Code: Select all
# apr/16/2024 14:54:48 by RouterOS 6.49.10
# software id = IJH1-AHYL
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D7D1923
/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name="2.4Ghz(FA)"
add band=5ghz-a/n/ac extension-channel=XXXX name="5Ghz(FA)"
/interface bridge
add name=bridge_guest
add admin-mac=08:55:31:77:CF:07 auto-mac=no name=bridge_spa
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-77CF0B wireless-protocol=802.11
# managed by CAPsMAN
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-77CF0C wireless-protocol=802.11
/interface vlan
add interface=ether5 name=vlan_guest vlan-id=10
/caps-man datapath
add bridge=bridge_spa client-to-client-forwarding=yes local-forwarding=yes \
name=SPA_WIFI
add bridge=bridge_guest client-to-client-forwarding=yes local-forwarding=yes \
name=SPA_GUEST
/caps-man security
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=no encryption=aes-ccm \
group-encryption=aes-ccm name=SPA_WIFI
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm group-key-update=10m name=SPA-GUEST
/caps-man configuration
add channel="2.4Ghz(FA)" channel.skip-dfs-channels=yes country=spain \
datapath=SPA_WIFI datapath.bridge=bridge_spa hw-retries=4 mode=ap \
multicast-helper=full name=SPA_WIFI_2.4GHz security=SPA_WIFI ssid=\
SPA_WIFI
add channel="5Ghz(FA)" channel.skip-dfs-channels=yes country=spain datapath=\
SPA_WIFI datapath.bridge=bridge_spa guard-interval=any hw-retries=4 mode=\
ap multicast-helper=full name=SPA_WIFI_5GHz security=SPA_WIFI ssid=\
SPA_WIFI
add channel="2.4Ghz(FA)" channel.skip-dfs-channels=yes country=spain \
datapath=SPA_GUEST hw-retries=4 mode=ap multicast-helper=full name=\
SPA_GUEST security=SPA-GUEST ssid=SPA_GUEST
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool0 ranges=192.168.101.80-192.168.101.99
add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.15
/ip dhcp-server
add address-pool=pool0 disabled=no interface=bridge_spa name=SPA_WIFI
add address-pool=dhcp_pool1 disabled=no interface=bridge_guest name=SPA_GUEST
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge_spa
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,g,gn \
master-configuration=SPA_WIFI_2.4GHz name-format=identity \
slave-configurations=SPA_GUEST
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
master-configuration=SPA_WIFI_5GHz name-format=identity
/interface bridge port
add bridge=bridge_spa interface=ether2
add bridge=bridge_spa interface=ether3
add bridge=bridge_spa interface=ether4
add bridge=bridge_spa interface=ether5
add bridge=bridge_spa interface=wlan1
add bridge=bridge_spa interface=wlan2
add bridge=bridge_guest interface=vlan_guest
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge_spa list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
#
set bridge=bridge_spa discovery-interfaces=bridge_spa enabled=yes interfaces=\
wlan1,wlan2
/ip address
add address=192.168.101.195/24 interface=bridge_spa network=192.168.101.0
add address=192.168.99.1/24 interface=bridge_guest network=192.168.99.0
/ip dhcp-client
add disabled=no interface=bridge_spa
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1 gateway=\
192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.101.1 gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" in-interface-list=WAN \
src-address=192.168.99.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=SPA_WADMIN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN