"client was disconnected because could not assign vlan" | wifi-qcom-ac + CAPSMAN + VLANs

Having been wisely informed that there is no alternative to VLANs for implementing guest WiFi with WiFi CAPsMAN: http://forum.mikrotik.com/t/guest-wifi-without-vlans-after-migrating-to-wifi-qcom/181232/1 I made my first attempt at configuring a system consisting of an RB5009 router and three cAPs using VLANs. I encountered the issue: “client was disconnected because could not assign VLAN”.

I am likely making some fundamental mistake; however, a quick review of the forum suggested that VLANs on wifi-qcom-ac might conflict with the “FT enabled” and “FT Over DS” options. If this is true, the primary advantage of migrating to the new wireless subsystem would disappear.

Please take a look at the attached provisional configurations for the router and one of the APs and advise where I might be going wrong. Thank you.


ROUTER:

# 2025-01-17 17:31:34 by RouterOS 7.17
# software id = CH1L-4YX8
#
# model = RB5009UG+S+
/interface bridge add admin-mac=D4:01:C3:2A:00:AF arp=proxy-arp auto-mac=no comment="home / trusted" name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] comment=tech-media-wan 
/interface ethernet set [ find default-name=ether2 ] comment=olfisz name=ether2-master
/interface ethernet set [ find default-name=ether3 ] comment=ap-salon
/interface ethernet set [ find default-name=ether4 ] comment=ap-sypialnia
/interface ethernet set [ find default-name=ether5 ] comment=ap-gabinet
/interface ethernet set [ find default-name=ether6 ] comment=hp-printer name=ether6-master
/interface ethernet set [ find default-name=ether7 ] comment=ipcam-strych
/interface ethernet set [ find default-name=ether8 ] comment=alarm-satel-ethm
/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment="SFP for fiber\?" disabled=yes
/interface wireguard add listen-port=33231 mtu=1420 name=wire-guard-vpn
/interface vlan add interface=bridge name=vlan_10_mgmt vlan-id=10
/interface vlan add interface=bridge name=vlan_20_home vlan-id=20
/interface vlan add interface=bridge name=vlan_30_guest vlan-id=30
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add exclude=dynamic name=discover
/interface list add name=mactel
/interface list add name=mac-winbox
/interface list add name=guest
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel add band=2ghz-n comment=gabinet disabled=no frequency=2472 name=2.4g_ch13 width=20mhz
/interface wifi channel add band=5ghz-ac comment=gabinet_5g disabled=no frequency=5260 name=5.0g_ch52 width=20/40/80mhz
/interface wifi channel add band=2ghz-n comment=salon disabled=no frequency=2422 name=2.4g_ch03 width=20mhz
/interface wifi channel add band=2ghz-n comment=sypialnia disabled=no frequency=2447 name=2.4g_ch08 width=20mhz
/interface wifi channel add band=5ghz-ac comment=salon_5g disabled=no frequency=5180 name=5.0g_ch36 width=20/40/80mhz
/interface wifi channel add band=5ghz-ac comment=sypialnia_5g disabled=no frequency=5500 name=5.0g_ch100 width=20/40/80mhz
/interface wifi datapath add bridge=bridge disabled=no name=main vlan-id=20
/interface wifi datapath add bridge=bridge client-isolation=yes disabled=no name=guest vlan-id=30
/interface wifi security add authentication-types=wpa2-psk disabled=no encryption="" ft=yes ft-over-ds=yes ft-preserve-vlanid=no name=main_security wps=disable
/interface wifi security add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes ft-preserve-vlanid=no name=guest_security wps=disable
/interface wifi steering add disabled=no name=steering_main neighbor-group=dynamic-klemens_wafelek-13de67f5 rrm=yes wnm=yes
/interface wifi steering add disabled=no name=steering_guest neighbor-group=dynamic-200_e_goscie-d711cc46 rrm=yes wnm=yes
/interface wifi configuration add channel.band=2ghz-n datapath=main disabled=no manager=local mode=ap name=main_2g security=main_security ssid=klemens_wafelek steering=steering_main tx-power=20
/interface wifi configuration add channel.band=5ghz-ac .skip-dfs-channels=10min-cac datapath=main disabled=no manager=local mode=ap name=main_5g security=main_security ssid=klemens_wafelek steering=steering_main tx-power=24
/interface wifi configuration add channel.band=2ghz-n datapath=guest disabled=no manager=local mode=ap name=guest_2g security=guest_security ssid=200_e_goscie steering=steering_guest
/interface wifi
# operated by CAP 74:4D:28:2E:8C:8F%vlan_10_mgmt, traffic processing on CAP
# vlan-id configured, but interface does not support assigning vlans
# client was disconnected because could not assign vlan
add configuration=main_2g disabled=no name=ap-gabinet_2G radio-mac=74:4D:28:2E:8C:91
/interface wifi
# operated by CAP 74:4D:28:2E:8C:8F%vlan_10_mgmt, traffic processing on CAP
# vlan-id configured, but interface does not support assigning vlans
add configuration=main_5g disabled=no name=ap-gabinet_5G radio-mac=74:4D:28:2E:8C:92
/interface wifi
# operated by CAP 74:4D:28:2E:8C:8F%vlan_10_mgmt, traffic processing on CAP
# vlan-id configured, but interface does not support assigning vlans
# client was disconnected because could not assign vlan
add configuration=guest_2g disabled=no mac-address=76:4D:28:2E:8C:91 master-interface=ap-gabinet_2G name=ap-gabinet_guest
/interface wifi add channel=2.4g_ch03 channel.frequency=2422 configuration=main_2g configuration.country=Poland .mode=ap datapath=main disabled=no name=ap-salon-2G- radio-mac=C4:AD:34:F5:82:4E security=main_security steering=steering_main
/interface wifi add channel=5.0g_ch36 channel.frequency=5180 configuration=main_5g configuration.country=Poland .mode=ap datapath=main disabled=no name=ap-salon-5G- radio-mac=C4:AD:34:F5:82:4F security=main_security steering=steering_main
/interface wifi add configuration=guest_2g configuration.mode=ap datapath=guest disabled=no mac-address=C6:AD:34:F5:82:4E master-interface=ap-salon-2G- name=ap-salon-guest- security=guest_security steering=steering_guest
/interface wifi add channel=2.4g_ch08 channel.frequency=2447 configuration=main_2g configuration.country=Poland .mode=ap datapath=main disabled=no mtu=1500 name=ap-sypialnia-2G- radio-mac=74:4D:28:BE:F1:C9 security=main_security steering=steering_main
/interface wifi add channel=5.0g_ch100 channel.frequency=5500 configuration=main_5g configuration.country=Poland .mode=ap datapath=main disabled=no name=ap-sypialnia-5G- radio-mac=74:4D:28:BE:F1:CA security=main_security steering=steering_main
/interface wifi add configuration=guest_2g configuration.mode=ap datapath=guest disabled=no mac-address=76:4D:28:BE:F1:C9 master-interface=ap-sypialnia-2G- name=ap-sypialnia-guest- security=guest_security steering=steering_guest
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip pool add comment="new home devices before making static" name=home-dynamic ranges=192.168.5.224-192.168.5.238
/ip pool add comment="address pool for SSTP VPN belonging to the safe home IP range" name=sstp-pool ranges=192.168.5.239-192.168.5.254
/ip pool add comment="wifi guest DHCP pool" name=guests ranges=192.168.6.129-192.168.6.254
/ip pool add comment="blocked on firewall, only local" name=home-no-routing ranges=192.168.5.2-192.168.5.127
/ip pool add comment="defined static leases" name=home-static ranges=192.168.5.128-192.168.5.223
/ip pool add comment="for AP management" name=management ranges=192.168.4.2-192.168.4.254
/ip dhcp-server add address-pool=home-dynamic interface=vlan_20_home lease-time=2m name=dhcp_home server-address=192.168.5.1
/ip dhcp-server add address-pool=guests interface=vlan_30_guest lease-time=10m name=dhcp_guest server-address=192.168.6.1
/ip dhcp-server add address-pool=management interface=vlan_10_mgmt lease-time=2m name=dhcp_mgmt server-address=192.168.4.1
/ip smb users set [ find default=yes ] disabled=yes
/ppp profile add bridge=bridge dns-server=192.168.5.1,1.1.1.1 local-address=192.168.5.1 name=sstp only-one=no remote-address=sstp-pool use-compression=no use-encryption=required use-ipv6=no use-mpls=no use-upnp=no
/ppp profile add change-tcp-mss=yes name=tech-media-ppoe only-one=yes use-compression=no use-ipv6=no
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=20 max-mtu=1492 name=tech-media profile=tech-media-ppoe use-peer-dns=yes user=DASZYNSKIEGO200E
/queue type set 0 pfifo-limit=500
/queue type set 5 pcq-limit=200KiB pcq-total-limit=4000KiB
/queue type set 6 pcq-limit=200KiB pcq-total-limit=4000KiB
/queue simple add comment="for testing unrestricted speeds" disabled=yes max-limit=1G/1G name=unrestricted packet-marks=mark_nat_packet queue=pcq-upload-default/pcq-download-default target=192.168.0.0/16
/queue simple add comment="root - queues only for NAT traffic" max-limit=100M/500M name=parent_nat packet-marks=mark_nat_packet queue=pcq-upload-default/pcq-download-default target=192.168.0.0/16
/queue simple add burst-limit=70M/200M burst-threshold=20M/50M burst-time=10s/10s limit-at=3M/3M max-limit=20M/50M name="vpn_sstp (r)" parent=parent_nat priority=6/6 queue=pcq-upload-default/pcq-download-default target=192.168.5.224/28
/queue simple add burst-limit=80M/200M burst-threshold=50M/150M burst-time=25s/25s limit-at=5M/5M max-limit=50M/150M name="vpn_wg_tomek (r)" parent=parent_nat priority=5/5 queue=pcq-upload-default/pcq-download-default target=192.168.105.2/32,192.168.105.3/32
/queue simple add burst-limit=80M/200M burst-threshold=20M/100M burst-time=25s/25s limit-at=3M/3M max-limit=20M/100M name="vpn_wg_justyna (r)" parent=parent_nat priority=6/6 queue=pcq-upload-default/pcq-download-default target=192.168.105.4/32
/queue simple add limit-at=33M/150M max-limit=98M/496M name=home parent=parent_nat priority=2/2 queue=pcq-upload-default/pcq-download-default target=192.168.5.128/25
/queue simple add burst-limit=90M/450M burst-threshold=70M/400M burst-time=1m/1m limit-at=10M/50M max-limit=70M/400M name=home_tomek_dell parent=home priority=3/3 queue=pcq-upload-default/pcq-download-default target=192.168.5.128/32,192.168.5.135/32
/queue simple add burst-limit=90M/450M burst-threshold=70M/400M burst-time=30s/30s limit-at=10M/50M max-limit=70M/400M name=olfisz parent=home priority=2/2 queue=pcq-upload-default/pcq-download-default target=192.168.5.144/32
/queue simple add burst-limit=40M/100M burst-threshold=20M/50M burst-time=10s/10s limit-at=2M/5M max-limit=20M/50M name=alarm_satel_ethm parent=home priority=2/2 queue=pcq-upload-default/pcq-download-default target=192.168.5.151/32
/queue simple add burst-limit=90M/450M burst-threshold=66M/250M burst-time=30s/30s limit-at=10M/50M max-limit=66M/250M name=home_remaining_traffic parent=home priority=5/5 queue=pcq-upload-default/pcq-download-default target=192.168.5.128/25
/queue simple add burst-limit=30M/150M burst-threshold=20M/100M burst-time=10s/10s limit-at=2M/10M max-limit=20M/100M name=guest_wifi parent=parent_nat priority=7/7 queue=pcq-upload-default/pcq-download-default target=192.168.6.128/25
/queue simple add name=parent_remaining_traffic parent=parent_nat queue=pcq-upload-default/pcq-download-default target=192.168.0.0/16
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/system logging action set 0 memory-lines=8192
/system logging action set 1 disk-lines-per-file=8192
/interface bridge port add bridge=bridge interface=ether2-master internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge port add bridge=bridge comment=ap-salon frame-types=admit-only-vlan-tagged interface=ether3 internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge port add bridge=bridge comment=ap-sypialnia frame-types=admit-only-vlan-tagged interface=ether4 internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge port add bridge=bridge comment="!change to admit only tagged! ap-gabinet" interface=ether5 internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge port add bridge=bridge interface=ether6-master internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge port add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge port add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge vlan add bridge=bridge comment=vlan-10-guest tagged=bridge,ether3,ether4,ether5 vlan-ids=30
/interface bridge vlan add bridge=bridge comment=vlan-20-home tagged=bridge,ether3,ether4,ether5 vlan-ids=20
/interface bridge vlan add bridge=bridge comment=vlan-10-mgmt tagged=bridge,ether3,ether4,ether5 vlan-ids=10
/interface list member add interface=bridge list=LAN
/interface list member add interface=ether1 list=WAN
/interface list member add interface=ether2-master list=discover
/interface list member add interface=ether3 list=discover
/interface list member add interface=ether4 list=discover
/interface list member add interface=ether5 list=discover
/interface list member add interface=ether6-master list=discover
/interface list member add interface=ether7 list=discover
/interface list member add interface=ether8 list=discover
/interface list member add interface=bridge list=discover
/interface list member add interface=ether2-master list=mactel
/interface list member add interface=ether2-master list=mac-winbox
/interface list member add interface=ether6-master list=mactel
/interface list member add interface=ether6-master list=mac-winbox
/interface list member add interface=wire-guard-vpn list=LAN
/interface list member add interface=tech-media list=WAN
/interface list member add interface=wire-guard-vpn list=discover
/interface list member add interface=sfp-sfpplus1 list=WAN
/interface ovpn-server server add auth=sha1,md5 mac-address=FE:49:36:72:D1:F6 name=ovpn-server1
/interface sstp-server server set authentication=mschap2 certificate=SSTP-server default-profile=sstp enabled=yes pfs=yes tls-version=only-1.2
/interface wifi access-list # full list of MACs follows here...
/interface wifi capsman set ca-certificate=CAPsMAN-CA certificate=CAPsMAN enabled=yes interfaces=vlan_10_mgmt package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning add action=create-enabled disabled=no master-configuration=main_2g name-format=%I_2G slave-configurations=guest_2g slave-name-format=%I_guest supported-bands=2ghz-n
/interface wifi provisioning add action=create-enabled disabled=no master-configuration=main_5g name-format=%I_5G supported-bands=5ghz-ac
/interface wireguard peers add allowed-address=192.168.105.2/32 client-address=192.168.105.2/32 client-dns=8.8.8.8,192.168.5.1 interface=wire-guard-vpn name=tomek-dell-9570 public-key="c6hcQJ8Ag1r2P69j0i0fw8ExWFwnyMTfVSnpZLHk+AU="
/interface wireguard peers add allowed-address=192.168.105.3/32 client-address=192.168.105.3/32 client-dns=8.8.8.8,192.168.5.1 interface=wire-guard-vpn name=tomek-s24u public-key="chIDCuj+9TfV+35b97hZD0hzgp0hYFnvGIteFEpzwns="
/interface wireguard peers add allowed-address=192.168.105.4/32 client-address=192.168.105.4/32 client-dns=192.168.5.1,1.1.1.1 interface=wire-guard-vpn name=justyna-dell-7410 public-key="3eCAF8D4HuZN/unN8y/D+CZ/Fac/Ikuh2+KANHS4qzw="
/ip address add address=192.168.5.1/24 interface=vlan_20_home network=192.168.5.0
/ip address add address=192.168.6.1/24 interface=vlan_30_guest network=192.168.6.0
/ip address add address=192.168.105.1/24 interface=wire-guard-vpn network=192.168.105.0
/ip address add address=192.168.4.1/24 interface=vlan_10_mgmt network=192.168.4.0
/ip cloud set ddns-update-interval=8h
/ip dhcp-client add comment="PPPoE from ISP doesn't provide DHCP" disabled=yes interface=ether1
/ip dhcp-server lease # static leases follow here...
/ip dhcp-server network add address=192.168.5.0/24 comment=home dns-server=192.168.5.1,1.1.1.1,8.8.8.8 gateway=192.168.5.1 netmask=24
/ip dhcp-server network add address=192.168.6.0/24 comment=guest dns-server=192.168.6.1,1.1.1.1,8.8.8.8 gateway=192.168.6.1 netmask=24
/ip dns set allow-remote-requests=yes servers=1.1.1.1
/ip dns static add address=192.168.5.1 name=router.lan type=A
/ip dns static add address=192.168.5.132 name=hp_1320.lan type=A
/ip firewall address-list add address=255.255.255.255 list=broadcast
/ip firewall address-list add address=192.168.5.128/25 list=lan
/ip firewall address-list add address=192.168.5.128/25 list=all_local
/ip firewall address-list add address=192.168.6.0/24 list=all_local
/ip firewall address-list add address=192.168.105.0/24 list=all_local
/ip firewall address-list add address=224.0.0.0/4 list=broadcast
/ip firewall address-list add address=169.254.0.0/16 list=broadcast
/ip firewall address-list add address=0.0.0.0/8 list=broadcast
/ip firewall address-list add address=192.168.5.128/25 list=safe_local
/ip firewall address-list add address=192.168.105.0/24 list=safe_local
/ip firewall filter add action=drop chain=forward comment="drop invalid forward" connection-state=invalid log-prefix="FW invalid fwd  "
/ip firewall filter add action=drop chain=forward comment="explicitly drop forwarding attacks, redundant\?" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="FW NAT attack"
/ip firewall filter add action=fasttrack-connection chain=forward comment="fasttrack traffic between LAN peers, without filtering or bandwith limits" connection-state=established,related disabled=yes dst-address-list=lan hw-offload=yes src-address-list=lan
/ip firewall filter add action=fasttrack-connection chain=forward comment="fasttrack for NAT kills simple queues - therefore disabled" connection-state=established,related disabled=yes hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="accept all related traffic (also answers from NAT for everybody)" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="allow local traffic between safe networks (VPN included but not guest network)" connection-state="" dst-address-list=safe_local src-address-list=safe_local
/ip firewall filter add action=accept chain=forward comment="allow NAT for all local subnets (including guests)" connection-nat-state="" connection-state="" out-interface-list=WAN src-address-list=all_local
/ip firewall filter add action=drop chain=forward comment="drop all remaining forwards (also LAN to guests)" connection-nat-state="" connection-state="" log=yes log-prefix="FW fwd other"
/ip firewall filter add action=drop chain=input comment="drop invalid input" connection-state=invalid log-prefix="FW INVALID"
/ip firewall filter add action=drop chain=input comment="drop broadcasts, multicasts from outside" dst-address-list=broadcast in-interface-list=WAN
/ip firewall filter add action=accept chain=input comment="accept all related input (also answers to the router itself NTP, DNS, etc.)" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="allow local inputs (also winbox from LAN + VPN)" in-interface-list=!WAN log-prefix="TEMP:  " src-address-type=""
/ip firewall filter add action=accept chain=input comment="accept ICMP (ping, traceroute)" protocol=icmp
/ip firewall filter add action=accept chain=input comment="SSTP VPN connects on port 443" dst-port=443 protocol=tcp src-port=""
/ip firewall filter add action=accept chain=input comment="WireGuard on non-standard 33231 UDP" dst-port=33231 protocol=udp src-port=""
/ip firewall filter add action=drop chain=input comment="drop everything else on input" log-prefix="FW IN"
/ip firewall mangle add action=mark-packet chain=forward comment="Mark NAT traffic" connection-nat-state=srcnat connection-state="" new-packet-mark=mark_nat_packet
/ip firewall nat add action=masquerade chain=srcnat comment="NAT for local subnets (inc. SSTP and guest VLAN)" dst-address-list=!all_local src-address-list=all_local
/ip firewall raw add action=drop chain=prerouting comment="attempt to drop unkown MAC addresses\?" disabled=yes src-address=192.168.5.2-192.168.5.127
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes sip-direct-media=no
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip ipsec policy set 0 dst-address=0.0.0.0/0 src-address=192.168.0.0/16
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256 hash-algorithm=sha256 prf-algorithm=sha256 proposal-check=strict
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=192.168.5.128/25,192.168.105.0/24 disabled=yes
/ip service set ssh address=192.168.5.128/25,192.168.105.0/24
/ip service set www-ssl address=192.168.5.128/25,192.168.105.0/24 tls-version=only-1.2
/ip service set api disabled=yes
/ip service set winbox address=192.168.5.128/25,192.168.105.0/24
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=/pub
/ip ssh set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc,null forwarding-enabled=remote
/ipv6 firewall filter add action=reject chain=forward log=yes log-prefix=IP6 reject-with=icmp-admin-prohibited
/ipv6 firewall filter add action=reject chain=input log-prefix=IP6 reject-with=icmp-admin-prohibited
/ppp secret add name=tomek profile=sstp service=sstp
/ppp secret add name=justyna profile=sstp service=sstp
/system clock set time-zone-autodetect=no time-zone-name=Europe/Warsaw
/system identity set name=Mikrobi-RB5009
/system logging add disabled=yes prefix=debug topics=debug
/system logging add disabled=yes topics=debug,caps
/system logging add disabled=yes topics=dhcp
/system logging add disabled=yes topics=bridge
/system logging add topics=firewall
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp server set manycast=yes
/system ntp client servers add address=0.pl.pool.ntp.org
/system ntp client servers add address=1.pl.pool.ntp.org
/system ntp client servers add address=2.pl.pool.ntp.org
/system ntp client servers add address=3.pl.pool.ntp.org
/tool bandwidth-server set enabled=no
/tool graphing interface add allow-address=192.168.0.0/16 interface=tech-media store-on-disk=no
/tool graphing resource add allow-address=192.168.0.0/16 store-on-disk=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/tool romon set enabled=yes
/tool romon port add cost=50 disabled=no forbid=yes interface=WAN
/tool traffic-monitor add interface=tech-media name="WAN TX" on-event=":log info \"WAN upload > 80M\"" threshold=80000000
/tool traffic-monitor add interface=tech-media name="WAN RX" on-event=":log info \"WAN download > 400M\"" threshold=400000000 traffic=received

AP:

# 2025-01-17 17:32:12 by RouterOS 7.17
# software id = CQHK-DBUK
#
# model = RBcAPGi-5acD2nD
/interface bridge add admin-mac=74:4D:28:2E:8C:8F auto-mac=no ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface vlan add interface=ether1 name=vlan_10_mgmt vlan-id=10
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi datapath add bridge=bridge disabled=no name=cap_path
/interface wifi
# managed by CAPsMAN D4:01:C3:2A:00:AF%vlan_10_mgmt, traffic processing on CAP
# mode: AP, SSID: klemens_wafelek, channel: 2432/n/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=cap_path disabled=no name=home_2g
/interface wifi
# managed by CAPsMAN D4:01:C3:2A:00:AF%vlan_10_mgmt, traffic processing on CAP
# mode: AP, SSID: klemens_wafelek, channel: 5500/ac/Ceee/D
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=cap_path disabled=no name=home_5g
/interface wifi
# managed by CAPsMAN D4:01:C3:2A:00:AF%vlan_10_mgmt, traffic processing on CAP
# mode: AP, SSID: 200_e_goscie
add configuration.mode=ap datapath=cap_path disabled=no mac-address=76:4D:28:2E:8C:91 master-interface=home_2g name=guest_2g
/ip smb users set [ find default=yes ] disabled=yes
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port add bridge=bridge comment="from router" frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10 pvid=20
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=home_2g internal-path-cost=10 path-cost=10 pvid=20
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=home_5g internal-path-cost=10 path-cost=10 pvid=20
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=guest_2g pvid=30
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan add bridge=bridge comment=mgmt tagged=bridge,ether1 vlan-ids=10
/interface bridge vlan add bridge=bridge comment=home tagged=bridge,ether1 untagged=home_2g,home_5g vlan-ids=20
/interface bridge vlan add bridge=bridge comment=guest tagged=bridge,ether1 untagged=guest_2g vlan-ids=30
/interface ovpn-server server add auth=sha1,md5 mac-address=FE:CF:0C:E3:73:B9 name=ovpn-server1
/interface wifi cap set caps-man-addresses=192.168.5.1 certificate=request discovery-interfaces=vlan_10_mgmt enabled=yes lock-to-caps-man=yes slaves-datapath=cap_path slaves-static=yes
/ip dhcp-client add interface=vlan_10_mgmt
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh address=192.168.5.128/25,192.168.105.0/24
/ip service set api disabled=yes
/ip service set winbox address=192.168.5.128/25,192.168.105.0/24
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=/flash/pub
/routing bfd configuration add disabled=no
/system clock set time-zone-name=Europe/Warsaw
/system identity set name=ap-gabinet
/system note set show-at-login=no
/system routerboard mode-button set enabled=yes on-event=dark-mode
/tool bandwidth-server set enabled=no
/tool romon set enabled=yes

Set FT Preserve VLAN ID to No.

Yes. Thanks. I already saw that recommendation and it's unfortunately already included in the problematic configuration:

/interface wifi security add authentication-types=wpa2-psk disabled=no encryption="" ft=yes ft-over-ds=yes ft-preserve-vlanid=no name=main_security wps=disable
/interface wifi security add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes ft-preserve-vlanid=no name=guest_security wps=disable

So the issue must be elsewhere.

I don’t experience this on multiple setups whose intended behavior is similar to yours (still running 7.16.2), so I assume there is some difference in configuration. Do you use WPA2-enterprise and user manager or another RADIUS server?

Sorry, I’ve missed the exports above. Deem my question in the previous post nonexistent :)

Remove the vlan-id settings on the /interface wifi datapath rows on the 5009 and it should be better.

The recommendation worked flawlessly. That was it. Thank you!
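
The fix confirmed above can be checked against an export before and after the change. The following Python check is an added example, not part of the original thread or of any MikroTik tooling: it reads `/export` text, resolves each `/interface wifi` entry to its datapath (directly or through its configuration), and reports the entries where RouterOS's own warning comment coincides with a datapath that sets `vlan-id`. The sample is an excerpt of the router export posted above, trimmed to the properties the check reads; the function names are illustrative.

```python
import re

# key=value pairs as printed by RouterOS /export (values may be double-quoted)
KV = re.compile(r'([\w.\-]+)=("(?:[^"\\]|\\.)*"|\S*)')
UNSUPPORTED = "interface does not support assigning vlans"
DROPPED = "client was disconnected because could not assign vlan"

# Excerpt of the router export from the thread, trimmed to the relevant properties.
SAMPLE_EXPORT = """\
/interface wifi datapath add bridge=bridge disabled=no name=main vlan-id=20
/interface wifi datapath add bridge=bridge client-isolation=yes disabled=no name=guest vlan-id=30
/interface wifi configuration add datapath=main name=main_2g ssid=klemens_wafelek
/interface wifi configuration add datapath=main name=main_5g ssid=klemens_wafelek
/interface wifi configuration add datapath=guest name=guest_2g ssid=200_e_goscie
/interface wifi
# operated by CAP 74:4D:28:2E:8C:8F%vlan_10_mgmt, traffic processing on CAP
# vlan-id configured, but interface does not support assigning vlans
# client was disconnected because could not assign vlan
add configuration=main_2g disabled=no name=ap-gabinet_2G radio-mac=74:4D:28:2E:8C:91
/interface wifi
# operated by CAP 74:4D:28:2E:8C:8F%vlan_10_mgmt, traffic processing on CAP
# vlan-id configured, but interface does not support assigning vlans
add configuration=main_5g disabled=no name=ap-gabinet_5G radio-mac=74:4D:28:2E:8C:92
/interface wifi
# operated by CAP 74:4D:28:2E:8C:8F%vlan_10_mgmt, traffic processing on CAP
# vlan-id configured, but interface does not support assigning vlans
# client was disconnected because could not assign vlan
add configuration=guest_2g disabled=no mac-address=76:4D:28:2E:8C:91 master-interface=ap-gabinet_2G name=ap-gabinet_guest
/interface wifi add configuration=main_2g datapath=main disabled=no name=ap-salon-2G- radio-mac=C4:AD:34:F5:82:4E
"""


def split_command(line, menu):
    """Split an export line into (menu path, verb, properties text)."""
    words = line.split()
    for i, word in enumerate(words):
        if word in ("add", "set"):
            # A line that starts with the verb inherits the last menu seen.
            return (" ".join(words[:i]) or menu), word, " ".join(words[i + 1:])
    return (line if line.startswith("/") else menu), None, ""


def audit(export_text):
    """Return wifi interfaces that RouterOS flagged and that use a datapath with vlan-id."""
    datapath_vlan, config_datapath, interfaces = {}, {}, []
    menu, notes = "", []
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):          # status comments precede the entry they describe
            notes.append(line.lstrip("# "))
            continue
        menu, verb, rest = split_command(line, menu)
        pending, notes = notes, []
        if verb != "add":
            continue
        p = {k: v.strip('"') for k, v in KV.findall(rest)}
        if menu == "/interface wifi datapath" and "vlan-id" in p:
            datapath_vlan[p.get("name")] = p["vlan-id"]
        elif menu == "/interface wifi configuration" and "datapath" in p:
            config_datapath[p.get("name")] = p["datapath"]
        elif menu == "/interface wifi":
            interfaces.append((p, pending))

    findings = []
    for p, pending in interfaces:
        # An explicit datapath on the interface wins over the one in its configuration.
        datapath = p.get("datapath") or config_datapath.get(p.get("configuration"))
        if datapath in datapath_vlan and any(UNSUPPORTED in n for n in pending):
            findings.append({
                "interface": p.get("name"),
                "datapath": datapath,
                "vlan_id": datapath_vlan[datapath],
                "client_dropped": any(DROPPED in n for n in pending),
            })
    return findings


def datapaths_to_fix(export_text):
    """Names of the datapaths whose vlan-id should be removed on the CAPsMAN router."""
    return sorted({f["datapath"] for f in audit(export_text)})


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f)
    print("remove vlan-id from datapaths:", datapaths_to_fix(SAMPLE_EXPORT))
```

Entries without the warning comment, such as `ap-salon-2G-` in the excerpt, are not reported, because only the interfaces RouterOS itself flagged are known to be affected.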