Hello all,
I’ve been learning networking with Mikrotik products and I think I have reached the end of where I am able to competently judge if my setup is working properly. It's working (including the wifi), everything connects, I can use the internet as normal, but I don't know if I’m missing something or have done something stupid or unsafe. I would very kindly ask for your help with a quick sanity/security check, as a checkpoint so I can experiment on my own further knowing I have a safe and secure configuration.
Details:
- The network is router on a stick, with RB4011(wifi) as router, CRS328-24p-4s as central switch, and cAP-ax as wAP (currently have one and learning with it, but planning for 2-3 more).
- The network is connected to ISP router via the 5ghz radios on the RB4011 as I cannot run ethernet between them, just to explain that little oddity. The ISP router is operating as a normal ISP router, so that the rest of the household devices aren’t reliant on my learning, with my little network behind the RB4011.
- Once I move, the goal is to have a more normal setup, with ISP modem and RB4011(radios off) handling all the routing/firewall.
- This is why I've attempted the CAPsMAN, but if this is nuts for 3-4 wAP then please say.
- I'm intending to implement WireGuard for things like NextCloud, and VLANs for Guest, IoT, Management, etc., but haven't gotten there yet.
Configs:
RB4011
model = RB4011iGS+5HacQ2HnD
serial number = XXXXX
/interface bridge add admin-mac=A:B:C:D:E:FB auto-mac=no comment=defconf name=bridge
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wifi channel add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=ch-2g skip-dfs-channels=all width=20mhz
/interface wifi channel add band=5ghz-ax disabled=no frequency=5180,5220,5745,5785 name=ch-5g skip-dfs-channels=all width=20/40mhz-Ce
/interface wifi datapath add bridge=bridge disabled=no name=lan-dp
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=isp-psk
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=home-psk wps=disable
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=all .width=20/40/80+80mhz configuration.country=Netherlands .installation=indoor .mode=station .ssid=KPNA9C446 disabled=no name=wifi-isp security=isp-psk security.authentication-types=wpa2-psk,wpa3-psk
/interface wifi steering add disabled=no name=steering-internal rrm=yes wnm=yes
/interface wifi steering add disabled=no name=steering-guests rrm=yes wnm=yes
/interface wifi configuration add channel=ch-5g channel.skip-dfs-channels=all country=Netherlands datapath=lan-dp disabled=no mode=ap name=cfg-5 security=home-psk security.authentication-types=wpa3-psk .ft=yes .ft-over-ds=yes ssid=LekkerBeer steering=steering-internal steering.rrm=yes .wnm=yes
/interface wifi configuration add channel=ch-2g channel.skip-dfs-channels=all country=Netherlands datapath=lan-dp disabled=no mode=ap name=cfg-2 security=home-psk security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes ssid=LekkerBeer steering=steering-internal steering.rrm=yes .wnm=yes
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/port set 0 name=serial0
/port set 1 name=serial1
/disk settings set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=ether6
/interface bridge port add bridge=bridge comment=defconf interface=ether7
/interface bridge port add bridge=bridge comment=defconf interface=ether8
/interface bridge port add bridge=bridge comment=defconf interface=ether9
/interface bridge port add bridge=bridge comment=defconf interface=ether10
/interface bridge port add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface bridge port add bridge=bridge comment=defconf disabled=yes interface=wifi-isp
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip settings set rp-filter=strict
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=wifi-isp list=WAN
/interface wifi capsman set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=cfg-5 supported-bands=5ghz-ax
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=cfg-2 supported-bands=2ghz-ax
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf default-route-tables=main disabled=yes interface=ether1
/ip dhcp-client add default-route-tables=main interface=wifi-isp use-peer-ntp=no
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment="Multicast - Disabled for HomeAssistant" disabled=yes list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall address-list add address=192.168.88.2-192.168.88.254 comment="Only Allows LAN Router access" list=allowed_to_router
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=accept chain=input comment="Firewall Hardening - Limit router access to only LAN" src-address-list=allowed_to_router
/ip firewall filter add action=drop chain=forward comment="Firewall Hardening - Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service set ftp disabled=yes
/ip service set ssh address=192.168.88.0/24
/ip service set telnet disabled=yes
/ip service set www disabled=yes
/ip service set winbox address=192.168.88.0/24
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set strong-crypto=yes
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock set time-zone-name=Europe/Amsterdam
/system identity set name=RB4011
/system ntp client set enabled=yes
/system ntp server set enabled=yes
/system ntp client servers add address=pool.ntp.org
/system ntp client servers add address=time.cloudflare.com
/system routerboard settings set auto-upgrade=yes
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
CRS328
model = CRS328-24P-4S+
serial number = XXXXX
/interface bridge add admin-mac=A:B:C:D:E:B6 auto-mac=no comment=defconf name=bridge
/port set 0 name=serial0
/interface bridge port add bridge=bridge comment=defconf interface=ether1
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=ether6
/interface bridge port add bridge=bridge comment=defconf interface=ether7
/interface bridge port add bridge=bridge comment=defconf interface=ether8
/interface bridge port add bridge=bridge comment=defconf interface=ether9
/interface bridge port add bridge=bridge comment=defconf interface=ether10
/interface bridge port add bridge=bridge comment=defconf interface=ether11
/interface bridge port add bridge=bridge comment=defconf interface=ether12
/interface bridge port add bridge=bridge comment=defconf interface=ether13
/interface bridge port add bridge=bridge comment=defconf interface=ether14
/interface bridge port add bridge=bridge comment=defconf interface=ether15
/interface bridge port add bridge=bridge comment=defconf interface=ether16
/interface bridge port add bridge=bridge comment=defconf interface=ether17
/interface bridge port add bridge=bridge comment=defconf interface=ether18
/interface bridge port add bridge=bridge comment=defconf interface=ether19
/interface bridge port add bridge=bridge comment=defconf interface=ether20
/interface bridge port add bridge=bridge comment=defconf interface=ether21
/interface bridge port add bridge=bridge comment=defconf interface=ether22
/interface bridge port add bridge=bridge comment=defconf interface=ether23
/interface bridge port add bridge=bridge comment=defconf interface=ether24
/interface bridge port add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface bridge port add bridge=bridge comment=defconf interface=sfp-sfpplus2
/interface bridge port add bridge=bridge comment=defconf interface=sfp-sfpplus3
/interface bridge port add bridge=bridge comment=defconf interface=sfp-sfpplus4
/ip address add address=192.168.88.2/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add default-route-tables=main disabled=yes interface=bridge use-peer-ntp=no
/ip dns set servers=192.168.88.1,1.1.1.1
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main suppress-hw-offload=no
/ip service set ftp disabled=yes
/ip service set ssh address=192.168.88.0/24
/ip service set telnet disabled=yes
/ip service set www disabled=yes
/ip service set winbox address=192.168.88.0/24
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Europe/Amsterdam
/system identity set name=CRS328-LAN
/system ntp client set enabled=yes
/system ntp client servers add address=192.168.88.1
/system ntp client servers add address=pool.ntp.org
/system routerboard settings set auto-upgrade=yes enter-setup-on=delete-key
cAP ax
# model = cAPGi-5HaxD2HaxD
# serial number = XXX
/interface bridge add admin-mac=A:B:C:D:E:16 auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN A:B:C:D:E:FB%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: LekkerBeer, channel: 5745/ax/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no
/interface wifi
# managed by CAPsMAN A:B:C:D:E:FB%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: LekkerBeer, channel: 2412/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether1
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client add comment=defconf interface=bridgeLocal
/ip service set ftp disabled=yes
/ip service set ssh address=192.168.88.0/24
/ip service set telnet disabled=yes
/ip service set www disabled=yes
/ip service set winbox address=192.168.88.0/24
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Europe/Amsterdam
/system identity set name=cAP-ax1
/system ntp client set enabled=yes
/system ntp client servers add address=192.168.88.1
/system ntp client servers add address=pool.ntp.org
/system routerboard settings set auto-upgrade=yes
I hope this is enough detail, and as an aside I wanted to say thank you to all of you who bother helping the beginners. Your comments on other posts have helped me get this far, and you were very kind with your time.
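Added example (not part of the post above): a small checker that parses the `/ip firewall filter add` lines of a RouterOS export and reports accept rules with no later drop/reject in their chain, since RouterOS accepts by default when a chain runs out of rules and such an accept therefore restricts nothing. Run on the RB4011 input chain from the post, it flags the allowed_to_router rule; the helper names are my own.

```python
import shlex
from typing import Dict, List

# Constructed sample: the RB4011 input-chain rules from the post, in export order,
# plus one forward rule to show that other chains are ignored.
SAMPLE_EXPORT = """
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Firewall Hardening - Limit router access to only LAN" src-address-list=allowed_to_router
"""

# Keys that do not match on packets; any other key narrows the rule.
NON_MATCH_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}
TERMINAL = {"drop", "reject", "tarpit"}


def parse_filter_rules(export: str) -> List[Dict[str, str]]:
    """Return '/ip firewall filter add' lines as key->value dicts, keeping export order."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)  # handles comment="..." quoting
        if tokens[:4] != ["/ip", "firewall", "filter", "add"]:
            continue
        rule: Dict[str, str] = {}
        for tok in tokens[4:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def chain(rules: List[Dict[str, str]], name: str) -> List[Dict[str, str]]:
    """Enabled rules of one chain, in evaluation order."""
    return [r for r in rules if r.get("chain") == name and r.get("disabled") != "yes"]


def ineffective_accepts(rules: List[Dict[str, str]], name: str) -> List[str]:
    """Comments of accept rules that no later drop/reject in the chain could override."""
    ch = chain(rules, name)
    found = []
    for i, rule in enumerate(ch):
        if rule.get("action") != "accept":
            continue
        if not any(later.get("action") in TERMINAL for later in ch[i + 1:]):
            found.append(rule.get("comment", "<no comment>"))
    return found


def ends_with_catch_all_drop(rules: List[Dict[str, str]], name: str) -> bool:
    """True if the chain's last rule drops everything (no match conditions at all)."""
    ch = chain(rules, name)
    return bool(ch) and ch[-1].get("action") in TERMINAL and not (set(ch[-1]) - NON_MATCH_KEYS)


if __name__ == "__main__":
    parsed = parse_filter_rules(SAMPLE_EXPORT)
    print("ineffective input accepts:", ineffective_accepts(parsed, "input"))
    print("input ends with catch-all drop:", ends_with_catch_all_drop(parsed, "input"))
```

A catch-all `/ip firewall filter add action=drop chain=input` placed after the allowed_to_router accept is what makes that list enforceable; confirm from a LAN host that SSH/Winbox, DNS and the CAPsMAN join still work before relying on it.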