A few months ago, all devices were migrated to wifi-qcom / wifi-capsman, resulting in outstanding roaming and band steering performance: every modern WiFi client (phone, laptop, tablet) started seamlessly connecting to the nearest AP, favoring 5G. However, at that time, I lost the isolated WiFi network for guests.
Following the wise advice from this forum, I redesigned the configuration using VLANs, achieving an isolated guest network combined with wifi-qcom / wifi-capsman. Everything is almost perfect. Almost — because I’ve noticed that roaming between APs behaves strangely. As a result, devices either disconnect from the internet or experience limited bandwidth. Below is the router log illustrating the undesirable behavior: one instance in the home VLAN, and another in the guest VLAN. Both problematic devices are new DELL laptops. Further down, I’ve included the complete configurations of the router and one of the access points. "FT Enabled" and "FT Over DS" still seem to be enabled, but are somehow not effective at the AP level.
Other recommendations for improving or simplifying this configuration are also welcome.
LOG:
# 2025-01-23 08:57:26 by RouterOS 7.17
# software id = CH1L-4YX8
#
2025-01-22 15:29:58 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G connected, signal strength -63
# device "C0:3C:59:E8:C2:EA" physically moved from "ap-salon" to "ap-gabinet" and struggling 15 minutes to roam:
2025-01-22 17:15:05 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G reconnecting, signal strength -102
2025-01-22 17:15:05 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G connected, signal strength -102
2025-01-22 17:15:06 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G disconnected, connection lost, signal strength -101
2025-01-22 17:15:07 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G connected, signal strength -103
2025-01-22 17:23:10 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G reconnecting, signal strength -104
2025-01-22 17:23:55 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G connected, signal strength -104
2025-01-22 17:24:16 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G reconnecting, signal strength -102
2025-01-22 17:24:23 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G connected, signal strength -105
2025-01-22 17:24:37 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G disconnected, connection lost, signal strength -104
2025-01-22 17:24:43 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G connected, signal strength -103
2025-01-22 17:24:59 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G disconnected, connection lost, signal strength -104
2025-01-22 17:25:01 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G connected, signal strength -103
2025-01-22 17:29:21 wireless,info C0:3C:59:E8:C2:EA@ap-salon_5G disconnected, not responding, signal strength -104
2025-01-22 17:29:21 wireless,info C0:3C:59:E8:C2:EA@ap-gabinet_5G connected, signal strength -72
# device "4C:5F:70:93:4B:AD" stays immobile in the best range of "ap-salon" but keeps jumping through all 3 APs:
2025-01-22 18:23:05 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest reconnecting, signal strength -63
2025-01-22 18:23:05 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -63
2025-01-22 18:23:06 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest disconnected, connection lost, signal strength -63
2025-01-22 18:23:06 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -64
2025-01-22 19:38:48 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest reconnecting, signal strength -57
2025-01-22 19:38:55 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -55
2025-01-22 19:46:12 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest disconnected, not responding, signal strength -54
2025-01-22 19:46:13 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 19:46:17 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -78
2025-01-22 19:46:18 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 19:46:30 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 19:46:33 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -81
2025-01-22 19:46:36 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 19:46:36 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -80
2025-01-22 19:46:41 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -79
2025-01-22 19:46:48 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 19:46:57 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 19:46:59 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 19:47:11 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -80
2025-01-22 19:47:12 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -80
2025-01-22 19:47:14 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -80
2025-01-22 19:47:14 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 19:47:27 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 19:47:30 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -80
2025-01-22 19:47:36 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 19:47:36 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 19:47:50 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 19:47:55 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -82
2025-01-22 19:48:16 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 19:48:16 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -59
2025-01-22 20:08:51 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest disconnected, connection lost, signal strength -52
2025-01-22 20:09:19 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -54
2025-01-22 20:13:27 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest disconnected, connection lost, signal strength -51
2025-01-22 20:13:46 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -50
2025-01-22 20:14:02 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest disconnected, not responding, signal strength -52
2025-01-22 20:14:02 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -83
2025-01-22 20:14:10 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -82
2025-01-22 20:14:15 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -80
2025-01-22 20:14:18 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -80
2025-01-22 20:14:30 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -74
2025-01-22 20:14:52 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -74
2025-01-22 20:14:54 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -77
2025-01-22 20:14:56 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -78
2025-01-22 20:14:58 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -76
2025-01-22 20:15:14 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 20:15:15 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 20:15:31 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 20:15:34 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 20:15:50 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 20:15:55 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 20:16:01 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -76
2025-01-22 20:16:08 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 20:16:21 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -83
2025-01-22 20:16:27 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -80
2025-01-22 20:16:58 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -76
2025-01-22 20:17:00 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -76
2025-01-22 20:17:15 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 20:17:16 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -77
2025-01-22 20:17:20 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 20:17:20 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -76
2025-01-22 20:17:38 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -74
2025-01-22 20:17:38 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 20:17:52 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 20:17:54 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -77
2025-01-22 20:18:15 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 20:18:15 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 20:18:17 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -72
2025-01-22 20:18:19 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -71
2025-01-22 20:18:22 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -78
2025-01-22 20:18:30 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -76
2025-01-22 20:18:56 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 20:18:57 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -74
2025-01-22 20:19:38 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 20:19:38 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 20:19:41 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -79
2025-01-22 20:19:44 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -77
2025-01-22 20:19:53 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -76
2025-01-22 20:19:53 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -76
2025-01-22 20:20:01 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -75
2025-01-22 20:20:30 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 20:20:36 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -79
2025-01-22 20:20:40 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -75
2025-01-22 20:20:44 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -78
2025-01-22 20:20:51 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 20:21:17 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 20:21:28 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 20:21:38 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 20:21:39 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -84
2025-01-22 20:21:47 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -79
2025-01-22 20:21:47 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 20:22:03 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 20:22:05 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 20:22:25 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -81
2025-01-22 20:22:27 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -78
2025-01-22 20:22:35 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -81
2025-01-22 20:22:44 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -79
2025-01-22 20:23:14 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 20:23:16 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -77
2025-01-22 20:23:20 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 20:23:20 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -76
2025-01-22 20:23:25 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -77
2025-01-22 20:23:31 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -75
2025-01-22 20:23:40 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 20:23:43 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -77
2025-01-22 20:23:56 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 20:23:57 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -75
2025-01-22 20:24:34 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -82
2025-01-22 20:24:35 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -54
2025-01-22 20:44:22 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -49
2025-01-22 21:08:37 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest disconnected, not responding, signal strength -50
2025-01-22 21:08:37 wireless,info 4C:5F:70:93:4B:AD@ap-sypialnia_guest connected, signal strength -82
2025-01-22 21:08:42 wireless,info 4C:5F:70:93:4B:AD@ap-sypialnia_guest disconnected, not responding, signal strength -82
2025-01-22 21:08:43 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -51
2025-01-22 21:26:10 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest disconnected, not responding, signal strength -55
2025-01-22 21:26:11 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -76
2025-01-22 21:26:13 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -76
2025-01-22 21:26:20 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -73
2025-01-22 21:26:33 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -75
2025-01-22 21:26:43 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -73
2025-01-22 21:26:52 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 21:26:54 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -73
2025-01-22 21:26:56 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest reconnecting, signal strength -72
2025-01-22 21:26:59 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -74
2025-01-22 21:27:01 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -74
2025-01-22 21:27:02 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -73
2025-01-22 21:27:17 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -78
2025-01-22 21:27:26 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -75
2025-01-22 21:27:53 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -76
2025-01-22 21:27:55 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -74
2025-01-22 21:28:02 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -74
2025-01-22 21:28:04 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest connected, signal strength -72
2025-01-22 21:28:13 wireless,info 4C:5F:70:93:4B:AD@ap-gabinet_guest disconnected, connection lost, signal strength -77
2025-01-22 21:28:14 wireless,info 4C:5F:70:93:4B:AD@ap-salon_guest connected, signal strength -55
ROUTER:
# 2025-01-23 09:24:07 by RouterOS 7.17
# software id = CH1L-4YX8
#
# model = RB5009UG+S+
/interface bridge add admin-mac=D4:01:C3:2A:00:AF arp=proxy-arp auto-mac=no comment="home / trusted" name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] comment=tech-media-wan mac-address=B8:69:F4:A4:D3:E3
/interface ethernet set [ find default-name=ether2 ] comment=olfisz name=ether2-master
/interface ethernet set [ find default-name=ether3 ] comment=ap-salon
/interface ethernet set [ find default-name=ether4 ] comment=ap-sypialnia
/interface ethernet set [ find default-name=ether5 ] comment=ap-gabinet
/interface ethernet set [ find default-name=ether6 ] comment=hp-printer name=ether6-master
/interface ethernet set [ find default-name=ether7 ] comment=ipcam-strych
/interface ethernet set [ find default-name=ether8 ] comment=alarm-satel-ethm
/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment="SFP for fiber" disabled=yes
/interface wireguard add listen-port=33231 mtu=1420 name=wire-guard-vpn
/interface vlan add interface=bridge name=vlan_10_mgmt vlan-id=10
/interface vlan add interface=bridge name=vlan_20_home vlan-id=20
/interface vlan add interface=bridge name=vlan_30_guest vlan-id=30
/interface list add name=WAN
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel add band=2ghz-n comment=gabinet disabled=no frequency=2472 name=2.4g_ch13 width=20mhz
/interface wifi channel add band=5ghz-ac comment=gabinet_5g disabled=no frequency=5260 name=5.0g_ch52 width=20/40/80mhz
/interface wifi channel add band=2ghz-n comment=salon disabled=no frequency=2422 name=2.4g_ch03 width=20mhz
/interface wifi channel add band=2ghz-n comment=sypialnia disabled=no frequency=2447 name=2.4g_ch08 width=20mhz
/interface wifi channel add band=5ghz-ac comment=salon_5g disabled=no frequency=5180 name=5.0g_ch36 width=20/40/80mhz
/interface wifi channel add band=5ghz-ac comment=sypialnia_5g disabled=no frequency=5500 name=5.0g_ch100 width=20/40/80mhz
/interface wifi datapath add bridge=bridge disabled=no name=main
/interface wifi datapath add bridge=bridge client-isolation=yes disabled=no name=guest
/interface wifi security add authentication-types=wpa2-psk disabled=no encryption="" ft=yes ft-over-ds=yes ft-preserve-vlanid=no name=main_security wps=disable
/interface wifi security add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes ft-preserve-vlanid=no name=guest_security wps=disable
/interface wifi steering add disabled=no name=steering_main neighbor-group=dynamic-klemens_wafelek-13de67f5 rrm=yes wnm=yes
/interface wifi steering add disabled=no name=steering_guest neighbor-group=dynamic-200_e_goscie-d711cc46 rrm=yes wnm=yes
/interface wifi configuration add channel.band=2ghz-n datapath=main disabled=no manager=local mode=ap name=main_2g security=main_security ssid=klemens_wafelek steering=steering_main tx-power=20
/interface wifi configuration add channel.band=5ghz-ac .skip-dfs-channels=10min-cac datapath=main disabled=no manager=local mode=ap name=main_5g security=main_security ssid=klemens_wafelek steering=steering_main tx-power=24
/interface wifi configuration add channel.band=2ghz-n datapath=guest disabled=no manager=local mode=ap name=guest_2g security=guest_security ssid=200_e_goscie steering=steering_guest
/interface wifi
# operated by CAP 74:4D:28:2E:8C:8F%vlan_10_mgmt, traffic processing on CAP
add configuration=main_2g disabled=no name=ap-gabinet_2G radio-mac=74:4D:28:2E:8C:91
/interface wifi
# operated by CAP 74:4D:28:2E:8C:8F%vlan_10_mgmt, traffic processing on CAP
add configuration=main_5g disabled=no name=ap-gabinet_5G radio-mac=74:4D:28:2E:8C:92
/interface wifi
# operated by CAP 74:4D:28:2E:8C:8F%vlan_10_mgmt, traffic processing on CAP
add configuration=guest_2g configuration.mode=ap disabled=no mac-address=76:4D:28:2E:8C:91 master-interface=ap-gabinet_2G name=ap-gabinet_guest
/interface wifi
# operated by CAP C4:AD:34:F5:82:4C%vlan_10_mgmt, traffic processing on CAP
add channel=2.4g_ch03 channel.frequency=2422 configuration=main_2g configuration.country=Poland .mode=ap datapath=main disabled=no name=ap-salon_2G radio-mac=C4:AD:34:F5:82:4E security=main_security steering=steering_main
/interface wifi
# operated by CAP C4:AD:34:F5:82:4C%vlan_10_mgmt, traffic processing on CAP
add channel=5.0g_ch36 channel.frequency=5180 configuration=main_5g configuration.country=Poland .mode=ap datapath=main disabled=no name=ap-salon_5G radio-mac=C4:AD:34:F5:82:4F security=main_security steering=steering_main
/interface wifi
# operated by CAP C4:AD:34:F5:82:4C%vlan_10_mgmt, traffic processing on CAP
add configuration=guest_2g configuration.mode=ap datapath=guest disabled=no mac-address=C6:AD:34:F5:82:4E master-interface=ap-salon_2G name=ap-salon_guest security=guest_security steering=steering_guest
/interface wifi
# operated by CAP 74:4D:28:BE:F1:C7%vlan_10_mgmt, traffic processing on CAP
add channel=2.4g_ch08 channel.frequency=2447 configuration=main_2g configuration.country=Poland .mode=ap datapath=main disabled=no mtu=1500 name=ap-sypialnia_2G radio-mac=74:4D:28:BE:F1:C9 security=main_security steering=steering_main
/interface wifi
# operated by CAP 74:4D:28:BE:F1:C7%vlan_10_mgmt, traffic processing on CAP
add channel=5.0g_ch100 channel.frequency=5500 configuration=main_5g configuration.country=Poland .mode=ap datapath=main disabled=no name=ap-sypialnia_5G radio-mac=74:4D:28:BE:F1:CA security=main_security steering=steering_main
/interface wifi
# operated by CAP 74:4D:28:BE:F1:C7%vlan_10_mgmt, traffic processing on CAP
add configuration=guest_2g configuration.mode=ap datapath=guest disabled=no mac-address=76:4D:28:BE:F1:C9 master-interface=ap-sypialnia_2G name=ap-sypialnia_guest security=guest_security steering=steering_guest
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip pool add comment="new home devices before making static" name=home-dynamic ranges=192.168.5.224-192.168.5.238
/ip pool add comment="address pool for SSTP VPN belonging to the safe home IP range" name=sstp-pool ranges=192.168.5.239-192.168.5.254
/ip pool add comment="wifi guest DHCP pool" name=guests ranges=192.168.6.129-192.168.6.254
/ip pool add comment="blocked on firewall, only local" name=home-no-routing ranges=192.168.5.2-192.168.5.127
/ip pool add comment="defined static leases" name=home-static ranges=192.168.5.128-192.168.5.223
/ip pool add comment="for AP management" name=management ranges=192.168.4.2-192.168.4.254
/ip dhcp-server add address-pool=home-dynamic interface=vlan_20_home lease-time=2m name=dhcp_home server-address=192.168.5.1
/ip dhcp-server add address-pool=guests interface=vlan_30_guest lease-time=10m name=dhcp_guest server-address=192.168.6.1
/ip dhcp-server add address-pool=management interface=vlan_10_mgmt lease-time=2m name=dhcp_mgmt server-address=192.168.4.1
/ip smb users set [ find default=yes ] disabled=yes
/ppp profile add bridge=bridge dns-server=192.168.5.1,1.1.1.1 local-address=192.168.5.1 name=sstp only-one=no remote-address=sstp-pool use-compression=no use-encryption=required use-ipv6=no use-mpls=no use-upnp=no
/ppp profile add change-tcp-mss=yes name=tech-media-ppoe only-one=yes use-compression=no use-ipv6=no
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=20 max-mtu=1492 name=tech-media profile=tech-media-ppoe use-peer-dns=yes user=DASZYNSKIEGO200E
/queue type set 0 pfifo-limit=500
/queue type set 5 pcq-limit=200KiB pcq-total-limit=4000KiB
/queue type set 6 pcq-limit=200KiB pcq-total-limit=4000KiB
/queue simple add comment="for testing unrestricted speeds" disabled=yes max-limit=1G/1G name=unrestricted packet-marks=mark_nat_packet queue=pcq-upload-default/pcq-download-default target=192.168.0.0/16
/queue simple add comment="root - queues only for NAT traffic" max-limit=100M/500M name=parent_nat packet-marks=mark_nat_packet queue=pcq-upload-default/pcq-download-default target=192.168.0.0/16
/queue simple add burst-limit=70M/200M burst-threshold=20M/50M burst-time=10s/10s limit-at=1M/2M max-limit=20M/50M name="vpn_sstp (r)" parent=parent_nat priority=6/6 queue=pcq-upload-default/pcq-download-default target=192.168.5.224/28
/queue simple add burst-limit=90M/400M burst-threshold=70M/100M burst-time=1m/1m limit-at=5M/5M max-limit=70M/100M name="vpn_wg_tomek (r)" parent=parent_nat priority=5/5 queue=pcq-upload-default/pcq-download-default target=192.168.105.2/32,192.168.105.3/32
/queue simple add burst-limit=90M/400M burst-threshold=50M/100M burst-time=1m/1m limit-at=3M/3M max-limit=50M/100M name="vpn_wg_justyna (r)" parent=parent_nat priority=6/6 queue=pcq-upload-default/pcq-download-default target=192.168.105.4/32
/queue simple add burst-limit=20M/50M burst-threshold=5M/10M burst-time=25s/25s limit-at=1M/1M max-limit=5M/10M name=mgmt-aps parent=parent_nat priority=6/6 queue=pcq-upload-default/pcq-download-default target=192.168.4.0/24
/queue simple add limit-at=50M/400M max-limit=100M/500M name=home parent=parent_nat priority=2/2 queue=pcq-upload-default/pcq-download-default target=192.168.5.128/25
/queue simple add burst-limit=90M/450M burst-threshold=70M/400M burst-time=1m/1m limit-at=15M/100M max-limit=70M/400M name=home_tomek_dell parent=home priority=3/3 queue=pcq-upload-default/pcq-download-default target=192.168.5.128/32,192.168.5.135/32
/queue simple add burst-limit=90M/450M burst-threshold=70M/400M burst-time=1m/1m limit-at=15M/100M max-limit=70M/400M name=olfisz parent=home priority=2/2 queue=pcq-upload-default/pcq-download-default target=192.168.5.144/32
/queue simple add burst-limit=40M/100M burst-threshold=20M/50M burst-time=10s/10s limit-at=2M/5M max-limit=20M/50M name=alarm_satel_ethm parent=home priority=2/2 queue=pcq-upload-default/pcq-download-default target=192.168.5.151/32
/queue simple add burst-limit=90M/450M burst-threshold=70M/300M burst-time=1m/1m limit-at=15M/100M max-limit=70M/300M name=home_remaining_traffic parent=home priority=5/5 queue=pcq-upload-default/pcq-download-default target=192.168.5.128/25
/queue simple add burst-limit=30M/200M burst-threshold=20M/100M burst-time=2m/2m limit-at=2M/10M max-limit=20M/100M name=guest_wifi parent=parent_nat queue=pcq-upload-default/pcq-download-default target=192.168.6.0/24
/queue simple add name=parent_remaining_traffic parent=parent_nat queue=pcq-upload-default/pcq-download-default target=192.168.0.0/16
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/system logging action set 0 memory-lines=8192
/system logging action set 1 disk-lines-per-file=8192
/interface bridge port add bridge=bridge comment=olfisz interface=ether2-master internal-path-cost=10 path-cost=10 pvid=20 trusted=yes
/interface bridge port add bridge=bridge comment=ap-salon frame-types=admit-only-vlan-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=bridge comment=ap-sypialnia frame-types=admit-only-vlan-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=bridge comment=ap-gabinet frame-types=admit-only-vlan-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=bridge comment=hp-printer interface=ether6-master internal-path-cost=10 path-cost=10 pvid=20 trusted=yes
/interface bridge port add bridge=bridge comment=ip-cams-strych interface=ether7 internal-path-cost=10 path-cost=10 pvid=20 trusted=yes
/interface bridge port add bridge=bridge comment=alarm-satel interface=ether8 internal-path-cost=10 path-cost=10 pvid=20 trusted=yes
/ip neighbor discovery-settings set discover-interface-list=!WAN
/interface bridge vlan add bridge=bridge comment=vlan-30-guest tagged=bridge,ether3,ether4,ether5 vlan-ids=30
/interface bridge vlan add bridge=bridge comment=vlan-20-home tagged=bridge,ether3,ether4,ether5 untagged=ether2-master,ether6-master,ether7,ether8 vlan-ids=20
/interface bridge vlan add bridge=bridge comment=vlan-10-mgmt tagged=bridge,ether3,ether4,ether5 vlan-ids=10
/interface list member add interface=ether1 list=WAN
/interface list member add interface=tech-media list=WAN
/interface list member add interface=sfp-sfpplus1 list=WAN
/interface ovpn-server server add auth=sha1,md5 mac-address=FE:49:36:72:D1:F6 name=ovpn-server1
/interface sstp-server server set authentication=mschap2 certificate=SSTP-server default-profile=sstp enabled=yes pfs=yes tls-version=only-1.2
/interface wifi access-list add action=reject allow-signal-out-of-range=10s client-isolation=yes comment="reject all low signal guests" disabled=no signal-range=-120..-91 ssid-regexp=200_e_goscie
/interface wifi access-list add action=accept allow-signal-out-of-range=10s client-isolation=yes comment="strong signal guests" disabled=no signal-range=-90..120 ssid-regexp=200_e_goscie
/interface wifi access-list add action=accept client-isolation=no comment=rainbird-esp-rzxe disabled=no mac-address=4C:A1:61:05:41:A1
# here an entire white-list of safe home devices follows
/interface wifi access-list add action=reject client-isolation=yes comment="!!! reject all not listed above !!!" disabled=no
/interface wifi capsman set ca-certificate=CAPsMAN-CA certificate=CAPsMAN enabled=yes interfaces=vlan_10_mgmt package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning add action=create-enabled disabled=no master-configuration=main_2g name-format=%I_2G slave-configurations=guest_2g slave-name-format=%I_guest supported-bands=2ghz-n
/interface wifi provisioning add action=create-enabled disabled=no master-configuration=main_5g name-format=%I_5G supported-bands=5ghz-ac
/interface wireguard peers add allowed-address=192.168.105.2/32 client-address=192.168.105.2/32 client-dns=8.8.8.8,192.168.5.1 interface=wire-guard-vpn name=tomek-dell-9570 public-key="c6hcQJ8Ag1r2P69j0i0fw8ExWFwnyMTfVSnpZLHk+AU="
/interface wireguard peers add allowed-address=192.168.105.3/32 client-address=192.168.105.3/32 client-dns=8.8.8.8,192.168.5.1 interface=wire-guard-vpn name=tomek-s24u public-key="chIDCuj+9TfV+35b97hZD0hzgp0hYFnvGIteFEpzwns="
/interface wireguard peers add allowed-address=192.168.105.4/32 client-address=192.168.105.4/32 client-dns=192.168.5.1,1.1.1.1 interface=wire-guard-vpn name=justyna-dell-7410 public-key="3eCAF8D4HuZN/unN8y/D+CZ/Fac/Ikuh2+KANHS4qzw="
/ip address add address=192.168.5.1/24 interface=vlan_20_home network=192.168.5.0
/ip address add address=192.168.6.1/24 interface=vlan_30_guest network=192.168.6.0
/ip address add address=192.168.105.1/24 interface=wire-guard-vpn network=192.168.105.0
/ip address add address=192.168.4.1/24 interface=vlan_10_mgmt network=192.168.4.0
/ip arp add address=192.168.5.132 comment=hp-1320n interface=bridge mac-address=00:14:38:5D:AA:7B
/ip arp add address=192.168.5.151 comment=alarm_satel interface=bridge mac-address=00:1B:9C:09:6A:76
/ip arp add address=192.168.5.144 comment=olfisz_ii_hp interface=bridge mac-address=B4:B5:2F:D3:0A:E1
/ip cloud set ddns-update-interval=8h
/ip dhcp-client add comment="PPPoE from ISP doesn't provide DHCP" disabled=yes interface=ether1
/ip dhcp-server lease add address=192.168.5.128 client-id=1:58:a0:23:25:6d:4 comment=tomek-dell-9570-wifi lease-time=1d mac-address=58:A0:23:25:6D:04 server=dhcp_home
/ip dhcp-server lease add address=192.168.4.254 client-id=1:74:4d:28:2e:8c:8f comment=ap-gabinet lease-time=2d mac-address=74:4D:28:2E:8C:8F server=dhcp_mgmt use-src-mac=yes
/ip dhcp-server lease add address=192.168.4.253 client-id=1:74:4d:28:be:f1:c7 comment=ap-sypialnia lease-time=2d mac-address=74:4D:28:BE:F1:C7 server=dhcp_mgmt use-src-mac=yes
/ip dhcp-server lease add address=192.168.4.252 client-id=1:c4:ad:34:f5:82:4c comment=ap-salon lease-time=2d mac-address=C4:AD:34:F5:82:4C server=dhcp_mgmt use-src-mac=yes
# entire list of static DHCP leases follows here
/ip dhcp-server network add address=192.168.4.0/24 comment=mgmt dns-server=192.168.4.1,1.1.1.1,8.8.8.8 gateway=192.168.4.1 netmask=24
/ip dhcp-server network add address=192.168.5.0/24 comment=home dns-server=192.168.5.1,1.1.1.1,8.8.8.8 gateway=192.168.5.1 netmask=24
/ip dhcp-server network add address=192.168.6.0/24 comment=guest dns-server=192.168.6.1,1.1.1.1,8.8.8.8 gateway=192.168.6.1 netmask=24
/ip dns set allow-remote-requests=yes servers=1.1.1.1
/ip dns static add address=192.168.5.1 name=router.lan type=A
/ip dns static add address=192.168.5.132 name=hp_1320.lan type=A
/ip firewall address-list add address=255.255.255.255 list=broadcast
/ip firewall address-list add address=192.168.5.128/25 list=all_local
/ip firewall address-list add address=192.168.6.0/24 list=all_local
/ip firewall address-list add address=192.168.105.0/24 list=all_local
/ip firewall address-list add address=224.0.0.0/4 list=broadcast
/ip firewall address-list add address=169.254.0.0/16 list=broadcast
/ip firewall address-list add address=0.0.0.0/8 list=broadcast
/ip firewall address-list add address=192.168.5.128/25 list=safe_local
/ip firewall address-list add address=192.168.105.0/24 list=safe_local
/ip firewall address-list add address=192.168.4.0/24 list=all_local
/ip firewall address-list add address=192.168.4.0/24 list=safe_local
/ip firewall filter add action=drop chain=forward comment="drop invalid forward" connection-state=invalid log-prefix="FW invalid fwd "
/ip firewall filter add action=drop chain=forward comment="explicitly drop forwarding attacks, redundant\?" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="FW NAT attack"
/ip firewall filter add action=accept chain=forward comment="accept all related traffic (also answers from NAT for everybody)" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="allow local traffic between safe networks (VPN included but not guest network)" connection-state="" dst-address-list=safe_local src-address-list=safe_local
/ip firewall filter add action=accept chain=forward comment="allow NAT for all local subnets (including guests)" connection-nat-state="" connection-state="" out-interface-list=WAN src-address-list=all_local
/ip firewall filter add action=drop chain=forward comment="drop all remaining forwards (also LAN to guests)" connection-nat-state="" connection-state="" log=yes log-prefix="FW fwd other"
/ip firewall filter add action=drop chain=input comment="drop invalid input" connection-state=invalid log-prefix="FW INVALID"
/ip firewall filter add action=drop chain=input comment="drop broadcasts, multicasts from outside" dst-address-list=broadcast in-interface-list=WAN
/ip firewall filter add action=accept chain=input comment="accept all related input (also answers to the router itself NTP, DNS, etc.)" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="allow local inputs (also winbox from LAN + VPN)" in-interface-list=!WAN log-prefix="TEMP: " src-address-type=""
/ip firewall filter add action=accept chain=input comment="accept ICMP (ping, traceroute)" protocol=icmp
/ip firewall filter add action=accept chain=input comment="SSTP VPN connects on port 443" dst-port=443 protocol=tcp src-port=""
/ip firewall filter add action=accept chain=input comment="WireGuard on non-standard 33231 UDP" dst-port=33231 protocol=udp src-port=""
/ip firewall filter add action=drop chain=input comment="drop everything else on input" log-prefix="FW IN"
/ip firewall mangle add action=mark-packet chain=forward comment="Mark NAT traffic" connection-nat-state=srcnat connection-state="" new-packet-mark=mark_nat_packet
/ip firewall nat add action=masquerade chain=srcnat comment="NAT for local subnets (inc. SSTP and guest VLAN)" dst-address-list=!all_local src-address-list=all_local
/ip firewall raw add action=drop chain=prerouting comment="attempt to drop unkown MAC addresses\?" disabled=yes src-address=192.168.5.2-192.168.5.127
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes sip-direct-media=no
/ip ipsec policy set 0 dst-address=0.0.0.0/0 src-address=192.168.0.0/16
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256 hash-algorithm=sha256 prf-algorithm=sha256 proposal-check=strict
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=192.168.5.128/25,192.168.105.0/24 disabled=yes
/ip service set ssh address=192.168.5.128/25,192.168.105.0/24
/ip service set www-ssl address=192.168.5.128/25,192.168.105.0/24 tls-version=only-1.2
/ip service set api disabled=yes
/ip service set winbox address=192.168.5.128/25,192.168.105.0/24
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=/pub
/ip ssh set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc,null forwarding-enabled=remote
/ipv6 firewall filter add action=reject chain=forward log=yes log-prefix=IP6 reject-with=icmp-admin-prohibited
/ipv6 firewall filter add action=reject chain=input log-prefix=IP6 reject-with=icmp-admin-prohibited
/ppp secret add name=tomek profile=sstp service=sstp
/ppp secret add name=justyna profile=sstp service=sstp
/system clock set time-zone-autodetect=no time-zone-name=Europe/Warsaw
/system identity set name=Mikrobi-RB5009
/system logging add disabled=yes prefix=debug topics=debug
/system logging add disabled=yes topics=debug,caps
/system logging add disabled=yes topics=dhcp
/system logging add disabled=yes topics=bridge
/system logging add topics=firewall
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp server set manycast=yes
/system ntp client servers add address=0.pl.pool.ntp.org
/system ntp client servers add address=1.pl.pool.ntp.org
/system ntp client servers add address=2.pl.pool.ntp.org
/system ntp client servers add address=3.pl.pool.ntp.org
/tool bandwidth-server set enabled=no
/tool graphing interface add allow-address=192.168.0.0/16 interface=tech-media store-on-disk=no
/tool graphing resource add allow-address=192.168.0.0/16 store-on-disk=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/tool romon set enabled=yes
/tool romon port add cost=50 disabled=no forbid=yes interface=WAN
/tool traffic-monitor add interface=tech-media name="WAN TX" on-event=":log info \"WAN upload > 80M\"" threshold=80000000
/tool traffic-monitor add interface=tech-media name="WAN RX" on-event=":log info \"WAN download > 400M\"" threshold=400000000 traffic=received
AP:
# 2025-01-23 09:48:04 by RouterOS 7.17
# software id = 0XUW-545H
#
# model = RBcAPGi-5acD2nD
/interface bridge add admin-mac=C4:AD:34:F5:82:4C auto-mac=no ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface vlan add interface=ether1 name=vlan_10_mgmt vlan-id=10
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi datapath add bridge=bridge disabled=no name=cap_path
/interface wifi
# managed by CAPsMAN D4:01:C3:2A:00:AF%vlan_10_mgmt, traffic processing on CAP
# mode: AP, SSID: klemens_wafelek, channel: 2422/n
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=cap_path disabled=no name=home_2g
/interface wifi
# managed by CAPsMAN D4:01:C3:2A:00:AF%vlan_10_mgmt, traffic processing on CAP
# mode: AP, SSID: klemens_wafelek, channel: 5180/ac/Ceee
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=cap_path disabled=no name=home_5g
/interface wifi
# managed by CAPsMAN D4:01:C3:2A:00:AF%vlan_10_mgmt, traffic processing on CAP
# mode: AP, SSID: 200_e_goscie
add configuration.mode=ap datapath=cap_path disabled=no mac-address=C6:AD:34:F5:82:4E master-interface=home_2g name=guest_2g
/ip smb users set [ find default=yes ] disabled=yes
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10 pvid=20
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=guest_2g pvid=30
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=home_5g pvid=20
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=home_2g pvid=20
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan add bridge=bridge comment=mgmt tagged=bridge,ether1 vlan-ids=10
/interface bridge vlan add bridge=bridge comment=home tagged=bridge,ether1 untagged=home_2g,home_5g,ether2 vlan-ids=20
/interface bridge vlan add bridge=bridge comment=guest tagged=bridge,ether1 untagged=guest_2g vlan-ids=30
/interface ovpn-server server add auth=sha1,md5 mac-address=FE:8A:04:34:84:9D name=ovpn-server1
/interface wifi cap set caps-man-addresses=192.168.5.1 certificate=request discovery-interfaces=vlan_10_mgmt enabled=yes lock-to-caps-man=yes slaves-datapath=cap_path slaves-static=yes
/ip dhcp-client add interface=vlan_10_mgmt
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh address=192.168.5.128/25,192.168.105.0/24,192.168.4.0/24
/ip service set api disabled=yes
/ip service set winbox address=192.168.5.128/25,192.168.105.0/24,192.168.4.0/24
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=/flash/pub
/routing bfd configuration add disabled=no
/system clock set time-zone-name=Europe/Warsaw
/system identity set name=ap-salon
/system note set show-at-login=no
/system routerboard mode-button set enabled=yes on-event=dark-mode
/system script add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool romon set enabled=yes
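Added example, not part of the original post: a small Python check that replays the router's forward-chain rules and address lists from the export above to confirm that routed traffic between the guest VLAN and the home VLAN is dropped. It assumes first-match evaluation, models only new, non-dstnat connections, and reduces interfaces to "WAN or not"; the helper names (`parse`, `in_list`, `verdict`) are hypothetical.

```python
import ipaddress
import shlex

# Address lists and forward rules copied from the router export above (comment=/log attributes dropped).
EXPORT = '''
/ip firewall address-list add address=192.168.5.128/25 list=all_local
/ip firewall address-list add address=192.168.6.0/24 list=all_local
/ip firewall address-list add address=192.168.105.0/24 list=all_local
/ip firewall address-list add address=192.168.4.0/24 list=all_local
/ip firewall address-list add address=192.168.5.128/25 list=safe_local
/ip firewall address-list add address=192.168.105.0/24 list=safe_local
/ip firewall address-list add address=192.168.4.0/24 list=safe_local
/ip firewall filter add action=drop chain=forward connection-state=invalid
/ip firewall filter add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=accept chain=forward connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward connection-state="" dst-address-list=safe_local src-address-list=safe_local
/ip firewall filter add action=accept chain=forward connection-nat-state="" connection-state="" out-interface-list=WAN src-address-list=all_local
/ip firewall filter add action=drop chain=forward connection-nat-state="" connection-state=""
'''

def parse(export):
    lists, rules = {}, []
    for line in export.strip().splitlines():
        menu, _, args = line.partition(" add ")
        kv = dict(tok.split("=", 1) for tok in shlex.split(args))
        if menu.endswith("address-list"):
            lists.setdefault(kv["list"], []).append(ipaddress.ip_network(kv["address"]))
        elif kv.get("chain") == "forward":
            rules.append(kv)  # export order is evaluation order
    return lists, rules

def in_list(lists, name, ip):
    return any(ipaddress.ip_address(ip) in net for net in lists.get(name, []))

def verdict(src, dst, in_wan=False, out_wan=False):
    """Action of the first forward rule matching a NEW, non-dstnat connection."""
    lists, rules = parse(EXPORT)
    for r in rules:
        states = r.get("connection-state", "")
        if states and "new" not in states.split(","):
            continue  # rule is limited to other connection states
        if r.get("in-interface-list") == "WAN" and not in_wan:
            continue
        if r.get("out-interface-list") == "WAN" and not out_wan:
            continue
        if all(k not in r or in_list(lists, r[k], ip) for k, ip in
               (("src-address-list", src), ("dst-address-list", dst))):
            return r["action"]
    return "accept"  # RouterOS default when no rule matches
```

This covers routed traffic only; traffic between clients inside one VLAN never reaches the forward chain and depends on the `client-isolation` settings in the access list.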