[SOLVED] DHCP option 82 prevents receiving an address

Hello! I have:

  • DHCP server on MikroTik RB4011iGS+RM
  • DHCP relay on MikroTik CRS326-24G-2S+RM (ROS)

They are both in 2 VLANs: 91 (management VLAN) and 40 (workstation VLAN). My goal is to have information about the switch and port that a client PC is connected to.

If I just set up the relay, it works perfectly. But if I add option 82 to the bridge settings on both the RB4011 and the CRS326, DHCP stops working (no errors in the DHCP server debug log). I tried ROS 7.7 and 7.10, since ROS is very unstable in version 7.

What should I do to fix this?

RB4011:

# 2023-06-29 16:43:04 by RouterOS 7.10
# software id = WGV5-0GJK
#
# model = RB4011iGS+
# serial number = F0380FD92BC4
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=2ghz
add band=5ghz-a/n/ac frequency=5300 name=5ghz
/interface pptp-client
add connect-to=1.1.1.1 disabled=no name=AAAA user=lll1
/interface bridge
add comment="Loopback interface" name=br-lo
add arp=reply-only dhcp-snooping=yes name=bridge-vlan10 pvid=10 \
    vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan20 pvid=20 \
    vlan-filtering=yes
add add-dhcp-option82=yes dhcp-snooping=yes name=bridge-vlan40 pvid=40 \
    vlan-filtering=yes
add dhcp-snooping=yes name=bridge-vlan50 pvid=50 vlan-filtering=yes
add dhcp-snooping=yes name=bridge-vlan60 pvid=60 vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan70 pvid=70 \
    vlan-filtering=yes
add dhcp-snooping=yes name=bridge-vlan80 pvid=80 vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan90 pvid=90 \
    vlan-filtering=yes
add add-dhcp-option82=yes dhcp-snooping=yes name=bridge-vlan91 pvid=91 \
    vlan-filtering=yes
add dhcp-snooping=yes name=bridge-vlan100 pvid=100 vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan110 pvid=110 \
    vlan-filtering=yes
add arp=reply-only dhcp-snooping=yes name=bridge-vlan120 pvid=120 \
    vlan-filtering=yes
add dhcp-snooping=yes name=bridge-vlan130 pvid=130 vlan-filtering=yes
/interface wireguard
add listen-port=25000 mtu=1420 name=wg01
/interface vlan
add arp=reply-only interface=bridge-vlan10 name=vlan10-bridge-if vlan-id=10
add interface=sfp-sfpplus1 name=vlan10-sfp-if vlan-id=10
add arp=reply-only interface=bridge-vlan20 name=vlan20-bridge-if vlan-id=20
add interface=sfp-sfpplus1 name=vlan20-sfp-if vlan-id=20
add interface=bridge-vlan40 name=vlan40-bridge-if vlan-id=40
add interface=sfp-sfpplus1 name=vlan40-sfp-if vlan-id=40
add interface=bridge-vlan50 name=vlan50-bridge-if vlan-id=50
add interface=sfp-sfpplus1 name=vlan50-sfp-if vlan-id=50
add interface=bridge-vlan60 name=vlan60-bridge-if vlan-id=60
add interface=sfp-sfpplus1 name=vlan60-sfp-if vlan-id=60
add arp=reply-only interface=bridge-vlan70 name=vlan70-bridge-if vlan-id=70
add interface=sfp-sfpplus1 name=vlan70-sfp-if vlan-id=70
add interface=bridge-vlan80 name=vlan80-bridge-if vlan-id=80
add interface=sfp-sfpplus1 name=vlan80-sfp-if vlan-id=80
add arp=reply-only interface=bridge-vlan90 name=vlan90-bridge-if vlan-id=90
add interface=sfp-sfpplus1 name=vlan90-sfp-if vlan-id=90
add interface=bridge-vlan91 name=vlan91-bridge-if vlan-id=91
add interface=sfp-sfpplus1 name=vlan91-sfp-if vlan-id=91
add interface=bridge-vlan100 name=vlan100-bridge-if vlan-id=100
add interface=sfp-sfpplus1 name=vlan100-sfp-if vlan-id=100
add arp=reply-only interface=bridge-vlan110 name=vlan110-bridge-if vlan-id=\
    110
add interface=sfp-sfpplus1 name=vlan110-sfp-if vlan-id=110
add arp=reply-only interface=bridge-vlan120 name=vlan120-bridge-if vlan-id=\
    120
add interface=sfp-sfpplus1 name=vlan120-sfp-if vlan-id=120
add interface=bridge-vlan130 name=vlan130-bridge-if vlan-id=130
add interface=sfp-sfpplus1 name=vlan130-sfp-if vlan-id=130
/caps-man datapath
add bridge=bridge-vlan20 client-to-client-forwarding=no name=datapath-guest \
    vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=wifi-guest
/caps-man configuration
add channel=2ghz country=russia datapath=datapath-guest mode=ap name=\
    guest-wifi-2ghz security=wifi-guest ssid=dfgd-7n-2GHz
add channel=5ghz country=russia datapath=datapath-guest mode=ap name=\
    guest-wifi-5ghz security=wifi-guest ssid=dfgd-7n-5GHz
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=Gate
/ip pool
add name=pool-vlan10-office ranges=172.30.50.101-172.30.50.190
add name=pool-vlan20-guest ranges=172.30.51.101-172.30.51.190
add name=pool-ovpn ranges=172.30.52.91-172.30.52.120
add name=pool-vlan40-engineer1 ranges=172.30.53.101-172.30.53.190
add name=pool-vlan50-engineer2 ranges=172.30.54.101-172.30.54.190
add name=pool-vlan60-cameras ranges=172.30.55.101-172.30.55.190
add name=pool-vlan70-phones ranges=172.30.56.101-172.30.56.190
add name=pool-vlan80-skud ranges=172.30.57.101-172.30.57.190
add name=pool-vlan90-coders ranges=172.30.58.102-172.30.58.190
add name=pool-vlan91-management ranges=172.30.61.101-172.30.61.190
add name=pool-vlan100-engineer3 ranges=172.30.59.101-172.30.59.190
add name=pool-vlan110-services ranges=172.30.60.101-172.30.60.190
add name=pool-vlan120-additional ranges=172.30.62.101-172.30.62.190
add name=pool-local-mgmt ranges=172.30.63.101-172.30.63.190
add name=pool-vlan130-engineer4 ranges=172.30.64.101-172.30.64.190
add name=TFTP ranges=192.168.88.1-192.168.88.3
/ip dhcp-server
add add-arp=yes address-pool=pool-vlan10-office interface=vlan10-bridge-if \
    lease-time=3h name=dhcp-vlan10-office relay=255.255.255.255
add add-arp=yes address-pool=pool-vlan20-guest interface=vlan20-bridge-if \
    lease-time=3h name=dhcp-vlan20-guest
add add-arp=yes address-pool=pool-vlan40-engineer1 interface=vlan40-bridge-if \
    lease-time=3h name=dhcp-vlan40-engineer1 relay=255.255.255.255
add add-arp=yes address-pool=pool-vlan50-engineer2 interface=vlan50-bridge-if \
    lease-time=3h name=dhcp-vlan50-engineer2
add add-arp=yes address-pool=pool-vlan60-cameras interface=vlan60-bridge-if \
    lease-time=3h name=dhcp-vlan60-cameras
add add-arp=yes address-pool=pool-vlan70-phones interface=vlan70-bridge-if \
    lease-time=3h name=dhcp-vlan70-phones
add add-arp=yes address-pool=pool-vlan80-skud interface=vlan80-bridge-if \
    lease-time=3h name=dhcp-vlan80-skud
add add-arp=yes address-pool=pool-vlan90-coders interface=vlan90-bridge-if \
    lease-time=3h name=dhcp-vlan90-coders
add add-arp=yes address-pool=pool-vlan91-management interface=\
    vlan91-bridge-if lease-time=3h name=dhcp-vlan91-management
add add-arp=yes address-pool=pool-vlan100-engineer3 interface=\
    vlan100-bridge-if lease-time=3h name=dhcp-vlan100-engineer3
add add-arp=yes address-pool=pool-vlan110-services interface=\
    vlan110-bridge-if lease-time=3h name=dhcp-vlan110-services
add add-arp=yes address-pool=pool-vlan120-additional interface=\
    vlan120-bridge-if lease-time=3h name=dhcp-vlan120-additional
add add-arp=yes address-pool=pool-local-mgmt interface=ether1 name=\
    dhcp-local-mgmt
add add-arp=yes address-pool=pool-vlan130-engineer4 interface=\
    vlan130-bridge-if lease-time=3h name=dhcp-vlan130-engineer4
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 use-ipv6=no use-upnp=no
add local-address=172.30.52.254 name=ovpn remote-address=pool-ovpn use-ipv6=\
    no use-upnp=no
set *FFFFFFFE use-ipv6=no use-upnp=no
/interface ovpn-client
add certificate=x.lll.office.support1 cipher=aes256-cbc comment=\
    "d lll office" connect-to=1.1.1.1 mac-address=\
    FE:F1:30:DE:F6:6E name=x-lll-ovpn port=9001 profile=\
    default-encryption use-peer-dns=no user=support-1
/queue tree
add max-limit=90M name=DOWNLOAD_main parent=global
add max-limit=90M name=UPLOAD_main parent=global
/queue type
add kind=pcq name=SERVICE_DL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=SIP_DL pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
add kind=pcq name=OPERATING_DL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=OTHER_DL pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-src-address6-mask=64
add kind=pcq name=SERVICE_UL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=SIP_UL pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
add kind=pcq name=OPERATING_UL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=OTHER_UL pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-src-address6-mask=64
add kind=pcq name=WEB_DL pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
add kind=pcq name=WEB_UL pcq-classifier=dst-address pcq-dst-address6-mask=64 \
    pcq-src-address6-mask=64
/queue tree
add name=SERVICE_DL packet-mark=SERVICE parent=DOWNLOAD_main priority=1 queue=\
    SERVICE_DL
add limit-at=2M max-limit=90M name=SIP_DL packet-mark=SIP parent=DOWNLOAD_main \
    priority=2 queue=SIP_DL
add name=OPERATING_DL packet-mark=OPERATING parent=DOWNLOAD_main priority=5 \
    queue=OPERATING_DL
add name=OTHER_DL packet-mark=OTHER parent=DOWNLOAD_main queue=OTHER_DL
add name=WEB_DL packet-mark=WEB parent=DOWNLOAD_main priority=3 queue=WEB_DL
add name=SERVICE_UL packet-mark=SERVICE parent=UPLOAD_main priority=1 queue=\
    SERVICE_UL
add limit-at=2M max-limit=90M name=SIP_UL packet-mark=SIP parent=UPLOAD_main \
    priority=2 queue=SIP_UL
add name=WEB_UL packet-mark=WEB parent=UPLOAD_main priority=3 queue=WEB_UL
add name=OPERATING_UL packet-mark=OPERATING parent=UPLOAD_main priority=5 \
    queue=OPERATING_UL
add name=OTHER_UL packet-mark=OTHER parent=UPLOAD_main queue=OTHER_UL
/routing table
add comment=555 disabled=no fib name=to_wan1
add comment=res disabled=no fib name=to_wan2
add comment=TEST disabled=yes fib name=to_x_lll
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan91-bridge-if
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=guest-wifi-2ghz \
    name-format=prefix-identity name-prefix=2G radio-mac=DC:2C:6E:1E:AE:9C
add action=create-dynamic-enabled master-configuration=guest-wifi-5ghz \
    name-format=prefix-identity name-prefix=5G radio-mac=DC:2C:6E:1E:AE:9D
add action=create-dynamic-enabled master-configuration=guest-wifi-2ghz \
    name-format=prefix-identity name-prefix=2G radio-mac=DC:2C:6E:1E:BA:AC
add action=create-dynamic-enabled master-configuration=guest-wifi-5ghz \
    name-format=prefix-identity name-prefix=5G radio-mac=DC:2C:6E:1E:BA:AD
/interface bridge filter
add action=drop chain=forward in-bridge=bridge-vlan10
add action=drop chain=forward in-bridge=bridge-vlan20
add action=drop chain=forward in-bridge=bridge-vlan70
add action=accept chain=forward disabled=yes dst-mac-address=\
    00:17:C8:B9:99:74/FF:FF:FF:FF:FF:FF in-bridge=bridge-vlan110 out-bridge=\
    bridge-vlan110 src-mac-address=A8:5E:45:2F:27:8C/FF:FF:FF:FF:FF:FF
add action=accept chain=forward disabled=yes dst-mac-address=\
    A8:5E:45:2F:27:8C/FF:FF:FF:FF:FF:FF in-bridge=bridge-vlan110 out-bridge=\
    bridge-vlan110 src-mac-address=00:17:C8:B9:99:74/FF:FF:FF:FF:FF:FF
add action=drop chain=forward in-bridge=bridge-vlan110
/interface bridge port
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=91
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=91
add bridge=bridge-vlan10 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
add bridge=bridge-vlan10 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan10-sfp-if pvid=10
add bridge=bridge-vlan20 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan20-sfp-if pvid=20
add bridge=bridge-vlan40 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan40-sfp-if pvid=40 trusted=yes
add bridge=bridge-vlan50 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan50-sfp-if pvid=50
add bridge=bridge-vlan60 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan60-sfp-if pvid=60
add bridge=bridge-vlan70 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan70-sfp-if pvid=70
add bridge=bridge-vlan80 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan80-sfp-if pvid=80
add bridge=bridge-vlan90 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan90-sfp-if pvid=90
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan91-sfp-if pvid=91 trusted=yes
add bridge=bridge-vlan100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan100-sfp-if pvid=100
add bridge=bridge-vlan110 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan110-sfp-if pvid=110
add bridge=bridge-vlan120 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan120-sfp-if pvid=120
add bridge=bridge-vlan130 frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan130-sfp-if pvid=130
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9 pvid=91
add bridge=bridge-vlan91 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=91
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface bridge vlan
add bridge=bridge-vlan10 tagged=bridge-vlan10 untagged=ether3 vlan-ids=10
add bridge=bridge-vlan20 tagged=bridge-vlan20 vlan-ids=20
add bridge=bridge-vlan40 tagged=bridge-vlan40 vlan-ids=40
add bridge=bridge-vlan50 tagged=bridge-vlan50 vlan-ids=50
add bridge=bridge-vlan60 tagged=bridge-vlan60 vlan-ids=60
add bridge=bridge-vlan70 tagged=bridge-vlan70 vlan-ids=70
add bridge=bridge-vlan80 tagged=bridge-vlan80 vlan-ids=80
add bridge=bridge-vlan90 tagged=bridge-vlan90 vlan-ids=90
add bridge=bridge-vlan91 tagged=bridge-vlan91 vlan-ids=91
add bridge=bridge-vlan100 tagged=bridge-vlan100 vlan-ids=100
add bridge=bridge-vlan110 tagged=bridge-vlan110 vlan-ids=110
add bridge=bridge-vlan120 tagged=bridge-vlan120 vlan-ids=120
add bridge=bridge-vlan130 tagged=bridge-vlan130 vlan-ids=130
/interface list member
add interface=ether6 list=WAN
add interface=ether7 list=WAN
add interface=vlan10-bridge-if list=LAN
add interface=vlan20-bridge-if list=LAN
add interface=vlan40-bridge-if list=LAN
add interface=vlan50-bridge-if list=LAN
add interface=vlan70-bridge-if list=LAN
add interface=vlan90-bridge-if list=LAN
add interface=vlan91-bridge-if list=LAN
add interface=vlan100-bridge-if list=LAN
add interface=vlan110-bridge-if list=LAN
add interface=vlan120-bridge-if list=LAN
add interface=vlan130-bridge-if list=LAN
add interface=vlan60-bridge-if list=LAN
add interface=vlan80-bridge-if list=LAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=ovpn-server.crt cipher=\
    aes128-cbc,aes256-cbc default-profile=ovpn enabled=yes port=25001 \
    protocol=udp require-client-certificate=yes
/interface wireguard peers
add allowed-address="172.30.65.101/32,172.29.50.0/24,172.29.51.0/24,172.29.52.\
    0/24,172.29.53.0/24,172.29.54.0/24,172.29.55.0/24,172.29.56.0/24,172.29.58\
    .0/24" comment="7 - lp" endpoint-address=2.2.2.2 \
    endpoint-port=16701 interface=wg01 public-key=\
    "/pngEGcF3Qm0GEgMhB0PffQqEpamqZMHxiO25zG5eiM="
add allowed-address=172.30.65.111/32 interface=wg01 public-key=\
    "7WSmPS66IDKVjl8SEjTuC4tO5W7j2EUolMzK1KmHghM="
/ip address
add address=172.30.50.254/24 interface=vlan10-bridge-if network=172.30.50.0
add address=172.30.51.254/24 interface=vlan20-bridge-if network=172.30.51.0
add address=172.30.53.254/24 interface=vlan40-bridge-if network=172.30.53.0
add address=172.30.54.254/24 interface=vlan50-bridge-if network=172.30.54.0
add address=172.30.55.254/24 interface=vlan60-bridge-if network=172.30.55.0
add address=172.30.56.254/24 interface=vlan70-bridge-if network=172.30.56.0
add address=172.30.57.254/24 interface=vlan80-bridge-if network=172.30.57.0
add address=172.30.58.254/24 interface=vlan90-bridge-if network=172.30.58.0
add address=172.30.61.254/24 interface=vlan91-bridge-if network=172.30.61.0
add address=172.30.59.254/24 interface=vlan100-bridge-if network=172.30.59.0
add address=172.30.60.254/24 interface=vlan110-bridge-if network=172.30.60.0
add address=172.30.62.254/24 interface=vlan120-bridge-if network=172.30.62.0
add address=3.3.3.3/29 comment=555 interface=ether6 network=\
    3.3.3.0
add address=172.30.63.254/24 comment="Local MGMT" interface=ether1 network=\
    172.30.63.0
add address=3.3.3.4/29 comment=555 interface=ether6 network=\
    3.3.3.0
add address=3.3.3.5/29 comment=555 interface=ether6 network=\
    3.3.3.0
add address=3.3.3.6/29 comment=555 interface=ether6 network=\
    3.3.3.0
add address=3.3.3.7/29 comment=555 interface=ether6 network=\
    3.3.3.0
add address=172.30.64.254/24 interface=vlan130-bridge-if network=172.30.64.0
add address=172.30.65.100/24 interface=wg01 network=172.30.65.0
add address=192.168.88.254 comment="For TFTP server" interface=\
    vlan40-bridge-if network=192.168.88.254
/ip arp
add address=172.30.58.101 interface=vlan90-bridge-if mac-address=\
    D4:5D:64:1E:07:67
/ip dhcp-client
add add-default-route=no dhcp-options=clientid,hostname interface=ether7 \
    script=":if (\$bound=1) do={\
    \n   /ip route remove [ find gateway=\"4.2.2.2\" ]; /ip route remove [ fin\
    d where dst-address ~\"4.2.2.2\" ]\
    \n   /ip route add check-gateway=ping comment=\"For recursive check remote\
    \_host via res\" distance=2 dst-address=4.2.2.2/32 gateway=\$\"gateway-a\
    ddress\" scope=11\
    \n   /ip route add check-gateway=ping comment=\"Unmarked via res\" dista\
    nce=2 gateway=4.2.2.2 target-scope=11\
    \n   /ip route add comment=\"Marked via res Main\" distance=1 gateway=4.\
    2.2.2 routing-table=to_wan2 target-scope=11\
    \n   /ip route add comment=\"Marked via main Backup1\" distance=2 gateway=4\
    .2.2.2 routing-table=to_wan1 target-scope=11\
    \n   :if [:tobool ([/ip firewall/nat/ find comment=\"NAT via res\"])] do\
    ={\
    \n   /ip firewall nat set [find comment=\"NAT via res\"] action=src-nat \
    chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addres\
    ses=\$\"lease-address\" \
    \n    } else={/ip firewall nat add action=src-nat chain=srcnat ipsec-polic\
    y=out,none out-interface=\$\"interface\" to-addresses=\$\"lease-address\" \
    comment=\"NAT via res\"}\
    \n    :if [:tobool ([/routing/rule find comment=\"From res IP to Inet\"]\
    )] do={\
    \n      /routing/rule/set [find comment=\"From res IP to Inet\"] action=\
    lookup src-address=\$\"lease-address\" table=to_wan2\
    \n    } else={/routing/rule/add action=lookup comment=\"From res IP to I\
    net\" src-address=\$\"lease-address\" table=to_wan2 }\
    \n} else={\
    \n   /ip route remove [find gateway=\"4.2.2.2\"]; /ip route remove [find w\
    here dst-address ~\"4.2.2.2\"]\
    \n   /ip firewall nat remove  [find comment=\"NAT via res\"]\
    \n   /routing/rule/remove [find comment=\"From res IP to Inet\"]\
    \n}\
    \n" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=172.30.50.0/24 dns-server=172.30.50.254 gateway=172.30.50.254 \
    netmask=24 ntp-server=172.30.50.254
add address=172.30.51.0/24 dns-server=172.30.51.254 gateway=172.30.51.254 \
    netmask=24 ntp-server=172.30.51.254
add address=172.30.53.0/24 dns-server=172.30.53.254 gateway=172.30.53.254 \
    netmask=24 ntp-server=172.30.53.254
add address=172.30.54.0/24 dns-server=172.30.54.254 gateway=172.30.54.254 \
    netmask=24 ntp-server=172.30.53.254
add address=172.30.55.0/24 dns-server=172.30.55.254 gateway=172.30.55.254 \
    netmask=24 ntp-server=172.30.55.254
add address=172.30.56.0/24 dns-server=172.30.56.254 gateway=172.30.56.254 \
    netmask=24 ntp-server=172.30.56.254
add address=172.30.57.0/24 dns-server=172.30.57.254 gateway=172.30.57.254 \
    netmask=24 ntp-server=172.30.57.254
add address=172.30.58.0/24 dns-server=172.30.58.254 gateway=172.30.58.254 \
    netmask=24 ntp-server=172.30.58.254
add address=172.30.59.0/24 dns-server=172.30.59.254 gateway=172.30.59.254 \
    netmask=24 ntp-server=172.30.59.254
add address=172.30.60.0/24 dns-server=172.30.60.254 gateway=172.30.60.254 \
    netmask=24 ntp-server=172.30.60.254
add address=172.30.61.0/24 dns-server=172.30.61.254 gateway=172.30.61.254 \
    netmask=24 ntp-server=172.30.61.254
add address=172.30.62.0/24 dns-server=172.30.62.254 gateway=172.30.62.254 \
    netmask=24 ntp-server=172.30.62.254
add address=172.30.63.0/24 dns-server=172.30.63.254 gateway=172.30.63.254 \
    netmask=24 ntp-server=172.30.63.254
add address=172.30.64.0/24 dns-server=172.30.64.254 gateway=172.30.64.254 \
    netmask=24 ntp-server=172.30.64.254
add address=192.168.88.0/24 gateway=192.168.88.254
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall address-list
add address=172.30.50.1-172.30.50.253 list=vlan10-office
add address=172.30.51.1-172.30.51.253 list=vlan20-guest
add address=172.30.52.31-172.30.52.50 list=ovpn-engineers
add address=172.30.52.51-172.30.52.70 list=ovpn-coders
add address=172.30.53.1-172.30.53.253 list=vlan40-engineer1
add address=172.30.54.1-172.30.54.253 list=vlan50-engineer2
add address=172.30.55.1-172.30.55.253 list=vlan60-cameras
add address=172.30.56.1-172.30.56.253 list=vlan70-phones
add address=172.30.57.1-172.30.57.253 list=vlan80-skud
add address=172.30.58.1-172.30.58.253 list=vlan90-coders
add address=172.30.61.1-172.30.61.253 list=vlan91-management
add address=172.30.59.1-172.30.59.253 list=vlan100-engineer3
add address=172.30.60.1-172.30.60.253 list=vlan110-services
add address=172.30.62.1-172.30.62.253 list=vlan120-additional
add address=172.30.64.1-172.30.64.253 list=vlan130-engineer4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=172.30.52.71-172.30.52.90 list=ovpn-other
add address=172.30.52.71-172.30.52.72 list=murahtaevy
add address=172.30.50.1-172.30.64.253 list=LAN
add address=172.30.65.1-172.30.65.254 list=wireguard
add address=172.30.65.101 list=g-net
add address=172.30.52.245 list=g-net
add address=192.168.115.0/24 list=AAAA
add address=192.168.116.0/24 list=AAAA
add address=192.168.51.0/24 list=777-ovpn
add address=172.30.52.74 list=777-ovpn-support
add address=172.30.60.191-172.30.60.200 list=gn-printers
add address=172.29.50.0/24 list=g
add address=172.29.51.0/24 list=g
add address=172.29.52.0/24 list=g
add address=172.29.53.0/24 list=g
add address=172.29.54.0/24 list=g
add address=172.29.55.0/24 list=g
add address=172.29.56.0/24 list=g
add address=172.29.58.0/24 list=g
add address=172.29.56.0/24 list=g-net
add address=172.30.53.31 comment="Old office user support" list=user-support
add address=172.30.54.100 list=user-support
add address=172.30.59.100 list=user-support
add address=172.29.50.101-172.29.50.102 list=old-office-users
/ip firewall filter
add action=accept chain=input comment=Podstrahovka disabled=yes src-address=\
    172.30.61.31
add action=add-src-to-address-list address-list=KNOCK-1 address-list-timeout=\
    35s chain=input dst-port=13000 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=KNOCK-2 address-list-timeout=\
    35s chain=input dst-port=13001 in-interface-list=WAN protocol=tcp \
    src-address-list=KNOCK-1
add action=add-src-to-address-list address-list=KNOCK-ACCEPT \
    address-list-timeout=15s chain=input dst-port=13002 in-interface-list=WAN \
    protocol=tcp src-address-list=KNOCK-2
add action=accept chain=input comment="Accept established, related" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment=\
    "Accept established, related" connection-state=established,related \
    disabled=yes hw-offload=yes
add action=accept chain=forward comment="Accept established, related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop forward from cameras" \
    src-address-list=vlan60-cameras
add action=accept chain=forward comment=\
    "Accept forward from hh VM to internet" disabled=yes in-interface=\
    vlan80-bridge-if out-interface-list=WAN src-address=172.30.57.110
add action=accept chain=forward comment=\
    "Allow forward from hh VM (SKUD) to lp controller" \
    dst-address=172.29.58.101 out-interface=wg01 src-address=172.30.57.110
add action=drop chain=forward comment="Drop forward from SKUD" \
    src-address-list=vlan80-skud
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
    "Accept forward from LAN list to internet" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="Allow forward to k2" dst-address=\
    172.30.58.102 in-interface-list=LAN out-interface=vlan90-bridge-if
add action=accept chain=forward comment=\
    "Accept coders forward from OpenVPN to their network" dst-address-list=\
    vlan90-coders in-interface=all-ppp protocol=tcp src-address-list=\
    ovpn-coders
add action=accept chain=forward comment=\
    "Accept forward from engineers (OpenVPN)" in-interface=all-ppp \
    src-address-list=ovpn-engineers
add action=accept chain=forward comment=\
    "Allow forward from office to printers" dst-address-list=gn-printers \
    in-interface=vlan10-bridge-if out-interface=vlan110-bridge-if \
    src-address-list=vlan10-office
add action=accept chain=forward comment="Allow forward from engineer 1" \
    in-interface=vlan40-bridge-if src-address=172.30.53.31
add action=accept chain=forward comment=\
    "Allow forward from VLAN40 (engineer 1) to VLAN110 (services)" \
    dst-address-list=vlan110-services in-interface=vlan40-bridge-if \
    out-interface=vlan110-bridge-if src-address-list=vlan40-engineer1
add action=accept chain=forward comment=\
    "Allow forward from VLAN50 (engineer 2) to VLAN110 (services)" \
    dst-address-list=vlan110-services in-interface=vlan50-bridge-if \
    out-interface=vlan110-bridge-if src-address-list=vlan50-engineer2
add action=accept chain=forward comment=\
    "Allow forward from VLAN100 (engineer 3) to printers" dst-address-list=\
    gn-printers in-interface=vlan100-bridge-if out-interface=\
    vlan110-bridge-if src-address-list=vlan100-engineer3
add action=accept chain=forward comment=\
    "Accept other OpenVPN users forward to k2" dst-address=172.30.58.102 \
    in-interface=all-ppp protocol=tcp src-address-list=ovpn-other
add action=accept chain=forward comment=\
    "Accept other OpenVPN users forward to AAAA" dst-address-list=AAAA \
    in-interface=all-ppp protocol=tcp src-address-list=ovpn-other
add action=accept chain=forward comment=\
    "Allow forward from VLAN50 (engineer 2) to 777 OVPN over d" \
    dst-address-list=777-ovpn in-interface=vlan50-bridge-if src-address=\
    172.30.54.100
add action=accept chain=forward comment=\
    "Accept forward to 777 OVPN over d" dst-address-list=777-ovpn \
    in-interface=all-ppp protocol=tcp src-address-list=777-ovpn-support
add action=accept chain=forward comment=\
    "Accept forward from OpenVPN yer to yur's net" dst-address-list=\
    vlan130-engineer4 in-interface=all-ppp src-address-list=murahtaevy
add action=accept chain=forward comment=\
    "Accept forward from OpenVPN yer to coders network" \
    dst-address-list=vlan90-coders in-interface=all-ppp src-address-list=\
    murahtaevy
add action=accept chain=forward comment=\
    "Accept forward from OpenVPN i.gorbunov to his network" dst-address-list=\
    vlan100-engineer3 in-interface=all-ppp src-address=172.30.52.77
add action=accept chain=forward comment=\
    "Allow forward from engineer 1 to VLAN90 (coders)" disabled=yes \
    dst-address-list=vlan90-coders in-interface=vlan40-bridge-if \
    out-interface=vlan90-bridge-if src-address=172.30.53.31
add action=accept chain=forward comment=\
    "Allow forward from engineer 2 to VLAN90 (coders)" dst-address-list=\
    vlan90-coders in-interface=vlan50-bridge-if out-interface=\
    vlan90-bridge-if src-address=172.30.54.100
add action=accept chain=forward comment=\
    "Allow forward from engineer 1 to VLAN70 (phones)" disabled=yes \
    dst-address-list=vlan70-phones in-interface=vlan40-bridge-if \
    out-interface=vlan70-bridge-if src-address=172.30.53.31
add action=accept chain=forward comment=\
    "Allow forward from engineer 2 to VLAN70 (phones)" dst-address-list=\
    vlan70-phones in-interface=vlan50-bridge-if out-interface=\
    vlan70-bridge-if src-address=172.30.54.100
add action=accept chain=forward comment=\
    "Allow forward from engineer windows server to VLAN70 (phones)" disabled=\
    yes dst-address-list=vlan70-phones in-interface=vlan110-bridge-if \
    out-interface=vlan70-bridge-if src-address=172.30.60.101
add action=accept chain=forward comment=\
    "Allow forward from engineer 1 to VLAN80 (SKUD)" disabled=yes \
    dst-address-list=vlan80-skud in-interface=vlan40-bridge-if out-interface=\
    vlan80-bridge-if src-address=172.30.53.31
add action=accept chain=forward comment=\
    "Allow forward from engineer 2 to VLAN80 (SKUD)" dst-address-list=\
    vlan80-skud in-interface=vlan50-bridge-if out-interface=vlan80-bridge-if \
    src-address=172.30.54.100
add action=accept chain=forward comment=\
    "Allow forward from engineer 1 to VLAN10 (office)" disabled=yes \
    dst-address-list=vlan10-office in-interface=vlan40-bridge-if \
    out-interface=vlan10-bridge-if src-address=172.30.53.31
add action=accept chain=forward comment=\
    "Allow forward from engineer 2 to VLAN10 (office)" dst-address-list=\
    vlan10-office in-interface=vlan50-bridge-if out-interface=\
    vlan10-bridge-if src-address=172.30.54.100
add action=accept chain=forward comment=\
    "Allow forward from engineer 3 to Brother QL-800" dst-address=\
    172.30.50.156 in-interface=vlan100-bridge-if out-interface=\
    vlan10-bridge-if src-address=172.30.59.100
add action=accept chain=forward comment=\
    "Allow forward from engineer 1 to AAAA" disabled=yes dst-address-list=\
    AAAA in-interface=vlan40-bridge-if src-address=172.30.53.31
add action=accept chain=forward comment=\
    "Allow forward from engineer 2 to AAAA" dst-address-list=AAAA \
    in-interface=vlan50-bridge-if src-address=172.30.54.100
add action=accept chain=forward comment=\
    "Allow forward from engineer 2 to engineer 3 network" disabled=yes \
    dst-address-list=vlan100-engineer3 in-interface=vlan50-bridge-if \
    out-interface=vlan100-bridge-if src-address=172.30.54.100
add action=accept chain=forward comment=\
    "Allow forward inside VLAN110 (services)" disabled=yes dst-address-list=\
    vlan110-services in-interface=vlan110-bridge-if out-interface=\
    vlan110-bridge-if src-address-list=vlan110-services
add action=accept chain=forward comment=\
    "Allow forward from engineer 1 to 777" disabled=yes dst-address-list=\
    777-ovpn in-interface=vlan40-bridge-if src-address=172.30.53.31
add action=accept chain=forward comment=\
    "Allow forward from engineer 2 to 777" disabled=yes dst-address-list=\
    777-ovpn in-interface=vlan50-bridge-if src-address=172.30.54.100
add action=accept chain=forward comment=\
    "Allow forward from MGMT VLAN to 7 lp gate (over WireGuard)" \
    dst-address-list=g-net in-interface=vlan91-bridge-if src-address-list=\
    vlan91-management
add action=accept chain=forward comment=\
    "Allow forward from lp controller to hh VM (SKUD)" \
    dst-address=172.30.57.110 in-interface=wg01 src-address=172.29.58.101
add action=accept chain=forward comment=\
    "Allow forward from office engineers to lp VLAN 10 (office)" \
    dst-address-list=old-office-users out-interface=wg01 src-address-list=\
    user-support
add action=accept chain=forward comment=\
    "Allow forward from engineer 1 to 7 lp service network" \
    disabled=yes dst-address=172.29.55.0/24 in-interface=vlan40-bridge-if \
    src-address=172.30.53.31
add action=accept chain=forward comment=\
    "Allow forward from engineer 1 (WireGuard)" in-interface=wg01 \
    src-address=172.30.65.111
add action=accept chain=forward comment=\
    "Accept forward from OpenVPN to internet" disabled=yes in-interface=\
    all-ppp out-interface-list=WAN
add action=accept chain=forward comment="Allow forward dstnat'ed" \
    connection-nat-state=dstnat connection-state=new
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment="Drop forward not dstnat'ed" \
    connection-nat-state=!dstnat disabled=yes
add action=drop chain=forward
add action=accept chain=input comment="Accept DNS from LAN" disabled=yes \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Accept DNS and DHCP from LAN" \
    disabled=yes dst-port=53,67 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Accept DNS from VLAN10 (office)" \
    dst-address=172.30.50.254 dst-port=53 protocol=tcp src-address-list=\
    vlan10-office
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN10 (office)" dst-address=172.30.50.254 \
    dst-port=53,67 protocol=udp src-address-list=vlan10-office
add action=accept chain=input comment="Accept DNS from VLAN20 (guest)" \
    dst-address=172.30.51.254 dst-port=53 in-interface=vlan20-bridge-if \
    protocol=tcp src-address-list=vlan20-guest
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN20 (guest)" dst-address=172.30.51.254 \
    dst-port=53,67 in-interface=vlan20-bridge-if protocol=udp \
    src-address-list=vlan20-guest
add action=accept chain=input comment="Accept DNS from OpenVPN" dst-address=\
    172.30.52.254 dst-port=53 in-interface=all-ppp protocol=tcp src-address=\
    172.30.52.0/24
add action=accept chain=input comment="Accept DNS and DHCP from OpenVPN" \
    dst-address=172.30.52.254 dst-port=53,67 in-interface=all-ppp protocol=\
    udp src-address=172.30.52.0/24
add action=accept chain=input comment="Engineers input from OpenVPN" \
    dst-port=80,25003 in-interface=all-ppp protocol=tcp src-address-list=\
    ovpn-engineers
add action=accept chain=input comment="Accept DNS from VLAN40 (engineer1)" \
    dst-address=172.30.53.254 dst-port=53 in-interface=vlan40-bridge-if \
    protocol=tcp src-address-list=vlan40-engineer1
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN40 (engineer1)" dst-address=172.30.53.254 \
    dst-port=53,67 in-interface=vlan40-bridge-if protocol=udp \
    src-address-list=vlan40-engineer1
add action=accept chain=input comment="Accept DNS from VLAN50 (engineer2)" \
    dst-address=172.30.54.254 dst-port=53 in-interface=vlan50-bridge-if \
    protocol=tcp src-address-list=vlan50-engineer2
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN50 (engineer2)" dst-address=172.30.54.254 \
    dst-port=53,67 in-interface=vlan50-bridge-if protocol=udp \
    src-address-list=vlan50-engineer2
add action=accept chain=input comment="Accept DHCP from VLAN60 (cameras)" \
    dst-address=172.30.55.254 dst-port=67 in-interface=vlan60-bridge-if \
    protocol=udp src-address-list=vlan60-cameras
add action=accept chain=input comment="Accept DNS from VLAN70 (phones)" \
    dst-address=172.30.56.254 dst-port=53 in-interface=vlan70-bridge-if \
    protocol=tcp src-address-list=vlan70-phones
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN70 (phones)" dst-address=172.30.56.254 \
    dst-port=53,67 in-interface=vlan70-bridge-if protocol=udp \
    src-address-list=vlan70-phones
add action=accept chain=input comment="Accept DNS from VLAN80 (skud)" \
    dst-address=172.30.57.254 dst-port=53 in-interface=vlan80-bridge-if \
    protocol=tcp src-address-list=vlan80-skud
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN80 (skud)" dst-address=172.30.57.254 \
    dst-port=53,67 in-interface=vlan80-bridge-if protocol=udp \
    src-address-list=vlan80-skud
add action=accept chain=input comment="Accept DNS from VLAN90 (coders)" \
    dst-address=172.30.58.254 dst-port=53 in-interface=vlan90-bridge-if \
    protocol=tcp src-address-list=vlan90-coders
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN90 (coders)" dst-address=172.30.58.254 \
    dst-port=53,67 in-interface=vlan90-bridge-if protocol=udp \
    src-address-list=vlan90-coders
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN91 (management)" dst-address=172.30.61.254 \
    dst-port=53,67 in-interface=vlan91-bridge-if protocol=udp \
    src-address-list=vlan91-management
add action=accept chain=input comment="Accept input from VLAN91 (management)" \
    dst-address=172.30.61.254 dst-port=53,80,8291,25003 in-interface=\
    vlan91-bridge-if protocol=tcp src-address-list=vlan91-management
add action=accept chain=input comment=\
    "Accept DNS and DHCP from MGMT interface" dst-address=172.30.63.254 \
    dst-port=53,67 in-interface=ether1 protocol=udp src-address=\
    172.30.63.0/24
add action=accept chain=input comment="Accept NTP from LAN" dst-port=123 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Accept input from MGMT interface" \
    dst-address=172.30.63.254 dst-port=80,8291,25003 in-interface=ether1 \
    protocol=tcp src-address=172.30.63.0/24
add action=accept chain=input comment="Accept DNS for engineer 1 (WireGuard)" \
    dst-address=172.30.65.100 dst-port=53 in-interface=wg01 protocol=udp \
    src-address=172.30.65.111
add action=accept chain=input comment=\
    "Accept input from engineer 1 (WireGuard)" dst-address=172.30.65.100 \
    dst-port=53,80,25003 in-interface=wg01 protocol=tcp src-address=\
    172.30.65.111
add action=accept chain=input comment="Accept DNS from VLAN100 (engineer3)" \
    dst-address=172.30.59.254 dst-port=53 in-interface=vlan100-bridge-if \
    protocol=tcp src-address-list=vlan100-engineer3
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN100 (engineer3)" dst-address=172.30.59.254 \
    dst-port=53,67 in-interface=vlan100-bridge-if protocol=udp \
    src-address-list=vlan100-engineer3
add action=accept chain=input comment="Accept DNS from VLAN110 (services)" \
    dst-address=172.30.60.254 dst-port=53 in-interface=vlan110-bridge-if \
    protocol=tcp src-address-list=vlan110-services
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN110 (services)" dst-address=172.30.60.254 \
    dst-port=53,67 in-interface=vlan110-bridge-if protocol=udp \
    src-address-list=vlan110-services
add action=accept chain=input comment="Accept DNS from VLAN120 (additional)" \
    dst-address=172.30.62.254 dst-port=53 in-interface=vlan120-bridge-if \
    protocol=tcp src-address-list=vlan120-additional
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN120 (additional)" dst-address=172.30.62.254 \
    dst-port=53,67 in-interface=vlan120-bridge-if protocol=udp \
    src-address-list=vlan120-additional
add action=accept chain=input comment="Accept DNS from VLAN130 (engineer4)" \
    dst-address=172.30.64.254 dst-port=53 in-interface=vlan130-bridge-if \
    protocol=tcp src-address-list=vlan130-engineer4
add action=accept chain=input comment=\
    "Accept DNS and DHCP from VLAN130 (engineer4)" dst-address=172.30.64.254 \
    dst-port=53,67 in-interface=vlan130-bridge-if protocol=udp \
    src-address-list=vlan130-engineer4
add action=accept chain=input comment="Accept OpenVPN" dst-port=25001 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept Wireguard" dst-port=25000 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept SSH from WAN" dst-port=25003 \
    in-interface-list=WAN protocol=tcp src-address-list=KNOCK-ACCEPT
add action=accept chain=input comment="Accept ICMP" disabled=yes \
    in-interface-list=LAN protocol=icmp
add action=accept chain=input comment="Accept ICMP from WAN k2 address" \
    dst-address=3.3.3.213 in-interface=ether6 protocol=icmp
add action=accept chain=input comment="Accept ICMP from VLAN10 (office)" \
    dst-address=172.30.50.254 protocol=icmp src-address-list=vlan10-office
add action=accept chain=input comment="Accept ICMP from VLAN20 (guest)" \
    dst-address=172.30.51.254 in-interface=vlan20-bridge-if protocol=icmp \
    src-address-list=vlan20-guest
add action=accept chain=input comment="Accept ICMP from OpenVPN" dst-address=\
    172.30.52.254 in-interface=all-ppp protocol=icmp src-address=\
    172.30.52.0/24
add action=accept chain=input comment="Accept ICMP from VLAN40 (engineer1)" \
    dst-address=172.30.53.254 in-interface=vlan40-bridge-if protocol=icmp \
    src-address-list=vlan40-engineer1
add action=accept chain=input comment="Accept ICMP from VLAN50 (engineer2)" \
    dst-address=172.30.54.254 in-interface=vlan50-bridge-if protocol=icmp \
    src-address-list=vlan50-engineer2
add action=accept chain=input comment="Accept ICMP from VLAN60 (cameras)" \
    dst-address=172.30.55.254 in-interface=vlan60-bridge-if protocol=icmp \
    src-address-list=vlan60-cameras
add action=accept chain=input comment="Accept ICMP from VLAN70 (phones)" \
    dst-address=172.30.56.254 in-interface=vlan70-bridge-if protocol=icmp \
    src-address-list=vlan70-phones
add action=accept chain=input comment="Accept ICMP from VLAN80 (skud)" \
    dst-address=172.30.57.254 in-interface=vlan80-bridge-if protocol=icmp \
    src-address-list=vlan80-skud
add action=accept chain=input comment="Accept ICMP from VLAN90 (coders)" \
    dst-address=172.30.58.254 in-interface=vlan90-bridge-if protocol=icmp \
    src-address-list=vlan90-coders
add action=accept chain=input comment="Accept ICMP from VLAN91 (management)" \
    dst-address=172.30.61.254 in-interface=vlan91-bridge-if protocol=icmp \
    src-address-list=vlan91-management
add action=accept chain=input comment="Accept ICMP from MGMT interface" \
    dst-address=172.30.63.254 in-interface=ether1 protocol=icmp src-address=\
    172.30.63.0/24
add action=accept chain=input comment="Accept ICMP from VLAN100 (engineer3)" \
    dst-address=172.30.59.254 in-interface=vlan100-bridge-if protocol=icmp \
    src-address-list=vlan100-engineer3
add action=accept chain=input comment="Accept ICMP from VLAN110 (services)" \
    dst-address=172.30.60.254 in-interface=vlan110-bridge-if protocol=icmp \
    src-address-list=vlan110-services
add action=accept chain=input comment="Accept ICMP from VLAN120 (additional)" \
    dst-address=172.30.62.254 in-interface=vlan120-bridge-if protocol=icmp \
    src-address-list=vlan120-additional
add action=accept chain=input comment="Accept ICMP from VLAN130 (engineer4)" \
    dst-address=172.30.64.254 in-interface=vlan130-bridge-if protocol=icmp \
    src-address-list=vlan130-engineer4
add action=accept chain=input comment="Accept ICMP from WireGuard" \
    dst-address=172.30.65.100 protocol=icmp src-address-list=wireguard
add action=drop chain=input connection-state=""
add action=accept chain=output comment="Accept output"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
/ip firewall mangle
add action=mark-packet chain=forward comment=\
    "Mark forward ICMP packets with SERVICE mark" new-packet-mark=SERVICE \
    passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting comment=\
    "Mark DNS (TCP) packets with SERVICE mark" new-packet-mark=SERVICE \
    passthrough=yes port=53 protocol=tcp
add action=mark-packet chain=postrouting comment=\
    "Mark DNS (UDP) packets with SERVICE mark" new-packet-mark=SERVICE \
    passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting comment=\
    "Mark forward ICMP packets with SERVICE mark" new-packet-mark=SERVICE \
    packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment=\
    "Mark forward SIP packets with SIP mark" dst-address-list=vlan70-phones \
    new-packet-mark=SIP passthrough=yes
add action=mark-packet chain=forward comment=\
    "Mark forward SIP packets with SIP mark" new-packet-mark=SIP passthrough=\
    yes src-address-list=vlan70-phones
add action=mark-packet chain=forward comment=\
    "Mark forward SSH packets with OPERATING mark" new-packet-mark=OPERATING \
    passthrough=yes port=22 protocol=tcp
add action=mark-packet chain=forward comment=\
    "Mark forward RDP packets with OPERATING mark" new-packet-mark=OPERATING \
    passthrough=yes port=3389 protocol=tcp
add action=mark-packet chain=forward comment=\
    "Mark forward WEB packets with WEB mark" new-packet-mark=WEB passthrough=\
    yes port=80,443 protocol=tcp
add action=mark-packet chain=prerouting comment=\
    "Mark input OpenVPN packets with OPERATING mark" new-packet-mark=\
    OPERATING passthrough=yes port=25001 protocol=udp
add action=mark-packet chain=prerouting comment=\
    "Mark input Wireguard packets with OPERATING mark" new-packet-mark=\
    OPERATING passthrough=yes port=25000 protocol=udp
add action=mark-routing chain=prerouting comment=\
    "Routemark transit out via main to Chel office" disabled=yes \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=\
    to_x_lll passthrough=no
add action=mark-connection chain=prerouting comment="Connmark in from main" \
    connection-mark=no-mark in-interface=ether6 new-connection-mark=conn_wan1 \
    passthrough=no
add action=mark-connection chain=prerouting comment="Connmark in from res" \
    connection-mark=no-mark in-interface=ether7 new-connection-mark=conn_wan2 \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Routemark transit out via main" connection-mark=conn_wan1 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_wan1 \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Routemark transit out via res" connection-mark=conn_wan2 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_wan2 \
    passthrough=no
add action=mark-routing chain=output comment="Routemark local out via main" \
    connection-mark=conn_wan1 dst-address-type=!local new-routing-mark=\
    to_wan1 passthrough=no
add action=mark-routing chain=output comment="Routemark local out via res" \
    connection-mark=conn_wan2 dst-address-type=!local new-routing-mark=\
    to_wan2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Masquerade to 7 lp (OpenVPN)" disabled=yes dst-address=\
    172.30.52.245 ipsec-policy=out,none
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="NAT via main for office vlan" \
    ipsec-policy=out,none out-interface=ether6 src-address-list=vlan10-office \
    to-addresses=3.3.3.211
add action=src-nat chain=srcnat comment="NAT via main for guest vlan" \
    ipsec-policy=out,none out-interface=ether6 src-address-list=vlan20-guest \
    to-addresses=3.3.3.212
add action=src-nat chain=srcnat comment="NAT via main" ipsec-policy=out,none \
    out-interface=ether6 to-addresses=3.3.3.3
add action=dst-nat chain=dstnat comment="k2 HTTP (main)" dst-address=\
    3.3.3.213 dst-port=80 protocol=tcp to-addresses=172.30.58.102 \
    to-ports=80
add action=dst-nat chain=dstnat comment="k2 HTTP (res)" dst-port=80 \
    in-interface=ether7 protocol=tcp to-addresses=172.30.58.102 to-ports=80
add action=dst-nat chain=dstnat comment="k2 9191 (main)" disabled=yes \
    dst-address=3.3.3.213 dst-port=9191 in-interface-list=WAN protocol=\
    tcp to-addresses=172.30.58.102 to-ports=9191
add action=dst-nat chain=dstnat comment="k2 9191 (res)" disabled=yes \
    dst-port=9191 in-interface=ether7 protocol=tcp to-addresses=172.30.58.102 \
    to-ports=9191
add action=dst-nat chain=dstnat comment="k2 1313 (main)" dst-address=\
    3.3.3.3 dst-port=1313 in-interface-list=WAN protocol=tcp \
    to-addresses=172.30.58.102 to-ports=1313
add action=dst-nat chain=dstnat comment="k2 1313 (res)" dst-port=1313 \
    in-interface=ether7 protocol=tcp to-addresses=172.30.58.102 to-ports=1313
add action=dst-nat chain=dstnat comment="Dev station 8000,8080 (main)" \
    dst-address=3.3.3.3 dst-port=8000,8080 protocol=tcp to-addresses=\
    172.30.58.101
add action=dst-nat chain=dstnat comment="Dev station 8000,8080 (res)" \
    dst-port=8000,8080 in-interface=ether7 protocol=tcp to-addresses=\
    172.30.58.101
add action=dst-nat chain=dstnat comment="3080 SSH (main)" dst-address=\
    3.3.3.3 dst-port=50005 in-interface-list=WAN protocol=tcp \
    to-addresses=172.30.58.103 to-ports=22
add action=dst-nat chain=dstnat comment="3080 SSH (res)" dst-port=50005 \
    in-interface=ether7 protocol=tcp to-addresses=172.30.58.103 to-ports=22
add action=dst-nat chain=dstnat comment="k2 SSH (main)" dst-address=\
    3.3.3.3 dst-port=50006 in-interface-list=WAN protocol=tcp \
    to-addresses=172.30.58.102 to-ports=22
add action=dst-nat chain=dstnat comment="k2 SSH (res)" dst-port=50006 \
    in-interface=ether7 protocol=tcp to-addresses=172.30.58.102 to-ports=22
add action=masquerade chain=srcnat comment=\
    "k2 HTTP from LAN (Hainpin NAT)" dst-address=172.30.58.102 dst-port=80 \
    protocol=tcp src-address-list=vlan90-coders
add action=dst-nat chain=dstnat comment=\
    "Dev station 8000,8080 from LAN (Hairpin NAT)" disabled=yes dst-address=\
    3.3.3.3 dst-port=8000,8080 protocol=tcp src-address=\
    172.30.50.0/24 to-addresses=172.30.58.101
add action=masquerade chain=srcnat comment=\
    "Dev station 8000,8080 from LAN (Hairpin NAT)" disabled=yes dst-address=\
    3.3.3.3 dst-port=8000,8080 protocol=tcp src-address-list=LAN
add action=masquerade chain=srcnat comment=AAAA out-interface=AAAA
add action=masquerade chain=srcnat comment="d dfgd office" \
    out-interface=x-lll-ovpn
add action=masquerade chain=srcnat comment="7 lp" disabled=yes \
    dst-address-list=g out-interface=wg01
add action=src-nat chain=srcnat comment="NAT via res" ipsec-policy=out,none \
    out-interface=ether7 to-addresses=6.6.6.6
/ip firewall raw
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=3.3.3.209 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="Emergency route" distance=254 gateway=br-lo
add check-gateway=ping comment="For recursive check remote host via main" \
    disabled=no distance=1 dst-address=8.8.4.4/32 gateway=3.3.3.209 \
    pref-src="" routing-table=main scope=11 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping comment="Unmarked via main" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=11
add comment="Marked via main Main" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=to_wan1 scope=30 \
    suppress-hw-offload=no target-scope=11
add comment="Marked via res Backup1" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=to_wan2 scope=30 \
    suppress-hw-offload=no target-scope=11
add disabled=no dst-address=192.168.115.162/32 gateway=172.16.1.1 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.116.171/32 gateway=172.16.1.1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add dst-address=172.29.55.0/24 gateway=wg01
add dst-address=172.29.56.0/24 gateway=wg01
add disabled=no dst-address=192.168.115.144/32 gateway=172.16.1.1 \
    routing-table=main suppress-hw-offload=no
add comment="TEST lll x" disabled=yes distance=1 dst-address=\
    192.168.51.0/24 gateway=x-lll-ovpn pref-src="" routing-table=\
    to_x_lll suppress-hw-offload=no target-scope=12
add dst-address=172.29.50.0/24 gateway=wg01
add dst-address=172.29.51.0/24 gateway=wg01
add dst-address=172.29.52.0/24 gateway=wg01
add dst-address=172.29.53.0/24 gateway=wg01
add dst-address=172.29.54.0/24 gateway=wg01
add dst-address=172.29.58.0/24 gateway=wg01
add check-gateway=ping comment="For recursive check remote host via res" \
    distance=2 dst-address=4.2.2.2/32 gateway=34.34.34.34 scope=11
add check-gateway=ping comment="Unmarked via res" distance=2 gateway=\
    4.2.2.2 target-scope=11
add comment="Marked via res Main" distance=1 gateway=4.2.2.2 routing-table=\
    to_wan2 target-scope=11
add comment="Marked via main Backup1" distance=2 gateway=4.2.2.2 \
    routing-table=to_wan1 target-scope=11
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address="172.30.63.0/24,172.30.61.0/24,172.30.52.0/24,172.30.65.111/32\
    ,127.0.0.1/32"
set ssh port=25003
set api disabled=yes
set winbox address=172.30.63.0/24,172.30.61.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=local host-key-size=4096 strong-crypto=yes
/ip tftp
add ip-addresses=192.168.88.1-192.168.88.3 real-filename=\
    swos-css610pi-2.16.bin
/ipv6 firewall filter
add action=drop chain=forward
add action=drop chain=input
add action=drop chain=output
/routing rule
add action=lookup dst-address=172.30.50.0/24 table=main
add action=lookup dst-address=172.30.51.0/24 table=main
add action=lookup dst-address=172.30.53.0/24 table=main
add action=lookup dst-address=172.30.54.0/24 table=main
add action=lookup dst-address=172.30.55.0/24 table=main
add action=lookup dst-address=172.30.56.0/24 table=main
add action=lookup dst-address=172.30.57.0/24 table=main
add action=lookup dst-address=172.30.58.0/24 table=main
add action=lookup dst-address=172.30.59.0/24 table=main
add action=lookup dst-address=172.30.60.0/24 table=main
add action=lookup dst-address=172.30.61.0/24 table=main
add action=lookup dst-address=172.30.62.0/24 table=main
add action=lookup comment="From main IP to Inet" src-address=3.3.3.3 \
    table=to_wan1
add action=lookup dst-address=172.30.52.0/24 table=main
add action=lookup disabled=yes interface=x-lll-ovpn table=to_x_lll
add action=lookup dst-address=172.30.64.0/24 table=main
add action=lookup dst-address=172.30.65.0/24 table=main
add action=lookup comment="From res IP to Inet" src-address=6.6.6.6 \
    table=to_wan2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system clock manual
set time-zone=+02:00
/system identity
set name=7-new-Gate
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=195.91.239.8
add address=85.21.78.23
/system routerboard settings
set auto-upgrade=yes
/system script
add dont-require-permissions=no name=find_mac owner=i policy=read,test,sniff \
    source="{\r\
    \n:local macToFind \"64:16:7F:64:2A:7F\"\r\
    \n\r\
    \n/interface bridge host\r\
    \n:foreach i in=[find mac-address=\$macToFind] do={\r\
    \n  :if ([:len [find on-interface=[get \$i on-interface]]] = 1) do={\r\
    \n    :put (\"Found \$macToFind as only host on interface \" . [get \$i on\
    -interface])\r\
    \n  }\r\
    \n}\r\
    \n}\r\
    \n"
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=172.30.61.0/24 store-on-disk=no
/tool graphing resource
add allow-address=172.30.61.0/24 store-on-disk=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set file-name=001 filter-interface=*F00008 memory-limit=10240KiB

CRS326:

# jun/29/2023 16:43:28 by RouterOS 7.7
# software id = FRYU-5HYJ
#
# model = CRS326-24G-2S+
# serial number = DA720E991DCA
/interface bridge
add add-dhcp-option82=yes dhcp-snooping=yes ingress-filtering=no name=bridge \
    pvid=91 vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan40-bridge-if vlan-id=40
add interface=bridge name=vlan91-management-if vlan-id=91
/interface ethernet switch port
set 0 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 1 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 2 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 3 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 4 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 5 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 6 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 7 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 8 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 9 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 10 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 11 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 12 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 13 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 14 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 15 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 16 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 17 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 18 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 19 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 20 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 21 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 22 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
set 23 limit-unknown-multicasts=yes limit-unknown-unicasts=yes storm-rate=3
/interface list
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=local-mgmt ranges=172.30.63.101-172.30.63.190
/ip dhcp-server
add address-pool=local-mgmt interface=ether1 lease-time=3h name=local-mgmt
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether11 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether12 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether13 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether14 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether15 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether16 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether17 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether18 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether19 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether20 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether21 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether22 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether23 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether24 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 \
    pvid=150 trusted=yes
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2 \
    pvid=150
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan40-bridge-if pvid=40
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,bridge vlan-ids=40
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=50
add bridge=bridge tagged=sfp-sfpplus1,bridge vlan-ids=91
add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=100
/ip address
add address=172.30.61.250/24 interface=vlan91-management-if network=\
    172.30.61.0
add address=172.30.63.250/24 interface=ether1 network=172.30.63.0
add address=172.30.53.250/24 interface=vlan40-bridge-if network=172.30.53.0
/ip dhcp-relay
add dhcp-server=172.30.61.254 disabled=no interface=vlan40-bridge-if \
    local-address=172.30.53.250 name=vlan40-relay
/ip dhcp-server config
set accounting=no store-leases-disk=never
/ip dhcp-server network
add address=172.30.63.0/24 dns-server=172.30.63.254 gateway=172.30.63.253 \
    netmask=24
/ip dns
set servers=172.30.61.254
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=172.30.65.0/24 list=mgmt
add address=172.30.63.0/24 list=mgmt
add address=172.30.61.0/24 list=mgmt
add address=172.30.52.0/24 list=mgmt
/ip firewall filter
add action=accept chain=input comment="Accept established, related" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input dst-port=22,80,8291 in-interface=\
    vlan91-management-if protocol=tcp src-address-list=mgmt
add action=accept chain=input dst-port=22,80,8291 in-interface=ether1 \
    protocol=tcp src-address=172.30.63.0/24
add action=accept chain=input comment="Allow DHCP input" dst-port=67 \
    protocol=udp
add action=accept chain=input comment="Allow DHCP input on MGMT interface" \
    dst-port=67 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept ICMP" in-interface=ether1 \
    protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=\
    "Accept established, related" connection-state=established,related \
    disabled=yes hw-offload=yes
add action=accept chain=forward comment="Accept established, related" \
    connection-state=established,related disabled=yes
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    disabled=yes
add action=accept chain=forward comment="Accept forward" disabled=yes \
    in-interface=ether1
add action=drop chain=forward comment="Drop forward"
add action=accept chain=output comment="Accept output"
/ip firewall raw
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.30.61.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=\
    172.30.65.0/24,172.30.63.0/24,172.30.61.0/24,172.30.52.0/24,127.0.0.1/32
set ssh address=172.30.65.0/24,172.30.63.0/24,172.30.61.0/24,172.30.52.0/24
set api disabled=yes
set winbox address=172.30.63.0/24,172.30.61.0/24
set api-ssl disabled=yes
/ipv6 firewall filter
add action=drop chain=forward
add action=drop chain=input
add action=drop chain=output
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system clock manual
set time-zone=+02:00
/system identity
set name=SW24P
/system ntp client
set enabled=yes
/system ntp client servers
add address=195.91.239.8
add address=85.21.78.23
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes boot-os=router-os
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=172.30.61.0/24 store-on-disk=no
/tool graphing resource
add allow-address=172.30.61.0/24 store-on-disk=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none


Are you sure all the right interfaces are marked as trusted? What about CRS354, is there no DHCP snooping there?

Are you sure all the right interfaces are marked as trusted?

No, I’m not sure. I tried marking other interfaces as trusted, with the same result. Without option 82, the relay works without marking any port as trusted.

What about CRS354, is there no DHCP snooping there?

It is:

/interface bridge
add add-dhcp-option82=yes dhcp-snooping=yes ingress-filtering=no name=bridge \
    pvid=91 vlan-filtering=yes

CRS326’s VLAN setup is wrong in multiple aspects:

  1. the bridge itself should not have pvid set (to 91), as you’re using a VLAN interface (hence the bridge should be set as a tagged member of said VLAN)
  2. the VLAN interface vlan40-bridge-if (anchored off the bridge) should not be added as a bridge port (you’re creating a twisted loop here)
  3. setting pvid on bridge ports with frame-types=admit-only-vlan-tagged (sfp1 and sfp2) is unnecessary and clutters the readability of the configuration export (although it doesn’t change the way those ports work)

Both devices have a convoluted setup and are thus prone to contain errors. RB4011 is even worse, but I’m not going to dive into that mess …

And using CRS326 as a router/firewall is really a sin.

I guess both devices would benefit from upgrading to 7.10.1 (unless you have a good reason not to); there were numerous fixes included in recent ROS releases (your CRS shows 7.7 as the running version).

The corresponding interfaces on CRS354 need to be marked as trusted as well. Overall: untrust the access switch ports that lead to clients, then trust all ports on the way to the router, including those on intermediate switches with DHCP snooping enabled.

I was guided by the MikroTik help (the part about management access). Example from this help:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=99
/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
/ip address
add address=192.168.99.2/24 interface=VLAN99
Yes, an obvious mistake, thank you.

You are completely right again, but that complexity and misconfiguration is the only way I can get the necessary functionality: different ARP settings for different VLANs and different bridge filters for them.

DHCP relay is not a big load, is it? I don’t use the CRS326 as a router/firewall in other respects.

This!

SOLVED.

Conclusion: what I need is not a relay, just 3 things:

  1. Add DHCP option 82 in the bridge settings on both CRS (not the 4011).
  2. Add the SFP VLAN interfaces on the 4011 as trusted.
  3. Add the SFP port on CRS354 leading to CRS326 as trusted. Why? After adding the option 82 fields, is the request considered relayed? Relays are disabled in the DHCP server settings. No relays are configured. Now I can see the device and port the DHCP client is connected to.

Thank you guys for help.
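To show what the snooping trust chain described above actually does with option 82 (and why the switch-to-switch uplink had to be trusted before the conclusion worked), here is an added example that is not part of the thread or of RouterOS: it parses the Relay Agent Information option (RFC 3046, sub-option 1 circuit ID, sub-option 2 remote ID) from a DHCP packet and applies the rule that an untrusted port never forwards a request already carrying option 82. The packet, the circuit ID "ether5" and the remote ID "SW24P" are constructed sample values.

```python
# Added example (not from the thread): DHCP option 82 parsing plus the
# snooping decision on untrusted vs. trusted ingress ports.
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82        # RFC 3046 Relay Agent Information
SUB_CIRCUIT_ID = 1          # identifies the switch port the request came in on
SUB_REMOTE_ID = 2           # identifies the switch (relay agent) that inserted it
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_options(payload):
    """Return {code: value} for the options after the 236-byte fixed header."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_option82(raw):
    """Split the option 82 body into {sub-option: value}."""
    subs, i = {}, 0
    while i < len(raw):
        sub, length = raw[i], raw[i + 1]
        subs[sub] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def snoop(payload, port_trusted):
    """Return ('drop', {}) or ('forward', {circuit_id, remote_id}).
    A client-facing (untrusted) port must never deliver option 82, because a
    host could forge the circuit/remote IDs; that drop is what the thread hit
    while the uplink between the two CRS switches was still untrusted."""
    opts = parse_options(payload)
    if OPT_RELAY_AGENT in opts and not port_trusted:
        return "drop", {}
    subs = parse_option82(opts.get(OPT_RELAY_AGENT, b""))
    return "forward", {
        "circuit_id": subs.get(SUB_CIRCUIT_ID, b"").decode(errors="replace"),
        "remote_id": subs.get(SUB_REMOTE_ID, b"").decode(errors="replace"),
    }


def build_discover(with_option82):
    """Constructed minimal DHCPDISCOVER (op=1, htype=1, hlen=6, fixed xid)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2], hdr[4:8] = 1, 1, 6, b"\x12\x34\x56\x78"
    opts = bytes([OPT_MSG_TYPE, 1, 1])
    if with_option82:
        circuit, remote = b"ether5", b"SW24P"     # constructed sample IDs
        body = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
                + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
        opts += bytes([OPT_RELAY_AGENT, len(body)]) + body
    return bytes(hdr) + MAGIC_COOKIE + opts + b"\xff"
```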

… which doesn’t include setting a pvid on the bridge.