I'm new to networking/routing, and even if I am an IT guy, is not my competence!
I'm seeking tuning/better configuration tips/settings, as for sure there will be some beginner mistakes.
Thanks in advance for any corrections/better configurations!
My network diagram is kind of/like this (apologies for the incorrect diagram icons!) https://drive.google.com/file/d/15KrwVi ... drive_link
this is the configuration of GW00-TBUK
Code: Select all
# 2024-02-05 20:18:46 by RouterOS 7.13.3
# software id = JFZQ-1JBT
#
# model = RB960PGS
# serial number = HFA098RB8ZH
/interface bridge
add admin-mac=78:9A:18:A4:7D:F4 auto-mac=no name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=IT_wireguard
/interface vlan
add interface=ether2 name=gst_vlan200 vlan-id=200
add interface=ether2 name=iot_vlan30 vlan-id=30
add interface=ether2 name=mmx_vlan20 vlan-id=20
add interface=ether2 name=net_vlan10 vlan-id=10
add interface=ether2 name=vit_vlan40 vlan-id=40
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=XXXXXXXXX
/interface list
add name=WAN
add name=LAN
add name=IT_LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=mgm_pool ranges=192.168.88.10-192.168.88.254
add name=vit_pool ranges=192.168.40.20-192.168.40.254
add name=gst_pool ranges=192.168.200.20-192.168.200.254
add name=net_pool ranges=192.168.10.20-192.168.10.254
add name=mmx_pool ranges=192.168.20.20-192.168.20.254
add name=iot_pool ranges=192.168.30.20-192.168.30.254
/ip dhcp-server
add address-pool=mgm_pool interface=bridge lease-time=1w1d name=main_dhcp
add address-pool=gst_pool interface=gst_vlan200 lease-time=5m name=gst_dhcp
add address-pool=net_pool interface=net_vlan10 lease-time=1d name=net_dhcp
add address-pool=mmx_pool interface=mmx_vlan20 lease-time=1d name=mmx_dhcp
add address-pool=iot_pool interface=iot_vlan30 lease-time=2d name=iot_dhcp
add address-pool=vit_pool interface=vit_vlan40 name=vit_dhcp
/ip vrf
add interfaces=IT_LAN name=it_vrf
/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=net_vlan10 list=LAN
add interface=mmx_vlan20 list=LAN
add interface=gst_vlan200 list=LAN
add interface=iot_vlan30 list=LAN
add interface=vit_vlan40 list=IT_LAN
add interface=IT_wireguard list=IT_LAN
add interface=UK_wireguard list=UK_LAN
add interface=vuk_vlan41 list=UK_LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=149.102.237.129 endpoint-port=51820 interface=\
IT_wireguard persistent-keepalive=25m private-key="XXXXXX" public-key="XXXXXX"
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.200.1/24 interface=gst_vlan200 network=192.168.200.0
add address=192.168.10.1/24 interface=net_vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=mmx_vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=iot_vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=vit_vlan40 network=192.168.40.0
add address=10.2.0.2 interface=IT_wireguard network=10.2.0.0
add address=10.2.0.3 disabled=yes interface=UK_wireguard network=10.2.0.0
add address=192.168.41.1/24 disabled=yes interface=vuk_vlan41 network=192.168.41.0
/ip dhcp-server lease
add address=192.168.20.20 client-id=1:4:b9:e3:f5:f8:ca comment="MMX Tv" mac-address=XXXXXXX server=mmx_dhcp
add address=192.168.30.128 mac-address=XXXXXXX server=iot_dhcp
add address=192.168.10.88 mac-address=XXXXXXX server=net_dhcp
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=10.2.0.1,192.168.40.1 gateway=192.168.40.1
add address=192.168.41.0/24 dns-server=10.2.0.1,192.168.41.1 gateway=192.168.41.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=gateway.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=IT_wireguard src-address=192.168.40.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=IT_wireguard@it_vrf routing-table=it_vrf \
suppress-hw-offload=no
add disabled=no distance=1 dst-address=XXXXXX/32 gateway=pppoe-out1 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=\
udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=\
546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" \
ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name=GW00-TBUK
/system note
set show-at-login=no
/tool graphing interface
add interface=mmx_vlan20
add interface=net_vlan10
add interface=iot_vlan30
add interface=gst_vlan200
add interface=vit_vlan40
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether2 streaming-enabled=yes streaming-server=192.168.10.80
this is the configuration of AP00-TBUK
Code: Select all
# 2024-02-05 20:26:06 by RouterOS 7.13.3
# software id = UYDE-VHID
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HF8090WQCPE
/interface bridge
add admin-mac=78:9A:18:94:B4:2A auto-mac=no disabled=yes name=lan_bridge \
port-cost-mode=short
add frame-types=admit-only-untagged-and-priority-tagged name=wan_bridge \
protocol-mode=mstp vlan-filtering=yes
/interface vlan
add disabled=yes interface=ether1 name=vlan40 vlan-id=40
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=net_2ax skip-dfs-channels=10min-cac width=\
20/40mhz
add band=5ghz-ax disabled=no name=net_5ax skip-dfs-channels=10min-cac width=\
20/40/80mhz
add band=2ghz-ax disabled=no name=iot_2ax skip-dfs-channels=10min-cac width=\
20/40mhz
add band=5ghz-ax disabled=no name=iot_5ax skip-dfs-channels=10min-cac width=\
20/40/80mhz
add band=2ghz-ax disabled=no name=vit_2ax
add band=5ghz-ax disabled=no name=vit_5ax
add band=2ghz-ax disabled=no name=mmx_2ax skip-dfs-channels=10min-cac width=\
20/40mhz
add band=5ghz-ax disabled=no name=mmx_5ax skip-dfs-channels=10min-cac width=\
20/40/80mhz
add band=5ghz-ax disabled=no name=gst_5ax skip-dfs-channels=10min-cac width=\
20/40/80mhz
add band=2ghz-ax disabled=no name=gst_2ax skip-dfs-channels=10min-cac width=\
20/40mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=\
net_sec
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=\
mmx_sec
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=\
gst_sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=vit_sec
add authentication-types=wpa-psk,wpa2-psk connect-priority=0 disabled=no name=\
iot_sec
/interface wifi configuration
add channel=net_5ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
name=net_5g_conf security=net_sec security.connect-priority=0 ssid=XS4TBNET
add channel=gst_2ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
name=gst_2g_conf security=gst_sec security.connect-priority=0 ssid=XS4TBGST
add channel=mmx_5ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap \
name=mmx_5g_conf security=mmx_sec security.connect-priority=0 ssid=XS4TBMMX
add channel=net_2ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
name=net_2g_conf security=net_sec security.connect-priority=0 ssid=XS4TBNET
add channel=mmx_2ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap \
name=mmx_2g_conf security=mmx_sec security.connect-priority=0 ssid=XS4TBMMX
add channel=gst_5ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
name=gst_5g_conf security=gst_sec security.connect-priority=0 ssid=XS4TBGST
add channel=iot_5ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap \
name=iot_5g_conf security=iot_sec security.connect-priority=0 ssid=XS4TBIOT
add channel=iot_2ax country="United Kingdom" disabled=no hide-ssid=yes mode=ap \
name=iot_2g_conf security=iot_sec security.connect-priority=0 ssid=XS4TBIOT
add channel=vit_5ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
name=vit_5g_conf security=vit_sec security.connect-priority=0 ssid=XS4TBVIT
add channel=vit_2ax country="United Kingdom" disabled=no hide-ssid=no mode=ap \
name=vit_2g_conf security=vit_sec security.connect-priority=0 ssid=XS4TBVIT
/interface wifi
set [ find default-name=wifi2 ] configuration=net_2g_conf configuration.mode=ap \
disabled=no name=net_wifi_2G
set [ find default-name=wifi1 ] configuration=net_5g_conf \
configuration.hide-ssid=yes .mode=ap disabled=no name=net_wifi_5G \
security.connect-priority=0
add channel=vit_2ax configuration=vit_2g_conf configuration.mode=ap disabled=no \
mac-address=7A:9A:18:94:B4:2E master-interface=net_wifi_2G name=vit_wifi_2g \
security.connect-priority=0
add channel=gst_5ax configuration=gst_5g_conf configuration.mode=ap disabled=no \
mac-address=7A:9A:18:94:B4:31 master-interface=net_wifi_5G name=gst_wifi_5G \
security.connect-priority=0
add channel=iot_2ax configuration=iot_2g_conf configuration.mode=ap disabled=no \
mac-address=7A:9A:18:94:B4:2F master-interface=net_wifi_2G name=iot_wifi_2g \
security.connect-priority=0
add channel=iot_5ax configuration=iot_5g_conf configuration.mode=ap \
mac-address=7A:9A:18:94:B4:2F master-interface=net_wifi_5G name=iot_wifi_5g \
security.connect-priority=0
add channel=mmx_5ax configuration=mmx_5g_conf configuration.mode=ap disabled=no \
mac-address=7A:9A:18:94:B4:32 master-interface=net_wifi_5G name=mmx_wifi_5g
/ip pool
add name=pool ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=pool disabled=yes interface=lan_bridge name=dhcp
/interface bridge port
add bridge=wan_bridge interface=net_wifi_5G internal-path-cost=10 path-cost=10 \
pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=ether1 internal-path-cost=20 path-cost=20
add bridge=wan_bridge interface=ether3 pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=ether2 pvid=20 tag-stacking=yes
add bridge=wan_bridge interface=ether4 pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=ether5 pvid=40 tag-stacking=yes
add bridge=wan_bridge interface=gst_wifi_5G pvid=200 tag-stacking=yes
add bridge=wan_bridge interface=mmx_wifi_5g pvid=20 tag-stacking=yes
add bridge=wan_bridge interface=iot_wifi_5g pvid=30 tag-stacking=yes
add bridge=wan_bridge interface=vit_wifi_2g pvid=40 tag-stacking=yes
add bridge=wan_bridge interface=net_wifi_2G internal-path-cost=10 path-cost=10 \
pvid=10 tag-stacking=yes
add bridge=wan_bridge interface=iot_wifi_2g pvid=30 tag-stacking=yes
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=wan_bridge tagged=ether1 untagged=\
net_wifi_2G,net_wifi_5G,wan_bridge,ether4,ether3 vlan-ids=10
add bridge=wan_bridge tagged=ether1 untagged=mmx_wifi_5g,ether2 vlan-ids=20
add bridge=wan_bridge tagged=ether1 untagged=gst_wifi_5G vlan-ids=200
add bridge=wan_bridge tagged=ether1 untagged=iot_wifi_2g,iot_wifi_5g vlan-ids=\
30
add bridge=wan_bridge tagged=ether1 untagged=vit_wifi_2g,ether5 vlan-ids=40
/interface detect-internet
set detect-interface-list=all
/interface list member
add disabled=yes interface=lan_bridge list=LAN
add interface=wan_bridge list=WAN
/ip address
add address=192.168.1.1/24 disabled=yes interface=lan_bridge network=\
192.168.1.0
/ip dhcp-client
add interface=wan_bridge
add disabled=yes interface=vlan40
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new disabled=yes \
in-interface-list=WAN
add action=drop chain=forward disabled=yes in-interface=lan_bridge \
out-interface=*19
add action=drop chain=forward disabled=yes in-interface=*19 out-interface=\
lan_bridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system identity
set name=AP00-TBUK
/system note
set show-at-login=no
/tool graphing interface
add interface=*17
add interface=gst_wifi_5G
add interface=*19
add interface=*34
/tool sniffer
set filter-interface=ether3