CAPsMAN... again...

Hi,

I’m pretty new to MikroTik devices. Even though I’m a computer technician by profession, I’m having a really hard time making a functional setup. I’ve been reading this forum and attempting configurations through WinBox and the CLI, but with little success. I also tried using ChatGPT for assistance, but that didn’t resolve the issue either.

Here’s some background:

Hardware: Chateau AX 5G and cAP AX

Goal:

Configure Chateau AX 5G as a CAPsMAN server (both devices currently have RouterOS 7.18.2).

The Chateau AX 5G should function as a CAPsMAN server for its own Wi-Fi (this AP is needed as well) and distribute identical Wi-Fi networks through the cAP AX.

Enable seamless roaming.

The three networks I want could be named:

MainNet – used by my computers and NAS servers. Devices on this network shouldn’t be visible to other networks unless explicitly specified.

GuestNet – a Wi-Fi network for guests. Devices on this network should not have access to other Wi-Fi networks.

IoTNet – used exclusively for IoT hardware. Devices should not have access to other networks unless explicitly specified.

Each of these Wi-Fi networks should have its own DHCP server.

Before someone asks: Yes, this setup is necessary. I live in a large, detached house, have many IoT devices, and in the future, I will add two outdoor mANTBox AX 15 / NetMetal AX units to cover a large outdoor area. Also, due to challenging installation locations and the large coverage area, CAPsMAN is a necessity. I frequently make VoIP calls and move around with my phone, so roaming is absolutely essential.

I think I’ve successfully configured (reset) the cAP AX to work as a CAP client—and that’s about it. :exploding_head::sweat_smile: Well, I’ve managed to relay MainNet to the cAP AX but haven’t succeeded in adding other Wi-Fi networks (visible through cAP AX), even when using the same DHCP.

Could someone please help me? I’m getting a bit desperate here. :grin:

EDIT: All MikroTik devices are connected through ethernet cable

Here’s my config output (anonymized). This is not the best config I’ve managed to make so far, so I can reset the Chateau AX 5G if it’s easier to proceed that way.

# software id = xxxxxxxx
#
# model = S53UG+M-5HaxD2HaxD
# serial number = xxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid=SSID-1 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid=SSID-2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" network-mode=lte \
    nr-band=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=MainNet-sec \
    wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=GuestNet-sec \
    wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=IoTNet-sec wps=\
    disable
/interface wifi configuration
add country=LaLaLand name=MainNet-conf security=MainNet-sec ssid=MainNet
add country=LaLaLand disabled=no name=GuestNet-conf security=GuestNet-sec \
    ssid=GuestNet
add country=LaLaLand name=IoTNet-conf security=IoTNet-sec ssid=IoTNet
/interface wifi
# operated by CAP xxxxxxxxxxxxxxxxxxx%bridge, traffic processing on CAP
add configuration=MainNet-conf disabled=no name=prov-MainNet radio-mac=\
    xxxxxxxxxxxxxxxxxxx
# operated by CAP xxxxxxxxxxxxxxxxxxx%bridge, traffic processing on CAP
add configuration=MainNet-conf disabled=no name=prov-MainNet2 radio-mac=\
    xxxxxxxxxxxxxxxxxxx
add configuration=GuestNet-conf configuration.mode=ap disabled=no \
    mac-address=xxxxxxxxxxxxxxxxxxx master-interface=wifi1 name=wifi3 security=\
    GuestNet-sec
add configuration=IoTNet-conf configuration.mode=ap disabled=no mac-address=\
    xxxxxxxxxxxxxxxxxxx master-interface=wifi1 name=wifi4 security=IoTNet-sec
/ip pool
add name=dhcp ranges=xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
set ether2 queue=fq-codel-ethernet-default
set ether3 queue=fq-codel-ethernet-default
set ether4 queue=fq-codel-ethernet-default
set ether5 queue=fq-codel-ethernet-default
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface wifi cap
set enabled=yes
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
    none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    MainNet-conf name-format="" slave-configurations=\
    GuestNet-conf,GuestNet-conf
add action=create-dynamic-enabled disabled=no master-configuration=\
    GuestNet-conf
add action=create-dynamic-enabled disabled=no master-configuration=\
    IoTNet-conf
/ip address
add address=xxx.xxx.xxx.xxx/24 comment=defconf interface=bridge network=\
    xxx.xxx.xxx.xxx
/ip dhcp-server network
add address=xxx.xxx.xxx.xxx/24 comment=defconf dns-server=xxx.xxx.xxx.xxx \
    gateway=xxx.xxx.xxx.xxx netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=xxx.xxx.xxx.xxx comment=defconf name=router.lan type=A
/system clock
set time-zone-name=Region/City
/system note
set show-at-login=no
  1. Use code tags around your config.
  2. There’s no config for the cAP AX.
  3. You’ve got 3 nets, but they’re all using the same subnet? I don’t see any VLANs here.
  4. You can use CAPsMAN to provision local interfaces, which means you lose some customizability on the Chateau, but all interfaces (on each AP) will be the same across the configuration.

There is a complete example on the documentation page:
https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-CAPsMAN-CAPVLANconfigurationexample:

Just be aware that you have to provision local (wifi) interfaces manually or choose to configure the local interfaces as described below:

CAPsMAN cannot manage its own wifi interfaces using configuration.manager=capsman, it is enough to just set the same configuration profile on local interfaces manually as you would with provisioning rules, and the end result will be the same as if they were CAPs. That being said, it is also possible to provision local interfaces via /interface/wifi/radio menu, it should be noted that to regain control of local interfaces after provisioning, you will need to disable the matching provisioning rules and press “provision” again, which will return local interfaces to an unconfigured state.

Thank you for the clarification. :+1:

Could someone please offer me a model of the CLI commands needed to accomplish what I’m trying to do here? I can reset my device and start all over.

Here are the commands ChatGPT suggested (on reset devices):

/interface bridge
add name=BR1 vlan-filtering=yes

/interface bridge port
add bridge=BR1 interface=ether1

/interface bridge vlan
add bridge=BR1 vlan-ids=10 tagged=BR1
add bridge=BR1 vlan-ids=20 tagged=BR1
add bridge=BR1 vlan-ids=30 tagged=BR1

/interface vlan
add interface=BR1 name=VLAN10 vlan-id=10
add interface=BR1 name=VLAN20 vlan-id=20
add interface=BR1 name=VLAN30 vlan-id=30

/ip address
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20
add address=192.168.30.1/24 interface=VLAN30

/ip pool
add name=pool10 ranges=192.168.10.2-192.168.10.254
add name=pool20 ranges=192.168.20.2-192.168.20.254
add name=pool30 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=pool10 interface=VLAN10 name=dhcp10
add address-pool=pool20 interface=VLAN20 name=dhcp20
add address-pool=pool30 interface=VLAN30 name=dhcp30

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1

/ip dhcp-server enable [find name=dhcp10]
/ip dhcp-server enable [find name=dhcp20]
/ip dhcp-server enable [find name=dhcp30]

/interface wifi channel
add name=dual-ax supported-bands=2ghz-ax,5ghz-ax width=20/40/80mhz

/interface wifi datapath
add name=DP10 bridge=BR1 vlan-id=10
add name=DP20 bridge=BR1 vlan-id=20
add name=DP30 bridge=BR1 vlan-id=30

/interface wifi security
add name=secMainNet authentication-types=wpa2-psk,wpa3-psk passphrase="PWDMain"
add name=secGuestNet authentication-types=wpa2-psk,wpa3-psk passphrase="PWDGuest"
add name=secIoTNet  authentication-types=wpa2-psk,wpa3-psk passphrase="PWDIoT"

/interface wifi configuration
add name=MainNet   ssid=MainNet   channel=dual-ax security=secMainNet  datapath=DP10 country=xxxxx
add name=GuestNet  ssid=GuestNet  channel=dual-ax security=secGuestNet datapath=DP20 country=xxxxx
add name=IoTNet    ssid=IoTNet    channel=dual-ax security=secIoTNet   datapath=DP30 country=xxxxx

/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MainNet slave-configurations=GuestNet,IoTNet \
    supported-bands=2ghz-ax,5ghz-ax

/interface wifi cap
set enabled=yes discovery-interfaces=BR1
/interface wifi set [find default-name=wifi1] configuration.manager=capsman-or-local
/interface wifi set [find default-name=wifi2] configuration.manager=capsman-or-local

/interface wifi security
set secMainNet  ft=yes ft-over-ds=yes
set secGuestNet ft=yes ft-over-ds=yes
set secIoTNet   ft=yes ft-over-ds=yes

/interface wifi configuration
set MainNet  steering.rrm=yes
set GuestNet steering.rrm=yes
set IoTNet   steering.rrm=yes

/interface wifi configuration
set MainNet  steering.wnm=yes
set GuestNet steering.wnm=yes
set IoTNet   steering.wnm=yes
  1. Thank you for the tip - posts edited accordingly.
  2. & 3. That’s right. This was only a misguided trial, where I tried multiple configs - probably shouldn’t have even posted it, but did so since the forum rules require that.
  4. Thanks, got it :+1:

You’re not going to get many comments on the chatgpt config.

Starting with Mikrotik is all about learning.
And you already got a link to the configuration.

But i can say:
For the beginning, it’s enough if you configure your capsman (including provisioning rules).
You can then provision the local radios of your chateau using the “radio” menu in wifi.
You just select the radios and hit the provision button.
You can connect your CAP using CAPs mode (it’s in the manual how to use it on the cAP AX; on the cAP ac it’s holding the reset button).
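The steps in the reply above in RouterOS CLI form, as an added example that is not from the thread or from MikroTik’s documentation. It uses the interface and profile names that appear in the later exports (bridge BR1 and the configurations MainNet, GuestNet and IoTNet on the Chateau, bridgeLocal on the cAP AX); those names, and the choice of discovery-interfaces rather than caps-man-addresses on the CAP, are assumptions.

```routeros
# Added example: CAPsMAN on the Chateau, its own radios provisioned on demand,
# the cAP AX joined over the wired link, and the checks to confirm each step.
# Names (BR1, bridgeLocal, MainNet/GuestNet/IoTNet) are assumed from the later exports.

# --- Chateau AX 5G: CAPsMAN and one provisioning rule for every radio ---
/interface wifi capsman
set enabled=yes interfaces=BR1
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MainNet \
    slave-configurations=GuestNet,IoTNet supported-bands=2ghz-ax,5ghz-ax \
    comment="each radio: MainNet as master AP, GuestNet and IoTNet as virtual APs"

# The Chateau's own radios are not CAPs, so the rule is not applied to them
# automatically. This is the CLI equivalent of selecting them in the radio menu
# and pressing "provision". To take them back, disable the rule and run it again.
/interface wifi radio provision [find]

# --- cAP AX: point it at the CAPsMAN over the cable ---
# (resetting the cAP into CAPs mode as described in the manual ends up here too;
#  one of discovery-interfaces or caps-man-addresses is enough, not both)
/interface wifi cap
set enabled=yes discovery-interfaces=bridgeLocal

# --- checks, run on the Chateau ---
/interface wifi capsman remote-cap print
# the cAP AX has to be listed here before any of its radios can be provisioned
/interface wifi radio print
# local and remote radios side by side, each remote one with the CAP that owns it
/interface wifi print
# provisioned interfaces carry the "operated by CAP ..." comment seen in the first export;
# a radio still marked "managed locally" was not matched by the rule
/interface wifi registration-table print
# one row per client; during roaming the same client MAC moves between interfaces
```

Run the three Chateau sections in that order: the provisioning rule must exist before the radios are provisioned, and the remote-cap list must show the cAP AX before its radios can appear in the radio list.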

Hi thank you for your comment itimo01 :+1:

I knew this was a risk of being frank. Purists are, well… purists.. :grin: The enthusiasm about the MikroTik tech was probably the reason I myself originally updated my hardware to MikroTik only - it’s pretty inspiring.


Well… I’ve watched a huge amount of OG MikroTik tutorials and read the documentation for the most part. I’ve been using ChatGPT as a learning tool → not to do the job and the thinking for me. I also use it to study coding, and I don’t see any harm in that. :slightly_smiling_face:

I’ve been stuck for a pretty long time in the current state of my devices. It means my large network infrastructure mostly doesn’t work, and I really do need my Home Assistant devices, computers etc. For that reason I can’t spend a year from now (actually not even a month more) learning how to do basic stuff like “mesh” (roaming) and VLANs. I tried to find someone local whom I could hire to help me with this config. I asked around in schools and businesses: there are none. Or at least I can find none :man_shrugging: Even MikroTik’s support site does not refer to any support specialist in my country…

So this basically leaves two options: A) somehow fast-forward my understanding to be able to config the devices to an acceptable level, or B) flash some more familiar firmware to the MikroTik devices and get the job done. Option B) is the last alternative since it kinda defeats the whole purpose of “wanting to get into MikroTik for good”.

After spending hours configuring, I think I've mostly got things working:

- Set up three configurations and security profiles accordingly.
- Configured provisioning and slave provisioning.
- Created three VLANs for different Wi-Fi networks (data is flowing nicely through at least VLAN "V100/MainNet").
- Set up some NAT and firewall rules.
- Enabled roaming.
- Enabled and configured CAPsMAN locally on router radios.
- Partially got CAPsMAN and the CAP client working.

For some reason, the cAP AX and the CAPsMAN server are still "visible to each other".

Could someone give me a hand figuring this out?

Here are my current configs:

cAP AX config:

# RouterOS 7.18.2
# model = cAPGi-5HaxD2HaxD
# serial number = HGZ0A1CCVC2
/interface bridge
add admin-mac=F4:1E:57:2F:40:47 auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi1 ] configuration.manager=capsman-or-local datapath=capdp
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi2 ] configuration.manager=capsman-or-local datapath=capdp
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set caps-man-addresses=192.168.100.1 discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock

Router (Chateau AX 5G) config:

# 2025-03-16 01:33:29 by RouterOS 7.18.2
# model = S53UG+M-5HaxD2HaxD

/interface bridge
add name=BR1 vlan-filtering=yes
/interface bridge
add name=BR1 vlan-filtering=yes
add name=bridge admin-mac=xx:xx:xx:xx:xx:xx vlan-filtering=yes

/interface bridge
add name=BR1 vlan-filtering=yes

/interface lte
set [ find default-name=lte1 ] name=lte1

/interface wifi configuration
add country=LaLaland datapath=MainNet name=MainNet ssid=MainNet
add country=LaLaland datapath=GuestNet name=GuestNet ssid=GuestNet
add country=LaLaland datapath=IoTNet name=IoTNet ssid=IoTNet

/ip pool
add name=default-dhcp interface=bridge ranges=192.168.xxx.xxx-192.168.xxx.xxx

/system identity
set name=xxxxxxxx

/interface bridge port
add bridge=BR1 interface=ether1 pvid=100

/ip address
add address=xxx.xxx.88.1/24 interface=bridge network=xxx.xxx.88.0
add address=xxx.xxx.100.1/24 interface=VLAN100 network=xxx.xxx.100.0
add address=xxx.xxx.200.1/24 interface=VLAN200 network=xxx.xxx.200.0

/ip dhcp-server network
add address=xxx.xxx.100.0/24 dns-server=xxx.xxx.100.1 gateway=xxx.xxx.100.1
add address=xxx.xxx.88.0/24 dns-server=xxx.xxx.88.1 gateway=xxx.xxx.88.1

/ip pool
add name=pool100 ranges=xxx.xxx.100.40-xxx.xxx.100.254
add name=pool200 ranges=xxx.xxx.200.40-xxx.xxx.200.254
add name=pool300 ranges=xxx.xxx.255.40-xxx.xxx.255.254

/interface wifi
set [ find default-name=wifi1 ] configuration=MainNet disabled=no
set [ find default-name=wifi2 ] configuration=MainNet configuration.manager=capsman-or-local disabled=no

/ip dns
set servers=xxx.xxx.88.1

/ip firewall filter
add action=accept chain=input comment="accept from LAN" in-interface-list=LAN
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow established, related" connection-state=established,related,untracked
add action=drop chain=input comment="drop everything else" in-interface-list=!LAN

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

I don’t think you posted an export?

  1. I’m guessing the AP is connected to ether1 of the Chateau.
  2. I can’t see any provisioning rules on the Chateau.
  3. I can’t see a CAPsMAN config on the Chateau.
  4. I can’t see a VLAN interface description, but I can see a DHCP server configured on an interface that’s named VLAN100.
  5. In your “export” the same config appears three times: add name=BR1.
  6. You’re adding 2 bridges to a device with 1 physical switch.
  7. You don’t need caps-man-addresses AND discovery-interfaces. One of them is enough.

EDIT: i posted a simple capsman setup without VLANs here:
http://forum.mikrotik.com/t/move-from-unifi-ap-to-mikrotik-ap/182299/23

Thank you for your reply.

I’ll check out the topic you linked. There was some kind of mistake copy-pasting the export. Here’s a fresh one, hand edited:


[admin@RT-MikroTik] > /export
# RouterOS 7.18.2
#
# model = S53UG+M-5HaxD2HaxD
/interface bridge
add name=BR1 vlan-filtering=yes
add admin-mac=48:A9:8A:CE:31:21 auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" nr-band=""
/interface vlan
add interface=BR1 name=VLAN100 vlan-id=100
add interface=BR1 name=VLAN200 vlan-id=200
add interface=BR1 name=VLAN300 vlan-id=300
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=BR1 name=DP100 vlan-id=100
add bridge=BR1 name=DP200 vlan-id=200
add bridge=BR1 name=DP300 vlan-id=300
/interface wifi security
add authentication-types=wpa3-psk disabled=no ft=yes ft-over-ds=yes name=secMainNet
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=secGuestNet
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=secIotNet
/interface wifi configuration
add country=LaLaLand datapath=DP100 disabled=no name=MainNet security=secMainNet ssid=MainNet steering.rrm=yes .wnm=yes
add country=LaLaLand disabled=no mode=ap name=IoTNet security=secIoTNet ssid=IoTNet steering.rrm=yes .wnm=yes
add country=LaLaLand disabled=no name=GuestNet security=secGuestnet ssid=GuestNet steering.rrm=yes .wnm=yes
/interface wifi
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi1 ] configuration=MainNet configuration.manager=capsman-or-local disabled=no
add configuration=IoTNet disabled=no mac-address=4A:A9:8A:CE:31:27 master-interface=wifi1 name=wifi1_IoTNet
add configuration=GuestNet disabled=no mac-address=4A:A9:8A:CE:31:26 master-interface=wifi1 name=wifi1_GuestNet
# no connection to CAPsMAN, managed locally
set [ find default-name=wifi2 ] configuration=MainNet configuration.manager=capsman-or-local disabled=no
/ip pool
add name=default-dhcp ranges=xxx.xxx.xx.10-xxx.xxx.xxx.254
add name=pool100 ranges=xxx.xxx.xxx.40-xxx.xxx.xxx.254
add name=pool200 ranges=xxx.xxx.xxx.40-xxx.xxx.xxx.254
add name=pool300 ranges=xxx.xxx.xxx.40-xxx.xxx.xxx.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool100 interface=VLAN100 name=dhcp100
add address-pool=pool200 interface=VLAN200 name=dhcp200
add address-pool=pool300 interface=VLAN300 name=dhcp300
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
set ether2 queue=fq-codel-ethernet-default
set ether3 queue=fq-codel-ethernet-default
set ether4 queue=fq-codel-ethernet-default
set ether5 queue=fq-codel-ethernet-default
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=BR1 interface=ether1 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether1 vlan-ids=100
add bridge=BR1 tagged=BR1 vlan-ids=200
add bridge=BR1 tagged=BR1 vlan-ids=300
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=VLAN100 list=LAN
add interface=VLAN200 list=LAN
add interface=VLAN300 list=LAN
/interface wifi cap
set enabled=yes
/interface wifi capsman
set enabled=yes interfaces=BR1
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=MainNet slave-configurations=GuestNet,IoTNet supported-bands=2ghz-ax,5ghz-ax
/ip address
add address=xxx.xxx.xx.1/24 comment=defconf interface=bridge network=xxx.xxx.xx.0
add address=xxx.xxx.xxx.1/24 interface=VLAN100 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.1/24 interface=VLAN200 network=xxx.xxxx.xxx.0
add address=xxx.xxx.xxx.1/24 interface=VLAN300 network=xxx.xxx.xxx.0
/ip dhcp-server network
add address=xxx.xxx.xxx.0/24 comment=defconf dns-server=xxx.xxx.xxx.1 gateway=xxx.xxx.xx.1
add address=xxx.xxx.xxx.0/24 dns-server=xxx.xxx.xxx.1 gateway=xxx.xxx.xxx.1
add address=xxx.xxx.xxxx.0/24 gateway=xxx.xxx.xxx.1
add address=xxx.xxx.xxxx.0/24 gateway=xxx.xxx.x.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=xxx.xxx.xx.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment="Allow CAPsMAN UDP 5246" dst-port=5246 protocol=udp
add action=accept chain=input comment="Allow CAPsMAN UDP 5247" dst-port=5247 protocol=udp
add action=accept chain=input comment="Accept established LAN connections" connection-state=established,related,untracked
add action=accept chain=input comment="Allow new management and web traffic from LAN" connection-state=new dst-port=22,8291,80,443 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all other new LAN input" connection-state=new in-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=lte1 src-address= xxx.xxx.100.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=lte1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
/system identity
set name=RT-XX
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard settings
set auto-upgrade=yes
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
  1. Yes, that’s right.
  2.-4. Are they OK in my previous post (export)?
  5. & 6. These should be OK now? I have a defconf bridge managing all but the trunk port (ether1). I want to reserve the ports other than ether1 to make sure I can access my router while configuring; please advise.
  7. Does it matter which one I shut down?
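An added example, not part of the thread: firewall and datapath settings that enforce the three-network policy from the first post (MainNet invisible to the other networks, GuestNet and IoTNet with no access to other networks unless explicitly allowed) on top of the last Chateau export. In that export the input rule `accept chain=input in-interface-list=LAN` comes before the port-specific management rules, so those never match; the CAPsMAN UDP 5246/5247 rules sit after `drop all not coming from LAN`; and the forward chain has no rule separating VLAN100, VLAN200 and VLAN300 even though all three are members of the LAN list, so nothing stops a Guest or IoT client from opening connections to MainNet. Assumptions: VLAN100 is MainNet, VLAN200 GuestNet and VLAN300 IoTNet (matching DP100/DP200/DP300 and the 192.168.100.1 CAPsMAN address in the cAP config); `bridge` holds the wired ports kept for recovery access; the interface lists TRUSTED and RESTRICTED, the address list IOT_ALLOWED and the host 192.168.100.10 are introduced here for illustration.

```routeros
# Added example (not from the thread). Policy for the three Wi-Fi VLANs of the last export.
# Assumed mapping: VLAN100 = MainNet, VLAN200 = GuestNet, VLAN300 = IoTNet,
# "bridge" = wired recovery ports, lte1 in list WAN. TRUSTED/RESTRICTED/IOT_ALLOWED are new names.

/interface list
add name=TRUSTED comment="networks that may reach everything and manage the router"
add name=RESTRICTED comment="networks that may only reach the Internet"
/interface list member
add interface=bridge list=TRUSTED
add interface=VLAN100 list=TRUSTED
add interface=VLAN200 list=RESTRICTED
add interface=VLAN300 list=RESTRICTED

# Guests should not see each other either: L2 isolation on the guest datapath.
# This only separates clients on the same AP; the forward rules below cover
# traffic that leaves the bridge.
/interface wifi datapath
set DP200 client-isolation=yes

# Hypothetical list for the "unless explicitly specified" exceptions,
# e.g. the host on MainNet that runs the home automation. Fill in the real address.
/ip firewall address-list
add list=IOT_ALLOWED address=192.168.100.10 comment="example: automation server on MainNet"

/ip firewall filter
# Start both IPv4 chains from empty so the rule order is known.
remove [find chain=input]
remove [find chain=forward]

# ---- input: what may talk to the router itself ----
add chain=input action=accept connection-state=established,related,untracked comment="accept established"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="loopback, needed for the Chateau's own CAP"
add chain=input action=accept protocol=udp dst-port=5246,5247 in-interface-list=LAN comment="CAPsMAN from the LAN only, never from WAN"
add chain=input action=accept protocol=udp dst-port=67 in-interface-list=LAN comment="DHCP for every VLAN"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="DNS"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN comment="DNS"
add chain=input action=accept protocol=tcp dst-port=22,8291,443 in-interface-list=TRUSTED comment="SSH/WinBox/HTTPS only from MainNet and the wired ports; plain HTTP left out"
add chain=input action=drop comment="everything else, including management attempts from Guest/IoT and WAN"

# ---- forward: traffic between networks ----
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop unsolicited from WAN"
add chain=forward action=accept connection-state=new in-interface-list=TRUSTED comment="MainNet and wired ports may open connections anywhere"
add chain=forward action=accept connection-state=new in-interface=VLAN300 dst-address-list=IOT_ALLOWED comment="IoT -> explicitly allowed hosts only"
add chain=forward action=accept connection-state=new in-interface-list=RESTRICTED out-interface-list=WAN comment="Guest and IoT -> Internet"
add chain=forward action=drop comment="everything else: Guest<->Main, IoT<->Main, Guest<->IoT"

# One masquerade rule replaces the four overlapping ones in the export.
/ip firewall nat
remove [find chain=srcnat]
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="masquerade to LTE"
```

Apply it from a terminal in Safe Mode (Ctrl+X) or from one of the wired ports in `bridge`, because the block empties the input chain before rebuilding it; WinBox over MAC, which the export allows on the LAN list via /tool mac-server, is not affected by the IP filter. The policy is decided on the first packet of each connection (`connection-state=new`), so reply traffic for an allowed connection passes through the established rule and, after it, the fasttrack rule; nothing in the RESTRICTED networks can open a connection toward VLAN100 or toward each other, and the IPv6 chains from the export are left as they are.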