# mar/17/2022 05:47:05 by RouterOS 7.1.3
# software id =
#
# model = RBcAPGi-5acD2nD
# serial number =
/interface bridge
add name=bridge1
add name=bridge2
/interface list
add name=WAN
add name=LAN
# Wireless security profiles for this AP.
# Both added profiles allow WPA (wpa-psk) alongside WPA2 (wpa2-psk), so a client
# can still associate using the older protocol.
# NOTE(review): restrict authentication-types to wpa2-psk unless a legacy client
# needs WPA - confirm with the device inventory.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# name= is empty in this export (it looks blanked before posting) and no
# passphrase appears, so the two profiles cannot be told apart from this listing.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name= supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name= supplicant-identity=""
# Radio configuration: wlan1 (2.4 GHz) and wlan2 (5 GHz) run as access points
# (mode=ap-bridge) with WPS disabled.
# security-profile= and ssid="" are blank in this export, so which profile
# protects each radio is not visible here - presumably redacted; verify on the device.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n comment="2.4 GHz" country=\
croatia disabled=no installation=indoor mode=ap-bridge security-profile=\
ssid="" wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac comment="5 GHz" country=\
croatia disabled=no installation=indoor mode=ap-bridge security-profile=\
ssid="" wps-mode=disabled
# wlan3 is a virtual AP on wlan1 with SSID "Gosti"; its traffic is tagged with
# VLAN 10 (vlan-mode=use-tag). Its security-profile value is also blank in the export.
add disabled=no keepalive-frames=disabled mac-address= \
master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
security-profile= ssid=Gosti vlan-id=10 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment="2.4 GHz"
set wlan2 comment="5 GHz"
/interface wireless nstreme
set wlan1 comment="2.4 GHz"
set wlan2 comment="5 GHz"
/interface vlan
add interface=wlan3 name=VLAN10_GOSTI vlan-id=10
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge2 name=dhcp1
# bridge1 joins both Ethernet ports and both radios into one layer-2 segment.
# bridge2 carries the guest side: wlan3 plus VLAN10_GOSTI (VLAN 10 on wlan3).
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge2 interface=VLAN10_GOSTI
add bridge=bridge2 interface=wlan3
# ether1 is listed as WAN here but is bridged with the LAN ports above, so the
# WAN/LAN lists do not describe a real boundary on this device. No /ip firewall
# section appears in this export, so nothing shown here uses the lists for filtering.
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
# The device holds the guest gateway address itself and takes its own address
# on bridge1 from an upstream DHCP server.
/ip address
add address=192.168.10.1/24 interface=bridge2 network=192.168.10.0
/ip dhcp-client
add interface=bridge1
# Guests are handed a public resolver (8.8.8.8) and this device as gateway.
# NOTE(review): no filter or NAT rule is visible in this export, so nothing shown
# here keeps 192.168.10.0/24 clients from reaching the network behind bridge1 -
# confirm how guest isolation is enforced.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
/system clock
set time-zone-name=Europe/Zagreb
/system routerboard settings
set cpu-frequency=auto
# mar/18/2022 05:27:12 by RouterOS 7.1.3
# software id =
#
# model = RB760iGS
# serial number =
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address= interface=ether1 network=
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.229 client-id=1:a4:d7:3c:3:3e:ad comment=Printer \
mac-address=A4:D7:3C:03:3E:AD server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
# allow-remote-requests=yes makes the router answer DNS queries from other hosts.
# Exposure is bounded by the input chain below, which drops new traffic that does
# not arrive from the LAN list. servers= is blank in this export.
/ip dns
set allow-remote-requests=yes servers=
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter: every rule carries the defconf comment. Rules are evaluated top to
# bottom within each chain.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Last input rule: anything not arriving on a LAN-list interface is dropped.
# Traffic from LAN-list interfaces falls through with no further input rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only new connections entering from WAN without a dst-nat mapping are dropped in
# forward; any port mapping that exists (see UPnP below) is let through by this rule.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# UPnP is switched on. UPnP lets hosts on the internal side request port mappings
# without authentication. No /ip upnp interfaces entries appear in this export, so
# whether it is active on any interface cannot be told from here.
# NOTE(review): disable unless a specific device needs it.
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=
# Layer-2 management is switched off: neither MAC-Telnet (mac-server) nor
# MAC-Winbox is allowed on any interface list.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
@anav I agree with you that having a set of rules and standard configs can make it easier to manage, or to provide a working setup for someone that doesn't want to take the considerable time to understand well enough to "build a configuration from scratch". Well, it's not necessarily the RIGHT way; there are many successful ways to configure these devices. I am just fond of a clear and easy path for the beginner.
Once one gets more familiar with MT functionality, then exploring is up to the user.
It is good you have extra routers to learn with. It makes experimenting possible without having to worry about breaking internet access for everyone in the house. So right now, I have two routers, for learning purposes:
-> hEXs is "main router", it's without WiFi interfaces, it has internet connection on ether1 (right now it's connected to ISP2 or as you said, slow ISP) and it's running Mikrotik's default configuration.
-> hAP ac lite, configured as WISP AP bridge mode, not router, connected to hEXs on ether5 (because im using poe out on hEXs)
This setup is for learning purposes because if i mess things up it doesn't matter. When I learn more then i will configure my home network.
---snip---
I also have HP aruba 8 port managed switch, and im waiting for mikrotik's switch (have to wait until may due to chip shortages)
Yes, the plan is to keep both ISPs until fiber internet becomes available (in about 2-3 years, hopefully). The "Slow" ISP is here just as redundancy for my wife. If the "Fast" ISP goes down she can connect to the "Slow" ISP. As for the speeds, the "Fast" ISP is about 165/130 Mbps DL/UL, and the "Slow" ISP is 23/1.25 Mbps DL/UL. I could order the RB5009 if needed. It would be nice to have automatic failover. I already searched a little for information about that topic.
As for the switches, i ordered CSS106-1G-4P-1S (RB260GSP) but as I said, i have to wait until may for it to arrive. Aruba I have is 1930 instant on JL680A, 8×1Gig rj45 and 2×SFP
As for configuring hexS with vlan-filtering, i would like that for sure. I will update FW on routers with this testing FW.
In the future, probably hexS or RB5009 would be main router, and capac would be downstairs AP and hapac3 would be upstairs AP.
This may seem like nitpicking, but 172.0.0.0/24 is in the public address space. The RFC 1918 172 block is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255). Little update: I changed the subnets from the default to something else, so there are no "default" subnets. I hope that later today I will manage to find some time to start with the @anav tutorial.
# mar/20/2022 15:24:28 by RouterOS 7.2rc4
# software id =
#
# model = RB760iGS
# serial number =
/interface bridge
add ingress-filtering=no name=Test_network vlan-filtering=yes
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] comment="Managment port" name=ether2-mgmt
/interface vlan
add interface=Test_network name=CCTV_network vlan-id=20
add interface=Test_network name=Guest_network vlan-id=15
add interface=Test_network name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=172.16.0.2-172.16.0.5
add name=dhcp_pool3 ranges=172.16.5.2-172.16.5.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=ether2-mgmt name=dhcp1
add address-pool=dhcp_pool3 interface=bridge name=dhcp2
/port
set 0 name=serial0
# Port membership for two bridges: the defconf "bridge" (ether3-5, sfp1) and the
# VLAN-filtering "Test_network".
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
# The three VLAN interfaces are created on top of Test_network (see /interface vlan)
# and are then added back into Test_network as access ports.
# NOTE(review): a VLAN interface of a bridge is not normally one of its ports -
# confirm this is intended; the thread later replaces this layout.
add bridge=Test_network frame-types=admit-only-untagged-and-priority-tagged \
interface=Home_network pvid=10
add bridge=Test_network frame-types=admit-only-untagged-and-priority-tagged \
interface=Guest_network pvid=15
add bridge=Test_network frame-types=admit-only-untagged-and-priority-tagged \
interface=CCTV_network pvid=20
# ether1 is a port of Test_network and, further down, also the WAN list member:
# the WAN uplink shares a bridge with the internal VLANs.
add bridge=Test_network interface=ether1
# Neighbor discovery is answered on the Home list, which below contains the Guest
# and CCTV VLANs as well as Home.
/ip neighbor discovery-settings
set discover-interface-list=Home
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# All three VLANs are carried tagged on ether1. ether4 is listed untagged for
# VLAN 10 although it is a port of the other bridge ("bridge") above.
/interface bridge vlan
add bridge=Test_network tagged=ether1,Test_network untagged=\
Home_network,ether4 vlan-ids=10
add bridge=Test_network tagged=ether1,Test_network untagged=Guest_network \
vlan-ids=15
add bridge=Test_network tagged=ether1,Test_network untagged=CCTV_network \
vlan-ids=20
# List membership drives the firewall and the management settings:
#   LAN  = bridge, ether2-mgmt
#   WAN  = ether1
#   Home = Home_network, Guest_network, CCTV_network
# Guest and CCTV therefore get whatever is granted to "Home".
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2-mgmt list=LAN
add interface=Home_network list=Home
add interface=Guest_network list=Home
add interface=CCTV_network list=Home
# The OpenVPN server's accepted auth digests include md5 next to sha1.
# Whether the server is enabled is not shown in this export.
# NOTE(review): drop md5 from the list if the server is ever enabled.
/interface ovpn-server server
set auth=sha1,md5
# Router addresses: one per segment (defconf bridge, management port, three VLANs).
/ip address
add address=172.16.5.1/24 comment=defconf interface=bridge network=172.16.5.0
add address=172.16.0.1/24 comment=Managment interface=ether2-mgmt network=\
172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
# The line below the menu path is a warning emitted in the export itself: ether1
# is a bridge port (of Test_network), so the WAN DHCP client on it cannot run.
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf interface=ether1
# DHCP option sets. Only 172.16.0.0/24 and 172.16.5.0/24 have matching pools in
# this export; the 192.168.88.0/24 entry is a leftover with no address on the router.
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
add address=172.16.5.0/24 dns-server=172.16.5.1 gateway=172.16.5.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# The router answers DNS for other hosts, and its upstream server is set to
# 172.16.10.1 - the router's own Home_network address.
# NOTE(review): pointing the resolver at itself looks unintended - confirm.
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter, unchanged defconf rules. Rules are evaluated top to bottom per chain.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Input is keyed on the LAN list (bridge, ether2-mgmt). The three VLAN interfaces
# are in "Home", not LAN, so new connections from them to the router are dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# This is the only forward drop for new connections, and it matches WAN ingress only.
# No rule here separates Home, Guest and CCTV from each other or from the
# management subnet, so routed traffic between them is not filtered.
# NOTE(review): add explicit inter-VLAN rules if Guest/CCTV are meant to be isolated.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Default route via 172.16.10.1, which is this router's own Home_network address.
# NOTE(review): a default gateway pointing at the router itself looks unintended - confirm.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=MikroTik_eth_router
# Updates are taken from the testing channel (the export header shows 7.2rc4).
/system package update
set channel=testing
# MAC-Telnet is off; MAC-Winbox is allowed on "Home", which in this export
# contains the Guest and CCTV VLAN interfaces as well as Home_network.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Home
# mar/20/2022 17:24:19 by RouterOS 7.2rc4
# software id =
#
# model = RB760iGS
# serial number =
/interface bridge
add admin- auto-mac=no comment=defconf \
ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.15.2-172.16.15.254
add name=dhcp_pool3 ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=Home_network name=dhcp1
add address-pool=dhcp_pool2 interface=Guest_network name=dhcp2
add address-pool=dhcp_pool3 interface=CCTV_network name=dhcp3
/port
set 0 name=serial0
# Ports of the single VLAN-filtering bridge.
#   ether3, sfp1 : no pvid or frame-types given in this export
#   ether4       : access port, untagged into VLAN 10
#   ether5       : trunk, tagged frames only
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=Home
# VLANs 10, 15 and 20 are tagged towards the CPU (bridge) and the trunk (ether5).
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
# List membership:
#   LAN  = bridge, Home_network, Guest_network, CCTV_network
#   WAN  = ether1
#   Home = Home_network, ether2
# Guest and CCTV are in LAN, and the defconf input chain only drops traffic that
# is NOT from LAN, so those two networks can open new connections to the router.
# ether2 is in Home only, not in LAN.
# NOTE(review): keep Guest/CCTV out of the list that grants router access, or add
# explicit input rules for the services they need.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=ether2 list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter, unchanged defconf rules. Rules are evaluated top to bottom per chain.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# ether2 (172.16.0.1/24) is a member of Home but not of LAN, so new connections
# to the router arriving on ether2 match this drop. That is consistent with the
# symptom reported in the thread: Winbox by IP fails on the management port while
# MAC-Winbox (allowed on the Home list) still connects.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# The only forward drop for new connections matches WAN ingress. Nothing here
# filters routed traffic between the Home, Guest and CCTV VLANs.
# NOTE(review): add inter-VLAN drop rules if the VLANs are meant to be isolated.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Home
WHY??? I followed the configuration from this topic: viewtopic.php?t=182276
Thanks for letting me know. I forgot to add the link, now fixed in the original post (edited). Also, the link to the anav tutorial that you provided is not working (error 404).
Changed
[url]NEW USER PATHWAY TO CONFIG SUCCESS[/url]
to
[url=https://forum.mikrotik.com/viewtopic.php?p=906567]NEW USER PATHWAY TO CONFIG SUCCESS[/url]
Yup!! Yeah, I realized that later... my mistake... I've made a new configuration. Now I have to configure the hAP ac lite using the instructions from that topic, I presume? Just modify it to suit my needs.
Think about it. Internet is present on ether4; I also get a 172.16.10.X address and can connect with Winbox.
The management port on ether2 has internet, but I can't connect if I choose the IP address in Winbox (the router is visible in Winbox); if I choose the MAC address I can connect.
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
The config, posted in that post, is garbage: This is how I interpret the config in viewtopic.php?t=184164#p920240
# mar/21/2022 18:31:11 by RouterOS 7.2rc4
# software id = 2NZF-BKUH
#
# model = RB760iGS
# serial number = D4500FA09027
/interface bridge
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf \
ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.15.2-172.16.15.254
add name=dhcp_pool3 ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Home_network name=dhcp1
add address-pool=dhcp_pool2 interface=Guest_network name=dhcp2
add address-pool=dhcp_pool3 interface=CCTV_network name=dhcp3
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=ether2 list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
# Static lease: pins the admin laptop's MAC to 172.16.10.254, the address that the
# "authorized" list below trusts for Winbox.
/ip dhcp-server lease
add address=172.16.10.254 client-id=1:f4:30:b9:d7:5:5a comment="Admin laptop" \
mac-address=F4:30:B9:D7:05:5A server=dhcp1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
/ip dns
set allow-remote-requests=yes
# Management allow-list, matched by source IP only.
# NOTE(review): a source address is not an identity - another host in the Home
# VLAN or on ether2 that configures one of these addresses would match too.
# Treat this as a convenience filter on top of strong Winbox credentials.
/ip firewall address-list
add address=172.16.10.254 list=authorized
add address=172.16.0.2 list=authorized
# IPv4 filter. Input and forward rules are interleaved in this listing; each chain
# is still evaluated top to bottom on its own, but the mixed order makes review harder.
# Input chain as written: accept established/related/untracked, ICMP and loopback;
# accept Winbox (tcp/8291) from the Home list when the source is "authorized";
# accept DNS (udp+tcp/53) from the LAN list; then drop invalid and drop all else.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Winbox needs both conditions: arrival on a Home-list interface (Home_network,
# ether2) and a source address in "authorized".
add action=accept chain=input comment="Winbox access" dst-port=8291 \
in-interface-list=Home protocol=tcp src-address-list=authorized
# DNS is offered to the whole LAN list, which includes Guest_network and CCTV_network.
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
in-interface-list=LAN protocol=tcp
# This fasttrack rule sits after the forward accept for established/related above,
# so those packets are already accepted before they can reach it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only forward drop for new connections, and it matches WAN ingress only. Nothing
# in this chain filters routed traffic between the Home, Guest and CCTV VLANs.
# NOTE(review): add explicit inter-VLAN rules (or a final forward drop with the
# needed accepts above it) if Guest/CCTV must not reach Home.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# "drop invalid" comes after the input accepts here; the unconditional drop on
# the next rule ends the input chain, so input is default-deny.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Zagreb
# MAC-Telnet is off; MAC-Winbox is allowed on the Home list (Home_network, ether2).
# NOTE(review): the Winbox rule in /ip firewall filter matches tcp/8291 with a
# source address list; MAC-Winbox is a separate access path and is presumably not
# limited by that address list - verify, and set this to none if IP Winbox suffices.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Home
One question, which router should i buy, RB5009 or RB4011 ?
Yea, and it has 10 ports plus sfp (i have sfp to rj45 adapter) ...
# jan/02/1970 01:12:40 by RouterOS 7.2rc4
# software id =
#
# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
# Three WPA2-PSK-only profiles, one per network (Home, Guest, CCTV). No passphrase
# appears in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
supplicant-identity=""
# Physical radios: wlan1 is renamed GostiWiFi (2.4 GHz, Guest profile) and wlan2
# is renamed KucniWifi (5 GHz, Home profile). WPS is disabled on both.
# Both are enabled and broadcast their own SSIDs, but neither is added to bridgeAP
# in /interface bridge port - presumably they exist only as masters for the
# virtual APs below; verify that clients joining them land nowhere useful.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
country=croatia disabled=no mode=ap-bridge name=KucniWifi \
security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
# Virtual APs, one per VLAN (15 guest, 20 CCTV, 10 home). Each tags its traffic
# (vlan-mode=use-tag). The MAC addresses are XX placeholders in the posted export.
# The guest and CCTV SSIDs share the 2.4 GHz radio; the home SSID is on 5 GHz.
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
master-interface=GostiWiFi multicast-buffering=disabled name=\
Mreza_za_Goste_15 security-profile=Guest ssid=Gosti vlan-id=15 vlan-mode=\
use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
master-interface=GostiWiFi multicast-buffering=disabled name=\
CCTV_mreza_20 security-profile=CCTV ssid=CCTV vlan-id=20 vlan-mode=\
use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
master-interface=KucniWifi multicast-buffering=disabled name=\
Kucna_mreza_10 security-profile=Home ssid="Kucni wifi" vlan-id=10 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled \
wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# bridgeAP ports: the three virtual APs as access ports (pvid 10/15/20, untagged
# frames only) and ether1 as the uplink.
# NOTE(review): the virtual APs already tag their traffic (vlan-mode=use-tag in
# /interface wireless) while these ports admit only untagged frames - confirm that
# only one of the two tagging methods is meant to be active.
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=CCTV_mreza_20 pvid=20
# Neighbor discovery is enabled on the Home list, which below contains the guest
# and CCTV virtual APs as well as the home one.
# NOTE(review): keep guest/CCTV interfaces out of the discovery list unless
# clients there are meant to see the device.
/ip neighbor discovery-settings
set discover-interface-list=Home
# ether1 carries VLANs 10, 15 and 20 tagged towards the router.
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10 vlan-ids=\
10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15 \
vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20 vlan-ids=20
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=Mreza_za_Goste_15 list=Home
add interface=CCTV_mreza_20 list=Home
# The device's address in the home subnet is placed on ether1, which is a bridge
# port; the thread flags this and moves the address to bridgeAP in the corrected
# snippet. ether2 gets a separate 172.16.50.1/24 address.
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.254/24 interface=ether1 network=172.16.10.0
# The AP answers DNS queries from other hosts and forwards them to the router.
# No /ip firewall section appears in this export, so nothing shown here limits
# which clients can reach the AP's own services (DNS, management).
# NOTE(review): confirm the AP's management address is reachable from the
# home/management VLAN only.
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
@anav, I realize you know more about this than me, but can you explain why the address should be added to bridgeAP instead of Home_network? Since this is for VLAN 10 (not the base PVID 1). (3) THE MAIN PROBLEM - Your IP address is incorrectly assigned to ether1. FIX ASAP!!
Corrected
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.254/24 interface=bridgeAP network=172.16.10.0
# jan/02/1970 01:12:40 by RouterOS 7.2rc4
# software id =
#
# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
country=croatia disabled=no mode=ap-bridge name=KucniWifi \
security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
master-interface=GostiWiFi multicast-buffering=disabled name=\
Mreza_za_Goste_15 security-profile=Guest ssid=Gosti vlan-id=15 vlan-mode=\
use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
master-interface=GostiWiFi multicast-buffering=disabled name=\
CCTV_mreza_20 security-profile=CCTV ssid=CCTV vlan-id=20 vlan-mode=\
use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
master-interface=KucniWifi multicast-buffering=disabled name=\
Kucna_mreza_10 security-profile=Home ssid="Kucni wifi" vlan-id=10 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled \
wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=CCTV_mreza_20 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10 vlan-ids=\
10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15 \
vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20 vlan-ids=20
# Members of the Home interface list. This export points
# "/ip neighbor discovery-settings discover-interface-list" at Home, so
# neighbor discovery runs on every interface listed here, including the
# guest (Mreza_za_Goste_15) and CCTV (CCTV_mreza_20) virtual APs.
# NOTE(review): if Home is meant to be the trusted management list, only the
# trusted interface belongs in it - confirm before reusing the list for
# MAC-Winbox or firewall rules.
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=Mreza_za_Goste_15 list=Home
add interface=CCTV_mreza_20 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
# allow-remote-requests=yes makes the AP itself answer DNS queries from other
# hosts, resolving through 172.16.10.1. This export contains no
# "/ip firewall filter" section, so nothing on the AP limits who may query it.
# NOTE(review): if the AP only needs to resolve names for itself,
# allow-remote-requests=no is enough - confirm no client points at the AP.
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
If you do that, the hap ac lite will try to route within the hap ac lite, because it will have "connected" routes to all subnets. Regarding adding VLANs 15 and 20 instead of only 10, is it okay if I do it that way in the future? As you said, it's maybe easier to know what is happening.
.................... good just one more step.........
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
Did you assign the address .253 manually on the AP, (its what I would do).
Next step is to go to the Router and DHCP leases, with the mac address of the AP and add your AP to the vlan manually, as a fixed static IP.
To be honest, I haven't looked at how this works, my assumption was that there would still be a single bridge, but that part of it would be software based but with an "internal" trunk to the switch chip. So I just need to add the trusted subnet, in my case Home_network @ 172.16.10.0/24, and then I add the newly configured virtual wifi interfaces to the hAP's bridge and untag them with the correct ID? And the hEX will send all VLANs from its ether5, which is tagged for all VLANs (10, 15, 20), to ether1 on the hAP lite, where ether1 and bridgeAP are tagged so they accept all VLANs. And then the virtual wifi interfaces are access ports; I untag them with the VLANs I want on that interface. I hope I understand correctly.
I stole most of that from the hap ac lite block diagram. These block diagrams exist for all MikroTik routers that I have been interested in. Damn, those are really detailed schematics.
# mar/25/2022 16:27:35 by RouterOS 7.2rc4
# software id = 2NZF-BKUH
#
# model = RB760iGS
# serial number = D4500FA09027
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf \
ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.15.2-172.16.15.254
add name=dhcp_pool3 ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Home_network name=dhcp1
add address-pool=dhcp_pool2 interface=Guest_network name=dhcp2
add address-pool=dhcp_pool3 interface=CCTV_network name=dhcp3
/port
set 0 name=serial0
# Bridge ports on the router. ether3 and ether4 are untagged access ports in
# VLAN 10 (pvid=10); ether5 accepts only tagged frames and is the trunk that
# the thread describes as feeding ether1 of the hAP ac lite.
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether5
# sfp1 is bridged with no frame-types or pvid in the export, so it keeps the
# defaults, and no "/interface bridge vlan" entry in this export lists it.
# NOTE(review): confirm the port is unused, or give it an explicit VLAN role.
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
# Interface list membership on the router.
#   WAN  - ether1
#   LAN  - the bridge plus all three VLAN interfaces (home, guest, CCTV)
#   Home - Home_network and ether2 only
# In this export LAN is what the DNS accept rules and the IPv6 "not coming from
# LAN" drops match on; Home is what the Winbox rule, neighbor discovery and
# MAC-Winbox are bound to. Guest and CCTV are therefore "LAN" for filtering
# purposes but are not part of the management list.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=ether2 list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=172.16.10.254 client-id=1:zz:zz:zz:zz:zz:zz comment="Admin laptop" \
mac-address=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ server=dhcp1
add address=172.16.10.253 mac-address=YY:YY:YY:YY:YY:YY \
server=dhcp1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
# The router answers DNS queries for clients. The input chain in this export
# accepts port 53 only from the LAN interface list and ends in a drop rule, so
# new queries arriving on the WAN list are not accepted.
/ip dns
set allow-remote-requests=yes
# Source addresses that the "Winbox access" input rule accepts.
# 172.16.10.254 is the static lease commented "Admin laptop" in this export;
# 172.16.0.2 lies in the ether2 subnet (172.16.0.1/24).
# An address list matches on source IP only, so any host on a Home interface
# that uses one of these addresses passes the check.
/ip firewall address-list
add address=172.16.10.254 list=authorized
add address=172.16.0.2 list=authorized
# IPv4 filter rules; each chain is evaluated top to bottom in the order shown.
# Input chain (traffic to the router itself): established/related, ICMP,
# loopback, Winbox from Home + authorized, DNS from LAN, then drop invalid and
# drop everything else.
# Forward chain (traffic through the router): IPsec policy matches,
# established/related, fasttrack, drop invalid, drop new WAN traffic that is
# not dst-NATed. There is no final drop in the forward chain.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# ICMP to the router is accepted from every interface, WAN included.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Winbox is reachable only on Home interfaces and only from addresses in the
# "authorized" list; every other new connection to 8291 reaches the final drop.
add action=accept chain=input comment="Winbox access" dst-port=8291 \
in-interface-list=Home protocol=tcp src-address-list=authorized
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
in-interface-list=LAN protocol=tcp
# NOTE(review): the forward "accept established,related, untracked" rule above
# already matches the same connection states, so this rule may never see a
# packet - check its counters.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# This is the last forward rule. Nothing in the chain restricts new
# connections between the VLAN interfaces, and unmatched packets are accepted,
# so hosts in 172.16.15.0/24 (guest) and 172.16.20.0/24 (CCTV) can open
# connections to 172.16.10.0/24 (home), including the AP at 172.16.10.253.
# NOTE(review): if guest and CCTV are meant to be isolated, allow the wanted
# flows explicitly (e.g. LAN to WAN) and end the forward chain with a drop.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Zagreb
# Layer-2 management access on the router: MAC-Telnet is disabled on every
# interface, and MAC-Winbox is offered only on the Home list (Home_network and
# ether2 in this export).
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Home
Given your situation, I would partition the problem. So in the hEX S, under Leases, I added the IP address I reserved for the AP = 172.16.10.253. I added the MAC address and chose DHCP server dhcp1, but there is no connection. Status is "waiting".
[demo@MikroTik] /ip/dhcp-server/lease> add
address client-id disabled queue-type
address-lists comment insert-queue-before rate-limit
allow-dual-stack-queue copy-from lease-time routes
always-broadcast dhcp-option mac-address server
block-access dhcp-option-set parent-queue use-src-mac
I wouldn't untag multiple vlans on the same port, maybe that's not what you did, but what you said makes it sound like there were multiple vlans on the port. PVID only tells the switch what to do with incoming untagged ethernet frames. Having multiple vlans defined for the bridge port but untagging them all can lead to interesting results. I've seen it done on TP-Link SG108E switches to have asymmetric vlans for "port isolation", but that's not the way port isolation is usually implemented. So I tried to assign every VLAN to ether4 and I get an IP with the correct format (172.16.15.x for VLAN_15, 172.16.20.x for VLAN_20), and I get internet access (I'm writing this while on VLAN20), so I can presume that there is no problem with the wire connection on the hEX S. (I untagged every VLAN on the desired port and I changed the PVID in port settings)
Regarding specifying dns-server in dhcp server, i don't know, but it's working without it.
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
IPv4 Address. . . . . . . . . . . : 192.168.101.196(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, March 07, 2022 11:40:33 PM
Lease Expires . . . . . . . . . . : Sunday, March 27, 2022 5:35:26 PM
Default Gateway . . . . . . . . . : 192.168.101.1
DHCP Server . . . . . . . . . . . : 192.168.101.1
DHCPv6 IAID . . . . . . . . . . . : 247214171
DHCPv6 Client DUID. . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.101.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Can you post the updated hap ac lite config? Before and after, if you make the change below. Ok, I tried to untag ether3 on the switch/AP and nothing, can't get an IP, so something is wrong with the switch settings? I have an Aruba smart switch, so I can test if I can get all VLANs on it.
# jan/02/1970 07:34:35 by RouterOS 7.2rc5
# software id =
#
# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
country=croatia disabled=no mode=ap-bridge name=KucniWifi \
security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address= \
master-interface=GostiWiFi multicast-buffering=disabled name=\
Mreza_za_Goste_15 security-profile=Guest ssid=Gosti vlan-id=15 vlan-mode=\
use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
disabled
add disabled=no keepalive-frames=disabled mac-address= \
master-interface=GostiWiFi multicast-buffering=disabled name=\
CCTV_mreza_20 security-profile=CCTV ssid=CCTV vlan-id=20 vlan-mode=\
use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
disabled
add disabled=no keepalive-frames=disabled mac-address= \
master-interface=KucniWifi multicast-buffering=disabled name=\
Kucna_mreza_10 security-profile=Home ssid="Kucni wifi" vlan-id=10 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled \
wps-mode=disabled
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=CCTV_mreza_20 pvid=20
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether3 \
vlan-ids=10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15 \
vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20 vlan-ids=20
# Home holds the home virtual AP and ether2; the guest and CCTV virtual APs
# are not members. Home is the list that neighbor discovery and MAC-Winbox are
# bound to in this export.
# NOTE(review): Kucna_mreza_10 is a bridge port here, while the AP's address
# 172.16.10.253 sits on the VLAN interface Home_network; the thread asks
# whether Home_network should be the list member instead - confirm.
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
# The AP answers DNS queries from other hosts (allow-remote-requests=yes) and
# resolves through 172.16.10.1. No "/ip firewall filter" section appears in
# this export, so the AP does not restrict who may query it.
# NOTE(review): set allow-remote-requests=no if only the AP itself needs name
# resolution - confirm no client uses the AP as its resolver.
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
# Upgrades are taken from the testing channel; the export header shows a
# release candidate (7.2rc5).
# NOTE(review): confirm a pre-release build is intended on a device that
# carries guest and camera traffic.
/system package update
set channel=testing
# MAC-Winbox is limited to the Home list. No "/tool mac-server" line is
# exported, so MAC-Telnet is at its default.
# NOTE(review): the router export in this thread sets
# "/tool mac-server set allowed-interface-list=none" - confirm whether the AP
# should match.
/tool mac-server mac-winbox
set allowed-interface-list=Home
# jan/02/1970 07:42:53 by RouterOS 7.2rc5
# software id =
#
# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
country=croatia disabled=no mode=ap-bridge name=KucniWifi \
security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address= \
master-interface=GostiWiFi multicast-buffering=disabled name=\
Mreza_za_Goste_15 security-profile=Guest ssid=Gosti vlan-id=15 vlan-mode=\
use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
disabled
add disabled=no keepalive-frames=disabled mac-address= \
master-interface=GostiWiFi multicast-buffering=disabled name=\
CCTV_mreza_20 security-profile=CCTV ssid=CCTV vlan-id=20 vlan-mode=\
use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
disabled
add disabled=no keepalive-frames=disabled mac-address= \
master-interface=KucniWifi multicast-buffering=disabled name=\
Kucna_mreza_10 security-profile=Home ssid="Kucni wifi" vlan-id=10 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled \
wps-mode=disabled
# Bridge ports on the AP. The three virtual APs are untagged access ports for
# VLANs 10, 15 and 20; ether1 accepts only tagged frames (trunk to the router).
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=CCTV_mreza_20 pvid=20
# ether3-ether5 are added with a pvid only; unlike the wireless ports above,
# no frame-types value is exported for them.
# NOTE(review): presumably that leaves them accepting tagged frames as well.
# Setting frame-types=admit-only-untagged-and-priority-tagged, as on the
# wireless ports, makes them pure access ports - confirm.
add bridge=bridgeAP interface=ether3 pvid=10
add bridge=bridgeAP interface=ether4 pvid=15
add bridge=bridgeAP interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether3 \
vlan-ids=10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15,ether4 \
vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20,ether5 \
vlan-ids=20
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system package update
set channel=testing
/tool mac-server mac-winbox
set allowed-interface-list=Home
Yes, I had several errors there... sorry. Here is the config before changes (just my test)
---snip---
And here is the config after @anav's changes. (Note: when I tried to input, e.g., add interface=ether3 pvid=10 and hit enter, it asked me to provide a bridge, so I put bridgeAP. When I tried to input the other command, it asked me for a number at the end; I just hit enter, and then I saw that none of the interfaces were untagged, so I untagged them manually.)
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
supplicant-identity=""
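# Wireless interfaces in the hand-edited config: the physical radios are
# renamed so that wlan1 is the guest AP (Mreza_za_Goste_15) and wlan2 the home
# AP (Kucna_mreza_10); one virtual AP (CCTV_mreza_20) is added for cameras.
# WPS is disabled on all three. No vlan-id/vlan-mode is set on the virtual AP;
# VLAN membership comes from the pvid of the bridge ports.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
croatia disabled=no frequency=2437 mode=ap-bridge name=Mreza_za_Goste_15 \
rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
country=croatia disabled=no mode=ap-bridge name=Kucna_mreza_10 \
security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
# master-interface must name an existing radio: wlan1 is called
# Mreza_za_Goste_15 in this config, so that name is used instead of the old
# GostiWiFi. "vwds-cost-range=0\" is corrected to "wds-cost-range=0 \" (typo
# and missing space before the line continuation).
# The mac-address value is blank on the page (redacted by the poster).
add disabled=no keepalive-frames=disabled mac-address= \
master-interface=Mreza_za_Goste_15 multicast-buffering=disabled name=\
CCTV_mreza_20 security-profile=CCTV ssid=CCTV wds-cost-range=0 \
wds-default-cost=0 wmm-support=enabled wps-mode=disabled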
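# Bridge ports on the AP with explicit ingress filtering.
# ether1 is the trunk and admits only tagged frames; every other port is an
# access port that admits only untagged frames and places them in its pvid
# VLAN. ingress-filtering=yes makes the bridge check that the ingress port is a
# member of the frame's VLAN in the bridge VLAN table.
# Fixes against the posted text: a space is added before each "\" line
# continuation, "ingress filtering" is spelled "ingress-filtering", and the
# ether1 entry gets the continuation it was missing.
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
interface=CCTV_mreza_20 pvid=20
add bridge=bridgeAP interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridgeAP interface=ether4 pvid=15 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridgeAP interface=ether5 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes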
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether3 \
vlan-ids=10
add bridge=bridgeAP tagged=ether1 untagged=Mreza_za_Goste_15,ether4 \
vlan-ids=15
add bridge=bridgeAP tagged=ether1 untagged=CCTV_mreza_20,ether5 \
vlan-ids=20
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system package update
set channel=testing
/tool mac-server mac-winbox
set allowed-interface-list=Home
Since it doesn't seem that firewall is enabled, I don't know if this makes any difference or not. But it probably is affecting the ability of mac-winbox to work with vlan-10. And here is the config after @anav's changes
(1) CORRECT, good catch!!
Since it doesn't seem that firewall is enabled, I don't know if this makes any difference or not. But it probably is affecting the ability of mac-winbox to work with vlan-10
So this is more of a question, than a suggestion.
Shouldn't Kucna_mreza_10 be replaced with Home_network as the home interface list member?
(2) No, the only required member of the interface list is the trusted subnet.
/interface list member
add interface=Home_network list=Home
add interface=Guest_network list=Home
add interface=CCTV_network list=Home
add interface=ether2 list=Home
(2) No, the only required member of the interface list is the trusted subnet.
It will show up properly in winbox and is accessible from the trusted subnet only for configuration purposes.
There is no security reason to let all vlans see mac address of managed devices.
Same goes why ether2 is there as well.
So on hAP ac lite i have ether2 as managment port with different address (172.16.50.1) and that is how i connect to AP and make any changes.
# jan/02/1970 17:00:03 by RouterOS 7.2rc5
# software id =
#
# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
country=croatia disabled=no mode=ap-bridge name=KucniWifi \
security-profile=Home skip-dfs-channels=all ssid=KucniWiFi \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:63:DC:11 \
master-interface=GostiWiFi multicast-buffering=disabled name=\
CCTV_mreza_20 security-profile=CCTV ssid=CCTV wds-cost-range=0 \
wds-default-cost=0 wmm-support=enabled wps-mode=disabled
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 pvid=10
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=ether5 pvid=20
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=KucniWifi pvid=10
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=GostiWiFi pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=CCTV_mreza_20 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
# Bridge VLAN table on the AP. ether1 carries all three VLANs tagged.
# bridgeAP (the AP's own CPU port) is a tagged member of VLAN 10 only, which is
# where the Home_network interface and the AP's address 172.16.10.253 live.
# VLANs 15 and 20 list no bridgeAP membership: they are switched between ether1
# and their untagged access ports, and the AP has no interface in them.
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=KucniWifi,ether3 \
vlan-ids=10
add bridge=bridgeAP tagged=ether1 untagged=GostiWiFi,ether4 vlan-ids=15
add bridge=bridgeAP tagged=ether1 untagged=ether5,CCTV_mreza_20 vlan-ids=20
# Home contains the VLAN 10 interface (which carries 172.16.10.253) and the
# ether2 management port. No guest or CCTV interface is a member, so neighbor
# discovery and MAC-Winbox, both bound to Home in this export, are not offered
# on those networks.
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
# The AP still answers DNS queries from other hosts and resolves through
# 172.16.10.1. This export has no "/ip firewall filter" section, so whether
# hosts outside VLAN 10 can reach the AP's resolver and management services
# depends on the upstream router's forward rules.
# NOTE(review): allow-remote-requests=no is enough if only the AP itself needs
# name resolution - confirm.
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
# The AP follows the testing release channel; the export header shows 7.2rc5.
# NOTE(review): confirm a pre-release build is intended on this device.
/system package update
set channel=testing
# MAC-Winbox is limited to the Home list (Home_network and ether2). No
# "/tool mac-server" line is exported, so MAC-Telnet is at its default.
# NOTE(review): the router export in this thread disables it with
# allowed-interface-list=none - confirm whether the AP should match.
/tool mac-server mac-winbox
set allowed-interface-list=Home
What do the previous commands display when issued from the hex, and from the hap (except using ether1 instead of ether5)? It seems unlikely (but possible) that the cable is bad, but the output from [...] I'm sure because I'm supplying power to the hAP ac lite (ether1 PoE in) from the hEX S PoE out port (ether5), and they are on top of each other, connected with a 50cm (or about 1.64 feet) cat6 eth cable.
I will buy new cable just to be sure... and test cable so i'm sure it's not hardware problem (i once had one wire broken inside cable... poe was working but data not...)
[admin@MikroTik] > /interface ethernet monitor ether5 once
name: ether5
status: link-ok
auto-negotiation: done
rate: 100Mbps
full-duplex: yes
tx-flow-control: no
rx-flow-control: no
advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,
1000M-full
link-partner-advertising: 10M-half,10M-full,100M-half,100M-full
[admin@MikroTik] > /interface ethernet print stats-detail from=ether5
Flags: X - disabled, R - running; S - slave
0 RS name="ether5" driver-rx-byte=46 228 driver-rx-packet=182
driver-tx-byte=3 372 846 driver-tx-packet=47 440 rx-bytes=5 434 448
rx-packet=34 rx-too-short=0 rx-64=84 174 rx-65-127=84 rx-128-255=55
rx-256-511=4 rx-512-1023=0 rx-1024-1518=24 rx-too-long=0 rx-broadcast=11
rx-pause=0 rx-multicast=84 296 rx-fcs-error=0 rx-align-error=0
rx-fragment=0 rx-jabber=0 rx-drop=0 tx-bytes=4 465 300 tx-packet=67
tx-64=42 811 tx-65-127=2 325 tx-128-255=6 409 tx-256-511=37
tx-512-1023=323 tx-1024-1518=124 tx-broadcast=3 412 tx-pause=0
tx-multicast=48 550 tx-collision=0 tx-excessive-collision=0
tx-multiple-collision=0 tx-single-collision=0 tx-deferred=2
tx-late-collision=0 tx-drop=0 tx-fcs-error=0
[admin@MikroTik] > /interface ethernet monitor ether1 once
name: ether1
status: link-ok
auto-negotiation: done
rate: 100Mbps
full-duplex: yes
tx-flow-control: no
rx-flow-control: no
advertising: 10M-half,10M-full,100M-half,100M-full
link-partner-advertising: 10M-half,10M-full,100M-half,100M-full
[admin@MikroTik] > /interface ethernet print stats-detail from=ether1
Flags: X - disabled, R - running; S - slave
0 RS name="ether1" driver-rx-byte=50 055 driver-rx-packet=536
driver-tx-byte=33 968 driver-tx-packet=555 rx-bytes=52 199 rx-too-short=0
rx-64=293 rx-65-127=167 rx-128-255=66 rx-256-511=2 rx-512-1023=8
rx-1024-1518=0 rx-1519-max=0 rx-too-long=0 rx-broadcast=126 rx-pause=0
rx-multicast=392 rx-fcs-error=0 rx-align-error=0 rx-fragment=0
rx-overflow=0 tx-bytes=36 188 tx-64=547 tx-65-127=2 tx-128-255=6
tx-256-511=0 tx-512-1023=0 tx-1024-1518=0 tx-1519-max=0 tx-too-long=0
tx-broadcast=1 tx-pause=0 tx-multicast=554 tx-underrun=0 tx-collision=0
tx-excessive-collision=0 tx-multiple-collision=0 tx-single-collision=0
tx-excessive-deferred=0 tx-deferred=0 tx-late-collision=0
[demo@MikroTik] > /interface ethernet print stats
name: eth4-BR-SW_U10_T241 ether1-WAN ether2-BR-SW-Base-U1 ether3-BR-SW-U241 ether5-off_bridge_wrk sfp1
driver-rx-byte: 0 109 881 491 1 625 786 376 915 0 0
driver-rx-packet: 0 986 952 14 602 4 490 0 0
driver-tx-byte: 0 315 839 9 381 017 12 888 470 0 0
driver-tx-packet: 0 3 534 130 783 155 598 0 0
rx-bytes: 0 113 829 299 1 684 540 394 811 0 0
rx-packet: 0 2 673 14 599 4 346 0 0
rx-too-short: 0 0 0 0 0 0
rx-64: 0 421 522 1 932 443 0
rx-65-127: 0 184 699 10 406 4 020 0
rx-128-255: 0 368 311 194 11 0
rx-256-511: 0 11 981 2 031 13 0
rx-512-1023: 0 350 0 0 0
rx-1024-1518: 0 89 40 3 0
rx-too-long: 0 0 0 0 0 0
rx-broadcast: 0 357 798 4 15 0
rx-pause: 0 0 0 0 0 0
rx-multicast: 0 626 481 0 129 0
rx-fcs-error: 0 0 0 0 0 0
rx-align-error: 0 0 0 0 0
rx-fragment: 0 0 0 0 0
rx-overflow: 0
rx-jabber: 0 0 0 0 0
rx-drop: 0 0 0 0 0
tx-bytes: 0 329 975 9 897 657 13 398 530 0 0
tx-packet: 0 3 522 3 555 12 934 0 0
tx-64: 0 1 315 117 586 116 058 0
tx-65-127: 0 2 164 429 10 062 0
tx-128-255: 0 4 11 840 28 072 0
tx-256-511: 0 11 928 1 304 0
tx-512-1023: 0 0 0 91 0
tx-1024-1518: 0 40 0 9 0
tx-broadcast: 0 5 3 858 7 718 0
tx-pause: 0 0 0 0 0
tx-multicast: 0 7 123 370 134 944 0
tx-collision: 0 0 0 0 0
tx-excessive-collision: 0 0 0 0 0
tx-multiple-collision: 0 0 0 0 0
tx-single-collision: 0 0 0 0 0
tx-deferred: 0 0 0 0 0
tx-late-collision: 0 0 0 0 0
tx-total-collision: 0
tx-drop: 0 0 0 0 0
tx-fcs-error: 0 0 0 0 0
[demo@MikroTik] > /interface ethernet monitor ether1-WAN once
name: ether1-WAN
status: link-ok
auto-negotiation: done
rate: 1Gbps
full-duplex: yes
tx-flow-control: no
rx-flow-control: no
advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
link-partner-advertising: 10M-half,10M-full,100M-half,100M-full,1000M-full
[demo@MikroTik] > /interface ethernet monitor ether2-BR-SW-Base-U1 once
name: ether2-BR-SW-Base-U1
status: link-ok
auto-negotiation: done
rate: 1Gbps
full-duplex: yes
tx-flow-control: no
rx-flow-control: no
advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
link-partner-advertising: 10M-half,10M-full,100M-half,100M-full,1000M-full
[demo@MikroTik] > /interface ethernet monitor ether3-BR-SW-U241 once
name: ether3-BR-SW-U241
status: link-ok
auto-negotiation: done
rate: 1Gbps
full-duplex: yes
tx-flow-control: no
rx-flow-control: no
advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
link-partner-advertising: 10M-half,10M-full,100M-half,100M-full,1000M-full
[demo@MikroTik] > /interface ethernet monitor eth4-BR-SW_U10_T241 once
name: eth4-BR-SW_U10_T241
status: no-link
auto-negotiation: done
advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
link-partner-advertising:
[demo@MikroTik] > /interface ethernet monitor ether5-off_bridge_wrk once
name: ether5-off_bridge_wrk
status: no-link
auto-negotiation: done
advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
link-partner-advertising:
[demo@MikroTik] >
When you say it is working with the switch, I assume you mean the RB760iGS trunk port ether5.
I think the problem could be on the hAP side... Is there any chance that there is some kind of firmware problem?
I mean, it's working with this switch. Then again, this is switchOS, not RouterOS
I'm running 7.2rc5, i will try to repeat test again
I am not going to be much help with the hAP ac lite, as I don't have one; in fact, the only MikroTik router I have ever touched is the hEX S that I have had for less than 2 months.
The only difference between the switch and the hAP ac lite that I can think of is that I needed to set the IP manually on the hAP ac lite, and on the hEX S.
On switch I only had to assign vlans, tag trunk port, and untag access ports.
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=172.16.50.1/24 network=172.16.50.0 interface=ether2
actual-interface=ether2
1 address=172.16.10.253/24 network=172.16.10.0 interface=Home_network
actual-interface=Home_network
[admin@MikroTik] > /interface print detail
Flags: D - dynamic; X - disabled, R - running; S - slave
0 RS name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0A ifname="eth0"
ifindex=10 id=1 last-link-up-time=jan/03/1970 16:33:04 link-downs=0
1 name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0B ifname="eth1"
ifindex=11 id=2 link-downs=0
2 RS name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0C ifname="eth2"
ifindex=12 id=3 last-link-up-time=jan/03/1970 16:38:31 link-downs=0
3 S name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0D ifname="eth3"
ifindex=13 id=4 link-downs=0
4 S name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0E ifname="eth4"
ifindex=14 id=5 link-downs=0
5 S name="CCTV_mreza_20" type="wlan" mtu=1500 actual-mtu=1500 l2mtu=1600
max-l2mtu=2290 mac-address=4A:8F:5A:63:DC:11 ifname="ath0-0" ifindex=15
8 R name="Home_network" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1594
mac-address=48:8F:5A:63:DC:0A ifname="vlan9" ifindex=18 id=9
last-link-down-time=jan/03/1970 16:41:40 last-link-up-time=jan/03/1970 16:41:40
link-downs=2
9 R name="bridgeAP" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1598
mac-address=48:8F:5A:63:DC:0A ifname="br0" ifindex=6 id=8
last-link-up-time=jan/03/1970 16:33:00 link-downs=0
[admin@MikroTik] > /interface bridge print detail
Flags: X - disabled, R - running
0 R name="bridgeAP" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto
mac-address=48:8F:5A:63:DC:0A protocol-mode=rstp fast-forward=yes igmp-snooping=no
auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1
frame-types=admit-all ingress-filtering=no dhcp-snooping=no
[admin@MikroTik] > /interface bridge port print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
0 interface=ether1 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10
edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-only-vlan-tagged
ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes
broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
multicast-router=temporary-query fast-leave=no
1 interface=ether3 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10
edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=10
frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes
tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query
fast-leave=no
2 I interface=ether4 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10
edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=15
frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes
tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query
fast-leave=no
3 I interface=ether5 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10
edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=20
frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes
tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query
fast-leave=no
4 I interface=KucniWifi bridge=bridgeAP priority=0x80 path-cost=10
internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none
restricted-role=no restricted-tcn=no pvid=15 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
6 I interface=CCTV_mreza_20 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no
restricted-role=no restricted-tcn=no pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
[admin@MikroTik] > /interface bridge vlan print detail
Flags: X - disabled, D - dynamic
0 bridge=bridgeAP vlan-ids=10 tagged=ether1,bridgeAP untagged=KucniWifi,ether3 current-tagged=bridgeAP,ether1 current-untagged=ether3
1 bridge=bridgeAP vlan-ids=15 tagged=ether1 untagged=GostiWiFi,ether4 current-tagged=ether1 current-untagged=""
2 bridge=bridgeAP vlan-ids=20 tagged=ether1 untagged=ether5,CCTV_mreza_20 current-tagged=ether1 current-untagged=""
3 D bridge=bridgeAP vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridgeAP
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=172.16.0.1/24 network=172.16.0.0 interface=ether2
actual-interface=ether2
1 address=172.16.10.1/24 network=172.16.10.0 interface=Home_network
actual-interface=Home_network
2 address=172.16.15.1/24 network=172.16.15.0 interface=Guest_network
actual-interface=Guest_network
3 address=172.16.20.1/24 network=172.16.20.0 interface=CCTV_network
actual-interface=CCTV_network
4 D address=192.168.1.107/24 network=192.168.1.0 interface=ether1
actual-interface=ether1
[admin@MikroTik] > /interface print detail
Flags: D - dynamic; X - disabled, R - running; S - slave
0 R name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:52 ifname="eth0"
ifindex=7 id=1 last-link-up-time=apr/01/2022 14:09:37 link-downs=0
1 name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:53 ifname="eth1"
ifindex=8 id=2 link-downs=0
2 RS name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:54 ifname="eth2"
ifindex=9 id=3 last-link-down-time=apr/01/2022 14:20:10
last-link-up-time=apr/01/2022 14:20:12 link-downs=2
3 S name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:55 ifname="eth3"
ifindex=10 id=4 link-downs=0
4 RS name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:56 ifname="eth4"
ifindex=11 id=5 last-link-down-time=apr/01/2022 14:09:57
last-link-up-time=apr/01/2022 14:09:59 link-downs=1
[admin@MikroTik] > /interface bridge print detail
Flags: X - disabled, R - running
0 R name="bridgeAP" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=48:8F:5A:63:DC:0A protocol-mode=rstp fast-forward=yes igmp-snooping=no
auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1
frame-types=admit-all ingress-filtering=no dhcp-snooping=no
[admin@MikroTik] > /interface bridge port print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
0 H ;;; defconf
interface=ether3 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
1 I H ;;; defconf
interface=ether4 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
2 H ;;; defconf
interface=ether5 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes
broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
3 I ;;; defconf
interface=sfp1 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes
tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
[admin@MikroTik] > /interface bridge vlan print detail
Flags: X - disabled, D - dynamic
0 bridge=bridge vlan-ids=10 tagged=bridge,ether5 untagged=ether3 current-tagged=bridge,ether5 current-untagged=ether3
1 bridge=bridge vlan-ids=15 tagged=bridge,ether5 untagged="" current-tagged=bridge,ether5 current-untagged=""
2 bridge=bridge vlan-ids=20 tagged=bridge,ether5 untagged=ether4 current-tagged=bridge,ether5 current-untagged=""
3 D bridge=bridge vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge
I don't understand why your hex isn't showing the bridge and VLANs under /interface. There is also some inconsistency in the bridge naming: in some places the name is "bridge", in others it is "bridgeAP".
And output from hex:
[admin@MikroTik] > /interface print detail
Flags: D - dynamic; X - disabled, R - running; S - slave
0 R name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:52 ifname="eth0"
ifindex=7 id=1 last-link-up-time=apr/01/2022 14:09:37 link-downs=0
1 name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:53 ifname="eth1"
ifindex=8 id=2 link-downs=0
2 RS name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:54 ifname="eth2"
ifindex=9 id=3 last-link-down-time=apr/01/2022 14:20:10
last-link-up-time=apr/01/2022 14:20:12 link-downs=2
3 S name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:55 ifname="eth3"
ifindex=10 id=4 link-downs=0
4 RS name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:56 ifname="eth4"
ifindex=11 id=5 last-link-down-time=apr/01/2022 14:09:57
last-link-up-time=apr/01/2022 14:09:59 link-downs=1
[demo@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf
address=192.168.88.1/24 network=192.168.88.0 interface=BR-SW actual-interface=BR-SW
1 address=192.168.89.1/24 network=192.168.89.0 interface=ether5-off_bridge_wrk actual-interface=ether5-off_bridge_wrk
2 D address=192.168.101.87/24 network=192.168.101.0 interface=ether1-WAN actual-interface=ether1-WAN
3 D address=192.168.241.94/24 network=192.168.241.0 interface=vlan241 actual-interface=vlan241
[demo@MikroTik] > /interface print detail
Flags: D - dynamic; X - disabled, R - running; S - slave
0 S name="eth4-BR-SW_U10_T241" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026
mac-address=DC:2C:6E:7B:10:F4 ifname="eth3" ifindex=10 id=4 link-downs=0
1 R name="ether1-WAN" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:7B:10:F1
ifname="eth0" ifindex=7 id=1 last-link-up-time=mar/31/2022 04:59:49 link-downs=0
2 RS name="ether2-BR-SW-Base-U1" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026
mac-address=DC:2C:6E:7B:10:F2 ifname="eth1" ifindex=8 id=2 last-link-up-time=mar/31/2022 04:59:52 link-downs=0
3 RS name="ether3-BR-SW-U241" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026
mac-address=DC:2C:6E:7B:10:F3 ifname="eth2" ifindex=9 id=3 last-link-up-time=mar/31/2022 04:59:49 link-downs=0
4 name="ether5-off_bridge_wrk" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026
mac-address=DC:2C:6E:7B:10:F5 ifname="eth4" ifindex=11 id=5 last-link-down-time=mar/31/2022 18:44:26
last-link-up-time=mar/31/2022 04:59:51 link-downs=1
5 S name="sfp1" default-name="sfp1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:7B:10:F6
ifname="eth5" ifindex=12 id=6 link-downs=0
6 R ;;; defconf
name="BR-SW" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 mac-address=DC:2C:6E:7B:10:F2 ifname="br0" ifindex=13 id=7
last-link-up-time=mar/31/2022 04:59:37 link-downs=0
7 R name="vlan10" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 mac-address=DC:2C:6E:7B:10:F2 ifname="vlan9" ifindex=15 id=9
last-link-up-time=mar/31/2022 04:59:37 link-downs=0
8 R name="vlan241" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 mac-address=DC:2C:6E:7B:10:F2 ifname="vlan8" ifindex=14 id=8
last-link-up-time=mar/31/2022 04:59:37 link-downs=0
[demo@MikroTik] > /interface bridge print detail
Flags: X - disabled, R - running
0 R ;;; defconf
name="BR-SW" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=DC:2C:6E:7B:10:F2 protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=DC:2C:6E:7B:10:F2 ageing-time=5m priority=0x8000 max-message-age=20s
forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=yes
dhcp-snooping=no
[demo@MikroTik] > /interface bridge port print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
0 H ;;; defconf
interface=ether2-BR-SW-Base-U1 bridge=BR-SW priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto
horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes
unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
multicast-router=temporary-query fast-leave=no
1 H ;;; defconf
interface=ether3-BR-SW-U241 bridge=BR-SW priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto
horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=241 frame-types=admit-only-untagged-and-priority-tagged
ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no
trusted=no multicast-router=temporary-query fast-leave=no
2 I H ;;; defconf
interface=eth4-BR-SW_U10_T241 bridge=BR-SW priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto
horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes
unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
multicast-router=temporary-query fast-leave=no
3 I ;;; defconf
interface=sfp1 bridge=BR-SW priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none
hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes
unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
multicast-router=temporary-query fast-leave=no
[demo@MikroTik] > /interface bridge vlan print detail
Flags: X - disabled, D - dynamic
0 bridge=BR-SW vlan-ids=241 tagged=BR-SW,eth4-BR-SW_U10_T241 untagged=ether3-BR-SW-U241 current-tagged=BR-SW
current-untagged=ether3-BR-SW-U241
1 bridge=BR-SW vlan-ids=10 tagged=BR-SW untagged=eth4-BR-SW_U10_T241 current-tagged=BR-SW current-untagged=""
2 D bridge=BR-SW vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=BR-SW,ether2-BR-SW-Base-U1
[demo@MikroTik] >
# apr/02/2022 07:26:12 by RouterOS 7.2rc5
# software id = 2NZF-BKUH
#
# model = RB760iGS
# serial number = D4500FA09027
# L2 core of the hEX S: a single bridge with VLAN filtering enabled, so the
# bridge VLAN table and the per-port pvid/frame-types settings decide which
# frames are forwarded. ingress-filtering=no here is set on the bridge
# interface itself; the member ports do not set the option in this export.
/interface bridge
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf \
ingress-filtering=no name=bridge vlan-filtering=yes
# One VLAN interface per segment, all stacked on the bridge. They carry the
# gateway addresses assigned in the /ip address section of this export.
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
# Interface lists referenced by the firewall. "Home" is the management scope:
# it is used by the Winbox input rule, neighbor discovery and MAC-Winbox.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
# Only the default profile's supplicant-identity is set here.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One address pool per VLAN (Home 172.16.10.0/24, Guest 172.16.15.0/24,
# CCTV 172.16.20.0/24); .1 is left out of each range for the gateway.
/ip pool
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.15.2-172.16.15.254
add name=dhcp_pool3 ranges=172.16.20.2-172.16.20.254
# Each DHCP server is bound to its VLAN interface, so leases are handed out
# per segment rather than on the bridge as a whole.
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Home_network name=dhcp1
add address-pool=dhcp_pool2 interface=Guest_network name=dhcp2
add address-pool=dhcp_pool3 interface=CCTV_network name=dhcp3
/port
set 0 name=serial0
# Bridge membership and per-port VLAN role:
#   ether3 - access port, untagged frames only, placed in VLAN 10
#   ether4 - access port, untagged frames only, placed in VLAN 20
#   ether5 - trunk, accepts VLAN-tagged frames only (uplink to the hAP)
#   sfp1   - added with no pvid/frame-types, i.e. left at the port defaults
# NOTE(review): the `bridge port print detail` output in this thread shows sfp1
# with pvid=1 and frame-types=admit-all; if the port is unused, disabling it or
# restricting its frame-types keeps an unplanned device out of the bridge.
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether5
add bridge=bridge comment=defconf interface=sfp1
# Neighbor discovery is limited to interfaces in the Home list.
/ip neighbor discovery-settings
set discover-interface-list=Home
# VLAN table: every VLAN is tagged towards the CPU (bridge) and the trunk
# (ether5). VLAN 15 has no untagged member on this device; it only transits
# the trunk and terminates on the Guest_network interface.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=20
# List membership drives the firewall below. Note that the bridge and all three
# VLAN interfaces (Home, Guest, CCTV) are in LAN, so any rule written against
# in-interface-list=LAN treats guest and camera traffic the same as home traffic.
# Home (management scope) contains only Home_network and the off-bridge ether2.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=ether2 list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
# Gateway address for each VLAN, plus a separate /24 on ether2.
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
# WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add comment=defconf interface=ether1
# Static lease for 172.16.10.253; the MAC is the one the hAP reports for its
# ether1/bridge in the `/interface print detail` output earlier in the thread.
/ip dhcp-server lease
add address=172.16.10.253 mac-address=48:8F:5A:63:DC:0A server=dhcp1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
# The router answers DNS queries itself. The input rules below accept port 53
# only from the LAN list and the chain ends in a drop, so as exported the
# resolver is not reachable from the WAN side.
/ip dns
set allow-remote-requests=yes
# Source addresses allowed to manage the router over Winbox (see input rule).
/ip firewall address-list
add address=172.16.10.254 list=authorized
add address=172.16.0.2 list=authorized
# Rules are evaluated top to bottom within each chain; input and forward rules
# are interleaved in this export, so read each chain separately.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Management: Winbox (TCP 8291) only from interfaces in the Home list AND from
# source addresses in the "authorized" list.
add action=accept chain=input comment="Winbox access" dst-port=8291 \
in-interface-list=Home protocol=tcp src-address-list=authorized
# DNS to the router is accepted from every interface in LAN, which includes the
# guest and CCTV VLANs.
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
in-interface-list=LAN protocol=tcp
# NOTE(review): in the forward chain the established/related/untracked accept
# is listed before this fasttrack rule, so those packets are already accepted
# before they reach it; as exported the rule looks unreachable - confirm the
# intended order.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# NOTE(review): this is the only forward drop for new connections and it
# matches WAN ingress only. Home_network, Guest_network and CCTV_network are
# all in LAN and no rule separates them, so packets between the three VLANs
# match no drop and are forwarded. If guest/CCTV isolation is intended, it
# needs explicit forward drop rules.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): drop-invalid on input sits after the service accepts above, so
# an invalid-state packet to port 53 from LAN is accepted before it gets here.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Default-deny for the router itself: anything not accepted above is dropped.
add action=drop chain=input comment="drop all else"
# Source NAT for traffic leaving through the WAN list, excluding IPsec-policy
# traffic.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Address ranges the forward chain below refuses as source or destination.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter; every rule carries the defconf comment. Unlike the IPv4 input
# chain in this export, there is no Winbox/authorized restriction here.
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# NOTE(review): this final input rule drops only traffic that is NOT from LAN,
# so everything arriving on a LAN interface is accepted. Guest_network and
# CCTV_network are in LAN, so over IPv6 the router's services are open to those
# segments even though IPv4 Winbox is limited to Home + "authorized". If IPv6
# is active on this device, mirror the IPv4 input policy here - confirm.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# As with IPv4, the forward chain only drops traffic that did not come from
# LAN; nothing here separates the VLANs from each other.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Zagreb
# Update checks follow the "testing" channel; the export header shows the
# device on 7.2rc5, a release candidate. NOTE(review): for an internet-facing
# gateway, consider returning to a stable channel once troubleshooting is done.
/system package update
set channel=testing
# MAC-Telnet is disabled on all interfaces.
/tool mac-server
set allowed-interface-list=none
# MAC-Winbox is limited to the Home (management) list, matching the IPv4
# Winbox input rule in this export.
/tool mac-server mac-winbox
set allowed-interface-list=Home
Are hardware offloaded vlans supported on the hap ac lite?
# jan/02/1970 00:15:33 by RouterOS 7.2rc7
# software id =
#
# model = RB952Ui-5ac2nD
# serial number =
# hAP ac lite as a VLAN-aware switch/AP: one bridge with VLAN filtering on.
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
# NOTE(review): both radios only have an SSID set. No security-profile is
# assigned and the default profile below sets nothing but supplicant-identity.
# The export shows no disabled=no, so presumably the radios are still disabled.
# Confirm a WPA2 profile is attached before enabling them.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
# Only the Home VLAN gets an L3 interface on this device (management address).
/interface vlan
add interface=bridge name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# ether1 is the trunk to the hEX (tagged frames only); ether3/4/5 are access
# ports for VLAN 10/15/20 and accept untagged frames only.
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4 pvid=15
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
# NOTE(review): the bridge (CPU port) is a tagged member of all three VLANs,
# but only VLAN 10 has an interface on this device. Dropping "bridge" from the
# tagged list of 15 and 20 would keep the AP's CPU out of the guest and CCTV
# segments - confirm nothing on the device needs them.
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3 vlan-ids=10
add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=15
add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=20
# Management scope on the hAP: the Home VLAN interface and the off-bridge ether2.
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
# Static addresses: a local /24 on ether2 and the AP's management address in
# the Home VLAN (172.16.10.253, the address reserved for it on the hEX).
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
# NOTE(review): this export contains no /ip firewall section, so nothing filters
# input to the device. With allow-remote-requests=yes the resolver, and whatever
# management services are enabled, answer on both addressed interfaces. An AP
# that only needs to resolve names for itself can leave allow-remote-requests
# off; otherwise add input rules.
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
# Default route via the hEX's Home VLAN gateway.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
# MAC-Winbox is limited to the Home list. Unlike the hEX export, /tool
# mac-server (MAC-Telnet) is not set here, so it is presumably at its default.
/tool mac-server mac-winbox
set allowed-interface-list=Home
# jan/02/1970 00:30:52 by RouterOS 6.47.10
# software id =
#
# model = RB4011iGS+
# serial number =
# Comparison setup on an RB4011 (RouterOS 6.47.10 per the export header).
# The admin-mac value was blanked in the post; the line will not import as-is.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
# Same three VLAN interfaces as on the hEX S: CCTV 20, Guest 15, Home 10.
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
# Sets default-vlan-id=0 on switch ports 0-11.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# The default 192.168.88.0/24 pool is kept for the bridge itself, alongside one
# pool per VLAN.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_home ranges=172.16.10.2-172.16.10.254
add name=dhcp_guest ranges=172.16.15.2-172.16.15.254
add name=dhcp_cctv ranges=172.16.20.2-172.16.20.254
# One DHCP server on the bridge and one on each VLAN interface.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_home disabled=no interface=Home_network name=\
dhcp-srv-home
add address-pool=dhcp_guest disabled=no interface=Guest_network name=\
dhcp-srv-guest
add address-pool=dhcp_cctv disabled=no interface=CCTV_network name=\
dhcp-srv-cctv
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=15
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=20
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether10 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether10 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=bridge,ether10 untagged=ether5 vlan-ids=20
# Interface-list membership. The firewall, neighbor-discovery and MAC-server
# settings in this export match on these lists, not on individual interfaces.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=Home_network list=LAN
# NOTE(review): the guest and CCTV VLAN interfaces join the same LAN list as
# the home VLAN, so every rule keyed on LAN (input-chain "drop !LAN",
# mac-server, neighbor discovery) treats all three as equally trusted.
# A separate list for the untrusted VLANs would let those rules tell them apart.
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=172.16.10.253 mac-address=48:8F:5A:63:DC:0A server=dhcp-srv-home
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# The router answers DNS queries from clients (allow-remote-requests=yes).
# Queries arriving on WAN are dropped by the "drop all not coming from LAN"
# input rule below; queries from every interface in the LAN list are served.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Rules are evaluated top to bottom within each chain; a packet that matches
# no rule in its chain is accepted.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# NOTE(review): in this export the fasttrack rule sits after the forward
# "accept established,related" rule, so established/related packets are
# already accepted before they reach it. The other router exports on this page
# list fasttrack first.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
# NOTE(review): LAN contains Home_network, Guest_network and CCTV_network in
# this export, so this rule leaves the router's own services reachable from the
# guest and CCTV VLANs. /ip service is not exported here; presumably defaults.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): the forward chain has no further rules. Only invalid packets
# and new, non-dst-nat'ed WAN connections are dropped, so new connections
# between the Home, Guest and CCTV VLANs are forwarded. If the VLANs are meant
# to be isolated from each other, that needs explicit forward drop rules.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# MAC-Telnet and MAC-Winbox are limited to the LAN list.
# NOTE(review): LAN includes the guest and CCTV VLAN interfaces here, so
# layer-2 management is offered on those VLANs as well; the Home list defined
# in this export would be the narrower choice.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I don't see any issue, but maybe there is an issue with v7 on the hap ac lite. Who knows? So I tried to configure the hap ac lite from the beginning, without wifi for now, but no luck... still not working...
Somehow I missed the part about the hap ac lite working via the trunk to the RB4011. I read the comment as the RB4011 was working, and without reading the config, assumed that you had configured the RB4011 as the access point instead of the hap ac lite, but still connected to the hEX S. I realize that jumping to conclusions and making assumptions is a bad troubleshooting practice. It's working on RB4011, it worked right away, as soon as I plugged in the hap ac lite.
Why is it working ? I really don't know. My plan now is to backup hex config, downgrade it to 6.48.6 and restore configuration. If it works, that would indicate some strange firmware problem I presume ?
I am aware of problems that doing a factory reset and restoring seems to fix, and in a lab/home situation it may make the most sense. But then we won't learn the root cause. Why is it working? I really don't know. My plan now is to back up the hex config, downgrade it to 6.48.6 and restore the configuration. If it works, that would indicate some strange firmware problem, I presume?
There were gremlin-type problems discussed in the past on this forum. In such cases the cure was to reset the configuration (change in SW version was not necessary) and then re-do the config ... either manual configuration or import the exported config. Restoring from (binary) backup did not help. Which might indicate that there's some configuration lingering which doesn't show in UI but affects how device operates.
So my advice: reset configuration, install whichever ROS version you want to have (7.2rc or 6.48.6 or anything in between; if you decide to install the device, you might as well netinstall it to be 100% sure any lingering configuration gets removed) and then configure the device from scratch. You know what kind of config it needs because you've got it on your RB4011, no sidesteps are needed now.
# apr/05/2022 18:05:21 by RouterOS 7.2
# software id = 2NZF-BKUH
#
# model = RB760iGS
# serial number = D4500FA09027
/interface bridge
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_home ranges=172.16.10.2-172.16.10.254
add name=dhcp_guest ranges=172.16.15.2-172.16.15.254
add name=dhcp_cctv ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_home interface=Home_network name=dhcp-srv-home
add address-pool=dhcp_guest interface=Guest_network name=dhcp-srv-guest
add address-pool=dhcp_cctv interface=CCTV_network name=dhcp-srv-cctv
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=15
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
# Interface-list membership. The firewall, neighbor-discovery and MAC-server
# settings in this export match on these lists, not on individual interfaces.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=Home_network list=LAN
# NOTE(review): Guest_network and CCTV_network share the LAN list with the home
# VLAN, so rules keyed on LAN cannot distinguish trusted from untrusted VLANs.
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=172.16.10.253 mac-address=48:8F:5A:63:DC:0A server=dhcp-srv-home
/ip dhcp-server network
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.15.0/24 dns-server=172.16.15.1 gateway=172.16.15.1
add address=172.16.20.0/24 dns-server=172.16.20.1 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
# The router answers DNS queries from clients (allow-remote-requests=yes); the
# DHCP networks in this export hand out the router's VLAN addresses as DNS
# server. WAN queries are dropped by the input "drop !LAN" rule below.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Rules are evaluated top to bottom within each chain; a packet that matches
# no rule in its chain is accepted.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): LAN contains Home_network, Guest_network and CCTV_network in
# this export, so the router's own services stay reachable from the guest and
# CCTV VLANs. /ip service is not exported here; presumably defaults - confirm.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Last forward rule: only new WAN connections without dst-nat are dropped.
# NOTE(review): nothing here drops new connections between the Home, Guest and
# CCTV VLANs, so inter-VLAN traffic is forwarded. Isolation between them would
# need explicit forward drop rules.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Zagreb
# MAC-Telnet and MAC-Winbox are limited to interfaces in the LAN list.
# NOTE(review): in this export LAN also contains Guest_network and
# CCTV_network, so layer-2 management is offered on those VLANs too; the Home
# list defined in this export would be the narrower choice.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# jan/02/1970 00:31:38 by RouterOS 6.48.6
# software id =
#
# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
# Management VLAN interface (VLAN 10) on top of the bridge.
# NOTE(review): use-service-tag=yes makes this interface use the IEEE 802.1ad
# service tag (EtherType 0x88a8) instead of the 802.1Q tag (0x8100). The router
# exports on this page define Home_network without it, so the two ends
# presumably disagree on the tag type - confirm against the trunk peer.
/interface vlan
add interface=bridge name=Home_network use-service-tag=yes vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# ether1 is the trunk (tagged frames only); ether3-5 are access ports that
# accept only untagged/priority-tagged frames and place them in their pvid.
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4 pvid=15
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
# The bridge itself (CPU port) is a tagged member of VLAN 10 only, so this
# device has an IP presence in the home VLAN and merely switches VLAN 15/20.
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=ether1 untagged=ether5 vlan-ids=20
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
# ether2 is not a bridge port in this export; it carries its own /24.
# NOTE(review): this export contains no /ip firewall filter and no
# /tool mac-server section, so nothing shown here restricts access to the
# device on ether2 or Home_network - confirm whether that is intended.
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
# Resolver is enabled for clients and forwards to the router at 172.16.10.1.
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add distance=1 gateway=172.16.10.1
/system identity
set name=RouterOS
# apr/06/2022 19:42:21 by RouterOS 6.48.6
# software id =
#
# model = RB760iGS
# serial number =
/interface bridge
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_home ranges=172.16.10.2-172.16.10.254
add name=dhcp_guest ranges=172.16.15.2-172.16.15.254
add name=dhcp_cctv ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_home disabled=no interface=Home_network name=\
dhcp_srv_home
add address-pool=dhcp_guest disabled=no interface=Guest_network name=\
dhcp_srv_guest
add address-pool=dhcp_cctv disabled=no interface=CCTV_network name=\
dhcp_srv_cctv
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
# Interface-list membership used by the firewall and MAC-server settings below.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=Home_network list=LAN
# NOTE(review): Guest_network and CCTV_network share the LAN list with the home
# VLAN, so rules keyed on LAN cannot distinguish trusted from untrusted VLANs.
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# The router answers DNS queries from clients (allow-remote-requests=yes);
# WAN queries are dropped by the input "drop !LAN" rule below.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Rules are evaluated top to bottom within each chain; a packet that matches
# no rule in its chain is accepted.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): LAN contains the guest and CCTV VLAN interfaces in this export,
# so the router's own services remain reachable from those VLANs.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Last forward rule: only new WAN connections without dst-nat are dropped.
# NOTE(review): new connections between the Home, Guest and CCTV VLANs match no
# drop rule and are forwarded; isolation would need explicit forward rules.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=RouterOS
# MAC-Telnet and MAC-Winbox are limited to interfaces in the LAN list.
# NOTE(review): LAN also contains Guest_network and CCTV_network in this
# export, while neighbor discovery was already narrowed to the Home list;
# using Home here as well would keep layer-2 management off those VLANs.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Wasn't that ether5 trunk port on the hEX S? Running 7.2rc5? So I did one experiment: I wanted to see if this new switch would work with the ether5 trunk port, and it's working, all VLANs are working.
Laptop gets IP address by DHCP and I have internet access.
What does "VLANs working on hEXs ports" mean? Be specific. hEXs on 7.2 stable (no netinstall, just a regular upgrade), hap ac lite on 7.2 stable, VLANs working on hEXs ports, on hap ac lite not working...
But didn't you say the trunk port worked when connected to the switch? But I never understood the reason for using the SFP port on the switch when you configured the switch (post #94). How did you connect ether5 to the SFP port? Did you use an SFP to RJ45 copper 1Gbps module? So, when I say that VLANs are working on hEX ports, I mean that when I untag VLANs 10, 15 and 20 on hEX ports 2, 3 and 4 I get an IP address and internet access.
But when i connect hap ac lite to ether5 which is trunk port then i get nothing.
# apr/07/2022 11:45:09 by RouterOS 7.2
# software id =
#
# model = RB952Ui-5ac2nD
# serial number =
# VLAN-aware bridge.
# NOTE(review): ingress-filtering=no turns off the ingress check that the
# receiving port is a member of the frame's VLAN in /interface bridge vlan;
# presumably carried over from the 6.x configuration - confirm it is intended.
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
# Three SSIDs: CCTV (wlan1), Gazda (wlan2) and Gosti (virtual AP wlan3 on
# wlan1). The bridge-port section of this export maps them to pvid 20, 10, 15.
# NOTE(review): no security-profile= is exported on any of the three, which in
# an export normally means all use the default profile and therefore one shared
# passphrase; separate profiles per SSID would keep guest credentials from
# opening the home or CCTV SSID - confirm.
# NOTE(review): wlan1 alone has no wps-mode=disabled; presumably left at its
# default - confirm.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
mode=ap-bridge ssid=CCTV
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40mhz-Ce \
country=croatia disabled=no mode=ap-bridge ssid=Gazda wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:63:DC:10 \
master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=Gosti \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# Management VLAN interface (VLAN 10) on top of the bridge.
# NOTE(review): use-service-tag=yes makes this interface use the IEEE 802.1ad
# service tag (EtherType 0x88a8) instead of the 802.1Q tag (0x8100). The router
# exports on this page define Home_network without it - confirm both ends of
# the trunk agree on the tag type.
/interface vlan
add interface=bridge name=Home_network use-service-tag=yes vlan-id=10
/interface list
add name=Home
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# Default wireless security profile: pre-shared-key authentication. The key
# itself does not appear in this export.
# NOTE(review): wpa-psk is allowed alongside wpa2-psk; unless legacy clients
# need WPA, limiting authentication-types to wpa2-psk is the stricter setting.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# ether1 is the trunk (tagged frames only). ether3-5 and the three wireless
# interfaces are access ports: untagged/priority-tagged frames only, placed in
# the port's pvid (10 = home, 15 = guest, 20 = CCTV per the router exports).
# NOTE(review): every port carries ingress-filtering=no, which disables the
# per-port ingress check against the bridge VLAN table; presumably a leftover
# from the 6.x configuration - confirm it is intended.
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=no \
interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=ether4 pvid=15
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=ether5 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=wlan1 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=wlan3 pvid=15
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface=wlan2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=Home
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# The bridge itself (CPU port) is a tagged member of VLAN 10 only, so this
# device has an IP presence in the home VLAN and merely switches VLAN 15/20.
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3,wlan2 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=ether4,wlan3 vlan-ids=15
add bridge=bridge tagged=ether1 untagged=ether5,wlan1 vlan-ids=20
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
# NOTE(review): MD5 and SHA-1 are the accepted HMACs for the OpenVPN server.
# Whether the server is enabled is not shown in this export; if it is ever
# enabled, restrict auth to a stronger digest first.
/interface ovpn-server server
set auth=sha1,md5
# ether2 is not a bridge port in this export; it carries its own /24.
# NOTE(review): this export contains no /ip firewall filter and no
# /tool mac-server section, so nothing shown here restricts access to the
# device on ether2 or Home_network - confirm whether that is intended.
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
# Resolver is enabled for clients and forwards to the router at 172.16.10.1.
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=RouterOS
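Service Tag is used when we need management access in cases where double VLAN tagging is used... use-service-tag=yes. With use-service-tag=yes the VLAN interface uses the IEEE 802.1ad service tag (EtherType 0x88a8) instead of the 802.1Q tag (0x8100), so it only fits a link whose other end expects 802.1ad.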