I want to make home networking with several vlan
My target is
Create vlan
Trunk (vlan id 1) : for router, AP, Switch, and all networking device
Server (vlan id 2) : for sever (NAS)
LAN (vlan id 3): for user
Guest (vlan id 4): for guest
Allow traffic between Trunk - server - LAN
Restricted traficc guest only to internet
I use 2 internet connection and make failover
Bandwith management for each vlan
Capsman (with 2 AP for now) with multiple SSID
And if can I also want to make
Hope can make different channel for each SSID (right now all SSID still used master wlan)
DNS with DoH
limit time and access for kids device
split traffic for youtube
I have search and try to configure setting but still have some issue
And please give me correction if my setting is not correct
My config is
Code: Select all
# jul/10/2021 09:45:06 by RouterOS 6.48.3
# software id = 6SEY-DDPH
#
# model = RB450Gx4
# serial number = B8D00B104484
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412 name=ch1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2417 name=ch2
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2422 name=ch3
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2427 name=ch4
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2432 name=ch5
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2437 name=ch6
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2442 name=ch7
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2447 name=ch8
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2452 name=ch9
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2457 name=ch10
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2462 name=ch11
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2467 name=ch12
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2472 name=ch13
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2477 name=ch14
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5320 name=ch64
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5180 name=ch36
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5500 name=ch100
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5200 name=ch40
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5520 name=ch104
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5220 name=ch44
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5540 name=ch108
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5240 name=ch48
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5560 name=ch112
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5260 name=ch52
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5580 name=ch116
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5280 name=ch56
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
frequency=5300 name=ch60
/interface bridge
add mtu=1500 name=bGuest
add mtu=1500 name=bLAN
add mtu=1500 name=bServer
add mtu=1500 name=bTrunk
/interface ethernet
set [ find default-name=ether1 ] name=eth1_Trunk
set [ find default-name=ether4 ] name=eth4_BackInt
set [ find default-name=ether5 ] name=eth5_MainInt
/caps-man interface
add channel=ch36 disabled=no l2mtu=1600 mac-address=48:8F:5A:16:20:63 \
master-interface=none name=AP1_5 radio-mac=48:8F:5A:16:20:63 radio-name=\
488F5A162063
add channel=ch52 disabled=no l2mtu=1600 mac-address=48:8F:5A:09:2B:83 \
master-interface=none name=AP2_5 radio-mac=48:8F:5A:09:2B:83 radio-name=\
488F5A092B83
/interface vlan
add arp=reply-only interface=eth1_Trunk loop-protect=on \
loop-protect-disable-time=1m name=vGuest vlan-id=4
add interface=eth1_Trunk loop-protect=on loop-protect-disable-time=1m name=\
vLAN vlan-id=3
add interface=eth1_Trunk loop-protect=on loop-protect-disable-time=1m name=\
vServer vlan-id=2
/caps-man datapath
add bridge=bTrunk client-to-client-forwarding=yes local-forwarding=no name=\
dpTrunk
add bridge=bLAN client-to-client-forwarding=yes local-forwarding=no name=\
dpLAN vlan-id=3
add bridge=bGuest client-to-client-forwarding=yes local-forwarding=no name=\
dpGuest vlan-id=4
add bridge=bServer client-to-client-forwarding=yes name=dpServer vlan-id=2
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=sAUse passphrase=Amao@123
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=sAGue passphrase=wifi1234
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=sSer passphrase=Serv@123
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=sTrunk passphrase=Trunk@123
/caps-man configuration
add channel=ch1 channel.tx-power=20 country=indonesia datapath=dpLAN mode=ap \
name=LANa security=sAUse ssid=Amao
add channel=ch3 channel.tx-power=12 country=indonesia datapath=dpGuest mode=\
ap name=Guesta security=sAGue ssid=Wifi
add channel=ch6 channel.tx-power=14 country=indonesia datapath=dpLAN mode=ap \
name=LANb security=sAUse ssid=Amao
add channel=ch8 channel.tx-power=12 country=indonesia datapath=dpGuest mode=\
ap name=Guestb security=sAGue ssid=Wifi
add channel=ch1 channel.tx-power=20 country=indonesia datapath=dpTrunk name=\
Trunka security=sSer ssid=Trunk tx-chains=0,1,2,3
add channel=ch6 channel.tx-power=20 country=indonesia datapath=dpTrunk name=\
Trunkb security=sSer ssid=Trunk
add channel=ch3 channel.tx-power=12 country=indonesia datapath=dpServer mode=\
ap name=Server security=sSer ssid=Server
/caps-man interface
add channel=ch1 channel.frequency=2412 channel.tx-power=20 configuration=\
Trunka disabled=no l2mtu=1600 mac-address=48:8F:5A:16:20:62 \
master-interface=none name=AP1_2 radio-mac=48:8F:5A:16:20:62 radio-name=\
488F5A162062
add channel=ch6 channel.frequency=2437 channel.tx-power=20 configuration=\
Trunkb disabled=no l2mtu=1600 mac-address=48:8F:5A:09:2B:82 \
master-interface=none name=AP2_2 radio-mac=48:8F:5A:09:2B:82 radio-name=\
488F5A092B82
add configuration=Guestb disabled=no l2mtu=1600 mac-address=4A:8F:5A:09:2B:83 \
master-interface=AP2_2 name=Guestb radio-mac=00:00:00:00:00:00 \
radio-name=""
add configuration=LANa disabled=no mac-address=4A:8F:5A:16:20:62 \
master-interface=AP1_2 name=LANa radio-mac=00:00:00:00:00:00 radio-name=\
""
add configuration=LANb disabled=no l2mtu=1600 mac-address=4A:8F:5A:09:2B:82 \
master-interface=AP2_2 name=LANb radio-mac=00:00:00:00:00:00 radio-name=\
""
add channel=ch3 configuration=Server disabled=no l2mtu=1600 mac-address=\
4A:8F:5A:16:20:63 master-interface=AP1_2 name=Server radio-mac=\
00:00:00:00:00:00 radio-name=""
/interface list
add name=WAN
add name=LAN
add name=WLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=Facebook regexp="^.+(facebook.com).*\$"
add name=Instagram regexp="^.+(instagram.com).*\$"
add name=Torrent regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane\
|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity\
|bittoxic|thunderbytes|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|\
flixflux|seedpeer|fenopy|gpirate|commonbits|x13bittorrent protocol|azver p\
rotocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|\
get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=Twitter regexp="^.+(twitter.com).*\$"
add name=Youtube regexp="^.+(.youtube.|ytmig.|googlevideo.com|youtu.be|youtube\
.com|www.youtube.com|m.youtube.com|ytimg.c\\\r\
\n om|s.ytimg.com|ytimg.l.google.com|youtube.lyoutu.be|youtube.l.google\
.com).*\$"
add name=iTunes regexp=\
"http-itunes\r\
\nhttp/(0\\.9|1\\.0|1\\.1).*(user-agent: itunes)"
/ip pool
add name=dTrunk ranges=192.168.100.1-192.168.100.61
add name=dLAN ranges=192.168.10.1-192.168.10.61
add name=dGuest ranges=192.168.20.1-192.168.20.13
add name=dCAP ranges=192.168.99.1-192.168.99.61
/ip dhcp-server
add address-pool=dLAN disabled=no interface=bLAN lease-time=4h name=dhcpLAN
add address-pool=dTrunk disabled=no interface=bTrunk lease-time=1m name=\
dhcpTrunk
add address-pool=dGuest disabled=no interface=bGuest lease-time=2h name=\
dhcpGuest
# DHCP server can not run on slave interface!
add address-pool=dCAP disabled=no interface=vServer name=dhxpCAP
/queue simple
add max-limit=5M/20M name=Total-bw priority=1/1
add max-limit=5M/10M name=bw-LAN parent=Total-bw priority=2/1 queue=\
pcq-upload-default/pcq-download-default target=192.168.10.0/26
add limit-at=4M/8M max-limit=4M/8M name=bw-LAN-others packet-marks=no-mark \
parent=bw-LAN priority=3/2 queue=pcq-upload-default/pcq-download-default \
target=192.168.10.0/26
add limit-at=1M/2M max-limit=1M/2M name=bw-LAN-youtube packet-marks=\
Youtube-packet parent=bw-LAN priority=4/3 queue=\
pcq-upload-default/pcq-download-default target=192.168.10.0/26
add max-limit=3M/5M name=bw-guest parent=Total-bw priority=5/4 queue=\
pcq-download-default/pcq-upload-default target=192.168.20.0/28
add limit-at=2M/3M max-limit=2M/3M name=bw-guest-others packet-marks=no-mark \
parent=bw-guest priority=6/5 queue=\
pcq-upload-default/pcq-download-default target=192.168.20.0/28
add limit-at=1M/2M max-limit=1M/2M name=bw-guest-youtube packet-marks=\
Youtube-packet parent=bw-guest priority=7/6 queue=\
pcq-upload-default/pcq-download-default target=192.168.20.0/28
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
signal-range=-78..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
signal-range=-120..-79 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bTrunk
add forbid=yes interface=eth5_MainInt
add forbid=yes interface=eth4_BackInt
/caps-man provisioning
add action=create-dynamic-enabled comment=AP1 master-configuration=Trunka \
name-format=prefix name-prefix=AP radio-mac=48:8F:5A:16:20:61 \
slave-configurations=LANa,Guesta
add action=create-dynamic-enabled comment=AP2 master-configuration=Trunkb \
name-format=prefix name-prefix=AP radio-mac=48:8F:5A:09:2B:80 \
slave-configurations=LANb,Guestb
/certificate settings
set crl-download=yes crl-use=yes
/interface bridge port
add bridge=bTrunk interface=eth1_Trunk
add bridge=bTrunk interface=ether2
add bridge=bTrunk interface=ether3
add bridge=bLAN interface=vLAN
add bridge=bGuest interface=vGuest
add bridge=bServer interface=vServer multicast-router=disabled
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=eth5_MainInt list=WAN
add interface=eth4_BackInt list=WAN
add interface=vLAN list=LAN
add interface=vServer list=LAN
add interface=AP1_2 list=WLAN
add interface=AP2_2 list=WLAN
/ip address
add address=192.168.100.62/26 interface=bTrunk network=192.168.100.0
add address=192.168.99.62/26 interface=vServer network=192.168.99.0
add address=192.168.10.62/26 interface=vLAN network=192.168.10.0
add address=172.16.20.14/28 interface=vGuest network=172.16.20.0
add address=192.168.1.2/28 interface=eth5_MainInt network=192.168.1.0
add address=192.168.2.15/24 interface=eth4_BackInt network=192.168.2.0
/ip dhcp-client
add interface=eth5_MainInt
add interface=eth4_BackInt
/ip dhcp-server lease
add address=192.168.100.59 client-id=1:48:8f:5a:16:20:61 mac-address=\
48:8F:5A:16:20:61 server=dhcpTrunk
add address=192.168.100.58 client-id=1:48:8f:5a:9:2b:80 mac-address=\
48:8F:5A:09:2B:80 server=dhcpTrunk
add address=192.168.10.4 client-id=1:4c:66:41:3c:65:5f mac-address=\
4C:66:41:3C:65:5F server=dhcpLAN
add address=192.168.10.5 client-id=1:68:bf:c4:f1:92:10 mac-address=\
68:BF:C4:F1:92:10 server=dhcpLAN
add address=192.168.10.3 client-id=1:4:d6:aa:55:1a:d2 mac-address=\
04:D6:AA:55:1A:D2 server=dhcpLAN
add address=192.168.10.2 client-id=1:24:18:1d:16:8a:24 mac-address=\
24:18:1D:16:8A:24 server=dhcpLAN
add address=192.168.10.6 client-id=1:10:dd:b1:a7:f2:4b mac-address=\
10:DD:B1:A7:F2:4B server=dhcpLAN
add address=192.168.100.1 client-id=1:0:11:32:30:57:15 mac-address=\
00:11:32:30:57:15 server=dhcpTrunk
add address=192.168.10.1 client-id=1:0:11:32:30:57:15 mac-address=\
00:11:32:30:57:15 server=dhcpLAN
/ip dhcp-server network
add address=192.168.10.0/26 comment="Range for LAN" dns-server=\
8.8.8.8,192.168.100.62,176.103.130.130,176.103.130.131 gateway=\
192.168.10.62
add address=192.168.20.0/28 comment="Range for Guest" dns-server=\
8.8.8.8,192.168.100.62,176.103.130.130,176.103.130.131 gateway=\
192.168.20.14
add address=192.168.99.0/26 comment="Range for CAP" dns-server=\
8.8.8.8,192.168.100.62,176.103.130.130,176.103.130.131 gateway=\
192.168.99.62
add address=192.168.100.0/26 comment="Range for Trunk" dns-server=\
8.8.8.8,192.168.100.62,176.103.130.130,176.103.130.131 gateway=\
192.168.100.62
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.168.100.62
/ip dns static
add address=176.103.130.131 name=dns.adguard.com
add address=176.103.130.130 name=dns.adguard.com
add address=127.0.0.1 name=ads.pubmatic.com
add address=127.0.0.1 name=adservice.google.com
add address=127.0.0.1 name=pagead46.l.doubleclick.net
add address=127.0.0.1 name=wzrkt.com
add address=127.0.0.1 name=ad.doubleclick.net
add address=127.0.0.1 regexp=googlesyndication*
add address=127.0.0.1 name=cxp.emogi.com
add address=127.0.0.1 name=shavar.prod.mozaws.net
add address=127.0.0.1 name=cdn.branch.io
add address=127.0.0.1 name=server.cpmstar.com
add address=127.0.0.1 name=analytics.rayjump.com
add address=127.0.0.1 name=stats.g.doubleclick.net
add address=127.0.0.1 name=pagead.l.doubleclick.net
add address=127.0.0.1 name=ads.mopub.com
add address=127.0.0.1 name=googleads.g.doubleclick.net
add address=127.0.0.1 name=211.152.129.21
add address=127.0.0.1 name=partnerad.l.doubleclick.net
add address=127.0.0.1 name=ads.yahoo.com
add address=127.0.0.1 name=www.googleadservices.com
/ip firewall filter
add action=add-src-to-address-list address-list=ICMP address-list-timeout=2m \
chain=input comment=Knock disabled=yes protocol=icmp
add action=add-src-to-address-list address-list=Knock address-list-timeout=1m \
chain=input disabled=yes dst-port=80 protocol=tcp
add action=drop chain=input disabled=yes dst-port=80,8291 protocol=tcp
add action=drop chain=input disabled=yes dst-port=21 protocol=tcp \
src-address=!192.168.10.0/26
/ip firewall mangle
add action=mark-connection chain=forward dst-port=443 in-interface=bTrunk \
layer7-protocol=Youtube new-connection-mark=Youtube-Conn passthrough=yes \
protocol=tcp
add action=mark-connection chain=forward dst-port=443 in-interface=bTrunk \
layer7-protocol=Youtube new-connection-mark=Youtube-Conn passthrough=yes \
protocol=udp
add action=mark-packet chain=forward connection-mark=Youtube-Conn \
new-packet-mark=Youtube-packet passthrough=no
add action=mark-connection chain=forward dst-port=443 in-interface=bTrunk \
layer7-protocol=Torrent new-connection-mark=Torrent-Conn passthrough=yes \
protocol=tcp
add action=mark-connection chain=forward dst-port=443 in-interface=bTrunk \
layer7-protocol=Torrent new-connection-mark=Torrent-Conn passthrough=yes \
protocol=udp
add action=mark-packet chain=forward connection-mark=Torrent-Conn \
new-packet-mark=Torrent-packet passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth4_BackInt
add action=masquerade chain=srcnat out-interface=eth5_MainInt
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 target-scope=30
add distance=1 gateway=192.168.1.1
add distance=2 gateway=192.168.2.1
add distance=1 dst-address=192.168.100.62/32 gateway=bLAN
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=RAmao
/system ntp client
set enabled=yes primary-ntp=162.159.200.1 secondary-ntp=36.86.63.182
/system watchdog
set watch-address=8.8.8.8
/tool romon
set enabled=yes secrets=Ph1nk13Ro
/tool user-manager database
set db-path=user-manager