We need to see the full latest config of the CCR1009
/export hide-sensitive file=anynameyouwish
Also you need to provide a network diagram for the CCR1009.
It is not clear at all what is attached where, both upstream and downstream.
@anav here is a stripped down network diagram that shows how the CRS309 is connected to the CCR-1009:
To answer your questions
A. What port is the CCR1009 coming in on for the Switch - The switch comes into the CCR1009 on SFP8 and Ether 1: Ether 1 via another switch, and SFP8 directly to the CCR1009.
B. Is the traffic coming in on a vlan - Not at the moment.
C. Is all the traffic on the switch supposed to be using the same subnet that is coming in on ether1 - No. Traffic will come in on other subnets.
D. Is that subnet 192.168.48.0/24 - Subnet for ether 1 is 192.168.104.0.
E. Is there only one link between the router and the switch - No there are two.
Here is the full config for CCR-1009:
# model = CCR1009-8G-1S-1S+
/interface bridge
# Single bridge for the copper access ports and sfp-sfpplus1 (members are
# listed under "/interface bridge port"). No vlan-filtering= value is exported
# for it, so the "/interface bridge vlan" entry further down presumably has no
# effect unless filtering is enabled on this bridge -- confirm on the device.
add admin-mac=4C:5E:0C:03:20:22 auto-mac=no fast-forward=no name=\
"Direct Clients Bridge"
/interface ethernet
set [ find default-name=ether1 ] name="ether1-switch master" speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] comment="Unifi Switch Copper SFP upstream-1" \
speed=100Mbps
set [ find default-name=ether6 ] comment="Unifi Switch Copper SFP upstream-2" \
mac-address=4C:5E:0C:03:20:26 speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] advertise=100M-full,1000M-full comment=\
"WAN Interface" name=ether8-gateway speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-full,100M-full,1000M-full,10000M-full
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full \
mac-address=4C:5E:0C:03:20:22
/interface bonding
add lacp-rate=1sec mode=802.3ad name="Home Network Trunk Ports" slaves=\
ether5,ether6
/interface vrrp
add authentication=ah comment="VLAN 1 Network" interface=\
"Home Network Trunk Ports" name=mgmt-net-vrrp priority=250 version=2 \
vrid=48
/interface vlan
add comment="DMZ Network" interface="Home Network Trunk Ports" name=dmz-net \
vlan-id=122
add comment="Guest network" disabled=yes interface="Home Network Trunk Ports" \
name=guest-net vlan-id=90
add comment="IOT Devices Network" interface="Home Network Trunk Ports" name=\
iot-net vlan-id=50
add comment="Lab Network" interface="Home Network Trunk Ports" name=lab-vlan \
vlan-id=54
add comment="Untrusted Client(s) network" interface=\
"Home Network Trunk Ports" name=others-net vlan-id=75
add comment="Server network" interface="Home Network Trunk Ports" name=\
server-net vlan-id=20
add comment="\"Trusted\" clients network" interface=\
"Home Network Trunk Ports" name=trusted-clients-net vlan-id=104
/interface vrrp
add authentication=ah interface=dmz-net name=dmz-net-vrrp priority=250 \
version=2 vrid=122
add authentication=ah interface=iot-net name=iot-net-vrrp priority=250 \
version=2 vrid=50
add authentication=ah interface=lab-vlan name=lab-vlan-vrrp priority=250 \
version=2 vrid=54
add authentication=ah interface=others-net name=others-net-vrrp priority=250 \
version=2 vrid=75
add authentication=ah interface=server-net name=server-net-vrrp on-master=\
" /system script run force-update-odns" priority=250 version=2 vrid=20
add authentication=ah interface=trusted-clients-net name=trusted-clients-vrrp \
on-master="/tool e-mail send to=avggeek@domain.tld subject=\"Primary Ro\
uter Failover Triggered\" body=\"Primary Router is now VRRP Master\"" \
priority=250 version=2 vrid=104
/interface list
add name=WAN-All
add name=LAN
add name=Native-WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=15 name=labdomain value="'lab.domain.tld'"
add code=119 name=domainsearch value=\
"s'srv.domain.tld,clients.domain.tld,lab.domain.tld'"
add code=15 name=clientdomain value="'clients.domain.tld'"
add code=15 name=srvdomain value="'srv.domain.tld'"
add code=15 name=mgmtdomain value="'mgmt.domain.tld'"
add code=15 name=iotdomain value="'iot.domain.tld'"
/ip dhcp-server option sets
add name=lab-dhcp-options options=labdomain,domainsearch
add name=client-dhcp-options options=clientdomain,domainsearch
add name=srv-dhcp-options options=srvdomain,domainsearch
add name=mgmt-dhcp-options options=mgmtdomain
/ip pool
add comment="Management IP Range" name=mgmt-iprange ranges=\
192.168.48.100-192.168.48.200
add comment="IP Range for Lab Network" name=lab-iprange ranges=\
192.168.54.192-192.168.54.230
add comment="IP Range for direct attached clients" name=direct-iprange \
ranges=192.168.88.10-192.168.88.20
add comment="IP Range for Servers" name=server-iprange ranges=\
192.168.20.20-192.168.20.100
add comment="IP range for IOT network" name=iot-iprange ranges=\
192.168.50.20-192.168.50.50
add comment="IP Range for untrusted clients" name=others-iprange ranges=\
192.168.75.20-192.168.75.30
add comment="IP Range for Guest Network" name=guest-iprange ranges=\
192.168.90.10-192.168.90.20
add comment="IP Range for \"trusted\" clients" name=trusted-iprange ranges=\
192.168.104.100-192.168.104.200
add comment="IP Range for external facing hosts" name=dmz-iprange ranges=\
192.168.122.90/31
/ip dhcp-server
add address-pool=direct-iprange disabled=no interface="Direct Clients Bridge" \
lease-time=1d name=direct-dhcp
add address-pool=mgmt-iprange disabled=no interface=\
"Home Network Trunk Ports" lease-time=1d name=mgmt-dhcp
add address-pool=lab-iprange disabled=no interface=lab-vlan-vrrp \
lease-script=":local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptSrc [ /system script get [ find name=\$scriptName ] sour\
ce ]\r\
\n :local scriptObj [ :parse \$scriptSrc ]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName\
\_leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script\
\_error\" }\r\
\n" lease-time=1h name=lab-dhcp
add add-arp=yes address-pool=server-iprange disabled=no interface=server-net \
lease-script=":local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptSrc [ /system script get [ find name=\$scriptName ] sour\
ce ]\r\
\n :local scriptObj [ :parse \$scriptSrc ]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName\
\_leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script\
\_error\" }\r\
\n" lease-time=3d name=server-dhcp
add address-pool=guest-iprange interface=guest-net lease-time=1h name=\
guest-dhcp
add address-pool=iot-iprange disabled=no interface=iot-net lease-script=":loca\
l scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptSrc [ /system script get [ find name=\$scriptName ] sour\
ce ]\r\
\n :local scriptObj [ :parse \$scriptSrc ]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName\
\_leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script\
\_error\" }\r\
\n" lease-time=1d name=iot-dhcp
add address-pool=others-iprange disabled=no interface=others-net-vrrp \
lease-time=12h name=others-dhcp
add add-arp=yes address-pool=trusted-iprange disabled=no interface=\
trusted-clients-net lease-script=":local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptSrc [ /system script get [ find name=\$scriptName ] sour\
ce ]\r\
\n :local scriptObj [ :parse \$scriptSrc ]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName\
\_leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script\
\_error\" }\r\
\n" lease-time=1d name=trusted-dhcp
add address-pool=dmz-iprange disabled=no interface=dmz-net lease-time=1d \
name=dmz-dhcp
/queue type
set 5 pcq-limit=1000KiB pcq-total-limit=1000KiB
set 6 pcq-limit=5000KiB pcq-total-limit=5000KiB
/queue simple
add burst-limit=5M/25M burst-threshold=5M/25M burst-time=5s/10s max-limit=\
3M/20M name=others-net-queue queue=ethernet-default/ethernet-default \
target=192.168.75.0/24 total-queue=ethernet-default
add burst-limit=2M/5M burst-threshold=2M/5M burst-time=5s/5s limit-at=256k/1M \
max-limit=1M/3M name=guest-net-queue queue=\
ethernet-default/ethernet-default target=guest-net
/snmp community
# The default community (normally "public", read-only) is allowed from any
# source address. Whether SNMP itself is enabled is not shown in this export
# (no "/snmp set" line); if it is, restrict addresses= to the management
# subnet and replace the default community name.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add disk-file-count=4 disk-file-name=disk1/log disk-lines-per-file=2000 name=\
sdcard target=disk
/interface bridge port
# Members of "Direct Clients Bridge": ether1-4 plus sfp-sfpplus1.
add bridge="Direct Clients Bridge" interface="ether1-switch master"
add bridge="Direct Clients Bridge" interface=ether2
add bridge="Direct Clients Bridge" interface=ether3
add bridge="Direct Clients Bridge" interface=ether4
add bridge="Direct Clients Bridge" interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery answers on every interface outside WAN-All; that covers
# sfp1 (in no list) and, via the LAN list, the guest-net and others-net VLANs.
set discover-interface-list=!WAN-All
/interface bridge vlan
# NOTE(review): tagged=lab-vlan names the VLAN interface on the bonding, not a
# port of this bridge (the ports are listed above), and vlan-ids=5 matches no
# VLAN defined under "/interface vlan" (lab-vlan is vlan-id=54). With
# vlan-filtering not set on the bridge this entry looks inert; confirm intent.
add tagged=lab-vlan untagged="Direct Clients Bridge" vlan-ids=5
/interface detect-internet
set detect-interface-list=Native-WAN internet-interface-list=WAN-All \
lan-interface-list=LAN wan-interface-list=WAN-All
/interface list member
# WAN-All = ether8-gateway plus the two L2TP tunnels; Native-WAN = the
# physical uplink only. LAN holds every local interface, including the
# guest-net (currently disabled) and others-net VLANs that the firewall
# otherwise treats as untrusted (External-Client), so LAN-scoped settings
# (neighbor discovery, MAC-Winbox, detect-internet) extend to them.
# sfp1, which runs a DHCP client, belongs to no list at all.
add interface=ether8-gateway list=WAN-All
add interface="Direct Clients Bridge" list=LAN
add interface="Home Network Trunk Ports" list=LAN
add interface=dmz-net list=LAN
add interface="ether1-switch master" list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=guest-net list=LAN
add interface=iot-net list=LAN
add interface=others-net list=LAN
add interface=server-net list=LAN
add interface=trusted-clients-net list=LAN
add interface=lab-vlan list=LAN
add interface=dmz-net-vrrp list=LAN
add interface=iot-net-vrrp list=LAN
add interface=mgmt-net-vrrp list=LAN
add interface=others-net-vrrp list=LAN
add interface=server-net-vrrp list=LAN
add interface=lab-vlan-vrrp list=LAN
add interface=trusted-clients-vrrp list=LAN
add interface=l2tp-evpn-IN list=WAN-All
add interface=l2tp-evpn-US list=WAN-All
add interface=ether8-gateway list=Native-WAN
/ip address
add address=192.168.88.3/24 comment="Address for directly attached clients" \
interface="Direct Clients Bridge" network=192.168.88.0
add address=192.168.48.1/24 comment="Management network" interface=\
"Home Network Trunk Ports" network=192.168.48.0
add address=192.168.54.1/24 comment="Lab Network" interface=lab-vlan network=\
192.168.54.0
add address=192.168.20.1/24 comment="Server Network" interface=server-net \
network=192.168.20.0
add address=192.168.50.1/24 comment="IOT Network" interface=iot-net network=\
192.168.50.0
add address=192.168.75.1/24 comment="Untrusted Clients" interface=others-net \
network=192.168.75.0
add address=192.168.90.1/24 comment="Guest Network (Inactive)" disabled=yes \
interface=guest-net network=192.168.90.0
add address=192.168.104.1/24 comment="Trusted Clients" interface=\
trusted-clients-net network=192.168.104.0
add address=192.168.122.1/24 comment="DMZ Network" interface=dmz-net network=\
192.168.122.0
add address=192.168.54.254 interface=lab-vlan-vrrp network=192.168.54.254
add address=192.168.20.254 interface=server-net-vrrp network=192.168.20.254
add address=192.168.48.254 interface=mgmt-net-vrrp network=192.168.48.254
add address=192.168.50.254 interface=iot-net-vrrp network=192.168.50.254
add address=192.168.75.254 interface=others-net-vrrp network=192.168.75.254
add address=192.168.104.254 interface=trusted-clients-vrrp network=\
192.168.104.254
add address=192.168.122.254 interface=dmz-net-vrrp network=192.168.122.254
add address=192.168.50.19 interface=iot-net network=192.168.50.19
add address=192.168.75.19 interface=others-net network=192.168.75.19
/ip arp
add address=192.168.48.255 comment="Broadcast MAC for WOL" interface=\
"Home Network Trunk Ports" mac-address=FF:FF:FF:FF:FF:FF
add address=192.168.48.51 interface="Home Network Trunk Ports" mac-address=\
FC:EC:DA:3A:96:66
add address=192.168.48.50 interface="Home Network Trunk Ports" mac-address=\
FC:EC:DA:3A:9A:8B
/ip cloud
set update-time=no
/ip dhcp-client
# ether8-gateway is the WAN uplink (peer DNS/NTP ignored). sfp1 also runs a
# DHCP client but is not a member of WAN-All, LAN or Native-WAN, so none of
# the interface-list based firewall/NAT rules apply to it and peer DNS/NTP
# are left at their defaults; confirm what sfp1 is connected to.
add disabled=no interface=ether8-gateway use-peer-dns=no use-peer-ntp=no
add interface=sfp1
/ip dhcp-server lease
add address=192.168.104.11 comment="Mikrotik CRS309-1G-8S+ Management" \
mac-address=2C:C8:1B:20:06:CA server=trusted-dhcp
add address=192.168.48.10 comment=\
"10Gbe Switch (Mikrotik CRS309-1G-8S+)" disabled=yes mac-address=\
2C:C8:1B:20:06:C8
/ip dhcp-server network
add address=192.168.20.0/24 comment="Server VLAN IP Pool" dhcp-option-set=\
srv-dhcp-options dns-server=192.168.20.254 domain=srv.domain.tld \
gateway=192.168.20.254
add address=192.168.48.0/24 comment="Management IP Pool" dhcp-option-set=\
mgmt-dhcp-options dns-server=192.168.48.254 domain=mgmt.domain.tld \
gateway=192.168.48.254 netmask=24
add address=192.168.50.0/24 comment="IOT VLAN IP Pool" dhcp-option=iotdomain \
dns-server=192.168.50.19 domain=iot.domain.tld gateway=192.168.50.254
add address=192.168.54.0/24 comment="Lab VLAN IP Pool" dhcp-option-set=\
lab-dhcp-options dns-server=192.168.54.230 domain=lab.domain.tld \
gateway=192.168.54.254
add address=192.168.75.0/24 comment="Others VLAN IP Pool" dns-server=\
192.168.75.19 gateway=192.168.75.254
add address=192.168.88.0/24 comment="Direct Attached Clients IP Pool" \
dhcp-option-set=client-dhcp-options dns-server=192.168.88.254 domain=\
clients.domain.tld gateway=192.168.88.254
add address=192.168.90.0/24 comment="Guest VLAN IP Pool (Inactive)" \
dns-server=8.8.8.8 gateway=192.168.90.1
add address=192.168.104.0/24 comment="\"Trusted\" VLAN IP Pool" \
dhcp-option-set=client-dhcp-options dns-server=192.168.104.254 domain=\
clients.domain.tld gateway=192.168.104.254
add address=192.168.122.0/24 comment="DMZ VLAN IP Pool" dns-none=yes gateway=\
192.168.122.254
/ip dns
# allow-remote-requests=yes makes the router a resolver on every interface it
# listens on. On ether8-gateway the final "drop all from WAN" input rule is
# what stops outside queries (the dedicated UDP/53 drop is disabled); the
# L2TP members of WAN-All and sfp1 only pass the NotPublic source check, so
# confirm the resolver is not reachable over those links.
set allow-remote-requests=yes servers=9.9.9.9,208.67.220.222
/ip dns static
add address=192.168.88.1 name=router.lan ttl=1w3d
add address=192.168.20.1 name=ccr1009-router.srv.domain.tld ttl=1w3d
add address=192.168.50.1 name=ccr1009-router.iot.domain.tld ttl=1w3d
add address=192.168.54.1 name=ccr1009-router.lab.domain.tld ttl=1w3d
add address=192.168.75.1 name=ccr1009-router.others.domain.tld ttl=1w3d
add address=192.168.104.1 name=ccr1009-router.clients.domain.tld ttl=1w3d
add address=192.168.122.1 name=ccr1009-router.dmz.domain.tld ttl=1w3d
add address=192.168.20.254 name=router.srv.domain.tld ttl=1w3d
add address=192.168.50.254 name=router.iot.domain.tld ttl=1w3d
add address=192.168.54.254 name=router.lab.domain.tld ttl=1w3d
add address=192.168.75.254 name=router.others.domain.tld ttl=1w3d
add address=192.168.104.254 name=router.clients.domain.tld ttl=1w3d
add address=192.168.122.254 name=router.dmz.domain.tld ttl=1w3d
/ip firewall address-list
add address=192.168.88.2 comment="Exclude from PCC Example" disabled=yes \
list="Exclude from PCC"
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=192.168.48.0/24 comment="Critical LAN Network Ranges" list=\
Sensitive-Internal
add address=192.168.20.0/24 comment="Critical LAN Network Ranges" list=\
Sensitive-Internal
add address=192.168.122.0/24 comment="Critical LAN Network Ranges" list=\
Sensitive-Internal
add address=192.168.50.21 comment="IOT Devices with DNS Whitelist" list=\
IOT-Whitelist
add address=192.168.50.22 comment="IOT Devices with DNS Whitelist" list=\
IOT-Whitelist
add address=192.168.54.226 comment="Lab DNS Whitelist" list=Lab-Whitelist
add address=192.168.104.0/24 comment="Client LAN Network Ranges" list=\
Client-LAN
add address=192.168.50.0/24 comment="Client LAN Network Ranges" list=\
Client-LAN
add address=192.168.75.0/24 comment="Non-default Client Networks" list=\
External-Client
add address=192.168.90.0/24 comment="Non-default Client Networks" list=\
External-Client
/ip firewall filter
# Input chain: stateful accept, drop invalid, accept ICMP, then per-port
# drops and a final catch-all that are all keyed on in-interface=ether8-gateway
# rather than in-interface-list=WAN-All. The L2TP members of WAN-All and sfp1
# (in no list) therefore only meet the NotPublic source check, and there is
# no terminal rule for LAN, so router access from the LAN-list VLANs
# (others-net and guest-net included) rests on the address= filters under
# "/ip service" and the list under "/tool mac-server mac-winbox".
# Forward chain: only iot-net is fenced off from Sensitive-Internal;
# others-net, guest-net and lab-vlan are free to reach every internal subnet.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN-All
# The next three drops are made redundant for ether8-gateway by the final
# "drop all from WAN" rule, and they do not cover the other WAN-All members.
add action=drop chain=input comment="Block Winbox connections on WAN" \
dst-port=8291 in-interface=ether8-gateway protocol=tcp
add action=drop chain=input comment=\
"Block Mikrotik Bandwidth Test connections on WAN" dst-port=2000 \
in-interface=ether8-gateway protocol=tcp
add action=drop chain=input comment="Drop inbound TCP DNS" dst-port=53 \
in-interface=ether8-gateway protocol=tcp
# Disabled: with allow-remote-requests=yes under "/ip dns", UDP/53 from
# ether8-gateway is now only caught by the final drop-all rule.
add action=drop chain=input comment="Drop inbound UDP DNS" disabled=yes \
dst-port=53 in-interface=ether8-gateway protocol=udp
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
ch should not exist in public network" in-interface-list=WAN-All \
src-address-list=NotPublic
# Fasttrack matches established/related only, so every new connection still
# reaches the drops below; flows touching External-Client addresses
# (others-net, guest-net) are excluded so the simple queues keep seeing them.
add action=fasttrack-connection chain=forward connection-state=\
established,related dst-address-list=!External-Client src-address-list=\
!External-Client
# DMZ host 192.168.122.90 may only originate TCP from source port 443.
# No comment= on this rule, and log-prefix=DMZ without log=yes presumably
# logs nothing.
add action=drop chain=forward log-prefix=DMZ protocol=tcp src-address=\
192.168.122.90 src-port=!443
add action=drop chain=forward comment="Drop all packets from public internet w\
hich should not exist in public network" in-interface-list=WAN-All \
src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets in local network which\
\_does not have local network address" in-interface-list=LAN src-address=\
!192.168.0.0/16
add action=drop chain=forward comment="Drop all packets from local network to \
internet which should not exist in public network" disabled=yes \
dst-address-list=NotPublic in-interface-list=LAN
# IOT -> Sensitive-Internal block. The exemption keys on a source MAC, which
# any host on iot-net can present, so treat it as a convenience rather than a
# control. The mangle rules for the same VLAN match in-interface=iot-net-vrrp;
# if traffic to the VRRP gateway is seen on that interface rather than iot-net,
# this rule would not match it -- worth checking against the rule counters.
add action=drop chain=forward comment=\
"Block IOT Traffic to critical LAN Segments" connection-state=\
invalid,new,untracked dst-address-list=Sensitive-Internal in-interface=\
iot-net log=yes log-prefix=iot-drop src-mac-address=!90:DD:5D:CA:59:A7
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Terminal input drop for ether8-gateway only (see note at top of section).
add action=drop chain=input comment="drop all from WAN" in-interface=\
ether8-gateway
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=others-net-vrrp \
new-connection-mark=non-trusted passthrough=yes
# guest-net not ready
add action=mark-connection chain=prerouting in-interface=guest-net \
new-connection-mark=non-trusted passthrough=yes
add action=mark-connection chain=prerouting comment=\
"DNS Mark for fast.com" dst-port=53 layer7-protocol=\
Netflix-Fast log-prefix=nflx-fast new-connection-mark=nflx-fast \
passthrough=yes protocol=udp src-address-list=Client-LAN
add action=mark-connection chain=prerouting comment=\
"DNS Mark for Netflix Domains" dst-port=53 layer7-protocol=Netflix \
log-prefix=nflx-conn new-connection-mark=nflx-conn passthrough=yes \
protocol=udp src-address-list=Client-LAN
add action=mark-connection chain=prerouting comment=\
"DNS Mark for Netflix Domains" dst-port=53 layer7-protocol=Netflix \
log-prefix=nflx-conn new-connection-mark=nflx-conn passthrough=yes \
protocol=tcp src-address-list=Client-LAN
add action=mark-connection chain=prerouting comment=\
"DNS Mark for Disney+ Domains" disabled=yes dst-port=53 layer7-protocol=\
Disney+ log-prefix=dplus-conn new-connection-mark=dplus-conn passthrough=\
yes protocol=udp src-address-list=Client-LAN
add action=mark-connection chain=prerouting comment=\
"DNS Mark for Disney+ Domains" disabled=yes dst-port=53 layer7-protocol=\
Disney+ log-prefix=dplus-conn new-connection-mark=dplus-conn passthrough=\
yes protocol=tcp src-address-list=Client-LAN
add action=mark-connection chain=prerouting comment=\
"DNS Mark for IOT Devices" dst-address=!192.168.50.19 dst-port=53 \
in-interface=iot-net-vrrp layer7-protocol=!Netflix log-prefix=iot-dns \
new-connection-mark=iot-dns passthrough=yes protocol=udp src-address=\
!192.168.50.19 src-address-list=""
add action=mark-connection chain=prerouting comment=\
"DNS Mark for IOT Devices" dst-address=!192.168.50.19 dst-port=53 \
in-interface=iot-net-vrrp layer7-protocol=!Netflix new-connection-mark=\
iot-dns passthrough=yes protocol=tcp src-address=!192.168.50.19 \
src-address-list=""
add action=mark-connection chain=prerouting comment=\
"DNS Mark for Lab Devices" dst-address=!192.168.54.230 dst-port=53 \
in-interface=lab-vlan-vrrp log-prefix=lab-dns new-connection-mark=lab-dns \
passthrough=yes protocol=udp src-address-list=!Lab-Whitelist
add action=mark-packet chain=prerouting disabled=yes layer7-protocol=Netflix \
log=yes new-packet-mark=nflx-pkt passthrough=yes src-address=\
192.168.104.0/24
add action=mark-connection chain=prerouting comment=\
"DNS Reroute for VQTV Box" disabled=yes dst-port=53 new-connection-mark=\
evpn-dns passthrough=yes protocol=tcp src-address=192.168.50.22
add action=mark-connection chain=prerouting comment=\
"DNS Reroute for VQTV Box" disabled=yes dst-port=53 new-connection-mark=\
evpn-dns passthrough=yes protocol=udp src-address=192.168.50.22
/ip firewall nat
# Masquerade for every WAN-All member; inbound forwards below are keyed on
# ether8-gateway only.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN-All
# Plex is exposed from the internet straight into 192.168.48.100, an address
# in the management subnet that the filter rules list as Sensitive-Internal;
# the other two forwards land in the DMZ (192.168.122.x). Moving that host to
# the DMZ, or adding a forward rule that limits what 192.168.48.100 may reach,
# keeps a compromise of it off the management network.
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface=\
ether8-gateway protocol=tcp to-addresses=192.168.48.100 to-ports=32400
add action=dst-nat chain=dstnat comment="Forward to jumphost SSL Multiplexer" \
dst-port=443 in-interface=ether8-gateway protocol=tcp to-addresses=\
192.168.122.90 to-ports=443
add action=dst-nat chain=dstnat comment="Forward to jumphost UDP OpenVPN " \
dst-port=1194 in-interface=ether8-gateway log-prefix=udp-vpn protocol=udp \
to-addresses=192.168.122.91 to-ports=1194
# Transparent DNS redirects: connections marked in mangle (iot-dns, lab-dns,
# nflx-conn, dplus-conn) are dst-nat'ed to the internal resolvers or to the
# external 85.203.37.1, and hairpinned with masquerade so replies return via
# the router. Each dst-nat/masquerade pair belongs together.
add action=dst-nat chain=dstnat comment="Redirect IOT UDP DNS to PiHole" \
connection-mark=iot-dns dst-port=53 log-prefix=iot-dns-nat protocol=udp \
to-addresses=192.168.50.19 to-ports=53
add action=masquerade chain=srcnat comment="Redirect IOT UDP DNS to PiHole" \
connection-mark=iot-dns dst-address=192.168.50.19 dst-port=53 log-prefix=\
iot-dns-masq protocol=udp src-address=192.168.50.0/24
add action=dst-nat chain=dstnat comment="Redirect IOT TCP DNS to PiHole" \
connection-mark=iot-dns dst-port=53 log-prefix=iot-dns-nat protocol=tcp \
to-addresses=192.168.50.19 to-ports=53
add action=masquerade chain=srcnat comment="Redirect IOT TCP DNS to PiHole" \
connection-mark=iot-dns dst-address=192.168.50.19 dst-port=53 log-prefix=\
iot-dns-masq protocol=tcp src-address=192.168.50.0/24
add action=dst-nat chain=dstnat comment="Redirect Lab UDP DNS to PiHole" \
connection-mark=lab-dns dst-port=53 log-prefix=lab-dns-nat protocol=udp \
to-addresses=192.168.54.230 to-ports=53
add action=masquerade chain=srcnat comment="Redirect Lab UDP DNS to PiHole" \
connection-mark=lab-dns dst-address=192.168.54.230 dst-port=53 \
log-prefix=lab-dns-masq protocol=udp src-address=192.168.54.0/24
add action=dst-nat chain=dstnat comment=\
"Redirect UDP DNS for Netflix to Express VPN Mediastreamer" \
connection-mark=nflx-conn dst-port=53 protocol=udp to-addresses=\
85.203.37.1 to-ports=53
add action=masquerade chain=srcnat comment=\
"Redirect UDP DNS via Express VPN Mediastreamer" connection-mark=\
nflx-conn disabled=yes dst-address=192.168.104.254 dst-port=53 \
log-prefix=nflx-dns-masq protocol=udp src-address=192.168.104.0/24
add action=dst-nat chain=dstnat comment=\
"Redirect TCP DNS for Netflix to Express VPN Mediastreamer" \
connection-mark=nflx-conn dst-port=53 protocol=tcp to-addresses=\
85.203.37.1 to-ports=53
add action=masquerade chain=srcnat comment=\
"Redirect TCP DNS via Express VPN Mediastreamer" connection-mark=\
nflx-conn disabled=yes dst-address=192.168.104.254 dst-port=53 \
log-prefix=nflx-dns-masq protocol=tcp src-address=192.168.104.0/24
add action=dst-nat chain=dstnat comment=\
"Redirect UDP DNS for Disney+ to Express VPN Mediastreamer" \
connection-mark=dplus-conn disabled=yes dst-port=53 protocol=udp \
to-addresses=85.203.37.1 to-ports=53
add action=dst-nat chain=dstnat comment=\
"Redirect TCP DNS for Disney+ to Express VPN Mediastreamer" \
connection-mark=dplus-conn disabled=yes dst-port=53 protocol=tcp \
to-addresses=85.203.37.1 to-ports=53
/ip route
add disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=\
"Direct Clients Bridge" routing-mark=wan1
add disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=\
"Direct Clients Bridge" routing-mark=wan2
add disabled=yes distance=1 gateway=ether7
add disabled=yes distance=1 gateway=ether8-gateway
add comment="VPN TCP" distance=1 dst-address=192.168.126.0/24 gateway=\
192.168.48.174
add comment="VPN UDP" distance=1 dst-address=192.168.166.0/24 gateway=\
192.168.48.174
/ip service
# telnet and ftp are off; the remaining services are only address-restricted,
# and 192.168.0.0/16 covers every VLAN here, including others-net and
# guest-net. www (plain HTTP) and api (plain API) stay enabled next to
# api-ssl; if they are not needed, disabling them leaves winbox, ssh and
# api-ssl as the management paths.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh address=192.168.0.0/16
set api address=192.168.0.0/16
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16
/ip ssh
# always-allow-password-login=yes keeps password authentication on even for a
# user that has an SSH public key imported, and forwarding-enabled=remote
# permits remote port forwarding through the router. strong-crypto=yes is set.
# If key-only admin login is the goal, the first two settings work against it.
set always-allow-password-login=yes forwarding-enabled=remote strong-crypto=\
yes
/ip upnp interfaces
# UPnP pairs ether8-gateway (external) with the access bridge and the trunk
# bonding (internal). Any host on those internal interfaces can ask the router
# to open inbound ports for itself; whether UPnP is actually enabled
# ("/ip upnp set enabled=") is not visible in this export -- confirm.
add interface=ether8-gateway type=external
add interface="Direct Clients Bridge" type=internal
add interface="Home Network Trunk Ports" type=internal
/lcd
set backlight-timeout=10m default-screen=stat-slideshow time-interval=hour
/lcd interface
set sfp-sfpplus1 disabled=yes
set sfp1 disabled=yes
/routing filter
add chain=dynamic-in distance=3 set-routing-mark=wan1
add chain=dynamic-in distance=4 set-routing-mark=wan2
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=trusted-clients-vrrp upstream=yes
add interface=iot-net-vrrp
/routing igmp-proxy mfc
add downstream-interfaces=trusted-clients-net group=239.255.255.250 source=\
192.168.104.108 upstream-interface=iot-net
add downstream-interfaces=trusted-clients-net group=224.0.0.1 source=\
192.168.104.108 upstream-interface=iot-net
add downstream-interfaces=trusted-clients-net group=224.0.0.251 source=\
192.168.104.108 upstream-interface=iot-net
/system clock
set time-zone-name=Asia/Singapore
/system health
set cpu-overtemp-threshold=110C
/system identity
set name="MikroTik CCR1009 Router (Primary)"
/system leds
set 0 interface=sfp-sfpplus1
set 1 interface=sfp-sfpplus1
set 2 interface=sfp1
/system logging
set 0 action=sdcard
set 1 action=disk
set 2 action=disk
add action=sdcard topics=script
add action=disk topics=interface
add action=disk topics=critical
/system ntp client
set enabled=yes server-dns-names=0.sg.pool.ntp.org,1.sg.pool.ntp.org
/system scheduler
# Every job here carries the "policy" permission, which lets the invoked script
# manage users and policies; none of the scripts shown in this paste needs
# that, so it can be dropped from these entries (least privilege).
# force-update-odns and check-update-odns are referenced here (and by the
# server-net VRRP on-master) but are not among the scripts in this export.
add comment="Update DNS-O-Matic IP on reboot" name=dynip-update on-event=\
force-update-odns policy=ftp,read,write,policy,test start-time=startup
add comment="Check for Dynamic IP updates 15 minutes past midnight every day" \
interval=1d name=dynip-24hupdate on-event=check-update-odns policy=\
ftp,read,write,policy,test start-date=sep/12/2020 start-time=00:15:00
# Both netwatch jobs fire at startup; enable-wan-netwatch itself disables the
# WAN netwatch first and re-enables it once detect-internet reports "internet",
# so netwatch-disable appears redundant with it.
add comment="Disable WAN Netwatch on Reboot for Primary Router" name=\
netwatch-disable on-event=disable-wan-netwatch policy=\
reboot,read,write,policy,test start-time=startup
add comment="Enable WAN Netwatch on Reboot for Primary Router" name=\
netwatch-enable on-event=enable-wan-netwatch policy=\
reboot,read,write,policy,test start-time=startup
# NOTE(review): the entries from here on carry dont-require-permissions= and
# source=, which are "/system script" attributes, but no "/system script"
# header precedes them in this paste; as shown they would be read under
# /system scheduler. The header was presumably lost when the export was pasted.
# vlan-down: run by the WAN netwatch down-script. Re-probes 8.8.8.8 up to 20
# times, 3 s apart, and only if every probe fails disables the VLAN interfaces
# (all but the already-disabled guest VLAN 90) and the management VRRP,
# presumably so the VRRP backup router takes over. The log text says
# "10 unsuccessful pings" while the loop bound is 20.
add dont-require-permissions=no name=vlan-down owner=admin policy=\
reboot,read,write,test source=":local i value=0;\r\
\n:while ((\$i < 20) && ([/ping address=8.8.8.8 interval=3 count=1]=0)) do\
={\r\
\n :set i value=(\$i+1)\r\
\n :delay 3s;\r\
\n } ;\r\
\n:if (\$i=20) do={\r\
\n:log info message=\"Warning: 10 unsuccessful pings to 8.8.8.8\";\r\
\n# Disable VLAN Interfaces based on VLAN ID's\r\
\n/interface vlan disable [/interface vlan find vlan-id=20]\r\
\n/interface vlan disable [/interface vlan find vlan-id=50]\r\
\n/interface vlan disable [/interface vlan find vlan-id=54]\r\
\n/interface vlan disable [/interface vlan find vlan-id=75]\r\
\n/interface vlan disable [/interface vlan find vlan-id=104]\r\
\n/interface vlan disable [/interface vlan find vlan-id=122]\r\
\n\r\
\n# VRRP for Management IP's is not tied to a VLAN so we must disable the \
VRRP\r\
\n/interface vrrp disable [/interface vrrp find vrid=48]\r\
\n};"
add dont-require-permissions=no name=vlan-up owner=admin policy=\
reboot,read,write,test source="# Enable VLAN Interfaces based on VLAN ID's\
\r\
\n/interface vlan enable [/interface vlan find vlan-id=20]\r\
\n/interface vlan enable [/interface vlan find vlan-id=50]\r\
\n/interface vlan enable [/interface vlan find vlan-id=54]\r\
\n/interface vlan enable [/interface vlan find vlan-id=75]\r\
\n/interface vlan enable [/interface vlan find vlan-id=104]\r\
\n/interface vlan enable [/interface vlan find vlan-id=122]\r\
\n\r\
\n# VRRP for Management IP's is not tied to a VLAN so we must enable the V\
RRP\r\
\n/interface vrrp enable [/interface vrrp find vrid=48]"
add dont-require-permissions=no name=dhcp2dns owner=admin policy=\
reboot,read,write,test source="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n#leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for mi\
ssing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$\
leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using ge\
nerated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', can\
not create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActM\
AC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl\
\_comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns r\
egistration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n}"
add dont-require-permissions=no name=testscript owner=admin policy=\
read,write,policy,test source=\
"/tool netwatch enable [/tool netwatch find comment=\"WAN\"]"
add dont-require-permissions=no name=disable-wan-netwatch owner=admin policy=\
reboot,read,write,policy,test source=\
"/tool netwatch disable [find where host=\"8.8.8.8\"]"
add dont-require-permissions=no name=enable-wan-netwatch owner=admin policy=\
reboot,read,write,policy,test source=":log info message=\"Disabing externa\
l netwatch via startup script\";\r\
\n/tool netwatch disable [find where host=\"8.8.8.8\"]\r\
\n\r\
\n:while ([ :len [ / interface detect-internet state find where state=inte\
rnet ] ] = 0) do={\r\
\n :delay 2000ms;\r\
\n}\r\
\n\r\
\n:log info message=\"Enabling external netwatch via startup script\";\r\
\n/tool netwatch enable [find where host=\"8.8.8.8\"]"
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.0.0/16 interface=ether8-gateway
add allow-address=192.168.48.0/24 interface="Home Network Trunk Ports"
add allow-address=192.168.104.0/24 interface="Home Network Trunk Ports"
add allow-address=192.168.88.0/24 interface="Direct Clients Bridge"
/tool graphing resource
add allow-address=192.168.48.0/24
add allow-address=192.168.104.0/24
add allow-address=192.168.88.0/24
/tool mac-server
# MAC-Telnet and MAC-Ping are off. MAC-Winbox stays reachable from every
# member of the LAN list, which includes the others-net and guest-net VLAN
# interfaces (see "/interface list member"). MAC-Winbox is a layer-2 path that
# the address= filter under "/ip service winbox" does not cover, so a tighter
# list (for example the management trunk only) is worth considering.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool netwatch
add comment=WAN down-script=":log info message=\"External Netwatch failed. Exe\
cuting down script now\";\r\
\nvlan-down" host=8.8.8.8 interval=30s timeout=2s up-script=":log info mes\
sage=\"External Netwatch succeeded. Executing up script now\";\r\
\nvlan-up"
add comment="Secondary Router Monitor" down-script="/tool e-mail send to=me@th\
eaveragegeek.com subject=\"Secondary Router Down\" body=\"Netwatch Test fr\
om Primary Router Failed\"" host=192.168.20.2 interval=30s up-script="/too\
l e-mail send to=me@theaveragegeek.com subject=\"Secondary Router Availabl\
e\" body=\"Netwatch Test from Primary Router Suceeded\""
/tool romon port
add