCP-Client_Script_WAN T1 NBN1" disabled=yes out-interface=\
"T1-NBN 1 - 999" to-addresses=192.168.1.100
add action=src-nat chain=srcnat comment=\
"AUTO_SNAT_By_DHCP-Client_Script_ T1 NBN 2" disabled=yes out-interface=\
"T1-NBN 2 - 998" to-addresses=10.1.1.21
# Catch-all masquerade for everything else leaving through the WAN list.
# NOTE(review): it matches every packet leaving via WAN, so the disabled
# "src-nat guests" / "src-nat ops" rules further down would never be reached
# if they were re-enabled in their current position.
add action=masquerade chain=srcnat out-interface-list=WAN
# Disabled marker rule; presumably the anchor used by the DHCP-client script
# that maintains the AUTO_SNAT rules above - TODO confirm.
add action=log chain=srcnat comment=Insert_Point_Do_NOT_Remove disabled=yes
# Inbound port forwards from the add-on public addresses to the PBX hosts.
# NOTE(review): none of the enabled dst-nat rules matches on src-address or
# src-address-list, so the forwarded ports are reachable from any Internet
# source unless the filter rules (outside this excerpt) restrict the forward
# chain. Limit SIP signalling and media to the carrier's and known remote
# sites' addresses.
# NOTE(review): the range 4000-6000 already contains 5060 and 5065 and
# forwards 2001 ports for both TCP and UDP. Narrow it to the RTP range the PBX
# is actually configured to use.
add action=dst-nat chain=dstnat comment="PBX T1 Access over addon /30" \
dst-address=14.203.147.97 dst-port=5060,4000-6000,5065,6089 in-interface=\
ether1 protocol=tcp to-addresses=192.168.50.10
add action=dst-nat chain=dstnat comment="PBX T1 Access over addon /30" \
dst-address=14.203.147.97 dst-port=5060,4000-6000,5065,6089 in-interface=\
ether1 protocol=udp to-addresses=192.168.50.10
# NOTE(review): external ports 48901 -> 8080 and 48900 -> 80 look like web
# management interfaces served over plain HTTP - confirm. An unusual external
# port number is not access control; reach these over the management VPN or
# restrict the rules by source address.
add action=dst-nat chain=dstnat comment="PBX T1 Access over addon /30" \
dst-address=14.203.147.97 dst-port=48901 in-interface=ether1 protocol=tcp \
to-addresses=192.168.50.10 to-ports=8080
add action=dst-nat chain=dstnat comment="PBX T1 Access over addon /30" \
dst-address=14.203.147.97 dst-port=48900 in-interface=ether1 protocol=tcp \
to-addresses=192.168.50.11 to-ports=80
add action=dst-nat chain=dstnat comment="PBX T2 Access over addon /30" \
dst-address=14.203.147.98 dst-port=5060,4000-6000,5065,6089 in-interface=\
ether1 protocol=tcp to-addresses=192.168.50.20
add action=dst-nat chain=dstnat comment="PBX T2 Access over addon /30" \
dst-address=14.203.147.98 dst-port=5060,4000-6000,5065,6089 in-interface=\
ether1 protocol=udp to-addresses=192.168.50.20
add action=dst-nat chain=dstnat comment="PBX T2 Access over addon /30" \
dst-address=14.203.147.98 dst-port=48901 in-interface=ether1 protocol=tcp \
to-addresses=192.168.50.20 to-ports=8080
add action=dst-nat chain=dstnat comment="PBX T2 Access over addon /30" \
dst-address=14.203.147.98 dst-port=48900 in-interface=ether1 protocol=tcp \
to-addresses=192.168.50.21 to-ports=80
# Disabled older forwards. They match on the inbound interface only, not on a
# destination address, so re-enabling them would widen exposure further.
add action=dst-nat chain=dstnat comment="PBX Access T1" disabled=yes \
dst-port=48900 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.50.11 to-ports=80
add action=dst-nat chain=dstnat comment="SIP Card PBX Access T1" disabled=yes \
dst-port=48901 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.50.10 to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-port=5060,4000-6000 \
in-interface=ether2 protocol=tcp to-addresses=192.168.50.10
add action=dst-nat chain=dstnat disabled=yes dst-port=5060,4000-6000 \
in-interface=ether1 protocol=tcp to-addresses=192.168.50.20
add action=dst-nat chain=dstnat disabled=yes dst-port=\
5060,4000-6000,5065,6089 in-interface=ether2 protocol=udp to-addresses=\
192.168.50.10
add action=dst-nat chain=dstnat disabled=yes dst-port=\
5060,4000-6000,5065,6089 in-interface=ether1 protocol=udp to-addresses=\
192.168.50.20
# Disabled placeholder chain for hotspot rules.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Disabled legacy src-nat rules that mapped guest and ops ranges to addresses
# in 210.10.231.32/29.
add action=src-nat chain=srcnat comment="src-nat guests" disabled=yes \
out-interface-list=WAN src-address=10.10.0.0/22 to-addresses=\
210.10.231.37
add action=src-nat chain=srcnat comment="src-nat guests - NEW VLANS" \
disabled=yes out-interface-list=WAN src-address=192.168.20.0/22 \
to-addresses=210.10.231.37
add action=src-nat chain=srcnat comment="src-nat guests" disabled=yes \
out-interface-list=WAN src-address=10.10.4.0/22 to-addresses=\
210.10.231.37
add action=src-nat chain=srcnat comment="src-nat ops" disabled=yes \
out-interface-list=WAN src-address=10.0.0.0/22 to-addresses=210.10.231.33
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN \
src-address=!210.10.231.32/29
/ip firewall service-port
# The FTP and SIP connection-tracking helpers are switched off. With the SIP
# helper off the router does not rewrite SIP payloads, so NAT traversal is
# left to the PBX and the explicit dst-nat/src-nat rules.
set ftp disabled=yes
set sip disabled=yes
/ip hotspot walled-garden
# Hotspot clients may reach this host before authenticating.
add dst-host=voipitup.duxadmin.com
/ip route
# Static routes. Entries carrying routing-mark= belong to the (disabled)
# multi-WAN policy routing; the unmarked entries form the main table.
add check-gateway=ping comment=wan1-out disabled=yes distance=1 gateway=\
60.240.32.225%ether1 routing-mark=wan1-out
add check-gateway=ping comment=wan2-out disabled=yes distance=1 gateway=\
192.168.1.1%ether2 routing-mark=wan2-out
# Active default route via ether1; the ether2 fallback below is disabled, so
# there is currently no second default path.
add check-gateway=ping comment=base-ruel distance=1 gateway=\
60.240.32.225%ether1
add check-gateway=ping comment=base-ruel disabled=yes distance=3 gateway=\
192.168.1.1%ether2
# Host route for 3.106.179.83, the address the Management-VPN L2TP client
# connects to, pinned to ether1; the alternates are disabled.
add check-gateway=ping distance=1 dst-address=3.106.179.83/32 gateway=\
60.240.32.225%ether1
add check-gateway=ping disabled=yes distance=2 dst-address=3.106.179.83/32 \
gateway=192.168.100.1%ether2
add check-gateway=ping disabled=yes distance=3 dst-address=3.106.179.83/32 \
gateway=192.168.1.1%ether3
# Routes through the duxVPN interface (defined outside this excerpt).
# 172.16.27.0/24 contains the first RADIUS server, 172.16.27.9.
add distance=1 dst-address=172.16.27.0/24 gateway=duxVPN
add distance=1 dst-address=172.31.32.0/20 gateway=192.168.10.5
add disabled=yes distance=1 dst-address=192.168.10.30/31 gateway=combo1 \
pref-src=192.168.10.1
# NOTE(review): only 203.175.179.43 is sent through the tunnel. The second
# RADIUS server, 203.175.179.9, is not covered by this /32 - see /radius.
add distance=1 dst-address=203.175.179.43/32 gateway=duxVPN
/ip route rule
# Disabled rule that would drop routing lookups between hosts inside
# 10.10.4.0/22 (client-to-client isolation is therefore not enforced here).
add action=drop disabled=yes dst-address=10.10.4.0/22 src-address=\
10.10.4.0/22
/ip service
# Management services explicitly turned off: telnet, ftp, ssh, api, api-ssl.
# NOTE(review): a compact export lists only non-default settings, so www and
# winbox are presumably still enabled with no address= allow-list - verify
# with "/ip service print" and restrict them to the management networks.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
# PPP sessions are authenticated against RADIUS, with accounting interim
# updates every 30 minutes.
set interim-update=30m use-radius=yes
/ppp l2tp-secret
# NOTE(review): the shared secret is stored in clear text and is also copied
# verbatim into comment=. Comments are ordinary text, so they stay visible in
# listings and survive "/export hide-sensitive". Remove the copy from the
# comment and rotate the secret, since this export has exposed it.
add address=10.10.10.0/24 comment="\$#m7aEYbpT^6" secret="\$#m7aEYbpT^6"
/ppp secret
# NOTE(review): same pattern - the local VPN account's password is duplicated
# in comment=. No service= is set, so the account is presumably valid for
# every PPP service type; pin it to the one service it needs and rotate the
# password.
add comment="\$dGt5649#0361" name=harrisontech password="\$dGt5649#0361" \
profile="Reflections Operations VPN"
/radius
# RADIUS servers used for PPP and hotspot authentication.
# NOTE(review): both entries share one short, word-like secret stored in clear
# text. RADIUS protects user passwords only with this shared secret, so use a
# long random value that is unique per server, and rotate it.
# NOTE(review): 172.16.27.9 is reached through the duxVPN route, but
# 203.175.179.9 is not covered by the 203.175.179.43/32 host route and so
# presumably follows the default route over the Internet - confirm and route
# it through the tunnel. The second entry also sets no service=, so it is
# presumably not used for any service - TODO confirm intent.
add address=172.16.27.9 secret=becomme service=ppp,hotspot timeout=3s
add address=203.175.179.9 secret=becomme
/radius incoming
# The router accepts unsolicited RADIUS requests (disconnect / change of
# authorization). Make sure the input chain admits these only from the RADIUS
# servers' addresses.
set accept=yes
/snmp
# SNMP agent enabled, traps sent as version 2.
# NOTE(review): SNMP v1/v2c communities travel in clear text. The community
# settings are not part of this excerpt - confirm the default community has
# been renamed, is read-only and is limited by addresses=, or move to SNMPv3
# with authentication and privacy.
set enabled=yes trap-version=2
/system clock
# Fixed time zone; automatic detection is off. Log timestamps and the backup
# file names built by the backup scripts use this local time.
set time-zone-autodetect=no time-zone-name=Australia/Brisbane
/system identity
# Router name; the backup scripts embed it in the backup file names.
set name=Reflections_T2_Main
/system logging
# Logging rules. Entries 0 and 1 are existing rules narrowed to exclude the
# pppoe topic; the added rules follow.
# NOTE(review): no rule in this section sends logs to a remote action, so
# logs presumably stay on the router only - confirm, and forward security
# relevant topics to a syslog server so they survive a reboot or compromise.
set 0 topics=info,!pppoe
set 1 topics=error,!pppoe
add disabled=yes topics=debug,radius
# NOTE(review): these two rules log error and info again without the !pppoe
# exclusion, which appears to undo the filtering applied to entries 0 and 1.
add topics=error
add topics=info
# PPPoELOGS is a logging action defined outside this excerpt.
add action=PPPoELOGS disabled=yes topics=pppoe
# NOTE(review): debug-level IPsec/L2TP logging is left enabled. It is verbose
# and can record negotiation details; disable it once troubleshooting is done.
add topics=ipsec,l2tp,debug
add topics=firewall,info
add disabled=yes topics=ppp,debug
add disabled=yes topics=radius,debug
/system scheduler
# "autobackup": every 2 days, save a system backup and a raw configuration
# export named BACKUP-<identity>-<date>-<time>, upload every file whose name
# contains that prefix to the FTP server, wait 10 s, then delete every local
# file whose name contains "BACKUP-" and log success.
# NOTE(review): the FTP account and password are hard-coded in the script
# body, and mode=ftp sends both the credentials and the backup files in clear
# text. Use an encrypted transfer (for example SFTP, if the server offers it)
# and an upload-only account.
# NOTE(review): encryptSysBackup is false, so the .backup file is saved with
# dont-encrypt=yes. The encrypted branch passes no password= either - confirm
# that it really produces an encrypted file on this RouterOS version. The raw
# .rsc export carries the secrets of this configuration in readable form
# regardless; consider "/export hide-sensitive".
# NOTE(review): the cleanup loop and the two final log lines run whether or
# not /tool fetch succeeded, so a failed upload still deletes the local copies
# and is logged as "Completed Successfully". Check the upload result before
# removing files.
# NOTE(review): the policy list is far broader than this job needs (reboot,
# sniff, romon, ...); reduce it to the policies the script actually uses.
add interval=2d name=autobackup on-event=":local saveUserDB false\r\
\n:local saveSysBackup true\r\
\n:local encryptSysBackup false\r\
\n:local saveRawExport true\r\
\n\r\
\n:local FTPServer \"backup.posscales.com.au\"\r\
\n:local FTPPort 21\r\
\n:local FTPUser \"MT_Backups@backup.posscales.com.au\"\r\
\n:local FTPPass \"!Dgt.974082\"\r\
\n:local FTPdest \"/Reflections\"\r\
\n\r\
\n:local ts [/system clock get time]\r\
\n:set ts ([:pick \$ts 0 2].[:pick \$ts 3 5].[:pick \$ts 6 8])\r\
\n:local ds [/system clock get date]\r\
\n:set ds ([:pick \$ds 7 11].[:pick \$ds 0 3].[:pick \$ds 4 6])\r\
\n\r\
\n:local fname (\"BACKUP-\".[/system identity get name].\"-\".\$ds.\"-\".\
\$ts)\r\
\n:local sfname (\"/\".\$fname)\r\
\n:if (\$saveUserDB) do={\r\
\n /tool user-manager database save name=(\$sfname.\".umb\")\r\
\n :log info message=\"User Manager DB Backup Finished\"\r\
\n}\r\
\n:if (\$saveSysBackup) do={\r\
\n :if (\$encryptSysBackup = true) do={ /system backup save name=(\$sfnam\
e.\".backup\") }\r\
\n :if (\$encryptSysBackup = false) do={ /system backup save dont-encrypt\
=yes name=(\$sfname.\".backup\") }\r\
\n :log info message=\"System Backup Finished\"\r\
\n}\r\
\nif (\$saveRawExport) do={\r\
\n /export file=(\$sfname.\".rsc\")\r\
\n :log info message=\"Raw configuration script export Finished\"\r\
\n}\r\
\n:local backupFileName \"\"\r\
\n:local backupDestPath \"\"\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :set backupFileName (\"/\".[/file get \$backupFile name])\r\
\n :set backupDestPath (\$FTPdest.\$backupFileName)\r\
\n :if ([:typeof [:find \$backupFileName \$sfname]] != \"nil\") do={\r\
\n # :log warning message=\"/tool fetch address=\$FTPServer port=\$FTPPor\
t src-path=\$backupFileName user=\$FTPUser mode=ftp password=\$FTPPass dst\
-path=\$backupDestPath upload=yes\"\r\
\n\r\
\n /tool fetch address=\$FTPServer port=\$FTPPort src-path=\$backupFile\
Name user=\$FTPUser mode=ftp password=\$FTPPass dst-path=\$backupDestPath \
upload=yes\r\
\n }\r\
\n}\r\
\n:delay 10s\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :if ([:typeof [:find [/file get \$backupFile name] \"BACKUP-\"]]!=\"ni\
l\") do={\r\
\n /file remove \$backupFile\r\
\n }\r\
\n}\r\
\n\r\
\n:log info message=\"Successfully removed Temporary Backup Files\"\r\
\n:log info message=\"Automatic Backup Completed Successfully\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/16/2022 start-time=19:22:45
/system script
# "rogue-dhcp": writes one error-level log line. Where it is invoked from is
# not visible in this excerpt (presumably a DHCP alert - TODO confirm).
# NOTE(review): both scripts carry the full policy set; the log-only script
# needs far less.
add dont-require-permissions=no name=rogue-dhcp owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/log error \" Rogue DHCP server detected!\""
# "Manual Backup": appears to be a copy of the scheduler's "autobackup" body:
# save a system backup and a raw export, upload matching files over FTP, wait
# 10 s, delete local files whose names contain "BACKUP-", log success.
# NOTE(review): the same points apply as for the scheduled job - FTP
# credentials hard-coded and sent in clear text, the system backup saved with
# dont-encrypt=yes, the raw export holding readable secrets, and cleanup plus
# the success message running even when the upload fails.
# NOTE(review): keeping two copies means the credentials must be rotated in
# two places; consider having the scheduler run this script by name instead.
add dont-require-permissions=no name="Manual Backup" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local saveUserDB false\r\
\n:local saveSysBackup true\r\
\n:local encryptSysBackup false\r\
\n:local saveRawExport true\r\
\n\r\
\n:local FTPServer \"backup.posscales.com.au\"\r\
\n:local FTPPort 21\r\
\n:local FTPUser \"MT_Backups@backup.posscales.com.au\"\r\
\n:local FTPPass \"!Dgt.974082\"\r\
\n:local FTPdest \"/Reflections\"\r\
\n\r\
\n:local ts [/system clock get time]\r\
\n:set ts ([:pick \$ts 0 2].[:pick \$ts 3 5].[:pick \$ts 6 8])\r\
\n:local ds [/system clock get date]\r\
\n:set ds ([:pick \$ds 7 11].[:pick \$ds 0 3].[:pick \$ds 4 6])\r\
\n\r\
\n:local fname (\"BACKUP-\".[/system identity get name].\"-\".\$ds.\"-\".\
\$ts)\r\
\n:local sfname (\"/\".\$fname)\r\
\n:if (\$saveUserDB) do={\r\
\n /tool user-manager database save name=(\$sfname.\".umb\")\r\
\n :log info message=\"User Manager DB Backup Finished\"\r\
\n}\r\
\n:if (\$saveSysBackup) do={\r\
\n :if (\$encryptSysBackup = true) do={ /system backup save name=(\$sfnam\
e.\".backup\") }\r\
\n :if (\$encryptSysBackup = false) do={ /system backup save dont-encrypt\
=yes name=(\$sfname.\".backup\") }\r\
\n :log info message=\"System Backup Finished\"\r\
\n}\r\
\nif (\$saveRawExport) do={\r\
\n /export file=(\$sfname.\".rsc\")\r\
\n :log info message=\"Raw configuration script export Finished\"\r\
\n}\r\
\n:local backupFileName \"\"\r\
\n:local backupDestPath \"\"\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :set backupFileName (\"/\".[/file get \$backupFile name])\r\
\n :set backupDestPath (\$FTPdest.\$backupFileName)\r\
\n :if ([:typeof [:find \$backupFileName \$sfname]] != \"nil\") do={\r\
\n # :log warning message=\"/tool fetch address=\$FTPServer port=\$FTPPor\
t src-path=\$backupFileName user=\$FTPUser mode=ftp password=\$FTPPass dst\
-path=\$backupDestPath upload=yes\"\r\
\n\r\
\n /tool fetch address=\$FTPServer port=\$FTPPort src-path=\$backupFile\
Name user=\$FTPUser mode=ftp password=\$FTPPass dst-path=\$backupDestPath \
upload=yes\r\
\n }\r\
\n}\r\
\n:delay 10s\r\
\n:foreach backupFile in=[/file find] do={\r\
\n :if ([:typeof [:find [/file get \$backupFile name] \"BACKUP-\"]]!=\"ni\
l\") do={\r\
\n /file remove \$backupFile\r\
\n }\r\
\n}\r\
\n\r\
\n:log info message=\"Successfully removed Temporary Backup Files\"\r\
\n:log info message=\"Automatic Backup Completed Successfully\""
/tool graphing interface
# Graphing is enabled for interfaces, queues and resources with all-default
# settings.
# NOTE(review): no allow-address= is set on any of the three entries, so the
# graphs are presumably viewable from any address that can reach the router's
# web service - confirm and restrict to the management networks.
add
/tool graphing queue
add
/tool graphing resource
add
/tool netwatch
# Watches 8.8.8.8 and sends an e-mail when it becomes reachable again. There
# is no down-script, so only the recovery is reported.
# NOTE(review): the SMTP account password is embedded in the up-script, and
# start-tls=no on port 587 means the login is presumably sent without TLS -
# confirm and enable TLS. The password also follows the same pattern as other
# secrets in this configuration; use unrelated, randomly generated values.
add host=8.8.8.8 up-script="/tool e-mail send from=\"pbx@voipitup.com.au\" ser\
ver=\"mail.voipitup.com.au\" body=\"Reflections Internet Router Back UP\" \
subject=\"Reflections Internet is back oonline \" to=\"jloeken@posscales.c\
om.au\" port=587 user=pbx@voipitup.com.au password=Pss.974082 start-tls=no\
"
/tool romon
# RoMON (layer-2 router management overlay) is switched on.
# NOTE(review): no secrets= value appears in this export, so RoMON presumably
# runs without authentication - confirm, set a secret, and limit the ports it
# runs on under "/tool romon port" so guest-facing segments are excluded.
set enabled=yes
/tool sniffer
# Leftover packet-capture settings: capture on duxVPN into
# radius-DuxVPN.pcap, capped at 10000 KiB. Whether a capture is running is
# not shown here.
# NOTE(review): a capture of RADIUS traffic holds user names and
# secret-protected credentials; delete the file from the router once the
# troubleshooting is finished and reset these settings.
set file-limit=10000KiB file-name=radius-DuxVPN.pcap filter-interface=duxVPN