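# jan/30/2021 07:33:35 by RouterOS 6.48
# software id = PU3F-62RK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D4410D87938B
#
# RB4011 acting as router, DHCP/DNS server and CAPsMAN controller for four
# VLANs: 10 private, 20 guest, 30 kids, 99 management / CAP base.
#
# Reviewer change: a terminal drop for WAN-sourced traffic is appended to the
# input chain (see /ip firewall filter). As exported, the input chain holds
# only accept rules plus "drop invalid", so a WAN packet that matches none of
# them falls through to the chain's default action (accept) and reaches every
# service on the router - the DNS resolver (allow-remote-requests=yes), winbox,
# ssh, the API and so on.
/caps-man channel
# Channel profiles referenced by the CAPsMAN configurations below;
# frequency="" lets CAPsMAN choose the channel.
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX \
frequency="" name=2ghz
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX \
frequency="" name=5ghz
/interface bridge
# One VLAN-filtering bridge; every LAN port and every VLAN interface hangs off it.
add admin-mac=08:55:31:03:59:CE auto-mac=no name=bridge protocol-mode=none \
vlan-filtering=yes
/interface wireless
# The local radios are CAPsMAN-managed (see /interface wireless cap); the
# band/width/ssid values here are the radios' own settings, not what clients see.
# managed by CAPsMAN
# channel: 5805/20-eeCe/ac(27dBm)+5210/80(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-0359D8 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-4AA9C4 wireless-protocol=802.11
/interface vlan
# Routed (layer-3) VLAN interfaces on top of the bridge.
add interface=bridge name=vlan10-private vlan-id=10
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-kids vlan-id=30
add interface=bridge name=vlan99-base vlan-id=99
/caps-man datapath
# local-forwarding=no: CAP client traffic is tunnelled to this controller and
# injected into the bridge here with the datapath's VLAN tag (vlan-mode=use-tag).
# Guest clients cannot talk to each other (client-to-client-forwarding=no).
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
datapath-10-private vlan-id=10 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=no name=\
datapath-20-guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
datapath-30-kids vlan-id=30 vlan-mode=use-tag
/caps-man security
# WPA/WPA2-PSK with AES-CCMP on all three SSIDs. NOTE(review): wpa-psk (WPA1)
# is accepted alongside wpa2-psk; if no legacy client needs it, wpa2-psk alone
# is the stronger choice. Passphrases are not shown in this export.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=security-cfg-10-private
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=security-cfg-20-guest
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=security-cfg-30-kids
/caps-man configuration
# One configuration per SSID per band: PRIVATE_CAP -> VLAN 10,
# GUEST_CAP -> VLAN 20, KIDS_CAP -> VLAN 30.
add channel=2ghz datapath=datapath-10-private mode=ap name=\
cfg-10-private-2ghz security=security-cfg-10-private ssid=PRIVATE_CAP
add channel=5ghz datapath=datapath-10-private mode=ap name=\
cfg-10-private-5ghz security=security-cfg-10-private ssid=PRIVATE_CAP
add channel=2ghz datapath=datapath-20-guest mode=ap name=cfg-20-guest-2ghz \
security=security-cfg-20-guest ssid=GUEST_CAP
add channel=5ghz datapath=datapath-20-guest mode=ap name=cfg-20-guest-5ghz \
security=security-cfg-20-guest ssid=GUEST_CAP
add channel=2ghz datapath=datapath-30-kids mode=ap name=cfg-30-kids-2ghz \
security=security-cfg-30-kids ssid=KIDS_CAP
add channel=5ghz datapath=datapath-30-kids mode=ap name=cfg-30-kids-5ghz \
security=security-cfg-30-kids ssid=KIDS_CAP
/interface ethernet switch port
# Switch-chip default VLAN cleared on every port; VLAN membership is defined
# on the bridge (/interface bridge vlan) instead.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN = ether1; VLAN = all routed VLAN interfaces; BASE = vlan99-base only
# (membership in /interface list member).
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# Default profile of the local radios; while they are CAPsMAN-managed the
# CAPsMAN security configurations above apply instead.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
# One /24 per VLAN: 10.0.<vlan>.0/24, VLAN 99 uses 10.0.0.0/24.
add name=pool99 ranges=10.0.0.2-10.0.0.254
add name=pool10 ranges=10.0.10.2-10.0.10.254
add name=pool20 ranges=10.0.20.2-10.0.20.254
add name=pool30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=pool99 disabled=no interface=vlan99-base name=dhcp-server99
add address-pool=pool10 disabled=no interface=vlan10-private name=\
dhcp-server10
add address-pool=pool20 disabled=no interface=vlan20-guest name=dhcp-server20
add address-pool=pool30 disabled=no interface=vlan30-kids name=dhcp-server30
/caps-man manager
set enabled=yes
/caps-man provisioning
# Every CAP radio gets the private SSID as master plus guest and kids as
# slave (virtual) APs; ac-capable radios receive the 5 GHz set.
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
cfg-10-private-5ghz name-format=prefix-identity slave-configurations=\
cfg-20-guest-5ghz,cfg-30-kids-5ghz
add action=create-dynamic-enabled master-configuration=cfg-10-private-2ghz \
name-format=prefix-identity slave-configurations=\
cfg-20-guest-2ghz,cfg-30-kids-2ghz
/interface bridge port
# ether2: pvid 10 with no frame-types restriction, so both tagged and untagged
# frames are accepted (hybrid trunk). ether3-ether8: untagged-only access
# ports in VLAN 10. ether9, ether10, sfp-sfpplus1: trunks (tagged members in
# /interface bridge vlan, default pvid). wlan1/wlan2: added with defaults;
# with CAPsMAN forwarding the client traffic enters the bridge through the
# datapath, so these two entries look like leftovers - confirm.
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery is answered on every VLAN, including guest
# and kids; the BASE list would confine it to the management VLAN.
set discover-interface-list=VLAN
/interface bridge vlan
# Bridge VLAN table: VLAN 10 untagged on the access ports; 10/20/30/99 tagged
# on the trunks and on the bridge itself, which is what lets the routed
# vlanNN interfaces above see their VLAN.
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 untagged=\
ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
20
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
30
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
99
/interface list member
# vlan99-base is a member of both BASE and VLAN.
add interface=ether1 list=WAN
add interface=vlan99-base list=BASE
add interface=vlan10-private list=VLAN
add interface=vlan20-guest list=VLAN
add interface=vlan30-kids list=VLAN
add interface=vlan99-base list=VLAN
/interface wireless cap
#
# The router's own radios join its CAPsMAN over vlan99-base.
set discovery-interfaces=vlan99-base enabled=yes interfaces=wlan1,wlan2
/ip address
# The router is .1 in every VLAN subnet.
add address=10.0.0.1/24 interface=vlan99-base network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10-private network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-guest network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-kids network=10.0.30.0
/ip dhcp-client
# Upstream address via DHCP on ether1 (WAN).
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
# The kids VLAN is handed different resolvers (208.67.222.123/220.123) than
# the other networks, which get 1.1.1.1/1.0.0.1/8.8.8.8/8.8.4.4.
add address=10.0.0.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.0.1 netmask=24
add address=10.0.10.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.10.1 netmask=24
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.20.1 netmask=24
add address=10.0.30.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
10.0.30.1 netmask=24
/ip dns
# The router answers DNS for its clients. Without the WAN input drop added
# below, this setting would also make it an open resolver toward the internet.
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): "Allow VLAN" admits guest and kids clients to every router
# service (winbox, ssh, DNS, ...). Accepting management only from BASE and
# just DNS/DHCP from the other VLANs would tighten this.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Redundant with "Allow VLAN" (vlan99-base is also in the VLAN list); harmless.
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=vlan99-base
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Added: terminal drop for everything else arriving on WAN. Plays the role of
# the stock "drop all not coming from LAN" rule that this export lacks.
add action=drop chain=input comment="drop all other input from WAN" in-interface-list=WAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# "VLAN inter-VLAN routing" accepts every new connection entering from any
# VLAN interface, whatever its destination, so guest and kids can reach
# private hosts and the next rule ("VLAN Internet Access only") never
# matches. If isolation is intended, drop guest/kids -> VLAN before this
# rule, or keep only the VLAN -> WAN rule.
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
connection-state=new in-interface-list=VLAN
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade non-IPsec traffic leaving through WAN.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Router
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool mac-server
# NOTE(review): MAC-telnet and MAC-winbox are reachable from every VLAN,
# including guest and kids; the BASE list would limit them to management.
set allowed-interface-list=VLAN
/tool mac-server mac-winbox
set allowed-interface-list=VLAN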
# jan/30/2021 07:34:07 by RouterOS 6.48
# software id = JVFK-X1M2
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7D08DEEF06
#
# hAP ac acting as a CAP (access point) managed by the RB4011 CAPsMAN. It has
# no firewall filter of its own: ether1 is a tagged-only trunk to the router,
# its only address comes from DHCP on vlan99-base, and the defconf masquerade
# rule is disabled.
/interface bridge
add admin-mac=CC:2D:E0:E0:8D:3B auto-mac=no name=bridge protocol-mode=none \
vlan-filtering=yes
/interface wireless
# Radios are CAPsMAN-managed; these are the radios' own settings, not the
# SSIDs clients see.
# managed by CAPsMAN
# channel: 2447/20-eC/gn(28dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-E08D41 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5805/20-eeeC/ac(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-E08D40 wireless-protocol=802.11
/interface vlan
# Only the management VLAN is routed on the AP.
add interface=bridge name=vlan99-base vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# The default profile carries no authentication settings; SSID security comes
# from the CAPsMAN configurations pushed to this CAP.
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether2-ether5 and sfp1: untagged-only access ports in VLAN 10.
# ether1: uplink to the router, accepts VLAN-tagged frames only.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=sfp1 pvid=10
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1 multicast-router=disabled
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# ether1 carries 10/20/30/99 tagged; VLAN 99 is also tagged to the bridge so
# that vlan99-base is reachable by the CPU. VLAN 10 is untagged on the access
# ports.
add bridge=bridge tagged=ether1 untagged=ether2,ether3,ether4,ether5,sfp1 \
vlan-ids=10
add bridge=bridge tagged=ether1 vlan-ids=20
add bridge=bridge tagged=ether1 vlan-ids=30
add bridge=bridge tagged=bridge,ether1 vlan-ids=99
/interface list member
# LAN = every access port plus both radios. WAN = ether1 is defconf naming;
# no WAN routing or NAT is active on this device.
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
#
# Both radios are handed to CAPsMAN; the controller is discovered over vlan99-base.
set bridge=bridge discovery-interfaces=vlan99-base enabled=yes interfaces=\
wlan2,wlan1
/ip dhcp-client
# Management address from the router's dhcp-server99 on VLAN 99.
add comment=defconf disabled=no interface=vlan99-base
/ip dns
# NOTE(review): remote DNS requests are answered on this AP too, and there is
# no input filter here; presumably only LAN hosts can reach it - confirm, or
# set this to no since the router already resolves for clients.
set allow-remote-requests=yes
/ip dns static
# Leftover defconf entry; 192.168.88.1 is not configured anywhere in this export.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
# Disabled: the AP does not NAT.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
/ip route
# Default route via the router's VLAN 99 address.
add distance=1 gateway=10.0.0.1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=AP
/tool mac-server
# MAC-telnet / MAC-winbox reachable from every access port and radio.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The first rule shadows the second one: the first rule already accepts any new connection that ingresses through any of the VLAN interfaces, which certainly includes those that egress through the WAN interface, so the second rule never matches.
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
connection-state=new in-interface-list=VLAN
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
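# jan/30/2021 22:43:17 by RouterOS 6.48
# software id = PU3F-62RK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D4410D87938B
#
# RB4011 router / CAPsMAN controller, second revision: adds VLAN 11 (MoCA)
# on ether2 and drops the shadowed "VLAN Internet Access only" forward rule.
#
# Reviewer change: a terminal drop for WAN-sourced traffic is appended to the
# input chain (see /ip firewall filter). As exported, the input chain holds
# only accept rules plus "drop invalid", so a WAN packet that matches none of
# them falls through to the chain's default action (accept) and reaches every
# service on the router - the DNS resolver (allow-remote-requests=yes), winbox,
# ssh, the API and so on.
/caps-man channel
# Channel profiles referenced by the CAPsMAN configurations below;
# frequency="" lets CAPsMAN choose the channel.
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX \
frequency="" name=2ghz
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX \
frequency="" name=5ghz
/interface bridge
# One VLAN-filtering bridge; every LAN port and every VLAN interface hangs off it.
add admin-mac=08:55:31:03:59:CE auto-mac=no name=bridge protocol-mode=none \
vlan-filtering=yes
/interface wireless
# The local radios are CAPsMAN-managed (see /interface wireless cap); the
# band/width/ssid values here are the radios' own settings, not what clients see.
# managed by CAPsMAN
# channel: 5805/20-eeCe/ac(27dBm)+5210/80(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-0359D8 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-4AA9C4 wireless-protocol=802.11
/interface vlan
# Routed (layer-3) VLAN interfaces on top of the bridge; VLAN 11 is new.
add interface=bridge name=vlan10-private vlan-id=10
add interface=bridge name=vlan11-MoCA vlan-id=11
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-kids vlan-id=30
add interface=bridge name=vlan99-base vlan-id=99
/caps-man datapath
# local-forwarding=no: CAP client traffic is tunnelled to this controller and
# injected into the bridge here with the datapath's VLAN tag (vlan-mode=use-tag).
# Guest clients cannot talk to each other (client-to-client-forwarding=no).
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
datapath-10-private vlan-id=10 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=no name=\
datapath-20-guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
datapath-30-kids vlan-id=30 vlan-mode=use-tag
/caps-man security
# WPA/WPA2-PSK with AES-CCMP on all three SSIDs. NOTE(review): wpa-psk (WPA1)
# is accepted alongside wpa2-psk; if no legacy client needs it, wpa2-psk alone
# is the stronger choice. Passphrases are not shown in this export.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=security-cfg-10-private
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=security-cfg-20-guest
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=security-cfg-30-kids
/caps-man configuration
# One configuration per SSID per band: PRIVATE_CAP -> VLAN 10,
# GUEST_CAP -> VLAN 20, KIDS_CAP -> VLAN 30.
add channel=2ghz datapath=datapath-10-private mode=ap name=\
cfg-10-private-2ghz security=security-cfg-10-private ssid=PRIVATE_CAP
add channel=5ghz datapath=datapath-10-private mode=ap name=\
cfg-10-private-5ghz security=security-cfg-10-private ssid=PRIVATE_CAP
add channel=2ghz datapath=datapath-20-guest mode=ap name=cfg-20-guest-2ghz \
security=security-cfg-20-guest ssid=GUEST_CAP
add channel=5ghz datapath=datapath-20-guest mode=ap name=cfg-20-guest-5ghz \
security=security-cfg-20-guest ssid=GUEST_CAP
add channel=2ghz datapath=datapath-30-kids mode=ap name=cfg-30-kids-2ghz \
security=security-cfg-30-kids ssid=KIDS_CAP
add channel=5ghz datapath=datapath-30-kids mode=ap name=cfg-30-kids-5ghz \
security=security-cfg-30-kids ssid=KIDS_CAP
/interface ethernet switch port
# Switch-chip default VLAN cleared on every port; VLAN membership is defined
# on the bridge (/interface bridge vlan) instead.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN = ether1; VLAN = all routed VLAN interfaces; BASE = vlan99-base only
# (membership in /interface list member).
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# Default profile of the local radios; while they are CAPsMAN-managed the
# CAPsMAN security configurations above apply instead.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
# One /24 per VLAN: 10.0.<vlan>.0/24, VLAN 99 uses 10.0.0.0/24.
add name=pool99 ranges=10.0.0.2-10.0.0.254
add name=pool10 ranges=10.0.10.2-10.0.10.254
add name=pool20 ranges=10.0.20.2-10.0.20.254
add name=pool30 ranges=10.0.30.2-10.0.30.254
add name=pool11 ranges=10.0.11.2-10.0.11.254
/ip dhcp-server
add address-pool=pool99 disabled=no interface=vlan99-base name=dhcp-server99
add address-pool=pool10 disabled=no interface=vlan10-private name=\
dhcp-server10
add address-pool=pool20 disabled=no interface=vlan20-guest name=dhcp-server20
add address-pool=pool30 disabled=no interface=vlan30-kids name=dhcp-server30
add address-pool=pool11 disabled=no interface=vlan11-MoCA name=dhcp-server11
/caps-man manager
set enabled=yes
/caps-man provisioning
# Every CAP radio gets the private SSID as master plus guest and kids as
# slave (virtual) APs; ac-capable radios receive the 5 GHz set.
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
cfg-10-private-5ghz name-format=prefix-identity slave-configurations=\
cfg-20-guest-5ghz,cfg-30-kids-5ghz
add action=create-dynamic-enabled master-configuration=cfg-10-private-2ghz \
name-format=prefix-identity slave-configurations=\
cfg-20-guest-2ghz,cfg-30-kids-2ghz
/interface bridge port
# ether2: pvid 11 with no frame-types restriction - untagged frames land in
# VLAN 11 (MoCA) while tagged 10/20/30/99 are still accepted (see the tagged
# lists in /interface bridge vlan), i.e. a hybrid trunk with native VLAN 11.
# ether3-ether8: untagged-only access ports in VLAN 10. ether9, ether10,
# sfp-sfpplus1: trunks with default pvid. wlan1/wlan2: added with defaults;
# with CAPsMAN forwarding client traffic enters the bridge through the
# datapath, so these look like leftovers - confirm.
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery is answered on every VLAN, including guest,
# kids and MoCA; the BASE list would confine it to the management VLAN.
set discover-interface-list=VLAN
/interface bridge vlan
# Bridge VLAN table: VLAN 10 untagged on the access ports; 10/20/30/99 tagged
# on the trunks and on the bridge itself (which lets the routed vlanNN
# interfaces see their VLAN); VLAN 11 untagged on ether2 only.
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 untagged=\
ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
20
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
30
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
99
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=11
/interface list member
# vlan99-base is a member of both BASE and VLAN; vlan11-MoCA joins VLAN.
add interface=ether1 list=WAN
add interface=vlan99-base list=BASE
add interface=vlan10-private list=VLAN
add interface=vlan20-guest list=VLAN
add interface=vlan30-kids list=VLAN
add interface=vlan99-base list=VLAN
add interface=vlan11-MoCA list=VLAN
/interface wireless cap
#
# The router's own radios join its CAPsMAN over vlan99-base.
set discovery-interfaces=vlan99-base enabled=yes interfaces=wlan1,wlan2
/ip address
# The router is .1 in every VLAN subnet.
add address=10.0.0.1/24 interface=vlan99-base network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10-private network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-guest network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-kids network=10.0.30.0
add address=10.0.11.1/24 interface=vlan11-MoCA network=10.0.11.0
/ip dhcp-client
# Upstream address via DHCP on ether1 (WAN).
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
# The kids VLAN is handed different resolvers (208.67.222.123/220.123) than
# the other networks, which get 1.1.1.1/1.0.0.1/8.8.8.8/8.8.4.4.
add address=10.0.0.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.0.1 netmask=24
add address=10.0.10.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.10.1 netmask=24
add address=10.0.11.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.11.1 netmask=24
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.20.1 netmask=24
add address=10.0.30.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
10.0.30.1 netmask=24
/ip dns
# The router answers DNS for its clients. Without the WAN input drop added
# below, this setting would also make it an open resolver toward the internet.
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): "Allow VLAN" admits guest, kids and MoCA clients to every
# router service (winbox, ssh, DNS, ...). Accepting management only from BASE
# and just DNS/DHCP from the other VLANs would tighten this.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Redundant with "Allow VLAN" (vlan99-base is also in the VLAN list); harmless.
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=vlan99-base
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Added: terminal drop for everything else arriving on WAN. Plays the role of
# the stock "drop all not coming from LAN" rule that this export lacks.
add action=drop chain=input comment="drop all other input from WAN" in-interface-list=WAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Every new connection from any VLAN is accepted regardless of destination:
# guest, kids and MoCA can open connections to private hosts as well as to
# the internet. If isolation is intended, drop guest/kids -> VLAN before
# this rule or narrow it to out-interface-list=WAN.
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade non-IPsec traffic leaving through WAN.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Router
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool mac-server
# NOTE(review): MAC-telnet and MAC-winbox are reachable from every VLAN,
# including guest, kids and MoCA; the BASE list would limit them to management.
set allowed-interface-list=VLAN
/tool mac-server mac-winbox
set allowed-interface-list=VLAN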
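# feb/01/2021 21:50:36 by RouterOS 6.48
# software id = PU3F-62RK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D4410D87938B
#
# RB4011 router / CAPsMAN controller, third revision: CAPsMAN datapaths switch
# to local forwarding, a country profile and a channel reselect interval are
# set, and the VLAN 11 (MoCA) addressing/DHCP is removed again.
#
# Reviewer change: a terminal drop for WAN-sourced traffic is appended to the
# input chain (see /ip firewall filter). As exported, the input chain holds
# only accept rules plus "drop invalid", so a WAN packet that matches none of
# them falls through to the chain's default action (accept) and reaches every
# service on the router - the DNS resolver (allow-remote-requests=yes), winbox,
# ssh, the API and so on.
#
# NOTE(review): ether2 has pvid=10 but is no longer a member of VLAN 10 in
# /interface bridge vlan (neither tagged nor untagged); with
# ingress-filtering=yes its untagged ingress frames are classified into
# VLAN 10 and dropped. Its only untagged membership is VLAN 11, which has no
# IP address, pool or DHCP server in this revision. If the AP's uplink is on
# ether2, VLAN 10 traffic from the AP does not pass - confirm which is intended.
/caps-man channel
# Channel profiles referenced by the CAPsMAN configurations below;
# frequency="" lets CAPsMAN choose the channel, re-evaluated every minute.
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX \
frequency="" name=2ghz reselect-interval=1m
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX \
frequency="" name=5ghz reselect-interval=1m
/interface bridge
# One VLAN-filtering bridge; every LAN port and every VLAN interface hangs off it.
add admin-mac=08:55:31:03:59:CE auto-mac=no name=bridge protocol-mode=none \
vlan-filtering=yes
/interface wireless
# The local radios are CAPsMAN-managed (see /interface wireless cap); the
# band/width/ssid values here are the radios' own settings, not what clients see.
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(27dBm)+5775/80(27dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-0359D8 \
wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2447/20-eC/gn(27dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-4AA9C4 wireless-protocol=802.11
/interface vlan
# Routed (layer-3) VLAN interfaces on top of the bridge. vlan11-MoCA still
# exists but has no address in this revision (see /ip address).
add interface=bridge name=vlan10-private vlan-id=10
add interface=bridge name=vlan11-MoCA vlan-id=11
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-kids vlan-id=30
add interface=bridge name=vlan99-base vlan-id=99
/caps-man datapath
# local-forwarding=yes: each CAP now puts client traffic into its own bridge,
# tagged with the datapath VLAN (vlan-mode=use-tag), instead of tunnelling it
# to this controller. The CAPs' bridge VLAN tables must therefore carry
# 10/20/30 toward the router. Guest clients cannot talk to each other.
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
datapath-10-private vlan-id=10 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=yes name=\
datapath-20-guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
datapath-30-kids vlan-id=30 vlan-mode=use-tag
/caps-man security
# WPA/WPA2-PSK with AES-CCMP on all three SSIDs. NOTE(review): wpa-psk (WPA1)
# is accepted alongside wpa2-psk; if no legacy client needs it, wpa2-psk alone
# is the stronger choice. Passphrases are not shown in this export.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=security-cfg-10-private
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=security-cfg-20-guest
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=security-cfg-30-kids
/caps-man configuration
# One configuration per SSID per band, now pinned to a regulatory country
# profile: PRIVATE_CAP -> VLAN 10, GUEST_CAP -> VLAN 20, KIDS_CAP -> VLAN 30.
add channel=2ghz country="united states3" datapath=datapath-10-private mode=\
ap name=cfg-10-private-2ghz security=security-cfg-10-private ssid=\
PRIVATE_CAP
add channel=5ghz country="united states3" datapath=datapath-10-private mode=\
ap name=cfg-10-private-5ghz security=security-cfg-10-private ssid=\
PRIVATE_CAP
add channel=2ghz country="united states3" datapath=datapath-20-guest mode=ap \
name=cfg-20-guest-2ghz security=security-cfg-20-guest ssid=GUEST_CAP
add channel=5ghz country="united states3" datapath=datapath-20-guest mode=ap \
name=cfg-20-guest-5ghz security=security-cfg-20-guest ssid=GUEST_CAP
add channel=2ghz country="united states3" datapath=datapath-30-kids mode=ap \
name=cfg-30-kids-2ghz security=security-cfg-30-kids ssid=KIDS_CAP
add channel=5ghz country="united states3" datapath=datapath-30-kids mode=ap \
name=cfg-30-kids-5ghz security=security-cfg-30-kids ssid=KIDS_CAP
/interface ethernet switch port
# Switch-chip default VLAN cleared on every port; VLAN membership is defined
# on the bridge (/interface bridge vlan) instead.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN = ether1; VLAN = all routed VLAN interfaces; BASE = vlan99-base only
# (membership in /interface list member).
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# Default profile of the local radios; while they are CAPsMAN-managed the
# CAPsMAN security configurations above apply instead.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
# One /24 per VLAN: 10.0.<vlan>.0/24, VLAN 99 uses 10.0.0.0/24. No pool for VLAN 11.
add name=pool99 ranges=10.0.0.2-10.0.0.254
add name=pool10 ranges=10.0.10.2-10.0.10.254
add name=pool20 ranges=10.0.20.2-10.0.20.254
add name=pool30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=pool99 disabled=no interface=vlan99-base name=dhcp-server99
add address-pool=pool10 disabled=no interface=vlan10-private name=\
dhcp-server10
add address-pool=pool20 disabled=no interface=vlan20-guest name=dhcp-server20
add address-pool=pool30 disabled=no interface=vlan30-kids name=dhcp-server30
/caps-man manager
set enabled=yes
/caps-man provisioning
# Every CAP radio gets the private SSID as master plus guest and kids as
# slave (virtual) APs; ac-capable radios receive the 5 GHz set.
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
cfg-10-private-5ghz name-format=prefix-identity slave-configurations=\
cfg-20-guest-5ghz,cfg-30-kids-5ghz
add action=create-dynamic-enabled master-configuration=cfg-10-private-2ghz \
name-format=prefix-identity slave-configurations=\
cfg-20-guest-2ghz,cfg-30-kids-2ghz
/interface bridge port
# ether2: pvid 10, no frame-types restriction (see the header note about its
# VLAN membership). ether3-ether8: untagged-only access ports in VLAN 10.
# ether9, ether10, sfp-sfpplus1: trunks with default pvid. wlan1/wlan2: with
# local forwarding the local radios now bridge here; the datapath tags their
# traffic, so no pvid is needed - confirm.
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery is answered on every VLAN, including guest
# and kids; the BASE list would confine it to the management VLAN.
set discover-interface-list=VLAN
/interface bridge vlan
# Bridge VLAN table. ether2 was removed from the VLAN 10 tagged list but kept
# in 20/30/99; it is untagged only in VLAN 11 (see header note).
add bridge=bridge tagged=bridge,ether9,ether10,sfp-sfpplus1 untagged=\
ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
20
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
30
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
99
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=11
/interface list member
# vlan99-base is a member of both BASE and VLAN; vlan11-MoCA is still in VLAN.
add interface=ether1 list=WAN
add interface=vlan99-base list=BASE
add interface=vlan10-private list=VLAN
add interface=vlan20-guest list=VLAN
add interface=vlan30-kids list=VLAN
add interface=vlan99-base list=VLAN
add interface=vlan11-MoCA list=VLAN
/interface wireless cap
#
# The router's own radios join its CAPsMAN over vlan99-base; bridge=bridge is
# where locally forwarded client traffic is placed.
set bridge=bridge discovery-interfaces=vlan99-base enabled=yes interfaces=\
wlan1,wlan2
/ip address
# The router is .1 in every VLAN subnet; VLAN 11 has no address.
add address=10.0.0.1/24 interface=vlan99-base network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10-private network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-guest network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-kids network=10.0.30.0
/ip dhcp-client
# Upstream address via DHCP on ether1 (WAN).
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
# The kids VLAN is handed different resolvers (208.67.222.123/220.123) than
# the other networks, which get 1.1.1.1/1.0.0.1/8.8.8.8/8.8.4.4.
add address=10.0.0.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.0.1 netmask=24
add address=10.0.10.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.10.1 netmask=24
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
10.0.20.1 netmask=24
add address=10.0.30.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
10.0.30.1 netmask=24
/ip dns
# The router answers DNS for its clients. Without the WAN input drop added
# below, this setting would also make it an open resolver toward the internet.
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): "Allow VLAN" admits guest and kids clients to every router
# service (winbox, ssh, DNS, ...). Accepting management only from BASE and
# just DNS/DHCP from the other VLANs would tighten this.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Redundant with "Allow VLAN" (vlan99-base is also in the VLAN list); harmless.
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=vlan99-base
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Added: terminal drop for everything else arriving on WAN. Plays the role of
# the stock "drop all not coming from LAN" rule that this export lacks.
add action=drop chain=input comment="drop all other input from WAN" in-interface-list=WAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Every new connection from any VLAN is accepted regardless of destination:
# guest and kids can open connections to private hosts as well as to the
# internet. If isolation is intended, drop guest/kids -> VLAN before this
# rule or narrow it to out-interface-list=WAN.
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade non-IPsec traffic leaving through WAN.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Router
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool mac-server
# NOTE(review): MAC-telnet and MAC-winbox are reachable from every VLAN,
# including guest and kids; the BASE list would limit them to management.
set allowed-interface-list=VLAN
/tool mac-server mac-winbox
set allowed-interface-list=VLAN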
# feb/01/2021 21:51:34 by RouterOS 6.48
# software id = JVFK-X1M2
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7D08DEEF06
#
# hAP ac CAP, second revision, matching the controller's switch to local
# forwarding: the radios are enabled, the CAP is told which bridge to use,
# and ether1 becomes a hybrid uplink (VLAN 10 untagged, 20/30/99 tagged).
# There is still no firewall filter and no WAN address on this device.
/interface bridge
add admin-mac=CC:2D:E0:E0:8D:3B auto-mac=no name=bridge protocol-mode=none \
vlan-filtering=yes
/interface wireless
# Radios are CAPsMAN-managed; these are the radios' own settings, not the
# SSIDs clients see. disabled=no is new in this revision.
# managed by CAPsMAN
# channel: 2447/20-eC/gn(28dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-E08D41 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5805/20-eeeC/ac(27dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-E08D40 \
wireless-protocol=802.11
/interface vlan
# Only the management VLAN is routed on the AP.
add interface=bridge name=vlan99-base vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# The default profile carries no authentication settings; SSID security comes
# from the CAPsMAN configurations pushed to this CAP.
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether2-ether5 and sfp1: untagged-only access ports in VLAN 10.
# wlan1/wlan2: with local forwarding the CAPsMAN datapath tags client traffic
# (10/20/30) as it enters this bridge, so no pvid is set here - confirm.
# ether1: uplink, pvid 10 with no frame-types restriction, so untagged frames
# go to VLAN 10 and tagged 20/30/99 frames are accepted as well. NOTE(review):
# the router side of this link must accept untagged VLAN 10 on its port; in
# the controller export of the same date, ether2 (pvid 10) is not a VLAN 10
# member, so if that is the port this AP is cabled to, VLAN 10 traffic from
# here is dropped there.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=sfp1 pvid=10
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge ingress-filtering=yes interface=ether1 multicast-router=\
disabled pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# VLAN 10 untagged on ether1 and every access port; 20/30/99 tagged on
# ether1; VLAN 99 also tagged to the bridge so vlan99-base is reachable by
# the CPU.
add bridge=bridge untagged=ether1,ether2,ether3,ether4,ether5,sfp1 vlan-ids=\
10
add bridge=bridge tagged=ether1 vlan-ids=20
add bridge=bridge tagged=ether1 vlan-ids=30
add bridge=bridge tagged=bridge,ether1 vlan-ids=99
/interface list member
# LAN = every access port plus both radios. WAN = ether1 is defconf naming;
# no WAN routing or NAT is active on this device.
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
#
# Both radios are handed to CAPsMAN; the controller is discovered over
# vlan99-base and locally forwarded client traffic is placed into bridge.
set bridge=bridge discovery-interfaces=vlan99-base enabled=yes interfaces=\
wlan2,wlan1
/ip dhcp-client
# Management address from the router's dhcp-server99 on VLAN 99.
add comment=defconf disabled=no interface=vlan99-base
/ip dns
# NOTE(review): remote DNS requests are answered on this AP too, and there is
# no input filter here; presumably only LAN hosts can reach it - confirm, or
# set this to no since the router already resolves for clients.
set allow-remote-requests=yes
/ip dns static
# Leftover defconf entry; 192.168.88.1 is not configured anywhere in this export.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
# Disabled: the AP does not NAT.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
/ip route
# Static default route via the router's VLAN 99 address; presumably the DHCP
# client on vlan99-base also supplies one - confirm whether both are needed.
add distance=1 gateway=10.0.0.1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=AP
/tool mac-server
# MAC-telnet / MAC-winbox reachable from every access port and radio.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/interface wireless cap
# Stand-alone snippet: the CAP setting with bridge=bridge added, which is
# what the locally forwarded datapaths need so that client traffic from the
# radios is placed into the AP's bridge. Presumably the one-line change
# applied on the AP - confirm against the full export.
set bridge=bridge discovery-interfaces=vlan99-base enabled=yes interfaces=wlan2,wlan1