Tue Jun 15, 2021 3:51 pm
so back home again to continioue experiments.Today i connected two smart switces and turns out i could control them no matter what wifi i was in.So instead of output i added chain-forward but now everything is blocked .Here is my cfg .
# jun/15/2021 15:48:31 by RouterOS 6.48.3
# software id = 9GTC-CMYL
#
# model = RB750Gr3
# serial number = CC210E0F342C
/interface pppoe-client
add add-default-route=yes allow=pap,chap dial-on-demand=yes disabled=no \
interface=ether1 name=pppoe-out1 use-peer-dns=yes user=xxxx
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=192.168.2.1 html-directory=flash/hotspot name=hsprof1
/ip pool
add name=dhcp_pool6 ranges=192.168.2.15-192.168.2.254
add name=dhcp_pool8 ranges=10.0.0.22-10.0.0.254
add name=dhcp_pool9 ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool6 disabled=no interface=ether2 name=dhcp1
add address-pool=dhcp_pool9 disabled=no interface=ether5 name=dhcp2
/queue simple
add max-limit=3M/50M name="KATW SPITI" target=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=10.0.0.1/24 interface=ether5 network=10.0.0.0
/ip arp
add address=192.168.2.5 mac-address=9C:9D:7E:63:8D:E7
add address=192.168.2.8
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
add address=192.168.2.2 client-id=1:70:85:c2:3b:53:ca mac-address=\
70:85:C2:3B:53:CA server=dhcp1
add address=192.168.2.3 client-id=1:6:ba:e1:31:41:eb mac-address=\
06:BA:E1:31:41:EB server=dhcp1 use-src-mac=yes
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.168.2.0/24 dns-server=195.170.0.1,212.205.212.205 gateway=\
192.168.2.1
/ip firewall address-list
add address=192.168.2.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
disabled=yes list=bogons
add address=10.0.0.0 list=IOT
/ip firewall filter
add action=drop chain=forward log=yes out-interface=ether5
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip firewall service-port
set ftp disabled=yes
/ip hotspot ip-binding
add address=192.168.2.10 mac-address=F4:92:BF:10:A8:9B
/ip hotspot user
add name=admin
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.2.0/24 port=800
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system script
add dont-require-permissions=no name=script1 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="a\
dd chain=forward action=fasttrack-connection connection-state=established,\
related \\\r\
\n comment=\"fast-track for established,related\";\r\
\n add chain=forward action=accept connection-state=established,related \
\\\r\
\n comment=\"accept established,related\";\r\
\n add chain=forward action=drop connection-state=invalid\r\
\n add chain=forward action=drop connection-state=new connection-nat-stat\
e=!dstnat \\\r\
\n in-interface=ether1 comment=\"drop access to clients behind NAT form\
\_WAN\""
To remind you i want ether 5 to be reachable from ether 2 but but not be able to reach ether 2