Niffchen

Wireless App with Smart Home Gateway - One network, App cannot find Gateway, maybe Zeroconf problem?

Wed Oct 14, 2020 11:19 pm

Hello,

I have been testing many days and now I need some external help. I don't know what is going wrong.
I am trying to use a smart home gateway from a company called "Digital Concepts". These gateways are used for different Smart Home solutions. All components are managed on the gateway, and the gateway exports all information to an Apple TV for HomeKit. I have an app for the gateway with which I can manage all components that are already installed. I think I have a zeroconf problem, but I am not really sure.
The gateway, the Apple TV and the phone with the app installed have to be on the same network.

My phone is connected by WLAN. The gateway and the Apple TV are connected to ports "Ether 3" and "Ether 6" of my main router - Mikrotik RG4011iGS.
My phone is connected wirelessly to a hAP AC.
Everything is in VLAN 40.

The app on my phone says it cannot find the gateway.
If I connect all devices to a router of my ISP which is very simple - no VLANS, no special config - everything is working. The app gets a connection. This is the reason why I think something is wrong with my Mikrotik configuration.

This is my config of the hAP AC:
# hAP AC (access point). One bridge carries all ports; VLAN filtering is on
# and untagged traffic of the bridge interface itself is placed in VLAN 5
# (pvid=5). protocol-mode=none means no spanning tree runs on this bridge.
/interface bridge
add name=BridgeWlanEthernetPorts protocol-mode=none pvid=5 vlan-filtering=yes
# Two access-point radios (2.4 GHz and 5 GHz) with WPS disabled. Neither line
# names a security profile, so presumably both use the default profile below.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=germany disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge name=Woodroot2 radio-name=Woodroot2Sportzimmer \
    ssid=Woodroot wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX \
    country=germany disabled=no frequency=auto installation=indoor mode=\
    ap-bridge name=Woodroot5 ssid=Woodroot5 wps-mode=disabled
# VLAN interfaces on top of the bridge for VLAN 5 and VLAN 40.
/interface vlan
add interface=BridgeWlanEthernetPorts name=VLAN5 vlan-id=5
add interface=BridgeWlanEthernetPorts name=VLAN40 vlan-id=40
# Interface lists referenced by the firewall, discovery and MAC-server
# settings further down.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default security profile: WPA2-PSK only. The key is shown as "xxx",
# presumably redacted by the poster before publishing the export.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key=xxx
# Default-configuration address pool and DHCP server (192.168.88.0/24).
# NOTE(review): the dhcp-server line carries no interface= in this export;
# confirm it is not handing out leases next to the main router's server.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no name=defconf
# Bridge ports. ether2-4 and both radios are access ports for VLAN 40
# (pvid=40); sfp1 and ether1 carry no pvid in the export.
/interface bridge port
add bridge=BridgeWlanEthernetPorts comment=defconf interface=ether2 pvid=40
add bridge=BridgeWlanEthernetPorts comment=defconf interface=ether3 pvid=40
add bridge=BridgeWlanEthernetPorts comment=defconf interface=ether4 pvid=40
add bridge=BridgeWlanEthernetPorts comment=defconf interface=sfp1
add bridge=BridgeWlanEthernetPorts comment=defconf interface=Woodroot2 pvid=\
    40
add bridge=BridgeWlanEthernetPorts comment=defconf interface=Woodroot5 pvid=\
    40
add bridge=BridgeWlanEthernetPorts interface=ether1
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Bridge VLAN table: VLAN 5 is tagged on ether1 and untagged towards the
# bridge interface; VLAN 40 is tagged on ether1 and the bridge and untagged on
# the access ports. ether1 therefore looks like the trunk uplink -- confirm.
/interface bridge vlan
add bridge=BridgeWlanEthernetPorts tagged=ether1 untagged=\
    BridgeWlanEthernetPorts vlan-ids=5
add bridge=BridgeWlanEthernetPorts tagged=BridgeWlanEthernetPorts,ether1 \
    untagged=ether2,ether3,ether4,Woodroot2,Woodroot5 vlan-ids=40
# Switch-chip VLAN table entry for VLAN 40, configured in addition to bridge
# VLAN filtering. NOTE(review): whether it takes effect depends on the switch
# port vlan-mode, which this export does not show; having two VLAN mechanisms
# configured at once makes the forwarding path harder to reason about.
/interface ethernet switch vlan
add independent-learning=no ports=ether1,ether2,ether3,ether4,switch1-cpu \
    switch=switch1 vlan-id=40
# LAN list membership. Only LAN entries exist, so the WAN list is empty on
# this device. The first entry shows no interface= in the export.
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=BridgeWlanEthernetPorts list=LAN
# Addresses. 192.168.5.50 on the bridge puts this AP into the 192.168.5.0/24
# network (the bridge's pvid is 5). Two 192.168.88.0/24 addresses remain from
# the default configuration; the first shows no interface= in the export.
/ip address
add address=192.168.88.1/24 comment=defconf network=192.168.88.0
add address=192.168.88.50/24 interface=ether5 network=192.168.88.0
add address=192.168.5.50/24 interface=BridgeWlanEthernetPorts network=\
    192.168.5.0
# The warning below is part of the export: ether1 is a bridge port, so the
# DHCP client configured on it cannot run.
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# allow-remote-requests=yes makes this device answer DNS queries from the
# network. All input filter rules in this export are disabled, so nothing
# restricts who may query it; restrict it with input rules if the device is
# reachable from networks you do not trust.
/ip dns
set allow-remote-requests=yes servers=192.168.5.1,192.168.2.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Default-configuration filter rules. Every rule carries disabled=yes, so
# none of them is evaluated: the device currently applies no input or forward
# filtering. NOTE(review): presumably disabled for troubleshooting; re-enable
# once the discovery problem is solved.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# Masquerade for traffic leaving through WAN-list interfaces. The WAN list has
# no members in this export, so this rule matches no interface.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Default route and a route to 192.168.2.0/24, both via 192.168.5.5 (the
# address the main router's export assigns to its bridge).
/ip route
add distance=1 gateway=192.168.5.5
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.5.5
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Balkonzimmer-AP
/system leds settings
set all-leds-off=after-1min
# MAC-telnet and MAC-Winbox access are limited to interfaces in the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
This is the configuration of my main router:
# Main router. Single bridge with VLAN filtering; untagged traffic of the
# bridge interface itself is placed in VLAN 5 (pvid=5).
# NOTE(review): hardware MAC addresses appear unredacted in this section.
/interface bridge
add admin-mac=74:4D:28:E7:AB:D6 auto-mac=no comment=defconf name=bridge pvid=\
    5 vlan-filtering=yes
# CAPsMAN-managed radio interfaces (cap1, cap2), not attached to a master
# interface.
/caps-man interface
add disabled=no l2mtu=1600 mac-address=CC:2D:E0:1D:7B:A1 master-interface=\
    none name=cap1 radio-mac=CC:2D:E0:1D:7B:A1 radio-name=CC2DE01D7BA1
add disabled=no l2mtu=1600 mac-address=CC:2D:E0:1D:7B:A0 master-interface=\
    none name=cap2 radio-mac=CC:2D:E0:1D:7B:A0 radio-name=CC2DE01D7BA0
# One VLAN interface per VLAN on top of the bridge; these are the interfaces
# that receive the per-VLAN addresses and DHCP servers below.
/interface vlan
add interface=bridge name=VLAN5 vlan-id=5
add interface=bridge name=VLAN40 vlan-id=40
add interface=bridge name=VLAN110 vlan-id=110
add interface=bridge name=VLAN120 vlan-id=120
add interface=bridge name=VLAN130 vlan-id=130
add interface=bridge name=VLAN140 vlan-id=140
add interface=bridge name=VLAN150 vlan-id=150
add interface=bridge name=VLAN160 vlan-id=160
add interface=bridge name=VLAN170 vlan-id=170
# Switch-chip ports 0-11 all set to default-vlan-id=0.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# Interface lists referenced by the firewall, discovery and MAC-server
# settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Address pools: the default-configuration pool plus one .220-.250 range for
# each VLAN subnet.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.40.220-192.168.40.250
add name=dhcp_pool2 ranges=192.168.110.220-192.168.110.250
add name=dhcp_pool3 ranges=192.168.150.220-192.168.150.250
add name=dhcp_pool4 ranges=192.168.120.220-192.168.120.250
add name=dhcp_pool5 ranges=192.168.130.220-192.168.130.250
add name=dhcp_pool6 ranges=192.168.140.220-192.168.140.250
add name=dhcp_pool7 ranges=192.168.160.220-192.168.160.250
add name=dhcp_pool8 ranges=192.168.170.220-192.168.170.250
# One DHCP server per VLAN interface. The "defconf" server on the bridge still
# uses the 192.168.88.x pool although the bridge address is 192.168.5.5/24 --
# NOTE(review): confirm this is intended.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=VLAN40 name=dhcp_VLAN40
add address-pool=dhcp_pool2 disabled=no interface=VLAN110 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=VLAN150 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=VLAN120 name=dhcp4
add address-pool=dhcp_pool5 disabled=no interface=VLAN130 name=dhcp5
add address-pool=dhcp_pool6 disabled=no interface=VLAN140 name=dhcp6
add address-pool=dhcp_pool7 disabled=no interface=VLAN160 name=dhcp7
add address-pool=dhcp_pool8 disabled=no interface=VLAN170 name=dhcp8
# Policy set of the built-in "full" group; it includes remote-access policies
# such as telnet, ftp and api. Which management services are actually enabled
# is not shown in this export.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
# CAPsMAN controller enabled and listening on the bridge.
/caps-man manager
set enabled=yes
/caps-man manager interface
add disabled=no interface=bridge
# Two provisioning rules for the same radio MAC; only the second names a
# master configuration. NOTE(review): no /caps-man configuration section is
# visible in this export, so Woodroot2GHz_Balkonzimmer is not defined here.
/caps-man provisioning
add action=create-dynamic-enabled radio-mac=64:D1:54:66:AE:06
add action=create-dynamic-enabled master-configuration=\
    Woodroot2GHz_Balkonzimmer radio-mac=64:D1:54:66:AE:06
# Bridge ports. ether4 and ether5 are access ports for VLAN 5; the other ports
# carry no pvid in the export. "*1C" is an ID-style reference rather than an
# interface name, which usually means the interface it pointed to is gone.
# NOTE(review): the post places the gateway and the Apple TV on ether3 and
# ether6, but ether6 is not a bridge port here, and ether3 has no pvid and is
# only a tagged member of VLAN 40 below. Untagged devices on those ports would
# not end up in VLAN 40 -- verify.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4 pvid=5
add bridge=bridge comment=defconf interface=ether5 pvid=5
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=*1C
add bridge=bridge interface=ether10
add bridge=bridge interface=ether9
add bridge=bridge interface=ether8
add bridge=bridge interface=ether7
# use-ip-firewall=yes sends bridged traffic through the IP firewall chains.
# With every filter rule disabled this adds no filtering at present.
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Bridge VLAN table. VLAN 5: tagged on the trunk ports, untagged on the
# bridge, ether4 and ether5. VLAN 40: tagged members only, no untagged port.
# VLANs 110-170: tagged on ether2 and the bridge only.
/interface bridge vlan
add bridge=bridge tagged=ether3,ether2,ether10,ether9,ether8,ether7 untagged=\
    bridge,ether4,ether5 vlan-ids=5
add bridge=bridge tagged=bridge,ether2,ether3,ether10,ether8,ether7,ether9 \
    vlan-ids=40
add bridge=bridge tagged=ether2,bridge vlan-ids=110
add bridge=bridge tagged=ether2,bridge vlan-ids=150
add bridge=bridge tagged=ether2,bridge vlan-ids=120
add bridge=bridge tagged=bridge,ether2 vlan-ids=130,140,160,170
# List membership: ether1 is WAN; the bridge and ether2-5 are LAN.
# NOTE(review): none of the VLAN interfaces is in the LAN list. If the
# "drop all not coming from LAN" input rule is re-enabled, traffic arriving on
# VLAN40 and the other VLAN interfaces would match !LAN -- add them to the
# list before turning the firewall back on.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
# Addresses: static 192.168.2.20/24 on the WAN port ether1, 192.168.5.5/24 on
# the bridge, and a .1 gateway address on each VLAN interface.
/ip address
add address=192.168.2.20/24 interface=ether1 network=192.168.2.0
add address=192.168.5.5/24 interface=bridge network=192.168.5.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
add address=192.168.150.1/24 interface=VLAN150 network=192.168.150.0
add address=192.168.110.1/24 interface=VLAN110 network=192.168.110.0
add address=192.168.120.1/24 interface=VLAN120 network=192.168.120.0
add address=192.168.130.1/24 interface=VLAN130 network=192.168.130.0
add address=192.168.140.1/24 interface=VLAN140 network=192.168.140.0
add address=192.168.160.1/24 interface=VLAN160 network=192.168.160.0
add address=192.168.170.1/24 interface=VLAN170 network=192.168.170.0
# Three DHCP client entries on ether1, which also has a static address above;
# only the first carries disabled=no. The other two look like leftovers.
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add comment=defconf interface=ether1
add comment=defconf interface=ether1
# DHCP options per subnet. Every network is given 192.168.5.5 (this router)
# as first DNS server and as NTP server, with 192.168.2.1 as second DNS
# server, and its own .1 address as gateway.
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf dns-server=192.168.5.5,192.168.2.1 \
    domain=lan gateway=192.168.5.5 netmask=24 ntp-server=192.168.5.5
add address=192.168.40.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.40.1 ntp-server=192.168.5.5
add address=192.168.110.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.110.1 ntp-server=192.168.5.5
add address=192.168.120.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.120.1 ntp-server=192.168.5.5
add address=192.168.130.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.130.1 ntp-server=192.168.5.5
add address=192.168.140.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.140.1 ntp-server=192.168.5.5
add address=192.168.150.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.150.1 ntp-server=192.168.5.5
add address=192.168.160.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.160.1 ntp-server=192.168.5.5
add address=192.168.170.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.170.1 ntp-server=192.168.5.5
# allow-remote-requests=yes turns the router into a DNS resolver for clients.
# With every input filter rule disabled, queries arriving on the WAN port
# ether1 are answered as well; re-enable the input rules or restrict UDP/TCP
# 53 to the internal interfaces.
/ip dns
set allow-remote-requests=yes servers=192.168.5.5,192.168.2.1
# Static host names. These are unicast DNS records only; they have no part in
# multicast (zeroconf) service discovery. 192.168.5.40 and 192.168.110.206 are
# each assigned to two names, and zeroconf.lan shares 192.168.130.201 with
# rasbpiservice130.lan.
/ip dns static
add address=192.168.5.5 name=router.lan
add address=192.168.130.201 name=zeroconf.lan
add address=192.168.120.201 name=icinga2server.lan
add address=192.168.150.204 name=printer.lan
add address=192.168.130.203 name=itunesserver.lan
add address=192.168.140.202 name=nasts231eth1.lan
add address=192.168.140.203 name=nasts231eth2.lan
add address=192.168.5.10 name=capsman.lan
add address=192.168.5.30 name=capoutdoor.lan
add address=192.168.5.20 name=capsportzimmer.lan
add address=192.168.5.40 name=capwohnzimmer.lan
add address=192.168.5.40 name=capbalkonzimmer.lan
add address=192.168.40.202 name=yamahawz.lan
add address=192.168.40.203 name=yamahabad1.lan
add address=192.168.40.204 name=yamahakue.lan
add address=192.168.40.205 name=yamahasport.lan
add address=192.168.40.210 name=klimaanlagesz.lan
add address=192.168.40.206 name=appletvsz.lan
add address=192.168.40.201 name=rasbpiservice40.lan
add address=192.168.110.201 name=rasbpiservice110.lan
add address=192.168.130.201 name=rasbpiservice130.lan
add address=192.168.140.201 name=rasbpiservice140.lan
add address=192.168.150.201 name=rasbpiservice150.lan
add address=192.168.170.201 name=rasbpiserviceeth1.lan
add address=192.168.110.206 name=appletvwz.lan
add address=192.168.110.206 name=panasonictv.lan
add address=192.168.110.205 name=panasonicbluray.lan
add address=192.168.150.203 name=desktopbuero.lan
# Filter rules. Every rule carries disabled=yes, so the router currently
# applies no input or forward filtering, including on the WAN port ether1.
# The list holds two variants of the default rule set, each present twice;
# it looks like the result of repeated imports. NOTE(review): before
# re-enabling, reduce it to a single rule set and check the rule below whose
# connection-state list contradicts its comment.
/ip firewall filter
# NOTE(review): the comment says "established,related,untracked", but the
# matcher also lists invalid and new. Enabled as written, this first rule
# would accept every input packet and the drops after it would never match.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    invalid,established,related,new,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
# Accept UDP/161 (SNMP) from a single source host.
add action=accept chain=input disabled=yes dst-port=161 protocol=udp \
    src-address=192.168.130.210
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# Second variant of the rule set: the input accept rule matches only
# established,related,untracked, and a logging "return" rule precedes the
# drops.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=return chain=input disabled=yes in-interface-list=!LAN log=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# Repeat of the first variant, including the over-broad connection-state list.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    invalid,established,related,new,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input disabled=yes dst-port=161 protocol=udp \
    src-address=192.168.130.210
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# Repeat of the second variant.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=return chain=input disabled=yes in-interface-list=!LAN log=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# Mangle rules with no matchers and action=accept, each present twice. They
# change no packet; presumably kept for their counters -- confirm.
/ip firewall mangle
add action=accept chain=prerouting
add action=accept chain=forward
add action=accept chain=postrouting
add action=accept chain=prerouting
add action=accept chain=forward
add action=accept chain=postrouting
# NAT. The rule set appears twice. Masquerade applies to traffic leaving via
# the WAN list (ether1).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this rule has no interface or address matcher, so it rewrites
# the source of all UDP/123 traffic that reaches it to 192.168.5.5, including
# traffic routed between VLANs -- confirm that is the intent.
add action=src-nat chain=srcnat comment=NTP dst-port=123 protocol=udp \
    to-addresses=192.168.5.5
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment=NTP dst-port=123 protocol=udp \
    to-addresses=192.168.5.5
# Default route via 192.168.2.1, entered twice.
/ip route
add distance=1 gateway=192.168.2.1
add distance=1 gateway=192.168.2.1
# forwarding-enabled=remote permits SSH remote port forwarding through this
# router. NOTE(review): set it to no unless it is actually needed.
/ip ssh
set forwarding-enabled=remote
# Traffic-flow export enabled; the target 192.168.120.201 is listed twice.
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=192.168.120.201
add dst-address=192.168.120.201
# UPnP enabled with ether1 as the external interface: hosts behind the
# internal interfaces can request inbound port mappings without
# authentication. NOTE(review): disable it unless a device depends on it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
# SNMP agent enabled. The community settings are not part of this export, and
# the only input rule that would limit UDP/161 to one host is disabled.
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-Keller-Zentrale-2
# The router syncs from two public NTP servers and serves time to clients,
# including by multicast.
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=44.225.94.177
/system ntp server
set enabled=yes multicast=yes
# MAC-telnet and MAC-Winbox access are limited to interfaces in the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Packet sniffer settings: capture on all interfaces, file size limited.
/tool sniffer
set file-limit=2000KiB filter-interface=all
# Two traffic monitors on the bridge, both disabled.
/tool traffic-monitor
add disabled=yes interface=bridge name=tmon1 threshold=0 traffic=received \
    trigger=always
add disabled=yes interface=bridge name=tmon2 threshold=0
Do you have any suggestions as to what is wrong in my environment?
 
Niffchen

Re: Wireless App with Smart Home Gateway - One network, App cannot find Gateway, maybe Zeroconf problem?

Thu Oct 15, 2020 11:26 am

I have cleaned up my configs a little bit. I removed some configurations which I don't need anymore.

This is the configuration of the main router:
/interface bridge
add admin-mac=74:4D:28:E7:AB:D6 auto-mac=no comment=defconf name=bridge pvid=\
    5 vlan-filtering=yes
/caps-man interface
add disabled=no l2mtu=1600 mac-address=CC:2D:E0:1D:7B:A1 master-interface=\
    none name=cap1 radio-mac=CC:2D:E0:1D:7B:A1 radio-name=CC2DE01D7BA1
add disabled=no l2mtu=1600 mac-address=CC:2D:E0:1D:7B:A0 master-interface=\
    none name=cap2 radio-mac=CC:2D:E0:1D:7B:A0 radio-name=CC2DE01D7BA0
/interface vlan
add interface=bridge name=VLAN5 vlan-id=5
add interface=bridge name=VLAN40 vlan-id=40
add interface=bridge name=VLAN110 vlan-id=110
add interface=bridge name=VLAN120 vlan-id=120
add interface=bridge name=VLAN130 vlan-id=130
add interface=bridge name=VLAN140 vlan-id=140
add interface=bridge name=VLAN150 vlan-id=150
add interface=bridge name=VLAN160 vlan-id=160
add interface=bridge name=VLAN170 vlan-id=170
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.40.220-192.168.40.250
add name=dhcp_pool2 ranges=192.168.110.220-192.168.110.250
add name=dhcp_pool3 ranges=192.168.150.220-192.168.150.250
add name=dhcp_pool4 ranges=192.168.120.220-192.168.120.250
add name=dhcp_pool5 ranges=192.168.130.220-192.168.130.250
add name=dhcp_pool6 ranges=192.168.140.220-192.168.140.250
add name=dhcp_pool7 ranges=192.168.160.220-192.168.160.250
add name=dhcp_pool8 ranges=192.168.170.220-192.168.170.250
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=VLAN40 name=dhcp_VLAN40
add address-pool=dhcp_pool2 disabled=no interface=VLAN110 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=VLAN150 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=VLAN120 name=dhcp4
add address-pool=dhcp_pool5 disabled=no interface=VLAN130 name=dhcp5
add address-pool=dhcp_pool6 disabled=no interface=VLAN140 name=dhcp6
add address-pool=dhcp_pool7 disabled=no interface=VLAN160 name=dhcp7
add address-pool=dhcp_pool8 disabled=no interface=VLAN170 name=dhcp8
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=40
add bridge=bridge comment=defconf interface=ether4 pvid=5
add bridge=bridge comment=defconf interface=ether5 pvid=5
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=*1C
add bridge=bridge interface=ether10
add bridge=bridge interface=ether9
add bridge=bridge interface=ether8
add bridge=bridge interface=ether7
add bridge=bridge interface=ether6 pvid=40
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether3,ether2,ether10,ether9,ether8,ether7 untagged=\
    bridge,ether4,ether5 vlan-ids=5
add bridge=bridge tagged=bridge,ether2,ether10,ether8,ether7,ether9 untagged=\
    ether3,ether6 vlan-ids=40
add bridge=bridge tagged=ether2,bridge vlan-ids=110
add bridge=bridge tagged=ether2,bridge vlan-ids=150
add bridge=bridge tagged=ether2,bridge vlan-ids=120
add bridge=bridge tagged=bridge,ether2 vlan-ids=130,140,160,170
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.2.20/24 interface=ether1 network=192.168.2.0
add address=192.168.5.5/24 interface=bridge network=192.168.5.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
add address=192.168.150.1/24 interface=VLAN150 network=192.168.150.0
add address=192.168.110.1/24 interface=VLAN110 network=192.168.110.0
add address=192.168.120.1/24 interface=VLAN120 network=192.168.120.0
add address=192.168.130.1/24 interface=VLAN130 network=192.168.130.0
add address=192.168.140.1/24 interface=VLAN140 network=192.168.140.0
add address=192.168.160.1/24 interface=VLAN160 network=192.168.160.0
add address=192.168.170.1/24 interface=VLAN170 network=192.168.170.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add comment=defconf interface=ether1
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf dns-server=192.168.5.5,192.168.2.1 \
    domain=lan gateway=192.168.5.5 netmask=24 ntp-server=192.168.5.5
add address=192.168.40.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.40.1 ntp-server=192.168.5.5
add address=192.168.110.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.110.1 ntp-server=192.168.5.5
add address=192.168.120.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.120.1 ntp-server=192.168.5.5
add address=192.168.130.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.130.1 ntp-server=192.168.5.5
add address=192.168.140.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.140.1 ntp-server=192.168.5.5
add address=192.168.150.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.150.1 ntp-server=192.168.5.5
add address=192.168.160.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.160.1 ntp-server=192.168.5.5
add address=192.168.170.0/24 dns-server=192.168.5.5,192.168.2.1 domain=lan \
    gateway=192.168.170.1 ntp-server=192.168.5.5
/ip dns
set allow-remote-requests=yes servers=192.168.5.5,192.168.2.1
/ip dns static
add address=192.168.5.5 name=router.lan
add address=192.168.130.201 name=zeroconf.lan
add address=192.168.120.201 name=icinga2server.lan
add address=192.168.150.204 name=printer.lan
add address=192.168.130.203 name=itunesserver.lan
add address=192.168.140.202 name=nasts231eth1.lan
add address=192.168.140.203 name=nasts231eth2.lan
add address=192.168.5.10 name=capsman.lan
add address=192.168.5.30 name=capoutdoor.lan
add address=192.168.5.20 name=capsportzimmer.lan
add address=192.168.5.40 name=capwohnzimmer.lan
add address=192.168.5.40 name=capbalkonzimmer.lan
add address=192.168.40.202 name=yamahawz.lan
add address=192.168.40.203 name=yamahabad1.lan
add address=192.168.40.204 name=yamahakue.lan
add address=192.168.40.205 name=yamahasport.lan
add address=192.168.40.210 name=klimaanlagesz.lan
add address=192.168.40.206 name=appletvsz.lan
add address=192.168.40.201 name=rasbpiservice40.lan
add address=192.168.110.201 name=rasbpiservice110.lan
add address=192.168.130.201 name=rasbpiservice130.lan
add address=192.168.140.201 name=rasbpiservice140.lan
add address=192.168.150.201 name=rasbpiservice150.lan
add address=192.168.170.201 name=rasbpiserviceeth1.lan
add address=192.168.110.206 name=appletvwz.lan
add address=192.168.110.206 name=panasonictv.lan
add address=192.168.110.205 name=panasonicbluray.lan
add address=192.168.150.203 name=desktopbuero.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    invalid,established,related,new,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input disabled=yes dst-port=161 protocol=udp \
    src-address=192.168.130.210
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=return chain=input disabled=yes in-interface-list=!LAN log=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    invalid,established,related,new,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input disabled=yes dst-port=161 protocol=udp \
    src-address=192.168.130.210
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=return chain=input disabled=yes in-interface-list=!LAN log=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# Source NAT for traffic leaving through the WAN interface list. This rule is
# active, while every /ip firewall filter rule listed above it carries
# disabled=yes, so as exported nothing filters the input or forward chains.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# The default route is listed twice with identical parameters, as are the
# filter rules above and the traffic-flow target below. Presumably the export
# was pasted or merged twice - confirm and drop the duplicates.
/ip route
add distance=1 gateway=192.168.2.1
add distance=1 gateway=192.168.2.1
# NOTE(review): forwarding-enabled=remote permits SSH remote port forwarding
# through this router. Set it to "no" unless a tunnel really depends on it.
/ip ssh
set forwarding-enabled=remote
# Flow records (who talks to whom) are exported to 192.168.120.201.
# Confirm that the collector is a trusted host.
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=192.168.120.201
add dst-address=192.168.120.201
# UPnP is on with ether1 as the external side: any host behind ether2-ether5
# can request port mappings on ether1 without authentication. With smart-home
# devices on the LAN, enable this only if a device is known to need it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
# SNMP is enabled. The community settings are not part of this excerpt, and the
# input rule above that would admit udp/161 only from 192.168.130.210 is
# disabled - verify the community is not a default one and that access is
# restricted some other way.
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-Keller-Zentrale-2
# The router syncs from two fixed NTP servers and also serves time itself,
# including via multicast.
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=44.225.94.177
/system ntp server
set enabled=yes multicast=yes
# Layer-2 management (MAC telnet and MAC WinBox) is limited to interfaces in
# the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Sniffer defaults for packet captures: all interfaces, capture file capped at
# 2000KiB. Both traffic-monitor entries below are disabled.
/tool sniffer
set file-limit=2000KiB filter-interface=all
/tool traffic-monitor
add disabled=yes interface=bridge name=tmon1 threshold=0 traffic=received \
    trigger=always
add disabled=yes interface=bridge name=tmon2 threshold=0
This is the configuration of my hAP AC:
# One VLAN-aware bridge (vlan-filtering=yes). Untagged traffic on the bridge
# interface itself belongs to VLAN 5 (pvid=5). protocol-mode=none turns
# spanning tree off on this bridge.
/interface bridge
add name=BridgeWlanEthernetPorts protocol-mode=none pvid=5 vlan-filtering=yes
# Both radios run as access points with WPS disabled. vlan-mode=use-tag with
# vlan-id=40 makes the radio itself tag client traffic for VLAN 40, and
# multicast-helper=full converts multicast frames to unicast for the clients.
# NOTE(review): the bridge port and bridge vlan entries further down also set
# pvid=40 for Woodroot2/Woodroot5 and list them as tagged members of VLAN 40.
# Confirm the VLAN is not applied twice: mDNS/Zeroconf discovery only works if
# the multicast frames end up in the same VLAN as the gateway.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=germany disabled=no frequency=auto installation=indoor mode=\
    ap-bridge multicast-helper=full name=Woodroot2 radio-name=\
    Woodroot2Wohnzimmer ssid=Woodroot vlan-id=40 vlan-mode=use-tag \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX \
    country=germany disabled=no frequency=auto installation=indoor mode=\
    ap-bridge multicast-helper=full name=Woodroot5 radio-name=\
    Woodroot5Wohnzimmer ssid=Woodroot5 vlan-id=40 vlan-mode=use-tag \
    wireless-protocol=802.11 wps-mode=disabled
# Layer-3 VLAN interfaces on top of the bridge for VLAN 5 and VLAN 40.
/interface vlan
add interface=BridgeWlanEthernetPorts name=VLAN5 vlan-id=5
add interface=BridgeWlanEthernetPorts name=VLAN40 vlan-id=40
# Interface lists referenced by the firewall rules, neighbor discovery and the
# MAC server settings further down.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default security profile: WPA2-PSK only. The pre-shared key is redacted as
# "xxx" in this post - keep it redacted whenever an export is shared publicly.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key=xxx
# NOTE(review): the DHCP server entry is enabled but shows no interface=, and
# its pool is in 192.168.88.0/24, not in a VLAN 40 range. Presumably a leftover
# from the default configuration - confirm that it hands out no leases.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no name=defconf
# Access ports: untagged ingress on ether2-ether4, sfp1 and both radios is
# assigned to VLAN 40 (pvid=40). ether1 joins the bridge without an explicit
# pvid and is the tagged uplink for VLANs 5 and 40 (see /interface bridge vlan
# below).
/interface bridge port
add bridge=BridgeWlanEthernetPorts comment=defconf interface=ether2 pvid=40
add bridge=BridgeWlanEthernetPorts comment=defconf interface=ether3 pvid=40
add bridge=BridgeWlanEthernetPorts comment=defconf interface=ether4 pvid=40
add bridge=BridgeWlanEthernetPorts comment=defconf interface=sfp1 pvid=40
add bridge=BridgeWlanEthernetPorts comment=defconf interface=Woodroot2 pvid=\
    40
add bridge=BridgeWlanEthernetPorts comment=defconf interface=Woodroot5 pvid=\
    40
add bridge=BridgeWlanEthernetPorts interface=ether1
# use-ip-firewall=yes sends bridged traffic through the IP firewall. Every
# /ip firewall filter rule in this export is disabled, so as shown this
# filters nothing. Either enable rules that are meant to apply to bridged
# traffic or switch this off.
/interface bridge settings
set use-ip-firewall=yes
# Neighbor discovery only runs on interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table. VLAN 5 is tagged on ether1 and untagged on the bridge interface.
# VLAN 40 is tagged on the bridge interface, ether1 and both radios, and
# untagged on ether2-ether4.
# NOTE(review): the radios are tagged members here, have pvid=40 as bridge
# ports, and also carry vlan-mode=use-tag in /interface wireless. Verify that
# wireless clients really end up untagged in VLAN 40.
/interface bridge vlan
add bridge=BridgeWlanEthernetPorts tagged=ether1 untagged=\
    BridgeWlanEthernetPorts vlan-ids=5
add bridge=BridgeWlanEthernetPorts tagged=\
    BridgeWlanEthernetPorts,ether1,Woodroot2,Woodroot5 untagged=\
    ether2,ether3,ether4 vlan-ids=40
# NOTE(review): the first LAN entry has no interface=, which looks like a
# stale default entry. ether1 is placed in the WAN list although it is also a
# port of the bridge that is itself in the LAN list. Confirm that the list
# memberships match what the LAN-scoped settings (MAC server, neighbor
# discovery, firewall rules) are expected to cover.
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=BridgeWlanEthernetPorts list=LAN
# Static addresses: 192.168.88.30/24 on ether5 and 192.168.5.30/24 on the
# bridge interface. A DHCP client is also configured on the same bridge.
/ip address
add address=192.168.88.30/24 interface=ether5 network=192.168.88.0
add address=192.168.5.30/24 interface=BridgeWlanEthernetPorts network=\
    192.168.5.0
/ip dhcp-client
add interface=BridgeWlanEthernetPorts
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# allow-remote-requests=yes makes this access point answer DNS queries from
# other hosts. With all input filter rules disabled, nothing in this export
# limits which hosts may query it. Turn it off if clients are meant to use
# 192.168.5.1 directly.
/ip dns
set allow-remote-requests=yes servers=192.168.5.1,192.168.2.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Default ("defconf") filter rule set, but every rule carries disabled=yes.
# As exported, this device filters neither traffic to itself (input chain) nor
# traffic through it (forward chain), so its management and DNS services can be
# reached from every interface that has an address.
# NOTE(review): if the rules were switched off only to debug the discovery
# problem, re-enable at least the input chain afterwards. Rule order matters,
# so keep the sequence below.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# The masquerade rule is disabled as well, so this device does not NAT.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
# Default route via 192.168.5.5, plus a host route to 192.168.2.1 via the same
# gateway.
/ip route
add distance=1 gateway=192.168.5.5
add distance=1 dst-address=192.168.2.1/32 gateway=192.168.5.5
# Basic system settings: time zone, device name, LEDs off after one minute.
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Wohnzimmer-AP
/system leds settings
set all-leds-off=after-1min
# Layer-2 management (MAC telnet and MAC WinBox) is limited to interfaces in
# the LAN list. The IP firewall does not cover this access path, so the
# membership of that list is what decides who can reach it.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
