Channel: MikroTik

Beginner Basics • Please review my Gateway+AP+Multiple VLANS configs

Hi all,

I'm new to networking/routing, and even though I am an IT guy, this is not my area of competence!
I'm seeking tuning tips and better configuration settings, as there will surely be some beginner mistakes.
Thanks in advance for any corrections/better configurations!

My network diagram looks roughly like this (apologies for the incorrect diagram icons!): https://drive.google.com/file/d/15KrwVi ... drive_link

This is the configuration of GW00-TBUK:
Code:
# 2024-02-05 20:18:46 by RouterOS 7.13.3
# software id = JFZQ-1JBT
#
# model = RB960PGS
# serial number = HFA098RB8ZH
/interface bridge
add admin-mac=78:9A:18:A4:7D:F4 auto-mac=no name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=IT_wireguard
/interface vlan
add interface=ether2 name=gst_vlan200 vlan-id=200
add interface=ether2 name=iot_vlan30 vlan-id=30
add interface=ether2 name=mmx_vlan20 vlan-id=20
add interface=ether2 name=net_vlan10 vlan-id=10
add interface=ether2 name=vit_vlan40 vlan-id=40
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=XXXXXXXXX
/interface list
add name=WAN
add name=LAN
add name=IT_LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=mgm_pool ranges=192.168.88.10-192.168.88.254
add name=vit_pool ranges=192.168.40.20-192.168.40.254
add name=gst_pool ranges=192.168.200.20-192.168.200.254
add name=net_pool ranges=192.168.10.20-192.168.10.254
add name=mmx_pool ranges=192.168.20.20-192.168.20.254
add name=iot_pool ranges=192.168.30.20-192.168.30.254
/ip dhcp-server
add address-pool=mgm_pool interface=bridge lease-time=1w1d name=main_dhcp
add address-pool=gst_pool interface=gst_vlan200 lease-time=5m name=gst_dhcp
add address-pool=net_pool interface=net_vlan10 lease-time=1d name=net_dhcp
add address-pool=mmx_pool interface=mmx_vlan20 lease-time=1d name=mmx_dhcp
add address-pool=iot_pool interface=iot_vlan30 lease-time=2d name=iot_dhcp
add address-pool=vit_pool interface=vit_vlan40 name=vit_dhcp
/ip vrf
add interfaces=IT_LAN name=it_vrf
/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=net_vlan10 list=LAN
add interface=mmx_vlan20 list=LAN
add interface=gst_vlan200 list=LAN
add interface=iot_vlan30 list=LAN
add interface=vit_vlan40 list=IT_LAN
add interface=IT_wireguard list=IT_LAN
add interface=UK_wireguard list=UK_LAN
add interface=vuk_vlan41 list=UK_LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=149.102.237.129 endpoint-port=51820 interface=IT_wireguard persistent-keepalive=25m private-key="XXXXXX" public-key="XXXXXX"
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.200.1/24 interface=gst_vlan200 network=192.168.200.0
add address=192.168.10.1/24 interface=net_vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=mmx_vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=iot_vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=vit_vlan40 network=192.168.40.0
add address=10.2.0.2 interface=IT_wireguard network=10.2.0.0
add address=10.2.0.3 disabled=yes interface=UK_wireguard network=10.2.0.0
add address=192.168.41.1/24 disabled=yes interface=vuk_vlan41 network=192.168.41.0
/ip dhcp-server lease
add address=192.168.20.20 client-id=1:4:b9:e3:f5:f8:ca comment="MMX Tv" mac-address=XXXXXXX server=mmx_dhcp
add address=192.168.30.128 mac-address=XXXXXXX server=iot_dhcp
add address=192.168.10.88 mac-address=XXXXXXX server=net_dhcp
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=10.2.0.1,192.168.40.1 gateway=192.168.40.1
add address=192.168.41.0/24 dns-server=10.2.0.1,192.168.41.1 gateway=192.168.41.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=gateway.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=IT_wireguard src-address=192.168.40.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=IT_wireguard@it_vrf routing-table=it_vrf suppress-hw-offload=no
add disabled=no distance=1 dst-address=XXXXXX/32 gateway=pppoe-out1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name=GW00-TBUK
/system note
set show-at-login=no
/tool graphing interface
add interface=mmx_vlan20
add interface=net_vlan10
add interface=iot_vlan30
add interface=gst_vlan200
add interface=vit_vlan40
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether2 streaming-enabled=yes streaming-server=192.168.10.80

This is the configuration of AP00-TBUK:
Code:
# 2024-02-05 20:26:06 by RouterOS 7.13.3
# software id = UYDE-VHID
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HF8090WQCPE
/interface bridge
add admin-mac=78:9A:18:94:B4:2A auto-mac=no disabled=yes name=lan_bridge port-cost-mode=short
add frame-types=admit-only-untagged-and-priority-tagged name=wan_bridge protocol-mode=mstp vlan-filtering=yes
/interface vlan
add disabled=yes interface=ether1 name=vlan40 vlan-id=40
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=net_2ax skip-dfs-channels=10min-cac width=20/40mhz
add band=5ghz-ax disabled=no name=net_5ax skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no name=iot_2ax skip-dfs-channels=10min-cac width=20/40mhz
add band=5ghz-ax disabled=no name=iot_5ax skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no name=vit_2ax
add band=5ghz-ax disabled=no name=vit_5ax
add band=2ghz-ax disabled=no name=mmx_2ax skip-dfs-channels=10min-cac width=20/40mhz
add band=5ghz-ax disabled=no name=mmx_5ax skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no name=gst_5ax skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no name=gst_2ax skip-dfs-channels=10min-cac width=20/40mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=net_sec
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=mmx_sec
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=gst_sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=vit_sec
add authentication-types=wpa-psk,wpa2-psk connect-priority=0 disabled=no name=iot_sec
/interface wifi configuration
add channel=net_5ax country="United Kingdom" disabled=no hide-ssid=no mode=ap name=net_5g_conf security=net_sec security.connect-priority=0 ssid=XS4TBNET
add channel=gst_2ax country="United Kingdom" disabled=no hide-ssid=no mode=ap name=gst_2g_conf security=gst_sec security.connect-priority=0 ssid=XS4TBGST
add channel=mmx_5ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap name=mmx_5g_conf security=mmx_sec security.connect-priority=0 ssid=XS4TBMMX
add channel=net_2ax country="United Kingdom" disabled=no hide-ssid=no mode=ap name=net_2g_conf security=net_sec security.connect-priority=0 ssid=XS4TBNET
add channel=mmx_2ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap name=mmx_2g_conf security=mmx_sec security.connect-priority=0 ssid=XS4TBMMX
add channel=gst_5ax country="United Kingdom" disabled=no hide-ssid=no mode=ap name=gst_5g_conf security=gst_sec security.connect-priority=0 ssid=XS4TBGST
add channel=iot_5ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap name=iot_5g_conf security=iot_sec security.connect-priority=0 ssid=XS4TBIOT
add channel=iot_2ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap name=iot_2g_conf security=iot_sec security.connect-priority=0 ssid=XS4TBIOT
add channel=vit_5ax country="United Kingdom" disabled=no hide-ssid=no mode=ap name=vit_5g_conf security=vit_sec security.connect-priority=0 ssid=XS4TBVIT
add channel=vit_2ax country="United Kingdom" disabled=no hide-ssid=no mode=ap name=vit_2g_conf security=vit_sec security.connect-priority=0 ssid=XS4TBVIT
/interface wifi
set [ find default-name=wifi2 ] configuration=net_2g_conf configuration.mode=ap disabled=no name=net_wifi_2G
set [ find default-name=wifi1 ] configuration=net_5g_conf configuration.hide-ssid=yes .mode=ap disabled=no name=net_wifi_5G security.connect-priority=0
add channel=vit_2ax configuration=vit_2g_conf configuration.mode=ap disabled=no mac-address=7A:9A:18:94:B4:2E master-interface=net_wifi_2G name=vit_wifi_2g security.connect-priority=0
add channel=gst_5ax configuration=gst_5g_conf configuration.mode=ap disabled=no mac-address=7A:9A:18:94:B4:31 master-interface=net_wifi_5G name=gst_wifi_5G security.connect-priority=0
add channel=iot_2ax configuration=iot_2g_conf configuration.mode=ap disabled=no mac-address=7A:9A:18:94:B4:2F master-interface=net_wifi_2G name=iot_wifi_2g security.connect-priority=0
add channel=iot_5ax configuration=iot_5g_conf configuration.mode=ap mac-address=7A:9A:18:94:B4:2F master-interface=net_wifi_5G name=iot_wifi_5g security.connect-priority=0
add channel=mmx_5ax configuration=mmx_5g_conf configuration.mode=ap disabled=no mac-address=7A:9A:18:94:B4:32 master-interface=net_wifi_5G name=mmx_wifi_5g
/ip pool
add name=pool ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=pool disabled=yes interface=lan_bridge name=dhcp
/interface bridge port
add bridge=wan_bridge interface=net_wifi_5G internal-path-cost=10 path-cost=10 pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=ether1 internal-path-cost=20 path-cost=20
add bridge=wan_bridge interface=ether3 pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=ether2 pvid=20 tag-stacking=yes
add bridge=wan_bridge interface=ether4 pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=ether5 pvid=40 tag-stacking=yes
add bridge=wan_bridge interface=gst_wifi_5G pvid=200 tag-stacking=yes
add bridge=wan_bridge interface=mmx_wifi_5g pvid=20 tag-stacking=yes
add bridge=wan_bridge interface=iot_wifi_5g pvid=30 tag-stacking=yes
add bridge=wan_bridge interface=vit_wifi_2g pvid=40 tag-stacking=yes
add bridge=wan_bridge interface=net_wifi_2G internal-path-cost=10 path-cost=10 pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=iot_wifi_2g pvid=30 tag-stacking=yes
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=wan_bridge tagged=ether1 untagged=net_wifi_2G,net_wifi_5G,wan_bridge,ether4,ether3 vlan-ids=10
add bridge=wan_bridge tagged=ether1 untagged=mmx_wifi_5g,ether2 vlan-ids=20
add bridge=wan_bridge tagged=ether1 untagged=gst_wifi_5G vlan-ids=200
add bridge=wan_bridge tagged=ether1 untagged=iot_wifi_2g,iot_wifi_5g vlan-ids=30
add bridge=wan_bridge tagged=ether1 untagged=vit_wifi_2g,ether5 vlan-ids=40
/interface detect-internet
set detect-interface-list=all
/interface list member
add disabled=yes interface=lan_bridge list=LAN
add interface=wan_bridge list=WAN
/ip address
add address=192.168.1.1/24 disabled=yes interface=lan_bridge network=192.168.1.0
/ip dhcp-client
add interface=wan_bridge
add disabled=yes interface=vlan40
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward disabled=yes in-interface=lan_bridge out-interface=*19
add action=drop chain=forward disabled=yes in-interface=*19 out-interface=lan_bridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name=AP00-TBUK
/system note
set show-at-login=no
/tool graphing interface
add interface=*17
add interface=gst_wifi_5G
add interface=*19
add interface=*34
/tool sniffer
set filter-interface=ether3

Statistics: Posted by thebox — Mon Feb 05, 2024 10:39 pm
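Two things the GW00-TBUK export above leaves open, shown as an added example rather than anything from the post: gst_vlan200 is a member of the LAN list, so the input rule "drop all not coming from LAN" lets guest clients reach every service on the router, and the IPv4 forward chain has no rule between the internal networks, so guest and IoT clients can open connections into the other VLANs. The rules below (RouterOS 7 syntax) close both gaps while keeping DHCP, DNS and internet access for guests; the GUEST list name and the rule comments are assumptions made here, the interface names and defconf comments are those in the export.

```routeros
# Added on GW00-TBUK. Interface and list names come from the export above;
# the GUEST list and the rule comments are new.
/interface list
add name=GUEST
/interface list member
add interface=gst_vlan200 list=GUEST

/ip firewall filter
# input chain: guest clients only need DHCP and DNS from the router itself.
# Each rule is placed before the defconf "drop all not coming from LAN" rule,
# so they are evaluated in this order: accept UDP 53/67, accept TCP 53, drop.
# gst_vlan200 stays in LAN as well, so the explicit guest drop is what matters.
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=53,67 \
    comment="guest: allow DNS and DHCP to the router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept in-interface-list=GUEST protocol=tcp dst-port=53 \
    comment="guest: allow DNS over TCP to the router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=drop in-interface-list=GUEST \
    comment="guest: drop everything else aimed at the router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# forward chain: appended after the defconf rules, so fasttrack and the
# established/related accept still handle return traffic first. Only new
# connections are matched: the management bridge (192.168.88.0/24) may open
# them towards the VLANs, every other LAN-to-LAN connection is dropped.
# Traffic to the internet is unaffected because pppoe-out1 is in WAN, not LAN.
# vit_vlan40 sits in IT_LAN and it_vrf, so it is not covered by these rules.
add chain=forward action=accept connection-state=new in-interface=bridge out-interface-list=LAN \
    comment="mgmt: allow the management bridge to reach the VLANs"
add chain=forward action=drop connection-state=new in-interface-list=LAN out-interface-list=LAN \
    comment="drop new connections between internal networks"
```

On AP00-TBUK the iot_sec profile still offers wpa-psk alongside wpa2-psk; if every IoT device supports WPA2, `/interface wifi security set iot_sec authentication-types=wpa2-psk` removes the WPA1/TKIP option.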


