However, when I recreated my configuration on the HAP AC2 (exported from the HAP AC and re-run on the AC2 via the terminal), I found that two ethernet ports are shown as disabled, along with one of the wifi endpoints: namely ether5-VMLAB, ether2-OPEN and wlan-guest.
I think I'm doing something wrong and it's not a hardware-related issue. I'd appreciate any help.
Here is my AC2 config (passwords removed) for reference:
# mar/17/2019 18:49:47 by RouterOS 6.42.10
# software id = N505-56PM
#
# model = RBD52G-5HacD2HnD
# serial number = BLAHBLAH
# Four bridges: "bridge" is the default-configuration bridge with a pinned
# admin MAC; the other three are per-segment bridges (guest, IoT, main LAN).
/interface bridge
add admin-mac=74:4D:28:0C:BB:6A auto-mac=no comment=defconf name=bridge
add name=bridge-guest-lan
add name=bridge-iot-lan
add name=bridge-main-lan
# Rename the five physical ports; later sections refer to these new names.
/interface ethernet
set [ find default-name=ether1 ] name=ether-WAN
set [ find default-name=ether2 ] name=ether2-OPEN
set [ find default-name=ether3 ] name=ether3-WIN-WRKST
set [ find default-name=ether4 ] name=ether4-NAS
set [ find default-name=ether5 ] name=ether5-VMLAB
# NOTE(review): vlan-main-lan (VLAN 40) is built on ether3-WIN-WRKST, and the
# bridge port section of this export adds both ether3-WIN-WRKST and
# vlan-main-lan to bridge-main-lan. A VLAN interface on top of a port that is
# itself a bridge member is a commonly reported RouterOS layer-2
# misconfiguration; confirm this is intended.
/interface vlan
add interface=ether3-WIN-WRKST name=vlan-main-lan vlan-id=40
# Interface lists. WAN and LAN are referenced by the firewall, neighbor
# discovery and MAC-server settings in this export; HOME-LAN is populated
# later but no rule in this export references it.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Home LAN Network" name=HOME-LAN
# Wireless security profiles: the default profile plus one named profile per
# SSID group (home-user, iot-user, guest-user). All use WPA2-PSK only.
# The pre-shared keys were replaced with BLAHBLAH by the poster before
# publishing ("export hide-sensitive" omits them automatically on RouterOS 6).
# management-protection=allowed means protected management frames are used
# only when the client supports them; they are not required.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=BLAHBLAH
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=home-user supplicant-identity="" \
wpa2-pre-shared-key=BLAHBLAH
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=iot-user supplicant-identity="" \
wpa2-pre-shared-key=BLAHBLAH
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=guest-user supplicant-identity="" \
wpa2-pre-shared-key=BLAHBLAH
# Wireless interfaces: the two physical radios serve the main LAN, and three
# virtual APs (guest, IoT, router) all hang off the 2.4 GHz radio.
# hide-ssid=yes is set on every AP; it only suppresses the SSID in beacons and
# is not an access control. The security profile is what protects each network.
/interface wireless
# 2.4 GHz radio, main LAN, home-user profile.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto hide-ssid=yes mode=ap-bridge \
name=wlan-2-main-lan security-profile=home-user ssid=KhanNetHome \
wireless-protocol=802.11
# 5 GHz radio, main LAN, home-user profile.
# NOTE(review): vlan-id=40 is set but no vlan-mode appears in this export;
# vlan-id presumably has no effect unless a tagging vlan-mode is configured.
# Confirm.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
yes mode=ap-bridge name=wlan-5-main-lan security-profile=home-user ssid=\
KhanNetHome5 vlan-id=40 wireless-protocol=802.11
# Guest virtual AP: default-forwarding=no stops wireless clients on this AP
# from talking to each other directly; WPS is disabled.
add default-forwarding=no disabled=no hide-ssid=yes keepalive-frames=disabled \
mac-address=CE:2D:E0:3F:F3:CB master-interface=wlan-2-main-lan \
multicast-buffering=disabled name=wlan-guest security-profile=guest-user \
ssid=KhanNetGuest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# IoT virtual AP: same client-to-client restriction, iot-user profile.
add default-forwarding=no disabled=no hide-ssid=yes keepalive-frames=disabled \
mac-address=CE:2D:E0:3F:F3:CA master-interface=wlan-2-main-lan \
multicast-buffering=disabled name=wlan-iot security-profile=iot-user \
ssid=KhanNetD wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# "Router" virtual AP: bridged into the default bridge later in the export.
# NOTE(review): no security-profile is given here, so this AP presumably uses
# the default profile (set to WPA2-PSK in the security-profiles section);
# default-forwarding is not disabled on this AP. Confirm both are intended.
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
CE:2D:E0:3F:F3:C9 master-interface=wlan-2-main-lan multicast-buffering=\
disabled name=wlan-router ssid=MK-KhanNet wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
# Hotspot profile: only the HTML directory of the default profile is changed.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# One address pool per segment; each starts at .10, leaving .1-.9 outside the
# dynamic range.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-main-lan ranges=192.168.40.10-192.168.40.254
add name=pool-iot-lan ranges=192.168.30.10-192.168.30.254
add name=pool-guest-lan ranges=192.168.80.10-192.168.80.254
# One DHCP server per bridge, each bound to the matching pool. Only the IoT
# server overrides the lease time (4d3h10m).
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-main-lan disabled=no interface=bridge-main-lan name=\
dhcp-main-lan
add address-pool=pool-iot-lan disabled=no interface=bridge-iot-lan \
lease-time=4d3h10m name=dhcp-iot-lan
add address-pool=pool-guest-lan disabled=no interface=bridge-guest-lan name=\
dhcp-guest-lan
# Bridge membership. ether2-OPEN, ether5-VMLAB and wlan-router join the
# default "bridge"; ether3, ether4, both main radios and vlan-main-lan join
# bridge-main-lan; the IoT and guest virtual APs get their own bridges.
# ether-WAN is not a member of any bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-OPEN
add bridge=bridge-main-lan comment=defconf interface=ether3-WIN-WRKST
add bridge=bridge-main-lan comment=defconf interface=ether4-NAS
add bridge=bridge comment=defconf interface=ether5-VMLAB
add bridge=bridge-main-lan comment=defconf interface=wlan-2-main-lan
add bridge=bridge-main-lan comment=defconf interface=wlan-5-main-lan
add bridge=bridge interface=wlan-router
add bridge=bridge-main-lan interface=vlan-main-lan
add bridge=bridge-iot-lan interface=wlan-iot
add bridge=bridge-guest-lan interface=wlan-guest
# use-ip-firewall=yes sends bridged (same-segment) traffic through the IP
# firewall chains as well, so the address-list isolation rules in the filter
# section can see traffic that never leaves a bridge.
/interface bridge settings
set use-ip-firewall=yes
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# List membership. Only the default "bridge" is in LAN, so the input-chain
# rule "drop all not coming from LAN" and the MAC-server restriction treat
# ether2-OPEN, ether5-VMLAB and wlan-router as the only management-side ports.
# bridge-main-lan is in HOME-LAN; bridge-iot-lan and bridge-guest-lan are in
# no list.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether-WAN list=WAN
add interface=bridge-main-lan list=HOME-LAN
# Router addresses: the default bridge carries two /24s (192.168.88.1 and
# 192.168.9.1); each segment bridge gets the .1 address of its own subnet.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.9.1/24 comment=defconf interface=bridge network=\
192.168.9.0
add address=192.168.40.1/24 interface=bridge-main-lan network=192.168.40.0
add address=192.168.30.1/24 interface=bridge-iot-lan network=192.168.30.0
add address=192.168.80.1/24 interface=bridge-guest-lan network=192.168.80.0
# WAN address comes from the upstream DHCP server; use-peer-dns=no ignores the
# resolvers it hands out in favour of the ones set under /ip dns.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether-WAN use-peer-dns=no
# Static leases pinning specific client MAC addresses to fixed addresses on
# the IoT and main LAN servers. These MAC addresses were left in the posted
# export as-is.
/ip dhcp-server lease
add address=192.168.30.253 client-id=1:64:16:66:c:9a:d4 mac-address=\
64:16:66:0C:9A:D4 server=dhcp-iot-lan
add address=192.168.30.252 client-id=1:18:b4:30:e8:98:9a mac-address=\
18:B4:30:E8:98:9A server=dhcp-iot-lan
add address=192.168.40.251 client-id=1:f0:18:98:27:94:e mac-address=\
F0:18:98:27:94:0E server=dhcp-main-lan
add address=192.168.30.250 client-id=1:7c:1c:4e:e9:68:26 mac-address=\
7C:1C:4E:E9:68:26 server=dhcp-iot-lan
add address=192.168.30.249 mac-address=C8:3A:6B:17:3F:DA server=dhcp-iot-lan
add address=192.168.40.253 client-id=1:90:dd:5d:4a:c7:8a mac-address=\
90:DD:5D:4A:C7:8A server=dhcp-main-lan
add address=192.168.40.252 client-id=1:4c:56:9d:1d:47:6a mac-address=\
4C:56:9D:1D:47:6A server=dhcp-main-lan
# DHCP network options: each subnet is given only a gateway (the router's .1
# address). No dns-server is set on any of them in this export.
/ip dhcp-server network
add address=192.168.9.0/24 comment=defconf gateway=192.168.9.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.80.0/24 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# Upstream resolvers for the router itself.
# NOTE(review): allow-remote-requests does not appear in this export, so the
# router is presumably not answering DNS queries from clients. Confirm, since
# the filter section carries rules about DNS arriving from the WAN.
/ip dns
set servers=1.1.1.1,1.0.0.1
# Static DNS records: router.lan resolves to both default-bridge addresses,
# mynas to 192.168.40.2 (below the start of pool-main-lan).
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.9.1 name=router.lan
add address=192.168.40.2 name=mynas
# Address lists used as source/destination matchers by the filter rules.
# Each range starts at .1, so the router's own address on that subnet is
# included in the list.
/ip firewall address-list
add address=192.168.30.1-192.168.30.254 list=iot-clients
add address=192.168.80.1-192.168.80.254 list=guest-clients
add address=192.168.40.1-192.168.40.254 list=home-lan-clients
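# Packet filter. Rules are evaluated top to bottom within each chain:
#   input   - packets addressed to the router itself
#   forward - packets routed (or, with use-ip-firewall=yes, bridged) through it
/ip firewall filter
# --- input chain: default-configuration rules ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Everything that did not arrive on an interface in the LAN list is dropped
# here. Only the default "bridge" is a LAN member in this export, so new
# connections to the router from ether-WAN and from the main, IoT and guest
# bridges all stop at this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain: default-configuration rules ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# --- forward chain: per-segment client isolation (logged) ---
# These match traffic between two hosts of the same segment; they rely on
# "/interface bridge settings set use-ip-firewall=yes" for bridged traffic to
# reach the IP firewall at all.
add action=reject chain=forward comment="IOT Client Isolation" \
dst-address-list=iot-clients log=yes reject-with=icmp-network-unreachable \
src-address-list=iot-clients
add action=reject chain=forward comment="Guest LAN Client Isolation" \
dst-address-list=guest-clients log=yes reject-with=\
icmp-network-unreachable src-address-list=guest-clients
# --- forward chain: keep IoT and guest clients out of the home LAN ---
# Changed from chain=input to chain=forward. The input chain only sees packets
# addressed to the router, so with chain=input these two rules could match
# nothing but traffic to 192.168.40.1, and that traffic is already dropped by
# "drop all not coming from LAN". Traffic from 192.168.30.0/24 or
# 192.168.80.0/24 to hosts in 192.168.40.0/24 is routed, i.e. it traverses
# the forward chain, where no earlier rule blocks it. Replies to connections
# opened from the home LAN are still accepted by the established,related rule.
add action=drop chain=forward comment="Block IOT from Home LAN" dst-address=\
192.168.40.0/24 log=yes src-address-list=iot-clients
add action=drop chain=forward comment="Block Guest LAN from Home LAN" \
dst-address=192.168.40.0/24 log=yes src-address-list=guest-clients
# --- input chain: WAN service blocks (kept as posted) ---
# As ordered, these never match: ether-WAN is not in the LAN list, so the
# earlier "drop all not coming from LAN" rule has already dropped any new
# connection arriving on it. They are harmless but redundant.
add action=drop chain=input comment="Block DNS from WAN" dst-port=53 \
in-interface=ether-WAN protocol=udp
add action=drop chain=input comment="Block DNS from WAN" dst-port=53 \
in-interface=ether-WAN protocol=tcp
add action=drop chain=input comment="Block Telnet from WAN" dst-port=23 \
in-interface=ether-WAN protocol=tcp
add action=drop chain=input comment="Block Telnet from WAN" dst-port=23 \
in-interface=ether-WAN protocol=udp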
# Source NAT: masquerade everything leaving through a WAN-list interface,
# except traffic that matches an outbound IPsec policy.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set silent-boot=yes
# Layer-2 management (MAC Telnet and MAC WinBox) is accepted only on
# interfaces in the LAN list, i.e. the default "bridge" in this export.
# NOTE(review): no /ip service section appears in this export, so the IP
# management services are presumably at their defaults. Confirm which ones
# are enabled and restrict them to the management segment.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN