k6ccc
Forum Guru
Topic Author
Posts: 1084
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Upgrade 4011 from 6.49.6 to 7.x - any expected issues?

Wed Oct 26, 2022 12:38 am

I am running a RB4011iGS+ with ROS 6.49.6, two Internet WANs (no failover), several AREDN (ham radio digital) networks, a pile of local LANs (no bridge), a bunch of DHCP, scripts. I am looking to move to ROS 7.x (7.6 is current as I type this). I have only sort of followed all the 7.x story, but it looks like most of the major bugs are worked out now. I know there are a few concepts that change. One of the largest reasons I am looking to upgrade is to add ZeroTier or WireGuard.
Any major gotchas I should watch out for? Any recommendation for ZeroTier vs WireGuard?

Since I know someone will ask to see my config, here is a somewhat sanitized extract. Some stuff I pulled out simply to shorten it (I doubt you really need to see 250 static DHCP leases for example).
# oct/24/2022 22:31:01 by RouterOS 6.49.6
# software id = <redacted>
#
# model = RB4011iGS+
# serial number = <redacted>
/interface ethernet
set [ find default-name=ether1 ] comment="Spectrum cable internet" name=\
    E01-pB2_Cable_Internet speed=100Mbps
set [ find default-name=ether2 ] comment="Cable Main home LAN" name=\
    E02-pB4_101 speed=100Mbps
set [ find default-name=ether3 ] comment="Cable Private WiFi LAN" name=\
    E03-pB6_103 speed=100Mbps
set [ find default-name=ether4 ] comment="CSS326 2B 802.1Q trunk" name=\
    E04-pB8_802.1Q speed=100Mbps
set [ find default-name=ether5 ] comment="CSS326 2A 802.1Q trunk" name=\
    E05-pA10_802.1Q speed=100Mbps
set [ find default-name=ether6 ] comment="Fiber Main home LAN" name=\
    E06-pA2_201
set [ find default-name=ether7 ] comment="Fiber Private WiFi LAN" name=\
    E07-pA4_203
set [ find default-name=ether8 ] comment="Fiber Internet of Things LAN" name=\
    E08-pA6_206
set [ find default-name=ether9 ] comment="Fiber LOREX Video LAN" name=\
    E09-pA8_207
set [ find default-name=ether10 ] comment="Frontier fiber internet" name=\
    E10_Fiber_Internet poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add comment="AREDN hAP-at-Home LAN" interface=E05-pA10_802.1Q name=VLAN_005 \
    vlan-id=5
add comment="AREDN hAP-Portable LAN" interface=E04-pB8_802.1Q name=VLAN_006 \
    vlan-id=6
add comment="AREDN 3GHz at Johnstone to Pleasants Peak LAN interface" \
    interface=E04-pB8_802.1Q name=VLAN_011 vlan-id=11
add comment="AREDN 5GHz at Johnstone SW sector LAN interface" interface=\
    E04-pB8_802.1Q name=VLAN_012 vlan-id=12
add comment="AREDN 5GHz at Johnstone SE sector LAN interface" interface=\
    E04-pB8_802.1Q name=VLAN_013 vlan-id=13
add comment="AREDN Temp LHG in garage" interface=E04-pB8_802.1Q name=VLAN_014 \
    vlan-id=14
add comment="Cable Public WiFi LAN" interface=E04-pB8_802.1Q name=VLAN_102 \
    vlan-id=102
add comment="Cable Cactus/Red Cross LAN" interface=E04-pB8_802.1Q name=\
    VLAN_104 vlan-id=104
add comment="Cable VOIP phones LAN" interface=E04-pB8_802.1Q name=VLAN_105 \
    vlan-id=105
add comment="Cable Internet of Things LAN" interface=E04-pB8_802.1Q name=\
    VLAN_106 vlan-id=106
add comment="NTP server LAN" interface=E05-pA10_802.1Q name=VLAN_123 vlan-id=\
    123
add comment="E1.31 LAN" interface=E04-pB8_802.1Q name=VLAN_131 vlan-id=131
add comment="Fiber / Cable protected LAN" interface=E04-pB8_802.1Q name=\
    VLAN_151 vlan-id=151
add comment="Fiber Public WiFi LAN" interface=E05-pA10_802.1Q name=VLAN_202 \
    vlan-id=202
add comment="Fiber .204 Cactus LAN" interface=E05-pA10_802.1Q name=VLAN_204 \
    vlan-id=204
add comment="Fiber VOIP phones LAN" interface=E05-pA10_802.1Q name=VLAN_205 \
    vlan-id=205
add comment=".209 HARPUSA LAN" interface=E04-pB8_802.1Q name=VLAN_209 \
    vlan-id=209
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=LAN
add name=Router-access
add name=WAN
add name=LAN-to-Cable
add name=LAN-to-Fiber
add name="AREDN LAN"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=42 name=NTP value="'192.168.123.123'"
/ip firewall layer7-protocol
add name=local.mesh regexp=local.mesh
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=".101 DHCP pool" ranges=192.168.101.201-192.168.101.219
add name=".102 DHCP pool" ranges=192.168.102.201-192.168.102.219
add name=".103 DHCP pool" ranges=192.168.103.201-192.168.103.219
add name=".104 DHCP pool" ranges=192.168.104.201-192.168.104.209
add name=".106 DHCP pool" ranges=192.168.106.201-192.168.106.209
add name=".105 DHCP pool" ranges=192.168.105.201-192.168.105.209
add name=".151 DHCP pool" ranges=192.168.151.201-192.168.151.219
add name=".131 DHCP pool" ranges=192.168.131.201-192.168.131.209
add name=".201 DHCP pool" ranges=192.168.201.201-192.168.201.219
add name=".202 DHCP pool" ranges=192.168.202.201-192.168.202.219
add name=".203 DHCP pool" ranges=192.168.203.201-192.168.203.219
add name=".204 DHCP pool" ranges=192.168.204.201-192.168.204.209
add name=".209 DHCP pool" ranges=192.168.209.201-192.168.209.209
add name=".206 DHCP pool" ranges=192.168.206.201-192.168.206.219
add name=".205 DHCP pool" ranges=192.168.205.201-192.168.205.209
add name=".123 DHCP pool" ranges=192.168.123.124-192.168.123.126
add name=".207 DHCP pool" ranges=192.168.207.201-192.168.207.219
/ip dhcp-server
add address-pool=".101 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E02-pB4_101 lease-time=3h name=".101 DHCP server"
add address-pool=".102 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_102 lease-time=3h name=".102 DHCP server"
add address-pool=".103 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E03-pB6_103 lease-time=3h name=".103 DHCP server"
add address-pool=".104 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_104 lease-time=3h name=".104 DHCP server"
add address-pool=".106 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_106 lease-time=3h name=".106 DHCP server"
add address-pool=".105 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_105 lease-time=3h name=".105 DHCP server"
add address-pool=".151 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_151 lease-time=3h name=".151 DHCP server"
add address-pool=".131 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_131 lease-time=3h name=".131 DHCP server"
add address-pool=".201 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E06-pA2_201 lease-time=3h name=".201 DHCP server"
add address-pool=".202 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_202 lease-time=3h name=".202 DHCP server"
add address-pool=".205 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_205 lease-time=3h name=".205 DHCP server"
add address-pool=".203 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E07-pA4_203 lease-time=3h name=".203 DHCP server"
add address-pool=".209 DHCP pool" disabled=no interface=VLAN_209 lease-time=\
    3h name=".209 DHCP server"
add address-pool=".206 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E08-pA6_206 lease-time=3h name=".206 DHCP server"
add address-pool=".204 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_204 lease-time=3h name=".204 DHCP server"
add address-pool=".123 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_123 lease-time=6h name=".123 DHCP server"
add address-pool=".207 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E09-pA8_207 lease-time=3h name=".207 DHCP server"
/ipv6 dhcp-server
add address-pool=pool1 interface=E02-pB4_101 name=server1
/ipv6 pool
add name=pool1 prefix-length=56
/queue simple
add burst-limit=256k/512k burst-time=10s/10s limit-at=128k/256k max-limit=\
    128k/256k name="Test queue" target=192.168.103.182/32
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 3 remote=192.168.101.11 src-address=192.168.101.251
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
#error exporting /interface bridge calea
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=1h
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set allow-fast-path=no
/interface list member
add interface=E02-pB4_101 list=mactel
add interface=E06-pA2_201 list=mac-winbox
add interface=E06-pA2_201 list=LAN
add interface=VLAN_202 list=LAN
add interface=E07-pA4_203 list=LAN
add interface=VLAN_204 list=LAN
add interface=E02-pB4_101 list=LAN
add interface=E03-pB6_103 list=LAN
add interface=VLAN_102 list=LAN
add interface=VLAN_104 list=LAN
add interface=VLAN_105 list=LAN
add interface=VLAN_106 list=LAN
add interface=VLAN_131 list=LAN
add interface=VLAN_151 list=LAN
add interface=E02-pB4_101 list=Router-access
add interface=E06-pA2_201 list=Router-access
add interface=E01-pB2_Cable_Internet list=WAN
add interface=E10_Fiber_Internet list=WAN
add interface=VLAN_205 list=LAN
add interface=E08-pA6_206 list=LAN
add interface=E02-pB4_101 list=LAN-to-Cable
add interface=E03-pB6_103 list=LAN-to-Cable
add interface=VLAN_102 list=LAN-to-Cable
add interface=VLAN_104 list=LAN-to-Cable
add interface=VLAN_105 list=LAN-to-Cable
add interface=VLAN_106 list=LAN-to-Cable
add interface=E06-pA2_201 list=LAN-to-Fiber
add interface=E07-pA4_203 list=LAN-to-Fiber
add interface=E08-pA6_206 list=LAN-to-Fiber
add interface=VLAN_202 list=LAN-to-Fiber
add interface=VLAN_204 list=LAN-to-Fiber
add interface=VLAN_205 list=LAN-to-Fiber
add interface=VLAN_151 list=LAN-to-Fiber
add interface=VLAN_151 list=LAN-to-Cable
add interface=VLAN_131 list=LAN-to-Cable
add interface=VLAN_209 list=LAN-to-Cable
add interface=VLAN_209 list=LAN
add interface=VLAN_005 list="AREDN LAN"
add interface=VLAN_006 list="AREDN LAN"
add interface=VLAN_011 list="AREDN LAN"
add interface=VLAN_012 list="AREDN LAN"
add interface=VLAN_013 list="AREDN LAN"
add interface=VLAN_014 list="AREDN LAN"
add interface=VLAN_123 list=LAN-to-Fiber
add interface=E02-pB4_101 list=mac-winbox
add interface=E06-pA2_201 list=mactel
add interface=E09-pA8_207 list=LAN-to-Fiber
add interface=E09-pA8_207 list=LAN
/ip accounting
set account-local-traffic=yes enabled=yes
/ip accounting web-access
set accessible-via-web=yes address=192.168.101.0/26
/ip address
add address=192.168.101.251/24 interface=E02-pB4_101 network=192.168.101.0
add address=192.168.102.251/24 interface=VLAN_102 network=192.168.102.0
add address=192.168.103.251/24 interface=E03-pB6_103 network=192.168.103.0
add address=192.168.104.251/24 interface=VLAN_104 network=192.168.104.0
add address=192.168.105.251/24 interface=VLAN_105 network=192.168.105.0
add address=192.168.106.251/24 interface=VLAN_106 network=192.168.106.0
add address=192.168.151.251/24 interface=VLAN_151 network=192.168.151.0
add address=192.168.204.251/24 interface=VLAN_204 network=192.168.204.0
add address=192.168.201.251/24 interface=E06-pA2_201 network=192.168.201.0
add address=192.168.202.251/24 interface=VLAN_202 network=192.168.202.0
add address=192.168.203.251/24 interface=E07-pA4_203 network=192.168.203.0
add address=192.168.209.251/24 interface=VLAN_209 network=192.168.209.0
add address=192.168.131.251/24 interface=VLAN_131 network=192.168.131.0
add address=192.168.206.251/24 interface=E08-pA6_206 network=192.168.206.0
add address=192.168.203.252/24 interface=E07-pA4_203 network=192.168.203.0
add address=192.168.205.251/24 interface=VLAN_205 network=192.168.205.0
add address=192.168.99.251/24 interface=VLAN_099 network=192.168.99.0
add address=192.168.0.251/24 interface=VLAN_131 network=192.168.0.0
add address=192.168.203.250/24 disabled=yes interface=E07-pA4_203 network=\
    192.168.203.0
add address=192.168.123.121/29 interface=VLAN_123 network=192.168.123.120
add address=192.168.207.251/24 interface=E09-pA8_207 network=192.168.207.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=E01-pB2_Cable_Internet
add add-default-route=no disabled=no interface=VLAN_005 use-peer-ntp=no
add add-default-route=no disabled=no interface=VLAN_011 use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no disabled=no interface=VLAN_012 use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no disabled=no interface=VLAN_013 use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no disabled=no interface=E10_Fiber_Internet
add add-default-route=no disabled=no interface=VLAN_014 use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no disabled=no interface=VLAN_006 use-peer-ntp=no
/ip dhcp-server alert
add disabled=no interface=E02-pB4_101 on-alert="DHCP Alert" valid-server=\
    6C:3B:6B:7E:99:86
add disabled=no interface=E03-pB6_103 on-alert="DHCP Alert" valid-server=\
    6C:3B:6B:7E:99:87
add disabled=no interface=VLAN_104 on-alert="DHCP Alert" valid-server=\
    6C:3B:6B:7E:99:88
add disabled=no interface=VLAN_105 on-alert="DHCP Alert" valid-server=\
    6C:3B:6B:7E:99:88
add disabled=no interface=VLAN_106 on-alert="DHCP Alert" valid-server=\
    6C:3B:6B:7E:99:88
/ip dhcp-server lease
add address=192.168.106.181 client-id=1:a:bb:cc:dd:ee:ff comment=\
    "Jim's Moto Edge plus" mac-address=AA:BB:CC:DD:EE:FF server=\
    ".106 DHCP server"

<A few hundred more DHCP leases eliminated in this extract>

/ip dhcp-server network
add address=192.168.101.0/24 comment=".101 network" dns-server=\
    192.168.101.11,192.168.101.251 gateway=192.168.101.251 netmask=24
add address=192.168.102.0/24 comment=".102 network" dns-server=\
    192.168.102.251,8.8.8.8,4.2.2.2 gateway=192.168.102.251 netmask=24
add address=192.168.103.0/24 comment=".103 network" dns-server=\
    192.168.103.251,8.8.8.8,4.2.2.3 gateway=192.168.103.251 netmask=24
add address=192.168.104.0/24 comment=".104 network" dns-server=\
    192.168.104.251,8.8.8.8,4.2.2.4 gateway=192.168.104.251 netmask=24
add address=192.168.105.0/24 comment=".105 network" dns-server=\
    192.168.105.251,8.8.8.8,4.2.2.2 gateway=192.168.105.251 netmask=24
add address=192.168.106.0/24 comment=".106 network" dns-server=\
    192.168.106.251,8.8.8.8,4.2.2.4 gateway=192.168.106.251 netmask=24
add address=192.168.123.120/29 comment=".123 network" dns-server=\
    192.168.123.121,8.8.8.8,4.2.2.1 gateway=192.168.123.121 netmask=29
add address=192.168.131.0/24 comment=".131 network" dns-server=\
    192.168.131.251,8.8.8.8,4.2.2.1 gateway=192.168.131.251 netmask=24
add address=192.168.151.0/24 comment=".151 network" dns-server=\
    192.168.151.251,8.8.8.8,4.2.2.1 gateway=192.168.151.251 netmask=24
add address=192.168.201.0/24 comment=".201 network" dns-server=\
    192.168.201.11,192.168.201.251 gateway=192.168.201.251 netmask=24
add address=192.168.202.0/24 comment=".202 network" dns-server=\
    192.168.202.251,8.8.8.8,4.2.2.2 gateway=192.168.202.251 netmask=24
add address=192.168.203.0/24 comment=".203 network" dns-server=\
    192.168.203.251,8.8.8.8,4.2.2.3 gateway=192.168.203.251 netmask=24
add address=192.168.204.0/24 comment=".204 network" dns-server=\
    192.168.204.251,8.8.8.8,4.2.2.4 gateway=192.168.204.251 netmask=24
add address=192.168.205.0/24 comment=".205 network" dns-server=\
    192.168.205.251,8.8.8.8,4.2.2.4 gateway=192.168.205.251 netmask=24
add address=192.168.206.0/24 comment=".206 network" dns-server=\
    192.168.206.251,8.8.8.8,4.2.2.4 gateway=192.168.206.251 netmask=24
add address=192.168.207.0/24 comment=".207 network" dns-server=\
    192.168.207.251,8.8.8.8,4.2.2.4 gateway=192.168.207.251 netmask=24
add address=192.168.209.0/24 comment=".209 network" dns-server=\
    192.168.209.251,8.8.8.8,4.2.2.5 gateway=192.168.209.251 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.1
/ip dns static
add address=192.168.201.251 name=router
add address=10.9.60.81 name=local.mesh
/ip firewall address-list
add address=131.107.13.100 list="NTP servers"
add address=64.62.190.177 list="NTP servers"
add address=50.22.155.163 list="NTP servers"
add address=8.8.8.8 comment="Google #2" list="DNS servers"
add address=8.8.4.4 comment="Google #1" list="DNS servers"
add address=192.168.201.120-192.168.201.129 list="Open Mesh"
add address=192.168.201.140 list="Open Mesh"
add address=192.168.201.150-192.168.201.159 list="Open Mesh"
add address=10.9.60.81 comment="Mikrotik hAP-at-Home for AREDN" list=\
    hAP-at-Home
add address=192.73.242.152 list="NTP servers"
add address=132.163.97.4 list="NTP servers"
add address=5.188.210.4 comment="Regularly trying to hack web server" list=\
    "Manual Blacklist"
add address=192.168.103.71 comment="AREDN Raspberry Pi-3b on .103" list=RasPi
add address=192.168.103.79 comment="Spare Raspberry Pi-4 on .103" list=RasPi
add address=192.168.203.79 comment="Spare Raspberry Pi-4 on .101" list=RasPi
add address=192.168.203.72 comment="AREDN Raspberry Pi-4 on .203" list=RasPi
add address=192.168.101.42 comment="Old Family room PC on .101" list=\
add address=192.168.203.75 comment="Streaming Raspberry Pi-3b on .203" list=\
    RasPi
add address=192.168.206.75 comment="Streaming Raspberry Pi-3b on .206" list=\
    RasPi
add address=192.168.201.231 comment="AC Web Power Switch #1" list=\
    WebPowerSwitch
add address=192.168.201.232 comment="AC Web Power Switch #2" list=\
    WebPowerSwitch
add address=192.168.201.233 comment="DC Web Power Switch #1" list=\
    WebPowerSwitch
#error exporting /ip firewall calea
/ip firewall filter
add action=drop chain=input comment="Drop invalid packets on input chain" \
    connection-state=invalid
add action=jump chain=input comment="Jump to Attack chain to prevent Port scan\
    \_and DoS attacks from WAN interfaces" in-interface-list=WAN jump-target=\
    Attack
add action=jump chain=input comment=\
    "Jump to ICMP chain to prevent being ping flooded from WAN interfaces" \
    in-interface-list=WAN jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Allow PING on all LAN interfaces." \
    in-interface-list=LAN protocol=icmp
add action=accept chain=input comment=\
    "Allow PING on all AREDN LAN interfaces." in-interface-list="AREDN LAN" \
    protocol=icmp
add action=accept chain=input comment="Allow DNS on all LAN interfaces." \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop Black list IP addresses." \
    src-address-list=Black_list
add action=jump chain=input comment="Packets on the relocated ports for FTP, H\
    TTP, SSH, Telnet, and WinBox jump to Management chain" dst-port=\
    <redacted> jump-target=Management protocol=tcp
add action=jump chain=input comment="Packets on the \"normal\" ports for FTP, \
    SSH, Telnet, and WinBox jump to Drop-Normal chain" dst-port=21,22,23,8291 \
    in-interface-list=WAN jump-target=Drop-Normal protocol=tcp
add action=drop chain=input comment="IP identification log blocker" dst-port=\
    64999 protocol=tcp src-address-list="Port identification"
add action=add-src-to-address-list address-list="Port identification" \
    address-list-timeout=1m chain=input comment=\
    "IP identification port - packet is dropped, but IP is logged." dst-port=\
    64999 log=yes log-prefix="IP identification port" protocol=tcp
add action=accept chain=input comment=\
    "Allow established and related connections to router" connection-state=\
    established,related
add action=drop chain=input comment=\
    "Drop any other input packets that get this far" log-prefix=\
    "Dropped connection"
add action=drop chain=forward comment="Drop invalid packets on forward chain" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop all packets from IPs on the Manual Blacklist" log=yes log-prefix=\
    "Manual Blacklist" src-address-list="Manual Blacklist"
add action=drop chain=forward comment=\
    "Drop all packets from IPs on the Blacklist" log=yes log-prefix=\
    Blacklist src-address-list=Black_list
add action=passthrough chain=forward comment="---- >>  For all packet counters\
    \_- Inbound refers to from Internet towards device - Outbound refers to fr\
    om device towards internet  <<---" connection-state="" disabled=yes \
    in-interface=E02-pB4_101 src-address=1.2.3.4
add action=passthrough chain=forward comment=\
    "Counter for inbound packets from Glendale" connection-state="" disabled=\
    yes in-interface=E10_Fiber_Internet src-address=<redacted>
add action=accept chain=forward comment=\
    "Accept for outbound UDP packets from NTP server to VLAN 5 (AREDN)" \
    connection-state="" disabled=yes in-interface=VLAN_123 log-prefix=\
    "NTP out" out-interface=VLAN_005 protocol=udp
add action=jump chain=forward comment=\
    "WAN packets to Web Power Switches jump to Ext-Safe chain" \
    dst-address-list=WebPowerSwitch dst-port=80 in-interface-list=WAN \
    jump-target=Ext-Safe protocol=tcp
add action=jump chain=forward comment=\
    "WAN SSH port packets to RasPis list jump to Ext-Safe chain" \
    dst-address-list=RasPi dst-port=22 in-interface-list=WAN jump-target=\
    Ext-Safe protocol=tcp
add action=jump chain=forward comment=\
    "Special ports to Jupiter jump to Ext-Safe chain" dst-address=\
    192.168.201.11 dst-port=<redacted> in-interface=E10_Fiber_Internet \
    jump-target=Ext-Safe protocol=tcp
add action=jump chain=forward comment=\
    "Special ports to NTP server jump to Ext-Safe chain" dst-address=\
    192.168.123.123 dst-port=22 in-interface=E10_Fiber_Internet jump-target=\
    Ext-Safe protocol=tcp
add action=accept chain=forward comment=\
    "Allow all packets to ubee modem from devices on Ubee access list" \
    dst-address=192.168.100.1 src-address-list="Ubee access"
add action=drop chain=forward comment="Drop all packets to ubee modem" \
    dst-address=192.168.100.1
add action=drop chain=forward comment=\
    "Drop all packets to Jupiter web server from E1.31 LAN" dst-address=\
    192.168.201.11 dst-port=80 in-interface=VLAN_131 protocol=tcp
add action=jump chain=forward comment="VNC traffic jumps to VNC chain" \
    dst-port=<redacted> in-interface-list=WAN \
    jump-target=VNC protocol=tcp
add action=jump chain=forward comment=\
    "Port 22 & 80 traffic to E1.31 devices jumps to E1.31 chain" dst-address=\
    192.168.131.0/24 dst-port=22,80 in-interface=E01-pB2_Cable_Internet \
    jump-target=E1.31 protocol=tcp
add action=accept chain=forward comment="Accept all that is DST NATed" \
    connection-nat-state=dstnat connection-state=new
add action=accept chain=forward comment="Accept all that is Source NATed" \
    connection-nat-state=srcnat connection-state=new
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Allow outbound traffic from LAN-to-fiber list members to fiber internet" \
    in-interface-list=LAN-to-Fiber out-interface=E10_Fiber_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from LAN-to-cable list members to Cable internet" \
    in-interface-list=LAN-to-Cable out-interface=E01-pB2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow privileged PCs access to all other LANs" in-interface-list=LAN \
    out-interface-list=LAN src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow privileged PCs access to AREDN mesh LANs" in-interface-list=LAN \
    out-interface-list="AREDN LAN" src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow all LANs access to NTP server UDP port 123." dst-address=\
    192.168.123.123 dst-port=123 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment=\
    "Allow all AREDN LANs access to NTP server UDP port 123." dst-address=\
    192.168.123.123 dst-port=123 in-interface-list="AREDN LAN" protocol=udp
add action=accept chain=forward comment=\
    "Allow privileged IPs access to NTP server TCP ports 22 and 80." \
    dst-address=192.168.123.123 dst-port=22,80 protocol=tcp src-address-list=\
    Privileged
add action=accept chain=forward comment=\
    "Allow privileged IPs ping access to NTP server." dst-address=\
    192.168.123.123 protocol=icmp src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow Management IPs TCP access to VLAN <redacted>." out-interface=VLAN_<redacted> \
    protocol=tcp src-address-list=Management
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"
add action=drop chain=Attack comment="Drop all invalid packets." \
    connection-state=invalid
add action=return chain=Attack comment=\
    "Return from Attack chain for safe list IPs" src-address-list=Safe
add action=drop chain=Attack comment=\
    "Drop all packets from IPs on the Manual Blacklist" log=yes log-prefix=\
    "Manual Blacklist" src-address-list="Manual Blacklist"
add action=drop chain=Attack comment=\
    "Detect and drop TCP port scan connections" protocol=tcp psd=21,3s,3,1
add action=drop chain=Attack comment=\
    "Detect and drop UDP port scan connections" protocol=udp psd=21,3s,3,1
add action=tarpit chain=Attack comment="Suppress DoS attack by tarpitting" \
    connection-limit=3,32 protocol=tcp src-address-list=DoS
add action=add-src-to-address-list address-list=DoS address-list-timeout=1d \
    chain=Attack comment="Detect DoS attack" connection-limit=10,32 log=yes \
    log-prefix=DoS protocol=tcp
add action=return chain=Attack comment="Return from Attack chain"
add action=accept chain=ICMP comment=\
    "Accept ICMP type 0:0 (Echo reply) and limit to 5 packets / sec" \
    icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP type 3:3 (Destination host u\
    nreachable) and limit to 5 packets / sec" icmp-options=3:3 limit=5,5 \
    protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP type 3:4 (Fragmentation requ\
    ired) and limit to 5 packets / sec" icmp-options=3:4 limit=5,5 protocol=\
    icmp
add action=accept chain=ICMP comment=\
    "Accept ICMP type 8:0 (Echo request) and limit to 5 packets / sec" \
    icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment=\
    "Accept ICMP type 11:0 (Time exceeded) and limit to 5 packets / sec" \
    icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop all other ICMP packets" protocol=\
    icmp
add action=return chain=ICMP comment="Return from ICMP chain"
add action=accept chain=Management comment=\
    "Allow WinBox access to router from IPs on the Management list." \
    connection-state=established,related,new dst-port=<redacted> in-interface-list=\
    !WAN protocol=tcp src-address-list=Management
add action=accept chain=Management comment=\
    "Allow HTTP access to router from IPs on the Management list." \
    connection-state=established,related,new dst-port=<redacted> in-interface-list=\
    !WAN protocol=tcp src-address-list=Management
add action=accept chain=Management comment=\
    "Allow HTTPS access to router from IPs on the Management list." \
    connection-state=established,related,new dst-port=<redacted> in-interface-list=\
    !WAN protocol=tcp src-address-list=Management
add action=accept chain=Management comment=\
    "Allow SSH access to router from IPs on the Management list." \
    connection-state=established,related,new dst-port=<redacted> in-interface-list=\
    !WAN protocol=tcp src-address-list=Management
add action=accept chain=Management comment=\
    "Allow FTP access to router from IPs on the Management list." \
    connection-state=established,related,new dst-port=<redacted> in-interface-list=\
    !WAN protocol=tcp src-address-list=Management
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
    chain=Management comment=\
    "Safe list time reset via router WinBox port via WAN interfaces." \
    dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=Management comment=\
    "Allow Safe list WinBox access to router via WAN interfaces." dst-port=\
    <redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
    chain=Management comment=\
    "Safe list time reset via router HTTP port via WAN interfaces." dst-port=\
    <redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=Management comment=\
    "Allow Safe list HTTP access to router via WAN interfaces." dst-port=<redacted> \
    in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
    chain=Management comment=\
    "Safe list time reset via router HTTPS port via WAN interfaces." \
    dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=Management comment=\
    "Allow Safe list HTTPS access to router via WAN interfaces." dst-port=\
    <redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
    chain=Management comment=\
    "Safe list time reset via router SSH port via WAN interfaces." dst-port=\
    <redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=Management comment=\
    "Allow Safe list SSH access to router via WAN interfaces." dst-port=<redacted> \
    in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
    chain=Management comment=\
    "Safe list time reset via router FTP ports via WAN interfaces." disabled=\
    yes dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=\
    Safe
add action=accept chain=Management comment=\
    "Allow Safe list FTP access to router via WAN interfaces." disabled=yes \
    dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=drop chain=Management comment=\
    "Drop any Management chain packets that get this far."
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
    chain=Ext-Safe comment="Safe list time reset via Open Manage." \
    dst-address=192.168.201.11 dst-port=<redacted> in-interface=E10_Fiber_Internet \
    protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
    chain=Ext-Safe comment="Safe list time reset via SSH to RasPis." \
    dst-address-list=RasPi dst-port=22 in-interface-list=WAN protocol=tcp \
    src-address-list=Safe
add action=accept chain=Ext-Safe comment=\
    "Allow Safe list SSH access to RasPis" dst-address-list=RasPi dst-port=22 \
    in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
    chain=Ext-Safe comment="Safe list time reset via NTP server ports." \
    dst-address=192.168.123.123 dst-port=22,80 in-interface=\
    E10_Fiber_Internet protocol=tcp src-address-list=Safe
add action=accept chain=Ext-Safe comment=\
    "Allow Safe list access to NTP server." dst-address=192.168.123.123 \
    dst-port=22,80 in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Safe
add action=drop chain=Ext-Safe comment=\
    "Drop any Ext-Safe chain packets that get this far."
add action=accept chain=Uptime-Echo comment=\
    "Allow Uptime list access to Echo Dot #1." dst-address=192.168.206.11 \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime
add action=accept chain=Uptime-Echo comment=\
    "Allow Uptime list access to Echo Dot #2." dst-address=192.168.206.12 \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime
add action=accept chain=Uptime-Echo comment=\
    "Allow Uptime list access to Echo Dot #3." dst-address=192.168.206.13 \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime
add action=accept chain=Uptime-Echo comment=\
    "Allow Uptime list access to Echo Dot #4." dst-address=192.168.206.14 \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime
add action=accept chain=Uptime-Echo comment=\
    "Allow Uptime list access to Steven's Echo Dot." dst-address=\
    192.168.206.19 dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime
add action=drop chain=Uptime-Echo comment=\
    "Drop any Uptime-Echo chain packets that get this far."
add action=add-src-to-address-list address-list=Black_list \
    address-list-timeout=1d chain=Drop-Normal comment="Add FTP attempts to rou\
    ter from internet via normal port 21 to Black-list for 24 hours." \
    dst-port=21 in-interface-list=WAN log-prefix="Invalid FTP p21" protocol=\
    tcp
add action=add-src-to-address-list address-list=Black_list \
    address-list-timeout=1d chain=Drop-Normal comment="Add SSH attempts to rou\
    ter from internet via normal port 22 to Black-list for 24 hours." \
    dst-port=22 in-interface-list=WAN log-prefix="Invalid SSH p22" protocol=\
    tcp
add action=add-src-to-address-list address-list=Black_list \
    address-list-timeout=1d chain=Drop-Normal comment="Add Telnet attempts to \
    router from internet via normal port 23 to Black-list for 24 hours." \
    dst-port=23 in-interface-list=WAN log-prefix="Invalid Telnet p23" \
    protocol=tcp
add action=add-src-to-address-list address-list=Black_list \
    address-list-timeout=1d chain=Drop-Normal comment="Add Winbox attempts to \
    router from internet via normal port 8291 to Black-list for 24 hours." \
    dst-port=8291 in-interface-list=WAN log-prefix="Invalid WinBox p8291" \
    protocol=tcp
add action=drop chain=Drop-Normal comment=\
    "Drop all Drop-Normal chain packets."
add action=drop chain=PC-Boot comment="PC boot Port Knock step 1 log blocker" \
    dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=\
    "PCB Knock-1"
add action=add-src-to-address-list address-list="PCB Knock-1" \
    address-list-timeout=15s chain=PC-Boot comment=\
    "PC boot Port Knock step 1" dst-port=<redacted> in-interface-list=WAN log=yes \
    log-prefix="PC boot Port Knock step 1" protocol=tcp
add action=drop chain=PC-Boot comment="PC boot Port Knock step 2 log blocker" \
    dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=\
    "PCB Knock-2"
add action=add-src-to-address-list address-list="PCB Knock-2" \
    address-list-timeout=15s chain=PC-Boot comment=\
    "PC boot Port Knock step 2" dst-port=<redacted> in-interface-list=WAN log=yes \
    log-prefix="PC boot Port Knock step 2" protocol=tcp src-address-list=\
    "PCB Knock-1"
add action=drop chain=PC-Boot comment="PC boot Port Knock step 3 log blocker" \
    dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=\
    "PCB Knock-3"
add action=add-src-to-address-list address-list="PCB Knock-3" \
    address-list-timeout=15s chain=PC-Boot comment=\
    "PC boot Port Knock step 3" dst-port=<redacted> in-interface-list=WAN log=yes \
    log-prefix="PC boot Port Knock step 3" protocol=tcp src-address-list=\
    "PCB Knock-2"
add action=drop chain=PC-Boot comment=\
    "PC boot Port Knock Family room log blocker" dst-port=<redacted> \
    in-interface-list=WAN protocol=tcp src-address-list="PCB Knock-4"
add action=add-src-to-address-list address-list="PCB Knock-4" \
    address-list-timeout=15s chain=PC-Boot comment=\
    "PC boot Port Knock Family room" dst-port=<redacted> in-interface-list=WAN \
    log=yes log-prefix="PC boot Port Knock Family room" protocol=tcp \
    src-address-list="PCB Knock-3"
add action=drop chain=PC-Boot comment=\
    "PC boot Port Knock Light show log blocker" dst-port=<redacted> \
    in-interface-list=WAN protocol=tcp src-address-list="PCB Knock-4"
add action=add-src-to-address-list address-list="PCB Knock-4" \
    address-list-timeout=15s chain=PC-Boot comment=\
    "PC boot Port Knock Light show" dst-port=<redacted> in-interface-list=WAN log=\
    yes log-prefix="PC boot Port Knock Light show" protocol=tcp \
    src-address-list="PCB Knock-3"
add action=drop chain=PC-Boot comment=\
    "Drop any PC-Boot chain packets that get this far."
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
    chain=VNC comment="Safe time reset via Family Room 2018 VNC port" \
    dst-address=192.168.201.43 dst-port=<redacted> in-interface-list=WAN protocol=\
    tcp src-address-list=Safe
add action=accept chain=VNC comment=\
    "Allow Safe list VNC to Family Room 2018." dst-address=192.168.201.43 \
    dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=VNC comment=\
    "Allow Privileged list VNC to Family Room 2018." dst-address=\
    192.168.201.43 dst-port=<redacted> protocol=tcp src-address-list=Privileged
add action=accept chain=VNC comment=\
    "Allow Uptime list access to LOR Show 2017 VNC port" dst-address=\
    192.168.201.22 dst-port=<redacted> in-interface-list=WAN protocol=tcp \
    src-address-list=Uptime
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
    chain=VNC comment="Safe time reset via LOR-Show 2017 VNC port" \
    dst-address=192.168.201.22 dst-port=<redacted> in-interface-list=WAN protocol=\
    tcp src-address-list=Safe
add action=accept chain=VNC comment="Allow Safe list VNC to LOR-Show 2017." \
    dst-address=192.168.201.22 dst-port=<redacted> in-interface-list=WAN protocol=\
    tcp src-address-list=Safe
add action=accept chain=VNC comment=\
    "Allow Privileged list VNC to LOR Show 2017." dst-address=192.168.201.22 \
    dst-port=<redacted> protocol=tcp src-address-list=Privileged
add action=drop chain=VNC comment=\
    "Drop any VNC chain packets that get this far"
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
    chain=E1.31 comment="Safe time reset via F16v3 #1 GUI port" dst-address=\
    192.168.131.91 dst-port=80 in-interface-list=WAN protocol=tcp \
    src-address-list=Safe
add action=accept chain=E1.31 comment=\
    "Allow Safe list access to F16v3 #1 GUI port" dst-address=192.168.131.91 \
    dst-port=80 protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
    chain=E1.31 comment="Safe time reset via F16v3 #2 GUI port" dst-address=\
    192.168.131.92 dst-port=80 in-interface-list=WAN protocol=tcp \
    src-address-list=Safe
add action=accept chain=E1.31 comment=\
    "Allow Safe list access to F16v3 #2 GUI port" dst-address=192.168.131.92 \
    dst-port=80 protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
    chain=E1.31 comment="Safe time reset via F16v3 #3 GUI port" dst-address=\
    192.168.131.93 dst-port=80 in-interface-list=WAN protocol=tcp \
    src-address-list=Safe
add action=accept chain=E1.31 comment=\
    "Allow Safe list access to F16v3 #3 GUI port" dst-address=192.168.131.93 \
    dst-port=80 protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
    chain=E1.31 comment="Safe time reset via E6804 #2 GUI port" dst-address=\
    192.168.131.98 dst-port=80 in-interface-list=WAN protocol=tcp \
    src-address-list=Safe
add action=accept chain=E1.31 comment=\
    "Allow Safe list access to E6804 #2 GUI port" dst-address=192.168.131.98 \
    dst-port=80 protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
    chain=E1.31 comment="Safe time reset via F4v3 #1 GUI port" dst-address=\
    192.168.131.99 dst-port=80 in-interface-list=WAN protocol=tcp \
    src-address-list=Safe
add action=accept chain=E1.31 comment=\
    "Allow Safe list access to F4v3 #1 GUI port" dst-address=192.168.131.99 \
    dst-port=80 protocol=tcp src-address-list=Safe
add action=drop chain=E1.31 comment=\
    "Drop any E1.31 chain packets that get this far" log=yes log-prefix=\
    "E1.31 drop"
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=192.168.101.251 \
    dst-port=53 layer7-protocol=local.mesh new-connection-mark=\
    local.mesh-forward passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address=192.168.101.251 \
    dst-port=53 layer7-protocol=local.mesh new-connection-mark=\
    local.mesh-forward passthrough=yes protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.201.251 \
    dst-port=53 layer7-protocol=local.mesh new-connection-mark=\
    local.mesh-forward passthrough=yes protocol=udp
add action=mark-packet chain=prerouting disabled=yes dst-address=\
    192.168.100.1 new-packet-mark=Cable-CPE passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for Fiber" \
    out-interface=E10_Fiber_Internet
add action=masquerade chain=srcnat comment="Masquerade for cable" \
    out-interface=E01-pB2_Cable_Internet
add action=masquerade chain=srcnat comment=\
    "Outbound masquerade for traffic to VLAN 11" dst-address=10.113.6.64/29
add action=masquerade chain=srcnat comment=\
    "Outbound masquerade for traffic to VLAN 12" dst-address=10.115.242.96/29
add action=masquerade chain=srcnat comment=\
    "Outbound masquerade for traffic to VLAN 13" dst-address=10.115.244.80/29
add action=masquerade chain=srcnat comment=\
    "Outbound masquerade for traffic to VLAN 14" dst-address=10.165.92.248/29
add action=masquerade chain=srcnat comment="Masquerade for AREDN LAN" \
    out-interface=VLAN_005
add action=masquerade chain=srcnat comment="Hairpin NAT for HTTP on Jupiter" \
    dst-address=192.168.201.11 dst-port=80 protocol=tcp src-address=\
    192.168.201.0/24
add action=dst-nat chain=dstnat comment="VNC to Jupiter" dst-port=<redacted> \
    in-interface=E10_Fiber_Internet protocol=tcp src-address-list=Safe \
    to-addresses=192.168.201.11 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="VNC to LOR Show 2017" dst-port=<redacted> \
    in-interface=E10_Fiber_Internet protocol=tcp to-addresses=192.168.201.22 \
    to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Maintenance web Server on RasPi-4." \
    disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.203.72 to-ports=80
add action=dst-nat chain=dstnat comment="Web Server on Jupiter." \
    dst-address-type=local dst-port=80 in-interface=!VLAN_005 protocol=tcp \
    to-addresses=192.168.201.11 to-ports=80
add action=dst-nat chain=dstnat comment="Web Server on Jupiter." disabled=yes \
    dst-address-type=local dst-port=443 in-interface=!VLAN_005 protocol=tcp \
    to-addresses=192.168.201.11 to-ports=443
add action=dst-nat chain=dstnat comment="Web Server on Jupiter from AREDN." \
    dst-address-type=local dst-port=80 in-interface=VLAN_005 protocol=tcp \
    to-addresses=192.168.201.11 to-ports=80
add action=dst-nat chain=dstnat comment="Johnstone SuperGoose HTTP" dst-port=\
    <redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
    192.168.203.240 to-ports=80
add action=dst-nat chain=dstnat comment="Johnstone SuperGoose HTTPS" \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
    192.168.203.240 to-ports=443
add action=dst-nat chain=dstnat comment="Garage IT Watchdog 1200 HTTP" \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
    192.168.201.20 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Garage IT Watchdog 1200 HTTPS" \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
    192.168.201.20 to-ports=<redacted>
add action=dst-nat chain=dstnat connection-mark=local.mesh-forward \
    to-addresses=10.9.60.81
add action=masquerade chain=srcnat connection-mark=local.mesh-forward
add action=dst-nat chain=dstnat comment="F16v3 #1 - Pixel tree" dst-port=\
    <redacted> in-interface=E01-pB2_Cable_Internet protocol=tcp to-addresses=\
    192.168.131.91 to-ports=80
add action=dst-nat chain=dstnat comment="F16v3 #2 - Roof & Eaves" dst-port=\
    <redacted> in-interface=E01-pB2_Cable_Internet protocol=tcp to-addresses=\
    192.168.131.92 to-ports=80
add action=dst-nat chain=dstnat comment="F16v3 #3 - Perimeter & Candy canes" \
    dst-port=<redacted> in-interface=E01-pB2_Cable_Internet protocol=tcp \
    to-addresses=192.168.131.93 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "E682 #4 - Temp Perimeter & Candy canes" dst-port=<redacted> in-interface=\
    E01-pB2_Cable_Internet protocol=tcp to-addresses=192.168.131.98 to-ports=\
    80
add action=dst-nat chain=dstnat comment="F4v3 #1 - Planter, Walkway, & Roses" \
    dst-port=<redacted> in-interface=E01-pB2_Cable_Internet protocol=tcp \
    to-addresses=192.168.131.99 to-ports=80
add action=dst-nat chain=dstnat comment="Echo Dot #1 for Uptime Robot" \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime to-addresses=192.168.206.11 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Echo Dot #2 for Uptime Robot" \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime to-addresses=192.168.206.12 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Echo Dot #3 for Uptime Robot " \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime to-addresses=192.168.206.13 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Echo Dot #4 for Uptime Robot" \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime to-addresses=192.168.206.14 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Echo Dot (Steven) for Uptime Robot" \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
    src-address-list=Uptime to-addresses=192.168.206.19 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="IceCast on Streaming RasPi-3b" \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
    192.168.103.75 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="IceCast on Streaming RasPi-3b" \
    dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=udp to-addresses=\
    192.168.103.75 to-ports=<redacted>
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add comment="Frontier fiber optic" distance=1 gateway=<redacted> \
    routing-mark=via-FO
add comment="AREDN hAP-at-Home" distance=1 dst-address=10.0.0.0/8 gateway=\
    10.9.60.81
add distance=1 dst-address=172.16.0.0/12 gateway=10.9.60.81
add distance=1 dst-address=192.168.100.1/32 gateway=E01-pB2_Cable_Internet
/ip route rule
add action=lookup-only-in-table src-address=<redacted>/32 table=via-FO
add action=lookup-only-in-table dst-address=10.0.0.0/8 interface=E02-pB4_101 \
    table=main
add action=lookup-only-in-table dst-address=10.0.0.0/8 interface=E06-pA2_201 \
    table=main
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=\
    E06-pA2_201 table=main
add action=lookup-only-in-table interface=E06-pA2_201 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=VLAN_202 \
    table=main
add action=lookup-only-in-table interface=VLAN_202 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=\
    E07-pA4_203 table=main
add action=lookup-only-in-table interface=E07-pA4_203 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=VLAN_204 \
    table=main
add action=lookup-only-in-table interface=VLAN_204 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=VLAN_205 \
    table=main
add action=lookup-only-in-table interface=VLAN_205 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=\
    E08-pA6_206 table=main
add action=lookup-only-in-table interface=E08-pA6_206 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=\
    E09-pA8_207 table=main
add action=lookup-only-in-table interface=E09-pA8_207 table=via-FO
add action=lookup-only-in-table disabled=yes dst-address=192.168.0.0/16 \
    interface=E05-pA10_802.1Q table=main
add action=lookup-only-in-table disabled=yes interface=E05-pA10_802.1Q table=\
    via-FO
add action=lookup-only-in-table disabled=yes interface=VLAN_151 table=\
    Either-WAN
add dst-address=192.168.0.0/16 interface=VLAN_123 table=main
add dst-address=10.0.0.0/8 interface=VLAN_123 table=main
add dst-address=172.16.0.0/12 interface=VLAN_123 table=main
add interface=VLAN_123 table=via-FO
/ip service
set telnet disabled=yes
set ftp port=<redacted>
set www port=<redacted>
set ssh port=<redacted>
set www-ssl disabled=no port=<redacted>
set api disabled=yes
set winbox port=<redacted>
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 dhcp-client
add interface=E01-pB2_Cable_Internet pool-name="IPv6 pool 1" \
    pool-prefix-length=56 request=address,prefix
add add-default-route=yes interface=E10_Fiber_Internet pool-name=\
    "IPv6 pool 2" request=address,prefix
/ipv6 firewall filter
add action=accept chain=input comment=\
    "Accept Established and Related packets" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Accept all ICMPv6 packets from WAN interfaces." in-interface-list=WAN \
    protocol=icmpv6
add action=accept chain=input comment=\
    "Accept all ICMPv6 packets from LAN interface list." in-interface-list=\
    LAN protocol=icmpv6
add action=drop chain=input comment="Drop all IPV6 packets from fiber" \
    disabled=yes in-interface=E10_Fiber_Internet log-prefix=IPV6
add action=drop chain=input comment="Drop all IPV6 packets from cable" \
    disabled=yes in-interface=E01-pB2_Cable_Internet log-prefix=IPV6
add action=drop chain=input comment="Drop all input IPV6 packets"
add action=accept chain=forward comment=\
    "Accept Established and Related packets" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Accept outbound IPv6 packets from .101 LAN" in-interface=E02-pB4_101
add action=accept chain=forward comment=\
    "Accept outbound IPv6 packets from .201 LAN" in-interface=E06-pA2_201
add action=drop chain=forward comment="Drop all forwarded IPV6 packets"
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=RB4011iGS+
/system logging
set 1 disabled=yes
set 2 disabled=yes
add action=remote topics=info
add action=remote topics=error
add action=remote topics=critical
add action=disk topics=critical
add action=disk topics=error
add action=remote topics=warning
add action=disk topics=warning
add disabled=yes topics=critical
/system ntp client
set enabled=yes primary-ntp=192.168.123.123 secondary-ntp=132.163.97.4
/system package update
set channel=long-term
/system resource irq rps
set E01-pB2_Cable_Internet disabled=no
set E02-pB4_101 disabled=no
set E03-pB6_103 disabled=no
set E04-pB8_802.1Q disabled=no
set E05-pA10_802.1Q disabled=no
/system scheduler
add interval=1d name="Daily backup" on-event="Daily Backup" policy=\
    ftp,read,write,policy,test,password,sniff,sensitive start-date=\
    jul/12/2016 start-time=22:31:00
add name=Startup on-event="System startup" policy=read,test start-time=\
    startup
add comment="oct/24/2022 22:19:35" interval=1m name="Send Login alert" \
    on-event="Send login alert" policy=\
    ftp,read,write,policy,test,password,sniff,sensitive start-date=\
    jul/15/2016 start-time=00:00:50
add comment="may/19/2017 21:37:39" interval=1m name="Check Spectrum IP" \
    on-event="Check Spectrum IP" policy=read,write,policy,test start-date=\
    may/19/2017 start-time=00:00:30
add interval=10m name="Ping test" on-event="Ping test" policy=read,test \
    start-date=jun/12/2017 start-time=00:05:20
add interval=5m name="AREDN Ping test" on-event="AREDN ping test" policy=\
    read,write,test start-date=apr/16/2020 start-time=00:04:15
add interval=1h name="Wyze Ping" on-event="Wyze Ping" policy=read,test \
    start-date=jun/08/2020 start-time=00:02:15
add comment="may/19/2017 21:37:39" interval=1m name="Check Frontier IP" \
    on-event="Check Frontier IP" policy=read,write,policy,test start-date=\
    may/19/2017 start-time=00:00:40
add comment="sep/20/2022 10:38:17" interval=1m name=\
    "Family Rm PCB from Port Knock" on-event="Port knock FamRm boot" policy=\
    ftp,read,write,policy,test,password,sniff,sensitive start-date=\
    jul/15/2016 start-time=00:00:10
add comment="jul/17/2022 21:29:36" interval=1m name=\
    "Light Show PCB from Port Knock" on-event="Port knock LightShow boot" \
    policy=ftp,read,write,policy,test,password,sniff,sensitive start-date=\
    jul/15/2016 start-time=00:00:20
add comment="Temp script to export aredn ping results to a file." disabled=\
    yes interval=5m name=Meshoween on-event="File write test" policy=\
    ftp,read,write,policy,test,password,sniff,sensitive,romon start-date=\
    apr/16/2020 start-time=00:03:45
add interval=3m name="Dynu DDNS update" on-event="Dynu update" \
    policy=read,write,test start-date=nov/05/2021 start-time=00:01:30
add interval=4h name="Mail AREDN Pings" on-event="Mail AREDN Pings" policy=\
    read,write,test start-date=sep/21/2022 start-time=02:34:50
/system script
add dont-require-permissions=no name="Daily Backup" owner=<redacted> policy=\
    ftp,read,write,policy,test,password,sensitive source="# Policies needed:  \
    ftp, read, policy, sensitive, test, write\r\
    \n# Policies NOT needed:  password, reboot, sniff, romon\r\
    \n:log info \"Starting daily backup\";\r\
    \n/system backup save name=RB4011_Daily\r\
    \n/export file=RB4011_Daily\r\
    \n/system package print file=RB4011_Version.txt\r\
    \n:delay 00:00:01\r\
    \n/tool e-mail send file=RB4011_Daily.backup to=\"<redacted>\" body=\"4\
    011 Router daily backup file attached.\" \\\r\
    \n   subject=\"RB4011  \$[/system clock get date] at \$[/system clock get \
    time]  Backup\"\r\
    \n:delay 00:00:10\r\
    \n/tool e-mail send file=RB4011_Daily.rsc,RB4011_Version.txt,log.0.txt to=\
    \"<redacted>\" body=\"Router #1 daily script and version files attached\
    .\" \\\r\
    \n   subject=\"RB4011  \$[/system clock get date] at \$[/system clock get \
    time]  Script\"\r\
    \n:log info \"Daily backup script completed\"\r\
    \n"
add dont-require-permissions=no name="System startup" owner=<redacted> policy=\
    read,test source=":log info \"Starting System Startup script\"\r\
    \n:delay 00:00:20\r\
    \n:log info \"Sending System startup E-Mail to <redacted>\"\r\
    \n/tool e-mail send to=\"<redacted>\" body=\"\$[/system clock get date]\
    \_at \$[/system clock get time]  MikroTik RB4011 router has started 20 sec\
    onds ago.\" \\\r\
    \n   subject=\"RB4011 router startup\"\r\
    \n:delay 00:00:10\r\
    \n:log info \"Sending System startup E-Mail to <redacted>\"\r\
    \n/tool e-mail send to=\"<redacted>\" body=\"\$[/system clock get\
    \_date] at \$[/system clock get time]  MikroTik RB4011 router has started \
    30 seconds ago.\" \\\r\
    \n   subject=\"RB4011 startup\"\r\
    \n:log info \"System Startup script completed\"\r\
    \n"
add dont-require-permissions=no name="Send login alert" owner=<redacted> \
    policy=ftp,read,write,policy,test,password,sensitive source="# BEGIN SETUP\
    \r\
    \n:local scheduleName \"Send Login alert\"\r\
    \n:local emailAddress1 \"<redacted>\"\r\
    \n:local emailAddress2 \"<redacted>\"\r\
    \n:local startBuf [:toarray [/log find message~\"logged in\" || message~\"\
    login failure\" || message~\"logged out\"]]\r\
    \n:local removeThese {\"zippo\";\"whatever string you want\"}\r\
    \n# END SETUP\r\
    \n\r\
    \n# warn if schedule does not exist\r\
    \n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
    \n  /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
    e and edit script to match name\"\r\
    \n}\r\
    \n\r\
    \n# get last time\r\
    \n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
    mment]\r\
    \n# for checking time of each log entry\r\
    \n:local currentTime\r\
    \n# log message\r\
    \n:local message\r\
    \n \r\
    \n\r\
    \n# final output\r\
    \n:local output\r\
    \n\r\
    \n:local keepOutput false\r\
    \n# if lastTime is empty, set keepOutput to true\r\
    \n:if ([:len \$lastTime] = 0) do={\r\
    \n  :set keepOutput true\r\
    \n}\r\
    \n\r\
    \n\r\
    \n:local counter 0\r\
    \n# loop through all log entries that have been found\r\
    \n:foreach i in=\$startBuf do={\r\
    \n \r\
    \n\r\
    \n# loop through all removeThese array items\r\
    \n  :local keepLog true\r\
    \n  :foreach j in=\$removeThese do={\r\
    \n#   if this log entry contains any of them, it will be ignored\r\
    \n    :if ([/log get \$i message] ~ \"\$j\") do={\r\
    \n      :set keepLog false\r\
    \n    }\r\
    \n  }\r\
    \n  :if (\$keepLog = true) do={\r\
    \n   \r\
    \n   :set message [/log get \$i message]\r\
    \n\r\
    \n#   LOG DATE\r\
    \n#   depending on log date/time, the format may be different. 3 known for\
    mats\r\
    \n#   format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
    Using as default\r\
    \n    :set currentTime [ /log get \$i time ]\r\
    \n#   format of 00:00:00 which shows up on current day's logs\r\
    \n   :if ([:len \$currentTime] = 8 ) do={\r\
    \n     :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
    rentTime)\r\
    \n    } else={\r\
    \n#     format of jan/01 00:00:00 which shows up on previous day's logs\r\
    \n     :if ([:len \$currentTime] = 15 ) do={\r\
    \n        :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
    m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
    \n      }\r\
    \n   }\r\
    \n    \r\
    \n\r\
    \n#   if keepOutput is true, add this log entry to output\r\
    \n   :if (\$keepOutput = true) do={\r\
    \n     :set output (\$output.\$currentTime.\"  \".\$message.\"\\r\\n\\n\")\
    \r\
    \n   }\r\
    \n#   if currentTime = lastTime, set keepOutput so any further logs found \
    will be added to output\r\
    \n#   reset output in the case we have multiple identical date/time entrie\
    s in a row as the last matching logs\r\
    \n#   otherwise, it would stop at the first found matching log, thus all f\
    ollowing logs would be output\r\
    \n    :if (\$currentTime = \$lastTime) do={\r\
    \n     :set keepOutput true\r\
    \n     :set output \"\"\r\
    \n   }\r\
    \n  }\r\
    \n\r\
    \n#   if this is last log entry\r\
    \n  :if (\$counter = ([:len \$startBuf]-1)) do={\r\
    \n#   If keepOutput is still false after loop, this means lastTime has a v\
    alue, but a matching currentTime was never found.\r\
    \n#   This can happen if 1) The router was rebooted and matching logs stor\
    ed in memory were wiped, or 2) An item is added\r\
    \n#   to the removeThese array that then ignores the last log that determi\
    ned the lastTime variable.\r\
    \n#   This resets the comment to nothing. The next run will be like the fi\
    rst time, and you will get all matching logs\r\
    \n   :if (\$keepOutput = false) do={\r\
    \n#     if previous log was found, this will be our new lastTime entry    \
    \_ \r\
    \n     :if ([:len \$message] > 0) do={\r\
    \n        :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\")\
    \r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n  :set counter (\$counter + 1)\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# If we have output, save new date/time, and send email\r\
    \nif ([:len \$output] > 0) do={\r\
    \n  /log err \"[LOGMON] New login or logout logs found, sending E-Mail.\"\
    \r\
    \n  /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
    Time\r\
    \n  /tool e-mail send to=\"\$emailAddress1\" subject=\"MikroTik RB4011 rou\
    ter Log in or out alert \$currentTime\" body=\"Sent from MikroTik RB4011 r\
    outer \\n \\n \$output\"\r\
    \n  /tool e-mail send to=\"\$emailAddress2\" subject=\"MikroTik RB4011 rou\
    ter Log in or out alert \$currentTime\" body=\"Sent from MikroTik RB4011 r\
    outer \\n \\n \$output\"\r\
    \n  /log info \"Login / Logout update E-Mail sent.\"\r\
    \n}\r\
    \n"
add dont-require-permissions=no name="Boot scanner feed PC" owner=<redacted> \
    policy=test source="# Policy needed:  Test\r\
    \n:log info \"Sending WoL Magic Packet to Scanner Feed PC\"\r\
    \n# Need to edit next line to reflect actual MAC\r\
    \n/tool wol interface=VLAN_205 mac=12:23:34:45:56:67\r\
    \n:log info \"WoL script completed\"\r\
    \n\r\
    \n"
add dont-require-permissions=no name="Check Spectrum IP" owner=<redacted> \
    policy=read,write,policy,test source=":global CurrentCabIP;\r\
    \n:local NewIP [/ip address get [find interface=\"E01-pB2_Cable_Internet\"\
    ] address];\r\
    \n:local OldIP;\r\
    \n:local CurrentTime\r\
    \n:local CurrentDate\r\
    \n:set CurrentDate ([:pick [/system clock get date] 0 11]);\r\
    \n:set CurrentTime ([:pick [/system clock get time] 0 8]);\r\
    \n:if (\$NewIP != \$CurrentCabIP) do={\r\
    \n    :set OldIP \$CurrentCabIP;\r\
    \n    :set CurrentCabIP \$NewIP;\r\
    \n    :log info \"IP address of \$OldIP changed to new IP of \$NewIP\";\r\
    \n  /tool e-mail send to=\"<redacted>\" subject=\"Spectrum IP add\
    ress change\" body=\"\$CurrentDate at \$CurrentTime - Spectrum internet IP\
    \_address change.\\n \\n Old IP address was:  \$OldIP \\n New IP address i\
    s:  \$NewIP \\n If Old IP is blank, most likely a router startup. \\n\";\r\
    \n  /tool e-mail send to=\"<redacted>\" subject=\"Spectrum IP address c\
    hange\" body=\"\$CurrentDate at \$CurrentTime - Spectrum internet IP addre\
    ss change.\\n \\n Old IP address was:  \$OldIP \\n New IP address is:  \$N\
    ewIP \\n If Old IP is blank, most likely a router startup. \\n\";\r\
    \n\r\
    \n}\r\
    \n"
add dont-require-permissions=no name="Ping test" owner=<redacted> policy=\
    read,test source="# Ping address and send E-Mail if average RTT exceeds th\
    reshold.\r\
    \n# :log info \"Start ping test script\"\r\
    \n:local Themes \"Excessive ping time from Router #1.\"\r\
    \n# Set the monitored IP address\r\
    \n:local TestIP 8.8.4.4;\r\
    \n# Set the delay time in mSec\r\
    \n:local ErrorLevel 100\r\
    \n:local avgRtt;\r\
    \n/tool flood-ping \$TestIP count=10 do={\r\
    \n:if (\$sent = 10) do={\r\
    \n:set avgRtt \$\"avg-rtt\"\r\
    \n}}\r\
    \n:log info \"Average RTT to \$TestIP is:  \$avgRtt  Alarm threshold is:  \
    \$ErrorLevel\"\r\
    \n:if (\$avgRtt >= \$ErrorLevel) do={\r\
    \n# Send mail\r\
    \n/tool e-mail send to <redacted> subject=\$Themes body=(\"4011 router \
    \\nTest to IP:  \$TestIP \\nAverage ping RTT:  \$avgRtt ms \\nThreshold:  \
    \$ErrorLevel\")\r\
    \n/tool e-mail send to <redacted> subject=\$Themes body=(\"4011 R\
    outer1 \\nTest to IP:  \$TestIP \\nAverage ping RTT:  \$avgRtt ms \\nThres\
    hold \$ErrorLevel\")\r\
    \n:log err \"Excessive ping time E-Mail has been sent\";\r\
    \n}\r\
    \n:if (\$avgRtt = 0) do={\r\
    \n# Send mail\r\
    \n/tool e-mail send to <redacted> subject=\"Ping failure for 4011 route\
    r\" body=(\"4011 router \\nTest to IP:  \$TestIP \\nAverage ping RTT:  \$a\
    vgRtt ms\")\r\
    \n/tool e-mail send to <redacted> subject=\"Ping failure for 4011\
    \_router\" body=(\"4011 router \\nTest to IP:  \$TestIP \\nAverage ping RT\
    T:  \$avgRtt ms\")\r\
    \n:log err \"Ping failure E-Mail has been sent\";\r\
    \n}\r\
    \n# :log info \"End of script\"\r\
    \n"
add dont-require-permissions=no name="DHCP Alert" owner=<redacted> policy=\
    read,test source=":log info \"Starting Rogue DHCP server script\"\r\
    \n/tool e-mail send to=\"<redacted>\" body=\"\$[/system clock get date]\
    \_at \$[/system clock get time]  MikroTik RB4011 router has detected a rog\
    ue DHCP server.  See event log.\" \\\r\
    \n   subject=\"RB4011 router found rogue DHCP server\"\r\
    \n:delay 00:00:10\r\
    \n/tool e-mail send to=\"<redacted>\" body=\"\$[/system clock get\
    \_date] at \$[/system clock get time]  MikroTik RB4011 router has detected\
    \_a rogue DHCP server.  See event log.\" \\\r\
    \n   subject=\"RB4011 router found rogue DHCP server\"\r\
    \n:log info \"DHCP alert script completed\"\r\
    \n"
add dont-require-permissions=no name="Boot LOR Show 2017 via .201" owner=\
    <redacted> policy=test source="# Policy needed:  Test\r\
    \n:log info \"Sending WoL Magic Packet to LOR Show 2017 on .201\"\r\
    \n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n:delay 00:00:10\r\
    \n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n:delay 00:00:10\r\
    \n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n:log info \"WoL script completed\"\r\
    \n\r\
    \n\r\
    \n"
add dont-require-permissions=no name="Wyze Ping" owner=<redacted> policy=\
    read,test source="# Recent revisions (newest at top):\r\
    \n#  2021-05-05 0745  Corrected name on camera 4 (removed a space).\r\
    \n#  2021-08-06 1445  Added normal work hours exemption.\r\
    \n\r\
    \n# Ping address and send E-Mail if average RTT exceeds threshold.\r\
    \n:log info \"Starting Wyze Ping test script\";\r\
    \n\r\
    \n# First is calculate the day of the week (to be used in work hours exemp\
    tion).\r\
    \n\r\
    \n:local date [/system clock get date]\r\
    \n\r\
    \n# Math Calculation here\r\
    \n:local months [:toarray \"jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,de\
    c\"]\r\
    \n:local monthtbl [:toarray \"0,3,3,6,1,4,6,2,5,0,3,5\"]\r\
    \n:local daytbl [:toarray \"sun,mon,tue,wed,thu,fri,sat\"]\r\
    \n\r\
    \n:local month [:pick \$date 0 3]\r\
    \n:local day [:pick \$date 4 6]\r\
    \n:local dayc [:pick \$date 5 6]\r\
    \n:local century [:pick \$date 7 9]\r\
    \n:local year [:pick \$date 9 11]\r\
    \n:local yearc [:pick \$date 10 11]\r\
    \n\r\
    \n# if the first char is a 0 (zero) only read last char, else script fails\
    \r\
    \n:if ([:pick \$date 4 5] = 0) do={ :set day (\$dayc)}\r\
    \n:if ([:pick \$date 9 10] = 0) do={:set year (\$yearc)}\r\
    \n\r\
    \n:local sum 0\r\
    \n:local DoW 0\r\
    \n:set sum (\$sum + (2 * (3 - (\$century - ((\$century / 4) * 4)))))\r\
    \n:set sum (\$sum + (\$year / 4))\r\
    \n:set sum (\$sum + \$year + \$day)\r\
    \n:for mindex from=0 to=[:len \$months] do={\r\
    \n  :if ([:pick \$months \$mindex] = \$month) do={:set sum (\$sum + [:pick\
    \_\$monthtbl \$mindex]) }\r\
    \n}\r\
    \n:set DoW (\$sum - ((\$sum / 7) * 7))\r\
    \n# DoW is Day of Week where 0 = Sunday and 6 = Saturday\r\
    \n\r\
    \n# END Math Calculation\r\
    \n\r\
    \n# :log info \"Day of week = \$DoW\";\r\
    \n\r\
    \n# Set DoW to 1 for working day range\r\
    \n:if ((\$DoW > 0) and (\$DoW < 6)) do={:set DoW 1}\r\
    \n\r\
    \n# ------  End of DoW calculation -----\r\
    \n\r\
    \n# Then calculate the hour of the day (to be used in work hours exemption\
    ).\r\
    \n\r\
    \n:local time [/system clock get time]\r\
    \n:local ToD\r\
    \n\r\
    \n# Set ToD to hours\r\
    \n:set ToD [:pick \$time 0 2]\r\
    \n\r\
    \n# :log info \"Hour is  \$ToD\";\r\
    \n\r\
    \n# Set ToD to 1 for working hours\r\
    \n:if ((\$ToD > 5) and (\$ToD < 19)) do={:set ToD 1}\r\
    \n\r\
    \n# Lastly if DoW and ToD are both = 1 then set Working to 1\r\
    \n\r\
    \n:global Working 0\r\
    \n:if ((\$DoW = 1) and (\$ToD = 1)) do={:set Working 1}\r\
    \n# :log info \"Converted Hour = \$ToD   Converted Day of week = \$DoW   W\
    orking = \$Working\";\r\
    \n\r\
    \n\r\
    \n\r\
    \n# For each device set global variables for IP, name, and test enable\r\
    \n# For each device, set that device TestEn variable as follows:\r\
    \n#  0 = Disable testing\r\
    \n#  1 = Normal testing\r\
    \n#  2 = Normal testing EXCEPT during work hours\r\
    \n\r\
    \n:global TestIP 192.168.234.321;\r\
    \n:global TestIPname Wyze_camera-01_Matrix;\r\
    \n:global TestEn 1;\r\
    \n/system script run \"PingFunc\"\r\
    \n\r\

<lots of other devices deleted from this extract>

    \n:log info \"Wyze Ping script completed.\"\r\
    \n"
add dont-require-permissions=no name=PingFunc owner=<redacted> policy=read,test \
    source="# Start the Ping test function\r\
    \n# Setup global variables that will be imput from calling script\r\
    \n:global TestIP;\r\
    \n:global TestIPname;\r\
    \n:global TestEn;\r\
    \n:global Working;\r\
    \n\r\
    \n# Set up local variables\r\
    \n:local AvgRtt;\r\
    \n:local Sub1 \"Ping failure to\"\r\
    \n:local Sub2 \"from Router #1.\"\r\
    \n:local Bo1 \"Test to IP: \"\r\
    \n:local Bo2 \"Average ping RTT: \"\r\
    \n\r\
    \n# :log info \"TestIP = \$TestIP  TestEn = \$TestEn  Working = \$Working\
    \";\r\
    \n\r\
    \n:if ((\$TestEn = 1) or ((\$TestEn = 2) and (\$Working = 0))) do={\r\
    \n/tool flood-ping \$TestIP count=10 do={\r\
    \n:if (\$sent = 10) do={\r\
    \n:set AvgRtt \$\"avg-rtt\"\r\
    \n}}\r\
    \n:log info \"Average RTT to \$TestIP is:  \$AvgRtt mSec\";\r\
    \n:if (\$AvgRtt = 0) do={\r\
    \n:log err \"Ping failure to \$TestIP E-Mail is being sent\";\r\
    \n# Send mail\r\
    \n/tool e-mail send to <redacted> subject=(\"\$Sub1 \$TestIPname \$Sub2\
    \") body=(\"\$Bo1 \$TestIP  \$TestIPname \\n \$Bo2 \$AvgRtt mSec.\")\r\
    \n}} else={:log info \"\$TestIPname skipped.\"}\r\
    \n"
add dont-require-permissions=no name="Day of week" owner=<redacted> policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Calculates day of the week for a givien date\r\
    \n# Month: jan,feb ... nov,dec   (must be lower-case)\r\
    \n# Day: 1 - 31\r\
    \n# Year: 1900 - 2999\r\
    \n# mmm/dd/yyyy   same format as [/system clock get date]\r\
    \n# (ex. jul/22/2009)\r\
    \n\r\
    \n:local date [/system clock get date]\r\
    \n\r\
    \n\r\
    \n# Math Calculation here\r\
    \n:local result \"\"\r\
    \n:local months [:toarray \"jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,de\
    c\"]\r\
    \n:local monthtbl [:toarray \"0,3,3,6,1,4,6,2,5,0,3,5\"]\r\
    \n:local daytbl [:toarray \"sun,mon,tue,wed,thu,fri,sat\"]\r\
    \n\r\
    \n:local month [:pick \$date 0 3]\r\
    \n:local day [:pick \$date 4 6]\r\
    \n:local dayc [:pick \$date 5 6]\r\
    \n:local century [:pick \$date 7 9]\r\
    \n:local year [:pick \$date 9 11]\r\
    \n:local yearc [:pick \$date 10 11]\r\
    \n\r\
    \n# if the first char is a 0 (zero) only read last char, else script fails\
    \r\
    \n:if ([:pick \$date 4 5] = 0) do={ :set day (\$dayc)}\r\
    \n:if ([:pick \$date 9 10] = 0) do={:set year (\$yearc)}\r\
    \n\r\
    \n:local sum 0\r\
    \n:set sum (\$sum + (2 * (3 - (\$century - ((\$century / 4) * 4)))))\r\
    \n:set sum (\$sum + (\$year / 4))\r\
    \n:set sum (\$sum + \$year + \$day)\r\
    \n:for mindex from=0 to=[:len \$months] do={\r\
    \n  :if ([:pick \$months \$mindex] = \$month) do={:set sum (\$sum + [:pick\
    \_\$monthtbl \$mindex]) }\r\
    \n}\r\
    \n:set sum (\$sum - ((\$sum / 7) * 7))\r\
    \n:set result [:pick \$daytbl \$sum]\r\
    \n\r\
    \n# END Math Calculation\r\
    \n\r\
    \n:put ([:pick \$date 0 3] . \"/\" . [:pick \$date 4 6] . \"/\" . [:pick \
    \$date 7 9] . [:pick \$date 9 11] . \" is on a \" . \$result)\r\
    \n:put {\$sum}\r\
    \n\r\
    \n\r\
    \n"
add dont-require-permissions=no name="Check Frontier IP" owner=<redacted> \
    policy=read,write,policy,test source=":global CurrentFOIP;\r\
    \n:local NewIP [/ip address get [find interface=\"E10_Fiber_Internet\"] ad\
    dress];\r\
    \n:local OldIP;\r\
    \n:local CurrentTime\r\
    \n:local CurrentDate\r\
    \n:set CurrentDate ([:pick [/system clock get date] 0 11]);\r\
    \n:set CurrentTime ([:pick [/system clock get time] 0 8]);\r\
    \n:if (\$NewIP != \$CurrentFOIP) do={\r\
    \n    :set OldIP \$CurrentFOIP;\r\
    \n    :set CurrentFOIP \$NewIP;\r\
    \n    :log info \"Fiber IP address of \$OldIP changed to new IP of \$NewIP\
    \";\r\
    \n  /tool e-mail send to=\"<redacted>\" subject=\"Frontier IP add\
    ress change\" body=\"\$CurrentDate at \$CurrentTime - Frontier internet IP\
    \_address change.\\n \\n Old IP address was:  \$OldIP \\n New IP address i\
    s:  \$NewIP \\n If Old IP is blank, most likely a router startup. \\n\";\r\
    \n  /tool e-mail send to=\"<redacted>\" subject=\"Frontier IP address c\
    hange\" body=\"\$CurrentDate at \$CurrentTime - Frontier internet IP addre\
    ss change.\\n \\n Old IP address was:  \$OldIP \\n New IP address is:  \$N\
    ewIP \\n If Old IP is blank, most likely a router startup. \\n\";\r\
    \n\r\
    \n}\r\
    \n"
add dont-require-permissions=no name="Boot Family room 2018 PC on .201" \
    owner=<redacted> policy=test source="# Policy needed:  Test\r\
    \n:log info \"Sending WoL Magic Packet to Family room 2018 PC\"\r\
    \n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n:delay 00:00:10\r\
    \n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n:delay 00:00:10\r\
    \n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n:log info \"WoL script completed\"\r\
    \n\r\
    \n"
add dont-require-permissions=no name="Port knock FamRm boot" owner=<redacted> \
    policy=ftp,read,write,policy,test,password,sensitive source="# BEGIN SETUP\
    \r\
    \n:local scheduleName \"Family Rm PCB from Port Knock\"\r\
    \n:local emailAddress1 \"<redacted>\"\r\
    \n:local emailAddress2 \"<redacted>\"\r\
    \n:local startBuf [:toarray [/log find message~\"PC boot Port Knock Family\
    \_room\"]]\r\
    \n:local removeThese {\"zippo\";\"whatever string you want\"}\r\
    \n# END SETUP\r\
    \n\r\
    \n# warn if schedule does not exist\r\
    \n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
    \n  /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
    e and edit script to match name\"\r\
    \n}\r\
    \n\r\
    \n# get last time\r\
    \n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
    mment]\r\
    \n# for checking time of each log entry\r\
    \n:local currentTime\r\
    \n# log message\r\
    \n:local message\r\
    \n \r\
    \n\r\
    \n# final output\r\
    \n:local output\r\
    \n\r\
    \n:local keepOutput false\r\
    \n# if lastTime is empty, set keepOutput to true\r\
    \n:if ([:len \$lastTime] = 0) do={\r\
    \n  :set keepOutput true\r\
    \n}\r\
    \n\r\
    \n\r\
    \n:local counter 0\r\
    \n# loop through all log entries that have been found\r\
    \n:foreach i in=\$startBuf do={\r\
    \n \r\
    \n\r\
    \n# loop through all removeThese array items\r\
    \n  :local keepLog true\r\
    \n  :foreach j in=\$removeThese do={\r\
    \n#   if this log entry contains any of them, it will be ignored\r\
    \n    :if ([/log get \$i message] ~ \"\$j\") do={\r\
    \n      :set keepLog false\r\
    \n    }\r\
    \n  }\r\
    \n  :if (\$keepLog = true) do={\r\
    \n   \r\
    \n   :set message [/log get \$i message]\r\
    \n\r\
    \n#   LOG DATE\r\
    \n#   depending on log date/time, the format may be different. 3 known for\
    mats\r\
    \n#   format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
    Using as default\r\
    \n    :set currentTime [ /log get \$i time ]\r\
    \n#   format of 00:00:00 which shows up on current day's logs\r\
    \n   :if ([:len \$currentTime] = 8 ) do={\r\
    \n     :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
    rentTime)\r\
    \n    } else={\r\
    \n#     format of jan/01 00:00:00 which shows up on previous day's logs\r\
    \n     :if ([:len \$currentTime] = 15 ) do={\r\
    \n        :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
    m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
    \n      }\r\
    \n   }\r\
    \n    \r\
    \n\r\
    \n#   if keepOutput is true, add this log entry to output\r\
    \n   :if (\$keepOutput = true) do={\r\
    \n     :set output (\$output.\$currentTime.\"  \".\$message.\"\\r\\n\\n\")\
    \r\
    \n   }\r\
    \n#   if currentTime = lastTime, set keepOutput so any further logs found \
    will be added to output\r\
    \n#   reset output in the case we have multiple identical date/time entrie\
    s in a row as the last matching logs\r\
    \n#   otherwise, it would stop at the first found matching log, thus all f\
    ollowing logs would be output\r\
    \n    :if (\$currentTime = \$lastTime) do={\r\
    \n     :set keepOutput true\r\
    \n     :set output \"\"\r\
    \n   }\r\
    \n  }\r\
    \n\r\
    \n#   if this is last log entry\r\
    \n  :if (\$counter = ([:len \$startBuf]-1)) do={\r\
    \n#   If keepOutput is still false after loop, this means lastTime has a v\
    alue, but a matching currentTime was never found.\r\
    \n#   This can happen if 1) The router was rebooted and matching logs stor\
    ed in memory were wiped, or 2) An item is added\r\
    \n#   to the removeThese array that then ignores the last log that determi\
    ned the lastTime variable.\r\
    \n#   This resets the comment to nothing. The next run will be like the fi\
    rst time, and you will get all matching logs\r\
    \n   :if (\$keepOutput = false) do={\r\
    \n#     if previous log was found, this will be our new lastTime entry    \
    \_ \r\
    \n     :if ([:len \$message] > 0) do={\r\
    \n        :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\")\
    \r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n  :set counter (\$counter + 1)\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# If we have output, save new date/time, and send email\r\
    \nif ([:len \$output] > 0) do={\r\
    \n  /log err \"[LOGMON] Family room PC WoL from Port Knock.\"\r\
    \n  /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
    Time\r\
    \n  :log info \"Sending WoL Magic Packet to Family room 2018 PC\"\r\
    \n  /tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n  :delay 00:00:10\r\
    \n  /tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n  :delay 00:00:10\r\
    \n  /tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n  :log info \"WoL script completed\"\r\
    \n}\r\
    \n"
add dont-require-permissions=no name="Port knock LightShow boot" owner=\
    <redacted> policy=ftp,read,write,policy,test,password,sensitive source="# BE\
    GIN SETUP\r\
    \n:local scheduleName \"Light Show PCB from Port Knock\"\r\
    \n:local emailAddress1 \"<redacted>\"\r\
    \n:local emailAddress2 \"<redacted>\"\r\
    \n:local startBuf [:toarray [/log find message~\"PC boot Port Knock Light \
    show\"]]\r\
    \n:local removeThese {\"zippo\";\"whatever string you want\"}\r\
    \n# END SETUP\r\
    \n\r\
    \n# warn if schedule does not exist\r\
    \n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
    \n  /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
    e and edit script to match name\"\r\
    \n}\r\
    \n\r\
    \n# get last time\r\
    \n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
    mment]\r\
    \n# for checking time of each log entry\r\
    \n:local currentTime\r\
    \n# log message\r\
    \n:local message\r\
    \n \r\
    \n\r\
    \n# final output\r\
    \n:local output\r\
    \n\r\
    \n:local keepOutput false\r\
    \n# if lastTime is empty, set keepOutput to true\r\
    \n:if ([:len \$lastTime] = 0) do={\r\
    \n  :set keepOutput true\r\
    \n}\r\
    \n\r\
    \n\r\
    \n:local counter 0\r\
    \n# loop through all log entries that have been found\r\
    \n:foreach i in=\$startBuf do={\r\
    \n \r\
    \n\r\
    \n# loop through all removeThese array items\r\
    \n  :local keepLog true\r\
    \n  :foreach j in=\$removeThese do={\r\
    \n#   if this log entry contains any of them, it will be ignored\r\
    \n    :if ([/log get \$i message] ~ \"\$j\") do={\r\
    \n      :set keepLog false\r\
    \n    }\r\
    \n  }\r\
    \n  :if (\$keepLog = true) do={\r\
    \n   \r\
    \n   :set message [/log get \$i message]\r\
    \n\r\
    \n#   LOG DATE\r\
    \n#   depending on log date/time, the format may be different. 3 known for\
    mats\r\
    \n#   format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
    Using as default\r\
    \n    :set currentTime [ /log get \$i time ]\r\
    \n#   format of 00:00:00 which shows up on current day's logs\r\
    \n   :if ([:len \$currentTime] = 8 ) do={\r\
    \n     :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
    rentTime)\r\
    \n    } else={\r\
    \n#     format of jan/01 00:00:00 which shows up on previous day's logs\r\
    \n     :if ([:len \$currentTime] = 15 ) do={\r\
    \n        :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
    m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
    \n      }\r\
    \n   }\r\
    \n    \r\
    \n\r\
    \n#   if keepOutput is true, add this log entry to output\r\
    \n   :if (\$keepOutput = true) do={\r\
    \n     :set output (\$output.\$currentTime.\"  \".\$message.\"\\r\\n\\n\")\
    \r\
    \n   }\r\
    \n#   if currentTime = lastTime, set keepOutput so any further logs found \
    will be added to output\r\
    \n#   reset output in the case we have multiple identical date/time entrie\
    s in a row as the last matching logs\r\
    \n#   otherwise, it would stop at the first found matching log, thus all f\
    ollowing logs would be output\r\
    \n    :if (\$currentTime = \$lastTime) do={\r\
    \n     :set keepOutput true\r\
    \n     :set output \"\"\r\
    \n   }\r\
    \n  }\r\
    \n\r\
    \n#   if this is last log entry\r\
    \n  :if (\$counter = ([:len \$startBuf]-1)) do={\r\
    \n#   If keepOutput is still false after loop, this means lastTime has a v\
    alue, but a matching currentTime was never found.\r\
    \n#   This can happen if 1) The router was rebooted and matching logs stor\
    ed in memory were wiped, or 2) An item is added\r\
    \n#   to the removeThese array that then ignores the last log that determi\
    ned the lastTime variable.\r\
    \n#   This resets the comment to nothing. The next run will be like the fi\
    rst time, and you will get all matching logs\r\
    \n   :if (\$keepOutput = false) do={\r\
    \n#     if previous log was found, this will be our new lastTime entry    \
    \_ \r\
    \n     :if ([:len \$message] > 0) do={\r\
    \n        :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\")\
    \r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n  :set counter (\$counter + 1)\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# If we have output, save new date/time, and send email\r\
    \nif ([:len \$output] > 0) do={\r\
    \n  /log err \"[LOGMON] Light Show PC WoL from Port Knock.\"\r\
    \n  /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
    Time\r\
    \n:log info \"Sending WoL Magic Packet to LOR Show 2017 on .201\"\r\
    \n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n:delay 00:00:10\r\
    \n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n:delay 00:00:10\r\
    \n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
    \n:log info \"WoL script completed\"\r\
    \n}\r\
    \n"
add dont-require-permissions=no name="Dynu update" owner=<redacted> \
    policy=read,write,test source=":global CabDDNSuser \"<redacted>\"\r\
    \n:global CabDDNSpass \"<redacted>\"\r\
    \n:global Cabinterface \"E01-pB2_Cable_Internet\"\r\
    \n:global CabDDNShost \"<redacted>\"\r\
    \n:global CabIPddns [:resolve \$CabDDNShost];\r\
    \n:global CabIPfresh [ /ip address get [/ip address find interface=\$Cabin\
    terface ] address ]\r\
    \n:if ([ :typeof \$CabIPfresh ] = nil ) do={\r\
    \n:log info (\"CabDynuDDNS: No IP address on \$CabIPinterface .\")\r\
    \n} else={\r\
    \n:for i from=( [:len \$CabIPfresh] - 1) to=0 do={\r\
    \n:if ( [:pick \$CabIPfresh \$i] = \"/\") do={\r\
    \n:set CabIPfresh [:pick \$CabIPfresh 0 \$i];\r\
    \n}\r\
    \n}\r\
    \n:if (\$CabIPddns != \$CabIPfresh) do={\r\
    \n:log info (\"CabDynuDDNS: Host = \$CabDDNShost\")\r\
    \n:log info (\"CabDynuDDNS: IP-Dynu = \$CabIPddns\")\r\
    \n:log info (\"CabDynuDDNS: IP-Fresh = \$CabIPfresh\")\r\
    \n:log info \"CabDynuDDNS: Update IP needed, Sending UPDATE...!\"\r\
    \n:global Cabstr \"/nic/update\?hostname=\$CabDDNShost&myip=\$CabIPfresh\"\
    \r\
    \n/tool fetch address=api.dynu.com src-path=\$Cabstr mode=http user=\$CabD\
    DNSuser password=\$CabDDNSpass dst-path=(\"/Dynu.\".\$CabDDNShost)\r\
    \n:delay 1\r\
    \n:global Cabstr [/file find name=\"Dynu.\$CabDDNShost\"];\r\
    \n/file remove \$Cabstr\r\
    \n:global CabIPddns \$CabIPfresh\r\
    \n:log info \"CabDynuDDNS: IP updated to \$CabIPfresh !\"\r\
    \n} else={\r\
    \n# :log info \"CabDynuDDNS: No changes needed.  IP = \$CabIPfresh\";\r\
    \n}\r\
    \n}\r\
    \n"
/tool e-mail
set address=<redacted> from="RB4011iGS+ Router" password=<redacted> \
    port=<redacted> start-tls=yes user=<redacted>
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.101.11/32
add allow-address=192.168.101.43/32
add allow-address=192.168.201.11/32
add allow-address=192.168.201.43/32
/tool graphing resource
add allow-address=192.168.101.11/32
add allow-address=192.168.101.43/32
add allow-address=192.168.201.11/32
add allow-address=192.168.201.43/32
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set file-name=<redacted> filter-interface=E09-pA8_207 filter-ip-address=\
    <redacted>
 
anav
Forum Guru
Posts: 14344
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Upgrade 4011 from 6.49.6 to 7.x - any expected issues?

Wed Oct 26, 2022 3:01 am

Should not be, most issues came from people upgrading from 7 betas mostly.

The only things that will be wonky are
a. recursive routes as vers7 has strict rules
b. Tables used in Routing rules and routes (need to create tables separately)
 
k6ccc
Forum Guru
Topic Author
Posts: 1084
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Upgrade 4011 from 6.49.6 to 7.x - any expected issues?

Wed Oct 26, 2022 4:13 am

a. recursive routes as vers7 has strict rules
b. Tables used in Routing rules and routes (need to create tables separately)
Thanks. Can you elaborate on those a bit? And were those general statements, or based on things you saw in my config?
I am using routing rules so that different LANs route through one internet service and other LANs route through the other internet service.
 
anav
Forum Guru
Posts: 14344
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Upgrade 4011 from 6.49.6 to 7.x - any expected issues?

Wed Oct 26, 2022 2:24 pm

No, it was based on my experience, didn't look at your config LOL.

You will need to add the tables and modify routes. Also you may have to get rid of the translation attempts' duplication from 6.49 to vers7 (aka a bit of cleanup).

Example.........
/routing table
add fib name=via-FO

/ip route
add comment="Frontier fiber optic" distance=1 gateway=<redacted> \
table=via-FO
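A worked conversion of the policy routing the OP describes (each LAN pinned to one WAN), as an added example that is not part of any post in this thread: the 6.49 form beside its v7 equivalent. The LAN prefix, gateway address and table name are assumed placeholders, and the v7 parameter names (routing-table on routes, table on rules) are the ones used by RouterOS 7.

```routeros
# RouterOS 6.49 form (the kind of lines the export above carries), placeholders assumed:
# /ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-FO
# /ip route rule add src-address=192.168.201.0/24 table=via-FO action=lookup-only-in-table

# RouterOS 7 equivalent. Create the table first: routes and rules reference it
# by name, and "fib" makes it a real forwarding table rather than a label.
/routing table
add fib name=via-FO

# Default route inside that table (v7 replaced routing-mark with routing-table).
/ip route
add comment="Frontier fiber optic" dst-address=0.0.0.0/0 gateway=203.0.113.1 \
    distance=1 routing-table=via-FO

# Policy rule: traffic sourced from the fiber-side LAN is looked up only in via-FO.
# lookup-only-in-table means no fallback to main if the WAN route goes inactive,
# which is the intended behaviour for the OP's no-failover setup.
/routing rule
add src-address=192.168.201.0/24 action=lookup-only-in-table table=via-FO

# Checks after the upgrade: the route must show as active (flag A) and the rule
# must still reference the named table; leftover routing-mark entries from the
# automatic 6.49 conversion can be spotted and removed here too.
/ip route print where routing-table=via-FO
/routing rule print
```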
 
k6ccc
Forum Guru
Topic Author
Posts: 1084
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Upgrade 4011 from 6.49.6 to 7.x - any expected issues?

Wed Oct 26, 2022 4:56 pm

I did a quick read on the manual for routing last night, but only had a few minutes. I had seen FIBs before. Will spend some more time reading on that today if I have time.

Thanks for your time.
 
Moba
Frequent Visitor
Posts: 79
Joined: Sun Sep 27, 2020 6:15 pm

Re: Upgrade 4011 from 6.49.6 to 7.x - any expected issues?

Thu Oct 27, 2022 12:03 am

CPU usage doubled on my box with v7 when I tested it (YMMV). It's not a bug, but to be expected with the upgraded kernel...
 
k6ccc
Forum Guru
Topic Author
Posts: 1084
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Upgrade 4011 from 6.49.6 to 7.x - any expected issues?

Thu Oct 27, 2022 1:04 am

CPU usage doubled on my box with v7 when I tested it (YMMV). It's not a bug, but to be expected with the upgraded kernel...
Should not be a problem. My 4011 runs at about 1% most of the time.
Thanks for the info.
