Hi, I am trying to configure hAP ax2. I have to admit that I did not know much about Mikrotik configuration at the beginning, so please forgive me for simple errors. I love this device, but I do not yet understand all the features and relation between them.
My goal is is set up such a configuration
port 1, management subnet defaults to Mikrotik, access to all networks
port 2, WAN 1 - 5G modem
port 3, WAN 2 - backup 4G modem
port 4, trunk all vlans for the switch
port 5, vlan private, no tagging
I need 3 wifi ( 6 SSIDs ) for different purposes
MAL-P vlan 11, private , highest priority
MAL-I vlan 12, iOT lowe priority speed limit 1/1M
MAL-G vlan 13 , guest lowest priority and speed limit 20/5
VLAN 12, 13 should be isolated
I need Capsman now it is wifiwave2 for future APs. Right now, I will start only with internal wifi, but later, more APs will be added. So I need a configuration covering it.
I am trying to fix the script, even asking chatgpt,grok gemini, but they can not fix the problem, contradict themselves, and mess more with the script. I just need to upload, and later add more modifications.
# ================================
# CLEANUP
# ================================
/system reset-configuration no-defaults=yes skip-backup=yes
# ================================
# INTERFACES & WAN SETUP
# ================================
/interface ethernet
set [find default-name=ether1] name=MGMT
set [find default-name=ether2] name=WAN1
set [find default-name=ether3] name=WAN2
set [find default-name=ether4] name=TRUNK
set [find default-name=ether5] name=ACCESS
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=TRUNK list=LAN
add interface=ACCESS list=LAN
add interface=MGMT list=LAN
/ip dhcp-client
add interface=WAN1 use-peer-dns=no add-default-route=yes default-route-distance=1
add interface=WAN2 use-peer-dns=no add-default-route=yes default-route-distance=2
# ================================
# VLAN SETUP
# ================================
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan11-private vlan-id=11
add interface=bridge name=vlan12-iot vlan-id=12
add interface=bridge name=vlan13-guest vlan-id=13
/interface bridge port
add interface=TRUNK bridge=bridge frame-types=admit-only-vlan-tagged
add interface=ACCESS bridge=bridge pvid=11 frame-types=admit-only-untagged-and-priority-tagged
add interface=MGMT bridge=bridge
add interface=wifi1-private bridge=bridge
add interface=wifi1-iot bridge=bridge
add interface=wifi1-guest bridge=bridge
add interface=wifi2-private bridge=bridge
add interface=wifi2-iot bridge=bridge
add interface=wifi2-guest bridge=bridge
/interface bridge vlan
add bridge=bridge vlan-ids=11 tagged=bridge,TRUNK untagged=ACCESS
add bridge=bridge vlan-ids=12 tagged=bridge,TRUNK
add bridge=bridge vlan-ids=13 tagged=bridge,TRUNK
# ================================
# IP ADDRESSES
# ================================
/ip address
add address=192.168.88.1/24 interface=MGMT
add address=192.168.8.1/24 interface=vlan11-private
add address=192.168.7.1/24 interface=vlan12-iot
add address=192.168.6.1/24 interface=vlan13-guest
# ================================
# DHCP SERVERS
# ================================
/ip pool
add name=pool-private ranges=192.168.8.10-192.168.8.254
add name=pool-iot ranges=192.168.7.10-192.168.7.254
add name=pool-guest ranges=192.168.6.10-192.168.6.254
add name=pool-mgmt ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=dhcp-private interface=vlan11-private address-pool=pool-private disabled=no
add name=dhcp-iot interface=vlan12-iot address-pool=pool-iot disabled=no
add name=dhcp-guest interface=vlan13-guest address-pool=pool-guest disabled=no
add name=dhcp-mgmt interface=MGMT address-pool=pool-mgmt disabled=no
/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1 dns-server=94.140.14.14,94.140.15.15
add address=192.168.7.0/24 gateway=192.168.7.1 dns-server=94.140.14.140,94.140.14.141
add address=192.168.6.0/24 gateway=192.168.6.1 dns-server=94.140.14.15,94.140.15.16
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=94.140.14.14,94.140.15.15
# ================================
# NAT
# ================================
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
# ================================
# FIREWALL RULES
# ================================
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=forward action=accept connection-state=established,related comment="Allow Established"
add chain=forward action=fasttrack-connection connection-state=established,related comment="FastTrack"
# Drop inter-VLAN routing
add chain=forward src-address=192.168.8.0/24 dst-address=192.168.7.0/24 action=drop comment="Block VLAN1 to VLAN2"
add chain=forward src-address=192.168.8.0/24 dst-address=192.168.6.0/24 action=drop comment="Block VLAN1 to VLAN3"
add chain=forward src-address=192.168.7.0/24 dst-address=192.168.8.0/24 action=drop comment="Block VLAN2 to VLAN1"
add chain=forward src-address=192.168.7.0/24 dst-address=192.168.6.0/24 action=drop comment="Block VLAN2 to VLAN3"
add chain=forward src-address=192.168.6.0/24 dst-address=192.168.8.0/24 action=drop comment="Block VLAN3 to VLAN1"
add chain=forward src-address=192.168.6.0/24 dst-address=192.168.7.0/24 action=drop comment="Block VLAN3 to VLAN2"
# Allow WAN traffic
add chain=forward out-interface=WAN1 action=accept
add chain=forward out-interface=WAN2 action=accept
# ================================
# QUEUE SETUP (QoS)
# ================================
/queue simple
add name=queue-private target=192.168.8.0/24 max-limit=0/0 priority=1/1
add name=queue-iot target=192.168.7.0/24 max-limit=1M/1M priority=5/5
add name=queue-guest target=192.168.6.0/24 max-limit=20M/5M priority=8/8
# ================================
# WIFIWAVE2 CONFIGURATION
# ================================
/interface wifiwave2 configuration
add name=cfg-private ssid="MAL-P" security.authentication-types="wpa2-psk,wpa3-psk" security.psk=QAZzxcv8 vlan-id=11
add name=cfg-iot ssid="MAL-I" security.authentication-types="wpa2-psk,wpa3-psk" security.psk=QAZzxcv8 vlan-id=12 isolate-client=yes
add name=cfg-guest ssid="MAL-G" security.authentication-types="wpa2-psk,wpa3-psk" security.psk=QAZzxcv8 vlan-id=13 isolate-client=yes
/interface wifiwave2
set [find default-name=wifi1] configuration=cfg-private disabled=no
add configuration=cfg-iot disabled=no name=wifi1-iot
add configuration=cfg-guest disabled=no name=wifi1-guest
add configuration=cfg-private disabled=no name=wifi2-private
add configuration=cfg-iot disabled=no name=wifi1-iot
add configuration=cfg-guest disabled=no name=wifi2-guest
# ================================
# SCHEDULER: AUTOMATIC STABLE UPDATES AT 3 AM
# ================================
/system package update
set channel=stable
/system scheduler
add name=auto-update interval=1d start-time=03:00:00 on-event="/system package update check-for-updates once; /system package update install; /system reboot"
# ================================
# SECURITY HARDENING
# ================================
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# ================================
# WATCHDOG FOR STABILITY
# ================================
/system watchdog
set watchdog-timer=yes automatic-supout=no auto-send-supout=no
S33.rsc (6.42 KB)