# oct/27/2022 22:52:57 by RouterOS 6.47.10
# software id = JZ14-G2AH
#
# model = RB750Gr3
# serial number = D5030F65D248
/interface bridge
add name=LAN_NAT
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.78.11-192.168.78.253
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN_NAT name=dhcp1
/snmp community
add addresses=190.61.4.34/32,190.61.4.170/32,190.61.4.35/32,190.61.4.36/32 name=ifxcliente write-access=yes
/interface bridge port
add bridge=LAN_NAT interface=ether2
add bridge=WAN interface=ether1
add bridge=WAN interface=ether5
add bridge=WAN interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=181.78.104.22/24 interface=WAN network=181.78.104.0
add address=192.168.78.254/24 interface=LAN_NAT network=192.168.78.0
add address=10.35.36.126/30 interface=WAN network=10.35.36.124
/ip dhcp-server network
add address=192.168.78.0/24 dns-server=167.250.220.220,186.148.105.105 gateway=192.168.78.254
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=input comment="drop Telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=add-dst-to-address-list address-list=telnet_blacklist address-list-timeout=3h chain=output content=\
    "530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=\
    23 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=input comment="drop Telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=add-dst-to-address-list address-list=telnet_blacklist address-list-timeout=3h chain=output content=\
    "530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=\
    23 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
/ip firewall nat
add action=src-nat chain=srcnat out-interface=WAN src-address=192.168.78.0/24 to-addresses=181.78.104.22
add action=dst-nat chain=dstnat dst-address=181.78.104.22 dst-port=443 protocol=tcp to-addresses=192.168.78.1
/ip route
add distance=1 gateway=10.35.36.125
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address="190.60.0.0/16,190.61.0.0/16,172.16.0.0/16,172.17.0.0/16,10.0.120.0/24,200.62.0.0/16,200.91.0.0/16,187.168.28.42/\
    32,144.91.71.175/32"
set winbox address=190.60.0.0/16,200.62.0.0/16,200.91.0.0/16,187.168.28.42/32,144.91.71.175/32
/snmp
set enabled=yes trap-community=ifxcliente
/system clock
set time-zone-name=America/Guatemala
/system identity
set name=SID_1722039_FIPA_REFORMA
/system note
set note="**************************************************************\
    \n*                                                            *\
    \n*    ATENCION:  Este equipo es propiedad de IFX Networks     *\
    \n*     El uso no autorizado esta estrictamente prohibido.     *\
    \n*   Todos los usuarios son legalmente responsables de sus    *\
    \n* acciones sobre el sistema y toda actividad sera registrada *\
    \n*                                                            *\
    \n**************************************************************"