Hi
I'm setting up a quite complicated (for me) configuration on an RB2011.
I'm using the RB2011 as my main router and access to the internet. I have 2 bridges set: one is on 192.168.3.0 (ports 2-5) and the other on 192.168.4.0 on port 6. Ether1 is used for the PPPoE connection to my ISP.
I use this configuration to DROP DHCP packets from my ISP for IPTV, since I have an IPTV receiver connected to a switch behind the MikroTik on ether6. I don't want another DHCP server in my network with the other devices. Everything is working fine now except for the /ip address part on the RB2011.
Here is a print:
Flags: X - disabled, I - invalid, D - dynamic
ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.3.3/24 192.168.3.0 ether2
1 ;;; ETH6_TV
192.168.4.3/24 192.168.4.0 ether6-master-local
2 D 89.143.109.62/32 213.250.19.90 pppoe-out1
3 192.168.1.2/24 192.168.1.0 ether1-gateway
The problem is that #3 keeps disappearing by itself (it is needed to access the modem through ether1) and #1 keeps changing interface from ether6 to ether2 or disappears completely. This happens from time to time and I don't know how to stop it. Any ideas?
I'm adding the whole configuration below:
[admin@MikroTik] > export
# Export part 1: bridges, physical/wireless/PPP interfaces, address pools,
# DHCP servers, PPP profiles and queue tree. Secrets shown as **** were
# masked by the poster.
# dec/10/2015 23:33:34 by RouterOS 6.33.3
# software id = AZ3N-AZ5S
#
# Two bridges: TV_Benjamin (IPTV segment) and bridge-local (LAN).
/interface bridge
add name=TV_Benjamin
add admin-mac=4C:5E:0C:65:A1:59 auto-mac=no name=bridge-local
# ether6 is the master port for ether7-ether10; ether1 is renamed as the
# gateway port.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=2427 mode=ap-bridge \
multicast-helper=full ssid=***** wireless-protocol=802.11
# PPPoE uplink to the ISP over ether1-gateway; installs the default route.
/interface pppoe-client
add add-default-route=yes default-route-distance=1 disabled=no interface=ether1-gateway max-mru=1492 max-mtu=\
1492 name=pppoe-out1 password=**** user=****
# Neighbor discovery is switched off on the WAN-facing port.
/ip neighbor discovery
set ether1-gateway discover=no
# NOTE(review): legacy WPA (wpa-psk) is accepted alongside WPA2. If every
# client supports WPA2, restrict authentication-types to wpa2-psk.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=**** \
wpa2-pre-shared-key=****
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
# Pools for the two DHCP servers and for the VPN profiles defined below.
/ip pool
add name=dhcp ranges=192.168.3.100-192.168.3.200
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=OpenVPN ranges=172.25.10.2-172.25.10.10
add name=vpn-pool ranges=192.168.99.2-192.168.99.100
add name=dhcp_pool2 ranges=192.168.4.100-192.168.4.200
# Both DHCP servers are bound to the bridges, not to individual ports.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=23h59m name=default
add address-pool=dhcp_pool2 disabled=no interface=TV_Benjamin lease-time=23h59m name=dhcp1
/metarouter
add disabled=yes disk-size=5000kiB name=mr1
/port
set 1 baud-rate=9600 data-bits=8 flow-control=none name=usb2 parity=none stop-bits=1
# USB modem PPP client; its user/password are present in clear text here.
/interface ppp-client
add apn=internet default-route-distance=1 dial-on-demand=no keepalive-timeout=10 name=ppp-out1 password=internet \
port=usb2 use-peer-dns=no user=mobitel
# PPP profiles used by the VPN servers; *0 and *FFFFFFFE are internal IDs
# as printed by the export.
/ppp profile
set *0 local-address=vpn-pool remote-address=vpn
add local-address=172.25.10.1 name=OpenVPN remote-address=OpenVPN
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# Queues reference packet marks (HTTP-Marked, p2p, other) whose mangle rules
# are all disabled later in this export.
/queue tree
add limit-at=15M max-limit=15M name=HTTP-Queue packet-mark=HTTP-Marked parent=ether1-gateway priority=1 queue=\
default
add limit-at=15M max-limit=15M name=P2P-Queue packet-mark=p2p parent=ether1-gateway queue=default
add limit-at=15M max-limit=15M name=Other-Queue packet-mark=other parent=ether1-gateway priority=4 queue=default
/system logging action
set 1 disk-file-name=""
# Export part 2: bridge membership, VPN servers, IP addressing, DHCP and DNS.
# ether2-5, sfp1 and wlan1 are ports of bridge-local; ether6-master-local is
# the only port of TV_Benjamin.
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=TV_Benjamin interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
# NOTE(review): the next two entries carry no bridge/interface parameters;
# they look like leftover or invalid bridge ports. Verify and remove.
add
add
# Bridged traffic is passed through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
# No enabled=yes is exported for L2TP here; confirm its state on the device.
/interface l2tp-server server
set ipsec-secret=**** use-ipsec=yes
# OpenVPN server is enabled and requires a client certificate.
# NOTE(review): blowfish128 is a legacy 64-bit-block cipher; consider
# offering only the AES ciphers.
/interface ovpn-server server
set certificate=cert_2 cipher=blowfish128,aes128,aes256 default-profile=OpenVPN enabled=yes max-mtu=1450 \
require-client-certificate=yes
# NOTE(review): PPTP is enabled. Its MS-CHAPv2/MPPE protection is considered
# broken; disable it unless a client strictly depends on it. The "allow pptp"
# filter rule is disabled, but the input chain has no final drop, so that
# does not block the port.
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption
# NOTE(review): 192.168.3.3 and 192.168.4.3 are assigned to ether2 and
# ether6-master-local, which are bridge ports (see /interface bridge port),
# while the DHCP servers run on bridge-local and TV_Benjamin. Addresses
# normally belong on the bridge interface; this mismatch is a plausible
# cause of the entries moving or becoming invalid. Confirm on the device.
/ip address
add address=192.168.3.3/24 comment="default configuration" interface=ether2 network=192.168.3.0
add address=192.168.4.3/24 comment=ETH6_TV interface=ether6-master-local network=192.168.4.0
add address=192.168.1.2/24 interface=ether1-gateway network=192.168.1.0
/ip cloud
set ddns-enabled=yes
# A DHCP client is also active on ether1-gateway, the same interface that
# holds the static 192.168.1.2/24 above.
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
# Rogue-DHCP-server alerts on ether2 and ether6-master-local.
/ip dhcp-server alert
add alert-timeout=none disabled=no interface=ether2
add disabled=no interface=ether6-master-local
# Static leases. Entries with block-access=yes deny the listed MAC
# (Sagem, Siol Box, Innbox V60).
/ip dhcp-server lease
add address=192.168.3.50 comment=Kamera mac-address=00:6E:07:71:C8:4E server=default
add address=192.168.3.147 comment=Rpi mac-address=B8:27:EB:6F:99:6B server=default
add address=192.168.3.100 always-broadcast=yes client-id=1:98:f1:70:17:56:e2 comment="Note 4" mac-address=\
98:F1:70:17:56:E2 server=default
add address=192.168.3.102 client-id=1:50:e5:49:e5:d8:aa comment=Racunalnik_Mansarda mac-address=\
50:E5:49:E5:D8:AA server=default
add address=192.168.3.189 client-id=1:68:5d:43:73:a1:ea comment=Prenosnik mac-address=68:5D:43:73:A1:EA server=\
default
add address=192.168.3.105 always-broadcast=yes client-id=1:70:8d:9:34:4e:34 comment="Lumia 1020" mac-address=\
70:8D:09:34:4E:34 server=default
add address=192.168.3.145 always-broadcast=yes client-id=1:0:30:5:c9:d:9 comment="Ra\E8unalnik_Dnevna_spodaj" \
mac-address=00:30:05:C9:0D:09 server=default
add block-access=yes comment=Sagem mac-address=00:1F:95:4A:0C:CA
add block-access=yes comment="Siol Box" mac-address=00:04:30:5F:EF:3D
add address=192.168.3.12 comment=Tiskalnik mac-address=18:A9:05:0E:30:50 server=default
add address=192.168.3.104 client-id=1:5c:a3:9d:51:94:5a comment=TV_Dnevna_Mansarda_Samsung mac-address=\
5C:A3:9D:51:94:5A server=default
# NOTE(review): this lease's client-id (1:0:4:30:5f:ef:3d) corresponds to the
# MAC blocked in the "Siol Box" entry above, while its mac-address differs.
# Verify which identity the device actually presents.
add address=192.168.3.101 client-id=1:0:4:30:5f:ef:3d comment=Siol_Box mac-address=00:AE:EC:47:3E:B4 server=\
default
add address=192.168.3.108 client-id=1:dc:9f:db:99:ba:3c comment=Wlan-Si_Bullet mac-address=DC:9F:DB:99:BA:3C \
server=default
add address=192.168.3.103 comment=Samknows_TpLink mac-address=E8:94:F6:F2:F5:E2 server=default
add address=192.168.3.109 client-id=1:0:17:31:54:59:76 comment=Benjamin-PC mac-address=00:17:31:54:59:76 server=\
default
add block-access=yes comment="Innbox V60" mac-address=64:6E:EA:17:E4:9F
add address=192.168.3.113 client-id=1:b8:27:eb:ae:35:60 comment=Kodi mac-address=B8:27:EB:AE:35:60 server=\
default
add address=192.168.4.145 comment=Wlan-Si_1043ND_Obrez_42 mac-address=74:EA:3A:E4:CB:68 server=dhcp1
add address=192.168.4.248 comment=TpLink_EasySmart_Switch mac-address=C4:E9:84:E5:5F:08 server=dhcp1
# Gateways handed out to clients are the router addresses defined above.
/ip dhcp-server network
add address=192.168.3.0/24 comment="default configuration" gateway=192.168.3.3 netmask=24
add address=192.168.4.0/24 gateway=192.168.4.3 netmask=24
# NOTE(review): allow-remote-requests=yes makes the router answer DNS
# queries. The IPv4 input chain in this export has no rule dropping port 53
# from pppoe-out1, so the resolver is likely reachable from the Internet.
# Drop DNS arriving on the WAN interfaces.
/ip dns
set allow-remote-requests=yes servers=192.168.3.147
# Export part 3: IPv4 filter rules (evaluated top to bottom per chain).
# NOTE(review): neither the input nor the forward chain ends with a drop
# rule. RouterOS accepts packets that match no rule, so every router service
# not dropped below is reachable from pppoe-out1 and ether1-gateway. Add a
# final drop on input for traffic arriving on the WAN interfaces, placed
# after the accept rules.
/ip firewall filter
# Established/related forwarded connections are fast-tracked.
add action=fasttrack-connection chain=forward connection-state=established,related
# DHCP drops: neither rule has an in-interface matcher, so they are not
# limited to the IPTV port named in the comment.
add action=drop chain=input comment="Drop DHCP form ETH5" dst-port=67 protocol=udp src-port=68
add action=drop chain=input protocol=udp src-port=67
# Destination-address drops grouped under the "Drop_Microsoft" comment.
add action=drop chain=forward comment=Drop_Microsoft dst-address=65.55.252.63
add action=drop chain=forward dst-address=204.79.197.200
add action=drop chain=forward dst-address=65.52.100.91
add action=drop chain=forward dst-address=191.232.139.254
add action=drop chain=forward dst-address=65.55.252.92
add action=drop chain=forward dst-address=65.55.252.93
add action=drop chain=forward dst-address=65.52.100.7
add action=drop chain=forward dst-address=68.232.34.200
add action=drop chain=forward dst-address=64.4.54.32
add action=drop chain=forward dst-address=23.67.139.33
add action=drop chain=forward dst-address=168.63.108.233
add action=drop chain=forward dst-address=65.55.176.90
add action=drop chain=forward dst-address=134.170.115.60
# NOTE(review): content= matches a byte string in the packet payload, so it
# presumably only sees host names sent in clear text. Verify the rule
# counters before relying on these two rules.
add action=drop chain=forward content=telemetry.urs.microsoft.com
add action=drop chain=forward content=vortex-win.data.microsoft.com
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
# Input chain: accepts ICMP and established/related traffic.
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
# The three VPN "allow" rules are disabled. Because no drop rule follows
# them, disabling them does not close ports 1723, 443 or 1701.
add chain=input comment="allow pptp" disabled=yes dst-port=1723 protocol=tcp
add chain=input comment="allow sstp" disabled=yes dst-port=443 protocol=tcp
add chain=input comment="allow l2tp" disabled=yes dst-port=1701 protocol=udp
# Export part 4: mangle, NAT, web proxy, routes, management services, UPnP.
# All mangle rules are disabled, so the marks used by /queue tree are not set.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark HTTP" disabled=yes dst-port=80 new-connection-mark=\
HTTP-Conn protocol=tcp src-address=192.168.3.0/24
add action=mark-packet chain=prerouting connection-mark=HTTP-Conn disabled=yes new-packet-mark=HTTP-Marked \
passthrough=no
add action=mark-connection chain=prerouting comment="Mark P2P" disabled=yes new-connection-mark=p2p_conn p2p=\
all-p2p src-address=192.168.3.0/24
add action=mark-packet chain=prerouting connection-mark=p2p_conn disabled=yes new-packet-mark=p2p passthrough=no
add action=mark-connection chain=prerouting comment="Mark Other" disabled=yes new-connection-mark=other_conn \
src-address=192.168.3.0/24
add action=mark-packet chain=prerouting connection-mark=other_conn disabled=yes new-packet-mark=other \
passthrough=no
/ip firewall nat
# Source NAT towards the modem network, the PPPoE uplink and the USB modem.
add action=masquerade chain=srcnat comment="NAT acess to modem" out-interface=ether1-gateway to-addresses=\
192.168.1.10
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1
# ppp-out1 not ready
add action=masquerade chain=srcnat out-interface=ppp-out1
# NOTE(review): the dst-nat rules below publish internal hosts on the PPPoE
# address with no src-address restriction: FTP (21, clear-text protocol) and
# HTTP (80) on 192.168.3.147, the camera web UI (8000 -> 192.168.3.50:80),
# and the modem web UI (9000 -> 192.168.1.3:80). Limit them to known source
# addresses or reach these hosts through the VPN instead.
add action=dst-nat chain=dstnat dst-port=21 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.3.147 \
to-ports=21
add action=dst-nat chain=dstnat comment=Kamera dst-port=8000 in-interface=pppoe-out1 protocol=tcp to-addresses=\
192.168.3.50 to-ports=80
add action=dst-nat chain=dstnat comment="WebStre\9EnikRPI" dst-port=80 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.3.147 to-ports=80
add action=dst-nat chain=dstnat comment="RPI_TV_UDP v navaden stream" disabled=yes dst-port=4022 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.4.5 to-ports=4022
add action=dst-nat chain=dstnat comment="Dostop do Modema iz Interneta" dst-port=9000 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.1.3 to-ports=80
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
# NOTE(review): the web proxy is enabled and no proxy access rules appear in
# this export. With no drop rule on the input chain it is likely usable from
# the Internet as an open proxy. Disable it or restrict who may use it.
/ip proxy
set enabled=yes
/ip route
add disabled=yes distance=1 gateway=192.168.1.1
# FTP is off, SSH is limited to 192.168.3.102, and HTTPS management is on.
# NOTE(review): telnet, www, winbox and api are not listed, so they are at
# their defaults. Check `/ip service print` and restrict each by address.
/ip service
set ftp disabled=yes
set ssh address=192.168.3.102/32
set www-ssl disabled=no
# NOTE(review): UPnP lets any host on bridge-local open inbound port
# mappings on pppoe-out1 without authentication. Disable it if not required.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-out1 type=external
# Export part 5: IPv6 addressing and firewall, LCD, PPP secrets, IGMP proxy,
# clock.
# The LAN prefix comes from the "Siol" pool delegated over pppoe-out1.
/ipv6 address
add address=**** from-pool=Siol interface=bridge-local
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=Siol pool-prefix-length=56 use-peer-dns=no
/ipv6 firewall filter
# Input chain: ICMPv6, established/related and all UDP are accepted, then
# everything else is dropped.
# NOTE(review): the blanket UDP accept exposes every UDP service of the
# router over IPv6, including the DNS resolver enabled under /ip dns.
# Narrow it to the ports actually needed (for example the DHCPv6 client).
add chain=input comment="Router - Allow IPv6 ICMP" protocol=icmpv6
add chain=input comment="Router - Accept established connections" connection-state=established
add chain=input comment="Router - Accept related connections" connection-state=related
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid
add chain=input comment="Router- UDP" protocol=udp
add action=drop chain=input comment="Router - Drop other traffic"
# Forward chain.
# NOTE(review): there is no final drop here and the log rule is disabled, so
# new inbound connections from the Internet to LAN hosts' global IPv6
# addresses are accepted. End the chain with a drop for traffic entering
# from pppoe-out1.
add action=drop chain=forward comment="LAN - Drop invalid Connections" connection-state=invalid
add chain=forward comment="LAN - Accept UDP" protocol=udp
add chain=forward comment="LAN - Accept ICMPv6 " protocol=icmpv6
add chain=forward comment="LAN - Accept established Connections" connection-state=established
add chain=forward comment="LAN - Accept related connections" connection-state=related
add action=log chain=forward comment="LAN - Log everything else" disabled=yes log-prefix="Log IPv6"
add action=drop chain=forward dst-address=2606:2800:133:206e:1315:22a5:2006:24fd/128
/ipv6 nd
set [ find default=yes ] advertise-dns=yes interface=bridge-local
/lcd
set enabled=no touch-screen=disabled
# NOTE(review): the "openvpn" secret is published here in clear text and its
# password equals the user name; rotate it. The "vpn" secret has no service=
# restriction, so it is valid for every PPP service, including the enabled
# PPTP server. Bind it to the one service that needs it.
/ppp secret
add name=vpn password=****
add name=openvpn password=openvpn profile=OpenVPN service=ovpn
/routing igmp-proxy
set quick-leave=yes
/system clock
set time-zone-autodetect=no
# Export part 6: dynamic-DNS automation.
# schedule1 runs every 5 minutes: it reads the address on pppoe-out1,
# compares it with the global currentIP and runs DDNS-Update when it differs.
# NOTE(review): the scheduler entry and the script are granted every policy
# listed (including reboot, password, sniff, sensitive). Reduce them to what
# the script needs.
/system scheduler
add interval=5m name=schedule1 on-event="\r\
\n :global currentIP;\r\
\n\r\
\n :local newIP [/ip address get [find interface=\"pppoe-out1\"] address];\r\
\n\r\
\n :if (\$newIP != \$currentIP) \\\r\
\n do={ \\\r\
\n :log info \"ip address \$currentIP changed to \$newIP\"; \\\r\
\n /system script run DDNS-Update; \\\r\
\n :set currentIP \$newIP; \\\r\
\n } else={ \\\r\
\n :log info \"No change of IP\"; \\\r\
\n }" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
# DDNS-Update resolves freedns.afraid.org, adds a temporary route to it via
# pppoe-out1 (comment=ddns), fetches the update URL, then removes the route.
# NOTE(review): the update URL uses http://, so the update token (masked as
# **** by the poster) travels in clear text. Use https if this RouterOS
# version's fetch supports it.
/system script
add name=DDNS-Update owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="# get \
freedns.afraid.org\r\
\n:global a [:resolve freedns.afraid.org]\r\
\n#update ddns from wan1\r\
\n/ip ro add dst-address=\$a gateway=pppoe-out1 comment=ddns\r\
\n/tool fetch url=\"http://freedns.afraid.org/dynamic/update.php\\\?
****
zI=\"\r\
\n# remove static gateway\r\
\n/ip ro rem [find comment=ddns]"
# Export part 7: layer-2 management access (MAC-Telnet and MAC-Winbox).
# The default entry is disabled and access is re-enabled per LAN port.
# ether1-gateway is not listed.
# NOTE(review): wlan1 and the IPTV port ether6-master-local are included, so
# any device on Wi-Fi or the TV segment can reach the MAC-level login.
# Consider limiting this to one wired management port.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=wlan1
add interface=sfp1
# Same interface list for MAC-Winbox.
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=wlan1
add interface=sfp1