# apr/19/2020 23:26:34 by RouterOS 6.46.5
# software id = 9QF2-G3ZZ
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = 8A2A086301FB
/caps-man channel
# Channel templates that /caps-man configuration entries refer to by name.
# In this export only 5GHz-auto-channel, 2.4-01-2412 and 2.4-13-2472 are referenced by a configuration;
# the remaining templates are defined but unused here.
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ceee frequency=5180 name=channel5180B
add control-channel-width=20mhz extension-channel=XXXX frequency=5745 name=channel5745B
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2452 name=2.4-09-2452 save-selected=yes
# tx-power=7 here, but the configurations that use this template set channel.tx-power themselves (18 and 1) - presumably the inline value wins; confirm.
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2472 name=2.4-13-2472 save-selected=yes tx-power=7
# NOTE(review): the name says 2487 but frequency=2457 - label and tuned frequency disagree.
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2457 name=2.4-08-2487 save-selected=yes
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ceee frequency=5260 name=channel5260 save-selected=yes skip-dfs-channels=yes
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2422 name=2.4-03-2422
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2412 name=2.4-01-2412
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2417 name=2.4-02-2417
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled frequency=2437 name=2.4-06-2437
# NOTE(review): the name says 2482 but frequency=2484 (2ghz-b only); confirm this channel is permitted for the country the configurations set.
add band=2ghz-b control-channel-width=20mhz extension-channel=disabled frequency=2484 name=2.4-14-2482 save-selected=yes tx-power=0
# No frequency is given, so the 5 GHz channel is left for CAPsMAN to pick.
add band=5ghz-onlyac name=5GHz-auto-channel tx-power=17
/caps-man datapath
# Datapath without a bridge; no configuration in this export references it.
add client-to-client-forwarding=yes local-forwarding=yes name=datapathNoBLF
/interface bridge
# LAN bridge with a fixed MAC. dhcp-snooping=yes works together with the per-port trusted= flag;
# in this export only ether4 is marked trusted (see /interface bridge port).
add admin-mac=CC:2D:E0:9B:8A:B8 auto-mac=no dhcp-snooping=yes igmp-snooping=yes name=bridge-local
/interface ethernet
# loop-protect is switched off on every port. ether1 is the WAN port (the only member of the WAN lists).
set [ find default-name=ether1 ] loop-protect=off rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] loop-protect=off rx-flow-control=auto tx-flow-control=auto
# Unused port, administratively disabled.
set [ find default-name=ether3 ] disabled=yes loop-protect=off
set [ find default-name=ether4 ] comment="mad pc" loop-protect=off
set [ find default-name=ether5 ] comment="cap ac" loop-protect=off
/interface wireless
# Local settings of the two built-in radios. The "managed by CAPsMAN" lines written by the export show that
# SSID, channel and forwarding currently come from CAPsMAN, not from the values below.
# NOTE(review): the local values keep the default SSID "MikroTik" and name no security profile; if CAP mode is
# ever switched off, confirm the radios would not come up with an unprotected default profile.
# managed by CAPsMAN
# channel: 2412/20/gn(18dBm), SSID: AMKRTK2, local forwarding
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=ukraine disabled=no frequency=2472 frequency-mode=manual-txpower ssid=MikroTik
# managed by CAPsMAN
# channel: 5745/20-Ceee/ac/P(18dBm), SSID: AMKRTK, local forwarding
# NOTE(review): country=no_country_set on wlan2, while the CAPsMAN configurations set country=ukraine.
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set disabled=no frequency-mode=manual-txpower ssid=MikroTik
/caps-man datapath
# datapathBLF is the datapath every configuration in this export uses: traffic is bridged locally on the CAP into bridge-local.
# client-to-client-forwarding=yes means wireless clients are not isolated from each other.
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=yes name=datapathBLF
# The next two entries differ only in name and are not referenced by any configuration here.
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=no name=datapath-no-lf
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=no name=datapathBNoLF
/caps-man rates
# Rate sets; no configuration in this export carries a rates= reference, so both appear unused.
add basic=11Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps name=rate1 supported=11Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=1Mbps,2Mbps,5.5Mbps name=rate1-5 supported=1Mbps,2Mbps,5.5Mbps
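/caps-man security
# WPA2-PSK profile used by every CAPsMAN configuration in this export.
# The unicast cipher list is limited to AES-CCMP; TKIP is deliberately not offered, since WPA2 clients support
# CCMP and TKIP only keeps a deprecated cipher negotiable.
# No passphrase= appears on this line - the export seems to omit secrets (the /ppp secret entry shows no
# password either), so the passphrase has to be supplied separately when this is imported.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=security1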
/caps-man configuration
# Master configurations handed out by /caps-man provisioning. All five use security1 and datapathBLF;
# the 5 GHz ones broadcast SSID AMKRTK, the 2.4 GHz ones AMKRTK2.
# MAIN5 and KIT5 are identical apart from the name.
add channel=5GHz-auto-channel channel.band=5ghz-onlyac channel.extension-channel=Ceee channel.tx-power=18 country=ukraine datapath=datapathBLF mode=ap name=MAIN5 rx-chains=0,1,2,3 security=security1 ssid=AMKRTK tx-chains=0,1,2,3
add channel=2.4-01-2412 channel.extension-channel=disabled channel.tx-power=18 country=ukraine datapath=datapathBLF mode=ap name=MAIN2 rx-chains=0,1,2,3 security=security1 ssid=AMKRTK2 tx-chains=0,1,2,3
add channel=5GHz-auto-channel channel.band=5ghz-onlyac channel.extension-channel=Ceee channel.tx-power=18 country=ukraine datapath=datapathBLF mode=ap name=KIT5 rx-chains=0,1,2,3 security=security1 ssid=AMKRTK tx-chains=0,1,2,3
add channel=2.4-13-2472 channel.extension-channel=disabled channel.tx-power=18 country=ukraine datapath=datapathBLF mode=ap name=KIT2 rx-chains=0,1,2,3 security=security1 ssid=AMKRTK2 tx-chains=0,1,2,3
# Low-power variant (channel.tx-power=1, hw-retries=15) provisioned to one specific radio MAC.
add channel=2.4-13-2472 channel.tx-power=1 country=ukraine datapath=datapathBLF hw-retries=15 mode=ap name=cfgkit0.2 rx-chains=0,1,2,3 security=security1 ssid=AMKRTK2 tx-chains=0,1,2,3
/interface ethernet switch port
# Switch port 1: untagged frames get VLAN 1, and vlan-mode=secure restricts forwarding to the switch VLAN table.
set 1 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
/interface list
# NOTE(review): list-LAN is created here, but /interface list member adds no interface to it (only ether1 joins
# list-wan and WAN). Every rule or service that refers to list-LAN therefore matches no interface as exported.
add name=list-LAN
# list-wan and WAN both end up containing only ether1.
add name=list-wan
add name=WAN
/interface wireless security-profiles
# Only the supplicant identity of the default profile is set; no mode= or authentication-types= is shown for it.
# The CAPsMAN-managed radios use /caps-man security security1, not this profile.
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
# Payload pattern that matches any data containing "youtube" after at least one character.
# The only user in this export is the mangle rule on udp/53 from 10.10.2.16, i.e. it inspects cleartext DNS queries.
# NOTE(review): a client using encrypted DNS or another resolver path is not covered by this match.
add name=YouTube regexp="^.+(youtube).*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
# Responder-only peers (passive=yes) with no address restriction shown.
add name=peer1 passive=yes
# This entry is unreachable
# (The line above is emitted by the export itself: peer2 matches the same remote set as peer1.)
add name=peer2 passive=yes
/ip ipsec proposal
# NOTE(review): 3des is still offered in the default proposal next to AES; drop it if every VPN client supports AES.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
# LAN DHCP range and the address range handed to L2TP clients.
add name=dhcp_pool0 ranges=10.10.2.12-10.10.2.199
# NOTE(review): 10.10.3.x lies inside 10.10.0.0/16, which is the "Admin" address list and the allowed source
# range of the winbox service - VPN clients are therefore treated as management sources.
add name=vpn_pool ranges=10.10.3.2-10.10.3.254
/ip dhcp-server
# DHCP on the LAN bridge; add-arp=yes installs an ARP entry for each lease.
add add-arp=yes address-pool=dhcp_pool0 always-broadcast=yes disabled=no interface=bridge-local lease-time=8h name=dhcp1
/port
set 0 name=serial0
/ppp profile
# Profile for the L2TP server: router side is 10.10.2.1, clients draw from vpn_pool.
add change-tcp-mss=yes local-address=10.10.2.1 name=l2tp_profile remote-address=vpn_pool
/routing bgp instance
set default disabled=yes
/user group
# The built-in "full" group with every policy listed, including sensitive, sniff, romon and api.
# No /user entries appear in this export, so which accounts belong to this group cannot be seen here.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man access-list
# Per-MAC wireless access rules. Every enabled entry is action=accept; the two reject entries are disabled.
# NOTE(review): there is no catch-all reject entry, so presumably stations with unlisted MACs are still accepted -
# as exported this list documents known devices but is not an allow-list. MAC addresses are not an authentication
# factor either; the WPA2 passphrase in security1 is the actual access control.
# signal-range=-120..120 matches any signal level.
# NOTE(review): the comment says 01:00-09:00 but time=30m-8h; confirm which window is intended.
add action=reject allow-signal-out-of-range=10s comment="TV BOX REJECT 01:00-09:00" disabled=yes mac-address=3C:CF:5B:B1:CA:24 signal-range=-120..120 ssid-regexp="" time=30m-8h,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=10s comment="TV BOX" disabled=no mac-address=3C:CF:5B:B1:CA:24 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=10s comment=MIX2 disabled=no mac-address=04:D1:3A:63:67:6C signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=10s comment="MI BOX S" disabled=no mac-address=E4:DB:6D:AB:91:75 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=10s comment="Mi5S Plus" disabled=no mac-address=78:02:F8:31:4E:CA signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=always comment=nook disabled=no mac-address=58:67:1A:95:9F:8F ssid-regexp=""
# RN3SE has an accept entry followed by a disabled weak-signal reject (-120..-75) for the same MAC.
add action=accept allow-signal-out-of-range=always comment=RN3SE disabled=no mac-address=AC:C1:EE:44:B2:CB ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment=RN3SE disabled=yes mac-address=AC:C1:EE:44:B2:CB signal-range=-120..-75 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=10s comment=RN3Pro disabled=no mac-address=64:CC:2E:B9:38:7B signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=always comment=ESP disabled=no mac-address=84:F3:EB:7A:EF:75 ssid-regexp=""
add action=accept allow-signal-out-of-range=always comment="Verizon Wear24" disabled=no mac-address=A8:1E:84:4E:9E:22 ssid-regexp=""
add action=accept allow-signal-out-of-range=always comment=MiPad2 disabled=no mac-address=7C:1D:D9:96:B9:56 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="Meizu M5Note" disabled=no mac-address=2C:57:31:D6:7A:72 signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
# This router is the CAPsMAN controller.
# NOTE(review): no certificate= or require-peer-certificate= setting appears, so presumably CAPs are not
# authenticated with certificates; the listener is at least limited to bridge-local below.
set enabled=yes
/caps-man manager interface
add disabled=no interface=bridge-local
/caps-man provisioning
# Each rule is pinned to one radio MAC; there is no catch-all rule, so a radio with another MAC gets no configuration from these entries.
add action=create-dynamic-enabled master-configuration=MAIN5 name-format=prefix name-prefix=main5 radio-mac=CC:2D:E0:9B:8A:B9
add action=create-dynamic-enabled master-configuration=KIT5 name-format=prefix name-prefix=kit5 radio-mac=CC:2D:E0:EA:1A:5C
add action=create-dynamic-enabled master-configuration=MAIN2 name-format=prefix name-prefix=main2 radio-mac=CC:2D:E0:9B:8A:B8
add action=create-dynamic-enabled master-configuration=KIT2 name-format=prefix name-prefix=kit2 radio-mac=CC:2D:E0:EA:1A:5B
add action=create-dynamic-enabled master-configuration=cfgkit0.2 name-format=prefix name-prefix=kit0.2 radio-mac=64:D1:54:C1:BB:93
/interface bridge port
# ether3 (disabled under /interface ethernet) is a bridge member with flooding switched off.
add bridge=bridge-local broadcast-flood=no interface=ether3 unknown-multicast-flood=no unknown-unicast-flood=no
# NOTE(review): trusted=yes is the DHCP-snooping trust flag and ether4 is labelled "mad pc"; a trusted port is
# normally one that leads to a DHCP server - confirm a workstation port should carry it.
add bridge=bridge-local interface=ether4 trusted=yes
add bridge=bridge-local interface=ether5
/ip neighbor discovery-settings
# NOTE(review): list-wan contains ether1, so neighbor discovery runs on the WAN side and announces this router to
# the upstream network; discovery is normally limited to LAN interfaces.
set discover-interface-list=list-wan
/interface detect-internet
set detect-interface-list=list-wan
/interface ethernet switch vlan
# VLAN 1 and VLAN 100 are both limited to ether2 and the switch CPU port.
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 vlan-id=100
/interface l2tp-server server
# NOTE(review): use-ipsec=yes is not the stricter setting that refuses L2TP sessions arriving outside IPsec, so
# presumably plain L2TP protected only by MS-CHAPv2 is still accepted. The input chain also accepts udp/1701 from
# any interface. enabled= is not shown on this line - confirm whether the server is actually running.
set authentication=mschap2 default-profile=l2tp_profile use-ipsec=yes
/interface list member
# ether1 is the only interface placed in any list; list-LAN stays empty.
add interface=ether1 list=list-wan
add interface=ether1 list=WAN
/interface wireless cap
#
# The local radios wlan1 and wlan2 are handed to CAPsMAN, discovered over bridge-local.
set bridge=bridge-local discovery-interfaces=bridge-local enabled=yes interfaces=wlan1,wlan2
/ip address
# Router LAN address on the bridge.
add address=10.10.2.1/24 interface=bridge-local network=10.10.2.0
/ip dhcp-client
# WAN address comes from the upstream DHCP server; DNS and NTP servers offered by that server are ignored.
add disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
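/ip dhcp-server lease
# Static leases on dhcp1. Where a client-id is present it is "1:" followed by the entry's MAC address in lower
# case with the leading zero of each octet dropped (compare 04:D1:3A:63:67:6C -> 1:4:d1:3a:63:67:6c).
# Several firewall rules match these addresses (10.10.2.16, .120, .190), so those rules depend on these leases.
add address=10.10.2.201 mac-address=B4:E6:2D:22:F2:57 server=dhcp1
add address=10.10.2.100 client-id=1:bc:5f:f4:d8:67:78 mac-address=BC:5F:F4:D8:67:78 server=dhcp1
add address=10.10.2.16 mac-address=2C:57:31:D6:7A:72 server=dhcp1
add address=10.10.2.102 client-id=1:78:2:f8:31:4e:ca mac-address=78:02:F8:31:4E:CA server=dhcp1
# client-id rebuilt from this entry's mac-address: the published line was split in the middle of the value
# (the ":ab:" octet was lost) and would presumably fail on import.
add address=10.10.2.120 client-id=1:e4:db:6d:ab:91:75 comment="Mi box" mac-address=E4:DB:6D:AB:91:75 server=dhcp1
add address=10.10.2.101 client-id=1:4:d1:3a:63:67:6c mac-address=04:D1:3A:63:67:6C server=dhcp1
add address=10.10.2.103 client-id=1:7c:1d:d9:96:b9:56 mac-address=7C:1D:D9:96:B9:56 server=dhcp1
add address=10.10.2.121 client-id=1:0:e0:4c:36:2:18 comment="Mi box ethernet" mac-address=00:E0:4C:36:02:18 server=dhcp1
add address=10.10.2.190 client-id=1:3c:cf:5b:b1:ca:24 mac-address=3C:CF:5B:B1:CA:24 server=dhcp1
add address=10.10.2.104 client-id=1:64:cc:2e:b9:38:7b mac-address=64:CC:2E:B9:38:7B server=dhcp1
add address=10.10.2.105 client-id=1:ac:c1:ee:44:b2:cb mac-address=AC:C1:EE:44:B2:CB server=dhcp1
add address=10.10.2.2 client-id=1:cc:2d:e0:ea:1a:59 mac-address=CC:2D:E0:EA:1A:59 server=dhcp1
# The next five MACs have the locally-administered bit set (typical of randomised/private addresses), so these
# leases follow an address a device may change - NOTE(review): confirm they still map to the intended devices.
add address=10.10.2.191 client-id=1:4e:c7:40:95:2b:3e mac-address=4E:C7:40:95:2B:3E server=dhcp1
add address=10.10.2.192 client-id=1:b2:28:81:c8:7d:4b mac-address=B2:28:81:C8:7D:4B server=dhcp1
add address=10.10.2.193 client-id=1:66:df:28:56:f4:be mac-address=66:DF:28:56:F4:BE server=dhcp1
add address=10.10.2.194 client-id=1:72:ae:b0:3:fb:88 mac-address=72:AE:B0:03:FB:88 server=dhcp1
# client-id rebuilt from this entry's mac-address: the published line was split after "1" and the ":a:" octet was lost.
add address=10.10.2.195 client-id=1:a:67:8f:a2:4d:3a mac-address=0A:67:8F:A2:4D:3A server=dhcp1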
/ip dhcp-server network
# LAN clients are told to use the router itself as gateway, DNS server and NTP server.
add address=10.10.2.0/24 dns-server=10.10.2.1 gateway=10.10.2.1 netmask=24 ntp-server=10.10.2.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anything that can reach it. Nothing on this line
# limits it to the LAN; WAN exposure is prevented only by the firewall input rules (the port 53 drops on ether1
# and the final WAN drop), so those rules must stay in place.
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.8.8,8.8.4.4
/ip dns static
# NOTE(review): the next entry is broken across two lines in this copy and its regexp value looks like a
# browser content-filter expression, not a DNS name pattern; the original value cannot be recovered from here.
add address=127.0.0.1 regexp=
www.youtube.com##.ytp-ce-element
# Disabled overrides for the connectivity-check hostname.
add address=172.217.20.163 disabled=yes name=connectivitycheck.gstatic.com
add address=216.58.209.3 disabled=yes name=connectivitycheck.gstatic.com
add address=172.217.20.195 disabled=yes name=connectivitycheck.gstatic.com
add address=172.217.16.3 disabled=yes name=connectivitycheck.gstatic.com
add address=216.58.215.67 disabled=yes name=connectivitycheck.gstatic.com
/ip firewall address-list
# "Block" holds a hostname entry; no filter rule in this export refers to the Block list.
add address=youtube.com list=Block
# "Admin" is the source list of the WinBox accept rule. It spans 10.10.0.0/16, which covers the LAN and the VPN pool.
add address=10.10.0.0/16 list=Admin
# "BOGON" is used by one rule: drop on input from WAN.
# NOTE(review): 192.168.0.0/16 is not in the list, 10.10.0.0/16 is already covered by 10.0.0.0/8, and the
# 0.0.0.0/8 and 224.0.0.0/4 entries are disabled.
add address=0.0.0.0/8 disabled=yes list=BOGON
add address=10.0.0.0/8 list=BOGON
add address=100.64.0.0/10 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=172.16.0.0/12 list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=10.10.0.0/16 list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=224.0.0.0/4 disabled=yes list=BOGON
add address=240.0.0.0/4 list=BOGON
/ip firewall filter
# Rule order is significant: each chain is evaluated top to bottom and the first terminating match decides.
# Established/related traffic is handled first on both chains.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=input comment=Established/related connection-state=established,related
add action=accept chain=forward connection-state=established,related in-interface-list=WAN
# NOTE(review): list-LAN has no members in this export, so this rule matches no interface as written.
add action=accept chain=forward connection-state=established,related in-interface-list=list-LAN
# Per-device blocks (three of them disabled). They match on src-address only, so they hold only while the
# device keeps the address of its static DHCP lease.
add action=reject chain=forward comment="mi box" disabled=yes reject-with=icmp-admin-prohibited src-address=10.10.2.120 time=5h30m-12h,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment=tbox reject-with=icmp-admin-prohibited src-address=10.10.2.190 time=15h-9h,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward comment="temp " disabled=yes reject-with=icmp-admin-prohibited src-address=10.10.2.190
add action=reject chain=forward disabled=yes reject-with=icmp-admin-prohibited src-address=10.10.2.16
# From WAN, only connections that were dst-natted may be forwarded. That includes the static dstnat rules and
# any mapping created through UPnP, which is enabled in this export.
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=WAN
add action=drop chain=input comment="Drop BOGON Wan" in-interface-list=WAN log=yes log-prefix=BOGON src-address-list=BOGON
add action=drop chain=input comment=invalid connection-state=invalid in-interface-list=WAN
add action=drop chain=forward connection-state=invalid in-interface-list=WAN
# Drops sources recorded (for 3h) by the two add-src-to-address-list rules further down.
add action=drop chain=input comment=Perebor+portov_list_drop in-interface=ether1 src-address-list=perebor_portov_drop
# WinBox only from non-WAN interfaces and only from the Admin list (10.10.0.0/16, which includes the VPN pool).
add action=accept chain=input comment=winbox dst-port=8291 in-interface-list=!WAN protocol=tcp src-address-list=Admin
# ICMP echo request from WAN, packets of at most 100 bytes.
add action=accept chain=input comment=icmp icmp-options=8:0 in-interface-list=WAN packet-size=0-100 protocol=icmp
add action=reject chain=forward comment=other disabled=yes dst-port=443 protocol=tcp reject-with=tcp-reset src-address=10.10.2.12 tls-host=*.youtube.com
# NOTE(review): no in-interface and no IPsec-policy matcher here, so udp/1701 (L2TP) is accepted from the WAN
# without requiring that it arrived inside IPsec. Consider splitting the rule: keep 500 and 4500 open and accept
# 1701 only with ipsec-policy=in,ipsec.
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input disabled=yes dst-port=50000-50100 protocol=tcp
add action=accept chain=input disabled=yes dst-port=50000-50100 protocol=udp
# NOTE(review): this single-address drop sits after the VPN accepts above, so it does not cover udp/500, 1701,
# 4500 or ESP from that address.
add action=drop chain=input in-interface=ether1 log=yes src-address=78.37.74.36
add action=drop chain=input disabled=yes dst-address-list="" dst-port=23 in-interface=ether1 protocol=tcp
# Port-probe trap: a new connection from WAN to one of these ports records the source in perebor_portov_drop.
# NOTE(review): log-prefix is set on both trap rules but log=yes is not, so they do not log as exported.
# NOTE(review): UDP source addresses are not verified, so the udp/53 variant can record addresses that never
# contacted the router; consider keeping the trap on TCP only.
add action=add-src-to-address-list address-list=perebor_portov_drop address-list-timeout=3h chain=input comment=Perebor_portov_add_list dst-port=21,22,23,25,53,445,3389 in-interface=ether1 log-prefix=Attack_tcp protocol=tcp
add action=add-src-to-address-list address-list=perebor_portov_drop address-list-timeout=3h chain=input dst-port=53 in-interface=ether1 log-prefix=Attack_dns protocol=udp
# Explicit drops that keep the router's resolver (allow-remote-requests=yes) and web interface off the WAN port.
add action=drop chain=input comment="drop all opened" dst-port=53 in-interface=ether1 log=yes log-prefix=DNS_ATT protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=80 in-interface=ether1 protocol=tcp
# These two match the packet mark that the mangle rules set for DNS traffic from 10.10.2.16.
add action=drop chain=forward comment="Youtube drop" packet-mark=youtube_packet
add action=drop chain=input packet-mark=youtube_packet
# Default deny for input, WAN only: input from any other interface that reaches this point is not dropped,
# and the forward chain has no final drop for traffic that does not come from WAN.
add action=drop chain=input comment="drop all" in-interface-list=WAN
/ip firewall mangle
# Marks DNS (udp/53) connections from 10.10.2.16 whose payload matches the YouTube layer7 pattern, then marks
# every packet of such a connection; the filter rules drop packets carrying youtube_packet.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-port=53 layer7-protocol=YouTube new-connection-mark=youtube_conn passthrough=yes protocol=udp src-address=10.10.2.16
add action=mark-packet chain=prerouting connection-mark=youtube_conn new-packet-mark=youtube_packet passthrough=yes
/ip firewall nat
# NOTE(review): both netmap rules match dst-address=10.10.2.100 on in-interface=ether1. Traffic arriving from the
# WAN is normally addressed to the router's WAN address, so confirm these rules ever match. The udp rule maps to
# 192.168.1.100, a subnet that is not configured anywhere else in this export.
add action=netmap chain=dstnat dst-address=10.10.2.100 dst-port=50000-50100 in-interface=ether1 protocol=tcp to-addresses=10.10.2.100
add action=netmap chain=dstnat dst-address=10.10.2.100 dst-port=50000-50100 in-interface=ether1 protocol=udp to-addresses=192.168.1.100
# NOTE(review): outbound NAT uses a fixed to-addresses value while ether1 obtains its address from the DHCP
# client; if the lease ever differs from this address, outbound traffic stops working.
add action=src-nat chain=srcnat dst-address=!10.10.0.0/16 out-interface=ether1 src-address=10.10.0.0/16 to-addresses=176.38.87.39
add action=masquerade chain=srcnat disabled=yes src-address=192.168.3.0/24
/ip ipsec identity
# Identities for the two passive peers: policies are generated on request and the remote ID is not checked.
# No auth-method or secret is visible on these lines - presumably the export omits secrets; confirm which
# authentication method is in effect.
add generate-policy=port-override peer=peer1 remote-id=ignore
add generate-policy=port-override peer=peer2 remote-id=ignore
/ip service
# telnet, ftp and ssh are disabled. www, www-ssl, api, winbox and api-ssl stay enabled, each limited by source address.
# NOTE(review): www and api are cleartext management channels; prefer leaving only www-ssl, api-ssl and winbox
# enabled. No certificate= is shown for www-ssl or api-ssl.
set telnet address=10.10.2.0/24 disabled=yes
set ftp address=10.10.2.0/24 disabled=yes
# NOTE(review): 192.168.3.0/24 is allowed for www and www-ssl but is not an address range configured on this router.
set www address=10.10.2.0/24,192.168.3.0/24
set ssh address=10.10.2.0/24 disabled=yes
set www-ssl address=10.10.2.0/24,192.168.3.0/24 disabled=no
set api address=10.10.2.0/24
# 10.10.0.0/16 also covers vpn_pool (10.10.3.x), so L2TP clients can reach WinBox.
set winbox address=10.10.0.0/16
set api-ssl address=10.10.2.0/24
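/ip ssh
# SSH server options. allow-none-crypto=no refuses the "none" cipher, so a session can never be negotiated
# without encryption. The ssh service itself is disabled under /ip service, so this setting only takes effect
# if the service is switched on later.
# NOTE(review): forwarding-enabled=remote is kept as found; set it to no unless SSH port forwarding is needed.
set allow-none-crypto=no forwarding-enabled=remote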
/ip upnp
# NOTE(review): with UPnP enabled, any host on bridge-local can ask the router to open inbound port mappings on
# ether1, and the forward chain lets dst-natted connections in from WAN. Disable it unless a device needs it.
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge-local type=internal
/ppp secret
# L2TP account. No password appears here (presumably omitted by the export) and nothing restricts the caller's
# address.
add name=ppp-mad profile=l2tp_profile service=l2tp
/routing bfd interface
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=Main
/system logging
# Extra logging rules; all but the STP one are disabled. No remote or disk logging action is configured in this
# export, and the "clear log" script shrinks the in-memory buffer.
# NOTE(review): consider a remote log target so firewall and login events survive a reboot or a log clear.
add disabled=yes topics=critical
add disabled=yes prefix=CAP topics=caps
add disabled=yes prefix=BRIDGE topics=bridge
add disabled=yes prefix=IF topics=interface
add prefix=STP topics=stp
/system ntp client
# Static NTP server addresses; the scheduled set-ntp script rewrites them from DNS.
set enabled=yes primary-ntp=91.198.10.1 secondary-ntp=91.236.251.12
/system ntp server
# The router also serves time; the DHCP network entry points LAN clients at it.
set enabled=yes manycast=no
/system package update
# NOTE(review): channel=testing installs pre-release builds on an Internet-facing router; a stable channel is the
# safer choice for keeping up with security fixes.
set channel=testing
/system scheduler
# Runs the set-ntp script at startup and then roughly once a day.
# NOTE(review): the policy list is far broader than an NTP update needs (ftp, reboot, password, sniff, sensitive,
# romon); trim it to what the script actually uses.
add interval=23h59m59s name=Set-NTP on-event="/system script run set-ntp" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
# One-off reboot with no interval. Its start-date (jan/22/2020) precedes the export date in the file header, so
# it has presumably already fired and can be removed.
add name=schedule1 on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/22/2020 start-time=17:00:00
/system script
# set-ntp: resolves 0.ua.pool.ntp.org and 1.ua.pool.ntp.org and, for each one, compares the result with the
# current primary-ntp / secondary-ntp value; when they differ it writes the new address. Progress is printed
# and logged at info level. This is the script the Set-NTP scheduler entry runs.
# NOTE(review): the new value is written by building a command string and passing it to :parse. The interpolated
# value comes from :resolve (a DNS answer); setntppool in this same export sets the value directly without
# :parse, which avoids evaluating a built string.
# NOTE(review): the policy list (ftp, reboot, password, sniff, sensitive, romon, ...) is much wider than this
# script needs.
add dont-require-permissions=no name=set-ntp owner=mad policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local progName \"SetNtpServers\";\
\n:local arrNtpSystems (\"0.ua.pool.ntp.org\", \"1.ua.pool.ntp.org\");\
\n:put \"\$progName: Running...\";\
\n:log info \"\$progName: Running...\";\
\n:set arrNtpSystems [ :toarray \$arrNtpSystems ];\
\n:if (( [ :len \$arrNtpSystems ] < 1 ) or ( [ :len \$arrNtpSystems ] > 2 )) do={\
\n:put \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) must be either one or two DNS names.\";\
\n:log info \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) must be either one or two DNS names.\";\
\n} else={\
\n:local arrRosNtpSetting (\"primary-ntp\", \"secondary-ntp\");\
\n:local i 0;\
\n:foreach strNtpSystem in (\$arrNtpSystems) do={\
\n:local ipAddrNtpSystem [ :resolve \$strNtpSystem ];\
\n:local strRosNtpSetting [ :pick \$arrRosNtpSetting \$i ];\
\n:local strCurrentNtpIp [ /system ntp client get \$strRosNtpSetting ];\
\n:put \"\$progName: NTP server DNS name \$strNtpSystem resolves to \$ipAddrNtpSystem.\";\
\n:log info \"\$progName: NTP server DNS name \$strNtpSystem resolves to \$ipAddrNtpSystem.\";\
\n:put \"\$progName: Current \$strRosNtpSetting setting is \$strCurrentNtpIp.\";\
\n:log info \"\$progName: Current \$strRosNtpSetting setting is \$strCurrentNtpIp.\";\
\n:if ( [ :toip \$ipAddrNtpSystem ] != [ :toip \$strCurrentNtpIp ] ) do={\
\n:put \"\$progName: Changing \$strRosNtpSetting setting to \$ipAddrNtpSystem.\";\
\n:log info \"\$progName: Changing \$strRosNtpSetting setting to \$ipAddrNtpSystem.\";\
\n:local strCommand [ :parse \"/system ntp client set \$strRosNtpSetting=\\\"\$ipAddrNtpSystem\\\"\" ];\
\n\$strCommand;\
\n} else={\
\n:put \"\$progName: No changes were made for the \$strRosNtpSetting NTP setting.\";\
\n:log info \"\$progName: No changes were made for the \$strRosNtpSetting NTP setting.\";\
\n}\
\n:set i (\$i + 1);\
\n}\
\n}\
\n:put \"\$progName: Done.\";\
\n:log info \"\$progName: Done.\";"
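# GlobalVars: sets the globals SYSname, SYSntpa and SYSntpb; the e-mail related globals are commented out inside
# the script. setntppool runs this script before it reads those globals.
# Two lines of the quoted source (the SYSmyemail example and the pool.ntp.org remark) carried a stray line break
# in the middle of the string; they are rejoined here. Both are comment lines of the script, so what the script
# does is unchanged.
# NOTE(review): the script only reads the identity and sets globals, yet its policy list includes ftp, reboot,
# password, sniff, sensitive and romon; trim it to what is needed.
add dont-require-permissions=no name=GlobalVars owner=mad policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# System configuration script - \"GlobalVars\"\r\
\n\r\
\n:put \"Setting system globals\";\r\
\n\r\
\n# System name\r\
\n:global SYSname [/system identity get name];\r\
\n\r\
\n# E-mail address to send notifications to\r\
\n#:global SYSsendemail \"madcat.uaW\";\r\
\n\r\
\n# E-mail address to send notifications from\r\
\n#:global SYSmyemail \"routeros@my.address\";\r\
\n\r\
\n# Mail server to use\r\
\n#:global SYSemailserver \"1.2.3.4\";\r\
\n\r\
\n# NTP pools to use (check www.pool.ntp.org)\r\
\n:global SYSntpa \"0.ua.pool.ntp.org\";\r\
\n:global SYSntpb \"1.ua.pool.ntp.org\";"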
# setntppool: runs GlobalVars, resolves the two pool hostnames held in SYSntpa / SYSntpb and writes them to
# primary-ntp / secondary-ntp when they differ from the current values. The e-mail notification at the end is
# commented out inside the script.
# No scheduler entry in this export runs this script; the scheduler calls set-ntp instead.
# NOTE(review): the NTP server addresses come from unauthenticated DNS answers, and the policy list (ftp, reboot,
# password, sniff, sensitive, romon, ...) is wider than the script needs.
add dont-require-permissions=no name=setntppool owner=mad policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Check and set NTP servers - \"setntppool\"\r\
\n\r\
\n# We need to use the following globals which must be defined here even\r\
\n# though they are also defined in the script we call to set them.\r\
\n:global SYSname;\r\
\n:global SYSsendemail;\r\
\n:global SYSmyemail;\r\
\n:global SYSmyname;\r\
\n:global SYSemailserver;\r\
\n:global SYSntpa;\r\
\n:global SYSntpb;\r\
\n\r\
\n# Load the global variables with the system defaults\r\
\n/system script run GlobalVars\r\
\n\r\
\n# Resolve the two ntp pool hostnames\r\
\n:local ntpipa [:resolve \$SYSntpa];\r\
\n:local ntpipb [:resolve \$SYSntpb];\r\
\n\r\
\n# Get the current settings\r\
\n:local ntpcura [/system ntp client get primary-ntp];\r\
\n:local ntpcurb [/system ntp client get secondary-ntp];\r\
\n\r\
\n# Define a variable so we know if anything's changed.\r\
\n:local changea 0;\r\
\n:local changeb 0;\r\
\n\r\
\n# Debug output\r\
\n:put (\"Old: \" . \$ntpcura . \" New: \" . \$ntpipa);\r\
\n:put (\"Old: \" . \$ntpcurb . \" New: \" . \$ntpipb);\r\
\n\r\
\n# Change primary if required\r\
\n:if (\$ntpipa != \$ntpcura) do={\r\
\n :put \"Changing primary NTP\";\r\
\n /system ntp client set primary-ntp=\"\$ntpipa\";\r\
\n :set changea 1;\r\
\n }\r\
\n\r\
\n# Change secondary if required\r\
\n:if (\$ntpipb != \$ntpcurb) do={\r\
\n :put \"Changing secondary NTP\";\r\
\n /system ntp client set secondary-ntp=\"\$ntpipb\";\r\
\n :set changeb 1;\r\
\n }\r\
\n\r\
\n# If we've made a change, send an e-mail to say so.\r\
\n#:if ((\$changea = 1) || (\$changeb = 1)) do={\r\
\n# :put \"Sending e-mail.\";\r\
\n# /tool e-mail send \\\r\
\n# to=\$SYSsendemail \\\r\
\n# subject=(\$SYSname . \" NTP change\") \\\r\
\n# from=\$SYSmyemail \\\r\
\n# server=\$SYSemailserver \\\r\
\n# body=(\"Your NTP servers have just been changed:\\n\\nPrimary:\\nOld: \" . \$ntpcura . \"\\nNew: \" \\\r\
\n# . \$ntpipa . \"\\n\\nSecondary\\nOld: \" . \$ntpcurb . \"\\nNew: \" . \$ntpipb);\r\
\n# }"
# "clear log": sets memory-lines of logging action 0 to 1 and then back to 1000, which empties the in-memory log.
# NOTE(review): no remote or disk logging target is configured in this export, so running this script discards
# the only copy of firewall and system events. Send logs to a remote target before relying on it.
add dont-require-permissions=no name="clear log" owner=mad policy=ftp,reboot,read,write,policy,test,password,sniff source="/system logging action set 0 memory-lines=1\r\
\n/system logging action set 0 memory-lines=1000"
/tool graphing
set store-every=hour
/tool graphing interface
# Traffic graphs, viewable from 10.10.0.0/16 (LAN and VPN pool).
add allow-address=10.10.0.0/16 interface=ether5
add allow-address=10.10.0.0/16 interface=wlan1
add allow-address=10.10.0.0/16 interface=wlan2
add allow-address=10.10.0.0/16 interface=ether1
/tool graphing resource
add allow-address=10.10.2.0/24
/tool mac-server
# MAC-Telnet and MAC-WinBox are limited to list-LAN. That list has no members in this export, so as written
# neither service is offered on any interface - which keeps them off the WAN port, but also off the LAN.
# NOTE(review): if list-LAN is populated later, make sure ether1 is never added to it.
set allowed-interface-list=list-LAN
/tool mac-server mac-winbox
set allowed-interface-list=list-LAN