Best configuration with CAPsMAN for 2 different access points

What packages do you have installed on wAPs and CRS?

ros and wifi-qcom 7.16.1 on all devices (wifi only on accesspoints)

So… Reset all CAPs to CAP MODE. This is NOT default config. It’s almost default, but with removed datapath option and manually added bridge ports. It is for sure causing issues with slave interfaces. For starters, edit ONLY the identity of the device.

For the CAPsMAN it looks like you have wireless package installed, there shouldn’t be any “caps-man” and “wireless” related options. Also remove all datapath options and definitions. And anything that mentions VLAN, start with VLAN interfaces.

…and disable your provisioning rules and enable those that I provided

Then post all four configs (you can do that in one post, just make 3 new lines between the code blocks)

Hi,
you may be surprised, but all CAPs are default config after reset and capsmode. I didn’t change anything! And they are all new, so I can exclude that someone before me has altered the config (which indeed should be reflashed after reset).
I have 2 more sets of wifis (family and a friend) who also bought new devices; one of them has exactly the same set of devices as me, but without the two smaller CAPs, only the AX’s.
They looked identical when I reset them to CAP mode.
When I now reset one of them, and the config is the same as now, what then? I mean, in the 10 months I have played around with them, I reset those CAPs a hundred times… So my hope of expecting any difference is zero. But ok, I reset them and show you that they are like now, just without the capsman entry…

edit: ok, wireless is scheduled for remove, will reboot in 3 hours

done!
all access points react with

"--- SSID not set"

at least I don’t have a slow connection now … I have not one at all :wink:

well, I deleted all of my configs and only inserted your config, just that I added the security part before to keep wpa2 settings and passphrases… well, the one for IoT is now simplified, I’ll test if meross and the AC are dealing with it…

I reset the AP that is 3m away from my desktop. It doesn’t show a registered pc, but I see the registered pc on the access point 10m away. And I get ~20mbit. I mean, why should I get more? The pc is connected with a slow 2,4ghz connection to a far away access point, instead of 5ghz with the nearest (JUST RESET!!) CAP.
There is no way to tell this wifi card that it must use 5ghz, I can only deactivate 6ghz.
So, if all clients use 2,4ghz, I can delete the 5ghz config, which is what I will do now.

When we always do the same, why do we expect to receive a change?

edit: I removed all 5ghz config now, I’ll just stay on 2,4n. I don’t expect any improvements. At least I have a range of 10m.

Switch (capsman):

# 2024-10-25 09:54:12 by RouterOS 7.16.1
# software id = WZPE-N3D7
#
# model = CRS328-24P-4S+
# serial number = HD508BTMHMH
/interface wifi
add arp-timeout=auto disabled=yes mac-address=D4:01:C3:04:F4:02 name=cap-wifi1 radio-mac=D4:01:C3:04:F4:02
add arp-timeout=auto disabled=yes mac-address=D4:01:C3:94:99:A1 name=cap-wifi3 radio-mac=D4:01:C3:94:99:A1
add arp-timeout=auto disabled=yes mac-address=D4:01:C3:97:B1:06 name=cap-wifi4 radio-mac=D4:01:C3:97:B1:06
add arp-timeout=auto disabled=yes mac-address=C4:AD:34:58:8A:AD name=cap-wifi5 radio-mac=C4:AD:34:58:8A:AD
/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=R403-Clients wps=push-button
add authentication-types=wpa2-psk disabled=no name=R403-Heimautomatisierung
add authentication-types=wpa2-psk disabled=no name=R403-AC
add authentication-types=wpa2-psk disabled=no name=security-clients wps=push-button
add authentication-types=wpa2-psk disabled=no name=security-IoT
/interface wifi configuration
add channel=channel-2G country="United States" disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403.IoT
/interface wifi
add arp-timeout=auto configuration=config-clients-2G disabled=no mac-address=D4:01:C3:04:F4:01 name=cap-wifi2 radio-mac=D4:01:C3:04:F4:01
add arp-timeout=auto configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:04:F4:01 master-interface=cap-wifi2 name=cap-wifi2-virtual1
add arp-timeout=auto configuration=config-clients-2G disabled=no mac-address=D4:01:C3:94:99:A2 name=cap-wifi6 radio-mac=D4:01:C3:94:99:A2
add arp-timeout=auto configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:94:99:A2 master-interface=cap-wifi6 name=cap-wifi6-virtual1
add arp-timeout=auto configuration=config-clients-2G disabled=no mac-address=D4:01:C3:97:B1:07 name=cap-wifi7 radio-mac=D4:01:C3:97:B1:07
add arp-timeout=auto configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:97:B1:07 master-interface=cap-wifi7 name=cap-wifi7-virtual1
add arp-timeout=auto configuration=config-clients-2G disabled=no mac-address=C4:AD:34:58:8A:AC name=cap-wifi8 radio-mac=C4:AD:34:58:8A:AC
add arp-timeout=auto configuration=config-IoT-2G disabled=no mac-address=C6:AD:34:58:8A:AC master-interface=cap-wifi8 name=cap-wifi8-virtual1
/interface wifi cap
set enabled=no
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=config-clients-2G slave-configurations=config-IoT-2G supported-bands=2ghz-n

CAP1 after reset:

# 2024-10-25 09:56:54 by RouterOS 7.16.1
# software id = 07E9-A8LY
#
# model = cAPGi-5HaxD2HaxD
# serial number = HGD09QMH2N0
/interface bridge
add admin-mac=D4:01:C3:97:B1:04 auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp
# managed by CAPsMAN
# mode: AP, SSID: R403, channel: 2462/ax
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp

After seeing no improvement I don’t reset all the other caps, that’s just for ego. They are not manually configured in any way.
What they have, do they have after reset.

I have tried to reconnect my IoT devices. The meross do like they do when I made a shit config (like now):
They can be connected, they are online for some minutes, then they are not reachable in apple home anymore.

When should I decide what I can believe and what is better when I do it…? I mean:
PC: connection slower and unstable
iphones: connection unstable during speedtest
IoT meross: disconnected and gone after some minutes
IoT Bosch: not configured yet, it’s much too complicated to reset and reconfigure them (they have no wifi reset, they have to be reset completely, with loss of all settings, favourites, programs, bought cooking recipes, own programs are gone, etc… that’s a year of work I lose on 4 devices)
IoT AC: not configured yet, my motivation is gone

oh, didn’t I mention that meross is hating n mode and g mode and a mode, depending on the weather in the Sahara and if their asian boss had s*x last night?
Today they don’t want to n.

your config made 2,4 ax mode available. No one connects with 2,4 ghz ax.
It seemed to confuse meross more than it improved anything, so I set band to 2,4 ghz n only.
And suddenly apple devices run a full speed test without interrupting the connection.

For which reason do you propose 2,4 ax? Trying to make a connection for the desktop faster?
PC runs at 130/130 now, speedtest makes around 25 up and down.
I guess more (+stable +working +IoT +AC) is not possible.

This is my current config on capsman:

# 2024-10-25 11:20:05 by RouterOS 7.16.1
# software id = WZPE-N3D7
#
# model = CRS328-24P-4S+
# serial number = HD508BTMHMH
/interface wifi
add name=cap-wifi1 radio-mac=D4:01:C3:04:F4:02
add name=cap-wifi3 radio-mac=D4:01:C3:94:99:A1
add name=cap-wifi4 radio-mac=D4:01:C3:97:B1:06
add name=cap-wifi5 radio-mac=C4:AD:34:58:8A:AD
/interface wifi channel
add band=2ghz-n disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients wps=push-button
add authentication-types=wpa2-psk disabled=no name=security-IoT
/interface wifi configuration
add channel=channel-2G country="United States" disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403.IoT
/interface wifi
add configuration=config-clients-2G disabled=no name=cap-wifi2 radio-mac=D4:01:C3:04:F4:01
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:04:F4:01 master-interface=cap-wifi2 name=cap-wifi2-virtual1
add configuration=config-clients-2G disabled=no name=cap-wifi6 radio-mac=D4:01:C3:94:99:A2
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:94:99:A2 master-interface=cap-wifi6 name=cap-wifi6-virtual1
add configuration=config-clients-2G disabled=no name=cap-wifi7 radio-mac=D4:01:C3:97:B1:07
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:97:B1:07 master-interface=cap-wifi7 name=cap-wifi7-virtual1
add configuration=config-clients-2G disabled=no name=cap-wifi8 radio-mac=C4:AD:34:58:8A:AC
add configuration=config-IoT-2G disabled=no mac-address=C6:AD:34:58:8A:AC master-interface=cap-wifi8 name=cap-wifi8-virtual1
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=config-clients-2G slave-configurations=config-IoT-2G supported-bands=2ghz-n
[admin@SW.OG.1] /interface/wifi>

there’s no improvement after resetting this CAP compared to before … just that I cannot distinguish between the accesspoints respectively wifis anymore

Your attitude is really strange, you are asking for help and then suddenly “know better”. If you won’t follow instructions or use them just partially then nobody will help you. Is that clear?

Saying that the configs were not altered in any way is simply a lie.


Reset all CAPs to CAP MODE. This is NOT default config. It’s almost default, but with removed datapath option and manually added bridge ports. It is for sure causing issues with slave interfaces. For starters, edit ONLY the identity of the device.

You did reset just one CAP and even that was done just partially because you chose not to do it all.

Hint: It is wise to choose something meaningful for the identity (cAP-ax-01, wAP-ac-01).

Post all, whole, configs of your CAPs after you finish this first task. Do not bother to post anything else…
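
What this thread argues about is whether a CAP's export still matches what a reset to CAP mode produces. As an added example (not code from the thread or from MikroTik), the Python below parses a RouterOS export and compares it with the CAP-mode items visible in the "CAP1 after reset" export above; treating those items, and the `comment=defconf` marker on bridge ports, as the baseline is an assumption, and the sample exports and MAC address are constructed.

```python
import shlex


def parse_export(text):
    """Parse RouterOS export text into a list of (menu, verb, selector, props)."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # continuation, may split mid-token
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line and not line.startswith("#"):
            commands.append(line)

    items, menu = [], ""
    for line in commands:
        if line.startswith("/"):           # menu path such as "/interface wifi"
            menu = line
            continue
        tokens = shlex.split(line)
        verb, selector, props, in_sel = tokens[0], {}, {}, False
        for tok in tokens[1:]:
            if tok == "[":                 # start of "[ find default-name=... ]"
                in_sel = True
            elif tok == "]":
                in_sel = False
            elif "=" in tok:
                key, value = tok.split("=", 1)
                (selector if in_sel else props)[key] = value
        if verb in ("add", "set"):
            items.append((menu, verb, selector, props))
    return items


def check_cap(text):
    """Return findings; an empty list means the export matches the assumed baseline."""
    items = parse_export(text)

    def rows(menu):
        return [(s, p) for m, _, s, p in items if m == menu]

    findings = []
    bridges = {p.get("name") for _, p in rows("/interface bridge")}
    datapaths = {p.get("name"): p for _, p in rows("/interface wifi datapath")}
    for name, dp in datapaths.items():
        if dp.get("bridge") not in bridges:
            findings.append(f"datapath {name}: bridge {dp.get('bridge')} not defined")
    for sel, p in rows("/interface wifi"):
        radio = sel.get("default-name") or p.get("name")
        if p.get("configuration.manager") != "capsman":
            findings.append(f"{radio}: not managed by CAPsMAN")
        if p.get("datapath") not in datapaths:
            findings.append(f"{radio}: datapath missing or undefined")
    for _, p in rows("/interface bridge port"):
        if p.get("comment") != "defconf":  # assumption: reset-created ports carry defconf
            findings.append(f"bridge port {p.get('interface')}: manually added")
    cap = [p for _, p in rows("/interface wifi cap")]
    if not cap or cap[0].get("enabled") != "yes":
        findings.append("cap: not enabled")
    else:
        if cap[0].get("slaves-datapath") not in datapaths:
            findings.append("cap: slaves-datapath missing, slave interfaces get no datapath")
        if cap[0].get("discovery-interfaces") not in bridges:
            findings.append("cap: discovery-interfaces is not a defined bridge")
    return findings


# Constructed sample, modelled on the "CAP1 after reset" export in this thread.
GOOD_EXPORT = r"""
/interface bridge
add admin-mac=02:00:00:00:00:01 auto-mac=no comment=defconf name=\
    bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
"""

# Constructed sample: datapath removed and bridge ports added by hand.
BAD_EXPORT = r"""
/interface bridge
add admin-mac=02:00:00:00:00:01 auto-mac=no comment=defconf name=bridgeLocal
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
/interface bridge port
add bridge=bridgeLocal interface=ether1
add bridge=bridgeLocal interface=ether2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes
"""

if __name__ == "__main__":
    for label, export in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        print(label, check_cap(export) or "matches baseline")
```
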

nearest to PC:
CAP “1” (R403.CAP:EG.FLUR)

# model = cAPGi-5HaxD2HaxD
# serial number = HGD09QMH2N0
/interface bridge
add admin-mac=D4:01:C3:97:B1:04 ageing-time=5m arp=enabled arp-timeout=auto \
    auto-mac=no comment=defconf dhcp-snooping=no disabled=no fast-forward=yes \
    forward-delay=15s igmp-snooping=no max-learned-entries=auto \
    max-message-age=20s mtu=auto mvrp=no name=bridgeLocal port-cost-mode=long \
    priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
    aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1568 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:97:B1:04 mtu=1500 name=\
    ether1 orig-mac-address=D4:01:C3:97:B1:04 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether2 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
    aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1568 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:97:B1:05 mtu=1500 name=\
    ether2 orig-mac-address=D4:01:C3:97:B1:05 poe-out=auto-on poe-priority=10 \
    power-cycle-interval=none !power-cycle-ping-address \
    power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off \
    tx-flow-control=off
/queue interface
set bridgeLocal queue=no-queue
/interface ethernet switch
set 0 !cpu-flow-control mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none \
    default-route-distance=2 ip-type=auto name=default use-network-apn=yes \
    use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] arp-timeout=auto configuration.manager=capsman \
    datapath=capdp disabled=no l2mtu=1560 mac-address=D4:01:C3:97:B1:06 name=\
    wifi1 radio-mac=D4:01:C3:97:B1:06
# managed by CAPsMAN
set [ find default-name=wifi2 ] arp-timeout=auto configuration.manager=capsman \
    datapath=capdp disabled=no l2mtu=1560 mac-address=D4:01:C3:97:B1:07 name=\
    wifi2 radio-mac=D4:01:C3:97:B1:07
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=8s \
    dpd-maximum-failures=4 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=default use-ipv6=\
    yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default-encryption on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=yes use-ipv6=yes \
    use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=\
    32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=\
    32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
# managed by CAPsMAN
set wifi1 queue=wireless-default
# managed by CAPsMAN
set wifi2 queue=wireless-default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no \
    encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
    0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
    bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web\
    ,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pass\
    word,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,wi\
    nbox,password,web,sniff,sensitive,api,romon,rest-api" skin=default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no \
    auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes \
    comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether1 \
    !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes \
    comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether2 \
    !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=\
    5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s \
    tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m \
    udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=static discover-interval=30s lldp-mac-phy-config=no \
    lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled lldp-poe-power=yes \
    lldp-vlan-info=no mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=\
    30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=16384 rp-filter=no \
    secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=14336 multipath-hash-policy=l3
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=\
    none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no \
    authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 \
    l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=\
    unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc \
    default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 \
    keepalive-timeout=60 mac-address=FE:BD:2E:66:9A:B3 max-mtu=1500 mode=ip \
    netmask=24 port=1194 protocol=tcp push-routes="" redirect-gateway=disabled \
    reneg-sec=3600 require-client-certificate=no tls-version=any \
    tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=\
    no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=\
    aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=\
    443 tls-version=any verify-client-certificate=no
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi capsman
set enabled=no
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=\
    none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 \
    dhcp-options=hostname,clientid disabled=no interface=bridgeLocal \
    use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w \
    cache-size=2048KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 \
    max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 mdns-repeat-ifaces=\
    "" query-server-timeout=2s query-total-timeout=10s servers="" \
    use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all \
    src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip service
set telnet address="" disabled=no max-sessions=20 port=23 vrf=main
set ftp address="" disabled=no max-sessions=20 port=21
set www address="" disabled=no max-sessions=20 port=80 vrf=main
set ssh address="" disabled=no max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 \
    tls-version=any vrf=main
set api address="" disabled=no max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no max-sessions=20 port=8729 \
    tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=pub disabled=yes invalid-users="" name=pub \
    read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 \
    port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
    host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=256k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=yes \
    nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=\
    no hop-limit=unspecified interface=all managed-address-configuration=no \
    mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m \
    ra-lifetime=30m ra-preference=medium reachable-time=unspecified \
    retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s \
    use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: \
    trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Vienna
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start=\
    "1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=R403.CAP:EG.FLUR
/system leds
set 0 disabled=no leds=poe-led type=poe-out
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no \
    local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system package update
set channel=long-term
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
set 14 cpu=auto
set 15 cpu=auto
set 16 cpu=auto
set 17 cpu=auto
set 18 cpu=auto
set 19 cpu=auto
set 20 cpu=auto
set 21 cpu=auto
set 22 cpu=auto
set 23 cpu=auto
set 24 cpu=auto
set 25 cpu=auto
set 26 cpu=auto
set 27 cpu=auto
set 28 cpu=auto
set 29 cpu=auto
set 30 cpu=auto
set 31 cpu=auto
set 32 cpu=auto
set 33 cpu=auto
set 34 cpu=auto
set 35 cpu=auto
set 36 cpu=auto
set 37 cpu=auto
set 38 cpu=auto
set 39 cpu=auto
set 40 cpu=auto
set 41 cpu=auto
set 42 cpu=auto
set 43 cpu=auto
set 44 cpu=auto
set 45 cpu=auto
set 46 cpu=auto
set 47 cpu=auto
set 48 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard mode-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=no boot-device=nand-if-fail-then-ethernet boot-protocol=bootp \
    force-backup-booter=no preboot-etherboot=disabled preboot-etherboot-server=\
    any protected-routerboot=disabled reformat-hold-button=20s \
    reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
    ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no \
    sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
    filter-dst-ip-address="" filter-dst-ipv6-address="" filter-dst-mac-address=\
    "" filter-dst-port="" filter-interface="" filter-ip-address="" \
    filter-ip-protocol="" filter-ipv6-address="" filter-mac-address="" \
    filter-mac-protocol="" filter-operator-between-entries=or filter-port="" \
    filter-size="" filter-src-ip-address="" filter-src-ipv6-address="" \
    filter-src-mac-address="" filter-src-port="" filter-stream=no filter-vlan=\
    "" memory-limit=100KiB memory-scroll=yes only-headers=no quick-rows=20 \
    quick-show-frame=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no \
    stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

CAP “2” (R403.CAP:OG.BALKON)

# model = RBwAPGR-5HacD2HnD
# serial number = B7380B589768
/interface bridge
add admin-mac=C4:AD:34:58:8A:AA ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment=defconf dhcp-snooping=no disabled=no \
    fast-forward=yes forward-delay=15s igmp-snooping=no max-learned-entries=auto max-message-age=20s mtu=auto mvrp=no name=bridgeLocal \
    port-cost-mode=long priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:58:8A:AA mtu=1500 name=ether1 orig-mac-address=\
    C4:AD:34:58:8A:AA rx-flow-control=off tx-flow-control=off
set [ find default-name=ether2 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:58:8A:AB mtu=1500 name=ether2 orig-mac-address=\
    C4:AD:34:58:8A:AB rx-flow-control=off tx-flow-control=off
/queue interface
set bridgeLocal queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=auto name=default \
    use-network-apn=yes use-peer-dns=yes
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=default band="" disabled=no !modem-init mtu=1500 name=lte1 network-mode=\
    gsm,3g,lte sms-protocol=auto sms-read=no
/queue interface
set lte1 queue=no-queue
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=\
    C4:AD:34:58:8A:AC name=wifi1 radio-mac=C4:AD:34:58:8A:AC
# managed by CAPsMAN
set [ find default-name=wifi2 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=\
    C4:AD:34:58:8A:AD name=wifi2 radio-mac=C4:AD:34:58:8A:AD
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default smtp-server=0.0.0.0 split-user-domain=no use-radius=\
    no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d \
    name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=8s dpd-maximum-failures=4 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default \
    pfs-group=modp1024
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default \
    use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up="" \
    only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
    use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
# managed by CAPsMAN
set wifi1 queue=wireless-default
# managed by CAPsMAN
set wifi2 queue=wireless-default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=\
    none write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
    syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy skin=\
    default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy skin=\
    default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api skin=\
    default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether1 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether2 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=static discover-interval=30s lldp-mac-phy-config=no lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled \
    lldp-vlan-info=no mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=4096 rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=2048 multipath-hash-policy=l3
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc default-profile=default enable-tun-ipv6=no enabled=no \
    ipv6-prefix-len=64 keepalive-timeout=60 mac-address=FE:E2:6D:B4:A3:7C max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp push-routes=\
    "" redirect-gateway=disabled reneg-sec=3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi capsman
set enabled=no
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=bridgeLocal \
    use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
    mdns-repeat-ifaces="" query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
/ip service
set telnet address="" disabled=no max-sessions=20 port=23 vrf=main
set ftp address="" disabled=no max-sessions=20 port=21
set www address="" disabled=no max-sessions=20 port=80 vrf=main
set ssh address="" disabled=no max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 tls-version=any vrf=main
set api address="" disabled=no max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no max-sessions=20 port=8729 tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=flash/pub disabled=yes invalid-users="" name=pub read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=32k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 \
    sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=\
    yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes \
    nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes \
    src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=\
    medium reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Vienna
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start="1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=R403.CAP:OG.BALKON
/system leds
set 0 disabled=no interface=lte1 leds=lte-led type=interface-activity
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=bootp force-backup-booter=no preboot-etherboot=disabled \
    preboot-etherboot-server=any protected-routerboot=disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-dst-ip-address="" filter-dst-ipv6-address="" \
    filter-dst-mac-address="" filter-dst-port="" filter-interface="" filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
    filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" filter-size="" filter-src-ip-address="" \
    filter-src-ipv6-address="" filter-src-mac-address="" filter-src-port="" filter-stream=no filter-vlan="" memory-limit=100KiB memory-scroll=\
    yes only-headers=no quick-rows=20 quick-show-frame=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

CAP “3” (R403.CAP:OG.BUERO)

# model = cAPGi-5HaxD2HaxD
# serial number = HGD09JVZ8BG
/interface bridge
add admin-mac=D4:01:C3:94:99:9F ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment=defconf dhcp-snooping=no disabled=no \
    fast-forward=yes forward-delay=15s igmp-snooping=no max-learned-entries=auto max-message-age=20s mtu=auto mvrp=no name=bridgeLocal \
    port-cost-mode=long priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1568 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:94:99:9F mtu=1500 name=ether1 orig-mac-address=D4:01:C3:94:99:9F rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether2 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1568 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:94:99:A0 mtu=1500 name=ether2 orig-mac-address=D4:01:C3:94:99:A0 poe-out=auto-on \
    poe-priority=10 power-cycle-interval=none !power-cycle-ping-address power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off \
    tx-flow-control=off
/queue interface
set bridgeLocal queue=no-queue
/interface ethernet switch
set 0 !cpu-flow-control mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=auto name=default \
    use-network-apn=yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=\
    D4:01:C3:94:99:A1 name=wifi1 radio-mac=D4:01:C3:94:99:A1
# managed by CAPsMAN
set [ find default-name=wifi2 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=\
    D4:01:C3:94:99:A2 name=wifi2 radio-mac=D4:01:C3:94:99:A2
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d \
    name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=8s dpd-maximum-failures=4 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default \
    use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up="" \
    only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
    use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=\
    32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
# managed by CAPsMAN
set wifi1 queue=wireless-default
# managed by CAPsMAN
set wifi2 queue=wireless-default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
    syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy skin=\
    default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy skin=\
    default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api skin=default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether1 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether2 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=static discover-interval=30s lldp-mac-phy-config=no lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled \
    lldp-poe-power=yes lldp-vlan-info=no mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=16384 rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=14336 multipath-hash-policy=l3
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc default-profile=default enable-tun-ipv6=no enabled=no \
    ipv6-prefix-len=64 keepalive-timeout=60 mac-address=FE:C1:FB:44:85:24 max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp push-routes="" \
    redirect-gateway=disabled reneg-sec=3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi capsman
set enabled=no
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=bridgeLocal use-peer-dns=\
    yes use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
    mdns-repeat-ifaces="" query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=\
    :: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
/ip service
set telnet address="" disabled=no max-sessions=20 port=23 vrf=main
set ftp address="" disabled=no max-sessions=20 port=21
set www address="" disabled=no max-sessions=20 port=80 vrf=main
set ssh address="" disabled=no max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 tls-version=any vrf=main
set api address="" disabled=no max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no max-sessions=20 port=8729 tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=pub disabled=yes invalid-users="" name=pub read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=256k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 \
    sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes \
    nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes \
    src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=\
    medium reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Vienna
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start="1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=R403.CAP:OG.BUERO
/system leds
set 0 disabled=no leds=poe-led type=poe-out
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system package update
set channel=long-term
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
set 14 cpu=auto
set 15 cpu=auto
set 16 cpu=auto
set 17 cpu=auto
set 18 cpu=auto
set 19 cpu=auto
set 20 cpu=auto
set 21 cpu=auto
set 22 cpu=auto
set 23 cpu=auto
set 24 cpu=auto
set 25 cpu=auto
set 26 cpu=auto
set 27 cpu=auto
set 28 cpu=auto
set 29 cpu=auto
set 30 cpu=auto
set 31 cpu=auto
set 32 cpu=auto
set 33 cpu=auto
set 34 cpu=auto
set 35 cpu=auto
set 36 cpu=auto
set 37 cpu=auto
set 38 cpu=auto
set 39 cpu=auto
set 40 cpu=auto
set 41 cpu=auto
set 42 cpu=auto
set 43 cpu=auto
set 44 cpu=auto
set 45 cpu=auto
set 46 cpu=auto
set 47 cpu=auto
set 48 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard mode-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=bootp force-backup-booter=no preboot-etherboot=disabled \
    preboot-etherboot-server=any protected-routerboot=disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-dst-ip-address="" filter-dst-ipv6-address="" \
    filter-dst-mac-address="" filter-dst-port="" filter-interface="" filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
    filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" filter-size="" filter-src-ip-address="" \
    filter-src-ipv6-address="" filter-src-mac-address="" filter-src-port="" filter-stream=no filter-vlan="" memory-limit=100KiB memory-scroll=yes \
    only-headers=no quick-rows=20 quick-show-frame=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

CAP “4” (R403.CAP:UG.KELLER)

# model = RBwAPG-5HacD2HnD
# serial number = HFM09SMSG9E
/interface bridge
add admin-mac=D4:01:C3:04:F3:FF ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment=defconf dhcp-snooping=no disabled=no fast-forward=yes \
    forward-delay=15s igmp-snooping=no max-learned-entries=auto max-message-age=20s mtu=auto mvrp=no name=bridgeLocal port-cost-mode=long priority=0x8000 \
    protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=\
    auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:04:F3:FF mtu=1500 name=ether1 orig-mac-address=D4:01:C3:04:F3:FF rx-flow-control=off tx-flow-control=\
    off
set [ find default-name=ether2 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=\
    auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:04:F4:00 mtu=1500 name=ether2 orig-mac-address=D4:01:C3:04:F4:00 rx-flow-control=off tx-flow-control=\
    off
/queue interface
set bridgeLocal queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=auto name=default use-network-apn=yes \
    use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=D4:01:C3:04:F4:01 name=wifi1 \
    radio-mac=D4:01:C3:04:F4:01
# managed by CAPsMAN
set [ find default-name=wifi2 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=D4:01:C3:04:F4:02 name=wifi2 \
    radio-mac=D4:01:C3:04:F4:02
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=0.0.0.0:0 \
    install-hotspot-queue=no login-by=cookie,http-chap name=default smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=default \
    !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=8s dpd-maximum-failures=4 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=\
    default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default !outgoing-filter !parent-queue \
    !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default use-ipv6=yes use-mpls=default use-upnp=default \
    !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=yes use-ipv6=yes use-mpls=\
    default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
# managed by CAPsMAN
set wifi1 queue=wireless-default
# managed by CAPsMAN
set wifi2 queue=wireless-default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=bsd-syslog \
    target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api skin=default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=\
    none hw=yes ingress-filtering=yes interface=ether1 !internal-path-cost learn=auto multicast-router=temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=\
    none hw=yes ingress-filtering=yes interface=ether2 !internal-path-cost learn=auto multicast-router=temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s \
    tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=static discover-interval=30s lldp-mac-phy-config=no lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled lldp-vlan-info=no \
    mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=4096 rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes max-neighbor-entries=2048 \
    multipath-hash-policy=l3
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address default-profile=\
    default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 !l2tpv3-ether-interface-list \
    max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 \
    keepalive-timeout=60 mac-address=FE:C4:86:1A:0A:98 max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp push-routes="" redirect-gateway=disabled \
    reneg-sec=3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no keepalive-timeout=60 \
    max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi capsman
set enabled=no
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=bridgeLocal use-peer-dns=yes \
    use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB doh-max-concurrent-queries=50 doh-max-server-connections=5 \
    doh-timeout=5s max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 mdns-repeat-ifaces="" query-server-timeout=2s \
    query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no max-cache-object-size=\
    2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=:: parent-proxy-port=0 port=8080 \
    serialize-connections=no src-address=::
/ip service
set telnet address="" disabled=no max-sessions=20 port=23 vrf=main
set ftp address="" disabled=no max-sessions=20 port=21
set www address="" disabled=no max-sessions=20 port=80 vrf=main
set ssh address="" disabled=no max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 tls-version=any vrf=main
set api address="" disabled=no max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no max-sessions=20 port=8729 tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=flash/pub disabled=yes invalid-users="" name=pub read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=32k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes igmp-type=yes \
    in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=yes nat-dst-port=yes \
    nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes src-address=yes src-address-mask=yes src-mac-address=yes \
    src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all managed-address-configuration=no mtu=\
    unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=medium reachable-time=unspecified retransmit-interval=\
    unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" trap-version=1 \
    vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Vienna
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start="1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=R403.CAP:UG.KELLER
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=bootp force-backup-booter=no preboot-etherboot=disabled preboot-etherboot-server=any \
    protected-routerboot=disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-dst-ip-address="" filter-dst-ipv6-address="" filter-dst-mac-address="" \
    filter-dst-port="" filter-interface="" filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" \
    filter-operator-between-entries=or filter-port="" filter-size="" filter-src-ip-address="" filter-src-ipv6-address="" filter-src-mac-address="" \
    filter-src-port="" filter-stream=no filter-vlan="" memory-limit=100KiB memory-scroll=yes only-headers=no quick-rows=20 quick-show-frame=no \
    streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

CAPSMAN:

# model = CRS328-24P-4S+
# serial number = HD508BTMHMH
/interface bridge
add admin-mac=18:FD:74:A8:66:F9 auto-mac=no comment=defconf name=BRIDGE1 port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether01 poe-out=off
set [ find default-name=ether2 ] name=ether02
set [ find default-name=ether3 ] name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06
set [ find default-name=ether7 ] name=ether07
set [ find default-name=ether8 ] name=ether08
set [ find default-name=ether9 ] name=ether09
set [ find default-name=ether24 ] advertise=1G-baseT-half,1G-baseT-full poe-out=off
/interface vlan
add interface=BRIDGE1 name=VLAN1-R403-intern vlan-id=1
add interface=ether01 name=VLAN2-R403-Heimautomatisierung vlan-id=1
add interface=ether17 name=gast vlan-id=1
/interface bonding
add name=Bond-MacPro slaves=ether07,ether08
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=no frequency=5180,5220,5745,5785 name=channel-5G width=20/40mhz-Ce
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
add authentication-types=wpa2-psk disabled=no name=security-AC
/interface wifi configuration
add channel=channel-5G country="United States" disabled=no mode=ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403IoT
add channel=channel-2G country="United States" disabled=no mode=ap name=config-AC-2G security=security-AC ssid=R403AC
/interface wifi
# must specify passphrase for PSK
add configuration=config-clients-2G disabled=no name=cap-wifi1 radio-mac=D4:01:C3:04:F4:01
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:04:F4:01 master-interface=cap-wifi1 name=cap-wifi1-virtual1
add configuration=config-AC-2G disabled=no mac-address=D6:01:C3:04:F4:02 master-interface=cap-wifi1 name=cap-wifi1-virtual2
# must specify passphrase for PSK
add configuration=config-clients-5G disabled=no name=cap-wifi2 radio-mac=D4:01:C3:04:F4:02
# must specify passphrase for PSK
add configuration=config-clients-5G disabled=no name=cap-wifi3 radio-mac=D4:01:C3:97:B1:06
# must specify passphrase for PSK
add configuration=config-clients-5G disabled=no name=cap-wifi4 radio-mac=D4:01:C3:94:99:A1
# must specify passphrase for PSK
add configuration=config-clients-2G disabled=no name=cap-wifi5 radio-mac=D4:01:C3:94:99:A2
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:94:99:A2 master-interface=cap-wifi5 name=cap-wifi5-virtual1
add configuration=config-AC-2G disabled=no mac-address=D6:01:C3:94:99:A3 master-interface=cap-wifi5 name=cap-wifi5-virtual2
# must specify passphrase for PSK
add configuration=config-clients-5G disabled=no name=cap-wifi6 radio-mac=C4:AD:34:58:8A:AD
# must specify passphrase for PSK
add configuration=config-clients-2G disabled=no name=cap-wifi7 radio-mac=D4:01:C3:97:B1:07
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:97:B1:07 master-interface=cap-wifi7 name=cap-wifi7-virtual1
add configuration=config-AC-2G disabled=no mac-address=D6:01:C3:97:B1:08 master-interface=cap-wifi7 name=cap-wifi7-virtual2
# must specify passphrase for PSK
add configuration=config-clients-2G disabled=no name=cap-wifi8 radio-mac=C4:AD:34:58:8A:AC
add configuration=config-IoT-2G disabled=no mac-address=C6:AD:34:58:8A:AC master-interface=cap-wifi8 name=cap-wifi8-virtual1
add configuration=config-AC-2G disabled=no mac-address=C6:AD:34:58:8A:AD master-interface=cap-wifi8 name=cap-wifi8-virtual2
/ip ipsec policy group
add name=group1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,3des hash-algorithm=sha256
add dh-group=modp1536 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-192,aes-128 name=IPsec-Profile-comp
add dh-group=modp1024 dpd-interval=30s dpd-maximum-failures=3 enc-algorithm=aes-256,aes-192,aes-128 name=Private-S2S-VPNs
/ip ipsec peer
add address=hff0915c2k1.sn.mynetname.net name=G21 profile=Private-S2S-VPNs
add address=*****/32 name=comp profile=IPsec-Profile-comp 
/ip ipsec proposal
add auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-128-cbc,3des name=proposal-comp pfs-group=modp1536
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc name=proposal-R403 pfs-group=modp1536
/ip pool
add name=VLAN0-DHCP ranges=10.43.210.101-10.43.210.200
/ip dhcp-server
add add-arp=yes address-pool=VLAN0-DHCP authoritative=no interface=BRIDGE1 lease-time=23h name=DHCP-INTERN
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip smb
set domain=R403
/interface bridge port
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether01 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether02 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether03 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether04 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether05 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether06 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether09 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether11 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether12 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether13 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether14 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether15 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether19 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether20 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether21 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether22 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether23 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether16 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether17 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether18 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=Bond-MacPro
add bridge=BRIDGE1 interface=sfp-sfpplus2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BRIDGE1 vlan-ids=1
/interface detect-internet
set detect-interface-list=WAN
/interface ethernet switch
set 0 name=SW1-OG
/interface list member
add interface=ether01 list=LAN
add interface=ether02 list=LAN
add interface=ether03 list=LAN
add interface=ether04 list=LAN
add interface=ether05 list=LAN
add interface=ether06 list=LAN
add interface=ether07 list=LAN
add interface=ether08 list=LAN
add interface=ether09 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=BRIDGE1 list=LAN
add interface=ether24 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=config-clients-2G slave-configurations=config-IoT-2G,config-AC-2G supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ac
add action=create-enabled disabled=no master-configuration=config-clients-2G slave-configurations=config-IoT-2G,config-AC-2G supported-bands=2ghz-n
/ip address
add address=10.43.210.254/24 comment=defconf interface=BRIDGE1 network=10.43.210.0
add address=93.83.243.146/30 interface=ether24 network=93.83.243.144
add address=10.43.220.254/24 interface=gast network=10.43.220.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-server lease
add address=10.43.210.188 comment="Jal EG Wirtschaftsraum" mac-address=48:E1:E9:A9:55:DB server=DHCP-INTERN
add address=10.43.210.34 client-id=1:dc:a9:4:88:53:ba comment="MacBook Erik" mac-address=DC:A9:04:88:53:BA server=DHCP-INTERN
add address=10.43.210.181 comment="Jal OG Buero" mac-address=48:E1:E9:A9:59:97 server=DHCP-INTERN
add address=10.43.210.182 comment="Jal OG Schlafzimmer" mac-address=48:E1:E9:A2:4B:90 server=DHCP-INTERN
add address=10.43.210.183 comment="Jal OG Balkon" mac-address=48:E1:E9:A9:6B:99 server=DHCP-INTERN
add address=10.43.210.184 comment="Jal EG Veranda" mac-address=48:E1:E9:A2:4E:F6 server=DHCP-INTERN
add address=10.43.210.185 comment="Jal EG Kueche Sued" mac-address=48:E1:E9:A9:54:76 server=DHCP-INTERN
add address=10.43.210.186 comment="Jal EG Kueche West" mac-address=48:E1:E9:A9:51:6B server=DHCP-INTERN
add address=10.43.210.187 comment="Jal EG Wohnzimmer Nord" mac-address=48:E1:E9:A9:6A:93 server=DHCP-INTERN
add address=10.43.210.189 comment="Jal EG Wohnzimmer West" mac-address=48:E1:E9:A9:60:5B server=DHCP-INTERN
add address=10.43.210.201 comment="SWITCH HP ARUBA2530 48 POE OG" mac-address=A0:1D:48:34:0A:00 server=DHCP-INTERN
add address=10.43.210.35 comment=MacPro6 mac-address=00:3E:E1:BD:F9:55 server=DHCP-INTERN
add address=10.43.210.100 client-id=1:f0:92:1c:e7:4c:90 mac-address=F0:92:1C:E7:4C:90 server=DHCP-INTERN
add address=10.43.210.203 mac-address=48:A9:8A:47:38:14 server=DHCP-INTERN
add address=10.43.210.91 client-id=1:4:79:b7:b0:1a:f1 comment="Wechselrichter Kostal" mac-address=04:79:B7:B0:1A:F1 server=DHCP-INTERN
add address=10.43.210.92 client-id=1:0:d0:93:4d:41:11 mac-address=00:D0:93:4D:41:11 server=DHCP-INTERN
add address=10.43.210.212 client-id=1:d4:1:c3:94:99:9f mac-address=D4:01:C3:94:99:9F server=DHCP-INTERN
add address=10.43.210.214 client-id=1:d4:1:c3:97:b1:4 mac-address=D4:01:C3:97:B1:04 server=DHCP-INTERN
add address=10.43.210.211 client-id=1:c4:ad:34:58:8a:aa mac-address=C4:AD:34:58:8A:AA server=DHCP-INTERN
add address=10.43.210.213 client-id=1:d4:1:c3:4:f3:ff mac-address=D4:01:C3:04:F3:FF server=DHCP-INTERN
add address=10.43.210.3 client-id=1:0:8:9b:c3:cb:93 mac-address=00:08:9B:C3:CB:93 server=DHCP-INTERN
add address=10.43.210.2 client-id=1:0:8:9b:f1:be:ba mac-address=00:08:9B:F1:BE:BA server=DHCP-INTERN
add address=10.43.210.18 mac-address=F0:92:1C:E7:42:0F server=DHCP-INTERN
/ip dhcp-server network
add address=10.43.210.0/24 dns-server=10.43.210.1,10.43.210.11,8.8.8.8,192.168.121.201 domain=r403.local gateway=10.43.210.254 ntp-server=10.43.210.254
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=4443,8291 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=forward disabled=yes dst-address=192.168.0.0/16 src-address=10.43.210.0/24
add action=drop chain=forward disabled=yes dst-address=10.43.210.0/24 src-address=192.168.10.0/24
add action=accept chain=forward dst-address=10.43.210.0/24 src-address=10.21.0.0/24
add action=accept chain=forward dst-address=10.21.0.0/24 src-address=10.43.210.0/24
add action=accept chain=forward dst-address=10.43.210.1 dst-port=443 protocol=tcp src-port=443
add action=accept chain=forward dst-address=213.33.98.136 dst-port=53 protocol=udp
add action=accept chain=input dst-address=10.43.210.2 dst-port=5000 in-interface-list=WAN protocol=tcp
add action=accept chain=forward dst-address=10.43.210.1 dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept in ipsec policy" in-interface=all-ppp ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input in-interface=ether24 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether24 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=dstnat dst-address=10.43.210.11 dst-port=443 in-interface=ether24 protocol=tcp
/ip firewall nat
add action=accept chain=srcnat dst-address=10.21.0.0/24 src-address=10.43.210.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=10.43.210.0/24
add action=dst-nat chain=dstnat comment="Forwarding rule" dst-port=5000 in-interface-list=WAN protocol=tcp src-port="" to-addresses=10.43.210.2 to-ports=5000
add action=masquerade chain=srcnat out-interface=ether24
/ip ipsec identity
add peer=G21
add comment=** mode-config=request-only peer=comp
/ip ipsec policy
set 0 disabled=yes proposal=proposal-comp
add dst-address=192.168.10.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.121.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.122.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.70.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
add dst-address=10.21.0.0/24 peer=G21 proposal=proposal-R403 src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.50.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
/ip proxy
set max-cache-size=100000KiB
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=93.83.243.145 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/8
set ssh address=10.0.0.0/8
set www-ssl address=10.0.0.0/8 certificate=cert1 disabled=no port=8443
set winbox address=10.0.0.0/8
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=SW.OG.1
/system logging
add topics=debug,dhcp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=178.189.127.148
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add

Do you have an explanation why adding ports (which is based on a hint in this forum) is the reason for my PC to choose 2.4 GHz instead of 5?
You wrote that it’s a cause for failures, so… which cause is that?

Not current and important anymore, but I cannot delete it.

Now I have cleaned up capsman, threw everything out and put in your config.
All APs say “SSID not set”
I did what you told me, I shall not change any other settings.
No surprise, all of my IoT devices are offline; in the meantime I will reset them to factory defaults.
Until I get a new response I will plug in my Cisco access points, I need wifi (at least for phones and iPads), and I won’t do anything on this config until your next instructions… :wink:

We will stop here; or at least, I want to ask you to stop any further attempts to “help” me…

My desktop PC slowed down its connection to 1.000 Kps (!!)
My IoT devices still don’t have a connection (how could they, you let me delete my WPA2 config)

I will recover the WPA settings now and remove the wifi for high speed.
It’s just not working, and I see no reason to believe that someone will get more than constant and stable 300 Mbps out of those devices.
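The CAPsMAN export earlier on this page carries RouterOS's own `# must specify passphrase for PSK` flags on several `cap-wifi` interfaces. The following added example (not part of the original posts and not MikroTik code) resolves each wifi interface to its configuration and security profile and reports which PSK profiles still need a passphrase; the function names `parse_export` and `audit_psk` are hypothetical, and the input is an excerpt of that export.

```python
import re
import shlex

# Excerpt of the CAPsMAN export posted above (wifi sections only).
EXPORT = '''\
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
/interface wifi configuration
add channel=channel-5G country="United States" disabled=no mode=ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403IoT
/interface wifi
# must specify passphrase for PSK
add configuration=config-clients-2G disabled=no name=cap-wifi1 radio-mac=D4:01:C3:04:F4:01
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:04:F4:01 master-interface=cap-wifi1 name=cap-wifi1-virtual1
# must specify passphrase for PSK
add configuration=config-clients-5G disabled=no name=cap-wifi2 radio-mac=D4:01:C3:04:F4:02
'''


def parse_export(text):
    """Return {section: [(properties, comments)]} for every `add` line."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines continued with a backslash
    sections, section, pending = {}, None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):          # new menu path, e.g. /interface wifi
            section, pending = line, []
        elif line.startswith("#"):        # RouterOS note attached to the next entry
            pending.append(line.lstrip("# "))
        elif line.startswith("add ") and section:
            props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            sections.setdefault(section, []).append((props, pending))
            pending = []
    return sections


def audit_psk(text):
    """Map each PSK security profile without a passphrase to the interfaces using it."""
    s = parse_export(text)
    security = {p["name"]: p for p, _ in s.get("/interface wifi security", [])}
    config = {p["name"]: p for p, _ in s.get("/interface wifi configuration", [])}
    findings = {}
    for props, comments in s.get("/interface wifi", []):
        # Assumption: a security= set directly on the interface wins over the profile's.
        name = props.get("security") or config.get(props.get("configuration"), {}).get("security")
        prof = security.get(name)
        if prof is None or "psk" not in prof.get("authentication-types", ""):
            continue
        if "passphrase" in prof:
            continue
        # An export without show-sensitive hides passphrases, so a missing key alone
        # proves nothing; the RouterOS note on the interface confirms it is unset.
        flagged = any("passphrase" in c for c in comments)
        entry = findings.setdefault(name, {"confirmed": False, "interfaces": []})
        entry["confirmed"] |= flagged
        entry["interfaces"].append(props["name"])
    return findings


if __name__ == "__main__":
    for profile, f in audit_psk(EXPORT).items():
        state = "flagged by RouterOS" if f["confirmed"] else "no passphrase in export"
        print(f"{profile}: {state}: {', '.join(f['interfaces'])}")
```
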