barracuda
newbie
Topic Author
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

I needa help to config vlan3999 from siol provider

Mon Jan 13, 2020 6:11 pm

Hello!
My router is a RouterBOARD 941-2nD and I've been trying to configure it lately so I can use only one cable from the siol modem trunk port (the siol modem is in bridge mode) and make both internet and IPTV work on my computer, and the siol box on another router port (or the same one if possible). I know siol is using vlan3999 for IPTV. So far I created vlan3999 on ether1, where the router connects to the modem via PPPoE, and then gave that vlan to the bridge. The internet and IPTV work on my computer, but the box does not. Does any of you know how to do this? Please fix my export file so that I can give these commands via the terminal, because I really don't have knowledge about such a config.
Here is my export file

[admin@MikroTik] > export hide-sensitive
# jan/13/2020 16:22:26 by RouterOS 6.46.1
# software id = UH34-V159
#
# model = RouterBOARD 941-2nD
# serial number = 5B3205DA01D3
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-13411A wireless-protocol=802.11
/interface bridge
add admin-mac=E4:8D:8C:13:41:17 auto-mac=no comment=defconf igmp-snooping=yes \
name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=rbrnot1
/interface vlan
add interface=ether1 name="vlan-siol IN" vlan-id=3999
add interface=ether3 name=vlan-siol-OUT vlan-id=3999
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="vlan-siol IN"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.82 client-id=1:0:9:34:2a:3e:e9 mac-address=\
00:09:34:2A:3E:E9 server=defconf
add address=192.168.88.100 client-id=1:5c:fa:0:0:e:2b mac-address=\
5C:FA:00:00:0E:2B server=defconf use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN

/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Ljubljana
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
thank you!
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: I needa help to config vlan3999 from siol provider

Mon Jan 13, 2020 10:39 pm

You have it a bit awkward. My suggestion is to use a single VLAN-aware bridge. ether1 will be used to connect to the innbox (trunk port) and ether3 to connect the Box. The Box will get internet via LAN (so it will be able to play multimedia from your PCs if they are DLNA enabled). You can adapt the config to allow IPTV via another port if you wish.

Below is the configuration only for specific configuration sections. I suggest you start from empty (no config - reset without config ... that's not factory default). Connect using winbox via MAC connectivity, which will cause the least disruption during reconfiguration.

/interface bridge
add admin-mac=E4:8D:8C:13:41:17 auto-mac=no igmp-snooping=yes name=bridge
/interface bridge port
# WAN will be VLAN=11 internally 
# set multicast router to enable IGMP proxy operation
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=11 multicast-router=permanent 
# LAN will be VLAN=22 internally
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=22
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=22
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=22
add bridge=bridge ingress-filtering=yes interface=wlan1 pvid=22
/interface bridge vlan
# configure VLANs on ports ... both tagged (IPTV) and untagged
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=11
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,wlan1 vlan-ids=22
# below tagged ports for IPTV - ether1 for innbox and ether3 for Box
add bridge=bridge tagged=ether1,ether3 vlan-ids=3999
#
/interface vlan
add interface=bridge name=vlanWAN vlan-id=11
add interface=bridge name=vlanLAN vlan-id=22
#
/interface list member
add interface=vlanWAN list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether1 list=WAN
add interface=vlanLAN list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
# the following is copied from your old config ... doesn't seem secured!!!
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-13411A wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlanWAN name=pppoe-out1 use-peer-dns=yes user=rbrnot1
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlanLAN name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip address
add address=192.168.88.1/24 interface=vlanLAN network=192.168.88.0
/ip dhcp-client
add interface=vlanWAN
/ip dhcp-server lease
add address=192.168.88.82 client-id=1:0:9:34:2a:3e:e9 mac-address=00:09:34:2A:3E:E9 server=defconf
add address=192.168.88.100 client-id=1:5c:fa:0:0:e:2b mac-address=5C:FA:00:00:0E:2B server=defconf use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Ljubljana

Now comes the tricky part: if not everything regarding VLANs is right, then you might lose management access when running the next few commands. So do enable safe mode (there's a button for it in winbox and if you're using CLI just press ctrl-X to toggle it - when it's enabled, the command prompt changes). If you lose connectivity while in safe mode, the router reverts the config to the one before enabling safe mode and you should be able to re-connect after around 20 seconds.
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
If the commands above went fine, exit safe mode before closing admin connection.

The whole firewall filter section is still missing. I don't want to copy-paste the default settings (and you're running pretty much the default firewall right now), so execute the command /system default-configuration print, scroll down until you see the beginning of the code block /ip firewall { and copy-paste it entirely (until the closing curly brace). Be sure to have a really wide terminal window to capture whole config lines (they are not wrapped around, they simply end with the character ">").

A similarly configured RB works great for me.
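
The warning above about losing management access once `vlan-filtering=yes` is set, and the remark that the copied wireless section does not look secured, can both be checked offline against an export before it is pasted into the router. The Python script below is an added example, not part of the original posts or of RouterOS; its parser, the `preflight` function and the three rules it applies are assumptions of this example, and the sample export is constructed from the sections above with mistakes planted deliberately.

```python
import shlex

# Constructed sample, trimmed from the sections in the post above, with three
# mistakes planted on purpose so that every rule below fires once.
SAMPLE = r'''
/interface bridge
add igmp-snooping=yes name=bridge
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=11
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=22
add bridge=bridge interface=ether3 pvid=22
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=11
add bridge=bridge untagged=ether2,ether3 vlan-ids=22
add bridge=bridge tagged=ether1,ether3 vlan-ids=3999
/interface vlan
add interface=bridge name=vlanWAN vlan-id=11
add interface=bridge name=vlanLAN vlan-id=22
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge \
    ssid=MikroTik-13411A
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
'''


def parse_export(text):
    """Parse a RouterOS export into {section path: [ {key: value}, ... ]}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # export wraps long lines with "\"
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):           # section header, e.g. /interface vlan
            current = sections.setdefault(line, [])
            continue
        verb, _, rest = line.partition(" ")
        if current is None or verb not in ("add", "set"):
            continue                       # prompts, banners, other commands
        try:
            tokens = shlex.split(rest)     # keeps quoted values in one piece
        except ValueError:
            continue                       # unbalanced quote (script bodies)
        record, in_find = {}, False
        for tok in tokens:
            if tok in ("[", "]"):
                in_find = tok == "["
            elif "=" in tok:
                key, _, value = tok.partition("=")
                record[("find." if in_find else "") + key] = value
        current.append(record)
    return sections


def _names(value):
    return {v for v in (value or "").split(",") if v}


def preflight(text):
    """Return sorted findings; an empty list means all three rules passed."""
    cfg, findings, table = parse_export(text), [], {}
    for row in cfg.get("/interface bridge vlan", []):
        for vid in _names(row.get("vlan-ids")):
            entry = table.setdefault(vid, {"tagged": set(), "untagged": set()})
            entry["tagged"] |= _names(row.get("tagged"))
            entry["untagged"] |= _names(row.get("untagged"))
    bridges = {b.get("name") for b in cfg.get("/interface bridge", [])}
    # Rule 1: a VLAN interface on the bridge needs the bridge itself as a tagged
    # member of that VLAN, or its traffic is dropped once vlan-filtering is on.
    for v in cfg.get("/interface vlan", []):
        vid, parent = v.get("vlan-id"), v.get("interface")
        if parent in bridges and parent not in table.get(vid, {}).get("tagged", ()):
            findings.append(f"{v.get('name')}: bridge '{parent}' is not a tagged member of VLAN {vid}")
    # Rule 2: every bridge port filters on ingress, as in the post above.
    for p in cfg.get("/interface bridge port", []):
        if p.get("ingress-filtering") != "yes":
            findings.append(f"{p.get('interface')}: ingress-filtering is not enabled")
    # Rule 3: an enabled wireless interface must not use an open profile.
    profiles = cfg.get("/interface wireless security-profiles", [])
    for w in cfg.get("/interface wireless", []):
        wanted, mode = w.get("security-profile", "default"), "none"
        for s in profiles:
            if s.get("name") == wanted or (wanted == "default" and s.get("find.default") == "yes"):
                mode = s.get("mode", "none")
        if w.get("disabled") == "no" and mode == "none":
            findings.append(f"{w.get('find.default-name') or w.get('name')}: security profile '{wanted}' is open (mode=none)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("FINDING", finding)
```

The parser only reads `add` and `set` lines under a section header and treats `vlan-ids` as single IDs or comma lists, not ranges.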
 
barracuda
newbie
Topic Author
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

Re: I needa help to config vlan3999 from siol provider

Tue Jan 14, 2020 12:11 am

Thank you very much for your fast answer and clear explanation. I could deal with this for another month, but for sure I would not succeed.
I will try this configuration tomorrow.
 
romihg
Frequent Visitor
Posts: 50
Joined: Tue Jun 24, 2014 9:07 am
Location: SLOVENIA

Re: I needa help to config vlan3999 from siol provider

Tue Jan 14, 2020 2:36 am

Some Slovenian guys are here on this forum.
 
romihg
Frequent Visitor
Posts: 50
Joined: Tue Jun 24, 2014 9:07 am
Location: SLOVENIA

Re: I needa help to config vlan3999 from siol provider

Tue Jan 14, 2020 2:49 am

/interface vlan
add interface=ether1 name="ether1 - VLAN 3999" vlan-id=3999
add interface=ether5 name="ether5 - VLAN 3999" vlan-id=3999
/interface bridge port
add bridge=bridgeTV interface="ether1 - VLAN 3999"
add bridge=bridgeTV interface="ether5 - VLAN 3999"

You also need to have ether port 5 in the same bridge as the internet:

add bridge=bridge comment=defconf interface=ether5

Basically you need to have two bridges: one for internet, one for IPTV.
 
barracuda
newbie
Topic Author
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

Re: I needa help to config vlan3999 from siol provider

Tue Jan 14, 2020 8:37 pm

@mkx
sorry for this post!

Today I tried your configuration, but when I entered all the commands into the winbox terminal the router did not connect to the internet. The PPPoE client was on the vlanWAN interface, but when I added the username and password its status was connecting .... but offline.
However, when I added the following commands:
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
the winbox immediately reset.
Looks like something's wrong but I don't know what.

Here is also my latest working export:
[admin@MikroTik] > export hide-sensitive
# jan/14/2020 23:31:53 by RouterOS 6.46.1
# software id = UH34-V159
#
# model = RouterBOARD 941-2nD
# serial number = 5B3205DA01D3
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-13411A wireless-protocol=802.11
/interface bridge
add admin-mac=E4:8D:8C:13:41:17 auto-mac=no comment=defconf igmp-snooping=yes \
name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=rbrnot1
/interface vlan
add interface=ether1 name=siolIn vlan-id=3999
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=siolIn
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.82 client-id=xxxxx mac-address=\
xxxxxxxx server=defconf
add address=192.168.88.100 client-id=1:5c:fa:0:0:e:2b mac-address=\
5xxxxxxxxxxxx server=defconf use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=17550 protocol=tcp to-addresses=\
192.168.88.100 to-ports=17550
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Ljubljana
/system scheduler
add interval=15m name=dnsexit on-event="/system script run dnsexit" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add comment="DNSEXIT RUN AT STARTUP" name=Up_Dnsexit on-event=\
":delay 60;\r\
\n/system script run dnsexit\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
add comment="DNSEXIT SCRIPT" dont-require-permissions=no name=dnsexit owner=\
admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="###\
## Script Settings #####\r\
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[admin@MikroTik] >
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: I needa help to config vlan3999 from siol provider

Wed Jan 15, 2020 11:21 am

Today I tried your configuration, but when I entered all the commands into the winbox terminal the router did not connect to the internet. The PPPoE client was on the vlanWAN interface, but when I added the username and password its status was connecting .... but offline.
However, when I added the following commands:
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
the winbox immediately reset.
Looks like something's wrong but I don't know what.

It is expected that my whole setup doesn't work correctly until vlan-filtering=yes is set on bridge. And when I think of it, it's also expected that winbox connection drops after that setting is enabled ... because the connection between winbox and ROS now takes different path (internal VLAN instead of direct ether-bridge path).

Anyway, if your current setup works as expected, then keep it ...
 
barracuda
newbie
Topic Author
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

Re: I needa help to config vlan3999 from siol provider

Wed Jan 15, 2020 8:03 pm

You are right, IPTV works fine on my computer, and so does the internet; only the box alone does not work. I will need to install another cable for the box, but that will be fine.
All I can say is that the MikroTik router is really amazing if you know how to set it up properly, which is a little harder for us laymen, so thanks to all those who are willing to share their knowledge!
In my case especially mkx!
 
romihg
Frequent Visitor
Posts: 50
Joined: Tue Jun 24, 2014 9:07 am
Location: SLOVENIA

Re: I needa help to config vlan3999 from siol provider

Thu Jan 16, 2020 2:07 pm

My configuration on Siol with IPTV enabled. IPTV works, and so do the local network and internet on the Siol boxes.

Sorry guys for slovenian language.


# jan/16/2020 13:03:12 by RouterOS 6.46.1
# software id = U9SD-JKHU
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 96890A689AF2
/interface bridge
add admin-mac=74:4D:28:4A:D4:8B auto-mac=no comment=defconf name=bridge
add name=bridgeTV
/interface ethernet
set [ find default-name=ether10 ] poe-out=forced-on
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=\
disabled name=pppoe-out1 use-peer-dns=yes user=gromih1
/interface vlan
add interface=ether2 name=Ether2 vlan-id=3999
add interface=ether1 name="ether1 - VLAN 3999" vlan-id=3999
add interface=ether5 name="ether5 - VLAN 3999" vlan-id=3999
add interface=ether7 name="ether7 - VLAN 3999" vlan-id=3999
add interface=ether8 name="ether8 - VLAN 3999" vlan-id=3999
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-n/ac channel-width=\
20/40/80mhz-XXXX country=no_country_set disabled=no distance=indoors \
frequency-mode=manual-txpower installation=indoor mode=ap-bridge \
security-profile=profile1 ssid=MikroTik-5Ghz wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-g/n channel-width=\
20/40mhz-XX country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower mode=ap-bridge \
security-profile=profile1 ssid="LAN of Milk and Honey" wireless-protocol=\
802.11
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
bridge lease-time=1h name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridgeTV interface="ether1 - VLAN 3999"
add bridge=bridgeTV interface="ether5 - VLAN 3999"
add bridge=bridgeTV interface="ether7 - VLAN 3999"
add bridge=bridgeTV interface="ether8 - VLAN 3999"
add bridge=bridgeTV interface=Ether2
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set accept-source-route=yes
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add add-default-route=no comment=defconf dhcp-options=hostname interface=\
ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
192.168.88.1,193.189.160.13,193.189.160.23 domain=clarkynet.com gateway=\
192.168.88.1 netmask=24 ntp-server=193.2.1.117,193.2.1.92
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.254 name=i7-3770 ttl=10m
/ip firewall address-list
add address=96890A689AF2.sn.mynetname.net list=WANIP
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=HAIRPIN dst-address=\
192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="template port forward" disabled=yes \
dst-address-list=WANIP dst-port=8080 protocol=tcp to-addresses=\
192.168.1.2
add action=dst-nat chain=dstnat comment="template port forward" disabled=yes \
dst-address-list=WANIP dst-port=8080 protocol=tcp to-addresses=\
192.168.1.2
add action=dst-nat chain=dstnat comment="template port forward" disabled=yes \
dst-address-list=WANIP dst-port=8080 protocol=tcp to-addresses=\
192.168.1.2
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ipv6 address
add address=::1 from-pool=SiOL_IPv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=SiOL_IPv6 \
rapid-commit=no request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 nd
set [ find default=yes ] advertise-mac-address=no hop-limit=64
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name="Main Router"
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=193.77.204.19 secondary-ntp=193.2.1.117
/system package update
set channel=development
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
barracuda
newbie
Topic Author
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

Re: I needa help to config vlan3999 from siol provider

Thu Jan 16, 2020 9:46 pm

@romihg

I'm still pretty much in the dark with the kind of configuration you have.
I see that your hardware is a lot different from my router (10 ports), so I don't know what to exclude from your config. I now have a 4 port router, but I'm thinking of getting a 5 port one with a better processor. I also don't have IPv6.
Can you tell me what configuration I can exclude (delete) from your config for a 4 or 5 port router?

Thank you!
 
barracuda
newbie
Topic Author
Posts: 38
Joined: Thu Jul 09, 2015 12:41 am

Re: I needa help to config vlan3999 from siol provider  [SOLVED]

Tue Jan 28, 2020 10:59 pm

After a long time I finally managed to get a box to work on mikrotik router..
I don't even know what I've tried but so far it's working.

The only thing that doesn't work for me is time-shift viewing ("ogled nazaj"). Does it work for you?

Thank you all for your help!
 
vuli
just joined
Posts: 9
Joined: Sat Dec 26, 2020 6:38 pm

Re: I needa help to config vlan3999 from siol provider

Thu Dec 31, 2020 8:11 pm

I have it like this and it works. I bet there is something that could be better.
modem (trunk) -> eth1 mk (pppoe) , eth2,eth3,eth4 = lan, eth 5 (for IPTv) -> dumb switch -> 3 boxes.
I only made second dhcp for BOXes only, so 3 bridges.
/interface bridge
add admin-mac=48:8F:5A:A2:75:B2 auto-mac=no comment="bridge lan-wlan" dhcp-snooping=yes name=bridge
add comment="bridge IPTV video" igmp-snooping=yes name="bridge IPTV"
add comment="data for IPTV" igmp-snooping=yes name=data
/interface ethernet
set [ find default-name=ether1 ] comment="PPPOE - trunk port" mtu=1480 name="ether1 - WAN"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX country=slovenia disabled=no \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=WIFI station-roaming=enabled \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-eC country=slovenia disabled=no \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid="WIFI 5G" station-roaming=\
    enabled tx-power-mode=all-rates-fixed wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface="ether1 - WAN" keepalive-timeout=disabled \
    max-mru=1480 max-mtu=1500 mrru=1600 name="SIOL " use-peer-dns=yes user=USERNAME
/interface vlan
add comment="video for IPTV  - vlan 3999" interface="ether1 - WAN" name="TV IN" vlan-id=3999
add comment="video for IPTV - vlan3999" interface=ether5 name="TV OUT" vlan-id=3999
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp_lan_wlan ranges=192.168.0.10-192.168.0.254
add name=dhcp_siolbox ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_lan_wlan disabled=no interface=bridge lease-time=1d10m name="dhcp lan+wlan"
add address-pool=dhcp_siolbox disabled=no interface=data lease-time=1d name="dhcp siol box"
/interface bridge filter
add action=accept chain=forward in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward in-bridge=bridge packet-type=multicast
add action=drop chain=input in-bridge=bridge packet-type=multicast
add action=accept chain=forward disabled=yes in-interface=ether5 out-interface="ether1 - WAN"
/interface bridge port
add bridge=bridge comment=Lan interface=ether2
add bridge=bridge comment=Lan interface=ether3
add bridge=bridge comment=Lan interface=ether4
add bridge=data comment="Siol Box out port + data" interface=ether5
add bridge=bridge comment="Wlan 2.4G" interface=wlan1
add bridge=bridge comment="Wlan 5G" interface=wlan2
add bridge="bridge IPTV" comment="IPTV IN vlan" interface="TV IN"
add bridge="bridge IPTV" comment="IPTV OUT vlan" interface="TV OUT"
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 - WAN" list=WAN
add interface="SIOL " list=WAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
/ip address
add address=192.168.0.1/24 comment="DHCP LAN-WLAN" interface=bridge network=192.168.0.0
add address=192.168.1.2/8 disabled=yes interface="ether1 - WAN" network=192.0.0.0
add address=192.168.2.1/24 comment="DHCP SIOL BOX data" interface=data network=192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=23h5m
/ip dhcp-client
add comment=defconf interface="ether1 - WAN"
/ip dhcp-server lease
add address=192.168.0.4 client-id=1:b4:2e:99:3e:43:e6 mac-address=B4:2E:99:3E:43:E6 server="dhcp lan+wlan"
/ip dhcp-server network
add address=192.168.0.0/24 comment="DHCP LAN-WLAN" gateway=192.168.0.1 netmask=24
add address=192.168.2.0/24 comment="DHCP za SIOL BOX data" gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=193.189.160.13,8.8.8.8,193.189.160.23,8.8.4.4
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.2-192.168.0.255 list=client
add address=192.168.2.1-192.168.2.255 list="siol box"
add address=213.250.22.35 list=IP
/ip firewall filter
add action=accept chain=input connection-nat-state="" dst-port=8291 protocol=tcp src-address-type=""
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input src-address=192.168.0.0/24
add action=accept chain=input src-address=192.168.2.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward protocol=udp
add action=accept chain=input protocol=udp
add action=accept chain=input protocol=igmp
add action=accept chain=input connection-state=established,related
add action=accept chain=forward dst-address-type=local dst-port=9678 protocol=tcp
add action=accept chain=input protocol=tcp src-address-list=IP
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment=\
    "defconf: drop all not coming from LAN, cant access Mikrotik from 4G-outside" disabled=yes \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=34w2d chain=input \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=15s chain=input \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15s chain=input \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=15s chain=input \
    connection-state=new dst-port=22 protocol=tcp
add action=reject chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp reject-with=\
    icmp-host-unreachable src-address-list=ssh_blacklist
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=\
    telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=34w2d chain=input \
    connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=15s chain=input \
    connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=15s chain=input \
    connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=15s chain=input \
    connection-state=new dst-port=23 protocol=tcp
add action=reject chain=forward comment="drop telnet brute downstream" dst-port=23 protocol=tcp reject-with=\
    icmp-host-unreachable src-address-list=telnet_blacklist
add action=drop chain=input comment="drop api brute forcers" dst-port=8728 protocol=tcp src-address-list=\
    API_Blacklist
add action=add-src-to-address-list address-list=API_Blacklist address-list-timeout=34w2d chain=input \
    connection-state=new dst-port=8728 protocol=tcp src-address-list=api_stage3
add action=add-src-to-address-list address-list=api_stage3 address-list-timeout=1m chain=input \
    connection-state=new dst-port=8728 protocol=tcp src-address-list=api_stage2
add action=add-src-to-address-list address-list=api_stage2 address-list-timeout=1m chain=input \
    connection-state=new dst-port=8728 protocol=tcp src-address-list=api_stage1
add action=add-src-to-address-list address-list=api_stage1 address-list-timeout=1m chain=input \
    connection-state=new dst-port=8728 protocol=tcp
add action=reject chain=forward comment="drop api brute downstream" dst-port=8728 protocol=tcp reject-with=\
    icmp-host-unreachable src-address-list=API_Blacklist
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=\
    FTP_blacklist
add action=add-src-to-address-list address-list=FTP_blacklist address-list-timeout=34w2d chain=input \
    connection-state=new dst-port=21 protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 address-list-timeout=1m chain=input \
    connection-state=new dst-port=21 protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=1m chain=input \
    connection-state=new dst-port=21 protocol=tcp src-address-list=ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m chain=input \
    connection-state=new dst-port=21 protocol=tcp
add action=drop chain=forward comment="drop ftp brute downstream" dst-port=21 protocol=tcp src-address-list=\
    FTP_blacklist
/ip firewall mangle
add action=mark-connection chain=forward comment=dw-connection in-interface="ether1 - WAN" \
    new-connection-mark=dw-connection passthrough=yes
add action=mark-packet chain=forward comment=dw-packet connection-mark=dw-connection new-packet-mark=\
    dw-packet passthrough=yes
add action=mark-connection chain=prerouting comment=up-connection in-interface=bridge new-connection-mark=\
    up-connection passthrough=yes
add action=mark-packet chain=prerouting comment=up-packet connection-mark=up-connection new-packet-mark=\
    up-packet passthrough=yes
add action=mark-packet chain=forward comment=http-dw-packet new-packet-mark=http-dw-packet packet-mark=\
    dw-packet passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment=http-up-packet new-packet-mark=http-up-packet packet-mark=\
    up-packet passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment=other-dw-packet new-packet-mark=other-dw-packet packet-mark=\
    dw-packet passthrough=no
add action=mark-packet chain=forward comment=other-up-packet new-packet-mark=other-up-packet packet-mark=\
    up-packet passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=masquerade chain=srcnat src-address=192.168.2.0/24
add action=masquerade chain=srcnat disabled=yes out-interface="SIOL "
add action=dst-nat chain=dstnat dst-address-type=local dst-port=28967 protocol=tcp to-addresses=192.168.0.4
add action=dst-nat chain=dstnat dst-address-type=local dst-port=9678 protocol=tcp to-addresses=192.168.0.4
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8291 protocol=tcp to-addresses=192.168.0.1
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=passthrough chain=dstnat disabled=yes dst-address-list=client src-address-list=client
/ip route
add disabled=yes distance=1 gateway=192.168.1.1
/ip service
set www-ssl disabled=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface="ether1 - WAN" type=external
add interface="SIOL " type=external
/ipv6 address
add address=::4a8f:5aff:fea2:75b2 eui-64=yes from-pool="siol ipv6" interface=bridge
/ipv6 dhcp-client
add interface="SIOL " pool-name="siol ipv6" prefix-hint=::/56 request=prefix
/ipv6 firewall filter
add action=accept chain=input dst-port=546 in-interface="SIOL " protocol=udp
/ipv6 nd
set [ find default=yes ] other-configuration=yes
/system clock
set time-zone-name=Europe/Ljubljana
/system leds
set 0 interface="ether1 - WAN" leds=led1 type=interface-activity
add interface=ether2 leds=led2 type=interface-activity
add interface=ether3 leds=led3 type=interface-activity
add interface=ether4 leds=led4 type=interface-activity
add interface=ether5 leds=led5 type=interface-activity
/tool graphing interface
add allow-address=192.168.0.0/24
/tool graphing resource
add allow-address=192.168.0.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tinodj
newbie
Posts: 25
Joined: Fri Oct 05, 2018 4:04 pm

Re: I needa help to config vlan3999 from siol provider

Mon Nov 22, 2021 11:40 am

Hi all. @mkx I saw you are pretty much into this, so I hope you can help me. I found some MikroTik configuration on the siol.net forum a few years ago and that worked perfectly for me. Now, I've added one more MikroTik (Audience) device to my config, so I adjusted this configuration a bit; actually, I set it up on the Audience.

However, I have two questions:

1. I am not sure that this setup is the most optimal in terms of resources/speed. I see you are debating VLAN filtering on the bridge here, some hw offloading, and traffic that should and shouldn't go to the CPU, so I was wondering whether I can make this setup better. I am also not sure whether setting/unsetting some of these unknown-multicast-flood, broadcast-flood and unknown-unicast-flood options is a good idea.

2. From the PC I only watch with a cable plugged in. Can I make it work on the wireless interface as well? I've tried something; however, this slowed down the Wi-Fi speeds a lot. I guess it has to do with this flooding, because once the Neo was switched on I saw this traffic (13-15Mbps) being propagated to many other interfaces.

Audience
/interface bridge
add igmp-snooping=yes name=IPTV
add admin-mac=08:55:31:EC:08:20 auto-mac=no comment=defconf igmp-snooping=yes name=bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-eC/gn(26dBm), SSID: MMM, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik station-roaming=enabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(12dBm), SSID: MMM, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik station-roaming=enabled
/interface vlan
add interface=ether1 name="IPTV IN" vlan-id=3999
add interface=ether2 name="IPTV OUT" vlan-id=3999
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys name=wpsSync supplicant-identity=MikroTik
/interface wireless
# managed by CAPsMAN
# channel: 5745/20-Ceee/ac(25dBm)+5570/80/DP(22dBm), SSID: MMM, local forwarding
set [ find default-name=wlan3 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX disabled=no mode=ap-bridge security-profile=wpsSync ssid=SYNC-EC0823 station-roaming=enabled
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge comment=defconf interface=wlan3
add bridge=bridge interface=ether1
add bridge=IPTV interface="IPTV OUT"
add bridge=IPTV interface="IPTV IN"
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan3,wlan2
Main Mikrotik:
# model = 2011UiAS-2HnD
/interface bridge
add admin-mac=64:D1:54:7F:68:2D auto-mac=no igmp-snooping=yes name=IPTV
add admin-mac=64:D1:54:7F:68:2E arp=proxy-arp auto-mac=no igmp-snooping=yes name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=ether2-neo-dnevna
set [ find default-name=ether4 ] name=ether4-cabinet-audience 
set [ find default-name=ether5 ] name=ether5-telekom-out
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether5-telekom-out name=pppoe-out1 user=mmm
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-eC/gn(30dBm), SSID: MMM, local forwarding
set [ find default-name=wlan1 ] antenna-gain=0 arp=proxy-arp band=2ghz-onlyn channel-width=20/40mhz-XX country=no_country_set disabled=no distance=indoors installation=indoor mode=ap-bridge ssid=MMM station-roaming=\
    enabled wireless-protocol=802.11
/interface vlan
add interface=ether4-cabinet-audience name="IPTV PC TimeShift" vlan-id=3999
add interface=ether2-neo-dnevna name="Neo dnevna" vlan-id=3999
add interface=ether5-telekom-out name="SIOL IPTV IN" vlan-id=3999
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge broadcast-flood=no comment=defconf interface=ether2-neo-dnevna unknown-multicast-flood=no unknown-unicast-flood=no
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge hw=no interface=ether1
add bridge=IPTV interface="SIOL IPTV IN"
add bridge=IPTV interface="Neo dnevna"
add bridge=IPTV interface="IPTV PC TimeShift"
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4-cabinet-audience
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10

/interface wireless cap
# 
set caps-man-addresses=192.168.98.95 enabled=yes interfaces=wlan1
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: I needa help to config vlan3999 from siol provider

Mon Nov 22, 2021 7:10 pm

Your VLAN config is a mess, no wonder multicast streams leak all over. Recommended reading: tutorial on how to do VLANs in RouterOS. In short: you should use a single bridge with VLANs configured properly.

We can help you get things straight, but I'd prefer if you studied the tutorial first so that you'll understand the rest of suggestions. I could drop you a working config, but I will not, I'd like you to learn how to catch the fish :wink:

From resource-consumption point of view the configuration from the above mentioned tutorial is not the best either, your RB2011 would benefit from configuration on switch chip. But not as much as properly done config, so forget about it for now.
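
The two checks below are an added example, not code from any post in this thread: a small Python parser for RouterOS export text that flags (1) VLAN interfaces created on a port that is already a bridge member and then bridged into a second bridge, the layout in the configs tinodj posted, and (2) firewall address lists that rules match on but no rule or static entry fills, as happens when a staged blacklist's name is spelled two ways. The sample config is constructed, and treating address-list names as case-sensitive is an assumption.

```python
import shlex

# Constructed sample in RouterOS export syntax, modelled on this thread's configs.
SAMPLE = r'''
/interface vlan
add interface=ether1 name="IPTV IN" vlan-id=3999
add interface=ether2 name="IPTV OUT" vlan-id=3999
add interface=ether5 name=mgmt vlan-id=10
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=IPTV interface="IPTV IN"
add bridge=IPTV interface="IPTV OUT"
/ip firewall filter
add action=drop chain=input dst-port=21 protocol=tcp src-address-list=\
    FTP_blacklist
add action=add-src-to-address-list address-list=FTP_Blacklist chain=input \
    dst-port=21 protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 chain=input \
    dst-port=21 protocol=tcp
'''

def parse_export(text):
    """Map each menu path to the key=value dicts of its add/set lines."""
    joined, menus, path = [], {}, None
    for raw in text.splitlines():
        if joined and joined[-1].endswith("\\"):   # export wraps long lines with "\"
            joined[-1] = joined[-1][:-1] + raw.strip()
        else:
            joined.append(raw.strip())
    for line in joined:
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            pairs = (t.split("=", 1) for t in shlex.split(line) if "=" in t)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def vlans_on_bridge_ports(menus):
    """VLAN interfaces built on a bridged port and themselves bridged elsewhere."""
    ports = {p["interface"]: p["bridge"] for p in menus.get("/interface bridge port", [])}
    found = []
    for v in menus.get("/interface vlan", []):
        parent_br, own_br = ports.get(v["interface"]), ports.get(v["name"])
        if parent_br and own_br and parent_br != own_br:
            found.append((v["name"], v["interface"], parent_br, own_br))
    return found

def unpopulated_lists(menus):
    """Lists that filter rules match on but nothing fills (assumed case-sensitive)."""
    rules = menus.get("/ip firewall filter", [])
    filled = {r["address-list"] for r in rules if "address-list" in r}
    filled |= {e["list"] for e in menus.get("/ip firewall address-list", [])}
    used = {r[k].lstrip("!") for r in rules for k in ("src-address-list", "dst-address-list") if k in r}
    near = {name.lower(): name for name in filled}
    return sorted((name, near.get(name.lower())) for name in used - filled)

if __name__ == "__main__":
    print(vlans_on_bridge_ports(parse_export(SAMPLE)), unpopulated_lists(parse_export(SAMPLE)))
```

Each unpopulated list is reported with the closest populated name that differs only by case, so a drop rule that can never match is easy to trace back to the rule that was meant to feed it.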
