# oct/11/2020 21:06:05 by RouterOS 6.47.4
#
# model = CCR1016-12G
# Two bridges: bridge1 is defined but disabled; "loopback" has no ports in
# this export and carries 10.254.254.1 under /ip address.
/interface bridge
add disabled=yes name=bridge1 protocol-mode=none
add name=loopback
# Physical port labels. ether1 is the WAN uplink (the PPPoE client runs on it);
# the other ports face APs, servers and customer equipment.
# NOTE(review): the ether1 comment carries what looks like a line or phone
# number next to a redacted field; scrub such identifiers before an export
# leaves the organisation.
/interface ethernet
set [ find default-name=ether1 ] comment="WAN - XXXX - 957895511"
set [ find default-name=ether2 ] comment=APWISOC2 l2mtu=1600
set [ find default-name=ether3 ] comment=APWISOC3 l2mtu=1600
set [ find default-name=ether4 ] comment=APWISOC4 l2mtu=1600
set [ find default-name=ether5 ] comment=WIFISOCADA3 l2mtu=1600
set [ find default-name=ether6 ] comment=WIFISOCADA4 l2mtu=1600
set [ find default-name=ether7 ] comment=WIFISOCADA5 l2mtu=1600
set [ find default-name=ether8 ] comment=SERVIDOR-1 l2mtu=1600
set [ find default-name=ether9 ] comment=SERVIDOR-2
set [ find default-name=ether10 ] l2mtu=1600
set [ find default-name=ether11 ] comment="ELECTRODOMESTICOS ALAN" l2mtu=1600
set [ find default-name=ether12 ] comment="ROUTER TITA" l2mtu=1600
# One VPLS pseudowire per remote site, each towards a peer in 172.22.x.x.
# Entries carrying disabled=no are active; the ones without it are presumably
# left at the default (disabled) - confirm against the running router.
# NOTE(review): each active pseudowire is a layer-2 path into this router, and
# most of them terminate a PPPoE server later in this file. Nothing in this
# section restricts which peer may bring one up beyond remote-peer, so the
# trust placed in those 172.22.x.x devices should be reviewed together with
# the LDP settings.
/interface vpls
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:09:11:FE:8A:39 name=vpls_APENRIQUE remote-peer=172.22.3.36 vpls-id=\
172.22.3.36:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:88:B1:BF:F1:CF name=vpls_APSIMON remote-peer=172.22.3.39 vpls-id=\
172.22.3.39:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:38:5B:39:A1:62 name=vpls_PB_CORREDOR remote-peer=172.22.3.42 vpls-id=\
172.22.3.42:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:D2:75:3F:75:9A name=vpls_PB_HUERTOS remote-peer=172.22.2.17 vpls-id=\
172.22.2.17:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:31:09:CE:C3:1C name=vpls_PB_JOSE remote-peer=172.22.3.30 vpls-id=\
172.22.3.30:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:24:1F:3E:6F:7D name=vpls_PB_MILANO remote-peer=172.22.3.35 vpls-id=\
172.22.3.35:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:EE:49:D9:C8:13 name=vpls_PB_RICARDO remote-peer=172.22.3.26 vpls-id=\
172.22.3.26:0
add advertised-l2mtu=1530 mac-address=02:78:8D:16:60:8F name=\
vpls_PB_TIENDA_WI24 remote-peer=172.22.2.40 vpls-id=172.22.2.40:0
add advertised-l2mtu=1530 mac-address=02:2A:A0:F5:30:3A name=vpls_SWITCH_ALBA \
remote-peer=172.22.2.46 vpls-id=172.22.2.46:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:95:1F:BD:99:1F name=vpls_SWITCH_ALCAPARRA remote-peer=172.22.4.13 \
vpls-id=172.22.4.13:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:25:4C:06:0B:9E name=vpls_SWITCH_BOCANEGRA remote-peer=172.22.3.32 \
vpls-id=172.22.3.32:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:4E:CE:15:7D:66 name=vpls_SWITCH_CORREGIDOR remote-peer=172.22.3.33 \
vpls-id=172.22.3.33:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:BD:3B:96:53:4D name=vpls_SWITCH_CORREOS remote-peer=172.22.3.20 \
vpls-id=172.22.3.20:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:5C:5F:45:00:60 name=vpls_SWITCH_DANI remote-peer=172.22.2.22 vpls-id=\
172.22.2.22:0
add advertised-l2mtu=1530 mac-address=02:94:21:AC:85:E1 name=\
vpls_SWITCH_JESUS remote-peer=172.22.2.36 vpls-id=172.22.2.36:0
add advertised-l2mtu=1530 mac-address=02:20:3B:6B:D7:9E name=vpls_SWITCH_NAVE \
remote-peer=172.22.2.47 vpls-id=172.22.2.47:0
add advertised-l2mtu=1530 mac-address=02:B0:BF:7D:93:BB name=vpls_WIFISOCADA1 \
remote-peer=172.22.2.25 vpls-id=1:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:C5:3C:23:65:9D name=vpls_WIFISOCADA2 remote-peer=172.22.2.21 vpls-id=\
2:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:F2:5F:3F:6D:3C name=vpls_WIFISOCADA2.1 remote-peer=172.22.2.39 \
vpls-id=2:1
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:C0:13:D4:F0:5A name=vpls_WIFISOCADA4 remote-peer=172.22.6.10 vpls-id=\
4:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:16:02:BD:E7:58 name=vpls_WIFISOCADA6 remote-peer=172.22.3.14 vpls-id=\
6:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:08:56:A5:ED:5E name=vpls_WIFISOCADA7 remote-peer=172.22.4.14 vpls-id=\
7:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:31:37:B1:E4:18 name=vpls_WIFISOCADA7.1 remote-peer=172.22.4.15 \
vpls-id=7:1
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:EE:4E:44:02:C5 name=vpls_WIFISOCADA7.2 remote-peer=172.22.4.16 \
vpls-id=7:2
add advertised-l2mtu=1530 mac-address=02:A0:99:08:75:2E name=vpls_WIFISOCADA8 \
remote-peer=172.22.2.29 vpls-id=8:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:0F:F1:46:45:F3 name=vpls_WIFISOCADA9 remote-peer=172.22.3.43 vpls-id=\
9:0
add advertised-l2mtu=1530 mac-address=02:90:09:14:E1:3B name=\
vpls_WIFISOCADA11 remote-peer=172.22.2.35 vpls-id=11:0
add advertised-l2mtu=1530 mac-address=02:2F:28:A1:5B:5A name=\
vpls_WIFISOCADA12 remote-peer=172.22.2.37 vpls-id=12:0
add advertised-l2mtu=1530 mac-address=02:F4:A1:BC:DE:0A name=\
vpls_WIFISOCADA12.1 remote-peer=172.22.2.32 vpls-id=12:1
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:1D:EC:5D:6A:C2 name=vpls_WIFISOCADA13 remote-peer=172.22.2.18 vpls-id=\
13:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:7E:C5:8D:1B:12 name=vpls_WIFISOCADA13.1 remote-peer=172.22.2.38 \
vpls-id=13:1
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:AF:AC:BB:8A:7E name=vpls_WIFISOCADA13.2 remote-peer=172.22.2.19 \
vpls-id=13:2
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:DB:BE:6C:34:62 name=vpls_WIFISOCADA14 remote-peer=172.22.3.21 vpls-id=\
14:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:FA:62:EF:83:FF name=vpls_WIFISOCADA15 remote-peer=172.22.3.17 vpls-id=\
15:0
add advertised-l2mtu=1530 mac-address=02:01:FD:F4:5E:74 name=\
vpls_WIFISOCADA16 remote-peer=172.22.2.44 vpls-id=16:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:4B:8D:A9:71:15 name=vpls_WIFISOCADA17 remote-peer=172.22.3.22 vpls-id=\
17:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:60:32:3D:24:40 name=vpls_WIFISOCADA19 remote-peer=172.22.3.13 vpls-id=\
19:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:D4:AD:48:0C:74 name=vpls_WIFISOCADA21 remote-peer=172.22.3.31 vpls-id=\
21:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:04:CC:FE:D4:6B name=vpls_WIFISOCADA22 remote-peer=172.22.3.27 vpls-id=\
22:0
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:9A:99:D7:AE:2E name=vpls_WIFISOCADA22.1 remote-peer=172.22.3.38 \
vpls-id=22:1
add advertised-l2mtu=1530 disabled=no l2mtu=1530 mac-address=\
02:A8:26:67:67:BA name=vpls_WIFISOCADA23 remote-peer=172.22.3.23 vpls-id=\
23:0
# VLAN sub-interfaces carried over individual VPLS pseudowires; each gets a
# /30 point-to-point address under /ip address.
/interface vlan
add interface=vpls_SWITCH_CORREGIDOR name=vlan_APCORREGIDOR vlan-id=50
add interface=vpls_SWITCH_DANI name=vlan_FRANCESES vlan-id=50
add interface=vpls_WIFISOCADA7 name=vlan_QUIROS vlan-id=201
add disabled=yes interface=vpls_PB_TIENDA_WI24 name=vlan_WIFISOCADA24 \
vlan-id=50
# Interface list "LAN": every member added to it later in this file is
# disabled, and no firewall rule in this export refers to it.
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Default IPsec phase-1 profile, used by the L2TP server (use-ipsec=required).
# NOTE(review): 3des is still offered alongside AES. Remove it once every
# L2TP/IPsec client is confirmed to negotiate AES. Hash algorithm and DH group
# are not listed here, so they are presumably at RouterOS defaults - review
# those as well.
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-192,aes-128,3des
# Address pools: VPN clients, unpaid-customer quarantine (pool-impagados),
# per-port DHCP ranges and the PPPoE customer pools.
# NOTE(review): the VPN pool and all dhcp_ethN ranges fall inside networks
# that the firewall "admin" address list trusts (192.168.55.0/24 and
# 172.22.0.0/20), so any address handed out from them is treated as an
# administrator by the input and forward chains.
/ip pool
add name=VPN ranges=192.168.55.5-192.168.55.10
add name=pool-impagados ranges=172.22.16.2-172.22.16.254
add name=dhcp_eth2 ranges=172.22.2.91-172.22.2.99
add name=dhcp_eth4 ranges=172.22.4.91-172.22.4.99
add name=dhcp_eth3 ranges=172.22.3.91-172.22.3.99
add name=dhcp_eth5 ranges=172.22.5.91-172.22.5.99
add name=dhcp_eth6 ranges=172.22.6.91-172.22.6.99
add name=dhcp_eth7 ranges=172.22.7.91-172.22.7.99
add name=dhcp_eth8 ranges=172.22.8.91-172.22.8.99
add name=pool-pppoeInternos ranges=10.0.4.10-10.0.4.50
add name=pool-pppoe2 ranges=10.0.2.1-10.0.2.254
# DHCP servers for ether2..ether8. None carries disabled=no, so they are
# presumably all disabled - confirm before relying on that.
/ip dhcp-server
add address-pool=dhcp_eth2 interface=ether2 lease-time=1h name=eth2
add address-pool=dhcp_eth4 interface=ether4 lease-time=1h name=eth4
add address-pool=dhcp_eth3 interface=ether3 lease-time=1h name=eth3
add address-pool=dhcp_eth5 interface=ether5 lease-time=1h name=eth5
add address-pool=dhcp_eth6 interface=ether6 lease-time=1h name=eth6
add address-pool=dhcp_eth7 interface=ether7 lease-time=1h name=eth7
add address-pool=dhcp_eth8 interface=ether8 lease-time=1h name=eth8
# pool-pppoe1 is declared after pool-pppoe2 because it chains to it.
/ip pool
add name=pool-pppoe1 next-pool=pool-pppoe2 ranges=10.0.0.50-10.0.0.254
# PPP profiles. *0 and *FFFFFFFE are internal IDs, presumably the built-in
# "default" and "default-encryption" profiles. "vpn" is the only profile with
# use-encryption=yes and is the default profile of the L2TP and PPTP servers;
# the customer tiers differ mainly in rate-limit.
# NOTE(review): every customer profile sets use-encryption=no, so PPPoE
# payload is unencrypted on the access network, including over the VPLS
# pseudowires.
# NOTE(review): only-one=no lets the same account hold several sessions at
# once, which removes one signal of shared or stolen credentials. Confirm that
# is intended, in particular for "vpn".
# NOTE(review): "soloPruebas" is a test profile with a 600M limit; confirm no
# production account is still assigned to it.
/ppp profile
set *0 local-address=192.168.100.1 remote-address=pool-pppoe1
add change-tcp-mss=yes comment=VPN dns-server=8.8.8.8,8.8.4.4 local-address=\
192.168.100.1 name=vpn only-one=no rate-limit=100M/100M remote-address=\
VPN use-encryption=yes
add change-tcp-mss=yes comment="PERFIL BASIC 3MB" dns-server=8.8.8.8,8.8.4.4 \
local-address=192.168.100.1 name=basic only-one=no rate-limit=\
"1M/3M 2M/4M 800k/2M 16/16 8/8" remote-address=pool-pppoe1 \
use-encryption=no
add change-tcp-mss=yes comment="PERFIL STANDAR 7MB" dns-server=\
8.8.8.8,8.8.4.4 local-address=192.168.100.1 name=standar only-one=no \
rate-limit="2M/7M 4M/8M 2M/3M 16/16 8/8" remote-address=pool-pppoe1 \
use-encryption=no
add change-tcp-mss=yes comment="PERFIL PREMIUM 12MB" dns-server=\
8.8.8.8,8.8.4.4 local-address=192.168.100.1 name=premium only-one=no \
rate-limit="5M/20M 6M/21M 4M/18M 8/8 8/8" remote-address=pool-pppoe1 \
use-encryption=no
add change-tcp-mss=yes comment="PERFIL BASIC IMPAGADOS" local-address=\
192.168.100.1 name=IMPAGADOS only-one=no rate-limit=1k/1k remote-address=\
pool-impagados use-encryption=no
add change-tcp-mss=yes comment="PERFIL 17 MB" dns-server=8.8.8.8,8.8.4.4 \
local-address=192.168.100.1 name=pro only-one=no rate-limit=\
"10M/30M 11M/31M 8M/28M 8/8 8/8" remote-address=pool-pppoe1 \
use-encryption=no
add change-tcp-mss=yes comment="CONECTADOS DIRECTAMENTE A RED" dns-server=\
8.8.8.8,8.8.4.4 local-address=192.168.100.1 name=internos only-one=no \
rate-limit="2M/10M 3M/12M 2M/5M 16/16 8/8" remote-address=pool-pppoe1 \
use-encryption=no
add change-tcp-mss=yes comment="SOLO PARA PRUEBAS" dns-server=8.8.8.8,8.8.4.4 \
local-address=192.168.100.1 name=soloPruebas only-one=no rate-limit=\
600M/600M remote-address=pool-pppoe1 use-encryption=no
add change-tcp-mss=yes comment=NAVE dns-server=8.8.8.8,8.8.4.4 local-address=\
192.168.100.1 name=nave only-one=no rate-limit=\
"30M/25M 30M/27M 30M/10M 16/16 8/8" remote-address=pool-pppoe1 \
use-encryption=no
add change-tcp-mss=yes comment="PERFIL 22MB" dns-server=8.8.8.8,8.8.4.4 \
local-address=192.168.100.1 name=vip only-one=no rate-limit=\
"11M/22M 12M/25M 5M/10M 16/16 8/8" remote-address=pool-pppoe1 \
use-encryption=no
add change-tcp-mss=yes comment="PPPOE MOVISTAR" dns-server=8.8.8.8,8.8.4.4 \
name=movistar use-encryption=no
add change-tcp-mss=yes local-address=192.168.100.1 name=clientes \
remote-address=pool-pppoe1 use-encryption=no use-upnp=no
set *FFFFFFFE dns-server=8.8.8.8,8.8.4.4 local-address=192.168.100.1 \
only-one=no remote-address=pool-pppoe1
# WAN uplink: PPPoE client on ether1 that installs the default route. The
# firewall treats pppoe-out1 as the external interface.
# No password= appears, so the export was presumably taken with sensitive
# values hidden - keep it that way for any copy that is shared.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=60 \
max-mru=1492 max-mtu=1492 name=pppoe-out1 profile=movistar user=\
adslppp@telefonicanetpa
/queue type
set 1 pfifo-limit=300
# OSPF: a stub area named "pppoe" (0.0.0.1) without summary LSAs.
/routing ospf area
add area-id=0.0.0.1 default-cost=1 inject-summary-lsas=no name=pppoe type=\
stub
# The default instance redistributes connected, static and other-OSPF routes
# as type 1 and originates a default route when one is installed.
# NOTE(review): OSPF interface/network settings, including any adjacency
# authentication, are not in the sections visible here. With this much
# redistribution, confirm neighbours are authenticated and that only
# infrastructure interfaces run OSPF.
/routing ospf instance
set [ find default=yes ] distribute-default=if-installed-as-type-1 \
redistribute-connected=as-type-1 redistribute-other-ospf=as-type-1 \
redistribute-static=as-type-1 router-id=10.254.254.1
# Logging targets: a larger memory buffer, disk rotation (10 files of 10000
# lines) and a remote target "remoto" at 172.22.8.5.
# NOTE(review): an action stores nothing by itself. Confirm that
# /system logging rules send at least the firewall, account and critical
# topics to "remoto", so evidence survives a reboot or tampering on the router.
/system logging action
set 0 memory-lines=40000
set 1 disk-file-count=10 disk-lines-per-file=10000
add name=remoto remote=172.22.8.5 src-address=172.22.2.1 target=remote
# Policy set of the built-in "full" group. It includes sensitive, sniff, policy
# and every access method. User accounts are not part of this export; review
# who is in this group and whether operators could use a narrower one.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# Ports of bridge1. Every entry is disabled and bridge1 itself is disabled, so
# nothing is bridged as exported. NOTE(review): enabling these would join many
# customer-facing pseudowires and ether3 into one layer-2 domain; remove the
# entries if they are leftovers.
/interface bridge port
add bridge=bridge1 disabled=yes interface=vpls_PB_JOSE
add bridge=bridge1 disabled=yes interface=vpls_PB_MILANO
add bridge=bridge1 disabled=yes interface=vpls_PB_RICARDO
add bridge=bridge1 disabled=yes interface=vpls_WIFISOCADA22
add bridge=bridge1 disabled=yes interface=vpls_WIFISOCADA21
add bridge=bridge1 disabled=yes interface=vpls_WIFISOCADA23
add bridge=bridge1 disabled=yes interface=vpls_WIFISOCADA14
add bridge=bridge1 disabled=yes interface=vpls_WIFISOCADA17
add bridge=bridge1 disabled=yes interface=vpls_WIFISOCADA6
add bridge=bridge1 disabled=yes interface=vpls_WIFISOCADA19
add bridge=bridge1 disabled=yes interface=vpls_WIFISOCADA15
add bridge=bridge1 disabled=yes interface=vpls_SWITCH_CORREGIDOR
add bridge=bridge1 disabled=yes interface=ether3
# Connection tracking is forced on; the stateful filter rules depend on it.
/ip firewall connection tracking
set enabled=yes
# Neighbour discovery is turned off on all interfaces, so the router does not
# announce itself to adjacent devices.
/ip neighbor discovery-settings
set discover-interface-list=none
# Loose reverse-path filtering and SYN cookies for the router's own TCP stack.
/ip settings
set rp-filter=loose tcp-syncookies=yes
# L2TP server: MS-CHAPv2 only, and sessions are accepted only inside IPsec
# (use-ipsec=required). No ipsec-secret= appears, presumably because sensitive
# values were hidden in the export. NOTE(review): confirm the pre-shared secret
# is long and unique, since UDP 500/4500/1701 are open to any source in the
# input chain.
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes keepalive-timeout=\
disabled use-ipsec=required
# Members of the "LAN" interface list. All entries are disabled, so the list
# is effectively empty as exported.
/interface list member
add disabled=yes interface=ether2 list=LAN
add disabled=yes interface=ether3 list=LAN
add disabled=yes interface=ether4 list=LAN
add disabled=yes interface=ether5 list=LAN
add disabled=yes interface=ether6 list=LAN
add disabled=yes interface=ether7 list=LAN
add disabled=yes interface=ether8 list=LAN
add disabled=yes interface=ether9 list=LAN
add disabled=yes interface=ether10 list=LAN
add disabled=yes interface=ether11 list=LAN
add disabled=yes interface=ether12 list=LAN
# One PPPoE access concentrator per physical port or VPLS pseudowire, all using
# the "clientes" profile and one session per host MAC. Entries with disabled=no
# are active; those without it are presumably disabled - confirm.
# NOTE(review): no authentication= is set on any server, so the accepted
# methods are presumably the RouterOS default set, which includes PAP. With
# use-encryption=no in the profile, a PAP login crosses the access network in
# clear text. Consider restricting authentication to CHAP/MS-CHAPv2 once
# customer CPEs are confirmed to support it.
/interface pppoe-server server
add default-profile=clientes interface=ether6 keepalive-timeout=30 max-mru=\
1492 max-mtu=1492 one-session-per-host=yes service-name=ETH6
add default-profile=clientes disabled=no interface=ether7 keepalive-timeout=\
30 max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
WIFISOCADA5
add default-profile=clientes interface=ether2 keepalive-timeout=30 max-mru=\
1492 max-mtu=1492 one-session-per-host=yes service-name=ETH2
add default-profile=clientes interface=ether4 keepalive-timeout=30 max-mru=\
1492 max-mtu=1492 one-session-per-host=yes service-name=ETH4
add default-profile=clientes disabled=no interface=ether3 keepalive-timeout=\
30 max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=ETH3
add default-profile=clientes disabled=no interface=ether5 keepalive-timeout=\
30 max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
WIFISOCADA3
add default-profile=clientes disabled=no interface=ether12 keepalive-timeout=\
30 max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=TITA
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA6 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA6
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA19 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA19
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA15 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA15
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA14 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA14
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA17 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA17
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA23 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA23
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA21 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA21
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA22 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA22
add default-profile=clientes disabled=no interface=vpls_PB_JOSE \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=PB_JOSE
add default-profile=clientes disabled=no interface=vpls_PB_RICARDO \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=PB_RICARDO
add default-profile=clientes disabled=no interface=vpls_PB_MILANO \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=PB_MILANO
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA7.2 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA7.2
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA4 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA4
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA7.1 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA7.1
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA7 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA7
add default-profile=clientes interface=vpls_WIFISOCADA12.1 keepalive-timeout=\
30 max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
WIFISOCADA12.1
add default-profile=clientes interface=vpls_WIFISOCADA16 keepalive-timeout=30 \
max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
WIFISOCADA16
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA2 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA2
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA2.1 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA2.1
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA13 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA13
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA13.1 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA13.1
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA13.2 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA13.2
add default-profile=clientes disabled=no interface=vpls_PB_HUERTOS \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=PB_HUERTOS
add default-profile=clientes interface=vpls_WIFISOCADA1 keepalive-timeout=30 \
max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
WIFISOCADA1
add default-profile=clientes disabled=no interface=vpls_SWITCH_ALCAPARRA \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=SWITCH_ALCAPARRA
add default-profile=clientes interface=vpls_PB_TIENDA_WI24 keepalive-timeout=\
30 max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
PB_TIENDA_WI24
add default-profile=clientes disabled=no interface=vpls_SWITCH_CORREGIDOR \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=SWITCH_CORREGIDOR
add default-profile=clientes disabled=no interface=vpls_SWITCH_BOCANEGRA \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=SWITCH_BOCANEGRA
add default-profile=clientes disabled=no interface=vpls_SWITCH_CORREOS \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=SWITCH_CORREOS
add default-profile=clientes disabled=no interface=vpls_SWITCH_DANI \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=SWITCH_DANI
add default-profile=clientes disabled=no interface=ether11 keepalive-timeout=\
30 max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=ALAN
add default-profile=clientes interface=vpls_WIFISOCADA12 keepalive-timeout=30 \
max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
WIFISOCADA12
add default-profile=clientes interface=vpls_WIFISOCADA8 keepalive-timeout=30 \
max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
WIFISOCADA8
add default-profile=clientes interface=vpls_SWITCH_ALBA keepalive-timeout=30 \
max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
SWITCH_ALBA
add default-profile=clientes interface=vpls_SWITCH_NAVE keepalive-timeout=30 \
max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
SWITCH_NAVE
add default-profile=clientes interface=vpls_WIFISOCADA11 keepalive-timeout=30 \
max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
WIFISOCADA11
add default-profile=clientes interface=vpls_SWITCH_JESUS keepalive-timeout=30 \
max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=\
SWITCH_JESUS
add default-profile=clientes disabled=no interface=vpls_APSIMON \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=APSIMON
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA22.1 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA22.1
add default-profile=clientes disabled=no interface=vpls_APENRIQUE \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=APENRIQUE
add default-profile=clientes disabled=no interface=vpls_WIFISOCADA9 \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=WIFISOCADA9
add default-profile=clientes disabled=no interface=vpls_PB_CORREDOR \
keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes \
service-name=PB_CORREDOR
# PPTP server settings. enabled= is not set here, so the server is presumably
# left at its default (off) - confirm. NOTE(review): PPTP's MPPE/MS-CHAPv2
# protection is considered weak; keep it disabled and use the IPsec-protected
# L2TP service instead.
/interface pptp-server server
set default-profile=vpn keepalive-timeout=240
# Router addresses: loopback/router-id, one 172.22.N.1/25 gateway per access
# port, and /30 or /29 point-to-point links on VLANs, one pseudowire and
# ether11.
# NOTE(review): the 10.254.245.x, 10.254.240.x and 10.254.200.x link networks
# are not in the firewall "admin" list, unlike the 172.22.N.0/25 networks;
# keep that in mind when tightening the input chain.
/ip address
add address=10.254.254.1 interface=loopback network=10.254.254.1
add address=172.22.6.1/25 interface=ether6 network=172.22.6.0
add address=172.22.7.1/25 interface=ether7 network=172.22.7.0
add address=172.22.2.1/25 interface=ether2 network=172.22.2.0
add address=172.22.3.1/25 interface=ether3 network=172.22.3.0
add address=172.22.4.1/25 interface=ether4 network=172.22.4.0
add address=172.22.5.1/25 interface=ether5 network=172.22.5.0
add address=172.22.8.1/25 interface=ether8 network=172.22.8.0
add address=172.22.12.1/25 interface=ether12 network=172.22.12.0
add address=172.22.9.1/25 interface=ether9 network=172.22.9.0
add address=10.254.245.9/30 interface=vlan_APCORREGIDOR network=10.254.245.8
add address=10.254.245.1/30 disabled=yes interface=vlan_WIFISOCADA24 network=\
10.254.245.0
add address=10.254.245.5/30 interface=vlan_FRANCESES network=10.254.245.4
add address=10.254.200.1/29 comment=ALAN interface=ether11 network=\
10.254.200.0
add address=10.254.240.1/30 interface=vlan_QUIROS network=10.254.240.0
add address=10.254.245.17/30 interface=vpls_PB_JOSE network=10.254.245.16
add address=192.168.1.2/24 comment="ROUTER MOVISTAR" disabled=yes interface=\
ether1 network=192.168.1.0
# DHCP options per access subnet; clients are pointed at public resolvers
# rather than at the router.
/ip dhcp-server network
add address=172.22.2.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=172.22.2.1
add address=172.22.3.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=172.22.3.1
add address=172.22.4.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=172.22.4.1
add address=172.22.5.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=172.22.5.1
add address=172.22.6.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=172.22.6.1
add address=172.22.7.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=172.22.7.1
add address=172.22.8.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=172.22.8.1
# Upstream resolvers for the router itself. allow-remote-requests is not set
# here, so the router presumably does not answer DNS for clients - confirm;
# the firewall also drops port 53 arriving on pppoe-out1.
/ip dns
set servers=8.8.8.8,8.8.4.4
# Static address lists used by the filter rules.
#   admin           - trusted: all input from it is accepted, and all
#                     forwarding to or from it is accepted.
#   clientes        - customer PPPoE range; allowed to reach Winbox.
#   Servidores_VoIP - SIP servers allowed in from the WAN.
# NOTE(review): "admin" is very broad. 172.22.0.0/20 alone covers every
# 172.22.N.0/25 access subnet configured under /ip address (which also makes
# the individual 172.22.N.0/25 entries redundant). Membership is by source
# address only, so any host able to send from those segments is treated as an
# administrator. Narrow the list to the management hosts that need access.
# NOTE(review): the list also holds single public addresses, one of them
# labelled "TEST ANCHO BANDA" and another the VoIP server. Confirm each still
# needs unrestricted access to the router; a purpose-specific list (as
# Servidores_VoIP already is for SIP) is the safer pattern.
/ip firewall address-list
add address=10.253.0.0/30 list=admin
add address=62.81.86.34 list=admin
add address=192.168.0.0/24 list=admin
add address=192.168.2.0/24 list=admin
add address=172.22.0.0/25 list=admin
add address=172.22.4.0/25 list=admin
add address=172.22.5.0/25 list=admin
add address=172.22.6.0/25 list=admin
add address=172.22.7.0/25 list=admin
add address=172.22.8.0/25 list=admin
add address=172.22.9.0/25 list=admin
add address=192.168.3.0/24 list=admin
add address=207.32.194.24 comment="TEST ANCHO BANDA" list=admin
add address=10.0.0.11-10.0.4.254 list=clientes
add address=192.168.55.0/24 list=admin
add address=172.22.2.0/25 list=admin
add address=172.22.1.0/25 list=admin
add address=10.254.254.0/24 list=admin
add address=90.161.253.177 list=admin
add address=192.168.1.0/24 list=admin
add address=192.168.10.0/24 list=admin
add address=172.22.3.0/25 list=admin
add address=172.22.0.0/20 list=admin
add address=10.0.254.0/24 list=admin
add address=192.168.9.0/24 list=admin
add address=10.0.0.1-10.0.0.10 list=admin
add address=185.130.155.196 comment=VOIP list=admin
add address=185.130.155.196 comment=VOIP list=Servidores_VoIP
add address=192.168.4.0/24 list=admin
add address=172.22.10.0/25 list=admin
add address=172.22.11.0/25 list=admin
add address=172.22.12.0/25 list=admin
add address=172.22.13.0/25 list=admin
add address=10.254.250.0/29 list=admin
add address=80.28.220.114 list=admin
/ip firewall filter
# Input chain (traffic addressed to the router itself). Rules are evaluated
# top-down and the first terminating match wins.
# L2TP, IKE, NAT-T and ESP are accepted from any source; the L2TP server
# itself is set to use-ipsec=required.
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=SSTP disabled=yes dst-port=443 \
protocol=tcp
# Disabled. NOTE(review): if enabled, this would accept all input from every
# customer address; delete it rather than keep it one click from active.
add action=accept chain=input comment=\
"CLIENTES ACEPTAR TODO COMO ADMINISTRACION" disabled=yes \
src-address-list=clientes
add action=accept chain=input comment="Conexion establecida y relacionada" \
connection-state=established,related
add action=drop chain=input comment="Drop conexiones invalidas" \
connection-state=invalid
# Port-scan detection; sits above the admin accept, so it applies to admin
# sources as well.
add action=drop chain=input comment=\
"Detecta y dropea escaneo de conexiones de puertos" protocol=tcp psd=\
10,3s,3,1
# Sources already in black_list are tarpitted; non-admin sources reaching the
# connection limit of 10 are added to black_list for 2 days.
add action=tarpit chain=input comment="Suprime DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=2d chain=input connection-limit=10,32 protocol=tcp \
src-address-list=!admin
# All ICMP is handed to the ICMP chain, which ends in a drop.
add action=jump chain=input comment="Salto a Chain ICMP" jump-target=ICMP \
protocol=icmp
# Everything from the admin list is accepted on every port and protocol.
# NOTE(review): given how broad that list is, this is the widest opening in
# the chain; narrowing the list matters more than any rule below.
add action=accept chain=input comment=Administration src-address-list=admin
# NOTE(review): Winbox is reachable from the whole clientes range, i.e. from
# customer PPPoE sessions. Confirm this is intended; management access is
# normally limited to the admin list.
add action=accept chain=input comment="WINBOX DESDE CLIENTES" dst-port=8291 \
protocol=tcp src-address-list=clientes
# NOTE(review): appears unreachable - all ICMP was jumped to the ICMP chain
# above, whose last rule drops whatever it did not accept.
add action=accept chain=input comment="Acepta ping" protocol=icmp
# NOTE(review): log-prefix is set but log=yes is not, so this rule presumably
# writes no log entry. The same applies to the "accesos 21-80" drop below.
add action=drop chain=input comment=\
"Drop new connections from blacklisted IP's to this router" \
connection-state=new in-interface=pppoe-out1 log-prefix=\
"Intento intrusion de Blacklist" src-address-list=black_list
# Trap: a non-admin source touching any TCP port from 21 to 80 is listed for
# 10 minutes, and while listed all of its input traffic is dropped. Port 22 is
# inside that range, so non-admin SSH attempts end here.
add action=add-src-to-address-list address-list="accesos 21-80" \
address-list-timeout=10m chain=input comment="not admin" dst-port=21-80 \
protocol=tcp src-address-list=!admin
add action=drop chain=input comment="not admin" log-prefix=\
"Intento de entrada puerto 21 80" src-address-list="accesos 21-80"
# Winbox from non-admin sources is dropped and logged (customers were already
# accepted above).
add action=drop chain=input comment="not admin winbox" dst-port=8291 log=yes \
log-prefix="Intento de entrada winbox" protocol=tcp src-address-list=\
!admin
# Appears redundant: the previous rule already drops tcp/8291 from every
# non-admin source, and admin sources were accepted earlier.
add action=drop chain=input comment="BLOQUEO WINBOX EXTERNO" dst-port=8291 \
in-interface=pppoe-out1 protocol=tcp
# Explicit WAN-side drops for Webfig (81), web proxy (8080) and DNS (53).
add action=drop chain=input comment="Bloqueo de Webfig externo (SOCADA)" \
dst-port=81 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment="Bloqueo de Webproxy externo" dst-port=\
8080 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment="Bloqueo DNS cache externo" dst-port=53 \
in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment="Bloqueo DNS cache externo" dst-port=53 \
in-interface=pppoe-out1 protocol=tcp
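# SSH brute-force ladder: each new connection to tcp/22 promotes the source one
# stage (stage1 -> stage2 -> stage3 -> ssh_blacklist). Stages expire after one
# minute; ssh_blacklist entries last 1w3d and are dropped by the first rule.
# The rules are ordered highest stage first so that one packet advances a
# source by only one step.
# NOTE(review): non-admin traffic to tcp/22 also matches the "accesos 21-80"
# trap earlier in the input chain, which drops it first, so these rules may see
# little or no traffic as the chain stands.
add action=drop chain=input comment="Proteccion ataques via SSH Bruteforce" \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
# Entry rule of the ladder. It must not require ssh_stage1 membership: the
# original matched only sources already in ssh_stage1, and nothing else in this
# file adds to that list, so the ladder could never start.
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp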
# ftp_blacklist is filled by the output-chain rules that watch for
# "530 Login incorrect"; the ftp service itself is disabled under /ip service.
add action=drop chain=input comment="Bloquear Ataques FTP Bruteforce" \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
# NOTE(review): the rule comment says "allow broadcast traffic", but the match
# is negated (!broadcast), so this accepts every packet that is NOT addressed
# to broadcast. Any unicast or multicast packet that survived the rules above
# is accepted here, whatever its source or port, and the rules below - including
# the final drop - only ever see broadcast-addressed packets. In effect the
# input chain is default-accept apart from its explicit drops.
# Before changing it to dst-address-type=broadcast, list what currently relies
# on it (for example routing or signalling from link networks that are not in
# the admin list) and add explicit accepts for those first.
add action=accept chain=input comment="Permitir trafico Broadcast" \
dst-address-type=!broadcast
# Connection-limit tarpit for sources reaching 100 TCP connections. Because of
# the accept above, these presumably never match unicast traffic.
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1m chain=input comment="Limit incoming connections" \
connection-limit=100,32 protocol=tcp
add action=tarpit chain=input comment="Action tarpit" connection-limit=3,32 \
protocol=tcp src-address-list=blocked-addr
# Lists non-admin sources that touch tcp/22 and drops all their input traffic.
# The timeout is none-dynamic, i.e. the entry has no expiry. As the chain
# stands this is reached neither by non-admin SSH (dropped by the 21-80 trap
# earlier in the chain) nor by other unicast traffic (accepted above).
add action=add-src-to-address-list address-list="Intrusion SSH" \
address-list-timeout=none-dynamic chain=input comment=\
"Intento de entrada por SSH" dst-port=22 protocol=tcp src-address-list=\
!admin
add action=drop chain=input comment="Intento de entrada por SSH" \
src-address-list="Intrusion SSH"
# ICMP chain, jumped to from both input and forward. It accepts echo reply (0),
# port unreachable (3:3), fragmentation needed (3:4), echo request (8) and
# time exceeded (11) under a rate limit, and drops every other ICMP packet,
# including packets of the accepted types that exceed the limit.
# NOTE(review): the rule comments say 5 pac/s while limit=50,5:packet reads as
# a rate of 50 with a burst of 5 - confirm which one is intended.
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=\
0:0-255 limit=50,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=\
3:3 limit=50,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=\
3:4 limit=50,5:packet protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=\
8:0-255 limit=50,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" \
icmp-options=11:0-255 limit=50,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
# Final input drop. See the note on the !broadcast accept above: only
# broadcast-addressed packets can reach this rule today.
add action=drop chain=input comment="Descarta todo lo demas"
# Forward chain (traffic routed through the router).
# NOTE(review): this first rule accepts anything destined to the admin list
# before the connection-state checks, so invalid-state packets towards those
# ranges are forwarded too. Consider placing it after the invalid drop.
add action=accept chain=forward comment=Administrador dst-address-list=admin
add action=accept chain=forward comment="default configuration" \
connection-state=established,related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=jump chain=forward comment="Salto a Chain ICMP" jump-target=ICMP \
protocol=icmp
add action=accept chain=forward comment=Administrador src-address-list=admin
# Bogon filtering: this-network, loopback and multicast/reserved space, as
# source or as destination.
add action=drop chain=forward comment="Bloqueo Direcciones IP Bogon" \
src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
# SIP from the listed VoIP servers is accepted from the WAN. Any other source
# that opens two new flows to udp/5060 within 15 seconds moves from
# "SIP Trial" to "SIP Hacker" and is dropped on the WAN side for one day.
add action=accept chain=forward comment="Servidores SIP" dst-port=5060 \
in-interface=pppoe-out1 protocol=udp src-address-list=Servidores_VoIP
add action=accept chain=forward comment="Servidores SIP" dst-port=6999 \
in-interface=pppoe-out1 protocol=udp src-address-list=Servidores_VoIP
add action=drop chain=forward comment="Ataque SIP" in-interface=pppoe-out1 \
src-address-list="SIP Hacker"
add action=add-src-to-address-list address-list="SIP Hacker" \
address-list-timeout=1d chain=forward connection-state=new dst-port=5060 \
in-interface=pppoe-out1 protocol=udp src-address-list="SIP Trial"
add action=add-src-to-address-list address-list="SIP Trial" \
address-list-timeout=15s chain=forward connection-state=new dst-port=5060 \
in-interface=pppoe-out1 protocol=udp src-address=0.0.0.0/0
# SYN-flood limiter for new TCP connections not accepted above.
# NOTE(review): the drop rule repeats the same limit= matcher as the accept
# rule. A limit matcher only matches while traffic is under its rate, so SYNs
# beyond both limits match neither rule, return to the forward chain and are
# forwarded. The usual form is an unconditional drop as the last rule of the
# chain. The limit is shared by all non-admin traffic, so check that 400 suits
# normal load before removing limit= from the drop.
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new limit=400,5:packet \
protocol=tcp tcp-flags=syn
# NOTE(review): this is the last forward rule and there is no final drop, so
# everything not dropped above is forwarded. That may be intended on a transit
# router; confirm, and document it if so.
add action=drop chain=forward comment=unicast src-address-type=!unicast
# Output chain (traffic originated by the router).
add action=accept chain=output comment=Administrador dst-address-list=admin
# FTP brute-force detection: replies containing "530 Login incorrect" are
# allowed up to the dst-limit; beyond it the destination is added to
# ftp_blacklist for 3 hours. The ftp service is disabled under /ip service, so
# these rules are presumably dormant.
add action=accept chain=output comment="Ataque FTP Bruteforce" content=\
"530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=output comment="TRANSLATION NAT BUG" connection-state=\
invalid protocol=icmp
# Disabled input rule placed after the final input drop; it would never match
# there even if enabled.
add action=accept chain=input comment=ADMIN disabled=yes src-address-list=\
admin
# Mangle table. The accept rules stop further mangle processing in prerouting
# for the matched traffic; they do not affect filtering.
/ip firewall mangle
# OSPF protocol packets.
add action=accept chain=prerouting comment=OSPF protocol=ospf
# Disabled: TCP and UDP port 646 (log-prefix "mpls"; 646 is the LDP port).
add action=accept chain=prerouting disabled=yes log-prefix=mpls port=646 \
protocol=tcp
add action=accept chain=prerouting disabled=yes log-prefix=mpls port=646 \
protocol=udp
# RADIUS accounting (1813) and authentication (1812) arriving on ether8.
# port= matches the source or the destination port.
add action=accept chain=prerouting comment=RADIUS in-interface=ether8 port=\
1813 protocol=udp
add action=accept chain=prerouting comment=RADIUS in-interface=ether8 port=\
1812 protocol=udp
# Traffic from the "admin" address list.
add action=accept chain=prerouting comment=Admin src-address-list=admin
# Disabled: set priority 1 on everything leaving pppoe-out1.
add action=set-priority chain=postrouting comment=MOVISTAR disabled=yes \
new-priority=1 out-interface=pppoe-out1 passthrough=yes
# Source NAT: everything leaving pppoe-out1 is translated to one fixed
# address (redacted as XXXX). There is no src-address matcher, so the rule
# applies to any source that gets routed out of the WAN interface.
/ip firewall nat
add action=src-nat chain=srcnat out-interface=pppoe-out1 to-addresses=\
XXXX
# SIP connection-tracking helper on 5060, 5061 and 6999.
# NOTE(review): the forward rules above only allow 5060 and 6999 from
# Servidores_VoIP; confirm 5061 is needed here.
/ip firewall service-port
set sip ports=5060,5061,6999 sip-timeout=10m
# Static routes: all four entries are disabled.
/ip route
add disabled=yes distance=1 gateway=pppoe-out1
add disabled=yes distance=1 gateway=192.168.10.1
add disabled=yes distance=1 gateway=172.22.2.5
add comment="PISO - ACTIVAR MASQUERADE" disabled=yes distance=1 gateway=\
172.22.2.10
# Management services: telnet, ftp, www, api and api-ssl are switched off.
# NOTE(review): ssh and winbox do not appear, which in a compact export
# presumably means they are at their defaults (enabled, no address=
# allow-list). Consider restricting them with address= to the admin networks
# in addition to the input-chain rules - confirm current reachability.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# SMB: guest access is refused; user "socada" has write access.
# NOTE(review): whether the SMB server itself is enabled is not shown, and no
# password appears for the user (hidden by the export or unset) - confirm.
/ip smb
set allow-guests=no
/ip smb users
add name=socada read-only=no
# SSH: strong-crypto and a 4096-bit host key are set.
# NOTE(review): forwarding-enabled=remote lets SSH sessions use the router
# for remote port forwarding; set it to no unless that is actually used.
/ip ssh
set forwarding-enabled=remote host-key-size=4096 strong-crypto=yes
# Front-panel LCD and touch screen are disabled.
/lcd
set enabled=no touch-screen=disabled
# MPLS MTU of 1530 on ether2, ether3, ether4 and ether6.
/mpls interface
set [ find default=yes ] interface=ether2 mpls-mtu=1530
add interface=ether3 mpls-mtu=1530
add interface=ether4 mpls-mtu=1530
add interface=ether6 mpls-mtu=1530
# LDP is enabled with 172.22.2.1 as both LSR id and transport address.
/mpls ldp
set enabled=yes lsr-id=172.22.2.1 transport-address=172.22.2.1
# Label advertisement for 10.0.0.0/21: the first entry names neighbor
# 172.22.2.10, the second sets advertise=no without a neighbor.
# NOTE(review): presumably the entries are evaluated in order, so the prefix
# is advertised to 172.22.2.10 only - confirm.
/mpls ldp advertise-filter
add neighbor=172.22.2.10 prefix=10.0.0.0/21
add advertise=no prefix=10.0.0.0/21
# LDP runs on the same four interfaces that carry MPLS.
# NOTE(review): no LDP authentication or neighbor filtering is visible in
# this section; these ports should face trusted backbone devices only.
/mpls ldp interface
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether6
# PPP sessions are authenticated against RADIUS.
/ppp aaa
set use-radius=yes
# RADIUS server 172.22.8.6 for the ppp service, queried from 172.22.8.1.
# NOTE(review): no secret= appears on this line - either the export hid it or
# none is set. Confirm that a long random shared secret is configured.
/radius
add address=172.22.8.6 service=ppp src-address=172.22.8.1
# Incoming RADIUS requests (disconnect / change-of-authorization) are
# accepted on UDP 1700.
# NOTE(review): a CoA listener can terminate or alter subscriber sessions;
# the input chain should allow UDP 1700 from the RADIUS server only. That
# rule is not visible here - confirm.
/radius incoming
set accept=yes port=1700
# BFD is disabled on the default interface entry.
/routing bfd interface
set [ find default=yes ] disabled=yes
# Summary ranges for the "pppoe" area.
/routing ospf area range
add area=pppoe range=10.0.0.0/24
add area=pppoe range=10.0.4.0/24
add area=pppoe range=10.0.2.0/24
# OSPF interfaces. The first entry names no interface (presumably the
# catch-all) and is passive, so adjacencies form only on the interfaces
# listed explicitly. ether3 is listed but passive as well.
# NOTE(review): no authentication= or authentication-key= is visible on any
# entry; if OSPF runs unauthenticated, any device on ether2/ether8 can inject
# routes. Confirm, and enable MD5 authentication if it is not already set.
/routing ospf interface
add network-type=broadcast passive=yes
add interface=ether8 network-type=point-to-point priority=10
add interface=ether2 network-type=nbma priority=10
add interface=ether3 network-type=nbma passive=yes priority=10
# Statically configured NBMA neighbors.
# NOTE(review): 172.2.2.25 and 172.2.3.13 are outside the 172.22.0.0/20
# backbone used everywhere else in this file (and outside private address
# space); they look like typos for 172.22.2.25 / 172.22.3.13 - confirm.
/routing ospf nbma-neighbor
add address=172.22.2.5 poll-interval=20s priority=1
add address=172.22.2.10 poll-interval=20s priority=1
add address=172.2.2.25 poll-interval=20s
add address=172.2.3.13 disabled=yes poll-interval=20s
# Networks announced into the backbone and pppoe areas; the two /25 entries
# are disabled and are covered by 172.22.0.0/20.
/routing ospf network
add area=backbone network=10.254.254.1/32
add area=backbone disabled=yes network=172.22.8.0/25
add area=backbone disabled=yes network=172.22.2.0/25
add area=backbone network=172.22.0.0/20
add area=pppoe network=10.0.0.0/24
add area=pppoe network=10.0.4.0/24
add area=pppoe network=172.22.16.0/24
add area=backbone network=10.254.254.0/24
add area=backbone network=10.254.250.0/29
add area=backbone network=10.254.240.0/24
add area=backbone network=192.168.4.0/24
# SNMP traps use version 2.
# NOTE(review): whether SNMP is enabled and which community is configured is
# not shown; SNMP v2 has no authentication beyond the community string, so it
# should be limited to the monitoring host - confirm.
/snmp
set trap-version=2
/system clock
set time-zone-name=Europe/Madrid
/system health
set use-fan=auxiliary
/system identity
set name=CCR_TITA
# Logging: info, error, warning, critical, interface and route/ospf topics go
# to the "remoto" action with the prefix CCR_TITA; the debug and plain ospf
# entries are disabled.
# NOTE(review): "remoto" is defined outside this section, presumably a remote
# syslog target. Confirm it points at a host on the management network, since
# these logs describe topology and logins.
/system logging
add action=remoto prefix=CCR_TITA topics=info
add action=remoto prefix=CCR_TITA topics=error
add action=remoto prefix=CCR_TITA topics=warning
add action=remoto disabled=yes prefix=CCR_TITA_OSPF topics=ospf
add disabled=yes topics=debug,pppoe
add disabled=yes topics=debug,ppp
add action=remoto prefix=CCR_TITA topics=critical
add disabled=yes prefix=CCR_TITA_OSPF topics=ospf
add action=remoto prefix=CCR_TITA topics=interface,info
add action=remoto prefix=CCR_TITA topics=route,ospf,info
# NTP client with two fixed servers plus time.google.com by name. Correct
# time matters for log correlation and certificate checks.
/system ntp client
set enabled=yes primary-ntp=130.206.3.166 secondary-ntp=150.214.94.5 \
server-dns-names=time.google.com
# RouterBOOT firmware is upgraded automatically after a RouterOS upgrade; the
# new firmware takes effect on the next reboot.
/system routerboard settings
set auto-upgrade=yes
# Scheduled jobs. Enabled daily sequence: 05:30 backup_email, 05:31
# export_mail, 05:50 autoUpdate, 06:05 reinicioRouterboot. The 10-day reboot
# and the 12-hour backup are disabled.
# NOTE(review): every entry is granted the full policy set, including
# password, sniff and sensitive. The scripts are created with
# dont-require-permissions=no, so an entry presumably needs at least the
# policies its script declares; to apply least privilege, trim the policy
# list on the script and on its scheduler entry together, then test.
/system scheduler
add comment="REINICIO AUTOMATICO CADA 10 DIAS 6 A.M." disabled=yes interval=\
1w3d name=reinicio on-event=reinicio policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=06:00:00
add comment="BACKUP ULTIMAS 12 HORAS" disabled=yes interval=12h name=\
sched_backup-12h on-event=backup-12h policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
# Unattended RouterOS upgrade check, once a day.
add comment="AUTO ACTUALIZAR" interval=1d name=autoUpdate on-event=autoUpdate \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=05:50:00
# Daily configuration export sent by e-mail.
add comment="EXPORT AL CORREO" interval=1d name=export_mail on-event=\
export_mail policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=05:31:00
# Daily check that reboots the router when a RouterBOOT upgrade is pending.
add comment="REINICIO AUTOMATICO PARA ACTUALIZAR ROUTERBOOT" interval=1d \
name=reinicioRouterboot on-event=autoRouterboot policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=06:05:00
# Daily binary backup sent by e-mail.
add comment="BACKUP AL EMAIL" interval=1d name=backup_email on-event=\
backup_mail policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=05:30:00
# Scripts run by the scheduler entries. All are owned by "socada" and declare
# nearly the full policy set, whatever the script actually does.
/system script
# reinicio: send a notification e-mail, log it, then reboot the router.
add dont-require-permissions=no name=reinicio owner=socada policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{/tool \
e-mail send to=\"socada.2@gmail.com\" subject=([/system identity get name]\
\_. [/system clock get time].\" Iniciando reinicio\") ; :log info \"Reinic\
io e-mail sent.\"; /system reboot;}\r\
\n"
# backup-12h: overwrite the local backup file "last12h" and log it.
add dont-require-permissions=no name=backup-12h owner=socada policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system\
\_backup save name=last12h\r\
\n:log info \"## Backup last12h Updated\""
# backup_mail: save a binary backup named "email" and send email.backup to an
# external mailbox.
# NOTE(review): no password= is given to "backup save"; on this RouterOS
# release that is understood to produce an unencrypted backup - confirm. A
# backup holds the router's users and secrets, so set password= and check
# that /tool e-mail (not visible here) uses TLS.
add dont-require-permissions=no name=backup_mail owner=socada policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
/system backup save name=email;\r\
\n/tool e-mail send to=\"socada.2@gmail.com\" subject=([/system identity g\
et name] . \" \" . [/system clock get time].\" backup\") file=email.backup\
;\r\
\n:log info \"Backup e-mail sent.\"; }"
# autoUpdate: check for a new RouterOS version and install it when one is
# reported. No version pinning or maintenance-window check is done here.
add dont-require-permissions=no name=autoUpdate owner=socada policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
system package update\r\
\ncheck-for-updates once\r\
\n:delay 1s;\r\
\n:if ( [get status] = \"New version is available\") do={ install }"
# export_mail: write the configuration to export.rsc and e-mail it.
# NOTE(review): /export is called without hide-sensitive, so on this RouterOS
# release the file presumably contains shared secrets and keys in clear
# text - confirm, and add hide-sensitive if the mailed copy is only a
# reference copy.
add dont-require-permissions=no name=export_mail owner=socada policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
/export file=export;\r\
\n/tool e-mail send to=\"socada.2@gmail.com\" subject=([/system identity g\
et name] . \" \" . [/system clock get time].\" export\") file=export.rsc;\
\r\
\n:log info \"Export e-mail sent.\"; }"
# autoRouterboot: reboot after 30s when current-firmware differs from
# upgrade-firmware, otherwise log "No update.".
add dont-require-permissions=no name=autoRouterboot owner=socada policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log info \"Checking firmware...\";\r\
\n/system routerboard\r\
\n:if ([get current-firmware] != [get upgrade-firmware]) do={\r\
\n :delay 30s\r\
\n /system reboot\r\
\n } else={\r\
\n :log info \"No update.\"\r\
\n }"
# voipreset: remove tracked SIP connections that are not assured. No
# scheduler entry in this section refers to it.
add dont-require-permissions=no name=voipreset owner=socada policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
ip firewall connection remove [/ip firewall connection find where connecti\
on-type=sip and assured=no] "
# The hardware watchdog timer is turned off.
/system watchdog
set watchdog-timer=no
Thanks for the help.