WiFi VLAN DHCP offering not working

Hi guys, this is my first time posting here, so I’ll try to be concise. I’ve managed to set up my MikroTik RB4011iGS+5HacQ2HnD with VLANs, QoS and basic forwarding rules (it used to have raw rules filtering bogons and jump chains for the TCP and UDP protocols, but for the sake of clarity and simplicity I removed them).
My problem is that after I reboot the router, every VLAN except VLAN ID 39 (the 5.8 GHz WiFi) offers DHCP successfully. After 3 or 4 attempts, with luck, a wireless device such as my phone or laptop gets an IP through DHCP. On all the previous failed attempts the device reports “It was not possible get an ip”, on Android and Apple devices for example.
I switched between QoS algorithms like FqCodel and CAKE (with wash and ACK filtering), and I even sniffed the bridge and the WiFi interface trying to understand what happens during the negotiation with the DHCP server, or whether some traffic-flow issue was taking place, but I didn’t find anything.
The 2.4 GHz wlan interface is not enabled, but it works just fine with the same VLAN config as the 5.8 GHz wlan interface. All address-lists were disabled and I tried to use only the LAN interface list in the firewall rules.

I hope you can help me pinpoint what might be wrong here.

Thanks in advance.

# 2024-08-07 10:34:24 by RouterOS 7.15.3
# software id = KJ91-TB4Y
#
# model = RB4011iGS+5HacQ2HnD
# serial number = <edited>
# Original export posted by the thread author. Two separate VLAN-aware bridges
# are defined (bridge-mgmt for ether6 / VLAN 99, bridge-vlans for everything
# else); the reply at item 1 below recommends collapsing this to a single bridge.
/interface bridge
# bridge-mgmt: the bridge's own (CPU) port accepts only VLAN-tagged frames.
# pvid=3 has no member ports in the vlan table, so it is a bridge-only VLAN.
add frame-types=admit-only-vlan-tagged name=bridge-mgmt pvid=3 \
    vlan-filtering=yes
# bridge-vlans: pvid=2 likewise has no member ports; fast-forward is disabled.
add fast-forward=no name=bridge-vlans pvid=2 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether6 ] comment=MGMT
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface ovpn-server
# The OVPN server interface is disabled; the author later says the VPN is only
# used on rare occasions for outside access.
add disabled=yes name=ovpn-chozita user=ovpn_user
/interface vlan
# L3 VLAN interfaces. vlan-wifi (39) sits on bridge-vlans; the DHCP server for
# the 5 GHz WiFi binds to this interface, so WiFi clients only get DHCP if the
# untagged frames arriving from wlan1 are classified into VLAN 39 by the bridge
# (pvid=39 on the wlan1 bridge port).
add interface=bridge-mgmt name=vlan-mgmt-99 vlan-id=99
add interface=bridge-vlans name=vlan-wifi vlan-id=39
add disabled=yes interface=bridge-vlans name=vlan-wifi-2 vlan-id=49
add interface=bridge-vlans name=vlan1-lan vlan-id=10
/interface list
# Five lists are declared, but only WAN and LAN have members or are referenced
# by firewall, discovery or MAC-server settings in this export; Local, Bridges
# and WiFi are unused.
add name=Local
add name=WAN
add name=Bridges
add name=WiFi
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK only, PMKID disabled, no EAP methods: sensible choices for a
# home PSK network.
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=profile1 supplicant-identity=""
/interface wireless
# wlan1 (5 GHz, SSID JML) carries vlan-id=39 here AND is a bridge port with
# pvid=39 (see /interface bridge port). Whether the wireless driver actually
# tags frames depends on vlan-mode, which this export does not show (the
# default applies); the reply at item 2 recommends dropping the VLAN settings
# from the wireless interface and letting the bridge pvid do the classification.
# WPS is disabled.
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-n/ac channel-width=\
    20/40/80mhz-eCee country=no_country_set disabled=no frequency=5200 \
    frequency-mode=manual-txpower mode=ap-bridge security-profile=profile1 \
    ssid=JML station-roaming=enabled vlan-id=39 wmm-support=enabled wps-mode=\
    disabled
# wlan2 (2.4 GHz) mirrors wlan1 with vlan-id=49 and default-forwarding=no
# (clients on this SSID are not forwarded to each other by the AP). No
# disabled=no is exported for it, consistent with the author's statement that
# the 2.4 GHz radio is currently off.
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-g/n country=\
    no_country_set default-forwarding=no frequency=2432 frequency-mode=\
    manual-txpower mode=ap-bridge security-profile=profile1 ssid=JML-2.4Ghz \
    station-roaming=enabled vlan-id=49 wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
/interface wireless nstreme
set wlan1 disable-csma=yes
set wlan2 disable-csma=yes
/ip ipsec proposal
# sha1 is still accepted alongside sha256/sha512; harmless while no IPsec peer
# is configured, but drop it if IPsec is ever put to use.
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1
/ip pool
# One pool per VLAN subnet. dhcp_pool16 (VLAN 10) is small (.2-.30).
add name=dhcp_pool16 ranges=192.168.10.2-192.168.10.30
add name=dhcp_pool19 ranges=192.168.39.2-192.168.39.254
add name=dhcp_pool20 ranges=192.168.49.2-192.168.49.254
add name=dhcp_pool21 ranges=192.168.99.2-192.168.99.14
/ip dhcp-server
# Each server is bound to an L3 VLAN interface, not to the bridge or a physical
# port. dhcp3 (VLAN 39 / vlan-wifi) is the one the author reports failing for
# the first few attempts after a reboot.
add address-pool=dhcp_pool16 interface=vlan1-lan name=dhcp2
add address-pool=dhcp_pool19 interface=vlan-wifi name=dhcp3
add address-pool=dhcp_pool20 disabled=yes interface=vlan-wifi-2 name=dhcp4
add address-pool=dhcp_pool21 interface=vlan-mgmt-99 name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 baud-rate=auto name=serial0
set 1 name=serial1
/queue type
# Several queue kinds are defined (sfq, red, pcq, fq-codel, cake in four
# variants). Only fq-codel and the built-in default are referenced by the
# /queue tree below; the rest are presumably leftovers from the QoS algorithm
# comparisons the author describes.
set 0 kind=sfq
add kind=red name=red-custom red-avg-packet=1514
add kind=pcq name=PCQ_download pcq-classifier=dst-address
add kind=pcq name=PCQ_upload pcq-classifier=src-address
add kind=pcq name=bulkUp pcq-classifier=\
    src-address,dst-address,src-port,dst-port pcq-limit=450KiB \
    pcq-total-limit=4500KiB
add kind=sfq name=bulkDown
add kind=fq-codel name=fq-codel
# CAKE upload variant with ACK filtering and NAT-aware flow isolation.
add cake-ack-filter=filter cake-diffserv=diffserv4 cake-flowmode=dual-srchost \
    cake-mpu=84 cake-nat=yes cake-overhead=44 cake-rtt-scheme=internet kind=\
    cake name=cake-upload
# CAKE download variant with DSCP washing (cake-wash=yes).
add cake-diffserv=diffserv4 cake-flowmode=dual-dsthost cake-mpu=84 \
    cake-overhead=44 cake-rtt-scheme=internet cake-wash=yes kind=cake name=\
    cake-download
add kind=sfq name=sfq-default
add cake-diffserv=diffserv4 cake-mpu=84 cake-overhead=44 cake-rtt-scheme=\
    internet cake-wash=yes kind=cake name=cake-download-v2
add cake-ack-filter=filter cake-diffserv=besteffort cake-mpu=84 \
    cake-overhead=44 cake-rtt-scheme=internet kind=cake name=cake-upload-v2
/queue tree
# Download shaping: QoS_Padre_Down hangs off parent=global at 301M with
# fq-codel; its children are selected by the *_D packet marks set in
# /ip firewall mangle (ICMP_D, DNS_D, HTTP_D, OTHER_D, ACK_D, UDP_D, QUIC_D,
# LARGE_TRANSFER_D). Lower priority number = served first.
add bucket-size=0.001 max-limit=301M name=QoS_Padre_Down parent=global queue=\
    fq-codel
add bucket-size=0.01 limit-at=3M max-limit=10M name=P3_ICMP packet-mark=\
    ICMP_D parent=QoS_Padre_Down priority=3 queue=default
add bucket-size=0.01 limit-at=15M max-limit=150M name=P1_DNS packet-mark=\
    DNS_D parent=QoS_Padre_Down priority=1 queue=default
add bucket-size=0.01 limit-at=100M max-limit=150M name=P3_HTTP packet-mark=\
    HTTP_D parent=QoS_Padre_Down priority=3 queue=default
# "TODO LO DE MAS" = "everything else" (catch-all OTHER_D mark, default priority).
add bucket-size=0.01 limit-at=40M max-limit=150M name="P8_TODO LO DE MAS" \
    packet-mark=OTHER_D parent=QoS_Padre_Down queue=default
# Upload shaping: Qos_Padre_Up hangs off parent=ether1 (the WAN port) at 31M
# and uses the matching *_U marks.
add bucket-size=0.001 max-limit=31M name=Qos_Padre_Up parent=ether1 queue=\
    fq-codel
add bucket-size=0.01 limit-at=3M max-limit=15M name=P1_DNS_Up packet-mark=\
    DNS_U parent=Qos_Padre_Up priority=1 queue=default
# ICMP upload is hard-capped at 2M (limit-at equals max-limit).
add bucket-size=0.01 limit-at=2M max-limit=2M name=P3_ICMP_UP packet-mark=\
    ICMP_U parent=Qos_Padre_Up priority=3 queue=default
add bucket-size=0.01 limit-at=5M max-limit=29M name=P3_HTTP_Up packet-mark=\
    HTTP_U parent=Qos_Padre_Up priority=3 queue=default
add bucket-size=0.01 limit-at=4M max-limit=30M name="P8_TODO LO DE MAS_Up" \
    packet-mark=OTHER_U parent=Qos_Padre_Up queue=default
add bucket-size=0.01 limit-at=2M max-limit=30M name=P1_ACK_Up packet-mark=\
    ACK_U parent=Qos_Padre_Up priority=1 queue=default
add bucket-size=0.01 limit-at=15M max-limit=150M name=P1_ACK packet-mark=\
    ACK_D parent=QoS_Padre_Down priority=1 queue=default
add bucket-size=0.01 limit-at=50M max-limit=298M name=P2_UDP packet-mark=\
    UDP_D parent=QoS_Padre_Down priority=2 queue=default
add bucket-size=0.01 limit-at=6M max-limit=30M name=P2_UDP_Up packet-mark=\
    UDP_U parent=Qos_Padre_Up priority=2 queue=default
add bucket-size=0.01 limit-at=27M max-limit=150M name=P4_QUIC packet-mark=\
    QUIC_D parent=QoS_Padre_Down priority=4 queue=default
add bucket-size=0.01 limit-at=4M max-limit=15M name=P4_QUIC_UP packet-mark=\
    QUIC_U parent=Qos_Padre_Up priority=4 queue=default
add bucket-size=0.01 limit-at=50M max-limit=298M name=P5_HTTP_LARGE \
    packet-mark=LARGE_TRANSFER_D parent=QoS_Padre_Down priority=5 queue=\
    default
add bucket-size=0.01 limit-at=8M max-limit=29M name=P5_HTTP_LARGE_UP \
    packet-mark=LARGE_TRANSFER_U parent=Qos_Padre_Up priority=5 queue=default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing table
# Four custom routing tables, but no /ip route or /routing rule that references
# them appears anywhere in this export (the reply at item 13 asks about the
# missing routes). Dead config unless something outside the export uses them.
add fib name=to_ether1
add fib name=to_bridge-wifi-2.4
add fib name=odd
add fib name=even
/system logging action
set 0 memory-stop-on-full=yes
/ip smb
set enabled=no
/interface bridge port
# hw=no on the ethernet ports: bridging is done in software (the author says the
# switch chip cannot do VLANs). Every port is an access port
# (admit-only-untagged-and-priority-tagged) whose VLAN comes from pvid.
# ether3 additionally has broadcast-flood=no, unlike the other ports; the author
# reports DHCP on VLAN 10 working, so it is noted only as a difference.
add bridge=bridge-vlans broadcast-flood=no frame-types=\
    admit-only-untagged-and-priority-tagged hw=no interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge-mgmt frame-types=admit-only-untagged-and-priority-tagged \
    hw=no interface=ether6 pvid=99
add bridge=bridge-vlans frame-types=admit-only-untagged-and-priority-tagged \
    hw=no interface=ether2 pvid=10
# wlan1 is an access port for VLAN 39 via pvid=39 (see also vlan-id=39 on the
# wireless interface itself).
add bridge=bridge-vlans frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan1 pvid=39
add bridge=bridge-vlans disabled=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan2 pvid=49
# bridge=*23 is the internal id of a bridge that no longer exists in this
# export; both entries are disabled, so they are dead config and can be removed.
add bridge=*23 disabled=yes interface=ether4
add bridge=*23 disabled=yes interface=ether5
/ip firewall connection tracking
# udp-timeout=10s is short: request/response flows such as DNS fit, but a UDP
# session that goes quiet for more than 10 s is re-tracked as a new connection
# (which also re-runs the mangle classification below).
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is answered on every LAN member, including
# the WiFi VLANs; restricting this to the management VLAN is the safer choice
# (the reply's revision does so with a TRUSTED list).
set discover-interface-list=LAN
/ip settings
# SYN cookies enabled for the router's own TCP stack.
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
# IPv6 is disabled entirely, so the /ipv6 firewall mangle rules further down
# never see traffic.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# VLAN table. The bridge itself is tagged on every VLAN so the /interface vlan
# interfaces above can see the traffic; access ports are listed as untagged.
add bridge=bridge-vlans tagged=bridge-vlans untagged=ether3,ether2 vlan-ids=\
    10
add bridge=bridge-vlans tagged=bridge-vlans untagged=wlan1 vlan-ids=39
# bridge-vlans,wlan2 not a bridge port
add bridge=bridge-vlans disabled=yes tagged=bridge-vlans untagged=wlan2 \
    vlan-ids=49
# VLANs 2 and 3 are the two bridges' own pvids with no member ports.
add bridge=bridge-vlans tagged=bridge-vlans vlan-ids=2
add bridge=bridge-mgmt tagged=bridge-mgmt untagged=ether6 vlan-ids=99
add bridge=bridge-mgmt tagged=bridge-mgmt vlan-ids=3
/interface l2tp-server server
# Only server parameters are exported (no enabled=yes shown). IPsec is required
# for L2TP, which is the right setting if it is ever enabled.
set authentication=mschap2 use-ipsec=required
/interface list member
# LAN mixes the bridge member ports (ether2, ether3, ether6, wlan1, wlan2) with
# the L3 VLAN interfaces. The input/forward accept rules, neighbor discovery and
# MAC-server settings all key off this list, so every physical port is treated
# as trusted; the reply at item 5 asks for this to be cleaned up (only the VLAN
# interfaces carry L3 traffic in this design).
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether6 list=LAN
add interface=wlan2 list=LAN
add interface=vlan1-lan list=LAN
add interface=vlan-wifi list=LAN
add disabled=yes interface=vlan-wifi-2 list=LAN
add disabled=yes interface=bridge-vlans list=LAN
add interface=vlan-mgmt-99 list=LAN
/interface ovpn-server server
# auth=sha1 with AES-256 ciphers; client certificates are required. No
# enabled=yes is exported here, consistent with the author's statement that
# OVPN is disabled.
set auth=sha1 certificate=cert_export_CA.crt_0 cipher=aes256-cbc,aes256-gcm \
    default-profile=default-encryption port=10975 protocol=udp \
    require-client-certificate=yes
/interface sstp-server server
# certificate=*94 is a dangling reference (that certificate object is not in
# this export), so SSTP could not present a valid certificate as configured.
set authentication=mschap2 certificate=*94 default-profile=default-encryption \
    port=5443 verify-client-certificate=yes
/interface wireless access-list
# Two MAC entries for wlan2. Unless default-authentication=no is set on the
# interface (not shown in this export), these entries do not restrict who may
# associate; they only carry per-client settings.
add interface=wlan2 mac-address=C8:21:58:57:21:28
add interface=wlan2 mac-address=DE:35:65:5C:63:1C
/ip address
# Router addresses, one per VLAN interface; VLAN 49 is disabled along with its
# interface and DHCP server.
add address=192.168.10.1/24 interface=vlan1-lan network=192.168.10.0
add address=192.168.99.1/28 interface=vlan-mgmt-99 network=192.168.99.0
add address=192.168.39.1/24 interface=vlan-wifi network=192.168.39.0
add address=192.168.49.1/24 disabled=yes interface=vlan-wifi-2 network=\
    192.168.49.0
/ip arp
# Static ARP entry for one host on VLAN 10.
add address=192.168.10.4 interface=vlan1-lan mac-address=04:42:1A:F2:05:D2
/ip cloud
# DDNS publishes the WAN address under a MikroTik cloud hostname. With the
# Winbox accept rule in the input chain not restricted to an interface list,
# this widens the reachable management surface; either is worth revisiting.
set ddns-enabled=yes
/ip dhcp-client
# WAN address via DHCP; the ISP's DNS servers are ignored (use-peer-dns=no).
add comment=WAN1 interface=ether1 use-peer-dns=no
/ip dhcp-server network
# The 192.168.49.0/24 network entry is kept even though dhcp4 / vlan-wifi-2
# are disabled.
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.39.0/24 gateway=192.168.39.1
add address=192.168.49.0/24 gateway=192.168.49.1
add address=192.168.99.0/28 gateway=192.168.99.1
/ip dns
# The router is a recursive resolver for any source it accepts packets from
# (allow-remote-requests=yes), forwarding to Cloudflare. Queries arriving on
# WAN are only refused because the input chain ends in a drop-all rule, so
# keep that dependency in mind when editing the input chain.
set allow-remote-requests=yes doh-max-server-connections=30 \
    max-concurrent-queries=50 max-concurrent-tcp-sessions=30 servers=\
    1.1.1.1,1.0.0.1 verify-doh-cert=yes
/ip dns static
# All static entries are disabled (DoH provider pinning left over from earlier
# tests, per the author). Several are exact duplicates and can be pruned.
add address=8.8.8.8 disabled=yes name=dns.google
add address=8.8.4.4 disabled=yes name=dns.google
add address=104.16.249.249 disabled=yes name=cloudflare-dns.com
add address=104.16.248.249 disabled=yes name=cloudflare-dns.com
add address=45.90.28.0 disabled=yes name=dns.nextdns.io
add address=45.90.30.0 disabled=yes name=dns.nextdns.io
add address=2a07:a8c0:: disabled=yes name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: disabled=yes name=dns.nextdns.io type=AAAA
add address=104.16.248.249 disabled=yes name=cloudflare-dns.com
add address=104.16.249.249 disabled=yes name=cloudflare-dns.com
add address=45.90.28.0 disabled=yes name=dns.nextdns.io
add address=45.90.30.0 disabled=yes name=dns.nextdns.io
add address=2a07:a8c0:: disabled=yes name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: disabled=yes name=dns.nextdns.io type=AAAA
add address=9.9.9.9 disabled=yes name=dns.quad9.net
add address=149.112.112.112 disabled=yes name=dns.quad9.net
add address=2620:fe::fe disabled=yes name=dns.quad9.net type=AAAA
add address=2620:fe::9 disabled=yes name=dns.quad9.net type=AAAA
/ip firewall address-list
# All entries disabled. 192.168.20.0/24 is listed but no interface in this
# export carries that subnet (it also appears in /ip service address= and as
# the sniffer streaming target).
add address=192.168.10.0/24 disabled=yes list=local
add address=192.168.99.0/28 disabled=yes list=local
add address=192.168.39.0/24 disabled=yes list=local
add address=192.168.49.0/24 disabled=yes list=local
add address=192.168.20.0/24 disabled=yes list=local
/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED,RELATED,UNTRACKED" \
    connection-state=established,related,untracked
# No in-interface-list restriction: Winbox on tcp/5696 is accepted from WAN as
# well as LAN. The reply at item 6 flags this; the author later says it was a
# leftover from a period when the VPN was disabled.
add action=accept chain=input comment=Winbox dst-port=5696 protocol=tcp
# The next two rules overlap: !WAN already covers every LAN member, so
# "accept Local Lan" only adds acceptance of non-new LAN packets.
add action=accept chain=input comment="ACCEPT NEW !WAN" connection-state=new \
    in-interface-list=!WAN
add action=accept chain=input comment="accept Local Lan" in-interface-list=\
    LAN
# Ordering: this drop runs after the LAN accept above, which has no
# connection-state match, so invalid-state packets from LAN are accepted
# before it is reached. The conventional order is established/related,
# drop invalid, then the per-source accepts.
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="DROP EVERYTHING ELSE"
add action=accept chain=forward comment="ACCEPT ESTABLISHED,RELATED" \
    connection-state=established,related,untracked
# Accepts anything from any LAN member to anywhere, i.e. full inter-VLAN
# forwarding (the management VLAN is reachable from the WiFi VLANs). The reply
# at item 7 flags this; the revision below replaces it with LAN->WAN plus
# management->LAN rules.
add action=accept chain=forward comment="accept Local Lan" in-interface-list=\
    LAN
add action=drop chain=forward comment="DROP INVALID" connection-state=invalid
add action=drop chain=forward comment="Drop not dest natted" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# As ordered, a dst-natted new connection arriving on WAN is not matched by the
# rule above and falls through to this drop, so the Transmission port forward
# in /ip firewall nat would never be accepted; an explicit
# connection-nat-state=dstnat accept is needed before this rule.
add action=drop chain=forward comment="DROP EVERYTHING ELSE"
/ip firewall mangle
# QoS classification only (no routing marks are set here). The two accept
# rules short-circuit the chain for non-WAN traffic, so only WAN-originated
# (prerouting, *_D marks) and WAN-bound (postrouting, *_U marks) packets are
# classified. Pattern per class: mark-connection on the first packet, then
# mark-packet (passthrough=no) on every packet of that connection.
add action=accept chain=prerouting comment="Skip mangle for non WAN" \
    in-interface-list=!WAN
add action=accept chain=postrouting out-interface-list=!WAN
# Small TCP packets with the ACK flag (0-123 bytes) are marked per-packet
# before any connection marking and stop here (passthrough=no), so pure ACKs
# of HTTP/other flows land in the ACK queues regardless of connection class.
add action=mark-packet chain=prerouting comment=ACK new-packet-mark=ACK_D \
    packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting new-packet-mark=ACK_U packet-size=\
    0-123 passthrough=no protocol=tcp tcp-flags=ack
# DNS (udp and tcp 53) in both directions. Nothing here forces clients to use
# this resolver; the redirect rules that would do that are in /ip firewall nat
# and are disabled.
add action=mark-connection chain=prerouting comment=DNS connection-mark=\
    no-mark connection-state=new dst-port=53 new-connection-mark=DNS \
    passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-port=53 new-connection-mark=DNS passthrough=yes \
    protocol=tcp
add action=mark-connection chain=postrouting connection-mark=no-mark \
    connection-state=new dst-port=53 new-connection-mark=DNS passthrough=yes \
    protocol=udp
add action=mark-connection chain=postrouting connection-mark=no-mark \
    connection-state=new dst-port=53 new-connection-mark=DNS passthrough=yes \
    protocol=tcp
add action=mark-packet chain=prerouting comment=-- connection-mark=DNS \
    new-packet-mark=DNS_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=\
    DNS_U passthrough=no
# Generic UDP (everything udp that was not already marked DNS).
add action=mark-connection chain=prerouting comment=UDP connection-mark=\
    no-mark connection-state=new new-connection-mark=UDP passthrough=yes \
    protocol=udp
add action=mark-connection chain=postrouting connection-mark=no-mark \
    connection-state=new new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP new-packet-mark=\
    UDP_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=UDP new-packet-mark=\
    UDP_U passthrough=no
# HTTP(S) on tcp 80/8080/443. A connection is promoted to LARGE_TRANSFER once
# it exceeds connection-bytes 10000000 in prerouting but 5000000 in
# postrouting; the two thresholds disagree, which is probably unintended.
add action=mark-connection chain=prerouting comment=HTTP connection-mark=\
    no-mark connection-state=new dst-port=80,8080,443 new-connection-mark=\
    HTTP passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="HTTP - LARGE TRANSFER" \
    connection-bytes=10000000-0 connection-mark=HTTP new-connection-mark=\
    LARGE_TRANSFER passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP new-packet-mark=\
    HTTP_D passthrough=no
add action=mark-packet chain=prerouting connection-mark=LARGE_TRANSFER \
    new-packet-mark=LARGE_TRANSFER_D passthrough=no
add action=mark-connection chain=postrouting connection-mark=no-mark \
    connection-state=new dst-port=80,8080,443 new-connection-mark=HTTP \
    passthrough=yes protocol=tcp
add action=mark-connection chain=postrouting connection-bytes=5000000-0 \
    connection-mark=HTTP new-connection-mark=LARGE_TRANSFER passthrough=yes \
    protocol=tcp
add action=mark-packet chain=postrouting connection-mark=HTTP \
    new-packet-mark=HTTP_U passthrough=no
# passthrough=yes here is inconsistent with every other mark-packet rule
# (passthrough=no). No later rule re-marks a LARGE_TRANSFER connection, so it
# only costs extra rule evaluation, but it should match the others.
add action=mark-packet chain=postrouting connection-mark=LARGE_TRANSFER \
    new-packet-mark=LARGE_TRANSFER_U passthrough=yes
# ICMP.
add action=mark-connection chain=prerouting comment=ICMP connection-mark=\
    no-mark connection-state=new new-connection-mark=ICMP passthrough=yes \
    protocol=icmp
add action=mark-connection chain=postrouting connection-mark=no-mark \
    connection-state=new new-connection-mark=ICMP passthrough=yes protocol=\
    icmp
add action=mark-packet chain=prerouting connection-mark=ICMP new-packet-mark=\
    ICMP_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=ICMP \
    new-packet-mark=ICMP_U passthrough=no
# QUIC (udp 80/443). Note the generic UDP rules above already mark every new
# udp connection, so with this ordering a QUIC connection reaches these rules
# already carrying the UDP mark and the connection-mark=no-mark match fails;
# the QUIC queues would stay empty unless the QUIC rules are moved above UDP.
add action=mark-connection chain=prerouting comment=QUIC connection-mark=\
    no-mark connection-state=new dst-port=80,443 new-connection-mark=QUIC \
    passthrough=yes protocol=udp
add action=mark-connection chain=postrouting connection-mark=no-mark \
    connection-state=new dst-port=80,443 new-connection-mark=QUIC \
    passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC new-packet-mark=\
    QUIC_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=QUIC \
    new-packet-mark=QUIC_U passthrough=no
# Catch-all for anything still unmarked.
add action=mark-connection chain=prerouting comment=OTHER connection-mark=\
    no-mark new-connection-mark=OTHER passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark \
    new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER \
    new-packet-mark=OTHER_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=OTHER \
    new-packet-mark=OTHER_U passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Disabled: would redirect all client DNS to the router's own resolver.
# Leftover from earlier tests, per the author.
add action=redirect chain=dstnat comment="DNS forwarding" disabled=yes \
    dst-port=53 protocol=udp
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp
# No in-interface-list=WAN and no dst-address: any packet to tcp/51414 from
# any interface, including a LAN client reaching an internet host on that
# port, is rewritten to 192.168.10.2. The reply at item 10 asks for
# in-interface-list=WAN to be added.
add action=dst-nat chain=dstnat comment=\
    "Transmission port listening - Torrent" dst-port=51414 protocol=tcp \
    to-addresses=192.168.10.2 to-ports=51414
/ip firewall raw
# Accept-only rules for DHCP client->server traffic. With no drop rule in raw
# they change nothing (accept in raw does not bypass connection tracking;
# notrack would). The reply at item 9 says remove them.
add action=accept chain=prerouting dst-address=255.255.255.255 dst-port=67 \
    protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting dst-port=67 protocol=udp src-port=68
add action=accept chain=prerouting disabled=yes in-interface-list=LAN \
    src-address-list=local
/ip firewall service-port
# Connection-tracking ALG helpers disabled: a good default for a NAT router
# that does not need them.
set ftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
/ip service
# Telnet, FTP, www and API are disabled. SSH (10737), Winbox (5696) and
# www-ssl are enabled on non-default ports but carry no address= restriction,
# unlike the disabled services; adding address=<management subnet> to the
# enabled ones is cheap defence-in-depth on top of the input chain.
# www-ssl and api-ssl reference certificate=*96, a dangling id, so their TLS
# certificate is undefined in this export.
set telnet disabled=yes
set ftp address=192.168.10.0/24,192.168.20.0/24 disabled=yes
set www address=192.168.10.0/24,192.168.20.0/24 disabled=yes
set ssh port=10737
set www-ssl certificate=*96 tls-version=only-1.2
set api address=192.168.10.0/24,192.168.20.0/24 disabled=yes
set winbox port=5696
set api-ssl certificate=*96 disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp interfaces
# UPnP interface mapping. No "/ip upnp set enabled=yes" is exported and the
# author says UPnP is off; remove the mapping if it stays unused (reply item 11).
add interface=ether1 type=external
add interface=bridge-vlans type=internal
/ipv6 firewall mangle
# Eight accept rules keyed on dscp 0-7 in postrouting. accept in mangle only
# ends mangle processing for the packet, and IPv6 is disabled in
# /ipv6 settings, so these rules are inert and can be removed.
add action=accept chain=postrouting comment=\
    "IP Precedence 0 (DSCP 0) - Best Effort (Low Priority) (default)" dscp=0
add action=accept chain=postrouting comment=\
    "IP Precedence 0 (DSCP 1) - Best Effort (Low Priority) (default)" dscp=1
add action=accept chain=postrouting comment=\
    "IP Precedence 0 (DSCP 2) - Best Effort (Low Priority) (default)" dscp=2
add action=accept chain=postrouting comment=\
    "IP Precedence 0 (DSCP 3) - Best Effort (Low Priority) (default)" dscp=3
add action=accept chain=postrouting comment=\
    "IP Precedence 0 (DSCP 4) - Best Effort (Low Priority) (default)" dscp=4
add action=accept chain=postrouting comment=\
    "IP Precedence 0 (DSCP 5) - Best Effort (Low Priority) (default)" dscp=5
add action=accept chain=postrouting comment=\
    "IP Precedence 0 (DSCP 6) - Best Effort (Low Priority) (default)" dscp=6
add action=accept chain=postrouting comment=\
    "IP Precedence 0 (DSCP 7) - Best Effort (Low Priority) (default)" dscp=7
/ppp secret
# Two OVPN users on 192.168.88.x (passwords are not included in an export).
# OVPN interfaces are not LAN members: as the lists stand, the input chain's
# "ACCEPT NEW !WAN" rule admits VPN clients to the router itself (Winbox over
# VPN, as the reply recommends), but the forward chain's drop-all would stop
# VPN-to-VLAN traffic.
add local-address=192.168.88.1 name=jm86ar profile=default-encryption \
    remote-address=192.168.88.3 service=ovpn
add local-address=192.168.88.1 name=ovpn_user profile=default-encryption \
    remote-address=192.168.88.2 service=ovpn
/routing bfd configuration
add disabled=no
/routing ospf area
# instance=*1 is a dangling reference; the area is disabled anyway.
add disabled=yes instance=*1 name=backbone-v2
/special-login
# Serial-console login as user "serial" on serial0. special-login is documented
# as logging that user in directly from the console, so anyone with physical
# access to the serial port gets that user's session; make sure the user's
# group is minimal, or remove this if it is not needed.
add port=serial0 user=serial
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=MikroTik_JML
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system note
set show-at-login=no
/system ntp client servers
# The only NTP server is 192.168.10.1, which is the router's own VLAN 10
# address, so the client is querying itself and never gets real time. Point
# the client at an internet NTP source and serve the LAN from /system ntp
# server instead (reply item 12). Accurate time matters for certificate
# validation (www-ssl, OVPN) and for log correlation.
add address=192.168.10.1
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system script
# Wake-on-LAN helper ("encender" = power on). Two issues: interface=bridge-lan
# does not exist in this export (the bridges are bridge-mgmt and bridge-vlans),
# so the script will fail as written; and policy=reboot,read,write,policy,test
# with dont-require-permissions=yes is far broader than a single wol command
# needs (reboot and policy in particular). Anything able to run the script
# inherits that policy, so trim it to the minimum the command actually requires.
add dont-require-permissions=yes name=encender-ryzen owner=jm86ar policy=\
    reboot,read,write,policy,test source=\
    " /tool wol 04:D4:C4:F2:7B:E8 interface=bridge-lan "
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet and MAC-Winbox are reachable from every LAN member, including the
# WiFi VLANs. Restrict both to the management VLAN (the reply's revision uses
# a TRUSTED list containing only vlan-mgmt-99 and sets MAC-telnet to none).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Sniffer settings from the author's debugging. filter-interface=*1E is a
# dangling id and streaming-server=192.168.20.1 is not on any configured
# subnet. No streaming-enabled=yes is exported; if streaming is ever turned
# on, captures (including the DHCP exchanges being debugged) leave the router
# unencrypted, so keep it off once troubleshooting is done.
set file-limit=5240KiB file-name=captura-wifi filter-interface=*1E \
    memory-limit=10240KiB streaming-server=192.168.20.1

wifi-sniffing.png

  1. Keep the bridge simple, i.e. you ONLY need to turn vlan-filtering on! AND use ONE BRIDGE!!

  2. Remove the VLAN settings from the WiFi interfaces; use the wireless config only for WiFi settings.

  3. Fix /interface bridge ports

  4. Fix /interface bridge vlans

  5. Fix /interface list members

  6. SECURITY ISSUE: never have Winbox open to the internet. You have VPNs, use them to access the router, then use Winbox from inside.

  7. BAD RULE. Too open-ended (always have a clear originator and a CLEARLY defined receiver). It allows all VLANs to see each other. :frowning:

  8. I have no clue as to what you are doing in mangles…
    I get that you are trying to identify traffic for queues in some respects, but then you have others that look like forcing DNS traffic???
    Please explain what the purpose of all mangles are for…in words, so that perhaps we can find a better or clearer way.
    Also, just accept ICMP in the input chain, and don't try to get fancy with it. WASTE of time.

  9. Remove raw firewall rules. Not needed.

  10. The dstnat port-forwarding rule is incorrectly formatted; if it is only for external access, then make sure you add in-interface-list=WAN as an additional match.

  11. I recommend not enabling UPnP if it is not required.

  12. The NTP setup is screwy: you need to set up the NTP client (router to the internet) and then the NTP server (router to the devices on the network)…

  13. Dont see any routes???

# 2024-08-07 10:34:24 by RouterOS 7.15.3
# model = RB4011iGS+5HacQ2HnD
# Reviewer's proposed rewrite of the author's export: one VLAN-aware bridge,
# VLAN membership handled only by the bridge port pvid and vlan table, and the
# vlan-id settings removed from the wireless interfaces.
/interface bridge
add name=MYbridge vlan-filtering=yes

/interface vlan
# All four L3 VLAN interfaces now hang off the single bridge.
add interface=MYbridge  name=vlan1-lan vlan-id=10
add interface=MYbridge  name=vlan-wifi vlan-id=39
add interface=MYbridge  name=vlan-wifi-2 vlan-id=49
add interface=MYbridge   name=vlan-mgmt-99 vlan-id=99

/interface list
# TRUSTED is new: it holds only the management VLAN and gates neighbor
# discovery and MAC-Winbox.
add name=WAN
add name=LAN
add name=TRUSTED

/interface wireless
# Same radio settings as the original minus vlan-id=39 / vlan-id=49 on the
# wireless interfaces; VLAN assignment comes from the bridge port pvid instead.
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-n/ac channel-width=\
    20/40/80mhz-eCee country=no_country_set disabled=no frequency=5200 \
    frequency-mode=manual-txpower mode=ap-bridge security-profile=profile1 \
    ssid=JML station-roaming=enabled wmm-support=enabled wps-mode=\
    disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-g/n country=\
    no_country_set default-forwarding=no frequency=2432 frequency-mode=\
    manual-txpower mode=ap-bridge security-profile=profile1 ssid=JML-2.4Ghz \
    station-roaming=enabled wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled

/ip dhcp-server
# DHCP servers stay bound to the L3 VLAN interfaces; dhcp4 (VLAN 49) is now
# enabled. The pools are assumed to be the same as in the original export.
add address-pool=dhcp_pool16 interface=vlan1-lan name=dhcp2
add address-pool=dhcp_pool19 interface=vlan-wifi name=dhcp3
add address-pool=dhcp_pool20 interface=vlan-wifi-2 name=dhcp4
add address-pool=dhcp_pool21 interface=vlan-mgmt-99 name=dhcp1

/routing table
# Carried over unchanged from the original; still not referenced by any route
# or routing rule shown in the thread.
add fib name=to_ether1
add fib name=to_bridge-wifi-2.4
add fib name=odd
add fib name=even

/interface bridge port
# Every port is a pure access port: admit-only-untagged-and-priority-tagged
# plus ingress-filtering=yes (frames for VLANs the port is not a member of are
# dropped). ether4/ether5 and the dangling *23 entries are gone.
add bridge=MYbridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged  interface=ether2 pvid=10
add bridge=MYbridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged  interface=ether3 pvid=10
add bridge=MYbridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged  interface=ether6 pvid=99
add bridge=MYbridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged  interface=wlan1 pvid=39
add bridge=MYbridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged  interface=wlan2 pvid=49

/ip neighbor discovery-settings
# Neighbor discovery answered only on the management VLAN.
set discover-interface-list=TRUSTED

/ipv6 firewall
# Default-deny for IPv6 so nothing is exposed if it is ever re-enabled (the
# original disables IPv6 in /ipv6 settings).
add chain=input action=drop
add chain=forward action=drop

/interface bridge vlan
# Note the case: tagged=MYBridge while the bridge is named MYbridge. RouterOS
# interface names are, as far as I know, case-sensitive, so as written these
# four lines would most likely be rejected on import; use MYbridge throughout.
add bridge=MYbridge tagged=MYBridge  untagged=ether2,ether3 vlan-ids=10
add bridge=MYbridge tagged=MYBridge  untagged=wlan1 vlan-ids=39
add bridge=MYbridge tagged=MYBridge  untagged=wlan2 vlan-ids=49
add bridge=MYbridge tagged=MYBridge  untagged=ether6 vlan-ids=99

/interface list member
# Only the WAN port and the L3 VLAN interfaces are list members now; the
# physical bridge ports are no longer in LAN. vlan-mgmt-99 is in both LAN and
# TRUSTED, so it keeps normal LAN access plus the management-only privileges.
add interface=ether1 list=WAN
add interface=vlan1-lan list=LAN
add interface=vlan-wifi list=LAN
add  interface=vlan-wifi-2 list=LAN
add interface=vlan-mgmt-99 list=LAN
add interface=vlan-mgmt-99 list=TRUSTED

/ip address
# Same addressing as the original, with the VLAN 49 address now enabled.
add address=192.168.10.1/24 interface=vlan1-lan network=192.168.10.0
add address=192.168.39.1/24 interface=vlan-wifi network=192.168.39.0
add address=192.168.49.1/24 interface=vlan-wifi-2 network=192.168.49.0
add address=192.168.99.1/28 interface=vlan-mgmt-99 network=192.168.99.0

/ip firewall filter
# Input chain: drop-invalid now runs before the accepts, and there is no
# Winbox rule at all; management is accepted only from vlan-mgmt-99.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
# Unrestricted ICMP accept (no rate limit); fine for a home router.
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access"  in-interface=vlan-mgmt-99 
# Other VLANs reach only DNS (udp/tcp 53) and NTP (udp 123) on the router.
# DHCP (udp 67) is not listed; RouterOS's DHCP server is generally documented
# as handling requests below the IP firewall, but given the thread's subject
# it is worth confirming on 7.15.3 rather than assuming.
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="DROP EVERYTHING ELSE"
# Visual separator in the reviewer's post, not RouterOS syntax; remove it
# before importing.
++++++++++++++++++++++++++++
# Forward chain: LAN->WAN, management VLAN->any LAN, and dst-natted inbound
# only; everything else, including inter-VLAN traffic, is dropped.
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward  connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access"  in-interface=vlan-mgmt-99  out-interface-list=LAN
# Accepts any dst-natted connection from any interface; safe here because the
# only dstnat rule below is itself restricted to in-interface-list=WAN.
add action=accept  chain=forward comment="Port Forwarding"   connection-nat-state=dstnat
add action=drop chain=forward comment="DROP EVERYTHING ELSE"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Port forward now restricted to WAN ingress; to-ports was dropped (same port).
add action=dst-nat chain=dstnat in-interface-list=WAN comment=\
    "Transmission port listening - Torrent" dst-port=51414 protocol=tcp \
    to-addresses=192.168.10.2

/tool mac-server
# MAC-telnet off everywhere; MAC-Winbox only from the management VLAN. RouterOS
# spells the built-in empty list "none" in lower case; confirm the uppercase
# form is accepted before relying on it.
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Ok, most of the notes you made are about features that are not enabled — leftovers of old tests that I ran (DoH, UPnP).
I’ve added the forward rule to block inter-VLAN traffic.
I know how serious the incoming rule allowing Winbox is; I had just disabled the OVPN that I normally use when I need access from outside (on rare occasions) and forgot to remove that rule before I did the export.

The mangle rules are used to apply QoS with FqCodel, which works fine at mitigating bufferbloat — that’s an A+ grade for streaming and gaming on a 300/30 Mbit connection.
It’s meant to deal with several devices, like smart TVs, cellphones and laptops, working at home at the same time.

Anyway, I think I’ve corrected most of the points you mentioned, and the problem still remains. All devices get stuck at “Connecting” for the first 3 or 4 attempts.

P.S. Why can’t I use the logical VLAN interface with WiFi and benefit from vlan-filtering? My router doesn’t support VLANs on the switch chip.

thanks.
Regards

/interface bridge
# Author's revision after the review: a single bridge, still pvid=2 and
# fast-forward=no, and now protocol-mode=none (spanning tree off entirely;
# with one bridge and no redundant links that is workable, but an accidental
# loop will not be detected).
add fast-forward=no name=bridge-vlans protocol-mode=none pvid=2 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether6 ] comment=MGMT
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface ovpn-server
add disabled=yes name=ovpn-chozita user=ovpn_user
/interface vlan
# Only VLANs 99 and 10 keep an L3 VLAN interface; the WiFi VLAN interface is
# gone (the WiFi DHCP server is now bound to wlan1 directly, see
# /ip dhcp-server further down).
add interface=bridge-vlans name=vlan-mgmt-99 vlan-id=99
add interface=bridge-vlans name=vlan10-lan vlan-id=10
/interface list
add name=WAN
add name=WiFi
add name=LAN
add name=TRUSTED
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# The curly quotes in eap-methods=“” / supplicant-identity=“” are forum
# auto-formatting; the real export has plain "" (compare the first export).
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods=“” mode=dynamic-keys name=profile1 supplicant-identity=“”
/interface wireless
# wlan1 still carries vlan-id=39 even though the reply at item 2 asked for it
# to be removed; default-forwarding=no is new (WiFi clients are not forwarded
# to each other by the AP). The forum wrapped this command after
# "frequency-mode=" with no trailing backslash, so it is not importable as
# pasted.
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-n/ac channel-width=20/40/80mhz-eCee country=no_country_set default-forwarding=no disabled=no frequency=5200 frequency-mode=
manual-txpower mode=ap-bridge security-profile=profile1 ssid=JML station-roaming=enabled vlan-id=39 wmm-support=enabled wps-mode=disabled
# wlan2 likewise keeps vlan-id=49; also wrapped by the forum.
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-g/n country=no_country_set default-forwarding=no frequency=2432 frequency-mode=manual-txpower mode=ap-bridge
security-profile=profile1 ssid=JML-2.4Ghz station-roaming=enabled vlan-id=49 wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1
/ip pool
# dhcp_pool22 has exactly the same range as dhcp_pool19 (192.168.39.2-254).
# Only pool22 is referenced by a server in this excerpt, but two pools over one
# range can hand out the same address twice if both are ever used; delete the
# unused one. dhcp_pool20 (VLAN 49) is also unreferenced here.
add name=dhcp_pool16 ranges=192.168.10.2-192.168.10.30
add name=dhcp_pool19 ranges=192.168.39.2-192.168.39.254
add name=dhcp_pool20 ranges=192.168.49.2-192.168.49.254
add name=dhcp_pool21 ranges=192.168.99.2-192.168.99.14
add name=dhcp_pool22 ranges=192.168.39.2-192.168.39.254
/ip dhcp-server
# dhcp3 is now bound to wlan1 (a bridge member port) rather than to a VLAN
# interface. A DHCP server normally needs an IP address on the interface it is
# bound to; the /ip address and /interface bridge port sections of this
# revision fall outside this excerpt, so whether wlan1 has one cannot be
# checked here.
add address-pool=dhcp_pool16 interface=vlan10-lan name=dhcp2
add address-pool=dhcp_pool21 interface=vlan-mgmt-99 name=dhcp1
add address-pool=dhcp_pool22 interface=wlan1 name=dhcp3
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 baud-rate=auto name=serial0
set 1 name=serial1
/queue type
# Identical queue-type definitions to the first export (only the line wrapping
# differs); as before, only fq-codel and default are used by the queue tree.
set 0 kind=sfq
add kind=red name=red-custom red-avg-packet=1514
add kind=pcq name=PCQ_download pcq-classifier=dst-address
add kind=pcq name=PCQ_upload pcq-classifier=src-address
add kind=pcq name=bulkUp pcq-classifier=src-address,dst-address,src-port,dst-port pcq-limit=450KiB pcq-total-limit=4500KiB
add kind=sfq name=bulkDown
add kind=fq-codel name=fq-codel
add cake-ack-filter=filter cake-diffserv=diffserv4 cake-flowmode=dual-srchost cake-mpu=84 cake-nat=yes cake-overhead=44 cake-rtt-scheme=internet kind=cake name=cake-upload
add cake-diffserv=diffserv4 cake-flowmode=dual-dsthost cake-mpu=84 cake-overhead=44 cake-rtt-scheme=internet cake-wash=yes kind=cake name=cake-download
add kind=sfq name=sfq-default
add cake-diffserv=diffserv4 cake-mpu=84 cake-overhead=44 cake-rtt-scheme=internet cake-wash=yes kind=cake name=cake-download-v2
add cake-ack-filter=filter cake-diffserv=besteffort cake-mpu=84 cake-overhead=44 cake-rtt-scheme=internet kind=cake name=cake-upload-v2
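/queue tree
# HTB shaper fed by the packet marks set in /ip firewall mangle.
# QoS_Main_Down (parent=global) shapes download traffic marked in prerouting,
# Qos_Main_Up (parent=ether1) shapes upload traffic marked in postrouting.
# Children only receive packets carrying their packet-mark; lower priority
# number is served first. Queue names containing spaces must use plain ASCII
# double quotes -- the typographic quotes in the pasted export would not
# import, so they are replaced here.
# NOTE(review): the upload children's limit-at values sum to 34M, above the
# 31M max-limit of Qos_Main_Up, so the guarantees cannot all be honoured at
# once (download: 300M of 301M is fine). Tune limit-at on the upload side.
add bucket-size=0.001 max-limit=301M name=QoS_Main_Down parent=global queue=fq-codel
add bucket-size=0.01 limit-at=3M max-limit=10M name=P3_ICMP packet-mark=ICMP_D parent=QoS_Main_Down priority=3 queue=default
add bucket-size=0.01 limit-at=15M max-limit=150M name=P1_DNS packet-mark=DNS_D parent=QoS_Main_Down priority=1 queue=default
add bucket-size=0.01 limit-at=100M max-limit=150M name=P3_HTTP packet-mark=HTTP_D parent=QoS_Main_Down priority=3 queue=default
add bucket-size=0.01 limit-at=40M max-limit=150M name="P8_TODO LO DE MAS" packet-mark=OTHER_D parent=QoS_Main_Down queue=default
add bucket-size=0.001 max-limit=31M name=Qos_Main_Up parent=ether1 queue=fq-codel
add bucket-size=0.01 limit-at=3M max-limit=15M name=P1_DNS_Up packet-mark=DNS_U parent=Qos_Main_Up priority=1 queue=default
add bucket-size=0.01 limit-at=2M max-limit=2M name=P3_ICMP_UP packet-mark=ICMP_U parent=Qos_Main_Up priority=3 queue=default
add bucket-size=0.01 limit-at=5M max-limit=29M name=P3_HTTP_Up packet-mark=HTTP_U parent=Qos_Main_Up priority=3 queue=default
add bucket-size=0.01 limit-at=4M max-limit=30M name="P8_TODO LO DE MAS_Up" packet-mark=OTHER_U parent=Qos_Main_Up queue=default
add bucket-size=0.01 limit-at=2M max-limit=30M name=P1_ACK_Up packet-mark=ACK_U parent=Qos_Main_Up priority=1 queue=default
add bucket-size=0.01 limit-at=15M max-limit=150M name=P1_ACK packet-mark=ACK_D parent=QoS_Main_Down priority=1 queue=default
add bucket-size=0.01 limit-at=50M max-limit=298M name=P2_UDP packet-mark=UDP_D parent=QoS_Main_Down priority=2 queue=default
add bucket-size=0.01 limit-at=6M max-limit=30M name=P2_UDP_Up packet-mark=UDP_U parent=Qos_Main_Up priority=2 queue=default
# The QUIC queues only receive traffic if the QUIC classifier in mangle runs
# before the generic UDP classifier (see /ip firewall mangle).
add bucket-size=0.01 limit-at=27M max-limit=150M name=P4_QUIC packet-mark=QUIC_D parent=QoS_Main_Down priority=4 queue=default
add bucket-size=0.01 limit-at=4M max-limit=15M name=P4_QUIC_UP packet-mark=QUIC_U parent=Qos_Main_Up priority=4 queue=default
add bucket-size=0.01 limit-at=50M max-limit=298M name=P5_HTTP_LARGE packet-mark=LARGE_TRANSFER_D parent=QoS_Main_Down priority=5 queue=default
add bucket-size=0.01 limit-at=8M max-limit=29M name=P5_HTTP_LARGE_UP packet-mark=LARGE_TRANSFER_U parent=Qos_Main_Up priority=5 queue=default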
/routing bgp template
# Default BGP template is enabled, but no BGP connection appears in this
# export; harmless on its own, a peer would still have to be configured.
set default disabled=no output.network=bgp-networks
/routing table
# Additional routing table; no /routing rule or route using it is visible here.
add fib name=to_ether1
/system logging action
# NOTE(review): memory-stop-on-full=yes keeps the oldest entries and silently
# discards new ones once the in-memory buffer is full, so anything that
# happens after a burst of log lines (a scan, or an attacker deliberately
# filling the log) is never recorded. The default (no) overwrites the oldest
# entries; forwarding to a remote syslog target is the robust option. This may
# have been set on purpose to preserve boot-time lines while debugging -- confirm.
set 0 memory-stop-on-full=yes
/ip smb
set enabled=no
/interface bridge port
# Access ports on bridge-vlans. Each port admits untagged (or priority-tagged)
# frames only and maps them to its PVID; tagged frames from a client are
# dropped at the port, which blocks VLAN hopping by tagging. hw=no keeps the
# switch chip out of the path (CPU bridging). Neither wlan1 nor wlan2 is a
# bridge port in this export: the radios are routed interfaces with their own
# /24 (see /ip address), so the WiFi subnets never touch the VLAN table below.
add bridge=bridge-vlans broadcast-flood=no frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
# ether6 (MGMT) is an untagged VLAN 99 access port on bridge-vlans. The L3
# vlan-mgmt-99 interface that holds 192.168.99.1/28 has to be a VLAN interface
# on this same bridge for VLAN 99 to reach the CPU -- verify.
add bridge=bridge-vlans frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether6 pvid=99
add bridge=bridge-vlans frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether2 pvid=10
/ip firewall connection tracking
# NOTE(review): udp-timeout=10s is far below the default (30s). Any UDP flow
# that pauses for more than 10s loses its conntrack entry and its next inbound
# packet is treated as new -- and dropped by the forward chain. This should not
# be the WiFi DHCP problem (the router's own server answers broadcasts on wlan1
# directly), but it will hurt VoIP, VPN and game traffic. Confirm intended.
set udp-timeout=10s
/ip neighbor discovery-settings
# MNDP/CDP/LLDP announcements go out on every LAN member, including both
# radios, so any wireless client learns the router model, version and identity.
# Restricting this to the management VLAN (the TRUSTED list) is tighter.
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
# IPv6 fully disabled, so the absence of an /ipv6 firewall is not a gap.
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface bridge vlan
# VLAN table for bridge-vlans. The bridge itself is a tagged member of every
# VLAN so the matching /interface vlan L3 interfaces can terminate them on the CPU.
add bridge=bridge-vlans tagged=bridge-vlans untagged=ether3,ether2 vlan-ids=10
# VLAN 2 is the bridge PVID: tagged-only, no access port, so untagged frames
# on the bridge itself go nowhere (native-VLAN abuse is a non-issue).
add bridge=bridge-vlans tagged=bridge-vlans vlan-ids=2
add bridge=bridge-vlans tagged=bridge-vlans untagged=ether6 vlan-ids=99
# There is no entry for VLAN 39 or 49: neither radio is a bridge port in this
# export, so the WiFi subnets are routed straight off wlan1/wlan2.
/interface l2tp-server server
# L2TP only with IPsec and MSCHAPv2; enabled= is not set, so the server is off.
set authentication=mschap2 use-ipsec=required
/interface list member
# WAN / LAN / TRUSTED membership. LAN holds the raw radios and the VLAN
# interfaces (the raw bridge ports ether2/3/6 are harmless here: routed traffic
# enters through the VLAN interfaces). TRUSTED, used for MAC-Winbox, is the
# management VLAN only.
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=ether6 list=LAN
add interface=wlan2 list=LAN
add interface=vlan10-lan list=LAN
add interface=vlan-mgmt-99 list=LAN
add interface=vlan-mgmt-99 list=TRUSTED
/interface ovpn-server server
# NOTE(review): auth=sha1 and aes256-cbc are legacy choices; move to sha256 and
# aes256-gcm only once every client supports them. require-client-certificate=yes
# is the important control. The certificate name looks like an imported CA
# certificate rather than a server certificate issued by it -- confirm it has a
# private key and a server EKU. enabled= is not set, so the server is off.
set auth=sha1 certificate=cert_export_CA.crt_0 cipher=aes256-cbc,aes256-gcm default-profile=default-encryption port=10975 protocol=udp require-client-certificate=yes
/interface sstp-server server
# certificate=*94 is an unresolved object id: the certificate it pointed at no
# longer exists, so SSTP has no usable server certificate. Re-issue one and
# reference it by name. verify-client-certificate=yes is good.
set authentication=mschap2 certificate=*94 default-profile=default-encryption port=5443 verify-client-certificate=yes
/interface wireless connect-list
# Connect-list entries control which remote AP a station (or WDS link) may
# join; on a plain AP-mode interface this entry has no effect. If wlan1 is
# the AP for the 5 GHz clients, this is a leftover; if it is a station, the
# pinned BSSID is the only AP it will associate with.
add interface=wlan1 mac-address=8A:8B:6A:53:8D:8A
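/ip address
# One subnet per segment (/28 for management). wlan1/wlan2 are addressed
# directly: the radios are routed interfaces, not bridge ports.
add address=192.168.10.1/24 interface=vlan10-lan network=192.168.10.0
add address=192.168.99.1/28 interface=vlan-mgmt-99 network=192.168.99.0
add address=192.168.39.1/24 interface=wlan1 network=192.168.39.0
add address=192.168.49.1/24 disabled=yes interface=wlan2 network=192.168.49.0
/ip arp
# Static ARP pin for one VLAN 10 host. A static entry alone does not stop
# spoofed dynamic entries; that needs arp=reply-only on the interface.
add address=192.168.10.4 interface=vlan10-lan mac-address=04:42:1A:F2:05:D2
/ip cloud
# NOTE(review): DDNS publishes this router's public IP under its serial-derived
# hostname to MikroTik's cloud service; keep it only if that hostname is
# actually used (e.g. for the VPN endpoints).
set ddns-enabled=yes
/ip dhcp-client
# Upstream lease on ether1; use-peer-dns=no keeps the ISP resolvers out of /ip dns.
add comment=WAN1 interface=ether1 use-peer-dns=no
/ip dhcp-server
# dhcp4 (2.4 GHz, 192.168.49.0/24) was exported with interface=*20, an
# unresolved object id left behind when the original interface was removed.
# It is bound to wlan2, which carries the matching 192.168.49.1/24 address
# above. The server stays disabled, as does the wlan2 address.
add address-pool=dhcp_pool20 disabled=yes interface=wlan2 name=dhcp4
/ip dhcp-server network
# No dns-server option is set; with allow-remote-requests=yes on /ip dns the
# server should hand out the router itself as resolver -- confirm that is the
# intent (it is what keeps DNS traffic inside the LAN filter rules).
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.39.0/24 gateway=192.168.39.1
add address=192.168.49.0/24 gateway=192.168.49.1
add address=192.168.99.0/28 gateway=192.168.99.1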
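/ip dns
# The router resolves for LAN clients (allow-remote-requests=yes). Exposure as
# an open resolver is prevented only by the input filter, which accepts udp/tcp
# 53 from the LAN list alone -- keep those rules in sync with this setting.
# Upstream queries go to Cloudflare in plain UDP/TCP: the doh-* parameters have
# no effect until use-doh-server= is configured.
set allow-remote-requests=yes doh-max-server-connections=30 max-concurrent-queries=50 max-concurrent-tcp-sessions=30 servers=1.1.1.1,1.0.0.1 verify-doh-cert=yes
/ip dns static
# Pre-resolved DoH endpoint names (all disabled, ready for a use-doh-server
# switch). The export listed every Cloudflare and NextDNS record twice; the
# exact duplicates are dropped here.
add address=8.8.8.8 disabled=yes name=dns.google
add address=8.8.4.4 disabled=yes name=dns.google
add address=104.16.249.249 disabled=yes name=cloudflare-dns.com
add address=104.16.248.249 disabled=yes name=cloudflare-dns.com
add address=45.90.28.0 disabled=yes name=dns.nextdns.io
add address=45.90.30.0 disabled=yes name=dns.nextdns.io
add address=2a07:a8c0:: disabled=yes name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: disabled=yes name=dns.nextdns.io type=AAAA
add address=9.9.9.9 disabled=yes name=dns.quad9.net
add address=149.112.112.112 disabled=yes name=dns.quad9.net
add address=2620:fe::fe disabled=yes name=dns.quad9.net type=AAAA
add address=2620:fe::9 disabled=yes name=dns.quad9.net type=AAAA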
/ip firewall address-list
# Per-segment subnets as address lists. No filter, mangle or NAT rule in this
# export references them (the poster mentions disabling their use while
# debugging); the interface-based matches are the effective controls.
add address=192.168.10.0/24 list=vlan10
add address=192.168.99.0/28 list=vlan99
add address=192.168.39.0/24 list=wifi5.8
add address=192.168.49.0/24 list=wifi2.4
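/ip firewall filter
# Comments containing spaces must use plain ASCII double quotes; the
# typographic quotes in the pasted export would not import and are replaced.
#
# INPUT: default-deny. Only established/related/untracked traffic, ICMP,
# anything from the management VLAN, and DNS/NTP from LAN members reach the
# router. (The built-in DHCP server is generally understood to answer below
# the IP firewall, so this chain is not where the WiFi DHCP symptom comes from.)
add action=accept chain=input comment="ACCEPT ESTABLISHED,RELATED,UNTRACKED" connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
# ICMP is accepted from every interface, WAN included, with no rate limit.
# A limit= match, or restricting to echo/unreachable/time-exceeded types, is
# the usual hardening.
add action=accept chain=input protocol=icmp
# Full router access from the management VLAN only. No other segment can reach
# ssh/winbox/www-ssl, whatever their /ip service address= says.
add action=accept chain=input comment="admin access" in-interface=vlan-mgmt-99
add action=accept chain=input comment="users to services" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="DROP EVERYTHING ELSE"
# FORWARD: default-deny. Only LAN->WAN and port-forwarded (dstnat) flows are
# accepted; there is no accept for any LAN->LAN path, so every inter-VLAN
# packet ends at the final drop. The two explicit vlan10 drops below are
# therefore redundant -- kept as a record of intent, but note the first one's
# out-interface=!vlan-mgmt-99 does NOT open vlan10->management (nothing accepts it).
add action=accept chain=forward comment="ACCEPT ESTABLISHED,RELATED" connection-state=established,related,untracked
add action=drop chain=forward comment="DROP INVALID" connection-state=invalid
add action=accept chain=forward comment="Internet Traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Block inter-vlan traffic" in-interface=vlan10-lan out-interface=!vlan-mgmt-99
add action=drop chain=forward in-interface=vlan10-lan out-interface=!vlan10-lan
add action=drop chain=forward comment="Drop not dest natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Port Forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="DROP EVERYTHING ELSE"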
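/ip firewall mangle
# QoS classification feeding /queue tree. Download direction is classified in
# prerouting (packets arriving from WAN), upload direction in postrouting
# (packets leaving towards WAN); the first two rules accept everything else
# untouched. Every mark-connection rule requires connection-mark=no-mark, so
# the FIRST matching classifier wins and rule order is significant: specific
# protocols (DNS, QUIC) must precede the catch-all UDP classifier.
# Comments with spaces use plain ASCII quotes, and the "HTTP - LARGE TRANSFER"
# rule, whose protocol=tcp had been wrapped onto its own line in the paste, is
# restored to a single line so the block imports.
add action=accept chain=prerouting comment="Skip mangle for non WAN" in-interface-list=!WAN
add action=accept chain=postrouting out-interface-list=!WAN
# Small ACK-flagged TCP segments get a dedicated mark (and the top-priority
# queue) regardless of their connection mark; passthrough=no ends processing.
add action=mark-packet chain=prerouting comment=ACK new-packet-mark=ACK_D packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting new-packet-mark=ACK_U packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
# DNS (udp/tcp 53)
add action=mark-connection chain=prerouting comment=DNS connection-mark=no-mark connection-state=new dst-port=53 new-connection-mark=DNS passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-port=53 new-connection-mark=DNS passthrough=yes protocol=tcp
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-port=53 new-connection-mark=DNS passthrough=yes protocol=udp
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-port=53 new-connection-mark=DNS passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=-- connection-mark=DNS new-packet-mark=DNS_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=DNS_U passthrough=no
# QUIC (udp 80/443). Moved ahead of the generic UDP classifier: in the
# original order every new UDP connection had already been marked UDP, so
# these four rules could never match and the P4_QUIC queues stayed empty.
add action=mark-connection chain=prerouting comment=QUIC connection-mark=no-mark connection-state=new dst-port=80,443 new-connection-mark=QUIC passthrough=yes protocol=udp
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-port=80,443 new-connection-mark=QUIC passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC new-packet-mark=QUIC_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=QUIC new-packet-mark=QUIC_U passthrough=no
# Remaining UDP
add action=mark-connection chain=prerouting comment=UDP connection-mark=no-mark connection-state=new new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP new-packet-mark=UDP_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=UDP new-packet-mark=UDP_U passthrough=no
# HTTP/HTTPS (tcp 80/8080/443). Connections that exceed a byte threshold are
# re-marked LARGE_TRANSFER so bulk transfers drop to the P5 queues; the
# thresholds differ per direction (10 MB down, 5 MB up), as in the original.
add action=mark-connection chain=prerouting comment=HTTP connection-mark=no-mark connection-state=new dst-port=80,8080,443 new-connection-mark=HTTP passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="HTTP - LARGE TRANSFER" connection-bytes=10000000-0 connection-mark=HTTP new-connection-mark=LARGE_TRANSFER passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP new-packet-mark=HTTP_D passthrough=no
add action=mark-packet chain=prerouting connection-mark=LARGE_TRANSFER new-packet-mark=LARGE_TRANSFER_D passthrough=no
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new dst-port=80,8080,443 new-connection-mark=HTTP passthrough=yes protocol=tcp
add action=mark-connection chain=postrouting connection-bytes=5000000-0 connection-mark=HTTP new-connection-mark=LARGE_TRANSFER passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting connection-mark=HTTP new-packet-mark=HTTP_U passthrough=no
# passthrough=no for symmetry with the download side; no later rule could
# match a LARGE_TRANSFER-marked connection anyway, so behaviour is unchanged.
add action=mark-packet chain=postrouting connection-mark=LARGE_TRANSFER new-packet-mark=LARGE_TRANSFER_U passthrough=no
# ICMP
add action=mark-connection chain=prerouting comment=ICMP connection-mark=no-mark connection-state=new new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-connection chain=postrouting connection-mark=no-mark connection-state=new new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP new-packet-mark=ICMP_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=ICMP new-packet-mark=ICMP_U passthrough=no
# Everything still unmarked
add action=mark-connection chain=prerouting comment=OTHER connection-mark=no-mark new-connection-mark=OTHER passthrough=yes
add action=mark-connection chain=postrouting connection-mark=no-mark new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER new-packet-mark=OTHER_D passthrough=no
add action=mark-packet chain=postrouting connection-mark=OTHER new-packet-mark=OTHER_U passthrough=no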
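/ip firewall nat
# Source NAT for everything leaving through the WAN list (dynamic WAN address,
# hence masquerade rather than src-nat).
add action=masquerade chain=srcnat out-interface-list=WAN
# Inbound port forward (disabled). Reachable from WAN only because the forward
# chain accepts dstnat'ed connections explicitly. In the pasted export the
# to-ports value had been wrapped onto its own line and the comment used
# typographic quotes; both would break an import and are repaired here.
add action=dst-nat chain=dstnat comment="Transmission port listening - Torrent" disabled=yes dst-port=51414 in-interface-list=WAN protocol=tcp to-addresses=192.168.10.2 to-ports=51414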
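/ip firewall service-port
# NAT/ALG helpers disabled; each one parses untrusted payloads and none is
# needed for this network.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
# Phase-1 encryption restricted to AES (the phase-2 proposal still allows sha1).
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
/ip service
set telnet disabled=yes
# ftp/www/api stay disabled. Their address= filter still names 192.168.20.0/24,
# which no longer exists anywhere in this config; tidy when they are next touched.
set ftp address=192.168.10.0/24,192.168.20.0/24 disabled=yes
set www address=192.168.10.0/24,192.168.20.0/24 disabled=yes
# Management services are now bound to the management subnet, matching the
# input filter rule that only accepts admin traffic from vlan-mgmt-99 (the
# filter already drops everything else, so this locks nobody out; it is a
# second layer should a filter rule ever be loosened). Non-standard ports on
# their own are not access control.
set ssh address=192.168.99.0/28 port=10737
# certificate=*96 is an unresolved object id -- the certificate it referred to
# is gone, so www-ssl cannot present a valid certificate until one is
# re-issued and referenced by name.
set www-ssl address=192.168.99.0/28 certificate=*96 tls-version=only-1.2
set api address=192.168.10.0/24,192.168.20.0/24 disabled=yes
set winbox address=192.168.99.0/28 port=5696
set api-ssl certificate=*96 disabled=yes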
/ppp secret
# OVPN user accounts (passwords not shown in the export). The 192.168.88.x
# tunnel addresses belong to no interface list, so once the server is enabled
# these clients hit the default drops in both input and forward; explicit
# rules for the tunnel will be needed.
add local-address=192.168.88.1 name=jm86ar profile=default-encryption remote-address=192.168.88.3 service=ovpn
add local-address=192.168.88.1 name=ovpn_user profile=default-encryption remote-address=192.168.88.2 service=ovpn
/routing bfd configuration
# BFD responder enabled on all interfaces with no restriction. Unsolicited BFD
# (UDP) from WAN is still stopped by the input chain's default drop.
add disabled=no
/routing ospf area
# Disabled leftover; instance=*1 is an unresolved reference to a removed OSPF instance.
add disabled=yes instance=*1 name=backbone-v2
/special-login
# Pass-through account: logging in as user "serial" attaches the session to
# serial0 instead of the RouterOS CLI. Whatever is cabled to serial0 is
# reachable through it, so this user needs a strong password and a group with
# nothing more than it requires.
add port=serial0 user=serial
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=MikroTik_JML
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system note
set show-at-login=no
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system script
# NOTE(review): a Wake-on-LAN helper that runs with policy=reboot,write,policy
# and dont-require-permissions=yes -- far more than /tool wol needs, and the
# "policy" right lets whoever can trigger the script escalate. Trim the policy
# to what wol actually requires (read/test is the likely minimum -- confirm on
# this release) and drop dont-require-permissions unless a scheduler entry
# depends on it. Also, no bridge named bridge-lan exists in this export (the
# bridge ports all belong to bridge-vlans), so the magic packet currently goes
# nowhere; the target host's segment decides the right interface.
add dont-require-permissions=yes name=encender-ryzen owner=jm86ar policy=reboot,read,write,policy,test source=" /tool wol 04:D4:C4:F2:7B:E8 interface=bridge-lan "
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet off everywhere; MAC-Winbox only from the management VLAN.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool sniffer
# Capture settings only (the sniffer is not running). streaming-server would
# push a plaintext TZSP copy of captured traffic to 192.168.20.1, a host on a
# subnet that no longer exists in this config, and filter-interface=*1E is a
# stale interface reference. Clear both so a later "start" cannot mirror WiFi
# traffic off-box by accident.
set file-limit=5240KiB file-name=captura-wifi filter-interface=*1E memory-limit=10240KiB streaming-server=192.168.20.1

**** — Routes — ***** (note the `I` flag on the 192.168.39.0/24 entry below: the connected route on wlan1 was inactive when this was printed, i.e. wlan1 was not running at that moment, and a DHCP server bound to an interface that is not running cannot offer leases)
/ip route print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn;
H - hw-offloaded; + - ecmp
DAd dst-address=0.0.0.0/0 routing-table=main gateway=190.1.53.1 immediate-gw=190.1.53.1%ether1 distance=1 scope=30 target-scope=10 vrf-interface=ether1 suppress-hw-offload=no

DAc dst-address=190.1.53.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no local-address=190.1.53.59%ether1

DAc dst-address=192.168.10.0/24 routing-table=main gateway=vlan10-lan immediate-gw=vlan10-lan distance=0 scope=10 suppress-hw-offload=no local-address=192.168.10.1%vlan10-lan

DIcH dst-address=192.168.39.0/24 routing-table=main gateway=wlan1 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.39.1%wlan1

DAc dst-address=192.168.99.0/28 routing-table=main gateway=vlan-mgmt-99 immediate-gw=vlan-mgmt-99 distance=0 scope=10 suppress-hw-offload=no
local-address=192.168.99.1%vlan-mgmt-99