Hello,
I would like to ask you for help with this architecture (see attachment) and configuration:
Hex S Config:
# Hex S (RB760iGS, RouterOS 7.10.2) export with review annotations. Every "#"
# line added below is a comment only; no directive has been altered.
# 2023-08-08 23:15:54 by RouterOS 7.10.2
# software id = xxxxx
#
# model = RB760iGS
# serial number = xxxx
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz name=2GhzChnl \
reselect-interval=1d save-selected=yes skip-dfs-channels=yes
add band=5ghz-a/n/ac control-channel-width=20mhz name=5GhzChnl \
reselect-interval=1d save-selected=yes skip-dfs-channels=yes
/interface bridge
# NOTE(review): vlan-filtering is not enabled on this bridge, so the
# "/interface bridge vlan" table and the per-port pvid/frame-types values
# further down are presumably not enforced at all. That matches "VLAN is not
# used", but it also means there is currently no separation between the
# Intranet, Guest and Management ports -- confirm before relying on it.
add admin-mac=xxxxx:9A:B8 auto-mac=no comment=defconf name=\
bridge-Domaci priority=0x1000
/interface ethernet
set [ find default-name=ether1 ] comment="Internet WAN"
set [ find default-name=ether2 ] comment="To SWITCH"
set [ find default-name=ether3 ] comment="xxx"
set [ find default-name=ether4 ] comment="xxx"
set [ find default-name=ether5 ] comment="AP port"
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
# All four VLAN interfaces are disabled=yes (and so are their DHCP servers
# below); the only live L3 network is 192.168.88.0/24 on the untagged bridge.
add disabled=yes interface=bridge-Domaci name=vlan10-Intranet vlan-id=10
add disabled=yes interface=bridge-Domaci name=vlan20-Guest vlan-id=20
add disabled=yes interface=bridge-Domaci loop-protect=on name=\
vlan254-Management vlan-id=254
add disabled=yes interface=bridge-Domaci name=vlan666-BlackHole vlan-id=666
/caps-man datapath
# Tagged datapaths for the three VLANs; only datapath254-Mgmt is referenced by
# a CAPsMAN configuration below, the two client SSIDs bypass these.
add bridge=bridge-Domaci l2mtu=1600 name=datapath10-Intranet vlan-id=10 \
vlan-mode=use-tag
add bridge=bridge-Domaci l2mtu=1600 name=datapath20-Guest vlan-id=20 \
vlan-mode=use-tag
add bridge=bridge-Domaci l2mtu=1600 name=datapath254-Mgmt vlan-id=254 \
vlan-mode=use-tag
/caps-man security
# Single WPA2-PSK/AES-CCM profile shared by all three SSIDs (PMKID disabled,
# hourly group-key rotation); the passphrase is not part of the export.
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
group-key-update=1h name=sec1-Domaci
/caps-man configuration
# The 2 GHz / 5 GHz client SSIDs put clients straight into bridge-Domaci
# (untagged). cfg254-Mgmt uses the tagged VLAN-254 datapath, but
# vlan254-Management and DHCP254-Mgmt are both disabled, so clients of that
# SSID presumably get no address today.
add channel=2GhzChnl country="czech republic" datapath.bridge=bridge-Domaci \
distance=indoors hw-retries=4 max-sta-count=40 name=cfg-Domaci-2Ghz \
security=sec1-Domaci ssid=xxx
add channel=5GhzChnl country="czech republic" datapath.bridge=bridge-Domaci \
distance=indoors hw-retries=4 max-sta-count=20 name=cfg-Domaci-5ghz \
security=sec1-Domaci ssid=yyy
add channel=5GhzChnl country="czech republic" datapath=datapath254-Mgmt name=\
cfg254-Mgmt security=sec1-Domaci ssid=zzzzz
/caps-man interface
add channel=2GhzChnl configuration=cfg-Domaci-2Ghz disabled=no l2mtu=1600 \
mac-address=xxx:D6:F4 master-interface=none name=cap1-2Ghz \
radio-mac=xxxxxx:D6:F4 radio-name=sssssssssF4
add channel=5GhzChnl configuration=cfg-Domaci-5ghz disabled=no l2mtu=1600 \
mac-address=gggggggggg:F4 master-interface=none name=cap2-5GHz \
radio-mac=xxxxxx:D6:F5 radio-name=sssssssssF5 security=sec1-Domaci
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add disabled=yes name=uuuuu
add disabled=yes name=ggggg
add name=qqqqq
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.100
add name=pool10-Intranet ranges=10.0.10.10-10.0.10.100
add name=pool20-Guest ranges=10.0.20.10-10.0.20.200
add name=pool254-Management ranges=10.0.254.10-10.0.254.100
/ip dhcp-server
# The live server hands out 5-minute leases from .10-.100; the static leases
# further down (.101-.253) sit outside that pool, which is fine.
add address-pool=default-dhcp interface=bridge-Domaci lease-time=5m name=\
DHCP-Domaci
add address-pool=pool10-Intranet disabled=yes interface=vlan10-Intranet \
lease-time=10m name=DHCP10-Intranet
add address-pool=pool20-Guest disabled=yes interface=vlan20-Guest lease-time=\
10m name=DHCP20-Guest
add address-pool=pool254-Management disabled=yes interface=vlan254-Management \
lease-time=10m name=DHCP254-Mgmt
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man manager
# CAPsMAN is enabled and presumably limited to ether5 (the "AP port") by the
# explicit manager-interface entry below.
set enabled=yes
/caps-man manager interface
add interface=ether5
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg-Domaci-2Ghz name-format=identity slave-configurations=cfg254-Mgmt
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
cfg-Domaci-5ghz name-format=identity slave-configurations=cfg254-Mgmt
/interface bridge port
# NOTE(review): the per-port VLAN settings do not agree with the
# "/interface bridge vlan" table below:
#  - ether2 ("To SWITCH") has pvid=254 but is not a member of VLAN 254 at all
#    (it is only tagged for 10 and 20);
#  - ether4 has pvid=10 / untagged in VLAN 10, yet is also listed tagged in 254;
#  - ether5 (AP port) is admit-only-vlan-tagged with pvid=254, so once filtering
#    is on, untagged frames from the AP are dropped at that port;
#  - the bridge interface itself is tagged only in 254, so the untagged
#    192.168.88.0/24 management path would presumably be lost the moment
#    vlan-filtering=yes is set with this table. Settle the design first.
add bridge=bridge-Domaci comment=defconf ingress-filtering=no interface=\
ether2 pvid=254
add bridge=bridge-Domaci comment=defconf ingress-filtering=no interface=\
ether3 pvid=20
add bridge=bridge-Domaci comment=defconf ingress-filtering=no interface=\
ether4 pvid=10
add bridge=bridge-Domaci comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether5 pvid=254
add bridge=bridge-Domaci comment=defconf ingress-filtering=no interface=sfp1 \
path-cost=5 priority=0x10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is switched off entirely, so the IPv4 input rules below are the only
# exposure to consider.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-Domaci tagged=ether2,ether5 untagged=ether4 vlan-ids=10
add bridge=bridge-Domaci tagged=ether2,ether5 untagged=ether3 vlan-ids=20
add bridge=bridge-Domaci tagged=bridge-Domaci,ether4,ether5 vlan-ids=254
add bridge=bridge-Domaci vlan-ids=666
/interface detect-internet
set detect-interface-list=all
/interface list member
# LAN = bridge-Domaci only, WAN = ether1; the input-chain rule
# "drop all not coming from LAN" keys off this LAN list.
add comment=defconf interface=bridge-Domaci list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# NOTE(review): OVPN is enabled with auth=sha1 and cipher=aes256-cbc, both
# legacy choices (RouterOS 7 also offers SHA-2 digests and AES-GCM). The input
# chain accepts only traffic arriving from the LAN list, so as exported this
# server is not reachable from ether1 anyway -- it would need its own accept
# rule placed above the "drop all not coming from LAN" rule.
set auth=sha1 certificate=eeeeee.crt_0 cipher=aes256-cbc enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-Domaci network=\
192.168.88.0
add address=10.0.10.0/24 interface=vlan10-Intranet network=10.0.10.0
add address=10.0.20.0/24 interface=vlan20-Guest network=10.0.20.0
add address=10.0.254.0/24 interface=vlan254-Management network=10.0.254.0
/ip arp
# NOTE(review): 192.168.88.253 is pinned here to a MAC ending D6:F2, while the
# static DHCP lease for the same .253 below is keyed on a MAC ending BF:5A
# (the ax3 bridge admin-mac). If the masking kept the real suffixes, the Hex S
# sends every frame destined for .253 to the wrong host -- a plausible reason
# why the ax3 sees only "Limited Access". Check with "/ip arp print" and drop
# or correct this entry.
add address=192.168.88.252 interface=bridge-Domaci mac-address=\
mmmmmmm:5E:8E
add address=192.168.88.253 interface=bridge-Domaci mac-address=\
xxxxxx:D6:F2
add address=192.168.88.205 interface=bridge-Domaci mac-address=\
rrrrrrrr:C4:E2
add address=192.168.88.185 interface=bridge-Domaci mac-address=\
vvvvvvvv:B6:A5
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
# Several entries below were mangled while redacting (e.g. "client-id=...mment="
# and "mac-address=...server=" run together); they are left as pasted.
add address=192.168.88.181 client-id=cccccccccmment=Onkyo \
mac-address=xxxxxxx:6B:F9 server=DHCP-Domaci
add address=192.168.88.180 comment="" \
mac-address=kkkkk:00:03 server=DHCP-Domaci
add address=192.168.88.183 client-id=ccccccccc0:8a comment=\
" http://192.168.88.241:8018/wsd" mac-address=\
adddresss:90:8A server=DHCP-Domaci
add address=192.168.88.203 client-id=cccccccccd:e1 comment=\
"repra2 - horni zasuvka" mac-address=addresss:E1 server=DHCP-Domaci
add address=192.168.88.201 client-id=ccccccccc34:9c comment=\
"Eliska Notebook" mac-address=addresss:9C server=DHCP-Domaci
add address=192.168.88.202 client-id=cccccccccd:e0 comment=\
"repra2 - spodni zasuvka" mac-address=addresss:E0 server=\
DHCP-Domaci
add address=192.168.88.102 client-id=ccccccccc5a:4b comment=\
" telefon" mac-address=addresss:4B server=DHCP-Domaci
add address=192.168.88.101 client-id=ccccccccc7:52 comment=\
"telefon" mac-address=addresss:52 server=DHCP-Domaci
add address=192.168.88.204 comment=" WiFi" mac-address=\
adddresss:F3:87 server=DHCP-Domaci
add address=192.168.88.184 comment="" mac-address=\
adddresss:F6:FF server=DHCP-Domaci
add address=192.168.88.205 client-id=ccccccccce2 comment=\
"" mac-address=rrrrrrrr:C4:E2 server=DHCP-Domaci
add address=192.168.88.182 client-id=ccccccccc1a:c9 comment=\
"." mac-address=aaadreesss:C9 server=\
DHCP-Domaci
add address=192.168.88.103 client-id=ccccccccc1:eb comment=\
"" mac-address=aaadreesss:EB server=DHCP-Domaci
add address=192.168.88.185 comment="" \
mac-address=aaadreesss server=DHCP-Domaci
add address=192.168.88.100 client-id=cccccccccfa:99 comment=\
"" mac-address=aaadreesss:99 server=DHCP-Domaci
add address=192.168.88.252 client-id=ccccccccce comment=\
"Switch" mac-address=aaadreesssserver=DHCP-Domaci
add address=192.168.88.104 client-id=cccccccccf2:10 comment=\
"e" mac-address=aaadreesss:10 server=\
DHCP-Domaci
add address=192.168.88.186 client-id=cccccccccfb:a2 comment=\
"3" mac-address=aaadreesss:A2 server=\
DHCP-Domaci
add address=192.168.88.187 client-id=ccccccccc1a:c6 comment=\
"" mac-address=aaadreesss:C6 server=DHCP-Domaci
add address=192.168.88.211 comment="veth pihole" mac-address=\
adddresss:BF:6A server=DHCP-Domaci
# NOTE(review): lease for the ax3. Because client-id is set, the server
# presumably hands this address out only to a request carrying the same
# identifier; the ax3 dhcp-client sends clientid_duid, and the id here does
# not visibly match the MAC (..:bf:59 vs ..:BF:5A). A mismatch yields a
# dynamic address from the pool instead -- the "second IP" symptom. Either
# align client-id with what the ax3 actually sends or remove it from this
# lease so matching is by MAC alone.
add address=192.168.88.253 client-id=ccccccccc:bf:59 \
mac-address=xxxxxxxxx:BF:5A server=DHCP-Domaci
/ip dhcp-server network
# Clients are told to use 192.168.88.1, 8.8.8.8 and 1.1.1.1 for DNS; the
# Pi-hole at .211 is not in the list, so presumably nothing is filtered by it yet.
add address=192.168.88.0/24 comment=defconf dns-server=\
192.168.88.1,8.8.8.8,1.1.1.1 gateway=192.168.88.1 ntp-server=\
192.168.88.1,216.239.35.12
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who can reach
# it; today that is only the LAN because the input chain drops everything else,
# so keep that rule in place as long as this stays enabled.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=gate.ayo
/ip firewall filter
# Rule order is significant in this list; the notes below point out where it
# matters.
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=reject chain=forward comment="Block Youtube Rule" connection-mark=\
YoutubeMangle disabled=yes log=yes log-prefix=Youtube-tcp-reset protocol=\
tcp reject-with=tcp-reset
# Placed ahead of the defconf "accept ICMP" rule, so WAN pings are dropped
# while LAN pings are still answered.
add action=drop chain=input comment="Pridano: Drop PING from WAN" \
in-interface-list=WAN protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything not arriving via the LAN list is dropped here; any service that
# must be reachable from WAN (OVPN, SSH on 6022, DNS) needs an explicit accept
# above this line.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Fasttracked established/related flows skip the remaining forward rules and
# mangle; anything that needs per-packet matching has to sit above this rule.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# layer7-protocol=*2 refers to a layer7 entry by internal id; that entry is not
# part of this export. The rule is disabled.
add action=mark-connection chain=forward comment=\
"Youtube Mangle Mark Connection" disabled=yes layer7-protocol=*2 \
new-connection-mark=YoutubeMangle passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip kid-control device
add mac-address=nnnnnn:5A:4B name=aaaaa user=zzzzz
add mac-address=nnnnnn:57:52 name=zzzzz user=eeee
add mac-address=nnnnnnn:9B:60 name=hhhhh user=ttttt
/ip service
# Telnet, FTP, HTTP and both API services are off and SSH moved to 6022;
# winbox and www-ssl are not in the export and so presumably keep their
# defaults. Reachability from WAN is governed by the input chain above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=6022
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# PPP account used by the OVPN server; its password is not in the export.
add name=zzzzzzz profile=default-encryption
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/cccccc
/system identity
set name=MikroTikRouter
/system note
set show-at-login=no
/system ntp server
# Serves NTP to the LAN; no broadcast option is set here (presumably off by
# default), while the ax3 NTP client below relies on mode=broadcast.
set enabled=yes
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add interface=ether1
/tool mac-server
# MAC-server, MAC-winbox and MAC-ping are all disabled on this router.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Ax3 Configuration:
# ax3 (C53UiG+5HPaxD2HPaxD, RouterOS 7.10.2) export with review annotations.
# Every "#" line added below is a comment only; no directive has been altered.
# NOTE(review): the export timestamp is 1970-01-09, i.e. the clock was not set
# when this was taken. With a 1970 clock, anything that validates TLS
# certificates (the package-update check, the container image pull) presumably
# fails even if routing works; see the NTP client note at the end.
# 1970-01-09 07:47:21 by RouterOS 7.10.2
# software id = xxxx
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxxx
/container mounts
# Pi-hole state is kept on the USB partition and mounted into the container.
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/usb1-part1/etc-dnsmasq.d
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"2 013 807 616" type=partition
/interface bridge
# The bridge (and its dhcp-client below) uses admin-mac ..:BF:5A, which is the
# MAC the Hex S static lease for 192.168.88.253 is keyed on.
add admin-mac=xxxx:BF:5A auto-mac=no name=bridge
/interface wifiwave2
# Both radios run as APs with WPA2/WPA3-PSK mixed mode; the passphrase is not in
# the export. 10min-cac skips the DFS channels that need a 10-minute CAC.
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Czech .mode=ap .ssid=ayo2 disabled=no name=\
wifi-ayo2 security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Czech .mode=ap .ssid=ayo5 disabled=no name=\
wifi-ayo5 security.authentication-types=wpa2-psk,wpa3-psk
/interface veth
# Container side of Pi-hole: static 192.168.88.211/24 via the Hex S. The Hex S
# also keeps a static lease "veth pihole" for .211 on a MAC ending BF:6A -- the
# same suffix reported for the ax3's unexpected second address, so check
# whether that MAC belongs to this veth rather than to an ethernet port.
add address=192.168.88.211/24 gateway=192.168.88.1 name=veth1-pihole
/interface list
# WAN is declared but never populated (only bridge -> LAN below), so nothing on
# this device is treated as an uplink; what the "Limited Access" verdict of
# detect-internet actually probes is not visible from this export.
add name=LAN
add name=WAN
/container config
# NOTE(review): registry-url points at https://hub.docker.com/layers, the Docker
# Hub web UI rather than a registry API endpoint; pulls would presumably fail
# against it even with working internet. MikroTik's container docs use
# https://registry-1.docker.io for Docker Hub images.
set ram-high=500 registry-url=https://hub.docker.com/layers tmpdir=\
usb1-part1/pulltmp
/container envs
# NOTE(review): WEBPASSWORD is the Pi-hole admin password in clear text, and it
# was included in this public paste -- treat it as disclosed and change it.
# DNSMASQ_USER=root presumably makes dnsmasq run as root inside the container.
add key=TZ name=pihole_env value=Europe/Prague
add key=WEBPASSWORD name=pihole_env value=mystrongpassword
add key=DNSMASQ_USER name=pihole_env value=root
/interface bridge port
# One flat bridge: all five ethernet ports, both radios and the Pi-hole veth,
# no VLANs. The container therefore shares L2 with every LAN client.
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi-ayo5
add bridge=bridge interface=ether1
add bridge=bridge interface=wifi-ayo2
add bridge=bridge interface=veth1-pihole
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge list=LAN
/ip dhcp-client
# Sends hostname plus both a MAC-based and a DUID-based client-id. The Hex S
# static lease for .253 is keyed on a client-id as well and must match what is
# sent here, otherwise the server falls back to a dynamic address. There is no
# /ip dns section in this export, so name resolution presumably relies on the
# servers learned through this client.
add dhcp-options=hostname,clientid,clientid_duid interface=bridge
/ip route
# Static default via the Hex S in addition to the dhcp-client, which by default
# installs its own default route; harmless while both agree, but one source of
# truth is easier to debug.
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main \
suppress-hw-offload=no
/system identity
set name=ax3ap
/system logging
add topics=container
/system note
set show-at-login=no
/system ntp client
# NOTE(review): mode=broadcast only sets the clock if some host on the LAN
# broadcasts NTP; the Hex S export enables its NTP server without any broadcast
# option, and the 1970 timestamp at the top of this export suggests the clock
# is indeed never set. Unicast mode against the Hex S (or a public pool) is the
# usual choice.
set enabled=yes mode=broadcast
/system package update
# channel=development installs pre-release builds; for an always-on AP that
# also hosts a container, the stable channel is the lower-risk choice.
set channel=development
/tool mac-server mac-winbox
# MAC-winbox is allowed on the LAN list, i.e. on the whole bridge including both
# wireless interfaces (the Hex S sets this to none).
set allowed-interface-list=LAN
The Hex S configuration contains some VLAN settings, but I could not get them to work, so they are not used at all.
The first problem I am facing is that the internal ax3 seems not to have internet access. Its own Detect Internet says “Available on bridge (Limited Access)”: I am not able to run the automatic check for ROS updates on the ax3, download containers, or ping the internet. Updates and Detect Internet work completely normally on the HexS. Any suggestions?
The second problem is with the ax3 IP address in the HexS DHCP server. I set the IP as static to .253, bound to the smallest MAC address of the ax3 ethernet interfaces (:BF:5A) in the bridge. But from time to time I find that the ax3 gets a different IP for a different ethernet interface MAC address connected to the ax3 bridge (*:BF:6A). So it seems that the ax3 has two IP addresses.
Thank you for your suggestions.
