Primeiro Commit - Backup Mikrotik

Git SFTP
2025-12-08 12:05:06 -03:00
commit c1182721ac
20 changed files with 7443 additions and 0 deletions

Binary file not shown.


@@ -0,0 +1,488 @@
# 2025-12-03 14:25:33 by RouterOS 7.18.2
# software id = 1MXX-5Y0X
#
# model = CCR2004-16G-2S+
# serial number = HG809WX52HQ
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] advertise="10M-baseT-full,100M-baseT-fu\
ll,1G-baseT-full,1G-baseX,10G-baseT,10G-baseSR-LR,10G-baseCR"
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=sfp-sfpplus1 name=0024-GERENCIA-L2 vlan-id=24
add interface=sfp-sfpplus1 name=0025-VoIP-TR69 vlan-id=25
add interface=sfp-sfpplus1 name=0030-TIP-IXC vlan-id=30
add interface=sfp-sfpplus1 name=0041-Servicos-IPv4 vlan-id=41
add interface=sfp-sfpplus1 name=0124-GERENCIA-L3 vlan-id=124
add interface=sfp-sfpplus1 name=0610-Servicos-IPv6 vlan-id=610
add interface=sfp-sfpplus1 name=1441-itx-sw-hw-03 vlan-id=1441
add interface=sfp-sfpplus1 name=2133-OSPF-B1 vlan-id=2133
add interface=sfp-sfpplus1 name=2233-OSPF-B2 vlan-id=2233
/interface list
add name=OSPFv3
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=43 name=acs_ip value="0x011F'http://acs.fixfibra.com.br:7547'"
/ip dhcp-server option sets
add name=acs_ip options=acs_ip
/ip pool
add name=TR69 ranges=10.25.0.50-10.25.63.200
add name=pool1 ranges=198.18.0.1-198.18.0.4
/ip dhcp-server
add address-pool=TR69 dhcp-option-set=acs_ip interface=0025-VoIP-TR69 \
lease-time=1d name=025-Gestao_TR69
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes local-address=10.0.24.35 name=L2VPN remote-address=\
pool1 use-encryption=yes use-ipv6=no use-mpls=no
/routing id
add disabled=no id=10.0.24.34 name=OSPF select-dynamic-id=only-static
/routing ospf instance
add disabled=no name=ospf out-filter-chain=OSPF-OUT redistribute=\
connected,static
add disabled=no name=ospfv3 out-filter-chain=OSPFv3-OUT redistribute=\
connected version=3
/routing ospf area
add disabled=no instance=ospf name=ospf-area-0
add disabled=no instance=ospfv3 name=ospfv3-area-0
/snmp community
set [ find default=yes ] addresses=10.0.0.0/8 name=ctcorp-lan
/system logging action
set 3 target=echo
add name=Gray remote=10.0.24.69 remote-log-format=syslog src-address=\
10.0.24.35 target=remote
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=12h udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2VPN enabled=yes max-mru=1500 \
max-mtu=1500 use-ipsec=yes
/interface list member
add interface=2133-OSPF-B1 list=OSPFv3
add interface=2233-OSPF-B2 list=OSPFv3
add interface=0024-GERENCIA-L2 list=LAN
add interface=0124-GERENCIA-L3 list=LAN
add interface=0025-VoIP-TR69 list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:4C:24:17:C5:80 name=ovpn-server1
/ip address
add address=10.0.24.35/24 comment="## MGNT L2" interface=0024-GERENCIA-L2 \
network=10.0.24.0
add address=10.1.21.34/30 comment="### OSPF -VS01" interface=2133-OSPF-B1 \
network=10.1.21.32
add address=10.1.22.34/30 comment="### OSPF -VS02" interface=2233-OSPF-B2 \
network=10.1.22.32
add address=45.228.244.9/29 comment="## POOL - TIP e IXC" interface=\
0030-TIP-IXC network=45.228.244.8
add address=10.25.0.35/18 comment="## GATEWAY VoIP E TR069" interface=\
0025-VoIP-TR69 network=10.25.0.0
add address=45.228.244.97/27 comment="### GTW 0041" interface=\
0041-Servicos-IPv4 network=45.228.244.96
add address=10.1.24.35/24 interface=0124-GERENCIA-L3 network=10.1.24.0
add address=45.228.244.31 comment="### LOOPBACK" interface=lo network=\
45.228.244.31
add address=10.0.5.5/30 comment="### OSPF - SWCORE" interface=\
1441-itx-sw-hw-03 network=10.0.5.4
add address=45.228.244.30 comment="### LOOPBACK" interface=lo network=\
45.228.244.30
/ip dhcp-server network
add address=10.25.0.0/18 dhcp-option=acs_ip gateway=10.25.0.35
/ip dns
set servers=45.228.244.121,45.228.246.122
/ip firewall address-list
add address=10.0.0.0/8 comment="REDE INTERNA" list=rede_local
add address=10.25.0.0/18 comment="REDE VOZ" list=rede_local
add address=198.18.0.1 list=POOL-GERENCIA
add address=198.18.0.2 list=POOL-GERENCIA
add address=198.18.0.3 list=POOL-GERENCIA
add address=198.18.0.4 list=POOL-GERENCIA
add address=100.64.0.0/10 comment=CGNAT list=rede_local
add address=45.228.244.4 list=ACPT-INPUT
add address=10.1.24.0/24 list=ACPT-INPUT
add address=45.228.246.4 list=ACPT-INPUT
add address=10.0.24.0/24 list=ACPT-INPUT
add address=10.1.21.32/30 list=ACPT-INPUT
add address=10.1.22.32/30 list=ACPT-INPUT
add address=10.25.0.0/18 list=ACPT-INPUT
add address=45.228.244.8/29 list=ACPT-INPUT
add address=45.228.244.96/27 list=ACPT-INPUT
add address=45.228.244.121 list=DNS-SERVERs
add address=45.228.246.122 list=DNS-SERVERs
add address=45.228.244.101 list=DNS-SERVERs
add address=45.228.246.102 list=DNS-SERVERs
add address=45.228.244.96/27 list=zabbix-agent
add address=45.228.246.96/27 list=zabbix-agent
add address=45.228.244.101 list=CWPs
add address=45.228.246.102 list=CWPs
add address=10.25.0.25 list=GeniACS
add address=45.228.246.105 list=GeniACS
add address=45.228.244.10 list=Zeus
add address=45.228.244.12 list=Zeus
add address=45.228.244.11 list=Zeus
add address=45.228.244.8/29 list=SERVIDORES
add address=45.228.244.4 disabled=yes list=CONFIAVEIS
add address=10.1.24.0/24 list=CONFIAVEIS
add address=45.228.246.4 disabled=yes list=CONFIAVEIS
add address=10.0.24.0/24 list=CONFIAVEIS
add address=10.25.0.0/18 list=CONFIAVEIS
add address=45.228.244.8/29 disabled=yes list=CONFIAVEIS
add address=45.228.244.96/27 disabled=yes list=CONFIAVEIS
add address=45.228.244.8/29 list=0030-SERVIDORES
add address=45.228.246.96/27 disabled=yes list=CONFIAVEIS
add address=100.64.0.0/10 list=CONFIAVEIS
add address=45.228.244.96/27 list=SERVIDORES
add address=10.64.69.0/30 list=CONFIAVEIS
add address=10.0.24.0/24 list=LOCAL-VPN-NAT
add address=198.18.0.0/30 list=LOCAL-VPN-NAT
add address=10.0.5.4/30 list=ACPT-INPUT
add address=45.228.244.0/22 list=BLOCO-FIX
add address=45.228.246.96/27 list=SERVIDORES
add address=45.228.246.100 list=DNS-SERVERs
add address=45.228.245.0/24 list=ACS-CPEs
add address=45.228.247.0/24 list=ACS-CPEs
add address=10.25.0.0/18 list=ACS-CPEs
add address=45.228.244.0/22 list=CONFIAVEIS
add address=10.0.13.0/24 list=CONFIAVEIS
add address=45.228.244.30 list=SERVIDORES
add address=100.64.0.0/10 list=ACPT-INPUT
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Permit - ICMP Protocol" protocol=\
icmp
add action=accept chain=input comment="Permit - ICMP" protocol=icmp
add action=accept chain=input comment="Permit - OSPF Protocol" \
in-interface-list=OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - IPsec Ports" dst-port=\
500,4500,1701 protocol=udp
add action=accept chain=input comment="Permit - IPsec Protocol" protocol=\
ipsec-esp
add action=accept chain=forward comment="Permit - Upload Src" \
src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=tcp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=udp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - NTPSec" dst-address-list=\
DNS-SERVERs dst-port=123 log-prefix=ntp- protocol=udp src-address-list=\
CONFIAVEIS
add action=accept chain=forward comment="Permit - TCP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Permit - UDP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=udp
add action=accept chain=forward comment="Permit - TCP ACS" dst-address-list=\
GeniACS dst-port=7547 log-prefix=ACS- protocol=tcp src-address-list=\
ACS-CPEs
add action=accept chain=forward comment="Permit - UDP ACS" dst-address-list=\
GeniACS dst-port=7547 protocol=udp src-address-list=ACS-CPEs
add action=accept chain=forward comment="Permit -TCP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001 protocol=tcp
add action=accept chain=forward comment="Permit - UDP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001,3478,5514,8443,8080 \
protocol=udp
add action=accept chain=forward comment="Permit - UniFi NATed (TCP)" \
dst-address=10.0.24.145 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=forward comment="Permit - UniFi NATed (UDP)" \
dst-address=10.0.24.145 dst-port=123,3478,5514 protocol=udp
add action=accept chain=forward comment="Permit - Servicos" dst-address-list=\
SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - VLAN0030 All" \
dst-address-list=0030-SERVIDORES
add action=accept chain=input comment="Permit - Estab and Related" \
connection-state=established,related
add action=accept chain=input comment="Permit - L2TP Protocol" protocol=l2tp
add action=accept chain=input comment="Permit - DHCP Protocol" dst-port=67-68 \
in-interface=0025-VoIP-TR69 log-prefix=DHCP- protocol=udp
add action=accept chain=input comment="Permit - Unifi (TCP)" dst-address=\
45.228.244.30 dst-port=8443 protocol=tcp
add action=accept chain=input comment="Permit - Winbox Service" dst-port=8292 \
protocol=tcp src-address-list=ACPT-INPUT
add action=accept chain=input comment="Permit - Unifi (TCP) - External" \
dst-address=45.228.244.30 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=input comment="Permit - Unifi (UDP) - External" \
dst-address=45.228.244.30 dst-port=123,3478,5514 protocol=udp
add action=accept chain=input comment="Permit - Trusted" log-prefix=input- \
src-address-list=ACPT-INPUT
add action=accept chain=forward dst-address-list=CWPs
add action=drop chain=forward log-prefix=Drop-Ford-all-
add action=drop chain=input comment="DROP - GERAL" log-prefix=drop-input-
/ip firewall nat
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,443,6789,8080,8880,8843,8443 protocol=tcp \
to-addresses=10.0.24.145
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,3478 protocol=udp to-addresses=10.0.24.145
add action=src-nat chain=srcnat comment="UniFI - OUT" src-address=10.0.24.145 \
to-addresses=45.228.244.30
add action=src-nat chain=srcnat comment="Default NAT - VLAN 24" dst-address=\
!10.0.0.0/8 protocol=!ospf src-address-list=LOCAL-VPN-NAT to-addresses=\
45.228.244.31
add action=src-nat chain=srcnat comment=\
"#### NAT DA VPN PARA ACESSO A GERENCIA 10.0.24.0/24" dst-address=\
10.0.24.0/24 src-address-list=POOL-GERENCIA to-addresses=10.0.24.35
add action=src-nat chain=srcnat comment="## Regra UPDATE" disabled=yes \
dst-address=!10.0.0.0/8 protocol=!ospf to-addresses=45.228.244.31
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.8/29 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.16/28 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.64/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.96/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.0.13.0/24 gateway=10.0.24.23 routing-table=\
main suppress-hw-offload=no
/ipv6 route
add blackhole disabled=no distance=255 dst-address=2804:47e4:8002::/64 \
gateway="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add blackhole disabled=no distance=255 dst-address=2804:47e4:1::/64 gateway=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet address=10.0.0.0/8 disabled=yes port=2323
set ftp disabled=yes
set www address=2804:47e4:8c0::/48 disabled=yes port=8080
set ssh disabled=yes port=9022
set api address=10.0.0.0/8 disabled=yes
set winbox address=\
45.228.244.0/22,10.0.0.0/8,198.18.0.0/30,2804:47e4:8c0::/48 port=8292
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc,null forwarding-enabled=remote
/ip traffic-flow
set cache-entries=64k interfaces=2233-OSPF-B2
/ip traffic-flow target
add dst-address=10.0.24.128 port=9996 src-address=10.0.24.33 version=5
/ip upnp
set show-dummy-rule=no
/ipv6 address
add address=2804:47e4:0:1::12/126 advertise=no interface=2133-OSPF-B1
add address=2804:47e4:8000:1::12/126 advertise=no interface=2233-OSPF-B2
add address=2804:47e4:1::35 advertise=no comment=\
"# # Desativar o Advertase e depois desativar ND | BUG com Firewall" \
interface=0610-Servicos-IPv6
add address=2804:47e4:0:1::25/126 advertise=no interface=0024-GERENCIA-L2
/ipv6 firewall address-list
add address=2804:47e4::/32 list=FIX-MeuBloco
add address=2804:47e4:1::141/128 list=ACL-hosepdage
add address=2804:47e4:8002::142/128 list=ACL-hosepdage
add address=2804:47e4:1::125/128 list=ACL-hosepdage
add address=2804:47e4:1::122/128 list=ACL-hosepdage
add address=2804:47e4::/32 list=CONFIAVEIS
add address=2804:47e4:8002::/64 list=SERVIDORES
add address=2804:47e4:1::/64 list=SERVIDORES
add address=2804:47e4:1::120/128 list=DNS-SERVER
add address=2804:47e4:8002::124/128 list=DNS-SERVER
add address=2804:47e4:0:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8000:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8002::230/128 list=DNS-SERVER
add address=2804:47e4:8002::145/128 list=ACL-hosepdage
/ipv6 firewall filter
add action=accept chain=forward comment="Permit - ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="Permit - Established, related" \
connection-state=established,related
add action=accept chain=forward comment="Permit - DNS (udp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=udp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - DNS (tcp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=tcp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - Upload" src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - All (excecao)" \
dst-address-list=ACL-hosepdage
add action=accept chain=forward comment="Permit - Web (tcp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,6789,8080,8443,8880 \
protocol=tcp
add action=accept chain=forward comment="Permit - Servicos (all)" \
dst-address-list=SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - Web (udp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,8080,8443,8880 \
protocol=udp
add action=accept chain=input comment=ICMPV6 protocol=icmpv6
add action=accept chain=input comment="Permit - OSFPv3" in-interface-list=\
OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - Link Local" src-address=\
fe80::/10
add action=accept chain=input comment="Permit - Winbox" dst-port=8292 \
protocol=tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - SSH" dst-port=9022 protocol=\
tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - input - estab, related" \
connection-state=established,related
add action=drop chain=forward comment="Drop - All" log-prefix=telic-
add action=drop chain=input log-prefix=drop-input-
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=0610-Servicos-IPv6 \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=2233-OSPF-B2 managed-address-configuration=yes
add advertise-dns=no interface=2133-OSPF-B1 managed-address-configuration=yes
/ppp aaa
set use-radius=yes
/ppp secret
add name=andrefix profile=L2VPN service=l2tp
add name=danielfix profile=L2VPN service=l2tp
/radius
add address=10.1.24.138 service=login src-address=10.1.24.35
/radius incoming
set accept=yes
/routing bfd configuration
add disabled=yes interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing filter rule
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.8/29 && dst-len > 29) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.16/28 && dst-len > 28) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.96/27 && dst-len > 27) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 10.25.0.0/18 && dst-len > 18) {reject} else {accept}"
add chain=OSPFv3-OUT disabled=no rule=\
"if (dst in 2804:47e4:1::/64 && dst-len > 64) {reject} else {accept}"
/routing ospf area range
add area=ospf-area-0 disabled=no prefix=10.25.0.0/18
add area=ospf-area-0 disabled=no prefix=45.228.244.96/27
add area=ospf-area-0 disabled=no prefix=45.228.244.16/28
add area=ospf-area-0 disabled=no prefix=45.228.244.8/29
/routing ospf interface-template
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=20 disabled=no \
interfaces=2133-OSPF-B1 networks=10.1.21.32/30 priority=1 type=ptp
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=100 disabled=no \
interfaces=2233-OSPF-B2 networks=10.1.22.32/30 priority=1 type=ptp
add area=ospfv3-area-0 cost=20 disabled=no interfaces=2133-OSPF-B1 priority=1 \
type=ptp
add area=ospfv3-area-0 cost=100 disabled=no interfaces=2233-OSPF-B2 priority=\
1 type=ptp
add area=ospf-area-0 disabled=no interfaces=all passive
add area=ospfv3-area-0 disabled=no interfaces=all passive
/snmp
set contact="FIX FIBRA" enabled=yes location=\
"\"R. Presidente Prudente, 496,Diadema,SP,BR\"" trap-version=2
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=NAT01-CCR2004
/system logging
set 0 topics=info,!dhcp
add action=echo disabled=yes prefix=test_ topics=\
debug,dhcp,!radvd,!dhcp,!ospf
add action=echo disabled=yes prefix=Firewall topics=debug,!radvd,!snmp
add action=Gray prefix=CRI topics=critical
add action=Gray prefix=BK topics=backup
add action=Gray prefix=INFO topics=info
add action=Gray prefix=WARM topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.24.124
add address=200.20.186.76
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add name=atualizacao on-event="/system reboot" policy=reboot start-date=\
2025-03-18 start-time=05:30:50
/system script
add dont-require-permissions=yes name=backup-ftp owner=telicfix policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log warning \"***************************************\"\r\
\n# Conex\E3o FTP\r\
\n:global host 10.0.24.137\r\
\n:global usuario backups\r\
\n:global senha backups@fixfibra2@\r\
\n:global diretorio /SFTP/backups/mikrotik/router/\r\
\n# Pega o nome do Router\r\
\n:global identifica [/system identity get name]\r\
\n# Gera data no formato AAAA-MM-DD\r\
\n:global data [/system clock get date]\r\
\n:global ano [:pick \$data 0 4]\r\
\n:global mes [:pick \$data 5 7]\r\
\n:global dia [:pick \$data 8 10]\r\
\n\r\
\n:log info \"Gerando backup: \$dia-\$mes-\$ano.\$identifica.backup\";\r\
\n/system backup save name=\"\$dia-\$mes-\$ano.\$identifica\";\r\
\n:log info \"Gerando export: \$dia-\$mes-\$ano.\$identifica.rsc\";\r\
\n/export file=\"\$dia-\$mes-\$ano.\$identifica\"\r\
\n:log info \"Processando...\";\r\
\n:delay 5s\r\
\n:log info \"Conectando FTP Server...\";\r\
\n:log info \"Enviando Backup [\$dia-\$mes-\$ano.\$identifica.backup] ...\
\";\r\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.bac\
kup\" user=\"\$usuario\" password=\"\$senha\" port=21 upload=yes mode=ftp \
dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.backup\"\r\
\n:log info \"Enviando Export [\$dia-\$mes-\$ano.\$identifica.rsc] ...\";\
\r\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.rsc\
\" user=\"\$usuario\" password=\"\$senha\" port=21 upload=yes mode=ftp dst\
-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.rsc\"\r\
\n:delay 1\r\
\n:log info \"Backup enviado com sucesso...\";\r\
\n:log info \"Removendo arquivos...\";\r\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.backup\"\r\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.rsc\"\r\
\n:log info \"Rotina de backup finalizada...\";\r\
\n:log warning \"***************************************\";"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from=noc.fix@fixfibra.com. port=587 server=smtp.gmail.com user=\
noc.fix@fixfibra.com.b
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=static
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
/user aaa
set use-radius=yes
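Review bot: This export commits live secrets in clear text: the `backup-ftp` script under `/system script` embeds the FTP account password in its `:global senha` line, and both IPv4 entries under `/routing ospf interface-template` carry a short numeric `auth-key` with `auth=md5`. Anything pushed to the repository should be treated as disclosed, so these values need rotating on the devices, and the file should be scrubbed or regenerated before it stays in history; the second export on this page probably repeats them, though those lines are outside the visible part. The script also uploads the binary backup and the `.rsc` over plain FTP (`mode=ftp port=21`), which sends that password and the full configuration unencrypted; `mode=sftp port=22` on the two `/tool fetch` calls would avoid this if the backup host offers SFTP. Separately, `/ip ssh set ciphers=` lists `null` and `3des-cbc`, which are worth dropping even while the SSH service is disabled.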

Binary file not shown.


@@ -0,0 +1,492 @@
# 2025-12-04 15:28:42 by RouterOS 7.18.2
# software id = 1MXX-5Y0X
#
# model = CCR2004-16G-2S+
# serial number = HG809WX52HQ
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] advertise="10M-baseT-full,100M-baseT-fu\
ll,1G-baseT-full,1G-baseX,10G-baseT,10G-baseSR-LR,10G-baseCR"
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=sfp-sfpplus1 name=0024-GERENCIA-L2 vlan-id=24
add interface=sfp-sfpplus1 name=0025-VoIP-TR69 vlan-id=25
add interface=sfp-sfpplus1 name=0030-TIP-IXC vlan-id=30
add interface=sfp-sfpplus1 name=0041-Servicos-IPv4 vlan-id=41
add interface=sfp-sfpplus1 name=0124-GERENCIA-L3 vlan-id=124
add interface=sfp-sfpplus1 name=0610-Servicos-IPv6 vlan-id=610
add interface=sfp-sfpplus1 name=1441-itx-sw-hw-03 vlan-id=1441
add interface=sfp-sfpplus1 name=2133-OSPF-B1 vlan-id=2133
add interface=sfp-sfpplus1 name=2233-OSPF-B2 vlan-id=2233
/interface list
add name=OSPFv3
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=43 name=acs_ip value="0x011F'http://acs.fixfibra.com.br:7547'"
/ip dhcp-server option sets
add name=acs_ip options=acs_ip
/ip pool
add name=TR69 ranges=10.25.0.50-10.25.63.200
add name=pool1 ranges=198.18.0.1-198.18.0.4
/ip dhcp-server
add address-pool=TR69 dhcp-option-set=acs_ip interface=0025-VoIP-TR69 \
lease-time=1d name=025-Gestao_TR69
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes local-address=10.0.24.35 name=L2VPN remote-address=\
pool1 use-encryption=yes use-ipv6=no use-mpls=no
/routing id
add disabled=no id=10.0.24.34 name=OSPF select-dynamic-id=only-static
/routing ospf instance
add disabled=no name=ospf out-filter-chain=OSPF-OUT redistribute=\
connected,static
add disabled=no name=ospfv3 out-filter-chain=OSPFv3-OUT redistribute=\
connected version=3
/routing ospf area
add disabled=no instance=ospf name=ospf-area-0
add disabled=no instance=ospfv3 name=ospfv3-area-0
/snmp community
set [ find default=yes ] addresses=10.0.0.0/8 name=ctcorp-lan
/system logging action
set 3 target=echo
add name=Gray remote=10.0.24.69 remote-log-format=syslog src-address=\
10.0.24.35 target=remote
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=12h udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2VPN enabled=yes max-mru=1500 \
max-mtu=1500 use-ipsec=yes
/interface list member
add interface=2133-OSPF-B1 list=OSPFv3
add interface=2233-OSPF-B2 list=OSPFv3
add interface=0024-GERENCIA-L2 list=LAN
add interface=0124-GERENCIA-L3 list=LAN
add interface=0025-VoIP-TR69 list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:4C:24:17:C5:80 name=ovpn-server1
/ip address
add address=10.0.24.35/24 comment="## MGNT L2" interface=0024-GERENCIA-L2 \
network=10.0.24.0
add address=10.1.21.34/30 comment="### OSPF -VS01" interface=2133-OSPF-B1 \
network=10.1.21.32
add address=10.1.22.34/30 comment="### OSPF -VS02" interface=2233-OSPF-B2 \
network=10.1.22.32
add address=45.228.244.9/29 comment="## POOL - TIP e IXC" interface=\
0030-TIP-IXC network=45.228.244.8
add address=10.25.0.35/18 comment="## GATEWAY VoIP E TR069" interface=\
0025-VoIP-TR69 network=10.25.0.0
add address=45.228.244.97/27 comment="### GTW 0041" interface=\
0041-Servicos-IPv4 network=45.228.244.96
add address=10.1.24.35/24 interface=0124-GERENCIA-L3 network=10.1.24.0
add address=45.228.244.31 comment="### LOOPBACK" interface=lo network=\
45.228.244.31
add address=10.0.5.5/30 comment="### OSPF - SWCORE" interface=\
1441-itx-sw-hw-03 network=10.0.5.4
add address=45.228.244.30 comment="### LOOPBACK" interface=lo network=\
45.228.244.30
/ip dhcp-server network
add address=10.25.0.0/18 dhcp-option=acs_ip gateway=10.25.0.35
/ip dns
set servers=45.228.244.121,45.228.246.122
/ip firewall address-list
add address=10.0.0.0/8 comment="REDE INTERNA" list=rede_local
add address=10.25.0.0/18 comment="REDE VOZ" list=rede_local
add address=198.18.0.1 list=POOL-GERENCIA
add address=198.18.0.2 list=POOL-GERENCIA
add address=198.18.0.3 list=POOL-GERENCIA
add address=198.18.0.4 list=POOL-GERENCIA
add address=100.64.0.0/10 comment=CGNAT list=rede_local
add address=45.228.244.4 list=ACPT-INPUT
add address=10.1.24.0/24 list=ACPT-INPUT
add address=45.228.246.4 list=ACPT-INPUT
add address=10.0.24.0/24 list=ACPT-INPUT
add address=10.1.21.32/30 list=ACPT-INPUT
add address=10.1.22.32/30 list=ACPT-INPUT
add address=10.25.0.0/18 list=ACPT-INPUT
add address=45.228.244.8/29 list=ACPT-INPUT
add address=45.228.244.96/27 list=ACPT-INPUT
add address=45.228.244.121 list=DNS-SERVERs
add address=45.228.246.122 list=DNS-SERVERs
add address=45.228.244.101 list=DNS-SERVERs
add address=45.228.246.102 list=DNS-SERVERs
add address=45.228.244.96/27 list=zabbix-agent
add address=45.228.246.96/27 list=zabbix-agent
add address=45.228.244.101 list=CWPs
add address=45.228.246.102 list=CWPs
add address=10.25.0.25 list=GeniACS
add address=45.228.246.105 list=GeniACS
add address=45.228.244.10 list=Zeus
add address=45.228.244.12 list=Zeus
add address=45.228.244.11 list=Zeus
add address=45.228.244.8/29 list=SERVIDORES
add address=45.228.244.4 disabled=yes list=CONFIAVEIS
add address=10.1.24.0/24 list=CONFIAVEIS
add address=45.228.246.4 disabled=yes list=CONFIAVEIS
add address=10.0.24.0/24 list=CONFIAVEIS
add address=10.25.0.0/18 list=CONFIAVEIS
add address=45.228.244.8/29 disabled=yes list=CONFIAVEIS
add address=45.228.244.96/27 disabled=yes list=CONFIAVEIS
add address=45.228.244.8/29 list=0030-SERVIDORES
add address=45.228.246.96/27 disabled=yes list=CONFIAVEIS
add address=100.64.0.0/10 list=CONFIAVEIS
add address=45.228.244.96/27 list=SERVIDORES
add address=10.64.69.0/30 list=CONFIAVEIS
add address=10.0.24.0/24 list=LOCAL-VPN-NAT
add address=198.18.0.0/30 list=LOCAL-VPN-NAT
add address=10.0.5.4/30 list=ACPT-INPUT
add address=45.228.244.0/22 list=BLOCO-FIX
add address=45.228.246.96/27 list=SERVIDORES
add address=45.228.246.100 list=DNS-SERVERs
add address=45.228.245.0/24 list=ACS-CPEs
add address=45.228.247.0/24 list=ACS-CPEs
add address=10.25.0.0/18 list=ACS-CPEs
add address=45.228.244.0/22 list=CONFIAVEIS
add address=10.0.13.0/24 list=CONFIAVEIS
add address=45.228.244.30 list=SERVIDORES
add address=100.64.0.0/10 list=ACPT-INPUT
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Permit - ICMP Protocol" protocol=\
icmp
add action=accept chain=input comment="Permit - ICMP" protocol=icmp
add action=accept chain=input comment="Permit - OSPF Protocol" \
in-interface-list=OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - IPsec Ports" dst-port=\
500,4500,1701 protocol=udp
add action=accept chain=input comment="Permit - IPsec Protocol" protocol=\
ipsec-esp
add action=accept chain=forward comment="Permit - Upload Src" \
src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=tcp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=udp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - NTPSec" dst-address-list=\
DNS-SERVERs dst-port=123 log-prefix=ntp- protocol=udp src-address-list=\
CONFIAVEIS
add action=accept chain=forward comment="Permit - TCP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Permit - UDP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=udp
add action=accept chain=forward comment="Permit - TCP ACS" dst-address-list=\
GeniACS dst-port=7547 log-prefix=ACS- protocol=tcp src-address-list=\
ACS-CPEs
add action=accept chain=forward comment="Permit - UDP ACS" dst-address-list=\
GeniACS dst-port=7547 protocol=udp src-address-list=ACS-CPEs
add action=accept chain=forward comment="Permit -TCP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001 protocol=tcp
add action=accept chain=forward comment="Permit - UDP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001,3478,5514,8443,8080 \
protocol=udp
add action=accept chain=forward comment="Permit - UniFi NATed (TCP)" \
dst-address=10.0.24.145 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=forward comment="Permit - UniFi NATed (UDP)" \
dst-address=10.0.24.145 dst-port=123,3478,5514 protocol=udp
add action=accept chain=forward comment="Permit - Servicos" dst-address-list=\
SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - VLAN0030 All" \
dst-address-list=0030-SERVIDORES
add action=accept chain=input comment="Permit - Estab and Related" \
connection-state=established,related
add action=accept chain=input comment="Permit - L2TP Protocol" protocol=l2tp
add action=accept chain=input comment="Permit - DHCP Protocol" dst-port=67-68 \
in-interface=0025-VoIP-TR69 log-prefix=DHCP- protocol=udp
add action=accept chain=input comment="Permit - Unifi (TCP)" dst-address=\
45.228.244.30 dst-port=8443 protocol=tcp
add action=accept chain=input comment="Permit - Winbox Service" dst-port=8292 \
protocol=tcp src-address-list=ACPT-INPUT
add action=accept chain=input comment="Permit - Unifi (TCP) - External" \
dst-address=45.228.244.30 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=input comment="Permit - Unifi (UDP) - External" \
dst-address=45.228.244.30 dst-port=123,3478,5514 protocol=udp
add action=accept chain=input comment="Permit - Trusted" log-prefix=input- \
src-address-list=ACPT-INPUT
add action=accept chain=forward dst-address-list=CWPs
add action=drop chain=forward log-prefix=Drop-Ford-all-
add action=drop chain=input comment="DROP - GERAL" log-prefix=drop-input-
/ip firewall nat
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,443,6789,8080,8880,8843,8443 protocol=tcp \
to-addresses=10.0.24.145
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,3478 protocol=udp to-addresses=10.0.24.145
add action=src-nat chain=srcnat comment="UniFI - OUT" src-address=10.0.24.145 \
to-addresses=45.228.244.30
add action=src-nat chain=srcnat comment="Default NAT - VLAN 24" dst-address=\
!10.0.0.0/8 protocol=!ospf src-address-list=LOCAL-VPN-NAT to-addresses=\
45.228.244.31
add action=src-nat chain=srcnat comment=\
"#### NAT DA VPN PARA ACESSO A GERENCIA 10.0.24.0/24" dst-address=\
10.0.24.0/24 src-address-list=POOL-GERENCIA to-addresses=10.0.24.35
add action=src-nat chain=srcnat comment="## Regra UPDATE" disabled=yes \
dst-address=!10.0.0.0/8 protocol=!ospf to-addresses=45.228.244.31
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.8/29 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.16/28 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.64/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.96/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.0.13.0/24 gateway=10.0.24.23 routing-table=\
main suppress-hw-offload=no
/ipv6 route
add blackhole disabled=no distance=255 dst-address=2804:47e4:8002::/64 \
gateway="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add blackhole disabled=no distance=255 dst-address=2804:47e4:1::/64 gateway=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet address=10.0.0.0/8 disabled=yes port=2323
set ftp disabled=yes
set www address=2804:47e4:8c0::/48 disabled=yes port=8080
set ssh disabled=yes port=9022
set api address=10.0.0.0/8 disabled=yes
set winbox address=\
45.228.244.0/22,10.0.0.0/8,198.18.0.0/30,2804:47e4:8c0::/48 port=8292
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc,null forwarding-enabled=remote
/ip traffic-flow
set cache-entries=64k interfaces=2233-OSPF-B2
/ip traffic-flow target
add dst-address=10.0.24.128 port=9996 src-address=10.0.24.33 version=5
/ip upnp
set show-dummy-rule=no
/ipv6 address
add address=2804:47e4:0:1::12/126 advertise=no interface=2133-OSPF-B1
add address=2804:47e4:8000:1::12/126 advertise=no interface=2233-OSPF-B2
add address=2804:47e4:1::35 advertise=no comment=\
"# # Desativar o Advertase e depois desativar ND | BUG com Firewall" \
interface=0610-Servicos-IPv6
add address=2804:47e4:0:1::25/126 advertise=no interface=0024-GERENCIA-L2
/ipv6 firewall address-list
add address=2804:47e4::/32 list=FIX-MeuBloco
add address=2804:47e4:1::141/128 list=ACL-hosepdage
add address=2804:47e4:8002::142/128 list=ACL-hosepdage
add address=2804:47e4:1::125/128 list=ACL-hosepdage
add address=2804:47e4:1::122/128 list=ACL-hosepdage
add address=2804:47e4::/32 list=CONFIAVEIS
add address=2804:47e4:8002::/64 list=SERVIDORES
add address=2804:47e4:1::/64 list=SERVIDORES
add address=2804:47e4:1::120/128 list=DNS-SERVER
add address=2804:47e4:8002::124/128 list=DNS-SERVER
add address=2804:47e4:0:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8000:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8002::230/128 list=DNS-SERVER
add address=2804:47e4:8002::145/128 list=ACL-hosepdage
/ipv6 firewall filter
add action=accept chain=forward comment="Permit - ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="Permit - Established, related" \
connection-state=established,related
add action=accept chain=forward comment="Permit - DNS (udp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=udp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - DNS (tcp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=tcp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - Upload" src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - All (excecao)" \
dst-address-list=ACL-hosepdage
add action=accept chain=forward comment="Permit - Web (tcp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,6789,8080,8443,8880 \
protocol=tcp
add action=accept chain=forward comment="Permit - Servicos (all)" \
dst-address-list=SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - Web (udp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,8080,8443,8880 \
protocol=udp
add action=accept chain=input comment=ICMPV6 protocol=icmpv6
add action=accept chain=input comment="Permit - OSFPv3" in-interface-list=\
OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - Link Local" src-address=\
fe80::/10
add action=accept chain=input comment="Permit - Winbox" dst-port=8292 \
protocol=tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - SSH" dst-port=9022 protocol=\
tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - input - estab, related" \
connection-state=established,related
add action=drop chain=forward comment="Drop - All" log-prefix=telic-
add action=drop chain=input log-prefix=drop-input-
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=0610-Servicos-IPv6 \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=2233-OSPF-B2 managed-address-configuration=yes
add advertise-dns=no interface=2133-OSPF-B1 managed-address-configuration=yes
/ppp aaa
set use-radius=yes
/ppp secret
add name=andrefix profile=L2VPN service=l2tp
add name=danielfix profile=L2VPN service=l2tp
/radius
add address=10.1.24.138 service=login src-address=10.1.24.35
/radius incoming
set accept=yes
/routing bfd configuration
add disabled=yes interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing filter rule
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.8/29 && dst-len > 29) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.16/28 && dst-len > 28) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.96/27 && dst-len > 27) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 10.25.0.0/18 && dst-len > 18) {reject} else {accept}"
add chain=OSPFv3-OUT disabled=no rule=\
"if (dst in 2804:47e4:1::/64 && dst-len > 64) {reject} else {accept}"
/routing ospf area range
add area=ospf-area-0 disabled=no prefix=10.25.0.0/18
add area=ospf-area-0 disabled=no prefix=45.228.244.96/27
add area=ospf-area-0 disabled=no prefix=45.228.244.16/28
add area=ospf-area-0 disabled=no prefix=45.228.244.8/29
/routing ospf interface-template
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=20 disabled=no \
interfaces=2133-OSPF-B1 networks=10.1.21.32/30 priority=1 type=ptp
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=100 disabled=no \
interfaces=2233-OSPF-B2 networks=10.1.22.32/30 priority=1 type=ptp
add area=ospfv3-area-0 cost=20 disabled=no interfaces=2133-OSPF-B1 priority=1 \
type=ptp
add area=ospfv3-area-0 cost=100 disabled=no interfaces=2233-OSPF-B2 priority=\
1 type=ptp
add area=ospf-area-0 disabled=no interfaces=all passive
add area=ospfv3-area-0 disabled=no interfaces=all passive
/snmp
set contact="FIX FIBRA" enabled=yes location=\
"\"R. Presidente Prudente, 496,Diadema,SP,BR\"" trap-version=2
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=NAT01-CCR2004
/system logging
set 0 topics=info,!dhcp
add action=echo disabled=yes prefix=test_ topics=\
debug,dhcp,!radvd,!dhcp,!ospf
add action=echo disabled=yes prefix=Firewall topics=debug,!radvd,!snmp
add action=Gray prefix=CRI topics=critical
add action=Gray prefix=BK topics=backup
add action=Gray prefix=INFO topics=info
add action=Gray prefix=WARM topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.24.124
add address=200.20.186.76
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add name=atualizacao on-event="/system reboot" policy=reboot start-date=\
2025-03-18 start-time=05:30:50
add interval=2d name=backup-ftp on-event=backup-ftp policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2025-12-03 start-time=01:00:00
/system script
add dont-require-permissions=yes name=backup-ftp owner=danielfix policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log warning \"***************************************\"\
\n# Conexao FTP\
\n:global host 2804:47e4:1::137\
\n:global usuario backups\
\n:global senha backups@fixfibra2@\
\n:global diretorio /SFTP/backups/mikrotik/router/\
\n# Pega o nome do Router\
\n:global identifica [/system identity get name]\
\n# Gera data no formato AAAA-MM-DD\
\n:global data [/system clock get date]\
\n:global ano [:pick \$data 0 4]\
\n:global mes [:pick \$data 5 7]\
\n:global dia [:pick \$data 8 10]\
\n\
\n:log info \"Gerando backup: \$dia-\$mes-\$ano.\$identifica.backup\";\
\n/system backup save name=\"\$dia-\$mes-\$ano.\$identifica\";\
\n:log info \"Gerando export: \$dia-\$mes-\$ano.\$identifica.rsc\";\
\n/export file=\"\$dia-\$mes-\$ano.\$identifica\"\
\n:log info \"Processando...\";\
\n:delay 5s\
\n\
\n:log info \"Conectando FTP Server...\";\
\n:log info \"Enviando Backup [\$dia-\$mes-\$ano.\$identifica.backup] ...\
\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.bac\
kup\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sf\
tp dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.backup\"\
\n:log info \"Enviando Export [\$dia-\$mes-\$ano.\$identifica.rsc] ...\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.rsc\
\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sftp \
dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:delay 1\
\n\
\n:log info \"Backup enviado com sucesso...\";\
\n:log info \"Removendo arquivos...\";\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.backup\"\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:log info \"Rotina de backup finalizada...\";\
\n:log warning \"***************************************\";"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from=noc.fix@fixfibra.com. port=587 server=smtp.gmail.com user=\
noc.fix@fixfibra.com.b
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=static
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
/user aaa
set use-radius=yes

Binary file not shown.


@@ -0,0 +1,492 @@
# 2025-12-05 01:00:00 by RouterOS 7.18.2
# software id = 1MXX-5Y0X
#
# model = CCR2004-16G-2S+
# serial number = HG809WX52HQ
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] advertise="10M-baseT-full,100M-baseT-fu\
ll,1G-baseT-full,1G-baseX,10G-baseT,10G-baseSR-LR,10G-baseCR"
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=sfp-sfpplus1 name=0024-GERENCIA-L2 vlan-id=24
add interface=sfp-sfpplus1 name=0025-VoIP-TR69 vlan-id=25
add interface=sfp-sfpplus1 name=0030-TIP-IXC vlan-id=30
add interface=sfp-sfpplus1 name=0041-Servicos-IPv4 vlan-id=41
add interface=sfp-sfpplus1 name=0124-GERENCIA-L3 vlan-id=124
add interface=sfp-sfpplus1 name=0610-Servicos-IPv6 vlan-id=610
add interface=sfp-sfpplus1 name=1441-itx-sw-hw-03 vlan-id=1441
add interface=sfp-sfpplus1 name=2133-OSPF-B1 vlan-id=2133
add interface=sfp-sfpplus1 name=2233-OSPF-B2 vlan-id=2233
/interface list
add name=OSPFv3
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=43 name=acs_ip value="0x011F'http://acs.fixfibra.com.br:7547'"
/ip dhcp-server option sets
add name=acs_ip options=acs_ip
/ip pool
add name=TR69 ranges=10.25.0.50-10.25.63.200
add name=pool1 ranges=198.18.0.1-198.18.0.4
/ip dhcp-server
add address-pool=TR69 dhcp-option-set=acs_ip interface=0025-VoIP-TR69 \
lease-time=1d name=025-Gestao_TR69
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes local-address=10.0.24.35 name=L2VPN remote-address=\
pool1 use-encryption=yes use-ipv6=no use-mpls=no
/routing id
add disabled=no id=10.0.24.34 name=OSPF select-dynamic-id=only-static
/routing ospf instance
add disabled=no name=ospf out-filter-chain=OSPF-OUT redistribute=\
connected,static
add disabled=no name=ospfv3 out-filter-chain=OSPFv3-OUT redistribute=\
connected version=3
/routing ospf area
add disabled=no instance=ospf name=ospf-area-0
add disabled=no instance=ospfv3 name=ospfv3-area-0
/snmp community
set [ find default=yes ] addresses=10.0.0.0/8 name=ctcorp-lan
/system logging action
set 3 target=echo
add name=Gray remote=10.0.24.69 remote-log-format=syslog src-address=\
10.0.24.35 target=remote
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=12h udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2VPN enabled=yes max-mru=1500 \
max-mtu=1500 use-ipsec=yes
/interface list member
add interface=2133-OSPF-B1 list=OSPFv3
add interface=2233-OSPF-B2 list=OSPFv3
add interface=0024-GERENCIA-L2 list=LAN
add interface=0124-GERENCIA-L3 list=LAN
add interface=0025-VoIP-TR69 list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:4C:24:17:C5:80 name=ovpn-server1
/ip address
add address=10.0.24.35/24 comment="## MGNT L2" interface=0024-GERENCIA-L2 \
network=10.0.24.0
add address=10.1.21.34/30 comment="### OSPF -VS01" interface=2133-OSPF-B1 \
network=10.1.21.32
add address=10.1.22.34/30 comment="### OSPF -VS02" interface=2233-OSPF-B2 \
network=10.1.22.32
add address=45.228.244.9/29 comment="## POOL - TIP e IXC" interface=\
0030-TIP-IXC network=45.228.244.8
add address=10.25.0.35/18 comment="## GATEWAY VoIP E TR069" interface=\
0025-VoIP-TR69 network=10.25.0.0
add address=45.228.244.97/27 comment="### GTW 0041" interface=\
0041-Servicos-IPv4 network=45.228.244.96
add address=10.1.24.35/24 interface=0124-GERENCIA-L3 network=10.1.24.0
add address=45.228.244.31 comment="### LOOPBACK" interface=lo network=\
45.228.244.31
add address=10.0.5.5/30 comment="### OSPF - SWCORE" interface=\
1441-itx-sw-hw-03 network=10.0.5.4
add address=45.228.244.30 comment="### LOOPBACK" interface=lo network=\
45.228.244.30
/ip dhcp-server network
add address=10.25.0.0/18 dhcp-option=acs_ip gateway=10.25.0.35
/ip dns
set servers=45.228.244.121,45.228.246.122
/ip firewall address-list
add address=10.0.0.0/8 comment="REDE INTERNA" list=rede_local
add address=10.25.0.0/18 comment="REDE VOZ" list=rede_local
add address=198.18.0.1 list=POOL-GERENCIA
add address=198.18.0.2 list=POOL-GERENCIA
add address=198.18.0.3 list=POOL-GERENCIA
add address=198.18.0.4 list=POOL-GERENCIA
add address=100.64.0.0/10 comment=CGNAT list=rede_local
add address=45.228.244.4 list=ACPT-INPUT
add address=10.1.24.0/24 list=ACPT-INPUT
add address=45.228.246.4 list=ACPT-INPUT
add address=10.0.24.0/24 list=ACPT-INPUT
add address=10.1.21.32/30 list=ACPT-INPUT
add address=10.1.22.32/30 list=ACPT-INPUT
add address=10.25.0.0/18 list=ACPT-INPUT
add address=45.228.244.8/29 list=ACPT-INPUT
add address=45.228.244.96/27 list=ACPT-INPUT
add address=45.228.244.121 list=DNS-SERVERs
add address=45.228.246.122 list=DNS-SERVERs
add address=45.228.244.101 list=DNS-SERVERs
add address=45.228.246.102 list=DNS-SERVERs
add address=45.228.244.96/27 list=zabbix-agent
add address=45.228.246.96/27 list=zabbix-agent
add address=45.228.244.101 list=CWPs
add address=45.228.246.102 list=CWPs
add address=10.25.0.25 list=GeniACS
add address=45.228.246.105 list=GeniACS
add address=45.228.244.10 list=Zeus
add address=45.228.244.12 list=Zeus
add address=45.228.244.11 list=Zeus
add address=45.228.244.8/29 list=SERVIDORES
add address=45.228.244.4 disabled=yes list=CONFIAVEIS
add address=10.1.24.0/24 list=CONFIAVEIS
add address=45.228.246.4 disabled=yes list=CONFIAVEIS
add address=10.0.24.0/24 list=CONFIAVEIS
add address=10.25.0.0/18 list=CONFIAVEIS
add address=45.228.244.8/29 disabled=yes list=CONFIAVEIS
add address=45.228.244.96/27 disabled=yes list=CONFIAVEIS
add address=45.228.244.8/29 list=0030-SERVIDORES
add address=45.228.246.96/27 disabled=yes list=CONFIAVEIS
add address=100.64.0.0/10 list=CONFIAVEIS
add address=45.228.244.96/27 list=SERVIDORES
add address=10.64.69.0/30 list=CONFIAVEIS
add address=10.0.24.0/24 list=LOCAL-VPN-NAT
add address=198.18.0.0/30 list=LOCAL-VPN-NAT
add address=10.0.5.4/30 list=ACPT-INPUT
add address=45.228.244.0/22 list=BLOCO-FIX
add address=45.228.246.96/27 list=SERVIDORES
add address=45.228.246.100 list=DNS-SERVERs
add address=45.228.245.0/24 list=ACS-CPEs
add address=45.228.247.0/24 list=ACS-CPEs
add address=10.25.0.0/18 list=ACS-CPEs
add address=45.228.244.0/22 list=CONFIAVEIS
add address=10.0.13.0/24 list=CONFIAVEIS
add address=45.228.244.30 list=SERVIDORES
add address=100.64.0.0/10 list=ACPT-INPUT
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Permit - ICMP Protocol" protocol=\
icmp
add action=accept chain=input comment="Permit - ICMP" protocol=icmp
add action=accept chain=input comment="Permit - OSPF Protocol" \
in-interface-list=OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - IPsec Ports" dst-port=\
500,4500,1701 protocol=udp
add action=accept chain=input comment="Permit - IPsec Protocol" protocol=\
ipsec-esp
add action=accept chain=forward comment="Permit - Upload Src" \
src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=tcp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=udp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - NTPSec" dst-address-list=\
DNS-SERVERs dst-port=123 log-prefix=ntp- protocol=udp src-address-list=\
CONFIAVEIS
add action=accept chain=forward comment="Permit - TCP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Permit - UDP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=udp
add action=accept chain=forward comment="Permit - TCP ACS" dst-address-list=\
GeniACS dst-port=7547 log-prefix=ACS- protocol=tcp src-address-list=\
ACS-CPEs
add action=accept chain=forward comment="Permit - UDP ACS" dst-address-list=\
GeniACS dst-port=7547 protocol=udp src-address-list=ACS-CPEs
add action=accept chain=forward comment="Permit -TCP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001 protocol=tcp
add action=accept chain=forward comment="Permit - UDP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001,3478,5514,8443,8080 \
protocol=udp
add action=accept chain=forward comment="Permit - UniFi NATed (TCP)" \
dst-address=10.0.24.145 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=forward comment="Permit - UniFi NATed (UDP)" \
dst-address=10.0.24.145 dst-port=123,3478,5514 protocol=udp
add action=accept chain=forward comment="Permit - Servicos" dst-address-list=\
SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - VLAN0030 All" \
dst-address-list=0030-SERVIDORES
add action=accept chain=input comment="Permit - Estab and Related" \
connection-state=established,related
add action=accept chain=input comment="Permit - L2TP Protocol" protocol=l2tp
add action=accept chain=input comment="Permit - DHCP Protocol" dst-port=67-68 \
in-interface=0025-VoIP-TR69 log-prefix=DHCP- protocol=udp
add action=accept chain=input comment="Permit - Unifi (TCP)" dst-address=\
45.228.244.30 dst-port=8443 protocol=tcp
add action=accept chain=input comment="Permit - Winbox Service" dst-port=8292 \
protocol=tcp src-address-list=ACPT-INPUT
add action=accept chain=input comment="Permit - Unifi (TCP) - External" \
dst-address=45.228.244.30 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=input comment="Permit - Unifi (UDP) - External" \
dst-address=45.228.244.30 dst-port=123,3478,5514 protocol=udp
add action=accept chain=input comment="Permit - Trusted" log-prefix=input- \
src-address-list=ACPT-INPUT
add action=accept chain=forward dst-address-list=CWPs
add action=drop chain=forward log-prefix=Drop-Ford-all-
add action=drop chain=input comment="DROP - GERAL" log-prefix=drop-input-
/ip firewall nat
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,443,6789,8080,8880,8843,8443 protocol=tcp \
to-addresses=10.0.24.145
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,3478 protocol=udp to-addresses=10.0.24.145
add action=src-nat chain=srcnat comment="UniFI - OUT" src-address=10.0.24.145 \
to-addresses=45.228.244.30
add action=src-nat chain=srcnat comment="Default NAT - VLAN 24" dst-address=\
!10.0.0.0/8 protocol=!ospf src-address-list=LOCAL-VPN-NAT to-addresses=\
45.228.244.31
add action=src-nat chain=srcnat comment=\
"#### NAT DA VPN PARA ACESSO A GERENCIA 10.0.24.0/24" dst-address=\
10.0.24.0/24 src-address-list=POOL-GERENCIA to-addresses=10.0.24.35
add action=src-nat chain=srcnat comment="## Regra UPDATE" disabled=yes \
dst-address=!10.0.0.0/8 protocol=!ospf to-addresses=45.228.244.31
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.8/29 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.16/28 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.64/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.96/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.0.13.0/24 gateway=10.0.24.23 routing-table=\
main suppress-hw-offload=no
/ipv6 route
add blackhole disabled=no distance=255 dst-address=2804:47e4:8002::/64 \
gateway="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add blackhole disabled=no distance=255 dst-address=2804:47e4:1::/64 gateway=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet address=10.0.0.0/8 disabled=yes port=2323
set ftp disabled=yes
set www address=2804:47e4:8c0::/48 disabled=yes port=8080
set ssh disabled=yes port=9022
set api address=10.0.0.0/8 disabled=yes
set winbox address=\
45.228.244.0/22,10.0.0.0/8,198.18.0.0/30,2804:47e4:8c0::/48 port=8292
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc,null forwarding-enabled=remote
/ip traffic-flow
set cache-entries=64k interfaces=2233-OSPF-B2
/ip traffic-flow target
add dst-address=10.0.24.128 port=9996 src-address=10.0.24.33 version=5
/ip upnp
set show-dummy-rule=no
/ipv6 address
add address=2804:47e4:0:1::12/126 advertise=no interface=2133-OSPF-B1
add address=2804:47e4:8000:1::12/126 advertise=no interface=2233-OSPF-B2
add address=2804:47e4:1::35 advertise=no comment=\
"# # Desativar o Advertase e depois desativar ND | BUG com Firewall" \
interface=0610-Servicos-IPv6
add address=2804:47e4:0:1::25/126 advertise=no interface=0024-GERENCIA-L2
/ipv6 firewall address-list
add address=2804:47e4::/32 list=FIX-MeuBloco
add address=2804:47e4:1::141/128 list=ACL-hosepdage
add address=2804:47e4:8002::142/128 list=ACL-hosepdage
add address=2804:47e4:1::125/128 list=ACL-hosepdage
add address=2804:47e4:1::122/128 list=ACL-hosepdage
add address=2804:47e4::/32 list=CONFIAVEIS
add address=2804:47e4:8002::/64 list=SERVIDORES
add address=2804:47e4:1::/64 list=SERVIDORES
add address=2804:47e4:1::120/128 list=DNS-SERVER
add address=2804:47e4:8002::124/128 list=DNS-SERVER
add address=2804:47e4:0:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8000:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8002::230/128 list=DNS-SERVER
add address=2804:47e4:8002::145/128 list=ACL-hosepdage
/ipv6 firewall filter
add action=accept chain=forward comment="Permit - ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="Permit - Established, related" \
connection-state=established,related
add action=accept chain=forward comment="Permit - DNS (udp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=udp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - DNS (tcp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=tcp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - Upload" src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - All (excecao)" \
dst-address-list=ACL-hosepdage
add action=accept chain=forward comment="Permit - Web (tcp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,6789,8080,8443,8880 \
protocol=tcp
add action=accept chain=forward comment="Permit - Servicos (all)" \
dst-address-list=SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - Web (udp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,8080,8443,8880 \
protocol=udp
add action=accept chain=input comment=ICMPV6 protocol=icmpv6
add action=accept chain=input comment="Permit - OSFPv3" in-interface-list=\
OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - Link Local" src-address=\
fe80::/10
add action=accept chain=input comment="Permit - Winbox" dst-port=8292 \
protocol=tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - SSH" dst-port=9022 protocol=\
tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - input - estab, related" \
connection-state=established,related
add action=drop chain=forward comment="Drop - All" log-prefix=telic-
add action=drop chain=input log-prefix=drop-input-
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=0610-Servicos-IPv6 \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=2233-OSPF-B2 managed-address-configuration=yes
add advertise-dns=no interface=2133-OSPF-B1 managed-address-configuration=yes
/ppp aaa
set use-radius=yes
/ppp secret
add name=andrefix profile=L2VPN service=l2tp
add name=danielfix profile=L2VPN service=l2tp
/radius
add address=10.1.24.138 service=login src-address=10.1.24.35
/radius incoming
set accept=yes
/routing bfd configuration
add disabled=yes interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing filter rule
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.8/29 && dst-len > 29) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.16/28 && dst-len > 28) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.96/27 && dst-len > 27) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 10.25.0.0/18 && dst-len > 18) {reject} else {accept}"
add chain=OSPFv3-OUT disabled=no rule=\
"if (dst in 2804:47e4:1::/64 && dst-len > 64) {reject} else {accept}"
/routing ospf area range
add area=ospf-area-0 disabled=no prefix=10.25.0.0/18
add area=ospf-area-0 disabled=no prefix=45.228.244.96/27
add area=ospf-area-0 disabled=no prefix=45.228.244.16/28
add area=ospf-area-0 disabled=no prefix=45.228.244.8/29
/routing ospf interface-template
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=20 disabled=no \
interfaces=2133-OSPF-B1 networks=10.1.21.32/30 priority=1 type=ptp
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=100 disabled=no \
interfaces=2233-OSPF-B2 networks=10.1.22.32/30 priority=1 type=ptp
add area=ospfv3-area-0 cost=20 disabled=no interfaces=2133-OSPF-B1 priority=1 \
type=ptp
add area=ospfv3-area-0 cost=100 disabled=no interfaces=2233-OSPF-B2 priority=\
1 type=ptp
add area=ospf-area-0 disabled=no interfaces=all passive
add area=ospfv3-area-0 disabled=no interfaces=all passive
/snmp
set contact="FIX FIBRA" enabled=yes location=\
"\"R. Presidente Prudente, 496,Diadema,SP,BR\"" trap-version=2
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=NAT01-CCR2004
/system logging
set 0 topics=info,!dhcp
add action=echo disabled=yes prefix=test_ topics=\
debug,dhcp,!radvd,!dhcp,!ospf
add action=echo disabled=yes prefix=Firewall topics=debug,!radvd,!snmp
add action=Gray prefix=CRI topics=critical
add action=Gray prefix=BK topics=backup
add action=Gray prefix=INFO topics=info
add action=Gray prefix=WARM topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.24.124
add address=200.20.186.76
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add name=atualizacao on-event="/system reboot" policy=reboot start-date=\
2025-03-18 start-time=05:30:50
add interval=2d name=backup-ftp on-event=backup-ftp policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2025-12-03 start-time=01:00:00
/system script
add dont-require-permissions=yes name=backup-ftp owner=danielfix policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log warning \"***************************************\"\
\n# Conexao SFTP\
\n:global host 2804:47e4:1::137\
\n:global usuario backups\
\n:global senha backups@fixfibra2@\
\n:global diretorio /SFTP/backups/mikrotik/router/\
\n# Pega o nome do Router\
\n:global identifica [/system identity get name]\
\n# Gera data no formato AAAA-MM-DD\
\n:global data [/system clock get date]\
\n:global ano [:pick \$data 0 4]\
\n:global mes [:pick \$data 5 7]\
\n:global dia [:pick \$data 8 10]\
\n\
\n:log info \"Gerando backup: \$dia-\$mes-\$ano.\$identifica.backup\";\
\n/system backup save name=\"\$dia-\$mes-\$ano.\$identifica\";\
\n:log info \"Gerando export: \$dia-\$mes-\$ano.\$identifica.rsc\";\
\n/export file=\"\$dia-\$mes-\$ano.\$identifica\"\
\n:log info \"Processando...\";\
\n:delay 5s\
\n\
\n:log info \"Conectando SFTP Server...\";\
\n:log info \"Enviando Backup [\$dia-\$mes-\$ano.\$identifica.backup] ...\
\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.bac\
kup\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sf\
tp dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.backup\"\
\n:log info \"Enviando Export [\$dia-\$mes-\$ano.\$identifica.rsc] ...\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.rsc\
\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sftp \
dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:delay 1\
\n\
\n:log info \"Backup enviado com sucesso...\";\
\n:log info \"Removendo arquivos...\";\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.backup\"\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:log info \"Rotina de backup finalizada...\";\
\n:log warning \"***************************************\";"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from=noc.fix@fixfibra.com. port=587 server=smtp.gmail.com user=\
noc.fix@fixfibra.com.b
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=static
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
/user aaa
set use-radius=yes
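Review bot: The `backup-ftp` entry under `/system script`, near the end of this export, keeps the SFTP account password in clear text in its source (`:global senha …`) next to the backup server's address and port, so committing the file publishes a usable credential. The two `/routing ospf interface-template` lines expose `auth-key=123456` with `auth=md5` in the same way, and the earlier export on this page carries the same lines. Both secrets should be rotated and the stored copies redacted before they are pushed, e.g. `:global senha "<REDACTED>"`. Inside the script, `:local senha` instead of `:global senha` would stop the password from staying in the router's global environment after the run. `dont-require-permissions=yes` together with a policy list that includes `reboot,sniff,romon` looks broader than the save, export, fetch and remove steps need.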

BIN
05-12-2025.SEDE-4011.backup Normal file

Binary file not shown.

606
05-12-2025.SEDE-4011.rsc Normal file

@@ -0,0 +1,606 @@
# 2025-12-05 11:18:56 by RouterOS 7.20.5
# software id = HSR5-2Z4K
#
# model = RB4011iGS+
# serial number = D4440C82B0CE
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PoEIN
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether10 ] name=ether10-PoE-Out poe-out=off
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
"Sede x DataCom"
/interface vlan
add interface=sfp-sfpplus1 name=vlanif_13 vlan-id=13
add interface=sfp-sfpplus1 name=vlanif_24 vlan-id=24
add interface=sfp-sfpplus1 name=vlanif_26 vlan-id=26
add interface=sfp-sfpplus1 name=vlanif_69 vlan-id=69
add interface=sfp-sfpplus1 name=vlanif_70 vlan-id=70
add interface=sfp-sfpplus1 name=vlanif_71 vlan-id=71
add interface=sfp-sfpplus1 name=vlanif_72 vlan-id=72
add interface=sfp-sfpplus1 name=vlanif_124 vlan-id=124
add comment=uplink-vs01-IPv6 interface=sfp-sfpplus1 name=vlanif_199 vlan-id=\
199
add comment=uplink-vs02-IPv4 interface=sfp-sfpplus1 name=vlanif_299 vlan-id=\
299
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=069_SEDE_ADM ranges=192.168.0.50-192.168.0.220
add name=070_pool_TI_NOC ranges=192.168.70.50-192.168.70.100
add name=071_REDE_CELULARES ranges=192.168.71.50-192.168.71.200
add name=013-iOT-30-99 ranges=10.0.13.30-10.0.13.99
add name=013-iOT-150-199 ranges=10.0.13.150-10.0.13.199
add name=072-Hotspot-Unifi ranges=192.168.72.50-192.168.72.200
/ip dhcp-server
add address-pool=069_SEDE_ADM interface=vlanif_69 lease-time=1w name=\
069_SEDE_FIX
add address-pool=070_pool_TI_NOC interface=vlanif_70 lease-time=1w name=\
070_DHCP_TI_NOC
add address-pool=071_REDE_CELULARES disabled=yes interface=vlanif_71 \
lease-time=8h name=071_DHCP_SEDE_OUTROS
add add-arp=yes address-pool=013-iOT-30-99 interface=vlanif_13 lease-time=8h \
name=013-iOT
add add-arp=yes address-pool=072-Hotspot-Unifi interface=vlanif_72 \
lease-time=2h name=072-DHCP-HOTSPOT
/ipv6 pool
add name=v6_pool_LAN prefix=2804:47e4:8c0:3000::/52 prefix-length=64
add name=v6_pool_LAN_NOC prefix=2804:47e4:8c0:1000::/52 prefix-length=64
add name=v6_pool_LAN_CELULARES prefix=2804:47e4:8c0:2000::/52 prefix-length=\
64
add name=v6_pool_013_iot prefix=2804:47e4:8c0:4000::/52 prefix-length=64
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=no local-address=192.168.70.2 name=L2TP_NOC \
remote-address=070_pool_TI_NOC remote-ipv6-prefix-pool=v6_pool_LAN_NOC \
use-compression=no use-encryption=yes use-mpls=no use-upnp=no
add change-tcp-mss=no local-address=192.168.0.2 name=L2TP rate-limit=\
15MB/15MB remote-address=069_SEDE_ADM remote-ipv6-prefix-pool=v6_pool_LAN \
use-compression=no use-encryption=yes use-mpls=no use-upnp=no
/snmp community
set [ find default=yes ] name=ctcorp-lan
/system logging action
add name=Gray remote=10.0.24.69 remote-log-format=syslog src-address=\
10.0.24.23 target=remote
/disk settings
set auto-media-interface=*D auto-media-sharing=yes auto-smb-sharing=yes
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=12h udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP enabled=yes keepalive-timeout=\
disabled max-mru=1500 max-mtu=1500 use-ipsec=required
/ip address
add address=10.0.24.23/24 interface=vlanif_24 network=10.0.24.0
add address=192.168.0.2/24 interface=vlanif_69 network=192.168.0.0
add address=10.0.13.23/24 interface=vlanif_13 network=10.0.13.0
add address=172.31.32.22/30 comment="Enlace B2" interface=vlanif_299 network=\
172.31.32.20
add address=172.31.31.22/30 comment="Enlace B1" interface=vlanif_199 network=\
172.31.31.20
add address=10.1.24.23/24 interface=vlanif_124 network=10.1.24.0
add address=192.168.70.2/24 interface=vlanif_70 network=192.168.70.0
add address=192.168.100.2/24 interface=vlanif_71 network=192.168.100.0
add address=45.228.244.4 interface=lo network=45.228.244.4
add address=45.228.246.4 interface=lo network=45.228.246.4
add address=10.0.26.23/24 interface=vlanif_26 network=10.0.26.0
add address=192.168.72.2/24 comment="GATEWAY HOTSPOT UNFI" interface=\
vlanif_72 network=192.168.72.0
add address=10.0.70.1/30 comment=fiore-teste interface=*1C network=10.0.70.0
add address=10.0.70.1/30 interface=*1D network=10.0.70.0
/ip arp
add address=10.0.13.95 comment=P2-SensorDeFase-Preta interface=vlanif_13 \
mac-address=18:DE:50:A4:6A:F6
add address=192.168.0.78 interface=vlanif_69 mac-address=98:E5:5B:1F:D5:C4
/ip cloud
set update-time=no
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1-PoEIN
/ip dhcp-server lease
add address=192.168.0.5 client-id=1:44:3b:32:52:67:5 comment=DVR mac-address=\
44:3B:32:52:67:05 server=069_SEDE_FIX
add address=192.168.0.7 client-id=1:dc:a6:32:99:e5:ac comment="TV NOC" \
mac-address=DC:A6:32:99:E5:AC server=069_SEDE_FIX
add address=192.168.0.9 client-id=1:c:96:e6:22:6a:9c comment="impressroa hp" \
mac-address=0C:96:E6:22:6A:9C server=069_SEDE_FIX
add address=192.168.0.12 comment="Impressora XEROX" mac-address=\
9C:93:4E:6D:39:E1 server=069_SEDE_FIX
add address=192.168.0.24 client-id=1:0:c:29:a8:3d:34 comment=\
"Servidor microsfot" mac-address=00:0C:29:A8:3D:34 server=069_SEDE_FIX
add address=192.168.0.41 client-id=1:24:52:6a:45:7:1 comment="NVR da SEDE" \
mac-address=24:52:6A:45:07:01 server=069_SEDE_FIX
add address=192.168.0.20 comment="#SW_2_andar - AP refeitorio" mac-address=\
00:00:00:00:00:20 server=069_SEDE_FIX
add address=192.168.0.105 client-id=1:44:3b:32:86:2d:7e comment=\
"CAMERA ESTOQUE" mac-address=44:3B:32:86:2D:7E server=069_SEDE_FIX
add address=192.168.0.97 client-id=1:b2:68:a6:2d:65:d5 mac-address=\
B2:68:A6:2D:65:D5 server=069_SEDE_FIX
add address=192.168.0.194 client-id=1:0:26:8b:a:92:ea comment=\
"TELEFONE IP CAROL" mac-address=00:26:8B:0A:92:EA server=069_SEDE_FIX
add address=192.168.0.6 comment="TARCILA - LDAP FS" mac-address=\
00:50:56:80:31:63 server=069_SEDE_FIX
add address=192.168.0.8 comment="PrintServer - OpenAudit" mac-address=\
00:00:00:00:00:03 server=069_SEDE_FIX
add address=192.168.0.11 comment="Impressora RICOH" mac-address=\
00:26:73:8D:9E:F3 server=069_SEDE_FIX
add address=192.168.0.17 comment="Nextcloud - FIX" mac-address=\
00:00:00:00:00:17 server=069_SEDE_FIX
add address=192.168.0.16 comment="REBECA - WIKI" mac-address=\
00:00:00:00:00:16 server=069_SEDE_FIX
add address=192.168.0.10 comment="Impressora RICOH" mac-address=\
00:00:00:00:00:10 server=069_SEDE_FIX
add address=192.168.0.99 client-id=1:d8:36:5f:40:5:4f comment="CAMERA PIA" \
mac-address=D8:36:5F:40:05:4F server=069_SEDE_FIX
add address=192.168.0.163 comment="### ALAMR INTEBRAS" mac-address=\
48:51:CF:DE:5E:11 server=069_SEDE_FIX
add address=192.168.0.50 client-id=1:bc:32:5f:f4:f6:82 mac-address=\
BC:32:5F:F4:F6:82 server=069_SEDE_FIX
add address=192.168.70.99 client-id=1:84:7b:57:e7:91:77 mac-address=\
84:7B:57:E7:91:77 server=070_DHCP_TI_NOC
add address=192.168.0.73 client-id=1:74:e5:f9:94:97:15 mac-address=\
74:E5:F9:94:97:15 server=069_SEDE_FIX
add address=192.168.0.202 client-id=1:7c:5c:f8:24:6f:fd mac-address=\
7C:5C:F8:24:6F:FD server=069_SEDE_FIX
add address=192.168.0.140 client-id=1:5c:cd:5b:d9:cc:b3 mac-address=\
5C:CD:5B:D9:CC:B3 server=069_SEDE_FIX
add address=10.0.13.181 client-id=1:dc:a6:32:99:e5:ac comment=\
"SEDE - Raspberry Pi" mac-address=DC:A6:32:99:E5:AC server=013-iOT
add address=192.168.0.61 client-id=1:74:e5:f9:3c:38:40 mac-address=\
74:E5:F9:3C:38:40 server=069_SEDE_FIX
add address=10.0.13.32 comment="SEDE - Sensor de temperatura" mac-address=\
FC:F5:C4:AB:4C:8A server=013-iOT
add address=10.0.13.39 comment="P4 - Ar condcionado" mac-address=\
1C:39:29:24:FC:BB server=013-iOT
add address=10.0.13.40 comment="P2 - Ar condcionado" mac-address=\
1C:39:29:03:FB:B4 server=013-iOT
add address=10.0.13.49 comment="SEDE - AR - Atendimento2" mac-address=\
1C:39:29:7F:A3:1A server=013-iOT
add address=10.0.13.50 comment="SEDE - AR - Atendimento1" mac-address=\
1C:39:29:7E:E2:53 server=013-iOT
add address=192.168.0.13 comment=CASAOS mac-address=00:00:00:00:00:13 server=\
069_SEDE_FIX
add address=10.0.13.96 comment=P1-F.VERMELHA mac-address=18:DE:50:38:BC:8E \
server=013-iOT
add address=10.0.13.93 comment="SEDE - IR-AC-ADM" mac-address=\
1C:90:FF:8E:95:83 server=013-iOT
add address=10.0.13.44 comment="P1 - Ar condcionado" mac-address=\
1C:39:29:15:78:F3 server=013-iOT
add address=10.0.13.57 comment="P4 - Ar condcionado 2" mac-address=\
1C:39:29:BD:44:49 server=013-iOT
add address=10.0.13.94 comment=P4-ALARME mac-address=44:3B:32:5A:CD:AC \
server=013-iOT
add address=10.0.13.51 comment=P4-F.VERMELHA mac-address=18:DE:50:AF:BF:85 \
server=013-iOT
add address=192.168.0.134 client-id=1:84:7b:57:e7:91:27 mac-address=\
84:7B:57:E7:91:27 server=069_SEDE_FIX
add address=10.0.13.35 comment=P3-F.VERMELHA mac-address=18:DE:50:A4:6E:9E \
server=013-iOT
add address=192.168.0.18 comment="NC container - PROXY" mac-address=\
00:00:00:00:00:18 server=069_SEDE_FIX
add address=10.0.13.97 comment=P2-F.VERMELHA mac-address=18:DE:50:AF:BE:27 \
server=013-iOT
add address=10.0.13.95 comment=P2-F.PRETA mac-address=18:DE:50:A4:6A:F6 \
server=013-iOT
add address=10.0.13.99 comment=P2-ALARME mac-address=30:E1:F1:A3:18:D9 \
server=013-iOT
add address=10.0.13.45 comment=P4-SONOFF mac-address=18:DE:50:A6:94:67 \
server=013-iOT
add address=10.0.13.36 comment=P3-F.PRETA mac-address=18:DE:50:A4:76:95 \
server=013-iOT
add address=10.0.13.56 comment=P4-F.PRETA mac-address=18:DE:50:A4:64:A7 \
server=013-iOT
add address=10.0.13.53 comment=P1-F.PRETA mac-address=18:DE:50:0A:CC:20 \
server=013-iOT
add address=10.0.13.54 comment=P1-PRETA-SABESP mac-address=18:DE:50:38:C1:44 \
server=013-iOT
add address=10.0.13.55 comment=P1-VERMELHA-SABESP mac-address=\
18:DE:50:38:C7:AF server=013-iOT
add address=10.0.13.52 comment=SEDE-FECHADURA-ESTOQUE mac-address=\
D8:1F:12:39:DE:F3 server=013-iOT
add address=10.0.13.41 comment=P4-TEMP-RACK mac-address=50:8B:B9:5E:39:84 \
server=013-iOT
add address=10.0.13.42 comment=P4-TEMP-GERADOR mac-address=1C:90:FF:F0:B7:E6 \
server=013-iOT
add address=10.0.13.58 comment=P1-TEMP-RACK mac-address=A8:80:55:18:AC:13 \
server=013-iOT
add address=10.0.13.34 comment=P4-TEMP_BATERIA mac-address=50:8B:B9:30:B6:26 \
server=013-iOT
add address=10.0.13.59 comment=P3-DETEC-FUMACA mac-address=1C:90:FF:B1:69:62 \
server=013-iOT
add address=10.0.13.31 client-id=1:f4:ce:23:a4:c1:58 comment=P3-TEMP-BATERIA \
mac-address=50:8B:B9:2D:C4:C3 server=013-iOT
add address=10.0.13.30 comment=P4-DETC_FUMACA mac-address=18:DE:50:C4:B7:E7 \
server=013-iOT
add address=10.0.13.48 client-id=1:46:ee:40:4f:14:91 comment=SEDE_CELULAR-TI \
mac-address=46:EE:40:4F:14:91 server=013-iOT
add address=10.0.13.33 comment=P3-TEMP_RACK mac-address=50:8B:B9:5E:1A:59 \
server=013-iOT
add address=10.0.13.62 comment=P2-DETEC_FUMACA mac-address=18:DE:50:C4:BF:D2 \
server=013-iOT
add address=10.0.13.174 comment=P2-TEMP_RACK mac-address=A8:80:55:1D:90:0A \
server=013-iOT
add address=10.0.13.175 comment=P2-TEMP_PORTA mac-address=A8:80:55:1B:67:1B \
server=013-iOT
add address=10.0.13.68 mac-address=FC:3C:D7:DD:B3:5D server=013-iOT
add address=192.168.0.19 comment="SW estoque" mac-address=00:00:00:00:00:19 \
server=069_SEDE_FIX
add address=192.168.0.21 comment="teste IA" mac-address=00:00:00:00:00:21 \
server=069_SEDE_FIX
add address=10.0.13.78 comment=P3-AC-LG-22Btu mac-address=34:E6:E6:57:1D:DC \
server=013-iOT
add address=10.0.13.69 mac-address=D8:C8:0C:02:B7:3C server=013-iOT
add address=10.0.13.70 mac-address=D8:C8:0C:02:B4:B5 server=013-iOT
add address=192.168.0.78 client-id=1:98:e5:5b:1f:d5:c4 mac-address=\
98:E5:5B:1F:D5:C4 server=069_SEDE_FIX
add address=192.168.0.53 client-id=1:b8:27:eb:7c:fd:82 mac-address=\
B8:27:EB:7C:FD:82 server=069_SEDE_FIX
add address=192.168.0.110 client-id=1:0:21:b7:b3:3c:4 mac-address=\
00:21:B7:B3:3C:04 server=069_SEDE_FIX
/ip dhcp-server network
add address=10.0.13.0/24 dns-server=45.228.246.122,45.228.244.121 domain=\
fixfibra.br gateway=10.0.13.23
add address=192.168.0.0/24 comment="DNS - sede 192.168.0.6" dns-server=\
192.168.0.6 domain=fixfibra.br gateway=192.168.0.2
add address=192.168.70.0/24 dns-server=192.168.0.6 domain=fixfibra.br \
gateway=192.168.70.2
add address=192.168.71.0/24 dns-server=45.228.244.121,45.228.246.122 domain=\
fixfibra.guest gateway=192.168.71.2
add address=192.168.72.0/24 dns-server=45.228.244.121,45.228.246.122 domain=\
fixfibra.guest gateway=192.168.72.2
/ip dns
set cache-max-ttl=1d servers=192.168.0.6,2804:47e4:1::120,2804:47e4:8002::124
/ip firewall address-list
add address=192.168.0.6 list=Allow_sede
add address=192.168.0.24 list=Allow_sede
add address=192.168.0.7 list=Allow_sede
add address=192.168.70.0/24 list=AL_CELULARES-DROP
add address=10.0.0.0/8 list=AL_CELULARES-DROP
add address=192.168.0.0/24 list=AL_CELULARES-DROP
add address=192.168.70.0/24 list=AL_SEDE-DROP
add address=10.0.0.0/8 list=AL_SEDE-DROP
add address=192.168.0.15 list=Allow_sede
add address=10.0.24.10 list=AL-ACP-FERNANDA-OLT
add address=10.0.24.12 list=AL-ACP-FERNANDA-OLT
add address=10.0.24.13 list=AL-ACP-FERNANDA-OLT
add address=10.0.24.14 list=AL-ACP-FERNANDA-OLT
add address=10.0.0.0/8 list=AL_SAIDA_RFC_4193
add address=192.168.0.0/16 list=AL_SAIDA_RFC_4193
add address=172.16.0.0/12 list=AL_SAIDA_RFC_4193
add address=10.0.24.0/24 list=AL_GERENCIA_TI-NOC
add address=10.1.24.0/24 list=AL_GERENCIA_TI-NOC
add address=192.168.0.47 list=Allow_sede
add address=192.168.0.46 list=Allow_sede
add address=192.168.0.45 list=Allow_sede
add address=192.168.0.20 list=Allow_sede
add address=192.168.0.16 list=Allow_sede
add address=192.168.0.11 list=Allow_sede
add address=192.168.0.12 list=Allow_sede
add address=192.168.0.13 list=Allow_sede
add address=192.168.0.202 comment=NOTE-DAVI list=Allow-RASP
add address=192.168.0.140 comment=NOTE-LEO list=Allow-RASP
add address=192.168.0.73 comment=NOTE-GILMAR list=Allow-RASP
add address=192.168.0.95 list=Allow_sede
add address=192.168.0.17 list=Allow_sede
add address=10.0.24.11 list=AL-ACP-FERNANDA-OLT
add address=192.168.0.5 list=Allow_sede
add address=192.168.0.206 list=Allow_sede
add address=192.168.100.0/24 list=AL-ALLOW-71-unifi
add address=192.168.0.250 list=Allow_sede
add address=192.168.0.22 list=Allow_sede
add address=192.168.0.35 list=Allow_sede
add address=192.168.0.34 list=Allow_sede
add address=192.168.0.21 list=Allow_sede
add address=192.168.0.30 list=Allow_sede
add address=192.168.0.32 list=Allow_sede
add address=192.168.0.31 list=Allow_sede
add address=192.168.0.19 list=Allow_sede
add address=192.168.0.18 list=Allow_sede
add address=192.168.0.36 list=Allow_sede
add address=192.168.0.14 list=Allow_sede
add address=192.168.0.37 list=Allow_sede
add address=192.168.0.40 list=Allow_sede
add address=10.25.0.0/18 list=AL_GERENCIA_TI-NOC
add address=192.168.0.8 list=Allow_sede
add address=192.168.0.9 list=Allow_sede
add address=192.168.0.85 list=Allow_sede
add address=10.0.26.0/24 list=AL_GERENCIA_TI-NOC
add address=192.168.0.50 list=Allow_sede
add address=192.168.0.108 list=Allow_sede
add address=192.168.0.27 list=Allow_sede
add address=192.168.0.54 list=Allow_sede
add address=191.9.20.40 list=CASA-ANDRE
add address=172.20.0.0/22 list=AL_GERENCIA_TI-NOC
add address=172.20.8.0/22 list=AL_GERENCIA_TI-NOC
add address=192.168.0.41 list=Allow_sede
add address=192.168.0.25 list=Allow_sede
add address=192.168.0.39 list=Allow_sede
add address=192.168.0.53 list=Allow_sede
add address=192.168.80.0/24 list=Allow_sede
add address=10.0.13.0/24 list=AL_GERENCIA_TI-NOC
add address=192.168.0.78 list=Allow_sede
add address=192.168.0.26 list=Allow_sede
add address=192.168.0.2 list=Allow_sede
add address=10.0.70.0/30 list=Allow_sede
add address=192.168.0.110 list=Allow_sede
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=dst-nat chain=dstnat comment="## NAT - NextCloud" dst-address=\
45.228.244.4 dst-port=443 protocol=tcp to-addresses=192.168.0.17 \
to-ports=443
add action=dst-nat chain=dstnat comment="## NAT TALK - NextCloud" \
dst-address=45.228.244.4 dst-port=5349 protocol=tcp to-addresses=\
192.168.0.17 to-ports=443
add action=dst-nat chain=dstnat comment="## NAT TALK - NextCloud" \
dst-address=45.228.244.4 dst-port=5349 protocol=udp to-addresses=\
192.168.0.17 to-ports=443
add action=dst-nat chain=dstnat comment="## NAT - NextCloud" dst-address=\
45.228.244.4 dst-port=80 protocol=tcp to-addresses=192.168.0.17 to-ports=\
80
add action=dst-nat chain=dstnat comment="## NAT - GERADOR POP 1" dst-address=\
45.228.244.4 dst-port=1351 protocol=tcp to-addresses=10.0.13.103 \
to-ports=1351
add action=src-nat chain=srcnat comment="## NAT PARA APP MAPEAMENTO DE PORTA" \
dst-address-list=AL-ACP-FERNANDA-OLT src-address=192.168.0.15 \
to-addresses=10.0.24.23
add action=src-nat chain=srcnat comment="## NAT WAN - IOT NAT 246.4" \
dst-address-list=!AL_SAIDA_RFC_4193 src-address=10.0.13.0/24 \
to-addresses=45.228.246.4
add action=src-nat chain=srcnat comment="## NAT WAN - SEDE 69" \
dst-address-list=!AL_SAIDA_RFC_4193 src-address=192.168.0.0/24 \
to-addresses=45.228.244.4
add action=src-nat chain=srcnat comment="## NAT WAN - NOC 70" \
dst-address-list=!AL_SAIDA_RFC_4193 src-address=192.168.70.0/24 \
to-addresses=45.228.244.4
add action=src-nat chain=srcnat comment="## NAT WAN - HOTSPOT 72" \
dst-address-list=!AL_SAIDA_RFC_4193 src-address=192.168.72.0/24 \
to-addresses=45.228.244.4
add action=src-nat chain=srcnat comment="## NAT - vlan 24 X TI-NOC" \
dst-address-list=AL_GERENCIA_TI-NOC src-address=192.168.70.0/24 \
to-addresses=10.0.24.23
add action=src-nat chain=srcnat comment="## NAT - vlan 124 X TI-NOC" \
dst-address-list=AL_GERENCIA_TI-NOC src-address=192.168.70.0/24 \
to-addresses=10.1.24.23
add action=src-nat chain=srcnat comment="## NAT WAN - UPDATE" disabled=yes \
dst-address-list=!AL_SAIDA_RFC_4193 to-addresses=45.228.244.4
/ip firewall raw
add action=accept chain=prerouting comment=\
"## Regra para portal de mapeamento" dst-address-list=AL-ACP-FERNANDA-OLT \
src-address=192.168.0.15
add action=accept chain=prerouting comment="## Regra para Teste GenieACS" \
dst-address=10.0.24.136 src-address=192.168.0.13
add action=accept chain=prerouting comment="## Liberacao - UNIFI - OUTROS" \
dst-address=192.168.0.24 src-address-list=AL-ALLOW-71-unifi
add action=accept chain=prerouting comment="## Regra de saida da VLAN 70" \
src-address=192.168.70.0/24
add action=accept chain=prerouting comment=\
"## Regra de liberacao da Vlan 70 para host da vlan 69" dst-address=\
192.168.70.0/24 src-address-list=Allow_sede
add action=drop chain=prerouting comment=\
"## Regra de bloqueio da vlan 69 para outras redes" dst-address-list=\
AL_SEDE-DROP src-address=192.168.0.0/24
add action=drop chain=prerouting comment=\
"## Regra de bloqueio da vlan 71 para outras redes" disabled=yes \
dst-address-list=AL_CELULARES-DROP src-address=192.168.100.0/24
add action=drop chain=prerouting comment=\
"## Regra de bloqueio da vlan 72 para outras redes" dst-address=\
!192.168.0.24 dst-address-list=AL_CELULARES-DROP src-address=\
192.168.72.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add check-gateway=ping comment="## Default Route - B2" disabled=no distance=\
20 dst-address=0.0.0.0/0 gateway=172.31.32.21 pref-src="" routing-table=\
main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=arp comment="## Default Route - B1" disabled=no distance=\
100 dst-address=0.0.0.0/0 gateway=172.31.31.21 routing-table=main scope=\
30 suppress-hw-offload=no target-scope=10
add comment="## GERENCIA 053-RADIOS" disabled=yes distance=1 dst-address=\
192.168.10.0/24 gateway=10.0.24.33 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Gerencia vlan 25" disabled=no distance=1 dst-address=\
10.25.0.0/18 gateway=10.0.24.35 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="## Gerencia contratos bloqueados B2" disabled=no distance=1 \
dst-address=172.20.8.0/22 gateway=10.0.24.8 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="## Gerencia contratos bloqueados B1" disabled=no distance=1 \
dst-address=172.20.0.0/22 gateway=10.0.24.9 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ipv6 route
add check-gateway=ping comment="## Default Route - VS01" disabled=no \
distance=20 dst-address=::/0 gateway=2804:47e4:0:1::15 routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="## Default Route - VS02" disabled=no \
distance=100 dst-address=::/0 gateway=2804:47e4:8000:1::15 routing-table=\
main scope=30 suppress-hw-offload=no target-scope=10
add blackhole comment=BLACKHOLE disabled=no distance=255 dst-address=\
2804:47e4:8c0::/48 gateway="" routing-table=main scope=30 \
suppress-hw-offload=no
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set winbox address=10.0.0.0/8,45.228.244.0/22,2804:47e4::/32,192.168.0.0/16 \
port=8292
set api disabled=yes
set api-ssl disabled=yes
set ssh address=2804:47e4:8c0::/48,10.1.24.0/24 port=9022
/ip upnp
set show-dummy-rule=no
/ipv6 address
add address=2804:47e4:0:1::16/126 advertise=no comment=Enlace-VS01 interface=\
vlanif_199
add address=::1 from-pool=v6_pool_LAN interface=vlanif_69
add address=::1 from-pool=v6_pool_LAN_NOC interface=vlanif_70
add address=::1 from-pool=v6_pool_013_iot interface=vlanif_13
add address=2804:47e4:8000:1::16/126 advertise=no comment=Enlace-VS02 \
interface=vlanif_299
add address=fe80::4a8f:5aff:fe7a:1c7e advertise=no interface=vlanif_71
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=2804:47e4:8c0::/48 list="Bloco Sede"
add address=2804:47e4::/32 list=FIX-MeuBloco
add address=2804:47e4:8c0:4000::13/128 comment="DVR IOT" list=Servicos_sede
add address=2804:47e4:8c0:3000::17/128 list=Servicos_sede
add address=fc00::/7 list=RFC-IPv6
add address=fe80::/64 list=RFC-IPv6
add address=ff00::/8 list=RFC-IPv6
add address=2001::/23 list=bad_ipv6
add address=2804:47e4:8002::124/128 list=Servicos_sede
add address=2804:47e4:8c0:3000::22/128 comment=OCS-INVETORY list=\
Servicos_sede
add address=2804:47e4:8c0:3000::5/128 comment="DVR SEDE" list=Servicos_sede
add address=2804:47e4:8c0:3000::5/128 comment="DVR SEDE" list=DVR
add address=2804:47e4:8c0:4000::13/128 comment="DVR IOT" list=DVR
/ipv6 firewall filter
add action=accept chain=input comment="Permit - ICPMv6" protocol=icmpv6
add action=accept chain=input comment="Permit - Link local" dst-address-list=\
RFC-IPv6 src-address-list=RFC-IPv6
add action=accept chain=input comment="Permit - Winbox" dst-port=8292 \
protocol=tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - input - estab, related" \
connection-state=established,related
add action=drop chain=input comment="Drop - input " disabled=yes
add action=accept chain=forward comment="Permit - ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="Permit - foward - estab, related" \
connection-state=established,related
add action=accept chain=forward comment="Permit - Upload" src-address-list=\
"Bloco Sede"
add action=accept chain=forward comment="Permit - Dst Web" dst-address-list=\
Servicos_sede dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Permit - Dst Web" dst-address-list=\
DVR dst-port=37777 protocol=tcp
add action=accept chain=forward comment="TURN - TALK NC" dst-address=\
2804:47e4:8c0:3000::17/128 dst-port=5349 protocol=tcp
add action=accept chain=forward comment="TURN - TALK NC" dst-address=\
2804:47e4:8c0:3000::17/128 dst-port=5349 protocol=udp
add action=drop chain=forward disabled=yes
/ipv6 firewall raw
add action=accept chain=prerouting comment="Aceita ICMPv6" disabled=yes \
protocol=icmpv6
add action=accept chain=prerouting comment=\
"Aceita HTTP e HTTPS na interface WAN" disabled=yes dst-address-list=\
Servicos_sede dst-port=80,443 protocol=tcp
add action=accept chain=prerouting comment="Permit -RFC" disabled=yes \
dst-address-list=RFC-IPv6 src-address-list=RFC-IPv6
add action=accept chain=prerouting comment="Bloco FIX " disabled=yes \
dst-address-list=FIX-MeuBloco src-address-list=FIX-MeuBloco
add action=accept chain=prerouting comment=\
"Aceita com prefixo de origem a sede" disabled=yes src-address-list=\
"Bloco Sede"
add action=accept chain=prerouting comment="Aceita local Multicast" disabled=\
yes dst-address=ff02::/16
add action=drop chain=prerouting comment="Drop src bogon IP's" disabled=yes \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="Drop dst bogon IP's" disabled=yes \
dst-address-list=bad_ipv6
add action=accept chain=prerouting comment="Aceita todo o resto da WAN" \
disabled=yes in-interface=vlanif_199
add action=drop chain=prerouting comment="Descarta o resto" disabled=yes \
log-prefix=debug_
add action=accept chain=prerouting comment="Aceita DNS na interface WAN" \
disabled=yes dst-port=53 protocol=udp
/ipv6 nd
set [ find default=yes ] managed-address-configuration=yes \
other-configuration=yes
add dns=2804:47e4:8c0:3000::6 interface=vlanif_70 \
managed-address-configuration=yes other-configuration=yes ra-preference=\
high
add interface=vlanif_13 managed-address-configuration=yes \
other-configuration=yes
add dns=2804:47e4:8c0:3000::6 interface=vlanif_69 \
managed-address-configuration=yes other-configuration=yes ra-preference=\
high
add advertise-dns=no interface=vlanif_199 managed-address-configuration=yes \
ra-preference=low
add interface=vlanif_71 managed-address-configuration=yes \
other-configuration=yes ra-preference=high
/mpls settings
set allow-fast-path=no propagate-ttl=no
/ppp secret
add name=andrefix profile=L2TP_NOC remote-address=192.168.70.10 service=l2tp
add name=daniel.sato profile=L2TP_NOC remote-address=192.168.70.11 service=\
l2tp
add name=telicfix profile=L2TP_NOC remote-address=192.168.70.12 service=l2tp
add name=telicfix2 profile=L2TP_NOC remote-address=192.168.70.13 service=l2tp
add name=diego profile=L2TP service=l2tp
add disabled=yes name=diego2 profile=L2TP service=l2tp
add disabled=yes name=guilherme profile=L2TP_NOC remote-address=192.168.70.14 \
service=l2tp
add name=otaviofix profile=L2TP_NOC remote-address=192.168.70.12 service=l2tp
add name=mariana.batista profile=L2TP_NOC remote-address=192.168.70.14 \
service=l2tp
add name=ppp1 profile=L2TP_NOC remote-address=192.168.70.15 routes=\
192.168.70.2 service=l2tp
/radius
add address=10.1.24.138 comment="Radius - 10.1.24.138" require-message-auth=\
no service=login src-address=10.1.24.23 timeout=300ms
/radius incoming
set accept=yes
/snmp
set contact="FIX FIBRA" enabled=yes location="\"Av. Nossa Sra. dos Navegantes,\
\_1222 - Eldorado, Diadema - SP, 09972-260\"" src-address=10.0.24.23 \
trap-version=2
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=SEDE-4011
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=45.228.244.121
add address=45.228.246.122
add address=2804:47e4:1::120
add address=2894:47e4:8002::124
/system scheduler
add name="Reboot=UPD" on-event="/system reboot" policy=reboot start-date=\
2025-03-13 start-time=22:45:00
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="/log info message=\"Deviando upload para rota de \
backup\"\r\
\n/ip route/disable [find comment=\"ROTA-DEFAULT-NAT01\"]\r\
\n" host=192.33.4.12 http-codes="" interval=1m test-script="" type=icmp \
up-script="/log info message=\"Deviando upload para rota princiapl\"\r\
\n/ip route/enable [find comment=\"ROTA-DEFAULT-NAT01\"]\r\
\n"
/tool romon
set enabled=yes
/user aaa
set use-radius=yes
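Review bot: The IPv6 filter in this export ends both chains with disabled drops, `add action=drop chain=input comment="Drop - input " disabled=yes` and `add action=drop chain=forward disabled=yes`, so the accept rules above them decide nothing and anything unmatched falls through to the default accept. The LAN pools hand out globally routable /64s from 2804:47e4:8c0::/48 and every `/ipv6 firewall raw` rule is disabled too, so over IPv6 the router is guarded only by the address lists under `/ip service` and forwarded traffic to the hosts behind it is not filtered at all. Before removing `disabled=yes` from the two drops, the input chain needs an accept for SSH matching `/ip service`, for example `add action=accept chain=input comment="Permit - SSH" dst-port=9022 protocol=tcp src-address-list="Bloco Sede"`, or IPv6 SSH management would be cut off; whether L2TP/IPsec is reached over IPv6 is not visible here and should be checked the same way. The IPv4 `/ip firewall filter` has the same shape, with only two forward accepts and no input or drop rule.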

Binary file not shown.

File diff suppressed because it is too large Load Diff

Binary file not shown.

File diff suppressed because it is too large Load Diff

Binary file not shown.


@@ -0,0 +1,468 @@
# 2025-12-05 12:34:34 by RouterOS 7.20.5
# software id = R71A-HA5S
#
# model = CCR2004-16G-2S+
# serial number = HG809N0C8R9
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=sfp-sfpplus1 name=0024-GERENCIA-L2 vlan-id=24
add interface=sfp-sfpplus1 name=0042-Servicos-IPv4 vlan-id=42
add interface=sfp-sfpplus1 name=0124-GERENCIA-L3 vlan-id=124
add interface=sfp-sfpplus1 name=0620-Servicos-IPv6 vlan-id=620
add interface=sfp-sfpplus1 name=2142-OSPF_B1 vlan-id=2142
add interface=sfp-sfpplus1 name=2242-OSPF_B2 vlan-id=2242
add interface=sfp-sfpplus1 name=2602-IPv4-HEXA vlan-id=2602
add interface=sfp-sfpplus1 name=vlan1441-itx-sw-hw-04 vlan-id=1441
/interface list
add exclude=all include=static name=ospf-interfaces
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=pool1 ranges=198.18.0.5-198.18.0.8
/ip smb users
set [ find default=yes ] disabled=yes
/ipv6 pool
add name=pool-enlace prefix=2804:47e4:8000:1::1c/126 prefix-length=128
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=no local-address=10.0.24.33 name=L2TP remote-address=pool1 \
use-compression=no use-encryption=yes use-upnp=no
/routing id
add disabled=no id=10.0.24.33 name=OSPF select-dynamic-id=only-static
/routing ospf instance
add disabled=no name=ospf originate-default=never out-filter-chain=OSPF-OUT \
redistribute=connected,static router-id=OSPF routing-table=main
add disabled=no name=ospfv3 originate-default=never out-filter-chain=\
OSPFv3-OUT redistribute=connected router-id=OSPF version=3
/routing ospf area
add disabled=no instance=ospf name=ospf-area-0
add disabled=no instance=ospfv3 name=ospfv3-area-0
/snmp community
set [ find default=yes ] addresses=10.0.0.0/8 name=ctcorp-lan
/system logging action
add name=Gray remote=10.0.24.69 remote-log-format=syslog src-address=\
10.0.24.33 target=remote
/ip smb
set enabled=no
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface l2tp-server server
set allow-fast-path=yes authentication=chap,mschap1,mschap2 default-profile=\
L2TP enabled=yes keepalive-timeout=60 l2tpv3-ether-interface-list=all \
max-mru=1480 max-mtu=1480 one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=2142-OSPF_B1 list=ospf-interfaces
add interface=2242-OSPF_B2 list=ospf-interfaces
/interface ovpn-server server
add mac-address=FE:6F:8A:36:83:70 name=ovpn-server1
/ip address
add address=10.0.24.33/24 interface=0024-GERENCIA-L2 network=10.0.24.0
add address=10.1.21.42/30 interface=2142-OSPF_B1 network=10.1.21.40
add address=10.1.22.42/30 interface=2242-OSPF_B2 network=10.1.22.40
add address=45.228.246.97/27 comment="### 246.97 - Gateway-042" interface=\
0042-Servicos-IPv4 network=45.228.246.96
add address=10.1.24.33/24 interface=0124-GERENCIA-L3 network=10.1.24.0
add address=45.228.246.31 interface=lo network=45.228.246.31
add address=45.228.246.16 interface=lo network=45.228.246.16
add address=10.0.5.9/30 interface=vlan1441-itx-sw-hw-04 network=10.0.5.8
add address=45.228.246.64 comment=IPv4-pub-NAT-HEXA interface=lo network=\
45.228.246.64
add address=10.95.200.1/24 comment=IPv4-priv-NAT-HEXA interface=\
2602-IPv4-HEXA network=10.95.200.0
/ip cloud
set update-time=no
/ip dns
set servers=45.228.246.122,45.228.244.121
/ip firewall address-list
add address=45.228.244.4 list=CONFIAVEIS
add address=45.228.246.4 list=CONFIAVEIS
add address=10.1.24.0/24 list=CONFIAVEIS
add address=10.0.24.0/24 list=CONFIAVEIS
add address=10.25.0.0/18 list=CONFIAVEIS
add address=45.228.244.8/29 list=CONFIAVEIS
add address=45.228.244.96/27 list=CONFIAVEIS
add address=45.228.246.96/27 list=CONFIAVEIS
add address=100.64.0.0/10 list=CONFIAVEIS
add address=10.64.69.0/30 list=CONFIAVEIS
add address=45.228.244.121 list=DNS-SERVERs
add address=45.228.246.122 list=DNS-SERVERs
add address=45.228.244.101 list=DNS-SERVERs
add address=45.228.246.102 list=DNS-SERVERs
add address=45.228.246.100 list=DNS-SERVERs
add address=45.228.244.8/29 list=0030-SERVIDORES
add address=45.228.244.96/27 list=SERVIDORES
add address=45.228.246.96/27 list=SERVIDORES
add address=10.25.0.25 list=GeniACS
add address=45.228.246.105 list=GeniACS
add address=45.228.245.0/24 list=ACS-CPEs
add address=45.228.247.0/24 list=ACS-CPEs
add address=10.25.0.0/18 list=ACS-CPEs
add address=198.18.0.8 list=POOL-GERENCIA
add address=198.18.0.7 list=POOL-GERENCIA
add address=198.18.0.6 list=POOL-GERENCIA
add address=198.18.0.5 list=POOL-GERENCIA
add address=10.0.24.0/24 list=LOCAL-VPN-NAT
add address=198.18.0.4/30 list=LOCAL-VPN-NAT
add address=45.228.244.0/22 list=BLOCO-FIX
add address=45.228.244.4 list=ACPT-INPUT
add address=10.1.24.0/24 list=ACPT-INPUT
add address=45.228.246.4 list=ACPT-INPUT
add address=10.0.24.0/24 list=ACPT-INPUT
add address=10.1.21.32/30 list=ACPT-INPUT
add address=10.1.22.32/30 list=ACPT-INPUT
add address=10.25.0.0/18 list=ACPT-INPUT
add address=45.228.244.8/29 list=ACPT-INPUT
add address=45.228.244.96/27 list=ACPT-INPUT
add address=10.0.5.4/30 list=ACPT-INPUT
add address=45.228.244.96/27 list=zabbix-agent
add address=45.228.246.96/27 list=zabbix-agent
add address=45.228.244.101 list=CWPs
add address=45.228.246.102 list=CWPs
add address=10.95.200.0/24 list=LAN-HEXA
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Permit - ICMP Protocol" disabled=yes \
protocol=icmp
add action=accept chain=forward comment="Permit - DNS REVERSO" disabled=yes \
dst-address=45.228.246.100 dst-port=53 protocol=tcp
add action=accept chain=forward comment="Permit - DNS REVERSO" disabled=yes \
dst-address=45.228.246.100 dst-port=53 protocol=udp
add action=accept chain=forward comment="Permit - acs - 7547 tcp" disabled=\
yes dst-address=45.228.246.105 dst-port=7547 protocol=tcp
add action=accept chain=forward comment="Permit - Upload SRC" disabled=yes \
src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS (TCP)" disabled=yes \
dst-address-list=DNS-SERVERs dst-port=53 protocol=tcp src-address-list=\
CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS (UDP)" disabled=yes \
dst-address-list=DNS-SERVERs dst-port=53 protocol=udp src-address-list=\
CONFIAVEIS
add action=accept chain=forward comment="Permit - NTPSec (UDP)" disabled=yes \
dst-address-list=DNS-SERVERs dst-port=123 protocol=udp src-address-list=\
CONFIAVEIS
add action=accept chain=forward comment="Permit - HTTPs (TCP)" disabled=yes \
dst-address-list=SERVIDORES dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Permit - HTTPs (UDP)" disabled=yes \
dst-address-list=SERVIDORES dst-port=80,443 protocol=udp
add action=accept chain=forward comment="Permit - Servicos (TCP)" disabled=\
yes dst-address-list=SERVIDORES dst-port=3000,3001,8443,8080 protocol=tcp
add action=accept chain=forward comment="Permit - Servicos (UDP)" disabled=\
yes dst-address-list=SERVIDORES dst-port=3000,3001,8443,8080 protocol=udp
add action=accept chain=forward comment="Permit - Servicos" disabled=yes \
dst-address-list=SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - Radios" disabled=yes \
in-interface=*16
add action=accept chain=forward comment="Permit - Radios" disabled=yes \
out-interface=*16
add action=accept chain=forward comment="Permit - OpaSuite (exception)" \
disabled=yes dst-address=45.228.246.98
add action=accept chain=input comment="Permit - Estab and Related" \
connection-state=established,related disabled=yes
add action=accept chain=input comment="Permit - ICMP" disabled=yes protocol=\
icmp
add action=accept chain=input comment="Permit - OSPF Protocol" disabled=yes \
in-interface-list=ospf-interfaces protocol=ospf
add action=accept chain=input comment="Permit - IPsec Ports" disabled=yes \
dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="Permit - IPsec Protocol" disabled=yes \
protocol=ipsec-esp
add action=accept chain=input comment="Permit - L2TP Protocol" disabled=yes \
protocol=l2tp
add action=accept chain=input comment="Permit - Winbox Service" disabled=yes \
dst-port=8292 protocol=tcp src-address-list=ACPT-INPUT
add action=accept chain=input comment="Permit - Trusted" disabled=yes \
src-address-list=ACPT-INPUT
add action=accept chain=forward disabled=yes dst-address-list=CWPs
add action=drop chain=forward disabled=yes log-prefix=drop-all-
add action=drop chain=input disabled=yes
/ip firewall nat
add action=src-nat chain=srcnat comment=\
"NAT DA VPN PARA ACESSO A GERENCIA 10.0.24.0/24" disabled=yes \
dst-address=10.0.24.0/24 src-address-list=POOL-GERENCIA to-addresses=\
10.0.24.33
add action=src-nat chain=srcnat comment="SRC-NAT-HEXA - 45.228.246.64" \
src-address-list=LAN-HEXA to-addresses=45.228.246.64
add action=src-nat chain=srcnat comment="DEFAULT NAT - 246.31" dst-address=\
!10.0.0.0/8 dst-address-list=!SERVIDORES protocol=!ospf src-address=\
10.0.24.0/24 to-addresses=45.228.246.31
add action=src-nat chain=srcnat comment="## regra UPDATE" disabled=yes \
dst-address-list=!POOL-GERENCIA protocol=!ospf to-addresses=45.228.246.31
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add blackhole comment="## Rota em Blackhole" disabled=no distance=255 \
dst-address=45.228.246.64/27 gateway="" pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add blackhole comment="## Rota em Blackhole" disabled=no distance=255 \
dst-address=45.228.246.16/28 gateway="" pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=210 dst-address=0.0.0.0/0 gateway=10.1.22.41 \
pref-src="" routing-table=main scope=20 suppress-hw-offload=no \
target-scope=10
/ipv6 route
add disabled=no distance=200 dst-address=::/0 gateway=2804:47e4:8000:1::21 \
routing-table=main scope=30 target-scope=10
add disabled=yes distance=20 dst-address=::/0 gateway=2804:47e4:8000:1::19 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set winbox address=45.228.244.0/22,10.0.0.0/8,198.18.0.0/30,2804:47e4::/32 \
port=8292
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip traffic-flow
set active-flow-timeout=5m cache-entries=64k interfaces=2142-OSPF_B1
/ip traffic-flow target
add dst-address=10.0.24.128 port=9996 src-address=10.0.24.24 version=5
add dst-address=10.0.24.128 port=9996 src-address=10.0.24.24 version=5
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=*16 type=internal
add interface=2142-OSPF_B1 type=external
/ipv6 address
add address=2804:47e4:8002::33 advertise=no comment=\
"# Desativar o Advertase e depois desativar ND | BUG com Firewall" \
interface=0620-Servicos-IPv6
add address=2804:47e4:8000:1::22/126 advertise=no interface=2242-OSPF_B2
add address=2804:47e4:0:1::22/126 advertise=no interface=2142-OSPF_B1
add address=2804:47e4:8000:1::1a/126 advertise=no disabled=yes interface=\
2602-IPv4-HEXA
add address=2804:47e4:8002:2601::33 advertise=no comment="## LAN SAGE" \
disabled=yes interface=lo
/ipv6 firewall address-list
add address=2804:47e4::/32 list=FIX-MeuBloco
add address=2804:47e4:1::/64 list=AL-ACPT-SERVICOS
add address=2804:47e4:1::141/128 list=ACL-hosepdage
add address=2804:47e4:8002::142/128 list=ACL-hosepdage
add address=2804:47e4:1::125/128 list=ACL-hosepdage
add address=2804:47e4:8002::/64 list=AL-ACPT-SERVICOS
add address=2804:47e4:1::122/128 list=ACL-hosepdage
add address=2804:47e4::/32 list=CONFIAVEIS
add address=2804:47e4:8002::/64 list=SERVIDORES
add address=2804:47e4:1::/64 list=SERVIDORES
add address=2804:47e4:1::120/128 list=DNS-SERVER
add address=2804:47e4:8002::124/128 list=DNS-SERVER
add address=2804:47e4:0:1::22/128 list=INPUT-OSPFv3
add address=2804:47e4:8000:1::22/128 list=INPUT-OSPFv3
add address=2804:47e4:8002::7777/128 list=ACL-hosepdage
add address=2804:47e4:8002::230/128 list=DNS-SERVER
add address=2804:47e4:8002::110/128 list=ACL-hosepdage
add address=2804:47e4:8002::228/128 list=ACL-hosepdage
add address=2804:47e4:8002::145/128 list=ACL-hosepdage
add address=2804:47e4:8002::15/128 disabled=yes list=ACL-hosepdage
add address=2804:47e4:1::141/128 list=CWPs
add address=2804:47e4:8002::142/128 list=CWPs
/ipv6 firewall filter
add action=accept chain=input comment=ICMPV6 protocol=icmpv6
add action=accept chain=forward comment="Permit - Established, related" \
connection-state=established,related
add action=accept chain=forward comment="Permit - ICMPv6" protocol=icmpv6
add action=accept chain=input comment="Permit - input - estab, related" \
connection-state=established,related
add action=accept chain=input comment="Permit - OSPFv3" in-interface-list=\
ospf-interfaces protocol=ospf
add action=accept chain=input comment="Permit - Link Local" src-address=\
fe80::/10
add action=accept chain=forward comment="Permit - Upload" src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - All (excecao)" \
dst-address-list=ACL-hosepdage
add action=accept chain=forward comment=IXC dst-address=\
2804:47e4:8002::15/128 dst-port=80,443 protocol=tcp
add action=accept chain=forward comment=IXC dst-address=\
2804:47e4:8002::15/128 dst-port=80,443 protocol=udp
add action=accept chain=forward comment="Permit - REVERSO" dst-address=\
2804:47e4:8002::230/128 dst-port=53 protocol=udp
add action=accept chain=forward comment="Permit - REVERSO" dst-address=\
2804:47e4:8002::230/128 dst-port=53 protocol=tcp
add action=accept chain=forward comment="Permit - Servicos (all)" \
dst-address-list=AL-ACPT-SERVICOS src-address-list=AL-ACPT-SERVICOS
add action=accept chain=forward comment="Permit - DNS (udp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=udp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - DNS (tcp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=tcp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - WebServer (udp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,8080,8443,8880 \
protocol=udp
add action=accept chain=forward comment="Permit - WebServer (tcp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,8080,8443,8880 \
protocol=tcp
add action=accept chain=input comment="Permit - Winbox" dst-port=8292 \
protocol=tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - SSH" dst-port=9022 protocol=\
tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - SSH" dst-address=\
2804:47e4:8002::f120/128 dst-port=9022 protocol=tcp
add action=accept chain=forward comment="Permit - CWP" dst-address-list=CWPs
add action=drop chain=input comment=drop-input
add action=drop chain=forward comment="drop - All" log-prefix=dropv6-
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes \
managed-address-configuration=yes other-configuration=yes ra-preference=\
low
add advertise-dns=no interface=0620-Servicos-IPv6 \
managed-address-configuration=yes
add advertise-dns=no interface=2142-OSPF_B1 managed-address-configuration=yes
add advertise-dns=no interface=2242-OSPF_B2 managed-address-configuration=yes
/ppp secret
add name=andrefix profile=L2TP service=l2tp
add name=danielfix profile=L2TP service=l2tp
add name=otaviofix profile=L2TP service=l2tp
/radius
add address=10.0.24.24 disabled=yes require-message-auth=no service=login \
timeout=300ms
add address=10.0.24.24 disabled=yes require-message-auth=no service=login \
timeout=300ms
/routing bfd configuration
add disabled=yes interfaces=all min-rx=200us min-tx=200us multiplier=5
add disabled=yes interfaces=all min-rx=200us min-tx=200us multiplier=5
/routing filter rule
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.246.96/27 && dst-len > 27) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.246.64/27 && dst-len > 27) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.246.16/28 && dst-len > 28) {reject} else {accept}"
add chain=OSPFv3-OUT disabled=no rule=\
"if (dst in 2804:47e4:8002::/48 && dst-len > 48) {reject} else {accept}"
/routing ospf area range
add area=ospf-area-0 disabled=no prefix=45.228.246.96/27
add area=ospfv3-area-0 disabled=no prefix=2804:47e4:8002::/64
add area=ospf-area-0 disabled=no prefix=45.228.246.64/27
/routing ospf interface-template
add area=ospf-area-0 auth=md5 auth-id=1 cost=20 disabled=no interfaces=\
2242-OSPF_B2 networks=10.1.22.40/30 priority=1 type=ptp
add area=ospf-area-0 auth=md5 auth-id=1 cost=100 disabled=no interfaces=\
2142-OSPF_B1 networks=10.1.21.40/30 priority=1 type=ptp
add area=ospfv3-area-0 cost=20 disabled=no interfaces=2242-OSPF_B2 networks=\
2804:47e4:8000:1::22/126 priority=1 type=ptp
add area=ospfv3-area-0 cost=100 disabled=no interfaces=2142-OSPF_B1 networks=\
2804:47e4:0:1::22/126 priority=1 type=ptp
add area=ospf-area-0 disabled=no interfaces=all passive
add area=ospfv3-area-0 disabled=no interfaces=all passive
/snmp
set contact="FIX FIBRA" enabled=yes location=\
"\"R. Antonio Dias Adorno, 375,Diadema,SP,BR\"" trap-version=2
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=NAT02-CCR2004
/system logging
add action=echo disabled=yes prefix=snmp_ topics=debug,snmp
add action=Gray disabled=yes prefix=snmp_ topics=debug,snmp
add action=Gray prefix=CRI topics=critical
add action=Gray prefix=BK topics=backup
add action=Gray prefix=INFO topics=info
add action=Gray prefix=WARM topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.24.120
add address=10.0.24.124
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add comment="Crodar dia 25/01 as 3 da manha" name=Atualizacao on-event=\
"/system reboot" policy=reboot start-date=2025-03-11 start-time=03:00:00
/system script
add dont-require-permissions=no name=backupSFTP owner=otaviofix policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log warning \"***************************************\"\
\n#Conexao SFTP\
\n\
\n:global host 10.1.24.137\
\n:global usuario backups\
\n:global senha backups@fixfibra2@\
\n:global diretorio /SFTP/backups/mikrotik/router/CGNAT02\
\n\
\n#Pega o nome do Router\
\n\
\n:global identifica [/system identity get name]\
\n\
\n#Gera data no formato AAAA-MM-DD\
\n\
\n:global data [/system clock get date]\
\n:global ano [:pick \$data 0 4]\
\n:global mes [:pick \$data 5 7]\
\n:global dia [:pick \$data 8 10]\
\n\
\n:log info \"Gerando backup: \$dia-\$mes-\$ano.\$identifica.backup\";\
\n/system backup save name=\"\$dia-\$mes-\$ano.\$identifica\";\
\n:log info \"Gerando export: \$dia-\$mes-\$ano.\$identifica.rsc\";\
\n/export file=\"\$dia-\$mes-\$ano.\$identifica\"\
\n:log info \"Processando...\";\
\n:delay 5s\
\n\
\n:log info \"Conectando SFTP Server...\";\
\n:log info \"Enviando Backup [\$dia-\$mes-\$ano.\$identifica.backup] ...\
\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.bac\
kup\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sf\
tp dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.backup\"\
\n:log info \"Enviando Export [\$dia-\$mes-\$ano.\$identifica.rsc] ...\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.rsc\
\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sftp \
dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:delay 1\
\n\
\n:log info \"Backup enviado com sucesso...\";\
\n:log info \"Removendo arquivos...\";\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.backup\"\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:log info \"Rotina de backup finalizada...\";\
\n:log warning \"***************************************\";\
\n"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
/user aaa
set use-radius=yes
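Review bot: The `backupSFTP` script under `/system script` carries the SFTP account's password in clear text on its `:global senha …` line, so this commit exposes a working credential for the backup server at 10.1.24.137 to anyone who can read the repository. The `.rsc` export that the script uploads contains the same value. Treat the credential as exposed: rotate it and re-commit the file with the value replaced, e.g. `:local senha "<SFTP_PASSWORD>"`. Declaring host, user and password with `:local` rather than `:global` also keeps them out of the router's script environment once the run ends. Separately, every input-chain rule under `/ip firewall filter` in this file is `disabled=yes`, including the final `add action=drop chain=input`, while the IPv6 filter keeps its `drop-input` rule active; this looks unintended and should be confirmed before the export is used as a restore source.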


@@ -0,0 +1,492 @@
# 2025-12-05 12:31:39 by RouterOS 7.18.2
# software id = 1MXX-5Y0X
#
# model = CCR2004-16G-2S+
# serial number = HG809WX52HQ
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] advertise="10M-baseT-full,100M-baseT-fu\
ll,1G-baseT-full,1G-baseX,10G-baseT,10G-baseSR-LR,10G-baseCR"
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=sfp-sfpplus1 name=0024-GERENCIA-L2 vlan-id=24
add interface=sfp-sfpplus1 name=0025-VoIP-TR69 vlan-id=25
add interface=sfp-sfpplus1 name=0030-TIP-IXC vlan-id=30
add interface=sfp-sfpplus1 name=0041-Servicos-IPv4 vlan-id=41
add interface=sfp-sfpplus1 name=0124-GERENCIA-L3 vlan-id=124
add interface=sfp-sfpplus1 name=0610-Servicos-IPv6 vlan-id=610
add interface=sfp-sfpplus1 name=1441-itx-sw-hw-03 vlan-id=1441
add interface=sfp-sfpplus1 name=2133-OSPF-B1 vlan-id=2133
add interface=sfp-sfpplus1 name=2233-OSPF-B2 vlan-id=2233
/interface list
add name=OSPFv3
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=43 name=acs_ip value="0x011F'http://acs.fixfibra.com.br:7547'"
/ip dhcp-server option sets
add name=acs_ip options=acs_ip
/ip pool
add name=TR69 ranges=10.25.0.50-10.25.63.200
add name=pool1 ranges=198.18.0.1-198.18.0.4
/ip dhcp-server
add address-pool=TR69 dhcp-option-set=acs_ip interface=0025-VoIP-TR69 \
lease-time=1d name=025-Gestao_TR69
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes local-address=10.0.24.35 name=L2VPN remote-address=\
pool1 use-encryption=yes use-ipv6=no use-mpls=no
/routing id
add disabled=no id=10.0.24.34 name=OSPF select-dynamic-id=only-static
/routing ospf instance
add disabled=no name=ospf out-filter-chain=OSPF-OUT redistribute=\
connected,static
add disabled=no name=ospfv3 out-filter-chain=OSPFv3-OUT redistribute=\
connected version=3
/routing ospf area
add disabled=no instance=ospf name=ospf-area-0
add disabled=no instance=ospfv3 name=ospfv3-area-0
/snmp community
set [ find default=yes ] addresses=10.0.0.0/8 name=ctcorp-lan
/system logging action
set 3 target=echo
add name=Gray remote=10.0.24.69 remote-log-format=syslog src-address=\
10.0.24.35 target=remote
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=12h udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2VPN enabled=yes max-mru=1500 \
max-mtu=1500 use-ipsec=yes
/interface list member
add interface=2133-OSPF-B1 list=OSPFv3
add interface=2233-OSPF-B2 list=OSPFv3
add interface=0024-GERENCIA-L2 list=LAN
add interface=0124-GERENCIA-L3 list=LAN
add interface=0025-VoIP-TR69 list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:4C:24:17:C5:80 name=ovpn-server1
/ip address
add address=10.0.24.35/24 comment="## MGNT L2" interface=0024-GERENCIA-L2 \
network=10.0.24.0
add address=10.1.21.34/30 comment="### OSPF -VS01" interface=2133-OSPF-B1 \
network=10.1.21.32
add address=10.1.22.34/30 comment="### OSPF -VS02" interface=2233-OSPF-B2 \
network=10.1.22.32
add address=45.228.244.9/29 comment="## POOL - TIP e IXC" interface=\
0030-TIP-IXC network=45.228.244.8
add address=10.25.0.35/18 comment="## GATEWAY VoIP E TR069" interface=\
0025-VoIP-TR69 network=10.25.0.0
add address=45.228.244.97/27 comment="### GTW 0041" interface=\
0041-Servicos-IPv4 network=45.228.244.96
add address=10.1.24.35/24 interface=0124-GERENCIA-L3 network=10.1.24.0
add address=45.228.244.31 comment="### LOOPBACK" interface=lo network=\
45.228.244.31
add address=10.0.5.5/30 comment="### OSPF - SWCORE" interface=\
1441-itx-sw-hw-03 network=10.0.5.4
add address=45.228.244.30 comment="### LOOPBACK" interface=lo network=\
45.228.244.30
/ip dhcp-server network
add address=10.25.0.0/18 dhcp-option=acs_ip gateway=10.25.0.35
/ip dns
set servers=45.228.244.121,45.228.246.122
/ip firewall address-list
add address=10.0.0.0/8 comment="REDE INTERNA" list=rede_local
add address=10.25.0.0/18 comment="REDE VOZ" list=rede_local
add address=198.18.0.1 list=POOL-GERENCIA
add address=198.18.0.2 list=POOL-GERENCIA
add address=198.18.0.3 list=POOL-GERENCIA
add address=198.18.0.4 list=POOL-GERENCIA
add address=100.64.0.0/10 comment=CGNAT list=rede_local
add address=45.228.244.4 list=ACPT-INPUT
add address=10.1.24.0/24 list=ACPT-INPUT
add address=45.228.246.4 list=ACPT-INPUT
add address=10.0.24.0/24 list=ACPT-INPUT
add address=10.1.21.32/30 list=ACPT-INPUT
add address=10.1.22.32/30 list=ACPT-INPUT
add address=10.25.0.0/18 list=ACPT-INPUT
add address=45.228.244.8/29 list=ACPT-INPUT
add address=45.228.244.96/27 list=ACPT-INPUT
add address=45.228.244.121 list=DNS-SERVERs
add address=45.228.246.122 list=DNS-SERVERs
add address=45.228.244.101 list=DNS-SERVERs
add address=45.228.246.102 list=DNS-SERVERs
add address=45.228.244.96/27 list=zabbix-agent
add address=45.228.246.96/27 list=zabbix-agent
add address=45.228.244.101 list=CWPs
add address=45.228.246.102 list=CWPs
add address=10.25.0.25 list=GeniACS
add address=45.228.246.105 list=GeniACS
add address=45.228.244.10 list=Zeus
add address=45.228.244.12 list=Zeus
add address=45.228.244.11 list=Zeus
add address=45.228.244.8/29 list=SERVIDORES
add address=45.228.244.4 disabled=yes list=CONFIAVEIS
add address=10.1.24.0/24 list=CONFIAVEIS
add address=45.228.246.4 disabled=yes list=CONFIAVEIS
add address=10.0.24.0/24 list=CONFIAVEIS
add address=10.25.0.0/18 list=CONFIAVEIS
add address=45.228.244.8/29 disabled=yes list=CONFIAVEIS
add address=45.228.244.96/27 disabled=yes list=CONFIAVEIS
add address=45.228.244.8/29 list=0030-SERVIDORES
add address=45.228.246.96/27 disabled=yes list=CONFIAVEIS
add address=100.64.0.0/10 list=CONFIAVEIS
add address=45.228.244.96/27 list=SERVIDORES
add address=10.64.69.0/30 list=CONFIAVEIS
add address=10.0.24.0/24 list=LOCAL-VPN-NAT
add address=198.18.0.0/30 list=LOCAL-VPN-NAT
add address=10.0.5.4/30 list=ACPT-INPUT
add address=45.228.244.0/22 list=BLOCO-FIX
add address=45.228.246.96/27 list=SERVIDORES
add address=45.228.246.100 list=DNS-SERVERs
add address=45.228.245.0/24 list=ACS-CPEs
add address=45.228.247.0/24 list=ACS-CPEs
add address=10.25.0.0/18 list=ACS-CPEs
add address=45.228.244.0/22 list=CONFIAVEIS
add address=10.0.13.0/24 list=CONFIAVEIS
add address=45.228.244.30 list=SERVIDORES
add address=100.64.0.0/10 list=ACPT-INPUT
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Permit - ICMP Protocol" protocol=\
icmp
add action=accept chain=input comment="Permit - ICMP" protocol=icmp
add action=accept chain=input comment="Permit - OSPF Protocol" \
in-interface-list=OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - IPsec Ports" dst-port=\
500,4500,1701 protocol=udp
add action=accept chain=input comment="Permit - IPsec Protocol" protocol=\
ipsec-esp
add action=accept chain=forward comment="Permit - Upload Src" \
src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=tcp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=udp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - NTPSec" dst-address-list=\
DNS-SERVERs dst-port=123 log-prefix=ntp- protocol=udp src-address-list=\
CONFIAVEIS
add action=accept chain=forward comment="Permit - TCP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Permit - UDP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=udp
add action=accept chain=forward comment="Permit - TCP ACS" dst-address-list=\
GeniACS dst-port=7547 log-prefix=ACS- protocol=tcp src-address-list=\
ACS-CPEs
add action=accept chain=forward comment="Permit - UDP ACS" dst-address-list=\
GeniACS dst-port=7547 protocol=udp src-address-list=ACS-CPEs
add action=accept chain=forward comment="Permit -TCP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001 protocol=tcp
add action=accept chain=forward comment="Permit - UDP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001,3478,5514,8443,8080 \
protocol=udp
add action=accept chain=forward comment="Permit - UniFi NATed (TCP)" \
dst-address=10.0.24.145 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=forward comment="Permit - UniFi NATed (UDP)" \
dst-address=10.0.24.145 dst-port=123,3478,5514 protocol=udp
add action=accept chain=forward comment="Permit - Servicos" dst-address-list=\
SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - VLAN0030 All" \
dst-address-list=0030-SERVIDORES
add action=accept chain=input comment="Permit - Estab and Related" \
connection-state=established,related
add action=accept chain=input comment="Permit - L2TP Protocol" protocol=l2tp
add action=accept chain=input comment="Permit - DHCP Protocol" dst-port=67-68 \
in-interface=0025-VoIP-TR69 log-prefix=DHCP- protocol=udp
add action=accept chain=input comment="Permit - Unifi (TCP)" dst-address=\
45.228.244.30 dst-port=8443 protocol=tcp
add action=accept chain=input comment="Permit - Winbox Service" dst-port=8292 \
protocol=tcp src-address-list=ACPT-INPUT
add action=accept chain=input comment="Permit - Unifi (TCP) - External" \
dst-address=45.228.244.30 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=input comment="Permit - Unifi (UDP) - External" \
dst-address=45.228.244.30 dst-port=123,3478,5514 protocol=udp
add action=accept chain=input comment="Permit - Trusted" log-prefix=input- \
src-address-list=ACPT-INPUT
add action=accept chain=forward dst-address-list=CWPs
add action=drop chain=forward log-prefix=Drop-Ford-all-
add action=drop chain=input comment="DROP - GERAL" log-prefix=drop-input-
/ip firewall nat
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,443,6789,8080,8880,8843,8443 protocol=tcp \
to-addresses=10.0.24.145
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,3478 protocol=udp to-addresses=10.0.24.145
add action=src-nat chain=srcnat comment="UniFI - OUT" src-address=10.0.24.145 \
to-addresses=45.228.244.30
add action=src-nat chain=srcnat comment="Default NAT - VLAN 24" dst-address=\
!10.0.0.0/8 protocol=!ospf src-address-list=LOCAL-VPN-NAT to-addresses=\
45.228.244.31
add action=src-nat chain=srcnat comment=\
"#### NAT DA VPN PARA ACESSO A GERENCIA 10.0.24.0/24" dst-address=\
10.0.24.0/24 src-address-list=POOL-GERENCIA to-addresses=10.0.24.35
add action=src-nat chain=srcnat comment="## Regra UPDATE" disabled=yes \
dst-address=!10.0.0.0/8 protocol=!ospf to-addresses=45.228.244.31
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.8/29 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.16/28 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.64/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.96/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.0.13.0/24 gateway=10.0.24.23 routing-table=\
main suppress-hw-offload=no
/ipv6 route
add blackhole disabled=no distance=255 dst-address=2804:47e4:8002::/64 \
gateway="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add blackhole disabled=no distance=255 dst-address=2804:47e4:1::/64 gateway=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet address=10.0.0.0/8 disabled=yes port=2323
set ftp disabled=yes
set www address=2804:47e4:8c0::/48 disabled=yes port=8080
set ssh disabled=yes port=9022
set api address=10.0.0.0/8 disabled=yes
set winbox address=\
45.228.244.0/22,10.0.0.0/8,198.18.0.0/30,2804:47e4:8c0::/48 port=8292
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc,null forwarding-enabled=remote
/ip traffic-flow
set cache-entries=64k interfaces=2233-OSPF-B2
/ip traffic-flow target
add dst-address=10.0.24.128 port=9996 src-address=10.0.24.33 version=5
/ip upnp
set show-dummy-rule=no
/ipv6 address
add address=2804:47e4:0:1::12/126 advertise=no interface=2133-OSPF-B1
add address=2804:47e4:8000:1::12/126 advertise=no interface=2233-OSPF-B2
add address=2804:47e4:1::35 advertise=no comment=\
"# # Desativar o Advertase e depois desativar ND | BUG com Firewall" \
interface=0610-Servicos-IPv6
add address=2804:47e4:0:1::25/126 advertise=no interface=0024-GERENCIA-L2
/ipv6 firewall address-list
add address=2804:47e4::/32 list=FIX-MeuBloco
add address=2804:47e4:1::141/128 list=ACL-hosepdage
add address=2804:47e4:8002::142/128 list=ACL-hosepdage
add address=2804:47e4:1::125/128 list=ACL-hosepdage
add address=2804:47e4:1::122/128 list=ACL-hosepdage
add address=2804:47e4::/32 list=CONFIAVEIS
add address=2804:47e4:8002::/64 list=SERVIDORES
add address=2804:47e4:1::/64 list=SERVIDORES
add address=2804:47e4:1::120/128 list=DNS-SERVER
add address=2804:47e4:8002::124/128 list=DNS-SERVER
add address=2804:47e4:0:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8000:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8002::230/128 list=DNS-SERVER
add address=2804:47e4:8002::145/128 list=ACL-hosepdage
/ipv6 firewall filter
add action=accept chain=forward comment="Permit - ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="Permit - Established, related" \
connection-state=established,related
add action=accept chain=forward comment="Permit - DNS (udp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=udp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - DNS (tcp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=tcp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - Upload" src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - All (excecao)" \
dst-address-list=ACL-hosepdage
add action=accept chain=forward comment="Permit - Web (tcp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,6789,8080,8443,8880 \
protocol=tcp
add action=accept chain=forward comment="Permit - Servicos (all)" \
dst-address-list=SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - Web (udp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,8080,8443,8880 \
protocol=udp
add action=accept chain=input comment=ICMPV6 protocol=icmpv6
add action=accept chain=input comment="Permit - OSFPv3" in-interface-list=\
OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - Link Local" src-address=\
fe80::/10
add action=accept chain=input comment="Permit - Winbox" dst-port=8292 \
protocol=tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - SSH" dst-port=9022 protocol=\
tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - input - estab, related" \
connection-state=established,related
add action=drop chain=forward comment="Drop - All" log-prefix=telic-
add action=drop chain=input log-prefix=drop-input-
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=0610-Servicos-IPv6 \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=2233-OSPF-B2 managed-address-configuration=yes
add advertise-dns=no interface=2133-OSPF-B1 managed-address-configuration=yes
/ppp aaa
set use-radius=yes
/ppp secret
add name=andrefix profile=L2VPN service=l2tp
add name=danielfix profile=L2VPN service=l2tp
/radius
add address=10.1.24.138 service=login src-address=10.1.24.35
/radius incoming
set accept=yes
/routing bfd configuration
add disabled=yes interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing filter rule
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.8/29 && dst-len > 29) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.16/28 && dst-len > 28) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.96/27 && dst-len > 27) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 10.25.0.0/18 && dst-len > 18) {reject} else {accept}"
add chain=OSPFv3-OUT disabled=no rule=\
"if (dst in 2804:47e4:1::/64 && dst-len > 64) {reject} else {accept}"
/routing ospf area range
add area=ospf-area-0 disabled=no prefix=10.25.0.0/18
add area=ospf-area-0 disabled=no prefix=45.228.244.96/27
add area=ospf-area-0 disabled=no prefix=45.228.244.16/28
add area=ospf-area-0 disabled=no prefix=45.228.244.8/29
/routing ospf interface-template
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=20 disabled=no \
interfaces=2133-OSPF-B1 networks=10.1.21.32/30 priority=1 type=ptp
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=100 disabled=no \
interfaces=2233-OSPF-B2 networks=10.1.22.32/30 priority=1 type=ptp
add area=ospfv3-area-0 cost=20 disabled=no interfaces=2133-OSPF-B1 priority=1 \
type=ptp
add area=ospfv3-area-0 cost=100 disabled=no interfaces=2233-OSPF-B2 priority=\
1 type=ptp
add area=ospf-area-0 disabled=no interfaces=all passive
add area=ospfv3-area-0 disabled=no interfaces=all passive
/snmp
set contact="FIX FIBRA" enabled=yes location=\
"\"R. Presidente Prudente, 496,Diadema,SP,BR\"" trap-version=2
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=NAT01-CCR2004
/system logging
set 0 topics=info,!dhcp
add action=echo disabled=yes prefix=test_ topics=\
debug,dhcp,!radvd,!dhcp,!ospf
add action=echo disabled=yes prefix=Firewall topics=debug,!radvd,!snmp
add action=Gray prefix=CRI topics=critical
add action=Gray prefix=BK topics=backup
add action=Gray prefix=INFO topics=info
add action=Gray prefix=WARM topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.24.124
add address=200.20.186.76
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add name=atualizacao on-event="/system reboot" policy=reboot start-date=\
2025-03-18 start-time=05:30:50
add interval=2d name=backup-ftp on-event=backup-ftp policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2025-12-03 start-time=01:00:00
/system script
add dont-require-permissions=yes name=backup-ftp owner=otaviofix policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log warning \"***************************************\"\
\n# Conexao SFTP\
\n:global host 2804:47e4:1::137\
\n:global usuario backups\
\n:global senha backups@fixfibra2@\
\n:global diretorio /SFTP/backups/mikrotik/router/NAT01\
\n# Pega o nome do Router\
\n:global identifica [/system identity get name]\
\n# Gera data no formato AAAA-MM-DD\
\n:global data [/system clock get date]\
\n:global ano [:pick \$data 0 4]\
\n:global mes [:pick \$data 5 7]\
\n:global dia [:pick \$data 8 10]\
\n\
\n:log info \"Gerando backup: \$dia-\$mes-\$ano.\$identifica.backup\";\
\n/system backup save name=\"\$dia-\$mes-\$ano.\$identifica\";\
\n:log info \"Gerando export: \$dia-\$mes-\$ano.\$identifica.rsc\";\
\n/export file=\"\$dia-\$mes-\$ano.\$identifica\"\
\n:log info \"Processando...\";\
\n:delay 5s\
\n\
\n:log info \"Conectando SFTP Server...\";\
\n:log info \"Enviando Backup [\$dia-\$mes-\$ano.\$identifica.backup] ...\
\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.bac\
kup\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sf\
tp dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.backup\"\
\n:log info \"Enviando Export [\$dia-\$mes-\$ano.\$identifica.rsc] ...\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.rsc\
\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sftp \
dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:delay 1\
\n\
\n:log info \"Backup enviado com sucesso...\";\
\n:log info \"Removendo arquivos...\";\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.backup\"\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:log info \"Rotina de backup finalizada...\";\
\n:log warning \"***************************************\";"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from=noc.fix@fixfibra.com. port=587 server=smtp.gmail.com user=\
noc.fix@fixfibra.com.b
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=static
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
/user aaa
set use-radius=yes

Binary file not shown.


@@ -0,0 +1,492 @@
# 2025-12-07 01:00:00 by RouterOS 7.18.2
# software id = 1MXX-5Y0X
#
# model = CCR2004-16G-2S+
# serial number = HG809WX52HQ
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] advertise="10M-baseT-full,100M-baseT-fu\
ll,1G-baseT-full,1G-baseX,10G-baseT,10G-baseSR-LR,10G-baseCR"
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=sfp-sfpplus1 name=0024-GERENCIA-L2 vlan-id=24
add interface=sfp-sfpplus1 name=0025-VoIP-TR69 vlan-id=25
add interface=sfp-sfpplus1 name=0030-TIP-IXC vlan-id=30
add interface=sfp-sfpplus1 name=0041-Servicos-IPv4 vlan-id=41
add interface=sfp-sfpplus1 name=0124-GERENCIA-L3 vlan-id=124
add interface=sfp-sfpplus1 name=0610-Servicos-IPv6 vlan-id=610
add interface=sfp-sfpplus1 name=1441-itx-sw-hw-03 vlan-id=1441
add interface=sfp-sfpplus1 name=2133-OSPF-B1 vlan-id=2133
add interface=sfp-sfpplus1 name=2233-OSPF-B2 vlan-id=2233
/interface list
add name=OSPFv3
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=43 name=acs_ip value="0x011F'http://acs.fixfibra.com.br:7547'"
/ip dhcp-server option sets
add name=acs_ip options=acs_ip
/ip pool
add name=TR69 ranges=10.25.0.50-10.25.63.200
add name=pool1 ranges=198.18.0.1-198.18.0.4
/ip dhcp-server
add address-pool=TR69 dhcp-option-set=acs_ip interface=0025-VoIP-TR69 \
lease-time=1d name=025-Gestao_TR69
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes local-address=10.0.24.35 name=L2VPN remote-address=\
pool1 use-encryption=yes use-ipv6=no use-mpls=no
/routing id
add disabled=no id=10.0.24.34 name=OSPF select-dynamic-id=only-static
/routing ospf instance
add disabled=no name=ospf out-filter-chain=OSPF-OUT redistribute=\
connected,static
add disabled=no name=ospfv3 out-filter-chain=OSPFv3-OUT redistribute=\
connected version=3
/routing ospf area
add disabled=no instance=ospf name=ospf-area-0
add disabled=no instance=ospfv3 name=ospfv3-area-0
/snmp community
set [ find default=yes ] addresses=10.0.0.0/8 name=ctcorp-lan
/system logging action
set 3 target=echo
add name=Gray remote=10.0.24.69 remote-log-format=syslog src-address=\
10.0.24.35 target=remote
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=12h udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2VPN enabled=yes max-mru=1500 \
max-mtu=1500 use-ipsec=yes
/interface list member
add interface=2133-OSPF-B1 list=OSPFv3
add interface=2233-OSPF-B2 list=OSPFv3
add interface=0024-GERENCIA-L2 list=LAN
add interface=0124-GERENCIA-L3 list=LAN
add interface=0025-VoIP-TR69 list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:4C:24:17:C5:80 name=ovpn-server1
/ip address
add address=10.0.24.35/24 comment="## MGNT L2" interface=0024-GERENCIA-L2 \
network=10.0.24.0
add address=10.1.21.34/30 comment="### OSPF -VS01" interface=2133-OSPF-B1 \
network=10.1.21.32
add address=10.1.22.34/30 comment="### OSPF -VS02" interface=2233-OSPF-B2 \
network=10.1.22.32
add address=45.228.244.9/29 comment="## POOL - TIP e IXC" interface=\
0030-TIP-IXC network=45.228.244.8
add address=10.25.0.35/18 comment="## GATEWAY VoIP E TR069" interface=\
0025-VoIP-TR69 network=10.25.0.0
add address=45.228.244.97/27 comment="### GTW 0041" interface=\
0041-Servicos-IPv4 network=45.228.244.96
add address=10.1.24.35/24 interface=0124-GERENCIA-L3 network=10.1.24.0
add address=45.228.244.31 comment="### LOOPBACK" interface=lo network=\
45.228.244.31
add address=10.0.5.5/30 comment="### OSPF - SWCORE" interface=\
1441-itx-sw-hw-03 network=10.0.5.4
add address=45.228.244.30 comment="### LOOPBACK" interface=lo network=\
45.228.244.30
/ip dhcp-server network
add address=10.25.0.0/18 dhcp-option=acs_ip gateway=10.25.0.35
/ip dns
set servers=45.228.244.121,45.228.246.122
/ip firewall address-list
add address=10.0.0.0/8 comment="REDE INTERNA" list=rede_local
add address=10.25.0.0/18 comment="REDE VOZ" list=rede_local
add address=198.18.0.1 list=POOL-GERENCIA
add address=198.18.0.2 list=POOL-GERENCIA
add address=198.18.0.3 list=POOL-GERENCIA
add address=198.18.0.4 list=POOL-GERENCIA
add address=100.64.0.0/10 comment=CGNAT list=rede_local
add address=45.228.244.4 list=ACPT-INPUT
add address=10.1.24.0/24 list=ACPT-INPUT
add address=45.228.246.4 list=ACPT-INPUT
add address=10.0.24.0/24 list=ACPT-INPUT
add address=10.1.21.32/30 list=ACPT-INPUT
add address=10.1.22.32/30 list=ACPT-INPUT
add address=10.25.0.0/18 list=ACPT-INPUT
add address=45.228.244.8/29 list=ACPT-INPUT
add address=45.228.244.96/27 list=ACPT-INPUT
add address=45.228.244.121 list=DNS-SERVERs
add address=45.228.246.122 list=DNS-SERVERs
add address=45.228.244.101 list=DNS-SERVERs
add address=45.228.246.102 list=DNS-SERVERs
add address=45.228.244.96/27 list=zabbix-agent
add address=45.228.246.96/27 list=zabbix-agent
add address=45.228.244.101 list=CWPs
add address=45.228.246.102 list=CWPs
add address=10.25.0.25 list=GeniACS
add address=45.228.246.105 list=GeniACS
add address=45.228.244.10 list=Zeus
add address=45.228.244.12 list=Zeus
add address=45.228.244.11 list=Zeus
add address=45.228.244.8/29 list=SERVIDORES
add address=45.228.244.4 disabled=yes list=CONFIAVEIS
add address=10.1.24.0/24 list=CONFIAVEIS
add address=45.228.246.4 disabled=yes list=CONFIAVEIS
add address=10.0.24.0/24 list=CONFIAVEIS
add address=10.25.0.0/18 list=CONFIAVEIS
add address=45.228.244.8/29 disabled=yes list=CONFIAVEIS
add address=45.228.244.96/27 disabled=yes list=CONFIAVEIS
add address=45.228.244.8/29 list=0030-SERVIDORES
add address=45.228.246.96/27 disabled=yes list=CONFIAVEIS
add address=100.64.0.0/10 list=CONFIAVEIS
add address=45.228.244.96/27 list=SERVIDORES
add address=10.64.69.0/30 list=CONFIAVEIS
add address=10.0.24.0/24 list=LOCAL-VPN-NAT
add address=198.18.0.0/30 list=LOCAL-VPN-NAT
add address=10.0.5.4/30 list=ACPT-INPUT
add address=45.228.244.0/22 list=BLOCO-FIX
add address=45.228.246.96/27 list=SERVIDORES
add address=45.228.246.100 list=DNS-SERVERs
add address=45.228.245.0/24 list=ACS-CPEs
add address=45.228.247.0/24 list=ACS-CPEs
add address=10.25.0.0/18 list=ACS-CPEs
add address=45.228.244.0/22 list=CONFIAVEIS
add address=10.0.13.0/24 list=CONFIAVEIS
add address=45.228.244.30 list=SERVIDORES
add address=100.64.0.0/10 list=ACPT-INPUT
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Permit - ICMP Protocol" protocol=\
icmp
add action=accept chain=input comment="Permit - ICMP" protocol=icmp
add action=accept chain=input comment="Permit - OSPF Protocol" \
in-interface-list=OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - IPsec Ports" dst-port=\
500,4500,1701 protocol=udp
add action=accept chain=input comment="Permit - IPsec Protocol" protocol=\
ipsec-esp
add action=accept chain=forward comment="Permit - Upload Src" \
src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=tcp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - DNS" dst-address-list=\
DNS-SERVERs dst-port=53 protocol=udp src-address-list=CONFIAVEIS
add action=accept chain=forward comment="Permit - NTPSec" dst-address-list=\
DNS-SERVERs dst-port=123 log-prefix=ntp- protocol=udp src-address-list=\
CONFIAVEIS
add action=accept chain=forward comment="Permit - TCP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Permit - UDP HTTPs" \
dst-address-list=SERVIDORES dst-port=80,443 protocol=udp
add action=accept chain=forward comment="Permit - TCP ACS" dst-address-list=\
GeniACS dst-port=7547 log-prefix=ACS- protocol=tcp src-address-list=\
ACS-CPEs
add action=accept chain=forward comment="Permit - UDP ACS" dst-address-list=\
GeniACS dst-port=7547 protocol=udp src-address-list=ACS-CPEs
add action=accept chain=forward comment="Permit -TCP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001 protocol=tcp
add action=accept chain=forward comment="Permit - UDP Others" \
dst-address-list=SERVIDORES dst-port=3000,3001,3478,5514,8443,8080 \
protocol=udp
add action=accept chain=forward comment="Permit - UniFi NATed (TCP)" \
dst-address=10.0.24.145 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=forward comment="Permit - UniFi NATed (UDP)" \
dst-address=10.0.24.145 dst-port=123,3478,5514 protocol=udp
add action=accept chain=forward comment="Permit - Servicos" dst-address-list=\
SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - VLAN0030 All" \
dst-address-list=0030-SERVIDORES
add action=accept chain=input comment="Permit - Estab and Related" \
connection-state=established,related
add action=accept chain=input comment="Permit - L2TP Protocol" protocol=l2tp
add action=accept chain=input comment="Permit - DHCP Protocol" dst-port=67-68 \
in-interface=0025-VoIP-TR69 log-prefix=DHCP- protocol=udp
add action=accept chain=input comment="Permit - Unifi (TCP)" dst-address=\
45.228.244.30 dst-port=8443 protocol=tcp
add action=accept chain=input comment="Permit - Winbox Service" dst-port=8292 \
protocol=tcp src-address-list=ACPT-INPUT
add action=accept chain=input comment="Permit - Unifi (TCP) - External" \
dst-address=45.228.244.30 dst-port=80,6789,8080,8880,8843,27117 protocol=\
tcp
add action=accept chain=input comment="Permit - Unifi (UDP) - External" \
dst-address=45.228.244.30 dst-port=123,3478,5514 protocol=udp
add action=accept chain=input comment="Permit - Trusted" log-prefix=input- \
src-address-list=ACPT-INPUT
add action=accept chain=forward dst-address-list=CWPs
add action=drop chain=forward log-prefix=Drop-Ford-all-
add action=drop chain=input comment="DROP - GERAL" log-prefix=drop-input-
/ip firewall nat
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,443,6789,8080,8880,8843,8443 protocol=tcp \
to-addresses=10.0.24.145
add action=dst-nat chain=dstnat comment="UnifiControler - IN" dst-address=\
45.228.244.30 dst-port=80,3478 protocol=udp to-addresses=10.0.24.145
add action=src-nat chain=srcnat comment="UniFI - OUT" src-address=10.0.24.145 \
to-addresses=45.228.244.30
add action=src-nat chain=srcnat comment="Default NAT - VLAN 24" dst-address=\
!10.0.0.0/8 protocol=!ospf src-address-list=LOCAL-VPN-NAT to-addresses=\
45.228.244.31
add action=src-nat chain=srcnat comment=\
"#### NAT DA VPN PARA ACESSO A GERENCIA 10.0.24.0/24" dst-address=\
10.0.24.0/24 src-address-list=POOL-GERENCIA to-addresses=10.0.24.35
add action=src-nat chain=srcnat comment="## Regra UPDATE" disabled=yes \
dst-address=!10.0.0.0/8 protocol=!ospf to-addresses=45.228.244.31
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.8/29 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.16/28 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.64/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add blackhole comment=Blackhole disabled=no distance=255 dst-address=\
45.228.244.96/27 gateway="" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.0.13.0/24 gateway=10.0.24.23 routing-table=\
main suppress-hw-offload=no
/ipv6 route
add blackhole disabled=no distance=255 dst-address=2804:47e4:8002::/64 \
gateway="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add blackhole disabled=no distance=255 dst-address=2804:47e4:1::/64 gateway=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet address=10.0.0.0/8 disabled=yes port=2323
set ftp disabled=yes
set www address=2804:47e4:8c0::/48 disabled=yes port=8080
set ssh disabled=yes port=9022
set api address=10.0.0.0/8 disabled=yes
set winbox address=\
45.228.244.0/22,10.0.0.0/8,198.18.0.0/30,2804:47e4:8c0::/48 port=8292
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc,null forwarding-enabled=remote
/ip traffic-flow
set cache-entries=64k interfaces=2233-OSPF-B2
/ip traffic-flow target
add dst-address=10.0.24.128 port=9996 src-address=10.0.24.33 version=5
/ip upnp
set show-dummy-rule=no
/ipv6 address
add address=2804:47e4:0:1::12/126 advertise=no interface=2133-OSPF-B1
add address=2804:47e4:8000:1::12/126 advertise=no interface=2233-OSPF-B2
add address=2804:47e4:1::35 advertise=no comment=\
"# # Desativar o Advertase e depois desativar ND | BUG com Firewall" \
interface=0610-Servicos-IPv6
add address=2804:47e4:0:1::25/126 advertise=no interface=0024-GERENCIA-L2
/ipv6 firewall address-list
add address=2804:47e4::/32 list=FIX-MeuBloco
add address=2804:47e4:1::141/128 list=ACL-hosepdage
add address=2804:47e4:8002::142/128 list=ACL-hosepdage
add address=2804:47e4:1::125/128 list=ACL-hosepdage
add address=2804:47e4:1::122/128 list=ACL-hosepdage
add address=2804:47e4::/32 list=CONFIAVEIS
add address=2804:47e4:8002::/64 list=SERVIDORES
add address=2804:47e4:1::/64 list=SERVIDORES
add address=2804:47e4:1::120/128 list=DNS-SERVER
add address=2804:47e4:8002::124/128 list=DNS-SERVER
add address=2804:47e4:0:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8000:1::12/128 list=INPUT-OSPFv3
add address=2804:47e4:8002::230/128 list=DNS-SERVER
add address=2804:47e4:8002::145/128 list=ACL-hosepdage
/ipv6 firewall filter
add action=accept chain=forward comment="Permit - ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="Permit - Established, related" \
connection-state=established,related
add action=accept chain=forward comment="Permit - DNS (udp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=udp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - DNS (tcp)" \
dst-address-list=DNS-SERVER dst-port=53 protocol=tcp src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - Upload" src-address-list=\
FIX-MeuBloco
add action=accept chain=forward comment="Permit - All (excecao)" \
dst-address-list=ACL-hosepdage
add action=accept chain=forward comment="Permit - Web (tcp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,6789,8080,8443,8880 \
protocol=tcp
add action=accept chain=forward comment="Permit - Servicos (all)" \
dst-address-list=SERVIDORES src-address-list=SERVIDORES
add action=accept chain=forward comment="Permit - Web (udp)" \
dst-address-list=SERVIDORES dst-port=443,3000,3001,8080,8443,8880 \
protocol=udp
add action=accept chain=input comment=ICMPV6 protocol=icmpv6
add action=accept chain=input comment="Permit - OSFPv3" in-interface-list=\
OSPFv3 protocol=ospf
add action=accept chain=input comment="Permit - Link Local" src-address=\
fe80::/10
add action=accept chain=input comment="Permit - Winbox" dst-port=8292 \
protocol=tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - SSH" dst-port=9022 protocol=\
tcp src-address-list=FIX-MeuBloco
add action=accept chain=input comment="Permit - input - estab, related" \
connection-state=established,related
add action=drop chain=forward comment="Drop - All" log-prefix=telic-
add action=drop chain=input log-prefix=drop-input-
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=0610-Servicos-IPv6 \
managed-address-configuration=yes ra-preference=high
add advertise-dns=no interface=2233-OSPF-B2 managed-address-configuration=yes
add advertise-dns=no interface=2133-OSPF-B1 managed-address-configuration=yes
/ppp aaa
set use-radius=yes
/ppp secret
add name=andrefix profile=L2VPN service=l2tp
add name=danielfix profile=L2VPN service=l2tp
/radius
add address=10.1.24.138 service=login src-address=10.1.24.35
/radius incoming
set accept=yes
/routing bfd configuration
add disabled=yes interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing filter rule
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.8/29 && dst-len > 29) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.16/28 && dst-len > 28) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 45.228.244.96/27 && dst-len > 27) {reject} else {accept}"
add chain=OSPF-OUT disabled=no rule=\
"if (dst in 10.25.0.0/18 && dst-len > 18) {reject} else {accept}"
add chain=OSPFv3-OUT disabled=no rule=\
"if (dst in 2804:47e4:1::/64 && dst-len > 64) {reject} else {accept}"
/routing ospf area range
add area=ospf-area-0 disabled=no prefix=10.25.0.0/18
add area=ospf-area-0 disabled=no prefix=45.228.244.96/27
add area=ospf-area-0 disabled=no prefix=45.228.244.16/28
add area=ospf-area-0 disabled=no prefix=45.228.244.8/29
/routing ospf interface-template
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=20 disabled=no \
interfaces=2133-OSPF-B1 networks=10.1.21.32/30 priority=1 type=ptp
add area=ospf-area-0 auth=md5 auth-id=1 auth-key=123456 cost=100 disabled=no \
interfaces=2233-OSPF-B2 networks=10.1.22.32/30 priority=1 type=ptp
add area=ospfv3-area-0 cost=20 disabled=no interfaces=2133-OSPF-B1 priority=1 \
type=ptp
add area=ospfv3-area-0 cost=100 disabled=no interfaces=2233-OSPF-B2 priority=\
1 type=ptp
add area=ospf-area-0 disabled=no interfaces=all passive
add area=ospfv3-area-0 disabled=no interfaces=all passive
/snmp
set contact="FIX FIBRA" enabled=yes location=\
"\"R. Presidente Prudente, 496,Diadema,SP,BR\"" trap-version=2
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=NAT01-CCR2004
/system logging
set 0 topics=info,!dhcp
add action=echo disabled=yes prefix=test_ topics=\
debug,dhcp,!radvd,!dhcp,!ospf
add action=echo disabled=yes prefix=Firewall topics=debug,!radvd,!snmp
add action=Gray prefix=CRI topics=critical
add action=Gray prefix=BK topics=backup
add action=Gray prefix=INFO topics=info
add action=Gray prefix=WARM topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.24.124
add address=200.20.186.76
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add name=atualizacao on-event="/system reboot" policy=reboot start-date=\
2025-03-18 start-time=05:30:50
add interval=2d name=backup-ftp on-event=backup-ftp policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2025-12-03 start-time=01:00:00
/system script
add dont-require-permissions=yes name=backup-ftp owner=otaviofix policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log warning \"***************************************\"\
\n# Conexao SFTP\
\n:global host 2804:47e4:1::137\
\n:global usuario backups\
\n:global senha backups@fixfibra2@\
\n:global diretorio /SFTP/backups/mikrotik/router/NAT01\
\n# Pega o nome do Router\
\n:global identifica [/system identity get name]\
\n# Gera data no formato AAAA-MM-DD\
\n:global data [/system clock get date]\
\n:global ano [:pick \$data 0 4]\
\n:global mes [:pick \$data 5 7]\
\n:global dia [:pick \$data 8 10]\
\n\
\n:log info \"Gerando backup: \$dia-\$mes-\$ano.\$identifica.backup\";\
\n/system backup save name=\"\$dia-\$mes-\$ano.\$identifica\";\
\n:log info \"Gerando export: \$dia-\$mes-\$ano.\$identifica.rsc\";\
\n/export file=\"\$dia-\$mes-\$ano.\$identifica\"\
\n:log info \"Processando...\";\
\n:delay 5s\
\n\
\n:log info \"Conectando SFTP Server...\";\
\n:log info \"Enviando Backup [\$dia-\$mes-\$ano.\$identifica.backup] ...\
\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.bac\
kup\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sf\
tp dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.backup\"\
\n:log info \"Enviando Export [\$dia-\$mes-\$ano.\$identifica.rsc] ...\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.rsc\
\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sftp \
dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:delay 1\
\n\
\n:log info \"Backup enviado com sucesso...\";\
\n:log info \"Removendo arquivos...\";\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.backup\"\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:log info \"Rotina de backup finalizada...\";\
\n:log warning \"***************************************\";"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from=noc.fix@fixfibra.com. port=587 server=smtp.gmail.com user=\
noc.fix@fixfibra.com.b
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=static
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
/user aaa
set use-radius=yes
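Review bot: The `backup-ftp` script source stores the SFTP account's password in clear text (the `:global senha …` line), so every export committed here publishes a working credential for the backup server along with its address and port; the OSPF `auth-key=123456` on both `ospf-area-0` interface templates is exposed the same way and is a trivially guessable key. The credential should be treated as disclosed and rotated, and the committed copy redacted before it is pushed, e.g. `\n:global senha <REDACTED>\`, with the repository history rewritten because the value is already in this first commit. Inside the script, `:local` instead of `:global` would keep the password from remaining in the script environment after the run, and `dont-require-permissions=yes` combined with the full policy list is broader than an upload job appears to need. The same lines are present in the 2025-12-03 export earlier on this page.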

Binary file not shown.


@@ -0,0 +1,619 @@
# 2025-12-05 11:50:43 by RouterOS 7.20.5
# software id = HSR5-2Z4K
#
# model = RB4011iGS+
# serial number = D4440C82B0CE
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PoEIN
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether10 ] name=ether10-PoE-Out poe-out=off
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
"Sede x DataCom"
/interface vlan
add interface=sfp-sfpplus1 name=vlanif_13 vlan-id=13
add interface=sfp-sfpplus1 name=vlanif_24 vlan-id=24
add interface=sfp-sfpplus1 name=vlanif_26 vlan-id=26
add interface=sfp-sfpplus1 name=vlanif_69 vlan-id=69
add interface=sfp-sfpplus1 name=vlanif_70 vlan-id=70
add interface=sfp-sfpplus1 name=vlanif_71 vlan-id=71
add interface=sfp-sfpplus1 name=vlanif_72 vlan-id=72
add interface=sfp-sfpplus1 name=vlanif_124 vlan-id=124
add comment=uplink-vs01-IPv6 interface=sfp-sfpplus1 name=vlanif_199 vlan-id=\
199
add comment=uplink-vs02-IPv4 interface=sfp-sfpplus1 name=vlanif_299 vlan-id=\
299
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=069_SEDE_ADM ranges=192.168.0.50-192.168.0.220
add name=070_pool_TI_NOC ranges=192.168.70.50-192.168.70.100
add name=071_REDE_CELULARES ranges=192.168.71.50-192.168.71.200
add name=013-iOT-30-99 ranges=10.0.13.30-10.0.13.99
add name=013-iOT-150-199 ranges=10.0.13.150-10.0.13.199
add name=072-Hotspot-Unifi ranges=192.168.72.50-192.168.72.200
/ip dhcp-server
add address-pool=069_SEDE_ADM interface=vlanif_69 lease-time=1w name=\
069_SEDE_FIX
add address-pool=070_pool_TI_NOC interface=vlanif_70 lease-time=1w name=\
070_DHCP_TI_NOC
add address-pool=071_REDE_CELULARES disabled=yes interface=vlanif_71 \
lease-time=8h name=071_DHCP_SEDE_OUTROS
add add-arp=yes address-pool=013-iOT-30-99 interface=vlanif_13 lease-time=8h \
name=013-iOT
add add-arp=yes address-pool=072-Hotspot-Unifi interface=vlanif_72 \
lease-time=2h name=072-DHCP-HOTSPOT
/ipv6 pool
add name=v6_pool_LAN prefix=2804:47e4:8c0:3000::/52 prefix-length=64
add name=v6_pool_LAN_NOC prefix=2804:47e4:8c0:1000::/52 prefix-length=64
add name=v6_pool_LAN_CELULARES prefix=2804:47e4:8c0:2000::/52 prefix-length=\
64
add name=v6_pool_013_iot prefix=2804:47e4:8c0:4000::/52 prefix-length=64
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=no local-address=192.168.70.2 name=L2TP_NOC \
remote-address=070_pool_TI_NOC remote-ipv6-prefix-pool=v6_pool_LAN_NOC \
use-compression=no use-encryption=yes use-mpls=no use-upnp=no
add change-tcp-mss=no local-address=192.168.0.2 name=L2TP rate-limit=\
15MB/15MB remote-address=069_SEDE_ADM remote-ipv6-prefix-pool=v6_pool_LAN \
use-compression=no use-encryption=yes use-mpls=no use-upnp=no
/snmp community
set [ find default=yes ] name=ctcorp-lan
/system logging action
add name=Gray remote=10.0.24.69 remote-log-format=syslog src-address=\
10.0.24.23 target=remote
/disk settings
set auto-media-interface=*D auto-media-sharing=yes auto-smb-sharing=yes
/ip firewall connection tracking
set enabled=yes tcp-established-timeout=12h udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP enabled=yes keepalive-timeout=\
disabled max-mru=1500 max-mtu=1500 use-ipsec=required
/ip address
add address=10.0.24.23/24 interface=vlanif_24 network=10.0.24.0
add address=192.168.0.2/24 interface=vlanif_69 network=192.168.0.0
add address=10.0.13.23/24 interface=vlanif_13 network=10.0.13.0
add address=172.31.32.22/30 comment="Enlace B2" interface=vlanif_299 network=\
172.31.32.20
add address=172.31.31.22/30 comment="Enlace B1" interface=vlanif_199 network=\
172.31.31.20
add address=10.1.24.23/24 interface=vlanif_124 network=10.1.24.0
add address=192.168.70.2/24 interface=vlanif_70 network=192.168.70.0
add address=192.168.100.2/24 interface=vlanif_71 network=192.168.100.0
add address=45.228.244.4 interface=lo network=45.228.244.4
add address=45.228.246.4 interface=lo network=45.228.246.4
add address=10.0.26.23/24 interface=vlanif_26 network=10.0.26.0
add address=192.168.72.2/24 comment="GATEWAY HOTSPOT UNFI" interface=\
vlanif_72 network=192.168.72.0
add address=10.0.70.1/30 comment=fiore-teste interface=*1C network=10.0.70.0
add address=10.0.70.1/30 interface=*1D network=10.0.70.0
/ip arp
add address=10.0.13.95 comment=P2-SensorDeFase-Preta interface=vlanif_13 \
mac-address=18:DE:50:A4:6A:F6
add address=192.168.0.78 interface=vlanif_69 mac-address=98:E5:5B:1F:D5:C4
/ip cloud
set update-time=no
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1-PoEIN
/ip dhcp-server lease
add address=192.168.0.5 client-id=1:44:3b:32:52:67:5 comment=DVR mac-address=\
44:3B:32:52:67:05 server=069_SEDE_FIX
add address=192.168.0.7 client-id=1:dc:a6:32:99:e5:ac comment="TV NOC" \
mac-address=DC:A6:32:99:E5:AC server=069_SEDE_FIX
add address=192.168.0.9 client-id=1:c:96:e6:22:6a:9c comment="impressroa hp" \
mac-address=0C:96:E6:22:6A:9C server=069_SEDE_FIX
add address=192.168.0.12 comment="Impressora XEROX" mac-address=\
9C:93:4E:6D:39:E1 server=069_SEDE_FIX
add address=192.168.0.24 client-id=1:0:c:29:a8:3d:34 comment=\
"Servidor microsfot" mac-address=00:0C:29:A8:3D:34 server=069_SEDE_FIX
add address=192.168.0.41 client-id=1:24:52:6a:45:7:1 comment="NVR da SEDE" \
mac-address=24:52:6A:45:07:01 server=069_SEDE_FIX
add address=192.168.0.20 comment="#SW_2_andar - AP refeitorio" mac-address=\
00:00:00:00:00:20 server=069_SEDE_FIX
add address=192.168.0.105 client-id=1:44:3b:32:86:2d:7e comment=\
"CAMERA ESTOQUE" mac-address=44:3B:32:86:2D:7E server=069_SEDE_FIX
add address=192.168.0.97 client-id=1:b2:68:a6:2d:65:d5 mac-address=\
B2:68:A6:2D:65:D5 server=069_SEDE_FIX
add address=192.168.0.194 client-id=1:0:26:8b:a:92:ea comment=\
"TELEFONE IP CAROL" mac-address=00:26:8B:0A:92:EA server=069_SEDE_FIX
add address=192.168.0.6 comment="TARCILA - LDAP FS" mac-address=\
00:50:56:80:31:63 server=069_SEDE_FIX
add address=192.168.0.8 comment="PrintServer - OpenAudit" mac-address=\
00:00:00:00:00:03 server=069_SEDE_FIX
add address=192.168.0.11 comment="Impressora RICOH" mac-address=\
00:26:73:8D:9E:F3 server=069_SEDE_FIX
add address=192.168.0.17 comment="Nextcloud - FIX" mac-address=\
00:00:00:00:00:17 server=069_SEDE_FIX
add address=192.168.0.16 comment="REBECA - WIKI" mac-address=\
00:00:00:00:00:16 server=069_SEDE_FIX
add address=192.168.0.10 comment="Impressora RICOH" mac-address=\
00:00:00:00:00:10 server=069_SEDE_FIX
add address=192.168.0.99 client-id=1:d8:36:5f:40:5:4f comment="CAMERA PIA" \
mac-address=D8:36:5F:40:05:4F server=069_SEDE_FIX
add address=192.168.0.163 comment="### ALAMR INTEBRAS" mac-address=\
48:51:CF:DE:5E:11 server=069_SEDE_FIX
add address=192.168.0.50 client-id=1:bc:32:5f:f4:f6:82 mac-address=\
BC:32:5F:F4:F6:82 server=069_SEDE_FIX
add address=192.168.70.99 client-id=1:84:7b:57:e7:91:77 mac-address=\
84:7B:57:E7:91:77 server=070_DHCP_TI_NOC
add address=192.168.0.73 client-id=1:74:e5:f9:94:97:15 mac-address=\
74:E5:F9:94:97:15 server=069_SEDE_FIX
add address=192.168.0.202 client-id=1:7c:5c:f8:24:6f:fd mac-address=\
7C:5C:F8:24:6F:FD server=069_SEDE_FIX
add address=192.168.0.140 client-id=1:5c:cd:5b:d9:cc:b3 mac-address=\
5C:CD:5B:D9:CC:B3 server=069_SEDE_FIX
add address=10.0.13.181 client-id=1:dc:a6:32:99:e5:ac comment=\
"SEDE - Raspberry Pi" mac-address=DC:A6:32:99:E5:AC server=013-iOT
add address=192.168.0.61 client-id=1:74:e5:f9:3c:38:40 mac-address=\
74:E5:F9:3C:38:40 server=069_SEDE_FIX
add address=10.0.13.32 comment="SEDE - Sensor de temperatura" mac-address=\
FC:F5:C4:AB:4C:8A server=013-iOT
add address=10.0.13.39 comment="P4 - Ar condcionado" mac-address=\
1C:39:29:24:FC:BB server=013-iOT
add address=10.0.13.40 comment="P2 - Ar condcionado" mac-address=\
1C:39:29:03:FB:B4 server=013-iOT
add address=10.0.13.49 comment="SEDE - AR - Atendimento2" mac-address=\
1C:39:29:7F:A3:1A server=013-iOT
add address=10.0.13.50 comment="SEDE - AR - Atendimento1" mac-address=\
1C:39:29:7E:E2:53 server=013-iOT
add address=192.168.0.13 comment=CASAOS mac-address=00:00:00:00:00:13 server=\
069_SEDE_FIX
add address=10.0.13.96 comment=P1-F.VERMELHA mac-address=18:DE:50:38:BC:8E \
server=013-iOT
add address=10.0.13.93 comment="SEDE - IR-AC-ADM" mac-address=\
1C:90:FF:8E:95:83 server=013-iOT
add address=10.0.13.44 comment="P1 - Ar condcionado" mac-address=\
1C:39:29:15:78:F3 server=013-iOT
add address=10.0.13.57 comment="P4 - Ar condcionado 2" mac-address=\
1C:39:29:BD:44:49 server=013-iOT
add address=10.0.13.94 comment=P4-ALARME mac-address=44:3B:32:5A:CD:AC \
server=013-iOT
add address=10.0.13.51 comment=P4-F.VERMELHA mac-address=18:DE:50:AF:BF:85 \
server=013-iOT
add address=192.168.0.134 client-id=1:84:7b:57:e7:91:27 mac-address=\
84:7B:57:E7:91:27 server=069_SEDE_FIX
add address=10.0.13.35 comment=P3-F.VERMELHA mac-address=18:DE:50:A4:6E:9E \
server=013-iOT
add address=192.168.0.18 comment="NC container - PROXY" mac-address=\
00:00:00:00:00:18 server=069_SEDE_FIX
add address=10.0.13.97 comment=P2-F.VERMELHA mac-address=18:DE:50:AF:BE:27 \
server=013-iOT
add address=10.0.13.95 comment=P2-F.PRETA mac-address=18:DE:50:A4:6A:F6 \
server=013-iOT
add address=10.0.13.99 comment=P2-ALARME mac-address=30:E1:F1:A3:18:D9 \
server=013-iOT
add address=10.0.13.45 comment=P4-SONOFF mac-address=18:DE:50:A6:94:67 \
server=013-iOT
add address=10.0.13.36 comment=P3-F.PRETA mac-address=18:DE:50:A4:76:95 \
server=013-iOT
add address=10.0.13.56 comment=P4-F.PRETA mac-address=18:DE:50:A4:64:A7 \
server=013-iOT
add address=10.0.13.53 comment=P1-F.PRETA mac-address=18:DE:50:0A:CC:20 \
server=013-iOT
add address=10.0.13.54 comment=P1-PRETA-SABESP mac-address=18:DE:50:38:C1:44 \
server=013-iOT
add address=10.0.13.55 comment=P1-VERMELHA-SABESP mac-address=\
18:DE:50:38:C7:AF server=013-iOT
add address=10.0.13.52 comment=SEDE-FECHADURA-ESTOQUE mac-address=\
D8:1F:12:39:DE:F3 server=013-iOT
add address=10.0.13.41 comment=P4-TEMP-RACK mac-address=50:8B:B9:5E:39:84 \
server=013-iOT
add address=10.0.13.42 comment=P4-TEMP-GERADOR mac-address=1C:90:FF:F0:B7:E6 \
server=013-iOT
add address=10.0.13.58 comment=P1-TEMP-RACK mac-address=A8:80:55:18:AC:13 \
server=013-iOT
add address=10.0.13.34 comment=P4-TEMP_BATERIA mac-address=50:8B:B9:30:B6:26 \
server=013-iOT
add address=10.0.13.59 comment=P3-DETEC-FUMACA mac-address=1C:90:FF:B1:69:62 \
server=013-iOT
add address=10.0.13.31 client-id=1:f4:ce:23:a4:c1:58 comment=P3-TEMP-BATERIA \
mac-address=50:8B:B9:2D:C4:C3 server=013-iOT
add address=10.0.13.30 comment=P4-DETC_FUMACA mac-address=18:DE:50:C4:B7:E7 \
server=013-iOT
add address=10.0.13.48 client-id=1:46:ee:40:4f:14:91 comment=SEDE_CELULAR-TI \
mac-address=46:EE:40:4F:14:91 server=013-iOT
add address=10.0.13.33 comment=P3-TEMP_RACK mac-address=50:8B:B9:5E:1A:59 \
server=013-iOT
add address=10.0.13.62 comment=P2-DETEC_FUMACA mac-address=18:DE:50:C4:BF:D2 \
server=013-iOT
add address=10.0.13.174 comment=P2-TEMP_RACK mac-address=A8:80:55:1D:90:0A \
server=013-iOT
add address=10.0.13.175 comment=P2-TEMP_PORTA mac-address=A8:80:55:1B:67:1B \
server=013-iOT
add address=10.0.13.68 mac-address=FC:3C:D7:DD:B3:5D server=013-iOT
add address=192.168.0.19 comment="SW estoque" mac-address=00:00:00:00:00:19 \
server=069_SEDE_FIX
add address=192.168.0.21 comment="teste IA" mac-address=00:00:00:00:00:21 \
server=069_SEDE_FIX
add address=10.0.13.78 comment=P3-AC-LG-22Btu mac-address=34:E6:E6:57:1D:DC \
server=013-iOT
add address=10.0.13.69 mac-address=D8:C8:0C:02:B7:3C server=013-iOT
add address=10.0.13.70 mac-address=D8:C8:0C:02:B4:B5 server=013-iOT
add address=192.168.0.78 client-id=1:98:e5:5b:1f:d5:c4 mac-address=\
98:E5:5B:1F:D5:C4 server=069_SEDE_FIX
add address=192.168.0.53 client-id=1:b8:27:eb:7c:fd:82 mac-address=\
B8:27:EB:7C:FD:82 server=069_SEDE_FIX
add address=192.168.0.110 client-id=1:0:21:b7:b3:3c:4 mac-address=\
00:21:B7:B3:3C:04 server=069_SEDE_FIX
/ip dhcp-server network
add address=10.0.13.0/24 dns-server=45.228.246.122,45.228.244.121 domain=\
fixfibra.br gateway=10.0.13.23
add address=192.168.0.0/24 comment="DNS - sede 192.168.0.6" dns-server=\
192.168.0.6 domain=fixfibra.br gateway=192.168.0.2
add address=192.168.70.0/24 dns-server=192.168.0.6 domain=fixfibra.br \
gateway=192.168.70.2
add address=192.168.71.0/24 dns-server=45.228.244.121,45.228.246.122 domain=\
fixfibra.guest gateway=192.168.71.2
add address=192.168.72.0/24 dns-server=45.228.244.121,45.228.246.122 domain=\
fixfibra.guest gateway=192.168.72.2
/ip dns
set cache-max-ttl=1d servers=192.168.0.6,2804:47e4:1::120,2804:47e4:8002::124
/ip firewall address-list
add address=192.168.0.6 list=Allow_sede
add address=192.168.0.24 list=Allow_sede
add address=192.168.0.7 list=Allow_sede
add address=192.168.70.0/24 list=AL_CELULARES-DROP
add address=10.0.0.0/8 list=AL_CELULARES-DROP
add address=192.168.0.0/24 list=AL_CELULARES-DROP
add address=192.168.70.0/24 list=AL_SEDE-DROP
add address=10.0.0.0/8 list=AL_SEDE-DROP
add address=192.168.0.15 list=Allow_sede
add address=10.0.24.10 list=AL-ACP-FERNANDA-OLT
add address=10.0.24.12 list=AL-ACP-FERNANDA-OLT
add address=10.0.24.13 list=AL-ACP-FERNANDA-OLT
add address=10.0.24.14 list=AL-ACP-FERNANDA-OLT
add address=10.0.0.0/8 list=AL_SAIDA_RFC_4193
add address=192.168.0.0/16 list=AL_SAIDA_RFC_4193
add address=172.16.0.0/12 list=AL_SAIDA_RFC_4193
add address=10.0.24.0/24 list=AL_GERENCIA_TI-NOC
add address=10.1.24.0/24 list=AL_GERENCIA_TI-NOC
add address=192.168.0.47 list=Allow_sede
add address=192.168.0.46 list=Allow_sede
add address=192.168.0.45 list=Allow_sede
add address=192.168.0.20 list=Allow_sede
add address=192.168.0.16 list=Allow_sede
add address=192.168.0.11 list=Allow_sede
add address=192.168.0.12 list=Allow_sede
add address=192.168.0.13 list=Allow_sede
add address=192.168.0.202 comment=NOTE-DAVI list=Allow-RASP
add address=192.168.0.140 comment=NOTE-LEO list=Allow-RASP
add address=192.168.0.73 comment=NOTE-GILMAR list=Allow-RASP
add address=192.168.0.95 list=Allow_sede
add address=192.168.0.17 list=Allow_sede
add address=10.0.24.11 list=AL-ACP-FERNANDA-OLT
add address=192.168.0.5 list=Allow_sede
add address=192.168.0.206 list=Allow_sede
add address=192.168.100.0/24 list=AL-ALLOW-71-unifi
add address=192.168.0.250 list=Allow_sede
add address=192.168.0.22 list=Allow_sede
add address=192.168.0.35 list=Allow_sede
add address=192.168.0.34 list=Allow_sede
add address=192.168.0.21 list=Allow_sede
add address=192.168.0.30 list=Allow_sede
add address=192.168.0.32 list=Allow_sede
add address=192.168.0.31 list=Allow_sede
add address=192.168.0.19 list=Allow_sede
add address=192.168.0.18 list=Allow_sede
add address=192.168.0.36 list=Allow_sede
add address=192.168.0.14 list=Allow_sede
add address=192.168.0.37 list=Allow_sede
add address=192.168.0.40 list=Allow_sede
add address=10.25.0.0/18 list=AL_GERENCIA_TI-NOC
add address=192.168.0.8 list=Allow_sede
add address=192.168.0.9 list=Allow_sede
add address=192.168.0.85 list=Allow_sede
add address=10.0.26.0/24 list=AL_GERENCIA_TI-NOC
add address=192.168.0.50 list=Allow_sede
add address=192.168.0.108 list=Allow_sede
add address=192.168.0.27 list=Allow_sede
add address=192.168.0.54 list=Allow_sede
add address=191.9.20.40 list=CASA-ANDRE
add address=172.20.0.0/22 list=AL_GERENCIA_TI-NOC
add address=172.20.8.0/22 list=AL_GERENCIA_TI-NOC
add address=192.168.0.41 list=Allow_sede
add address=192.168.0.25 list=Allow_sede
add address=192.168.0.39 list=Allow_sede
add address=192.168.0.53 list=Allow_sede
add address=192.168.80.0/24 list=Allow_sede
add address=10.0.13.0/24 list=AL_GERENCIA_TI-NOC
add address=192.168.0.78 list=Allow_sede
add address=192.168.0.26 list=Allow_sede
add address=192.168.0.2 list=Allow_sede
add address=10.0.70.0/30 list=Allow_sede
add address=192.168.0.110 list=Allow_sede
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=dst-nat chain=dstnat comment="## NAT - NextCloud" dst-address=\
45.228.244.4 dst-port=443 protocol=tcp to-addresses=192.168.0.17 \
to-ports=443
add action=dst-nat chain=dstnat comment="## NAT TALK - NextCloud" \
dst-address=45.228.244.4 dst-port=5349 protocol=tcp to-addresses=\
192.168.0.17 to-ports=443
add action=dst-nat chain=dstnat comment="## NAT TALK - NextCloud" \
dst-address=45.228.244.4 dst-port=5349 protocol=udp to-addresses=\
192.168.0.17 to-ports=443
add action=dst-nat chain=dstnat comment="## NAT - NextCloud" dst-address=\
45.228.244.4 dst-port=80 protocol=tcp to-addresses=192.168.0.17 to-ports=\
80
add action=dst-nat chain=dstnat comment="## NAT - GERADOR POP 1" dst-address=\
45.228.244.4 dst-port=1351 protocol=tcp to-addresses=10.0.13.103 \
to-ports=1351
add action=src-nat chain=srcnat comment="## NAT PARA APP MAPEAMENTO DE PORTA" \
dst-address-list=AL-ACP-FERNANDA-OLT src-address=192.168.0.15 \
to-addresses=10.0.24.23
add action=src-nat chain=srcnat comment="## NAT WAN - IOT NAT 246.4" \
dst-address-list=!AL_SAIDA_RFC_4193 src-address=10.0.13.0/24 \
to-addresses=45.228.246.4
add action=src-nat chain=srcnat comment="## NAT WAN - SEDE 69" \
dst-address-list=!AL_SAIDA_RFC_4193 src-address=192.168.0.0/24 \
to-addresses=45.228.244.4
add action=src-nat chain=srcnat comment="## NAT WAN - NOC 70" \
dst-address-list=!AL_SAIDA_RFC_4193 src-address=192.168.70.0/24 \
to-addresses=45.228.244.4
add action=src-nat chain=srcnat comment="## NAT WAN - HOTSPOT 72" \
dst-address-list=!AL_SAIDA_RFC_4193 src-address=192.168.72.0/24 \
to-addresses=45.228.244.4
add action=src-nat chain=srcnat comment="## NAT - vlan 24 X TI-NOC" \
dst-address-list=AL_GERENCIA_TI-NOC src-address=192.168.70.0/24 \
to-addresses=10.0.24.23
add action=src-nat chain=srcnat comment="## NAT - vlan 124 X TI-NOC" \
dst-address-list=AL_GERENCIA_TI-NOC src-address=192.168.70.0/24 \
to-addresses=10.1.24.23
add action=src-nat chain=srcnat comment="## NAT WAN - UPDATE" disabled=yes \
dst-address-list=!AL_SAIDA_RFC_4193 to-addresses=45.228.244.4
/ip firewall raw
add action=accept chain=prerouting comment=\
"## Regra para portal de mapeamento" dst-address-list=AL-ACP-FERNANDA-OLT \
src-address=192.168.0.15
add action=accept chain=prerouting comment="## Regra para Teste GenieACS" \
dst-address=10.0.24.136 src-address=192.168.0.13
add action=accept chain=prerouting comment="## Liberacao - UNIFI - OUTROS" \
dst-address=192.168.0.24 src-address-list=AL-ALLOW-71-unifi
add action=accept chain=prerouting comment="## Regra de saida da VLAN 70" \
src-address=192.168.70.0/24
add action=accept chain=prerouting comment=\
"## Regra de liberacao da Vlan 70 para host da vlan 69" dst-address=\
192.168.70.0/24 src-address-list=Allow_sede
add action=drop chain=prerouting comment=\
"## Regra de bloqueio da vlan 69 para outras redes" dst-address-list=\
AL_SEDE-DROP src-address=192.168.0.0/24
add action=drop chain=prerouting comment=\
"## Regra de bloqueio da vlan 71 para outras redes" disabled=yes \
dst-address-list=AL_CELULARES-DROP src-address=192.168.100.0/24
add action=drop chain=prerouting comment=\
"## Regra de bloqueio da vlan 72 para outras redes" dst-address=\
!192.168.0.24 dst-address-list=AL_CELULARES-DROP src-address=\
192.168.72.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add check-gateway=ping comment="## Default Route - B2" disabled=no distance=\
20 dst-address=0.0.0.0/0 gateway=172.31.32.21 pref-src="" routing-table=\
main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=arp comment="## Default Route - B1" disabled=no distance=\
100 dst-address=0.0.0.0/0 gateway=172.31.31.21 routing-table=main scope=\
30 suppress-hw-offload=no target-scope=10
add comment="## GERENCIA 053-RADIOS" disabled=yes distance=1 dst-address=\
192.168.10.0/24 gateway=10.0.24.33 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Gerencia vlan 25" disabled=no distance=1 dst-address=\
10.25.0.0/18 gateway=10.0.24.35 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="## Gerencia contratos bloqueados B2" disabled=no distance=1 \
dst-address=172.20.8.0/22 gateway=10.0.24.8 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="## Gerencia contratos bloqueados B1" disabled=no distance=1 \
dst-address=172.20.0.0/22 gateway=10.0.24.9 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ipv6 route
add check-gateway=ping comment="## Default Route - VS01" disabled=no \
distance=20 dst-address=::/0 gateway=2804:47e4:0:1::15 routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="## Default Route - VS02" disabled=no \
distance=100 dst-address=::/0 gateway=2804:47e4:8000:1::15 routing-table=\
main scope=30 suppress-hw-offload=no target-scope=10
add blackhole comment=BLACKHOLE disabled=no distance=255 dst-address=\
2804:47e4:8c0::/48 gateway="" routing-table=main scope=30 \
suppress-hw-offload=no
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set winbox address=10.0.0.0/8,45.228.244.0/22,2804:47e4::/32,192.168.0.0/16 \
port=8292
set api disabled=yes
set api-ssl disabled=yes
set ssh address=2804:47e4:8c0::/48,10.1.24.0/24,192.168.0.0/16 port=9022
/ip upnp
set show-dummy-rule=no
/ipv6 address
add address=2804:47e4:0:1::16/126 advertise=no comment=Enlace-VS01 interface=\
vlanif_199
add address=::1 from-pool=v6_pool_LAN interface=vlanif_69
add address=::1 from-pool=v6_pool_LAN_NOC interface=vlanif_70
add address=::1 from-pool=v6_pool_013_iot interface=vlanif_13
add address=2804:47e4:8000:1::16/126 advertise=no comment=Enlace-VS02 \
interface=vlanif_299
add address=fe80::4a8f:5aff:fe7a:1c7e advertise=no interface=vlanif_71
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=2804:47e4:8c0::/48 list=SEDE-2804-47e4-8c0/48
add address=2804:47e4::/32 list=FIX-2804-47e4/32
add address=2804:47e4:8c0:4000::13/128 comment="DVR IOT" list=Servicos_sede
add address=2804:47e4:8c0:3000::17/128 comment=NC-IPv6 list=Servicos_sede
add address=fc00::/7 list=RFC-IPv6
add address=fe80::/64 list=RFC-IPv6
add address=ff00::/8 list=RFC-IPv6
add address=2001::/23 list=bad_ipv6
add address=2804:47e4:8c0:3000::22/128 comment=OCS-INVETORY list=\
Servicos_sede
add address=2804:47e4:8c0:3000::5/128 comment="DVR SEDE" list=Servicos_sede
add address=2804:47e4:8c0:3000::5/128 comment="DVR SEDE" list=DVR
add address=2804:47e4:8c0:4000::13/128 comment="DVR IOT" list=DVR
/ipv6 firewall filter
add action=accept chain=input comment="Permit - ICPMv6" protocol=icmpv6
add action=accept chain=input comment="Permit - input - estab, related" \
connection-state=established,related
add action=accept chain=input comment="Permit - Winbox" dst-port=8292 \
protocol=tcp src-address-list=FIX-2804-47e4/32
add action=accept chain=forward comment="Permit - ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="Permit - foward - estab, related" \
connection-state=established,related
add action=accept chain=forward comment="Permit - Upload" src-address-list=\
SEDE-2804-47e4-8c0/48
add action=accept chain=forward comment="Permit - Dst Web" dst-address-list=\
Servicos_sede dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Permit - Dst Web" dst-address-list=\
DVR dst-port=37777 protocol=tcp
add action=drop chain=forward disabled=yes
/ipv6 nd
set [ find default=yes ] managed-address-configuration=yes \
other-configuration=yes
add dns=2804:47e4:8c0:3000::6 interface=vlanif_70 \
managed-address-configuration=yes other-configuration=yes ra-preference=\
high
add interface=vlanif_13 managed-address-configuration=yes \
other-configuration=yes
add dns=2804:47e4:8c0:3000::6 interface=vlanif_69 \
managed-address-configuration=yes other-configuration=yes ra-preference=\
high
add advertise-dns=no interface=vlanif_199 managed-address-configuration=yes \
ra-preference=low
add interface=vlanif_71 managed-address-configuration=yes \
other-configuration=yes ra-preference=high
/mpls settings
set allow-fast-path=no propagate-ttl=no
/ppp secret
add name=andrefix profile=L2TP_NOC remote-address=192.168.70.10 service=l2tp
add name=daniel.sato profile=L2TP_NOC remote-address=192.168.70.11 service=\
l2tp
add name=telicfix profile=L2TP_NOC remote-address=192.168.70.12 service=l2tp
add name=telicfix2 profile=L2TP_NOC remote-address=192.168.70.13 service=l2tp
add name=diego profile=L2TP service=l2tp
add disabled=yes name=diego2 profile=L2TP service=l2tp
add disabled=yes name=guilherme profile=L2TP_NOC remote-address=192.168.70.14 \
service=l2tp
add name=otaviofix profile=L2TP_NOC remote-address=192.168.70.12 service=l2tp
add name=mariana.batista profile=L2TP_NOC remote-address=192.168.70.14 \
service=l2tp
add name=ppp1 profile=L2TP_NOC remote-address=192.168.70.15 routes=\
192.168.70.2 service=l2tp
/radius
add address=10.1.24.138 comment="Radius - 10.1.24.138" require-message-auth=\
no service=login src-address=10.1.24.23 timeout=300ms
/radius incoming
set accept=yes
/snmp
set contact="FIX FIBRA" enabled=yes location="\"Av. Nossa Sra. dos Navegantes,\
\_1222 - Eldorado, Diadema - SP, 09972-260\"" src-address=10.0.24.23 \
trap-version=2
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=SEDE-4011
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=45.228.244.121
add address=45.228.246.122
add address=2804:47e4:1::120
add address=2894:47e4:8002::124
/system scheduler
add name="Reboot=UPD" on-event="/system reboot" policy=reboot start-date=\
2025-03-13 start-time=22:45:00
/system script
add dont-require-permissions=no name=backupSFTP owner=danielfix policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log warning \"***************************************\"\
\n#Conexao SFTP\
\n:global host 10.1.24.137\
\n:global usuario backups\
\n:global senha backups@fixfibra2@\
\n:global diretorio /SFTP/backups/mikrotik/router/RB-SEDE\
\n\
\n#Pega o nome do Router\
\n:global identifica [/system identity get name]\
\n\
\n#Gera data no formato AAAA-MM-DD\
\n:global data [/system clock get date]\
\n:global ano [:pick \$data 0 4]\
\n:global mes [:pick \$data 5 7]\
\n:global dia [:pick \$data 8 10]\
\n\
\n:log info \"Gerando backup: \$dia-\$mes-\$ano.\$identifica.backup\";\
\n/system backup save name=\"\$dia-\$mes-\$ano.\$identifica\";\
\n:log info \"Gerando export: \$dia-\$mes-\$ano.\$identifica.rsc\";\
\n/export file=\"\$dia-\$mes-\$ano.\$identifica\"\
\n:log info \"Processando...\";\
\n:delay 5s\
\n\
\n:log info \"Conectando SFTP Server...\";\
\n:log info \"Enviando Backup [\$dia-\$mes-\$ano.\$identifica.backup] ...\
\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.bac\
kup\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sf\
tp dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.backup\"\
\n:log info \"Enviando Export [\$dia-\$mes-\$ano.\$identifica.rsc] ...\";\
\n/tool fetch address=\$host src-path=\"\$dia-\$mes-\$ano.\$identifica.rsc\
\" user=\"\$usuario\" password=\"\$senha\" port=9022 upload=yes mode=sftp \
dst-path=\"\$diretorio/\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:delay 1\
\n\
\n:log info \"Backup enviado com sucesso...\";\
\n:log info \"Removendo arquivos...\";\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.backup\"\
\n/file remove \"\$dia-\$mes-\$ano.\$identifica.rsc\"\
\n:log info \"Rotina de backup finalizada...\";\
\n:log warning \"***************************************\";\
\n\
\n"
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="/log info message=\"Deviando upload para rota de \
backup\"\r\
\n/ip route/disable [find comment=\"ROTA-DEFAULT-NAT01\"]\r\
\n" host=192.33.4.12 http-codes="" interval=1m test-script="" type=icmp \
up-script="/log info message=\"Deviando upload para rota princiapl\"\r\
\n/ip route/enable [find comment=\"ROTA-DEFAULT-NAT01\"]\r\
\n"
/tool romon
set enabled=yes
/user aaa
set use-radius=yes
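Review bot: The `backupSFTP` script under `/system script` stores the SFTP password as a literal on the `:global senha …` line, so this export puts what is presumably the live backup-server credential into repository history. The same literal appears in the script at the end of the preceding file on this page, whose section starts outside this view. The committed copy should carry a placeholder such as `:global senha "<REDACTED>"`, and the password should be rotated because this commit already exposes it. Declaring the connection variables with `:local` instead of `:global` (for example `:local senha "<REDACTED>"`) would also keep the value out of the router's global script environment after the run. Separately, the script logs `Backup enviado com sucesso...` and runs both `/file remove` commands without checking the result of either `/tool fetch`, so a failed upload is reported as success and the local copy is deleted.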