Today I also tried connecting the CAPs through one totally dumb switch, removing the Zyxel from the equation, but the problem persisted.
https://files.ekmcdn.com/itinstock/images/netgear-8-port-10-100-mbps-desktop-switch-gs608-v3-networking-equipment-(2)-34756-p.jpg
I managed to clean this up a little, but it's still a mess:
# 2024-09-17 00:41:36 by RouterOS 7.15.3
# software id = LSTE-IL0H
#
# model = RB5009UG+S+
# serial number = ******
# NOTE(review): lines marked NOTE(review) are plain script comments added for review;
# they do not change anything on import. Keys, secrets and the serial were already
# redacted by the poster ("*").
/caps-man channel
add band=2ghz-onlyn name=channel2
add band=5ghz-onlyac name=channel5
/interface bridge
add admin-mac=4E:5E:0C:65:A1:62 auto-mac=no igmp-snooping=yes name=\
"IOT bridge" port-cost-mode=short
add igmp-snooping=yes name="Sejanci IPTV" port-cost-mode=short
add igmp-snooping=yes name=Sejanci_Internet port-cost-mode=short
add admin-mac=48:A9:8A:25:8B:B6 auto-mac=no comment=defconf igmp-snooping=yes \
name=bridge port-cost-mode=short
add igmp-snooping=yes name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] mac-address=4C:5E:0C:65:A1:58
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=\
1G-baseT-full
/interface l2tp-server
add disabled=yes name=Gregor user=
add name=HapAC3_potovalni_IN user=
add disabled=yes name="L2TP_server 1" user=
add name=b535_IN user=
add name=morskitestvpn user=
# NOTE(review): EoIP is plain GRE with no authentication or encryption. The two
# tunnels to 192.168.32.2/.3 ride inside the RemoteWGTiks WireGuard subnet
# (192.168.32.1/24 below), which is fine; 192.168.69.254 is not a local address in
# this export - presumably a PPP/L2TP link - confirm that path is also carried inside
# an encrypted tunnel. See also the "Accept GRE" filter rule further down.
/interface eoip
add local-address=192.168.32.1 mac-address=02:A5:5B:36:D9:47 mtu=1500 name=\
Hap_Lite_LTE_EOIP remote-address=192.168.32.2 tunnel-id=500
add local-address=192.168.69.254 mac-address=02:FC:88:6C:74:D3 mtu=1500 name=\
eoip-tunnel1 remote-address=192.168.69.1 tunnel-id=400
add local-address=192.168.32.1 mac-address=02:A5:5B:36:D9:47 mtu=1500 name=\
eoip-tunnel3 remote-address=192.168.32.3 tunnel-id=222
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1
add address=172.17.0.3/24 comment=Iperf gateway=172.17.0.1 gateway6="" name=\
veth2
add address=172.17.0.4/24 comment="UDPXY port 4000/status" gateway=172.17.0.1 \
gateway6="" name=veth3
add address=172.17.0.5/24 comment="OpenSpeedTest port 3000" gateway=\
172.17.0.1 gateway6="" name=veth4
/interface wireguard
add listen-port=51818 mtu=1420 name=RemoteWGTiks
add listen-port=51821 mtu=1420 name=WG
add comment=back-to-home-vpn listen-port=65505 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=eoip-tunnel1 name=IPTV3999 vlan-id=3999
add interface=ether5 name=Vlan30_eth5 vlan-id=30
add interface=sfp-sfpplus1 name=vlan30_SFP vlan-id=30
add interface=ether4 name=vlan30_eth4 vlan-id=30
add interface=ether6 name=vlan30_eth6 vlan-id=30
add interface=ether7 name=vlan30_eth7 vlan-id=30
add interface=ether3 name=vlan3999_ETH3 vlan-id=3999
/caps-man datapath
add bridge=bridge name=datapath1
add bridge="IOT bridge" name=datapath2
# NOTE(review): every wireless security profile in this export (here and in
# /interface wifi security) is WPA2-PSK only; WPA3/SAE is not enabled anywhere.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
add channel=channel2 channel.band=2ghz-g/n datapath=datapath1 \
datapath.client-to-client-forwarding=yes .local-forwarding=no name=cfg1 \
security=security1 ssid=Kmetija
# NOTE(review): cfg_IOT allows client-to-client forwarding on the IoT SSID (the
# new-style IOT datapath below also has client-isolation=no). IoT devices usually
# do not need to reach each other; isolating them limits lateral movement.
add datapath=datapath2 datapath.client-to-client-forwarding=yes name=cfg_IOT \
security=security1 ssid=IOT
/disk
set usb1 media-interface=none media-sharing=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge disabled=no name=Osnovni
add bridge="IOT bridge" client-isolation=no disabled=no name=IOT
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=sec1
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=\
sec_IOT
/interface wifi configuration
add country=Slovenia datapath=Osnovni disabled=no mode=ap name=Kmetija \
security=sec1 ssid=Kmetija
add country=Slovenia datapath=IOT datapath.bridge="IOT bridge" disabled=no \
mode=ap name=IOT security=sec_IOT ssid=IOT
/interface wifi
add channel.frequency=2412 configuration=Kmetija configuration.mode=ap \
disabled=no name="CapAX_Kmetija 2" radio-mac=48:A9:8A:E3:3F:A3
add channel.skip-dfs-channels=disabled configuration=Kmetija \
configuration.mode=ap disabled=no name="CapAX_Kmetija 5" radio-mac=\
48:A9:8A:E3:3F:A2
add channel.frequency=2462 configuration=Kmetija configuration.mode=ap \
disabled=no name="HapAC2_Klet_Kmetija 2" radio-mac=48:8F:5A:C9:71:79
add channel.frequency=5180 configuration=Kmetija configuration.mode=ap \
.tx-power=22 disabled=no name="HapAC2_Klet_Kmetija 5" radio-mac=\
48:8F:5A:C9:71:7A
add channel.frequency=2412 configuration=Kmetija configuration.mode=ap \
disabled=no name="HapAC2_\8Atala_Kmetija 2" radio-mac=08:55:31:2B:63:8B
add configuration=Kmetija configuration.mode=ap disabled=no name=\
"HapAC2_\8Atala_Kmetija 5" radio-mac=08:55:31:2B:63:8C
add configuration=Kmetija configuration.mode=ap disabled=no name=\
"HapAC3_Sobica_Kmetija 2" radio-mac=48:8F:5A:AF:4B:A8
add channel.frequency=5260 configuration=Kmetija configuration.mode=ap \
.tx-power=22 disabled=no name="HapAC3_Sobica_Kmetija 5" radio-mac=\
48:8F:5A:AF:4B:A9
add channel.frequency=2462 configuration=Kmetija configuration.mode=ap \
disabled=no name="WapAC_Silosi_Kmetija 2" radio-mac=08:55:31:3D:6E:22
add channel.frequency=5500 .skip-dfs-channels=disabled configuration=Kmetija \
configuration.mode=ap disabled=no name="WapAC_Silosi_Kmetija 5" \
radio-mac=08:55:31:3D:6E:23
add channel.frequency=2462 configuration=Kmetija configuration.mode=ap \
disabled=no name=wifi1 radio-mac=08:55:31:23:0B:11
add channel.frequency=5660 configuration=Kmetija configuration.mode=ap \
disabled=no name=wifi2 radio-mac=08:55:31:23:0B:12
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
0A:55:31:23:0B:11 master-interface=wifi1 name=wifi3
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
0A:55:31:23:0B:12 master-interface=wifi2 name=wifi4
add configuration=Kmetija configuration.mode=ap disabled=no name=wifi5 \
radio-mac=78:9A:18:8C:2D:83
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
7A:9A:18:8C:2D:83 master-interface=wifi5 name=wifi6
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
4A:A9:8A:E3:3F:A3 master-interface="CapAX_Kmetija 2" name="CapAX_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
4A:A9:8A:E3:3F:A2 master-interface="CapAX_Kmetija 5" name="CapAX_IOT 5"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
4A:8F:5A:C9:71:79 master-interface="HapAC2_Klet_Kmetija 2" name=\
"HapAC2_Klet_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
4A:8F:5A:C9:71:7A master-interface="HapAC2_Klet_Kmetija 5" name=\
"HapAC2_Klet_IOT 5"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
0A:55:31:2B:63:8B master-interface="HapAC2_\8Atala_Kmetija 2" name=\
"HapAC2_\8Atala_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
0A:55:31:2B:63:8C master-interface="HapAC2_\8Atala_Kmetija 5" name=\
"HapAC2_\8Atala_IOT 5"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
4A:8F:5A:AF:4B:A8 master-interface="HapAC3_Sobica_Kmetija 2" name=\
"HapAC3_Sobica_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
4A:8F:5A:AF:4B:A9 master-interface="HapAC3_Sobica_Kmetija 5" name=\
"HapAC3_Sobica_IOT 5"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
0A:55:31:3D:6E:22 master-interface="WapAC_Silosi_Kmetija 2" name=\
"WapAC_Silosi_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
0A:55:31:3D:6E:23 master-interface="WapAC_Silosi_Kmetija 5" name=\
"WapAC_Silosi_IOT 5"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.3.110-192.168.3.200
add name=IOT_pool ranges=172.16.1.100-172.16.1.254
add name=vpn ranges=192.168.23.2-192.168.23.250
add name=dhcp_pool4 ranges=192.168.45.2-192.168.45.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=23h59m59s name=defconf
add address-pool=IOT_pool interface="IOT bridge" lease-time=23h59m59s name=\
IOTdhcp
/ip smb users
add disabled=yes name=d1
add name=user
/ppp profile
add name=Koroska use-compression=no use-encryption=yes use-mpls=no
add name=Sejanci
add name=Tadej
add name=Testni
add name=Janko
add name="VPN Unlimited CZ"
add name="VPN Unlimited Italy"
add name=morskitestprofile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface l2tp-client
add connect-to=*.sn.mynetname.net name=IJS profile=Testni \
use-ipsec=yes user=morski2
add connect-to=*.sn.mynetname.net disabled=no name=Janko profile=\
Janko use-ipsec=yes user=
add connect-to=*.sn.mynetname.net name="Koro\9Aka" profile=Koroska \
use-ipsec=yes user=
add connect-to=*.sn.mynetname.net disabled=no name=SejanciAC3 \
profile=Sejanci use-ipsec=yes user=
add connect-to=* disabled=no name=Tadej profile=Tadej use-ipsec=\
yes user=
# NOTE(review): the two VPN Unlimited clients are plain L2TP (no use-ipsec=yes).
# Whether anything is encrypted then depends on use-encryption in the
# "VPN Unlimited CZ"/"VPN Unlimited Italy" PPP profiles, which is not set in this
# export - confirm with the provider's setup guide.
add connect-to=cz.vpnunlimitedapp.com disabled=no keepalive-timeout=disabled \
name="VPN_Unlimited CZ" profile="VPN Unlimited CZ" user=\
add connect-to=it.vpnunlimitedapp.com name="VPN_Unlimited Italy" profile=\
"VPN Unlimited Italy" user=\
/routing table
add fib name=t2tv
add fib name=sejanci
add fib name=koroska
add fib name=t2test
add fib name=marko
add fib name=janko
add disabled=no fib name=gregor_net
add disabled=no fib name=test
add disabled=no fib name=VPNUnlimited_CZ
add disabled=no fib name=VPNUnlimited_Italy
add disabled=no fib name=nflix
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=no disabled=no instance=\
zt1 name=zerotier1 network=*
# NOTE(review): the legacy CAPsMAN manager is enabled here AND the new
# /interface wifi capsman is enabled further down, each with its own provisioning
# rule (cfg1+cfg_IOT vs Kmetija+IOT). Running both controllers on the same router
# may well be related to the CAP problems described in the post - confirm whether
# the legacy one still has any CAPs and disable it if not.
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 \
slave-configurations=cfg_IOT
# NOTE(review): the containers live on the dockers bridge (172.17.0.0/24) and are
# masqueraded out; nothing in the forward chain separates dockers from bridge or
# "IOT bridge", so a compromised container has the same LAN reach as a wired host.
/container
add interface=veth3 root-dir=disk1/udpxy start-on-boot=yes
add interface=veth2 root-dir=disk1/iperf3 workdir=/
add interface=veth4 root-dir=disk1/openspeedtest start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/ip smb
set enabled=yes interfaces=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
10 path-cost=10
add bridge="Sejanci IPTV" fast-leave=yes ingress-filtering=no interface=\
IPTV3999 internal-path-cost=10 path-cost=10
add bridge=Sejanci_Internet fast-leave=yes ingress-filtering=no interface=\
eoip-tunnel1 internal-path-cost=10 path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
add bridge=dockers interface=veth2 internal-path-cost=10 path-cost=10
add bridge=dockers interface=veth3 internal-path-cost=10 path-cost=10
add bridge=dockers interface=veth4 internal-path-cost=10 path-cost=10
add bridge="Sejanci IPTV" interface=vlan3999_ETH3 internal-path-cost=10 \
path-cost=10
add bridge="IOT bridge" interface=vlan30_SFP internal-path-cost=10 path-cost=\
10
add bridge=bridge interface=Hap_Lite_LTE_EOIP
add bridge="IOT bridge" interface=vlan30_eth7
add bridge="IOT bridge" interface=vlan30_eth4
add bridge="IOT bridge" interface=Vlan30_eth5
add bridge="IOT bridge" interface=vlan30_eth6
add bridge=bridge interface=eoip-tunnel3
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
# NOTE(review): every VPN landing interface (the L2TP server bindings, RemoteWGTiks,
# zerotier1, WG) is a member of LAN, so remote peers get exactly the trust of a wired
# LAN host in every rule that matches in-interface-list=LAN (neighbor discovery,
# mac-server, and the input-chain LAN drop once it is re-enabled).
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="L2TP_server 1" list=LAN
add interface=HapAC3_potovalni_IN list=LAN
add interface=b535_IN list=LAN
add interface=morskitestvpn list=LAN
add interface="IOT bridge" list=LAN
add interface=RemoteWGTiks list=LAN
add interface=zerotier1 list=LAN
add interface=WG list=LAN
# NOTE(review): require-peer-certificate=no means CAPs are not authenticated by
# certificate when they join. interfaces=bridge at least limits the controller to
# the LAN bridge; any device on that bridge can still present itself as a CAP.
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=Kmetija \
name-format="" slave-configurations=IOT
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment=Xcover6 interface=WG is-responder=yes \
name=peer1 preshared-key="*" \
public-key="*"
/ip address
add address=192.168.3.3/24 comment=defconf interface=bridge network=\
192.168.3.0
add address=172.16.1.1/24 interface="IOT bridge" network=172.16.1.0
add address=192.168.13.1/24 interface="Sejanci IPTV" network=192.168.13.0
add address=10.0.0.1/24 interface=WG network=10.0.0.0
add address=172.17.0.1/24 interface=dockers network=172.17.0.0
add address=192.168.32.1/24 interface=RemoteWGTiks network=192.168.32.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-users
add allow-lan=yes comment=" samsung SM-S928B" name=RB5009UG+S+ private-key=\
"*" public-key=\
"*"
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.3.121 client-id=1:0:e4:0:91:3d:e6 mac-address=\
00:E4:00:91:3D:E6 server=defconf
add address=192.168.3.130 client-id=1:c:9d:92:83:e0:1d mac-address=\
0C:9D:92:83:E0:1D server=defconf
add address=192.168.3.8 mac-address=E4:5F:01:5F:71:CC server=defconf
add address=192.168.3.110 client-id=1:fc:d5:d9:9f:6c:f mac-address=\
FC:D5:D9:9F:6C:0F server=defconf
add address=192.168.3.166 client-id=1:d8:8c:79:34:4:1f comment=\
"Chromecast CZ" mac-address=D8:8C:79:34:04:1F server=defconf
add address=192.168.3.117 client-id=1:84:d6:c5:28:5d:22 comment=Solaredge \
mac-address=84:D6:C5:28:5D:22 server=defconf
add address=192.168.3.148 client-id=1:6c:3b:6b:27:e8:c mac-address=\
6C:3B:6B:27:E8:0C server=defconf
add address=192.168.3.4 mac-address=B8:27:EB:AE:35:60 server=defconf
add address=192.168.3.5 mac-address=B8:27:EB:8A:50:4D server=defconf
add address=192.168.3.152 client-id=1:84:d6:c5:18:5d:22 comment=\
"Solaredge LAN_modbus" mac-address=84:D6:C5:18:5D:22 server=defconf
add address=172.16.1.102 mac-address=34:00:8A:E4:BE:95 server=IOTdhcp
add address=192.168.3.160 client-id=1:0:24:32:91:7:67 mac-address=\
00:24:32:91:07:67 server=defconf
add address=192.168.3.131 client-id=1:b0:e4:d5:c4:a6:4c mac-address=\
B0:E4:D5:C4:A6:4C server=defconf
add address=192.168.3.141 client-id=1:78:9a:18:8c:2d:82 mac-address=\
78:9A:18:8C:2D:82 server=defconf
add address=192.168.3.127 mac-address=34:EA:34:42:FF:36 server=defconf
add address=192.168.3.129 client-id=1:20:f8:3b:0:9b:eb mac-address=\
20:F8:3B:00:9B:EB server=defconf
add address=192.168.3.142 client-id=1:30:83:98:16:48:3f mac-address=\
30:83:98:16:48:3F server=defconf
add address=192.168.3.150 client-id=1:30:83:98:16:40:b0 mac-address=\
30:83:98:16:40:B0 server=defconf
# NOTE(review): MAC 34:00:8A:E4:BE:95 also has a static lease on IOTdhcp
# (172.16.1.102 above). Harmless if the weather station was moved between
# networks, but one of the two entries is stale.
add address=192.168.3.128 comment="Vremenska postaja" mac-address=\
34:00:8A:E4:BE:95 server=defconf
/ip dhcp-server network
add address=172.16.1.0/24 comment=IOT dns-server=172.16.1.1 gateway=\
172.16.1.1
add address=192.168.3.0/24 comment=DHCP dns-server=192.168.3.3 gateway=\
192.168.3.3
# NOTE(review): allow-remote-requests=yes turns the router into a resolver for
# anything that can reach port 53 on it. The two "drop dst-port=53 in-interface=ether1"
# filter rules and the "drop all not coming from LAN" rule are all disabled, so this
# is an open resolver towards the internet (amplification/abuse risk). Re-enable one
# of those drops; the upstream DoH to NextDNS itself is fine.
/ip dns
set allow-remote-requests=yes doh-max-concurrent-queries=100 use-doh-server=\
https://dns.nextdns.io/x verify-doh-cert=yes
/ip dns static
# NOTE(review): 192.168.88.1 is not an address on this router any more (the bridge
# is 192.168.3.3); this is a leftover defconf entry and can be removed.
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.3.3 comment=defconf name=router.lan
add address=159.148.172.226 disabled=yes name=upgrade.mikrotik.com
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
/ip firewall address-list
add address=tv-front.t-2.com list=T2_TV
add address=192.168.3.0/24 list=lan
add address=*.sn.mynetname.net list=WAN_IP
add address=192.168.45.0/24 list=CZ_VPN
# NOTE(review): the input chain below has NO final drop - "defconf: drop all not
# coming from LAN" is disabled=yes. Everything the router listens on that is not
# explicitly dropped above that rule is therefore reachable from ether1. The
# individual consequences are noted at the rules concerned.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=WIREGUARD in-interface=WG protocol=udp
add action=accept chain=input comment=WIREGUARD_WG_TIKS disabled=yes \
dst-port=51818 protocol=udp
add action=accept chain=input comment="WIREGUARD AX_LTE6" in-interface=\
RemoteWGTiks protocol=udp
# NOTE(review): no WireGuard interface in this export listens on 13231 (listen-ports
# are 51818, 51821 and 65505); this accept is probably stale - verify before keeping.
add action=accept chain=input comment="WIREGUARD HAP AC3_AX_lite_LTE6" \
dst-port=13231 protocol=udp
# NOTE(review): Winbox (8291/tcp) accepted from any interface, and /ip service winbox
# has address=0.0.0.0/0 - management is exposed to the internet. Add
# in-interface-list=LAN (or a src-address-list) here and an address= in /ip service.
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-mark=!ppp connection-state=established,related hw-offload=yes
add action=accept chain=input comment="BTEST Janko" disabled=yes protocol=tcp
add action=accept chain=input comment="BTEST Janko" disabled=yes protocol=udp
# NOTE(review): disabled - these are the rules that would close DNS on the WAN side;
# see /ip dns allow-remote-requests=yes above.
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether1 \
protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether1 \
protocol=udp
# NOTE(review): in-interface=*A9 is a dangling reference to an interface that no
# longer exists; the rule is disabled and can be deleted.
add action=accept chain=input comment=WIREGUARD disabled=yes in-interface=*A9 \
protocol=udp
add action=accept chain=input comment=IGMP protocol=igmp
add action=accept chain=forward disabled=yes protocol=udp
add action=accept chain=input disabled=yes protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="WIREGUARD HAP AC3" disabled=yes \
dst-port=51821 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=L2TP dst-port=4500,500,1701 protocol=\
udp
# NOTE(review): matches on src-address only, with no in-interface, so a packet from
# WAN with a spoofed source of 192.168.3.3 matches too. Add in-interface=bridge.
add action=accept chain=input comment=CAPSMAN src-address=192.168.3.3
# NOTE(review): duplicate of the established/related/untracked rule at the top of
# the chain; harmless, can be removed.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="CAPSMAN PORTS" port=5246,5247 \
protocol=udp
# NOTE(review): duplicate of the loopback accept above; can be removed.
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): GRE accepted from any source. It is needed for the EoIP tunnels,
# but EoIP has no authentication, so limit this to the configured peers
# (192.168.32.2, 192.168.32.3, 192.168.69.1) with src-address-list.
add action=accept chain=input comment="Accept GRE" protocol=gre
add action=accept chain=forward comment="Zerotier Forward" in-interface=\
zerotier1
add action=accept chain=input comment="Zerotier Input" in-interface=zerotier1
# NOTE(review): placed after the accept rules, so only probes to ports not already
# accepted above are counted as scans. Fine as a tripwire; not a substitute for the
# LAN-only drop below.
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=2h46m40s chain=input comment="Port Scanners to list" \
in-interface-list=WAN log=yes log-prefix=scanner protocol=tcp psd=\
21,3s,3,1
add action=drop chain=input comment="Drop Port Scanners" in-interface-list=\
WAN src-address-list="Port Scanners"
add action=drop chain=forward comment="Disable LAN to LAN traffic" disabled=\
yes dst-address=192.168.0.0/16 src-address=192.168.0.0/16
# NOTE(review): THIS is the default-deny for the input chain and it is disabled.
# Re-enabling it is the single most effective change in this export. Before doing so,
# add/enable accepts for what must stay reachable from WAN: the WireGuard listen
# ports 51818 and 51821 (their rules above are disabled) and, unless /ip cloud adds
# dynamic rules for it (confirm), back-to-home on 65505. L2TP/IKE and ICMP are
# already accepted above this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Tadej L2TP drop" in-interface=Tadej
# NOTE(review): duplicates of the two "drop invalid" rules just above; can be removed.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="Drop traffic between IOT and Bridge" \
in-interface="IOT bridge" out-interface=bridge
add action=drop chain=input comment=\
"Drop traffic between IOT and Bridge_routerIP" disabled=yes src-address=\
172.16.1.0/24
add action=drop chain=forward comment="Drop traffic between Bridge and IOT" \
in-interface=bridge out-interface="IOT bridge"
# NOTE(review): this SSH brute-force ladder is never enforced. The final rule only
# accepts sources NOT on bruteforce_blacklist; a blacklisted source simply falls
# through to the end of the chain, which (with the LAN-only drop disabled) accepts.
# Add an explicit drop for src-address-list=bruteforce_blacklist above the ladder,
# or re-enable the default drop. Today only /ip service ssh address=192.168.3.0/24
# keeps SSH off the internet.
add action=add-src-to-address-list address-list=bruteforce_blacklist \
address-list-timeout=1d chain=input comment=Blacklist connection-state=\
new dst-port=22 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 \
address-list-timeout=1h chain=input comment="Third attempt" \
connection-state=new dst-port=22 protocol=tcp src-address-list=\
connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
address-list-timeout=15m chain=input comment="Second attempt" \
connection-state=new dst-port=22 protocol=tcp src-address-list=\
connection1
add action=add-src-to-address-list address-list=connection1 \
address-list-timeout=5m chain=input comment="First attempt" \
connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
!bruteforce_blacklist
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu \
passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment=\
"Mark PPP connections to exclude them from fasttrack" \
new-connection-mark=ppp out-interface=all-ppp passthrough=no
add action=mark-routing chain=prerouting disabled=yes dst-address=\
!192.168.3.0/24 new-routing-mark=sejanci passthrough=yes src-address=\
192.168.3.130
add action=mark-routing chain=prerouting disabled=yes dst-address=\
!192.168.3.0/24 new-routing-mark=koroska passthrough=yes src-address=\
192.168.3.130
add action=mark-routing chain=prerouting comment="Chromecast Timotej" \
disabled=yes dst-address=!192.168.3.0/24 new-routing-mark=VPNUnlimited_CZ \
passthrough=yes src-address=192.168.3.166
add action=mark-routing chain=prerouting disabled=yes dst-address=\
!192.168.45.0/24 new-routing-mark=sejanci passthrough=yes src-address=\
192.168.45.4
add action=mark-routing chain=prerouting disabled=yes dst-address=\
!192.168.3.0/24 new-routing-mark=VPNUnlimited_CZ passthrough=yes \
src-address=192.168.3.130
add action=mark-routing chain=prerouting disabled=yes dst-address=\
!192.168.3.0/24 new-routing-mark=test src-address=192.168.3.183
add action=mark-routing chain=prerouting disabled=yes dst-address=\
!192.168.3.0/24 new-routing-mark=VPNUnlimited_Italy src-address=\
192.168.3.140
add action=mark-routing chain=prerouting disabled=yes dst-address=89.212.88.4 \
new-routing-mark=t2test passthrough=yes src-address=192.168.3.116
add action=mark-routing chain=prerouting disabled=yes dst-address=\
!192.168.3.0/24 new-routing-mark=janko passthrough=yes src-address=\
192.168.3.130
add action=mark-routing chain=prerouting comment="Chromecast Spalnica LAN" \
dst-address-list=T2_TV new-routing-mark=t2tv passthrough=yes \
src-mac-address=00:24:32:91:07:67
add action=mark-routing chain=prerouting comment="Chromecast Spalnica WiFi" \
dst-address-list=T2_TV new-routing-mark=t2tv passthrough=yes \
src-mac-address=B0:E4:D5:C4:A6:4C
add action=mark-routing chain=prerouting disabled=yes dst-address=\
!192.168.3.0/24 new-routing-mark=gregor_net passthrough=yes src-address=\
192.168.3.130
add action=add-dst-to-address-list address-list="Netflix adress list" \
address-list-timeout=23h59m59s chain=prerouting comment=Netflix content=\
netflix
add action=mark-routing chain=prerouting comment="Netflix routing test" \
dst-address-list="Netflix adress list" new-routing-mark=nflix \
passthrough=yes
add action=change-mss chain=forward comment="Clamp MTU to PMTU" disabled=yes \
new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"Masuarade Wireguard between Mikrotiks" disabled=yes src-address=\
192.168.32.0/24
add action=accept chain=srcnat comment=WG_Test disabled=yes dst-address=\
192.168.3.3 dst-port=13231 protocol=udp
# NOTE(review): no in-interface, so DNS from every interface (LAN, IOT, VPNs) is
# forced to the router's resolver. Intended as DNS enforcement; note it also means
# the open-resolver issue in /ip dns affects every attached network.
add action=redirect chain=dstnat comment="DNS Redirect" dst-port=53 protocol=\
tcp
add action=redirect chain=dstnat comment="DNS Redirect" dst-port=53 protocol=\
udp
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.23.0/24
add action=masquerade chain=srcnat comment=PPP_Out_Masquarade out-interface=\
all-ppp
add action=masquerade chain=srcnat comment="Masquarade for DOCKER" \
src-address=172.17.0.0/24
add action=dst-nat chain=dstnat comment=\
"Hairpin NAT WWW dostop od zunaj na RPI4" disabled=yes dst-address-list=\
WAN_IP dst-port=12000 protocol=tcp to-addresses=192.168.3.8 to-ports=8000
add action=masquerade chain=srcnat comment="Hairpin NAT dostop kot od zunaj" \
dst-address=192.168.3.0/24 src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="masq. Wireguard vpn traffic" \
src-address=10.0.0.0/24
# NOTE(review): the next line is not a complete command - most likely what is left
# of a dst-nat rule after redacting the post. It will not import as-is; either
# restore the rule or delete the line.
to-ports=17000
add action=dst-nat chain=dstnat comment=Test_double_redirection disabled=yes \
dst-port=18000 in-interface=ether1 protocol=tcp to-addresses=\
192.168.11.20 to-ports=80
# NOTE(review): these three rules forward UDP 6030, 7 and 9 from the WAN interface to
# a LAN host and to the directed broadcast 192.168.3.255, so anyone on the internet
# can wake hosts and inject UDP broadcasts into the LAN. If remote WOL is needed,
# send it through one of the VPNs that already exist (WG / L2TP / back-to-home) and
# drop these forwards.
add action=dst-nat chain=dstnat comment=WOL_Mansarda dst-port=6030 \
in-interface=ether1 protocol=udp to-addresses=192.168.3.130 to-ports=9
add action=dst-nat chain=dstnat comment=WOL_7 dst-port=7 in-interface=ether1 \
protocol=udp to-addresses=192.168.3.255 to-ports=7
add action=dst-nat chain=dstnat comment=WOL_9 dst-port=9 in-interface=ether1 \
protocol=udp to-addresses=192.168.3.255 to-ports=7
/ip firewall service-port
set rtsp disabled=no
/ip kid-control
add name=kid1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=Tadej routing-table=t2tv
add disabled=yes distance=1 dst-address=10.6.0.0/24 gateway=192.168.3.6 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=SejanciAC3 pref-src=\
0.0.0.0 routing-table=sejanci scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=Janko \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Janko pref-src=\
0.0.0.0 routing-table=janko scope=30 suppress-hw-offload=no target-scope=\
10
add disabled=yes distance=1 dst-address=192.168.4.0/24 gateway=\
HapAC3_potovalni_IN pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.11.0/24 gateway=SejanciAC3 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.71.0/24 gateway=Gregor \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=Gregor \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Gregor pref-src="" \
routing-table=gregor_net scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=IJS pref-src=0.0.0.0 \
routing-table=test scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=IJS pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.8.0/24 gateway=morskitestvpn \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="VPN_Unlimited CZ" \
pref-src="" routing-table=VPNUnlimited_CZ scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
"VPN_Unlimited Italy" pref-src=0.0.0.0 routing-table=VPNUnlimited_Italy \
scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.80.0/24 gateway=morskitestvpn \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=192.168.62.0/24 gateway=Janko routing-table=main \
suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=morskitestvpn \
pref-src=0.0.0.0 routing-table=test scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=SejanciAC3 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=172.20.0.0/24 gateway=SejanciAC3 routing-table=\
main suppress-hw-offload=no
add disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=b535_IN \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.40.0/24 gateway=RemoteWGTiks \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.100.0/24 gateway=RemoteWGTiks \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp address=192.168.3.0/24 disabled=yes
set www disabled=yes port=8000
set ssh address=192.168.3.0/24
set api disabled=yes
# NOTE(review): winbox is reachable from any address while ssh/ftp are scoped to
# 192.168.3.0/24; apply the same address= restriction here (add the VPN subnets if
# remote management over VPN is needed). telnet/www/api/api-ssl being off is good.
set winbox address=0.0.0.0/0
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
add directory=usb1 name="256 GB"
# NOTE(review): UPnP lets any host on bridge open inbound ports on ether1 without a
# firewall rule. Disable it unless a specific device is known to need it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# NOTE(review): the IPv6 input chain still has its default-deny enabled - this is
# the rule the IPv4 input chain is missing.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=*
add name=* profile=default-encryption
add name=* profile=default-encryption
add name=* profile=default-encryption
add name=* profile=default-encryption
add local-address=192.168.89.1 name=b535 profile=default-encryption \
remote-address=192.168.23.247
add name=morskitest profile=morskitestprofile
add local-address=192.168.89.1 name=vinograd remote-address=192.168.23.249
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface="Sejanci IPTV" upstream=yes
add interface=dockers
/system clock
set time-zone-name=Europe/Ljubljana
/system logging
set 0 topics=info,!wireguard
add topics=caps
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.2.1.117
add address=193.2.4.2
# NOTE(review): the bandwidth-test server accepts unauthenticated tests. Unless it
# has been disabled (enabled is not shown because the default is yes - confirm), and
# with no WAN input drop, anyone can run btest against this router and saturate the
# uplink. Set authenticate=yes or disable it.
/tool bandwidth-server
set authenticate=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no host=10.255.255.0 interval=25m timeout=1s type=simple