Chateau LTE18

RouterOS Beginner Basics
1

Hi,

Have a question or two regarding VLAN’s, using the Chateau LTE18, extra eyeballs for feedback would be appreciated

So, to give an idea, this is the overview of the network, due to WFH, strict requirements around work laptop access and security hence usage of VLAN’s to tighten down the network

  • VLAN 10 is the home network - 192.168.10.0/24


  • VLAN 30 is the internet of things network - 192.168.30.0/24


  • VLAN 50 is the work - 192.168.50.0/24

With the Ether5 plugged in, the bridge that has default configuration, the CIDR is 192.168.88.0/24

Without Ether5 plugged in, the CIDR is 192.168.1.0/24

  • Pihole is on 192.168.1.2 and directly attached to ether2 port of the Chateau


  • Other devices are attached to the switch, this is directly attached to ether1 port of the Chateau


  • Firewall is as is, part of default configuration

I have read the infamous pcunite’s VLAN tutorial on this forum, and adapted to the approach here and failed to use a singular bridge that is part of default configuration
network_view.png
It works in isolation - different networks in their own VLAN’s, with a pihole blocking network wide - that works, DHCP works, leasing addresses and general internet access across different VLAN’s

However, because the bridges are setup individually to tie in with the address block as part of the /ip address configuration in the attached.

My questions:

  • Why is it that have had to set up a separate bridge for each Address CIDR, in conjunction with the dhcp server’s interface as part of the /ip dhcp-server


  • With what is configured - is this the right approach to take in using multiple bridges in this manner for different VLAN’s with security in mind?

What I could not understand is why the default bridge could not be used instead, the clients on the vlan’s kept associating and disassociating with the virtual access point on the wireless, and dhcp failures which resulted in refusal to connect to the access point.

This has left a feeling of wee bit confused with VLAN’s and not quite sure, maybe its a different device that is referenced in the VLAN tutorial.

Navigating on the winbox GUI, it was, confusing with determining which interface to tag and untag.

That the right terminology that have seen floating around the forum /interface bridge port is known as ingress, and /interface bridge vlan as egress?

Could be wrong in my assumption that the terminology used on the winbox GUI is not consistent, for example pvid versus vlan-ids which make matters worse in understanding and adapt the tutorial referenced

Here’s the attached sanitized configuration
my_defconf.rsc (20.1 KB)
Thanks for reading and for any valuable feedback.

2

Updated the script - notably, the firewall rules

Packets from VLAN WORK destined to other VLANs are dropped to the floor on the forward chain.
Have done the same for VLAN IOT and VLAN HOME, packets destined to other VLANs are dropped also.

My question still stands as to why I had to create brand new bridges when one could use a singular bridge.

Funnily enough, the default firewall seems to break speedtest.net :smiley:
Logging the packets dropped, all udp packets of 1500 bytes coming from speedtest.net shows a fantastic download speed with a zero upload speed

Thanks for any input that you may have
my_defconf.rsc (20.1 KB)

3

Can you confirm the RouterOS version, are you on the latest stable or testing?

4

Hi @hecatae

Router OS is on latest stable, v7.8

Thanks,

# mar/20/2023 15:18:12 by RouterOS 7.8
#
# model = D53G-5HacD2HnD
/interface bridge add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf frame-types=admit-only-untagged-and-priority-tagged name=bridge vlan-filtering=yes
/interface bridge add comment="Bridge - VLAN - HOME" frame-types=admit-only-untagged-and-priority-tagged name=bridge-home pvid=10 vlan-filtering=yes
/interface bridge add comment="Bridge - VLAN - IOT" frame-types=admit-only-untagged-and-priority-tagged name=bridge-iot pvid=30 vlan-filtering=yes
/interface bridge add comment="Bridge - VLAN - WORK" frame-types=admit-only-untagged-and-priority-tagged name=bridge-work pvid=50 vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] comment="Zyxel GS1200 8 Port Managed Switch"
/interface ethernet set [ find default-name=ether2 ] comment="Pihole on Raspberry Pi 4B"
/interface ethernet set [ find default-name=ether5 ] comment="MGMT - Ethernet 5 for direct access"
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-52CF17 wireless-protocol=802.11
/interface vlan add comment="VLAN Home" interface=bridge name=if-vlan-home vlan-id=10
/interface vlan add comment="VLAN IOT" interface=bridge name=if-vlan-iot vlan-id=30
/interface vlan add comment="VLAN Work" interface=bridge name=if-vlan-work vlan-id=50
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add comment="Ether5 Direct Access" name=MGMT
/interface lte apn add apn=3internet comment="LTE APN - Hutchinsons 3 Ireland" name="Hutchinsons 3" use-peer-dns=no
/interface lte set [ find default-name=lte1 ] allow-roaming=no apn-profiles="Hutchinsons 3" band="" network-mode=lte
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk comment="Security Profile - VLAN Home" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=security-profile-vlan-home supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless security-profiles add authentication-types=wpa2-psk comment="Security Profile - VLAN Work" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=security-profile-vlan-work supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless security-profiles add authentication-types=wpa2-psk comment="Security Profile - VLAN IOT" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=security-profile-vlan-iot supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless nstreme set wlan2 comment=defconf
/interface wireless manual-tx-power-table set wlan2 comment=defconf
/interface wireless add comment="Wireless Virtual AP - VLAN Home" disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX master-interface=wlan2 multicast-buffering=disabled name=wlan-vlan-home security-profile=security-profile-vlan-home ssid=MyVwH vlan-id=10 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless add comment="Wireless Virtual AP - VLAN IOT" disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX master-interface=wlan2 multicast-buffering=disabled name=wlan-vlan-iot security-profile=security-profile-vlan-iot ssid=MyVwI vlan-id=30 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless add comment="Wireless Virtual AP - VLAN Work" disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX master-interface=wlan2 multicast-buffering=disabled name=wlan-vlan-work security-profile=security-profile-vlan-work ssid=MyVwW vlan-id=50 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless nstreme set *11 comment="Wireless Virtual AP - VLAN Home"
/interface wireless nstreme set *12 comment="Wireless Virtual AP - VLAN IOT"
/interface wireless nstreme set *10 comment="Wireless Virtual AP - VLAN Work"
/interface wireless manual-tx-power-table set wlan-vlan-home comment="Wireless Virtual AP - VLAN Home"
/interface wireless manual-tx-power-table set wlan-vlan-iot comment="Wireless Virtual AP - VLAN IOT"
/interface wireless manual-tx-power-table set wlan-vlan-work comment="Wireless Virtual AP - VLAN Work"
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add comment="DHCP Pool for VLAN Home" name=ip-pool-vlan-home ranges=192.168.10.2-192.168.10.254
/ip pool add comment="DHCP Pool for VLAN IOT" name=ip-pool-vlan-iot ranges=192.168.30.2-192.168.30.254
/ip pool add comment="DHCP Pool for VLAN Work" name=ip-pool-vlan-work ranges=192.168.50.2-192.168.50.10
/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server add address-pool=ip-pool-vlan-home comment="DHCP Server VLAN Home" interface=bridge-home name=dhcp-server-vlan-home
/ip dhcp-server add address-pool=ip-pool-vlan-iot comment="DHCP Server VLAN IOT" interface=bridge-iot name=dhcp-server-vlan-iot
/ip dhcp-server add address-pool=ip-pool-vlan-work comment="DHCP Server VLAN Work" interface=bridge-work name=dhcp-server-vlan-work
/interface bridge port add bridge=bridge comment=defconf interface=ether1
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4
/interface bridge port add bridge=bridge comment="Bridge Port VLAN Admin - Allow all on Ether5" interface=ether5
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan1
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wlan2
/interface bridge port add bridge=bridge-home comment="Bridge Port VLAN HOME" frame-types=admit-only-untagged-and-priority-tagged interface=if-vlan-home pvid=10
/interface bridge port add bridge=bridge-home frame-types=admit-only-untagged-and-priority-tagged interface=wlan-vlan-home pvid=10
/interface bridge port add bridge=bridge-iot comment="Bridge Port VLAN IOT" frame-types=admit-only-untagged-and-priority-tagged interface=if-vlan-iot pvid=30
/interface bridge port add bridge=bridge-iot frame-types=admit-only-untagged-and-priority-tagged interface=wlan-vlan-iot pvid=30
/interface bridge port add bridge=bridge-work comment="Bridge Port VLAN WORK" frame-types=admit-only-untagged-and-priority-tagged interface=if-vlan-work pvid=50
/interface bridge port add bridge=bridge-work frame-types=admit-only-untagged-and-priority-tagged interface=wlan-vlan-work pvid=50
/ip neighbor discovery-settings set discover-interface-list=MGMT
/ip settings set tcp-syncookies=yes
/ipv6 settings set disable-ipv6=yes forward=no
/interface bridge vlan add bridge=bridge-home comment="Bridge VLAN HOME" tagged=if-vlan-home untagged=bridge-home,wlan-vlan-home vlan-ids=10
/interface bridge vlan add bridge=bridge-iot comment="Bridge VLAN IOT" tagged=if-vlan-iot untagged=wlan-vlan-iot,bridge-iot vlan-ids=30
/interface bridge vlan add bridge=bridge-work comment="Bridge VLAN WORK" tagged=if-vlan-work untagged=bridge-work,wlan-vlan-work vlan-ids=50
/interface list member add comment=defconf interface=lte1 list=WAN
/interface list member add comment="List Member - MGMT - Ethernet 5 for direct access" interface=ether5 list=MGMT
/interface list member add comment="List Member - Bridge - VLAN WORK" interface=bridge-work list=LAN
/interface list member add comment="List Member - VLAN Home " interface=if-vlan-home list=LAN
/interface list member add comment="List Member - VLAN IOT" interface=if-vlan-iot list=LAN
/interface list member add comment="List Member - VLAN Work" interface=if-vlan-work list=LAN
/interface list member add comment="List Member - Wireless VLAN Home" interface=wlan-vlan-home list=LAN
/interface list member add comment="List Member - Wireless VLAN IOT" interface=wlan-vlan-iot list=LAN
/interface list member add comment="List Member - Wireless VLAN Work" interface=wlan-vlan-work list=LAN
/interface list member add comment="Zyxel GS1200 8 Port Managed Switch" interface=ether1 list=LAN
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment="Pihole on Raspberry Pi 4B" interface=ether2 list=LAN
/interface list member add comment="List Member - Bridge - VLAN HOME" interface=bridge-home list=LAN
/interface list member add comment="List Member - Bridge - VLAN IOT" interface=bridge-iot list=LAN
/interface wireless access-list add interface=wlan-vlan-home mac-address=XX:XX:XX:XX:XX:XX vlan-mode=no-tag
/interface wireless access-list add interface=wlan-vlan-home mac-address=XX:XX:XX:XX:XX:XX vlan-mode=no-tag
/interface wireless access-list add interface=wlan-vlan-iot mac-address=XX:XX:XX:XX:XX:XX vlan-mode=no-tag
/interface wireless access-list add interface=wlan-vlan-home mac-address=XX:XX:XX:XX:XX:XX vlan-mode=no-tag
/interface wireless access-list add interface=wlan-vlan-iot mac-address=XX:XX:XX:XX:XX:XX vlan-mode=no-tag
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip address add address=192.168.10.1/24 comment="CIDR Block for VLAN Home " interface=bridge-home network=192.168.10.0
/ip address add address=192.168.30.1/24 comment="CIDR Block for VLAN IOT" interface=bridge-iot network=192.168.30.0
/ip address add address=192.168.50.1/24 comment="CIDR Block for VLAN Work" interface=bridge-work network=192.168.50.0
/ip address add address=192.168.1.1/24 comment="CIDR block for local bridge" interface=bridge network=192.168.1.0
/ip cloud set update-time=no
/ip dhcp-server network add address=192.168.10.0/24 comment="DHCP Network - VLAN Home" gateway=192.168.10.1
/ip dhcp-server network add address=192.168.30.0/24 comment="DHCP Network - VLAN IOT" gateway=192.168.30.1
/ip dhcp-server network add address=192.168.50.0/24 comment="DHCP Network - VLAN Work" gateway=192.168.50.1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set servers=192.168.1.2
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip dns static add address=192.168.1.2 comment="Default route for DNS" name=pihole.lan
/ip dns static add address=192.168.1.1 comment="Router custom setup on pihole.lan domain" name=router.pihole.lan
/ip firewall address-list add address=192.168.1.2 comment="Pihole Server" list=pihole
/ip firewall address-list add address=192.168.10.3 comment="On VLAN HOME" list=allowed_to_router
/ip firewall address-list add address=192.168.1.253 comment="Via MGMT Ether5" list=allowed_to_router
/ip firewall address-list add address=192.168.10.0/24 comment="Blocked CIDR List - VLAN WORK" list=vlan_work_blocked
/ip firewall address-list add address=192.168.30.0/24 comment="Blocked CIDR List - VLAN WORK" list=vlan_work_blocked
/ip firewall address-list add address=192.168.30.0/24 comment="Blocked CIDR List - VLAN HOME" list=vlan_home_blocked
/ip firewall address-list add address=192.168.10.0/24 comment="CIDR Block for VLAN HOME" list=cidr_vlan_home
/ip firewall address-list add address=192.168.50.0/24 comment="CIDR Block for VLAN WORK" list=cidr_vlan_work
/ip firewall address-list add address=192.168.50.0/24 comment="Blocked CIDR List - VLAN HOME" list=vlan_home_blocked
/ip firewall address-list add address=192.168.30.0/24 comment="CIDR Block for VLAN IOT" list=cidr_vlan_iot
/ip firewall address-list add address=192.168.10.0/24 comment="Blocked CIDR List - VLAN IOT" list=vlan_iot_blocked
/ip firewall address-list add address=192.168.50.0/24 comment="Blocked CIDR List - VLAN IOT" list=vlan_iot_blocked
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log-prefix=FILTER-Input-accept
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=FILTER-INPUT-DROP-INVALID
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP - DISABLED" disabled=yes protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN) - DISABLED" disabled=yes dst-address=127.0.0.1
/ip firewall filter add action=accept chain=input comment="Winbox / SSH access" dst-port=2200,8291 log=yes log-prefix=FILTER-INPUT-ACCEPT-ssh protocol=tcp src-address-list=allowed_to_router
/ip firewall filter add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=LAN log-prefix=FILTER-Input-VLAN-DHCP protocol=udp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix="FILTER-INPUT-DROP ALL !LAN"
/ip firewall filter add action=drop chain=input comment="Drop all other traffic" log-prefix=FILTER-DROP
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="Drop traffic from VLAN Work" dst-address-list=vlan_work_blocked in-interface-list=LAN log=yes log-prefix="FILTER-FORWARD-DROP work>others" src-address-list=cidr_vlan_work
/ip firewall filter add action=drop chain=forward comment="Drop traffic from VLAN HOME" dst-address-list=vlan_home_blocked in-interface-list=LAN log=yes log-prefix="FILTER-FORWARD-DROP home>others" src-address-list=cidr_vlan_home
/ip firewall filter add action=drop chain=forward comment="Drop traffic from VLAN IOT" dst-address-list=vlan_iot_blocked in-interface-list=LAN log=yes log-prefix="FILTER-FORWARD-DROP iot>others" src-address-list=cidr_vlan_iot
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="FILTER-FORWARD-DROP invalid"
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=FILTER-FORWARD-DROP all
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment="Redirect DNS (udp) to Pihole" dst-address=!192.168.1.2 dst-port=53 in-interface-list=LAN log-prefix=NAT_dstnat_pihole_udp protocol=udp src-address=!192.168.1.2 to-addresses=192.168.1.2
/ip firewall nat add action=dst-nat chain=dstnat comment="Redirect DNS (tcp) to Pihole" dst-address=!192.168.1.2 dst-port=53 in-interface-list=LAN log-prefix=NAT_dstnat_pihole_tcp protocol=tcp src-address=!192.168.1.2 to-addresses=192.168.1.2
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh address=192.168.10.3/32,192.168.1.253/32,192.168.88.253/32 port=2200
/ip service set api disabled=yes
/ip service set winbox address=192.168.10.3/32,192.168.1.253/32
/ip service set api-ssl disabled=yes
/ip ssh set strong-crypto=yes
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock set time-zone-name=Europe/Dublin
/system ntp client set enabled=yes
/system ntp client servers add address=2.ie.pool.ntp.org
/system ntp client servers add address=3.europe.pool.ntp.org
/system ntp client servers add address=1.europe.pool.ntp.org
/system routerboard mode-button set enabled=yes on-event=dark-mode
/system script add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no
5

@t0mm13b please delete your Software ID from all of your posts, it’s your RouterOS license:
https://wiki.mikrotik.com/wiki/Manual:License

6

Thanks for the heads up!