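# RouterOS configuration export (RB1100x4, 7.15.1) preceded by the output of
# `/system history print`. The original text had every command collapsed onto a
# handful of long lines, which `/import` cannot parse (consecutive `add` / `set`
# commands become one command with extra arguments); this copy restores one
# command per line and leaves every value unchanged.
#
# Review notes (marked "REVIEW:") are placed next to the commands they refer to.
# REVIEW: this file embeds the device serial number and plaintext credentials
# (ppp secrets, ipsec identity secrets, the l2tp ipsec-secret and the radius
# secret); it has to be stored and shared with the same access controls as the
# secrets themselves, and the secrets it lists should be rotated once the file
# has left the device.
#
# model: RB1100x4
# serial-number: HF009APCP0H
# firmware-type: al2
# current-firmware: 7.15.1
# installed-version: 7.15.1
# Flags: U - UNDOABLE
# Columns: ACTION, BY, POLICY, TIME
# ACTION BY POLICY TIME
# U user zalialov changed zalialov write 2024-09-25 15:18:05
# policy
# U user zalialov changed zalialov write 2024-09-25 15:18:04
# policy
# U user zalialov changed zalialov write 2024-09-25 15:16:43
# policy
# U user zalialov changed zalialov write 2024-09-25 15:16:43
# policy
# U user zalialov changed zalialov write 2024-09-25 15:14:10
# policy
# U user zalialov changed zalialov write 2024-09-25 15:14:10
# policy
# U log action changed zalialov write 2024-09-25 15:13:59
# U user zalialov changed zalialov write 2024-09-25 13:13:45
# policy
# U user zalialov changed zalialov write 2024-09-25 13:13:45
# policy
# U user zalialov changed zalialov write 2024-09-25 13:13:27
# policy
# U user zalialov changed zalialov write 2024-09-25 13:13:26
# policy
# U log action changed zalialov write 2024-09-25 13:13:24
# U log rule changed zalialov write 2024-09-25 13:10:25
# U log rule changed zalialov write 2024-09-25 13:10:16
# U log rule changed zalialov write 2024-09-25 13:10:02
# U log rule changed zalialov write 2024-09-25 13:09:47
# U log rule removed zalialov write 2024-09-25 13:09:34
# U log rule changed zalialov write 2024-09-25 12:58:58
# U log rule removed zalialov write 2024-09-25 12:58:41
# U log rule removed zalialov write 2024-09-25 12:58:41
# U log rule removed zalialov write 2024-09-25 12:58:41
# U log rule removed zalialov write 2024-09-25 12:58:41
# U log rule removed zalialov write 2024-09-25 12:58:41
# U log rule changed zalialov write 2024-09-25 12:58:40
# U log rule changed zalialov write 2024-09-25 12:58:40
# U log rule changed zalialov write 2024-09-25 12:58:40
# U log rule changed zalialov write 2024-09-25 12:58:40
# U log rule changed zalialov write 2024-09-25 12:58:40
# U log rule changed zalialov write 2024-09-25 12:58:36
# U log rule changed zalialov write 2024-09-25 12:58:36
# U log rule changed zalialov write 2024-09-25 12:58:36
# U log rule changed zalialov write 2024-09-25 12:58:36
# U log rule changed zalialov write 2024-09-25 12:58:36
# U log rule changed zalialov write 2024-09-25 12:58:36
# U user zalialov changed zalialov write 2024-09-25 12:54:10
# policy
# U user zalialov changed zalialov write 2024-09-25 12:54:10
# policy
# U user zalialov changed zalialov write 2024-09-25 12:54:10
# policy
# U user zalialov changed zalialov write 2024-09-25 12:54:09
# policy
# U log action changed zalialov write 2024-09-25 12:54:06
# U user zalialov changed zalialov write 2024-09-25 12:47:36
# policy
# U user zalialov changed zalialov write 2024-09-25 12:47:35
# policy
# U user zalialov changed zalialov write 2024-09-25 12:46:02
# policy
# U user zalialov changed zalialov write 2024-09-25 12:46:02
# policy
# U user zalialov changed zalialov write 2024-09-25 12:45:51
# policy
# U user zalialov changed zalialov write 2024-09-25 12:45:51
# policy
# U user zalialov changed zalialov write 2024-09-25 12:38:38
# policy
# U user zalialov changed zalialov write 2024-09-25 12:38:38
# policy
# U user zalialov changed zalialov write 2024-09-25 12:38:38
# policy
# U user zalialov changed zalialov write 2024-09-25 12:38:37
# policy
# U log action changed zalialov write 2024-09-25 12:38:32
# U user zalialov changed zalialov write 2024-09-25 12:38:12
# policy
# U user zalialov changed zalialov write 2024-09-25 12:38:11
# policy
# U log action changed zalialov write 2024-09-25 12:37:49
# U user tages changed zalialov write 2024-09-25 12:29:48
# policy
# U user tages changed zalialov write 2024-09-25 12:29:47
# policy
# U user tages changed zalialov write 2024-09-25 12:29:47
# policy
# U user tages changed zalialov write 2024-09-25 12:29:47
# policy
# U user tages changed zalialov write 2024-09-25 12:29:46
# policy
# U user tages changed zalialov write 2024-09-25 12:29:45
# policy
# U user tages changed zalialov write 2024-09-25 12:29:45
# policy
# U user tages changed zalialov write 2024-09-25 12:29:45
# policy
# U log action changed zalialov write 2024-09-25 11:45:30
# U user tages changed zalialov write 2024-09-25 11:24:24
# policy
# U user tages changed zalialov write 2024-09-25 11:24:24
# policy
# U user tages changed zalialov write 2024-09-25 11:24:24
# policy
# U user tages changed zalialov write 2024-09-25 11:24:23
# policy
# U user tages changed zalialov write 2024-09-25 11:10:00
# policy
# U user tages changed zalialov write 2024-09-25 11:09:58
# policy
# U user tages changed zalialov write 2024-09-25 11:09:57
# policy
# U user tages changed zalialov write 2024-09-25 11:09:27
# policy
# U user tages changed zalialov write 2024-09-25 11:09:27
# policy
# U user tages changed zalialov write 2024-09-25 11:09:26
# policy
# U user tages changed zalialov write 2024-09-25 11:09:26
# policy
# U user tages changed zalialov write 2024-09-25 11:09:26
# policy
# U user tages changed zalialov write 2024-09-25 11:09:25
# policy
# U user tages changed zalialov write 2024-09-25 11:09:25
# policy
# U user tages changed zalialov write 2024-09-25 11:09:25
# policy
# U user tages changed zalialov write 2024-09-25 11:09:24
# policy
# U user tages changed zalialov write 2024-09-25 11:09:24
# policy
# U user tages changed zalialov write 2024-09-25 11:09:24
# policy
# U user tages changed zalialov write 2024-09-25 11:09:24
# policy
# U log action changed zalialov write 2024-09-25 11:07:02
# U user zalialov changed zalialov write 2024-09-25 10:59:12
# policy
# U user zalialov changed zalialov write 2024-09-25 10:59:12
# policy
# U user zalialov changed zalialov write 2024-09-25 10:59:11
# policy
# U user zalialov changed zalialov write 2024-09-25 10:59:11
# policy
# U user zalialov changed zalialov write 2024-09-25 10:55:54
# policy
# U user zalialov changed zalialov write 2024-09-25 10:55:54
# policy
# U log action changed zalialov write 2024-09-25 10:55:51
# U user zalialov changed zalialov write 2024-09-24 18:13:36
# policy
# U user zalialov changed zalialov write 2024-09-24 18:13:35
# policy
# U user zalialov changed zalialov write 2024-09-24 17:59:41
# policy
# U user zalialov changed zalialov write 2024-09-24 17:59:41
# policy
# U user zalialov changed zalialov write 2024-09-24 17:59:40
# policy
# U user zalialov changed zalialov write 2024-09-24 17:59:40
# policy
# U user zalialov changed zalialov write 2024-09-24 17:57:59
# policy
# U user zalialov changed zalialov write 2024-09-24 17:57:59
# policy
# U user zalialov changed zalialov write 2024-09-24 17:57:58
# policy
# U user zalialov changed zalialov write 2024-09-24 17:57:58
# policy
# U user zalialov changed zalialov write 2024-09-24 17:57:58
# policy
# U user zalialov changed zalialov write 2024-09-24 17:57:57
# policy
#
# software id = 9ZP6-YJYX
#
# model = RB1100x4
# serial number = HF009APCP0H
/interface bridge
add name=BRIDGE-IPMI
add name=BRIDGE-LAN
/interface ethernet
set [ find default-name=ether1 ] comment=LAN-IPMI-HV-1
set [ find default-name=ether2 ] comment=LAN-IPMI-HV-2
set [ find default-name=ether3 ] comment=LAN-IPMI-BACKUP
set [ find default-name=ether4 ] comment=LAN-HV-1-PORT-1
set [ find default-name=ether5 ] comment=LAN-HV-1-PORT-2
set [ find default-name=ether6 ] comment=LAN-HV-2-PORT-1
set [ find default-name=ether7 ] comment=LAN-HV-2-PORT-2
set [ find default-name=ether8 ] comment=LAN-BACKUP-PORT-1
set [ find default-name=ether9 ] comment=LAN-BACKUP-PORT-2
set [ find default-name=ether11 ] comment=WAN-MAIN
set [ find default-name=ether12 ] comment=WAN-IPMI
# Plain GRE tunnels to the msk/ufa sites; confidentiality comes only from the
# ipsec policies further down (peer msk has one; no policy for ufa is visible
# in this export, so gre-ufa traffic appears to be carried in the clear unless
# it is protected elsewhere).
/interface gre
add allow-fast-path=no local-address=185.73.214.42 name=gre-msk remote-address=185.165.162.143
add allow-fast-path=no local-address=185.73.214.42 name=gre-ufa remote-address=81.30.218.19
/interface list
add name=WAN-IPMI
add name=LAN-IPMI
add name=LAN
add name=WAN-MAIN
add include=WAN-IPMI,WAN-MAIN name=WAN-ALL
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip ipsec policy group
add name=ikev2_ra
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
add dh-group=modp2048 enc-algorithm=aes-256,aes-128 name=main
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=ikev2
/ip ipsec peer
add address=185.165.162.143/32 name=msk profile=main
add address=81.30.218.19/32 name=ufa profile=main
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2 send-initial-contact=no
# REVIEW: IKEV2_RA still offers sha1 next to sha256 and has pfs-group=none, so
# a compromised long-term key exposes past road-warrior sessions. Drop sha1 and
# set a PFS group once the client inventory confirms support.
/ip ipsec proposal
add name=main pfs-group=modp2048
add auth-algorithms=sha256,sha1 name=IKEV2_RA pfs-group=none
/ip pool
add name=eth11 ranges=91.142.82.222
add name=eth12 ranges=185.73.214.1
add name=OVPN ranges=10.8.8.10-10.8.8.99
add name=l2tp ranges=192.168.99.10-192.168.99.20
add name=SSTP ranges=10.8.9.10-10.8.9.99
add name=ikev2 ranges=10.8.10.5-10.8.10.50
/ip ipsec mode-config
add address-pool=ikev2 address-prefix-length=32 name=ikev2 split-dns=corp.tages.ru split-include=10.0.0.0/20,192.168.99.100/32 static-dns=10.0.10.10,10.0.10.11 system-dns=no
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add dns-server=10.0.10.10 local-address=10.8.8.1 name=OVPN remote-address=OVPN use-ipv6=no
add change-tcp-mss=yes local-address=192.168.99.1 name=l2tp remote-address=l2tp
add dns-server=10.0.10.10 local-address=10.8.9.1 name=SSTP remote-address=SSTP use-ipv6=no
/queue simple
add disabled=yes max-limit=100M/100M name=global target=""
add max-limit=60M/60M name=BACKUP target=10.0.10.23/32
/queue tree
add max-limit=100M name=WAN parent=global priority=1
add limit-at=10M max-limit=100M name=RDP packet-mark=RDP parent=WAN priority=3
add name=other packet-mark=no-mark parent=WAN
/queue simple
add disabled=yes limit-at=10M/10M max-limit=100M/100M name=RDP packet-marks=RDP queue=pcq-upload-default/pcq-download-default target=10.8.8.0/24
/routing table
add disabled=no fib name=ipmi
# REVIEW: remote syslog is plain BSD syslog over UDP to a public address; the
# firewall/account/info streams (user names, source addresses, rule hits) cross
# the internet unencrypted. Prefer a syslog relay reached over one of the
# existing tunnels, or a TLS-capable collector.
/system logging action
set 3 bsd-syslog=yes remote=178.154.206.90 remote-port=1514 syslog-facility=syslog
# Read-only API groups for monitoring; both have identical policy, so one of
# them is redundant (kept as exported).
/user group
add name=prometheus policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
add name=api_read policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/interface bridge port
add bridge=BRIDGE-IPMI interface=ether1
add bridge=BRIDGE-IPMI interface=ether2
add bridge=BRIDGE-IPMI interface=ether3
add bridge=BRIDGE-LAN interface=ether4
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=ether6
add bridge=BRIDGE-LAN interface=ether7
add bridge=BRIDGE-LAN interface=ether8
add bridge=BRIDGE-LAN interface=ether9
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN-IPMI
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# REVIEW: the L2TP/IPsec pre-shared key is short and guessable, and the same
# string reappears below as the password of the (disabled) ppp secret "tages".
# The key is shared by every L2TP client; replace it with a long random value
# and do not reuse it as any user password.
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=Q@12345678 use-ipsec=required
/interface list member
add interface=BRIDGE-LAN list=LAN
add interface=BRIDGE-IPMI list=LAN-IPMI
add comment="WAN for ipmi connections only" interface=ether12 list=WAN-IPMI
add comment="WAN for all external connections" interface=ether11 list=WAN-MAIN
# OpenVPN server: client certificates required, TLS 1.2 only, AES-256-CBC/SHA256.
/interface ovpn-server server
set auth=sha256 certificate=OVPN-SERVER cipher=aes256-cbc default-profile=OVPN enabled=yes protocol=udp push-routes="10.0.10.0 255.255.255.0 10.8.8.1" require-client-certificate=yes tls-version=only-1.2
# REVIEW: SSTP still accepts mschap1; keep only mschap2 unless a client is
# known to need v1. The server certificate is the auto-generated self-signed
# one, so clients cannot validate the endpoint unless they pin it.
/interface sstp-server server
set authentication=mschap1,mschap2 certificate=sslcert-autogen_2024-09-24T08:24:51Z default-profile=SSTP enabled=yes port=8443
# REVIEW: the 172.16.10.1/24 entry references interface "*12", i.e. an
# interface that no longer exists; the address is dead configuration and
# should be removed or re-bound.
/ip address
add address=91.142.82.222/29 interface=ether11 network=91.142.82.216
add address=185.73.214.42/24 interface=ether12 network=185.73.214.0
add address=10.10.10.1/24 interface=BRIDGE-IPMI network=10.10.10.0
add address=10.10.100.1/24 interface=BRIDGE-LAN network=10.10.100.0
add address=192.168.10.1/24 interface=ether13 network=192.168.10.0
add address=10.0.1.1/24 interface=BRIDGE-IPMI network=10.0.1.0
add address=10.0.10.1/24 interface=BRIDGE-LAN network=10.0.10.0
add address=172.16.10.1/24 interface=*12 network=172.16.10.0
add address=10.10.0.2/30 interface=gre-msk network=10.10.0.0
add address=10.10.0.5/30 interface=gre-ufa network=10.10.0.4
# The router answers DNS for clients; it is not an open resolver only because
# the input chain's final rule drops WAN-ALL traffic (see the filter section).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add forward-to=10.0.10.10 regexp=".*\\.corp\\.tages\\.ru\$" type=FWD
/ip firewall address-list
add address=10.0.10.14 list=USER_ACCESS
add address=10.0.10.13 list=USER_ACCESS
add address=10.0.10.10 list=USER_ACCESS
add address=172.21.20.0/24 comment=MSK_BUH list=1c_user
add address=172.22.20.0/24 comment=UFA_BUH list=1c_user
add address=192.168.99.100 list=USER_ACCESS
# REVIEW: the management accept rules ("ALLOW SSH OXIDIZED" 11209, "PERMIT API"
# 8728, "WinBox Wan Administration" 8291, "Allow OVPN", "wireguard") precede the
# WAN-ALL drop and carry no src-address / in-interface-list restriction, so
# SSH, the plaintext API and WinBox are reachable from both WAN uplinks. Limit
# each to a source address-list or to in-interface-list=LAN, and prefer api-ssl
# (currently disabled in /ip service) over 8728. The "temporary filter rule" for
# port 80 from 217.195.93.246 admits traffic to a service that /ip service has
# disabled (www), and the "wireguard" rule opens 13231 although no WireGuard
# interface appears in this export; both look like leftovers worth removing.
# "accept ICMP" is unrestricted; a rate limit is the usual hardening step.
/ip firewall filter
add action=accept chain=input comment="ALLOW SSH OXIDIZED" dst-port=11209 protocol=tcp
add action=accept chain=input comment="ACCEPT INPUT FROM MSK" dst-address=10.0.10.1 src-address=10.0.10.10
add action=accept chain=forward comment="PERMIT 1C_USERS TO USER_ACCESS" dst-address-list=USER_ACCESS src-address-list=1c_user
add action=accept chain=input comment="PERMIT API" dst-port=8728 protocol=tcp
add action=drop chain=forward comment="DROP 1C_USER ANY OTHER" disabled=yes src-address-list=1c_user
add action=drop chain=input comment="DROP 1C_USER ANY OTHER" disabled=yes src-address-list=1c_user
add action=accept chain=input comment="temporary filter rule" dst-port=80 protocol=tcp src-address=217.195.93.246
add action=accept chain=input comment="temporary filter rule" disabled=yes dst-port=443 protocol=tcp
add action=accept chain=input comment="PERMIT SSTP" dst-port=8443 in-interface-list=WAN-ALL protocol=tcp
add action=accept chain=input comment="PERMIT INPUT MSK GW" in-interface-list=WAN-ALL src-address=185.165.162.143
add action=accept chain=input comment="WinBox Wan Administration" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow OVPN" dst-port=1194 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701,500,4500 in-interface-list=WAN-ALL protocol=udp
add action=accept chain=input comment="allow l2tp" in-interface-list=WAN-ALL protocol=ipsec-esp
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=WAN-ALL
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN-ALL
/ip firewall mangle
add action=mark-packet chain=prerouting dst-port=3389 new-packet-mark=RDP passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting dst-port=3389 new-packet-mark=RDP passthrough=yes protocol=udp
# Masquerade is also applied on the two LAN bridges, which rewrites internal
# source addresses and hides the real client from hosts behind them; intended
# behaviour is not clear from the export, so it is left as is.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether11
add action=masquerade chain=srcnat out-interface=ether12
add action=masquerade chain=srcnat log-prefix=NAT_LAN out-interface=BRIDGE-LAN
add action=masquerade chain=srcnat out-interface=BRIDGE-IPMI
add action=netmap chain=dstnat comment=PROM_TO_SRV-BACKUP disabled=yes dst-address=185.73.214.42 dst-port=9091,9100,9177 protocol=tcp to-addresses=10.0.10.3
add action=dst-nat chain=dstnat disabled=yes dst-port=80,8888 protocol=tcp src-address=217.195.93.246 to-addresses=10.0.10.3
# Site-to-site peers use pre-shared keys (exported in the clear); road-warrior
# IKEv2 uses EAP over RADIUS with the router certificate.
/ip ipsec identity
add peer=msk secret=gRyiAtKoDiKPPH50M3F7
add auth-method=eap-radius certificate=sslcert-autogen_2024-09-24T08:24:51Z,r11.der_0 generate-policy=port-override mode-config=ikev2 peer=ikev2 policy-template-group=ikev2_ra remote-id=ignore
add peer=ufa secret="-~*B.M^#uR7=xuh@12Q8"
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=94.228.243.216/32 level=unique peer=ikev2 proposal=IKEV2_RA src-address=185.73.214.42/32
add comment=ikev2_ra dst-address=0.0.0.0/0 group=ikev2_ra proposal=IKEV2_RA src-address=0.0.0.0/0 template=yes
add dst-address=185.165.162.143/32 peer=msk proposal=main src-address=185.73.214.42/32
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=91.142.82.217 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=185.73.214.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=10.10.0.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.88.0/24 gateway=10.10.0.6 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.22.20.0/24 gateway=10.10.0.6 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.21.20.0/24 gateway=10.10.0.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.99.0/24 gateway=10.10.0.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# REVIEW: telnet/ftp/www are off and ssh is moved to 11209, but the plaintext
# api (8728) stays enabled while api-ssl is disabled, and www-ssl is enabled on
# the auto-generated certificate. Restrict api/www-ssl with the service
# `address=` parameter and move API clients to api-ssl.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=11209
set www-ssl certificate=sslcert-autogen_2024-09-24T08:24:51Z
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
# REVIEW: local ppp secrets are stored and exported in plaintext. Several
# accounts share one password (dng, ppp1, ppp2, ppp3) and "tages" reuses the
# L2TP ipsec-secret. With use-radius=yes already set, these local entries can be
# migrated to RADIUS and the exported values rotated.
/ppp secret
add disabled=yes name=dmitry.smirnov password="Tage\$777mikrotik" profile=OVPN service=ovpn
add name=sergei.danilov password="FA\$Eil9kGq1b" profile=OVPN routes="192.168.99.100 255.255.255.255 1" service=ovpn
add disabled=yes name=tages password=Q@12345678 profile=l2tp
add name=abror.ergashev password=Ek8KoMmrKX profile=SSTP service=sstp
add name=dierbek.ilkhomov password=YF190EDhGd profile=SSTP service=sstp
add name=liya.koval password=DhtPJJC6CF profile=SSTP service=sstp
add name=madina.kuldosheva password=AVLJwL3QUL profile=SSTP service=sstp
add name=natalie.kobzeva password=aizc4E3ooJ profile=SSTP service=sstp
add name=shirin.tuichieva password=fB1ouabdjL profile=SSTP service=sstp
add comment=lpYrI3wCopCGfpi name=anastasia.yakovleva password=AVE6Me3xnt profile=OVPN
add name=vladimir.osokin password=t329YvP5iDD2 profile=OVPN service=ovpn
add name=dng password=hpzMAE1acbec profile=SSTP service=sstp
add name=railia.galieva password=X8b4zQxrGdvV profile=OVPN service=ovpn
add name=yc-monitoring password=1nZ9CtGss1Qc profile=OVPN remote-address=10.8.8.100 service=ovpn
add name=temur.lawtax password="U2B\$LxR1a_" profile=SSTP service=sstp
add name=yana.makarenko password="b6\$qRtvbm8sw" profile=OVPN routes="10.0.10.0 255.255.255.0 10.8.8.1" service=ovpn
add comment=M5CAoHJy7t6PkwNufgr5 name=maria.pavlova password=Rq2iLiGqNFME501Ri1qC profile=OVPN routes="10.0.1.0 255.255.255.0 10.8.8.1" service=ovpn
add disabled=yes name=ppp1 password=hpzMAE1acbec profile=SSTP service=sstp
add disabled=yes name=ppp2 password=hpzMAE1acbec profile=SSTP service=sstp
add disabled=yes name=ppp3 password=hpzMAE1acbec profile=SSTP service=sstp
# REVIEW: require-message-auth=no lets the router accept RADIUS replies without
# a Message-Authenticator attribute; set it to yes once the server at 10.0.10.10
# is confirmed to send one, since this router also authenticates ppp and ipsec
# users through it.
/radius
add address=10.0.10.10 require-message-auth=no secret="p_m]DtRB5eKt+)z7B0A6" service=ppp,ipsec src-address=10.0.10.1 timeout=900ms
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rule
add action=lookup disabled=no src-address=10.10.10.0/24 table=ipmi
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=1c
/system logging
set 1 action=remote prefix=:Error
set 2 action=remote prefix=:Warning
set 3 action=remote prefix=:Critical
add disabled=yes topics=sstp
add disabled=yes topics=ipsec,!packet
add action=disk disabled=yes topics=radius
add disabled=yes topics=ovpn
add disabled=yes topics=route
add action=disk disabled=yes topics=ipsec,!packet
add action=remote prefix=:Firewall topics=firewall
add action=remote prefix=:Account topics=account
add action=remote prefix=:Info topics=info,!dhcp
add prefix=:Warning topics=warning
add prefix=:Error topics=error
add prefix=:Critical topics=critical
add prefix=:Account topics=account
add topics=ovpn
add disabled=yes topics=radius
/system note
set show-at-login=no
# REVIEW: the bandwidth-test server accepts unauthenticated clients; it is only
# shielded from WAN by the input-chain drop, and any LAN host can use it to
# saturate the router. Set authenticate=yes or disable the server.
/tool bandwidth-server
set authenticate=no
# REVIEW: the MAC-telnet server is allowed on WAN-IPMI (the internet-facing
# ether12) while MAC-WinBox is limited to LAN-IPMI; this looks like a mix-up
# of the two lists. MAC-level access should stay on management LAN lists only.
/tool mac-server
set allowed-interface-list=WAN-IPMI
/tool mac-server mac-winbox
set allowed-interface-list=LAN-IPMI
/user aaa
set use-radius=yes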