My config:
# RouterOS 7.7 export (model RBD52G-5HacD2HnD): two uplinks (ether1-datagroup,
# ether2-kyivstar) in front of two bridges -- "bridge" (192.168.88.0/24, wlan1/wlan2)
# and "bridge-servers" (192.168.10.0/24, ether3-5 plus the "iot" virtual AP).
# Lines marked NOTE(review) are reviewer observations; the poster redacted the
# default-gateway addresses as "some ip" before sharing.
# feb/14/2023 21:51:06 by RouterOS 7.7
# software id = Y3ZY-732P
#
# model = RBD52G-5HacD2HnD
/interface bridge
# auto-mac=no + admin-mac pins the main bridge MAC; bridge-servers takes an automatic one.
# Neither bridge sets arp=reply-only, which matters for the static /ip arp entries below.
add admin-mac=48:8F:5A:7B:E3:79 auto-mac=no comment=defconf name=bridge
add name=bridge-servers
/interface ethernet
# Port renames reflect roles: two WAN uplinks and a Raspberry Pi on ether3.
set [ find default-name=ether1 ] name=ether1-datagroup
set [ find default-name=ether2 ] name=ether2-kyivstar
set [ find default-name=ether3 ] name=ether3-pi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# One WPA2-PSK profile ("secured_main") is reused by wlan1, wlan2 AND the IOT_ONLY
# virtual AP below, so all three SSIDs share the same pre-shared key.
# NOTE(review): a separate profile/PSK for "iot" keeps an IoT-device key leak from
# also opening the main SSIDs.
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=secured_main supplicant-identity=MikroTik
/interface wireless
# NOTE(review): country=no_country_set on both radios, with fixed tx-power
# (20/26 dBm, all-rates-fixed) -- channel and power limits are not tied to any
# regulatory domain; setting the real country keeps them within local rules.
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set \
disabled=no frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
security-profile=secured_main ssid=MikroTik station-roaming=enabled \
tx-power=20 tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
wmm-support=enabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
security-profile=secured_main ssid=MikroTik station-roaming=enabled \
tx-power=26 tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
wmm-support=enabled
# Virtual AP "iot" (SSID IOT_ONLY) on the 2.4 GHz radio; it is attached to
# bridge-servers in /interface bridge port, not to a dedicated IoT segment.
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:7B:E3:7D \
master-interface=wlan1 multicast-buffering=disabled name=iot \
security-profile=secured_main ssid=IOT_ONLY wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/ip pool
add name=local-dhcp-pool ranges=192.168.88.10-192.168.88.254
# guest_pool (10.10.10.0/24) is not referenced by any DHCP server or /ip address
# in this export -- leftover from an earlier guest network, or not yet wired up.
add name=guest_pool ranges=10.10.10.2-10.10.10.254
add name=servers-pool ranges=192.168.10.101-192.168.10.254
/ip dhcp-server
add address-pool=local-dhcp-pool interface=bridge name=local-dhcp
add address-pool=servers-pool interface=bridge-servers name=servers-dhcp
/interface bridge port
# NOTE(review): ether2-kyivstar is a WAN-list member (see /interface list member)
# but is also defined as a bridge-servers port, kept only by disabled=yes.
# Enabling this port would place the uplink on the same L2 segment as the
# servers LAN; removing the entry is safer than leaving it disabled.
add bridge=bridge-servers comment=defconf disabled=yes ingress-filtering=no \
interface=ether2-kyivstar
add bridge=bridge-servers comment=defconf ingress-filtering=no interface=\
ether3-pi
add bridge=bridge-servers comment=defconf ingress-filtering=no interface=\
ether4
add bridge=bridge-servers comment=defconf ingress-filtering=no interface=\
ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
# IOT_ONLY clients land on 192.168.10.0/24 alongside the Pi, NAS, Proxmox and
# Docker hosts listed in /ip dhcp-server lease.
add bridge=bridge-servers interface=iot
/ip neighbor discovery-settings
# NOTE(review): discovery (MNDP/CDP/LLDP) on "all" includes both WAN uplinks, so
# the router advertises its identity/version upstream; discover-interface-list=LAN
# (the list already exists) limits this to the bridges.
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 disabled globally. No /ipv6 firewall appears in this export, so keep this
# off until a v6 filter is added.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface list member
# Both bridges are LAN, both uplinks are WAN; the last input rule and the NAT/forward
# WAN rules in /ip firewall key on these two lists.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-datagroup list=WAN
add comment=Servers interface=bridge-servers list=LAN
add interface=ether2-kyivstar list=WAN
/interface ovpn-server server
# NOTE(review): auth=sha1,md5 lets OVPN peers negotiate MD5 HMAC. Whether the
# server is enabled is not in this export; if it is, drop md5 and prefer a
# stronger digest where the clients support one.
set auth=sha1,md5
/interface wireless access-list
# Per-MAC wireless access list (comments are UTF-8 device names escaped by the
# export). A MAC match is a convenience filter, not an authentication control;
# the WPA2 PSK is what actually gates association.
add comment="oneplus 6 \D0\BC\D1\96\D0\B9" interface=wlan2 mac-address=\
22:97:D3:1F:F0:EB
add comment="\D0\9D\D0\B0\D1\81\D1\82\D1\96 \D1\82\D0\B5\D0\BB\D0\B5\D1\84\D0\
\BE\D0\BD" interface=wlan1 mac-address=20:F4:78:65:E9:94
add comment="\D0\86\D1\80\D0\B8 \D1\82\D0\B5\D0\BB\D0\B5\D1\84\D0\BE\D0\BD" \
interface=wlan1 mac-address=20:47:DA:FC:1A:38
add comment=\
"\D1\80\D0\BE\D0\B1\D0\BE\D1\87\D0\B8\D0\B9 \D0\BD\D0\BE\D1\83\D1\82" \
interface=wlan2 mac-address=00:E1:8C:B9:3F:25
add comment="oneplus6 \D0\BC\D1\96\D0\B9" interface=wlan1 mac-address=\
76:B4:9A:1C:80:3E
add comment="\D0\9D\D0\B0\D1\81\D1\82\D1\96 \D0\BD\D0\BE\D1\83\D1\82" \
interface=wlan1 mac-address=38:59:F9:9C:40:C2
add comment="\D0\B4\D0\B0\D1\82\D1\87\D0\B8\D0\BA \D0\B7\D0\B0\D0\BB" \
interface=wlan1 mac-address=E8:DB:84:9B:F2:DF
add comment="\D0\B4\D0\B0\D1\82\D1\87\D0\B8\D0\BA \D1\81\D0\BF\D0\B0\D0\BB\D1\
\8C\D0\BD\D1\8F" interface=wlan1 mac-address=E8:DB:84:9B:DB:4E
# Duplicate of the first entry above (same MAC, same interface) -- harmless, but
# one of the two can go.
add interface=wlan2 mac-address=22:97:D3:1F:F0:EB
add comment=switcher_zal interface=wlan1 mac-address=E8:DB:84:DD:DC:4B
add comment="\D0\BC\D0\B0\D0\BA \D1\80\D0\BE\D0\B1\D0\BE\D1\87\D0\B8\D0\B9" \
interface=wlan2 mac-address=A4:83:E7:91:80:47
add comment="\D0\BD\D0\BE\D1\83\D1\82 \D0\B5\D0\BF\D0\BB \D1\80\D0\BE\D0\B1\D0\
\BE\D1\87\D0\B8\D0\B9" interface=wlan2 mac-address=F8:FF:C2:66:EE:EF
/ip address
add address=192.168.88.1/24 comment=local-adresses interface=bridge network=\
192.168.88.0
add address=192.168.10.1/24 interface=bridge-servers network=192.168.10.0
/ip arp
# Static ARP pins. Neither bridge uses arp=reply-only, so these entries do not
# restrict which MAC may claim the address; they only pre-seed the table.
add address=192.168.10.95 interface=bridge-servers mac-address=\
02:42:C0:A8:0A:5F
add address=192.168.88.100 interface=bridge mac-address=24:4B:FE:52:96:6B
/ip cloud advanced
# Cloud DDNS would publish the locally configured WAN address rather than the
# cloud-observed one; whether /ip cloud ddns is enabled is not in this export.
set use-local-address=yes
/ip dhcp-client
# Both uplinks take DHCP for addressing only: no default route (the static ones
# in /ip route are used) and no peer DNS (the PiHole pair in /ip dns is used).
add add-default-route=no comment=defconf interface=ether1-datagroup \
use-peer-dns=no
add add-default-route=no interface=ether2-kyivstar use-peer-dns=no
/ip dhcp-server lease
add address=192.168.10.101 comment=kitchen_switcher mac-address=\
C4:5B:BE:6C:9F:24 server=servers-dhcp
add address=192.168.10.102 comment=sleaping_switcher mac-address=\
80:7D:3A:69:3E:3E server=servers-dhcp
add address=192.168.10.103 comment=living_switcher mac-address=\
E8:DB:84:DD:DC:4B server=servers-dhcp
# 192.168.10.10 is the first resolver handed out everywhere below. The second
# one, 192.168.10.11, has no lease or static entry in this export -- confirm it exists.
add address=192.168.10.10 comment=PiHole-DHCP1 mac-address=32:12:CE:01:39:17 \
server=servers-dhcp
add address=192.168.10.50 comment=proxmox disabled=yes mac-address=\
EC:8E:B5:6F:FA:2C server=servers-dhcp
add address=192.168.10.40 client-id=1:e2:a5:4a:c7:e2:47 comment=TrueNAS \
mac-address=E2:A5:4A:C7:E2:47 server=servers-dhcp
add address=192.168.10.41 client-id=1:1e:5d:b1:4b:cb:ec comment=nextcloud \
mac-address=1E:5D:B1:4B:CB:EC server=servers-dhcp
# 192.168.10.90 is the target of the two WAN dst-nat rules (80/443) in /ip firewall nat.
add address=192.168.10.90 client-id=\
ff:53:5c:66:99:0:2:0:0:ab:11:67:9d:98:d7:e1:41:f6:5b comment=\
RaspberryPi-OMV mac-address=DC:A6:32:E9:F9:E3 server=servers-dhcp
add address=192.168.88.2 mac-address=E8:DE:27:CF:28:2D server=local-dhcp
add address=192.168.10.250 client-id=1:24:4b:fe:52:96:6b comment=PC \
mac-address=24:4B:FE:52:96:6B server=servers-dhcp
add address=192.168.10.60 client-id=\
ff:b0:1:15:3:0:2:0:0:ab:11:56:7f:59:82:50:55:34:c6 comment="NUT server" \
mac-address=22:EC:95:EB:ED:AF server=servers-dhcp
add address=192.168.10.20 client-id=\
ff:ca:53:9:5a:0:2:0:0:ab:11:2f:6e:63:6f:e1:48:92:8e comment=dockering \
mac-address=9E:8C:ED:FB:18:5D server=servers-dhcp
add address=192.168.10.70 client-id=1:aa:a1:a7:87:6:67 comment=jellyfin \
mac-address=AA:A1:A7:87:06:67 server=servers-dhcp
add address=192.168.10.75 client-id=1:a:45:17:d4:b4:df comment=torrent \
mac-address=0A:45:17:D4:B4:DF server=servers-dhcp
add address=192.168.10.80 client-id=\
ff:88:36:5d:a:0:1:0:1:2a:8b:b3:84:f2:35:88:36:5d:a comment=gameservers \
mac-address=F2:35:88:36:5D:0A server=servers-dhcp
add address=192.168.10.91 client-id=\
ff:ca:53:9:5a:0:2:0:0:ab:11:f9:be:c5:36:4e:dd:aa:ef comment=pve_docker \
mac-address=9A:4F:52:8A:B0:64 server=servers-dhcp
add address=192.168.88.21 client-id=1:d2:9b:e1:68:8e:51 mac-address=\
D2:9B:E1:68:8E:51 server=local-dhcp
add address=192.168.88.18 client-id=1:dc:a6:32:29:70:29 mac-address=\
DC:A6:32:29:70:29 server=local-dhcp
add address=192.168.88.19 comment=LED mac-address=B4:E8:42:A1:D6:E2 server=\
local-dhcp
add address=192.168.10.106 mac-address=E8:DB:84:9C:3D:1F server=servers-dhcp
add address=192.168.10.108 mac-address=BC:FF:4D:2B:45:CD server=servers-dhcp
add address=192.168.10.109 mac-address=C4:5B:BE:6D:07:6C server=servers-dhcp
add address=192.168.10.107 mac-address=BC:FF:4D:2B:24:BC server=servers-dhcp
/ip dhcp-server network
# Both subnets are handed the PiHole resolvers on bridge-servers, so main-bridge
# clients depend on forward traffic between the two bridges being allowed (it is:
# see the /ip firewall filter forward chain).
add address=192.168.10.0/24 dns-server=192.168.10.10,192.168.10.11 gateway=\
192.168.10.1
add address=192.168.88.0/24 comment=defconf dns-server=\
192.168.10.10,192.168.10.11 gateway=192.168.88.1
/ip dns
# The router also answers DNS itself (forwarding to the PiHole pair). The input
# chain's final "drop all not coming from LAN" rule is what keeps UDP/TCP 53
# closed on the uplinks; keep it ahead of any input accept added later.
set allow-remote-requests=yes servers=192.168.10.10,192.168.10.11
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Input chain is the stock defconf set: only LAN-list interfaces reach router services.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# NOTE(review): this accept has no effect on segmentation. The forward chain
# below ends with a drop only for WAN-originated, non-dst-nat traffic; there is
# no rule dropping LAN-to-LAN, so 192.168.10.0/24 (servers + IOT_ONLY) and
# 192.168.88.0/24 already reach each other in both directions. Isolating IoT
# needs its own bridge/subnet plus forward drops between it and the other
# networks, placed after the established/related accept.
add action=accept chain=forward comment="allow iot to main" dst-address=\
192.168.88.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only connections matched by the two dst-nat rules (80/443 -> 192.168.10.90)
# get past this from the WAN side.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# NOTE(review): both connection marks are turned into routing-mark=main, and no
# per-uplink routing table appears in this export, so these four rules do not
# appear to steer replies back out the uplink they arrived on; return traffic
# follows whichever default route is active. Presumably the intent was one
# routing table per WAN -- confirm against /routing table.
add action=mark-connection chain=input in-interface=ether1-datagroup \
new-connection-mark=from-datagroup
add action=mark-routing chain=output connection-mark=from-datagroup \
new-routing-mark=main
add action=mark-connection chain=input in-interface=ether2-kyivstar \
new-connection-mark=from-kiyvstar
add action=mark-routing chain=output connection-mark=from-kiyvstar \
new-routing-mark=main
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# HTTP/HTTPS published from both uplinks to 192.168.10.90 (RaspberryPi-OMV per
# the lease comment). NOTE(review): that host is internet-reachable and shares a
# segment with the NAS, Proxmox, Docker and IoT hosts; nothing in forward limits
# what it can reach inward, so its own hardening carries the whole exposure.
add action=dst-nat chain=dstnat comment=http dst-port=80 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.10.90 to-ports=80
add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.10.90 to-ports=443
/ip firewall service-port
# SIP ALG off.
set sip disabled=yes
/ip route
# Two default routes, gateways redacted by the poster ("some ip"). Both carry
# distance=1 but only the datagroup route has check-gateway=ping, so a dead
# kyivstar gateway is not detected. NOTE(review): how RouterOS treats two
# equal-distance defaults here (ECMP vs. one left inactive) -- confirm with
# /ip route print.
add check-gateway=ping comment=datagroup disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway="some ip" pref-src=0.0.0.0 routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add comment=kiyvstar disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
"some ip" pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
# telnet/ftp/api-ssl off. NOTE(review): www, api, ssh and winbox are not in this
# export (defaults), so they are presumably enabled on every address; adding
# address=192.168.88.0/24,192.168.10.0/24 keeps management LAN-only even if the
# input chain is relaxed later.
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
/ip smb
# SMB workgroup name only; whether the SMB server is enabled is not shown.
set domain=HOME_MIKROTIK
/ip upnp interfaces
# Only an internal interface is listed (no external one), and the /ip upnp
# enabled flag is not in this export. UPnP lets LAN hosts open inbound WAN
# ports on their own, so keep it disabled unless a specific device needs it.
add interface=bridge type=internal
/system clock
set time-zone-name=Europe/Kiev
/system ntp client
# NOTE(review): mode=broadcast with no servers -- the clock follows unauthenticated
# NTP broadcasts from any host on the bridges. mode=unicast with explicit servers
# is the safer choice (certificate checks and log timestamps depend on it).
set mode=broadcast
/tool mac-server
# MAC-telnet and MAC-Winbox limited to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN