Hello.
Short story: I want to separate two wireless networks and bridge(?) one of them to a wired interface, while upholding high security.
I have a 2011UiAS and 4 cAP ac running capsman. I also have 4 UniFi AP-AC Pro and some wired receipt printers (gastrofix POS). Today's setup works fine, but the UniFi's have died one after the other. Now I'm down to only 1(!) working. All cAP ac are just fine.
The cAP ac is giving guest wifi (dhcp), while the UniFi's handle POS equipment (5 iPads and 4 iZettle, dhcp). Receipt printers are wired (with static IP).
The cAP ac's are connected to a managed Mikrotik POE switch (eth3) to eliminate the POE dongles, while UniFi's and receipt printers are all on an unmanaged switch (eth4) (the cAP ac's could also be on a separate unmanaged switch, I just used what I had). Broadband on eth1, switch for office computers on eth2.
Everything works fine today.
However, I need to quickly replace the dead UniFi's. So I was hoping to move the POS network over to my cAP ac's and separate guest and POS network into vlans. And bridge wired and wireless POS vlans.
It's very important that guests can't access anything else on the net than internet. And of course outsiders can't get into the network.
I've exported my current config and modified it to add the POS network (which was previously done locally in the UniFi APs). At the bottom is the current config.
Could someone check the script and tell me if I did something wrong, if something could be better, or if I should set it up entirely differently?
Also, I'm not sure if capsman has any pros or cons in my case? I might expand to 5 cAP ac's in the near future. And running a script locally on each AP if I change config sometimes isn't that big of a deal.
New, modified config (not tested yet).
Code:
# mar/07/2024 20:07:04 by RouterOS 6.49.13
# software id = TRSV-ISX2
#
# model = 2011UiAS
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G tx-power=20
#previous config (only guest APs)
#/interface bridge
#add fast-forward=no name=AP_bridge
#add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment=TrustedBridge name=WorkBridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
#/caps-man datapath
#add bridge=AP_bridge bridge-horizon=1 client-to-client-forwarding=no local-forwarding=no name="My Public"
/interface vlan
add vlan-id=10 interface=eth2_kontor name=EmployeeLAN_VLAN
add vlan-id=20 interface=eth3_MikrotikAPs name=GuestWIFI_VLAN
add vlan-id=30 interface=eth3_MikrotikAPs name=GastrofixWIFI_VLAN
add vlan-id=40 interface=eth4_gastrofix_wired name=GastrofixLAN_VLAN
/interface bridge
add name=Gastrofix_bridge
/interface bridge port
add bridge=Gastrofix_bridge interface=GastrofixLAN_VLAN
add bridge=Gastrofix_bridge interface=GastrofixWIFI_VLAN
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
#5GHz
/caps-man configuration
add country=norway datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name="GastrofixConfig5G" distance=indoors installation=indoor mode=ap security.authentication-types=wpa-psk,wpa2-psk security.passphrase=Test1234 ssid="Gastrofix_5GHz"
add country=norway datapath.local-forwarding=no datapath.vlan-id=20 datapath.vlan-mode=use-tag name="GuestPublicConfig5GHz" distance=indoors installation=indoor mode=ap ssid="Public"
/caps-man interface
add channel=Ch36_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B name=5GHz-AP_Kontor
add channel=Ch40_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A name=5GHz-AP_Bar
#add channel=Ch44_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=xx master-interface=none radio-mac=xx radio-name=xx name=5GHz-AP_Messanin
add channel=Ch48_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D name=5GHz-AP_Chambre
add channel=Ch36_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B name=5GHz-AP_Kontor
add channel=Ch40_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A name=5GHz-AP_Bar
#add channel=Ch44_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=xx master-interface=none radio-mac=xx radio-name=xx name=5GHz-AP_Messanin
add channel=Ch48_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D name=5GHz-AP_Chambre
#2.4GHz
/caps-man configuration
add country=norway datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name="GastrofixConfig24G" distance=indoors installation=indoor mode=ap security.authentication-types=wpa-psk,wpa2-psk security.passphrase=Test1234 ssid="Gastrofix_2.4GHz" rates="GN Only - No B rates"
add country=norway datapath.local-forwarding=no datapath.vlan-id=20 datapath.vlan-mode=use-tag name="GuestPublicConfig24GHz" distance=indoors installation=indoor mode=ap ssid="Public" rates="GN Only - No B rates"
/caps-man interface
add channel=Ch01_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19 name=2.4GHz-AP_Bar
add channel=Ch06_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A name=2.4GHz-AP_Kontor
add channel=Ch11_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C name=2.4GHz-AP_Chambre
#channel 12 or 13: add channel=Ch12_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=xx master-interface=none name=2.4GHz-AP_Messanin radio-mac=xx radio-name=xx
add channel=Ch01_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19 name=2.4GHz-AP_Bar
add channel=Ch06_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A name=2.4GHz-AP_Kontor
add channel=Ch11_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C name=2.4GHz-AP_Chambre
#channel 12 or 13: add channel=Ch12_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=xx master-interface=none name=2.4GHz-AP_Messanin radio-mac=xx radio-name=xx
/interface list
add name=WAN
add name=LAN
add name=WinboxAccess
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
add name=guest_dhcp_pool ranges=192.168.88.20-192.168.88.250
/ip dhcp-server
add address-pool=gastrofix_dhcp_pool disabled=no interface=GastrofixWIFI_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
add address-pool=guest_dhcp_pool disabled=no interface=GuestWIFI_VLAN lease-time=2h59m name=guest_dhcp_server
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=eth3_MikrotikAPs
/caps-man provisioning
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=gn master-configuration="GastrofixConfig24G" name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac master-configuration="GastrofixConfig5G" name-format=prefix-identity name-prefix=5GHz-
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=gn master-configuration="GuestPublicConfig24GHz" name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac master-configuration="GuestPublicConfig5GHz" name-format=prefix-identity name-prefix=5GHz-
#/interface bridge port
#add bridge=AP_bridge interface=eth3_MikrotikAPs
/ip neighbor discovery-settings
#set discover-interface-list=all lldp-med-net-policy-vlan=1
set discover-interface-list=WinboxAccess
/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth3_MikrotikAPs list=LAN ##needed?
add interface=eth4_gastrofix_wired list=LAN
#add interface=AP_bridge list=LAN
add interface=eth2_kontor list=WinboxAccess
#add interface=GastrofixWIFI_VLAN list=WinboxAccess
/ip address
add address=x.x.x.x/24 network=x.x.x.0 interface=eth1_WAN #public IP hidden in forum
add address=192.168.1.1/24 network=192.168.1.0 interface=eth2_kontor
add address=192.168.7.1/24 network=192.168.7.0 interface=eth4_gastrofix_wired
add address=192.168.88.1/24 network=192.168.88.0 interface=GuestWIFI_VLAN
#add address=192.168.8.1/24 network=192.168.8.0 interface=ether5
/ip arp
add address=192.168.7.41 interface=GastrofixWIFI_VLAN mac-address=FE:67:3A:11:0F:D0
#add address=192.168.7.41 interface=eth4_gastrofix_wired mac-address=FE:67:3A:11:0F:D0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=192.168.7.247 client-id=1:78:8a:20:4b:4:a6 mac-address=78:8A:20:4B:04:A6 server=gastrofix_dhcp_server
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
#add address=192.168.8.0/24 comment="DHCP for Gastrofix AP" dns-server=193.75.75.75,192.168.8.1 gateway=192.168.8.1
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=193.75.75.75,193.75.75.193 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall address-list
add list=AdminAccess address=192.168.1.0/24
add list=bogons address=0.0.0.0/8
add list=bogons address=172.16.0.0/12
add list=bogons address=10.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=127.0.0.0/8
add list=bogons address=224.0.0.0/4
add list=bogons address=198.18.0.0/15
add list=bogons address=192.0.0.0/24
add list=bogons address=192.0.2.0/24
add list=bogons address=198.51.100.0/24
add list=bogons address=203.0.113.0/24
add list=bogons address=100.64.0.0/10
add list=bogons address=240.0.0.0/4
add list=bogons address=192.88.99.0/24
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
#add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN to DNS-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="acceot local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
#add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"
/ip firewall nat
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface=eth1_WAN to-addresses=x.x.x.x #public IP hidden in forum
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface=eth1_WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=bogons
/ip route
add distance=1 gateway=x.x.x.x #public IP hidden in forum
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.1.20/32,192.168.1.21/32
#set winbox address=192.168.1.20/32,192.168.1.21/32,192.168.88.5/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system ntp client
set enabled=yes primary-ntp=79.160.13.250 secondary-ntp=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=WinboxAccess
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
Current config which runs today (without wireless POS, vlan, etc):
Code:
# mar/07/2024 20:07:04 by RouterOS 6.49.13
# software id = TRSV-ISX2
#
# model = 2011UiAS
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=Ch11_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5180 name=Ch36_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5200 name=Ch40_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5220 name=Ch44_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5240 name=Ch48_20M_5G tx-power=20
/interface bridge
add fast-forward=no name=AP_bridge
add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment=TrustedBridge name=\
    WorkBridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/caps-man datapath
add bridge=AP_bridge bridge-horizon=1 client-to-client-forwarding=no \
    local-forwarding=no name="My Public"
/caps-man configuration
add country=norway datapath="My Public" distance=indoors frame-lifetime=\
    10ms installation=indoor mode=ap name="My Public 5GHz" ssid=\
    "My Restaurant"
add country=norway datapath="My Public" distance=indoors frame-lifetime=\
    10ms installation=indoor mode=ap name="My Public 2.4GHz" ssid=\
    "My Restaurant"
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=\
    9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/interface list
add name=WAN
add name=LAN
add name=WinboxAccess
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=gastrofix_dhcp ranges=192.168.7.120-192.168.7.254
add name=guest_dhcp ranges=192.168.88.10-192.168.88.250
add name=gastrofix_wifi_dhcp ranges=192.168.8.120-192.168.8.254
/ip dhcp-server
add address-pool=gastrofix_dhcp disabled=no interface=eth4_gastrofix \
    lease-time=23h59m59s name=gastrofix_dhcp
add address-pool=guest_dhcp disabled=no interface=AP_bridge lease-time=2h30m \
    name=guest_dhcp
add address-pool=gastrofix_wifi_dhcp disabled=no interface=ether5 lease-time=\
    23h59m59s name=gastrofix_wifi_dhcp
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" \
    disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" \
    disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=AP_bridge
/caps-man provisioning
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" \
    hw-supported-modes=gn master-configuration="My Public 2.4GHz" \
    name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" \
    hw-supported-modes=ac master-configuration="My Public 5GHz" \
    name-format=prefix-identity name-prefix=5GHz-
/interface bridge port
add bridge=AP_bridge interface=eth3_MikrotikAPs
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth4_gastrofix list=LAN
add interface=AP_bridge list=LAN
add interface=eth2_kontor list=WinboxAccess
add interface=eth4_gastrofix list=WinboxAccess
add interface=ether5 list=WinboxAccess
/ip address
add address=xxxx/24 interface=eth1_WAN network=xx.xxx
add address=192.168.1.1/24 interface=eth2_kontor network=192.168.1.0
add address=192.168.7.1/24 interface=eth4_gastrofix network=192.168.7.0
add address=192.168.88.1/24 interface=AP_bridge network=192.168.88.0
add address=192.168.8.1/24 interface=ether5 network=192.168.8.0
/ip arp
add address=192.168.7.41 interface=eth4_gastrofix mac-address=\
    FE:67:3A:11:0F:D0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=192.168.7.247 client-id=1:78:8a:20:4b:4:a6 mac-address=\
    78:8A:20:4B:04:A6 server=gastrofix_dhcp
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=\
    193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.8.0/24 comment="DHCP for Gastrofix AP" dns-server=\
    193.75.75.75,192.168.8.1 gateway=192.168.8.1
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=\
    193.75.75.75,193.75.75.193 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall address-list
add address=192.168.1.0/24 list=AdminAccess
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=accept chain=input comment="Admin Access to Router" \
    src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN to DNS-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
    dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    log=yes log-prefix="acceot local loopback CAPsMAN"
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local \
    src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
    "Allow all LAN (Office, Guest and POS) Traffic to Internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Port Fowarding if required" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"
/ip firewall nat
add action=src-nat chain=srcnat comment="Source_NAT for All Users" \
    ipsec-policy=out,none out-interface=eth1_WAN to-addresses=xxxxxx
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" \
    dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" \
    dst-port=53 protocol=udp
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none \
    out-interface=eth1_WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" \
    src-address-list=bogons
/ip route
add distance=1 gateway=xxxxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.1.20/32,192.168.1.21/32,192.168.88.5/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system ntp client
set enabled=yes primary-ntp=79.160.13.250 secondary-ntp=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=WinboxAccess
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
Statistics: Posted by okw — Fri Mar 08, 2024 3:38 pm
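As an added example (not code from the post or from MikroTik), here is a small Python checker that walks a RouterOS export the way the forward chain would treat a new connection from the guest VLAN interface, so the "guests reach only the internet" requirement can be checked offline before the script is loaded. It assumes guest client traffic enters the router on GuestWIFI_VLAN and evaluates only interface, interface-list and connection-state matchers; the sample export is constructed to mirror the new config's interface-list membership, where the parent port eth3_MikrotikAPs is in LAN but the VLAN interfaces on it are not.

```python
# Added checker, not from the forum post: read a RouterOS export and decide what
# the forward chain does with a NEW connection from one interface to another,
# using only the matchers the post's rules rely on (interface, interface-list,
# connection-state). Rules with other matchers (ipsec-policy, addresses, ports)
# are skipped and listed separately rather than guessed.
import shlex

# Constructed sample mirroring the structure of the new config in the post:
# the parent port eth3_MikrotikAPs is in the LAN list, the VLANs on it are not.
SAMPLE_EXPORT = """\
/interface vlan
add vlan-id=20 interface=eth3_MikrotikAPs name=GuestWIFI_VLAN
add vlan-id=30 interface=eth3_MikrotikAPs name=GastrofixWIFI_VLAN
/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth3_MikrotikAPs list=LAN
/ip firewall filter
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="LAN to Internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="DROP ALL Else"
"""
# Same constructed sample with the guest VLAN interface itself made a LAN member.
FIXED_EXPORT = SAMPLE_EXPORT.replace(
    "add interface=eth3_MikrotikAPs list=LAN\n",
    "add interface=eth3_MikrotikAPs list=LAN\nadd interface=GuestWIFI_VLAN list=LAN\n")

# Matchers this checker evaluates; a rule with any other key is not judged.
KNOWN = {"action", "chain", "comment", "in-interface", "out-interface",
         "in-interface-list", "out-interface-list", "connection-state"}

def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} for every 'add' line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            # shlex keeps quoted values such as comment="LAN to Internet" together
            sections[current].append(
                dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok))
    return sections

def list_members(sections):
    """Interface-list name -> set of interfaces explicitly added to it.
    Membership does not cascade: a VLAN on a listed port is not itself listed."""
    members = {}
    for m in sections.get("/interface list member", []):
        members.setdefault(m["list"], set()).add(m["interface"])
    return members

def _in_list(iface, spec, members):
    negated = spec.startswith("!")          # RouterOS allows e.g. out-interface-list=!WAN
    return (iface in members.get(spec.lstrip("!"), set())) != negated

def forward_verdict(sections, in_if, out_if, members):
    """(action, comment) of the first judged forward rule matching a NEW flow
    in_if -> out_if; RouterOS accepts when no rule in the chain matches."""
    for r in sections.get("/ip firewall filter", []):
        if r.get("chain") != "forward" or not KNOWN.issuperset(r):
            continue
        if "new" not in r.get("connection-state", "new").split(","):
            continue                        # established/related/invalid never see a new flow
        if r.get("in-interface", in_if) != in_if or r.get("out-interface", out_if) != out_if:
            continue
        if "in-interface-list" in r and not _in_list(in_if, r["in-interface-list"], members):
            continue
        if "out-interface-list" in r and not _in_list(out_if, r["out-interface-list"], members):
            continue
        return r["action"], r.get("comment", "")
    return "accept", "end of chain (RouterOS default)"

def unjudged_rules(sections):
    """Comments of forward rules skipped because they use matchers outside KNOWN."""
    return [r.get("comment", "(no comment)") for r in sections.get("/ip firewall filter", [])
            if r.get("chain") == "forward" and not KNOWN.issuperset(r)]

def guest_report(text, guest_if, targets):
    """{target interface: verdict} for new flows from guest_if to each target."""
    sections = parse_export(text)
    members = list_members(sections)
    return {t: forward_verdict(sections, guest_if, t, members)[0] for t in targets}

if __name__ == "__main__":
    targets = ["eth1_WAN", "eth2_kontor", "GastrofixWIFI_VLAN"]
    for label, cfg in (("as posted", SAMPLE_EXPORT), ("guest VLAN in LAN list", FIXED_EXPORT)):
        print(label, guest_report(cfg, "GuestWIFI_VLAN", targets))
    print("not judged:", unjudged_rules(parse_export(SAMPLE_EXPORT)))
```

With only the parent port in the LAN list, every guest flow, including the one toward eth1_WAN, falls through to the final drop; with GuestWIFI_VLAN itself listed, only the path to WAN opens while flows toward eth2_kontor and GastrofixWIFI_VLAN still hit the drop.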