Best configuration with capsman for 2 different accesspoints

I give up. The more I do, the slower everything gets.
And the worst thing is, I cannot go back, because every step back to like it was before, makes it even worse.
Meanwhile I am at 1 mbps up and down, with all devices.
It’s enough to get 3 mails per day, but I don’t want to lose that, too.
For iphone and ipads I will buy those cablenetwork adaptors.
And the meross stuff doesn’t work anymore, but ok, I have the mechanical switches to replace everything.
Ovens and dishwasher…? pfff, don’t need them in wifi.

Was a /nice/ journey, but (again) a very bad experience with mikrotik. Could go back to my Cisco devices, at least they provided 1,3gbps, which resulted in nearly 80 mBps on this desktop computer.

Too bad it isn’t working for you. Unfortunately, MikroTik is not the right tool for everyone.
I would really have liked to get you a working environment, the hardware is more than capable.

Especially the code @meki provided should have given you a working environment.
Apart from the fact that US has to be changed to Austria (and use corresponding frequencies), something like:

/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=no frequency=5180,5260,5500,5660 name=channel-5G width=20/40/80mhz

/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1

/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
add authentication-types=wpa2-psk disabled=no name=security-AC

/interface wifi configuration
add channel=channel-5G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403IoT
add channel=channel-2G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-AC-2G security=security-AC ssid=R403AC

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-ax slave-configurations=config-IoT-2G,config-AC-2G
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-n slave-configurations=config-IoT-2G,config-AC-2G

If you remove all wifi settings you have and replace it with the above, no errors should be shown and you should have a working wireless network.

Feel free to give it another try and please post all relevant info on any update:

  • used config
  • RX and TX rates (to get insights on the connection of the wireless devices)

You use US as country, I must use Austria.

If there are police officers running around with antennas hunting casual home owners with misconfigured wifi routers then you are right :slight_smile:

SSIDs were just a meaningless proposal, you were talking about allowed and disallowed characters in it…

Anyway, you should narrow down your issue, so pick one CAP and disable the remaining two. Also post config exports, whole configs, for both devices. (make three new lines between code blocks)

yes, in Austria there are checks and you get charged.
But that’s not a problem for the config, I searched for the valid frequency. It’s just 2 that are allowed and running in combination with the 20MHz.
All other allowed frequencies are just not working with the accesspoints and 20MHz.

I just checked how much influence a smaller distance between AP and PC has. I get 32 mbps with 3m between.

I have a budget of 600 euro to put myself into a plane and search for an implementation with the same accesspoints and a gigabit speed… mikrotik says there’s more possible, but 1.000 mbps are enough. Where can I see that live?

If only copy-paste would work... But I have to type my current config down into the notepad (as backup).
Then I have to type in your config after cleanup. And if that doesn't end in a running config (what I expect), I have to type in my own config again...

Do you know that you can export to file? You don’t need to type anything… (except for the export command)

Use

export file=anynameyouwish

Then download the created file and that's it. You can then open that .rsc file in notepad.

I’m now really wondering about another important thing: How exactly are you testing the speed?

this config makes all wifis end in "no ssid set".
great!

I know how to export the complete config, but in this case I just need to copy / paste the relevant part.
I have an ssh session now. That proves, that the winbox-builtin terminal is also NOT READY!!
Copy-paste in ssh is done. As I wrote, erlinden’s config made a bunch of “no ssid set”, and my complete wifi went down.

I replaced dynamic enabled by “create enabled”.
I thought that this should be clear already, that “dynamic” never worked…
I have some wifis in grey now… As I said at the beginning, such simple provisionings don’t work at all…

Hint: It’s common for terminals that you must use CTRL+SHIFT+C instead of CTRL+C


Difference in create-enabled and create-dynamic-enabled is that create-enabled allows you to manually change settings of created interfaces. You can completely ignore that for now.

on iphone and ipad with the app “rtr netztest”. That's a brilliant app from the austrian regulatory authority.
on windows:

  1. website netztest.at
  2. website www.speedtest.net
  3. transmitting files in my local network from my local server which all deliver more than 1Gbps. Tested with 5GB ISO files. No jumbo-packets, only standard. Including the accesspoints there are 2 devices between pc and server (2nd is a HP Aruba 2530 switch). Servers are connected with 2-cable lb/failover. With cable I get the full 128MBps. With wifi only 300-500 kBps.
  4. no test, just what windows says in wifi connection (win11, the new user interface that shows information about the wifi connection, it says “transmit speed xxx/yyy (Mbps)”). Mostly far beneath 100. Sometimes only 6 to 11 Mbps with ax in 5ghz. With ax in 2,4ghz I get around 229/229, but it drops to under 10 under speedtest load.

With the current config of erlinden I get 229/229 in the new ux, only 24 mbps in the old interface (control → network…), and speedtest.net says 3mbps down, 6 up.

sorry, no, I cannot ignore that, because with dynamic I get “no ssid set” on all wifis

CTRL+SHIFT+C instead of CTRL+C
and paste? It’s not ctrl+shift+v, that makes it worse :wink:

if I should mention that my iot things are all disconnected now…?
They don’t work with the 3 channels that erlinden told me to configure.

The more we do, the more we can see that my config “overall” did the best of all worlds.
Nothing so far improved anything…
ipads disconnect during speedtest (always!)
pc flaps connected/disconnected
iot things are all disconnected

as soon as I deactivated your proposals and reactivated my configs, everything connected back again.
and the desktop connects to wifi 5ax with at least 320mbit up and down.
It’s not what I call “performance”, because under the same circumstances I got over 850Mbps with Cisco wap371 ap’s, but it’s enough to do my homeoffice work without a cable.

Either you want to be helped…or not.

Provide all configs for all involved devices (I would expect four configs) and follow instructions afterwards by the letter. Again the hardware is capable, but it requires proper config. And from the error message you provided it is clear that your current config is messed up.

and why do I get 3mbps with provided configs and 350 with mine?
all accesspoints are simply out of the box and configured for capsman.
I already provided the config for the capsman controller... there's nothing more that would tell you more about the config, but I can post this stuff...

[admin@SW.OG.1] > export
# 2024-10-24 21:41:47 by RouterOS 7.16.1
# software id = WZPE-N3D7
#
# model = CRS328-24P-4S+
# serial number = HD508BTMHMH
/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5180 name=Ch36_20M
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=Ch1 skip-dfs-channels=yes
/interface bridge
add admin-mac=18:FD:74:A8:66:F9 auto-mac=no comment=defconf name=BRIDGE1 \
    port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether01 poe-out=off
set [ find default-name=ether2 ] name=ether02
set [ find default-name=ether3 ] name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06
set [ find default-name=ether7 ] name=ether07
set [ find default-name=ether8 ] name=ether08
set [ find default-name=ether9 ] name=ether09
set [ find default-name=ether24 ] advertise=1G-baseT-half,1G-baseT-full \
    poe-out=off
/interface vlan
add interface=BRIDGE1 name=VLAN1-R403-intern vlan-id=1
add interface=ether01 name=VLAN2-R403-Heimautomatisierung vlan-id=1
add interface=ether17 name=gast vlan-id=1
/interface bonding
add name=Bond-MacPro slaves=ether07,ether08
/caps-man datapath
add bridge=BRIDGE1 client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath1
/caps-man rates
add basic=6Mbps name="GN Only - No B rates" supported=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk comment=.** disable-pmkid=yes \
    encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=\
    R403.security
add authentication-types=wpa2-psk comment=** disable-pmkid=yes \
    encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=\
    R403-Homekit.Security
/caps-man configuration
add country=austria datapath=datapath1 distance=indoors installation=any \
    mode=ap name=R403-HOME security=R403-Homekit.Security ssid=R403-HOME
add comment="R403 (5Ghz)" country=austria datapath=datapath1 installation=any \
    mode=ap name=R403 security=R403.security ssid=R403
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=2ghz-g disabled=no name=2.G.20 width=20mhz
add band=5ghz-n disabled=no name=5.A/N.20 width=20/40mhz-Ce
add band=5ghz-a disabled=no name=5.A
add band=2ghz-n disabled=no name=2.N.20 skip-dfs-channels=all width=20mhz
add band=5ghz-ax disabled=no frequency=5680 name=5.AX width=20/40/80mhz
add band=2ghz-ax disabled=no name=2.AX
add band=5ghz-ax disabled=no name=5.G.AX width=20/40/80mhz
add band=5ghz-ac disabled=no frequency=2300-7300 name=5.AC width=20/40/80mhz
add disabled=yes frequency=2412,2437,2462 name=alt.channel-2G width=20mhz
add disabled=yes frequency=5180,5260,5500,5660 name=alt.channel-5G width=\
    20/40/80mhz
add disabled=yes frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=yes frequency=5180,5260,5500,5660 name=channel-5G width=\
    20/40/80mhz
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=R403-Clients wps=\
    push-button
add authentication-types=wpa2-psk disabled=no name=R403-Heimautomatisierung
add authentication-types=wpa2-psk disabled=no name=R403-AC
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
add authentication-types=wpa2-psk disabled=no name=security-AC
/interface wifi configuration
add channel=5.A/N.20 country=Austria datapath=datapath1 disabled=no mode=ap \
    name=Config:5A security=R403-Clients ssid=R403
add channel=2.G.20 country=Austria disabled=no mode=ap name=Config:2G \
    security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=2.N.20 country=Austria datapath=datapath1 disabled=no mode=ap \
    name=Config:2N security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=2.AX country=Austria datapath=datapath1 disabled=no mode=ap name=\
    Config:2.AX security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=2.G.20 country=Austria datapath=datapath1 disabled=no mode=ap \
    name=Config.AC security=R403-AC ssid=R403.AC
add channel=5.AX country=Austria datapath=datapath1 disabled=no mode=ap name=\
    R403-5G-AX security=R403-Clients ssid=R403-5G-AX
add channel=5.AC country=Austria datapath=datapath1 disabled=no mode=ap name=\
    R403-5G-AC security=R403-Clients ssid=R403-5G-AC
add channel=channel-5G country=Austria datapath=datapath1 disabled=yes mode=\
    ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country=Austria datapath=datapath1 disabled=yes mode=\
    ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country=Austria datapath=datapath1 disabled=yes mode=\
    ap name=config-IoT-2G security=security-IoT ssid=R403-Heimautomatisierung
add channel=channel-2G country=Austria datapath=datapath1 disabled=yes mode=\
    ap name=config-AC-2G security=security-AC ssid=R403-AC
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=group1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-256,3des hash-algorithm=sha256
add dh-group=modp1536 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256,aes-192,aes-128 name=IPsec-Profile-**
add dh-group=modp1024 dpd-interval=30s dpd-maximum-failures=3 enc-algorithm=\
    aes-256,aes-192,aes-128 name=Private-S2S-VPNs
/ip ipsec peer
add address=hff0915c2k1.sn.mynetname.net name=G21 profile=Private-S2S-VPNs
add address=** name=**profile=IPsec-Profile-**
/ip ipsec proposal
add auth-algorithms=sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-128-cbc,3des name=\
    proposal-**pfs-group=modp1536
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc name=\
    proposal-R403 pfs-group=modp1536
/ip pool
add name=VLAN0-DHCP ranges=10.43.210.101-10.43.210.200
/ip dhcp-server
add add-arp=yes address-pool=VLAN0-DHCP authoritative=no interface=BRIDGE1 \
    lease-time=23h name=DHCP-INTERN
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man manager
set ca-certificate=auto certificate=auto upgrade-policy=require-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BRIDGE1
/caps-man provisioning
add action=create-enabled master-configuration=R403 name-format=\
    prefix-identity name-prefix=Prefix- slave-configurations=R403-HOME
/ip smb
set domain=R403
/interface bridge port
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether01 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether02 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether03 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether04 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether05 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether06 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether09 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether11 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether12 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether13 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether14 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether15 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether19 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether20 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether21 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether22 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether23 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether16 internal-path-cost=\
    10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether17 internal-path-cost=\
    10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether18 internal-path-cost=\
    10 path-cost=10
add bridge=BRIDGE1 interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=Bond-MacPro
add bridge=BRIDGE1 interface=sfp-sfpplus2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BRIDGE1 vlan-ids=1
/interface detect-internet
set detect-interface-list=WAN
/interface ethernet switch
set 0 name=SW1-OG
/interface list member
add interface=ether01 list=LAN
add interface=ether02 list=LAN
add interface=ether03 list=LAN
add interface=ether04 list=LAN
add interface=ether05 list=LAN
add interface=ether06 list=LAN
add interface=ether07 list=LAN
add interface=ether08 list=LAN
add interface=ether09 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=BRIDGE1 list=LAN
add interface=ether24 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=\
    no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G \
    radio-mac=C4:AD:34:58:8A:AC slave-configurations=Config.AC,Config:2N
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G \
    radio-mac=D4:01:C3:04:F4:01 slave-configurations=Config.AC,Config:2N
add action=create-dynamic-enabled disabled=no master-configuration=R403-5G-AX \
    radio-mac=D4:01:C3:94:99:A1 slave-configurations=R403-5G-AC
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G \
    radio-mac=D4:01:C3:94:99:A2 slave-configurations=Config.AC,Config:2N
add action=create-dynamic-enabled disabled=no master-configuration=Config:5A \
    radio-mac=D4:01:C3:04:F4:02
add action=create-dynamic-enabled disabled=no master-configuration=Config:5A \
    radio-mac=C4:AD:34:58:8A:AD
add action=create-dynamic-enabled disabled=no master-configuration=R403-5G-AX \
    radio-mac=D4:01:C3:97:B1:06 slave-configurations=R403-5G-AC
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G \
    radio-mac=D4:01:C3:97:B1:07 slave-configurations=Config.AC,Config:2N
add action=create-enabled disabled=yes master-configuration=config-clients-5G \
    supported-bands=5ghz-ax
add action=create-enabled disabled=yes master-configuration=config-clients-2G \
    slave-configurations=config-IoT-2G,config-AC-2G supported-bands=2ghz-g
add action=create-enabled disabled=yes master-configuration=config-clients-5G \
    supported-bands=5ghz-ac
add action=create-enabled disabled=yes master-configuration=config-AC-2G \
    slave-configurations=config-IoT-2G,config-clients-2G supported-bands=\
    2ghz-n
/ip address
add address=10.43.210.254/24 comment=defconf interface=BRIDGE1 network=\
    10.43.210.0
add address=93.83.243.146/30 interface=ether24 network=93.83.243.144
add address=10.43.220.254/24 interface=gast network=10.43.220.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-server lease
add address=10.43.210.188 comment="Jal EG Wirtschaftsraum" mac-address=\
    48:E1:E9:A9:55:DB server=DHCP-INTERN
add address=10.43.210.34 client-id=1:dc:a9:4:88:53:ba comment="MacBook Erik" \
    mac-address=DC:A9:04:88:53:BA server=DHCP-INTERN
add address=10.43.210.181 comment="Jal OG Buero" mac-address=\
    48:E1:E9:A9:59:97 server=DHCP-INTERN
add address=10.43.210.182 comment="Jal OG Schlafzimmer" mac-address=\
    48:E1:E9:A2:4B:90 server=DHCP-INTERN
add address=10.43.210.183 comment="Jal OG Balkon" mac-address=\
    48:E1:E9:A9:6B:99 server=DHCP-INTERN
add address=10.43.210.184 comment="Jal EG Veranda" mac-address=\
    48:E1:E9:A2:4E:F6 server=DHCP-INTERN
add address=10.43.210.185 comment="Jal EG Kueche Sued" mac-address=\
    48:E1:E9:A9:54:76 server=DHCP-INTERN
add address=10.43.210.186 comment="Jal EG Kueche West" mac-address=\
    48:E1:E9:A9:51:6B server=DHCP-INTERN
add address=10.43.210.187 comment="Jal EG Wohnzimmer Nord" mac-address=\
    48:E1:E9:A9:6A:93 server=DHCP-INTERN
add address=10.43.210.189 comment="Jal EG Wohnzimmer West" mac-address=\
    48:E1:E9:A9:60:5B server=DHCP-INTERN
add address=10.43.210.201 comment="SWITCH HP ARUBA2530 48 POE OG" \
    mac-address=A0:1D:48:34:0A:00 server=DHCP-INTERN
add address=10.43.210.35 comment=MacPro6 mac-address=00:3E:E1:BD:F9:55 \
    server=DHCP-INTERN
add address=10.43.210.100 client-id=1:f0:92:1c:e7:4c:90 mac-address=\
    F0:92:1C:E7:4C:90 server=DHCP-INTERN
add address=10.43.210.203 mac-address=48:A9:8A:47:38:14 server=DHCP-INTERN
add address=10.43.210.91 client-id=1:4:79:b7:b0:1a:f1 comment=\
    "Wechselrichter Kostal" mac-address=04:79:B7:B0:1A:F1 server=DHCP-INTERN
add address=10.43.210.92 client-id=1:0:d0:93:4d:41:11 mac-address=\
    00:D0:93:4D:41:11 server=DHCP-INTERN
add address=10.43.210.212 client-id=1:d4:1:c3:94:99:9f mac-address=\
    D4:01:C3:94:99:9F server=DHCP-INTERN
add address=10.43.210.214 client-id=1:d4:1:c3:97:b1:4 mac-address=\
    D4:01:C3:97:B1:04 server=DHCP-INTERN
add address=10.43.210.211 client-id=1:c4:ad:34:58:8a:aa mac-address=\
    C4:AD:34:58:8A:AA server=DHCP-INTERN
add address=10.43.210.213 client-id=1:d4:1:c3:4:f3:ff mac-address=\
    D4:01:C3:04:F3:FF server=DHCP-INTERN
add address=10.43.210.3 client-id=1:0:8:9b:c3:cb:93 mac-address=\
    00:08:9B:C3:CB:93 server=DHCP-INTERN
add address=10.43.210.2 client-id=1:0:8:9b:f1:be:ba mac-address=\
    00:08:9B:F1:BE:BA server=DHCP-INTERN
add address=10.43.210.18 mac-address=F0:92:1C:E7:42:0F server=DHCP-INTERN
/ip dhcp-server network
add address=10.43.210.0/24 dns-server=\
    10.43.210.1,10.43.210.11,8.8.8.8,192.168.121.201 domain=r403.local \
    gateway=10.43.210.254 ntp-server=10.43.210.254
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=4443,8291 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=forward disabled=yes dst-address=192.168.0.0/16 \
    src-address=10.43.210.0/24
add action=drop chain=forward disabled=yes dst-address=10.43.210.0/24 \
    src-address=192.168.10.0/24
add action=accept chain=forward dst-address=10.43.210.0/24 src-address=\
    10.21.0.0/24
add action=accept chain=forward dst-address=10.21.0.0/24 src-address=\
    10.43.210.0/24
add action=accept chain=forward dst-address=10.43.210.1 dst-port=443 \
    protocol=tcp src-port=443
add action=accept chain=forward dst-address=213.33.98.136 dst-port=53 \
    protocol=udp
add action=accept chain=input dst-address=10.43.210.2 dst-port=5000 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=forward dst-address=10.43.210.1 dst-port=443 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=forward
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept in ipsec policy" \
    in-interface=all-ppp ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input in-interface=ether24 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether24 \
    protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=dstnat dst-address=10.43.210.11 dst-port=443 \
    in-interface=ether24 protocol=tcp
/ip firewall nat
add action=accept chain=srcnat dst-address=10.21.0.0/24 src-address=\
    10.43.210.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=\
    10.43.210.0/24
add action=dst-nat chain=dstnat comment="Forwarding rule" dst-port=5000 \
    in-interface-list=WAN protocol=tcp src-port="" to-addresses=10.43.210.2 \
    to-ports=5000
add action=masquerade chain=srcnat out-interface=ether24
/ip ipsec identity
add peer=G21
add comment=HalloWelt403 mode-config=request-only peer=**
/ip ipsec policy
set 0 disabled=yes proposal=proposal-**
add dst-address=192.168.10.0/24 level=unique peer=**proposal=\
    proposal-**src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.121.0/24 level=unique peer=**proposal=\
    proposal-**src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.122.0/24 level=unique peer=**proposal=\
    proposal-**src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.70.0/24 level=unique peer=**proposal=\
    proposal-**src-address=10.43.210.0/24 tunnel=yes
add dst-address=10.21.0.0/24 peer=G21 proposal=proposal-R403 src-address=\
    10.43.210.0/24 tunnel=yes
add dst-address=192.168.50.0/24 level=unique peer=**proposal=\
    proposal-*src-address=10.43.210.0/24 tunnel=yes
/ip proxy
set max-cache-size=100000KiB
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    93.83.243.145 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/8
set ssh address=10.0.0.0/8
set www-ssl address=10.0.0.0/8 certificate=cert1 disabled=no port=8443
set winbox address=10.0.0.0/8
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=SW.OG.1
/system logging
add topics=debug,dhcp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=178.189.127.148
/system package update
set channel=testing
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/tool graphing interface
add
[admin@WAP.BALKON] > export
# 2024-10-24 21:45:29 by RouterOS 7.16.1
# software id = 9VJZ-MB0K
#
# model = RBwAPG-5HacD2HnD
# serial number = HFM09SMSG9E
/interface bridge
add admin-mac=D4:01:C3:04:F3:FF auto-mac=no comment=defconf name=bridgeLocal
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: R403-2.4G, channel: 2437/g
set [ find default-name=wifi1 ] configuration.manager=capsman-or-local .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: R403, channel: 5260/n/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman-or-local .mode=ap disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeLocal interface=dynamic
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WAP.BALKON
/system note
set show-at-login=no
[admin@WAP.KELLER] > export
# 2024-10-24 21:46:17 by RouterOS 7.16.1
# software id = PQFY-1VZU
#
# model = RBwAPGR-5HacD2HnD
# serial number = B7380B589768
/interface bridge
add admin-mac=C4:AD:34:58:8A:AA auto-mac=no comment=defconf name=bridgeLocal
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: R403-2.4G, channel: 2412/g
set [ find default-name=wifi1 ] configuration.manager=capsman-or-local .mode=ap disabled=no name=WAP.KELLER.wifi1
# managed by CAPsMAN
# mode: AP, SSID: R403, channel: 5500/n/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman-or-local .mode=ap disabled=no name=WAP.KELLER.wifi2
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" sms-protocol=auto sms-read=no
/interface bridge port
add bridge=bridgeLocal comment=defconf ingress-filtering=no interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=WAP.KELLER.wifi1
add bridge=bridgeLocal interface=WAP.KELLER.wifi2
add bridge=bridgeLocal interface=dynamic
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WAP.KELLER
/system note
set show-at-login=no
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
[admin@WAP.KELLER] >
[admin@WAP.OG.BUERO] > export
# 2024-10-24 21:46:58 by RouterOS 7.16.1
# software id = 9J12-2RZ6
#
# model = cAPGi-5HaxD2HaxD
# serial number = HGD09JVZ8BG
/interface bridge
add admin-mac=D4:01:C3:94:99:9F auto-mac=no comment=defconf name=bridgeLocal
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: R403-5G-AX, channel: 5680/ax/eCee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: R403-2.4G, channel: 2437/g
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
/interface vlan
add interface=bridgeLocal name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeLocal interface=dynamic
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WAP.OG.BUERO
/system note
set show-at-login=no
[admin@WAP.OG.BUERO] >
[admin@WAP.EG.FLUR] > export
# 2024-10-24 21:47:44 by RouterOS 7.16.1
# software id = 07E9-A8LY
#
# model = cAPGi-5HaxD2HaxD
# serial number = HGD09QMH2N0
/interface bridge
add name=bridgeLocal
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: R403-5G-AX, channel: 5680/ax/eCee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no name=WAP.EG.FLUR.wifi1
# managed by CAPsMAN
# mode: AP, SSID: R403-2.4G, channel: 2412/g
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no name=WAP.EG.FLUR.wifi2
/interface bridge port
add bridge=bridgeLocal ingress-filtering=no interface=ether1
add bridge=bridgeLocal interface=ether2
add bridge=bridgeLocal interface=*1A
add bridge=bridgeLocal interface=*1B
add bridge=bridgeLocal interface=WAP.EG.FLUR.wifi1
add bridge=bridgeLocal interface=WAP.EG.FLUR.wifi2
add bridge=bridgeLocal interface=dynamic
/ip firewall connection tracking
set udp-timeout=10s
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add interface=bridgeLocal
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WAP.EG.FLUR
/system logging
add prefix="debug, dhcp" topics=debug
add topics=wireless
/system note
set show-at-login=no
[admin@WAP.EG.FLUR] >
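
Added example, not written by any poster in this thread: a small Python lint for the `/interface wifi` part of a RouterOS export like the ones above. It joins the `\` continuation lines, then lists configurations and provisioning rules whose channel, security, datapath or configuration reference is undefined or points at an entry with `disabled=yes`, as items to review by hand. The sample export and its MAC address are constructed; the function names are this example's own.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample, modelled on the /interface wifi sections of the export
# above. The radio MAC is a placeholder, not a value from the thread.
SAMPLE_EXPORT = r"""
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5680 name=5.AX width=20/40/80mhz
add disabled=yes frequency=5180,5260,5500,5660 name=channel-5G width=\
    20/40/80mhz
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=R403-Clients
/interface wifi configuration
add channel=5.AX country=Austria datapath=datapath1 disabled=no mode=ap name=\
    R403-5G-AX security=R403-Clients ssid=R403-5G-AX
add channel=channel-5G country=Austria datapath=datapath1 disabled=no mode=\
    ap name=config-clients-5G security=security-clients ssid=R403
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=R403-5G-AX \
    radio-mac=00:00:5E:00:53:01 slave-configurations=R403-5G-AC
add action=create-enabled disabled=no master-configuration=config-clients-5G \
    supported-bands=5ghz-ax
"""

WIFI = "/interface wifi "
PROFILE_KEYS = ("channel", "security", "datapath")


def parse_export(text):
    """Return {menu path: [ {key: value}, ... ]} for every 'add' line."""
    # An export wraps long lines with a trailing backslash and indents the
    # continuation; dropping both restores the original single line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    menus = defaultdict(list)
    menu = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        if menu is None or not line.startswith("add "):
            continue  # 'set' lines and shell prompts are not needed here
        item = {}
        for token in shlex.split(line[4:]):  # honours comment="two words"
            key, sep, value = token.partition("=")
            if sep:
                item[key] = value
        menus[menu].append(item)
    return menus


def _by_name(menus, sub):
    return {i["name"]: i for i in menus.get(WIFI + sub, []) if "name" in i}


def lint_wifi(menus):
    """List references that are undefined or point at a disabled entry."""
    findings = []
    profiles = {key: _by_name(menus, key) for key in PROFILE_KEYS}
    configs = _by_name(menus, "configuration")

    for name, cfg in configs.items():
        if cfg.get("disabled") == "yes":
            continue
        for key in PROFILE_KEYS:
            ref = cfg.get(key)
            if ref is None:
                continue
            target = profiles[key].get(ref)
            if target is None:
                findings.append(f"configuration {name}: {key}={ref} is not defined")
            elif target.get("disabled") == "yes":
                findings.append(f"configuration {name}: {key}={ref} is disabled")

    for n, rule in enumerate(menus.get(WIFI + "provisioning", [])):
        if rule.get("disabled") == "yes":
            continue
        refs = [rule.get("master-configuration", "")]
        refs += rule.get("slave-configurations", "").split(",")
        for ref in filter(None, refs):
            cfg = configs.get(ref)
            if cfg is None:
                findings.append(f"provisioning rule {n}: configuration {ref} is not defined")
            elif cfg.get("disabled") == "yes":
                findings.append(f"provisioning rule {n}: configuration {ref} is disabled")
    return findings


if __name__ == "__main__":
    for finding in lint_wifi(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

To check a real device, save the output of `export file=...` as described earlier in the thread and pass the file's text to `parse_export`.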