The Ethernet ports that show Rx drops are:
- ether2-trunk-eetkamer (trunk port)
- ether9-trunk-woonkamer (trunk port)
- ether10-ap-boven (hybrid port)
My current config (any improvements are more than welcome):
# model = RB4011iGS+
# serial number = **********
# --- Review notes: added as '#' comments only, no command was changed. ---
# Export of a single-bridge, VLAN-filtering setup on an RB4011: WireGuard for
# remote access and a site-to-site link, L2TP/IPsec and OVPN server stanzas,
# and an input/forward firewall built on interface lists and address lists.
# Secrets and public addresses were redacted by the author. Anything that rests
# on an assumption rather than on a line of this export is marked NOTE(review).
/interface bridge
# One bridge carries every VLAN. protocol-mode=none disables (R)STP, so a
# physical loop between the two trunk ports would not be blocked by this device.
# NOTE(review): confirm the downstream switches run STP or no loop path exists.
add admin-mac=**:**:**:**:**:** auto-mac=no ingress-filtering=no name=\
bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
# ether1 is unused and disabled; the WAN uplink is the SFP+ cage (sfp1-WAN).
# Ports are renamed by role: two trunks (ether2, ether9), one AP hybrid port
# (ether10), the rest access ports.
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] name=ether2-trunk-eetkamer
set [ find default-name=ether3 ] name=ether3-printer
set [ find default-name=ether4 ] name=ether4-nassie
set [ find default-name=ether5 ] name=ether5-nassie
set [ find default-name=ether6 ] name=ether6-solar
set [ find default-name=ether7 ] name=ether7-hue
set [ find default-name=ether8 ] name=ether8-tv-boven
set [ find default-name=ether9 ] name=ether9-trunk-woonkamer
set [ find default-name=ether10 ] name=ether10-ap-boven
set [ find default-name=sfp-sfpplus1 ] name=sfp1-WAN
/interface wireguard
# WireGuard listens on UDP 13231; the input rule further down accepts that port
# only when it arrives on DELTA-VLAN-INTERNET (the WAN VLAN interface).
add listen-port=13231 mtu=1420 name=WG-Interface private-key=\
"********************************"
/interface vlan
# DELTA-VLAN-INTERNET is the provider VLAN (100) on the WAN SFP. The other VLAN
# interfaces are the router's own L3 presence on bridge-LAN; bridge-LAN itself is
# listed as a tagged member of every VLAN in /interface bridge vlan below.
add interface=sfp1-WAN name=DELTA-VLAN-INTERNET vlan-id=100
add interface=bridge-LAN name=GUEST_VLAN vlan-id=51
add interface=bridge-LAN name=HOME_VLAN vlan-id=50
add interface=bridge-LAN name=MGT-LAN vlan-id=99
add interface=bridge-LAN name=SOLAR_VLAN vlan-id=53
add interface=bridge-LAN name=VIDEO_VLAN vlan-id=52
/interface bonding
# LACP (802.3ad) bond for the NAS over ether4+ether5; it is bridged as an
# untagged access member of VLAN 50 in the bridge-port and bridge-vlan sections.
add mode=802.3ad name=LCAP_DS1019+ slaves=ether4-nassie,ether5-nassie \
transmit-hash-policy=layer-2-and-3
/interface list
# IoT holds only VIDEO_VLAN and is not referenced by any firewall rule in this
# export; camera isolation is done with explicit in/out-interface rules instead.
add name=WAN
add name=LAN
add name=IoT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# NOTE(review): secure-profile is not referenced anywhere in this export; the
# L2TP/IPsec server further down presumably negotiates with the default profile
# and the default proposal rather than with this one.
add dh-group=modp4096 enc-algorithm=aes-256,aes-128 hash-algorithm=sha512 \
name=secure-profile
/ip ipsec proposal
# The default proposal is pinned to 3DES only, a deprecated 64-bit block cipher.
# Because the L2TP server sets use-ipsec=required, every L2TP/IPsec client
# would end up on 3DES. Prefer enc-algorithms=aes-256-cbc,aes-128-cbc once the
# clients are confirmed to support it, or drop the L2TP stanza if it is unused.
set [ find default=yes ] enc-algorithms=3des
/ip pool
# One pool per VLAN. NOTE(review): LT2P_POOL (sic, presumably "L2TP") is not
# referenced by any DHCP server or PPP profile here; the PPP profile hands out
# VPN_POOL (192.168.89.x). It looks like a leftover.
add name=HOME_POOL ranges=192.168.50.50-192.168.50.150
add name=GUEST_POOL ranges=192.168.51.50-192.168.51.150
add name=VIDEO_POOL ranges=192.168.52.50-192.168.52.150
add name=SOLAR_POOL ranges=192.168.53.50-192.168.53.150
add name=LT2P_POOL ranges=192.168.100.50-192.168.100.150
add name=VPN_POOL ranges=192.168.89.50-192.168.89.150
add name=MGT_POOL ranges=192.168.99.50-192.168.99.150
/ip dhcp-server
# Short leases (4h) for the client VLANs, 1d for the infrastructure VLANs.
add address-pool=HOME_POOL interface=HOME_VLAN lease-time=4h name=HOME_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN lease-time=4h name=\
GUEST_DHCP
add address-pool=VIDEO_POOL interface=VIDEO_VLAN lease-time=1d name=\
VIDEO_DHCP
add address-pool=SOLAR_POOL interface=SOLAR_VLAN lease-time=1d name=\
SOLAR_DHCP
add address-pool=MGT_POOL interface=MGT-LAN lease-time=1d name=MGT_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# Default PPP profile (used by L2TP clients): router side 192.168.89.254, clients
# from VPN_POOL, DNS pointed at the router. NOTE(review): 192.168.89.0/24 appears
# in no firewall accept rule (not in allowed_to_router, no forward rule), so a
# PPP client could reach the router only with ICMP and nothing beyond it. That is
# consistent with the L2TP server being unused; confirm before relying on it.
set *FFFFFFFE dns-server=192.168.89.254 local-address=192.168.89.254 \
remote-address=VPN_POOL use-upnp=no
/routing bgp template
# BGP template and the OSPF instance/area are disabled=no, but no BGP connection,
# OSPF interface-template or network appears in this export. NOTE(review):
# presumably created by the v6->v7 upgrade; inert as long as nothing uses them.
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no in-filter-chain=ospf-in name=default-v2 out-filter-chain=\
ospf-out
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/routing table
add fib name=""
/user group
# The 'full' group keeps the ftp, telnet, api and web policies. The matching
# services are disabled in /ip service below, so those policies are inert unless
# a service is re-enabled; rest-api rides on www-ssl, which stays enabled.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,rest-api"
/dude
# Dude server enabled; its reachability is bounded by the input chain
# (allowed_to_router) like every other router service.
set enabled=yes
/interface bridge port
# Rx-drop note: both trunks are frame-types=admit-only-vlan-tagged, so any
# untagged or priority-tagged frame arriving from the far end (a switch's native
# VLAN, untagged LLDP/CDP/MNDP, a mis-tagged access device) is discarded at
# ingress. NOTE(review): per-port ingress filtering is not overridden here and
# defaults to on in RouterOS 7, so a tagged frame whose VLAN is not in
# /interface bridge vlan for that port is discarded as well (e.g. VLAN 52 or 53
# arriving on ether9 or ether10). These discards are presumably what the port's
# Rx-drop counter reports; confirm with a torch/sniff on the port, looking for
# untagged frames and for VLAN IDs outside the table.
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged interface=\
ether2-trunk-eetkamer
# NOTE(review): ether3-printer has pvid=50 but is not listed among the static
# untagged= members of VLAN 50 below (ether7, ether8 and the bond are). It
# presumably works only through the dynamic entry RouterOS derives from the pvid;
# adding it to the static list keeps the VLAN table self-describing.
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3-printer pvid=50
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether6-solar pvid=53
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged interface=\
ether9-trunk-woonkamer
# Hybrid port for the AP: no frame-types, so it admits everything. Untagged
# frames land in the management VLAN (99, the AP itself); tagged 50 and 51 (the
# SSIDs) are allowed by the VLAN table below. A tagged frame for any other VLAN
# from the AP is dropped at ingress.
add bridge=bridge-LAN interface=ether10-ap-boven pvid=99
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether7-hue pvid=50
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
interface=ether8-tv-boven pvid=50
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
interface=LCAP_DS1019+ pvid=50
/ip neighbor discovery-settings
# The LAN list includes WG-Interface (see /interface list member), so neighbor
# discovery here, and mac-server / mac-winbox at the end of the file, are
# reachable over every WireGuard peer, including the site-to-site one. A
# narrower list for these MAC-level services would limit that exposure.
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 fully disabled; no IPv6 firewall is needed while this stays set.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# VLAN table (bridge-LAN is tagged everywhere so the router has an L3 interface
# in each VLAN):
#  50 HOME : both trunks + AP; untagged hue, tv, NAS bond (+ printer via pvid)
#  51 GUEST: both trunks + AP
#  52 VIDEO: eetkamer trunk only
#  53 SOLAR: untagged ether6 only
#  99 MGT  : both trunks; untagged on the AP port
add bridge=bridge-LAN tagged=\
bridge-LAN,ether2-trunk-eetkamer,ether9-trunk-woonkamer,ether10-ap-boven \
untagged=ether7-hue,ether8-tv-boven,LCAP_DS1019+ vlan-ids=50
add bridge=bridge-LAN tagged=\
bridge-LAN,ether2-trunk-eetkamer,ether9-trunk-woonkamer,ether10-ap-boven \
vlan-ids=51
add bridge=bridge-LAN tagged=bridge-LAN,ether2-trunk-eetkamer vlan-ids=52
add bridge=bridge-LAN tagged=bridge-LAN untagged=ether6-solar vlan-ids=53
add bridge=bridge-LAN tagged=\
bridge-LAN,ether2-trunk-eetkamer,ether9-trunk-woonkamer untagged=\
ether10-ap-boven vlan-ids=99
/interface l2tp-server server
# No enabled=yes is exported, so the L2TP server is presumably at its default
# (disabled). If it is ever enabled: mschap1 is weak (mschap2 alone is the usual
# choice), the IPsec side inherits the 3DES-only default proposal above, and the
# PPP address range has no firewall rules (see /ppp profile).
set authentication=mschap1,mschap2 ipsec-secret=********** max-mru=1460 \
max-mtu=1460 use-ipsec=required
/interface list member
# LAN = every VLAN except VIDEO plus the WireGuard interface; WAN = the provider
# VLAN; IoT = VIDEO only (unused by the firewall).
add interface=HOME_VLAN list=LAN
add interface=GUEST_VLAN list=LAN
add interface=VIDEO_VLAN list=IoT
add interface=SOLAR_VLAN list=LAN
add interface=DELTA-VLAN-INTERNET list=WAN
add interface=MGT-LAN list=LAN
add interface=WG-Interface list=LAN
/interface ovpn-server server
# auth=sha1,md5 are weak HMACs. No enabled=yes is exported, so the OVPN server
# is presumably disabled; if it is brought back, prefer sha256/sha512.
# NOTE(review): confirm the installed RouterOS version offers those values.
set auth=sha1,md5
/interface wireguard peers
# allowed-address is WireGuard's cryptokey routing: one /32 per road-warrior
# device and 192.168.60.0/24 for the site-to-site peer. Only the site-to-site
# peer has an endpoint, so this side initiates that tunnel; the others dial in.
# Public keys and the endpoint address are redacted.
add allowed-address=10.0.0.51/32 comment="Mobiel Emiel" interface=\
WG-Interface persistent-keepalive=1m public-key=\
"*********************************************"
add allowed-address=192.168.60.0/24 comment="Site-2-site ouders" \
endpoint-address=********************************************* endpoint-port=13231 \
interface=WG-Interface persistent-keepalive=1m public-key=\
"*********************************************"
add allowed-address=10.0.0.50/32 comment="ShareValue laptop" interface=\
WG-Interface persistent-keepalive=1m public-key=\
"*********************************************"
add allowed-address=10.0.0.55/32 comment=Travelrouter interface=WG-Interface \
persistent-keepalive=1m public-key=\
"*********************************************"
/ip address
# .254 is the gateway in every VLAN; 10.0.0.1/24 is the WireGuard hub address.
add address=192.168.50.254/24 interface=HOME_VLAN network=192.168.50.0
add address=192.168.51.254/24 interface=GUEST_VLAN network=192.168.51.0
add address=192.168.52.254/24 interface=VIDEO_VLAN network=192.168.52.0
add address=192.168.53.254/24 interface=SOLAR_VLAN network=192.168.53.0
add address=192.168.99.254/24 interface=MGT-LAN network=192.168.99.0
add address=10.0.0.1/24 interface=WG-Interface network=10.0.0.0
/ip cloud
# DDNS publishes the WAN address to MikroTik's cloud; update-time=no keeps the
# cloud from setting the clock, which is done by the NTP client below instead.
set ddns-enabled=yes update-time=no
/ip dhcp-client
# WAN address via DHCP on the provider VLAN; provider DNS is ignored
# (use-peer-dns=no) in favour of the static resolvers in /ip dns.
add dhcp-options=clientid,hostname interface=DELTA-VLAN-INTERNET \
use-peer-dns=no
/ip dhcp-server lease
# Static leases: NAS (.50.10), printer (.50.200), solar gateway, cameras, and
# the management-VLAN devices (.99.24x/.99.25x). MAC addresses are the author's.
add address=192.168.50.10 client-id=1:0:11:32:c8:3b:51 mac-address=\
00:11:32:C8:3B:51 server=HOME_DHCP
add address=192.168.53.150 mac-address=80:97:1B:01:7A:10 server=SOLAR_DHCP
add address=192.168.50.200 client-id=1:84:2a:fd:7:5a:c5 mac-address=\
84:2A:FD:07:5A:C5 server=HOME_DHCP
add address=192.168.99.250 client-id=1:cc:2d:e0:41:b4:6 mac-address=\
CC:2D:E0:41:B4:06 server=MGT_DHCP
add address=192.168.99.241 mac-address=C0:74:AD:3E:50:E8 server=MGT_DHCP
add address=192.168.99.240 mac-address=00:0B:82:B5:27:7C server=MGT_DHCP
add address=192.168.99.251 client-id=1:8:55:31:14:58:80 mac-address=\
08:55:31:14:58:80 server=MGT_DHCP
add address=192.168.99.252 client-id=1:64:d1:54:96:2e:38 mac-address=\
64:D1:54:96:2E:38 server=MGT_DHCP
add address=192.168.99.242 mac-address=C0:74:AD:25:D4:C8 server=MGT_DHCP
add address=192.168.52.150 client-id=1:e0:50:8b:c:65:22 mac-address=\
E0:50:8B:0C:65:22 server=VIDEO_DHCP
add address=192.168.52.151 client-id=1:24:52:6a:35:5d:2b mac-address=\
24:52:6A:35:5D:2B server=VIDEO_DHCP
add address=192.168.99.243 mac-address=C0:74:AD:4E:1A:D8 server=MGT_DHCP
/ip dhcp-server network
# HOME and GUEST clients get the two local filtering resolvers (.50.23/.50.24)
# plus one at the parents' site (192.168.60.24, reached over WireGuard); guest
# clients can reach those only because of the "Allow forward to DNS" rules in
# the forward chain. VIDEO gets no DNS at all (dns-none=yes). SOLAR and MGT get
# public resolvers (Quad9, OpenDNS).
# NOTE(review): every network advertises its gateway as ntp-server, but the
# GUEST and SOLAR subnets are not in allowed_to_router, so their NTP requests
# to the router are dropped by the input chain. Either add a UDP/123 input
# accept for those subnets or advertise a reachable NTP server there.
add address=192.168.50.0/24 dns-server=\
192.168.50.23,192.168.50.24,192.168.60.24 gateway=192.168.50.254 \
ntp-server=192.168.50.254
add address=192.168.51.0/24 dns-server=\
192.168.50.23,192.168.50.24,192.168.60.24 gateway=192.168.51.254 \
ntp-server=192.168.51.254
add address=192.168.52.0/24 dns-none=yes
add address=192.168.53.0/24 dns-server=9.9.9.9,208.67.222.222,208.67.220.220 \
gateway=192.168.53.254 ntp-server=192.168.53.254
add address=192.168.99.0/24 dns-server=9.9.9.9,208.67.222.222,208.67.220.220 \
gateway=192.168.99.254 ntp-server=192.168.99.254
/ip dns
# allow-remote-requests=yes makes the router a resolver for whoever can reach
# UDP/TCP 53 on it; the input chain limits that to allowed_to_router (HOME, MGT,
# WireGuard, parents' LAN). The router also resolves the domain-name entries of
# the address lists below with these upstreams.
set allow-remote-requests=yes servers=9.9.9.9,208.67.222.222,208.67.220.220
/ip dns static
# Local names. NOTE(review): pihole1/pihole2 resolve to .50.10/.50.11 while DHCP
# hands clients .50.23/.50.24 as resolvers; one of the two sets is presumably
# stale. nas / nas.elconsultancy.nl point into the parents' site via WireGuard.
add address=192.168.50.254 name=router
add address=192.168.50.10 name=nassie
add address=192.168.50.200 name=laserjet
add address=192.168.50.10 name=nassie.elconsultancy.nl
add address=192.168.60.10 name=nas
add address=192.168.60.10 name=nas.elconsultancy.nl
add address=192.168.50.254 name=vpn.elconsultancy.nl
add address=192.168.50.10 name=pihole1
add address=192.168.50.11 name=pihole2
add address=192.168.50.254 name=time.elconsultancy.nl
/ip firewall address-list
# "Games Blocklist": domain-name entries, resolved by the router's DNS. Only the
# listed names are covered, so a game reached through another hostname or CDN
# is not blocked; this is a convenience filter, not a control.
# WAN-IP / WAN-IP-ouders: the two public addresses (redacted), used by dst-nat
# and by the backup forward rule.
# allowed_to_router: who may reach router services on the input chain. GUEST,
# VIDEO and SOLAR are deliberately absent.
add address=roblox.com list="Games Blocklist"
add address=supercell.com list="Games Blocklist"
add address=www.roblox.com list="Games Blocklist"
add address=rbxcdn.com list="Games Blocklist"
add address=192.168.50.10 list="DNS server list"
add address=192.168.60.23 list="DNS server list"
add address=********************************************* list=WAN-IP
add address=192.168.60.24 list="DNS server list"
add address=192.168.50.24 list="DNS server list"
add address=192.168.50.23 list="DNS server list"
add address=********************************************* list=WAN-IP-ouders
add address=10.0.0.0/24 list=allowed_to_router
add address=192.168.60.0/24 list=allowed_to_router
add address=192.168.50.0/24 list=allowed_to_router
add address=192.168.99.0/24 list=allowed_to_router
add address=127.0.0.1 list=allowed_to_router
/ip firewall filter
# INPUT chain: default-deny. Order matters; the rules are evaluated top-down.
# 'untracked' is matched here but no /ip firewall raw notrack rule appears in
# this export, so it presumably matches nothing.
add action=accept chain=input comment="Accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# WireGuard accepted only on the WAN VLAN interface. log-prefix is set but
# log=yes is not, so the rule logs nothing.
add action=accept chain=input comment="Wireguard rule" dst-port=13231 \
in-interface=DELTA-VLAN-INTERNET log-prefix=WIREGUARD protocol=udp
# ICMP is accepted from any interface, including WAN (router answers ping from
# the internet). Rate-limiting or restricting it to LAN is optional hardening.
add action=accept chain=input comment="Allow input ICMP" protocol=icmp
# Everything else on the router (DNS, NTP, SSH, WinBox, www-ssl, Dude) is
# reachable only from allowed_to_router.
add action=accept chain=input comment="Allow access to addresslist" \
src-address-list=allowed_to_router
add action=drop chain=input comment="Drop everything else"
# FORWARD chain: fasttrack first, then established/related, then the explicit
# accept list, then a logged default drop at the end.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"Accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
# Time-based game blocks ("# inactive time" lines are export markers showing
# the rule was outside its window at export time). They depend on the router
# clock being correct, i.e. on the NTP client below staying in sync.
# inactive time
add action=drop chain=forward comment="Drop Games 11:30 - 15:00 (za-zo)" \
dst-address-list="Games Blocklist" time=11h30m-15h,sun,sat
# inactive time
add action=drop chain=forward comment="Drop Games 22:30 - 0:00 (ma-zo)" \
dst-address-list="Games Blocklist" time=\
22h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment="Drop Games 8:30 - 15:00 (ma-vr)" \
dst-address-list="Games Blocklist" time=8h30m-15h,mon,tue,wed,thu,fri
# WireGuard paths: HOME <-> parents' LAN in both directions; road-warriors
# (10.0.0.0/24) to HOME, to the parents' LAN and to MGT. The parents' LAN gets
# no path into MGT, only the road-warriors do.
add action=accept chain=forward comment="Wireguard forwards" dst-address=\
192.168.60.0/24 src-address=192.168.50.0/24
add action=accept chain=forward dst-address=192.168.50.0/24 src-address=\
192.168.60.0/24
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=\
192.168.50.0/24
add action=accept chain=forward dst-address=192.168.50.0/24 src-address=\
10.0.0.0/24
add action=accept chain=forward dst-address=192.168.60.0/24 src-address=\
10.0.0.0/24
add action=accept chain=forward dst-address=192.168.99.0/24 src-address=\
10.0.0.0/24
# Any source (GUEST included) may reach the listed resolvers on port 53; this is
# what makes the GUEST DHCP dns-server values work.
add action=accept chain=forward comment="Allow forward to DNS" \
dst-address-list="DNS server list" dst-port=53 protocol=tcp
add action=accept chain=forward dst-address-list="DNS server list" dst-port=\
53 protocol=udp
# Inbound NAS backup: accepted only from one specific public source (redacted),
# paired with the dst-nat rule below. Good: source-restricted.
add action=accept chain=forward comment="Allow forward from Marian to backup" \
dst-address=192.168.50.10 dst-port=6281 protocol=tcp src-address=\
*********************************************
# Jamulus: accepted from any source on UDP 22124 to the NAS. This is the only
# unrestricted inbound exposure in the config; keep that service patched.
add action=accept chain=forward comment="Allow forward to Jamulus" \
dst-address=192.168.50.10 dst-port=22124 protocol=udp
# Internet access per VLAN. VIDEO_VLAN is deliberately absent (explicit drop
# further down); GUEST can reach only WAN plus the resolvers accepted above.
add action=accept chain=forward comment="Allow access to Internet" \
in-interface=HOME_VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=GUEST_VLAN out-interface-list=\
WAN
add action=accept chain=forward in-interface=SOLAR_VLAN out-interface-list=\
WAN
add action=accept chain=forward in-interface=MGT-LAN out-interface-list=WAN
add action=accept chain=forward in-interface=WG-Interface out-interface-list=\
WAN
# Cameras: reachable from HOME and from WireGuard; they cannot initiate to the
# internet or to HOME (explicit drops; the final drop would catch these anyway).
add action=accept chain=forward comment=Camera in-interface=HOME_VLAN \
out-interface=VIDEO_VLAN
add action=accept chain=forward in-interface=WG-Interface out-interface=\
VIDEO_VLAN
add action=drop chain=forward in-interface=VIDEO_VLAN out-interface=\
DELTA-VLAN-INTERNET
add action=drop chain=forward in-interface=VIDEO_VLAN out-interface=HOME_VLAN
# HOME may initiate into MGT; MGT cannot initiate into HOME (only return traffic).
add action=accept chain=forward comment="Management VLAN" in-interface=\
HOME_VLAN out-interface=MGT-LAN
# Logged default deny: useful for spotting what the explicit rules miss.
add action=drop chain=forward comment="Drop everything else" log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
# Port forwards to the NAS, matched on the WAN-IP list rather than on an
# interface. The backup forward is source-restricted; Jamulus is open and logs
# every new connection (log=yes), which may be noisy on a public UDP port.
add action=dst-nat chain=dstnat comment="Synology backup Marian" \
dst-address-list=WAN-IP dst-port=6281 protocol=tcp src-address=\
********************************************* to-addresses=192.168.50.10 to-ports=6281
add action=dst-nat chain=dstnat comment="Jamulus server" dst-address-list=\
WAN-IP dst-port=22124 log=yes protocol=udp to-addresses=192.168.50.10 \
to-ports=22124
/ip firewall service-port
# Three connection-tracking helpers disabled. NOTE(review): the remaining helpers
# (ftp, sip, pptp, h323, tftp, irc) are not shown, so they are at their defaults;
# disabling the ones not needed avoids ALG-driven pinholes.
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Static route to the parents' LAN through the WireGuard tunnel.
add comment="Wireguard ouders" disabled=no distance=1 dst-address=\
192.168.60.0/24 gateway=WG-Interface pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
/ip service
# Clear-text and API services off. ssh, winbox and www-ssl remain enabled with no
# address= restriction, so the input chain's allowed_to_router rule is the only
# gate in front of them.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=RB4011
/system ntp client
set enabled=yes
/system ntp server
# NTP served to the LAN (also via manycast/multicast); see the dhcp-server
# network note on which subnets can actually reach it.
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.nl.pool.ntp.org
add address=1.nl.pool.ntp.org
add address=2.nl.pool.ntp.org
add address=3.nl.pool.ntp.org
/system resource irq rps
set sfp1-WAN disabled=no
/tool graphing interface
add interface=DELTA-VLAN-INTERNET
/tool mac-server
# MAC-telnet and MAC-WinBox allowed on the LAN list, which includes
# WG-Interface (see /ip neighbor discovery-settings note).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN