Hello guys,
I have a strange problem with my mikrotik, where Im trying to configure DHCP relay so it forwareds the dhcp packets to my Windows Server 2019.
When I check the status of DHCP relay I can see that mikrotik is getting requests but no responses.
Does any of you have any idea what could be the problem?
Here is the configuration of my mikrotik:
/interface bridge
add name=Bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] comment="Main WAN" name=\
" WAN - Ether4"
set [ find default-name=ether2 ] comment="Backup WAN" name=" Ether2"
set [ find default-name=ether8 ] comment="Wifi Link - Ether 8" name=Wifi
set [ find default-name=ether9 ] arp=proxy-arp comment=\
"UTP Link - xx"
set [ find default-name=ether10 ] arp=proxy-arp
set [ find default-name=ether11 ] comment=LAN
/interface vlan
add comment=" Radius Wifi" interface=Wifi name=Vlan1111 vlan-id=1111
add comment=" Guest Wifi" interface=Wifi name=Vlan2222 vlan-id=2222
add interface=ether11 name=vlan10 vlan-id=10
add interface=ether11 name=vlan20 vlan-id=20
add interface=ether11 name=vlan30 vlan-id=30
add interface=ether11 name=vlan40 vlan-id=40
add interface=ether11 name=vlan50 vlan-id=50
add interface=ether11 name=vlan60 vlan-id=60
add interface=ether11 name=vlan70 vlan-id=70
add interface=ether11 name=vlan80 vlan-id=80
add interface=ether11 name=vlan90 vlan-id=90
add interface=ether11 name=vlan100 vlan-id=100
add interface=ether11 name=vlan110 vlan-id=110
add interface=ether11 name=vlan120 vlan-id=120
add interface=ether11 name=vlan130 vlan-id=130
add interface=ether11 name=vlan140 vlan-id=140
add interface=ether11 name=vlan150 vlan-id=150
add interface=ether11 name=vlan160 vlan-id=160
add interface=ether11 name=vlan170 vlan-id=170
add interface=ether11 name=vlan200 vlan-id=200
add interface=ether11 name=vlan240 vlan-id=240
add interface=ether11 name=vlan1000 vlan-id=1000
/interface list
add comment="Contains all user VLANs" name=VLANs
add comment="Contains both WANs" name=WANs
add comment="Conatins IT Devices" name=mgmtVLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] login-by=mac mac-auth-mode=\
mac-as-username-and-password
/ip pool
add comment="Managment VLAN Pool" name=vlan1000-pool ranges=\
10.1.1.11-10.1.1.190
add comment="_DELE old Wifi pool" name=WifiUsers-pool ranges=\
192.168.100.2-192.168.100.240
add comment="VLAN 10 Pool - Ground Floor" name=vlan10-pool ranges=\
10.1.10.100-10.1.10.120
add comment="VLAN 20 Pool - Ground Floor" name=vlan20-pool ranges=\
10.1.20.100-10.1.20.120
add comment="VLAN 30 Pool - Ground Floor" name=vlan30-pool ranges=\
10.1.30.100-10.1.30.120
add name=vlan70-pool ranges=10.1.70.100-10.1.70.120
add name=vlan80-pool ranges=10.1.80.100-10.1.80.120
add name=vlan90-pool ranges=10.1.90.100-10.1.90.120
add name=vlan100-pool ranges=10.1.100.100-10.1.100.120
add name=vlan110-pool ranges=10.1.110.100-10.1.110.120
add name=vlan120-pool ranges=10.1.120.100-10.1.120.120
add name=vlan130-pool ranges=10.1.130.100-10.1.130.120
add name=vlan140-pool ranges=10.1.140.100-10.1.140.120
add name=vlan150-pool ranges=10.1.150.100-10.1.150.120
add comment="VLAN 160 Pool - Fourth Floor" name=vlan160-pool ranges=\
10.1.160.100-10.1.160.120
add comment="VLAN 170 Pool - Fourth Floor" name=vlan170-pool ranges=\
10.1.170.100-10.1.170.120
add comment="VLAN 40 Pool - First Floor" name=vlan40-pool ranges=\
10.1.40.100-10.1.40.130
add name=vlan50-pool ranges=10.1.50.100-10.1.50.120
add name=vlan60-pool ranges=10.1.60.100-10.1.60.120
add comment="VLAN 200 Pool" name=vlan200-pool ranges=\
10.1.200.100-10.1.200.120
add comment="VPN Pool " name=VPN-Users-pool ranges=10.1.240.100-10.1.240.200
add comment="VLAN 1111 - Wifi Staff Pool" name=SLR-Pool ranges=\
192.168.111.50-192.168.111.200
add comment="VLAN 2222 - Wifi Guest Pool" name=SL-Guest-Pool ranges=\
192.168.222.20-192.168.222.250
add name=dhcp_pool34 ranges=10.1.1.2-10.1.1.254
/ip dhcp-server
add address-pool=vlan1000-pool allow-dual-stack-queue=no conflict-detection=\
no disabled=no interface=vlan1000 lease-time=1d10m name="LAN dhcp" \
src-address=10.1.1.1
add address-pool=WifiUsers-pool disabled=no interface=Wifi lease-time=14h10m \
name="Wifi dhcp" src-address=192.168.100.1
add address-pool=vlan10-pool disabled=no interface=vlan10 lease-time=1w23h59m \
name=vlan10-dhcp
add address-pool=vlan20-pool disabled=no interface=vlan20 lease-time=1w23h59m \
name=vlan20-dhcp
add address-pool=vlan30-pool disabled=no interface=vlan30 lease-time=1w23h59m \
name=vlan30-dhcp
add address-pool=vlan70-pool disabled=no interface=vlan70 lease-time=1w23h59m \
name=vlan70-dhcp
add address-pool=vlan80-pool disabled=no interface=vlan80 lease-time=1w23h59m \
name=vlan80-dhcp
add address-pool=vlan90-pool disabled=no interface=vlan90 lease-time=1w23h59m \
name=vlan90-dhcp
add address-pool=vlan100-pool disabled=no interface=vlan100 lease-time=\
1w23h59m name=vlan100-dhcp
add address-pool=vlan110-pool disabled=no interface=vlan110 lease-time=\
1w23h59m name=vlan110-dhcp
add address-pool=vlan120-pool disabled=no interface=vlan120 lease-time=\
1w23h59m name=vlan120-dhcp
add address-pool=vlan130-pool disabled=no interface=vlan130 lease-time=\
1w23h59m name=vlan130-dhcp
add address-pool=vlan140-pool disabled=no interface=vlan140 lease-time=\
1w23h59m name=vlan140-dhcp
add address-pool=vlan150-pool disabled=no interface=vlan150 lease-time=\
1w23h59m name=vlan150-dhcp
add address-pool=vlan160-pool disabled=no interface=vlan160 lease-time=\
1w23h59m name=vlan160-dhcp
add address-pool=vlan170-pool disabled=no interface=vlan170 lease-time=\
1w23h59m name=vlan170-dhcp
add address-pool=vlan40-pool disabled=no interface=vlan40 lease-time=1w23h59m \
name=vlan40-dhcp
add address-pool=vlan50-pool disabled=no interface=vlan50 lease-time=1w23h59m \
name=vlan50-dhcp
add address-pool=vlan60-pool disabled=no interface=vlan60 lease-time=1w23h59m \
name=vlan60-dhcp
add address-pool=vlan200-pool disabled=no interface=vlan200 lease-time=\
1w23h59m name=vlan200-dhcp
add address-pool=VPN-Users-pool disabled=no interface=vlan240 lease-time=\
8h10m name=vlan240-dhcp-VPN-users
add address-pool=SLR-Pool disabled=no interface=Vlan1111 lease-time=2d12h10m \
name="SLR-Wifi dhcp"
add address-pool=SL-Guest-Pool disabled=no interface=Vlan2222 lease-time=\
2h10m name=SL-Guest-dhcp
/ip hotspot user profile
set [ find default=yes ] address-pool=vlan200-pool
/ppp profile
add dns-server=10.1.1.10,8.8.8.8 interface-list=VLANs local-address=\
VPN-Users-pool name=openvpn-profile remote-address=VPN-Users-pool
/queue simple
add comment="Bandwidth total " name="Total Bandwidth" target=\
10.1.0.0/16
add comment="Bandwidth total WIFI" disabled=yes name=\
"Bandwidth total WIFI" target=192.168.100.0/24
add comment="Bandwidth total WIFI" name="Bandwidh total Wifi " \
target=192.168.111.0/24
add comment="Bandwidth total WIFI" name="Bandwitdh total WifiGuest" \
target=192.168.222.0/24
/queue type
add kind=pcq name=pcq-download-user-Main pcq-classifier=dst-address pcq-rate=\
30M
add kind=pcq name=pcq-upload-user-Main pcq-classifier=src-address pcq-rate=\
30M
add kind=pcq name=pcq-download-vip100 pcq-classifier=dst-address pcq-rate=\
100M
add kind=pcq name=pcq-upload-vip100 pcq-classifier=src-address pcq-rate=100M
add kind=pcq name=pcq-download-wifiuser pcq-classifier=dst-address pcq-rate=\
50M
add kind=pcq name=pcq-upload-wifiuser pcq-classifier=src-address pcq-rate=50M
add kind=pcq name=pcq-download-vip100-wifi pcq-classifier=dst-address \
pcq-rate=100M
add kind=pcq name=pcq-upload-vip100-wifi pcq-classifier=src-address pcq-rate=\
100M
add kind=pcq name=pcq-download-user-Backup pcq-classifier=dst-address \
pcq-rate=30M
add kind=pcq name=pcq-upload-user-Backup pcq-classifier=src-address pcq-rate=\
30M
add kind=pcq name=pcq-upload-wifiguest pcq-classifier=src-address pcq-rate=\
25M
add kind=pcq name=pcq-download-wifiguest pcq-classifier=dst-address pcq-rate=\
25M
/system logging action
add name=RemoteLog remote=10.1.1.250 target=remote
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=Bridge interface=ether11
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=Bridge disabled=yes tagged=Wifi vlan-ids=101
add bridge=Bridge tagged=Bridge,ether11 vlan-ids=\
10,20,30,40,50,60,70,80,90,100,110,120,130,140,150,160,170,200,1000
/interface list member
add interface=" WAN - Ether4" list=WANs
add interface=" Ether2" list=WANs
add interface=vlan10 list=VLANs
add interface=vlan20 list=VLANs
add interface=vlan30 list=VLANs
add interface=vlan40 list=VLANs
add interface=vlan50 list=VLANs
add interface=vlan60 list=VLANs
add interface=vlan70 list=VLANs
add interface=vlan80 list=VLANs
add interface=vlan90 list=VLANs
add interface=vlan100 list=VLANs
add interface=vlan110 list=VLANs
add interface=vlan120 list=VLANs
add interface=vlan130 list=VLANs
add interface=vlan140 list=VLANs
add interface=vlan150 list=VLANs
add interface=vlan160 list=VLANs
add interface=vlan170 list=VLANs
add interface=vlan1000 list=mgmtVLAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 default-profile=\
openvpn-profile enabled=yes require-client-certificate=yes
/ip address
add address=10.1.1.1/24 comment="LAN bridge" interface=vlan1000 network=\
10.1.1.0
add address=xxxxxxxxxx comment="I" interface=\
"xxxx WAN - Ether4" network=xxxxxx
add address=192.168.100.1/24 comment="Gateway Wifi" interface=Wifi \
network=192.168.100.0
add address=10.1.10.1/24 comment="VLAN 10 - Network" interface=vlan10 \
network=10.1.10.0
add address=10.1.20.1/24 comment="VLAN 20 - Network" interface=vlan20 \
network=10.1.20.0
add address=10.1.30.1/24 comment="VLAN 30 - Network" interface=vlan30 \
network=10.1.30.0
add address=10.1.40.1/24 comment="VLAN 40 - Network" interface=vlan40 \
network=10.1.40.0
add address=10.1.50.1/24 comment="VLAN 50 - Network" interface=vlan50 \
network=10.1.50.0
add address=10.1.60.1/24 comment="VLAN 60 - Network" interface=vlan60 \
network=10.1.60.0
add address=10.1.70.1/24 comment="VLAN 70 - Network" interface=vlan70 \
network=10.1.70.0
add address=10.1.80.1/24 comment="VLAN 80 - Network" interface=vlan80 \
network=10.1.80.0
add address=10.1.90.1/24 comment="VLAN 90 - Network" interface=vlan90 \
network=10.1.90.0
add address=10.1.100.1/24 comment="VLAN 100 - Network" interface=vlan100 \
network=10.1.100.0
add address=10.1.110.1/24 comment="VLAN 110 - Network" interface=vlan110 \
network=10.1.110.0
add address=10.1.120.1/24 comment="VLAN 120 - Network" interface=vlan120 \
network=10.1.120.0
add address=10.1.130.1/24 comment="VLAN 130 - Network" interface=vlan130 \
network=10.1.130.0
add address=10.1.140.1/24 comment="VLAN 140 - Network" interface=vlan140 \
network=10.1.140.0
add address=10.1.150.1/24 comment="VLAN 150 - Network" interface=vlan150 \
network=10.1.150.0
add address=10.1.160.1/24 comment="VLAN 160 - Network" interface=vlan160 \
network=10.1.160.0
add address=10.1.170.1/24 comment="VLAN 170 - Network" interface=vlan170 \
network=10.1.170.0
add address=10.1.200.1/24 comment="VLAN 200 - Network" interface=vlan200 \
network=10.1.200.0
add address=10.1.240.1/24 comment="VLAN 240 - VPN Users " interface=vlan240 \
network=10.1.240.0
add address=10.10.10.1/30 comment="Network Routers" \
interface=ether9 network=10.10.10.0
add address=192.168.111.1/24 comment="Gateway SLR Wifi" interface=Vlan1111 \
network=192.168.111.0
add address=192.168.222.1/24 comment="Gateway SL Guest Wifi" interface=\
Vlan2222 network=192.168.222.0
/ip dhcp-client
add add-default-route=no disabled=no interface=" Ether2"
add interface="K WAN - Ether4"
/ip dhcp-relay
add dhcp-server=10.1.1.10 interface=vlan200 local-address=10.1.200.1 name=\
Vlan200Relay
add dhcp-server=10.1.1.10 interface=vlan1000 local-address=10.1.1.1 name=\
relay1
/ip dhcp-server lease
add address=10.1.1.10 comment="Domain Controller" mac-address=\
00:15:5D:01:F3:00
add address=10.1.170.102 client-id=1:94:99:1:8:6a:f comment="Device" \
mac-address=94:99:01:08:6A:0F server=vlan170-dhcp
add address=10.1.1.58 allow-dual-stack-queue=no client-id=1:0:15:5d:1:6:5 \
mac-address=00:15:5D:01:06:05 server="LAN dhcp"
add address=10.1.1.62 allow-dual-stack-queue=no client-id=1:0:15:5d:1:f3:3b \
mac-address=00:15:5D:01:F3:3B server="LAN dhcp"
add address=192.168.111.77 client-id=1:f4:8c:50:5d:ee:b3 mac-address=\
F4:8C:50:5D:EE:B3 server="SLR-Wifi dhcp"
add address=192.168.222.104 client-id=1:bc:d0:74:30:8d:d2 mac-address=\
BC:D0:74:30:8D:D2 server=SL-Guest-dhcp
add address=10.1.1.60 allow-dual-stack-queue=no client-id=\
ff:5d:1:6:1:0:1:0:1:2a:97:7e:ca:0:15:5d:1:6:1 mac-address=\
00:15:5D:01:06:01 server="LAN dhcp"
add address=10.1.40.108 client-id=1:0:e0:4c:ec:d2:8d mac-address=\
00:E0:4C:EC:D2:8D server=vlan40-dhcp
add address=10.1.40.110 client-id=1:0:e0:4c:68:36:59 mac-address=\
00:E0:4C:68:36:59 server=vlan40-dhcp
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.10,208.67.222.222,208.67.220.220 \
gateway=10.1.1.1
add address=10.1.10.0/24 comment="VLan 10 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.10.1
add address=10.1.20.0/24 comment="VLan 20 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.20.1
add address=10.1.30.0/24 comment="VLan 30 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.30.1
add address=10.1.40.0/24 comment="VLan 40 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.40.1
add address=10.1.50.0/24 comment="VLan 50 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.50.1
add address=10.1.60.0/24 comment="VLan 60 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.60.1
add address=10.1.70.0/24 comment="VLan 70 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.70.1
add address=10.1.80.0/24 comment="VLan 80 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.80.1
add address=10.1.90.0/24 comment="VLan 90 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.90.1
add address=10.1.100.0/24 comment="VLan 100 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.100.1
add address=10.1.110.0/24 comment="VLan 110 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.110.1
add address=10.1.120.0/24 comment="VLan 120 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.120.1
add address=10.1.130.0/24 comment="VLan 130 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.130.1
add address=10.1.140.0/24 comment="VLan 140 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.140.1
add address=10.1.150.0/24 comment="VLan 150 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.150.1
add address=10.1.160.0/24 comment="VLan 160 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.160.1
add address=10.1.170.0/24 comment="VLan 170 Network - GW" dns-server=\
208.67.222.222,208.67.220.220 gateway=10.1.170.1
add address=10.1.200.0/24 comment="VLan 200 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.200.1
add address=10.1.240.0/24 comment="VLan 240 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=10.1.240.1
add address=192.168.100.0/24 comment="_DELE old wifi Network - GW" \
dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
add address=192.168.111.0/24 comment="VLan 1111 Network - GW" dns-server=\
10.1.1.10,208.67.222.222,208.67.220.220 gateway=192.168.111.1
add address=192.168.222.0/24 comment="VLan 2222 Network- GW" dns-server=\
8.8.8.8,8.8.4.4 gateway=192.168.222.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.1.10.0/24 list=Vlan10-List
add address=10.1.20.0/24 list=Vlan20-List
add address=10.1.30.0/24 list=Vlan30-List
add address=10.1.10.0/24 list="All VLANs"
add address=10.1.1.0/24 list="IT Devices"
add address=10.1.200.0/24 list="IT Room"
add address=10.1.20.0/24 list="All VLANs"
add address=10.1.30.0/24 list="All VLANs"
add address=10.1.40.0/24 list="All VLANs"
add address=10.1.50.0/24 list="All VLANs"
add address=10.1.60.0/24 list="All VLANs"
add address=10.1.70.0/24 list="All VLANs"
add address=10.1.80.0/24 list="All VLANs"
add address=10.1.90.0/24 list="All VLANs"
add address=10.1.100.0/24 list="All VLANs"
add address=10.1.110.0/24 list="All VLANs"
add address=10.1.120.0/24 list="All VLANs"
add address=10.1.130.0/24 list="All VLANs"
add address=10.1.140.0/24 list="All VLANs"
add address=10.1.150.0/24 list="All VLANs"
add address=10.1.160.0/24 list="All VLANs"
add address=10.1.170.0/24 list="All VLANs"
add address=10.1.10.102 list="IT Room"
add address=10.1.10.107 list="IT Room"
add address=10.1.130.0/24 list=vlan130-List
add address=220.196.160.76 list=MaliciousIP
add address=134.122.72.173 list=MaliciousIP
add address=72.251.235.152 list=MaliciousIP
add address=194.233.164.30 list=MaliciousIP
add address=220.196.160.95 list=MaliciousIP
add address=180.101.245.253 list=MaliciousIP
add address=172.105.81.59 list=MaliciousIP
add address=167.248.133.118 list=MaliciousIP
add address=206.189.170.136 list=MaliciousIP
add address=3.10.19.143 list=MaliciousIP
add address=3.124.123.169 list=MaliciousIP
add address=167.248.133.51 list=MaliciousIP
/ip firewall filter
add action=accept chain=forward comment=\
"Accept Established&Related connections" connection-state=\
established,related
add action=accept chain=forward comment=\
"Permit connection with RFID - D" dst-address=10.1.1.18 \
src-address=192.168.111.77
add action=accept chain=forward comment=\
"Permit connection with RFID - N" dst-address=10.1.1.18 \
src-address=192.168.222.104
add action=accept chain=forward comment=\
"Permit connection with RFID - N" dst-address=10.1.1.10 \
src-address=192.168.222.245
add action=accept chain=forward comment=\
"Permit connection with RFID - N" dst-address=10.1.1.18 \
src-address=10.1.40.108
add action=accept chain=forward comment=\
"Permit connection with RFID - K" dst-address=10.1.1.18 \
src-address=10.1.40.110
add action=accept chain=forward comment="Permit connection with AD from WIFI" \
dst-address=10.1.1.10 src-address=192.168.111.0/24
add action=accept chain=forward comment="Permit connection with FilesServer" \
dst-address=10.1.1.19 in-interface-list=VLANs
add action=accept chain=forward comment="Permit connection with AD" \
dst-address=10.1.1.10 in-interface-list=VLANs
add action=accept chain=forward comment=\
"Permit connection with FilesServer from WIFI" dst-address=10.1.1.19 \
src-address=192.168.111.0/24
add action=accept chain=forward comment=\
"Permit Recepsion with Camera connection" dst-address=10.1.1.222 \
src-address=10.1.170.101
add action=accept chain=forward comment="Permit CIO IP to Access MgmtVLAN" \
out-interface-list=mgmtVLAN src-address=10.1.240.210
add action=accept chain=forward comment="Permit CIO IP to Access all VLANs" \
out-interface-list=VLANs src-address=10.1.240.210
add action=accept chain=forward comment="Permit ITM to Access MgmtVLAN" \
out-interface-list=mgmtVLAN src-address=10.1.240.205
add action=accept chain=forward comment="Permit ITM to Access all VLANs" \
out-interface-list=VLANs src-address=10.1.240.205
add action=accept chain=forward comment="Permit connection to AlienVault" \
disabled=yes out-interface-list=VLANs src-address=10.1.1.250
add action=accept chain=forward comment="K RFID accept" \
disabled=yes dst-address=10.1.1.18 src-address=10.1.40.107
add action=accept chain=forward comment=\
"Permit AlienVault IP to Access all VLANs" disabled=yes dst-address=\
10.1.1.250 in-interface-list=VLANs
add action=accept chain=forward comment="VLAN10 allow communication to All" \
disabled=yes in-interface=vlan10 out-interface-list=VLANs
add action=accept chain=forward comment=\
"Permit IT Staff connection with IT devices" dst-address-list=\
"IT Devices" src-address-list="IT Room"
add action=accept chain=forward comment=\
"Permit IT Staff Connection with All Vlans" dst-address-list="All VLANs" \
src-address-list="IT Room"
add action=accept chain=forward comment="Permit IP to communicate with IP" \
disabled=yes dst-address-list=Vlan20-List src-address=10.1.10.102
add action=drop chain=forward comment="Block an IP to access internet." \
disabled=yes src-address=10.1.140.100
add action=drop chain=forward comment="Block an IP to access internet." \
disabled=yes src-address=192.168.111.57
add action=drop chain=forward comment=\
"Blocking Wifi to access Internal Network" dst-address=10.1.0.0/16 \
src-address=192.168.222.0/24
add action=drop chain=forward comment=\
"Blocking Wifi to access Internal Network" dst-address=10.1.0.0/16 \
src-address=192.168.111.0/24
add action=drop chain=forward comment=\
"Blocking Wifi to access Internal Network" disabled=yes dst-address=\
10.1.0.0/16 src-address=192.168.100.0/24
add action=drop chain=forward comment="Blocking VLANs to IT Room" \
dst-address-list="IT Room" in-interface-list=VLANs src-address-list=""
add action=drop chain=forward comment="Blocking VLANs to IT devices" \
in-interface-list=VLANs out-interface-list=mgmtVLAN src-address-list=""
add action=drop chain=forward comment="Blocking InterVLAN communication" \
in-interface-list=VLANs out-interface-list=VLANs
add action=drop chain=input comment="Blocking Malicous IPs" src-address-list=\
MaliciousIP
add action=drop chain=input comment=Test-Rule disabled=yes src-address=\
1.1.1.1
add action=drop chain=output comment=Test-Rule disabled=yes src-address=\
192.168.1.2
/ip firewall mangle
add action=accept chain=prerouting comment=\
"No rules apply for - 192.168.100.95 - Unifi Controller" src-address=\
192.168.100.95
add action=accept chain=prerouting comment=\
"No rules apply for - 192.168.100.240 - GroundFloor AP" src-address=\
192.168.100.240
add action=accept chain=prerouting comment=\
"No rules apply for - 192.168.100.241 - FirstFloor AP" src-address=\
192.168.100.241
add action=accept chain=prerouting comment=\
"No rules apply for - 192.168.100.242 - SecondFloor AP" src-address=\
192.168.100.242
add action=accept chain=prerouting comment=\
"No rules apply for - 192.168.100.243 - ThirdFloor AP" src-address=\
192.168.100.243
add action=accept chain=prerouting comment=\
"No rules apply for - 192.168.100.244 - FourthFloor AP" src-address=\
192.168.100.244
add action=accept chain=prerouting comment=\
"No rules apply for - 192.168.100.245 - TopFloor AP" src-address=\
192.168.100.245
add action=accept chain=prerouting comment=\
"No rules apply for - 192.168.100.246 - UnderGroundFloor AP" src-address=\
192.168.100.246
add action=accept chain=prerouting comment=\
"No rules apply for - 192.168.100.246 - UnderGroundFloor AP" dst-address=\
192.168.100.95 src-address=192.168.222.0/24
add action=mark-routing chain=prerouting comment="LAN PC to ISP2 Rule" \
disabled=yes dst-address=!10.1.0.0/16 new-routing-mark="Wifi to ISP2" \
passthrough=yes src-address=10.1.200.102
add action=mark-routing chain=prerouting comment="Wifi to ISP2 Rule" \
disabled=yes dst-address=!10.1.0.0/16 new-routing-mark="Wifi to ISP2" \
passthrough=yes src-address=192.168.111.0/24
add action=mark-routing chain=prerouting comment="Wifi to ISP2 Rule" \
disabled=yes dst-address=!10.1.0.0/16 new-routing-mark="Wifi to ISP2" \
passthrough=yes src-address=10.1.150.0/24
add action=mark-routing chain=prerouting comment="Wifi to ISP2 Rule" \
disabled=yes dst-address=!10.1.0.0/16 new-routing-mark="Wifi to ISP2" \
passthrough=yes src-address=192.168.222.0/24
add action=mark-routing chain=prerouting comment="PC " \
disabled=yes new-routing-mark="TO " passthrough=yes src-address=\
192.168.222.162
add action=mark-routing chain=prerouting comment="PC to " \
disabled=yes new-routing-mark="Wifi to ISP2" passthrough=yes src-address=\
10.1.200.102
add action=mark-routing chain=prerouting comment="Ping 1.1.1.1 " disabled=yes \
dst-address=1.1.1.1 new-routing-mark="TO " passthrough=yes
add action=mark-packet chain=prerouting comment="Marking for Internet Upload" \
new-packet-mark=InternetUP passthrough=yes src-address=!10.1.0.0/16
add action=mark-packet chain=prerouting comment=\
"Marking for Internet Download" dst-address=!10.1.0.0/16 new-packet-mark=\
InternetDown passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Default Route to T" \
out-interface=" Ether2"
add action=masquerade chain=srcnat comment="Default Route to K" \
out-interface=" WAN - Ether4"
add action=dst-nat chain=dstnat comment="Port Forward for Z" disabled=\
yes dst-port=389 in-interface-list=WANs protocol=tcp to-addresses=\
10.1.1.10 to-ports=389
add action=dst-nat chain=dstnat comment="Port Forward for Z" dst-port=\
636 in-interface-list=WANs protocol=tcp src-address=xxxxxxxx \
to-addresses=10.1.1.10 to-ports=636
/ip route
add comment="Route using by Wifi " distance=2 gateway=192.168.1.1 \
routing-mark="Wifi to ISP2"
add comment="Route to use Main WAN" distance=1 gateway=xxxxxxx \
routing-mark="TO "
add comment=Main distance=1 gateway=xxxxxx
add comment=Backup distance=2 gateway=192.168.1.1
add comment="Netwatch Backup" disabled=yes distance=1 dst-address=1.0.0.1/32 \
gateway=192.168.1.1
add comment="Netwatch Main" distance=1 dst-address=1.1.1.1/32 gateway=\
xxxxxxxxx
add comment="Static route for Wifi - 1" disabled=yes distance=1 dst-address=\
192.168.100.0/24 gateway=10.10.10.2
add comment=_DELE_ disabled=yes distance=1 dst-address=192.168.111.2/32 \
gateway=10.10.10.2
add distance=1 dst-address=192.168.130.0/24 gateway=10.10.10.2
add distance=1 dst-address=192.168.199.0/24 gateway=10.10.10.2
add comment="Static route for Wifi - 2" distance=1 dst-address=\
192.168.200.0/24 gateway=10.10.10.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
set use-circuit-id-in-nas-port-id=yes use-radius=yes
/radius
add address=10.1.1.9 service=ppp,login src-address=10.1.1.1
add address=10.1.1.9 disabled=yes service=login src-address=10.1.1.1