I disabled the fast path because I thought it was causing the issue, but so far without luck.
See the attached screenshot; I have no clue what is generating this MAC: 00:0e:00:00:00:01
# nov/11/2022 14:19:21 by RouterOS 7.6
#
# model = RB4011iGS+5HacQ2HnD
# CAPsMAN channel catalogue: fixed 2.4 GHz channels 1/6/11, fixed non-DFS
# 5 GHz channels 36/40/44/48, and one auto-select channel per band.
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
frequency=2412 name=ch24.1
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
frequency=2437 name=ch24.6
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
frequency=2462 name=ch24.11
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XX \
frequency=5180 name=ch5.36 skip-dfs-channels=yes
add band=5ghz-n/ac control-channel-width=20mhz frequency=5220 name=ch5.44 \
skip-dfs-channels=yes
# No frequency pinned and save-selected=no: the picked channel is not persisted.
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XX name=\
ch5-auto save-selected=no
add band=5ghz-n/ac control-channel-width=20mhz frequency=5200 name=ch5.40 \
skip-dfs-channels=yes
# 2.4 GHz auto channel re-evaluates every 30 minutes and persists its choice.
add band=2ghz-g/n control-channel-width=20mhz name=ch24-auto \
reselect-interval=30m save-selected=yes
add band=5ghz-n/ac control-channel-width=20mhz frequency=5240 name=ch5.48 \
skip-dfs-channels=yes
# Four bridges: bridgeLAN (untagged, fixed admin MAC), bridgeGuests (VLAN 115),
# bridgeIoT (VLAN 117, accepts tagged frames only) and bridgeWAN (VLAN 300).
/interface bridge
add name=bridgeGuests pvid=115 vlan-filtering=yes
add frame-types=admit-only-vlan-tagged name=bridgeIoT pvid=117 \
vlan-filtering=yes
add admin-mac=74:4D:28:BE:82:B6 auto-mac=no name=bridgeLAN
add name=bridgeWAN pvid=300 vlan-filtering=yes
# Port labels; ether1 is the WAN uplink (member of bridgeWAN further down).
/interface ethernet
set [ find default-name=ether1 ] comment=WAN l2mtu=1500
set [ find default-name=ether2 ] comment="Werkkamer 1"
# ether3 is forced to 10 Mbps half-duplex; NOTE(review): confirm this is intended.
set [ find default-name=ether3 ] comment="Werkkamer 2" full-duplex=no speed=\
10Mbps
set [ find default-name=ether4 ] comment="Zolder LACP1"
set [ find default-name=ether5 ] comment="Zolder LACP2"
set [ find default-name=ether6 ] comment=KleineKamer-1
set [ find default-name=ether7 ] comment=KleineKamer-2
set [ find default-name=ether8 ] comment=WoonKamer-1
set [ find default-name=ether9 ] comment=WoonKamer-2
set [ find default-name=ether10 ] comment=Woonkamer-AP
# The SFP+ port is administratively down although it is listed as a bridgeLAN
# port in /interface bridge port; it stays unusable until re-enabled.
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# Local radios of the RB4011. Both are under CAPsMAN (the "managed by CAPsMAN"
# lines are emitted by the export), so the ssid/frequency given here are
# presumably superseded by the CAPsMAN configuration each radio is provisioned
# with; wps-mode=disabled on both.
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(17dBm), SSID: Pleiades-2G, CAPsMAN forwarding
set [ find default-name=wlan2 ] amsdu-limit=2048 band=2ghz-g/n country=\
netherlands distance=indoors frequency=2422 installation=indoor mode=\
ap-bridge name=wlan-2G ssid=Pleiades-2G station-roaming=enabled wps-mode=\
disabled
# managed by CAPsMAN
# channel: 5180/20-Ce/ac/P(20dBm), SSID: Pleiades-5G, CAPsMAN forwarding
set [ find default-name=wlan1 ] amsdu-limit=2048 amsdu-threshold=2048 band=\
5ghz-n/ac channel-width=20/40/80mhz-XXXX country=netherlands frequency=\
5220 installation=indoor mode=ap-bridge name=wlan-5G ssid=Pleiades-5G \
station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
# LACP bond over ether4/ether5 (attic); it is bridged into bridgeLAN below.
/interface bonding
add min-links=1 mode=802.3ad name=lacp-zolder slaves=ether4,ether5 \
transmit-hash-policy=layer-2-and-3
# Datapaths map wireless clients onto bridges. Guests get no client-to-client
# forwarding (isolation); IoT clients can talk to each other. Note that
# datapath-iot is not referenced by any configuration in this export.
/caps-man datapath
add bridge=bridgeLAN client-to-client-forwarding=yes name=datapath-lan
add bridge=bridgeGuests client-to-client-forwarding=no name=datapath-guests \
vlan-id=115 vlan-mode=use-tag
add bridge=bridgeIoT client-to-client-forwarding=yes name=datapath-iot \
vlan-id=117 vlan-mode=use-tag
# Rate profile: legacy 1-18 Mbps rates are not supported (basic 24 Mbps).
/caps-man rates
add basic=24Mbps comment="YT=QYGggSiV7aA" ht-basic-mcs=mcs-3 \
ht-supported-mcs="mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,\
mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-\
22,mcs-23" name=Rates-CSPE supported=24Mbps,36Mbps,48Mbps,54Mbps \
vht-basic-mcs="" vht-supported-mcs=""
# Two WPA2-PSK / AES-CCMP profiles with a 5 minute group-key rotation.
# The passphrases do not appear in this export.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=5m name=secure-lan
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=5m name=guest-wifi
# Per-radio configurations. All Pleiades-2G/5G variants land on datapath-lan
# with secure-lan; "Pleiades Guest" lands on datapath-guests with guest-wifi
# and is only ever used as a slave configuration (virtual AP) in provisioning.
/caps-man configuration
add channel=ch24.1 country=netherlands datapath=datapath-lan distance=indoors \
hide-ssid=no installation=indoor mode=ap name=2G-CH1 rates=Rates-CSPE \
security=secure-lan ssid=Pleiades-2G
add channel=ch5.36 country=netherlands datapath=datapath-lan distance=indoors \
hide-ssid=no installation=indoor mode=ap name=5G-CH36 rates=Rates-CSPE \
security=secure-lan ssid=Pleiades-5G
add channel=ch24.6 country=netherlands datapath=datapath-lan distance=indoors \
hide-ssid=no installation=indoor mode=ap name=2G-CH6 rates=Rates-CSPE \
security=secure-lan ssid=Pleiades-2G
add channel=ch24.11 country=netherlands datapath=datapath-lan distance=\
indoors hide-ssid=no installation=indoor mode=ap name=2G-CH11 rates=\
Rates-CSPE security=secure-lan ssid=Pleiades-2G
add channel=ch5-auto comment=5G-Auto country=netherlands datapath=\
datapath-lan distance=indoors hide-ssid=no installation=indoor mode=ap \
name=5G-Auto rates=Rates-CSPE security=secure-lan ssid=Pleiades-5G
add channel=ch24-auto country=netherlands datapath=datapath-lan distance=\
indoors hide-ssid=no installation=indoor mode=ap name=2G-Auto rates=\
Rates-CSPE security=secure-lan ssid=Pleiades-2G
# No channel= here: the guest SSID follows the channel of its master radio.
add country=netherlands datapath=datapath-guests distance=indoors hide-ssid=\
no installation=indoor mode=ap name=5G-Guest rates=Rates-CSPE security=\
guest-wifi ssid="Pleiades Guest"
# Interface lists used by the firewall. LAN is the union of LAN-Filtered
# (guest/IoT bridges), LAN-Secure (bridgeLAN, WireGuard) and "LAN PPP"
# (L2TP/SSTP/OVPN clients), so every rule matching in-interface-list=LAN
# also matches traffic from guests, IoT devices and VPN clients.
/interface list
add name=WAN
add name=LAN-Filtered
add name=LAN-Secure
add name="LAN PPP"
add include="LAN-Filtered,LAN-Secure,LAN PPP" name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# Local (non-CAPsMAN) security profiles. wifi-guests and wifi-iot are not
# referenced by either local wlan above; management-protection=allowed on both.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=wifi-guests supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=wifi-iot supplicant-identity=""
# Custom DHCP options: domain name, per-host hostnames (option 12),
# TFTP server (66) for network boot, and NTP/time servers pointing at the router.
/ip dhcp-server option
add code=15 name="15 Domain Name" value="s'int.example.nl'"
add code=12 name="12 HostName Suricata" value="s'suricata'"
add code=12 name="12 HostName eVeNG" value="s'eve-ng'"
add code=66 name="66 TFTP Server Name" value="s'192.168.160.8'"
add code=42 name="42 NTP Servers" value="'192.168.160.1'"
add code=4 name="04 Time Server" value="'192.168.160.1'"
# Option sets: DefaultOptions is attached to the LAN and guest servers;
# RaspberryPi adds the TFTP option for netboot clients.
/ip dhcp-server option sets
add name=DefaultOptions options=\
"15 Domain Name,42 NTP Servers,04 Time Server"
add name=RaspberryPi options=\
"15 Domain Name,42 NTP Servers,04 Time Server,66 TFTP Server Name"
# Layer-7 signatures. None of the filter, mangle or NAT rules in this export
# reference them (no layer7-protocol= matcher), so they are currently inert;
# L7 matching is CPU-intensive, so keep them unreferenced unless needed.
/ip firewall layer7-protocol
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bitt\
orrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?inf\
o_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[\
RP]"
add name=Steam regexp="^..+\\\\.(steam|valve|steampowered|steamcommunity|steam\
ga\\\r\
\n mes|steamusercontent|steamcontent|steamstatic).*\\\$"
add name=SSH regexp="^ssh-[12]\\.[0-9]"
add name=SIP regexp="^(invite|register|cancel|message|subscribe|notify) sip[\\\
x09-\\x0d -~]*sip/[0-2]\\.[0-9]"
add name=RDP regexp=rdpdr.*cliprdr.*rdpsnd
add name=NNTP regexp=\
"^(20[01][\\x09-\\x0d -~]*AUTHINFO USER|20[01][\\x09-\\x0d -~]*news)"
add name=HTTP regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d -~\
]*(connection:|content-type:|content-length:|date:)|post [\\x09-\\x0d -~]*\
\_http/[01]\\.[019]"
add name=FTP regexp="^220[\\x09-\\x0d -~]*ftp"
add name=DNS regexp="^.\?.\?.\?.\?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z\
0-9][\\x01-\?a-z]*[\\x02-\\x06][a-z][a-z][fglmoprstuvz]\?[aeop]\?(um)\?[\\\
x01-\\x10\\x1c][\\x01\\x03\\x04\\xFF]"
# IKE phase 1 (used by the L2TP/IPsec server): dh-group=modp1024 is a 1024-bit
# group and is considered weak today; NOTE(review): prefer modp2048 or an ECP
# group if the clients support it.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 \
hash-algorithm=sha256
# Phase 2: sha1 is still offered next to sha256; PFS uses modp2048.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc pfs-group=modp2048
# Address pools. The guest pool holds only nine addresses (192.168.115.2-10)
# with 2h leases on the guest server below; the VPN pools split 192.168.161.0/24
# into server-side (.1-.9) and client-side (.10-.127) addresses.
/ip pool
add name=lan-dhcp ranges=192.168.160.200,192.168.160.254
add name=vpn-pool ranges=192.168.161.10,192.168.161.127
add name=vpn-server-pool ranges=192.168.161.1,192.168.161.9
add name=iot-dhcp ranges=192.168.117.2,192.168.117.254
add name=guests-dhcp ranges=192.168.115.2,192.168.115.10
# One DHCP server per bridge; the IoT server gets no option set.
/ip dhcp-server
add add-arp=yes address-pool=lan-dhcp dhcp-option-set=DefaultOptions \
interface=bridgeLAN lease-time=3d name="lan dhcp"
add add-arp=yes address-pool=iot-dhcp interface=bridgeIoT lease-time=3d name=\
"iot dhcp" server-address=192.168.117.1
add add-arp=yes address-pool=guests-dhcp dhcp-option-set=DefaultOptions \
interface=bridgeGuests lease-time=2h name="guests dhcp" server-address=\
192.168.115.1
# IPv6 is globally disabled (/ipv6 settings disable-ipv6=yes), so the DHCPv6
# server and pool below are inert; the pool's prefix-length equals its prefix.
/ipv6 dhcp-server
add address-pool=lan-dhcp disabled=yes interface=bridgeLAN name=lan-dhcp
/ipv6 pool
add name=lan-dhcp prefix=fd00::/8 prefix-length=8
/port
set 0 name=serial0
set 1 name=serial1
# PPP profiles for the three VPN services. All clients are placed in the
# "LAN PPP" interface list and get the PiHole (192.168.160.17) as DNS.
# ipsec_vpn has no use-encryption= because L2TP relies on IPsec for that.
/ppp profile
add dns-server=192.168.160.17 interface-list="LAN PPP" local-address=\
vpn-server-pool name=ipsec_vpn remote-address=vpn-pool
add change-tcp-mss=yes dns-server=192.168.160.17,192.168.160.1 \
interface-list="LAN PPP" local-address=vpn-server-pool name=sstp_vpn \
remote-address=vpn-pool use-encryption=yes
add interface-list="LAN PPP" local-address=vpn-server-pool name=openvpn_vpn \
remote-address=vpn-pool use-encryption=yes
# BGP template is enabled but no BGP connection appears in this export;
# OSPF instances and areas are disabled.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=yes name=default-v2
add disabled=yes name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
# Disk logging action: 4 files of 4096 lines each, i.e. roughly 16k lines
# of retention before the oldest entries are overwritten.
/system logging action
set 1 disk-file-count=4 disk-lines-per-file=4096
# CAPsMAN access-list is empty: no MAC-based allow/deny at the controller.
/caps-man access-list
# Manager only accepts CAPs that present a certificate, and (below) only on
# bridgeLAN; the default "any interface" entry is forbidden.
/caps-man manager
set ca-certificate=CAPsMAN-CA-744D28BE82B5 certificate=CAPsMAN-744D28BE82B5 \
enabled=yes require-peer-certificate=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridgeLAN
# Provisioning is pinned per radio MAC. 5 GHz radios get 5G-Guest as a slave
# (virtual AP) configuration. The AC-Lite 2G and AC3 2G entries carry no
# action=; NOTE(review): confirm the default action actually provisions them.
/caps-man provisioning
add action=create-dynamic-enabled comment=RB4011 hw-supported-modes=ac \
master-configuration=5G-CH36 name-format=prefix-identity name-prefix=5G \
radio-mac=74:4D:28:BE:82:C0 slave-configurations=5G-Guest
add action=create-dynamic-enabled comment=RB4011 hw-supported-modes=gn \
master-configuration=2G-CH1 name-format=prefix-identity name-prefix=2G \
radio-mac=B8:69:F4:E9:2D:60
add comment=AC-Lite hw-supported-modes=gn master-configuration=2G-Auto \
name-format=prefix-identity name-prefix=2G radio-mac=08:55:31:C1:9C:73
add action=create-dynamic-enabled comment=CAP1 hw-supported-modes=ac \
master-configuration=5G-Auto name-format=prefix-identity name-prefix=5G \
radio-mac=DC:2C:6E:E0:48:62 slave-configurations=5G-Guest
add action=create-dynamic-enabled comment=CAP2 hw-supported-modes=ac \
master-configuration=5G-Auto name-format=prefix-identity name-prefix=5G \
radio-mac=DC:2C:6E:E0:3E:C4 slave-configurations=5G-Guest
add action=create-dynamic-enabled comment=CAP1 hw-supported-modes=gn \
master-configuration=2G-CH6 name-format=prefix-identity name-prefix=2G \
radio-mac=DC:2C:6E:E0:48:61
add action=create-dynamic-enabled comment=CAP2 hw-supported-modes=gn \
master-configuration=2G-CH11 name-format=prefix-identity name-prefix=2G \
radio-mac=DC:2C:6E:E0:3E:C3
add comment=AC3 hw-supported-modes=gn master-configuration=2G-Auto \
name-format=prefix-identity name-prefix=2G radio-mac=08:55:31:D4:6E:B4
add action=create-dynamic-enabled comment=AC3 hw-supported-modes=ac \
master-configuration=5G-Auto name-format=prefix-identity name-prefix=5G \
radio-mac=08:55:31:D4:6E:B5
add action=create-dynamic-enabled comment=AC-Lite hw-supported-modes=ac \
master-configuration=5G-Auto name-format=prefix-identity name-prefix=5G \
radio-mac=08:55:31:C1:9C:72
# Bridge membership. Everything except ether1 is an untagged bridgeLAN port
# (ingress-filtering=no); ether1 is the only bridgeWAN port and accepts only
# VLAN-tagged frames on VLAN 300. No static ports are listed for bridgeIoT or
# bridgeGuests, so those bridges only carry CAPsMAN datapath traffic.
/interface bridge port
add bridge=bridgeLAN ingress-filtering=no interface=ether6
add bridge=bridgeLAN ingress-filtering=no interface=ether7
add bridge=bridgeLAN ingress-filtering=no interface=ether8
add bridge=bridgeLAN ingress-filtering=no interface=ether9
add bridge=bridgeLAN ingress-filtering=no interface=ether10
add bridge=bridgeLAN ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridgeLAN ingress-filtering=no interface=wlan-5G
add bridge=bridgeLAN ingress-filtering=no interface=wlan-2G
add bridge=bridgeWAN frame-types=admit-only-vlan-tagged interface=ether1 \
pvid=300
add bridge=bridgeLAN ingress-filtering=no interface=ether2
add bridge=bridgeLAN ingress-filtering=no interface=lacp-zolder
add bridge=bridgeLAN ingress-filtering=no interface=ether3
# Bridge fast path is off here and in /ip settings (this is the "fastpath"
# the post refers to); use-ip-firewall-for-vlan=yes sends bridged VLAN
# traffic through the IP firewall.
/interface bridge settings
set allow-fast-path=no use-ip-firewall-for-vlan=yes
# Neighbor discovery (MNDP/LLDP) runs on the whole LAN list, which includes
# the guest and IoT bridges; NOTE(review): LAN-Secure would expose less.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no max-neighbor-entries=8192
# IPv6 is fully disabled; all /ipv6 sections below are therefore inactive.
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=8192
# VLAN table. "*25" and "*28" are unresolved internal-ID references (the
# objects they point to are not in this export); bridgeGuests itself is an
# untagged member of VLAN 115 so the router's own address on it works.
/interface bridge vlan
add bridge=bridgeWAN tagged=ether1 vlan-ids=300
add bridge=bridgeIoT tagged=*25 vlan-ids=117
add bridge=bridgeGuests tagged=*28 untagged=bridgeGuests vlan-ids=115
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
# L2TP/IPsec server. mschap1 is still accepted next to mschap2;
# NOTE(review): consider authentication=mschap2 only. The IPsec pre-shared
# secret does not appear in this export.
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn enabled=yes \
keepalive-timeout=disabled use-ipsec=yes
# List membership. "*3D" is an unresolved reference that is also used by the
# WireGuard peers and by /ip address 192.168.119.1/24, so it appears to be
# the WireGuard interface whose /interface wireguard definition is missing
# from this export.
/interface list member
add interface=bridgeWAN list=WAN
add interface=bridgeIoT list=LAN-Filtered
add interface=bridgeGuests list=LAN-Filtered
add interface=bridgeLAN list=LAN-Secure
add interface=*3D list=LAN-Secure
# OpenVPN server: HMAC auth is sha1 only and certificate=*4 does not resolve
# in this export; no enabled= is shown, so it is presumably still disabled.
/interface ovpn-server server
set auth=sha1 certificate=*4 cipher=aes128,aes192,aes256 default-profile=\
openvpn_vpn require-client-certificate=yes
# SSTP server: TLS 1.2 only, mschap2 only, uses the example.nl certificate.
/interface sstp-server server
set authentication=mschap2 certificate=example.nl.pem_0 default-profile=\
sstp_vpn enabled=yes tls-version=only-1.2
# WireGuard peers (public keys redacted as "example.com" in this paste).
# The ABC-PC peer has no allowed-address=; NOTE(review): without one no
# traffic can be routed to that peer - confirm it is intentional.
/interface wireguard peers
add comment=ABC-PC interface=*3D public-key=\
"example.com"
add allowed-address=192.168.119.20/32 comment="Phone - All" interface=*3D \
public-key="example.com"
add allowed-address=192.168.119.21/32 comment="Phone - PrivateNetOnly" \
interface=*3D public-key="example.com"
# Access-list for the local wlan-2G/wlan-5G interfaces. Because those radios
# are CAPsMAN-managed (see /interface wireless), the CAPsMAN access-list
# (empty above) is presumably what gets evaluated instead - confirm.
/interface wireless access-list
add comment="P1meter " interface=wlan-2G mac-address=B8:27:EB:26:30:41
add comment=mobile-sony-xpremium interface=wlan-5G mac-address=\
84:C7:EA:90:D9:B8
add comment=mobile-sony-xcompact interface=wlan-5G mac-address=\
9C:5C:F9:E6:4E:27
add comment="Chromecast " interface=wlan-5G mac-address=88:3D:24:04:90:0A
add allow-signal-out-of-range=30s comment=Wifi-NanoStick interface=wlan-2G \
mac-address=74:DA:38:0E:3F:87 time=0s-1d,sun,mon,tue,wed,thu,fri,sat \
vlan-mode=no-tag
add comment="Samsung TV" interface=wlan-5G mac-address=84:A4:66:89:21:10
# Local CAP: talks to the on-box manager via 127.0.0.1 with its own
# certificate and is locked to that manager.
/interface wireless cap
#
set caps-man-addresses=127.0.0.1 certificate=CAP-744D28BE82B5 enabled=yes \
interfaces=wlan-2G,wlan-5G lock-to-caps-man=yes
/interface wireless snooper
set channel-time=2s
# Router addresses. bridgeLAN carries two subnets (160.0/24 and 180.0/24);
# 192.168.119.1/24 sits on the unresolved "*3D" (WireGuard) interface.
/ip address
add address=192.168.160.1/24 interface=bridgeLAN network=192.168.160.0
add address=192.168.117.1/24 interface=bridgeIoT network=192.168.117.0
add address=192.168.115.1/24 interface=bridgeGuests network=192.168.115.0
add address=192.168.180.1/24 interface=bridgeLAN network=192.168.180.0
add address=192.168.119.1/24 interface=*3D network=192.168.119.0
# MikroTik cloud DDNS publishes the WAN address under a mynetname.net name.
/ip cloud
set ddns-enabled=yes
# WAN address via DHCP on the VLAN-300 bridge; peer NTP is ignored.
/ip dhcp-client
add default-route-distance=5 interface=bridgeWAN use-peer-ntp=no
/ip dhcp-server lease
/ip dhcp-server matcher
add address-pool=lan-dhcp code=43 name="Raspberry Pi Boot" value=43
# DHCP network parameters. Every segment hands out the PiHole as DNS.
# The 192.168.119.0/24 entry has no DHCP server bound to it in this export.
/ip dhcp-server network
add address=192.168.115.0/24 dns-server=192.168.160.17 domain=\
guest.example.nl gateway=192.168.115.1 netmask=24 ntp-server=\
192.168.115.1
add address=192.168.117.0/24 dns-server=192.168.160.17 domain=\
iot.example.nl gateway=192.168.117.1 netmask=24 ntp-server=\
192.168.117.1
add address=192.168.119.0/24 dns-server=192.168.160.17,192.168.119.1 domain=\
manage.example.nl gateway=192.168.119.1 netmask=24 ntp-server=\
192.168.119.1
add address=192.168.160.0/24 dhcp-option-set=DefaultOptions dns-server=\
192.168.160.17 domain=int.example.nl gateway=192.168.160.1 netmask=24 \
ntp-server=192.168.160.1
# The router answers DNS for anything the input chain lets through; WAN is
# dropped there, but the guest and IoT bridges are part of the LAN list.
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=200
# Address lists. Note: the LAN list only holds 192.168.160.0/24, not the
# second bridgeLAN subnet 192.168.180.0/24. The mangle rules below also
# reference Filtered-DNS-Clients and Unfiltered-DNS-Clients, which are not
# defined anywhere in this export. The "DoH Servers" entries are hostnames
# that the router resolves itself; the list is static and necessarily
# incomplete.
/ip firewall address-list
add address=192.168.160.17 list=PiHole
add address=192.168.160.0/24 list=LAN
add address=192.168.160.17 list=DNS-Servers
add address=192.168.160.1 list=Router
add address=192.168.160.1 list=DNS-Servers
add address=dns.google list="DoH Servers"
add address=cloudflare-dns.com list="DoH Servers"
add address=dns9.quad9.net list="DoH Servers"
add address=dns10.quad9.net list="DoH Servers"
add address=doh.cleanbrowsing.org list="DoH Servers"
add address=dns.dnsoverhttps.net list="DoH Servers"
add address=doh.crypto.sx list="DoH Servers"
add address=doh.powerdns.org list="DoH Servers"
add address=doh-jp.blahdns.com list="DoH Servers"
add address=dns.dns-over-https.com list="DoH Servers"
add address=doh.securedns.eu list="DoH Servers"
add address=dns.rubyfish.cn list="DoH Servers"
add address=doh.dnswarden.com list="DoH Servers"
add address=doh.captnemo.in list="DoH Servers"
add address=doh.tiar.app list="DoH Servers"
# IPv4 filter. Neither the input nor the forward chain ends in an explicit
# drop; both rely on the default accept for whatever falls through.
/ip firewall filter
# DNS enforcement (reject unmarked port-53 traffic) is disabled; of the DNS
# policy only the DoH drop further down is active.
add action=reject chain=forward comment="Drop not-allowed DNS" disabled=yes \
dst-port=53 log-prefix="dropped DNS udp-53" packet-mark=!allowed-dns \
protocol=udp reject-with=icmp-admin-prohibited
add action=reject chain=forward comment="Drop not-allowed DNS" disabled=yes \
dst-port=53 log-prefix="dropped DNS tcp-53" packet-mark=!allowed-dns \
protocol=tcp reject-with=icmp-admin-prohibited
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# VPN services reachable from anywhere: IPsec/L2TP, SSTP on 443, WireGuard.
add action=accept chain=input comment="accept IPsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="accept IPsec 1701, 500, 4500" port=\
1701,500,4500 protocol=udp
add action=accept chain=input comment="accept SSTP 443" dst-port=443 \
protocol=tcp
# log=yes here logs every packet that reaches this rule (new flows only,
# since established traffic is accepted above).
add action=accept chain=input comment="accept WireGuard 13231" dst-port=13231 \
log=yes log-prefix=wireQ protocol=udp
add action=accept chain=input comment="accept DNS from vpn" dst-address-list=\
DNS-Servers in-interface=all-ppp packet-mark=allowed-dns
# Only UDP/53 to the PiHole is explicitly allowed from guest/IoT, but see the
# final input rule: nothing else from those bridges is dropped either.
add action=accept chain=input comment="accept DNS LanFiltered" \
dst-address-list=PiHole dst-port=53 in-interface-list=LAN-Filtered \
protocol=udp
# CAPsMAN (CAPWAP 5246/5247) only from the local CAP and from bridgeLAN.
add action=accept chain=input comment="accept CAPsMAN localhost" dst-port=\
5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="accept CAPsMAN lan" dst-port=5246,5247 \
in-interface=bridgeLAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix=drop-invalid
# NOTE(review): LAN includes LAN-Filtered and "LAN PPP", so guest, IoT and
# VPN clients fall through this rule to the implicit accept and can reach
# every router service (ssh, winbox, www-ssl, DNS, ...). A
# `add action=drop chain=input in-interface-list=LAN-Filtered` placed after
# the "accept DNS LanFiltered" rule would close that gap.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix=drop-notLan
# NOTE(review): in-interface-list=LAN restricts this to LAN-originated
# packets, so return traffic arriving from WAN for LAN-initiated connections
# is not matched here and is only passed because the forward chain has no
# final drop. Dropping the in-interface-list= restriction makes the intent
# explicit and would be required before adding a final drop rule.
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked in-interface-list=LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Guest/IoT may only cross into LAN-Secure for marked DNS to the PiHole.
add action=accept chain=forward comment="accept DNS from Guests" dst-address=\
192.168.160.17 in-interface-list=LAN-Filtered out-interface-list=\
LAN-Secure packet-mark=allowed-dns
# port=443 matches either source or destination port.
add action=drop chain=forward comment="drop all DoH" dst-address-list=\
"DoH Servers" log=yes log-prefix="DoH Drop" port=443 protocol=tcp \
src-address-list=!PiHole
# NOTE(review): LAN-Secure is bridgeLAN plus "*3D" only; PPP VPN clients sit
# in "LAN PPP" and are therefore not shielded from guest/IoT traffic by this
# rule.
add action=reject chain=forward comment=\
"drop all from insecure lan to secure LAN" in-interface-list=LAN-Filtered \
out-interface-list=LAN-Secure reject-with=icmp-admin-prohibited
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# DNS classification. Port-53 traffic from LAN or PPP gets the dns-packet
# mark, which is then refined into allowed-dns (consumed by the filter rules
# "accept DNS from vpn" / "accept DNS from Guests") or intercept-dns
# (consumed only by the disabled "Intercept DNS" dst-nat rule).
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark as DNS-packet" \
dst-port=53 in-interface-list=LAN new-packet-mark=dns-packet passthrough=\
yes protocol=udp
add action=mark-packet chain=prerouting comment="Mark as DNS-packet" \
dst-port=53 in-interface-list=LAN new-packet-mark=dns-packet passthrough=\
yes protocol=tcp
add action=mark-packet chain=prerouting comment="Mark as DNS-packet" \
dst-port=53 in-interface=all-ppp new-packet-mark=dns-packet passthrough=\
yes protocol=udp
# No-op rule kept for its log-prefix / counters.
add action=passthrough chain=prerouting comment=\
"dummy for DNS-packets towards router" dst-address-list=Router \
log-prefix="DNS-Packet towards router" packet-mark=dns-packet
# Filtered-DNS-Clients is not defined in this export, so this rule never
# matches.
add action=mark-packet chain=prerouting comment=\
"Mark Filtered-DNS-Clients-->!PiHole as intercept-dns" dst-address-list=\
!PiHole log-prefix="DNS-Packet intercept-dns" new-packet-mark=\
intercept-dns packet-mark=dns-packet passthrough=yes src-address-list=\
Filtered-DNS-Clients
add action=mark-packet chain=prerouting comment=\
"Mark DNS->DNS-Servers as allowed-dns" dst-address-list=Router \
log-prefix="DNS-Packet allowed-dns" new-packet-mark=allowed-dns \
packet-mark=dns-packet passthrough=yes src-address-list=DNS-Servers
# Unfiltered-DNS-Clients is not defined either; a negated empty list matches
# every source, which makes the following unconditional rule redundant.
add action=mark-packet chain=prerouting comment=\
"Mark DNS->!DNS-Servers as intercept-dns" dst-address-list=!DNS-Servers \
log-prefix="DNS-Packet intercept-dns" new-packet-mark=intercept-dns \
packet-mark=dns-packet passthrough=yes src-address-list=\
!Unfiltered-DNS-Clients
add action=mark-packet chain=prerouting comment=\
"Mark DNS->!DNS-Servers as intercept-dns" dst-address-list=!DNS-Servers \
log-prefix="DNS-Packet intercept-dns" new-packet-mark=intercept-dns \
packet-mark=dns-packet passthrough=yes
add action=mark-packet chain=prerouting comment=\
"Mark DNS->DNS-Servers as allowed-dns" dst-address-list=DNS-Servers \
log-prefix="DNS-Packet allowed-dns" new-packet-mark=allowed-dns \
packet-mark=dns-packet passthrough=yes
# MSS clamping for forwarded TCP SYNs (comment typo: MSS, not MMS).
add action=change-mss chain=forward comment="change MMS (PMTU)" new-mss=\
clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
# NAT. log=yes on the masquerade rule logs the first packet of every
# outbound connection; that is a lot of log volume for little value.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none log=yes log-prefix="NAT MASQ" out-interface-list=\
WAN
add action=dst-nat chain=dstnat comment="Win7 RDP" disabled=yes dst-port=\
3389 protocol=tcp to-addresses=192.168.160.33 to-ports=3389
# NOTE(review): without in-interface-list=WAN or dst-address-type=local this
# rewrites every TCP/32400 packet traversing dstnat, including LAN clients
# connecting to some external host on that port.
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 protocol=tcp \
src-port="" to-addresses=192.168.160.34 to-ports=32400
# DNS interception to the PiHole is switched off.
add action=dst-nat chain=dstnat comment="Intercept DNS" disabled=yes \
log-prefix=dst-nat-to-pihole packet-mark=intercept-dns to-addresses=\
192.168.160.17
# Default (L2TP transport) IPsec policy.
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Management services. ssh and winbox are not listed, so they keep their
# defaults (presumably enabled); www-ssl stays enabled but references
# certificate=*1, which does not resolve in this export. No service carries
# an address= restriction; NOTE(review): limiting ssh/winbox/www-ssl to the
# management subnets would reduce exposure given the open input chain.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=*1
set api disabled=yes
set api-ssl disabled=yes
# IPv6 configuration below is the stock defconf set; it is inactive because
# /ipv6 settings disables IPv6 entirely.
/ipv6 address
add address=fd00::1 interface=bridgeLAN
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
# Stock IPv6 filter (inactive while IPv6 is disabled). As in IPv4, the
# input drop is keyed on !LAN, so guest/IoT bridges would have full access
# to the router once IPv6 is turned on.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
# Unlike the IPv4 forward chain, this one does end in a drop for non-LAN.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# Stock IPv6 raw table: bogon filtering plus an icmp6 sub-chain that
# rate-limits echo and neighbour-discovery per RFC 4890 (inactive while
# IPv6 is disabled).
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
"defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
"defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# icmp6 chain: the first rule's comment says "drop" but its action is accept
# (stock defconf wording); everything not explicitly accepted is dropped at
# the end of the chain.
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
icmpv6
# Router advertisements on bridgeLAN (inactive while IPv6 is disabled).
/ipv6 nd
add advertise-mac-address=no interface=bridgeLAN \
managed-address-configuration=yes other-configuration=yes
/ipv6 nd prefix
add autonomous=no interface=bridgeLAN
# VPN accounts; passwords are not part of this export.
/ppp secret
add name=LaptopWerk profile=sstp_vpn service=sstp
add name=SonyMobiel profile=ipsec_vpn service=l2tp
add name=LaptopMSI profile=sstp_vpn service=sstp
add name=ABC-PC profile=sstp_vpn service=sstp
# Accepts incoming RADIUS disconnect/CoA requests, although no RADIUS client
# (/radius) is configured in this export; NOTE(review): confirm it is needed.
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Router
/system leds
add interface=wlan-2G leds="wlan-2G_signal1-led,wlan-2G_signal2-led,wlan-2G_si\
gnal3-led,wlan-2G_signal4-led,wlan-2G_signal5-led" type=\
wireless-signal-strength
add interface=wlan-2G leds=wlan-2G_tx-led type=interface-transmit
add interface=wlan-2G leds=wlan-2G_rx-led type=interface-receive
# Only critical/error/warning go to disk; info-level firewall logs (the
# log=yes rules above) are not covered by these actions.
/system logging
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=warning
/system ntp client
set enabled=yes
# Six literal NTP server addresses, presumably the resolved pool members
# that the ntp-client-update script below keeps refreshing.
/system ntp client servers
add address=93.94.224.67
add address=185.172.91.110
add address=95.179.131.82
add address=174.138.107.7
add address=94.198.159.11
add address=154.51.12.220
/system resource irq rps
set sfp-sfpplus1 disabled=no
# Scheduled jobs. Both run with the full policy set including password,
# sensitive and policy; NOTE(review): the scripts only read/write DNS, DHCP
# and NTP settings, so read,write (plus test if needed) should suffice -
# verify and trim to least privilege.
/system scheduler
add interval=1h name=dhcp-client on-event="/system script run dhcp-client" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=oct/22/2019 start-time=13:00:00
add interval=1d name=ntp-update on-event=\
"/system script run ntp-client-update" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=oct/22/2019 start-time=03:15:00
# dhcp-client: keeps /ip dns static in sync with DHCP leases under zone
# int.example.nl (ttl 5 min). Pass 1 walks existing static entries in the
# zone and removes those without a matching lease, unless a
# "shost<MAC>" environment variable names them, their comment is "static",
# or their ttl differs (treated as a manual entry). Pass 2 walks all leases,
# derives the hostname from the shost<MAC> variable or the lease comment,
# and adds/replaces the A record when the address changed.
# Runs with the same over-broad policy as its scheduler entry.
/system script
add dont-require-permissions=no name=dhcp-client owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_Modified to add comments instead of hostnames. \
\n:local zone \"int.example.nl\";\
\n:local ttl \"00:05:00\"\
\n:local hostname\
\n:local comment\
\n:local ip\
\n:local dnsip\
\n:local dhcpip\
\n:local dnsnode\
\n:local dhcpnode\
\n\
\n/ip dns static;\
\n:foreach i in=[find where name ~ (\".*\\\\.\".\$zone) ] do={\
\n :set hostname [ get \$i name ];\
\n :set comment [get \$i comment ];\
\n :local foundttl [get \$i ttl ];\
\n :set hostname [ :pick \$hostname 0 ( [ :len \$hostname ] - ( [ :len \$\
zone ] + 1 ) ) ];\
\n\
\n /ip dhcp-server lease;\
\n :set dhcpnode [ find where comment=\$hostname ];\
\n :if ( [ :len \$dhcpnode ] > 0) do={\
\n :log debug (\"Lease for \".\$hostname.\" still exists. Not deleting.\
\");\
\n } else={\
\n # there's no lease by that name. Maybe this mac has a static name.\
\n :local found false\
\n /system script environment\
\n\
\n :foreach n in=[ find where name ~ \"shost[0-9A-F]+\" ] do={\
\n :if ( [ get \$n value ] = \$hostname ) do={\
\n :set found true;\
\n }\
\n }\
\n\
\n :log debug (\"Checking for static\")\
\n :if ( comment=\"static\" ) do={\
\n :log debug (\"Found static, setting found to true\");\
\n :set found true;\
\n }\
\n :if ( foundttl != ttl ) do={\
\n :log debug (\"Hostname \".\$hostname.\" has different ttl, assum\
e manual entry\");\
\n :set found true;\
\n }\
\n :if ( found ) do={\
\n :log debug (\"Hostname \".\$hostname.\" is static\");\
\n } else={\
\n :log info (\"Lease expired for \".\$hostname.\", deleting DNS entr\
y.\");\
\n /ip dns static remove \$i;\
\n }\
\n }\
\n} \
\n\
\n/ip dhcp-server lease;\
\n:foreach i in=[find] do={\
\n :set hostname \"\"\
\n :local mac\
\n :set dhcpip [ get \$i address ];\
\n :set mac [ get \$i mac-address ];\
\n :while (\$mac ~ \":\") do={\
\n :local pos [ :find \$mac \":\" ];\
\n :set mac ( [ :pick \$mac 0 \$pos ] . [ :pick \$mac (\$pos + 1) 999 ]\
);\
\n };\
\n :foreach n in=[ /system script environment find where name=(\"shost\" \
\_. \$mac) ] do={\
\n :set hostname [ /system script environment get \$n value ];\
\n }\
\n :if ( [ :len \$hostname ] = 0) do={\
\n :set hostname [ get \$i comment ];\
\n }\
\n :if ( [ :len \$hostname ] > 0) do={\
\n :set hostname ( \$hostname . \".\" . \$zone );\
\n\
\n /ip dns static;\
\n :set dnsnode [ find where name=\$hostname ];\
\n :if ( [ :len \$dnsnode ] > 0 ) do={\
\n # it exists. Is its IP the same\?\
\n :set dnsip [ get \$dnsnode address ];\
\n :if ( \$dnsip = \$dhcpip ) do={\
\n :log debug (\"DNS entry for \" . \$hostname . \" does not need u\
pdating.\");\
\n } else={\
\n :log info (\"Replacing DNS entry for \" . \$hostname);\
\n /ip dns static remove \$dnsnode;\
\n /ip dns static add name=\$hostname address=\$dhcpip ttl=\$ttl;\
\n }\
\n } else={\
\n # it doesn't exist. Add it\
\n :log info (\"Adding new DNS entry for \" . \$hostname);\
\n /ip dns static add name=\$hostname address=\$dhcpip ttl=\$ttl;\
\n }\
\n }\
\n }"
# ntp-client-update: resolves two nl.pool.ntp.org names and writes them as
# primary-ntp/secondary-ntp. NOTE(review): this export is from RouterOS 7.6,
# where NTP servers live under /system ntp client servers (see above);
# confirm these two parameters still take effect on this version.
add dont-require-permissions=no name=ntp-client-update owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
system ntp client set primary-ntp=[:resolve 0.nl.pool.ntp.org]\r\
\n/system ntp client set secondary-ntp=[:resolve 1.nl.pool.ntp.org]"
/tool bandwidth-server
set authenticate=no enabled=no
# MAC-level telnet/winbox only from LAN-Secure (bridgeLAN and "*3D").
/tool mac-server
set allowed-interface-list=LAN-Secure
/tool mac-server mac-winbox
set allowed-interface-list=LAN-Secure
# Packet sniffer is configured to stream bridgeLAN captures to
# 192.168.160.50. Whether the sniffer is currently running is not visible in
# an export; NOTE(review): streamed captures leave the router unencrypted,
# so disable streaming-enabled when it is not actively needed.
/tool sniffer
set filter-interface=bridgeLAN filter-stream=yes streaming-enabled=yes \
streaming-server=192.168.160.50