# dec/30/2022 20:50:07 by RouterOS 7.6
# software id = BXS9-F76C
#
# model = RBD53iG-5HacD2HnD
# serial number = HD10846D5W3
/caps-man datapath
# NOTE(review): dpath-mgmt is defined but nothing below references it; the mgmt
# SSID configurations set datapath.bridge=br-mgmt inline instead.
add name=dpath-mgmt
/interface bridge
# br-main: the VLAN-aware LAN bridge (vlan-filtering=yes). Every segment VLAN is
# a sub-interface of it; the untagged side (default pvid 1) carries
# 10.0.199.0/24. ingress-filtering=no here is the bridge interface's own setting
# (presumably the CPU port); the physical ports carry their own
# ingress-filtering / frame-types under /interface bridge port.
add admin-mac=18:FD:74:85:DD:FC auto-mac=no comment=defconf \
    ingress-filtering=no name=br-main vlan-filtering=yes
# br-mgmt: a separate bridge without vlan-filtering that holds only eth5-mgmt
# and the CAPsMAN-forwarded mgmt SSIDs; 10.0.11.1/24 is bound to it.
add name=br-mgmt
/interface ethernet
# Port roles are encoded in the names: internet uplink, two remote-CAP uplinks,
# the downstream switch trunk and an out-of-band management port (PoE off).
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether2 ] name=eth2-CAP-01
set [ find default-name=ether3 ] name=eth3-CAP-02
set [ find default-name=ether4 ] name=eth4-SW
set [ find default-name=ether5 ] name=eth5-mgmt poe-out=off
/interface wireless
# The on-board radios run as a local CAP (see /interface wireless cap) and take
# SSID/security from the capcfg-* configurations. The ssid= values set here
# (wlan-24 still carries the factory "MikroTik-85DE00") together with the default
# security profile are only what the radio would fall back to if CAP mode were
# disabled -- keep that in mind before turning CAP off.
# managed by CAPsMAN
# channel: 5520/20-eCee/ac/DP(21dBm), SSID: MT-5, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=canada distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan-5 ssid=MT-5 \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2442/20-eC/gn(27dBm), SSID: MT-24, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
    wlan-24 ssid=MikroTik-85DE00 wireless-protocol=802.11
/interface vlan
# One L3 sub-interface per segment on br-main. Segment VLAN IDs:
#   11 mgmt (new), 199 mgmt (old), 55 IoT, 66 guest, 77 kids,
#   88 trusted wired, 99 trusted wifi.
# NOTE(review): no /ip address in this export is bound to vl-mgmt or
# vl-mgmt-old -- 10.0.11.1 sits on br-mgmt and 10.0.199.1 on untagged br-main.
# Tagged VLAN 11/199 frames arriving via eth4-SW therefore terminate on an
# addressless interface; confirm this is intended.
add interface=br-main name=vl-guest vlan-id=66
add interface=br-main name=vl-iot vlan-id=55
add interface=br-main name=vl-kids vlan-id=77
add interface=br-main name=vl-mgmt vlan-id=11
add interface=br-main name=vl-mgmt-old vlan-id=199
add interface=br-main name=vl-tr-wifi vlan-id=99
add interface=br-main name=vl-tr-wired vlan-id=88
/caps-man datapath
# Central (CAPsMAN) forwarding: client frames are tunnelled from the CAP and
# injected into br-main tagged with the segment VLAN (vlan-mode=use-tag), so
# the CAP uplink ports never need to carry tagged frames themselves.
# NOTE(review): none of these set client-to-client-forwarding=no, so guests on
# the same radio can talk to each other; only the mgmt SSID config isolates.
add bridge=br-main name=dpath-trusted vlan-id=99 vlan-mode=use-tag
add bridge=br-main name=dpath-guest vlan-id=66 vlan-mode=use-tag
add bridge=br-main name=dpath-kids vlan-id=77 vlan-mode=use-tag
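/caps-man security
# One WPA2-PSK / CCMP profile per segment. Passphrases are not present in this
# export (sensitive values are omitted unless exported with show-sensitive), so
# each profile must still carry a distinct, strong passphrase on the device.
# Hardening added here:
#  - management-protection=allowed: offers 802.11w (PMF) to clients that
#    support it without refusing those that do not.
#  - disable-pmkid=yes: stops the AP from advertising a PMKID in the first
#    EAPOL frame, which otherwise lets a passive listener harvest material for
#    an offline PSK crack. Left off for capsec-IOT because some IoT clients
#    need the PMKID to associate -- confirm on your devices before enabling.
# WPA3 is not available in this (legacy wireless) CAPsMAN; moving to wifi-qcom /
# wifiwave2 would be the route to SAE.
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    management-protection=allowed name=capsec-mgmt
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    management-protection=allowed name=capsec-trusted
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    management-protection=allowed name=capsec-kids
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    management-protection=allowed name=capsec-guest
add authentication-types=wpa2-psk encryption=aes-ccm \
    management-protection=allowed name=capsec-IOT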
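/caps-man configuration
# One configuration per SSID per band; all are slaves of the mgmt master
# configuration in /caps-man provisioning.
# mgmt SSIDs land directly on br-mgmt (10.0.11.0/24), i.e. the management
# network is reachable over Wi-Fi with a PSK -- keep that passphrase separate
# from all others. Clients are isolated from each other and forwarded
# centrally. Fix: capcfg-mgmt-5 previously lacked the isolation /
# central-forwarding overrides that capcfg-mgmt-24 had; both now match.
add channel.band=2ghz-b/g/n country=canada datapath.bridge=br-mgmt \
    .client-to-client-forwarding=no .local-forwarding=no distance=indoors \
    installation=any mode=ap name=capcfg-mgmt-24 security=capsec-mgmt ssid=\
    MT-24
add channel.band=5ghz-a/n/ac country=canada datapath.bridge=br-mgmt \
    .client-to-client-forwarding=no .local-forwarding=no distance=indoors \
    installation=any mode=ap name=capcfg-mgmt-5 security=capsec-mgmt ssid=\
    MT-5
# kids: VLAN 77 via dpath-kids.
add channel.band=2ghz-b/g/n country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-24 security=capsec-kids \
    ssid=Dity-24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-5 security=capsec-kids \
    ssid=Dity-5
# guest: VLAN 66 via dpath-guest, with client isolation added so guests on the
# same radio cannot reach each other. NOTE(review): this only isolates within
# one CAP radio; guests on different CAPs still share VLAN 66 on the bridge.
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-guest \
    datapath.client-to-client-forwarding=no distance=indoors installation=any \
    mode=ap name=capcfg-guest-5 security=capsec-guest ssid=IDontTrustYou5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-guest \
    datapath.client-to-client-forwarding=no distance=indoors installation=any \
    mode=ap name=capcfg-guest-24 security=capsec-guest ssid=IDontTrustYou24
# trusted wifi: VLAN 99 via dpath-trusted.
add channel.band=2ghz-b/g/n country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-24 security=\
    capsec-trusted ssid=Doviryayu24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-5 security=\
    capsec-trusted ssid=Doviryayut5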
/interface list
# WAN/LAN lists drive the firewall, neighbor discovery and MAC server below.
# Membership (see /interface list member): WAN = eth1-WAN, LAN = br-main only;
# the VLAN sub-interfaces and br-mgmt are NOT in LAN.
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man datapath
# IoT: VLAN 55, central forwarding like the other segment datapaths.
# NOTE(review): interface-list=all differs from the other datapaths; it adds
# the dynamic IoT CAP interfaces to the built-in "all" list, which appears to
# be a no-op here -- consider dropping it for consistency.
add bridge=br-main interface-list=all name=dpath-iot vlan-id=55 vlan-mode=\
    use-tag
/caps-man configuration
# IoT SSIDs (VLAN 55). Clients on the same radio can still talk to each other
# (no client-to-client-forwarding=no); some IoT devices rely on that for
# discovery/casting, so leave it unless you know nothing here needs it.
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-5 security=capsec-IOT \
    ssid=IOT-5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-24 security=capsec-IOT \
    ssid=IOT-24
/interface wireless security-profiles
# Local (non-CAPsMAN) default profile. Not in effect while the radios are
# CAP-managed; it is what wlan-24/wlan-5 would use if CAP mode were disabled.
# No passphrase is visible in this export (sensitive values are redacted).
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
# .22-.222 in every /24, leaving .2-.21 and .223-.254 for static assignments.
add name=pool-dhcp-default ranges=10.0.199.22-10.0.199.222
add name=pool-dhcp-iot ranges=10.0.55.22-10.0.55.222
add name=pool-dhcp-guest ranges=10.0.66.22-10.0.66.222
add name=pool-dhcp-kids ranges=10.0.77.22-10.0.77.222
add name=pool-dhcp-tr-wifi ranges=10.0.99.22-10.0.99.222
add name=pool-dhcp-tr-wired ranges=10.0.88.22-10.0.88.222
add name=pool-dhcp-mgmt ranges=10.0.11.22-10.0.11.222
/ip dhcp-server
# "defconf" serves the UNTAGGED side of br-main (10.0.199.0/24): anything that
# plugs into eth2/eth3 (pvid 1) -- presumably the remote CAPs -- gets a lease
# from it. The remaining servers are bound to the per-segment VLAN interfaces
# and to br-mgmt.
add address-pool=pool-dhcp-default interface=br-main name=defconf
add address-pool=pool-dhcp-iot interface=vl-iot name=dhcp-iot
add address-pool=pool-dhcp-guest interface=vl-guest name=dhcp-guest
add address-pool=pool-dhcp-kids interface=vl-kids name=dhcp-kids
add address-pool=pool-dhcp-tr-wifi interface=vl-tr-wifi name=dhcp-wifi
add address-pool=pool-dhcp-tr-wired interface=vl-tr-wired name=dhcp-tr-wired
add address-pool=pool-dhcp-mgmt interface=br-mgmt name=dhcp-mgmt
/caps-man manager
# CAPsMAN presents its own certificate (issued by the local CAPsMAN CA) so CAPs
# can verify the controller. NOTE(review): require-peer-certificate is not set
# in this export, so CAPs are not required to authenticate themselves; the only
# gate on which CAPs get a configuration is the radio-mac match in
# /caps-man provisioning. Issuing CAP certificates and enabling
# require-peer-certificate=yes would close that.
set ca-certificate=CAPsMAN-CA-18FD7485DDFB certificate=CAPsMAN-18FD7485DDFB \
    enabled=yes
/caps-man provisioning
# Three CAPs (the local one, DE:00/DE:01, plus two remote ones), one rule per
# radio: mgmt as master SSID, the four segment SSIDs as slaves.
# NOTE(review): provisioning is keyed on radio-mac only, which a rogue CAP can
# present; a radio whose MAC matches no rule is simply left unprovisioned.
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:85:DE:00 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:85:DE:01 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:99:87:16 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:99:87:17 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:5F:AE:A6 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:5F:AE:A7 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
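/interface bridge port
# CAP uplinks: access ports on the untagged side of br-main (pvid 1). Client
# traffic from the CAPs is tunnelled to CAPsMAN and tagged there (vlan-mode=
# use-tag on the datapaths), so these ports never need to accept tagged
# frames. Fix: eth2-CAP-01 had ingress-filtering=no and both ports admitted all
# frame types while being members of no tagged VLAN in /interface bridge vlan;
# a device on either port could inject frames tagged 11/88/99 straight into the
# management/trusted VLANs. Both ports now accept untagged only and are
# ingress-filtered. Assumes the CAPs attach untagged (they take 10.0.199.x from
# the defconf DHCP) -- confirm before applying.
add bridge=br-main comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    eth2-CAP-01
add bridge=br-main comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    eth3-CAP-02
# Switch trunk: tagged only (VLAN membership in /interface bridge vlan).
add bridge=br-main comment=defconf frame-types=admit-only-vlan-tagged \
    interface=eth4-SW
# Out-of-band management port on the non-VLAN bridge.
add bridge=br-mgmt comment=defconf interface=eth5-mgmt
# Local radios; their client traffic is handled by CAPsMAN, not bridged here.
add bridge=br-main comment=defconf interface=wlan-24
add bridge=br-main comment=defconf interface=wlan-5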
/ip neighbor discovery-settings
# MNDP/CDP/LLDP only on LAN (= br-main, i.e. the untagged side); the segment
# VLAN interfaces are not in LAN and therefore get no discovery.
set discover-interface-list=LAN
/interface bridge vlan
# eth4-SW is a tagged member of every segment VLAN. The exporter's warning
# below is about VLAN 1: it is tagged on the trunk here while also being the
# untagged pvid of br-main and the CAP ports, so the same broadcast domain
# (10.0.199.0/24) is reachable both untagged and as tag 1 -- consider moving
# the untagged network to a dedicated pvid or dropping 1 from the trunk.
# NOTE(review): the br-mgmt entry presumably has no effect since br-mgmt does
# not have vlan-filtering enabled.
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=br-main tagged=eth4-SW vlan-ids=55,1,11,66,77,88,99,199
add bridge=br-mgmt vlan-ids=11,199
/interface list member
# LAN contains only br-main (untagged side); vl-* and br-mgmt are deliberately
# not in it, so every list-based rule (IPv6 "!LAN" drops, MAC server, neighbor
# discovery) applies to the untagged network only.
add comment=defconf interface=br-main list=LAN
add comment=defconf interface=eth1-WAN list=WAN
/interface wireless cap
# The on-board radios are a CAP of the CAPsMAN running on this same box,
# reached over loopback (the firewall accepts input to 127.0.0.1 for this).
#
set bridge=br-main caps-man-addresses=127.0.0.1 certificate=\
    CAPsMAN-18FD7485DDFB discovery-interfaces=br-main enabled=yes interfaces=\
    wlan-24,wlan-5
/ip address
# Gateways: one /24 per segment. 10.0.199.1 is on br-main itself (untagged /
# VLAN 1), 10.0.11.1 on br-mgmt; the vl-mgmt and vl-mgmt-old sub-interfaces
# carry no address.
add address=10.0.199.1/24 interface=br-main network=10.0.199.0
add address=10.0.55.1/24 interface=vl-iot network=10.0.55.0
add address=10.0.88.1/24 interface=vl-tr-wired network=10.0.88.0
add address=10.0.99.1/24 interface=vl-tr-wifi network=10.0.99.0
add address=10.0.77.1/24 interface=vl-kids network=10.0.77.0
add address=10.0.66.1/24 interface=vl-guest network=10.0.66.0
add address=10.0.11.1/24 interface=br-mgmt network=10.0.11.0
/ip dhcp-client
# WAN address from the upstream provider.
add comment=defconf interface=eth1-WAN
/ip dhcp-server network
# Every segment is told to use its own gateway as DNS, so the router's
# resolver below is the only one clients see.
add address=10.0.11.0/24 dns-server=10.0.11.1 gateway=10.0.11.1
add address=10.0.55.0/24 dns-server=10.0.55.1 gateway=10.0.55.1
add address=10.0.66.0/24 dns-server=10.0.66.1 gateway=10.0.66.1
add address=10.0.77.0/24 dns-server=10.0.77.1 gateway=10.0.77.1
add address=10.0.88.0/24 dns-server=10.0.88.1 gateway=10.0.88.1
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
add address=10.0.199.0/24 comment=defconf dns-server=10.0.199.1 gateway=\
    10.0.199.1 netmask=24
/ip dns
# The router answers DNS for all segments. It is kept off the internet only by
# the firewall's "drop all coming in from WAN" input rule -- if that rule is
# ever moved or removed this becomes an open resolver.
# NOTE(review): guest/IoT/kids are only allowed udp/53 to their gateway, so
# DNS over TCP (truncated/large answers) will fail for them.
set allow-remote-requests=yes
/ip dns static
add address=10.0.199.1 comment=defconf name=router.lan
/ip firewall address-list
# Per-segment source/destination lists used by /ip firewall filter.
add address=10.0.55.0/24 list=SN-WF-IOT
add address=10.0.66.0/24 list=SN-WF-GUEST
add address=10.0.77.0/24 list=SN-WF-KIDS
add address=10.0.88.0/24 list=SN-TR-WIRED
add address=10.0.99.0/24 list=SN-TR-WIFI
# NOTE(review): the three RFC1918-* lists are not referenced by any rule in
# this export; the combined RFC1918 list below is the one in use.
add address=10.0.0.0/8 list=RFC1918-10
add address=172.16.0.0/12 list=RFC1918-172-16
add address=192.168.0.0/16 list=RFC1918-192-168
# 10.0.199.0/24: the untagged network on br-main (defconf DHCP pool). Keep this
# in sync with the allowed-address lists in /ip service.
add address=10.0.199.0/24 list=SN-OLD-MGMT
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=10.0.11.0/24 list=SN-MGMT
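/ip firewall filter
# Stateful shortcut first: fasttrack/accept anything already tracked and drop
# invalid; every rule after this only ever sees new connections.
# Fix: the fasttrack rule now sits BEFORE the generic established/related
# accept. In the original export it came after that accept (and after a second,
# duplicated accept/drop-invalid pair, removed here), so it never matched.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward connection-state=invalid
# The local CAP (wlan-24/wlan-5) reaches CAPsMAN over loopback.
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Nothing from the internet reaches router services. This is also what keeps
# the resolver (/ip dns allow-remote-requests=yes) off the WAN.
add action=drop chain=input comment="drop all coming in from WAN" \
    in-interface-list=WAN
# ---- per-segment policy ------------------------------------------------------
# Pattern: accept what a segment needs, then drop that segment's traffic to all
# private space (dst-address-list=RFC1918).
# NOTE(review): the drops are keyed on RFC1918 destinations, so a packet from
# guest/IoT/kids addressed to the router's own WAN address (public or CGNAT)
# falls through them; the terminal input drop added at the end of the input
# chain is what closes that. The trusted/mgmt accept rules match on
# src-address-list only (no in-interface), so a host on a restricted VLAN
# spoofing a 10.0.99.x / 10.0.88.x / 10.0.11.x source would match them
# (blind, since replies go back out the real segment). Consider
# `/ip settings set rp-filter=strict` -- verify it does not break any
# asymmetric path first -- or add in-interface= to those accepts.
# IoT: DHCP/DNS/NTP to its own gateway only; nothing else private.
add action=accept chain=input comment=\
    "IOT has no access to other internal subnets" dst-address=10.0.55.1 \
    dst-port=67,53,123 protocol=udp src-address-list=SN-WF-IOT
add action=drop chain=input dst-address-list=RFC1918 in-interface=vl-iot \
    src-address-list=SN-WF-IOT
add action=drop chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-WF-IOT
# Trusted wifi: full access to router and all private networks.
add action=accept chain=input comment=\
    "allow trusted wifi to all internal subnets" dst-address-list=RFC1918 \
    in-interface=vl-tr-wifi src-address-list=SN-TR-WIFI
add action=accept chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-TR-WIFI
# Kids: DHCP/DNS/NTP to their gateway, then IoT and guest networks, nothing
# else private. (The two input accepts toward SN-WF-IOT / SN-WF-GUEST match the
# router's own 10.0.55.1 / 10.0.66.1 addresses on any port.)
add action=accept chain=input comment=\
    "allow kids to IOT and Guest networks but nothing else" dst-address=\
    10.0.77.1 dst-port=67,53,123 protocol=udp src-address-list=SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-IOT in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-IOT src-address-list=\
    SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-GUEST in-interface=\
    vl-kids src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-GUEST \
    src-address-list=SN-WF-KIDS
add action=drop chain=input dst-address-list=RFC1918 in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=drop chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-WF-KIDS
# Management (br-mgmt / 10.0.11.0/24): full access.
add action=accept chain=input comment="allow MGMT to all internal subnets" \
    dst-address-list=RFC1918 in-interface=br-mgmt src-address-list=SN-MGMT
add action=accept chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-MGMT
# Trusted wired: full access.
add action=accept chain=input comment=\
    "allow trusted wired to all internal subnets" dst-address-list=RFC1918 \
    in-interface=vl-tr-wired src-address-list=SN-TR-WIRED
add action=accept chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-TR-WIRED
# Guest: DHCP/DNS/NTP to its gateway only; nothing else private.
add action=accept chain=input comment=\
    "Block GUESTs from all internal subnets" dst-address=10.0.66.1 dst-port=\
    67,53,123 protocol=udp src-address-list=SN-WF-GUEST
add action=drop chain=input dst-address-list=RFC1918 in-interface=vl-guest \
    src-address-list=SN-WF-GUEST
add action=drop chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-WF-GUEST
# ICMP to the router from anything not dropped above (WAN already dropped).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Untagged br-main (VLAN 1 / 10.0.199.0/24: the defconf DHCP network the remote
# CAPs on eth2/eth3 presumably live in, and still an allowed management source
# in /ip service) gets the same router access as the trusted segments.
add action=accept chain=input comment=\
    "allow untagged br-main (CAP uplinks / old mgmt) to router" in-interface=\
    br-main src-address-list=SN-OLD-MGMT
# DHCP DISCOVER/REQUEST arrive with source 0.0.0.0, which none of the
# src-address-list rules above match; accept them explicitly so the terminal
# drop cannot starve a segment of leases. WAN is already dropped, so this is
# LAN-side only.
add action=accept chain=input comment="DHCP server (bootp from 0.0.0.0)" \
    dst-port=67 protocol=udp
# Terminal input drop. RouterOS accepts when no rule matches, so without this
# every router service on every router address was reachable from any packet
# that slipped past the RFC1918-keyed drops above (e.g. guest -> WAN address).
add action=drop chain=input comment="drop everything else (input default deny)"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# The forward chain still ends in default-accept: segments reach the internet
# and 10.0.199.0/24 reaches everything because nothing drops them. Only new
# inbound connections from WAN that were not dst-nat'ed are refused.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN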
/ip firewall nat
# Source NAT for everything leaving via WAN, except traffic matched by an
# IPsec policy. No dst-nat rules exist in this export, so the forward chain's
# "not DSTNATed" drop refuses all new inbound connections from WAN.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
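/ip service
# Management plane: telnet/ftp off; the rest restricted to the management and
# trusted subnets (plus the untagged 10.0.199.0/24). These address filters are
# the only thing keeping the router's WAN address from serving logins, so keep
# them in step with the segment lists in /ip firewall address-list.
# Fix: api (8728) and api-ssl (8729) are enabled by default and were not
# restricted in the original export, leaving them reachable from every
# address the firewall lets through; they now use the same allow-list.
# NOTE(review): www is plain HTTP -- once www-ssl has a certificate, disable
# www. For ssh, also consider `/ip ssh set strong-crypto=yes`.
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24
set ssh address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24
set www-ssl address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24 \
    disabled=no
set winbox address=10.0.99.0/24,10.0.88.0/24,10.0.199.0/24,10.0.11.0/24
set api address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24
set api-ssl address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24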
/ipv6 firewall address-list
# Stock bogon list used by the IPv6 forward chain's bad-src/bad-dst drops.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified RouterOS default IPv6 policy. No IPv6 addressing appears in this
# export. NOTE(review): both chains end with "drop if not from LAN", and LAN
# is br-main only, so IPv6 on the segment VLAN interfaces would be dropped
# outright; if IPv6 is enabled there later, adding vl-* to LAN would also
# bypass segmentation entirely, because there is no per-VLAN IPv6 policy
# equivalent to the IPv4 one.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
# IKE/AH/ESP are accepted from anywhere, including WAN, by the default policy.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MT-Router-01
/system ntp server
# The router serves NTP to all segments (the IPv4 firewall explicitly permits
# udp/123 from guest/IoT/kids to their gateway). No NTP client/upstream is
# shown in this export -- without one the served time is only as good as the
# local clock; confirm /system ntp client is configured.
set enabled=yes
/tool mac-server
# MAC-telnet and MAC-Winbox answer on LAN, i.e. the untagged side of br-main
# (including the CAP uplink ports). They bypass the /ip service address
# filters, so device login credentials are the only gate there.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN