Why is my computer assigned an IANA IP?

hi,

After changing the MAC address on my Dell, things seem to be going better. I say "seem to be going better" because I am still getting conflicts, but no disservice.

I went to the ARP list and deleted a stale IP address linked to my computer's MAC address; maybe this was causing confusion?

But in my ARP list my computer's MAC address also seems to have an IANA IP in the 169.254.XXX.XXX range, somehow linked to my computer in the stale state.

At the moment the computer has a correct IP bound to it, but what is this? Why does my computer's MAC address get such an address?

Can I delete this from the ARP list?

ciao,
Antonio

Read this

hi,
OK, so it assigned that IP because there was something wrong, but now it seems to be working. So can I just delete the IANA entry in the ARP list without causing issues, as the PC has an IP bound to it from the DHCP server?

Yes, you can delete it.

But do check the ARP list again in a week's time; APIPA addresses tend to appear out of nowhere on Wednesday and Friday nights (with or without a full moon) :wink: :laughing: .

Seriously, a given MAC can have more than one IP address; that APIPA one most likely was created at the time you had the conflicting (duplicated/cloned) MAC address you mentioned in another topic:
http://forum.mikrotik.com/t/ax2-dhcp-offering-same-ip-already-bound-to-other-pc/179358/11
It is not clear whether that has been resolved or not.

hi Guru,

It has been resolved by changing the MAC address of the PC, but I still seemed to be getting some strange behavior, probably due to the ARP list entries with the same MAC addresses.

I cleaned it up now and hope that this behavior ends.

I will keep this open and update you.

ciao,
Antonio

Hi,

It happened again: the IANA IP showed up in the ARP list. The ARP list had the IANA IP as stale on the MAC address and the MikroTik's assigned IP on the same MAC as reachable.

In the DHCP list it's not showing the lease given to the MAC address. Strange!

Conceptually an APIPA address is generated when these two things happen:

  1. a device connected has a DHCP client
  2. for some reasons the DHCP server fails to lease an address to it

A computer that falls back to an APIPA address will try periodically to get a "proper" IP address from the DHCP server.
APIPA addresses are non-routable and were designed to give minimal (local/LAN only) network connectivity in case the DHCP server is offline/not working.
After a given timeout without a response from the server, the OS generates the APIPA address.

So the cause could be an excessive delay in the DHCP server's response (rare, unless maybe too many requests at the same time) or, more likely, some connection issue (lost packets).
Or the client is booted before the server, which is not so rare in some cases of booting after a blackout.

If you started with QuickSet…
Look in /ip/dhcp-server/networks… if you see an entry for 0.0.0.0, open it and change it to 192.168.88.0/24, or to the IP subnet (router IP + /24) of the LAN if not default.
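The two symptoms discussed above, a 169.254.x.x entry and one MAC showing up with more than one IP, can be checked mechanically before deleting anything from the ARP table. The script below is an added example, not part of this thread and not a RouterOS script: it parses a constructed, simplified ARP dump (address, MAC, interface, status per line; the status words are illustrative), flags link-local addresses using the RFC 3927 range, and classifies each affected MAC as a host that never got a lease, a host with a harmless leftover entry, or a host that is still actively using its APIPA address alongside a real one. Adapt parse_arp() to whatever your router's ARP listing actually emits.

```python
"""Audit an ARP table dump for APIPA (169.254.0.0/16 link-local) entries and
for MAC addresses that appear with more than one IP address.

Added example, not from the forum thread and not a RouterOS script. The
input is a constructed, simplified dump (address, MAC, interface, status on
each line); the status words are only illustrative.
"""
import ipaddress
from collections import defaultdict

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927 link-local

# Constructed sample modelled on the thread: 00:11:22:33:44:55 holds a
# reachable DHCP address plus a stale APIPA entry on the same MAC.
SAMPLE_ARP = """\
172.22.2.57    00:11:22:33:44:55  vlan_2  reachable
169.254.113.9  00:11:22:33:44:55  vlan_2  stale
172.22.3.21    66:77:88:99:aa:bb  vlan_3  reachable
169.254.7.200  66:77:88:99:aa:bb  vlan_3  reachable
169.254.33.4   de:ad:be:ef:00:01  vlan_4  reachable
172.22.5.40    cc:dd:ee:ff:00:11  vlan_5  stale
"""


def parse_arp(text):
    """Parse the simplified dump; lines without exactly four fields are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        addr, mac, iface, status = parts
        entries.append({"address": ipaddress.ip_address(addr),
                        "mac": mac.upper(), "interface": iface, "status": status})
    return entries


def is_apipa(addr):
    return ipaddress.ip_address(addr) in APIPA_NET


def audit_arp(entries):
    """Return (apipa_entries, multi_ip). multi_ip maps each MAC that appears
    with more than one address to the sorted list of those addresses."""
    apipa = [e for e in entries if is_apipa(e["address"])]
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[e["mac"]].add(str(e["address"]))
    multi = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return apipa, multi


def classify(entries):
    """Per MAC that has an APIPA entry:
    'apipa-only'     - no routed address at all: the host never got a lease;
    'leftover-apipa' - a routed address plus only stale APIPA entries: safe to
                       delete once the lease is confirmed;
    'active-apipa'   - a routed address plus a non-stale APIPA entry: the host
                       may still be talking on it, investigate before deleting."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e)
    verdicts = {}
    for mac, es in by_mac.items():
        link_local = [e for e in es if is_apipa(e["address"])]
        routed = [e for e in es if not is_apipa(e["address"])]
        if not link_local:
            continue
        if not routed:
            verdicts[mac] = "apipa-only"
        elif all(e["status"] == "stale" for e in link_local):
            verdicts[mac] = "leftover-apipa"
        else:
            verdicts[mac] = "active-apipa"
    return verdicts


if __name__ == "__main__":
    ents = parse_arp(SAMPLE_ARP)
    apipa, multi = audit_arp(ents)
    for e in apipa:
        print("APIPA: %s on %s (%s, %s)" % (e["address"], e["mac"], e["interface"], e["status"]))
    for mac, ips in multi.items():
        print("MAC with several IPs: %s -> %s" % (mac, ", ".join(ips)))
    for mac, verdict in classify(ents).items():
        print("%s: %s" % (mac, verdict))
```

A "leftover-apipa" verdict matches the situation in the thread (stale 169.254 entry next to a reachable DHCP address on the same MAC); an "apipa-only" MAC is the more interesting one, because it means the DHCP exchange itself is failing for that host.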

hi Guru,

No, there was no such 0.0.0.0 entry in the networks list, but there were a few old networks with no pool or DHCP server entries that I was using in the past; I deleted those.

There must be something else wrong. Could my docking station be part of the problem?

Anything could be wrong. Just to make sure… can you share your config?

/export file=anynameyoulike

Remove serial and any other private info.

hi,
Here is the export of the config.

This has been working for about one year without any issues!

Issues started when I had the two PCs with the same MAC address, but it seems that even after changing the MAC address of the computer the situation got a little worse. But at least there is no disservice!


# 2024-10-21 08:43:19 by RouterOS 7.16.1
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxxxxx
/interface bridge
add name=main_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
/interface list
add name=lan_ports
add name=VLANS
add name=management
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
    .frequency=5180,5200,5220,5240 .skip-dfs-channels=disabled \
    configuration.country=Italy .mode=ap .ssid=Mikrotik_5 disabled=no name=\
    wifi1_5ghz security.authentication-types=wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 \
    datapath.interface-list=all disabled=no name=wifi2_2ghz \
    security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
    4A:A9:8A:D0:6C:BF master-interface=wifi2_2ghz name=wifi3_guest \
    security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.2.20-172.22.2.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
    dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
    dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
    dhcp_VLAN_2
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
    10 pvid=3
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
    10 pvid=4
add bridge=main_bridge interface=ether5_LAN pvid=5
add bridge=main_bridge interface=wifi3_guest pvid=3
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=main_bridge tagged=main_bridge,ether5_LAN untagged=ether3_LAN \
    vlan-ids=3
add bridge=main_bridge tagged=main_bridge,ether5_LAN untagged=ether4_LAN \
    vlan-ids=4
add bridge=main_bridge tagged=main_bridge untagged=ether5_LAN vlan-ids=5
add bridge=main_bridge tagged=main_bridge,ether5_LAN untagged=ether2_LAN \
    vlan-ids=2
/interface list member
add interface=ether2_LAN list=lan_ports
add interface=ether3_LAN list=lan_ports
add interface=ether4_LAN list=lan_ports
add interface=ether5_LAN list=lan_ports
add interface=vlan_2 list=VLANS
add interface=vlan_3 list=VLANS
add interface=vlan_4 list=VLANS
add interface=vlan_5 list=VLANS
add interface=vlan_2 list=management
add interface=vlan_5 list=management
/ip address
add address=172.22.3.1/24 comment=eth3_port/wifi_guest interface=vlan_3 \
    network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=172.22.2.1/24 comment="eth2_port /wifi_2G/wifi_5G" interface=\
    vlan_2 network=172.22.2.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=vlan_2 on-alert=\
    ": log error= \"not valid DHCP server VLAN_2\"" valid-server=\
    48:A9:8A:D0:6C:BA
add disabled=no interface=vlan_3 on-alert=\
    ":log error= \" not valid DHCP server VLAN_3\"" valid-server=\
    48:A9:8A:D0:6C:BA
add disabled=no interface=vlan_4 on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    4A:A9:8A:D0:6C:BF
add disabled=no interface=vlan_5 on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    48:A9:8A:D0:6C:BA
/ip dhcp-server network
add address=172.22.2.0/24 comment=VLAN2 gateway=172.22.2.1
add address=172.22.3.0/24 comment=VLAN3 gateway=172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 gateway=172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 gateway=172.22.5.1
/ip firewall address-list
add address=172.22.2.0/24 disabled=yes list=block_porn
add address=172.22.3.0/24 disabled=yes list=block_porn
add address=172.22.4.0/24 disabled=yes list=block_porn
add address=172.22.5.0/24 disabled=yes list=block_porn
/ip firewall filter
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
    protocol=icmp src-address=10.22.2.0/24
add action=drop chain=input comment="block port scanners" disabled=yes \
    src-address-list=port_scanners
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input comment="port scanner detector" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
add action=accept chain=forward disabled=yes dst-address=172.22.2.14 \
    dst-port=6667 protocol=tcp src-address-list=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
    53 in-interface-list=VLANS protocol=udp to-addresses=8.8.8.8 to-ports=53
add action=src-nat chain=srcnat log=yes out-interface=ether1_WAN protocol=tcp \
    src-port=6667 to-ports=61667
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.2.0/24 port=2222
set api disabled=yes
set winbox address=172.22.2.0/24,172.22.4.0/24,172.22.5.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no

One thing that pops out to me: you don't have the dns-server property configured in /ip/dhcp-server/network … some clients may plainly refuse to use a DHCP lease without this property included. The netmask property would be handy as well (the default seems to be 0, which is plainly wrong in most cases).


Where exactly should this be modified, and to what values? Can you please explain the steps?

Change this…:

/ip dhcp-server network
add address=172.22.2.0/24 comment=VLAN2 gateway=172.22.2.1
add address=172.22.3.0/24 comment=VLAN3 gateway=172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 gateway=172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 gateway=172.22.5.1

…to this:

/ip dhcp-server network
add address=172.22.2.0/24 comment=VLAN2 gateway=172.22.2.1 dns-server=172.22.2.1
add address=172.22.3.0/24 comment=VLAN3 gateway=172.22.3.1 dns-server=172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 gateway=172.22.4.1 dns-server=172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 gateway=172.22.5.1 dns-server=172.22.5.1

You would also have to run DNS server on the MikroTik (or set it to public):

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"

Make sure that the DNS server is allowed in the firewall.
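What a client actually receives from the server is a set of DHCP options (1 subnet mask, 3 router, 6 DNS servers) in the OFFER/ACK, and the lease is only as usable as those options. The decoder below is an added example, not from this thread and not RouterOS code: it assembles two hand-constructed OFFERs (not captures) that mirror the "before" config above (gateway only) and the "after" config (dns-server added), parses the option TLVs after the magic cookie, and reports which required options are missing or unusable. The packet layout and option codes follow RFC 2131/2132; the sample addresses and MAC are constructed.

```python
"""Decode the options in a DHCP OFFER/ACK and report which of the settings a
client needs (subnet mask, router, DNS) are missing or unusable.

Added example, not part of the forum thread or of RouterOS. The two packets
below are constructed by hand to mirror the thread's "before" (no dns-server)
and "after" (dns-server set) configurations; they are not captures.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
DHCPOFFER = 2
# Options a client needs before the lease is good for anything beyond its own /32.
REQUIRED = {OPT_SUBNET_MASK: "subnet-mask (option 1)",
            OPT_ROUTER: "router (option 3)",
            OPT_DNS: "dns-server (option 6)"}


def ip4(text):
    """Dotted quad -> 4 packed bytes."""
    return ipaddress.IPv4Address(text).packed


def build_offer(yiaddr, chaddr, options, xid=0x3903F326):
    """Assemble a BOOTREPLY: fixed 236-byte header, magic cookie, then the
    given (code, value) options terminated by END."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,       # op=BOOTREPLY, htype=ethernet, hlen=6
                         b"\0" * 4, ip4(yiaddr), b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytearray(MAGIC_COOKIE)
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body.append(OPT_END)
    return header + bytes(body)


def parse_options(payload):
    """Return {code: value} for the TLV options after the magic cookie.
    Repeated codes are concatenated (RFC 3396); truncation raises ValueError."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("options not terminated by END")


def ip_list(value):
    """Decode a list-of-IPv4 option value into dotted strings."""
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value) - 3, 4)]


def check_offer(payload):
    """Summarise an OFFER/ACK and list the required options it lacks."""
    opts = parse_options(payload)
    result = {
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0],
        "router": ip_list(opts.get(OPT_ROUTER, b"")),
        "dns": ip_list(opts.get(OPT_DNS, b"")),
        "prefixlen": None,
        "missing": [name for code, name in REQUIRED.items() if code not in opts],
    }
    if OPT_SUBNET_MASK in opts:
        mask = ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])
        result["prefixlen"] = ipaddress.IPv4Network("0.0.0.0/%s" % mask).prefixlen
        if result["prefixlen"] == 0:
            result["missing"].append("subnet-mask is 0.0.0.0 (unusable)")
    return result


CLIENT_MAC = bytes.fromhex("001122334455")          # constructed
COMMON = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
          (OPT_SERVER_ID, ip4("172.22.2.1")),
          (OPT_LEASE_TIME, struct.pack("!I", 86400)),  # lease-time=1d
          (OPT_SUBNET_MASK, ip4("255.255.255.0")),
          (OPT_ROUTER, ip4("172.22.2.1"))]
# "before": gateway only, as in the first export; "after": dns-server added.
OFFER_NO_DNS = build_offer("172.22.2.57", CLIENT_MAC, COMMON)
OFFER_OK = build_offer("172.22.2.57", CLIENT_MAC, COMMON + [(OPT_DNS, ip4("172.22.2.1"))])

if __name__ == "__main__":
    for name, pkt in (("no dns-server", OFFER_NO_DNS), ("dns-server set", OFFER_OK)):
        print(name, check_offer(pkt))
```

Pointing the same decoder at a real capture (the UDP payload of a port 67 to 68 reply) shows exactly what the router sends, which is the direct way to settle whether a "netmask=0" network really emits a usable option 1.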

OK, I applied the modifications, you can see below; let's hope this works.

Do you see anything strange in my firewall settings?

# 2024-10-21 15:52:02 by RouterOS 7.16.1
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add name=main_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
/interface list
add name=lan_ports
add name=VLANS
add name=management
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
    .frequency=5180,5200,5220,5240 .skip-dfs-channels=disabled \
    configuration.country=Italy .mode=ap .ssid=Mikrotik_5 disabled=no name=\
    wifi1_5ghz security.authentication-types=wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 \
    datapath.interface-list=all disabled=no name=wifi2_2ghz \
    security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
    4A:A9:8A:D0:6C:BF master-interface=wifi2_2ghz name=wifi3_guest \
    security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.2.20-172.22.2.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
    dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
    dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
    dhcp_VLAN_2
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
    10 pvid=3
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
    10 pvid=4
add bridge=main_bridge interface=ether5_LAN pvid=5
add bridge=main_bridge interface=wifi3_guest pvid=3
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=main_bridge tagged=main_bridge,ether5_LAN untagged=ether3_LAN \
    vlan-ids=3
add bridge=main_bridge tagged=main_bridge,ether5_LAN untagged=ether4_LAN \
    vlan-ids=4
add bridge=main_bridge tagged=main_bridge untagged=ether5_LAN vlan-ids=5
add bridge=main_bridge tagged=main_bridge,ether5_LAN untagged=ether2_LAN \
    vlan-ids=2
/interface list member
add interface=ether2_LAN list=lan_ports
add interface=ether3_LAN list=lan_ports
add interface=ether4_LAN list=lan_ports
add interface=ether5_LAN list=lan_ports
add interface=vlan_2 list=VLANS
add interface=vlan_3 list=VLANS
add interface=vlan_4 list=VLANS
add interface=vlan_5 list=VLANS
add interface=vlan_2 list=management
add interface=vlan_5 list=management
/ip address
add address=172.22.3.1/24 comment=eth3_port/wifi_guest interface=vlan_3 \
    network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=172.22.2.1/24 comment="eth2_port /wifi_2G/wifi_5G" interface=\
    vlan_2 network=172.22.2.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=vlan_2 on-alert=\
    ": log error= \"not valid DHCP server VLAN_2\"" valid-server=\
    48:A9:8A:D0:6C:BA
add disabled=no interface=vlan_3 on-alert=\
    ":log error= \" not valid DHCP server VLAN_3\"" valid-server=\
    48:A9:8A:D0:6C:BA
add disabled=no interface=vlan_4 on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    4A:A9:8A:D0:6C:BF
add disabled=no interface=vlan_5 on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    48:A9:8A:D0:6C:BA
/ip dhcp-server network
add address=172.22.2.0/24 comment=VLAN2 dns-server=172.22.2.1 gateway=\
    172.22.2.1
add address=172.22.3.0/24 comment=VLAN3 dns-server=172.22.3.1 gateway=\
    172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 dns-server=172.22.4.1 gateway=\
    172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 dns-server=172.22.5.1 gateway=\
    172.22.5.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall address-list
add address=172.22.2.0/24 disabled=yes list=block_porn
add address=172.22.3.0/24 disabled=yes list=block_porn
add address=172.22.4.0/24 disabled=yes list=block_porn
add address=172.22.5.0/24 disabled=yes list=block_porn
/ip firewall filter
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
    protocol=icmp src-address=10.22.2.0/24
add action=drop chain=input comment="block port scanners" disabled=yes \
    src-address-list=port_scanners
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input comment="port scanner detector" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
add action=accept chain=forward disabled=yes dst-address=172.22.2.14 \
    dst-port=6667 protocol=tcp src-address-list=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
    53 in-interface-list=VLANS protocol=udp to-addresses=8.8.8.8 to-ports=53
add action=src-nat chain=srcnat log=yes out-interface=ether1_WAN protocol=tcp \
    src-port=6667 to-ports=61667
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.2.0/24 port=2222
set api disabled=yes
set winbox address=172.22.2.0/24,172.22.4.0/24,172.22.5.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no

Your DHCP server network config lines are still missing “netmask=24” …

From the documentation:

netmask (integer: 0..32; Default: 0)
The actual network mask is to be used by the DHCP client. If set to ‘0’ - netmask from network address will be used.

When set to 0, it will not show up in the export. When set to 24 it will. Wasn’t aware of this, @mkx.
Still, it will use the netmask of the address which is /24.

Did the initial change help, @antoniocerasuolo?

OK, done!

Thanks to you both; at the moment all seems to be OK, no problems.

I guess at this stage I will see what happens when the lease ends on the computer's IP.

I want to see what will happen under normal working conditions of the DHCP server.

# 2024-10-21 20:04:08 by RouterOS 7.16.1
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add name=main_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
/interface list
add name=lan_ports
add name=VLANS
add name=management
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
    .frequency=5180,5200,5220,5240 .skip-dfs-channels=disabled \
    configuration.country=Italy .mode=ap .ssid=Mikrotik_5 disabled=no name=\
    wifi1_5ghz security.authentication-types=wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 \
    datapath.interface-list=all disabled=no name=wifi2_2ghz \
    security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
    4A:A9:8A:D0:6C:BF master-interface=wifi2_2ghz name=wifi3_guest \
    security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.2.20-172.22.2.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
    dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
    dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
    dhcp_VLAN_2
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
    10 pvid=3
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
    10 pvid=4
add bridge=main_bridge interface=ether5_LAN pvid=5
add bridge=main_bridge interface=wifi3_guest pvid=3
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=main_bridge tagged=main_bridge,ether5_LAN untagged=ether3_LAN \
    vlan-ids=3
add bridge=main_bridge tagged=main_bridge,ether5_LAN untagged=ether4_LAN \
    vlan-ids=4
add bridge=main_bridge tagged=main_bridge untagged=ether5_LAN vlan-ids=5
add bridge=main_bridge tagged=main_bridge,ether5_LAN untagged=ether2_LAN \
    vlan-ids=2
/interface list member
add interface=ether2_LAN list=lan_ports
add interface=ether3_LAN list=lan_ports
add interface=ether4_LAN list=lan_ports
add interface=ether5_LAN list=lan_ports
add interface=vlan_2 list=VLANS
add interface=vlan_3 list=VLANS
add interface=vlan_4 list=VLANS
add interface=vlan_5 list=VLANS
add interface=vlan_2 list=management
add interface=vlan_5 list=management
/ip address
add address=172.22.3.1/24 comment=eth3_port/wifi_guest interface=vlan_3 \
    network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=172.22.2.1/24 comment="eth2_port /wifi_2G/wifi_5G" interface=\
    vlan_2 network=172.22.2.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=vlan_2 on-alert=\
    ": log error= \"not valid DHCP server VLAN_2\"" valid-server=\
    48:A9:8A:D0:6C:BA
add disabled=no interface=vlan_3 on-alert=\
    ":log error= \" not valid DHCP server VLAN_3\"" valid-server=\
    48:A9:8A:D0:6C:BA
add disabled=no interface=vlan_4 on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    4A:A9:8A:D0:6C:BF
add disabled=no interface=vlan_5 on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    48:A9:8A:D0:6C:BA
/ip dhcp-server network
add address=172.22.2.0/24 comment=VLAN2 dns-server=172.22.2.1 gateway=\
    172.22.2.1 netmask=24
add address=172.22.3.0/24 comment=VLAN3 dns-server=172.22.3.1 gateway=\
    172.22.3.1 netmask=24
add address=172.22.4.0/24 comment=VLAN4 dns-server=172.22.4.1 gateway=\
    172.22.4.1 netmask=24
add address=172.22.5.0/24 comment=VLAN5 dns-server=172.22.5.1 gateway=\
    172.22.5.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall address-list
add address=172.22.2.0/24 disabled=yes list=block_porn
add address=172.22.3.0/24 disabled=yes list=block_porn
add address=172.22.4.0/24 disabled=yes list=block_porn
add address=172.22.5.0/24 disabled=yes list=block_porn
/ip firewall filter
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
    protocol=icmp src-address=10.22.2.0/24
add action=drop chain=input comment="block port scanners" disabled=yes \
    src-address-list=port_scanners
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input comment="port scanner detector" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
add action=accept chain=forward disabled=yes dst-address=172.22.2.14 \
    dst-port=6667 protocol=tcp src-address-list=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
    53 in-interface-list=VLANS protocol=udp to-addresses=8.8.8.8 to-ports=53
add action=src-nat chain=srcnat log=yes out-interface=ether1_WAN protocol=tcp \
    src-port=6667 to-ports=61667
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.2.0/24 port=2222
set api disabled=yes
set winbox address=172.22.2.0/24,172.22.4.0/24,172.22.5.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no

I learned something new today. And will keep setting things explicitly.

Problem with interpretation of "insensible" default values is that it can change with software upgrade (unlike default settings which, after they get applied during factory reset, don't change with software upgrade).

There are some devices that don't follow the rules; I have definitely seen that some devices need the netmask explicitly set. And netmask=24 is harmless to rule-following DHCP clients; they just get the same info twice.

And I'm not sure the actual value is 0; despite the docs, it is "unset" (now perhaps on some devices this is not true, and if it really is 0 that would be bad). But you can add dhcp to logging to see what's actually getting sent, to confirm…