majestic
Frequent Visitor
Topic Author
Posts: 90
Joined: Mon Dec 05, 2016 11:19 am

[Issue/Bug] RB5009UPr+S+IN suffering with log spam saying "etherX detected poe-out status: no_valid_psu"

Tue Nov 22, 2022 12:11 am

Hi Guys,

I have recently purchased a RB5009UPr+S+IN (https://mikrotik.com/product/rb5009upr_s_in) and configured it tonight. I have this powered by a CISCO SG250-08HP POE switch with POE power being sent through ether1. It has a bond (LACP) with ether1 and ether2 going back to the CISCO switch for my LAN, as I don't have 2.5Gb/s LAN POE switches yet.

Everything is operating correctly, but I have noticed a warning which is now spamming the log every few mins and is coming from every port, saying:
etherX detected poe-out status: no_valid_psu
etherX detected poe-out status: disabled
This wasn't happening when it was connected via DC jack earlier tonight, but started as soon as it was ONLY being powered by ether1 (POE).

I have made sure that all ports have POE set to OFF but the messages keep coming, despite the router staying online/powered up.

I am running 7.6 latest stable release of ROS. Also the routerboard firmware is also running 7.6.

Is there a way to stop these messages, or is it something I have forgotten to do? Or maybe a bug?

Summary
    SFP connected to ONT via vlan911 which provides my internet using PPPoE.
    ether1 and ether2 connected to CISCO POE switch.
    Power is being sent on both but I believe it's only working into ether1 (from what I can see this is normal even on this version)

    Below is a full copy of my running config, just with a few bits XX or YY out, but nothing which would make the config unreadable.
    # nov/21/2022 21:43:21 by RouterOS 7.6
    # software id = JJNA-ABWH
    #
    # model = RB5009UPr+S+
    # serial number = XXXXXXX
    /interface bridge
    add admin-mac=18:FD:XX:XX:XX:XX auto-mac=no disabled=yes name=bridge
    /interface ethernet
    set [ find default-name=ether1 ] comment="CISCO | SW01 | LAG| PORT 1" poe-out=off
    set [ find default-name=ether2 ] comment="CISCO | SW01 | LAG | PORT 2" poe-out=off
    set [ find default-name=ether3 ] disabled=yes poe-out=off
    set [ find default-name=ether4 ] disabled=yes poe-out=off
    set [ find default-name=ether5 ] disabled=yes poe-out=off
    set [ find default-name=ether6 ] disabled=yes poe-out=off
    set [ find default-name=ether7 ] disabled=yes poe-out=off
    set [ find default-name=ether8 ] disabled=yes poe-out=off
    set [ find default-name=sfp-sfpplus1 ] comment="City Fibre | ONT"
    /interface vlan
    add comment="Briant Broadband | VLAN" interface=sfp-sfpplus1 name=vlan911 vlan-id=911
    /interface bonding
    add comment="CISCO | SW01 | LCAP" mode=802.3ad name=bond0 slaves=ether1,ether2 transmit-hash-policy=layer-2-and-3
    /interface pppoe-client
    add add-default-route=yes comment="Briant Broadband | Internet" disabled=no interface=vlan911 name=pppoe0 use-peer-dns=yes user=XXXXXXXXXX
    /interface vlan
    add comment="Core | Network" interface=bond0 name=vlan2910 vlan-id=2910
    add comment="Trusted | Network" interface=bond0 name=vlan2920 vlan-id=2920
    add comment="Work | Network" interface=bond0 name=vlan2930 vlan-id=2930
    add comment="Guest | Network" interface=bond0 name=vlan2950 vlan-id=2950
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    /ip pool
    add name=vlan2910 ranges=10.29.10.80-10.29.10.200
    add name=vlan2920 ranges=10.29.20.80-10.29.20.200
    add name=vlan2930 ranges=10.29.30.80-10.29.30.200
    add name=vlan2950 ranges=10.29.50.80-10.29.50.200
    /ip dhcp-server
    add address-pool=vlan2910 interface=vlan2910 name=vlan2910
    add address-pool=vlan2920 interface=vlan2920 name=vlan2920
    add address-pool=vlan2930 interface=vlan2930 name=vlan2930
    add address-pool=vlan2950 interface=vlan2950 name=vlan2950
    /interface bridge port
    add bridge=bridge comment=defconf interface=ether3
    add bridge=bridge comment=defconf interface=ether4
    add bridge=bridge comment=defconf interface=ether5
    add bridge=bridge comment=defconf interface=ether6
    add bridge=bridge comment=defconf interface=ether7
    add bridge=bridge comment=defconf interface=ether8
    add bridge=bridge comment=defconf interface=sfp-sfpplus1
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /interface list member
    add comment=untagged interface=bond0 list=LAN
    add comment=untagged interface=sfp-sfpplus1 list=WAN
    add comment="Core | Network" interface=vlan2910 list=LAN
    add comment="Trusted | Network" interface=vlan2920 list=LAN
    add comment="Work | Network" interface=vlan2930 list=LAN
    add comment="Guest | Network" interface=vlan2950 list=LAN
    add comment="Briant | Broadband" interface=vlan911 list=WAN
    add comment="WAN | Internet" interface=pppoe0 list=WAN
    /ip address
    add address=10.29.10.254/24 interface=vlan2910 network=10.29.10.0
    add address=10.29.20.254/24 interface=vlan2920 network=10.29.20.0
    add address=10.29.30.254/24 interface=vlan2930 network=10.29.30.0
    add address=10.29.50.254/24 interface=vlan2950 network=10.29.50.0
    add address=10.29.10.1/24 interface=vlan2910 network=10.29.10.0
    add address=10.29.20.1/24 interface=vlan2920 network=10.29.20.0
    add address=10.29.30.1/24 interface=vlan2930 network=10.29.30.0
    add address=10.29.50.1/24 interface=vlan2950 network=10.29.50.0
    /ip dhcp-server network
    add address=10.29.10.0/24 comment=vlan2910 dns-server=10.29.10.1 gateway=10.29.10.1 netmask=24
    add address=10.29.20.0/24 comment=vlan2920 dns-server=10.29.20.1 gateway=10.29.20.1 netmask=24
    add address=10.29.30.0/24 comment=vlan2930 dns-server=10.29.30.1 gateway=10.29.30.1 netmask=24
    add address=10.29.50.0/24 comment=vlan2950 dns-server=10.29.50.1 gateway=10.29.50.1 netmask=24
    /ip dns
    set allow-remote-requests=yes servers=10.29.10.35,10.29.10.36
    /ip firewall address-list
    add address=82.XX.XX.XX comment="Dad's | Home" list=TRUSTED
    add address=159.XX.XX.XX comment="Simons | Home" list=TRUSTED
    add address=62.XX.XX.XX comment="Steven's | Work" list=TRUSTED
    add address=212.XX.XX.XX comment="Trudie's | Home" list=TRUSTED
    add address=10.XX.XX.0/24 comment="Core | Network" list=TRUSTED
    add address=10.XX.YY.0/24 comment="Trusted | Network" list=TRUSTED
    add address=176.XX.XX.XX comment="Hetzner | Dedicated" list=TRUSTED
    /ip firewall filter
    add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
    add action=accept chain=input comment="accept to local loopback" dst-address=127.0.0.1
    add action=jump chain=input comment="allow icmp" jump-target=icmp
    add action=drop chain=input comment="drop invalid" connection-state=invalid
    add action=jump chain=input comment="allow access to router" jump-target=router
    add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=drop_not_LAN
    add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
    add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="drop invalid" connection-state=invalid
    add action=jump chain=forward comment="allow access to lan" jump-target=lan
    add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    add action=accept chain=icmp comment="0:0 and limit for 5 packets per second" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
    add action=accept chain=icmp comment="3:3 and limit for 5 packets per second" icmp-options=3:3 limit=5,5:packet protocol=icmp
    add action=accept chain=icmp comment="3:4 and limit for 5 packets per second" icmp-options=3:4 limit=5,5:packet protocol=icmp
    add action=accept chain=icmp comment="8:0 and limit for 5 packets per second" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
    add action=accept chain=icmp comment="11:0 and limit for 5 packets per second" icmp-options=11:0-255 limit=5,5:packet protocol=icmp
    add action=accept chain=router comment="accept SSH to router *trusted*" dst-port=22 log=yes log-prefix=test_log protocol=tcp src-address-list=TRUSTED
    add action=accept chain=router comment="accept Winbox to router *trusted*" dst-port=8291 protocol=tcp src-address-list=TRUSTED
    add action=accept chain=lan comment="accept access to mgmt01 *trusted*" dst-port=10022 in-interface-list=WAN protocol=tcp src-address-list=TRUSTED
    add action=accept chain=router comment="accept udp dns queries from lan" dst-port=53 in-interface-list=LAN protocol=udp
    add action=accept chain=router comment="accept tcp dns queries from lan" dst-port=53 in-interface-list=LAN protocol=tcp
    add action=accept chain=router comment="accept udp ntp queries from lan" dst-port=123 in-interface-list=LAN protocol=udp
    /ip firewall nat
    add action=masquerade chain=srcnat comment="masquerade" ipsec-policy=out,none out-interface-list=WAN
    add action=dst-nat chain=dstnat dst-port=10022 in-interface-list=WAN protocol=tcp to-addresses=10.XX.XX.100 to-ports=10022
    /ip service
    set telnet disabled=yes
    set ftp disabled=yes
    set www-ssl certificate=XXXX.xyz disabled=no tls-version=only-1.2
    set api disabled=yes
    set api-ssl certificate=XXXX.xyz tls-version=only-1.2
    /ipv6 firewall address-list
    add address=::/128 comment="unspecified address" list=bad_ipv6
    add address=::1/128 comment=lo list=bad_ipv6
    add address=fec0::/10 comment=site-local list=bad_ipv6
    add address=::ffff:0.0.0.0/96 comment=ipv4-mapped list=bad_ipv6
    add address=::/96 comment="ipv4 compat" list=bad_ipv6
    add address=100::/64 comment="discard only " list=bad_ipv6
    add address=2001:db8::/32 comment=documentation list=bad_ipv6
    add address=2001:10::/28 comment=ORCHID list=bad_ipv6
    add address=3ffe::/16 comment=6bone list=bad_ipv6
    /ipv6 firewall filter
    add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="drop invalid" connection-state=invalid
    add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
    add action=accept chain=input comment="accept UDP traceroute" port=33434-33534 protocol=udp
    add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
    add action=accept chain=input comment="accept IKE" dst-port=500,4500 protocol=udp
    add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
    add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
    add action=accept chain=input comment="accept all that matches ipsec policy" ipsec-policy=in,ipsec
    add action=drop chain=input comment="drop everything else not coming from LAN" in-interface-list=!LAN
    add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="drop invalid" connection-state=invalid
    add action=drop chain=forward comment="drop packets with bad src ipv6" src-address-list=bad_ipv6
    add action=drop chain=forward comment="drop packets with bad dst ipv6" dst-address-list=bad_ipv6
    add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
    add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
    add action=accept chain=forward comment="accept HIP" protocol=139
    add action=accept chain=forward comment="accept IKE" dst-port=500,4500 protocol=udp
    add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
    add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
    add action=accept chain=forward comment="accept all that matches ipsec policy" ipsec-policy=in,ipsec
    add action=drop chain=forward comment="drop everything else not coming from LAN" in-interface-list=!LAN
    /system clock
    set time-zone-autodetect=no time-zone-name=UTC
    /system identity
    set name=router01
    /system ntp client
    set enabled=yes
    /system ntp server
    set enabled=yes
    /system ntp client servers
    add address=ntp0.linx.net
    add address=ntp1.linx.net
    add address=ntp2.linx.net
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN
    
    Also last note, if anyone has any suggestions for tweaks or improvements, please let me know.
    I am kinda rusty with MTK as I've been using UBNT over these past recent years.

    Looking forward to your reply.

    Simon
    Last edited by majestic on Tue Nov 22, 2022 12:27 am, edited 1 time in total.
     
    Znevna
    Forum Guru
    Posts: 1347
    Joined: Mon Sep 23, 2019 1:04 pm

    Re: [Issue/Bug] RB5009UPr+S+IN suffering with log spam saying "etherX detected poe-out status: no_valid_psu"

    Tue Nov 22, 2022 12:19 am

    4th topic's the charm.
    File a bug report.
     
    majestic
    Frequent Visitor
    Topic Author
    Posts: 90
    Joined: Mon Dec 05, 2016 11:19 am

    Re: [Issue/Bug] RB5009UPr+S+IN suffering with log spam saying "etherX detected poe-out status: no_valid_psu"

    Tue Nov 22, 2022 12:28 am

    4th topic's the charm.
    File a bug report.
    Thanks, will do.

    Apologies, I didn't notice any others, my bad.

    I now see that you were referring to myself/my posts.
    This was an accident, the post wasn't submitting, so I was shrinking it down as I thought the code was causing the problem. I then found that saving a draft saved fine and I could edit it. After looking for what you mentioned, I noticed my post a few times. This really was not my intention. Apologies, I have just deleted the duplicate posts.
     
    majestic
    Frequent Visitor
    Topic Author
    Posts: 90
    Joined: Mon Dec 05, 2016 11:19 am

    Re: [Issue/Bug] RB5009UPr+S+IN suffering with log spam saying "etherX detected poe-out status: no_valid_psu"

    Wed Nov 23, 2022 2:19 pm

    Confirmed with Mikrotik support that there is a bug in 7.6 ROS with the RB5009UPr+S+IN which they managed to reproduce in their labs. This I am told will be fixed in the upcoming new release but no ETA on when this will be (yet).

    Thanks Mikrotik support for reproducing and creating a fix for this.

    Kind Regards,

    Simon
     
    brotherdust
    Member Candidate
    Posts: 130
    Joined: Tue Jun 05, 2007 1:31 am

    Re: [Issue/Bug] RB5009UPr+S+IN suffering with log spam saying "etherX detected poe-out status: no_valid_psu"

    Thu Feb 16, 2023 8:25 pm

    Confirmed with Mikrotik support that there is a bug in 7.6 ROS with the RB5009UPr+S+IN which they managed to reproduce in their labs. This I am told will be fixed in the upcoming new release but no ETA on when this will be (yet).

    Thanks Mikrotik support for reproducing and creating a fix for this.

    Kind Regards,

    Simon
    Can you please provide the ticket number for reference? We’re getting this error on a remote solar site and have exhausted every last idea of what it could be. Checking the RouterOS change logs from 7.6 to 7.8rc2, I’m not seeing this fix mentioned anywhere. It seems amazing to me that they haven’t fixed it yet so I’m going to open another ticket, hopefully referencing yours, and ask for an update.
     
    majestic
    Frequent Visitor
    Topic Author
    Posts: 90
    Joined: Mon Dec 05, 2016 11:19 am

    Re: [Issue/Bug] RB5009UPr+S+IN suffering with log spam saying "etherX detected poe-out status: no_valid_psu"

    Fri Feb 24, 2023 8:33 pm

    Confirmed with Mikrotik support that there is a bug in 7.6 ROS with the RB5009UPr+S+IN which they managed to reproduce in their labs. This I am told will be fixed in the upcoming new release but no ETA on when this will be (yet).

    Thanks Mikrotik support for reproducing and creating a fix for this.

    Kind Regards,

    Simon
    Can you please provide the ticket number for reference? We’re getting this error on a remote solar site and have exhausted every last idea of what it could be. Checking the RouterOS change logs from 7.6 to 7.8rc2, I’m not seeing this fix mentioned anywhere. It seems amazing to me that they haven’t fixed it yet so I’m going to open another ticket, hopefully referencing yours, and ask for an update.

    Hi @brotherdust,

    Sorry for the delay, only just noticed the reply.

    The support case ID is
    SUP-98865

    This has not been fixed yet, I've been testing and also checking change logs but still not resolved. ATM I have had to add a power supply as the spam was getting stupid.

    I have pasted below their answer, I hope this helps.

    Oļegs Š. 23/Nov/22 6:55 AM

    Hello,

    Thank you for the report!

    We have managed to reproduce the issue locally in our labs and look forward to fixing it on upcoming RouterOS versions, unfortunately, I cannot provide a release date now.

    Best regards,
     
    lvchen860217
    just joined
    Posts: 1
    Joined: Wed Jun 14, 2023 3:47 am

    Re: [Issue/Bug] RB5009UPr+S+IN suffering with log spam saying "etherX detected poe-out status: no_valid_psu"

    Wed Jun 14, 2023 3:55 am

    Have you resolved your problem?
    I also encountered similar issues when using routerOS 7.8. When I use the original power supply, it will appear “etherX detected poe-out status: no_valid_psu” once in the startup log every time. This log only appears once after rebooting. At first, I suspected it was a power issue, but I didn't see this message again after upgrading to 7.9.
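Two different behaviours are described in this thread: the original post sees "no_valid_psu" from every port every few minutes, while the reply above sees it once per boot. A quick way to tell those apart in a pasted log, and to avoid chasing a power fault when the message is a one-off, is to group the messages per interface and measure how far apart they are. The script below is an added example written for this thread, not code from the forum, from MikroTik or from any poster. The log excerpt is constructed, the `interface,warning` topic column and the 2022 year are assumptions (RouterOS log timestamps carry no year), and the 60-second "transient" window is an arbitrary threshold you can tune.

```python
"""Classify RouterOS "poe-out status" messages per interface as transient
(a burst around boot) or recurring (periodic spam) from a pasted log."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from the thread). The layout mimics
# "/log print" output: "mmm/dd HH:MM:SS topics message". The topics
# column is an assumption; the parser only keys on the message text.
SAMPLE_LOG = """\
nov/21 21:40:02 system,info system rebooted
nov/21 21:40:09 interface,warning ether1 detected poe-out status: no_valid_psu
nov/21 21:40:09 interface,warning ether2 detected poe-out status: no_valid_psu
nov/21 21:40:09 interface,warning ether3 detected poe-out status: no_valid_psu
nov/21 21:40:10 interface,warning ether1 detected poe-out status: disabled
nov/21 21:40:10 interface,warning ether2 detected poe-out status: disabled
nov/21 21:40:10 interface,warning ether3 detected poe-out status: disabled
nov/21 21:40:40 interface,warning ether3 detected poe-out status: no_valid_psu
nov/21 21:40:41 interface,warning ether3 detected poe-out status: disabled
nov/21 21:43:11 interface,warning ether1 detected poe-out status: no_valid_psu
nov/21 21:43:12 interface,warning ether1 detected poe-out status: disabled
nov/21 21:46:15 interface,warning ether1 detected poe-out status: no_valid_psu
nov/21 21:46:16 interface,warning ether1 detected poe-out status: disabled
nov/21 21:49:20 interface,warning ether1 detected poe-out status: no_valid_psu
nov/21 21:49:21 interface,warning ether1 detected poe-out status: disabled
nov/21 21:52:00 system,info user admin logged in from 10.29.10.50 via winbox
"""

# Timestamp, one topics token, then the message text from the thread.
LINE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<iface>\S+) detected poe-out status: (?P<status>\S+)$",
    re.IGNORECASE,
)


def parse_poe_events(log_text, year=2022):
    """Return [(timestamp, interface, status)] for every poe-out status line.

    Unrelated log lines are skipped. The caller supplies the year because
    RouterOS timestamps omit it (the constructed sample is dated 2022)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((stamp, m["iface"], m["status"]))
    return events


def classify(events, status="no_valid_psu", transient_window=timedelta(seconds=60)):
    """Per interface: how often `status` was reported, whether the reports
    stretch beyond `transient_window` after the first one (recurring spam)
    or stay inside it (a boot-time burst), and the median gap in seconds."""
    per_iface = defaultdict(list)
    for stamp, iface, st in events:
        if st == status:
            per_iface[iface].append(stamp)

    report = {}
    for iface, stamps in sorted(per_iface.items()):
        stamps.sort()
        span = stamps[-1] - stamps[0]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[iface] = {
            "count": len(stamps),
            "verdict": "recurring" if span > transient_window else "transient",
            "median_interval_s": statistics.median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for iface, summary in classify(parse_poe_events(SAMPLE_LOG)).items():
        print(f"{iface}: {summary}")
```

On the constructed sample, ether1 comes out as recurring with a median gap of roughly three minutes, ether2 as a single transient message, and ether3 as transient because its two reports fall within the window. Feed it the output of `/log print` (or the exported log file) and adjust `transient_window` to whatever your boot takes; a recurring verdict on an otherwise healthy unit is the pattern this thread reports to MikroTik support, while a transient verdict matches the once-per-boot behaviour described in the reply above.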
