# 2024-02-09 19:49:48 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number =
# Layer-2 layout of this export: three independent bridges (home LAN + both
# radios, a second wired LAN, and a bridge carrying the VLAN interfaces).
# NOTE(review): none of the three sets vlan-filtering=yes (exports list only
# non-default values), so the "/interface bridge vlan" table defined later in
# this export is not enforced; each bridge forwards as a plain switch.
/interface bridge
add comment=mikrotik_lan_bridge_wifi_1_2 name=bridge1_LAN_eth_2_3_wifi_1_2 \
port-cost-mode=short
add comment=mikrotik_lan_bridge_ports_3_4 name=bridge2_LAN_eth_4 \
port-cost-mode=short
add name=bridge3_VLAN
# Rename the physical ports by role. ether1 becomes the WAN uplink; the DHCP
# client, the masquerade rule and the WAN forward-drop rule all match on the
# name ether1_WAN, so renaming it later means updating those rules as well.
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
# Layer-3 VLAN interfaces on bridge3_VLAN; each one later receives an IP
# address and a DHCP server. They only see frames tagged with their vlan-id.
# vlan-id=1 is also the default PVID of bridge ports, which is presumably why
# the interface is named "default_test".
/interface vlan
add interface=bridge3_VLAN name=vlan1_default_test vlan-id=1
add interface=bridge3_VLAN name=vlan_3 vlan-id=3
add interface=bridge3_VLAN name=vlan_4 vlan-id=4
add interface=bridge3_VLAN name=vlan_5 vlan-id=5
# Channel profiles referenced by the two radios below.
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
# Two physical radios in AP mode plus one virtual AP (wifi3_guest) that rides
# on the 2.4 GHz radio via master-interface.
# NOTE(review): all three SSIDs accept wpa-psk together with wpa2-psk. WPA (v1)
# is a legacy mode; if every client supports it, wpa2-psk,wpa3-psk is the
# stronger choice.
# No passphrase appears in this export; presumably it was omitted because
# RouterOS 7 hides sensitive values unless the export asks for them.
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
.skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 disabled=\
no name=wifi2_2ghz security.authentication-types=wpa-psk,wpa2-psk
# Guest virtual AP. The mac-address value is blank in this paste (presumably
# removed by the poster), so the line cannot be imported as shown.
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
master-interface=wifi2_2ghz name=wifi3_guest \
security.authentication-types=wpa-psk,wpa2-psk
# One address pool per segment; every pool hands out .10-.200 of its /24,
# leaving .1-.9 and .201-.254 free for static assignments.
/ip pool
add name=dhcp_pool0 ranges=172.22.22.10-172.22.22.200
add name=dhcp_pool1 ranges=172.22.0.10-172.22.0.200
add name=dhcp_pool2 ranges=172.22.1.10-172.22.1.200
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_1_default ranges=172.22.11.10-172.22.11.200
# One DHCP server per segment, each bound to the interface that owns the
# matching subnet. dhcp2 serves the guest virtual AP directly, i.e. the guest
# network is a routed interface here, not a bridge member.
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1_LAN_eth_2_3_wifi_1_2 \
lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=wifi3_guest lease-time=1d name=dhcp2
add address-pool=dhcp_pool2 interface=bridge2_LAN_eth_4 lease-time=1d name=\
dhcp3
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_1_default interface=vlan1_default_test \
lease-time=1d name=dhcp_VLAN_1
# Port membership: ether2, ether3 and both radios share bridge1 (one broadcast
# domain), ether4 is alone on bridge2, ether5 is the only active port of
# bridge3_VLAN. wifi3_guest is not a bridge port in this export.
/interface bridge port
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether2_LAN \
internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether3_LAN \
internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi1_5ghz \
internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi2_2ghz \
internal-path-cost=10 path-cost=10
add bridge=bridge2_LAN_eth_4 interface=ether4_LAN internal-path-cost=10 \
path-cost=10
# The VLAN interfaces were added as ports of their own parent bridge and then
# disabled; the disabled entries are leftovers of an earlier attempt.
add bridge=bridge3_VLAN disabled=yes interface=vlan_3
add bridge=bridge3_VLAN interface=ether5_LAN
add bridge=bridge3_VLAN disabled=yes interface=vlan_4
add bridge=bridge3_VLAN disabled=yes interface=vlan_5
add bridge=bridge3_VLAN disabled=yes interface=vlan1_default_test
# NOTE(review): these entries list no tagged= or untagged= members, and
# bridge3_VLAN does not enable vlan-filtering in this export, so the table
# provides no VLAN separation as written.
/interface bridge vlan
add bridge=bridge3_VLAN vlan-ids=3
add bridge=bridge3_VLAN vlan-ids=4
add bridge=bridge3_VLAN vlan-ids=5
# Router addresses, one per segment; these are the gateways the DHCP networks
# below advertise.
/ip address
add address=172.22.22.1/24 interface=bridge1_LAN_eth_2_3_wifi_1_2 network=\
172.22.22.0
add address=172.22.0.1/24 interface=wifi3_guest network=172.22.0.0
add address=172.22.1.1/24 interface=bridge2_LAN_eth_4 network=172.22.1.0
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
# NOTE(review): the next three entries assign the network address (.0) instead
# of a host address, while the matching "/ip dhcp-server network" entries hand
# out .1 as gateway. Clients on these segments receive a gateway the router
# does not own.
add address=172.22.4.0/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.0/24 interface=vlan_5 network=172.22.5.0
add address=172.22.11.0/24 interface=vlan1_default_test network=172.22.11.0
# WAN address is obtained by DHCP from the upstream network.
/ip dhcp-client
add interface=ether1_WAN
# Rogue-DHCP detection on both LAN bridges and the guest AP: the router probes
# each interface and runs on-alert when a server outside valid-server answers.
# NOTE(review): every valid-server value is blank in this paste (presumably
# removed by the poster), which leaves each entry ending in a dangling "\".
# NOTE(review): the on-alert scripts read ": log error= ..." / ":log error=...";
# the usual form is :log error "message", so these probably fail to log.
# Verify by triggering an alert. The VLAN interfaces have no alert entry.
/ip dhcp-server alert
add disabled=no interface=bridge1_LAN_eth_2_3_wifi_1_2 on-alert=\
": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
add disabled=no interface=bridge2_LAN_eth_4 on-alert=\
":log error= \" not valid DHCP server bridge_2\"" valid-server=\
add disabled=no interface=wifi3_guest on-alert=\
":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
/ip dhcp-server network
# Options handed to DHCP clients per subnet; only the gateway is set. Each
# gateway must match an address configured under "/ip address" on the same
# segment, which is not the case for 172.22.4.1, 172.22.5.1 and 172.22.11.1
# in this export (the router holds .0 there).
add address=172.22.0.0/24 gateway=172.22.0.1
add address=172.22.1.0/24 gateway=172.22.1.1
add address=172.22.3.0/24 gateway=172.22.3.1
add address=172.22.4.0/24 gateway=172.22.4.1
add address=172.22.5.0/24 gateway=172.22.5.1
add address=172.22.11.0/24 gateway=172.22.11.1
add address=172.22.22.0/24 comment=LAN_HOME gateway=172.22.22.1
# Source subnets whose DNS queries are redirected by the dst-nat rule below.
# The VLAN 4, VLAN 5 and 172.22.11.0/24 subnets are not listed.
/ip firewall address-list
add address=172.22.0.0/24 list=block_porn
add address=172.22.1.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.22.0/24 list=block_porn
# NOTE(review): the input chain holds only two drops and the scan detector.
# There is no accept for established/related and no final drop, so new
# connections from ether1_WAN to the router itself are not filtered here;
# management exposure is limited only by the address= lists under /ip service.
# NOTE(review): the forward chain has no rule separating the guest subnet
# (172.22.0.0/24) from the other LAN subnets, so the router routes between
# them freely.
/ip firewall filter
# The comment says "if not 172.22.22.0/24", but the matcher is the guest
# subnet only: ICMP from 172.22.0.0/24 to the router is dropped.
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
protocol=icmp src-address=172.22.0.0/24
# Drop everything addressed to the router from sources the detector listed.
add action=drop chain=input comment="block port scanners" src-address-list=\
port_scanners
# Established/related forward traffic: fasttrack first, then a plain accept
# for packets that are not fasttracked.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
# psd fields: weight threshold 21, delay threshold 3s, low-port weight 3,
# high-port weight 1. Matching sources are listed for one day.
# The rule has no in-interface matcher, so LAN hosts can be listed as well,
# and because it scores unauthenticated TCP packets a forged source address
# can end up on the list. Keep the list confined to chain=input.
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1d chain=input comment="port scanner detector" \
protocol=tcp psd=21,3s,3,1
# Drop forward packets that conntrack marks invalid (connection-nat-state is
# exported as an empty matcher).
add action=drop chain=forward connection-nat-state="" connection-state=\
invalid
# Drop new connections arriving on the WAN port unless a dst-nat rule
# translated them (i.e. only port-forwards may enter).
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether1_WAN
/ip firewall nat
# Source NAT for everything leaving through the WAN port.
add action=masquerade chain=srcnat out-interface=ether1_WAN
# Redirect UDP/53 from the listed subnets to 208.67.222.123 (an OpenDNS
# FamilyShield resolver). The comment mentions guest wifi, but block_porn
# covers other subnets too. Only UDP is matched: DNS over TCP/53 and encrypted
# DNS (DoT/DoH) are not redirected, so this is a best-effort filter.
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
to-ports=53
# Management plane: clear-text and API services are off; only SSH and Winbox
# remain, each limited by source subnet.
# NOTE(review): address= is enforced by the service itself after the TCP
# connection is accepted. Since the input chain has no WAN drop rule, consider
# adding one so the restriction does not depend on this list alone.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# Non-standard port reduces log noise but is not an access control; the
# address= restriction is what limits SSH to the home LAN.
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
# Winbox is reachable from bridge2 (172.22.1.0/24), the home LAN and VLAN 3.
set winbox address=172.22.1.0/24,172.22.22.0/24,172.22.3.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/interface vlan
add interface=bridge name=vlan_2 vlan-id=2
add interface=bridge name=vlan_3 vlan-id=3
add interface=bridge name=vlan_4 vlan-id=4
add interface=bridge name=vlan_5 vlan-id=5
add address-pool=dhcp_pool_VLAN_1_default interface=vlan1_default_test \
lease-time=1d name=dhcp_VLAN_1
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 \
lease-time=1d name=dhcp_VLAN_2
add name=dhcp_pool_VLAN_2 ranges=172.22.11.10-172.22.11.200
/interface bridge port
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether2_LAN \
internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether3_LAN \
internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi1_5ghz \
internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi2_2ghz \
internal-path-cost=10 path-cost=10
add bridge=bridge2_LAN_eth_4 interface=ether4_LAN internal-path-cost=10 \
path-cost=10
add bridge=bridge3_VLAN disabled=yes interface=vlan_3
add bridge=bridge3_VLAN interface=ether5_LAN
add bridge=bridge3_VLAN disabled=yes interface=vlan_4
add bridge=bridge3_VLAN disabled=yes interface=vlan_5
add bridge=bridge3_VLAN disabled=yes interface=vlan1_default_test
/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi2 internal-path-cost=10 path-cost=10
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# s
/interface bridge
add comment=mikrotik_lan_bridge_wifi_1_2 name=bridge1_LAN_eth_2_3_wifi_1_2 \
port-cost-mode=short
add comment=mikrotik_lan_bridge_ports_3_4 name=bridge2_LAN_eth_4 \
port-cost-mode=short
add name=bridge3_VLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=bridge3_VLAN name=vlan_2 vlan-id=2
add interface=bridge3_VLAN name=vlan_3 vlan-id=3
add interface=bridge3_VLAN name=vlan_4 vlan-id=4
add interface=bridge3_VLAN name=vlan_5 vlan-id=5
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
.skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 disabled=\
no name=wifi2_2ghz security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
master-interface=wifi2_2ghz name=wifi3_guest \
security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool0 ranges=172.22.22.10-172.22.22.200
add name=dhcp_pool1 ranges=172.22.0.10-172.22.0.200
add name=dhcp_pool2 ranges=172.22.1.10-172.22.1.200
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.11.10-172.22.11.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1_LAN_eth_2_3_wifi_1_2 \
lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=wifi3_guest lease-time=1d name=dhcp2
add address-pool=dhcp_pool2 interface=bridge2_LAN_eth_4 lease-time=1d name=\
dhcp3
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
dhcp_VLAN_2
/interface bridge port
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether2_LAN \
internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether3_LAN \
internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi1_5ghz \
internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi2_2ghz \
internal-path-cost=10 path-cost=10
add bridge=bridge2_LAN_eth_4 interface=ether4_LAN internal-path-cost=10 \
path-cost=10
add bridge=bridge3_VLAN interface=ether5_LAN
/interface bridge vlan
add bridge=bridge3_VLAN vlan-ids=3
add bridge=bridge3_VLAN vlan-ids=4
add bridge=bridge3_VLAN vlan-ids=5
add bridge=bridge3_VLAN vlan-ids=2
# Router addresses per segment; these must match the gateways advertised
# under "/ip dhcp-server network".
/ip address
add address=172.22.22.1/24 interface=bridge1_LAN_eth_2_3_wifi_1_2 network=\
172.22.22.0
add address=172.22.0.1/24 interface=wifi3_guest network=172.22.0.0
add address=172.22.1.1/24 interface=bridge2_LAN_eth_4 network=172.22.1.0
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
# NOTE(review): the next three entries still use the network address (.0) as
# the router address, while the DHCP networks advertise .1 as gateway.
add address=172.22.4.0/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.0/24 interface=vlan_5 network=172.22.5.0
add address=172.22.11.0/24 interface=vlan_2 network=172.22.11.0
# WAN address is obtained by DHCP from the upstream network.
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=bridge1_LAN_eth_2_3_wifi_1_2 on-alert=\
": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
add disabled=no interface=bridge2_LAN_eth_4 on-alert=\
":log error= \" not valid DHCP server bridge_2\"" valid-server=\
add disabled=no interface=wifi3_guest on-alert=\
":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
/ip dhcp-server network
add address=172.22.0.0/24 gateway=172.22.0.1
add address=172.22.1.0/24 gateway=172.22.1.1
add address=172.22.3.0/24 gateway=172.22.3.1
add address=172.22.4.0/24 gateway=172.22.4.1
add address=172.22.5.0/24 gateway=172.22.5.1
add address=172.22.11.0/24 gateway=172.22.11.1
add address=172.22.22.0/24 comment=LAN_HOME gateway=172.22.22.1
# Source subnets whose DNS queries are redirected by the dst-nat rule below.
# The VLAN 2, VLAN 4 and VLAN 5 subnets are not listed.
/ip firewall address-list
add address=172.22.0.0/24 list=block_porn
add address=172.22.1.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.22.0/24 list=block_porn
# NOTE(review): the input chain has no accept for established/related and no
# final drop; new connections from ether1_WAN to the router are not filtered
# here. The forward chain also has no rule separating the guest subnet from
# the other LAN subnets.
/ip firewall filter
# Matches the guest subnet only, despite what the comment says.
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
protocol=icmp src-address=172.22.0.0/24
# Drop traffic to the router from sources listed by the detector below.
add action=drop chain=input comment="block port scanners" src-address-list=\
port_scanners
# Established/related forward traffic: fasttrack, then plain accept.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
# psd fields: weight threshold 21, delay threshold 3s, low-port weight 3,
# high-port weight 1; listed for one day. No in-interface matcher, so LAN
# hosts can be listed too.
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1d chain=input comment="port scanner detector" \
protocol=tcp psd=21,3s,3,1
# Drop forward packets in conntrack state invalid.
add action=drop chain=forward connection-nat-state="" connection-state=\
invalid
# Drop new WAN-originated connections that were not dst-nat'ed.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether1_WAN
/ip firewall nat
# Source NAT for everything leaving through the WAN port.
add action=masquerade chain=srcnat out-interface=ether1_WAN
# UDP/53 from the listed subnets is redirected to 208.67.222.123. DNS over
# TCP/53 and encrypted DNS are not covered by this rule.
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
to-ports=53
# Management plane: only SSH (port 2222, home LAN only) and Winbox (three LAN
# subnets) stay enabled. The address= lists are the only restriction on
# WAN-side access because the input chain has no WAN drop rule.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
set winbox address=172.22.1.0/24,172.22.22.0/24,172.22.3.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
# 2024-02-10 09:16:58 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number =
# Migration step: the three old bridges are kept but disabled, and a single
# main_bridge replaces them.
# NOTE(review): vlan-filtering=yes is set only on the disabled bridge3_VLAN.
# main_bridge does not set it, so the bridge VLAN table defined for
# main_bridge in this export is not enforced.
/interface bridge
add comment=mikrotik_lan_bridge_wifi_1_2 disabled=yes name=\
bridge1_LAN_eth_2_3_wifi_1_2 port-cost-mode=short
add comment=mikrotik_lan_bridge_ports_3_4 disabled=yes name=bridge2_LAN_eth_4 \
port-cost-mode=short
add disabled=yes name=bridge3_VLAN vlan-filtering=yes
add name=main_bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
.skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 disabled=\
no name=wifi2_2ghz security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
master-interface=wifi2_2ghz name=wifi3_guest \
security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool0 ranges=172.22.22.10-172.22.22.200
add name=dhcp_pool1 ranges=172.22.0.10-172.22.0.200
add name=dhcp_pool2 ranges=172.22.1.10-172.22.1.200
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.11.10-172.22.11.200
add name=dhcp_pool9 ranges=172.22.9.10-172.22.9.200
add name=dhcp_pool10 ranges=10.2.2.10-10.2.2.200
add name=dhcp_pool11 ranges=171.22.2.10-171.22.2.200
add name=dhcp_pool12 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool13 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool14 ranges=172.22.5.10-172.22.5.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=yes interface=\
bridge1_LAN_eth_2_3_wifi_1_2 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=wifi3_guest lease-time=1d name=\
dhcp_wifi_guest
add address-pool=dhcp_pool2 disabled=yes interface=bridge2_LAN_eth_4 \
lease-time=1d name=dhcp3
add address-pool=dhcp_pool9 disabled=yes interface=bridge3_VLAN lease-time=1d \
name=dhcp4
add address-pool=dhcp_pool10 disabled=yes interface=ether5_LAN lease-time=1d \
name=dhcp5
add address-pool=dhcp_pool11 interface=vlan_2 lease-time=1d name=dhcp_VLAN_2
add address-pool=dhcp_pool12 interface=vlan_3 lease-time=1d name=dhcp_VLAN_3
add address-pool=dhcp_pool13 interface=vlan_4 lease-time=1d name=dhcp_VLAN_4
add address-pool=dhcp_pool14 interface=vlan_5 lease-time=1d name=dhcp_VLAN_5
# All four LAN ports and both radios are now ports of main_bridge. With VLAN
# filtering off on main_bridge they form a single broadcast domain.
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=ether5_LAN
# The guest AP's bridge membership is disabled, so it stays a routed
# interface with its own address and DHCP server.
add bridge=main_bridge disabled=yes interface=wifi3_guest
# ether5_LAN is declared as a tagged trunk for VLANs 2-5, with the bridge
# itself tagged so the vlan_N interfaces can receive the traffic.
# NOTE(review): these entries take effect only once main_bridge has
# vlan-filtering=yes.
/interface bridge vlan
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=3
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=4
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=5
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=2
# Router addresses. Entries bound to the retired bridges (and two test
# subnets) are disabled; VLAN 4 and 5 now correctly use .1.
/ip address
add address=172.22.22.1/24 disabled=yes interface=\
bridge1_LAN_eth_2_3_wifi_1_2 network=172.22.22.0
add address=172.22.0.1/24 interface=wifi3_guest network=172.22.0.0
add address=172.22.1.1/24 disabled=yes interface=bridge2_LAN_eth_4 network=\
172.22.1.0
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=172.22.9.1/24 disabled=yes interface=bridge3_VLAN network=\
172.22.9.0
add address=10.2.2.1/24 disabled=yes interface=ether5_LAN network=10.2.2.0
# NOTE(review): 171.22.2.0/24 is not private (RFC 1918) address space; this
# looks like a typo for 172.22.2.0/24. Using public space internally makes the
# real hosts in that range unreachable from this network.
add address=171.22.2.1/24 interface=vlan_2 network=171.22.2.0
# WAN address is obtained by DHCP from the upstream network.
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=bridge1_LAN_eth_2_3_wifi_1_2 on-alert=\
": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
add disabled=no interface=bridge2_LAN_eth_4 on-alert=\
":log error= \" not valid DHCP server bridge_2\"" valid-server=\
add disabled=no interface=wifi3_guest on-alert=\
":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
/ip dhcp-server network
add address=10.2.2.0/24 gateway=10.2.2.1
add address=10.22.22.0/24 gateway=10.22.22.1
add address=171.22.2.0/24 gateway=171.22.2.1
add address=172.22.0.0/24 gateway=172.22.0.1
add address=172.22.1.0/24 gateway=172.22.1.1
add address=172.22.3.0/24 gateway=172.22.3.1
add address=172.22.4.0/24 gateway=172.22.4.1
add address=172.22.5.0/24 gateway=172.22.5.1
add address=172.22.9.0/24 gateway=172.22.9.1
add address=172.22.11.0/24 gateway=172.22.11.1
add address=172.22.22.0/24 comment=LAN_HOME gateway=172.22.22.1
# Source subnets whose DNS queries are redirected by the dst-nat rule below.
# 172.22.1.0/24 and 172.22.22.0/24 belong to interfaces that are disabled in
# this export; the VLAN 2, 4 and 5 subnets are not listed.
/ip firewall address-list
add address=172.22.0.0/24 list=block_porn
add address=172.22.1.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.22.0/24 list=block_porn
# NOTE(review): the input chain has no accept for established/related and no
# final drop; new connections from ether1_WAN to the router are not filtered
# here. The forward chain has no rule separating the guest subnet
# (172.22.0.0/24) from the VLAN subnets.
/ip firewall filter
# Matches the guest subnet only, despite what the comment says.
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
protocol=icmp src-address=172.22.0.0/24
# Drop traffic to the router from sources listed by the detector below.
add action=drop chain=input comment="block port scanners" src-address-list=\
port_scanners
# Established/related forward traffic: fasttrack, then plain accept.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
# psd fields: weight threshold 21, delay threshold 3s, low-port weight 3,
# high-port weight 1; listed for one day. No in-interface matcher, so LAN
# hosts can be listed too.
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1d chain=input comment="port scanner detector" \
protocol=tcp psd=21,3s,3,1
# Drop forward packets in conntrack state invalid.
add action=drop chain=forward connection-nat-state="" connection-state=\
invalid
# Drop new WAN-originated connections that were not dst-nat'ed.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether1_WAN
/ip firewall nat
# Source NAT for everything leaving through the WAN port.
add action=masquerade chain=srcnat out-interface=ether1_WAN
# UDP/53 from the listed subnets is redirected to 208.67.222.123. DNS over
# TCP/53 and encrypted DNS are not covered by this rule.
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
to-ports=53
# Management plane: only SSH and Winbox stay enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# NOTE(review): the only interface address in 172.22.22.0/24 is disabled in
# this export, so no attached subnet can currently reach SSH.
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
# NOTE(review): the allow-list now includes 172.22.0.0/24, the subnet served
# to wifi3_guest, so guest clients can reach the Winbox login. Remove it
# unless guest-side management is intended.
set winbox address=\
172.22.1.0/24,172.22.22.0/24,172.22.3.0/24,172.22.0.0/24,10.22.22.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
# 2024-02-10 11:00:09 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number =
# Single bridge for all LAN ports and radios.
# NOTE(review): vlan-filtering is not enabled here, so the bridge VLAN table
# below is not enforced and all ports share one broadcast domain.
/interface bridge
add name=main_bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
.skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 disabled=\
no name=wifi2_2ghz security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
master-interface=wifi2_2ghz name=wifi3_guest \
security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool_wifi_guest ranges=172.22.0.10-172.22.0.200
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=171.22.2.10-171.22.2.200
/ip dhcp-server
add address-pool=dhcp_pool_wifi_guest interface=wifi3_guest lease-time=1d \
name=dhcp_wifi_guest
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
dhcp_VLAN_2
# All LAN ports and both radios are ports of main_bridge; none sets a pvid,
# so untagged ingress frames keep the default VLAN ID.
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
10
add bridge=main_bridge interface=ether5_LAN
# Guest AP bridge membership remains disabled (guest is still routed).
add bridge=main_bridge disabled=yes interface=wifi3_guest
# ether5_LAN is tagged for VLANs 2-4 and untagged for VLAN 5.
# NOTE(review): an untagged member needs a matching pvid on its bridge port
# (pvid=5 on ether5_LAN) for ingress frames to land in that VLAN, and the
# whole table only applies once main_bridge has vlan-filtering=yes.
/interface bridge vlan
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=3
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=4
add bridge=main_bridge tagged=main_bridge untagged=ether5_LAN vlan-ids=5
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=2
/ip address
add address=172.22.0.1/24 interface=wifi3_guest network=172.22.0.0
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=171.22.2.1/24 interface=vlan_2 network=171.22.2.0
/ip dhcp-client
add interface=ether1_WAN
# Rogue-DHCP detection entries carried over from the earlier layout.
# NOTE(review): interface=*8 and interface=*A are internal IDs, which RouterOS
# prints when the referenced interface no longer exists (presumably the two
# deleted bridges). Those two entries watch nothing and should be removed or
# re-pointed at main_bridge / the VLAN interfaces.
# NOTE(review): valid-server is blank in this paste and the on-alert scripts
# do not use the usual :log error "message" form; verify they actually log.
/ip dhcp-server alert
add disabled=no interface=*8 on-alert=\
": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
add disabled=no interface=*A on-alert=\
":log error= \" not valid DHCP server bridge_2\"" valid-server=\
add disabled=no interface=wifi3_guest on-alert=\
":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
/ip dhcp-server network
add address=171.22.2.0/24 comment=VLAN2 gateway=171.22.2.1
add address=172.22.0.0/24 comment="wifi guest" gateway=172.22.0.1
add address=172.22.3.0/24 comment=VLAN3 gateway=172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 gateway=172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 gateway=172.22.5.1
# Source subnets whose DNS queries are redirected by the dst-nat rule below.
# NOTE(review): 172.22.1.0/24 and 172.22.22.0/24 no longer have a router
# address in this export, while the VLAN 2, 4 and 5 subnets are missing, so
# most clients bypass the DNS redirect.
/ip firewall address-list
add address=172.22.0.0/24 list=block_porn
add address=172.22.1.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.22.0/24 list=block_porn
# NOTE(review): the input chain has no accept for established/related and no
# final drop; new connections from ether1_WAN to the router are not filtered
# here. The forward chain has no rule separating the guest subnet
# (172.22.0.0/24) from the VLAN subnets.
/ip firewall filter
# Matches the guest subnet only, despite what the comment says.
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
protocol=icmp src-address=172.22.0.0/24
# Drop traffic to the router from sources listed by the detector below.
add action=drop chain=input comment="block port scanners" src-address-list=\
port_scanners
# Established/related forward traffic: fasttrack, then plain accept.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
# psd fields: weight threshold 21, delay threshold 3s, low-port weight 3,
# high-port weight 1; listed for one day. No in-interface matcher, so LAN
# hosts can be listed too.
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1d chain=input comment="port scanner detector" \
protocol=tcp psd=21,3s,3,1
# Drop forward packets in conntrack state invalid.
add action=drop chain=forward connection-nat-state="" connection-state=\
invalid
# Drop new WAN-originated connections that were not dst-nat'ed.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether1_WAN
/ip firewall nat
# Source NAT for everything leaving through the WAN port.
add action=masquerade chain=srcnat out-interface=ether1_WAN
# UDP/53 from the listed subnets is redirected to 208.67.222.123. DNS over
# TCP/53 and encrypted DNS are not covered by this rule.
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
to-ports=53
# Management plane: only SSH and Winbox stay enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# NOTE(review): no interface holds an address in 172.22.22.0/24 in this
# export, so SSH is unreachable from every attached subnet. Update the list
# to the subnet that should manage the router.
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
# NOTE(review): the allow-list contains 172.22.0.0/24 (the wifi3_guest
# subnet), so guest clients can reach the Winbox login; 172.22.1.0/24,
# 172.22.22.0/24 and 10.22.22.0/24 match no configured address here.
set winbox address=\
172.22.1.0/24,172.22.22.0/24,172.22.3.0/24,172.22.0.0/24,10.22.22.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
# 2024-02-10 14:04:24 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number =
# Single bridge with VLAN filtering enabled: from this export on, the
# "/interface bridge vlan" table and the per-port pvid values are enforced.
/interface bridge
add name=main_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
add interface=main_bridge name=vlan_wifi_2 vlan-id=10
add interface=main_bridge name=vlan_wifi_5 vlan-id=20
add interface=main_bridge name=vlan_wifi_guest vlan-id=30
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
# Two radios in AP mode plus the guest virtual AP on the 2.4 GHz radio.
# NOTE(review): all three SSIDs accept wpa-psk together with wpa2-psk. WPA (v1)
# is a legacy mode; if every client supports it, wpa2-psk,wpa3-psk is the
# stronger choice. No passphrase is shown in this export.
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
.skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
wpa-psk,wpa2-psk
# NOTE(review): datapath.interface-list=all is new in this export and is set
# on the 2.4 GHz radio only; confirm it is intentional, since the radio is
# already placed in VLAN 10 through its bridge port.
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 \
datapath.interface-list=all disabled=no name=wifi2_2ghz \
security.authentication-types=wpa-psk,wpa2-psk
# Guest virtual AP; the mac-address value is blank in this paste (presumably
# removed by the poster).
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
master-interface=wifi2_2ghz name=wifi3_guest \
security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.2.10-172.22.2.200
add name=dhcp_pool_wifi_2 ranges=10.22.22.10-10.22.22.200
add name=dhcp_pool_wifi_5 ranges=10.22.20.10-10.22.20.200
add name=dhcp_pool18 ranges=10.22.0.10-10.22.0.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
dhcp_VLAN_2
add address-pool=dhcp_pool_wifi_2 interface=vlan_wifi_2 lease-time=1d name=\
dhcp_wifi_2
add address-pool=dhcp_pool_wifi_5 interface=vlan_wifi_5 lease-time=1d name=\
dhcp_wifi_5
add address-pool=dhcp_pool18 interface=vlan_wifi_guest lease-time=1d name=\
dhcp_wifi_guest
# Every LAN port and every AP is an access port in its own VLAN: pvid assigns
# the VLAN to untagged ingress frames. The guest AP is now an active bridge
# port in VLAN 30, which separates it from the other segments at layer 2.
# NOTE(review): no port sets frame-types, so tagged frames are still accepted
# on access ports; frame-types=admit-only-untagged-and-priority-tagged would
# tighten them.
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
10 pvid=2
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
10 pvid=3
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
10 pvid=20
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
10 pvid=10
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
10 pvid=4
add bridge=main_bridge interface=ether5_LAN pvid=5
add bridge=main_bridge interface=wifi3_guest pvid=30
# VLAN membership table: each VLAN has exactly one untagged access port, and
# the bridge itself is a tagged member so the matching vlan_N interface (the
# router's gateway address) can reach the VLAN.
/interface bridge vlan
add bridge=main_bridge tagged=main_bridge untagged=ether3_LAN vlan-ids=3
add bridge=main_bridge tagged=main_bridge untagged=ether4_LAN vlan-ids=4
add bridge=main_bridge tagged=main_bridge untagged=ether5_LAN vlan-ids=5
add bridge=main_bridge tagged=main_bridge untagged=ether2_LAN vlan-ids=2
add bridge=main_bridge tagged=main_bridge untagged=wifi2_2ghz vlan-ids=10
add bridge=main_bridge tagged=main_bridge untagged=wifi1_5ghz vlan-ids=20
add bridge=main_bridge tagged=main_bridge untagged=wifi3_guest vlan-ids=30
/ip address
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=172.22.2.1/24 interface=vlan_2 network=172.22.2.0
add address=10.22.22.1/24 interface=vlan_wifi_2 network=10.22.22.0
add address=10.22.20.1/24 interface=vlan_wifi_5 network=10.22.20.0
add address=10.22.0.1/24 interface=vlan_wifi_guest network=10.22.0.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=*8 on-alert=\
": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
add disabled=no interface=*A on-alert=\
":log error= \" not valid DHCP server bridge_2\"" valid-server=\
add disabled=no interface=wifi3_guest on-alert=\
":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
/ip dhcp-server network
# Options handed to DHCP clients per subnet; only the gateway is set.
# NOTE(review): 172.22.0.0/24 ("wifi guest") is a leftover. The guest network
# now uses 10.22.0.0/24 on vlan_wifi_guest and no interface holds 172.22.0.1.
add address=10.22.0.0/24 gateway=10.22.0.1
add address=10.22.20.0/24 comment=wifi_5 gateway=10.22.20.1
add address=10.22.22.0/24 comment=wifi_2 gateway=10.22.22.1
add address=172.22.0.0/24 comment="wifi guest" gateway=172.22.0.1
add address=172.22.2.0/24 comment=VLAN2 gateway=172.22.2.1
add address=172.22.3.0/24 comment=VLAN3 gateway=172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 gateway=172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 gateway=172.22.5.1
# Source subnets whose DNS queries are redirected by the dst-nat rule below;
# the list now covers all seven VLAN subnets of this export.
/ip firewall address-list
add address=10.22.0.0/24 list=block_porn
add address=10.22.20.0/24 list=block_porn
add address=10.22.22.0/24 list=block_porn
add address=172.22.2.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.4.0/24 list=block_porn
add address=172.22.5.0/24 list=block_porn
# NOTE(review): the input chain has no accept for established/related and no
# final drop; new connections from ether1_WAN to the router are not filtered
# here.
# NOTE(review): the bridge keeps the VLANs apart at layer 2, but the router
# still routes between its vlan_N interfaces and no forward rule blocks
# guest (10.22.0.0/24) to LAN traffic. Add explicit forward drops if the
# guest network is meant to be isolated.
/ip firewall filter
# Drops ICMP to the router from the guest VLAN subnet; the comment text still
# refers to the old 172.22.22.0/24 LAN.
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
protocol=icmp src-address=10.22.0.0/24
# Drop traffic to the router from sources listed by the detector below.
add action=drop chain=input comment="block port scanners" src-address-list=\
port_scanners
# Established/related forward traffic: fasttrack, then plain accept.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
# psd fields: weight threshold 21, delay threshold 3s, low-port weight 3,
# high-port weight 1; listed for one day. No in-interface matcher, so LAN
# hosts can be listed too.
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1d chain=input comment="port scanner detector" \
protocol=tcp psd=21,3s,3,1
# Drop forward packets in conntrack state invalid.
add action=drop chain=forward connection-nat-state="" connection-state=\
invalid
# Drop new WAN-originated connections that were not dst-nat'ed.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether1_WAN
/ip firewall nat
# Source NAT for everything leaving through the WAN port.
add action=masquerade chain=srcnat out-interface=ether1_WAN
# UDP/53 from the listed subnets is redirected to 208.67.222.123. DNS over
# TCP/53 and encrypted DNS are not covered by this rule.
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
to-ports=53
# Management services: the unencrypted ones (telnet, ftp, www) and both API
# services are switched off; ssh and winbox stay on with source-address limits.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# NOTE(review): ssh is limited to 172.22.22.0/24, a subnet that does not
# appear in the visible /ip address list - confirm ssh is still reachable.
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
# NOTE(review): winbox is allowed from seven subnets, including 10.22.0.0/24
# (the guest wifi subnet); limiting it to one management subnet would shrink
# the exposure.
set winbox address="172.22.3.0/24,172.22.4.0/24,172.22.5.0/24,172.22.0.0/24,10\
.22.22.0/24,10.22.20.0/24,10.22.0.0/24"
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
I have 7 dhcp pools because I have 7 VLANs. Delete ip pools and dhcp servers you don't need, you have 4 VLANs, leave 4 dhcp servers.
No, but you don't get anymore the stern look of disapproval.do I get a prize for this?
well thats already something..No, but you don't get anymore the stern look of disapproval.do I get a prize for this?
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number =
# A single VLAN-aware bridge carries every LAN-side port.
/interface bridge
add vlan-filtering=yes name=main_bridge
# Rename the physical ports by role: ether1 is the uplink, ether2-5 are LAN.
/interface ethernet
set [find default-name=ether1] name=ether1_WAN
set [find default-name=ether2] name=ether2_LAN
set [find default-name=ether3] name=ether3_LAN
set [find default-name=ether4] name=ether4_LAN
set [find default-name=ether5] name=ether5_LAN
# Layer-3 interfaces for VLANs 2-5 on top of the bridge.
/interface vlan
add name=vlan_2 vlan-id=2 interface=main_bridge
add name=vlan_3 vlan-id=3 interface=main_bridge
add name=vlan_4 vlan-id=4 interface=main_bridge
add name=vlan_5 vlan-id=5 interface=main_bridge
# Channel templates referenced from /interface wifi.
/interface wifi channel
add name=channel1 band=2ghz-ax width=20/40mhz-eC disabled=no
add name=channel2 band=5ghz-ax frequency=5500,5660,5580,5180 disabled=no
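# Access-point radios: 5 GHz and 2.4 GHz masters plus a guest SSID as a
# virtual AP on the 2.4 GHz radio.
# Changed from the posted export: authentication-types no longer offers
# wpa-psk (first-generation WPA, TKIP) and now offers wpa2-psk,wpa3-psk.
# Clients that only support the original WPA will stop associating.
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
.skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 \
datapath.interface-list=all disabled=no name=wifi2_2ghz \
security.authentication-types=wpa2-psk,wpa3-psk
# NOTE(review): the mac-address value is missing in the post (apparently
# stripped), so the backslash joins the next line onto it; restore the
# virtual AP's MAC address before importing.
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
master-interface=wifi2_2ghz name=wifi3_guest \
security.authentication-types=wpa2-psk,wpa3-psk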
# Lease ranges: hosts .10-.200 of each /24.
/ip pool
add ranges=172.22.2.10-172.22.2.200 name=dhcp_pool_VLAN_2
add ranges=172.22.3.10-172.22.3.200 name=dhcp_pool_VLAN_3
add ranges=172.22.4.10-172.22.4.200 name=dhcp_pool_VLAN_4
add ranges=172.22.5.10-172.22.5.200 name=dhcp_pool_VLAN_5
add ranges=10.22.22.10-10.22.22.200 name=dhcp_pool_wifi_2
add ranges=10.22.20.10-10.22.20.200 name=dhcp_pool_wifi_5
add ranges=10.22.0.10-10.22.0.200 name=dhcp_pool18
# One DHCP server per wired VLAN interface, one-day leases.
# The three 10.22.x pools above are not used by any server in this export.
/ip dhcp-server
add name=dhcp_VLAN_2 interface=vlan_2 address-pool=dhcp_pool_VLAN_2 lease-time=1d
add name=dhcp_VLAN_3 interface=vlan_3 address-pool=dhcp_pool_VLAN_3 lease-time=1d
add name=dhcp_VLAN_4 interface=vlan_4 address-pool=dhcp_pool_VLAN_4 lease-time=1d
add name=dhcp_VLAN_5 interface=vlan_5 address-pool=dhcp_pool_VLAN_5 lease-time=1d
# Bridge membership. pvid is the VLAN that untagged frames arriving on the
# port are placed in: ether2 and both main radios -> 2, ether3 and the guest
# SSID -> 3, ether4 -> 4, ether5 -> 5.
# NOTE(review): wifi3_guest shares VLAN 3 with the wired port ether3_LAN, so
# guest clients sit in the same layer-2 segment and subnet as that port.
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
10 pvid=2
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
10 pvid=3
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
10 pvid=2
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
10 pvid=2
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
10 pvid=4
add bridge=main_bridge interface=ether5_LAN pvid=5
add bridge=main_bridge interface=wifi3_guest pvid=3
# VLAN table. The bridge itself is tagged in every VLAN so that the vlan_N
# interfaces on top of it receive the traffic.
# NOTE(review): the entries for VLANs 10, 20 and 30 list the wifi interfaces
# as untagged, but their pvid above is 2 or 3 and this export has no VLAN
# interface or address for 10/20/30 - these look like leftovers; confirm and
# remove. The VLAN 2 entry lists no untagged port; presumably the ports with
# pvid=2 are added dynamically - verify in the running VLAN table.
/interface bridge vlan
add bridge=main_bridge tagged=main_bridge untagged=ether3_LAN vlan-ids=3
add bridge=main_bridge tagged=main_bridge untagged=ether4_LAN vlan-ids=4
add bridge=main_bridge tagged=main_bridge untagged=ether5_LAN vlan-ids=5
add bridge=main_bridge tagged=main_bridge vlan-ids=2
add bridge=main_bridge tagged=main_bridge untagged=wifi2_2ghz vlan-ids=10
add bridge=main_bridge tagged=main_bridge untagged=wifi1_5ghz vlan-ids=20
add bridge=main_bridge tagged=main_bridge untagged=wifi3_guest vlan-ids=30
# Router (gateway) address on each VLAN interface; the comments record which
# ports and SSIDs feed the VLAN.
/ip address
add interface=vlan_2 address=172.22.2.1/24 network=172.22.2.0 comment="eth2_port /wifi_2G/wifi_5G"
add interface=vlan_3 address=172.22.3.1/24 network=172.22.3.0 comment=eth3_port/wifi_guest
add interface=vlan_4 address=172.22.4.1/24 network=172.22.4.0
add interface=vlan_5 address=172.22.5.1/24 network=172.22.5.0
# The uplink address is leased via DHCP on the WAN port.
/ip dhcp-client
add interface=ether1_WAN
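# Rogue-DHCP detection: one watcher per VLAN interface. The on-alert script
# runs when a DHCP server other than valid-server replies on that interface.
# Changes from the posted export:
#  - the scripts use the documented `:log error "text"` form (the post had
#    `error=`, with stray spaces in two entries);
#  - the vlan_4 and vlan_5 messages name their own VLAN (both said
#    "wifi_guest"), so a log entry identifies where the rogue server is;
#  - valid-server was empty in the post (stripped with the MAC addresses);
#    REPLACE_WITH_ROUTER_MAC is a placeholder and must be replaced with the
#    MAC address this router answers DHCP from before importing.
/ip dhcp-server alert
add disabled=no interface=vlan_2 on-alert=":log error \"not valid DHCP server VLAN_2\"" valid-server=REPLACE_WITH_ROUTER_MAC
add disabled=no interface=vlan_3 on-alert=":log error \"not valid DHCP server VLAN_3\"" valid-server=REPLACE_WITH_ROUTER_MAC
add disabled=no interface=vlan_4 on-alert=":log error \"not valid DHCP server VLAN_4\"" valid-server=REPLACE_WITH_ROUTER_MAC
add disabled=no interface=vlan_5 on-alert=":log error \"not valid DHCP server VLAN_5\"" valid-server=REPLACE_WITH_ROUTER_MAC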
# Options handed to DHCP clients, keyed by subnet. Only the gateway is set;
# no dns-server option appears on any entry.
# NOTE(review): this export has DHCP servers and router addresses only for
# 172.22.2.0/24 - 172.22.5.0/24. The three 10.22.x entries and 172.22.0.0/24
# match nothing else in the export and look like leftovers from the earlier
# layout - confirm and remove.
/ip dhcp-server network
add address=10.22.0.0/24 gateway=10.22.0.1
add address=10.22.20.0/24 comment=wifi_5 gateway=10.22.20.1
add address=10.22.22.0/24 comment=wifi_2 gateway=10.22.22.1
add address=172.22.0.0/24 comment="wifi guest" gateway=172.22.0.1
add address=172.22.2.0/24 comment=VLAN2 gateway=172.22.2.1
add address=172.22.3.0/24 comment=VLAN3 gateway=172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 gateway=172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 gateway=172.22.5.1
# Source subnets whose DNS queries are redirected in /ip firewall nat.
# NOTE(review): the 10.22.x subnets are not assigned to any interface in this
# export.
/ip firewall address-list
add address=10.22.0.0/24 list=block_porn
add address=10.22.20.0/24 list=block_porn
add address=10.22.22.0/24 list=block_porn
add address=172.22.2.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.4.0/24 list=block_porn
add address=172.22.5.0/24 list=block_porn
# Filter rules are evaluated top to bottom within each chain.
# NOTE(review): the input chain has no final drop, so anything not matched
# below is accepted; protection of the router from ether1_WAN then rests on
# the address limits in /ip service.
# NOTE(review): no forward rule separates the VLANs from each other, so the
# guest SSID's VLAN can reach the other subnets through the router.
/ip firewall filter
# NOTE(review): src-address 10.22.2.0/24 matches no subnet configured in this
# export and differs from the 172.22.22.0/24 named in the comment, so this
# rule presumably never matches - confirm the intended source.
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
protocol=icmp src-address=10.22.2.0/24
# Drop router-bound traffic from sources the detector further down has listed.
add action=drop chain=input comment="block port scanners" src-address-list=\
port_scanners
# Established/related forwarded traffic takes the fast path, then is accepted.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
# psd=21,3s,3,1: weight threshold 21 within 3 s; ports below 1024 count 3,
# other ports count 1. Matching sources are listed for one day.
# NOTE(review): no in-interface is set, so LAN hosts can be listed as well.
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1d chain=input comment="port scanner detector" \
protocol=tcp psd=21,3s,3,1
# Drop forwarded packets that belong to no valid connection.
add action=drop chain=forward connection-nat-state="" connection-state=\
invalid
# Drop new connections from the WAN unless a dst-nat rule forwarded them.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether1_WAN
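/ip firewall nat
# Source-NAT everything leaving through the WAN port.
add action=masquerade chain=srcnat out-interface=ether1_WAN
# Redirect DNS from the block_porn source list to the filtering resolver
# 208.67.222.123. The posted rule covered UDP only, so a client could fall
# back to DNS over TCP/53 and skip the filter; the second rule closes that.
# DNS-over-TLS and DNS-over-HTTPS are still not affected by either rule.
# The rule comment says "guest wifi", but the list holds every LAN subnet.
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
to-ports=53
add action=dst-nat chain=dstnat comment="block porn on guest wifi (DNS over TCP)" \
dst-port=53 protocol=tcp src-address-list=block_porn \
to-addresses=208.67.222.123 to-ports=53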
# Management services: the unencrypted ones (telnet, ftp, www) and both API
# services are switched off; ssh and winbox stay on with source-address limits.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# NOTE(review): ssh is limited to 172.22.22.0/24, which is not assigned to any
# interface in this export, so ssh is presumably unreachable from the LAN -
# confirm and point it at the management subnet.
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
# NOTE(review): winbox is allowed from all four VLAN subnets, including
# 172.22.3.0/24, which the guest SSID shares; limiting it to one management
# subnet would shrink the exposure.
set winbox address=172.22.2.0/24,172.22.3.0/24,172.22.4.0/24,172.22.5.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
He wants to use OpenDNS (family shield) DNS 208.67.222.123One thing that catches my eye, how do you plan to block porn ? Do you have local DNS or something ?
thanks bartosz will do!!@antoniocerasuolo
Please DO use proper "code" tags when you post configuration and do please edit and correct your latest posts as they are "1 meter long" and hard to read.
I have edited some of your posts already.
hi Jclaz still awake st this time? ..He wants to use OpenDNS (family shield) DNS 208.67.222.123One thing that catches my eye, how do you plan to block porn ? Do you have local DNS or something ?
https://en.wikipedia.org/wiki/OpenDNS
..the original idea was to limit porn etc.. only in my guest network.. but i liked the way it works so i applied to all my networks.. but yes I may take it off… your approach to the matter is also my view.. people are empowered and should know what they’re doing ..Kids will find porn if they want too, if not at your house at a friends house, the best advice is education and talk about it.
Hey Giga,Let the people have some fun... Why don't you block porn on all networks then
Didn't even noticed OP is using OpenDNS. For winbox access you surely don't need access from all VLANs. You don't even have interface lists ?
am trying to create the interface Lists, but in the interfaces section there is the interface list tab but it only allows me to add an interface under an already existing interface list, how do I create the names of the lists??In short, interface list enables you to have easier management of your interfaces in for eg. firewall, you have input rule to drop all traffic coming to the router that is not originated from LAN. With interface list you just add all of your LAN side interfaces to the LAN interface list and then when making such rule in firewall you just specify interface list instead of interfaces.
Also when managing your router you can for eg create interface list mgmt and specify your mgmt vlan in it. Then you can specify that router can be accessed by winbox only on interfaces that are in that list.
thank you!Under Interface List you have button Lists. Here you can create your lists
ok thanks i’ll think about it..Go to Tools -> MAC server -> MAC Winbox server. Here you can select allowed interface list.
BE AWARE: Changing this could result in lockout... Be careful
I have no experience with OpenDNS, nor with this approach, it is better than nothing, but I doubt that it is particularly effective, I would classify it as a mitigation, not as a solution.
It will be interesting to see how (not when, not if) the kids will bypass or workaround the limitation.
Interface lists are - I believe - very useful as long (like all the other names you attribute to elements in RoS) as you are good at naming things in such a way that is clear today and will be clear (at least to you) in 6 months or one year from now when you'll want to change something, from the configurations I have seen it is sometimes very difficult to understand the naming.
absolutely not an issue.. an IP is an IP...Mikrotik usually give out addresses from end of the pool but this shouldn't present any problem for you.
just want to make everyones life easierThank you for edits Antonio. Now it's much easier to read
don't you get stiff arm or tennis elbow scrolling too much??I quite like scrolling through a long config, keeps my mouse finger in shape...............j/k much better!!
You need to tag VLANs that you want to send via trunk port, not untag them. You untag VLAN when you have access port, so port where your PC connects, or some other device.guys
as you know on the ax2,I currently have:
VLAN2 -> wifi2ghz,Wifi5ghz,eth_port2
VLAN3-> wifi_guest,eth_port3
VLAN4->eth_port4
VLAN5->eth_port5
working perfectly!
i should be receiving the CRS112 switch Next week , and was thinking of also sending all the VLANs down through eth_port5, and wanted have a heads up to know what to do on the ax2 not to waste too much time.
will the fact that each VLAN already has designated ports be an issue?
will I still be able to have VLAN's remain as configured above and still send to the switch?
what would be the steps to achieve this on the ax2 ,would this simply mean adding the eth_port5 as untagged to each VLAN, except VLAN5 as it's already on that port??
You need to tag VLANs that you want to send via trunk port, not untag them. You untag VLAN when you have access port, so port where your PC connects, or some other device.guys
as you know on the ax2,I currently have:
VLAN2 -> wifi2ghz,Wifi5ghz,eth_port2
VLAN3-> wifi_guest,eth_port3
VLAN4->eth_port4
VLAN5->eth_port5
working perfectly!
i should be receiving the CRS112 switch Next week , and was thinking of also sending all the VLANs down through eth_port5, and wanted have a heads up to know what to do on the ax2 not to waste too much time.
will the fact that each VLAN already has designated ports be an issue?
will I still be able to have VLAN's remain as configured above and still send to the switch?
what would be the steps to achieve this on the ax2 ,would this simply mean adding the eth_port5 as untagged to each VLAN, except VLAN5 as it's already on that port??
When you get your device then we will continue. While waiting read this post from @Mesquite: viewtopic.php?p=1055523#p1055523
Be careful, do not copy whole configuration from ax2 to ax3 because they are not same device !!hi Giga,
thanks sounds straightforward let's see what happens when i put hands on the thingy... thanks for the post from Mesquite!
in truth I just received also the AX3 for my second home (this is the real device i will use) , this is where I will install it upstream from the CRS112
I'm currently copying my AX2 config to the AX3 while waiting for the CRS112 to arrive!
If it wasn't for the simplified configuration for the VLAN's you guys showed me , it would have been a mess with 3 bridges and a sloppy configuration!
Thanks!!
Trieste....i'm in Milano!! ok next time if ever I'm in Trieste pizza and beer is on me!!Just saying... If you broke something you owe me pizza in Trieste
thanks!You are using CH132 which is DFS channel: https://www.aami.org/medical-device-con ... 20seconds.
If radar signal is detected router must immediately stop transmitting on 5GHz radio so there is no interference.
Move to some channel that is not DFS so you avoid getting this problem again.
viewtopic.php?t=204313#p1055121What are other frequencies ?
# Channel templates as posted before the change discussed in the thread.
# 5500, 5580 and 5660 MHz are DFS channels (the AP must vacate them when radar
# is detected); 5180 MHz is not.
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
i changed the frequencies to the following: Maybe useful:
https://systemzone.net/mikrotik-wifi-fr ... planation/
thanks!! good idea!!Your switch has to get IP address from somewhere so if there is no management VLAN simply use VLAN you trust the most and that's it. That is how I do.
Delete configuration so you have clean start. And you can take one port off bridge and assign it with static IP. That port you can use for configuration and to prevent lockout.
All of that you can read in post i linked you here from Mr. Hyde
thanks .. I owe you a pizza. in Milano non Trieste ..You can, can't see the reason why not
To be fair, with a DHCP anyone can plug into that port and can start brute-forcing the login and password, not really instant.The reason I don't create a dhcp, is then anyone can plug into that port and get instant access.
The reason I don't create a dhcp, is then anyone can plug into that port and get instant access.
To be fair, with a DHCP anyone can plug into that port and can start brute-forcing the login and password, not really instant.
It would be however be logical (as a little added security element) to allow connection from only a single given IP (to be manually assigned to the PC used to connect).
The usual problem to this (and many other) security provisions (used outside professional environments) is that it is very likely that - before or later - the authorized user will be locked out.
Outside stories and TV series, in real life I would be much more preoccupied of what else an intruder with physical access to my house can steal or damage than to the possibility that he will connect to my router and gain access to it.
who are "they"?And remember, if "they" are after you, "they" will get you (or more likely "they" already got you).
Maybe someone wants to steal your pizza dough recipe... Be careful...guys,
my switch is in my kitchen ..
no one ever comes into my kitchen with a lan cable and a laptop..
Anyone with (much) more capabilities and power than you can imagine (legal, technical, financial. sheer force) , typically (in the US) three letters agencies, but also international hackers, the mafia, etc.who are "they"?
hey Giga,Maybe someone wants to steal your pizza dough recipe... Be careful...guys,
my switch is in my kitchen ..
no one ever comes into my kitchen with a lan cable and a laptop..
hey JclazAnyone with (much) more capabilities and power than you can imagine (legal, technical, financial. sheer force) , typically (in the US) three letters agencies, but also international hackers, the mafia, etc.who are "they"?
If you are a target, you will be hit.
Half to three quarter of the time security experts and researchers spend is about inventing possible (often overly complex) menaces/vulnerabilities in order to show off how good they are, and find some way to harass everyone, everyday, in real life a $5 spanner or wrench is easier and more effective, famous related xkcd's:
https://xkcd.com/538/
https://xkcd.com/936/
Will you break spaghetti in half so they can fit in cooking pot ??hey Giga,
i'm doing the unboxing video in my kitchen this evening.. while i'm cooking spaghetti & tomato sauce!
hey Giga,Will you break spaghetti in half so they can fit in cooking pot ??hey Giga,
i'm doing the unboxing video in my kitchen this evening.. while i'm cooking spaghetti & tomato sauce!
Not really, it is a sin only if you do it, in Italian culture a mother is always right, by definition.I hope there is no much Italians reading this... I thought it's a sin to break them in half...
Hi Giga,I hope there is no much Italians reading this... I thought it's a sin to break them in half...
On topic, is your switch working ?
# 2024-02-15 19:12:16 by RouterOS 7.13.4
# software id = Y9KM-R2BS
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
# A single VLAN-aware bridge carries every LAN-side port.
/interface bridge
add vlan-filtering=yes port-cost-mode=short name=main_bridge_sacco
# Rename the physical ports by role: ether1 is the uplink, ether2-5 are LAN.
/interface ethernet
set [find default-name=ether1] name=ether1_WAN
set [find default-name=ether2] name=ether2_LAN
set [find default-name=ether3] name=ether3_LAN
set [find default-name=ether4] name=ether4_LAN
set [find default-name=ether5] name=ether5_LAN
# Layer-3 interfaces for VLANs 2-5 on top of the bridge.
/interface vlan
add name=vlan_2 vlan-id=2 interface=main_bridge_sacco
add name=vlan_3 vlan-id=3 interface=main_bridge_sacco
add name=vlan_4 vlan-id=4 interface=main_bridge_sacco
add name=vlan_5 vlan-id=5 interface=main_bridge_sacco
# Interface list that groups the VLAN interfaces (members are added further
# down in /interface list member).
/interface list
add name=VLANS
# Channel templates; the 5 GHz one is pinned to 5180-5240 MHz and skips DFS.
/interface wifi channel
add name=channel1 band=2ghz-ax width=20/40mhz-eC disabled=no
add name=channel2 band=5ghz-ax frequency=5180,5200,5220,5240 skip-dfs-channels=all disabled=no
# Access-point radios, WPA2/WPA3 personal. The dotted shorthand of the export
# (.width, .mode, .ssid) is written out with its full prefix here.
/interface wifi
set [find default-name=wifi2] name=wifi_2ghz disabled=no \
channel=channel1 channel.band=2ghz-ax channel.width=20/40mhz-Ce \
configuration.country=Italy configuration.mode=ap \
configuration.ssid=mikrotik_2_sacco \
security.authentication-types=wpa2-psk,wpa3-psk
set [find default-name=wifi1] name=wifi_5ghz disabled=no \
channel=channel2 \
configuration.country=Italy configuration.mode=ap \
configuration.ssid=mikrotik_5_sacco \
security.authentication-types=wpa2-psk,wpa3-psk
# Lease ranges: hosts .10-.200 of each VLAN's /24.
/ip pool
add ranges=172.11.2.10-172.11.2.200 name=dhcp_pool_VLAN_2
add ranges=172.11.3.10-172.11.3.200 name=dhcp_pool_VLAN_3
add ranges=172.11.4.10-172.11.4.200 name=dhcp_pool_VLAN_4
add ranges=172.11.5.10-172.11.5.200 name=dhcp_pool_VLAN_5
# One DHCP server per VLAN interface, one-day leases.
/ip dhcp-server
add name=dhcp_VLAN_2 interface=vlan_2 address-pool=dhcp_pool_VLAN_2 lease-time=1d
add name=dhcp_VLAN_3 interface=vlan_3 address-pool=dhcp_pool_VLAN_3 lease-time=1d
add name=dhcp_VLAN_4 interface=vlan_4 address-pool=dhcp_pool_VLAN_4 lease-time=1d
add name=dhcp_VLAN_5 interface=vlan_5 address-pool=dhcp_pool_VLAN_5 lease-time=1d
# Bridge membership. pvid is the VLAN that untagged frames arriving on the
# port are placed in: ether2 and both radios -> 2, ether3 -> 3, ether4 -> 4,
# ether5 -> 5.
/interface bridge port
add bridge=main_bridge_sacco interface=ether2_LAN internal-path-cost=10 \
path-cost=10 pvid=2
add bridge=main_bridge_sacco interface=ether3_LAN internal-path-cost=10 \
path-cost=10 pvid=3
add bridge=main_bridge_sacco interface=ether4_LAN internal-path-cost=10 \
path-cost=10 pvid=4
add bridge=main_bridge_sacco interface=ether5_LAN internal-path-cost=10 \
path-cost=10 pvid=5
add bridge=main_bridge_sacco interface=wifi_2ghz internal-path-cost=10 \
path-cost=10 pvid=2
add bridge=main_bridge_sacco interface=wifi_5ghz internal-path-cost=10 \
path-cost=10 pvid=2
# Neighbor discovery runs on every interface that is not dynamic, which
# includes ether1_WAN.
# NOTE(review): consider restricting this to a LAN-side interface list so the
# router does not announce its identity and version towards the uplink.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLAN table. The bridge is tagged in every VLAN for the vlan_N interfaces;
# ether5_LAN is tagged in VLANs 2-5, i.e. it is the trunk port.
# NOTE(review): ether5_LAN also has pvid=5 above, so untagged frames arriving
# on the trunk are placed in VLAN 5 - confirm that this is intended.
/interface bridge vlan
add bridge=main_bridge_sacco tagged=main_bridge_sacco,ether5_LAN untagged=\
ether2_LAN vlan-ids=2
add bridge=main_bridge_sacco tagged=main_bridge_sacco,ether5_LAN untagged=\
ether3_LAN vlan-ids=3
add bridge=main_bridge_sacco tagged=main_bridge_sacco,ether5_LAN untagged=\
ether4_LAN vlan-ids=4
add bridge=main_bridge_sacco tagged=main_bridge_sacco,ether5_LAN vlan-ids=5
# Members of the VLANS list, which the DNS redirect rule in /ip firewall nat
# matches on.
/interface list member
add interface=vlan_2 list=VLANS
add interface=vlan_3 list=VLANS
add interface=vlan_4 list=VLANS
add interface=vlan_5 list=VLANS
# Router (gateway) address on each VLAN interface.
# NOTE(review): 172.11.0.0/16 is not private address space. The RFC 1918 block
# in 172.x is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), so these subnets
# overlap publicly routable addresses, and the real hosts in those ranges
# become unreachable from this LAN. Renumbering means changing /ip pool,
# /ip address and /ip dhcp-server network together.
/ip address
add address=172.11.3.1/24 interface=vlan_3 network=172.11.3.0
add address=172.11.4.1/24 interface=vlan_4 network=172.11.4.0
add address=172.11.5.1/24 interface=vlan_5 network=172.11.5.0
add address=172.11.2.1/24 interface=vlan_2 network=172.11.2.0
# The uplink address is leased via DHCP on the WAN port.
/ip dhcp-client
add interface=ether1_WAN
# Options handed to DHCP clients per subnet: gateway only, no dns-server.
/ip dhcp-server network
add address=172.11.2.0/24 gateway=172.11.2.1
add address=172.11.3.0/24 gateway=172.11.3.1
add address=172.11.4.0/24 gateway=172.11.4.1
add address=172.11.5.0/24 gateway=172.11.5.1
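# Rules are evaluated top to bottom within each chain.
# Changes from the posted export:
#  - the input chain now accepts replies, drops invalid packets and drops
#    everything else arriving on ether1_WAN. The post had no input drop at
#    all, and /ip service sets no address limit on ssh or winbox, so the
#    router's management services were reachable from the uplink;
#  - the port-scanner rule gets its psd= matcher back and is limited to the
#    WAN port. Without psd= it listed every TCP source that talked to the
#    router, management PCs on the LAN included;
#  - masquerade is limited to traffic leaving through ether1_WAN instead of
#    rewriting inter-VLAN traffic as well;
#  - the DNS redirect also covers TCP/53.
# NOTE(review): no forward rule separates the VLANs from each other; add one
# if a VLAN is meant to be isolated.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="replies to router-originated traffic" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
# psd=21,3s,3,1: weight threshold 21 within 3 s; ports below 1024 count 3,
# other ports count 1. Listed for one day; the list is for visibility, the
# drop below already covers the WAN port.
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1d chain=input comment="port scanner detector" \
in-interface=ether1_WAN protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="no new connections to the router from WAN" \
in-interface=ether1_WAN
# --- forward: traffic routed through the router ---
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# Drop new connections from the WAN unless a dst-nat rule forwarded them.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
# Redirect DNS arriving on the VLAN interfaces to the filtering resolver
# 208.67.222.123. DNS-over-TLS and DNS-over-HTTPS are not affected.
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=VLANS protocol=\
udp to-addresses=208.67.222.123 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=VLANS protocol=\
tcp to-addresses=208.67.222.123 to-ports=53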
# Management services: the unencrypted ones (telnet, ftp, www) and both API
# services are switched off.
# NOTE(review): ssh and winbox are not listed, so they presumably remain
# enabled on their default ports with no source-address limit (the export
# appears to print only changed settings). The previous router's export
# limited both with address= - consider doing the same here.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
# jan/02/1970 01:16:05 by RouterOS 6.49.10
# software id = D234-TTJK
#
# model = CRS112-8G-4S
# serial number =
# Switch: one VLAN-aware bridge for the trunk and access ports.
/interface bridge
add vlan-filtering=yes name=main_bridge_switch
# Rename the ports by role: ether1 management, ether2 trunk, ether3-8 access.
/interface ethernet
set [find default-name=ether1] name=ether1_management
set [find default-name=ether2] name=ether2_trunk
set [find default-name=ether3] name=ether3_LAN
set [find default-name=ether4] name=ether4_LAN
set [find default-name=ether5] name=ether5_LAN
set [find default-name=ether6] name=ether6_LAN
set [find default-name=ether7] name=ether7_LAN
set [find default-name=ether8] name=ether8_LAN
/interface wireless security-profiles
set [find default=yes] supplicant-identity=MikroTik
/ip hotspot profile
set [find default=yes] html-directory=hotspot
# Dedicated management port: it hands out 10.11.11.10-200 to whatever is
# plugged into ether1_management.
# NOTE(review): the thread discusses leaving DHCP off on this port and using a
# manually assigned address instead.
/ip pool
add ranges=10.11.11.10-10.11.11.200 name=dhcp_pool_management
/ip dhcp-server
add name=dhcp_management interface=ether1_management address-pool=dhcp_pool_management lease-time=1d disabled=no
# Bridge membership with ingress filtering on every port. Access ports:
# ether3/4 -> VLAN 3, ether5/6 -> VLAN 4, ether7/8 -> VLAN 5. ether2_trunk has
# no pvid set here. ether1_management is not a bridge port.
# NOTE(review): no frame-types restriction is set. The access ports could use
# admit-only-untagged-and-priority-tagged and the trunk admit-only-vlan-tagged,
# so that untagged frames on the trunk do not fall into its PVID - confirm
# against the running configuration.
/interface bridge port
add bridge=main_bridge_switch ingress-filtering=yes interface=ether3_LAN \
pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether4_LAN \
pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether5_LAN \
pvid=4
add bridge=main_bridge_switch ingress-filtering=yes interface=ether6_LAN \
pvid=4
add bridge=main_bridge_switch ingress-filtering=yes interface=ether7_LAN \
pvid=5
add bridge=main_bridge_switch ingress-filtering=yes interface=ether8_LAN \
pvid=5
add bridge=main_bridge_switch ingress-filtering=yes interface=ether2_trunk
# Neighbor discovery runs on every interface that is not dynamic.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLAN table: VLANs 3, 4 and 5 are tagged on the trunk and untagged on their
# access ports. The bridge itself is not a member of any VLAN, so the switch
# has no layer-3 presence in them. VLAN 2 is not carried in this version.
/interface bridge vlan
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
ether3_LAN,ether4_LAN vlan-ids=3
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
ether5_LAN,ether6_LAN vlan-ids=4
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
ether7_LAN,ether8_LAN vlan-ids=5
# The switch's only IP address sits on the dedicated management port.
/ip address
add address=10.11.11.1/24 interface=ether1_management network=10.11.11.0
/ip dhcp-server network
add address=10.11.11.0/24 gateway=10.11.11.1
# Management services: the unencrypted ones (telnet, ftp, www) and both API
# services are switched off.
# NOTE(review): ssh and winbox are not listed and presumably stay enabled with
# no address limit; this export contains no firewall rules. With the DHCP
# server on ether1_management, any device plugged into that port gets an
# address and reaches the login prompt.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# feb/16/2024 01:12:04 by RouterOS 6.49.13
# software id = D234-TTJK
#
# model = CRS112-8G-4S
# serial number =
# Switch: one VLAN-aware bridge, now with ingress filtering on the bridge
# interface itself.
/interface bridge
add vlan-filtering=yes ingress-filtering=yes name=main_bridge_switch
# Rename the ports by role: ether1 management, ether2 trunk, ether3-8 access.
/interface ethernet
set [find default-name=ether1] name=ether1_management
set [find default-name=ether2] name=ether2_trunk
set [find default-name=ether3] name=ether3_LAN
set [find default-name=ether4] name=ether4_LAN
set [find default-name=ether5] name=ether5_LAN
set [find default-name=ether6] name=ether6_LAN
set [find default-name=ether7] name=ether7_LAN
set [find default-name=ether8] name=ether8_LAN
# Layer-3 interface of the switch in VLAN 5, used for management.
/interface vlan
add name=vlan5_management vlan-id=5 interface=main_bridge_switch
/interface wireless security-profiles
set [find default=yes] supplicant-identity=MikroTik
# The out-of-band management port still hands out addresses (10.2.2.10-200).
/ip pool
add ranges=10.2.2.10-10.2.2.200 name=dhcp_pool0
/ip dhcp-server
add name=dhcp_management interface=ether1_management address-pool=dhcp_pool0 lease-time=1d disabled=no
# Bridge membership with ingress filtering on every port. Access-port PVIDs:
# ether3/4 -> 2, ether5/6 -> 3, ether7 -> 5, ether8 -> 4. ether2_trunk has no
# pvid set here.
# NOTE(review): ether7_LAN has pvid=5, but the VLAN table below lists it as an
# untagged member of VLAN 4 together with ether8_LAN - PVID and membership
# disagree; decide which VLAN the port belongs to.
/interface bridge port
add bridge=main_bridge_switch ingress-filtering=yes interface=ether3_LAN \
pvid=2
add bridge=main_bridge_switch ingress-filtering=yes interface=ether4_LAN \
pvid=2
add bridge=main_bridge_switch ingress-filtering=yes interface=ether5_LAN \
pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether6_LAN \
pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether7_LAN \
pvid=5
add bridge=main_bridge_switch ingress-filtering=yes interface=ether8_LAN \
pvid=4
add bridge=main_bridge_switch ingress-filtering=yes interface=ether2_trunk
# Neighbor discovery runs on every interface that is not dynamic.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLAN table: VLANs 2, 3 and 4 are tagged on the trunk and untagged on access
# ports. VLAN 5 is tagged on the bridge for vlan5_management.
# NOTE(review): VLAN 5 is listed as untagged on ether2_trunk, while the other
# VLANs are tagged there and the router export earlier in the thread tags
# VLAN 5 on its trunk port - presumably ether2_trunk belongs in tagged= for
# VLAN 5 as well.
# NOTE(review): VLAN 5 carries both switch management and the access port
# ether7_LAN, so a device on that port shares the management segment.
/interface bridge vlan
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
ether3_LAN,ether4_LAN vlan-ids=2
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
ether5_LAN,ether6_LAN vlan-ids=3
add bridge=main_bridge_switch tagged=main_bridge_switch untagged=ether2_trunk \
vlan-ids=5
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
ether7_LAN,ether8_LAN vlan-ids=4
# Static address on the out-of-band management port.
/ip address
add address=10.2.2.1/24 interface=ether1_management network=10.2.2.0
# In-band management address: leased via DHCP on the VLAN 5 interface.
/ip dhcp-client
add disabled=no interface=vlan5_management
/ip dhcp-server network
add address=10.2.2.0/24 gateway=10.2.2.1
# Management services: the unencrypted ones (telnet, ftp, www) and both API
# services are switched off.
# NOTE(review): ssh and winbox are not listed and presumably stay enabled with
# no address limit; this export contains no firewall rules, so they answer on
# both the management port and the VLAN 5 address.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
add bridge=main_bridge_switch tagged=main_bridge_switch untagged=ether2_trunk \
vlan-ids=5
hey Giga,Do you have hardware offloading enabled ?
yes its checked on each general tab for each interface..When you open each interface you added to the bridge you will find check box hardware offloading. Its under general tab
thanks!!CRSxxx are switches. And all have L2 HW offload. It's just that on CRS1xx and 2xx bridge can HW offload only basic switching (non-VLAN aware, etc.) while on CRS3xx and CRS5xx bridge can offload VLANs as well. This is what HW property on bridge ports is all about.
But we didn't mention routing yet. Because: if device can run ROS, it can also route. But performance can be extremely low if CPU is not fast and CRS devices (out of a box) have terribly low routing performance. Alas, CRS3xx (and 5xx) support L3HW offload in certain scenarios and in this case they may route at wire speed.
You are still wrong, the 310 has two SFP+ ports, so its more like 10Gigs at least not 2.5!!I know, but that is for routing performance. I hope OP here plan to use it strictly as switch. Not router.
Point of repeating already provided information???Actually, the 310-8G, as a router should provide you somewhere around 180-200Mbps
If you are talking switching throughput 38Gigs.
yes it's enough i don't plan on opening an ISP company soonI missed that part... But anyway for OP is more than enough
Yeah, sure, they make very good company.But on CRS310, have one in my living room and soon one in my work room. Great little devices.
correct it’ a laptop so no battery issues.. but went into panic mode for some minutes!!@gigabyte091
I would presume that the ASUS ROG strix[1] has no need for a UPS (unless antonio is running it without a battery or a completely depleted one)
Back in the (good) ol' days, when the CIH virus struck:
https://en.wikipedia.org/wiki/CIH_(computer_virus)
we had no fancy dual Bioses, nor programmers (luxury!) and we did a lot of hot-swapping of the BIOS chips.
https://tinyapps.org/blog/200702250700_ ... y_day.html
... kids today ...
[1] it is a laptop
yes DPI /IDP for home use of course budget .. max 400EuroPlease define NEXT GEN - using cute buzz words means nothing to me.
If you're looking for DPI and IDP subscription services, you're barking up the wrong tree here.
Again, being vague is not helpful. Stating "relatively cheap" is another bogus statement that has no real meaning. What is your budget?
https://eu.store.ui.com/eu/en/pro/products/ucg-ultrayes DPI /IDP for home use of course budget .. max 400Euro
I want a secure home free from attacks and hackers..I have one question, why all of that ?
Not knowing how to spend 400 Euro in excess?I have one question, why all of that ?
I am not a hacker, but if I were one, I would first find a way to get the list of IDS/IPS customers, they should be at the same time rich enough to be able to pay the service and gullible enough to believe that they are safe because of IDS/IPS (even if IDS/IPS protects them from some attacks they will be vulnerable in some other ways).I want a secure home free from attacks and hackers..
Then OP should ask his wife, she will know how to spend itNot knowing how to spend 400 Euro in excess?I have one question, why all of that ?
agree..If someone wants to hack you they will find a way. There is no perfect security but i think it's much better to educate your family how internet can be a dangerous place instead of buying expensive equipment.
I have VLANs and Adguard and never had any problem. IoT devices have their own VLAN. Cameras another, IPTV third and my trusted network fourth.
hi Giga,Save a little bit more money and buy this beauty: https://mikrotik.com/product/crs326_4c_20g_2q_rm
To bad it isn't poe...
Thank God my wife don't ask to many questions, she just doesn't want to see cables on the floor
@antoniocerasuolo probably because the CRS310 has the 2.5 Gigabit ports?
I also notice that the AX3 router has no switch chips ...
How secure is the quick connect on Synology? and i have enabled the synology quick connect from internet
Its a good practise to learn about the technology you are using and not simply being a blind mouseQuickConnect Web Portal is secured by end-to-end encryption when the browser is redirected to the Synology NAS using LAN or WAN connection. Otherwise, the request is directed to the Portal Server.
thanksHow secure is the quick connect on Synology?and i have abilitated the synology quick connect from internetIts a good practise to learn about the technology you are using and not simply being a blind mouseQuickConnect Web Portal is secured by end-to-end encryption when the browser is redirected to the Synology NAS using LAN or WAN connection. Otherwise, the request is directed to the Portal Server.
thanks Giga,That's why @Mesquite proposed access via wireguard
@ antoniocerasuolo but i guess anyone that finds my url on the internet somehow.. can at least gain access to my NAS and from there try to hack it?
to some extent you're right.. but struggling just the same as all of us..@ antoniocerasuolobut iguess anyone that finds my url on the internet somehow.. can at lkeast gain access to my NAS and from there try to hack it?
Apparently you do not comprehend how quick connect works …. And apparently All you want is to be hand held by others …
Without the proper user ID and password that quick connect URL you speak of is utterly useless to a hacker
Giga,Did you port forward those ports on your ax2 ?
hi Giga,You can't just made up any port. To address means to internal IP address where your device you want to forward port resides not your public IP.
Think a little, you have DST-NAT, so you are forwarding all traffic coming to the router on port 6667 to your INTERNAL IP on that port (or it can be a different port but i don't think that's the case here.)
I think Normis did a great job explaining this in video.
Also to port is port you want to forward to, usually you put here in your case 6667.
For ISP router it's best to put it in bridge mode if possible... No need for double routers and double NAT.