My ISP's GPON ONT is currently connected to Ether16, but I intend to replace that with a GPON SFP when it arrives. A PPPoE client is configured on both of those interfaces.
I can't figure out where I've gone wrong. My config is below, and I hope some fresh eyes can pick up what I've missed.
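# dec/01/2022 21:50:54 by RouterOS 7.6
# software id = TDSR-7LYJ
#
# model = CCR2004-16G-2S+
#
# Layout as exported: bridge1 is a VLAN-filtering bridge carrying VLAN 10
# (untrusted) and VLAN 20 (trusted). ether16 and sfp-sfpplus1 are the WAN side,
# fronted by a single PPPoE client. ether15 is a dedicated management port.
/interface bridge
# Per-port frame-types and pvid are set under /interface bridge port below.
add add-dhcp-option82=yes admin-mac=18:FD:74:A2:32:B7 auto-mac=no dhcp-snooping=yes fast-forward=no frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Master Bedroom"
set [ find default-name=ether2 ] comment="Guest Bedroom"
set [ find default-name=ether3 ] comment="Living Room"
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] comment=Management
set [ find default-name=ether16 ] comment="Etisalat ONT"
set [ find default-name=sfp-sfpplus1 ] comment="SFP GPON ONT"
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface pppoe-client
# NOTE(review): a PPPoE client normally binds to one interface; this entry
# lists two. Confirm with `/interface pppoe-client print` that it is not
# flagged invalid. If it is, keep one client per physical port and enable only
# the one whose port currently carries the ONT.
add add-default-route=yes disabled=no interface=sfp-sfpplus1,ether16 name=pppoe-etisalat user=username
/interface vlan
# L3 VLAN interfaces live on bridge1; see the bridge VLAN table note below.
add interface=bridge1 name=vlan10-untrusted vlan-id=10
add interface=bridge1 name=vlan20-AE vlan-id=20
/interface list
add comment="contains all WAN interfaces" name=wan
add comment="contains all trusted interfaces" name=trusted
# include=wan makes "untrusted" = vlan10-untrusted + every wan member; the
# forward rules below rely on that.
add comment="contains all untrusted interfaces" include=wan name=untrusted
add comment="contains all VLAN interfaces" name=vlans
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment=vlan20-AE name=vlan20_pool ranges=10.20.0.100-10.20.0.254
add comment=vlan10-untrusted name=vlan10_pool ranges=10.10.0.100-10.10.0.254
/ip dhcp-server
add address-pool=vlan20_pool comment=vlan20-AE interface=vlan20-AE name=vlan20_dhcp
add address-pool=vlan10_pool comment=vlan10-untrusted interface=vlan10-untrusted name=vlan10_dhcp
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 use-ipv6=no use-upnp=no
/caps-man manager interface
set [ find default=yes ] forbid=yes
/interface bridge port
# ether1/ether2 (WAPs) are trunks: untagged VLAN 10 via pvid, tagged VLAN 20
# per the bridge VLAN table. ether3 is an access port for VLAN 10 only.
add bridge=bridge1 comment="Master Bedroom (WAP)" interface=ether1 pvid=10
add bridge=bridge1 comment="Guest Bedroom (WAP)" interface=ether2 pvid=10
add bridge=bridge1 comment="Living Room" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
/ip neighbor discovery-settings
# !dynamic still covers the WAN ports ether16 and sfp-sfpplus1, so neighbor
# announcements are sent toward the ISP; a list such as trusted limits that.
set discover-interface-list=!dynamic
/interface bridge vlan
# NOTE(review): vlan10-untrusted and vlan20-AE are VLAN interfaces on bridge1,
# so bridge1 itself has to be a tagged member of VLANs 10 and 20. Check that
# `/interface bridge vlan print` shows bridge1 as tagged (dynamic or static)
# for both; if not, add tagged=bridge1 to each entry. Untagged membership of
# ether1-3 in VLAN 10 is expected to appear dynamically from their pvid=10.
add bridge=bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether1,ether2 vlan-ids=20
/interface list member
add interface=sfp-sfpplus1 list=wan
add interface=ether16 list=wan
add interface=pppoe-etisalat list=wan
add interface=vlan10-untrusted list=untrusted
add interface=vlan10-untrusted list=vlans
add interface=vlan20-AE list=vlans
add interface=vlan20-AE list=trusted
add interface=ether15 list=trusted
/ip address
add address=10.10.0.1/24 comment=vlan10-untrusted interface=vlan10-untrusted network=10.10.0.0
add address=10.20.0.1/24 comment=vlan20-AE interface=vlan20-AE network=10.20.0.0
/ip dhcp-server network
add address=10.10.0.0/24 comment=vlan10-untrusted gateway=10.10.0.1
add address=10.20.0.0/24 comment=vlan20-AE gateway=10.20.0.1
/ip dns
# allow-remote-requests=yes is only safe because the input chain limits UDP/53
# to non-WAN interfaces and drops the rest on WAN.
set allow-remote-requests=yes cache-max-ttl=1d cache-size=102400KiB max-concurrent-queries=10000 max-concurrent-tcp-sessions=50 use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
# Presumably bootstrap entries so the DoH hostname resolves without a plain
# upstream resolver; verify they are still the addresses the provider publishes.
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip firewall filter
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
# UDP only: DNS over TCP from LAN clients is not accepted here (it falls to the
# drop below unless it arrives on ether15).
add action=accept chain=input comment="accept DNS & DHCP requests" dst-port=53,67,68 in-interface-list=!wan protocol=udp
add action=accept chain=input comment="accept management from trusted interfaces" dst-port=22,8291 in-interface-list=trusted protocol=tcp
# No in-interface restriction: echo requests are answered on WAN as well.
add action=accept chain=input comment="accept icmp echo request" icmp-options=8:0-255 protocol=icmp
# in-interface=!ether15 exempts the management port from the drop, so ether15
# reaches every local service that is not disabled under /ip service, not only
# the 22/8291 accepted above.
add action=drop chain=input comment="default drop" in-interface=!ether15
# Fix: the exported rule carried in-interface-list=wan. Reply packets of
# trusted->untrusted connections (vlan20-AE -> vlan10-untrusted) then matched
# no accept rule and were dropped by "drop untrusted to trusted", breaking
# every such connection. Established/related is accepted in all directions now.
add action=accept chain=forward comment="forward established, related" connection-state=established,related
add action=accept chain=forward comment="forward all traffic from VLANs to WAN" in-interface-list=vlans out-interface-list=wan
add action=accept chain=forward comment="forward from trusted to untrusted" in-interface-list=trusted out-interface-list=untrusted
# Because untrusted includes wan, this also covers new WAN -> trusted traffic.
add action=drop chain=forward comment="drop untrusted to trusted" in-interface-list=untrusted out-interface-list=trusted
add action=drop chain=forward comment="defaut drop"
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade traffic leaving WAN interfaces" out-interface-list=wan
/ip service
# ssh, winbox and www-ssl are not listed here and keep their current state.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Dubai
/system identity
set name=CCR2004-16G-2S+
/system leds
add interface=pppoe-etisalat leds=user-led type=interface-status
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/tool mac-server mac-winbox
set allowed-interface-list=trusted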