Anyone uses AI for their config?

I only bought a MikroTik hAP ac² because my friend suggested it. I've made it work by following YouTube guides.
Now I'm planning to have a dual-WAN setup. Both ISPs use dynamic IPs and I want to have static gateways for both, for reliability.
ether1 and ether5 are for the WANs; ether2-4 are under a single bridge, but with VLANs and a DHCP server per ether port.
But doing so is too much for me, which is why I'm planning on using AI.
Do you guys think that configs made by AIs are good or reliable?

Here is the config that was made by the AI:

# ===============================
# 🔹 INTERFACE & VLAN CONFIGURATION
# ===============================
/interface bridge
add name=bridge vlan-filtering=yes protocol-mode=none

/interface vlan
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan40 vlan-id=40

/interface bridge port
add bridge=bridge interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=40 frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=40

/interface list
add name=WAN
add name=LAN

/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=WAN
add interface=bridge list=LAN

# ===============================
# 🔹 WAN CONFIGURATION (DYNAMIC IPs & FAILOVER)
# ===============================
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no add-default-route=no comment="DHCP Client for ISP1"
add interface=ether5 use-peer-dns=no use-peer-ntp=no add-default-route=no comment="DHCP Client for ISP2"

/ip address
add address=192.168.10.2/24 interface=ether1 comment="Static IP for ISP1"
add address=192.168.11.2/24 interface=ether5 comment="Static IP for ISP2"

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 check-gateway=ping distance=1 comment="Primary Default Route for ISP1"
add dst-address=0.0.0.0/0 gateway=192.168.11.1 check-gateway=ping distance=2 comment="Backup Default Route for ISP2"

# Improved Auto-Failover Script
/system script
add name=check-isp-failover source="
:if ([/ping 192.168.10.1 count=3] = 0) do={
    /ip route set [find comment=\"Primary Default Route for ISP1\"] disabled=yes;
    /ip route set [find comment=\"Backup Default Route for ISP2\"] disabled=no;
} else={
    /ip route set [find comment=\"Primary Default Route for ISP1\"] disabled=no;
    /ip route set [find comment=\"Backup Default Route for ISP2\"] disabled=yes;
}"

/system scheduler
add name=isp-monitor interval=30s on-event=check-isp-failover

# ===============================
# 🔹 VLAN DHCP & LOCAL NETWORK CONFIGURATION
# ===============================
/ip address
add address=192.168.2.1/24 interface=vlan20
add address=192.168.3.1/24 interface=vlan30
add address=192.168.4.1/24 interface=vlan40

/ip pool
add name=pool20 ranges=192.168.2.2-192.168.2.254
add name=pool30 ranges=192.168.3.2-192.168.3.254
add name=pool40 ranges=192.168.4.2-192.168.4.254

/ip dhcp-server
add name=dhcp20 interface=vlan20 address-pool=pool20 disabled=no lease-time=1h
add name=dhcp30 interface=vlan30 address-pool=pool30 disabled=no lease-time=1h
add name=dhcp40 interface=vlan40 address-pool=pool40 disabled=no lease-time=1h

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=8.8.8.8,1.1.1.1 domain=lan20.local
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=8.8.8.8,1.1.1.1 domain=lan30.local
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=8.8.8.8,1.1.1.1 domain=lan40.local

# ===============================
# 🔹 NAT CONFIGURATION (RouterOS 7 Compatible)
# ===============================
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="NAT for both ISPs"

# ===============================
# 🔹 SECURITY & FIREWALL CONFIGURATION (Optimized)
# ===============================
/ip firewall filter
# Allow Established & Related Connections
add chain=input connection-state=established,related action=accept comment="Allow Established & Related"
add chain=forward connection-state=established,related action=accept comment="Allow Established & Related"

# Drop Invalid Connections
add chain=input connection-state=invalid action=drop comment="Drop Invalid"
add chain=forward connection-state=invalid action=drop comment="Drop Invalid"

# Allow VLAN-to-VLAN Traffic
add chain=forward in-interface-list=LAN out-interface-list=LAN action=accept comment="Allow VLAN-to-VLAN Traffic"

# Protect Router from External Attacks
add chain=input in-interface-list=WAN action=drop comment="Drop All Other WAN to Router Traffic"

# Block External DNS Requests
add chain=input in-interface-list=WAN protocol=udp port=53 action=drop comment="Block External DNS Requests"

# Rate Limit SSH/Winbox Access
add chain=input protocol=tcp dst-port=22,8291 src-address-list=!allowed_ips action=drop comment="Protect SSH & Winbox"

# Drop All Unwanted Traffic
add chain=input action=drop comment="Drop All Other Input Traffic"
add chain=forward action=drop comment="Drop All Other Forward Traffic"

# ===============================
# 🔹 SAFE MODE RECOVERY (Prevents Lockouts)
# ===============================
/system watchdog
set watchdog-timer=yes no-ping-delay=5s ping-address=8.8.8.8

No, the VLAN part is not good. Because the config uses Bridge VLAN Filtering and you have a hAP ac². The hAP ac² has hardware offload support for VLAN but not if you use Bridge VLAN Filtering. For this router you need to configure VLAN the old way, using the /interface ethernet switch menu. Follow the examples here, especially the “Inter-VLAN routing” section:

https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features#SwitchChipFeatures-SetupExamples

Keep in mind that anything mentioning Atheros8327 in that documentation applies to the hAP ac² (because that’s the switch chip inside it).

I've also turned on the 5 GHz Wi-Fi.

Here is the revised AI config based on your reply:

# ===============================
# 🔹 INTERFACE & VLAN CONFIGURATION
# ===============================
/interface bridge
add name=bridge

/interface ethernet switch
add name=switch1

/interface ethernet switch port
add switch=switch1 port=ether2 pvid=20
add switch=switch1 port=ether3 pvid=30
add switch=switch1 port=ether4 pvid=40
add switch=switch1 port=wlan2 pvid=20  ### ✅ Wi-Fi to VLAN20
add switch=switch1 port=switch1-cpu vlan-mode=secure

/interface ethernet switch vlan
add switch=switch1 vlan-id=20 ports=ether2,wlan2,switch1-cpu
add switch=switch1 vlan-id=30 ports=ether3,switch1-cpu
add switch=switch1 vlan-id=40 ports=ether4,switch1-cpu

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=wlan2  ### ✅ Wi-Fi to VLAN20

/interface vlan
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan40 vlan-id=40

/interface list
add name=WAN
add name=LAN

/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=WAN
add interface=bridge list=LAN

# ===============================
# 🔹 DHCP CLIENT CONFIGURATION FOR DYNAMIC WAN IPs
# ===============================
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no add-default-route=no comment="DHCP Client for ISP1"
add interface=ether5 use-peer-dns=no use-peer-ntp=no add-default-route=no comment="DHCP Client for ISP2"

# ===============================
# 🔹 STATIC WAN IP ADDRESSES & FAILOVER CONFIGURATION
# ===============================
/ip address
add address=192.168.10.2/24 interface=ether1 comment="Static IP for ISP1"
add address=192.168.11.2/24 interface=ether5 comment="Static IP for ISP2"

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 check-gateway=ping distance=1 comment="Primary Default Route for ISP1"
add dst-address=0.0.0.0/0 gateway=192.168.11.1 check-gateway=ping distance=2 comment="Backup Default Route for ISP2"

# Failover Script (Auto-switch back to ISP1)
/system script
add name=check-isp-failover source="\
:if ([/ping 192.168.10.1 count=3] = 0) do={\
    /ip route set [find comment='Primary Default Route for ISP1'] disabled=yes;\
    /ip route set [find comment='Backup Default Route for ISP2'] disabled=no;\
} else={\
    /ip route set [find comment='Primary Default Route for ISP1'] disabled=no;\
    /ip route set [find comment='Backup Default Route for ISP2'] disabled=yes;\
}"

/system scheduler
add name=isp-monitor interval=30s on-event=check-isp-failover

# ===============================
# 🔹 LAN IP ADDRESSES & DHCP CONFIGURATION
# ===============================
/ip address
add address=192.168.2.1/24 interface=vlan20
add address=192.168.3.1/24 interface=vlan30
add address=192.168.4.1/24 interface=vlan40

/ip pool
add name=pool20 ranges=192.168.2.2-192.168.2.254
add name=pool30 ranges=192.168.3.2-192.168.3.254
add name=pool40 ranges=192.168.4.2-192.168.4.254

/ip dhcp-server
add name=dhcp20 interface=vlan20 address-pool=pool20 disabled=no lease-time=1h
add name=dhcp30 interface=vlan30 address-pool=pool30 disabled=no lease-time=1h
add name=dhcp40 interface=vlan40 address-pool=pool40 disabled=no lease-time=1h

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=8.8.8.8,1.1.1.1 domain=lan20.local
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=8.8.8.8,1.1.1.1 domain=lan30.local
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=8.8.8.8,1.1.1.1 domain=lan40.local

# ===============================
# 🔹 PCC LOAD BALANCING
# ===============================
/ip firewall mangle
add chain=prerouting dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2_conn

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=WAN1_conn comment="Load Balance WAN1"
add dst-address=0.0.0.0/0 gateway=192.168.11.1 routing-mark=WAN2_conn comment="Load Balance WAN2"

# ===============================
# 🔹 DNS CONFIGURATION
# ===============================
/ip dns
set allow-remote-requests=yes cache-size=2048KiB servers=8.8.8.8,1.1.1.1

# Block External DNS Requests
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp port=53 action=drop comment="Block External DNS Requests"

# ===============================
# 🔹 NAT CONFIGURATION
# ===============================
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="NAT for both ISPs"

# ===============================
# 🔹 FIREWALL SECURITY RULES
# ===============================
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow Established & Related"
add chain=forward connection-state=established,related action=accept comment="Allow Established & Related"
add chain=input connection-state=invalid action=drop comment="Drop Invalid"
add chain=forward connection-state=invalid action=drop comment="Drop Invalid"
add chain=input in-interface-list=WAN action=drop comment="Drop All Other WAN to Router Traffic"
add chain=forward in-interface-list=LAN out-interface-list=LAN action=accept comment="Allow VLAN-to-VLAN Traffic"
add chain=input protocol=tcp dst-port=22,8291 src-address-list=!allowed_ips action=drop comment="Rate Limit SSH/Winbox Access"
add chain=input action=drop log=yes log-prefix="Input-Dropped" comment="Log Dropped Input Traffic"
add chain=forward action=drop log=yes log-prefix="Forward-Dropped" comment="Log Dropped Forward Traffic"

# ===============================
# 🔹 5GHz Wi-Fi CONFIGURATION
# ===============================
/interface wireless
set [find name=wlan2] mode=ap-bridge ssid="The Aerie" country=philippines \
    band=5ghz-a/n/ac channel-width=20/40/80mhz hide-ssid=no \
    wmm-support=enabled security-profile=wpa2-psk tx-power=20 vlan-mode=no-tag \
    multicast-helper=default

# ===============================
# 🔹 SAFE MODE RECOVERY (Prevents Lockouts)
# ===============================
/system watchdog
set watchdog-timer=yes no-ping-delay=5s ping-address=8.8.8.8

It would be nice to teach the so-called AI to use code tags for code.

What do you mean? Sorry, I don't have an IT background.

I told the AI to make it simple so I can easily copy-paste the config.

Why do you have VLANs if you just allow all traffic between them?

How about these firewall rules?


# ===============================
# 🔹 FIREWALL SECURITY RULES (VLAN ISOLATION)
# ===============================

# Allow Established & Related connections (important for normal operation)
add chain=forward connection-state=established,related action=accept comment="Allow Established & Related"

# Drop Invalid connections
add chain=forward connection-state=invalid action=drop comment="Drop Invalid"

# Block VLAN-to-VLAN Traffic (Isolation Rules)
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.3.0/24 action=drop comment="Block VLAN20 to VLAN30"
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.4.0/24 action=drop comment="Block VLAN20 to VLAN40"
add chain=forward src-address=192.168.3.0/24 dst-address=192.168.2.0/24 action=drop comment="Block VLAN30 to VLAN20"
add chain=forward src-address=192.168.3.0/24 dst-address=192.168.4.0/24 action=drop comment="Block VLAN30 to VLAN40"
add chain=forward src-address=192.168.4.0/24 dst-address=192.168.2.0/24 action=drop comment="Block VLAN40 to VLAN20"
add chain=forward src-address=192.168.4.0/24 dst-address=192.168.3.0/24 action=drop comment="Block VLAN40 to VLAN30"

# Allow Internet Access for VLANs
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="Allow VLANs to Access Internet"

# Drop all other forward traffic (final catch-all rule)
add chain=forward action=drop log=yes log-prefix="Blocked-Forward" comment="Block All Other Forward Traffic"

# ===============================
# 🔹 OTHER SECURITY RULES (UNCHANGED)
# ===============================

# Block External DNS Requests
add chain=input in-interface-list=WAN protocol=udp port=53 action=drop comment="Block External DNS Requests"

# Drop All Other WAN to Router Traffic
add chain=input in-interface-list=WAN action=drop comment="Drop All Other WAN to Router Traffic"

# Rate Limit SSH/Winbox Access
add chain=input protocol=tcp dst-port=22,8291 src-address-list=!allowed_ips action=drop comment="Rate Limit SSH/Winbox Access"

# Log Dropped Input Traffic
add chain=input action=drop log=yes log-prefix="Input-Dropped" comment="Log Dropped Input Traffic"

There’s a button in the forum called “code”.
Or you can just add “code” instead of “quote” inside the brackets.
The forum will then somewhat format the code for readability. And also use colors :slight_smile:

Thank you. I'll try this with the new config. Changes are based on the replies.


# ===============================
# 🔹 INTERFACE & VLAN CONFIGURATION
# ===============================
/interface bridge
add name=bridge vlan-filtering=no

/interface ethernet switch
set switch1 vlan-mode=secure

/interface ethernet switch port
add switch=switch1 port=ether2 pvid=20
add switch=switch1 port=ether3 pvid=30
add switch=switch1 port=ether4 pvid=40
add switch=switch1 port=wlan2 pvid=20
add switch=switch1 port=switch1-cpu vlan-mode=secure

/interface ethernet switch vlan
add switch=switch1 vlan-id=20 ports=ether2,wlan2,switch1-cpu
add switch=switch1 vlan-id=30 ports=ether3,switch1-cpu
add switch=switch1 vlan-id=40 ports=ether4,switch1-cpu

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=wlan2

/interface vlan
add interface=switch1 name=vlan20 vlan-id=20
add interface=switch1 name=vlan30 vlan-id=30
add interface=switch1 name=vlan40 vlan-id=40

/interface list
add name=WAN
add name=LAN

/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=WAN
add interface=bridge list=LAN

# ===============================
# 🔹 DHCP CLIENT CONFIGURATION
# ===============================
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no add-default-route=no
add interface=ether5 use-peer-dns=no use-peer-ntp=no add-default-route=no

# ===============================
# 🔹 STATIC WAN IP ADDRESSES & FAILOVER CONFIGURATION
# ===============================
/ip address
add address=192.168.10.2/24 interface=ether1
add address=192.168.11.2/24 interface=ether5

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=192.168.11.1 check-gateway=ping distance=2

# ===============================
# 🔹 DHCP SERVER CONFIGURATION (For VLANs)
# ===============================
/ip address
add address=192.168.2.1/24 interface=vlan20
add address=192.168.3.1/24 interface=vlan30
add address=192.168.4.1/24 interface=vlan40

/ip pool
add name=pool20 ranges=192.168.2.10-192.168.2.254
add name=pool30 ranges=192.168.3.10-192.168.3.254
add name=pool40 ranges=192.168.4.10-192.168.4.254

/ip dhcp-server
add name=dhcp20 interface=vlan20 address-pool=pool20 lease-time=1h
add name=dhcp30 interface=vlan30 address-pool=pool30 lease-time=1h
add name=dhcp40 interface=vlan40 address-pool=pool40 lease-time=1h

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=8.8.8.8,1.1.1.1 domain=lan20.local
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=8.8.8.8,1.1.1.1 domain=lan30.local
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=8.8.8.8,1.1.1.1 domain=lan40.local

# ===============================
# 🔹 VLAN ISOLATION (BLOCK INTER-VLAN TRAFFIC)
# ===============================
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.3.0/24 action=drop
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.4.0/24 action=drop
add chain=forward src-address=192.168.3.0/24 dst-address=192.168.2.0/24 action=drop
add chain=forward src-address=192.168.3.0/24 dst-address=192.168.4.0/24 action=drop
add chain=forward src-address=192.168.4.0/24 dst-address=192.168.2.0/24 action=drop
add chain=forward src-address=192.168.4.0/24 dst-address=192.168.3.0/24 action=drop
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept
add chain=forward action=drop log=yes log-prefix="Blocked-Forward"

# ===============================
# 🔹 NAT & PCC LOAD BALANCING
# ===============================
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface-list=LAN action=mark-connection new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add chain=prerouting connection-mark=no-mark in-interface-list=LAN action=mark-connection new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=WAN1_conn
add dst-address=0.0.0.0/0 gateway=192.168.11.1 routing-mark=WAN2_conn

# ===============================
# 🔹 Wi-Fi CONFIGURATION
# ===============================
/interface wireless
set [find name=wlan2] mode=ap-bridge ssid="The Aerie" country=philippines \
    band=5ghz-a/n/ac channel-width=20/40/80mhz hide-ssid=no security-profile=wpa2-psk vlan-mode=no-tag

# ===============================
# 🔹 SAFE MODE RECOVERY (Prevents Lockouts)
# ===============================
/system watchdog
set watchdog-timer=yes no-ping-delay=5s ping-address=8.8.8.8

I'm not gonna say much about that firewall config (that's other people's job :smiley:)

But there are 2 things:

  1. You don't have a chain=input rule, so you would lose access to the router itself.
  2. You have a drop rule all the way at the bottom, so as long as your traffic doesn't match any accept rule it will be dropped. So your plenty of drop rules (I guess for the VLANs?) are unnecessary and currently would just add clutter :smiley:

But if you want to go the easy way you can get the default firewall rules from your router (there's a command but I forgot ^^) and just add what you need (I'm guessing just a little bit of inter-VLAN). Maybe the AI will be more helpful then as well.

EDIT: the command is /system default-configuration print
Also I highly recommend having a fasttrack rule (that's in the default config too)



Here is the adjusted config:

# ===============================
# 🔹 INTERFACE & VLAN CONFIGURATION
# ===============================
/interface bridge
add name=bridge vlan-filtering=no

/interface ethernet switch
set switch1 vlan-mode=secure

/interface ethernet switch port
add switch=switch1 port=ether2 pvid=20
add switch=switch1 port=ether3 pvid=30
add switch=switch1 port=ether4 pvid=40
add switch=switch1 port=wlan2 pvid=20
add switch=switch1 port=switch1-cpu vlan-mode=enabled  # ✅ FIXED for correct CPU VLAN access

/interface ethernet switch vlan
add switch=switch1 vlan-id=20 ports=ether2,wlan2,switch1-cpu
add switch=switch1 vlan-id=30 ports=ether3,switch1-cpu
add switch=switch1 vlan-id=40 ports=ether4,switch1-cpu

/interface vlan
add interface=switch1 name=vlan20 vlan-id=20
add interface=switch1 name=vlan30 vlan-id=30
add interface=switch1 name=vlan40 vlan-id=40

/interface list
add name=WAN
add name=LAN
add name=VLANs

/interface list member
add interface=ether1 list=WAN
add interface=ether5 list=WAN
add interface=bridge list=LAN
add interface=vlan20 list=VLANs
add interface=vlan30 list=VLANs
add interface=vlan40 list=VLANs

# ===============================
# 🔹 DHCP CLIENT CONFIGURATION
# ===============================
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no add-default-route=no
add interface=ether5 use-peer-dns=no use-peer-ntp=no add-default-route=no

# ===============================
# 🔹 STATIC WAN IP ADDRESSES & FAILOVER CONFIGURATION
# ===============================
/ip address
add address=192.168.10.2/24 interface=ether1
add address=192.168.11.2/24 interface=ether5

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=192.168.11.1 check-gateway=ping distance=2

# ===============================
# 🔹 DHCP SERVER CONFIGURATION (For VLANs)
# ===============================
/ip address
add address=192.168.2.1/24 interface=vlan20
add address=192.168.3.1/24 interface=vlan30
add address=192.168.4.1/24 interface=vlan40

/ip pool
add name=pool20 ranges=192.168.2.10-192.168.2.254
add name=pool30 ranges=192.168.3.10-192.168.3.254
add name=pool40 ranges=192.168.4.10-192.168.4.254

/ip dhcp-server
add name=dhcp20 interface=vlan20 address-pool=pool20 lease-time=1h
add name=dhcp30 interface=vlan30 address-pool=pool30 lease-time=1h
add name=dhcp40 interface=vlan40 address-pool=pool40 lease-time=1h

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=8.8.8.8,1.1.1.1 domain=lan20.local
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=8.8.8.8,1.1.1.1 domain=lan30.local
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=8.8.8.8,1.1.1.1 domain=lan40.local

# ===============================
# 🔹 FIREWALL & VLAN ISOLATION
# ===============================
/ip firewall filter
# Allow established & related connections
add chain=input connection-state=established,related action=accept comment="Allow Established & Related"
add chain=forward connection-state=established,related action=accept

# Allow access to the router from VLAN20 (adjust if needed)
add chain=input src-address=192.168.2.0/24 action=accept comment="Allow VLAN20 to Access Router"

# Drop invalid connections
add chain=input connection-state=invalid action=drop
add chain=forward connection-state=invalid action=drop

# Block VLAN-to-VLAN Traffic (Single Efficient Rule)
add chain=forward in-interface-list=VLANs out-interface-list=VLANs action=drop comment="Block Inter-VLAN Traffic"

# Allow LAN to WAN traffic
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept

# FastTrack Rule for Performance
add chain=forward action=fasttrack-connection connection-state=established,related

# Drop all other traffic (Final Rule)
add chain=input action=drop comment="Drop All Other Traffic"
add chain=forward action=drop comment="Drop Unmatched Forward Traffic"

# ===============================
# 🔹 NAT & PCC LOAD BALANCING
# ===============================
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface-list=LAN action=mark-connection new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add chain=prerouting connection-mark=no-mark in-interface-list=LAN action=mark-connection new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=WAN1_conn
add dst-address=0.0.0.0/0 gateway=192.168.11.1 routing-mark=WAN2_conn

# ===============================
# 🔹 Wi-Fi CONFIGURATION
# ===============================
/interface wireless
set [find name=wlan2] mode=ap-bridge ssid="The Aerie" country=philippines \
    band=5ghz-a/n/ac channel-width=20/40/80mhz hide-ssid=no security-profile=wpa2-psk vlan-mode=no-tag

# ===============================
# 🔹 SAFE MODE RECOVERY (Prevents Lockouts)
# ===============================
/system watchdog
set watchdog-timer=yes no-ping-delay=5s ping-address=8.8.8.8
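A small checker for the three pitfalls the earlier reply lists (router access via the input chain, per-VLAN drop rules that a final drop already covers, and fasttrack placement), added here as an example; it is not code from the thread or from MikroTik. It parses the filter rules of the adjusted config above (comment lines stripped) and assumes only the RouterOS evaluation rules that the chains are walked top to bottom and that a packet no rule matches is accepted.

```python
"""Static checks for a RouterOS /ip firewall filter block (added example)."""
import re

# key=value pairs as RouterOS prints them; quoted values may contain spaces
_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# properties that never narrow what a rule matches
_NON_MATCH = {"chain", "action", "comment", "log", "log-prefix"}


def parse_rules(text):
    """Return one dict per 'add ...' line; menu paths and '#' lines are skipped."""
    return [{k: v.strip('"') for k, v in _KV.findall(line.strip()[4:])}
            for line in text.splitlines() if line.strip().startswith("add ")]


def catch_all(rule):
    """True when the rule has no match conditions, i.e. it matches every packet."""
    return set(rule) <= _NON_MATCH


def matches_new(rule):
    """False only when the rule is limited to established/related connections."""
    cs = rule.get("connection-state")
    return cs is None or "new" in cs.split(",")


def lint(text):
    """One finding per pitfall raised in the replies above; [] means none found."""
    rules = parse_rules(text)
    inp = [r for r in rules if r.get("chain") == "input"]
    fwd = [r for r in rules if r.get("chain") == "forward"]
    findings = []

    # 1. Router access. A chain with no rules accepts everything, so an empty
    #    input chain leaves router services open on every interface. An input
    #    chain ending in a catch-all drop must accept NEW connections from
    #    somewhere other than WAN, or Winbox/SSH/DNS from the LAN die (lockout).
    if not inp:
        findings.append("input: no rules, router services reachable from every interface")
    elif any(catch_all(r) and r.get("action") == "drop" for r in inp):
        if not any(r.get("action") == "accept" and matches_new(r)
                   and r.get("in-interface-list") != "WAN" for r in inp):
            findings.append("input: catch-all drop but no accept for new LAN connections (lockout)")

    # 2. Pairwise src/dst drops add nothing once the chain ends in a catch-all
    #    drop, unless a later accept would otherwise admit that traffic.
    if any(catch_all(r) and r.get("action") == "drop" for r in fwd):
        pairs = sum(1 for r in fwd if r.get("action") == "drop"
                    and {"src-address", "dst-address"} <= set(r))
        if pairs:
            findings.append(f"forward: {pairs} pairwise src/dst drops are redundant with the "
                            "final catch-all drop unless a later accept admits that traffic")

    # 3. fasttrack-connection has to sit before the established,related accept;
    #    placed after it, the accept matches first and fasttrack never fires.
    est = [i for i, r in enumerate(fwd) if r.get("action") == "accept" and not matches_new(r)]
    ft = [i for i, r in enumerate(fwd) if r.get("action") == "fasttrack-connection"]
    if not ft:
        findings.append("forward: no fasttrack-connection rule (the default config has one)")
    elif est and est[0] < ft[0]:
        findings.append("forward: fasttrack-connection is shadowed by the earlier established,related accept")
    return findings


# Filter rules of the adjusted config posted above, comment lines stripped.
ADJUSTED_FILTER = """
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow Established & Related"
add chain=forward connection-state=established,related action=accept
add chain=input src-address=192.168.2.0/24 action=accept comment="Allow VLAN20 to Access Router"
add chain=input connection-state=invalid action=drop
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=VLANs out-interface-list=VLANs action=drop comment="Block Inter-VLAN Traffic"
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=input action=drop comment="Drop All Other Traffic"
add chain=forward action=drop comment="Drop Unmatched Forward Traffic"
"""

if __name__ == "__main__":
    for finding in lint(ADJUSTED_FILTER):
        print(finding)
```

On the adjusted config it reports only that the fasttrack rule is shadowed by the established,related accept placed above it; the earlier config without any input rules trips the first and third checks as well.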

It's a little annoying that we are asked to correct AI results, "feeding" that AI.
http://forum.mikrotik.com/t/gpt4-and-writing-scripts-for-mikrotik/171187/17

It’s called “training the model”.

Sorry. I just can’t pay someone right now to help me with my config.

But you do expect anyone here to filter out all problems / mistakes for free ?

Sorry, I didn’t know that there’s a kind of transaction here.

I just assumed that because this is a forum site, that I can just ask questions.

In my book there’s a difference between “I tried to do it this way but I have such problems” and “this is what AI told me to do, but it doesn’t work, fix it so that it will work”.

In other words: I’m here to help people learn (understand, etc.) ROS … I’m not here to fix flawed configurations … even less so if they’re result of AI (or a wannabe hot-shot know-it-all ROS admin for that matter).

I've already told you that I have zero IT background and I only learned through YouTube videos. It's just that I can't find a guide for what I want to implement specifically. That's why I've resorted to using AI.

Maybe my option is to sell this router and buy a router with dual wan built in.

The “transaction” is simple: People help People.

Let me describe that repairing AI results leaves the same kind and level of disgust as helping kids with their homework when you know that they didn't even try to solve the problem themselves. They assume that they can ask others for help, which means: do it instead of me.

Why don’t you ask AI again and again to repair the solution as answers are wrong?

If you want the easy way then go for it. Mikrotik seems to be the wrong brand for you then.

People here on the forum help not by giving you the configuration but by helping you learn about the things you're doing wrong so you can fix them yourself.
And as you can tell, the AI has no clue what it's doing. And neither do you seem to.

For example, this amazing forum post about Multi-WAN:
http://forum.mikrotik.com/t/multiwan-with-routeros/163698/1