Separate wireless networks, bridged to wired interface

okw · March 8, 2024, 1:38pm

Hello.

Short story: I want to separate two wireless networks and bridge(?) one of them to a wired interface, while upholding high security.

I have a 2011UiAS and 4 cAP ac running capsman. I also have 4 UniFi AP-AC Pro and some wired receipt printers (gastrofix POS). Todays setup works fine, but the UniFi’s have died one after one. Now I’m down to only 1(!) working. All cAP ac are just fine.
The cAP ac is giving guest wifi (dhcp), while the UniFi’s handle POS equipment (5 iPads and 4 iZettle, dhcp). Receipt printers are wired (with static IP).
The cAP ac’s are connected to a managed Mikrotik POE switch (eth3) to eliminate the POE dongles, while UniFi’s and receipt printers are all on an unmanaged switch (eth4) the cAP ac’s could also be on a unmanaged switch (separate), i just used what I had). Broadband on eth1, switch for office computers on eth2.
Everything works fine today.
However, I need to quickly replace the dead UniFi’s. So I was hoping to move the POS network over to my cAP ac’s and separate guest and POS network into vlans. And bridge wired and wireless POS vlans.
It’s very important that guests can’t access anything else on the net than internet. And of course outsiders can’t get into the network.

I’ve exported my current config and modified it to add the POS network (which was previously done locally in the UniFi APs). On the bottom is the current config.
Could someone check the script and tell me if I did something wrong, could be better or if I should set it up entirely different?
Also, I’m not sure if capsman has any pros or cons in my case? I might expand to 5 cAP ac’s in the near future. And running a script locally on each AP if I change config some times isn’t that big of a deal.

New, modified config (not tested yet).

# mar/07/2024 20:07:04 by RouterOS 6.49.13
# software id = TRSV-ISX2
#
# model = 2011UiAS
/caps-man channel
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G  tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G  tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G  tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G  tx-power=20


#previous config (only guest APs)
#/interface bridge
#add fast-forward=no name=AP_bridge
#add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment=TrustedBridge name=WorkBridge

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ]   disabled=yes

#/caps-man datapath
#add bridge=AP_bridge bridge-horizon=1 client-to-client-forwarding=no     local-forwarding=no name="My Public"

/interface vlan
add vlan-id=10 interface=eth2_kontor            name=EmployeeLAN_VLAN
add vlan-id=20 interface=eth3_MikrotikAPs       name=GuestWIFI_VLAN
add vlan-id=30 interface=eth3_MikrotikAPs       name=GastrofixWIFI_VLAN
add vlan-id=40 interface=eth4_gastrofix_wired   name=GastrofixLAN_VLAN

/interface bridge
add name=Gastrofix_bridge

/interface bridge port
add bridge=Gastrofix_bridge interface=GastrofixLAN_VLAN
add bridge=Gastrofix_bridge interface=GastrofixWIFI_VLAN

/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""

#5GHz
/caps-man configuration
add country=norway datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name="GastrofixConfig5G" distance=indoors installation=indoor mode=ap security.authentication-types=wpa-psk,wpa2-psk security.passphrase=Test1234 ssid="Gastrofix_5GHz"
add country=norway datapath.local-forwarding=no  datapath.vlan-id=20 datapath.vlan-mode=use-tag name="GuestPublicConfig5GHz"   distance=indoors installation=indoor mode=ap ssid="Public"
 

/caps-man interface
add channel=Ch36_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B name=5GHz-AP_Kontor
add channel=Ch40_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A name=5GHz-AP_Bar
#add channel=Ch44_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=xx master-interface=none radio-mac=xx radio-name=xx name=5GHz-AP_Messanin
add channel=Ch48_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D name=5GHz-AP_Chambre
 
add channel=Ch36_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B name=5GHz-AP_Kontor
add channel=Ch40_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A name=5GHz-AP_Bar
#add channel=Ch44_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=xx master-interface=none radio-mac=xx radio-name=xx name=5GHz-AP_Messanin
add channel=Ch48_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D name=5GHz-AP_Chambre
 
 #2.4GHz
/caps-man configuration
add country=norway datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name="GastrofixConfig24G" distance=indoors installation=indoor mode=ap security.authentication-types=wpa-psk,wpa2-psk security.passphrase=Test1234 ssid="Gastrofix_2.4GHz" rates="GN Only - No B rates"
add country=norway datapath.local-forwarding=no  datapath.vlan-id=20 datapath.vlan-mode=use-tag name="GuestPublicConfig24GHz"   distance=indoors installation=indoor mode=ap ssid="Public" rates="GN Only - No B rates"


/caps-man interface
add channel=Ch01_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19 name=2.4GHz-AP_Bar
add channel=Ch06_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A name=2.4GHz-AP_Kontor
add channel=Ch11_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C name=2.4GHz-AP_Chambre
#channel 12 or 13: add channel=Ch12_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=xx master-interface=none name=2.4GHz-AP_Messanin radio-mac=xx radio-name=xx
 
add channel=Ch01_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19 name=2.4GHz-AP_Bar
add channel=Ch06_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A name=2.4GHz-AP_Kontor
add channel=Ch11_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C name=2.4GHz-AP_Chambre
#channel 12 or 13: add channel=Ch12_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=xx master-interface=none name=2.4GHz-AP_Messanin radio-mac=xx radio-name=xx



/interface list
add name=WAN
add name=LAN
add name=WinboxAccess

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
add name=guest_dhcp_pool     ranges=192.168.88.20-192.168.88.250

/ip dhcp-server
add address-pool=gastrofix_dhcp_pool disabled=no interface=GastrofixWIFI_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
add address-pool=guest_dhcp_pool disabled=no interface=GuestWIFI_VLAN lease-time=2h59m  name=guest_dhcp_server

/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"

/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept"  disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""


/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=eth3_MikrotikAPs


/caps-man provisioning
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=gn master-configuration="GastrofixConfig24G"     name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios"  hw-supported-modes=ac master-configuration="GastrofixConfig5G"      name-format=prefix-identity name-prefix=5GHz-
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=gn master-configuration="GuestPublicConfig24GHz" name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios"  hw-supported-modes=ac master-configuration="GuestPublicConfig5GHz"  name-format=prefix-identity name-prefix=5GHz-

#/interface bridge port
#add bridge=AP_bridge interface=eth3_MikrotikAPs

/ip neighbor discovery-settings
#set discover-interface-list=all lldp-med-net-policy-vlan=1
set discover-interface-list=WinboxAccess


/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth3_MikrotikAPs list=LAN ##needed?
add interface=eth4_gastrofix_wired list=LAN
#add interface=AP_bridge list=LAN
add interface=eth2_kontor list=WinboxAccess
#add interface=GastrofixWIFI_VLAN list=WinboxAccess

/ip address
add address=x.x.x.x/24 network=x.x.x.0 interface=eth1_WAN #public IP hidden in forum
add address=192.168.1.1/24    network=192.168.1.0  interface=eth2_kontor
add address=192.168.7.1/24    network=192.168.7.0  interface=eth4_gastrofix_wired
add address=192.168.88.1/24   network=192.168.88.0 interface=GuestWIFI_VLAN
#add address=192.168.8.1/24   network=192.168.8.0  interface=ether5

/ip arp
add address=192.168.7.41 interface=GastrofixWIFI_VLAN mac-address=FE:67:3A:11:0F:D0
#add address=192.168.7.41 interface=eth4_gastrofix_wired mac-address=FE:67:3A:11:0F:D0

/ip cloud
set update-time=no

/ip dhcp-server lease
add address=192.168.7.247 client-id=1:78:8a:20:4b:4:a6 mac-address=78:8A:20:4B:04:A6 server=gastrofix_dhcp_server

/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
#add address=192.168.8.0/24 comment="DHCP for Gastrofix AP" dns-server=193.75.75.75,192.168.8.1 gateway=192.168.8.1
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=193.75.75.75,193.75.75.193 gateway=192.168.88.1


/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193

/ip firewall address-list
add list=AdminAccess address=192.168.1.0/24 
add list=bogons address=0.0.0.0/8
add list=bogons address=172.16.0.0/12
add list=bogons address=10.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=127.0.0.0/8
add list=bogons address=224.0.0.0/4
add list=bogons address=198.18.0.0/15
add list=bogons address=192.0.0.0/24
add list=bogons address=192.0.2.0/24
add list=bogons address=198.51.100.0/24
add list=bogons address=203.0.113.0/24
add list=bogons address=100.64.0.0/10
add list=bogons address=240.0.0.0/4
add list=bogons address=192.88.99.0/24

/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
#add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN to DNS-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="acceot local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
#add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"
/ip firewall nat
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface=eth1_WAN to-addresses=x.x.x.x #public IP hidden in forum
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface=eth1_WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=bogons

/ip route
add distance=1 gateway=x.x.x.x #public IP hidden in forum
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.1.20/32,192.168.1.21/32
#set winbox address=192.168.1.20/32,192.168.1.21/32,192.168.88.5/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system ntp client
set enabled=yes primary-ntp=79.160.13.250 secondary-ntp=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=WinboxAccess
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes

Current config which runs today (without wireless POS, vlan, etc):

# mar/07/2024 20:07:04 by RouterOS 6.49.13
# software id = TRSV-ISX2
#
# model = 2011UiAS
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=Ch11_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5180 name=Ch36_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5200 name=Ch40_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5220 name=Ch44_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5240 name=Ch48_20M_5G tx-power=20
/interface bridge
add fast-forward=no name=AP_bridge
add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment=TrustedBridge name=\
    WorkBridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/caps-man datapath
add bridge=AP_bridge bridge-horizon=1 client-to-client-forwarding=no \
    local-forwarding=no name="My Public"
/caps-man configuration
add country=norway datapath="My Public" distance=indoors frame-lifetime=\
    10ms installation=indoor mode=ap name="My Public 5GHz" ssid=\
    "My Restaurant"
add country=norway datapath="My Public" distance=indoors frame-lifetime=\
    10ms installation=indoor mode=ap name="My Public 2.4GHz" ssid=\
    "My Restaurant"
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=\
    9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/interface list
add name=WAN
add name=LAN
add name=WinboxAccess
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=gastrofix_dhcp ranges=192.168.7.120-192.168.7.254
add name=guest_dhcp ranges=192.168.88.10-192.168.88.250
add name=gastrofix_wifi_dhcp ranges=192.168.8.120-192.168.8.254
/ip dhcp-server
add address-pool=gastrofix_dhcp disabled=no interface=eth4_gastrofix \
    lease-time=23h59m59s name=gastrofix_dhcp
add address-pool=guest_dhcp disabled=no interface=AP_bridge lease-time=2h30m \
    name=guest_dhcp
add address-pool=gastrofix_wifi_dhcp disabled=no interface=ether5 lease-time=\
    23h59m59s name=gastrofix_wifi_dhcp
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" \
    disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" \
    disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=AP_bridge
/caps-man provisioning
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" \
    hw-supported-modes=gn master-configuration="My Public 2.4GHz" \
    name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" \
    hw-supported-modes=ac master-configuration="My Public 5GHz" \
    name-format=prefix-identity name-prefix=5GHz-
/interface bridge port
add bridge=AP_bridge interface=eth3_MikrotikAPs
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth4_gastrofix list=LAN
add interface=AP_bridge list=LAN
add interface=eth2_kontor list=WinboxAccess
add interface=eth4_gastrofix list=WinboxAccess
add interface=ether5 list=WinboxAccess
/ip address
add address=xxxx/24 interface=eth1_WAN network=xx.xxx
add address=192.168.1.1/24 interface=eth2_kontor network=192.168.1.0
add address=192.168.7.1/24 interface=eth4_gastrofix network=192.168.7.0
add address=192.168.88.1/24 interface=AP_bridge network=192.168.88.0
add address=192.168.8.1/24 interface=ether5 network=192.168.8.0
/ip arp
add address=192.168.7.41 interface=eth4_gastrofix mac-address=\
    FE:67:3A:11:0F:D0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=192.168.7.247 client-id=1:78:8a:20:4b:4:a6 mac-address=\
    78:8A:20:4B:04:A6 server=gastrofix_dhcp
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=\
    193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.8.0/24 comment="DHCP for Gastrofix AP" dns-server=\
    193.75.75.75,192.168.8.1 gateway=192.168.8.1
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=\
    193.75.75.75,193.75.75.193 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall address-list
add address=192.168.1.0/24 list=AdminAccess
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=accept chain=input comment="Admin Access to Router" \
    src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN to DNS-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
    dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    log=yes log-prefix="acceot local loopback CAPsMAN"
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local \
    src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
    "Allow all LAN (Office, Guest and POS) Traffic to Internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Port Fowarding if required" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"
/ip firewall nat
add action=src-nat chain=srcnat comment="Source_NAT for All Users" \
    ipsec-policy=out,none out-interface=eth1_WAN to-addresses=xxxxxx
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" \
    dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" \
    dst-port=53 protocol=udp
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none \
    out-interface=eth1_WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" \
    src-address-list=bogons
/ip route
add distance=1 gateway=xxxxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.1.20/32,192.168.1.21/32,192.168.88.5/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system ntp client
set enabled=yes primary-ntp=79.160.13.250 secondary-ntp=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=WinboxAccess
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes

TheCat12 · March 8, 2024, 6:18pm

Why don’t you combine your wired and wireless POS in one VLAN and bridge all of the used for VLAN ports and not the VLANs? In this you would utilize bridge VLAN and bind the POS and employee addresses to their respective VLANs:

/interface bridge
add name=bridge

/interface bridge port
add bridge=bridge interface=eth2_kontor pvid=10
add bridge=bridge interface=eth3_MikrotikAPs
add bridge=bridge interface=eth4_gastrofix_wired pvid=30

/interface vlan
add vlan-id=10 interface=bridge name=EmployeeLAN_VLAN
add vlan-id=20 interface=bridge name=GuestWIFI_VLAN
add vlan-id=30 interface=bridge name=Gastrofix_VLAN

/ip address
set [ find interface=eth2_kontor ] interface=EmployeeLAN_VLAN
set [ find interface=eth4_gastrofix ] interface=Gastrofix_VLAN
set [ find interface=AP_Bridge ] interface=GuestWIFI_VLAN

/interface bridge vlan
add bridge=bridge tagged=bridge,eth3_MikrotikAPs vlan-ids=20
add bridge=bridge tagged=bridge,eth3_MikrotikAPs vlan-ids=30

/interface bridge set vlan-filtering=yes frame-types=admit-only-vlan-tagged

Through this configuration you’ll achieve the following:

Separate VLANs for employees, guests and POSes
Untagged VLAN traffic for employees and trunk port to switch with VLAN 20 and 30
No need for bridging VLANs

After you’ve setup this configuration you could divide the VLANs in the switch and further on the CAPs according to your needs (for instance one channel on a CAP for POS, one for clients, or one CAP for POSes, one for clients, etc.)

okw · March 8, 2024, 9:30pm

I saw you referenced AP_Bridge in:
set [ find interface=AP_Bridge ] interface=GuestWIFI_VLAN
I abandoned AP_Bridge all together in the new modified script (so it was commented out):

#previous config (only guest APs)
#/interface bridge
#add fast-forward=no name=AP_bridge
#add admin-mac=E4:8D:8C:2D:27:5A auto-mac=no comment=TrustedBridge name=WorkBridge
#/caps-man datapath
#add bridge=AP_bridge bridge-horizon=1 client-to-client-forwarding=no     local-forwarding=no name="My Public"

You looked at the code “New, modified config (not tested yet)”, and not “Current config which runs today (without wireless POS, vlan, etc)”?

Anyway, I think I got what you meant.
Something like this?

# model = 2011UiAS
/caps-man channel
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G  tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G  tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G  tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G  tx-power=20



/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ]   disabled=yes

/interface bridge
#add name=Gastrofix_bridge
add name=bridge

/interface bridge port
#add bridge=Gastrofix_bridge interface=GastrofixLAN_VLAN
#add bridge=Gastrofix_bridge interface=GastrofixWIFI_VLAN
add bridge=bridge interface=eth2_kontor pvid=10
add bridge=bridge interface=eth3_MikrotikAPs
add bridge=bridge interface=eth4_gastrofix_wired pvid=30

/interface vlan
#add vlan-id=10 interface=eth2_kontor            name=EmployeeLAN_VLAN
#add vlan-id=20 interface=eth3_MikrotikAPs       name=GuestWIFI_VLAN
#add vlan-id=30 interface=eth3_MikrotikAPs       name=GastrofixWIFI_VLAN
#add vlan-id=40 interface=eth4_gastrofix_wired   name=GastrofixLAN_VLAN
add vlan-id=10 interface=bridge name=EmployeeLAN_VLAN
add vlan-id=20 interface=bridge name=GuestWIFI_VLAN
add vlan-id=30 interface=bridge name=Gastrofix_VLAN


/interface bridge vlan
add bridge=bridge tagged=bridge,eth3_MikrotikAPs vlan-ids=20
add bridge=bridge tagged=bridge,eth3_MikrotikAPs vlan-ids=30

/interface bridge
set vlan-filtering=yes frame-types=admit-only-vlan-tagged

/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""

#5GHz
/caps-man configuration
add country=norway datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name="GastrofixConfig5G" distance=indoors installation=indoor mode=ap security.authentication-types=wpa-psk,wpa2-psk security.passphrase=Test1234 ssid="Gastrofix_5GHz"
add country=norway datapath.local-forwarding=no  datapath.vlan-id=20 datapath.vlan-mode=use-tag name="GuestPublicConfig5GHz"   distance=indoors installation=indoor mode=ap ssid="Public"

/caps-man interface
add channel=Ch36_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B name=Gastrofix_5GHz-AP_Kontor
add channel=Ch40_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A name=Gastrofix_5GHz-AP_Bar
add channel=Ch44_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B2 master-interface=none radio-mac=C4:AD:34:9E:DA:B2 radio-name=C4AD349EDAB2 name=Gastrofix_5GHz-AP_Messanin
add channel=Ch48_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D name=Gastrofix_5GHz-AP_Chambre
 
add channel=Ch36_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B name=Guest_5GHz-AP_Kontor
add channel=Ch40_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A name=Guest_5GHz-AP_Bar
add channel=Ch44_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B2 master-interface=none radio-mac=C4:AD:34:9E:DA:B2 radio-name=C4AD349EDAB2 name=Guest_5GHz-AP_Messanin
add channel=Ch48_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D name=Guest_5GHz-AP_Chambre

#2.4GHz
/caps-man configuration
add country=norway datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name="GastrofixConfig24G" distance=indoors installation=indoor mode=ap security.authentication-types=wpa-psk,wpa2-psk security.passphrase=Test1234 ssid="Gastrofix_2.4GHz" rates="GN Only - No B rates"
add country=norway datapath.local-forwarding=no  datapath.vlan-id=20 datapath.vlan-mode=use-tag name="GuestPublicConfig24GHz"   distance=indoors installation=indoor mode=ap ssid="Public" rates="GN Only - No B rates"


/caps-man interface
add channel=Ch01_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19 name=Gastrofix_2.4GHz-AP_Bar
add channel=Ch06_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A name=Gastrofix_2.4GHz-AP_Kontor
add channel=Ch11_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C name=Gastrofix_2.4GHz-AP_Chambre
add channel=Ch12_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B1 master-interface=none radio-mac=C4:AD:34:9E:DA:B1 radio-name=C4AD349EDAB1 name=Gastrofix_2.4GHz-AP_Messanin
 
add channel=Ch01_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19 name=Guest_2.4GHz-AP_Bar
add channel=Ch06_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A name=Guest_2.4GHz-AP_Kontor
add channel=Ch11_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C name=Guest_2.4GHz-AP_Chambre
add channel=Ch12_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B1 master-interface=none radio-mac=C4:AD:34:9E:DA:B1 radio-name=C4AD349EDAB1 name=Guest_2.4GHz-AP_Messanin



/interface list
add name=WAN
add name=LAN
add name=WinboxAccess

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
add name=guest_dhcp_pool     ranges=192.168.88.20-192.168.88.250

/ip dhcp-server
add address-pool=gastrofix_dhcp_pool disabled=no interface=GastrofixWIFI_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
add address-pool=guest_dhcp_pool disabled=no interface=GuestWIFI_VLAN lease-time=2h59m  name=guest_dhcp_server

/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"

/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept"  disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""


/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=eth3_MikrotikAPs


/caps-man provisioning
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=gn master-configuration="GastrofixConfig24G"     name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios"  hw-supported-modes=ac master-configuration="GastrofixConfig5G"      name-format=prefix-identity name-prefix=5GHz-
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=gn master-configuration="GuestPublicConfig24GHz" name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios"  hw-supported-modes=ac master-configuration="GuestPublicConfig5GHz"  name-format=prefix-identity name-prefix=5GHz-



/ip neighbor discovery-settings
#set discover-interface-list=all lldp-med-net-policy-vlan=1
set discover-interface-list=WinboxAccess


/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth3_MikrotikAPs list=LAN ##needed?
add interface=Gastrofix_VLAN list=LAN
#add interface=AP_bridge list=LAN
add interface=eth2_kontor list=WinboxAccess
#add interface=GastrofixWIFI_VLAN list=WinboxAccess

/ip address
add address=x.x.x.x/24 network=x.x.x.0 interface=eth1_WAN #public IP hidden in forum
add address=192.168.1.1/24    network=192.168.1.0  interface=EmployeeLAN_VLAN
add address=192.168.7.1/24    network=192.168.7.0  interface=Gastrofix_VLAN
add address=192.168.88.1/24   network=192.168.88.0 interface=GuestWIFI_VLAN
set [ find interface=eth2_kontor ] interface=EmployeeLAN_VLAN
set [ find interface=eth4_gastrofix_wired ] interface=Gastrofix_VLAN
set [ find interface=AP_Bridge ] interface=GuestWIFI_VLAN


/ip arp
add address=192.168.7.41 interface=GastrofixWIFI_VLAN mac-address=FE:67:3A:11:0F:D0
#add address=192.168.7.41 interface=eth4_gastrofix_wired mac-address=FE:67:3A:11:0F:D0

/ip cloud
set update-time=no

/ip dhcp-server lease
add address=192.168.7.247 client-id=1:78:8a:20:4b:4:a6 mac-address=78:8A:20:4B:04:A6 server=gastrofix_dhcp_server

/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=193.75.75.75,193.75.75.193 gateway=192.168.88.1


/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193

/ip firewall address-list
add list=AdminAccess address=192.168.1.0/24 
add list=bogons address=0.0.0.0/8
add list=bogons address=172.16.0.0/12
add list=bogons address=10.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=127.0.0.0/8
add list=bogons address=224.0.0.0/4
add list=bogons address=198.18.0.0/15
add list=bogons address=192.0.0.0/24
add list=bogons address=192.0.2.0/24
add list=bogons address=198.51.100.0/24
add list=bogons address=203.0.113.0/24
add list=bogons address=100.64.0.0/10
add list=bogons address=240.0.0.0/4
add list=bogons address=192.88.99.0/24

/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
#add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN to DNS-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="acceot local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
#add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"
/ip firewall nat
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface=eth1_WAN to-addresses=x.x.x.x #public IP hidden in forum
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface=eth1_WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=bogons

/ip route
add distance=1 gateway=x.x.x.x #public IP hidden in forum
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.1.20/32,192.168.1.21/32
#set winbox address=192.168.1.20/32,192.168.1.21/32,192.168.88.5/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system ntp client
set enabled=yes primary-ntp=79.160.13.250 secondary-ntp=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=WinboxAccess
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes

TheCat12 · March 9, 2024, 7:40am

I was looking at both configs and saw that in the current the 192.168.88.0 network for guests was binded to the Bridge_AP. That’s why I referenced it. And in the new revised config you could either use for the ip address section either the [ find interface=… ] commands if the addresses are still binded to the interfaces from the working config or as you have done just add new ones and bind them to the VLANs but not both as it’s in your variant of the new config. All in all, that’s the configuration

TheCat12 · March 9, 2024, 8:55am

Another option which I’m starting to think is more suitable is configuring the VLANs through the Switch menu because you can benefit from Hardware Offloading and Layer3 isolation on hardware level. The configuration is similar except almost all VLAN settings are made in the aforementioned menu:

/interface bridge
add name=bridge

/interface bridge port
add bridge=bridge interface=eth2_kontor hw=yes
add bridge=bridge interface=eth3_MikrotikAPs hw=yes
add bridge=bridge interface=eth4_gastrofix_wired hw=yes

/interface vlan
add vlan-id=10 interface=bridge name=EmployeeLAN_VLAN
add vlan-id=20 interface=bridge name=GuestWIFI_VLAN
add vlan-id=30 interface=bridge name=Gastrofix_VLAN

/ip address
set [ find interface=eth2_kontor ] interface=EmployeeLAN_VLAN
set [ find interface=eth4_gastrofix ] interface=Gastrofix_VLAN
set [ find interface=AP_Bridge ] interface=GuestWIFI_VLAN

/interface ethernet switch vlan
add ports=switch1-cpu,eth2_kontor switch=switch1 vlan-id=10
add ports=switch1-cpu,eth3_MikrotikAPs switch=switch1 vlan-id=20
add ports=switch1-cpu,eth3_MikrotikAPs,eth4_gastrofix switch=switch1 vlan-id=30

/interface ethernet switch port
set eth2_kontor vlan-mode=secure vlan-header=leave-as-is default-vlan-id=10
set eth3_MikrotikAPs vlan-mode=secure vlan-header=leave-as-is
set eth4_gastrofix vlan-mode=secure vlan-header=leave-as-is default-vlan-id=30
set switch1-cpu vlan-mode=secure

/interface ethernet switch rule
add dst-address=192.168.1.0/24 new-dst-ports="" ports=eth2_kontor switch=switch1
add dst-address=192.168.7.0/24 new-dst-ports="" ports=eth3_MikrotikAPs,eth4_gastrofix switch=switch1
add dst-address=192.168.88.0/24 new-dst-ports="" ports=eth3_Mikrotik_APs switch=switch1

okw · March 9, 2024, 12:19pm

I’ve added the latest changes now. Looks ok?

Keep in mind, I’m making the script to setup a completely reset router, so I’m not sure if set/find is needed, since I’m not modifying, but rather setting everything from scratch? Or is it for readability of the code?

I also wonder about the:
set [ find interface=eth2_kontor ] interface=EmployeeLAN_VLAN
And then later:
add ports=switch1-cpu,eth2_kontor switch=switch1 vlan-id=10
I assume the set/find only works on already set variables, and all references to eth2_kontor after the set/find line will still be eth2_kontor, not EmployeeLAN_VLAN?

Should I manually replace all eth2_kontor to EmployeeLAN_VLAN?

Here is the latest and greatest:

# software id = TRSV-ISX2
#
# model = 2011UiAS
/caps-man channel
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n    control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G  tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G  tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G  tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G  tx-power=20

/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ]   disabled=yes

/interface bridge
add name=bridge

/interface bridge port
add bridge=bridge interface=eth2_kontor hw=yes
add bridge=bridge interface=eth3_MikrotikAPs hw=yes
add bridge=bridge interface=eth4_gastrofix_wired hw=yes

/interface vlan
add vlan-id=10 interface=bridge name=EmployeeLAN_VLAN
add vlan-id=20 interface=bridge name=GuestWIFI_VLAN
add vlan-id=30 interface=bridge name=Gastrofix_VLAN


/interface ethernet switch vlan
add ports=switch1-cpu,eth2_kontor switch=switch1 vlan-id=10
add ports=switch1-cpu,eth3_MikrotikAPs switch=switch1 vlan-id=20
add ports=switch1-cpu,eth3_MikrotikAPs,eth4_gastrofix switch=switch1 vlan-id=30

/interface ethernet switch port
set eth2_kontor vlan-mode=secure vlan-header=leave-as-is default-vlan-id=10
set eth3_MikrotikAPs vlan-mode=secure vlan-header=leave-as-is
set eth4_gastrofix vlan-mode=secure vlan-header=leave-as-is default-vlan-id=30
set switch1-cpu vlan-mode=secure

/interface ethernet switch rule
add dst-address=192.168.1.0/24 new-dst-ports="" ports=eth2_kontor switch=switch1
add dst-address=192.168.7.0/24 new-dst-ports="" ports=eth3_MikrotikAPs,eth4_gastrofix switch=switch1
add dst-address=192.168.88.0/24 new-dst-ports="" ports=eth3_Mikrotik_APs switch=switch1

/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""

#5GHz
/caps-man configuration
add country=norway datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name="GastrofixConfig5G" distance=indoors installation=indoor mode=ap security.authentication-types=wpa-psk,wpa2-psk security.passphrase=Test1234 ssid="Gastrofix_5GHz"
add country=norway datapath.local-forwarding=no  datapath.vlan-id=20 datapath.vlan-mode=use-tag name="GuestPublicConfig5GHz"   distance=indoors installation=indoor mode=ap ssid="Public"

/caps-man interface
add channel=Ch36_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B name=Gastrofix_5GHz-AP_Kontor
add channel=Ch40_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A name=Gastrofix_5GHz-AP_Bar
add channel=Ch44_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B2 master-interface=none radio-mac=C4:AD:34:9E:DA:B2 radio-name=C4AD349EDAB2 name=Gastrofix_5GHz-AP_Messanin
add channel=Ch48_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D name=Gastrofix_5GHz-AP_Chambre
 
add channel=Ch36_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414342B name=Guest_5GHz-AP_Kontor
add channel=Ch40_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9AF1A name=Guest_5GHz-AP_Bar
add channel=Ch44_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B2 master-interface=none radio-mac=C4:AD:34:9E:DA:B2 radio-name=C4AD349EDAB2 name=Guest_5GHz-AP_Messanin
add channel=Ch48_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9AA6D name=Guest_5GHz-AP_Chambre

#2.4GHz
/caps-man configuration
add country=norway datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name="GastrofixConfig24G" distance=indoors installation=indoor mode=ap security.authentication-types=wpa-psk,wpa2-psk security.passphrase=Test1234 ssid="Gastrofix_2.4GHz" rates="GN Only - No B rates"
add country=norway datapath.local-forwarding=no  datapath.vlan-id=20 datapath.vlan-mode=use-tag name="GuestPublicConfig24GHz"   distance=indoors installation=indoor mode=ap ssid="Public" rates="GN Only - No B rates"


/caps-man interface
add channel=Ch01_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19 name=Gastrofix_2.4GHz-AP_Bar
add channel=Ch06_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A name=Gastrofix_2.4GHz-AP_Kontor
add channel=Ch11_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C name=Gastrofix_2.4GHz-AP_Chambre
add channel=Ch12_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B1 master-interface=none radio-mac=C4:AD:34:9E:DA:B1 radio-name=C4AD349EDAB1 name=Gastrofix_2.4GHz-AP_Messanin
 
add channel=Ch01_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=744D28F9AF19 name=Guest_2.4GHz-AP_Bar
add channel=Ch06_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4AD3414342A name=Guest_2.4GHz-AP_Kontor
add channel=Ch11_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=744D28F9AA6C name=Guest_2.4GHz-AP_Chambre
add channel=Ch12_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B1 master-interface=none radio-mac=C4:AD:34:9E:DA:B1 radio-name=C4AD349EDAB1 name=Guest_2.4GHz-AP_Messanin



/interface list
add name=WAN
add name=LAN
add name=WinboxAccess

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
add name=guest_dhcp_pool     ranges=192.168.88.20-192.168.88.250

/ip dhcp-server
add address-pool=gastrofix_dhcp_pool disabled=no interface=GastrofixWIFI_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
add address-pool=guest_dhcp_pool disabled=no interface=GuestWIFI_VLAN lease-time=2h59m  name=guest_dhcp_server

/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"

/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept"  disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""


/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=eth3_MikrotikAPs


/caps-man provisioning
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=gn master-configuration="GastrofixConfig24G"     name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios"  hw-supported-modes=ac master-configuration="GastrofixConfig5G"      name-format=prefix-identity name-prefix=5GHz-
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=gn master-configuration="GuestPublicConfig24GHz" name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios"  hw-supported-modes=ac master-configuration="GuestPublicConfig5GHz"  name-format=prefix-identity name-prefix=5GHz-



/ip neighbor discovery-settings
#set discover-interface-list=all lldp-med-net-policy-vlan=1
set discover-interface-list=WinboxAccess


/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth3_MikrotikAPs list=LAN ##needed?
add interface=Gastrofix_VLAN list=LAN
add interface=eth2_kontor list=WinboxAccess

/ip address
add address=x.x.x.x/24 network=x.x.x.0 interface=eth1_WAN #public IP hidden in forum
add address=192.168.1.1/24    network=192.168.1.0  interface=EmployeeLAN_VLAN
add address=192.168.7.1/24    network=192.168.7.0  interface=Gastrofix_VLAN
add address=192.168.88.1/24   network=192.168.88.0 interface=GuestWIFI_VLAN
set [ find interface=eth2_kontor ] interface=EmployeeLAN_VLAN
set [ find interface=eth4_gastrofix_wired ] interface=Gastrofix_VLAN
set [ find interface=AP_Bridge ] interface=GuestWIFI_VLAN


/ip arp
add address=192.168.7.41 interface=GastrofixWIFI_VLAN mac-address=FE:67:3A:11:0F:D0
#add address=192.168.7.41 interface=eth4_gastrofix_wired mac-address=FE:67:3A:11:0F:D0

/ip cloud
set update-time=no

/ip dhcp-server lease
add address=192.168.7.247 client-id=1:78:8a:20:4b:4:a6 mac-address=78:8A:20:4B:04:A6 server=gastrofix_dhcp_server

/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=193.75.75.75,193.75.75.193 gateway=192.168.88.1


/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193

/ip firewall address-list
add list=AdminAccess address=192.168.1.0/24 
add list=bogons address=0.0.0.0/8
add list=bogons address=172.16.0.0/12
add list=bogons address=10.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=127.0.0.0/8
add list=bogons address=224.0.0.0/4
add list=bogons address=198.18.0.0/15
add list=bogons address=192.0.0.0/24
add list=bogons address=192.0.2.0/24
add list=bogons address=198.51.100.0/24
add list=bogons address=203.0.113.0/24
add list=bogons address=100.64.0.0/10
add list=bogons address=240.0.0.0/4
add list=bogons address=192.88.99.0/24

/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
#add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN to DNS-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="acceot local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
#add action=drop chain=forward dst-address=77.66.21.133 in-interface=AP_bridge
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"
/ip firewall nat
add action=src-nat chain=srcnat comment="Source_NAT for All Users" ipsec-policy=out,none out-interface=eth1_WAN to-addresses=x.x.x.x #public IP hidden in forum
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface=eth1_WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=bogons

/ip route
add distance=1 gateway=x.x.x.x #public IP hidden in forum
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.1.20/32,192.168.1.21/32
#set winbox address=192.168.1.20/32,192.168.1.21/32,192.168.88.5/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system ntp client
set enabled=yes primary-ntp=79.160.13.250 secondary-ntp=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=WinboxAccess
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes

TheCat12 · March 9, 2024, 12:37pm

If you’re doing the settings from scratch, then yes, directly reference the VLANs in the /ip address commands and don’t use the find parameter:

/ip address
add address=192.168.1.1/24 network=192.168.1.0 interface=EmployeeLAN_VLAN
add address=192.168.7.1/24 network=192.168.7.0 interface=Gastrofix_VLAN
add address=192.168.88.1/24 network=192.168.88.0 interface=GuestWIFI_VLAN

And last, add to the /interface ethernet switch vlan entries independent-learning=yes

okw · March 21, 2024, 2:18am

Finally I tried out the script on a clean RB2011UiAS.

It creates just one interface for each radio. I guess the answer lies in: “master-interface=none”. I don’t know what master/slave means in this context?

I got these errors:

[admin@MikroTik] /caps-man/configuration> /caps-man interface
[admin@MikroTik] /caps-man/interface> add channel=Ch36_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD3414
342B name=Gastrofix_5GHz-AP_Kontor
[admin@MikroTik] /caps-man/interface> add channel=Ch40_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D28F9
AF1A name=Gastrofix_5GHz-AP_Bar
[admin@MikroTik] /caps-man/interface> add channel=Ch44_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B2 master-interface=none radio-mac=C4:AD:34:9E:DA:B2 radio-name=C4AD349E
DAB2 name=Gastrofix_5GHz-AP_Messanin
[admin@MikroTik] /caps-man/interface> add channel=Ch48_20M_5G configuration="GastrofixConfig5G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D28F9
AA6D name=Gastrofix_5GHz-AP_Chambre
[admin@MikroTik] /caps-man/interface>  
[admin@MikroTik] /caps-man/interface> add channel=Ch36_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none radio-mac=C4:AD:34:14:34:2B radio-name=C4AD
3414342B name=Guest_5GHz-AP_Kontor
failure: already have master interface with same radio-mac
[admin@MikroTik] /caps-man/interface> add channel=Ch40_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none radio-mac=74:4D:28:F9:AF:1A radio-name=744D
28F9AF1A name=Guest_5GHz-AP_Bar
failure: already have master interface with same radio-mac
[admin@MikroTik] /caps-man/interface> add channel=Ch44_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B2 master-interface=none radio-mac=C4:AD:34:9E:DA:B2 radio-name=C4AD
349EDAB2 name=Guest_5GHz-AP_Messanin
failure: already have master interface with same radio-mac
[admin@MikroTik] /caps-man/interface> add channel=Ch48_20M_5G configuration="GuestPublicConfig5GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none radio-mac=74:4D:28:F9:AA:6D radio-name=744D
28F9AA6D name=Guest_5GHz-AP_Chambre
failure: already have master interface with same radio-mac
[admin@MikroTik] /caps-man/interface> 



[admin@MikroTik] /caps-man/configuration> /caps-man interface
[admin@MikroTik] /caps-man/interface> add channel=Ch01_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=744D28
F9AF19 name=Gastrofix_2.4GHz-AP_Bar
[admin@MikroTik] /caps-man/interface> add channel=Ch06_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4AD34
14342A name=Gastrofix_2.4GHz-AP_Kontor
[admin@MikroTik] /caps-man/interface> add channel=Ch11_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=744D28
F9AA6C name=Gastrofix_2.4GHz-AP_Chambre
[admin@MikroTik] /caps-man/interface> add channel=Ch12_20M_24G configuration="GastrofixConfig24G" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B1 master-interface=none radio-mac=C4:AD:34:9E:DA:B1 radio-name=C4AD34
9EDAB1 name=Gastrofix_2.4GHz-AP_Messanin
[admin@MikroTik] /caps-man/interface>  
[admin@MikroTik] /caps-man/interface> add channel=Ch01_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none radio-mac=74:4D:28:F9:AF:19 radio-name=74
4D28F9AF19 name=Guest_2.4GHz-AP_Bar
failure: already have master interface with same radio-mac
[admin@MikroTik] /caps-man/interface> add channel=Ch06_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none radio-mac=C4:AD:34:14:34:2A radio-name=C4
AD3414342A name=Guest_2.4GHz-AP_Kontor
failure: already have master interface with same radio-mac
[admin@MikroTik] /caps-man/interface> add channel=Ch11_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none radio-mac=74:4D:28:F9:AA:6C radio-name=74
4D28F9AA6C name=Guest_2.4GHz-AP_Chambre
failure: already have master interface with same radio-mac
[admin@MikroTik] /caps-man/interface> add channel=Ch12_20M_24G configuration="GuestPublicConfig24GHz" configuration.frame-lifetime=10ms disabled=no l2mtu=1600 mac-address=C4:AD:34:9E:DA:B1 master-interface=none radio-mac=C4:AD:34:9E:DA:B1 radio-name=C4
AD349EDAB1 name=Guest_2.4GHz-AP_Messanin
failure: already have master interface with same radio-mac

I also get these three:

[admin@MikroTik] /user/group> set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
input does not match any value of policy

[admin@MikroTik] /ip/dhcp-server/lease> add address=192.168.7.247 client-id=1:78:8a:20:4b:4:a6 mac-address=78:8A:20:4B:04:A6 server=gastrofix_dhcp_server
input does not match any value of server

[admin@MikroTik] /system/ntp/client> set enabled=yes primary-ntp=79.160.13.250 secondary-ntp=162.159.200.1
expected end of command (line 1 column 17)

TheCat12 · March 21, 2024, 7:54am

Because I’m not very good with CAPsMAN, try to check the CAPsMAN part of the configuration with this video:

https://youtu.be/LLuGby1ecVM?si=hIP3F9kLDmGa0XxR

Hopefully it’s helpful