How do I correctly configure a DNS redirect to the router's local DNS server on a VLAN interface?



# sep/28/2018 10:12:02 by RouterOS 6.43.2
#
# model = RBD52G-5HacD2HnD
#
# Full export of a three-VLAN router: VLAN 10/20/30 on parent interface
# "lan", PPPoE uplink on ether1-wan, per-VLAN DHCP, and two dstnat rules
# that redirect LAN DNS traffic to the router's own resolver.
# NOTE(review): the parent interface "lan" and any /interface bridge port
# entries are not part of this export — presumably "lan" is a bridge
# defined elsewhere; confirm with "/interface bridge print".
/interface ethernet
# All ports pinned to 100 Mbps; ether1 is renamed to mark it as the uplink.
set [ find default-name=ether1 ] name=ether1-wan speed=100Mbps
set [ find default-name=ether2 ] name=ether2 speed=100Mbps
set [ find default-name=ether3 ] name=ether3 speed=100Mbps
set [ find default-name=ether4 ] name=ether4 speed=100Mbps
set [ find default-name=ether5 ] name=ether5 speed=100Mbps
/interface pppoe-client
# The PPPoE session provides the default route and the upstream DNS servers
# (use-peer-dns=yes) that the router's resolver forwards to.
add add-default-route=yes disabled=no interface=ether1-wan name=ether1-wan.pppoe-out1 use-peer-dns=yes user=pppoe-username
/interface vlan
# Routed VLAN interfaces; each gets an IP address and a DHCP server below.
add interface=lan name=lan.vlan10 vlan-id=10
add interface=lan name=lan.vlan20 vlan-id=20
add interface=lan name=lan.vlan30 vlan-id=30
/interface ethernet switch port
# Switch ports are addressed by index here, not by name.
# NOTE(review): on this model index N presumably maps to ether(N+1) and
# index 5 to switch1-cpu — confirm with "/interface ethernet switch port print".
# Ports with default-vlan-id accept untagged frames into that VLAN;
# the port without one (index 5) only passes tagged frames in secure mode.
set 2 default-vlan-id=10 vlan-mode=secure
set 3 default-vlan-id=20 vlan-mode=secure
set 4 default-vlan-id=20 vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK profiles for the two radios; the pre-shared keys are not
# present in this export.
add authentication-types=wpa2-psk group-key-update=1h mode=dynamic-keys name=2g supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-key-update=1h mode=dynamic-keys name=5g supplicant-identity=MikroTik
/interface wireless
# Both radios tag wireless clients into VLAN 40 (vlan-mode=use-tag).
# NOTE(review): VLAN 40 has no /interface vlan entry, IP address, DHCP
# server or switch vlan entry anywhere in this export — confirm where
# wireless clients are meant to get addressing from.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=china disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=2g ssid=MikroTik_2G vlan-id=40 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=china disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=5g ssid=MikroTik_5G vlan-id=40 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
/ip pool
# One DHCP pool per VLAN; the router's own .254 address sits outside each range.
add name=dhcp.vlan10 ranges=172.16.10.70-172.16.10.230
add name=dhcp.vlan20 ranges=172.16.20.90-172.16.20.230
add name=dhcp.vlan30 ranges=172.16.30.40-172.16.30.230
/ip dhcp-server
add address-pool=dhcp.vlan10 disabled=no interface=lan.vlan10 name=dhcp.vlan10
add address-pool=dhcp.vlan20 disabled=no interface=lan.vlan20 name=dhcp.vlan20
add address-pool=dhcp.vlan30 disabled=no interface=lan.vlan30 name=dhcp.vlan30
/interface bridge settings
# Bridged (including VLAN-tagged) traffic is passed through the IP firewall,
# so the filter and nat rules below also see frames switched within "lan".
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP) answers only on the LAN list, not on the uplink.
set discover-interface-list=LAN
/interface ethernet switch vlan
# Hardware VLAN table: ether3 is a member of all three VLANs, ether4/ether5
# of VLAN 20 only, and the CPU port of each so the router can route them.
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=30
/interface list member
# The LAN list holds the untagged parent "lan" as well as the three VLAN
# interfaces; firewall rules matching in-interface-list=LAN see all four.
add interface=ether1-wan.pppoe-out1 list=WAN
add interface=lan list=LAN
add interface=lan.vlan10 list=LAN
add interface=lan.vlan20 list=LAN
add interface=lan.vlan30 list=LAN
# The physical uplink is kept out of WAN (entry disabled) and instead
# placed in WAN-MODEM, which gets its own masquerade rule below.
add disabled=yes interface=ether1-wan list=WAN
add interface=ether1-wan list=WAN-MODEM
/ip address
add address=172.16.10.254/24 interface=lan.vlan10 network=172.16.10.0
add address=172.16.20.254/24 interface=lan.vlan20 network=172.16.20.0
add address=172.16.30.254/24 interface=lan.vlan30 network=172.16.30.0
/ip dhcp-client
# DHCP on the raw ether1-wan port without taking a default route or DNS
# from it — presumably only to reach the modem's management address.
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1-wan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
# Clients are handed the router's VLAN address as both gateway and DNS server,
# so normally no dstnat is needed for DNS to land on the router.
add address=172.16.10.0/24 dns-server=172.16.10.254 gateway=172.16.10.254
add address=172.16.20.0/24 dns-server=172.16.20.254 gateway=172.16.20.254
add address=172.16.30.0/24 dns-server=172.16.30.254 gateway=172.16.30.254
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries arriving on
# any interface, including the PPPoE uplink.
# NOTE(review): this export contains no input-chain filter rules, so unless
# they exist outside the export the resolver is reachable from the internet
# (open-resolver / amplification risk). A rule such as
# "/ip firewall filter add chain=input action=drop protocol=udp dst-port=53
# in-interface-list=WAN" (and the same for tcp), or a default-deny input
# chain, keeps it LAN-only.
set allow-remote-requests=yes
/ip firewall filter
# Guest isolation: VLAN 30 may only be forwarded toward the WAN list.
# Because ether1-wan is only in WAN-MODEM (its WAN entry is disabled),
# guest traffic toward the modem's interface is dropped as well.
add action=drop chain=forward comment="drop guest to private network" in-interface=lan.vlan30 out-interface-list=!WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN-MODEM
# Force all port-53 traffic from the LAN list to the router's own resolver
# (action=redirect rewrites the destination to the router's address on the
# ingress interface).
# NOTE(review): in-interface-list=LAN also matches the untagged parent
# interface "lan", not just the VLANs; check the rule counters and
# "/ip firewall connection print" to see which interface the matched
# traffic is actually arriving on when comparing against the per-VLAN
# in-interface= variant.
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
/ip service
# Plaintext/legacy management services off; www, ssh and winbox are not
# listed here, so they remain at their defaults.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# UPnP lets internal hosts open inbound port mappings on the external
# interface automatically. NOTE(review): the guest VLAN (lan.vlan30) is
# listed as internal below, so guest devices can also request inbound
# mappings — consider removing it if guests should not have that ability.
set enabled=yes
/ip upnp interfaces
add interface=ether1-wan.pppoe-out1 type=external
add interface=lan.vlan10 type=internal
add interface=lan.vlan20 type=internal
add interface=lan.vlan30 type=internal
add disabled=yes interface=lan type=internal
add disabled=yes interface=ether1-wan type=external
/system clock
set time-zone-name=Asia/Shanghai
/system ntp client
# Single hard-coded NTP server address.
set enabled=yes primary-ntp=17.253.114.253
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-level telnet/winbox access limited to the LAN list; MAC ping disabled.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Here is my full export (it contains the DNS dst-nat rules).

When I delete

# The two list-based DNS redirect rules from the export (UDP and TCP to
# port 53); this variant removes them entirely.
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53

the system works well.

If I use

# Per-VLAN variant: one redirect rule per VLAN interface and protocol,
# matching on in-interface= instead of in-interface-list=LAN, so the
# untagged parent interface "lan" is not matched.
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan10 protocol=udp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan20 protocol=udp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan30 protocol=udp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan10 protocol=tcp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan20 protocol=tcp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan30 protocol=tcp to-ports=53

it also works.

If I use

# NOTE(review): both rules carry disabled=yes, so on their own they should
# not match any traffic; if connectivity breaks in this state, something
# other than these two rules is presumably involved — compare the rest of
# the running config against the working variants.
add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53

nobody can access the internet.