Hello,
I have a MikroTik 2011UiAS.
I have a few issues I can't explain.
- The unit has 2 LAN ports in a bridge, but both LAN port 1 and the bridge itself have an IP address.
- The unit has multiple Ethernet ports. If I am in the LAN network I can ping the LAN port, but if I am in another network I can't ping the router port of that network. However, if I run a traceroute, that port does show up as a hop.
- I have a network called Unifi-Default (ether6). This port has a DHCP server for the IP range 192.168.0.0/16 and the interface has IP 192.168.0.254. If I connect a PC to the interface I don't get internet access, but all the config looks good.
Can someone help me check the config?
Config:
nov/05/2020 12:28:49 by RouterOS 6.47.4
software id = GMS5-ZC68
model = 2011UiAS
serial number =
# Bridges. "LAN Bridge" runs proxy-arp, and its member ports ether2/ether3
# (below) also have arp=proxy-arp, so the router answers ARP on those segments
# for any destination it has a route to. NOTE(review): proxy-arp combined with
# the second 10.10.0.254/16 address on "LAN 1 (ether2)" (see /ip address) is a
# likely cause of the "port and bridge both have an address" symptom — confirm.
/interface bridge
add name="CAM Bridge"
add admin-mac=E4:8D:8C:06:72:93 arp=proxy-arp auto-mac=no comment=defconf
igmp-snooping=yes name="LAN Bridge"
# Physical ports. Names carry the role; ether7, ether9, ether10 and sfp1 are
# disabled. Lines that do not start with "set" are continuations of the
# preceding command (export line wrapping).
/interface ethernet
set [ find default-name=ether7 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
name="(ether7) Defect ?"
set [ find default-name=ether4 ] disabled=yes name="CAM 1 (ether4)" speed=
100Mbps
set [ find default-name=ether5 ] name="CAM 2 (ether5)" speed=100Mbps
set [ find default-name=ether8 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=
"Gasten (ether8)"
# proxy-arp is also set on both LAN bridge member ports.
set [ find default-name=ether2 ] arp=proxy-arp name="LAN 1 (ether2)" speed=
100Mbps
set [ find default-name=ether3 ] arp=proxy-arp name="LAN 2 (ether3)" speed=
100Mbps
set [ find default-name=ether6 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=
"Unifi-Default (ether6)"
set [ find default-name=ether1 ] name="WAN (ether1)" speed=100Mbps
set [ find default-name=ether9 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
name="ethernet 10"
set [ find default-name=sfp1 ] disabled=yes
# Switch-chip ports 7, 9 and 10 are in VLAN fallback mode. No VLAN table
# entries appear elsewhere in this export, so this looks like a leftover —
# verify before relying on it.
/interface ethernet switch port
set 7 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback
# Interface lists referenced by firewall rules (in-interface-list /
# out-interface-list). Membership is assigned under /interface list member
# further down: LAN contains only "LAN Bridge", so CAM, Gasten and
# Unifi-Default are NOT "LAN" to any rule matching in-interface-list=!LAN.
/interface list
add name=WAN
add name=LAN
add name=CAM
add name=Unifi-Default
# IPsec defaults used by the L2TP/IPsec server. dh-group=modp1024, 3des and
# sha1 are offered for client compatibility but are weak by current standards,
# and pfs-group=none turns off perfect forward secrecy for phase 2. Prefer
# modp2048 or stronger, aes-256 only and sha256 once every client supports it.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 pfs-group=none
# Kid-control time profiles (both currently disabled). Devices are bound to
# these users under /ip kid-control device further down.
/ip kid-control
add disabled=yes fri=7h-20h30m mon=7h-20h30m name=Wouter sat=7h-20h30m sun=
7h-20h30m thu=7h-20h30m tue=7h-20h30m wed=7h-20h30m
add disabled=yes fri=7h-20h30m mon=7h-20h30m name=Bram sat=7h-20h30m sun=
7h-20h30m thu=7h-20h30m tue=7h-20h30m wed=7h-20h30m
# DHCP/PPP address pools.
# - "dhcp" starts at 10.10.3.0; inside a /16 that is a valid host address,
#   but the pool range does not line up with the other pools' .1-.254 style.
# - "vpn Pool" is a whole /16, while the PPP profile below uses local-address
#   192.168.89.1 and the srcnat rule "masq. vpn traffic" only matches
#   192.168.89.0/24 — the three do not agree; confirm which is intended.
# - "UNIFI-DEFAULT Pool" hands out 192.168.1.10-100, inside the 192.168.0.0/16
#   network configured on ether6.
/ip pool
add name="Gasten Pool" ranges=10.70.3.1-10.70.3.254
add name="Cam Pool" ranges=10.50.3.1-10.50.3.254
add name=dhcp ranges=10.10.3.0-10.10.3.254
add name="vpn Pool" ranges=10.99.0.0/16
add name="UNIFI-DEFAULT Pool" ranges=192.168.1.10-192.168.1.100
# One DHCP server per segment; gateway/DNS options come from
# /ip dhcp-server network further down.
/ip dhcp-server
add address-pool=dhcp disabled=no interface="LAN Bridge" name="LAN DHCP"
add address-pool="Cam Pool" disabled=no interface="CAM Bridge" name=
"Cam DHCP"
add address-pool="UNIFI-DEFAULT Pool" disabled=no interface=
"Unifi-Default (ether6)" name="Unifi-Default DHCP"
add address-pool="Gasten Pool" disabled=no interface="Gasten (ether8)" name=
"Gasten DHCP"
# PPP profile used by the L2TP server (the name says PPTP, but the pptp-server
# section below does not show enabled=yes). The *FFFFFFFE entry is a built-in
# profile (presumably default-encryption, which the SSTP server references);
# it hands VPN clients addresses from "vpn Pool". The /ppp secret entries
# further down override local/remote addresses per user anyway.
/ppp profile
add name=PPTP-Profile use-encryption=yes
set *FFFFFFFE local-address=192.168.89.1 remote-address="vpn Pool"
# SNMP communities: the default one is renamed and stripped of read access;
# "Monitor" is readable only from 10.10.0.0/16. SNMPv2c community strings
# travel in clear text (trap-version=2 below), so keep that source restriction.
/snmp community
set [ find default=yes ] name=DoetErNietToe read-access=no security=
authorized
add addresses=10.10.0.0/16 name=Monitor security=authorized
/tool user-manager customer
set admin access=
own-routers,own-users,own-profiles,own-limits,config-payment-gw
# Built-in "full" group: every policy, including password/sensitive/sniff.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# Bridge membership. ether2 is a bridge port here yet also carries its own
# 10.10.0.254/16 address under /ip address; an IP on a bridge slave is at best
# ignored and at worst conflicts with the bridge's own address — drop the
# ether2 entry and keep the one on "LAN Bridge". trusted=yes is the DHCP
# snooping trust flag; no bridge in this export has dhcp-snooping enabled.
/interface bridge port
add bridge="LAN Bridge" comment=defconf interface="LAN 1 (ether2)" trusted=
yes
add bridge="LAN Bridge" interface="LAN 2 (ether3)" trusted=yes
add bridge="CAM Bridge" interface="CAM 1 (ether4)" trusted=yes
add bridge="CAM Bridge" interface="CAM 2 (ether5)" trusted=yes
/ip firewall connection tracking
set enabled=yes
# Neighbor discovery (MNDP/CDP/LLDP) is off on every interface — good hardening.
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
# L2TP over IPsec. The IPsec pre-shared key is not shown (export appears
# sanitized); allow-fast-path bypasses the firewall for eligible packets.
/interface l2tp-server server
set allow-fast-path=yes default-profile=PPTP-Profile enabled=yes use-ipsec=
yes
# List membership. Only "LAN Bridge" is in LAN; the firewall's
# "drop all not coming from LAN" input rule therefore also drops traffic
# from CAM, Gasten and Unifi-Default aimed at the router itself.
/interface list member
add interface="WAN (ether1)" list=WAN
add interface="LAN Bridge" list=LAN
add interface="CAM Bridge" list=CAM
add interface="Unifi-Default (ether6)" list=Unifi-Default
# PPTP server: no enabled=yes here, so it appears to be off (PPTP is broken
# cryptographically; keep it that way).
/interface pptp-server server
set default-profile=PPTP-Profile max-mru=1460 max-mtu=1460
/interface sstp-server server
set default-profile=default-encryption
# Addresses. 10.10.0.254/16 is assigned twice: on "LAN Bridge" and again on
# its member port "LAN 1 (ether2)" — that duplicate is the first symptom in
# the post; keep only the bridge entry. 192.168.0.254/16 on ether6 puts the
# whole Unifi-Default network inside 192.168.0.0/16, which is in the "bogons"
# address list and dropped in the forward chain (see /ip firewall filter).
/ip address
add address=10.10.0.254/16 interface="LAN Bridge" network=10.10.0.0
add address=10.50.0.254/16 interface="CAM Bridge" network=10.50.0.0
add address=10.10.0.254/16 interface="LAN 1 (ether2)" network=10.10.0.0
add address=192.168.0.254/16 interface="Unifi-Default (ether6)" network=
192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface="WAN (ether1)"
/ip dhcp-server lease
# Per-network DHCP options. The LAN network gets the router plus two external
# resolvers; Unifi-Default gets only the external resolvers (consistent with
# the input chain, which never accepts DNS from ether6). No network is defined
# for 10.50.3.x/10.70.3.x beyond the /16 entries here.
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=212.54.40.25,212.54.44.54,10.10.0.254
domain=TES-Com.nl gateway=10.10.0.254 netmask=16
add address=10.50.0.0/16 dns-server=10.50.0.254,8.8.8.8 domain=TES-Com.CAM
gateway=10.50.0.254
add address=10.70.0.0/16 dns-server=10.70.0.254,8.8.8.8 domain=TES-Com.GAST
gateway=10.70.0.254 netmask=16
add address=192.168.0.0/16 dns-server=212.54.40.25,212.54.44.54 domain=
TES-Com.default gateway=192.168.0.254 netmask=16
# The router answers DNS for clients; the input chain drops port 53 from the
# WAN list and everything else not from LAN, so it is not an open resolver.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d
/ip dns static
add address=10.10.0.254 name=router.lan
add address=10.10.0.254 name=Security.tes-com.nl ttl=82w5d11h3m28s
add address=159.148.147.205 disabled=yes name=upgrade.microstik.com
# Address lists. "bogons" is used by the forward rule "Drop Bogons" as a
# DESTINATION match. It deliberately omits 10.0.0.0/8 (the internal networks)
# but includes 172.16.0.0/12 and 192.168.0.0/16 — the entries' own comments
# say to check before enabling them. 192.168.0.0/16 is the Unifi-Default
# network, so replies to those clients are dropped; remove that entry (or
# accept the Unifi network before the drop rule).
/ip firewall address-list
add address=10.50.1.1 list="Security Server"
add address=10.10.0.254 list=Routers
add address=10.10.6.0/24 list=Kinderen
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you
need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you
_need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
# Per-household policy groups (subnets of the 10.10.0.0/16 LAN) referenced
# by the filter rules below.
add address=10.10.6.0/24 list=Block-Porn
add address=10.10.5.0/24 list=Ouders
add address=10.10.1.2 list=Home-Assistant
add address=10.10.7.0/24 list=Domotica
add address=10.50.0.0/16 list="Security netwerk"
add address=10.10.6.4 list=Wouter
add address=10.10.6.2 list="Telefoon Bram"
add address=10.10.2.0/24 list=Printers
add address=10.10.20.0/24 list=NASSEN
# Firewall filter. Rules are evaluated top-down per chain. The forward chain
# has no final drop, so anything not matched is accepted by default — in
# particular there is no rule blocking Gasten (guest) or Unifi-Default
# traffic into the LAN or CAM networks; add explicit drops if isolation is
# intended. Order-sensitive issues are noted at the rules concerned.
/ip firewall filter
add action=drop chain=forward disabled=yes src-address-list=Kinderen
# LAN <-> Unifi-Default and Unifi-Default -> WAN are accepted here; it is the
# RETURN packets to 192.168.x.x that the later "Drop Bogons" rule discards.
add action=accept chain=forward in-interface="LAN Bridge" out-interface=
"Unifi-Default (ether6)"
add action=accept chain=forward in-interface="Unifi-Default (ether6)"
out-interface="LAN Bridge"
add action=accept chain=forward in-interface="Unifi-Default (ether6)" log=yes
log-prefix=unifi out-interface="WAN (ether1)"
# Printer egress: DNS, SMTP/submission to WAN, then everything else from
# Printers (logged). dst-address-list="" is an empty matcher — whether it
# matches nothing or everything should be verified; it is probably a mistake.
add action=accept chain=forward dst-port=53 protocol=tcp src-address-list=
Printers
add action=accept chain=forward dst-port=53 protocol=udp src-address-list=
Printers
add action=accept chain=forward dst-address-list="" dst-port=25,587 log=yes
log-prefix=email out-interface="WAN (ether1)" protocol=tcp
src-address-list=Printers
add action=accept chain=forward log=yes log-prefix=printers src-address-list=
Printers
# L2TP/IPsec from WAN: ESP plus UDP 500/1701/4500. The interface-unrestricted
# copies below ("allow IPsec NAT", "allow IKE", "allow l2tp", "allow sstp")
# make these redundant; keep one set, preferably this WAN-scoped one.
add action=accept chain=input comment="PPTP VPN" in-interface="WAN (ether1)"
protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=
"WAN (ether1)" protocol=udp
# fasttrack-connection only MARKS the connection; the matching packet keeps
# walking the chain. The defconf "accept established,related,untracked"
# companion rule further down is disabled, so established traffic still has
# to survive every remaining forward rule, including "Drop Bogons".
add action=fasttrack-connection chain=forward comment=
"FastTrack: established & related" connection-state=established,related
add action=accept chain=forward disabled=yes out-interface-list=WAN
src-address=10.10.7.0/24
# VPN ports accepted from ANY interface (no in-interface match).
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
# Drops sources on the "port scanners" list. The rules that populate that
# list sit near the END of the input chain, after "drop all not coming from
# LAN", so WAN-side scanners never reach them — only LAN hosts can be listed.
add action=drop chain=input comment="dropping port scanners"
src-address-list="port scanners"
add action=accept chain=forward dst-port=49152-65535 protocol=udp
src-address-list=Kinderen
add action=accept chain=forward comment="Allowed Internet Protocols"
connection-bytes=0-10000 dst-port=21,80,443,53 protocol=tcp
src-address-list=Kinderen
# Guest -> WAN. Nothing below drops Gasten -> LAN/CAM, and the chain default
# is accept, so guests can currently reach the internal networks.
add action=accept chain=forward in-interface="Gasten (ether8)" out-interface=
"WAN (ether1)"
add action=accept chain=forward comment="Block Mail Protocol" disabled=yes
src-address=10.10.5.1
# Refuses DNS queries from the internet (the resolver has
# allow-remote-requests=yes). log-prefix is set but log=yes is not.
add action=drop chain=input comment="defconf: Drop All External DNS Requests"
dst-port=53 in-interface-list=WAN log-prefix=DROP-DNS protocol=udp
add action=drop chain=input dst-port=53 in-interface-list=WAN log-prefix=
DROP-DNS protocol=tcp
# Comment says "accept ICMP" but the action is drop: ping from the WAN side
# is dropped. Fix the comment (or the action) so the two agree.
add action=drop chain=input comment="defconf: accept ICMP" in-interface=
"WAN (ether1)" protocol=icmp
# Drops every other packet addressed TO the router that did not arrive on an
# interface in list LAN. List LAN holds only "LAN Bridge", so hosts on CAM,
# Gasten and Unifi-Default cannot ping (or otherwise reach) the router —
# matching symptom 2 in the post. Traceroute presumably still shows the hop
# because TTL-exceeded replies are generated while forwarding, not via the
# input chain. Accept ICMP from the other internal interfaces above this rule
# if that is wanted. Input rules placed below this one only ever see LAN
# Bridge traffic.
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related disabled=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked disabled=yes
# Matches on DESTINATION. "bogons" contains 192.168.0.0/16, so every packet
# forwarded toward a Unifi-Default client (including replies from the
# internet) is dropped here — the most likely cause of symptom 3. Remove
# 192.168.0.0/16 from the list or accept dst 192.168.0.0/16 before this rule.
add action=drop chain=forward comment="Drop Bogons" dst-address-list=bogons
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=accept chain=forward src-address-list=NASSEN
# Access to the security server / camera network for specific groups.
add action=accept chain=forward dst-address-list="Security Server" dst-port=
3389 protocol=tcp src-address-list=Ouders
add action=accept chain=forward dst-address-list="Security Server" dst-port=
7080,7443,7445,7446,7447,10001 log-prefix=Unifi-Video protocol=tcp
src-address-list=Ouders
add action=accept chain=forward dst-address-list="Security netwerk" dst-port=
7080,7443,7445,7446,7447,10001 log-prefix=Unifi-Video protocol=tcp
src-address-list=Domotica
add action=accept chain=forward dst-address-list="Security Server" log=yes
log-prefix=Unifi-Video protocol=tcp src-address-list=Home-Assistant
# CAM -> LAN allowed, LAN -> CAM dropped (except the specific accepts above).
add action=accept chain=forward in-interface="CAM Bridge" out-interface=
"LAN Bridge"
add action=drop chain=forward in-interface="LAN Bridge" out-interface=
"CAM Bridge"
# Web UI on the router only for Ouders; paired with the port-80 input drop at
# the bottom of the chain. Reachable from LAN Bridge only (see the !LAN drop).
add action=accept chain=input dst-address-list=Routers dst-port=80 protocol=
tcp src-address-list=Ouders
add action=accept chain=forward in-interface="LAN Bridge" log-prefix=
WAN-TRAFFIC out-interface="WAN (ether1)"
# The rule that actually shields the internal networks from unsolicited
# inbound WAN connections; only connection-state=new is matched.
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# Port-scan detection. These sit after "drop all not coming from LAN", so
# they never see WAN traffic; move them above that drop for them to matter.
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="Port scanners to list "
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan"
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# src-address-list="" is another empty matcher — verify its effect.
add action=accept chain=forward in-interface="LAN Bridge" out-interface=
"WAN (ether1)" src-address-list=""
# Blocks the HTTP management UI for everyone not accepted earlier (Ouders).
add action=drop chain=input dst-port=80 log=yes log-prefix=DROP-ALL protocol=
tcp
add action=accept chain=forward connection-bytes=0-10000 src-address-list=
Kinderen
# NAT. Two port-forwards expose internal hosts to the internet on WAN:
# 10.10.1.254:8080 ("SABNZB External", logged) and 10.10.1.2:32400 (unlogged).
# The filter rule "drop all from WAN not DSTNATed" lets exactly these through;
# consider restricting src-address if the remote peers are known.
# The "Block-PORN" DNS redirect is disabled.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes log=yes log-prefix=Block-PORN
protocol=udp src-address-list=Block-Porn to-addresses=199.85.126.20
to-ports=53
add action=dst-nat chain=dstnat comment="SABNZB External" dst-port=8080
in-interface="WAN (ether1)" log=yes log-prefix=NZB protocol=tcp
to-addresses=10.10.1.254 to-ports=8080
add action=dst-nat chain=dstnat dst-port=32400 in-interface="WAN (ether1)"
protocol=tcp to-addresses=10.10.1.2 to-ports=32400
# Matches 192.168.89.0/24 only; the VPN pool is 10.99.0.0/16 and the ppp
# secrets use 10.10.11.x, so this rule most likely never matches anything.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
# MAC -> kid-control user bindings (profiles are disabled, see above).
/ip kid-control device
add mac-address=08:78:08:17:1E:DE name="Laptop Wouter" user=Wouter
add mac-address=08:78:08:17:1E:C6 name="Mobiel Bram" user=Bram
add mac-address=8C:70:5A:D0:5D:3C name="Laptop Bram" user=Bram
add mac-address=4E:D8:98:C1:07:8C name="Wouter Mobiel" user=Wouter
add mac-address=FC:F8:AE:0C:CA:60 name="Laptop Wouter 2" user=Wouter
add mac-address=4C:66:41:5A:A5:D5 name="Bram Mobiel" user=Bram
# Management services restricted to the 10.10.0.0/16 LAN; telnet, ftp and
# api-ssl are disabled. www/www-ssl also list 192.168.1.0/24, but the input
# chain drops everything from ether6 (not in list LAN) and drops port 80
# except from Ouders, so that allowance is not reachable in practice.
/ip service
set telnet address=10.10.0.0/16 disabled=yes
set ftp address=10.10.0.0/16 disabled=yes
set www address=10.10.0.0/16,192.168.1.0/24
set ssh address=10.10.0.0/16
set www-ssl address=10.10.0.0/16,192.168.1.0/24
set api address=10.10.0.0/16
set winbox address=10.10.0.0/16
set api-ssl address=10.10.0.0/16 disabled=yes
/ip ssh
set strong-crypto=yes
# IPv6: the WAN DHCPv6 client is disabled, so the stock "defconf" IPv6
# firewall below is not currently in the traffic path. It is the RouterOS
# default set (bad-prefix lists, ICMPv6/IKE/IPsec accepts, drop !LAN) and is
# left as exported.
/ipv6 dhcp-client
add add-default-route=yes disabled=yes interface="WAN (ether1)" pool-name=
IPv6-local-pool request=address,prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
# Note the same !LAN interface-list semantics as IPv4: only "LAN Bridge" is
# in list LAN, so the other internal segments would be dropped here too.
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=
33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
# Front-panel LCD: read-only, touch disabled.
/lcd
set backlight-timeout=never default-screen=stat-slideshow read-only-mode=yes
touch-screen=disabled
# The LCD PIN is exported in clear text and is now public along with this
# post — change it.
/lcd pin
set pin-number=9086
# VPN users. Per-secret local/remote addresses (10.10.11.x) override the
# profile's pool. Passwords are not present in this export (it appears to
# have been produced with sensitive values hidden).
/ppp secret
add local-address=10.10.11.1 name=Ronald profile=PPTP-Profile remote-address=
10.10.11.11
add local-address=10.10.11.2 name=Ilona profile=PPTP-Profile remote-address=
10.10.11.12
# SNMPv2c traps to 10.10.5.1 using the "Monitor" community (clear text on
# the wire; the LAN-only community restriction above is what contains it).
/snmp
set contact="Ronald Bok" enabled=yes engine-id=RB2011UiAs location=
"Rack Zolder" trap-community=Monitor trap-interfaces=all trap-version=2
/system clock
set time-zone-name=Europe/Amsterdam
# Serial console disabled — good physical-access hardening.
/system console
set [ find ] disabled=yes
/system identity
set name=VuurMuur
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set "CAM Bridge" disabled=yes display-time=5s
set "LAN Bridge" disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set "WAN (ether1)" disabled=yes display-time=5s
set "LAN 1 (ether2)" disabled=yes display-time=5s
set "LAN 2 (ether3)" disabled=yes display-time=5s
set "CAM 1 (ether4)" disabled=yes display-time=5s
set "CAM 2 (ether5)" disabled=yes display-time=5s
set "Unifi-Default (ether6)" disabled=yes display-time=5s
set "(ether7) Defect ?" disabled=yes display-time=5s
set "Gasten (ether8)" disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set "ethernet 10" disabled=yes display-time=5s
# RouterBOARD firmware is upgraded automatically to match the RouterOS
# package on reboot.
/system routerboard settings
set auto-upgrade=yes
# Runs the FREEDNS script every 30 minutes. The scheduler policy includes
# password, sniff and sensitive, which is broader than a fetch-and-log job
# appears to need; trim it to what the script actually requires.
/system scheduler
add interval=30m name="Update Free-DNS" on-event="/system script run FREEDNS"
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=mar/23/2020 start-time=12:35:38
# Dynamic-DNS updater for afraid.org. The source string below embeds the
# account's update URL; that URL IS the credential for the hostname and is
# now public with this post — regenerate it on the afraid.org side. Both
# fetches use plain http (icanhazip.com for the public IP, sync.afraid.org
# for the update), so either exchange could be altered in transit; switch to
# https where the service supports it. Logic: fetch the public IP to
# /whatsMyIP.txt, scan the contents backwards for the trailing "\n", take the
# text before it as the current IP, and call the update URL only when
# [:resolve $afraidDomain] differs. The script policy includes
# password/sniff/sensitive, which looks broader than this job needs.
/system script
add dont-require-permissions=no name=FREEDNS owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#
_Author: MasterJames \r
\n# Date: 2016:06:10\r
\n# Corp: SparcAsia Holdings Inc.\r
\n\r
\n:global afraidDomain "tes-com1.mooo.com"\r
\n:global domainUpdateLink "http://sync.afraid.org/u/VEtsbxD5RSxfBQjMhTCP\
Rvyz/"\r
\n\r
\n/tool fetch url="http://icanhazip.com/\" dst-path="/whatsMyIP.txt";\r
\n:global pubIP [/file get whatsMyIP.txt contents]\r
\n\r
\n:for i from=( [:len $pubIP] - 1 ) to=0 do={ \r
\n :if ( [:pick $pubIP $i] = "\n") do={ \r
\n :global curIP [:pick $pubIP 0 $i];\r
\n :if ([:resolve $afraidDomain] != $curIP) do={\r
\n /tool fetch url="$domainUpdateLink" keep-result=no;\r
\n :log info "Afraid.org Update: $afraidDomain - $curIP";\r
\n } else={\r
\n :log info "Afraid.org: does NOT need updating: $curIP";\r
\n }\r
\n } \r
\n}"
# Bandwidth-test server off and MAC-level access (MAC telnet, MAC WinBox,
# MAC ping) disabled on all interfaces — good hardening defaults.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=user-manager