Hi everyone,
I’m new to routing and MikroTik, and I’m doing some tests with an ISP router cascaded in front of a CCR and a CRS.
The ISP router forwards the required ports to the internal LAN address 192.168.1.150, which is the sfp1 port (WAN) of the CCR.
On port 23 of the CRS I have connected the intercom switches and a Dahua server (10.12.20.50) that must be reachable remotely, with ports 443, 5080, 61616… forwarded to it. Some RB960s are also connected to the CRS; through VLANs they bring the internet VLAN and the intercom VLAN to the apartments. I can connect to the server from outside (63.xx.xx.xx) but not internally from a client directly connected to an RB960 (ether1–4 ports).
ccr code:
# 2024-07-01 10:58:55 by RouterOS 7.14.3
# software id = **ELIDED**
#
# model = CCR2004-1G-12S+2XS
#
# Core router. sfp-sfpplus1 is the WAN uplink to the ISP router (private
# 192.168.1.0/24 side; the ISP router forwards the public ports here).
# sfp-sfpplus12 is the single trunk toward the CRS and carries every VLAN
# defined below. All unused SFP/SFP28 ports are administratively disabled.
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment=WAN
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp-sfpplus12 ] comment=LAN
set [ find default-name=sfp28-1 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
# VLAN sub-interfaces, all on the CRS trunk:
#   vlan10      intercom / access-control network; the Dahua server
#               10.12.20.50 and the apartment intercom panels are on it at L2
#   vlan11..30  one transit VLAN per apartment RB960 (see the /30 pools and
#               the static routes to 192.168.1xx.0/24 further down)
#   vlan99      management
/interface vlan
add comment="Video e c.accessi" interface=sfp-sfpplus12 name=vlan10 vlan-id=\
10
add comment="vlan app.to 001" interface=sfp-sfpplus12 name=vlan11 vlan-id=11
add comment="vlan app.to 002" interface=sfp-sfpplus12 name=vlan12 vlan-id=12
add comment="vlan app.to 003" interface=sfp-sfpplus12 name=vlan13 vlan-id=13
add comment="vlan app.to 101" interface=sfp-sfpplus12 name=vlan14 vlan-id=14
add comment="vlan app.to 102" interface=sfp-sfpplus12 name=vlan15 vlan-id=15
add comment="vlan app.to 103" interface=sfp-sfpplus12 name=vlan16 vlan-id=16
add comment="vlan app.to 201" interface=sfp-sfpplus12 name=vlan17 vlan-id=17
add comment="vlan app.to 202" interface=sfp-sfpplus12 name=vlan18 vlan-id=18
add comment="vlan app.to 203" interface=sfp-sfpplus12 name=vlan19 vlan-id=19
add comment="vlan app.to 301" interface=sfp-sfpplus12 name=vlan20 vlan-id=20
add comment="vlan app.to 302" interface=sfp-sfpplus12 name=vlan21 vlan-id=21
add comment="vlan app.to 303" interface=sfp-sfpplus12 name=vlan22 vlan-id=22
add comment="vlan app.to 401" interface=sfp-sfpplus12 name=vlan23 vlan-id=23
add comment="vlan app.to 402" interface=sfp-sfpplus12 name=vlan24 vlan-id=24
add comment="vlan app.to 403" interface=sfp-sfpplus12 name=vlan25 vlan-id=25
add comment="vlan app.to 501" interface=sfp-sfpplus12 name=vlan26 vlan-id=26
add comment="vlan app.to 502" interface=sfp-sfpplus12 name=vlan27 vlan-id=27
add comment="vlan app.to 503" interface=sfp-sfpplus12 name=vlan28 vlan-id=28
add comment="vlan app.to 601" interface=sfp-sfpplus12 name=vlan29 vlan-id=29
add comment="vlan app.to 602" interface=sfp-sfpplus12 name=vlan30 vlan-id=30
add comment="vlan management" interface=sfp-sfpplus12 name=vlan99 vlan-id=99
/interface list
add name=VLANs
add name=MNG
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Each apartment pool holds exactly one address (x.2): the only DHCP client on
# that /30 is expected to be the RB960's vlan11-internet uplink. vlan10 and
# vlan99 get ordinary ranges; pool-openvpn feeds profile-openvpn below.
/ip pool
add name=dhcp_pool99 ranges=10.99.99.2-10.99.99.100
add name=dhcp_pool11 ranges=172.18.11.2
add name=dhcp_pool12 ranges=172.18.12.2
add name=dhcp_pool13 ranges=172.18.13.2
add name=dhcp_pool14 ranges=172.18.14.2
add name=dhcp_pool15 ranges=172.18.15.2
add name=dhcp_pool16 ranges=172.18.16.2
add name=dhcp_pool17 ranges=172.18.17.2
add name=dhcp_pool18 ranges=172.18.18.2
add name=dhcp_pool19 ranges=172.18.19.2
add name=dhcp_pool20 ranges=172.18.20.2
add name=dhcp_pool21 ranges=172.18.21.2
add name=dhcp_pool22 ranges=172.18.22.2
add name=dhcp_pool23 ranges=172.18.23.2
add name=dhcp_pool24 ranges=172.18.24.2
add name=dhcp_pool25 ranges=172.18.25.2
add name=dhcp_pool26 ranges=172.18.26.2
add name=dhcp_pool27 ranges=172.18.27.2
add name=dhcp_pool28 ranges=172.18.28.2
add name=dhcp_pool29 ranges=172.18.29.2
add name=dhcp_pool30 ranges=172.18.30.2
add name=dhcp_pool10 ranges=10.12.20.2-10.12.20.100
add name=pool-openvpn ranges=10.10.10.1-10.10.10.200
# One DHCP server per VLAN, bound to the matching pool.
/ip dhcp-server
add address-pool=dhcp_pool99 interface=vlan99 name=dhcp99
add address-pool=dhcp_pool11 interface=vlan11 name=dhcp11
add address-pool=dhcp_pool12 interface=vlan12 name=dhcp12
add address-pool=dhcp_pool13 interface=vlan13 name=dhcp13
add address-pool=dhcp_pool14 interface=vlan14 name=dhcp14
add address-pool=dhcp_pool15 interface=vlan15 name=dhcp15
add address-pool=dhcp_pool16 interface=vlan16 name=dhcp16
add address-pool=dhcp_pool17 interface=vlan17 name=dhcp17
add address-pool=dhcp_pool18 interface=vlan18 name=dhcp18
add address-pool=dhcp_pool19 interface=vlan19 name=dhcp19
add address-pool=dhcp_pool20 interface=vlan20 name=dhcp20
add address-pool=dhcp_pool21 interface=vlan21 name=dhcp21
add address-pool=dhcp_pool22 interface=vlan22 name=dhcp22
add address-pool=dhcp_pool23 interface=vlan23 name=dhcp23
add address-pool=dhcp_pool24 interface=vlan24 name=dhcp24
add address-pool=dhcp_pool25 interface=vlan25 name=dhcp25
add address-pool=dhcp_pool26 interface=vlan26 name=dhcp26
add address-pool=dhcp_pool27 interface=vlan27 name=dhcp27
add address-pool=dhcp_pool28 interface=vlan28 name=dhcp28
add address-pool=dhcp_pool29 interface=vlan29 name=dhcp29
add address-pool=dhcp_pool30 interface=vlan30 name=dhcp30
add address-pool=dhcp_pool10 interface=vlan10 name=dhcp10
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
# profile-openvpn is the only thing that populates the user-openvpn
# address-list the firewall trusts (forward and input accept rules).
# NOTE(review): the OVPN server below is exported with
# default-profile=default-encryption, so user-openvpn only fills if each
# /ppp secret names profile-openvpn explicitly (secrets are not in this
# export) - confirm, otherwise the VPN accept rules never match.
/ppp profile
add address-list=user-openvpn change-tcp-mss=yes local-address=10.10.10.254 \
name=profile-openvpn remote-address=pool-openvpn use-encryption=required
# Per-source / per-destination PCQ shaping (100M, burst 200M), applied by
# queue1 to every apartment transit address and to the intercom subnet.
/queue type
add kind=pcq name=pcq-upload pcq-burst-rate=200M pcq-burst-threshold=100M \
pcq-classifier=src-address pcq-rate=100M
add kind=pcq name=pcq-download pcq-burst-rate=200M pcq-burst-threshold=100M \
pcq-classifier=dst-address pcq-rate=100M
/queue simple
add max-limit=1G/1250M name=queue1 queue=pcq-upload/pcq-download target=\
172.18.0.0/16,10.12.20.0/24
# A 10 s UDP timeout keeps the connection table small but can expire idle
# SIP/RTP sessions toward the intercom server - verify against the Dahua
# keepalive interval.
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MNG
# The VLANs list drives the inter-VLAN drop in the forward chain. vlan10 (the
# intercom server's VLAN) is a member, so apartment VLANs cannot reach
# 10.12.20.50 unless an explicit accept precedes that drop.
# vlan99 is in both VLANs and MNG; ether1 is in MNG (presumably a local
# management port - no address is configured on it in this export).
/interface list member
add interface=vlan10 list=VLANs
add interface=vlan11 list=VLANs
add interface=vlan12 list=VLANs
add interface=vlan13 list=VLANs
add interface=vlan14 list=VLANs
add interface=vlan15 list=VLANs
add interface=vlan16 list=VLANs
add interface=vlan17 list=VLANs
add interface=vlan18 list=VLANs
add interface=vlan19 list=VLANs
add interface=vlan20 list=VLANs
add interface=vlan21 list=VLANs
add interface=vlan22 list=VLANs
add interface=vlan23 list=VLANs
add interface=vlan24 list=VLANs
add interface=vlan25 list=VLANs
add interface=vlan26 list=VLANs
add interface=vlan27 list=VLANs
add interface=vlan28 list=VLANs
add interface=vlan29 list=VLANs
add interface=vlan30 list=VLANs
add interface=vlan99 list=VLANs
add interface=vlan99 list=MNG
add interface=ether1 list=MNG
add interface=sfp-sfpplus1 list=WAN
# OpenVPN server: client certificates required, sha256/sha512 + aes256-cbc.
# No enabled=yes is exported, so the server appears switched off at export
# time - confirm. Only the intercom subnet is pushed to clients, but the
# user-openvpn list still grants VPN clients the whole forward chain.
/interface ovpn-server server
set auth=sha256,sha512 certificate=OpenVPN-Server cipher=aes256-cbc \
default-profile=default-encryption protocol=udp push-routes=\
"10.12.20.0 255.255.255.0" require-client-certificate=yes
# Gateways: 10.12.20.254 on vlan10, x.x.x.1 on each apartment /30, 10.99.99.1
# on management. The static WAN address is disabled; the WAN address actually
# comes from the DHCP client on sfp-sfpplus1 below.
/ip address
add address=10.12.20.254/24 interface=vlan10 network=10.12.20.0
add address=172.18.11.1/30 interface=vlan11 network=172.18.11.0
add address=172.18.12.1/30 interface=vlan12 network=172.18.12.0
add address=172.18.13.1/30 interface=vlan13 network=172.18.13.0
add address=172.18.14.1/30 interface=vlan14 network=172.18.14.0
add address=172.18.15.1/30 interface=vlan15 network=172.18.15.0
add address=172.18.16.1/30 interface=vlan16 network=172.18.16.0
add address=172.18.17.1/30 interface=vlan17 network=172.18.17.0
add address=172.18.18.1/30 interface=vlan18 network=172.18.18.0
add address=172.18.19.1/30 interface=vlan19 network=172.18.19.0
add address=172.18.20.1/30 interface=vlan20 network=172.18.20.0
add address=172.18.21.1/30 interface=vlan21 network=172.18.21.0
add address=172.18.22.1/30 interface=vlan22 network=172.18.22.0
add address=172.18.23.1/30 interface=vlan23 network=172.18.23.0
add address=172.18.24.1/30 interface=vlan24 network=172.18.24.0
add address=172.18.25.1/30 interface=vlan25 network=172.18.25.0
add address=172.18.26.1/30 interface=vlan26 network=172.18.26.0
add address=172.18.27.1/30 interface=vlan27 network=172.18.27.0
add address=172.18.28.1/30 interface=vlan28 network=172.18.28.0
add address=172.18.29.1/30 interface=vlan29 network=172.18.29.0
add address=172.18.30.1/30 interface=vlan30 network=172.18.30.0
add address=10.99.99.1/24 interface=vlan99 network=10.99.99.0
add address=192.168.1.150/24 disabled=yes interface=sfp-sfpplus1 network=\
192.168.1.0
/ip cloud
set ddns-enabled=no
# NOTE(review): the ISP router forwards to 192.168.1.150, but with the static
# address disabled this lease is whatever the ISP router's DHCP hands out. If
# it ever changes, every dst-nat rule stops receiving traffic. Either reserve
# the lease on the ISP router or re-enable the static address and drop this
# client.
/ip dhcp-client
add interface=sfp-sfpplus1
# DHCP options: each network advertises the router as gateway and DNS.
/ip dhcp-server network
add address=10.12.20.0/24 dns-server=10.12.20.254 gateway=10.12.20.254
add address=10.99.99.0/24 dns-server=10.99.99.1 gateway=10.99.99.1
add address=172.18.11.0/30 dns-server=172.18.11.1 gateway=172.18.11.1
add address=172.18.12.0/30 dns-server=172.18.12.1 gateway=172.18.12.1
add address=172.18.13.0/30 dns-server=172.18.13.1 gateway=172.18.13.1
add address=172.18.14.0/30 dns-server=172.18.14.1 gateway=172.18.14.1
add address=172.18.15.0/30 dns-server=172.18.15.1 gateway=172.18.15.1
add address=172.18.16.0/30 dns-server=172.18.16.1 gateway=172.18.16.1
add address=172.18.17.0/30 dns-server=172.18.17.1 gateway=172.18.17.1
add address=172.18.18.0/30 dns-server=172.18.18.1 gateway=172.18.18.1
add address=172.18.19.0/30 dns-server=172.18.19.1 gateway=172.18.19.1
add address=172.18.20.0/30 dns-server=172.18.20.1 gateway=172.18.20.1
add address=172.18.21.0/30 dns-server=172.18.21.1 gateway=172.18.21.1
add address=172.18.22.0/30 dns-server=172.18.22.1 gateway=172.18.22.1
add address=172.18.23.0/30 dns-server=172.18.23.1 gateway=172.18.23.1
add address=172.18.24.0/30 dns-server=172.18.24.1 gateway=172.18.24.1
add address=172.18.25.0/30 dns-server=172.18.25.1 gateway=172.18.25.1
add address=172.18.26.0/30 dns-server=172.18.26.1 gateway=172.18.26.1
add address=172.18.27.0/30 dns-server=172.18.27.1 gateway=172.18.27.1
add address=172.18.28.0/30 dns-server=172.18.28.1 gateway=172.18.28.1
add address=172.18.29.0/30 dns-server=172.18.29.1 gateway=172.18.29.1
add address=172.18.30.0/30 dns-server=172.18.30.1 gateway=172.18.30.1
# The router answers DNS for its clients. Who may reach the resolver is decided
# by the input chain (DNS accepted from the VLANs list only - but see the note
# on the rate-limited TCP-SYN accept rule there, which precedes those rules).
/ip dns
set allow-remote-requests=yes
# Static allow-winbox entry: the management subnet. The same list is also
# filled dynamically (1-day entries) by the port-knock mangle rule.
/ip firewall address-list
add address=10.99.99.0/24 list=allow-winbox
# Filter rules (processed top to bottom, first match wins).
#
# FORWARD chain: established/related, then VPN users, then a drop for
# VLAN-to-VLAN traffic. There is no final drop and no invalid drop in this
# chain, so anything else (WAN -> LAN after dst-nat, VLAN -> WAN) is accepted
# by the chain's implicit default. That is why the disabled
# connection-nat-state=dstnat accept is not needed today; it must be
# re-enabled if a default forward drop is ever added.
#
# The "drop traffico tra VLANs" rule is also what blocks an apartment client
# (vlan11..30) from reaching 10.12.20.50 on vlan10 - the symptom described in
# the post. An accept placed before it, limited to dst-address=10.12.20.50 and
# the needed dst-ports, allows that without opening apartment-to-apartment
# traffic. If the clients use the public address instead, note that the
# dst-nat rules match only in-interface-list=WAN (no hairpin NAT).
/ip firewall filter
add action=accept chain=forward comment=\
"FORWARD: accetta traffico established e related" connection-state=\
established,related
add action=accept chain=forward comment=\
"FORWARD: accept traffico da user OpenVPN" src-address-list=user-openvpn
add action=accept chain=forward comment="accetta connessioni dst nat " \
connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="FORWARD: drop traffico tra VLANs" \
in-interface-list=VLANs out-interface-list=VLANs
# INPUT chain.
add action=accept chain=input comment="IINPUT: accetta established e related" \
connection-state=established,related
add action=drop chain=input comment="INPUT: drop traffico INVALID" \
connection-state=invalid
# Winbox (28292) from sources not in allow-winbox is dropped here, before the
# generic SYN accept below could let it through.
add action=drop chain=input comment=\
"INPUT: drop winbox se non presente in allow-winbox" dst-port=28292 \
protocol=tcp src-address-list=!allow-winbox
# NOTE(review): this rule accepts any new TCP SYN, on any dst-port and from any
# interface including WAN, as long as the aggregate rate stays under 5/s. The
# port-specific accepts below and the final drop never see those packets, so
# every TCP listener on the router (e.g. DNS TCP/53, which is meant to be
# VLAN-only) is reachable from the WAN at that rate. Safer: put the
# per-service accepts first and give this rule in-interface-list=!WAN, or
# limit it to the dst-ports that are meant to be public.
add action=accept chain=input comment=\
"INPUT: accetta fino a 5 nuove connessioni TCP al secondo" limit=\
5,5:packet protocol=tcp tcp-flags=syn
# Any source exceeding that rate is blacklisted for a day, and the raw rule at
# the end of this section drops ALL prerouting traffic from the list -
# forwarded traffic included. A chatty internal host can therefore lose all
# connectivity for 24 h; consider restricting this pair to in-interface-list=WAN.
add action=add-src-to-address-list address-list=TCP-SYN-blacklist \
address-list-timeout=1d chain=input comment=\
"INPUT: blocco attacchi TCP-SYN" protocol=tcp tcp-flags=syn
add action=accept chain=input comment="INPUT: accetto OpenVPN" dst-port=1194 \
protocol=udp
add action=accept chain=input comment=\
"INPUT: accetta traffico da client OpenVPN" src-address-list=user-openvpn
add action=accept chain=input comment="INPUT: accetta Winbox" dst-port=28292 \
protocol=tcp src-address-list=allow-winbox
add action=accept chain=input comment="INPUT: accept Winbox da vlan99" \
dst-port=28292 in-interface=vlan99 protocol=tcp
# DNS and DHCP only from the VLANs list (never from WAN).
add action=accept chain=input comment=\
"INPUT: accetta DNS UDP da tutte le VLANs" dst-port=53 in-interface-list=\
VLANs protocol=udp
add action=accept chain=input comment=\
"INPUT: accetta DNS TCP da tutte le VLANs" dst-port=53 in-interface-list=\
VLANs protocol=tcp
add action=accept chain=input comment="INPUT: accetta DHCP request da VLANs" \
dst-port=67,68 in-interface-list=VLANs protocol=udp
add action=accept chain=input comment=\
"INPUT: accept traffico da MNG (VLAN99 + ether1)" disabled=yes \
in-interface-list=MNG
# Final input drop: everything not explicitly accepted above.
add action=drop chain=input comment="INPUT: drop resto del traffico"
# Port knock: a single TCP packet to the (redacted) knock port, from any
# interface, whitelists the source for Winbox for one day. A one-packet knock
# offers little protection against a scan that happens to hit that port;
# prefer a multi-step sequence or, better, manage only via vlan99 / the VPN.
/ip firewall mangle
add action=add-src-to-address-list address-list=allow-winbox \
address-list-timeout=1d chain=prerouting comment=\
"PREROUTING: simple port knock per winbox porta xxxx" dst-port=xxxx \
protocol=tcp
# NAT: masquerade toward WAN; dst-nat to the Dahua server 10.12.20.50 for the
# ports it needs. All dst-nat rules match in-interface-list=WAN only, so
# internal clients using the public address are not translated (no hairpin).
# Only the 443 rule logs.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTPS/Client dss mobile" dst-port=\
443 in-interface-list=WAN log=yes protocol=tcp to-addresses=10.12.20.50 \
to-ports=443
add action=dst-nat chain=dstnat comment="Registrazione clienti SIP" dst-port=\
5080 in-interface-list=WAN protocol=udp to-addresses=10.12.20.50 \
to-ports=5080
add action=dst-nat chain=dstnat comment="Notifiche Eventi" dst-port=61616 \
in-interface-list=WAN protocol=tcp to-addresses=10.12.20.50 to-ports=\
61616
add action=dst-nat chain=dstnat comment=" Notifiche Push" dst-port=1883 \
in-interface-list=WAN protocol=tcp to-addresses=10.12.20.50 to-ports=1883
add action=dst-nat chain=dstnat comment=" Trasmissione Video Live" dst-port=\
9100 in-interface-list=WAN protocol=tcp to-addresses=10.12.20.50 \
to-ports=9100
# The comment of this rule contains a literal CR/LF ("\r\n"); harmless, but
# worth cleaning up.
add action=dst-nat chain=dstnat comment=\
"Trasmissione Playback/Registrazioni\r\
\n" dst-port=9320 in-interface-list=WAN protocol=tcp to-addresses=\
10.12.20.50 to-ports=9320
# NOTE(review): RTP media is normally carried over UDP; check the Dahua
# documentation - if 20000-20100 must be UDP this rule forwards the wrong
# protocol.
add action=dst-nat chain=dstnat comment="Trasmissione audio RTP" dst-port=\
20000-20100 in-interface-list=WAN protocol=tcp to-addresses=10.12.20.50 \
to-ports=20000-20100
# RAW (prerouting, before connection tracking). The two Winbox rules are
# disabled and reference the redacted port; the blacklist drop is active and
# also applies to forwarded traffic (see the SYN limit rule above).
/ip firewall raw
add action=accept chain=prerouting comment=\
"PREROUTING: accetta WinBox da allow-winbox" disabled=yes dst-port=xxxx \
protocol=tcp src-address-list=allow-winbox
add action=drop chain=prerouting comment="PREROUTING: drop WinBox da altri" \
disabled=yes dst-port=xxxx protocol=tcp
add action=drop chain=prerouting comment="PREROUTING: blocco attacco TCP-SYN" \
src-address-list=TCP-SYN-blacklist
# Static routes to every apartment LAN (192.168.1xx.0/24) via the RB960's
# transit address (172.18.x.2). They are needed because the RB960 does not NAT
# its LAN (its masquerade rule is disabled): apartment clients reach this
# router with their real 192.168.1xx.x addresses, and the inter-VLAN drop
# still applies per transit VLAN. The three full-option entries and the short
# ones are equivalent plain distance-1 routes in the main table.
/ip route
add disabled=no distance=1 dst-address=192.168.102.0/24 gateway=172.18.12.2 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.103.0/24 gateway=172.18.13.2 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add dst-address=192.168.104.0/24 gateway=172.18.14.2
add dst-address=192.168.105.0/24 gateway=172.18.15.2
add dst-address=192.168.106.0/24 gateway=172.18.16.2
add dst-address=192.168.107.0/24 gateway=172.18.17.2
add dst-address=192.168.108.0/24 gateway=172.18.18.2
add dst-address=192.168.109.0/24 gateway=172.18.19.2
add dst-address=192.168.110.0/24 gateway=172.18.20.2
add dst-address=192.168.111.0/24 gateway=172.18.21.2
add dst-address=192.168.112.0/24 gateway=172.18.22.2
add dst-address=192.168.113.0/24 gateway=172.18.23.2
add dst-address=192.168.114.0/24 gateway=172.18.24.2
add dst-address=192.168.115.0/24 gateway=172.18.25.2
add dst-address=192.168.116.0/24 gateway=172.18.26.2
add dst-address=192.168.117.0/24 gateway=172.18.27.2
add dst-address=192.168.118.0/24 gateway=172.18.28.2
add dst-address=192.168.119.0/24 gateway=172.18.29.2
add dst-address=192.168.120.0/24 gateway=172.18.30.2
add disabled=no distance=1 dst-address=192.168.101.0/24 gateway=172.18.11.2 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# Management plane: only Winbox (moved to 28292) stays enabled; telnet, ftp,
# www, ssh, api and api-ssl are off.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=28292
set api-ssl disabled=yes
# The default SMB share (directory=/pub) is kept although the default SMB user
# is disabled. The SMB service state itself is not in this export - confirm it
# is disabled, since the input chain's generic TCP-SYN accept would otherwise
# let it be reached from the WAN at low rate.
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=ROUTER-ccr2004
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
# MAC-telnet / MAC-Winbox only on the MNG list (vlan99 + ether1). RoMON is
# enabled everywhere except the WAN port (forbid=yes); the CRS and the RB960s
# run RoMON too, so the RoMON domain spans the apartment trunks - the RoMON
# secret is not shown in this export; make sure one is set.
/tool mac-server
set allowed-interface-list=MNG
/tool mac-server mac-winbox
set allowed-interface-list=MNG
/tool romon
set enabled=yes
/tool romon port
add comment="Disabilito RoMON da WAN" disabled=no forbid=yes interface=\
sfp-sfpplus1
crs code:
# 2024-07-01 11:22:13 by RouterOS 7.12.2
# software id = **ELIDED**
#
# model = CRS326-24S+2Q+
#
# Distribution switch, pure L2 (ip-forward=no below). One VLAN-filtering
# bridge: sfp-sfpplus1 is the trunk to the CCR, sfp-sfpplus2..21 are the
# per-apartment trunks to the RB960s, sfp-sfpplus23 is the untagged access
# port for the intercom/Dahua server.
/interface bridge
add name=bridge1 priority=0x7000 vlan-filtering=yes
/interface ethernet
# ether1 is renamed "mng" but is neither bridged nor in the MNG list and has no
# address in this export; it appears unused.
set [ find default-name=ether1 ] name=ether1-mng
set [ find default-name=qsfpplus1-1 ] disabled=yes
set [ find default-name=qsfpplus1-2 ] disabled=yes
set [ find default-name=qsfpplus1-3 ] disabled=yes
set [ find default-name=qsfpplus1-4 ] disabled=yes
set [ find default-name=qsfpplus2-1 ] disabled=yes
set [ find default-name=qsfpplus2-2 ] disabled=yes
set [ find default-name=qsfpplus2-3 ] disabled=yes
set [ find default-name=qsfpplus2-4 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-verso-main-router
set [ find default-name=sfp-sfpplus2 ] name=sfp-sfpplus2-verso-RC1-APP001
set [ find default-name=sfp-sfpplus3 ] name=sfp-sfpplus3-verso-RC2-APP002
set [ find default-name=sfp-sfpplus4 ] name=sfp-sfpplus4-verso-RC3-APP003
set [ find default-name=sfp-sfpplus5 ] name=sfp-sfpplus5-verso-RC4-APP101
set [ find default-name=sfp-sfpplus6 ] name=sfp-sfpplus6-verso-RC5-APP102
set [ find default-name=sfp-sfpplus7 ] name=sfp-sfpplus7-verso-RC6-APP103
set [ find default-name=sfp-sfpplus8 ] name=sfp-sfpplus8-verso-RC7-APP201
set [ find default-name=sfp-sfpplus9 ] name=sfp-sfpplus9-verso-RC8-APP202
set [ find default-name=sfp-sfpplus10 ] name=sfp-sfpplus10-verso-RC9-APP203
set [ find default-name=sfp-sfpplus11 ] name=sfp-sfpplus11-verso-RC10-APP301
set [ find default-name=sfp-sfpplus12 ] name=sfp-sfpplus12-verso-RC11-APP302
set [ find default-name=sfp-sfpplus13 ] name=sfp-sfpplus13-verso-RC12-APP303
set [ find default-name=sfp-sfpplus14 ] name=sfp-sfpplus14-verso-RC13-APP401
set [ find default-name=sfp-sfpplus15 ] name=sfp-sfpplus15-verso-RC14-APP402
set [ find default-name=sfp-sfpplus16 ] name=sfp-sfpplus16-verso-RC15-APP403
set [ find default-name=sfp-sfpplus17 ] name=sfp-sfpplus17-verso-RC16-APP501
set [ find default-name=sfp-sfpplus18 ] name=sfp-sfpplus18-verso-RC17-APP502
set [ find default-name=sfp-sfpplus19 ] name=sfp-sfpplus19-verso-RC18-APP503
set [ find default-name=sfp-sfpplus20 ] name=sfp-sfpplus20-verso-RC19-APP601
set [ find default-name=sfp-sfpplus21 ] name=sfp-sfpplus21-verso-RC20-APP602
set [ find default-name=sfp-sfpplus22 ] disabled=yes
set [ find default-name=sfp-sfpplus23 ] name=\
sfp-sfpplus23-access-servizi-comuni
set [ find default-name=sfp-sfpplus24 ] disabled=yes
# vlan10 on the access port carries no IP address (this export has no
# /ip address section); it only serves as the gateway of the 10.10.10.0/24
# route below and is effectively inert. vlan99-management is the switch's own
# management interface (address via DHCP from the CCR).
/interface vlan
add interface=sfp-sfpplus23-access-servizi-comuni name=vlan10 vlan-id=10
add interface=bridge1 name=vlan99-management vlan-id=99
/interface list
add name=MNG
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
# Bridge ports. Trunks admit tagged frames only; ingress-filtering is left at
# its default. The entries are not in physical order (sfp-sfpplus21 and
# sfp-sfpplus4 are out of sequence) - cosmetic only.
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus1-verso-main-router
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus2-verso-RC1-APP001
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus3-verso-RC2-APP002
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus21-verso-RC20-APP602
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus5-verso-RC4-APP101
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus6-verso-RC5-APP102
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus7-verso-RC6-APP103
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus8-verso-RC7-APP201
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus9-verso-RC8-APP202
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus10-verso-RC9-APP203
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus11-verso-RC10-APP301
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus12-verso-RC11-APP302
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus13-verso-RC12-APP303
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus14-verso-RC13-APP401
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus15-verso-RC14-APP402
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus16-verso-RC15-APP403
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus17-verso-RC16-APP501
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus18-verso-RC17-APP502
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus19-verso-RC18-APP503
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus20-verso-RC19-APP601
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
sfp-sfpplus4-verso-RC3-APP003
# NOTE(review): sfp-sfpplus22 and sfp-sfpplus24 are disabled above but remain
# bridge members with default frame-types (admit-all) and default pvid 1. VLAN
# 1 is not in the bridge VLAN table, so they would likely be dead if re-enabled,
# but keeping them in the bridge is an unnecessary foothold; remove them or
# give them explicit frame-types/pvid.
add bridge=bridge1 interface=sfp-sfpplus22
# Access port for the intercom server: untagged, PVID 10.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=sfp-sfpplus23-access-servizi-comuni pvid=10
add bridge=bridge1 interface=sfp-sfpplus24
# NOTE(review): neighbor discovery (MNDP/LLDP/CDP) runs on every interface,
# including the apartment-facing trunks, so tenant equipment can learn this
# switch's identity, model and address. The CCR and the RB960s restrict it to
# MNG; doing the same here is consistent.
/ip neighbor discovery-settings
set discover-interface-list=all
# No IP forwarding: the switch never routes between VLANs.
/ip settings
set ip-forward=no
# Bridge VLAN table.
#   10      tagged on the CCR trunk and on every apartment trunk, untagged on
#           the intercom access port: the intercom VLAN is flat across the
#           whole building.
#   11..30  each tagged only on the CCR trunk and on its own apartment port,
#           which is what keeps apartments apart at L2.
#   99      tagged on the CCR trunk, on all apartment trunks and on bridge1
#           (the switch's own management interface).
/interface bridge vlan
add bridge=bridge1 tagged="sfp-sfpplus1-verso-main-router,sfp-sfpplus2-verso-R\
C1-APP001,sfp-sfpplus3-verso-RC2-APP002,sfp-sfpplus4-verso-RC3-APP003,sfp-\
sfpplus5-verso-RC4-APP101,sfp-sfpplus6-verso-RC5-APP102,sfp-sfpplus7-verso\
-RC6-APP103,sfp-sfpplus8-verso-RC7-APP201,sfp-sfpplus9-verso-RC8-APP202,sf\
p-sfpplus10-verso-RC9-APP203,sfp-sfpplus11-verso-RC10-APP301,sfp-sfpplus12\
-verso-RC11-APP302,sfp-sfpplus13-verso-RC12-APP303,sfp-sfpplus14-verso-RC1\
3-APP401,sfp-sfpplus15-verso-RC14-APP402,sfp-sfpplus16-verso-RC15-APP403,s\
fp-sfpplus17-verso-RC16-APP501,sfp-sfpplus18-verso-RC17-APP502,sfp-sfpplus\
19-verso-RC18-APP503,sfp-sfpplus20-verso-RC19-APP601,sfp-sfpplus21-verso-R\
C20-APP602" untagged=sfp-sfpplus23-access-servizi-comuni vlan-ids=10
# VLAN 12 (listed out of numerical order; cosmetic).
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus3-verso-RC2-APP002 vlan-ids=12
add bridge=bridge1 tagged="sfp-sfpplus1-verso-main-router,bridge1,sfp-sfpplus2\
-verso-RC1-APP001,sfp-sfpplus3-verso-RC2-APP002,sfp-sfpplus4-verso-RC3-APP\
003,sfp-sfpplus5-verso-RC4-APP101,sfp-sfpplus6-verso-RC5-APP102,sfp-sfpplu\
s7-verso-RC6-APP103,sfp-sfpplus8-verso-RC7-APP201,sfp-sfpplus9-verso-RC8-A\
PP202,sfp-sfpplus10-verso-RC9-APP203,sfp-sfpplus11-verso-RC10-APP301,sfp-s\
fpplus12-verso-RC11-APP302,sfp-sfpplus13-verso-RC12-APP303,sfp-sfpplus14-v\
erso-RC13-APP401,sfp-sfpplus15-verso-RC14-APP402,sfp-sfpplus16-verso-RC15-\
APP403,sfp-sfpplus17-verso-RC16-APP501,sfp-sfpplus18-verso-RC17-APP502,sfp\
-sfpplus19-verso-RC18-APP503,sfp-sfpplus20-verso-RC19-APP601,sfp-sfpplus21\
-verso-RC20-APP602" vlan-ids=99
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus21-verso-RC20-APP602 vlan-ids=\
30
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus20-verso-RC19-APP601 vlan-ids=\
29
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus19-verso-RC18-APP503 vlan-ids=\
28
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus18-verso-RC17-APP502 vlan-ids=\
27
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus17-verso-RC16-APP501 vlan-ids=\
26
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus16-verso-RC15-APP403 vlan-ids=\
25
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus15-verso-RC14-APP402 vlan-ids=\
24
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus14-verso-RC13-APP401 vlan-ids=\
23
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus13-verso-RC12-APP303 vlan-ids=\
22
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus12-verso-RC11-APP302 vlan-ids=\
21
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus11-verso-RC10-APP301 vlan-ids=\
20
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus10-verso-RC9-APP203 vlan-ids=19
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus9-verso-RC8-APP202 vlan-ids=18
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus8-verso-RC7-APP201 vlan-ids=17
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus7-verso-RC6-APP103 vlan-ids=16
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus6-verso-RC5-APP102 vlan-ids=15
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus5-verso-RC4-APP101 vlan-ids=14
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus4-verso-RC3-APP003 vlan-ids=13
add bridge=bridge1 tagged=\
sfp-sfpplus1-verso-main-router,sfp-sfpplus2-verso-RC1-APP001 vlan-ids=11
/interface list member
add interface=vlan99-management list=MNG
# Management address comes from the CCR's dhcp99 (10.99.99.0/24).
/ip dhcp-client
add interface=vlan99-management
# NOTE(review): this route points the CCR's OpenVPN pool at vlan10, an
# interface with no address, on a device that does not forward
# (ip-forward=no). It has no effect and looks like a leftover; remove it.
/ip route
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=vlan10 pref-src=\
0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=\
10
# All remote services are disabled except Winbox, which is left on its default
# port (8291) here, unlike the CCR and the RB960s (28292). There is no
# /ip firewall filter on this switch, so Winbox on the management address is
# protected only by VLAN 99 membership: any host that can route a packet into
# 10.99.99.0/24 reaches the login.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=SWITCH-crs326
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
# MAC-telnet / MAC-Winbox restricted to MNG (vlan99-management only). RoMON is
# enabled with no per-port forbid, so it is active on the apartment trunks as
# well; make sure a RoMON secret is set (not shown in this export).
/tool mac-server
set allowed-interface-list=MNG
/tool mac-server mac-winbox
set allowed-interface-list=MNG
/tool romon
set enabled=yes
# Leftover packet-sniffer filter on the apartment 203 trunk; harmless, but
# worth clearing.
/tool sniffer
set filter-interface=sfp-sfpplus10-verso-RC9-APP203
rb960 code:
# 2024-07-01 11:25:14 by RouterOS 7.15
# software id = **ELIDED**
#
# model = RB960PGS
#
# Apartment router (identity rb960-app-001, i.e. apartment 001 / CCR vlan11).
# One VLAN-filtering bridge: ether1-4 are untagged apartment LAN ports
# (VLAN 101), ether5 is an untagged intercom port (VLAN 10), sfp1 is the
# tagged trunk to the CRS carrying VLANs 10, 11 and 99.
# NOTE(review): ingress-filtering=no is set on the bridge and on every port; on
# the trunk this means frames tagged with VIDs that are not in the VLAN table
# are not rejected at ingress. ingress-filtering=yes on sfp1-trunk is the
# usual hardening - verify it breaks nothing before enabling it.
/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short pvid=101 \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ap1
set [ find default-name=ether2 ] name=ether2-ap2
set [ find default-name=ether3 ] name=ether3-lan
set [ find default-name=ether4 ] name=ether4-lan
set [ find default-name=ether5 ] name=ether5-video
set [ find default-name=sfp1 ] name=sfp1-trunk
# vlan11-internet: transit to the CCR (address via DHCP; the CCR pool for
# vlan11 holds only 172.18.11.2).
# vlan99-mng: management (address via DHCP from the CCR).
# vlan101-lan: apartment LAN, gateway 192.168.101.1/24.
/interface vlan
add interface=bridge1 name=vlan11-internet vlan-id=11
add interface=bridge1 name=vlan99-mng vlan-id=99
add interface=bridge1 name=vlan101-lan vlan-id=101
/interface list
add name=MNG
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Apartment LAN DHCP, 10-minute leases.
/ip pool
add name=dhcp_pool0 ranges=192.168.101.2-192.168.101.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan101-lan lease-time=10m name=dhcp1
# Bridge ports (all with ingress-filtering=no; see the note at the top).
# ether5-video puts the apartment intercom panel straight onto VLAN 10 at L2,
# so it reaches the Dahua server without any routing - presumably why the
# intercom works while LAN clients on VLAN 101, which are routed through the
# CCR's forward chain, do not.
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=ether1-ap1 internal-path-cost=10 \
path-cost=10 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=ether2-ap2 internal-path-cost=10 \
path-cost=10 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=ether3-lan internal-path-cost=10 \
path-cost=10 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=ether4-lan internal-path-cost=10 \
path-cost=10 pvid=101
add bridge=bridge1 comment="Porta di access per VLAN10 citofonia" \
frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no \
interface=ether5-video internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=no \
interface=sfp1-trunk internal-path-cost=10 path-cost=10 pvid=101
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MNG
/ip settings
set max-neighbor-entries=8192
# IPv6 fully disabled.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Bridge VLAN table: 10 = intercom (trunk + ether5); 11 and 99 = trunk plus the
# bridge itself (so the router can own vlan11-internet / vlan99-mng);
# 101 = apartment LAN (bridge + ether1-4).
/interface bridge vlan
add bridge=bridge1 tagged=sfp1-trunk untagged=ether5-video vlan-ids=10
add bridge=bridge1 tagged=sfp1-trunk,bridge1 vlan-ids=11
add bridge=bridge1 tagged=sfp1-trunk,bridge1 vlan-ids=99
add bridge=bridge1 tagged=bridge1 untagged=\
ether1-ap1,ether2-ap2,ether3-lan,ether4-lan vlan-ids=101
# NOTE(review): bridge1 is in MNG, and bridge1 is also the untagged side of
# VLAN 101 (pvid=101), i.e. the tenant LAN. Everything bound to MNG
# (MAC-telnet, MAC-Winbox, neighbor discovery) is therefore reachable from
# ether1-4. The physical trunk is in MNG as well. Keeping only vlan99-mng in
# the list confines these services to the management VLAN.
/interface list member
add interface=sfp1-trunk list=MNG
add interface=vlan99-mng list=MNG
add interface=bridge1 list=MNG
# OVPN server: no enabled=yes is exported, so it appears to be off, but the
# auth list includes md5 and sha1; if it is ever enabled, use sha256/sha512
# as on the CCR.
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.101.1/24 interface=vlan101-lan network=192.168.101.0
# Default route and DNS come from the CCR via vlan11; the vlan99 client adds
# no default route and ignores peer DNS/NTP (right for a management VLAN).
/ip dhcp-client
add interface=vlan11-internet
add add-default-route=no interface=vlan99-mng use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.101.0/24 dns-server=192.168.101.1 gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes
# INPUT chain only; there is no forward chain at all.
# NOTE(review): with IP forwarding at its default (on), no forward filter and
# masquerade disabled, a tenant host on VLAN 101 can send packets into the
# management network 10.99.99.0/24 directly through this router's vlan99-mng
# address, bypassing the CCR's inter-VLAN policy. Replies would route back via
# the CCR and probably hit its inter-VLAN drop, but one-way traffic (UDP,
# scans) still reaches the CRS, which has no firewall. Add a forward rule
# dropping in-interface=vlan101-lan out-interface=vlan99-mng, or a general
# forward policy that only allows the LAN out via vlan11-internet.
/ip firewall filter
add action=accept chain=input comment="INPUT: accept established e related" \
connection-state=established,related
add action=drop chain=input comment="INPUT: drop INVALID" connection-state=\
invalid
# Winbox accept with no source restriction: anyone on the tenant LAN or on the
# uplink can reach the login. xxxx is redacted in the post; it has to equal the
# Winbox port set below (28292) or Winbox is dropped by the final rule.
# Restricting it with in-interface=vlan99-mng (or a src-address-list) is
# advisable.
add action=accept chain=input comment="INPUT: accept winbox" dst-port=xxxx \
protocol=tcp
# DHCP and DNS are accepted from every interface, including the uplink and the
# management VLAN; in-interface=vlan101-lan would scope them to the tenant LAN.
add action=accept chain=input comment="INPUT: accept DHCP" dst-port=67,68 \
protocol=udp
add action=accept chain=input comment="INPUT: accept DNS UDP 53" dst-port=53 \
protocol=udp
add action=accept chain=input comment="INPUT: accept DNS TCP 53" dst-port=53 \
protocol=tcp
add action=drop chain=input comment="INPUT: drop all"
# Masquerade is disabled on purpose: the apartment LAN is routed, the CCR
# holding a static route back to 192.168.101.0/24 via this router's transit
# address.
/ip firewall nat
add action=masquerade chain=srcnat comment=SRCNAT-masquerade disabled=yes \
out-interface=vlan11-internet
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# Only Winbox (28292) remains enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=28292
set api-ssl disabled=yes
# BFD enabled on all interfaces although no dynamic routing is configured;
# looks like a leftover.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=rb960-app-001
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
# MAC-telnet / MAC-Winbox bound to MNG (see the MNG membership note above).
/tool mac-server
set allowed-interface-list=MNG
/tool mac-server mac-winbox
set allowed-interface-list=MNG
/tool romon
set enabled=yes
Thanks for your help
Enrico