Beginners Config for Home Network

Hi Guys, Firstly I am a total beginner at Router OS and networking.
I have pieced together the following config from reading various topics on the forum and trying to pick up things as I go.
I would be very grateful if some kind soul could give it a once over for any glaring mistakes before I apply it to my router.
I am also adding a rough sketch of the network I am hoping to achieve, (router, switch, CCTV, 2x cAP lite and 2x isolated network)
I am hoping to send TV traffic through IKEv2/IPSEC VPN and other 3 ports through normal PPPOE connection.

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=puretelecom@puretel.ie

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip ipsec mode-config
add connection-mark=ZoogVPN name=ZoogVPN responder=no
set [ find name=ZoogVPN ] src-address-list=ZoogVPN
/ip ipsec policy group
add name=ZoogVPN
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=ZoogVPN
/ip ipsec peer
add address=uk6.zoogvpn.com exchange-mode=ike2 name=ZoogVPN profile=ZoogVPN
/ip ipsec proposal
add auth-algorithms=null enc-algorithms=aes-256-gcm lifetime=0s name=ZoogVPN pfs-group=modp4096
/ip pool
add name=".102 DHCP pool" ranges=192.168.102.100-192.168.102.119
add name=".103 DHCP pool" ranges=192.168.103.100-192.168.103.119
add name=".104 DHCP pool" ranges=192.168.104.100-192.168.104.109
add name=".105 DHCP pool" ranges=192.168.105.100-192.168.105.119
/ip dhcp-server
add address-pool=".102 DHCP pool" authoritative=after-2sec-delay disabled=no interface=E2-cAPL-D_102 lease-time=3h name=".102 DHCP server"
add address-pool=".103 DHCP pool" authoritative=after-2sec-delay disabled=no interface=E3-SW9-PNET_103 lease-time=3h name=".103 DHCP server"
add address-pool=".104 DHCP pool" authoritative=after-2sec-delay disabled=no interface=E4-CCTV_104 lease-time=3h name=".104 DHCP server"
add address-pool=".105 DHCP pool" authoritative=after-2sec-delay disabled=no interface=E5-SW1-TVS_105 lease-time=3h name=".105 DHCP server"

/interface ethernet
set [ find default-name=ether1 ] comment="Main PPPoE and ZoogVPN" name=E1-Internet
set [ find default-name=ether2 ] comment="Eth for RBcAPL-D Guest Wifi" name=E2-cAPL-D_102
set [ find default-name=ether3 ] comment="LAN Private Network" name=E3-SW9-PNET_103
set [ find default-name=ether4 ] comment="Eth for CCTV" name=E4-CCTV_104
set [ find default-name=ether5 ] comment="LAN for TV's" name=E5-SW1-TVS_105

/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=E2-cAPL-D_102 list=LAN
add comment=defconf interface=E3-SW9-PNET_103 list=LAN
add comment=defconf interface=E4-CCTV_104 list=LAN
add comment=defconf interface=E5-SW1-TVS_105 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

/ip address
add address=192.168.102.251/24 interface=E2-cAPL-D_102 network=192.168.102.0
add address=192.168.103.251/24 interface=E3-SW9-PNET_103 network=192.168.103.0
add address=192.168.104.251/24 interface=E4-CCTV_104 network=192.168.104.0
add address=192.168.105.251/24 interface=E5-SW1-TVS_105 network=192.168.105.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.102.251/24 comment=E2-cAPL-D_102 gateway=192.168.102.0
add address=192.168.103.251/24 comment=E3-SW9-PNET_103 gateway=192.168.103.0
add address=192.168.104.251/24 comment=E4-CCTV_104 gateway=192.168.104.0
add address=192.168.105.251/24 comment=E5-SW1-TVS_105 gateway=192.168.105.0
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.104.1 comment=defconf name=router.lan
/ip firewall address-list
add address=******.ydns.eu list=PPPOE-WAN-IP
add address=192.168.104.0/24 comment="Private network - admin access" disabled=no list=adminaccess
add address=192.168.105.0/24 comment="VPN IP list" list=ZoogVPN

/ip firewall filter
 add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access"   in-interface-list=LAN source-address-list=adminaccess
add action=accept chain=input in-interface-list=LAN comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input in-interface-list=lan comment="Accept DNS - TCP" port=53 protocol=tcp
 add action=drop chain=input comment="drop all else"     
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="allow lan to wan traffic) in-interface-list=LAN out-interface-list=WAN
add action=accept  chain=forward comment="if required to allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
 add action=drop chain=forward comment="drop all else"
 
 /ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.104.0/24 src-address=192.168.104.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.104.0/24
add action=masquerade chain=srcnat comment="Masquerade for Internet" out-interface=E1-Internet
add action=dst-nat chain=dstnat comment="Airsonic Port Forward" dst-address-list=PPPOE-WAN-IP dst-port=4040 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.x.x
add action=dst-nat chain=dstnat comment="NextCloud Port Forward" dst-address-list=PPPOE-WAN-IP dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.x.x
add action=dst-nat chain=dstnat comment="NextCloud Port Forward" dst-address-list=PPPOE-WAN-IP dst-port=443 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.x.x
 
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ZoogVPN peer=ZoogVPN policy-template-group=ZoogVPN username=username
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ZoogVPN proposal=ZoogVPN src-address=0.0.0.0/0 template=yes
# Implement a killswitch
/interface bridge add name=vpn_blackhole protocol-mode=none
/ip route add gateway=vpn_blackhole routing-mark=to_vpn
/ip firewall mangle add chain=prerouting src-address-list=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Dublin
/system scheduler
add interval=5s name=YDNS on-event="/tool fetch url=\"http://ydns.io/api/v1/update/\?host=******.ydns.eu\" mode=http user=\"username\" password=\"Pass\"" 
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=nov/16/2020 start-time=21:10:02
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks so much in advance,
Mikeyt

If it’s not for link capacity then you don’t need dual connection between hEX and CSS, you can maintain subnet separation using VLANs.

Hi mkx,
Ok I didn’t know that, I thought it would just be easier to separate them as I wanted one of the subnets to go through the IPsec VPN, would it simplify things to go the Vlan route?

Regards M

If you do CSS segmentation properly it probably won’t make any difference. Your design might actually give better overall performance, hEX S seems to struggle with VLAN tagging and untagging.

Just noticed PoE mark on your diagram: you won’t be alke to power CSS off hEX S. Max rated output PoE power of hEX S is 500mA and at 24V it gives 12W. CSS power consumption OTOH is 19W. If you really need to power CSS over UTP, you better get a RBGPOE power injector and use power adapter supplied with CSS.

It seems to power it OK, I only have a few devices connected at the moment though.
Dont know if that would make a difference?

Actually thinking about it I am using two RBGPOE to power my cAP lites so could swap things around a bit and power one of them from the Eth5 from hex

Having only a few ether ports connected does make a difference. Experience with ether SFP modules shows that ether ports consume quite some energy. So you should expect to experience some random problems (packet drops, link downs, even device reboots) after you connect more devices and power consumption goes up. Even more, it could affect hEX S (worst case: PoE out damage).

IMO cAP lite is much better candidate tob e powered off hEX … but then it depends how you want to have LAN topology. Could be you’ll end up with another RBGPOE or powering CSS directly off power adapter (preferred solution if you have suitable power outlet near CSS location) - mind that UTP cables have pretty high losses which means (among other things) higher load on power adapter (faster ageing) and higher electricity bill.

Ok thanks mkx, so I am now powering the switch from the RBGPOE and have moved the cAP Lite to Eth5 from the HexS.

Apart from the port 1 on the switch only auto negotiating at 100mb all seems good. (I only have 100mb fibre anyway)

The cAP lite seems to be getting sufficient power also.

I am now re-writing the original config, however when I initially tried it on my hex s after a few typos sorted I had a working network but no internet,
maybe in the firewall rules id say.

RBGPOE should allow gigabit ethernet. Did cAP ac negotiate 1Gbps while being powered through the same RBGPOE unit? What about UTP cable between hEX S and CSS, what is its length, are connectors really (and I mean really) properly done? Any RJ45 wall outlet not done quite properly?

My own experience is that wiring should really be done by the code, specially if cables are longer than a few metres: I’ve had electrician pull the UTP cables (cat 5e) and connect wall outlets while I did the patch panels. All connections worked, only the farther-most played games occasionally. After a while I borrowed a professional UTP cable tester and none of them were adhering the 1Gbps standard. When I researched the problem, I found out that the electrician untwisted all pairs in wall outlets in length of 10-15 cm. After I re-twisted the wire pairs, all connections certified for 1Gbps operations.

Ok so the cable length between Hex and CSS is only 12" at the most, the patch leads may be the issue they were some Cat5E cheap ones I think.
I will look into changing these I think anyway just for power stability for the switch.

EDIT- Switch went down twice in an hour, have replaced leads now with some longer and better quality ones, so we will see.
How can I tell what speed is negotiated on the cAP Lite from Hex S now using winbox?


Here is the new config BTW if you could have a quick look i would really appreciate it,

[admin@MikroTik] > /export hide-sensitive
# dec/19/2020 14:49:23 by RouterOS 6.47.8
# software id = E93W-B4XQ
#
# model = RB760iGS
# serial number = A36A0BDA07AC
/interface bridge
add name=VPN-Blackhole protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="Main PPPoE and Zoog-VPN" name=E1-Internet
set [ find default-name=ether2 ] comment="LAN for TV's" name=E2-TVS_102
set [ find default-name=ether3 ] comment="LAN Private Network" name=E3-PRIV_103
set [ find default-name=ether4 ] comment="Eth for CCTV" name=E4-CCTV_104
set [ find default-name=ether5 ] comment="POE for RBcAPL-D Guest Wifi" name=E5-cAPL-D_105
/interface pppoe-client
add add-default-route=yes disabled=no interface=E1-Internet name=pppoe-out user=puretelecom@puretel.ie
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=Zoog-VPN responder=no src-address-list=Under-Zoog-VPN
/ip ipsec policy group
add name=Zoog-VPN
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=Zoog-VPN
/ip ipsec peer
add address=uk6.Zoog-VPN.com exchange-mode=ike2 name=Zoog-VPN profile=Zoog-VPN
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=0s name=Zoog-VPN pfs-group=modp4096
/ip pool
add name=".102 DHCP pool" ranges=192.168.102.100-192.168.102.119
add name=".103 DHCP pool" ranges=192.168.103.100-192.168.103.119
add name=".104 DHCP pool" ranges=192.168.104.100-192.168.104.119
add name=".105 DHCP pool" ranges=192.168.105.100-192.168.105.119
//ip dhcp-server
add address-pool=".102 DHCP pool" authoritative=after-2sec-delay disabled=no interface=E2-TVS_102 lease-time=3h name=".102 DHCP server"
add address-pool=".103 DHCP pool" authoritative=after-2sec-delay disabled=no interface=E3-PRIV_103 lease-time=3h name=".103 DHCP server"
add address-pool=".104 DHCP pool" authoritative=after-2sec-delay disabled=no interface=E4-CCTV_104 lease-time=3h name=".104 DHCP server"
add address-pool=".105 DHCP pool" authoritative=after-2sec-delay disabled=no interface=E5-cAPL-D_105 lease-time=3h name=".105 DHCP server"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=E2-TVS_102 list=LAN
add comment=defconf interface=E3-PRIV_103 list=LAN
add comment=defconf interface=E4-CCTV_104 list=LAN
add comment=defconf interface=E5-cAPL-D_105 list=LAN
add interface=pppoe-out list=WAN
add interface=E1-Internet list=WAN
/ip address
add address=192.168.102.1/24 interface=E2-TVS_102 network=192.168.102.0
add address=192.168.103.1/24 interface=E3-PRIV_103 network=192.168.103.0
add address=192.168.104.1/24 interface=E4-CCTV_104 network=192.168.104.0
add address=192.168.105.1/24 interface=E5-cAPL-D_105 network=192.168.105.0
/ip dhcp-client
add comment=defconf interface=E1-Internet
/ip dhcp-server network
add address=192.168.102.1/24 comment=E2-TVS_102 gateway=192.168.102.0
add address=192.168.103.1/24 comment=E3-PRIV_103 gateway=192.168.103.0
add address=192.168.104.1/24 comment=E4-CCTV_104 gateway=192.168.104.0
add address=192.168.105.1/24 comment=E5-cAPL-D_105 gateway=192.168.105.0
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.103.1 comment=defconf name=router.lan
/ip firewall address-list
add address=todds.ydns.eu list=PPPOE-WAN-IP
add address=192.168.103.0/24 comment="Private network - admin access" list=Admin-Access
add address=192.168.102.0/24 comment="VPN IP list" list=Under-Zoog-VPN
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Router Admin Access" in-interface-list=LAN src-address-list=Admin-Access
add action=accept chain=input comment="Accept DNS - UDP" in-interface-list=LAN port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" in-interface-list=LAN port=53 protocol=tcp
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward src-address-list=Under-Zoog-VPN place-before=[find where action=fasttrack-connection]
add action=fasttrack-connection chain=forward comment="Fasttrack" connection-state=established,related
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Internet Access" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=To-Zoog-VPN passthrough=yes src-address-list=Under-Zoog-VPN
add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp src-address-list=Under-Zoog-VPN tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.103.0/24 src-address=192.168.103.0/24
add action=masquerade chain=srcnat comment="Masquerade for IPSec" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.103.0
add action=masquerade chain=srcnat comment="Masquerade for Internet" out-interface=E1-Internet
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ZoogVPN peer=ZoogVPN policy-template-group=Zoog-VPN username=user
/ip ipsec policy
add dst-address=0.0.0.0/0 group=Zoog-VPN proposal=Zoog-VPN src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=VPN-Blackhole routing-mark=To-Zoog-VPN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Dublin
/system scheduler
add interval=5s name=YDNS on-event="/tool fetch url=\"http://ydns.io/api/v1/update/\?host=*******.ydns.eu\" mode=http user=\"username\" password=\"Pass\"" 
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=nov/22/2020 start-time=21:10:02
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

Thanks Mikeyt

Go to Interfaces → Ethernet, click interface you want to check and go to Status tab.


As to the config: most of it looks fine, just a few (cosmetic?) remarks:

connection-state property in the rule above should not be necessary. You’ve already dealt with packets belonging to established, related , untracked and invalid connections. What remains is new connections.

For consistency of config, you should use out-interface-list=WAN, just like it’s used in other firewall rules.

I’d try to run this script a bit less frequently … unless it’s really vital to have almost zero delay when WAN IP changes.

Thanks for the pointers on the config, will sort those out this evening.
The switch shut down again so I have managed to move adaptors around and power it from mains.
The Eth connection from Hex is now showing 1G.

Go to Interfaces → Ethernet, click interface you want to check and go to Status tab.

Strangely the rate is showing as 100mb too from Hex to cAP?
I had the wiring done by a friend of mine who works in networking but reading your comment about the termination in the back box I may have a look myself at the terminations.

Thanks again, M

So I applied the config and all is good apart from no internet on eth1 to 5.
Can reach google.com and 8.8.8.8 with traceroute via pppoe but not with Eth ports.
When I try with Eth ports I get “host unreachable from (Draytek 130 IP address)”

I have checked every thing is applied from config correctly I think.
Am I missing some glaring error?

So, I changed -

/ip dhcp-server network
add address=192.168.102.1/24 comment=E2-TVS_102 gateway=192.168.102.0
add address=192.168.103.1/24 comment=E3-PRIV_103 gateway=192.168.103.0
add address=192.168.104.1/24 comment=E4-CCTV_104 gateway=192.168.104.0
add address=192.168.105.1/24 comment=E5-cAPL-D_105 gateway=192.168.105.0

To this -

/ip dhcp-server network
add address=192.168.102.0/24 comment=E2-PRIV_102 gateway=192.168.102.1
add address=192.168.103.0/24 comment=E3-TVS_103 gateway=192.168.103.1
add address=192.168.104.0/24 comment=E4-CCTV_104 gateway=192.168.104.1
add address=192.168.105.0/24 comment=E5-cAPL-D_105 gateway=192.168.105.1

and all started working after a bit.

Right … I didn’t look at DHCP server settings, I was more focused on connectivity and firewall stuff.

I’m glad you figured it out. Learning process finished with success

Yep I will be checking that in the future.
Thanks for all your help mkx

Dont feel bad mkx, I made the same omission recently, It happens to the best of us even the Yoda’s of MT configurations.