Hello everyone,
this is my final configuration of the router board. I am not a network engineer, but thanks to you (especially Anav) I studied and built this configuration. I would like to ask you to look at it, judge it, and if something should be changed, tell me what and why.
Thanks to anyone who spends time on this.
# 2025-04-02 15:03:21 by RouterOS 7.18.2
# model = RB5009UG+S+
# Configuration export. An export normally lists only non-default values, so a
# setting that does not appear below is at its RouterOS default; values shown
# as xxx were masked by the poster (ISP VLAN/PPPoE details, public IP, ports).
/container mounts
# Persistent Pi-hole configuration is kept on the second USB disk.
add dst=/etc/pihole name=pihole_etc src=/usb2-part1/container_pihole/etc
/disk
set usb1 slot=usb1
add parent=usb1 partition-number=1 partition-offset="1 048 576" \
partition-size="500 104 200 704" type=partition
add parent=usb2 partition-number=1 partition-offset=512 partition-size=\
"500 107 861 504" type=partition
/interface bridge
# BR-Capsman is the only VLAN-aware bridge (vlan-filtering=yes); all user VLANs
# and the CAP management traffic ride on it.
add admin-mac=F6:2C:EA:E2:08:97 auto-mac=no comment=Capsman name=BR-Capsman \
port-cost-mode=short priority=0x1000 vlan-filtering=yes
# Single-purpose bridges with STP disabled (protocol-mode=none): one holds the
# Pi-hole veth, the other joins macvlan100/macvlan400 for mDNS/SSDP forwarding.
add admin-mac=4A:89:21:54:BD:D4 auto-mac=no comment=PiHole mtu=1500 name=\
BR-PiHole port-cost-mode=short protocol-mode=none
# NOTE(review): this admin-mac is the same MAC later assigned to macvlan100.
add admin-mac=BA:C9:E8:55:EE:D8 auto-mac=no comment=-mDNS mtu=1500 name=\
BR-mDNS protocol-mode=none
/interface ethernet
# Only ether1 (ISP uplink), ether8 and sfp-sfpplus1 are in use; every other
# copper port is administratively disabled, which keeps unused ports from being
# plugged into the untagged (management) VLAN by accident.
set [ find default-name=ether1 ] l2mtu=1600
set [ find default-name=ether2 ] disabled=yes l2mtu=1600
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] l2mtu=1600
set [ find default-name=sfp-sfpplus1 ] l2mtu=1600
/interface veth
# Container leg: the Pi-hole gets 192.168.55.55 in its own /26 behind BR-PiHole,
# with the router's BR-PiHole address (192.168.55.1) as its gateway, so every
# packet between the container and any VLAN passes the IP firewall.
add address=192.168.55.55/26,fc00:db8:55::55/64 gateway=192.168.55.1 \
gateway6=fc00:db8:55::1 name=veth-pihole
/interface vlan
# Routed VLAN interfaces on BR-Capsman. Note that 900-Control gets no IP address
# further down: the Control network (10.10.0.0/24) is addressed on BR-Capsman
# itself, i.e. on the untagged VLAN, not on VLAN 900.
add comment=Lan interface=BR-Capsman name=100-Lan vlan-id=100
add comment=Mamma interface=BR-Capsman name=200-Mamma vlan-id=200
add comment=Guests interface=BR-Capsman name=300-Guest vlan-id=300
add comment=Domus interface=BR-Capsman name=400-Domus vlan-id=400
add comment=Control interface=BR-Capsman name=900-Control vlan-id=900
# ISP-side VLAN on ether1 (ID masked by the poster).
add comment=WAN interface=ether1 name=xxx-vlan vlan-id=xxx
/interface pppoe-client
# WAN uplink; the PPPoE password is not part of the export.
add add-default-route=yes disabled=no interface=xxx-vlan name=\
xxx-pppoe user=xxx
/interface macvlan
# Legs of the mDNS bridge into VLAN 100 and VLAN 400 (mode=private).
add interface=100-Lan mac-address=BA:C9:E8:55:EE:D8 mode=private name=\
macvlan100
add interface=400-Domus mac-address=C2:AB:7F:29:3C:40 mode=private name=\
macvlan400
/interface list
# WAN/LAN/INTERNET are referenced by the firewall and detect-internet;
# TRUSTED is used by neighbor discovery; BASE has no members in this export.
add name=WAN
add name=LAN
add name=TRUSTED
add name=INTERNET
add name=BASE
/interface wifi channel
add band=2ghz-n disabled=yes frequency=2437 name=silent width=20/40mhz-Ce
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=channel5Ghz \
skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=channel1-6-11 \
width=20mhz
add band=2ghz-ax disabled=no frequency=2437 name=channel6 width=20mhz
/interface wifi datapath
# Each datapath tags the SSID's clients into one VLAN on BR-Capsman.
add bridge=BR-Capsman disabled=no name=Wifi_Mamma vlan-id=200
add bridge=BR-Capsman disabled=no name=Wifi_Guest vlan-id=300
add bridge=BR-Capsman disabled=no name=Wifi_Lan vlan-id=100
add bridge=BR-Capsman disabled=no name=Wifi_Domus vlan-id=400
# The hidden "silent" SSID shares VLAN 200 with the Mamma network.
add bridge=BR-Capsman disabled=no name=Wifi_Silent vlan-id=200
/interface wifi security
# Passphrases are omitted by the export. Only the lan profile offers WPA3;
# guest and lan enable 802.11r fast transition.
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=\
guest
add authentication-types=wpa2-psk disabled=no name=silent
# NOTE(review): encryption="" clears the cipher list on the domus (IoT) profile;
# confirm the effective cipher with /interface wifi security print detail.
add authentication-types=wpa2-psk disabled=no encryption="" name=domus
add authentication-types=wpa2-psk disabled=no name=mamma
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name=lan
/interface wifi configuration
# Master configurations (one per radio, with channel and country) and slave
# configurations (guest, lan2G, lan5G, silent) that are attached to the
# masters' virtual interfaces by the provisioning rules further down.
add antenna-gain=2 country=Italy datapath=Wifi_Guest disabled=no name=guest \
security=guest ssid=Clochards
add country=Italy datapath=Wifi_Mamma disabled=no hide-ssid=yes mode=ap name=\
silent security=silent ssid=silent
add antenna-gain=10 channel=channel1-6-11 country=Italy datapath=Wifi_Domus \
disabled=no mode=ap name=studio_2ghz security=domus ssid=LimitService2G
add channel=channel1-6-11 country=Italy datapath=Wifi_Domus disabled=no mode=\
ap name=centro_2ghz security=domus ssid=LimitService2G
add channel=channel6 country=Italy datapath=Wifi_Domus disabled=no mode=ap \
name=server_2ghz security=domus ssid=LimitService2G
add antenna-gain=5 channel=channel1-6-11 country=Italy datapath=Wifi_Domus \
disabled=no mode=ap name=taverna_2ghz security=domus ssid=LimitService2G
add datapath=Wifi_Lan disabled=no mode=ap name=lan2G security=lan ssid=\
HyperLimitless
add channel=channel5Ghz country=Italy datapath=Wifi_Domus disabled=no mode=ap \
name=centro_5ghz security=domus ssid=LimitService5G
add datapath=Wifi_Lan disabled=no mode=ap name=lan5G security=lan ssid=\
HyperLimitless
add channel=channel5Ghz country=Italy datapath=Wifi_Domus disabled=no mode=ap \
name=esterno_5ghz security=domus ssid=LimitService5G
add antenna-gain=5 channel=channel5Ghz country=Italy datapath=Wifi_Domus \
disabled=no mode=ap name=server_5ghz security=domus ssid=LimitService5G
add antenna-gain=5 channel=channel5Ghz country=Italy datapath=Wifi_Domus \
disabled=no mode=ap name=studio_5ghz security=domus ssid=LimitService5G
add channel=channel5Ghz country=Italy datapath=Wifi_Domus disabled=no mode=ap \
name=taverna_5ghz security=domus ssid=LimitService5G
add channel=channel1-6-11 country=Italy datapath=Wifi_Domus disabled=no mode=\
ap name=esterno_2ghz security=domus ssid=LimitService2G
/interface wifi
# CAPsMAN-managed radios. The "%BR-Capsman" suffix in the generated comments
# indicates the CAPs are reached through that bridge; traffic processing is
# done on the CAP, so VLAN tagging happens on the access point.
# NOTE(review): every 2.4 GHz Domus master below carries an interface-level
# override "configuration.mode=ap datapath.vlan-id=none" that the 5 GHz
# masters do not. Interface-level settings take precedence over the datapath
# profile, so verify that a 2.4 GHz LimitService2G client really receives a
# 192.168.240.x (VLAN 400) lease and not an address from the untagged
# 10.10.0.0/24 control network.
# operated by CAP 48:A9:8A:0E:06:A3%BR-Capsman, traffic processing on CAP
add configuration=centro_5ghz disabled=no name=cap-wifi1 radio-mac=\
48:A9:8A:0E:06:A8
# operated by CAP 48:A9:8A:0E:06:A3%BR-Capsman, traffic processing on CAP
add configuration=lan5G disabled=no mac-address=4A:A9:8A:0E:06:A8 \
master-interface=cap-wifi1 name=cap-wifi1-virtual1
# operated by CAP 48:A9:8A:BC:A5:1F%BR-Capsman, traffic processing on CAP
# antenna-gain locked, using 6
add configuration=server_5ghz disabled=no name=cap-wifi2 radio-mac=\
48:A9:8A:BC:A5:24
# operated by CAP 48:A9:8A:BC:A5:1F%BR-Capsman, traffic processing on CAP
add configuration=lan5G disabled=no mac-address=4A:A9:8A:BC:A5:24 \
master-interface=cap-wifi2 name=cap-wifi2-virtual1
# operated by CAP 48:A9:8A:0E:09:58%BR-Capsman, traffic processing on CAP
add configuration=esterno_5ghz disabled=no name=cap-wifi3 radio-mac=\
48:A9:8A:0E:09:5D
# operated by CAP 48:A9:8A:0E:09:58%BR-Capsman, traffic processing on CAP
add configuration=lan5G disabled=no mac-address=4A:A9:8A:0E:09:5D \
master-interface=cap-wifi3 name=cap-wifi3-virtual1
# operated by CAP 48:A9:8A:0E:06:42%BR-Capsman, traffic processing on CAP
add configuration=taverna_5ghz disabled=no name=cap-wifi4 radio-mac=\
48:A9:8A:0E:06:47
# operated by CAP 48:A9:8A:0E:06:42%BR-Capsman, traffic processing on CAP
add configuration=lan5G disabled=no mac-address=4A:A9:8A:0E:06:47 \
master-interface=cap-wifi4 name=cap-wifi4-virtual1
# operated by CAP 48:A9:8A:0E:03:4C%BR-Capsman, traffic processing on CAP
add configuration=studio_2ghz configuration.mode=ap datapath.vlan-id=none \
disabled=no name=cap-wifi5 radio-mac=48:A9:8A:0E:03:52
# operated by CAP 48:A9:8A:0E:03:4C%BR-Capsman, traffic processing on CAP
add configuration=lan2G disabled=no mac-address=4A:A9:8A:0E:03:52 \
master-interface=cap-wifi5 name=cap-wifi5-virtual1
# operated by CAP 48:A9:8A:0E:03:4C%BR-Capsman, traffic processing on CAP
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:03:53 \
master-interface=cap-wifi5 name=cap-wifi5-virtual2
# operated by CAP 48:A9:8A:0E:06:A3%BR-Capsman, traffic processing on CAP
add configuration=centro_2ghz configuration.mode=ap datapath.vlan-id=none \
disabled=no name=cap-wifi6 radio-mac=48:A9:8A:0E:06:A9
# operated by CAP 48:A9:8A:0E:06:A3%BR-Capsman, traffic processing on CAP
add configuration=lan2G disabled=no mac-address=4A:A9:8A:0E:06:A9 \
master-interface=cap-wifi6 name=cap-wifi6-virtual1
# operated by CAP 48:A9:8A:0E:06:A3%BR-Capsman, traffic processing on CAP
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:AA \
master-interface=cap-wifi6 name=cap-wifi6-virtual2
# operated by CAP 48:A9:8A:0E:03:4C%BR-Capsman, traffic processing on CAP
# antenna-gain locked, using 6
add configuration=studio_5ghz disabled=no name=cap-wifi7 radio-mac=\
48:A9:8A:0E:03:51
# operated by CAP 48:A9:8A:0E:03:4C%BR-Capsman, traffic processing on CAP
add configuration=lan5G disabled=no mac-address=4A:A9:8A:0E:03:51 \
master-interface=cap-wifi7 name=cap-wifi7-virtual1
# operated by CAP 48:A9:8A:0E:09:58%BR-Capsman, traffic processing on CAP
add configuration=esterno_2ghz configuration.mode=ap datapath.vlan-id=none \
disabled=no name=cap-wifi8 radio-mac=48:A9:8A:0E:09:5E
# operated by CAP 48:A9:8A:0E:09:58%BR-Capsman, traffic processing on CAP
add configuration=lan2G disabled=no mac-address=4A:A9:8A:0E:09:5E \
master-interface=cap-wifi8 name=cap-wifi8-virtual1
# operated by CAP 48:A9:8A:0E:09:58%BR-Capsman, traffic processing on CAP
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:09:5F \
master-interface=cap-wifi8 name=cap-wifi8-virtual2
# operated by CAP 48:A9:8A:BC:A5:1F%BR-Capsman, traffic processing on CAP
add configuration=server_2ghz configuration.mode=ap datapath.vlan-id=none \
disabled=no name=cap-wifi9 radio-mac=48:A9:8A:BC:A5:25
# operated by CAP 48:A9:8A:BC:A5:1F%BR-Capsman, traffic processing on CAP
add configuration=lan2G disabled=no mac-address=4A:A9:8A:BC:A5:25 \
master-interface=cap-wifi9 name=cap-wifi9-virtual1
# operated by CAP 48:A9:8A:BC:A5:1F%BR-Capsman, traffic processing on CAP
add configuration=guest disabled=no mac-address=4A:A9:8A:BC:A5:26 \
master-interface=cap-wifi9 name=cap-wifi9-virtual2
# operated by CAP 48:A9:8A:BC:A5:1F%BR-Capsman, traffic processing on CAP
add configuration=silent disabled=no mac-address=4A:A9:8A:BC:A5:27 \
master-interface=cap-wifi9 name=cap-wifi9-virtual3
# operated by CAP 48:A9:8A:0E:06:42%BR-Capsman, traffic processing on CAP
add configuration=taverna_2ghz configuration.mode=ap datapath.vlan-id=none \
disabled=no name=cap-wifi10 radio-mac=48:A9:8A:0E:06:48
# operated by CAP 48:A9:8A:0E:06:42%BR-Capsman, traffic processing on CAP
add configuration=lan2G disabled=no mac-address=4A:A9:8A:0E:06:48 \
master-interface=cap-wifi10 name=cap-wifi10-virtual1
# operated by CAP 48:A9:8A:0E:06:42%BR-Capsman, traffic processing on CAP
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:49 \
master-interface=cap-wifi10 name=cap-wifi10-virtual2
/ip pool
add name=MammaPool ranges=10.255.255.50-10.255.255.230
add name=GuestsPool ranges=172.16.0.2-172.16.15.254
add name=DomusPool ranges=192.168.240.50-192.168.240.230
add name=LanPool ranges=192.168.0.50-192.168.0.230
add name=ControlPool ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
# Lan and Domus leases are published into /ip dns static by the lease scripts
# (lan2dns, domus2dns); add-arp=yes ties the ARP entry to the lease.
add add-arp=yes address-pool=LanPool interface=100-Lan lease-script=lan2dns \
lease-time=1w name=Lan_dhcp
# Server name is spelled "dchp"; it is referenced by that name in the static
# leases below, so renaming it would require updating those entries too.
add add-arp=yes address-pool=MammaPool bootp-support=none interface=200-Mamma \
lease-time=1d name=Mamma_dchp
add add-arp=yes address-pool=GuestsPool interface=300-Guest lease-time=12h \
name=Guests_dhcp
add add-arp=yes address-pool=DomusPool interface=400-Domus lease-script=\
domus2dns lease-time=1w name=Domus_dhcp
# The Control/CAP management DHCP runs on the bridge itself (untagged VLAN),
# not on the 900-Control VLAN interface.
add add-arp=yes address-pool=ControlPool interface=BR-Capsman lease-time=1w \
name=Control_dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/ipv6 dhcp-server
# IPv6 is configured with ULA prefixes only. NOTE(review): the /ipv6 firewall
# raw rule near the end of this export drops every incoming IPv6 packet, so
# these servers cannot hand out leases while that rule is active.
add address-pool=DomusPool_v6 interface=400-Domus lease-time=1w name=\
Domus_dhcp_v6
add address-pool=LanPool_v6 interface=100-Lan lease-time=1w name=Lan_dhcp_v6
add address-pool=MammaPool_v6 interface=200-Mamma lease-time=1d name=\
Mamma_dchp_vv6
/ipv6 pool
# NOTE(review): fd00::/8 is the locally-assigned ULA half; fc00:db8:: prefixes
# are outside it (and reuse the documentation-style "db8" block).
add name=LanPool_v6 prefix=fc00:db8:100::/64 prefix-length=64
add name=DomusPool_v6 prefix=fc00:db8:240::/64 prefix-length=64
add name=MammaPool_v6 prefix=fc00:db8:255::/64 prefix-length=64
/container
# Pi-hole container: root filesystem and image pulls live on the USB disk; the
# container only has the veth-pihole leg, so its network reach is whatever the
# IP firewall allows for BR-PiHole.
add envlist=pihole_envs interface=veth-pihole mounts=pihole_etc root-dir=\
usb2-part1/pihole start-on-boot=yes workdir=/
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb2-part1/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Rome
# Web UI password (masked by the poster); it is stored in plain text in the
# configuration, so treat exports/backups of this router as sensitive.
add key=WEBPASSWORD name=pihole_envs value="xxx"
# NOTE(review): this presumably runs the DNS daemon as root inside the
# container; confirm it is actually required, otherwise leave the image default.
add key=DNSMASQ_USER name=pihole_envs value=root
# Matches the veth address above.
add key=FTLCONF_LOCAL_IPV4 name=pihole_envs value=192.168.55.55
/ip smb
set enabled=no
/interface bridge filter
# L2 filter on the mDNS bridge: only mDNS, SSDP and the HDHomeRun discovery
# broadcast (all UDP) are allowed to cross between VLAN 100 and VLAN 400;
# everything else that enters BR-mDNS is dropped by the last rule.
# NOTE(review): log-prefix is inert without log=yes on the same rule; either
# add log=yes while troubleshooting or drop the prefixes.
add action=accept chain=forward comment="Allow mDNS only" dst-address=\
224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF \
dst-port=5353 in-bridge=BR-mDNS ip-protocol=udp log-prefix="forward MDNS" \
mac-protocol=ip out-bridge=BR-mDNS src-port=5353
add action=accept chain=forward comment="Forward SSDP" dst-address=\
239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF \
dst-port=1900 in-bridge=BR-mDNS ip-protocol=udp log-prefix="forward SSDP" \
mac-protocol=ip out-bridge=BR-mDNS
add action=accept chain=forward comment="Forward HDHR" dst-address=\
255.255.255.255/32 dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
dst-port=65001 in-bridge=BR-mDNS ip-protocol=udp log-prefix=\
"forward HDHR" mac-protocol=ip out-bridge=BR-mDNS
add action=drop chain=forward comment="Drop all other L2 traffic" in-bridge=\
BR-mDNS out-bridge=BR-mDNS
/interface bridge nat
# Rewrites the source MAC of the forwarded multicast/broadcast frames to the
# admin-mac of BR-Capsman; the log-prefix values are inert here as well.
add action=src-nat chain=srcnat comment="mDNS - SNAT to Primary VLAN bridge" \
dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF log-prefix="NAT mdns" \
to-src-mac-address=F6:2C:EA:E2:08:97
add action=src-nat chain=srcnat comment="SSDP - SNAT to Primary VLAN bridge" \
dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF log-prefix="NAT ssdp" \
to-src-mac-address=F6:2C:EA:E2:08:97
add action=src-nat chain=srcnat comment="HDHR- SNAT to Primary VLAN bridge" \
dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF log-prefix="NAT HDHR" \
to-src-mac-address=F6:2C:EA:E2:08:97
/interface bridge port
# sfp-sfpplus1 is the trunk to the switch/CAPs. No pvid is set, so untagged
# frames on it land in VLAN 1, which is where the 10.10.0.0/24 control network
# is addressed (on BR-Capsman itself). No frame-types restriction is shown, so
# the trunk admits untagged frames; if only tagged traffic is expected there,
# frame-types=admit-only-vlan-tagged would make that explicit.
add bridge=BR-Capsman interface=sfp-sfpplus1 internal-path-cost=10 path-cost=\
10
# ether8 is an access port in the Lan VLAN.
add bridge=BR-Capsman interface=ether8 internal-path-cost=10 path-cost=10 \
pvid=100
add bridge=BR-mDNS interface=macvlan100
add bridge=BR-mDNS interface=macvlan400
add bridge=BR-PiHole interface=veth-pihole internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# MNDP/LLDP only on the trusted Lan VLAN, so the router does not announce
# itself on guest/IoT/management segments.
set discover-interface-list=TRUSTED
/interface bridge vlan
# VLAN table for BR-Capsman: every user VLAN is tagged towards the trunk and
# towards the bridge (router) itself; only VLAN 100 has an untagged access
# port (ether8). There is no entry for VLAN 1, so the untagged management
# traffic relies on the bridge's default handling of the pvid VLAN.
add bridge=BR-Capsman comment="Mamma VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=200
add bridge=BR-Capsman comment="Guest VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=300
add bridge=BR-Capsman comment="Lan VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
untagged=ether8 vlan-ids=100
# VLAN 900 is carried on the trunk but has no IP address on the router.
add bridge=BR-Capsman comment="Control VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=900
add bridge=BR-Capsman comment="Domuns VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=400
/interface detect-internet
set detect-interface-list=INTERNET internet-interface-list=INTERNET \
lan-interface-list=LAN wan-interface-list=WAN
/interface list member
# LAN contains every inside interface, including the Pi-hole bridge and the
# untagged management bridge; TRUSTED is only the Lan VLAN. Membership in LAN
# is what the "internet traffic" forward rule and the input rules key on.
add interface=xxx-pppoe list=WAN
add interface=100-Lan list=LAN
add interface=xxx-vlan list=WAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=400-Domus list=LAN
add interface=100-Lan list=TRUSTED
add interface=900-Control list=LAN
add interface=BR-Capsman list=LAN
add interface=BR-PiHole list=LAN
add interface=xxx-pppoe list=INTERNET
/interface wifi capsman
# NOTE(review): require-peer-certificate=no means CAPs are not authenticated by
# certificate; anything on BR-Capsman can register as a CAP. Provisioning is
# pinned by radio-mac below, so an unlisted radio would not be configured, but
# certificate-based CAP authentication would be the stronger control.
set enabled=yes interfaces=BR-Capsman package-path="" \
require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
# One rule per radio, matched by radio-mac: each 5 GHz radio gets its Domus
# master plus the lan5G slave; each 2.4 GHz radio gets its Domus master plus
# lan2G and guest (server_2ghz also gets the hidden "silent" SSID).
add action=create-enabled disabled=no master-configuration=studio_5ghz \
radio-mac=48:A9:8A:0E:03:51 slave-configurations=lan5G
add action=create-enabled disabled=no master-configuration=studio_2ghz \
radio-mac=48:A9:8A:0E:03:52 slave-configurations=lan2G,guest
add action=create-enabled disabled=no master-configuration=taverna_5ghz \
radio-mac=48:A9:8A:0E:06:47 slave-configurations=lan5G
add action=create-enabled disabled=no master-configuration=taverna_2ghz \
radio-mac=48:A9:8A:0E:06:48 slave-configurations=lan2G,guest
add action=create-enabled disabled=no master-configuration=centro_5ghz \
radio-mac=48:A9:8A:0E:06:A8 slave-configurations=lan5G
add action=create-enabled disabled=no master-configuration=centro_2ghz \
radio-mac=48:A9:8A:0E:06:A9 slave-configurations=lan2G,guest
add action=create-enabled disabled=no master-configuration=esterno_5ghz \
radio-mac=48:A9:8A:0E:09:5D slave-configurations=lan5G
add action=create-enabled disabled=no master-configuration=esterno_2ghz \
radio-mac=48:A9:8A:0E:09:5E slave-configurations=lan2G,guest
add action=create-enabled disabled=no master-configuration=server_5ghz \
radio-mac=48:A9:8A:BC:A5:24 slave-configurations=lan5G
add action=create-enabled disabled=no master-configuration=server_2ghz \
radio-mac=48:A9:8A:BC:A5:25 slave-configurations=lan2G,guest,silent
/ip address
# Router addresses. 192.168.240.150 (used by the "SSH" input rule) is NOT a
# router address, so that input rule cannot match.
add address=192.168.0.1/24 interface=100-Lan network=192.168.0.0
add address=172.16.0.1/20 interface=300-Guest network=172.16.0.0
add address=10.255.255.1/24 interface=200-Mamma network=10.255.255.0
add address=192.168.240.1/24 interface=400-Domus network=192.168.240.0
# Control/CAP management network lives on the untagged side of BR-Capsman.
add address=10.10.0.1/24 interface=BR-Capsman network=10.10.0.0
add address=192.168.55.1/26 interface=BR-PiHole network=192.168.55.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-server lease
# Static leases; "..." lines are elisions made by the poster, not config.
add address=192.168.240.120 comment=Presa-Meross-Lavastoviglie mac-address=\
48:E1:E9:14:6B:AA server=Domus_dhcp
...
add address=192.168.0.103 client-id=1:5a:32:3f:32:18:a8 comment=GalaxyWatch4 \
mac-address=5A:32:3F:32:18:A8 server=Lan_dhcp
...
add address=10.255.255.104 client-id=1:88:44:77:91:51:96 comment=ZIO-Honor6x \
mac-address=88:44:77:91:51:96 server=Mamma_dchp
...
add address=10.10.0.12 client-id=1:d4:1:c3:8c:62:1b comment=SW-Studio \
mac-address=D4:01:C3:8C:62:1B server=Control_dhcp
...
/ip dhcp-server network
# Control network gets no DNS at all; Mamma and Guest are pointed at public
# resolvers (both are also in the "excluded" list, so the port-53 dst-nat to
# the Pi-hole does not apply to them).
add address=10.10.0.0/24 dns-none=yes gateway=10.10.0.1 netmask=24 \
ntp-server=10.10.0.1
add address=10.255.255.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.255.255.1 \
netmask=24 ntp-server=10.255.255.1
add address=172.16.0.0/20 dns-server=1.1.1.3,1.0.0.3 gateway=172.16.0.1 \
netmask=20 ntp-server=172.16.0.1
# Lan and Domus use the Pi-hole; the second entry is the same address, so
# there is no fallback resolver if the container is down (and the port-53
# dst-nat would redirect any other plain-DNS server to the Pi-hole anyway).
add address=192.168.0.0/24 dns-server=192.168.55.55,192.168.55.55 gateway=\
192.168.0.1 netmask=24 ntp-server=192.168.0.1
add address=192.168.240.0/24 dns-server=192.168.55.55,192.168.55.55 gateway=\
192.168.240.1 netmask=24 ntp-server=192.168.240.1
/ip dns
# Router's own resolver: upstream over DoH to Cloudflare with certificate
# verification. allow-remote-requests=yes is reachable only from LAN because
# the input chain drops everything not coming from the LAN list.
# NOTE(review): mdns-repeat-ifaces repeats mDNS between the same two VLANs the
# BR-mDNS bridge already joins; confirm you want both mechanisms active.
set allow-remote-requests=yes cache-max-ttl=1h cache-size=8192KiB \
max-udp-packet-size=8192 mdns-repeat-ifaces=100-Lan,400-Domus servers=\
1.1.1.1,8.8.4.4 use-doh-server=https://cloudflare-dns.com/dns-query \
verify-doh-cert=yes
/ip dns static
# Pinned A records so the DoH hostname can be resolved without a working
# upstream (presumably the DoH bootstrap); keep them current with Cloudflare.
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
# Records like this one are created by the DHCP lease scripts (ttl=15m).
add address=192.168.240.116 comment=dhcp-lease-script_Domus_dhcp_comment \
name=Presa-Meross-IciaPlug ttl=15m type=A
...
/ip firewall address-list
# net_* lists name the VLAN subnets; "excluded" marks sources that bypass the
# Pi-hole redirect; DNS-DOH is (re)populated by the BlockerImport script, which
# removes every entry of that list on each run, so manual additions to it
# do not survive.
add address=192.168.0.0/24 comment="Lan NET" list=net_lan
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.55.55 comment="Excluded from PiHole" list=excluded
add address=192.168.240.0/24 comment="Domus NET" list=net_domus
add address=10.10.0.0/24 comment="Excluded from PiHole" list=excluded
add address=10.10.0.0/24 comment="Control NET" list=net_control
# NOTE(review): a static public IP entry goes stale when the PPPoE address
# changes; the dst-nat rules could match dst-address-type=local together with
# in-interface-list=WAN instead of this list.
add address=xxx comment="Pubblic IP" list=PublicIP
add address=192.168.240.10 comment="Excluded from PiHole" list=excluded
add address=192.168.0.10 comment="Excluded from PiHole" list=excluded
add address=192.168.240.210 comment="Excluded from PiHole" list=excluded
add address=8.8.8.8 list=DNS-DOH
...
add address=81.83.14.63 list=DNS-DOH
/ip firewall filter
# INPUT chain: default-drop. Only the Lan subnet gets full access to router
# services; the other VLANs reach only DNS (53) and NTP (123).
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
"ONLY allow trusted subnet full access to router services" \
src-address-list=net_lan
# NOTE(review): 192.168.240.150 is not an address of this router, so this
# input rule never matches. If it is meant to let 192.168.240.100 SSH to a
# host at .150 it belongs in chain=forward; otherwise it can be removed.
add action=accept chain=input comment="SSH" dst-address=192.168.240.150 \
dst-port=22 protocol=tcp src-address=192.168.240.100
add action=accept chain=input comment="PiHole and NTP" dst-port=53,123 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment=PiHole dst-port=53 in-interface-list=\
LAN protocol=tcp
# The two drops below together drop everything else; the second one is the
# catch-all. Consider log=yes with a log-prefix on it while validating the
# ruleset so unexpected drops are visible.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="DROP ALL ELSE"
# FORWARD chain: default-drop with explicit inter-VLAN permissions.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Sources not in "excluded" may reach the Pi-hole (DNS and its web UI).
add action=accept chain=forward comment="allow access to PiHOLE" dst-address=\
192.168.55.55 in-interface-list=LAN src-address-list=!excluded
# DoT/DoH bypass prevention: the third rule (no port/protocol) already covers
# everything the first two match, so the two port-specific rules are redundant
# unless they are kept for per-rule counters.
add action=drop chain=forward comment="BLOCK DOT" dst-address-list=DNS-DOH \
dst-port=443,853 in-interface-list=LAN protocol=udp src-address-list=\
!excluded
add action=drop chain=forward comment="BLOCK DOT" dst-address-list=DNS-DOH \
dst-port=443,853 in-interface-list=LAN protocol=tcp src-address-list=\
!excluded
add action=drop chain=forward comment="BLOCK DOH" dst-address-list=DNS-DOH \
in-interface-list=LAN src-address-list=!excluded
# Lan may initiate to Domus, Mamma and Control; the reverse direction is not
# allowed except for the HDHomeRun rule below.
add action=accept chain=forward comment="allow access to ALL DomusNET" \
dst-address-list=net_domus src-address-list=net_lan
add action=accept chain=forward comment="allow access to ALL MammaNET" \
dst-address-list=net_mamma src-address-list=net_lan
add action=accept chain=forward comment="allow access to ALL ControlNET" \
dst-address-list=net_control src-address-list=net_lan
# Already covered by "allow access to ALL MammaNET" above.
add action=accept chain=forward comment="allow access to AP Mamma" \
dst-address=10.255.255.2 src-address-list=net_lan
add action=accept chain=forward comment="allow access to MCZ from LAN" \
disabled=yes dst-address=192.168.120.1 src-address-list=net_lan
add action=accept chain=forward comment="allow access to MCZ from DOMUS" \
disabled=yes dst-address=192.168.120.1 src-address-list=net_domus
# Single deliberate IoT->Lan hole: UDP from the HDHomeRun, source port 65001.
add action=accept chain=forward comment="allow access from HDHomeRun" \
dst-address-list=net_lan dst-address-type=unicast protocol=udp \
src-address=192.168.240.161 src-port=65001
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Accepts every dst-nat'ed connection, i.e. all port forwards (including any
# mapping created dynamically by UPnP, should UPnP be enabled).
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
# Every LAN-list segment except Control may reach the internet.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN src-address-list=!net_control
add action=drop chain=forward comment="DROP ALL ELSE"
/ip firewall mangle
add action=change-mss chain=forward comment=MTU new-mss=clamp-to-pmtu \
protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Transparent DNS redirect: plain port-53 traffic from non-excluded sources is
# sent to the Pi-hole regardless of the resolver the client configured.
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
LAN protocol=udp src-address-list=!excluded to-addresses=192.168.55.55
add action=dst-nat chain=dstnat comment=Pihole dst-port=53 in-interface-list=\
LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.55.55
# Hairpin NAT for Domus hosts reaching the forwarded service by public IP.
add action=masquerade chain=srcnat comment="Harping Nat" dst-address=\
192.168.240.xxx src-address=192.168.240.0/24
# Inbound port forwards all terminate on the Domus (IoT) VLAN, keeping exposed
# services off the trusted Lan; they depend on the static PublicIP list entry.
add action=dst-nat chain=dstnat comment=Harping-Domus dst-address-list=\
PublicIP dst-port=xxx protocol=tcp to-addresses=192.168.240.xxx to-ports=\
xxx
add action=dst-nat chain=dstnat comment=Harping-Strem dst-address-list=\
PublicIP dst-port=xxx protocol=tcp to-addresses=192.168.240.xxx to-ports=\
xxx
add action=dst-nat chain=dstnat comment="Port Online:Strem UDP" \
dst-address-list=PublicIP dst-port=xxx protocol=udp to-addresses=\
192.168.240.xxx to-ports=xxx
...
/ip firewall service-port
# Connection-tracking helpers disabled for protocols not in use.
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# NOTE(review): two routes to 192.168.120.0/24 with the same distance via
# different next hops (one in Domus, one in Control); check which one is
# actually used, since equal-distance routes can be load-shared.
add comment=MCZ disabled=no distance=1 dst-address=192.168.120.0/24 gateway=\
192.168.240.7 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment=MCZ disabled=no distance=1 dst-address=192.168.120.0/24 gateway=\
10.10.0.7 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
# Clear-text and API services disabled. ssh, www and winbox are not listed, so
# they are at their defaults (enabled, no address restriction); the input
# chain limits them to net_lan, but an address= restriction on each service
# would add a second layer independent of the firewall.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp
# No enabled=yes appears here, so UPnP is presumably still off (the export
# shows non-default values only). If it is ever enabled, any device on
# 100-Lan or 400-Domus could open inbound mappings to itself, and the
# "port forwarding" forward rule would accept them; consider leaving the IoT
# VLAN (400-Domus) out of the internal list in that case.
set allow-disable-external-interface=yes
/ip upnp interfaces
add interface=xxx-pppoe type=external
add interface=100-Lan type=internal
add interface=400-Domus type=internal
add interface=xxx-vlan type=external
/ipv6 address
# ULA-style addresses on the routed VLANs and the Pi-hole bridge; see the
# note on the /ipv6 firewall raw rule about whether IPv6 is effectively in use.
add address=fc00:db8:100::1 interface=100-Lan
add address=fc00:db8:240::1 interface=400-Domus
add address=fc00:db8:55::1 interface=BR-PiHole
add address=fc00:db8:255::1 interface=200-Mamma
/ipv6 firewall address-list
# Default-configuration bogon list used by the IPv6 forward chain.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Mostly the RouterOS default IPv6 ruleset, plus an explicit drop of all IPv6
# towards the WAN. Because the raw rule at the end drops every incoming IPv6
# packet, none of these filter rules currently see traffic.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# src-address=::/0 matches everything and can be omitted.
add action=drop chain=forward comment="DROP IPv6 TO INTERNET" \
out-interface-list=WAN src-address=::/0
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 firewall raw
# NOTE(review): this rule has no matchers, so it drops every IPv6 packet that
# enters the router on any interface, including the ULA traffic and DHCPv6 the
# sections above configure. If the goal is "no IPv6 at all", the /ipv6
# address, pool and dhcp-server entries are dead configuration and could be
# removed for clarity; if IPv6 on the LAN is wanted, this rule defeats it.
add action=drop chain=prerouting comment="RESOLVE ONLY IP4"
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=RB-Router
/system logging
# NOTE(review): if rule 2 is the default "warning -> memory" rule, disabling it
# discards the :log warning messages the BlockerImport script emits; confirm
# with /system logging print. The disabled dhcp/wireless rules below are
# listed twice and can be pruned.
set 2 disabled=yes
add action=echo disabled=yes topics=dhcp
add action=echo disabled=yes topics=dhcp
add disabled=yes topics=wireless
add action=echo disabled=yes topics=wireless
add action=remote disabled=yes topics=wireless
add disabled=yes prefix=dhcp topics=debug
add disabled=yes prefix=wireless topics=debug
add disabled=yes topics=wireless,debug,error,info,info
add action=echo disabled=yes topics=dhcp
add action=echo disabled=yes topics=dhcp
add disabled=yes topics=wireless
add action=echo disabled=yes topics=wireless
add action=remote disabled=yes topics=wireless
add disabled=yes prefix=dhcp topics=debug
add disabled=yes prefix=wireless topics=debug
add disabled=yes topics=wireless,debug,error,info,info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
# Router serves NTP to the VLANs (the DHCP networks hand out the gateway as
# NTP server); the input chain accepts UDP 123 from the LAN list for this.
set broadcast-addresses=10.10.0.1 enabled=yes local-clock-stratum=1 manycast=\
yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/system scheduler
# Runs the DNS-DOH list refresh. NOTE(review): the policy set includes
# "policy", which the script does not need to fetch a file and edit an
# address list; keep scheduler and script policies to the minimum the script
# actually uses.
add interval=3w6d name=block-list on-event=BlockerImport policy=\
ftp,read,write,policy,test start-date=2024-05-01 start-time=02:00:00
/system script
# BlockerImport: downloads a list of public resolvers and rebuilds the DNS-DOH
# address list that the "BLOCK DOT/DOH" forward rules drop against.
# NOTE(review):
#  - the /tool fetch inside has no check-certificate=yes, so the HTTPS
#    download is not validated; whoever can tamper with the download controls
#    which destinations the LAN is cut off from (or is no longer cut off from).
#  - the removal step uses "find where list=$listname" without a dynamic
#    filter (the count just above it does filter on dynamic), so every entry
#    of the list, static ones included, is deleted on each run.
#  - comment=$description refers to a variable that is never set in this
#    script, so entries are created without a comment.
#  - "policy" is in the policy list but the script only fetches a file and
#    edits an address list; drop it unless something here requires it.
add dont-require-permissions=no name=BlockerImport owner=RouterOS policy=\
ftp,read,write,policy,test source="# Turris Import by Blacklister and edit\
ed by Kato\r\
\n{\r\
\n# import config - delay for slow routers\r\
\n#:delay 1m\r\
\n:log warning \"Blocker script started\"\r\
\n/ip firewall address-list\r\
\n:local update do={\r\
\n \r\
\n :if (heirule != null) do={:set \$filtering \", filtering on: \$heirule\
\"}\r\
\n :put \"Start importing address-list: \$listname\$filtering\"\r\
\n :log warning \"Start importing address-list: \$listname\$filtering\"\r\
\n \r\
\n /tool fetch url=\$url dst-path=\"/\$listname.txt\" as-value\r\
\n # delay to wait file flush after fetch\r\
\n :delay 1\r\
\n :local filesize [/file get \"\$listname.txt\" size]\r\
\n :local start 0\r\
\n :local chunkSize 32767;\t\t# requested chunk size\r\
\n :local partnumber\t(\$filesize / \$chunkSize); # how many chunk are chu\
nkSize\r\
\n :local remainder\t(\$filesize % (\$chunkSize-512)); # the last partly c\
hunk and use reduced chunkSize\r\
\n :if (\$remainder > 0) do={ :set partnumber (\$partnumber + 1) }; # tota\
l number of chunks\r\
\n \r\
\n :local listCount [:len [find list=\$listname dynamic]]\r\
\n \r\
\n :put \"Deleting \$listCount entries (dynamic) from address-list: \$list\
name\"\r\
\n :log warning \"Deleting \$listCount entries (dynamic) from address-list\
: \$listname\"\r\
\n\r\
\n :if (\$heirule = null) do={:set \$heirule \".\"}\r\
\n\r\
\n # remove the current dynamic entries completely\r\
\n :do {remove [find where list=\$listname]} on-error={};\r\
\n \r\
\n :set \$listnameTemp (\$listname)\r\
\n \r\
\n :for x from=1 to=\$partnumber step=1 do={\r\
\n :local data ([:file read offset=\$start chunk-size=\$chunkSize file=\
\"\$listname.txt\" as-value]->\"data\")\r\
\n # Only remove the first line only if you are not at the start of list\
\r\
\n :if (\$start > 0) do={:set data [:pick \$data ([:find \$data \"\\n\"]\
+1) [:len \$data]]}\r\
\n :while ([:len \$data]!=0) do={\r\
\n :local line [:pick \$data 0 [:find \$data \"\\n\"]]; # create only \
once and checked twice as local variable\r\
\n :if (\$line~\"^[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1\
,3}\" && \$line~heirule) do={\r\
\n :local addr [:pick \$data 0 [:find \$data \$delimiter]]\r\
\n :do {add list=\$listnameTemp address=\$addr comment=\$description\
} on-error={}; # on error avoids any panics\r\
\n }; # if IP address && extra filter if present\r\
\n :set data [:pick \$data ([:find \$data \"\\n\"]+1) [:len \$data]]; \
# removes the just added IP from the data array\r\
\n # Cut of the end of the chunks by removing the last lines...very di\
rty but it works\r\
\n :if (([:len \$data] < 256) && (x < \$partnumber)) do={:set data [:t\
oarray \"\"]} \r\
\n }; # while\r\
\n\r\
\n #:set start (\$start + \$chunkSize)\r\
\n :set start ((\$start-512) + \$chunkSize); # shifts the subquential st\
arts back with 512\r\
\n }; #do for x\r\
\n \r\
\n /file remove \"\$listname.txt\"\r\
\n :put \"Deleted downloaded file: \$listname.txt\"\r\
\n :log warning \"Deleted downloaded file: \$listname.txt\"\r\
\n}; # do\r\
\n\$update url=https://public-dns.info/nameservers-all.txt delimiter=(\"\\\
n\") listname=DNS-DOH\r\
\n#\$update url=https://level2.netset delimiter=(\"\\n\") listname=z-block\
list-L2\r\
\n#\$update url=https://latest.csv listname=z-blocklist delimiter=, heirul\
e=http\r\
\n#\$update url=https://drop.txt delimiter=(\"\\_\") listname=z-blocklist-\
drop\r\
\n\r\
\n:log warning message=\"Blocker script COMPLETED running\"\r\
\n}}"
# domus2dns: DHCP lease script that keeps one static DNS record in step with each
# lease (presumably attached as lease-script of the Domus DHCP server — verify under
# /ip dhcp-server; the embedded header still calls the script "dhcp2dns").
# Settings at the top of the script: remove-by-IP on, remove-by-name on, non-FQDN
# names off, TTL 00:15:00, and leaseClientHostnameSource="comment": the DNS name is
# read from the comment of the matching lease record, not from the hostname the
# client sends. A client therefore cannot choose its own DNS name (the
# "lease-hostname" mode would let it); the trade-off is that a lease without a
# comment yields an empty name.
# NOTE(review): with an empty name and a domain configured on the DHCP network the
# script still reaches the add with name=".<domain>" — confirm RouterOS rejects it,
# or add an early exit when the hostname is empty.
# Only entries carrying this script's own comment (built from the DHCP server name
# and the hostname source) are ever removed, so manually added DNS records are safe.
# NOTE(review): this source is byte-identical to lan2dns below; since
# $leaseServerName already distinguishes the servers, one shared script avoids drift.
add dont-require-permissions=no name=domus2dns owner=RouterOS policy=\
read,write,policy,test source="###\
\n# Script originally adapted from <https://blog.pessoft.com/2019/09/06/mi\
krotik-script-automatic-dns-records-from-dhcp-leases>\
\n# Modifications made by eduarbo <https://gist.github.com/eduarbo/5f34ab1\
37d42c994c9c20461f90b5c9b>\
\n#\
\n# How it works:\
\n# - Creates static DNS records according to assigned DHCP lease.\
\n# - Deletes static DNS records according to unassigned DHCP lease.\
\n# - Deletes all related static DNS records, when new DNS record is being\
\_created to prevent duplicates. This can be done by IP and by hostname.\
\n# - DNS records hostname can use additional domain name or use short hos\
tname or both.\
\n# - Hostname for DNS record can be set from:\
\n# - Variable set from the lease (\$lease-hostname) quick solution, which\
\_uses hostname passed from client\
\n# - Hostname from the lease (host-name attribute) a bit more CPU intensi\
ve solution, which searches leases for related hostname, but is also more \
compatible, if previous option is not available\
\n# - Comment of the static lease (comment attribute) secure solution, whi\
ch uses hostname from comment of related static DHCP lease\
\n# - Supports separated deployment on multiple instances of DHCP server w\
ithin one MikroTik device.\
\n#\
\n# The script is intended to be called by DHCP lease scripts within the M\
ikroTik DHCP settings:\
\n# - Go to *IP -> DHCP Server -> YOUR_DHCP_SERVER* and in the *Lease Scri\
pt* option type `dhcp2dns`\
\n# - Go to *System -> Scripts*, add a new script called `dhcp2dns` and pa\
ste this script in *Source*\
\n#\
\n# Script entry point\
\n#\
\n# Expected environment variables - set internally when calling the lease\
\_script:\
\n# leaseBound 1 = lease bound, 0 = lease removed\
\n# leaseServerName Name of DHCP server\
\n# leaseActIP IP address of DHCP client\
\n# leaseActMAC MAC address of DHCP client\
\n# lease-hostname Host name provided by the DHCP client\
\n###\
\n\
\n# When \"1\" all DNS entries with IP address of DHCP lease are removed\
\n:local dnsRemoveAllByIp \"1\"\
\n# When \"1\" all DNS entries with hostname of DHCP lease are removed\
\n:local dnsRemoveAllByName \"1\"\
\n# When \"1\" addition and removal of DNS entries is always done also for\
\_non-FQDN hostname\
\n:local dnsAlwaysNonfqdn \"0\"\
\n# DNS TTL to set for DNS entries\
\n:local dnsTtl \"00:15:00\"\
\n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
\_lease attribute, like \"host-name\" or \"comment\"\
\n:local leaseClientHostnameSource \"comment\"\
\n\
\n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
ostnameSource\"\
\n:local leaseClientHostname\
\n\
\n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\
\n :set leaseClientHostname \$\"lease-hostname\"\
\n} else={\
\n :set leaseClientHostname ([:pick \\\
\n [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\
\n 0]->\"\$leaseClientHostnameSource\")\
\n}\
\n\
\n:local leaseClientHostnames \"\$leaseClientHostname\"\
\n:local dnsDomain [/ip dhcp-server network get [:pick [find \$leaseActIP \
in address] 0] domain]\
\n\
\n:if ([:len [\$dnsDomain]] > 0) do={\
\n :if (\$dnsAlwaysNonfqdn = \"1\") do={\
\n :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain,\$leas\
eClientHostname\"\
\n } else={\
\n :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain\"\
\n }\
\n}\
\n\
\n:if (\$dnsRemoveAllByIp = \"1\") do={\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\"]\
\n}\
\n\
\n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\
\n :if (\$dnsRemoveAllByName = \"1\") do={\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
\" and name=\"\$h\"]\
\n }\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\" and name=\"\$h\"]\
\n :if (\$leaseBound = \"1\") do={\
\n :delay 1\
\n /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
\" name=\"\$h\" ttl=\"\$dnsTtl\"\
\n }\
\n}"
# lan2dns: DHCP lease script that keeps one static DNS record in step with each
# lease (presumably attached as lease-script of the Lan DHCP server — verify under
# /ip dhcp-server; the embedded header still calls the script "dhcp2dns").
# Its source is a byte-for-byte copy of domus2dns above; only the script name differs.
# Settings at the top of the script: remove-by-IP on, remove-by-name on, non-FQDN
# names off, TTL 00:15:00, and leaseClientHostnameSource="comment": the DNS name is
# read from the comment of the matching lease record, not from the hostname the
# client sends, so a client cannot choose its own DNS name. A lease without a
# comment yields an empty name.
# NOTE(review): with an empty name and a domain configured on the DHCP network the
# script still reaches the add with name=".<domain>" — confirm RouterOS rejects it,
# or add an early exit when the hostname is empty.
# Only entries carrying this script's own comment (built from the DHCP server name
# and the hostname source) are ever removed, so manually added DNS records are safe.
# NOTE(review): because $leaseServerName already distinguishes the two DHCP servers,
# both servers could point at a single shared script instead of two identical copies.
add dont-require-permissions=no name=lan2dns owner=RouterOS policy=\
read,write,policy,test source="###\
\n# Script originally adapted from <https://blog.pessoft.com/2019/09/06/mi\
krotik-script-automatic-dns-records-from-dhcp-leases>\
\n# Modifications made by eduarbo <https://gist.github.com/eduarbo/5f34ab1\
37d42c994c9c20461f90b5c9b>\
\n#\
\n# How it works:\
\n# - Creates static DNS records according to assigned DHCP lease.\
\n# - Deletes static DNS records according to unassigned DHCP lease.\
\n# - Deletes all related static DNS records, when new DNS record is being\
\_created to prevent duplicates. This can be done by IP and by hostname.\
\n# - DNS records hostname can use additional domain name or use short hos\
tname or both.\
\n# - Hostname for DNS record can be set from:\
\n# - Variable set from the lease (\$lease-hostname) quick solution, which\
\_uses hostname passed from client\
\n# - Hostname from the lease (host-name attribute) a bit more CPU intensi\
ve solution, which searches leases for related hostname, but is also more \
compatible, if previous option is not available\
\n# - Comment of the static lease (comment attribute) secure solution, whi\
ch uses hostname from comment of related static DHCP lease\
\n# - Supports separated deployment on multiple instances of DHCP server w\
ithin one MikroTik device.\
\n#\
\n# The script is intended to be called by DHCP lease scripts within the M\
ikroTik DHCP settings:\
\n# - Go to *IP -> DHCP Server -> YOUR_DHCP_SERVER* and in the *Lease Scri\
pt* option type `dhcp2dns`\
\n# - Go to *System -> Scripts*, add a new script called `dhcp2dns` and pa\
ste this script in *Source*\
\n#\
\n# Script entry point\
\n#\
\n# Expected environment variables - set internally when calling the lease\
\_script:\
\n# leaseBound 1 = lease bound, 0 = lease removed\
\n# leaseServerName Name of DHCP server\
\n# leaseActIP IP address of DHCP client\
\n# leaseActMAC MAC address of DHCP client\
\n# lease-hostname Host name provided by the DHCP client\
\n###\
\n\
\n# When \"1\" all DNS entries with IP address of DHCP lease are removed\
\n:local dnsRemoveAllByIp \"1\"\
\n# When \"1\" all DNS entries with hostname of DHCP lease are removed\
\n:local dnsRemoveAllByName \"1\"\
\n# When \"1\" addition and removal of DNS entries is always done also for\
\_non-FQDN hostname\
\n:local dnsAlwaysNonfqdn \"0\"\
\n# DNS TTL to set for DNS entries\
\n:local dnsTtl \"00:15:00\"\
\n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
\_lease attribute, like \"host-name\" or \"comment\"\
\n:local leaseClientHostnameSource \"comment\"\
\n\
\n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
ostnameSource\"\
\n:local leaseClientHostname\
\n\
\n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\
\n :set leaseClientHostname \$\"lease-hostname\"\
\n} else={\
\n :set leaseClientHostname ([:pick \\\
\n [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\
\n 0]->\"\$leaseClientHostnameSource\")\
\n}\
\n\
\n:local leaseClientHostnames \"\$leaseClientHostname\"\
\n:local dnsDomain [/ip dhcp-server network get [:pick [find \$leaseActIP \
in address] 0] domain]\
\n\
\n:if ([:len [\$dnsDomain]] > 0) do={\
\n :if (\$dnsAlwaysNonfqdn = \"1\") do={\
\n :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain,\$leas\
eClientHostname\"\
\n } else={\
\n :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain\"\
\n }\
\n}\
\n\
\n:if (\$dnsRemoveAllByIp = \"1\") do={\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\"]\
\n}\
\n\
\n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\
\n :if (\$dnsRemoveAllByName = \"1\") do={\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
\" and name=\"\$h\"]\
\n }\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\" and name=\"\$h\"]\
\n :if (\$leaseBound = \"1\") do={\
\n :delay 1\
\n /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
\" name=\"\$h\" ttl=\"\$dnsTtl\"\
\n }\
\n}"
# Layer-2 management (MAC-telnet and MAC-WinBox work without an IP address) answers
# only on interfaces that are members of the TRUSTED interface list. The list's
# membership is defined elsewhere in the export; it should hold no WAN or guest ports.
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
# RoMON is enabled with only enabled=yes shown here; no secret and no per-port
# restriction appear in this export (a secret may simply be hidden by the export).
# NOTE(review): without a secret, any RoMON peer on an L2-adjacent segment can use
# this router as a hop; if that is not intended, set one and limit RoMON to trusted
# ports under /tool romon port (forbid=yes on untrusted interfaces).
/tool romon
set enabled=yes
