I have an RB2011 that, thanks to your support, I managed to configure as I needed.
After a couple of days of working well, it started showing problems with the PPPoE dial-up (EOLO).
Looking at the log, it tries to initiate the connection but terminates and disconnects every 10 seconds. If I switch the cable back to the ISP router, it gets a steady connection in less than 15".
I think I should revert to "bridge" configuration and use the ISP router as a modem, but I would like to spare a device...
This is the last working config:
# aug/05/2022 11:41:47 by RouterOS 7.4
# software id = EBV1-UKWG
#
# model = RB2011UiAS-2HnD
# serial number = HCJ087SPZEY
# NOTE(review): the software id and serial number above identify this specific
# unit. This export also enables "/ip cloud" DDNS, whose DNS name is based on
# the serial number, so both values are worth redacting before sharing an export.
#
# One VLAN-aware bridge carries all internal VLANs; spanning tree is switched
# off (protocol-mode=none).
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
# ether1 is the ISP uplink. ether10 is renamed here and is not listed under
# "/interface bridge port" in this export, so it stays outside BR1.
/interface ethernet
set [ find default-name=ether1 ] comment="Connessione Eolo"
set [ find default-name=ether10 ] name=ether10-safe
# wlan1 runs as an access point with a hidden SSID. hide-ssid only stops the
# name being announced; access control comes from the security profile below.
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto hide-ssid=yes \
mode=ap-bridge ssid=theFarmSvc
# WireGuard endpoint; the input chain opens the same UDP port.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# VLANs 99, 10 and 20 are interfaces on BR1. EOLO_VLAN (id 100) sits directly
# on ether1 and is the carrier for the PPPoE session.
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=ether1 name=EOLO_VLAN vlan-id=100
add interface=BR1 name=GREEN_VLAN vlan-id=20
# PPPoE dials over EOLO_VLAN and installs the default route. The export shows
# the account user name but no password; the user name is still account data
# and is normally masked when a config is posted.
/interface pppoe-client
add add-default-route=yes disabled=no interface=EOLO_VLAN name=pppoe-out1 \
user=WB3611188119
# Interface lists used by the firewall, neighbor discovery and MAC-Winbox.
# NOTE(review): LAN gets a member (BR1) further down, but nothing in this
# export refers to the LAN list.
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=LAN
# Default wireless profile restricted to WPA2-PSK; no passphrase appears in
# this export. wlan1 above sets no security-profile, so presumably it uses
# this default profile - confirm.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
# One DHCP pool and server per internal VLAN. BASE hands out only
# 192.168.0.10-192.168.0.20.
/ip pool
add name=BLUE_POOL ranges=192.168.3.2-192.168.3.254
add name=GREEN_POOL ranges=192.168.203.2-192.168.203.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.20
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN lease-time=1d name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN lease-time=1d name=BASE_DHCP
/port
set 0 name=serial0
# Access ports: pvid decides which VLAN untagged ingress traffic joins.
# NOTE(review): wlan1 has pvid=20 here but is listed as untagged for
# vlan-ids=10 under "/interface bridge vlan" below; one of the two looks
# unintended - confirm which VLAN Wi-Fi clients should be in.
# NOTE(review): no frame-types / ingress-filtering values are set, so these
# ports run with whatever RouterOS 7.4 defaults to - confirm that access
# ports do not accept tagged frames.
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1 pvid=20
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=ether5 pvid=20
add bridge=BR1 interface=ether9 pvid=99
# Neighbor discovery is limited to the BASE list, so it is not enabled on the
# WAN or on the BLUE/GREEN VLANs.
/ip neighbor discovery-settings
set discover-interface-list=BASE
# VLAN table: BR1 is a tagged member of every VLAN, matching the VLAN
# interfaces created on BR1. See the wlan1 pvid note above for the vlan-ids=10
# entry.
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether9 vlan-ids=99
# List membership drives the firewall. WAN contains only pppoe-out1; ether1
# and EOLO_VLAN are in no list, so router-bound traffic arriving on them can
# only match the interface-agnostic input rules or the final drop.
/interface list member
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether10-safe list=BASE
add interface=BR1 list=LAN
add interface=pppoe-out1 list=WAN
# Single WireGuard peer, limited to one /32 inside the tunnel subnet. The
# public key has been replaced by a placeholder in this post.
/interface wireguard peers
add allowed-address=192.168.103.254/32 comment=homerPhone interface=\
wireguard1 public-key="pubKeyA"
# Router addresses, one per VLAN plus the tunnel.
# NOTE(review): 10.10.0.1/24 sits on BR1 itself and has no DHCP pool or
# firewall rule in this export; its purpose is not evident from here.
/ip address
add address=10.10.0.1/24 interface=BR1 network=10.10.0.0
add address=192.168.3.1/24 interface=BLUE_VLAN network=192.168.3.0
add address=192.168.203.1/24 interface=GREEN_VLAN network=192.168.203.0
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.103.1/24 interface=wireguard1 network=192.168.103.0
# Cloud DDNS publishes the router's public address under a MikroTik-hosted
# DNS name.
/ip cloud
set ddns-enabled=yes
# DHCP client on ether1 is kept but disabled; the WAN comes up through PPPoE.
/ip dhcp-client
add disabled=yes interface=ether1
# Every VLAN is given 192.168.0.1 (the BASE address of the router) as DNS
# server; BLUE and GREEN clients reach it through the port 53 input rules.
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.3.0/24 dns-server=192.168.0.1 gateway=192.168.3.1
add address=192.168.203.0/24 dns-server=192.168.0.1 gateway=192.168.203.1
# allow-remote-requests=yes makes the router answer DNS queries from any
# interface the input chain lets through. The final "drop everything else"
# input rule is what keeps the resolver closed to the WAN; if that rule is
# ever disabled or moved, the router becomes an open resolver.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
# Rules are evaluated top to bottom; both chains end in an unconditional drop,
# so anything not accepted above it is rejected.
/ip firewall filter
# WireGuard handshake/data port, accepted on every interface (needed so remote
# peers can reach the tunnel from the WAN).
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
# NOTE(review): this rule matches on source address only and sits first in the
# chain, so it trusts any packet claiming a 192.168.103.0/24 source on any
# interface. Adding in-interface=wireguard1 would tie it to the tunnel.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.103.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP to the router is accepted from every interface, WAN included.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# BASE members (BASE_VLAN, ether10-safe) get unrestricted access to the router.
add action=accept chain=input in-interface-list=BASE
# BLUE and GREEN may only reach the router's DNS service.
add action=accept chain=input dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="drop everything else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Outbound internet for the VLAN and BASE lists. No rule forwards wireguard1
# towards WAN, so tunnel clients cannot use the router as an internet gateway.
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=BASE out-interface-list=WAN
# The WireGuard peer may open connections into both BLUE and GREEN.
add action=accept chain=forward comment="allow wireguard to VLAN" \
in-interface=wireguard1 out-interface-list=VLAN
# NOTE(review): access to BLUE is granted on source MAC alone, with no
# in-interface. A MAC address is not an authenticated identity; any device on
# the same layer-2 segment can present it. Consider also pinning the rule to
# the expected in-interface, or using the tunnel rule above for this device.
add action=accept chain=forward comment="enable homerPhone to BLUE" \
out-interface=BLUE_VLAN src-mac-address=xxxxxx
add action=accept chain=forward comment="enable BASE control everywhere" \
in-interface-list=BASE out-interface-list=VLAN
# Accepts any connection that was destination-NATed. The NAT table in this
# export has no dst-nat rule, so this currently matches nothing; every dst-nat
# rule added later is forwarded without a further filter check.
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
# Default deny between VLANs and from WAN inwards.
add action=drop chain=forward
# Source NAT for everything leaving through the WAN list (pppoe-out1).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MTtheFarm
# MAC-Winbox is limited to the BASE list (BASE_VLAN and ether10-safe).
# NOTE(review): this export contains no "/tool mac-server set" (MAC-Telnet)
# and no "/ip service" section, so those presumably remain at their defaults -
# confirm they are restricted as well. IP-level access to router services is
# in any case limited by the input chain.
/tool mac-server mac-winbox
set allowed-interface-list=BASE