Big Config Sanity Check

Well, I'll open by saying this is a pretty big ask of the community. This is going to have two relatively medium/large configs from CCR2116s and (1) RB5009 acting as a DHCP server. My goal is to have this VRRP setup configured correctly and do all of the things I need it to do (and yes, this is my first ever VRRP setup; it works great in a lab environment), but I'm about to unleash it on a festival network with potentially 2k-4k clients (rate limiting is happening on the APs as well). Also, my way of introducing the RB as a DHCP server was not by doing relays or anything like that; I just let it sit on the network and listen to/acknowledge requests. Again, in practice it seems to work fine. I apologize in advance for the 2116s still having the DHCP in the config, but it's there, disabled, in case for some reason the RB doesn't work, or I don't get a response and go into this without it working right.

Really appreciate anyone and everyone who could take the time to look this over and point out any glaring flaws with the setup.

Also, there are Netwatch triggers there; I wanted to basically enable and disable queues when or if the primary internet connection goes down.
Oh yeah, first time rolling out these queues, by the way, lol, so big leaps of faith going on with this.

For background: ether1_WAN1 - internet connection 1Gig/1Gig
ether2_WAN2 - 1G/40M - Comcast sucks over coax.

Here we go …

Core 1 VRRP - Master

/interface vlan
add interface=sfp-sfpplus2_LAN name=10-ApManagement vlan-id=10
add interface=sfp-sfpplus2_LAN name=130Production vlan-id=130
add interface=sfp-sfpplus2_LAN name=140Ticketing vlan-id=140
add interface=sfp-sfpplus2_LAN name=150Vendors vlan-id=150
add interface=sfp-sfpplus2_LAN name=160Vlan vlan-id=160
add interface=sfp-sfpplus2_LAN name=169Vlan vlan-id=169
add interface=sfp-sfpplus2_LAN name=170Vlan vlan-id=170
add interface=sfp-sfpplus2_LAN name=179Vlan vlan-id=179
add interface=sfp-sfpplus2_LAN name=180Vlan vlan-id=180
add interface=sfp-sfpplus2_LAN name=189Vlan vlan-id=189
add interface=sfp-sfpplus2_LAN name=190Vlan vlan-id=190
add interface=sfp-sfpplus2_LAN name=192-Toasts vlan-id=192
add interface=sfp-sfpplus2_LAN name=200Management vlan-id=200
add interface=sfp-sfpplus2_LAN name=210Vlan vlan-id=210
add interface=sfp-sfpplus2_LAN name=230Vlan vlan-id=230
add interface=sfp-sfpplus2_LAN name=240Vlan vlan-id=240
add interface=sfp-sfpplus2_LAN name=250Vlan vlan-id=250
add interface=sfp-sfpplus2_LAN name=260Vlan vlan-id=260
add interface=sfp-sfpplus2_LAN name=269Vlan vlan-id=269
add interface=sfp-sfpplus2_LAN name=270Vlan vlan-id=270
add interface=sfp-sfpplus2_LAN name=279Vlan vlan-id=279
add interface=sfp-sfpplus2_LAN name=280Vlan vlan-id=280
add interface=sfp-sfpplus2_LAN name=289Vlan vlan-id=289
add interface=sfp-sfpplus2_LAN name=290Vlan vlan-id=290
[joshhboss@Core1-CCR2116] /interface/vlan> ..vrrp/
[joshhboss@Core1-CCR2116] /interface/vrrp> export

/interface vrrp
add interface=10-ApManagement name=vrrp1-vl10 vrid=10
add interface=130Production name=vrrp1-vl130 vrid=130
add interface=140Ticketing name=vrrp1-vl140 vrid=140
add interface=150Vendors name=vrrp1-vl150 vrid=150
add interface=160Vlan name=vrrp1-vl160 vrid=160
add interface=169Vlan name=vrrp1-vl169 vrid=169
add interface=170Vlan name=vrrp1-vl170 vrid=170
add interface=179Vlan name=vrrp1-vl179 vrid=179
add interface=180Vlan name=vrrp1-vl180 vrid=180
add interface=189Vlan name=vrrp1-vl189 vrid=189
add interface=190Vlan name=vrrp1-vl190 vrid=190
add interface=192-Toasts name=vrrp1-vl192 vrid=192
add interface=200Management name=vrrp1-vl200 vrid=200
add interface=210Vlan name=vrrp1-vl210 vrid=210
add interface=230Vlan name=vrrp1-vl230 vrid=230
add interface=240Vlan name=vrrp1-vl240 vrid=240
add interface=250Vlan name=vrrp1-vl250 vrid=250
add interface=260Vlan name=vrrp1-vl260 vrid=60
add interface=269Vlan name=vrrp1-vl269 vrid=69
add interface=270Vlan name=vrrp1-vl270 vrid=70
add interface=279Vlan name=vrrp1-vl279 vrid=79
add interface=280Vlan name=vrrp1-vl280 vrid=80
add interface=289Vlan name=vrrp1-vl289 vrid=89
add interface=290Vlan name=vrrp1-vl290 vrid=90
[joshhboss@Core1-CCR2116] /interface/vrrp> /ip address/
[joshhboss@Core1-CCR2116] /ip/address> export
/ip address
add address=192.168.13.1/24 comment=defconf interface=ether13 network=192.168.13.0
add address=10.6.6.13/24 comment=MiamiEventWG interface=miamieventwg1 network=10.6.6.0
add address=10.130.0.2/20 interface=130Production network=10.130.0.0
add address=10.140.0.2/22 interface=140Ticketing network=10.140.0.0
add address=10.150.0.2/20 interface=150Vendors network=10.150.0.0
add address=10.160.0.2/20 interface=160Vlan network=10.160.0.0
add address=10.169.0.2/16 interface=169Vlan network=10.169.0.0
add address=10.170.0.2/22 interface=170Vlan network=10.170.0.0
add address=10.180.0.2/22 interface=180Vlan network=10.180.0.0
add address=10.189.0.2/22 interface=189Vlan network=10.189.0.0
add address=10.190.0.2/22 interface=190Vlan network=10.190.0.0
add address=192.168.200.2/24 interface=200Management network=192.168.200.0
add address=192.168.192.2/23 interface=192-Toasts network=192.168.192.0
add address=10.179.0.2/22 interface=179Vlan network=10.179.0.0
add address=10.10.10.2/23 interface=10-ApManagement network=10.10.10.0
add address=xx.xx.xx.2/24 interface=2116chr network=xx.xx.xx.0
add address=10.21.0.2/22 interface=210Vlan network=10.21.0.0
add address=10.23.0.2/22 interface=230Vlan network=10.23.0.0
add address=10.24.0.2/22 interface=240Vlan network=10.24.0.0
add address=10.25.0.2/22 interface=250Vlan network=10.25.0.0
add address=10.26.0.2/22 interface=260Vlan network=10.26.0.0
add address=10.26.32.2/19 interface=269Vlan network=10.26.32.0
add address=10.27.0.2/22 interface=270Vlan network=10.27.0.0
add address=10.27.8.2/22 interface=279Vlan network=10.27.8.0
add address=10.28.0.2/22 interface=280Vlan network=10.28.0.0
add address=10.28.8.2/22 interface=289Vlan network=10.28.8.0
add address=10.29.0.2/22 interface=290Vlan network=10.29.0.0
add address=xx.xx.xx.57/24 interface=smallpf network=xx.xx.xx.0
add address=10.17.0.101/24 interface=sfp-sfpplus1_WAN network=10.17.0.0
add address=10.10.10.1 interface=vrrp1-vl10 network=10.10.10.1
add address=10.130.0.1 interface=vrrp1-vl130 network=10.130.0.1
add address=192.168.200.1 interface=vrrp1-vl200 network=192.168.200.1
add address=10.140.0.1 interface=vrrp1-vl140 network=10.140.0.1
add address=10.150.0.1 interface=vrrp1-vl150 network=10.150.0.1
add address=10.160.0.1 interface=vrrp1-vl160 network=10.160.0.1
add address=10.169.0.1 interface=vrrp1-vl169 network=10.169.0.1
add address=10.170.0.1 interface=vrrp1-vl170 network=10.170.0.1
add address=10.179.0.1 interface=vrrp1-vl179 network=10.179.0.1
add address=10.180.0.1 interface=vrrp1-vl180 network=10.180.0.1
add address=10.189.0.1 interface=vrrp1-vl189 network=10.189.0.1
add address=10.190.0.1 interface=vrrp1-vl190 network=10.190.0.1
add address=192.168.192.1 interface=vrrp1-vl192 network=192.168.192.1
add address=10.21.0.1 interface=vrrp1-vl210 network=10.21.0.1
add address=10.23.0.1 interface=vrrp1-vl230 network=10.23.0.1
add address=10.24.0.1 interface=vrrp1-vl240 network=10.24.0.1
add address=10.25.0.1 interface=vrrp1-vl250 network=10.25.0.1
add address=10.26.0.1 interface=vrrp1-vl260 network=10.26.0.1
add address=10.26.32.1 interface=vrrp1-vl269 network=10.26.32.1
add address=10.27.0.1 interface=vrrp1-vl270 network=10.27.0.1
add address=10.27.8.1 interface=vrrp1-vl279 network=10.27.8.1
add address=10.28.0.1 interface=vrrp1-vl280 network=10.28.0.1
add address=10.28.8.1 interface=vrrp1-vl289 network=10.28.8.1
add address=10.29.0.1 interface=vrrp1-vl290 network=10.29.0.1
add address=xx.xx.xx.155/29 interface=ether1_WAN1 network=xx.xx.xx.152
add address=xx.xx.xx.129/29 interface=ether2_WAN2 network=xx.xx.xx.128
[joshhboss@Core1-CCR2116] /ip/address> /ip dhcp-server/
[joshhboss@Core1-CCR2116] /ip/dhcp-server> export 
/ip dhcp-server
add address-pool=140Ticketing disabled=yes interface=vrrp1-vl140 lease-time=1d name=140Ticketing
add address-pool=150Vendors disabled=yes interface=vrrp1-vl150 lease-time=1d name=150Vendors
add address-pool=169Vlan disabled=yes interface=vrrp1-vl169 lease-time=3h name=169Vlan
add address-pool=170Vlan disabled=yes interface=vrrp1-vl170 lease-time=3h name=170Vlan
add address-pool=180Vlan disabled=yes interface=vrrp1-vl180 lease-time=3h name=180Vlan
add address-pool=189Vlan disabled=yes interface=vrrp1-vl189 lease-time=3h name=189Vlan
add address-pool=190Vlan disabled=yes interface=vrrp1-vl190 lease-time=3h name=190Vlan
add address-pool=160Vlan disabled=yes interface=vrrp1-vl160 lease-time=3h name=160Vlan
add address-pool=192-Toasts disabled=yes interface=vrrp1-vl192 lease-time=12h name=192-Toasts
add address-pool=179Vlan disabled=yes interface=vrrp1-vl179 lease-time=3h name=179Vlan
add address-pool=10Ap-Management disabled=yes interface=vrrp1-vl10 lease-time=1d name=10AP-Management
add address-pool=130Production disabled=yes interface=vrrp1-vl130 lease-time=1d name=130Production
add address-pool=210Vlan disabled=yes interface=vrrp1-vl210 lease-time=1d name=210Vlan
add address-pool=230Vlan disabled=yes interface=vrrp1-vl230 lease-time=1d name=230Vlan
add address-pool=240Vlan disabled=yes interface=vrrp1-vl240 lease-time=1d name=240Vlan
add address-pool=250Vlan disabled=yes interface=vrrp1-vl250 lease-time=1d name=250Vlan
add address-pool=260Vlan disabled=yes interface=vrrp1-vl260 lease-time=1d name=260Vlan
add address-pool=270Vlan disabled=yes interface=vrrp1-vl270 lease-time=1d name=270Vlan
add address-pool=279Vlan disabled=yes interface=vrrp1-vl279 lease-time=1d name=279Vlan
add address-pool=280Vlan disabled=yes interface=vrrp1-vl280 lease-time=1d name=280Vlan
add address-pool=289Vlan disabled=yes interface=vrrp1-vl289 lease-time=1d name=289Vlan
add address-pool=290Vlan disabled=yes interface=vrrp1-vl290 lease-time=1d name=290Vlan
add address-pool=Emergency interface=ether13 name=Emergency
add address-pool=269Vlan disabled=yes interface=vrrp1-vl269 lease-time=12h name=269Vlan

/ip dhcp-server network
add address=10.10.10.0/23 dhcp-option=eventcloud dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.21.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.21.0.1
add address=10.23.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.23.0.1
add address=10.24.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.24.0.1
add address=10.25.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.25.0.1
add address=10.26.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.0.1
add address=10.26.8.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.8.1
add address=10.26.32.0/19 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.32.1
add address=10.27.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.27.0.1
add address=10.27.8.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.27.8.1
add address=10.28.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.28.0.1
add address=10.29.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.29.0.1
add address=10.130.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.130.0.1
add address=10.140.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.140.0.1
add address=10.150.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.150.0.1
add address=10.160.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.160.0.1
add address=10.169.0.0/16 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.169.0.1
add address=10.170.0.0/22 dhcp-option=effective dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.170.0.1
add address=10.179.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.179.0.1
add address=10.180.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.180.0.1
add address=10.189.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.189.0.1
add address=10.190.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.190.0.1
add address=192.168.13.0/24 gateway=192.168.13.1
add address=192.168.88.0/24 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=192.168.88.1
[joshhboss@Core1-CCR2116] /ip/dhcp-server> /ip/firewall/filter/
/ip firewall filter
add action=drop chain=output comment=Test-NetwatchFailover disabled=yes dst-address=1.1.1.1 out-interface=ether1_WAN1 protocol=icmp
add action=drop chain=output comment=ISP2-Drop-Ping-To-ISP1-DNS-Check dst-address=1.1.1.1 out-interface-list=ISP2 protocol=icmp
add action=drop chain=output comment=ISP1-Drop-Ping-To-ISP2-DNS-Check dst-address=1.0.0.1 out-interface-list=ISP1 protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment=AllowVRRP in-interface-list=VRRP-INPUT protocol=vrrp
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment=UDP-DNS-NTP dst-port=53,123 protocol=udp src-address-list=NTP-DNS
add action=accept chain=input comment=TCP-DNS dst-port=53 protocol=tcp src-address-list=NTP-DNS
add action=accept chain=input comment="Allow Authorized" src-address-list=Authorized
add action=accept chain=input comment="Allow AP to Management - 8291" dst-address=192.168.200.1 dst-port=8291 protocol=tcp src-address-list=10AP-Management
add action=drop chain=input comment=DropALLElse
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=Allow-AP-TO-Controllers dst-address-list=AllowRemoteControllers in-interface=vrrp1-vl10
add action=accept chain=forward comment="AllowInternet For LAN" in-interface-list=VRRP-LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Authorized ALL" src-address-list=Authorized
add action=accept chain=forward comment=AllPortForwarding connection-nat-state=dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL ELSE"
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
[joshhboss@Core1-CCR2116] /ip/firewall/filter> ..nat/
[joshhboss@Core1-CCR2116] /ip/firewall/nat> export
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Internet Rule - Wan 1" out-interface=ether1_WAN1
add action=masquerade chain=srcnat comment="Masquerade Internet Rule - Wan 2" out-interface=ether2_WAN2
add action=masquerade chain=srcnat comment="Masquerade Internet Rule - Wan 3 DHCP" disabled=yes out-interface=ether3_WAN3
add action=dst-nat chain=dstnat dst-port=888 in-interface=smallpf protocol=tcp to-addresses=192.168.200.30 to-ports=80
[joshhboss@Core1-CCR2116] /ip/firewall/nat> /queue/
[joshhboss@Core1-CCR2116] /queue> export 
/queue simple
add comment=ISP1_QUE_TOTAL max-limit=800M/900M name=total target=192.168.0.0/16,10.0.0.0/8
add comment=ISP2_QUE_TOTAL disabled=yes max-limit=40M/500M name=total-ISP2 target=192.168.0.0/16,10.0.0.0/8
/queue type
add kind=pcq name=pcq-up-2M pcq-classifier=src-address pcq-rate=2M pcq-total-limit=5000KiB
add kind=pcq name=pcq-dl-20M pcq-classifier=dst-address pcq-rate=20M pcq-total-limit=5000KiB
add kind=fq-codel name=fq-codel-default
/queue simple
add comment=ISP1_QUE_ALOHA_CLOVER limit-at=200M/200M max-limit=750M/750M name=aloha-clover parent=total priority=5/5 queue=fq-codel-default/fq-codel-default target=10.150.0.0/20,192.168.192.0/23 total-queue=fq-codel-default
add comment=ISP1_QUE_STAFF_CAMERAS limit-at=200M/200M max-limit=750M/750M name=staff-cams parent=total priority=6/6 queue=fq-codel-default/fq-codel-default target=10.130.0.0/20 total-queue=fq-codel-default
add comment=ISP1_QUE_MANAGEMENT limit-at=200M/200M max-limit=800M/900M name=management-others parent=total priority=7/7 queue=fq-codel-default/fq-codel-default target=192.168.200.0/24,10.10.10.0/23,xx.xx.xx.0/24,xx.xx.xx.0/24 total-queue=\
    fq-codel-default
add comment=ISP_QUE_GUEST disabled=yes limit-at=5M/100M max-limit=38M/490M name=guests parent=total queue=pcq-up-2M/pcq-dl-20M target=10.169.0.0/16 total-queue=fq-codel-default
add comment=ISP2_QUE_ALOHA_CLOVER disabled=yes limit-at=10M/100M max-limit=38M/490M name=aloha-clover-ISP2 parent=total-ISP2 priority=5/5 queue=fq-codel-default/fq-codel-default target=10.150.0.0/20,192.168.192.0/24 total-queue=fq-codel-default
add comment=ISP2_QUE_STAFF_CAMERAS disabled=yes limit-at=15M/100M max-limit=38M/490M name=staff-cams-ISP2 parent=total-ISP2 priority=6/6 queue=fq-codel-default/fq-codel-default target=10.130.0.0/20 total-queue=fq-codel-default
add comment=ISP2_QUE_MANAGEMENT disabled=yes limit-at=5M/50M max-limit=38M/490M name=management-others-ISP2 parent=total-ISP2 priority=7/7 queue=fq-codel-default/fq-codel-default target=\
    192.168.200.0/24,10.10.10.0/23,192.168.8.0/24,xx.xx.xx.0/24,xx.xx.xx.0/24 total-queue=fq-codel-default
add comment=ISP2_QUE_GUEST disabled=yes limit-at=5M/100M max-limit=38M/490M name=guests-ISP2 parent=total-ISP2 queue=pcq-up-2M/pcq-dl-20M target=10.169.0.0/16 total-queue=fq-codel-default
[joshhboss@Core1-CCR2116] /queue> /ip/route/
[joshhboss@Core1-CCR2116] /ip/route> export
/ip route
add comment=WAN1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.xx.153 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN1-dns disabled=no distance=1 dst-address=1.1.1.1/32 gateway=xx.xx.xx.153 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN1-21 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.xx.134 pref-src="" routing-table=WAN21 scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN2-21 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=xx.xx.xx.153 pref-src="" routing-table=WAN21 scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=xx.xx.xx.134 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN2-dns disabled=no distance=1 dst-address=1.0.0.1/32 gateway=xx.xx.xx.134 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
[joshhboss@Core1-CCR2116] /ip/route> /tool/netwatch/export
/tool netwatch
add comment="Internet Test - WAN1" disabled=no down-script="ip route disable [find where comment=WAN1]\r\
    \n/queue/simple/disable [find where comment~\"ISP1\"]\r\
    \n/queue/simple/enable [find where comment~\"ISP2\"]" host=1.1.1.1 http-codes="" interval=10s packet-count=10 packet-interval=500ms test-script="" thr-avg=700ms thr-jitter=2s thr-max=2s thr-stdev=700ms timeout=5s type=simple up-script=\
    "/ip route enable [find where comment=WAN1]\r\
    \n/queue/simple/enable [find where comment~\"ISP1\"]\r\
    \n/queue/simple/disable [find where comment~\"ISP2\"]"
add comment="Internet Test - WAN2" disabled=no down-script="/ip route disable [find where comment=WAN1-21]\r\
    \n" host=1.0.0.1 http-codes="" test-script="" thr-avg=700ms thr-jitter=2s thr-max=2s thr-stdev=500ms type=simple up-script="/ip route enable [find where comment=WAN1-21]\r\
    \n"
add comment="Check CHR Server" disabled=no down-script="" host=xx.xx.xx.1 http-codes="" test-script="" type=icmp up-script=""

Core 2 - 2116 BackUp

add interface=sfp-sfpplus2_LAN name=10-ApManagement vlan-id=10
add interface=sfp-sfpplus2_LAN name=130Production vlan-id=130
add interface=sfp-sfpplus2_LAN name=140Ticketing vlan-id=140
add interface=sfp-sfpplus2_LAN name=150Vendors vlan-id=150
add interface=sfp-sfpplus2_LAN name=160Vlan vlan-id=160
add interface=sfp-sfpplus2_LAN name=169Vlan vlan-id=169
add interface=sfp-sfpplus2_LAN name=170Vlan vlan-id=170
add interface=sfp-sfpplus2_LAN name=179Vlan vlan-id=179
add interface=sfp-sfpplus2_LAN name=180Vlan vlan-id=180
add interface=sfp-sfpplus2_LAN name=189Vlan vlan-id=189
add interface=sfp-sfpplus2_LAN name=190Vlan vlan-id=190
add interface=sfp-sfpplus2_LAN name=192-Toasts vlan-id=192
add interface=sfp-sfpplus2_LAN name=200Management vlan-id=200
add interface=sfp-sfpplus2_LAN name=210Vlan vlan-id=210
add interface=sfp-sfpplus2_LAN name=230Vlan vlan-id=230
add interface=sfp-sfpplus2_LAN name=240Vlan vlan-id=240
add interface=sfp-sfpplus2_LAN name=250Vlan vlan-id=250
add interface=sfp-sfpplus2_LAN name=260Vlan vlan-id=260
add interface=sfp-sfpplus2_LAN name=269Vlan vlan-id=269
add interface=sfp-sfpplus2_LAN name=270Vlan vlan-id=270
add interface=sfp-sfpplus2_LAN name=279Vlan vlan-id=279
add interface=sfp-sfpplus2_LAN name=280Vlan vlan-id=280
add interface=sfp-sfpplus2_LAN name=289Vlan vlan-id=289
add interface=sfp-sfpplus2_LAN name=290Vlan vlan-id=290
[joshhboss@Core2-CCR2116] /interface/vlan> ..vrrp
[joshhboss@Core2-CCR2116] /interface/vrrp> export
/interface vrrp
add interface=10-ApManagement name=vrrp1-vl10 priority=50 vrid=10
add interface=130Production name=vrrp1-vl130 priority=50 vrid=130
add interface=140Ticketing name=vrrp1-vl140 priority=50 vrid=140
add interface=150Vendors name=vrrp1-vl150 priority=50 vrid=150
add interface=160Vlan name=vrrp1-vl160 priority=50 vrid=160
add interface=169Vlan name=vrrp1-vl169 priority=50 vrid=169
add interface=170Vlan name=vrrp1-vl170 priority=50 vrid=170
add interface=179Vlan name=vrrp1-vl179 priority=50 vrid=179
add interface=180Vlan name=vrrp1-vl180 priority=50 vrid=180
add interface=189Vlan name=vrrp1-vl189 priority=50 vrid=189
add interface=190Vlan name=vrrp1-vl190 priority=50 vrid=190
add interface=192-Toasts name=vrrp1-vl192 priority=50 vrid=192
add interface=200Management name=vrrp1-vl200 priority=50 vrid=200
add interface=210Vlan name=vrrp1-vl210 priority=50 vrid=210
add interface=230Vlan name=vrrp1-vl230 priority=50 vrid=230
add interface=240Vlan name=vrrp1-vl240 priority=50 vrid=240
add interface=250Vlan name=vrrp1-vl250 priority=50 vrid=250
add interface=260Vlan name=vrrp1-vl260 priority=50 vrid=60
add interface=269Vlan name=vrrp1-vl269 priority=50 vrid=69
add interface=270Vlan name=vrrp1-vl270 priority=50 vrid=70
add interface=279Vlan name=vrrp1-vl279 priority=50 vrid=79
add interface=280Vlan name=vrrp1-vl280 priority=50 vrid=80
add interface=289Vlan name=vrrp1-vl289 priority=50 vrid=89
add interface=290Vlan name=vrrp1-vl290 priority=50 vrid=90
[joshhboss@Core2-CCR2116] /interface/vrrp> /ip address/
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether13 network=192.168.88.0
add address=192.168.13.1/24 comment=defconf interface=ether13 network=192.168.13.0
add address=10.130.0.3/20 interface=130Production network=10.130.0.0
add address=10.140.0.3/22 interface=140Ticketing network=10.140.0.0
add address=10.150.0.3/20 interface=150Vendors network=10.150.0.0
add address=10.160.0.3/20 interface=160Vlan network=10.160.0.0
add address=10.169.0.3/16 interface=169Vlan network=10.169.0.0
add address=10.170.0.3/22 interface=170Vlan network=10.170.0.0
add address=10.180.0.3/22 interface=180Vlan network=10.180.0.0
add address=10.189.0.3/22 interface=189Vlan network=10.189.0.0
add address=10.190.0.3/22 interface=190Vlan network=10.190.0.0
add address=192.168.200.3/24 interface=200Management network=192.168.200.0
add address=192.168.192.3/23 interface=192-Toasts network=192.168.192.0
add address=10.179.0.3/22 interface=179Vlan network=10.179.0.0
add address=10.10.10.3/23 interface=10-ApManagement network=10.10.10.0
add address=10.21.0.3/22 interface=210Vlan network=10.21.0.0
add address=10.23.0.3/22 interface=230Vlan network=10.23.0.0
add address=10.24.0.3/22 interface=240Vlan network=10.24.0.0
add address=10.25.0.3/22 interface=250Vlan network=10.25.0.0
add address=10.26.0.3/22 interface=260Vlan network=10.26.0.0
add address=10.26.32.3/19 interface=269Vlan network=10.26.32.0
add address=10.27.0.3/22 interface=270Vlan network=10.27.0.0
add address=10.27.8.3/22 interface=279Vlan network=10.27.8.0
add address=10.28.0.3/22 interface=280Vlan network=10.28.0.0
add address=10.28.8.3/22 interface=289Vlan network=10.28.8.0
add address=10.29.0.3/22 interface=290Vlan network=10.29.0.0
add address=xx.xx.xx.2/24 interface=rllawg network=xx.xx.xx.0
add address=10.7.9.58/24 interface=smallpf network=10.7.9.0
add address=10.17.0.102/24 interface=sfp-sfpplus1_WAN network=10.17.0.0
add address=10.10.10.1 interface=vrrp1-vl10 network=10.10.10.1
add address=10.130.0.1 interface=vrrp1-vl130 network=10.130.0.1
add address=192.168.200.1 interface=vrrp1-vl200 network=192.168.200.1
add address=10.140.0.1 interface=vrrp1-vl140 network=10.140.0.1
add address=10.150.0.1 interface=vrrp1-vl150 network=10.150.0.1
add address=10.160.0.1 interface=vrrp1-vl160 network=10.160.0.1
add address=10.169.0.1 interface=vrrp1-vl169 network=10.169.0.1
add address=10.170.0.1 interface=vrrp1-vl170 network=10.170.0.1
add address=10.179.0.1 interface=vrrp1-vl179 network=10.179.0.1
add address=10.180.0.1 interface=vrrp1-vl180 network=10.180.0.1
add address=10.189.0.1 interface=vrrp1-vl189 network=10.189.0.1
add address=10.190.0.1 interface=vrrp1-vl190 network=10.190.0.1
add address=192.168.192.1 interface=vrrp1-vl192 network=192.168.192.1
add address=10.21.0.1 interface=vrrp1-vl210 network=10.21.0.1
add address=10.23.0.1 interface=vrrp1-vl230 network=10.23.0.1
add address=10.24.0.1 interface=vrrp1-vl240 network=10.24.0.1
add address=10.25.0.1 interface=vrrp1-vl250 network=10.25.0.1
add address=10.26.0.1 interface=vrrp1-vl260 network=10.26.0.1
add address=10.26.32.1 interface=vrrp1-vl269 network=10.26.32.1
add address=10.27.0.1 interface=vrrp1-vl270 network=10.27.0.1
add address=10.27.8.1 interface=vrrp1-vl279 network=10.27.8.1
add address=10.28.0.1 interface=vrrp1-vl280 network=10.28.0.1
add address=10.28.8.1 interface=vrrp1-vl289 network=10.28.8.1
add address=10.29.0.1 interface=vrrp1-vl290 network=10.29.0.1
add address=xx.xx.xx.156/29 interface=ether1_WAN1 network=xx.xx.xx.152
add address=xx.xx.xx.130/29 interface=ether2_WAN2 network=xx.xx.xx.128
add address=xx.xx.xx.11/24 interface=2116chr network=xx.xx.xx.0
[joshhboss@Core2-CCR2116] /ip/address> /ip dhcp-server/
[joshhboss@Core2-CCR2116] /ip/dhcp-server> export
/ip dhcp-server
add address-pool=140Ticketing disabled=yes interface=140Ticketing lease-time=3h name=140Ticketing
add address-pool=150Vendors disabled=yes interface=150Vendors lease-time=3h name=150Vendors
add address-pool=169Vlan disabled=yes interface=169Vlan lease-time=3h name=169Vlan
add address-pool=170Vlan disabled=yes interface=170Vlan lease-time=3h name=170Vlan
add address-pool=180Vlan disabled=yes interface=180Vlan lease-time=3h name=180Vlan
add address-pool=189Vlan disabled=yes interface=189Vlan lease-time=3h name=189Vlan
add address-pool=190Vlan disabled=yes interface=190Vlan lease-time=3h name=190Vlan
add address-pool=160Vlan disabled=yes interface=160Vlan lease-time=3h name=160Vlan
add address-pool=192-Toasts disabled=yes interface=192-Toasts lease-time=12h name=192-Toasts
add address-pool=179Vlan disabled=yes interface=179Vlan lease-time=3h name=179Vlan
add address-pool=10Ap-Management disabled=yes interface=10-ApManagement lease-time=1d name=10AP-Management
add address-pool=130Production disabled=yes interface=130Production lease-time=1d name=130Production
add address-pool=210Vlan disabled=yes interface=210Vlan lease-time=1d name=210Vlan
add address-pool=230Vlan disabled=yes interface=230Vlan lease-time=1d name=230Vlan
add address-pool=240Vlan disabled=yes interface=240Vlan lease-time=1d name=240Vlan
add address-pool=250Vlan disabled=yes interface=250Vlan lease-time=1d name=250Vlan
add address-pool=260Vlan disabled=yes interface=260Vlan lease-time=1d name=260Vlan
add address-pool=270Vlan disabled=yes interface=270Vlan lease-time=1d name=270Vlan
add address-pool=279Vlan disabled=yes interface=279Vlan lease-time=1d name=279Vlan
add address-pool=280Vlan disabled=yes interface=280Vlan lease-time=1d name=280Vlan
add address-pool=289Vlan disabled=yes interface=289Vlan lease-time=1d name=289Vlan
add address-pool=290Vlan disabled=yes interface=290Vlan lease-time=1d name=290Vlan
add address-pool=Emergency interface=ether13 name=Emergency
add address-pool=269Vlan disabled=yes interface=269Vlan lease-time=12h name=269Vlan
/ip dhcp-server network
add address=10.10.10.0/23 dhcp-option=rlunifi dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.21.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.21.0.1
add address=10.23.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.23.0.1
add address=10.24.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.24.0.1
add address=10.25.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.25.0.1
add address=10.26.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.0.1
add address=10.26.32.0/19 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.32.1
add address=10.27.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.27.0.1
add address=10.27.8.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.27.8.1
add address=10.28.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.28.0.1
add address=10.28.8.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.28.8.1
add address=10.29.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.29.0.1
add address=10.130.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.130.0.1
add address=10.140.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.140.0.1
add address=10.150.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.150.0.1
add address=10.160.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.160.0.1
add address=10.169.0.0/16 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.169.0.1
add address=10.170.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.170.0.1
add address=10.179.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.179.0.1
add address=10.180.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.180.0.1
add address=10.189.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.189.0.1
add address=10.190.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.190.0.1
add address=192.168.13.0/24 gateway=192.168.13.1
add address=192.168.88.0/24 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=192.168.88.1
add address=192.168.192.0/23 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=192.168.192.1
[joshhboss@Core2-CCR2116] /ip/dhcp-server> /ip/firewall/filter/
[joshhboss@Core2-CCR2116] /ip/firewall/filter> export
/ip firewall filter
add action=drop chain=output comment=ISP2-Drop-Ping-To-ISP1-DNS-Check dst-address=1.1.1.1 out-interface-list=ISP2 protocol=icmp
add action=drop chain=output comment=ISP1-Drop-Ping-To-ISP2-DNS-Check dst-address=1.0.0.1 out-interface-list=ISP1 protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment=AllowVRRP-Router in-interface-list=VRRP-INPUT protocol=vrrp
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment=UDP-DNS-NTP dst-port=53,123 protocol=udp src-address-list=NTP-DNS
add action=accept chain=input comment=TCP-DNS dst-port=53 protocol=tcp src-address-list=NTP-DNS
add action=accept chain=input comment="Allow Authorized" src-address-list=Authorized
add action=accept chain=input comment="Allow AP to Management - 8291" dst-address=192.168.200.1 dst-port=8291 protocol=tcp src-address-list=10AP-Management
add action=drop chain=input comment=DropALLElse
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=Allow-AP-TO-Controllers dst-address-list=AllowRemoteControllers in-interface=vrrp1-vl10
add action=accept chain=forward comment="AllowInternet For LAN" in-interface-list=VRRP-LAN out-interface-list=WAN
add action=accept chain=forward comment=AllowVRRP-ALL in-interface-list=VRRP-LAN
add action=accept chain=forward comment="Allow Authorized ALL" src-address-list=Authorized
add action=accept chain=forward comment=AllPortForwarding connection-nat-state=dstnat connection-state="" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL ELSE"
[joshhboss@Core2-CCR2116] /ip/firewall/filter> /ip firewall/nat/export
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Internet Rule - Wan 1" out-interface=ether1_WAN1
add action=masquerade chain=srcnat comment="Masquerade Internet Rule - Wan 2" out-interface=ether2_WAN2
add action=masquerade chain=srcnat comment="Masquerade Internet Rule - Wan 3 DHCP" disabled=yes out-interface=ether3_WAN3
[joshhboss@Core2-CCR2116] /ip/firewall/filter> /queue/export
/queue simple
add comment=ISP1_QUE_TOTAL max-limit=800M/900M name=total target=192.168.0.0/16,10.0.0.0/8
add comment=ISP2_QUE_TOTAL disabled=yes max-limit=40M/500M name=total-ISP2 target=192.168.0.0/16,10.0.0.0/8
/queue type
add kind=pcq name=pcq-up-2M pcq-classifier=src-address pcq-rate=2M pcq-total-limit=5000KiB
add kind=pcq name=pcq-dl-20M pcq-classifier=dst-address pcq-rate=20M pcq-total-limit=5000KiB
add kind=fq-codel name=fq-codel-default
/queue simple
add comment=ISP1_QUE_ALOHA_CLOVER limit-at=200M/200M max-limit=750M/750M name=aloha-clover parent=total priority=5/5 queue=fq-codel-default/fq-codel-default target=10.150.0.0/20,192.168.192.0/23 total-queue=fq-codel-default
add comment=ISP1_QUE_STAFF_CAMERAS limit-at=200M/200M max-limit=750M/750M name=staff-cams parent=total priority=6/6 queue=fq-codel-default/fq-codel-default target=10.130.0.0/20 total-queue=fq-codel-default
add comment=ISP1_QUE_MANAGEMENT limit-at=200M/200M max-limit=800M/900M name=management-others parent=total priority=7/7 queue=fq-codel-default/fq-codel-default target=192.168.200.0/24,10.10.10.0/23,xx.xx.xx.0/24,10.7.9.0/24 total-queue=\
    fq-codel-default
add comment=ISP_QUE_GUEST disabled=yes limit-at=5M/100M max-limit=38M/490M name=guests parent=total queue=pcq-up-2M/pcq-dl-20M target=10.169.0.0/16 total-queue=fq-codel-default
add comment=ISP2_QUE_ALOHA_CLOVER disabled=yes limit-at=10M/100M max-limit=38M/490M name=aloha-clover-ISP2 parent=total-ISP2 priority=5/5 queue=fq-codel-default/fq-codel-default target=10.150.0.0/20,192.168.192.0/24 total-queue=fq-codel-default
add comment=ISP2_QUE_STAFF_CAMERAS disabled=yes limit-at=15M/100M max-limit=38M/490M name=staff-cams-ISP2 parent=total-ISP2 priority=6/6 queue=fq-codel-default/fq-codel-default target=10.130.0.0/20 total-queue=fq-codel-default
add comment=ISP2_QUE_MANAGEMENT disabled=yes limit-at=5M/50M max-limit=38M/490M name=management-others-ISP2 parent=total-ISP2 priority=7/7 queue=fq-codel-default/fq-codel-default target=\
    192.168.200.0/24,10.10.10.0/23,192.168.8.0/24,xx.xx.xx.0/24,10.7.9.0/24 total-queue=fq-codel-default
add comment=ISP2_QUE_GUEST disabled=yes limit-at=5M/100M max-limit=38M/490M name=guests-ISP2 parent=total-ISP2 queue=pcq-up-2M/pcq-dl-20M target=10.169.0.0/16 total-queue=fq-codel-default
[joshhboss@Core2-CCR2116] /ip/firewall/filter> /ip/route/
[joshhboss@Core2-CCR2116] /ip/route> export

/ip route
add check-gateway=ping comment=WAN1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.xx.153 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN1-dns disabled=no distance=1 dst-address=1.1.1.1/32 gateway=xx.xx.xx.153 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN2-dns disabled=no distance=1 dst-address=1.0.0.1/32 gateway=xx.xx.xx.134 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WAN2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=xx.xx.xx.134 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN1-21 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.xx.134 pref-src="" routing-table=WAN21 scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN2-21 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=xx.xx.xx.153 pref-src="" routing-table=WAN21 scope=30 suppress-hw-offload=no target-scope=10
[joshhboss@Core2-CCR2116] /ip/route> /tool/netwatch/export
/tool netwatch
add comment="Internet Test - WAN1" disabled=no down-script="ip route disable [find where comment=WAN1]\r\
    \n/queue/simple/disable [find where comment~\"ISP1\"]\r\
    \n/queue/simple/enable [find where comment~\"ISP2\"]" host=1.1.1.1 http-codes="" interval=10s packet-count=10 packet-interval=500ms test-script="" thr-avg=700ms thr-jitter=2s thr-max=2s thr-stdev=700ms timeout=5s type=simple up-script=\
    "/ip route enable [find where comment=WAN1]\r\
    \n/queue/simple/enable [find where comment~\"ISP1\"]\r\
    \n/queue/simple/disable [find where comment~\"ISP2\"]"
add comment="Internet Test - WAN2" disabled=no down-script="/ip route disable [find where comment=WAN1-21]" host=1.0.0.1 http-codes="" interval=10s test-script="" thr-avg=700ms thr-jitter=2s thr-max=2s thr-stdev=500ms timeout=5s type=simple \
    up-script="/ip route enable [find where comment=WAN1-21]\r\
    \n\r\
    \n"
add comment=Test-2116-CCR-WG disabled=yes down-script="" host=xx.xx.xx.1 http-codes="" test-script="" type=icmp up-script=""

RB-DHCP- Server

[joshhboss@RB-DHCP-Sw4] > export 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no
/interface vlan
add interface=bridge name=10-ApManagement vlan-id=10
add interface=bridge name=130Production vlan-id=130
add interface=bridge name=140Ticketing vlan-id=140
add interface=bridge name=150Vendors vlan-id=150
add interface=bridge name=160Vlan vlan-id=160
add interface=bridge name=169Vlan vlan-id=169
add interface=bridge name=170Vlan vlan-id=170
add interface=bridge name=179Vlan vlan-id=179
add interface=bridge name=180Vlan vlan-id=180
add interface=bridge name=189Vlan vlan-id=189
add interface=bridge name=190Vlan vlan-id=190
add interface=bridge name=192-Toasts vlan-id=192
add interface=bridge name=200Management vlan-id=200
add interface=bridge name=210Vlan vlan-id=210
add interface=bridge name=230Vlan vlan-id=230
add interface=bridge name=240Vlan vlan-id=240
add interface=bridge name=250Vlan vlan-id=250
add interface=bridge name=260Vlan vlan-id=260
add interface=bridge name=269Vlan vlan-id=269
add interface=bridge name=270Vlan vlan-id=270
add interface=bridge name=279Vlan vlan-id=279
add interface=bridge name=280Vlan vlan-id=280
add interface=bridge name=289Vlan vlan-id=289
add interface=bridge name=290Vlan vlan-id=290
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=Emergency8 ranges=192.168.8.2-192.168.8.254
add name=140Ticketing ranges=10.140.0.50-10.140.3.254
add name=150Vendors ranges=10.150.0.50-10.150.15.254
add name=169Vlan ranges=10.169.0.2-10.169.255.254
add name=170Vlan ranges=10.170.0.50-10.170.3.254
add name=180Vlan ranges=10.180.0.50-10.180.3.254
add name=189Vlan ranges=10.189.0.50-10.189.3.254
add name=190Vlan ranges=10.190.0.50-10.190.3.254
add name=160Vlan ranges=10.160.0.100-10.160.15.254
add name=192-Toasts ranges=192.168.192.50-192.168.193.250
add name=179Vlan ranges=10.179.0.100-10.179.3.254
add name=10Ap-Management ranges=10.10.10.100-10.10.11.254
add name=130Production ranges=10.130.0.100-10.130.15.254
add name=210Vlan ranges=10.21.0.100-10.21.3.254
add name=230Vlan ranges=10.23.0.100-10.23.3.254
add name=240Vlan ranges=10.24.0.100-10.24.3.254
add name=250Vlan ranges=10.25.0.100-10.25.3.254
add name=260Vlan ranges=10.26.0.100-10.26.3.254
add name=270Vlan ranges=10.27.0.100-10.27.3.254
add name=279Vlan ranges=10.27.8.100-10.27.11.254
add name=280Vlan ranges=10.28.0.100-10.28.3.254
add name=289Vlan ranges=10.28.8.100-10.28.11.254
add name=290Vlan ranges=10.29.0.100-10.29.3.254
add name=Emergency ranges=192.168.13.10-192.168.13.254
add name=269Vlan ranges=10.26.32.2-10.26.63.254
/ip dhcp-server
add address-pool=Emergency8 interface=ether8 name=Emergency8
add address-pool=140Ticketing interface=140Ticketing lease-time=1d name=140Ticketing
add address-pool=150Vendors interface=150Vendors lease-time=1d name=150Vendors
add address-pool=169Vlan interface=169Vlan lease-time=3h name=169Vlan
add address-pool=170Vlan interface=170Vlan lease-time=3h name=170Vlan
add address-pool=180Vlan interface=180Vlan lease-time=3h name=180Vlan
add address-pool=189Vlan interface=189Vlan lease-time=3h name=189Vlan
add address-pool=190Vlan interface=190Vlan lease-time=3h name=190Vlan
add address-pool=160Vlan interface=160Vlan lease-time=3h name=160Vlan
add address-pool=192-Toasts interface=192-Toasts lease-time=12h name=192-Toasts
add address-pool=179Vlan interface=179Vlan lease-time=3h name=179Vlan
add address-pool=10Ap-Management interface=10-ApManagement lease-time=1d name=10AP-Management
add address-pool=130Production interface=130Production lease-time=1d name=130Production
add address-pool=210Vlan interface=210Vlan lease-time=1d name=210Vlan
add address-pool=230Vlan interface=230Vlan lease-time=1d name=230Vlan
add address-pool=240Vlan interface=240Vlan lease-time=1d name=240Vlan
add address-pool=250Vlan interface=250Vlan lease-time=1d name=250Vlan
add address-pool=260Vlan interface=260Vlan lease-time=1d name=260Vlan
add address-pool=270Vlan interface=270Vlan lease-time=1d name=270Vlan
add address-pool=279Vlan interface=279Vlan lease-time=1d name=279Vlan
add address-pool=280Vlan interface=280Vlan lease-time=1d name=280Vlan
add address-pool=289Vlan interface=289Vlan lease-time=1d name=289Vlan
add address-pool=290Vlan interface=290Vlan lease-time=1d name=290Vlan
add address-pool=269Vlan interface=269Vlan lease-time=12h name=269Vlan
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.200.4/24 interface=200Management network=192.168.200.0
add address=192.168.8.1/24 interface=ether8 network=192.168.8.0
add address=10.130.0.4/20 interface=130Production network=10.130.0.0
add address=10.140.0.4/22 interface=140Ticketing network=10.140.0.0
add address=10.150.0.4/20 interface=150Vendors network=10.150.0.0
add address=10.160.0.4/20 interface=160Vlan network=10.160.0.0
add address=10.169.0.4/16 interface=169Vlan network=10.169.0.0
add address=10.170.0.4/22 interface=170Vlan network=10.170.0.0
add address=10.180.0.4/22 interface=180Vlan network=10.180.0.0
add address=10.189.0.4/22 interface=189Vlan network=10.189.0.0
add address=10.190.0.4/22 interface=190Vlan network=10.190.0.0
add address=192.168.192.4/23 interface=192-Toasts network=192.168.192.0
add address=10.179.0.4/22 interface=179Vlan network=10.179.0.0
add address=10.10.10.4/23 interface=10-ApManagement network=10.10.10.0
add address=10.21.0.4/22 interface=210Vlan network=10.21.0.0
add address=10.23.0.4/22 interface=230Vlan network=10.23.0.0
add address=10.24.0.4/22 interface=240Vlan network=10.24.0.0
add address=10.25.0.4/22 interface=250Vlan network=10.25.0.0
add address=10.26.0.4/22 interface=260Vlan network=10.26.0.0
add address=10.26.32.4/19 interface=269Vlan network=10.26.32.0
add address=10.27.0.4/22 interface=270Vlan network=10.27.0.0
add address=10.27.8.4/22 interface=279Vlan network=10.27.8.0
add address=10.28.0.4/22 interface=280Vlan network=10.28.0.0
add address=10.28.8.4/22 interface=289Vlan network=10.28.8.0
add address=10.29.0.4/22 interface=290Vlan network=10.29.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.10.0/23 dhcp-option=eventcloud dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.21.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.21.0.1
add address=10.23.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.23.0.1
add address=10.24.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.24.0.1
add address=10.25.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.25.0.1
add address=10.26.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.0.1
add address=10.26.8.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.8.1
add address=10.26.32.0/19 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.26.32.1
add address=10.27.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.27.0.1
add address=10.27.8.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.27.8.1
add address=10.28.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.28.0.1
add address=10.29.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.29.0.1
add address=10.130.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.130.0.1
add address=10.140.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.140.0.1
add address=10.150.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.150.0.1
add address=10.160.0.0/20 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.160.0.1
add address=10.169.0.0/16 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.169.0.1
add address=10.170.0.0/22 dhcp-option=effective dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.170.0.1
add address=10.179.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.179.0.1
add address=10.180.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.180.0.1
add address=10.189.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.189.0.1
add address=10.190.0.0/22 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=10.190.0.1
add address=192.168.8.0/24 dns-server=8.8.8.8 gateway=192.168.8.1
add address=192.168.13.0/24 gateway=192.168.13.1
add address=192.168.88.0/24 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=192.168.88.1
add address=192.168.192.0/23 dns-server=8.8.8.8,9.9.9.9,208.67.222.222 gateway=192.168.192.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.7.9.0/24 list=Authorized
add address=10.4.1.0/24 list=Authorized
add address=192.168.200.0/24 list=Authorized
add address=192.168.8.0/24 list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=DHCP-TCP dst-port=67 protocol=tcp
add action=accept chain=input comment=DHCP-UDP dst-port=67 protocol=udp
add action=accept chain=input comment=AllowAuthorizedAll src-address-list=Authorized
add action=drop chain=input comment=DropALLElse
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-autodetect=no time-zone-name=America/New_York
/system identity
set name=RB-DHCP-Sw4
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.200.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

Looks mostly right from a quick read. I’d make sure the VRRP is in the same interface-list as the VLAN is, since traffic goes in/out of VRRP directly (which might not be treated the same as VLAN depending on specific FW rules).

Now the queuing strategy could use some work IMO. But I’m not the expert & some of “best” is kinda device-specific. In general, I’d probably do your queues in reverse – use /queue tree for the overall WAN(s), and use simple queues to throttle clients to some reasonable limit. Reasoning is the WAN has some capacity and /queue/tree will enforce that nothing exceeds that, and the same queue tree can enforce rules for all traffic from the various VLANs (i.e. so the “guest” VLAN can only use 50% max, while the “ticketing” VLAN might have a limit-at to always ensure there is bandwidth, etc.) - with all VLANs below the WAN in the “tree”. Basically you want the “all traffic passes at once” to enforce the limits between the overall internet and each VLAN under that. With the simple queue, it does not work like that - so the only use case I’ve found for it is to throttle Wi-Fi/end users to some speed well below the limits in /queue/tree (i.e. so one client cannot hog all of one of the VLANs before it gets to the queue tree). (And I throttle clients in the non-MikroTik Wi-Fi system, etc. to avoid using any simple queues – since I do not find the simple queue, well, simple.)

But… since you have a CCR2116… you’d likely be better off using the Switch Hardware QoS. So for your weekend reading, I’d recommend: https://help.mikrotik.com/docs/display/ROS/QoS+with+Switch+Chip
since the CCR2116 should support that.

RB5009 is not, so perhaps you may need different approaches depending on the device. If the RB5009 is just to have a backup to the CCR2116, perhaps a more simplified queue scheme might be a good idea (just /queue/tree for overall WAN and fq_codel on interfaces) – so if your queue complexity is “too much”, you’d have a simple config on the RB5009 so it can just route packets if something goes wrong with the CCR2116.
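
The interface-list point from the first paragraph of the reply above, as an added example that is not part of the thread: a Python check that reads a RouterOS export, reports VRRP interfaces missing from interface lists their parent VLAN belongs to, and names the filter rules that match on those lists. The sample export is constructed (`vrrp1-vl130` and all list memberships are assumptions, not the poster's config), and lists composed with `include=` are not expanded.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample export: names such as vrrp1-vl10 and VRRP-LAN appear in
# the thread, but vrrp1-vl130 and the list memberships are made up.
SAMPLE_EXPORT = r'''
/interface vrrp
add interface=10-ApManagement name=vrrp1-vl10 vrid=10
add interface=130Production name=vrrp1-vl130 vrid=130
/interface list member
add interface=10-ApManagement list=VRRP-LAN
add interface=vrrp1-vl10 list=VRRP-LAN
add interface=vrrp1-vl10 list=VRRP-INPUT
add interface=130Production list=VRRP-LAN
add interface=130Production list=VRRP-INPUT
/ip firewall filter
add action=accept chain=input comment=AllowVRRP-Router in-interface-list=VRRP-INPUT protocol=vrrp
add action=accept chain=forward comment="AllowInternet For LAN" in-interface-list=VRRP-LAN \
    out-interface-list=WAN
add action=drop chain=forward comment="DROP ALL ELSE"
'''

def parse_export(text):
    """Return {section path: [{property: value}, ...]} for each 'add' line."""
    sections = defaultdict(list)
    current = None
    # Exports wrap long lines with a trailing backslash plus indentation.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current and line.startswith("add "):
            tokens = shlex.split(line[4:])  # honours "quoted values"
            sections[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def vrrp_list_gaps(sections):
    """Map each VRRP interface to the lists its parent is in but it is not."""
    lists_of = defaultdict(set)
    for member in sections["/interface list member"]:
        lists_of[member["interface"]].add(member["list"])
    gaps = {}
    for vrrp in sections["/interface vrrp"]:
        missing = lists_of[vrrp["interface"]] - lists_of[vrrp["name"]]
        if missing:
            gaps[vrrp["name"]] = sorted(missing)
    return gaps

def affected_rules(sections, gaps):
    """Filter rules matching on a list from which a VRRP interface is missing."""
    hits = []
    for vrrp, missing in gaps.items():
        for rule in sections["/ip firewall filter"]:
            used = {rule.get(k, "").lstrip("!")
                    for k in ("in-interface-list", "out-interface-list")}
            for name in sorted(used & set(missing)):
                hits.append((vrrp, name, rule.get("chain", ""), rule.get("comment", "")))
    return hits

if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for vrrp, lst, chain, comment in affected_rules(parsed, vrrp_list_gaps(parsed)):
        print(f"{vrrp} missing from {lst}: {chain} rule '{comment}' treats it differently")
```
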

> RB5009 is not, so perhaps you may need different approaches depending on the device. If the RB5009 is just to have a backup to the CCR2116, perhaps a more simplified queue scheme might be a good idea (just /queue/tree for overall WAN and fq_codel on interfaces) – so if your queue complexity is “too much”, you’d have a simple config on the RB5009 so it can just route packets if something goes wrong with the CCR2116.

The RB is just there specifically to do DHCP and nothing else.. I was messing around with scripts and stuff to disable and re-enable on the two routers but was just getting confused and decided to just offload it to something else.. If the RB is just doing DHCP.. it should have the CPU to hand out and store 4k or more DHCP leases..

> But… since you have a CCR2116… you’d likely be better off using the Switch Hardware QoS. So for your weekend reading, I’d recommend: https://help.mikrotik.com/docs/display/ … witch+Chip

Going to check this out..

> /queue tree for the overall WAN(s), and use simple queues to throttle clients to some reasonable limit. Reasoning is the WAN has some capacity and /queue/tree will enforce that nothing exceeds that, and the same queue tree can enforce rules for all traffic from the various VLANs (i.e. so the “guest” VLAN can only use 50% max, while the “ticketing” VLAN might have a limit-at to always ensure there is bandwidth, etc.) - with all VLANs below the WAN in the “tree”. Basically you want the “all traffic passes at once” to enforce the limits between the overall internet and each VLAN under that. With the simple queue, it does not work like that - so the only use case I’ve found for it is to throttle Wi-Fi/end users to some speed well below the limits in /queue/tree (i.e. so one client cannot hog all of one of the VLANs before it gets to the queue tree). (And I throttle clients in the non-MikroTik Wi-Fi system, etc. to avoid using any simple queues – since I do not find the simple queue, well, simple.)

and going to add researching this for the weekly reading.. I do still have another week or so before the event.. so I have time to make some changes.