DLNA, mDNS, and multicast, or: Why can't I break Spotify Connect?

Greetings all! Longtime lurker, first time poster here. I’ve relied heavily on the wealth of information in this forum as I’ve learned my way around RouterOS. Thank you to the community!

My router is a RB5009 on 7.16.2. I have a hAP ax2 (also 7.16.2) acting as a switch/AP (layer 2 only). My DLNA-enabled stereo is connected to the hAP on VLAN 31. The hAP and another access point (TP-Link EAP245) have a WiFi network on VLAN 20. Here is a simplified diagram (other VLANs, switches, and APs are elided):

My goal is to isolate the stereo on its own VLAN, and only allow certain other VLANs access to it. The stereo should only be able to access the internet.

My understanding is that Denon and Spotify Connect work by using some combination of mDNS, DLNA, and multicast. So in order to get it working, I should:

  • Configure the mDNS reflector on the RB5009 to include VLANs 20 and 31.
  • Add a firewall rule to allow UDP ports 5353 and 1900 (mDNS and UPnP, respectively) and destination address 224.0.0.0/4 (multicast) between VLANs 20 and 31.

This configuration works for my Android phone and our two MacBooks. But curiously, Spotify Connect on my wife’s iPhone is not able to find the stereo.

So in an effort to understand how it works, I’m trying to break Spotify Connect on my own Android phone. For the life of me I am unable to break the connection between my phone and the stereo! To me this says I have a fundamentally incorrect mental model of what’s happening.

Here is what I’ve tried. As a note, VLAN 31 has a VLAN interface named dlna-vlan, and VLAN 20 has a VLAN interface named guest-vlan.

  • Firewall filter rule to block all forward traffic between the dlna-vlan interface and the LAN interface list (which includes the guest-vlan and dlna-vlan interfaces), in both directions.
  • Firewall filter rule to block all input and forward traffic on UDP ports 1900 and 5353.
  • Firewall filter rule to block all forward traffic with destination address 224.0.0.0/4.
  • The same as the above, except raw rules.
  • Remove dlna-vlan interface from the mDNS repeater.

The firewall rules are present in the configuration below as “debug” rules. Even with all of that, my Android phone is able to play music on the stereo with Spotify Connect.

None of the filter rules ever blocked anything – the counters remained at zero. Only the raw multicast rule blocked any packets, yet Spotify Connect still worked.

In case the stereo’s DNS entry was cached somewhere I also tried changing the IP of the stereo by configuring a static DHCP lease with a very short TTL. Yet my phone is always able to find the Denon after an IP change.

I’ve done packet sniffing between the two interfaces and discovered mDNS traffic as well as multicast traffic, even with the firewall rules.

I’m out of ideas. What else can I try? And remember, my real goal is to get it working on my wife’s phone. I’m also not convinced that I’m properly isolating the VLANs. I’m hoping by understanding exactly how it works I can debug her issue.

Thanks in advance for any help and advice!

RB5009 configuration

# 2025-01-08 18:22:42 by RouterOS 7.16.2
# software id = 582G-8BQC
#
# model = RB5009UG+S+
# serial number = HEN08NXSYWH
/interface bridge
add admin-mac=48:A9:8A:F4:6C:D5 auto-mac=no frame-types=\
    admit-only-vlan-tagged name=bridge port-cost-mode=short protocol-mode=\
    mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="Living room switch/AP"
set [ find default-name=ether3 ] comment="Office switch"
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment="Bedroom AP"
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] comment="Management port"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=bridge name=dlna-vlan vlan-id=32
add interface=bridge name=guest-vlan vlan-id=20
add interface=bridge name=iot-vlan vlan-id=30
add interface=bridge name=mgmt-vlan vlan-id=99
add interface=bridge name=printer-vlan vlan-id=31
add interface=bridge name=trusted-vlan vlan-id=10
/interface list
add name=WAN
add name=LAN
add name=router_access
add name=printer_access
add name=internet_access
add name=dlna-access
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=mgmt-ip-pool ranges=10.0.99.200-10.0.99.254
add name=iot-ip-pool ranges=10.0.30.200-10.0.30.254
add name=guest-ip-pool ranges=10.0.20.200-10.0.20.254
add name=trusted-ip-pool ranges=10.0.10.200-10.0.10.254
add name=printer-pool ranges=10.0.31.2
add name=dlna-ip-pool ranges=10.0.32.200-10.0.32.254
/ip dhcp-server
add address-pool=mgmt-ip-pool interface=mgmt-vlan name=mgmt-dhcp-srv
add address-pool=trusted-ip-pool interface=trusted-vlan lease-time=1d name=\
    trusted-dhcp-srv
add address-pool=guest-ip-pool interface=guest-vlan lease-time=2h name=\
    guest-dhcp-srv
add address-pool=iot-ip-pool interface=iot-vlan lease-time=1d name=\
    iot-dhcp-srv
add address-pool=printer-pool interface=printer-vlan lease-time=1d name=\
    printer-dhcp-srv
add address-pool=dlna-ip-pool interface=dlna-vlan lease-time=30s name=\
    dlna-dhcp-srv
/interface bridge filter
add action=accept chain=input in-interface-list=router_access
add action=accept chain=forward disabled=yes in-interface-list=LAN \
    out-interface-list=WAN
/interface bridge port
add bridge=bridge comment="Living room switch/AP" frame-types=\
    admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=\
    10
add bridge=bridge comment="Office switch" interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge disabled=yes interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge disabled=yes interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment="Bedroom AP" frame-types=admit-only-vlan-tagged \
    interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge disabled=yes interface=sfp-sfpplus1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment="Management port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=99
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether6,ether3 untagged=ether8 \
    vlan-ids=99
add bridge=bridge tagged=ether6,bridge,ether2,ether3 vlan-ids=10,20,30,31,32
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=mgmt-vlan list=LAN
add interface=trusted-vlan list=LAN
add interface=guest-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=printer-vlan list=LAN
add interface=mgmt-vlan list=router_access
add interface=trusted-vlan list=router_access
add interface=trusted-vlan list=printer_access
add interface=guest-vlan list=printer_access
add interface=mgmt-vlan list=internet_access
add interface=trusted-vlan list=internet_access
add interface=guest-vlan list=internet_access
add interface=iot-vlan list=internet_access
add interface=dlna-vlan list=internet_access
add interface=dlna-vlan list=dlna-access
add interface=guest-vlan list=dlna-access
add interface=trusted-vlan list=dlna-access
add interface=dlna-vlan list=LAN
/ip address
add address=10.0.99.1/24 interface=mgmt-vlan network=10.0.99.0
add address=10.0.10.1/24 interface=trusted-vlan network=10.0.10.0
add address=10.0.20.1/24 interface=guest-vlan network=10.0.20.0
add address=10.0.30.1/24 interface=iot-vlan network=10.0.30.0
add address=10.0.31.1/30 interface=printer-vlan network=10.0.31.0
add address=10.0.32.1/24 interface=dlna-vlan network=10.0.32.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=WAN interface=ether1
/ip dhcp-server lease
add address=10.0.99.20 client-id=1:1c:61:b4:13:7b:78 comment="Office AP" \
    lease-time=1d mac-address=1C:61:B4:13:7B:78 server=mgmt-dhcp-srv
add address=10.0.99.30 comment="Office switch" mac-address=F0:A7:31:BC:79:EE \
    server=mgmt-dhcp-srv
add address=10.0.31.2 client-id=1:94:dd:f8:14:e1:8e comment=Printer \
    mac-address=94:DD:F8:14:E1:8E server=printer-dhcp-srv
add address=10.0.99.21 client-id=1:60:83:e7:b6:82:56 comment="Bedroom AP" \
    mac-address=60:83:E7:B6:82:56 server=mgmt-dhcp-srv
add address=10.0.10.20 client-id=1:0:11:32:3b:1f:7e comment=NAS mac-address=\
    00:11:32:3B:1F:7E server=trusted-dhcp-srv
add address=10.0.99.10 client-id=1:78:9a:18:6a:62:81 comment=\
    "Living room switch/AP" mac-address=78:9A:18:6A:62:81 server=\
    mgmt-dhcp-srv
add address=10.0.32.249 client-id=1:0:6:78:d1:17:53 mac-address=\
    00:06:78:D1:17:53 server=dlna-dhcp-srv
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 domain=home.gdpq.ca gateway=\
    10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.31.0/30 dns-server=0.0.0.0 gateway=10.0.31.1
add address=10.0.32.0/24 dns-server=10.0.32.1 domain=home.gdpq.ca gateway=\
    10.0.32.1
add address=10.0.99.0/24 dns-server=10.0.99.1 domain=home.gdpq.ca gateway=\
    10.0.99.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=50000KiB mdns-repeat-ifaces=\
    printer-vlan,trusted-vlan,guest-vlan
/ip dns adlist
add ssl-verify=no url="https://raw.githubusercontent.com/hagezi/dns-blocklists\
    /main/hosts/pro.txt"
/ip dns static
add comment="Router is authoritative DNS server for LAN" ns=10.0.99.1 regexp=\
    "^.*\\.home\\.gdpq\\.ca\$" type=NS
add address=10.0.99.1 comment=Router name=router.home.gdpq.ca type=A
add address=10.0.99.10 comment="Living room switch/AP" name=ap1.home.gdpq.ca \
    type=A
add address=10.0.99.20 comment="Office AP" name=ap2.home.gdpq.ca type=A
add address=10.0.99.21 comment="Bedroom AP" name=ap3.home.gdpq.ca type=A
add address=10.0.99.30 comment="Office switch" name=sw1.home.gdpq.ca type=A
add address=10.0.31.2 comment=Printer name=printer.home.gdpq.ca type=A
add address=10.0.10.20 comment=NAS name=nas.home.gdqp.ca type=A
/ip firewall address-list
add address=10.0.99.20 comment="Office AP" list=eap245
add address=10.0.99.21 comment="Bedroom AP" list=eap245
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=drop chain=input comment="UPnP debugging" dst-port=1900 log=yes \
    log-prefix=upnp protocol=udp
add action=accept chain=input comment=\
    "Accept established, related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Accept DNS (udp)" connection-state=new \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept DHCP" dst-address=\
    255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \
    src-address=0.0.0.0 src-port=68
add action=accept chain=input comment="Accept mDNS" dst-port=5353 \
    in-interface-list=LAN protocol=udp src-port=5353
add action=accept chain=input comment="Accept administrative access" \
    connection-state=new dst-port=80 in-interface-list=router_access \
    protocol=tcp
add action=accept chain=input comment="Accept DNS-over-TLS" dst-port=853 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Accept DNS (tcp)" connection-state=new \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Accept local loopback (for CAPsMAN)" \
    disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="Drop everything else" log-prefix=\
    "input black hole"
add action=accept chain=forward comment="IPSec in" disabled=yes ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="IPSec out" disabled=yes \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Block DLNA from LAN" disabled=yes \
    in-interface=dlna-vlan log=yes log-prefix=DLNA->LAN out-interface-list=\
    LAN
add action=drop chain=forward comment="Block LAN from DLNA" disabled=yes \
    in-interface-list=LAN log=yes log-prefix=LAN->DLNA out-interface=\
    dlna-vlan
add action=drop chain=forward comment="Debug: block mDNS" disabled=yes \
    dst-port=5353 log=yes log-prefix=mdns protocol=udp
add action=drop chain=forward comment="Debug: block LAN multicast" disabled=\
    yes dst-address=224.0.0.0/4 log=yes log-prefix=multicast
add action=drop chain=forward comment="Debug: block uPNP" disabled=yes \
    dst-port=1900 log=yes log-prefix=upnp protocol=udp
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log-prefix=invalid
add action=jump chain=forward comment="Jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow printer access" \
    in-interface-list=printer_access out-interface=printer-vlan
add action=reject chain=forward comment="Allow DLNA access" \
    in-interface-list=!dlna-access log=yes out-interface=dlna-vlan \
    reject-with=icmp-network-unreachable
add action=drop chain=forward comment="Drop all from printer" in-interface=\
    printer-vlan
add action=drop chain=forward comment="Block IoT from LAN" in-interface=\
    iot-vlan out-interface-list=LAN
add action=drop chain=forward comment="Block guest from LAN" in-interface=\
    guest-vlan out-interface=!guest-vlan out-interface-list=LAN
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=LAN \
    log=yes log-prefix=LAN_!LAN src-address=!10.0.0.0/16
add action=drop chain=icmp comment="Block IoT" in-interface=iot-vlan \
    out-interface=!iot-vlan out-interface-list=LAN
add action=drop chain=icmp comment="Block guest" in-interface=guest-vlan \
    out-interface=!guest-vlan out-interface-list=LAN
add action=drop chain=icmp comment="Block printer" in-interface=printer-vlan \
    out-interface-list=!printer_access
add action=drop chain=icmp comment="Block mgmt" in-interface=mgmt-vlan \
    out-interface=!mgmt-vlan out-interface-list=LAN
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=accept chain=srcnat comment=IPSec disabled=yes ipsec-policy=\
    out,ipsec
add action=masquerade chain=srcnat comment=WAN out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment="Debug: block multicast" disabled=\
    yes dst-address=224.0.0.0/4 log=yes log-prefix=raw-multi
add action=drop chain=prerouting comment="Debug: block uPNP" disabled=yes \
    dst-port=1900 log=yes log-prefix=raw-upnp protocol=udp
add action=drop chain=prerouting comment="Debug: block mDNS" disabled=yes \
    dst-port=5353 log=yes log-prefix=raw-mdns protocol=udp
add action=drop chain=prerouting disabled=yes dst-address=239.255.250.250 \
    log=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=RB5009
/system logging
add disabled=yes prefix=firewall topics=firewall

hAP ax2 configuration

# 2025-01-08 20:24:17 by RouterOS 7.16.2
# software id = PMUH-XWFT
#
# model = C52iG-5HaxD2HaxD
# serial number = HF409B1D4TA
/interface bridge
add admin-mac=78:9A:18:6A:62:81 auto-mac=no frame-types=\
    admit-only-vlan-tagged igmp-snooping=yes name=bridge port-cost-mode=short \
    protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
/interface vlan
add interface=bridge name=mgmt-vlan vlan-id=99
add interface=bridge name=trusted-vlan vlan-id=10
/interface wifi channel
add band=2ghz-ax name=ch-2ghz
add band=5ghz-ax name=ch-5ghz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk name=gdpq-iot wps=disable
add authentication-types=wpa2-psk,wpa3-psk name=gdpq-trusted wps=disable
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
    name=gdpq-wifi wps=disable
/interface wifi configuration
add country=Canada name=gdpq-wifi security=gdpq-wifi ssid=gdpq-wifi
add disabled=no hide-ssid=yes name=gdpq-trusted security=gdpq-trusted \
    security.connect-priority=0 ssid=gdpq-trusted
add country=Canada hide-ssid=yes name=gdpq-iot security=gdpq-iot ssid=\
    gdpq-iot
/interface wifi
set [ find default-name=wifi2 ] channel=ch-2ghz configuration=gdpq-wifi \
    disabled=no name=wifi_2ghz
set [ find default-name=wifi1 ] channel=ch-5ghz configuration=gdpq-wifi \
    configuration.mode=ap disabled=no name=wifi_5ghz \
    security.connect-priority=0
add channel=ch-2ghz configuration=gdpq-iot configuration.hide-ssid=yes .mode=\
    ap disabled=no mac-address=7A:9A:18:6A:62:88 master-interface=wifi_2ghz \
    name=iot_2ghz security.connect-priority=0
add channel=ch-2ghz configuration=gdpq-iot configuration.hide-ssid=yes .mode=\
    ap disabled=no mac-address=7A:9A:18:6A:62:89 master-interface=wifi_5ghz \
    name=iot_5ghz security.connect-priority=0
add channel=ch-2ghz configuration=gdpq-trusted configuration.mode=ap \
    disabled=no mac-address=7A:9A:18:6A:62:8A master-interface=wifi_2ghz \
    name=trusted_2ghz security.connect-priority=0
add channel=ch-5ghz channel.band=5ghz-ax configuration=gdpq-trusted \
    configuration.mode=ap disabled=no mac-address=7A:9A:18:6A:62:85 \
    master-interface=wifi_5ghz name=trusted_5ghz security.connect-priority=0
/system logging action
add disk-file-name=dhcp.log disk-lines-per-file=10000 name=dhcplog target=\
    disk
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi_5ghz internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi_2ghz internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=trusted_5ghz pvid=10
add bridge=bridge comment=Management frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge disabled=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge disabled=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge comment="Denon CEOL" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 \
    internal-path-cost=10 path-cost=10 pvid=32
add bridge=bridge comment=Uplink interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=iot_2ghz pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=iot_5ghz pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=trusted_2ghz pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=10,20,30,31,32,99
add bridge=bridge untagged=trusted_5ghz,trusted_2ghz vlan-ids=10
add bridge=bridge untagged=wifi_2ghz,wifi_5ghz vlan-ids=20
add bridge=bridge untagged=iot_2ghz,iot_5ghz vlan-ids=30
add bridge=bridge untagged=ether5 vlan-ids=99
add bridge=bridge untagged=ether2 vlan-ids=32
/ip dhcp-client
add interface=mgmt-vlan
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=America/Vancouver
/system identity
set name=hAP_ax2
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nrc.ca
add address=time.chu.nrc.ca
/tool graphing interface
add
/tool graphing resource
add
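A way to audit an export like the ones above for filter rules that cannot be matching anything (added example for this thread, not code from the original post or from MikroTik): it joins the export's backslash-continued lines, parses each `add` under `/ip firewall filter` into key=value pairs, and flags rules that carry `disabled=yes` or that sit behind the fasttrack rule in their chain. The short export embedded in the block is constructed to mirror the posted format.

```python
"""Audit a RouterOS export for firewall filter rules that cannot be matching.

Constructed example for the thread above: the SAMPLE_EXPORT is not the
poster's full export, only a few lines in the same format.
"""
import shlex

SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "Accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Debug: block mDNS" disabled=yes \
    dst-port=5353 log=yes log-prefix=mdns protocol=udp
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="Block IoT from LAN" in-interface=\
    iot-vlan out-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN out-interface-list=WAN
"""


def join_continuations(text):
    """Merge lines ending in a backslash with the line that follows them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]          # drop the backslash, keep joining
            continue
        buf += line
        if buf:
            lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_filter_rules(text):
    """Return one dict per `add` line under /ip firewall filter, in order."""
    section, rules = None, []
    for line in join_continuations(text):
        if line.startswith("#"):
            continue
        if line.startswith("/"):          # a new export section
            section = line
            continue
        if section != "/ip firewall filter" or not line.startswith("add "):
            continue
        rule = {}
        # shlex handles the quoted comment="..." values in the export
        for tok in shlex.split(line)[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def audit(rules):
    """Return (rule name, reason) for rules that see few or no packets."""
    findings, fasttrack_seen = [], set()
    for rule in rules:
        chain = rule.get("chain", "")
        name = rule.get("comment") or rule.get("action", "?")
        if rule.get("disabled") == "yes":
            findings.append((name, "disabled=yes: rule is never evaluated"))
        elif chain in fasttrack_seen:
            findings.append((name, "after fasttrack in chain %s: only packets "
                             "of new connections reach it" % chain))
        if rule.get("action") == "fasttrack-connection":
            fasttrack_seen.add(chain)
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_filter_rules(SAMPLE_EXPORT)):
        print(f"{name!r}: {reason}")
```

Run it against a full `/export` to see at a glance which of the "debug" rules are actually active before reading counters.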