So I’m around here quite often. I’m still learning, and I keep running into problems caused by my own decisions, most of which I’ve tried to solve myself.
I have a hAP ac. My ISP gives me 2 VLANs: VLAN35 for internet (over PPPoE) and VLAN2502 for IPTV. I have 2 TVs.
Here is my config at the moment.
# may/20/2019 17:55:28 by RouterOS 6.44.3
# software id =
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number =
# Review notes are marked "NOTE(review)"; they flag settings worth confirming and
# change nothing. RouterOS applies each section top-down, so order inside the
# firewall/NAT sections is significant.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=channel11
# Single default bridge; vlan-filtering is not set here (default no), so every
# bridge port below shares one flat L2 domain. The planned ether3 trunk would
# presumably need a VLAN-aware bridge or a second bridge — confirm before relying on it.
/interface bridge
add admin-mac=CC:2Dxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether3 ] comment=PC_NAS
set [ find default-name=ether5 ] comment=cAP
# Only VLAN 35 (PPPoE uplink) is defined on ether1; no VLAN 2502 interface exists
# in this export, so the IPTV VLAN is not yet carried anywhere on the router.
/interface vlan
add interface=ether1 name=vlan35 vlan-id=35
/caps-man datapath
add bridge=bridge name=datapath1
/interface pppoe-client
add add-default-route=yes comment=PPPOE disabled=no interface=vlan35 \
name=pppoe-out user=xxxx
# CAPsMAN security profile: WPA-PSK and WPA2-PSK both accepted, AES-CCM only.
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=cAP_sec
/caps-man configuration
add channel=channel11 datapath=datapath1 mode=ap name=cfg1 security=cAP_sec \
ssid=lilw3
/caps-man interface
add channel=channel11 configuration=cfg1 datapath=datapath1 disabled=no \
l2mtu=1600 mac-address=64:D1xxxx master-interface=none name=cAP \
radio-mac=64:D1xxxx radio-name=64D1xxxxx security=cAP_sec
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): both local wireless profiles accept wpa-psk alongside wpa2-psk,
# so WPA1 remains negotiable by clients; drop wpa-psk if no legacy client needs it.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=lilw5ghz \
supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=lilw2ghz \
supplicant-identity=""
# Both built-in radios run as ap-bridge with WPS disabled.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
comment=2ghz disabled=no distance=indoors installation=indoor mode=\
ap-bridge security-profile=lilw2ghz ssid=lilw2 wireless-protocol=802.11 \
wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX comment=5ghz disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge security-profile=lilw5ghz ssid=lilw \
wireless-protocol=802.11 wps-mode=disabled
/interface wireless nstreme
set wlan1 comment=2ghz
set wlan2 comment=5ghz
/interface wireless manual-tx-power-table
set wlan1 comment=2ghz
set wlan2 comment=5ghz
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=100.10.10.2-100.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12h name=\
defconf
# CAPsMAN access list: clients at -75 dBm or better are accepted, weaker ones
# rejected (with a 5 s grace period when the signal drifts out of range).
/caps-man access-list
add action=accept allow-signal-out-of-range=5s disabled=no interface=cAP \
signal-range=-75..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=5s disabled=no interface=cAP \
signal-range=-120..-76 ssid-regexp=""
/caps-man manager
set enabled=yes
# Provisioning rule is disabled, so new CAPs are not auto-configured from cfg1.
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn \
master-configuration=cfg1
# All LAN-side ports (ether2-5, sfp1, both wlans) are untagged members of the one bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): the router itself accepts router advertisements; since its IPv6
# prefix comes from DHCPv6-PD on pppoe-out below, confirm this is still needed.
/ipv6 settings
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=WAN
# Interface lists drive the firewall: bridge is LAN, the PPPoE client is WAN.
# ether1/vlan35 themselves are in neither list.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out list=WAN
# Local-radio access list: clients weaker than -80 dBm are refused association
# (authentication=no forwarding=no).
/interface wireless access-list
add allow-signal-out-of-range=5s interface=all signal-range=-79..120
add allow-signal-out-of-range=5s authentication=no forwarding=no interface=\
all signal-range=-120..-80
# NOTE(review): 100.10.10.0/24 is not RFC 1918 space (it falls in the 100.64/10
# shared address range); if the ISP ever uses CGNAT this may collide with the uplink.
/ip address
add address=100.10.10.1/24 comment=defconf interface=bridge network=\
100.10.10.0
add address=192.168.1.3/24 comment="GPON interface" disabled=yes interface=\
ether1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server network
add address=100.10.10.0/24 comment=defconf dns-server=100.10.10.1 gateway=\
100.10.10.1
# allow-remote-requests=yes makes the router a resolver for anything that reaches
# the input chain; the "drop all not coming from LAN" input rule below is what
# keeps this off the Internet, so keep that rule if this stays enabled.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=100.10.10.1 name=router.lan
# Public WAN address, kept in a list so the hairpin dst-nat rules can match it.
/ip firewall address-list
add address=xxxxx comment="WAN-IP for HAIRPIN" list=\
WAN-IP
# IPv4 filter: first match wins. Input is closed to everything except LAN
# (plus established/related and ICMP); forward only admits WAN traffic that was dst-natted.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# log-prefix is set but log=yes is not, so this rule does not actually log.
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=in_
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): the dst-nat rules that match dst-address-list=WAN-IP have no
# in-interface-list restriction, so they apply to Internet traffic as well as
# LAN hairpin traffic; once a connection is dst-natted the forward rule above no
# longer drops it. That exposes every listed port on 100.10.10.5 — including
# HTTP/80 and SMB/445 — to the Internet. If those two were only meant for
# hairpin use, restrict them with in-interface-list=LAN or a src-address.
# The log-prefix=tor_ values have no effect without log=yes.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: HAIRPIN NAT" \
dst-address=100.10.10.0/24 ipsec-policy=out,none src-address=\
100.10.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=transmission dst-port=xxxx \
in-interface-list=WAN log-prefix=tor_ protocol=tcp to-addresses=\
100.10.10.5 to-ports=xxxx
add action=dst-nat chain=dstnat comment="NAS out" dst-address-list=WAN-IP \
dst-port=xxxx log-prefix=tor_ protocol=tcp to-addresses=100.10.10.5 \
to-ports=xxx
add action=dst-nat chain=dstnat comment="NAS root settings" dst-address-list=\
WAN-IP dst-port=80 log-prefix=tor_ protocol=tcp to-addresses=100.10.10.5 \
to-ports=xxx
add action=dst-nat chain=dstnat comment="NAS smb" dst-address-list=WAN-IP \
dst-port=445 log-prefix=tor_ protocol=tcp to-addresses=100.10.10.5 \
to-ports=445
add action=dst-nat chain=dstnat comment="Transmission out" dst-address-list=\
WAN-IP dst-port=xxxx log-prefix=tor_ protocol=tcp to-addresses=\
100.10.10.5 to-ports=xxx
# Source-NAT for reaching the ONT management address on the (disabled) ether1 subnet.
add action=src-nat chain=srcnat comment="access GPON" dst-address=192.168.1.1 \
to-addresses=192.168.1.2
# SSH remote port forwarding is allowed for logged-in users; with the input rules
# above, SSH itself is only reachable from LAN.
/ip ssh
set forwarding-enabled=remote
# NOTE(review): UPnP lets any LAN host open its own inbound NAT mappings, on top
# of the static dst-nat rules above; confirm this is intended.
/ip upnp
set enabled=yes
# IPv6 via DHCPv6-PD on the PPPoE uplink; one /64 from the delegated prefix lands on the bridge.
/ipv6 address
add from-pool=pool6dhcp interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out pool-name=pool6dhcp \
prefix-hint=::/64 request=prefix
# Bogon list used by the IPv6 forward chain (default RouterOS set).
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
# IPv6 filter: default RouterOS set. Unlike IPv4 there are no inbound exceptions;
# the final rule in each chain drops anything not arriving from LAN.
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# NOTE(review): the DDNS scheduler runs noip_changeip every 5 min with nearly every
# policy (password, sensitive, policy, ...); a DDNS update presumably needs far
# less — trim to what the script actually uses. The script body is not in this export.
/system scheduler
add interval=5m name=noip_update on-event=noip_changeip policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=apr/18/2019 start-time=07:00:00
# MAC-telnet and MAC-Winbox restricted to LAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether4
I’ve been reading a lot about trunk ports and think this may be what I need. My plan is to make ether3 a trunk port. So I create 2 VLANs, e3-35 and e3-2502, on ether3. Then I add e3-35 to the main bridge for internet access, and create a bridge VLan2502 with e3-2502 and e1-2502 for IPTV.
On the LEDE switch I create VLan35, tagged on CPU0 and on the WAN port (which is now LAN5 and connects to the MikroTik ether3), and untagged on the other 3 ports LAN1, LAN2 and LAN3; these have internet access. Then I create VLan2502, tagged on WAN and untagged on LAN4. I connect my set-top box to LAN4, but it’s not working: no traffic goes through e3-2502. I assume my switch config is correct, since my PC and NAS connected to the switch can reach the internet. On this switch, LAN5 acts as the trunk port.
So my question is: can a WAN with multiple VLANs work together with a trunk port for IPTV on MikroTik?
I’m sorry if my explanation is not clear; just tell me which part you want more detail on.