myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Help needed for Router-Switch-AP (all in one) scenario

Sat Mar 25, 2023 9:07 pm

Hey VLAN experts,

I am trying to modify the Router-Switch-AP (all in one) scenario to suit my purposes, which is sending ether4 (Green VLAN) out to a dumb PoE switch to feed three HP WAPs. When I connect to the internal (wlan2) GREEN AP it works fine. However, when I connect the switch to ether4 the WAPs don't receive IP addresses or internet. Is there something more I should be doing in the config to enable VLAN tagging on ether4?

Richard
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 4:16 am

Of course I can, because I can see through the internet with my spy camera and see your config.

Access port on Router --> untag data upon leaving device, tag data upon re-entering device.
Trunk port on Router --> leave tags on, as traffic is going to a smart device which returns tagged traffic.

Suspect you have an error in either your
/interface bridge port settings or /interface bridge vlan settings or both.
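Added example, not code from this thread or from RouterOS: a small Python model of the bridge VLAN-filtering rules the reply above describes (an access port tags untagged frames with its pvid on the way in and strips the tag on the way out; a trunk port passes tags through). The port and VLAN entries are transcribed from the /interface bridge port and /interface bridge vlan sections of the config posted later in this thread; the "trunk" variant is a hypothetical what-if used only to show the other half of the distinction, not a change the thread recommends. It assumes the documented RouterOS behaviour that, with vlan-filtering=yes, a port's pvid makes it a dynamic untagged member of that VLAN, and it treats priority-tagged frames as untagged.

```python
# Added example: a model of RouterOS bridge VLAN filtering, built from the
# bridge port / bridge vlan entries posted in this thread. It is not
# RouterOS code; it encodes the documented rules so the access-vs-trunk
# distinction can be checked offline.
from dataclasses import dataclass

ACCESS = "admit-only-untagged-and-priority-tagged"
TRUNK = "admit-only-vlan-tagged"
HYBRID = "admit-all"


@dataclass
class Port:
    name: str
    pvid: int
    frame_types: str = HYBRID
    ingress_filtering: bool = True


@dataclass
class VlanEntry:
    vlan_id: int
    tagged: set
    untagged: set


def effective_vlan_table(ports, entries):
    """Static /interface bridge vlan entries plus the dynamic untagged
    membership a port's pvid creates when vlan-filtering=yes."""
    table = {e.vlan_id: VlanEntry(e.vlan_id, set(e.tagged), set(e.untagged))
             for e in entries}
    for p in ports:
        entry = table.setdefault(p.pvid, VlanEntry(p.pvid, set(), set()))
        if p.name not in entry.tagged:
            entry.untagged.add(p.name)
    return table


def ingress(port, vid, table):
    """VLAN a frame is classified into on arrival, or None if dropped.
    vid=None models an untagged (or priority-tagged) frame."""
    if vid is None:
        if port.frame_types == TRUNK:
            return None          # untagged traffic is refused on a trunk
        vid = port.pvid          # untagged frame is tagged with the pvid
    elif port.frame_types == ACCESS:
        return None              # tagged traffic is refused on an access port
    if port.ingress_filtering:
        e = table.get(vid)
        if e is None or port.name not in (e.tagged | e.untagged):
            return None          # port is not a member of that VLAN
    return vid


def egress(port_name, vid, table):
    """How the frame leaves a port: 'tagged', 'untagged', or None (not a member)."""
    e = table.get(vid)
    if e is None:
        return None
    if port_name in e.tagged:
        return "tagged"
    if port_name in e.untagged:
        return "untagged"
    return None


def trace(ports, entries, in_port, vid, out_port):
    """(classified VLAN, egress form) for a frame entering in_port with vid."""
    table = effective_vlan_table(ports, entries)
    src = next(p for p in ports if p.name == in_port)
    classified = ingress(src, vid, table)
    return classified, (None if classified is None else egress(out_port, classified, table))


# Transcribed from the /interface bridge port and /interface bridge vlan
# sections of the config posted in this thread (BR1 = the bridge/CPU port).
POSTED_PORTS = [
    Port("ether2", 20, ACCESS), Port("ether3", 20, ACCESS), Port("wlan1", 20, ACCESS),
    Port("ether4", 10, ACCESS), Port("wlan2", 10, ACCESS), Port("ether5", 99, ACCESS),
]
POSTED_VLANS = [VlanEntry(10, {"BR1"}, set()),
                VlanEntry(20, {"BR1"}, set()),
                VlanEntry(99, {"BR1"}, set())]

# Hypothetical what-if (not something the thread proposes): ether4 as a trunk
# carrying VLAN 10 tagged, to show the other half of the access/trunk split.
TRUNK_PORTS = [Port("ether4", 1, TRUNK), Port("wlan2", 10, ACCESS)]
TRUNK_VLANS = [VlanEntry(10, {"BR1", "ether4"}, set())]

if __name__ == "__main__":
    for label, ports, vlans, vid in (("posted (access)", POSTED_PORTS, POSTED_VLANS, None),
                                     ("posted (access)", POSTED_PORTS, POSTED_VLANS, 10),
                                     ("what-if (trunk)", TRUNK_PORTS, TRUNK_VLANS, None),
                                     ("what-if (trunk)", TRUNK_PORTS, TRUNK_VLANS, 10)):
        print(label, "ether4 in, vid", vid, "->", trace(ports, vlans, "ether4", vid, "BR1"))
```

Run as-is it walks four cases. With the posted entries, an untagged frame entering ether4 is classified into VLAN 10, reaches BR1 tagged (which is where GREEN_VLAN and GREEN_DHCP live) and leaves wlan2 untagged, while a frame that arrives on ether4 already tagged is dropped at ingress because of the access-port frame-types. In the trunk what-if the results invert: tagged VLAN 10 is accepted and untagged is refused. The model covers only the bridge VLAN table; it does not represent the RB2011's switch-chip offload or the wireless vlan-mode settings, so treat it as a way to reason about the bridge port and bridge vlan sections, not as a substitute for checking the device.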
 
myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 2:29 pm

Sorry Anav, here is the config:
# mar/26/2023 07:35:36 by RouterOS 7.8
# software id = 5MCY-99KG
#
# model = RB2011UiAS-2HnD
# serial number = xxxxxxxxxxxxxx
/interface bridge
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no \
    disabled=no ether-type=0x8100 fast-forward=yes frame-types=admit-all \
    igmp-snooping=no ingress-filtering=yes mtu=auto name=BR1 protocol-mode=\
    none pvid=1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:BD mtu=1500 name=ether1 orig-mac-address=E4:8D:8C:36:5C:BD \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:BE mtu=1500 name=ether2 orig-mac-address=E4:8D:8C:36:5C:BE \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:BF mtu=1500 name=ether3 orig-mac-address=E4:8D:8C:36:5C:BF \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C0 mtu=1500 name=ether4 orig-mac-address=E4:8D:8C:36:5C:C0 \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C1 mtu=1500 name=ether5 orig-mac-address=E4:8D:8C:36:5C:C1 \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C2 mtu=1500 name=ether6 orig-mac-address=E4:8D:8C:36:5C:C2 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C3 mtu=1500 name=ether7 orig-mac-address=E4:8D:8C:36:5C:C3 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C4 mtu=1500 name=ether8 orig-mac-address=E4:8D:8C:36:5C:C4 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C5 mtu=1500 name=ether9 orig-mac-address=E4:8D:8C:36:5C:C5 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C6 mtu=1500 name=ether10 orig-mac-address=\
    E4:8D:8C:36:5C:C6 poe-lldp-enabled=no poe-out=auto-on poe-priority=10 \
    power-cycle-interval=none !power-cycle-ping-address \
    power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off \
    speed=100Mbps tx-flow-control=off
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:BC mtu=1500 name=sfp1 orig-mac-address=E4:8D:8C:36:5C:BC \
    rx-flow-control=off sfp-rate-select=high sfp-shutdown-temperature=95C \
    speed=1Gbps tx-flow-control=off
/queue interface
set BR1 queue=no-queue
/interface vlan
add arp=enabled arp-timeout=auto disabled=no interface=BR1 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=\
    1500 name=BASE_VLAN use-service-tag=no vlan-id=99
add arp=enabled arp-timeout=auto disabled=no interface=BR1 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=\
    1500 name=BLUE_VLAN use-service-tag=no vlan-id=20
add arp=enabled arp-timeout=auto disabled=no interface=BR1 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=\
    1500 name=GREEN_VLAN use-service-tag=no vlan-id=10
/queue interface
set BASE_VLAN queue=no-queue
set BLUE_VLAN queue=no-queue
set GREEN_VLAN queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
set 1 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch2
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 6 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 7 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 8 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 9 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 10 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 11 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 12 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
add exclude="" include="" name=WAN
add exclude="" include="" name=VLAN
add exclude="" include="" name=BASE
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=\
    none default-route-distance=2 ip-type=auto name=default use-network-apn=\
    yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=no \
    eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m \
    interim-update=0s management-protection=disabled mode=dynamic-keys \
    mschapv2-username="" name=default radius-called-format=mac:ssid \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=aes-ccm
add authentication-types=wpa2-psk disable-pmkid=no eap-methods=passthrough \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled mode=dynamic-keys mschapv2-username="" \
    name=guest radius-called-format=mac:ssid radius-eap-accounting=no \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
    disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=aes-ccm
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=none allow-sharedkey=\
    no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
    4 area="" arp=enabled arp-timeout=auto band=2ghz-b/g basic-rates-a/g=\
    6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20mhz \
    compression=no country=etsi default-ap-tx-limit=0 default-authentication=\
    yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=no disconnect-timeout=3s distance=\
    dynamic frame-lifetime=0 frequency=auto frequency-mode=regulatory-domain \
    frequency-offset=0 guard-interval=any hide-ssid=no ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
    s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
    cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
    3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 installation=any \
    interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=E4:8D:8C:36:5C:C7 max-station-count=2007 mode=ap-bridge mtu=\
    1500 multicast-buffering=enabled multicast-helper=default name=wlan1 \
    noise-floor-threshold=default nv2-cell-radius=30 nv2-downlink-ratio=50 \
    nv2-mode=dynamic-downlink nv2-noise-floor-offset=default nv2-qos=default \
    nv2-queue-count=2 nv2-security=disabled nv2-sync-secret="" \
    on-fail-retry-time=100ms preamble-mode=both radio-name=E48D8C365CC7 \
    rate-selection=advanced rate-set=default rx-chains=0,1 scan-list=default \
    secondary-frequency="" security-profile=default skip-dfs-channels=\
    disabled ssid=BLUE station-bridge-clone-mac=00:00:00:00:00:00 \
    station-roaming=disabled supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-chains=0,1 \
    tx-power-mode=default update-stats-interval=disabled vlan-id=1 vlan-mode=\
    no-tag wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 \
    wds-ignore-ssid=no wds-mode=disabled wireless-protocol=any wmm-support=\
    disabled wps-mode=push-button
add area="" arp=enabled arp-timeout=auto bridge-mode=enabled \
    default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=\
    0 default-forwarding=yes disable-running-check=no disabled=no hide-ssid=\
    no interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=E6:8D:8C:36:5C:C7 master-interface=wlan1 max-station-count=\
    2007 mode=ap-bridge mtu=1500 multicast-buffering=enabled \
    multicast-helper=default name=wlan2 security-profile=guest ssid=GREEN \
    station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=disabled \
    update-stats-interval=disabled vlan-id=1 vlan-mode=no-tag wds-cost-range=\
    50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no \
    wds-mode=disabled wmm-support=disabled wps-mode=push-button
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254
add name=BASE_POOL ranges=192.168.0.254-192.168.88.10
/ip dhcp-server
add address-pool=BLUE_POOL authoritative=yes disabled=no interface=BLUE_VLAN \
    lease-script="" lease-time=10m name=BLUE_DHCP use-radius=no
add address-pool=GREEN_POOL authoritative=yes disabled=no interface=\
    GREEN_VLAN lease-script="" lease-time=10m name=GREEN_DHCP use-radius=no
add address-pool=BASE_POOL authoritative=yes disabled=no interface=BASE_VLAN \
    lease-script="" lease-time=10m name=BASE_DHCP use-radius=no
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
    stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=default use-ipv6=\
    yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default-encryption on-down="" on-up="" only-one=\
    default !outgoing-filter !parent-queue !queue-type !rate-limit \
    !remote-address !session-timeout use-compression=default use-encryption=\
    yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set ether6 queue=only-hardware-queue
set ether7 queue=only-hardware-queue
set ether8 queue=only-hardware-queue
set ether9 queue=only-hardware-queue
set ether10 queue=only-hardware-queue
set sfp1 queue=only-hardware-queue
set wlan1 queue=wireless-default
set wlan2 queue=wireless-default
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=\
    no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
    0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
    bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api,romon,rest-api" skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled \
    mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
    require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether2 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=20 restricted-role=no restricted-tcn=no tag-stacking=\
    no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether3 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=20 restricted-role=no restricted-tcn=no tag-stacking=\
    no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none ingress-filtering=\
    yes interface=wlan1 internal-path-cost=10 learn=auto multicast-router=\
    temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=20 \
    restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether4 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=10 restricted-role=no restricted-tcn=no tag-stacking=\
    no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none ingress-filtering=\
    yes interface=wlan2 internal-path-cost=10 learn=auto multicast-router=\
    temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=10 \
    restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes comment=\
    "Admin Access" disabled=no edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether5 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=99 restricted-role=no restricted-tcn=no tag-stacking=\
    no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=BASE lldp-med-net-policy-vlan=disabled mode=\
    tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
    arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=4096 route-cache=yes rp-filter=no secure-redirects=\
    yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=2048
/interface bridge vlan
add bridge=BR1 disabled=no tagged=BR1 untagged="" vlan-ids=10
add bridge=BR1 disabled=no tagged=BR1 untagged="" vlan-ids=20
add bridge=BR1 disabled=no tagged=BR1 untagged="" vlan-ids=99
/interface detect-internet
set detect-interface-list=none internet-interface-list=none \
    lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no \
    authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 \
    l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=\
    unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface list member
add disabled=no interface=ether1 list=WAN
add disabled=no interface=BASE_VLAN list=VLAN
add disabled=no interface=BLUE_VLAN list=VLAN
add disabled=no interface=GREEN_VLAN list=VLAN
add disabled=no interface=BASE_VLAN list=BASE
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc \
    default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 \
    keepalive-timeout=60 mac-address=FE:D3:17:B5:26:BB max-mtu=1500 mode=ip \
    netmask=24 port=1194 protocol=tcp redirect-gateway=disabled reneg-sec=\
    3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
    caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
    interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip address
add address=192.168.0.1/24 disabled=no interface=BASE_VLAN network=\
    192.168.0.0
add address=10.0.10.1/24 disabled=no interface=BLUE_VLAN network=10.0.10.0
add address=192.168.10.1/24 disabled=no interface=GREEN_VLAN network=\
    192.168.10.0
/ip cloud
set ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes default-route-distance=1 dhcp-options=\
    hostname,clientid disabled=no interface=ether1 use-peer-dns=yes \
    use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=\
    5m
/ip dhcp-server network
add address=10.0.10.0/24 caps-manager="" dhcp-option="" dns-server=\
    192.168.0.1 gateway=10.0.10.1 !next-server ntp-server="" wins-server=""
add address=192.168.10.0/24 caps-manager="" dhcp-option="" dns-server=\
    192.168.10.1 gateway=192.168.10.1 !next-server ntp-server="" wins-server=\
    ""
add address=192.168.88.0/24 caps-manager="" dhcp-option="" dns-server=\
    192.168.88.1 gateway=192.168.88.1 !next-server ntp-server="" wins-server=\
    ""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    doh-max-concurrent-queries=50 doh-max-server-connections=5 doh-timeout=5s \
    max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
    max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
    servers=9.9.9.9 use-doh-server="" verify-doh-cert=no
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN !to-addresses !to-ports
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any \
    vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any \
    vrf=main
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=\
    200 port=1080 version=4
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
    host-key-size=2048 strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=32k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
    yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes \
    disabled=no dns="" hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no \
    pref64="" ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m \
    ra-preference=medium reachable-time=unspecified retransmit-interval=\
    unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/lcd
set backlight-timeout=30m color-scheme=dark default-screen=main-menu enabled=\
    yes flip-screen=no read-only-mode=no time-interval=min touch-screen=\
    enabled
/lcd pin
set hide-pin-number=no pin-number=1234
/lcd interface
set sfp1 disabled=no max-speed=auto timeout=10s
set ether1 disabled=no max-speed=auto timeout=10s
set ether2 disabled=no max-speed=auto timeout=10s
set ether3 disabled=no max-speed=auto timeout=10s
set ether4 disabled=no max-speed=auto timeout=10s
set ether5 disabled=no max-speed=auto timeout=10s
set ether6 disabled=no max-speed=auto timeout=10s
set ether7 disabled=no max-speed=auto timeout=10s
set ether8 disabled=no max-speed=auto timeout=10s
set ether9 disabled=no max-speed=auto timeout=10s
set ether10 disabled=no max-speed=auto timeout=10s
set wlan1 disabled=no max-speed=auto timeout=10s
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10"
/lcd screen
set 0 disabled=no timeout=10s
set 1 disabled=no timeout=10s
set 2 disabled=no timeout=10s
set 3 disabled=no timeout=10s
set 4 disabled=no timeout=10s
set 5 disabled=no timeout=10s
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
    use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/snmp
set contact="" enabled=no engine-id="" location="" src-address=:: \
    trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=America/Toronto
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system identity
set name=RouterSwitchAP
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no \
    local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=\
    main
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
/system resource usb settings
set authorization=no
/system routerboard settings
set auto-upgrade=no baud-rate=115200 boot-delay=2s boot-device=\
    nand-if-fail-then-ethernet boot-protocol=bootp enable-jumper-reset=yes \
    enter-setup-on=any-key force-backup-booter=no protected-routerboot=\
    disabled reformat-hold-button=20s reformat-hold-button-max=10m \
    silent-boot=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard usb
set usb-mode=automatic
/system script
add dont-require-permissions=no name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    ##########################################################################\
    ####\r\
    \n# Topic:\t\tUsing RouterOS to VLAN your network\r\
    \n# Example:\t\tRouter-Switch-AP all in one device\r\
    \n# Web:\t\t\thttps://forum.mikrotik.com/viewtopic.php\?t=143620\r\
    \n# RouterOS:\t\t6.47.10\r\
    \n# Date:\t\t\tFebruary 17, 2023\r\
    \n# Notes:\t\tStart with a reset (/system reset-configuration)\r\
    \n# Thanks:\t\tmkx, sindy\r\
    \n########################################################################\
    #######\r\
    \n\r\
    \n#######################################\r\
    \n# Naming\r\
    \n#######################################\r\
    \n\r\
    \n# name the device being configured\r\
    \n/system identity set name=\"RouterSwitchAP\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Overview\r\
    \n#######################################\r\
    \n\r\
    \n# 10 = BLUE\r\
    \n# 20 = GREEN\r\
    \n# 99 = BASE (MGMT) VLAN\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# WIFI Setup\r\
    \n#\r\
    \n# Example wireless settings only. Do\r\
    \n# NOT use in production!\r\
    \n#######################################\r\
    \n\r\
    \n# Blue SSID\r\
    \n/interface wireless security-profiles set [ find default=yes ] authentic\
    ation-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=\"password\"\r\
    \n/interface wireless set [ find default-name=wlan1 ] ssid=BLUE frequency=\
    auto mode=ap-bridge disabled=no\r\
    \n\r\
    \n# Green SSID\r\
    \n/interface wireless security-profiles add name=guest authentication-type\
    s=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=\"password\"\r\
    \n/interface wireless add name=wlan2 ssid=GREEN master-interface=wlan1 sec\
    urity-profile=guest disabled=no\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Bridge\r\
    \n#######################################\r\
    \n\r\
    \n# create one bridge, set VLAN mode off while we configure\r\
    \n/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n#\r\
    \n# -- Access Ports --\r\
    \n#\r\
    \n#######################################\r\
    \n\r\
    \n# ingress behavior\r\
    \n/interface bridge port\r\
    \n\r\
    \n# Blue VLAN 20\r\
    \nadd bridge=BR1 interface=ether2 pvid=20\r\
    \nadd bridge=BR1 interface=ether3 pvid=20\r\
    \nadd bridge=BR1 interface=wlan1  pvid=20\r\
    \n\r\
    \n# Green VLAN 10\r\
    \nadd bridge=BR1 interface=ether4 pvid=10\r\
    \nadd bridge=BR1 interface=wlan2  pvid=10\r\
    \n\r\
    \n# BASE_VLAN, set aside a port for admin access to Winbox the device.\r\
    \nadd bridge=BR1 interface=ether5 pvid=99\r\
    \n\r\
    \n# egress behavior, handled automatically\r\
    \n\r\
    \n# L3 switching so Bridge must be a tagged member\r\
    \n/interface bridge vlan\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=10\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=20\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=99\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# IP Addressing & Routing\r\
    \n#######################################\r\
    \n\r\
    \n# LAN facing router's IP address on the BASE_VLAN\r\
    \n/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99\r\
    \n/ip address add address=192.168.0.1/24 interface=BASE_VLAN\r\
    \n\r\
    \n# DNS server, set to cache for LAN\r\
    \n/ip dns set allow-remote-requests=yes servers=\"9.9.9.9\"\r\
    \n\r\
    \n# Yellow WAN facing port with IP Address and route provided by ISP\r\
    \n/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0\r\
    \n/ip route add distance=1 gateway=b.b.b.b\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# IP Services\r\
    \n#######################################\r\
    \n\r\
    \n# Blue VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20\r\
    \n/ip address add interface=BLUE_VLAN address=10.0.10.1/24\r\
    \n/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254\r\
    \n/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE\
    _DHCP disabled=no\r\
    \n/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 \
    gateway=10.0.10.1\r\
    \n\r\
    \n# Green VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=10\r\
    \n/ip address add interface=GREEN_VLAN address=192.168.10.1/24\r\
    \n/ip pool add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254\r\
    \n/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GR\
    EEN_DHCP disabled=no\r\
    \n/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.1\
    0.1 gateway=192.168.10.1\r\
    \n\r\
    \n# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature fo\
    r an admin.\r\
    \n /ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.0.254\r\
    \n /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BAS\
    E_DHCP disabled=no\r\
    \n /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.\
    88.1 gateway=192.168.88.1\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Firewalling & NAT\r\
    \n# A good firewall for WAN. Up to you\r\
    \n# about how you want LAN to behave.\r\
    \n#######################################\r\
    \n\r\
    \n# Use MikroTik's \"list\" feature for easy rule matchmaking.\r\
    \n\r\
    \n/interface list add name=WAN\r\
    \n/interface list add name=VLAN\r\
    \n/interface list add name=BASE\r\
    \n\r\
    \n/interface list member\r\
    \nadd interface=ether1     list=WAN\r\
    \nadd interface=BASE_VLAN  list=VLAN\r\
    \nadd interface=BLUE_VLAN  list=VLAN\r\
    \nadd interface=GREEN_VLAN list=VLAN\r\
    \nadd interface=BASE_VLAN  list=BASE\r\
    \n\r\
    \n# VLAN aware firewall. Order is important.\r\
    \n/ip firewall filter\r\
    \n\r\
    \n\r\
    \n##################\r\
    \n# INPUT CHAIN\r\
    \n##################\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow VLANs to access router services like DNS, Winbox. Naturally, you\
    \_SHOULD make it more granular.\r\
    \nadd chain=input action=accept in-interface-list=VLAN comment=\"Allow VLA\
    N\"\r\
    \n\r\
    \n# Allow BASE_VLAN full access to the device for Winbox, etc.\r\
    \nadd chain=input action=accept in-interface=BASE_VLAN comment=\"Allow Bas\
    e_Vlan Full Access\"\r\
    \n\r\
    \nadd chain=input action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# FORWARD CHAIN\r\
    \n##################\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow all VLANs to access the Internet only, NOT each other\r\
    \nadd chain=forward action=accept connection-state=new in-interface-list=V\
    LAN out-interface-list=WAN comment=\"VLAN Internet Access only\"\r\
    \n\r\
    \nadd chain=forward action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# NAT\r\
    \n##################\r\
    \n/ip firewall nat add chain=srcnat action=masquerade out-interface-list=W\
    AN comment=\"Default masquerade\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Security\r\
    \n#######################################\r\
    \n\r\
    \n# Only allow ingress packets without tags on Access Ports\r\
    \n/interface bridge port\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether2]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether3]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether4]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether5]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan1]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan2]\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# MAC Server settings\r\
    \n#######################################\r\
    \n\r\
    \n# Ensure only visibility and availability from BASE_VLAN, the MGMT netwo\
    rk\r\
    \n/ip neighbor discovery-settings set discover-interface-list=BASE\r\
    \n/tool mac-server mac-winbox set allowed-interface-list=BASE\r\
    \n/tool mac-server set allowed-interface-list=BASE\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Turn on VLAN mode\r\
    \n#######################################\r\
    \n/interface bridge set BR1 vlan-filtering=yes\r\
    \n\r\
    \n"
add dont-require-permissions=no name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Blue VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20\r\
    \n/ip address add interface=BLUE_VLAN address=10.0.10.1/24\r\
    \n/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254\r\
    \n/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE\
    _DHCP disabled=no\r\
    \n/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 \
    gateway=10.0.10.1\r\
    \n\r\
    \n# Green VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=10\r\
    \n/ip address add interface=GREEN_VLAN address=192.168.10.1/24\r\
    \n/ip pool add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254\r\
    \n/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GR\
    EEN_DHCP disabled=no\r\
    \n/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.1\
    0.1 gateway=192.168.10.1\r\
    \n\r\
    \n# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature fo\
    r an admin.\r\
    \n /ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.0.254\r\
    \n /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BAS\
    E_DHCP disabled=no\r\
    \n /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.\
    88.1 gateway=192.168.88.1\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Firewalling & NAT\r\
    \n# A good firewall for WAN. Up to you\r\
    \n# about how you want LAN to behave.\r\
    \n#######################################\r\
    \n\r\
    \n# Use MikroTik's \"list\" feature for easy rule matchmaking.\r\
    \n\r\
    \n/interface list add name=WAN\r\
    \n/interface list add name=VLAN\r\
    \n/interface list add name=BASE\r\
    \n\r\
    \n/interface list member\r\
    \nadd interface=ether1     list=WAN\r\
    \nadd interface=BASE_VLAN  list=VLAN\r\
    \nadd interface=BLUE_VLAN  list=VLAN\r\
    \nadd interface=GREEN_VLAN list=VLAN\r\
    \nadd interface=BASE_VLAN  list=BASE\r\
    \n\r\
    \n# VLAN aware firewall. Order is important.\r\
    \n/ip firewall filter\r\
    \n\r\
    \n\r\
    \n##################\r\
    \n# INPUT CHAIN\r\
    \n##################\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow VLANs to access router services like DNS, Winbox. Naturally, you\
    \_SHOULD make it more granular.\r\
    \nadd chain=input action=accept in-interface-list=VLAN comment=\"Allow VLA\
    N\"\r\
    \n\r\
    \n# Allow BASE_VLAN full access to the device for Winbox, etc.\r\
    \nadd chain=input action=accept in-interface=BASE_VLAN comment=\"Allow Bas\
    e_Vlan Full Access\"\r\
    \n\r\
    \nadd chain=input action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# FORWARD CHAIN\r\
    \n##################\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow all VLANs to access the Internet only, NOT each other\r\
    \nadd chain=forward action=accept connection-state=new in-interface-list=V\
    LAN out-interface-list=WAN comment=\"VLAN Internet Access only\"\r\
    \n\r\
    \nadd chain=forward action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# NAT\r\
    \n##################\r\
    \n/ip firewall nat add chain=srcnat action=masquerade out-interface-list=W\
    AN comment=\"Default masquerade\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Security\r\
    \n#######################################\r\
    \n\r\
    \n# Only allow ingress packets without tags on Access Ports\r\
    \n/interface bridge port\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether2]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether3]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether4]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether5]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan1]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan2]\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# MAC Server settings\r\
    \n#######################################\r\
    \n\r\
    \n# Ensure only visibility and availability from BASE_VLAN, the MGMT netwo\
    rk\r\
    \n/ip neighbor discovery-settings set discover-interface-list=BASE\r\
    \n/tool mac-server mac-winbox set allowed-interface-list=BASE\r\
    \n/tool mac-server set allowed-interface-list=BASE\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Turn on VLAN mode\r\
    \n#######################################\r\
    \n/interface bridge set BR1 vlan-filtering=yes\r\
    \n"
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
    ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> port=25 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
    filter-dst-ip-address="" filter-dst-ipv6-address="" \
    filter-dst-mac-address="" filter-dst-port="" filter-interface="" \
    filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
    filter-mac-address="" filter-mac-protocol="" \
    filter-operator-between-entries=or filter-port="" filter-size="" \
    filter-src-ip-address="" filter-src-ipv6-address="" \
    filter-src-mac-address="" filter-src-port="" filter-stream=no \
    filter-vlan="" memory-limit=100KiB memory-scroll=yes only-headers=no \
    streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=yes \
    stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 2:44 pm

Looks good so far........

1. Minor point: even though you have a correct config for /interface bridge vlans, it doesn't really communicate well, so always do it manually so as to crosscheck the bridge ports easily.
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99


I prefer to see...........
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether4,wlan2 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether5 vlan-ids=99


2. YOUR ISSUE....

/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1


Should be
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
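A consistency check for the two points in the reply above, as an added example that is not part of the thread or of RouterOS itself: a small Python linter that parses a RouterOS export (here a cut-down, `add`-only copy of the posted config, constructed inline) and reports bridge ports whose pvid has no bridge-vlan row or is not listed as an untagged member, and DHCP servers whose network row or pool falls outside the subnet configured on their interface. The corrected variant applies the untagged lists and the 192.168.0.0/24 network row given in the reply; the matching pool range 192.168.0.10-192.168.0.254 is an assumption, since the reply does not state one. Function and variable names are the example's own.

```python
"""Lint a RouterOS export for the VLAN/DHCP mismatches that leave a VLAN without
leases: pvids with no bridge-vlan row, ports missing from the untagged list, and
DHCP network rows or pools outside the subnet on the server's interface."""
import ipaddress
import re
import shlex
from collections import defaultdict

# Constructed sample: a cut-down, 'add'-only copy of the export posted in the
# thread, including its BASE_VLAN mismatch (192.168.0.1/24 vs 192.168.88.x DHCP).
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=BR1 interface=ether2 pvid=20
add bridge=BR1 interface=ether3 pvid=20
add bridge=BR1 interface=wlan1 pvid=20
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=wlan2 pvid=10
add bridge=BR1 interface=ether5 pvid=99
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN
add address=10.0.10.1/24 interface=BLUE_VLAN
add address=192.168.10.1/24 interface=GREEN_VLAN
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254
add name=BASE_POOL ranges=192.168.88.10-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
"""

# The reply's corrections (explicit untagged members, 192.168.0.0/24 network row);
# the matching pool range is an assumption, the reply gives none.
FIXED_EXPORT = (SAMPLE_EXPORT
    .replace("tagged=BR1 vlan-ids=10", "tagged=BR1 untagged=ether4,wlan2 vlan-ids=10")
    .replace("tagged=BR1 vlan-ids=20", "tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=20")
    .replace("tagged=BR1 vlan-ids=99", "tagged=BR1 untagged=ether5 vlan-ids=99")
    .replace("ranges=192.168.88.10-192.168.0.254", "ranges=192.168.0.10-192.168.0.254")
    .replace("address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1",
             "address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1"))


def parse_export(text):
    """Map each menu path to the {key: value} dicts of its 'add' commands.
    Continued lines (trailing backslash) are joined; 'set' lines are ignored."""
    menus, menu = defaultdict(list), None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            tokens = shlex.split(line)[1:]          # shlex handles quoted values
            menus[menu].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def check_bridge_vlans(menus):
    """Each port's pvid needs a bridge-vlan row that lists the port as untagged."""
    findings, rows = [], {}
    for row in menus["/interface bridge vlan"]:
        for vid in row.get("vlan-ids", "").split(","):   # single IDs; no "10-20" ranges
            rows[int(vid)] = row
    for port in menus["/interface bridge port"]:
        name, pvid = port["interface"], int(port.get("pvid", 1))
        if pvid not in rows:
            findings.append(f"{name}: pvid {pvid} has no /interface bridge vlan row")
        elif name not in rows[pvid].get("untagged", "").split(","):
            findings.append(f"{name}: not listed as untagged member of vlan {pvid}")
    return findings


def check_dhcp(menus):
    """A server's network row and pool must lie inside the subnet on its interface."""
    findings, subnets = [], defaultdict(list)
    for a in menus["/ip address"]:
        subnets[a["interface"]].append(ipaddress.ip_interface(a["address"]).network)
    pools = {p["name"]: p["ranges"] for p in menus["/ip pool"]}
    nets = [ipaddress.ip_network(r["address"]) for r in menus["/ip dhcp-server network"]]
    for srv in menus["/ip dhcp-server"]:
        name, mine = srv["name"], subnets.get(srv["interface"], [])
        if not any(n.subnet_of(s) for n in nets for s in mine):
            findings.append(f"{name}: no /ip dhcp-server network row inside "
                            f"{', '.join(map(str, mine)) or 'no address'} on {srv['interface']}")
        lo, _, hi = pools[srv["address-pool"]].partition("-")
        lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
        if hi_ip < lo_ip:
            findings.append(f"{name}: pool range {lo}-{hi} is reversed")
        if not any(lo_ip in s and hi_ip in s for s in mine):
            findings.append(f"{name}: pool range {lo}-{hi} is outside the interface subnet")
    return findings


def audit(text):
    menus = parse_export(text)
    return check_bridge_vlans(menus) + check_dhcp(menus)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)) or "no findings")
```

Run against the posted configuration it flags all six access ports as missing from the untagged lists and reports BASE_DHCP three times (no network row inside 192.168.0.0/24, a reversed pool range, a pool outside the interface subnet); against the corrected export it returns nothing. The same script can be pointed at a full `/export` file, since continued lines are joined before parsing, but it only reads `add` commands and single VLAN IDs.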
 
myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 2:57 pm

Thanks for the fast response. I made the changes and connected the PoE dumb switch to ether4. I can get an IP and internet on the BLUE VLAN, but on the GREEN VLAN I am not getting an IP (though on the internal MT router wlan I am getting the correct IP). Can I/should I use the built-in Atheros8327 switch to create a trunk port? Here is the updated config:
# mar/26/2023 07:50:33 by RouterOS 7.8
# software id = 5MCY-99KG
#
# model = RB2011UiAS-2HnD
# serial number = XXXXXXXXXXXXXX
/interface bridge
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no \
    disabled=no ether-type=0x8100 fast-forward=yes frame-types=admit-all \
    igmp-snooping=no ingress-filtering=yes mtu=auto name=BR1 protocol-mode=\
    none pvid=1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:BD mtu=1500 name=ether1 orig-mac-address=E4:8D:8C:36:5C:BD \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:BE mtu=1500 name=ether2 orig-mac-address=E4:8D:8C:36:5C:BE \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:BF mtu=1500 name=ether3 orig-mac-address=E4:8D:8C:36:5C:BF \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C0 mtu=1500 name=ether4 orig-mac-address=E4:8D:8C:36:5C:C0 \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C1 mtu=1500 name=ether5 orig-mac-address=E4:8D:8C:36:5C:C1 \
    rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C2 mtu=1500 name=ether6 orig-mac-address=E4:8D:8C:36:5C:C2 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C3 mtu=1500 name=ether7 orig-mac-address=E4:8D:8C:36:5C:C3 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C4 mtu=1500 name=ether8 orig-mac-address=E4:8D:8C:36:5C:C4 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C5 mtu=1500 name=ether9 orig-mac-address=E4:8D:8C:36:5C:C5 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:C6 mtu=1500 name=ether10 orig-mac-address=\
    E4:8D:8C:36:5C:C6 poe-lldp-enabled=no poe-out=auto-on poe-priority=10 \
    power-cycle-interval=none !power-cycle-ping-address \
    power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off \
    speed=100Mbps tx-flow-control=off
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    E4:8D:8C:36:5C:BC mtu=1500 name=sfp1 orig-mac-address=E4:8D:8C:36:5C:BC \
    rx-flow-control=off sfp-rate-select=high sfp-shutdown-temperature=95C \
    speed=1Gbps tx-flow-control=off
/queue interface
set BR1 queue=no-queue
/interface vlan
add arp=enabled arp-timeout=auto disabled=no interface=BR1 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=\
    1500 name=BASE_VLAN use-service-tag=no vlan-id=99
add arp=enabled arp-timeout=auto disabled=no interface=BR1 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=\
    1500 name=BLUE_VLAN use-service-tag=no vlan-id=20
add arp=enabled arp-timeout=auto disabled=no interface=BR1 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=\
    1500 name=GREEN_VLAN use-service-tag=no vlan-id=10
/queue interface
set BASE_VLAN queue=no-queue
set BLUE_VLAN queue=no-queue
set GREEN_VLAN queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
set 1 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch2
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 6 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 7 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 8 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 9 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 10 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 11 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 12 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
add exclude="" include="" name=WAN
add exclude="" include="" name=VLAN
add exclude="" include="" name=BASE
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=\
    none default-route-distance=2 ip-type=auto name=default use-network-apn=\
    yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=no \
    eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m \
    interim-update=0s management-protection=disabled mode=dynamic-keys \
    mschapv2-username="" name=default radius-called-format=mac:ssid \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=aes-ccm
add authentication-types=wpa2-psk disable-pmkid=no eap-methods=passthrough \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled mode=dynamic-keys mschapv2-username="" \
    name=guest radius-called-format=mac:ssid radius-eap-accounting=no \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
    disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=aes-ccm
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=none allow-sharedkey=\
    no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
    4 area="" arp=enabled arp-timeout=auto band=2ghz-b/g basic-rates-a/g=\
    6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20mhz \
    compression=no country=etsi default-ap-tx-limit=0 default-authentication=\
    yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=no disconnect-timeout=3s distance=\
    dynamic frame-lifetime=0 frequency=auto frequency-mode=regulatory-domain \
    frequency-offset=0 guard-interval=any hide-ssid=no ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
    s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
    cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
    3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 installation=any \
    interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=E4:8D:8C:36:5C:C7 max-station-count=2007 mode=ap-bridge mtu=\
    1500 multicast-buffering=enabled multicast-helper=default name=wlan1 \
    noise-floor-threshold=default nv2-cell-radius=30 nv2-downlink-ratio=50 \
    nv2-mode=dynamic-downlink nv2-noise-floor-offset=default nv2-qos=default \
    nv2-queue-count=2 nv2-security=disabled nv2-sync-secret="" \
    on-fail-retry-time=100ms preamble-mode=both radio-name=E48D8C365CC7 \
    rate-selection=advanced rate-set=default rx-chains=0,1 scan-list=default \
    secondary-frequency="" security-profile=default skip-dfs-channels=\
    disabled ssid=BLUE station-bridge-clone-mac=00:00:00:00:00:00 \
    station-roaming=disabled supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-chains=0,1 \
    tx-power-mode=default update-stats-interval=disabled vlan-id=1 vlan-mode=\
    no-tag wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 \
    wds-ignore-ssid=no wds-mode=disabled wireless-protocol=any wmm-support=\
    disabled wps-mode=push-button
add area="" arp=enabled arp-timeout=auto bridge-mode=enabled \
    default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=\
    0 default-forwarding=yes disable-running-check=no disabled=no hide-ssid=\
    no interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=E6:8D:8C:36:5C:C7 master-interface=wlan1 max-station-count=\
    2007 mode=ap-bridge mtu=1500 multicast-buffering=enabled \
    multicast-helper=default name=wlan2 security-profile=guest ssid=GREEN \
    station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=disabled \
    update-stats-interval=disabled vlan-id=1 vlan-mode=no-tag wds-cost-range=\
    50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no \
    wds-mode=disabled wmm-support=disabled wps-mode=push-button
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254
add name=BASE_POOL ranges=192.168.0.254-192.168.88.10
/ip dhcp-server
add address-pool=BLUE_POOL authoritative=yes disabled=no interface=BLUE_VLAN \
    lease-script="" lease-time=10m name=BLUE_DHCP use-radius=no
add address-pool=GREEN_POOL authoritative=yes disabled=no interface=\
    GREEN_VLAN lease-script="" lease-time=10m name=GREEN_DHCP use-radius=no
add address-pool=BASE_POOL authoritative=yes disabled=no interface=BASE_VLAN \
    lease-script="" lease-time=10m name=BASE_DHCP use-radius=no
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
    stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=default use-ipv6=\
    yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default-encryption on-down="" on-up="" only-one=\
    default !outgoing-filter !parent-queue !queue-type !rate-limit \
    !remote-address !session-timeout use-compression=default use-encryption=\
    yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set ether6 queue=only-hardware-queue
set ether7 queue=only-hardware-queue
set ether8 queue=only-hardware-queue
set ether9 queue=only-hardware-queue
set ether10 queue=only-hardware-queue
set sfp1 queue=only-hardware-queue
set wlan1 queue=wireless-default
set wlan2 queue=wireless-default
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=\
    no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
    0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
    bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api,romon,rest-api" skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled \
    mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
    require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether2 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=20 restricted-role=no restricted-tcn=no tag-stacking=\
    no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether3 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=20 restricted-role=no restricted-tcn=no tag-stacking=\
    no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none ingress-filtering=\
    yes interface=wlan1 internal-path-cost=10 learn=auto multicast-router=\
    temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=20 \
    restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether4 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=10 restricted-role=no restricted-tcn=no tag-stacking=\
    no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes disabled=no \
    edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none ingress-filtering=\
    yes interface=wlan2 internal-path-cost=10 learn=auto multicast-router=\
    temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=10 \
    restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=BR1 broadcast-flood=yes comment=\
    "Admin Access" disabled=no edge=auto fast-leave=no frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether5 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=99 restricted-role=no restricted-tcn=no tag-stacking=\
    no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=BASE lldp-med-net-policy-vlan=disabled mode=\
    tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
    arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=4096 route-cache=yes rp-filter=no secure-redirects=\
    yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=2048
/interface bridge vlan
add bridge=BR1 disabled=no tagged=BR1 untagged=ether4,wlan2 vlan-ids=10
add bridge=BR1 disabled=no tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=\
    20
add bridge=BR1 disabled=no tagged=BR1 untagged=ether5 vlan-ids=99
/interface detect-internet
set detect-interface-list=none internet-interface-list=none \
    lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no \
    authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 \
    l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=\
    unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface list member
add disabled=no interface=ether1 list=WAN
add disabled=no interface=BASE_VLAN list=VLAN
add disabled=no interface=BLUE_VLAN list=VLAN
add disabled=no interface=GREEN_VLAN list=VLAN
add disabled=no interface=BASE_VLAN list=BASE
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc \
    default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 \
    keepalive-timeout=60 mac-address=FE:D3:17:B5:26:BB max-mtu=1500 mode=ip \
    netmask=24 port=1194 protocol=tcp redirect-gateway=disabled reneg-sec=\
    3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
    caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
    interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip address
add address=192.168.0.1/24 disabled=no interface=BASE_VLAN network=\
    192.168.0.0
add address=10.0.10.1/24 disabled=no interface=BLUE_VLAN network=10.0.10.0
add address=192.168.10.1/24 disabled=no interface=GREEN_VLAN network=\
    192.168.10.0
/ip cloud
set ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes default-route-distance=1 dhcp-options=\
    hostname,clientid disabled=no interface=ether1 use-peer-dns=yes \
    use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=\
    5m
/ip dhcp-server network
add address=10.0.10.0/24 caps-manager="" dhcp-option="" dns-server=\
    192.168.0.1 gateway=10.0.10.1 !next-server ntp-server="" wins-server=""
add address=192.168.0.0/24 caps-manager="" dhcp-option="" dns-server=\
    192.168.0.1 gateway=192.168.0.1 !next-server ntp-server="" wins-server=""
add address=192.168.10.0/24 caps-manager="" dhcp-option="" dns-server=\
    192.168.10.1 gateway=192.168.10.1 !next-server ntp-server="" wins-server=\
    ""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    doh-max-concurrent-queries=50 doh-max-server-connections=5 doh-timeout=5s \
    max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
    max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
    servers=9.9.9.9 use-doh-server="" verify-doh-cert=no
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN !to-addresses !to-ports
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any \
    vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any \
    vrf=main
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=\
    200 port=1080 version=4
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
    host-key-size=2048 strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=32k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
    yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes \
    disabled=no dns="" hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no \
    pref64="" ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m \
    ra-preference=medium reachable-time=unspecified retransmit-interval=\
    unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/lcd
set backlight-timeout=30m color-scheme=dark default-screen=main-menu enabled=\
    yes flip-screen=no read-only-mode=no time-interval=min touch-screen=\
    enabled
/lcd pin
set hide-pin-number=no pin-number=1234
/lcd interface
set sfp1 disabled=no max-speed=auto timeout=10s
set ether1 disabled=no max-speed=auto timeout=10s
set ether2 disabled=no max-speed=auto timeout=10s
set ether3 disabled=no max-speed=auto timeout=10s
set ether4 disabled=no max-speed=auto timeout=10s
set ether5 disabled=no max-speed=auto timeout=10s
set ether6 disabled=no max-speed=auto timeout=10s
set ether7 disabled=no max-speed=auto timeout=10s
set ether8 disabled=no max-speed=auto timeout=10s
set ether9 disabled=no max-speed=auto timeout=10s
set ether10 disabled=no max-speed=auto timeout=10s
set wlan1 disabled=no max-speed=auto timeout=10s
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10"
/lcd screen
set 0 disabled=no timeout=10s
set 1 disabled=no timeout=10s
set 2 disabled=no timeout=10s
set 3 disabled=no timeout=10s
set 4 disabled=no timeout=10s
set 5 disabled=no timeout=10s
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
    use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/snmp
set contact="" enabled=no engine-id="" location="" src-address=:: \
    trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=America/Toronto
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system identity
set name=RouterSwitchAP
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no \
    local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=\
    main
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
/system resource usb settings
set authorization=no
/system routerboard settings
set auto-upgrade=no baud-rate=115200 boot-delay=2s boot-device=\
    nand-if-fail-then-ethernet boot-protocol=bootp enable-jumper-reset=yes \
    enter-setup-on=any-key force-backup-booter=no protected-routerboot=\
    disabled reformat-hold-button=20s reformat-hold-button-max=10m \
    silent-boot=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard usb
set usb-mode=automatic
/system script
add dont-require-permissions=no name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    ##########################################################################\
    ####\r\
    \n# Topic:\t\tUsing RouterOS to VLAN your network\r\
    \n# Example:\t\tRouter-Switch-AP all in one device\r\
    \n# Web:\t\t\thttps://forum.mikrotik.com/viewtopic.php\?t=143620\r\
    \n# RouterOS:\t\t6.47.10\r\
    \n# Date:\t\t\tFebruary 17, 2023\r\
    \n# Notes:\t\tStart with a reset (/system reset-configuration)\r\
    \n# Thanks:\t\tmkx, sindy\r\
    \n########################################################################\
    #######\r\
    \n\r\
    \n#######################################\r\
    \n# Naming\r\
    \n#######################################\r\
    \n\r\
    \n# name the device being configured\r\
    \n/system identity set name=\"RouterSwitchAP\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Overview\r\
    \n#######################################\r\
    \n\r\
    \n# 10 = BLUE\r\
    \n# 20 = GREEN\r\
    \n# 99 = BASE (MGMT) VLAN\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# WIFI Setup\r\
    \n#\r\
    \n# Example wireless settings only. Do\r\
    \n# NOT use in production!\r\
    \n#######################################\r\
    \n\r\
    \n# Blue SSID\r\
    \n/interface wireless security-profiles set [ find default=yes ] authentic\
    ation-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=\"password\"\r\
    \n/interface wireless set [ find default-name=wlan1 ] ssid=BLUE frequency=\
    auto mode=ap-bridge disabled=no\r\
    \n\r\
    \n# Green SSID\r\
    \n/interface wireless security-profiles add name=guest authentication-type\
    s=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=\"password\"\r\
    \n/interface wireless add name=wlan2 ssid=GREEN master-interface=wlan1 sec\
    urity-profile=guest disabled=no\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Bridge\r\
    \n#######################################\r\
    \n\r\
    \n# create one bridge, set VLAN mode off while we configure\r\
    \n/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n#\r\
    \n# -- Access Ports --\r\
    \n#\r\
    \n#######################################\r\
    \n\r\
    \n# ingress behavior\r\
    \n/interface bridge port\r\
    \n\r\
    \n# Blue VLAN 20\r\
    \nadd bridge=BR1 interface=ether2 pvid=20\r\
    \nadd bridge=BR1 interface=ether3 pvid=20\r\
    \nadd bridge=BR1 interface=wlan1  pvid=20\r\
    \n\r\
    \n# Green VLAN 10\r\
    \nadd bridge=BR1 interface=ether4 pvid=10\r\
    \nadd bridge=BR1 interface=wlan2  pvid=10\r\
    \n\r\
    \n# BASE_VLAN, set aside a port for admin access to Winbox the device.\r\
    \nadd bridge=BR1 interface=ether5 pvid=99\r\
    \n\r\
    \n# egress behavior, handled automatically\r\
    \n\r\
    \n# L3 switching so Bridge must be a tagged member\r\
    \n/interface bridge vlan\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=10\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=20\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=99\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# IP Addressing & Routing\r\
    \n#######################################\r\
    \n\r\
    \n# LAN facing router's IP address on the BASE_VLAN\r\
    \n/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99\r\
    \n/ip address add address=192.168.0.1/24 interface=BASE_VLAN\r\
    \n\r\
    \n# DNS server, set to cache for LAN\r\
    \n/ip dns set allow-remote-requests=yes servers=\"9.9.9.9\"\r\
    \n\r\
    \n# Yellow WAN facing port with IP Address and route provided by ISP\r\
    \n/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0\r\
    \n/ip route add distance=1 gateway=b.b.b.b\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# IP Services\r\
    \n#######################################\r\
    \n\r\
    \n# Blue VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20\r\
    \n/ip address add interface=BLUE_VLAN address=10.0.10.1/24\r\
    \n/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254\r\
    \n/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE\
    _DHCP disabled=no\r\
    \n/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 \
    gateway=10.0.10.1\r\
    \n\r\
    \n# Green VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=10\r\
    \n/ip address add interface=GREEN_VLAN address=192.168.10.1/24\r\
    \n/ip pool add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254\r\
    \n/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GR\
    EEN_DHCP disabled=no\r\
    \n/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.1\
    0.1 gateway=192.168.10.1\r\
    \n\r\
    \n# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature fo\
    r an admin.\r\
    \n /ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.0.254\r\
    \n /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BAS\
    E_DHCP disabled=no\r\
    \n /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.\
    88.1 gateway=192.168.88.1\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Firewalling & NAT\r\
    \n# A good firewall for WAN. Up to you\r\
    \n# about how you want LAN to behave.\r\
    \n#######################################\r\
    \n\r\
    \n# Use MikroTik's \"list\" feature for easy rule matchmaking.\r\
    \n\r\
    \n/interface list add name=WAN\r\
    \n/interface list add name=VLAN\r\
    \n/interface list add name=BASE\r\
    \n\r\
    \n/interface list member\r\
    \nadd interface=ether1     list=WAN\r\
    \nadd interface=BASE_VLAN  list=VLAN\r\
    \nadd interface=BLUE_VLAN  list=VLAN\r\
    \nadd interface=GREEN_VLAN list=VLAN\r\
    \nadd interface=BASE_VLAN  list=BASE\r\
    \n\r\
    \n# VLAN aware firewall. Order is important.\r\
    \n/ip firewall filter\r\
    \n\r\
    \n\r\
    \n##################\r\
    \n# INPUT CHAIN\r\
    \n##################\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow VLANs to access router services like DNS, Winbox. Naturally, you\
    \_SHOULD make it more granular.\r\
    \nadd chain=input action=accept in-interface-list=VLAN comment=\"Allow VLA\
    N\"\r\
    \n\r\
    \n# Allow BASE_VLAN full access to the device for Winbox, etc.\r\
    \nadd chain=input action=accept in-interface=BASE_VLAN comment=\"Allow Bas\
    e_Vlan Full Access\"\r\
    \n\r\
    \nadd chain=input action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# FORWARD CHAIN\r\
    \n##################\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow all VLANs to access the Internet only, NOT each other\r\
    \nadd chain=forward action=accept connection-state=new in-interface-list=V\
    LAN out-interface-list=WAN comment=\"VLAN Internet Access only\"\r\
    \n\r\
    \nadd chain=forward action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# NAT\r\
    \n##################\r\
    \n/ip firewall nat add chain=srcnat action=masquerade out-interface-list=W\
    AN comment=\"Default masquerade\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Security\r\
    \n#######################################\r\
    \n\r\
    \n# Only allow ingress packets without tags on Access Ports\r\
    \n/interface bridge port\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether2]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether3]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether4]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether5]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan1]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan2]\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# MAC Server settings\r\
    \n#######################################\r\
    \n\r\
    \n# Ensure only visibility and availability from BASE_VLAN, the MGMT netwo\
    rk\r\
    \n/ip neighbor discovery-settings set discover-interface-list=BASE\r\
    \n/tool mac-server mac-winbox set allowed-interface-list=BASE\r\
    \n/tool mac-server set allowed-interface-list=BASE\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Turn on VLAN mode\r\
    \n#######################################\r\
    \n/interface bridge set BR1 vlan-filtering=yes\r\
    \n\r\
    \n"
add dont-require-permissions=no name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Blue VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20\r\
    \n/ip address add interface=BLUE_VLAN address=10.0.10.1/24\r\
    \n/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254\r\
    \n/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE\
    _DHCP disabled=no\r\
    \n/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 \
    gateway=10.0.10.1\r\
    \n\r\
    \n# Green VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=10\r\
    \n/ip address add interface=GREEN_VLAN address=192.168.10.1/24\r\
    \n/ip pool add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254\r\
    \n/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GR\
    EEN_DHCP disabled=no\r\
    \n/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.1\
    0.1 gateway=192.168.10.1\r\
    \n\r\
    \n# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature fo\
    r an admin.\r\
    \n /ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.0.254\r\
    \n /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BAS\
    E_DHCP disabled=no\r\
    \n /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.\
    88.1 gateway=192.168.88.1\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Firewalling & NAT\r\
    \n# A good firewall for WAN. Up to you\r\
    \n# about how you want LAN to behave.\r\
    \n#######################################\r\
    \n\r\
    \n# Use MikroTik's \"list\" feature for easy rule matchmaking.\r\
    \n\r\
    \n/interface list add name=WAN\r\
    \n/interface list add name=VLAN\r\
    \n/interface list add name=BASE\r\
    \n\r\
    \n/interface list member\r\
    \nadd interface=ether1     list=WAN\r\
    \nadd interface=BASE_VLAN  list=VLAN\r\
    \nadd interface=BLUE_VLAN  list=VLAN\r\
    \nadd interface=GREEN_VLAN list=VLAN\r\
    \nadd interface=BASE_VLAN  list=BASE\r\
    \n\r\
    \n# VLAN aware firewall. Order is important.\r\
    \n/ip firewall filter\r\
    \n\r\
    \n\r\
    \n##################\r\
    \n# INPUT CHAIN\r\
    \n##################\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow VLANs to access router services like DNS, Winbox. Naturally, you\
    \_SHOULD make it more granular.\r\
    \nadd chain=input action=accept in-interface-list=VLAN comment=\"Allow VLA\
    N\"\r\
    \n\r\
    \n# Allow BASE_VLAN full access to the device for Winbox, etc.\r\
    \nadd chain=input action=accept in-interface=BASE_VLAN comment=\"Allow Bas\
    e_Vlan Full Access\"\r\
    \n\r\
    \nadd chain=input action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# FORWARD CHAIN\r\
    \n##################\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow all VLANs to access the Internet only, NOT each other\r\
    \nadd chain=forward action=accept connection-state=new in-interface-list=V\
    LAN out-interface-list=WAN comment=\"VLAN Internet Access only\"\r\
    \n\r\
    \nadd chain=forward action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# NAT\r\
    \n##################\r\
    \n/ip firewall nat add chain=srcnat action=masquerade out-interface-list=W\
    AN comment=\"Default masquerade\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Security\r\
    \n#######################################\r\
    \n\r\
    \n# Only allow ingress packets without tags on Access Ports\r\
    \n/interface bridge port\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether2]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether3]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether4]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether5]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan1]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan2]\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# MAC Server settings\r\
    \n#######################################\r\
    \n\r\
    \n# Ensure only visibility and availability from BASE_VLAN, the MGMT netwo\
    rk\r\
    \n/ip neighbor discovery-settings set discover-interface-list=BASE\r\
    \n/tool mac-server mac-winbox set allowed-interface-list=BASE\r\
    \n/tool mac-server set allowed-interface-list=BASE\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Turn on VLAN mode\r\
    \n#######################################\r\
    \n/interface bridge set BR1 vlan-filtering=yes\r\
    \n"
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
    ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> port=25 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
    filter-dst-ip-address="" filter-dst-ipv6-address="" \
    filter-dst-mac-address="" filter-dst-port="" filter-interface="" \
    filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
    filter-mac-address="" filter-mac-protocol="" \
    filter-operator-between-entries=or filter-port="" filter-size="" \
    filter-src-ip-address="" filter-src-ipv6-address="" \
    filter-src-mac-address="" filter-src-port="" filter-stream=no \
    filter-vlan="" memory-limit=100KiB memory-scroll=yes only-headers=no \
    streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=yes \
    stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 4:02 pm

Next time please don't use verbose unless requested LOL.
Sorry for not picking this up the first go around!

Here it is.........
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254
add name=BASE_POOL ranges=192.168.0.254-192.168.88.10


Should be:
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254
add name=BASE_POOL ranges=192.168.0.2-192.168.0.254


Should work now; if it doesn't, the problem is not on MT but on the AP attached.
 
myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 4:12 pm

Sorry about the verbose. No, there is still no IP on VLAN 10 from ether4. Is the RB2011 actually tagging traffic out of this port, or should it be going through the Atheros switch? I had this switch (Mokerlink POE-G080G) in use with a previous Wi-Fi setup with 8 WAPs linked to an Aruba switch trunked from a pfSense appliance, and it worked perfectly. I guess the question is: can the RB2011 act as a trunk using the Atheros chip in the MT?
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 4:15 pm

NO, you have set up ether4 to strip the VLAN tag when leaving the port (access port pvid=XX) and then add the tag back in when the data from the AP comes back into the router port.
If your intention was to send tagged data to the AP, then this assumes the AP is a smart AP???

What are you sending the traffic to? What device?
 
myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 4:16 pm

Yes, the AP is a smart AP (MSM430). It is set up to accept VLAN 10 tagged traffic.
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 4:46 pm

Then clearly you had not only a mismatch between /interface bridge port and /interface bridge vlan, but also both had errors.
Remember, an ACCESS port strips tags on the way out for the identified PVID and puts them back on for returning traffic.
A Trunk port carries the VLANs to the other side.
A Hybrid port strips tags on the way out for the identified PVID and puts them back for returning traffic AND carries other VLANs with no change.

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=20
add bridge=BR1 frame-types=admit-only-tagged-vlans ingress-filtering=yes interface=ether4
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=10
/interface bridge vlan
add bridge=BR1 disabled=no tagged=BR1,ether4 untagged=wlan2 vlan-ids=10
add bridge=BR1 disabled=no tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=20
add bridge=BR1 disabled=no tagged=BR1 untagged=ether5 vlan-ids=99

In practice I disagree with the approach.
The access point should be sent both vlan10 and vlan99.
The AP should get an IP address from the management network vlan99.
 
myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 5:01 pm

Well, that didn't work, unfortunately. It broke access to VLAN 20 and I still can't receive any address on VLAN 10. I was hoping to use the MT as a trunk port carrying VLAN 20 on one radio and VLAN 10 on the other radio of the HP WAP through ether4, but I am not having much luck at this point. Is it even possible for the RB2011 to achieve this simple scenario?
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 5:02 pm

Yes, if you are honest with the information provided.

Are you saying the RB2011 is NOT a router here, but simply acting as an AP/switch behind an upstream router that is handing out DHCP???

If now you are actually stating that the WAP should get both VLAN 20 and VLAN 10 tagged, then of course it won't work. NEW information, aka honest?
Nowhere did we know VLAN 20 was also going to ether4!!!!

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=20
add bridge=BR1 frame-types=admit-only-tagged-vlans ingress-filtering=yes interface=ether4
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=10
/interface bridge vlan
add bridge=BR1 disabled=no tagged=BR1,ether4 untagged=wlan2 vlan-ids=10
add bridge=BR1 disabled=no tagged=BR1,ether4 untagged=ether2,ether3,wlan1 vlan-ids=20
add bridge=BR1 disabled=no tagged=BR1,ether4 untagged=ether5 vlan-ids=99

AND ensure the HP WAP gets an IP address on the vlan99 network!
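The two things anav is checking by eye in this thread are (a) a DHCP pool range that does not sit inside the subnet of the interface its server is bound to (the BASE_POOL fix above) and (b) bridge-port settings that contradict the bridge VLAN table (a port with admit-only-vlan-tagged that is not a tagged member of anything, or an access port that the table lists as tagged). The script below is an added example for this thread, not code from the forum or from MikroTik: it parses plain `/export` text and reports both classes of mismatch. `SAMPLE_EXPORT` is constructed from the configs posted above, keeping the original bad BASE_POOL range and with ether4 deliberately left half-converted to a trunk (frame-types changed, VLAN table not) so both checks fire.

```python
"""Static checks on RouterOS '/export' text: DHCP pool range vs. the DHCP
interface's subnet, and /interface bridge port vs. /interface bridge vlan.
Added example for this thread, not code from the forum or from MikroTik;
SAMPLE_EXPORT is constructed from the configs posted above."""
import ipaddress
import re

ACCESS = "admit-only-untagged-and-priority-tagged"
TRUNK = "admit-only-vlan-tagged"

# Constructed sample: BASE_POOL range is wrong, ether4 is trunk by frame-types
# but still an untagged (access) member in the VLAN table.
SAMPLE_EXPORT = """\
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GREEN_VLAN vlan-id=10
/ip pool
add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254
add name=BASE_POOL ranges=192.168.88.10-192.168.0.254
/ip dhcp-server
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    wlan2 pvid=10
add bridge=BR1 comment="Admin Access" frame-types=\\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether4,wlan2 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether5 vlan-ids=99
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.10.1/24 interface=GREEN_VLAN network=192.168.10.0
"""


def parse_export(text):
    """{section: [{key: value}, ...]} for every 'add' line. Export-style
    continuation lines (trailing backslash + indented next line) are joined."""
    text = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections.setdefault(current, []).append(
                {k: v.strip('"') for k, v in pairs})
    return sections


def vlan_ids(row):
    """Expand 'vlan-ids=10,20,30-32' into a set of ints."""
    ids = set()
    for part in row.get("vlan-ids", "").split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def check_bridge_vlans(cfg):
    """Findings where a port's frame-types contradict its role in the VLAN
    table, or an L3 VLAN interface lacks the bridge as a tagged member."""
    findings = []
    ports = {p["interface"]: p for p in cfg.get("/interface bridge port", [])}
    tagged, untagged = {}, {}
    for row in cfg.get("/interface bridge vlan", []):
        for key, index in (("tagged", tagged), ("untagged", untagged)):
            for iface in filter(None, row.get(key, "").split(",")):
                index.setdefault(iface, set()).update(vlan_ids(row))
    for name, p in ports.items():
        ft = p.get("frame-types", "admit-all")
        if ft == TRUNK and not tagged.get(name):
            findings.append(f"{name}: trunk port but tagged member of no VLAN")
        if ft == TRUNK and untagged.get(name):
            findings.append(f"{name}: trunk port but untagged for {sorted(untagged[name])}")
        if ft == ACCESS and tagged.get(name):
            findings.append(f"{name}: access port but tagged for {sorted(tagged[name])}")
    for v in cfg.get("/interface vlan", []):  # routing needs the bridge tagged
        if int(v["vlan-id"]) not in tagged.get(v["interface"], set()):
            findings.append(f"{v['name']}: {v['interface']} not tagged for VLAN {v['vlan-id']}")
    return findings


def check_dhcp_pools(cfg):
    """Findings where a DHCP pool range is reversed or lies outside the
    subnet configured on the DHCP server's interface."""
    findings = []
    pools = {p["name"]: p["ranges"] for p in cfg.get("/ip pool", [])}
    nets = {}
    for a in cfg.get("/ip address", []):
        nets.setdefault(a["interface"], []).append(
            ipaddress.ip_interface(a["address"]).network)
    for srv in cfg.get("/ip dhcp-server", []):
        pool, subnets = srv["address-pool"], nets.get(srv["interface"], [])
        for rng in filter(None, pools.get(pool, "").split(",")):
            lo, _, hi = rng.partition("-")
            lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
            if lo > hi:
                findings.append(f"{pool}: range {rng} is reversed")
            if not any(lo in n and hi in n for n in subnets):
                findings.append(f"{pool}: range {rng} is outside {srv['interface']} "
                                f"({', '.join(map(str, subnets)) or 'no address'})")
    return findings


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for finding in check_dhcp_pools(cfg) + check_bridge_vlans(cfg):
        print(finding)
```

Feed a real export with `parse_export(open("export.rsc").read())`; run before `/interface bridge set BR1 vlan-filtering=yes`, since that is the step that turns a table mismatch into dropped traffic. The checks are purely internal consistency: they cannot tell whether the device on the far side of ether4 expects tagged or untagged frames, which is the design question anav is asking about the HP WAP.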
 
myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 6:00 pm

OK. The good news is VLAN 10 now works but VLAN 20 doesn't. But at least I know that I can use VLAN 10 on this WAP and it is successfully accepting tagged data. BTW, thanks for helping me with this, Anav. You once helped me back on DSL Reports with a Zyxel router about 12 years ago. I'm glad you're still around. Here is the current config:
# mar/26/2023 10:54:51 by RouterOS 7.8
# software id = 5MCY-99KG
#
# model = RB2011UiAS-2HnD
# serial number = 608C05B57440
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge \
    ssid=BLUE
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=20
add interface=BR1 name=GREEN_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=E6:8D:8C:36:5C:C7 master-interface=wlan1 name=\
    wlan2 security-profile=guest ssid=GREEN
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254
add name=BASE_POOL ranges=192.168.0.50-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 pvid=20
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan2 pvid=10
add bridge=BR1 comment="Admin Access" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4 untagged=wlan2 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4 untagged=ether2,ether3,wlan1 vlan-ids=20
add bridge=BR1 tagged=BR1,ether4 untagged=ether5 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=192.168.10.1/24 interface=GREEN_VLAN network=192.168.10.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=America/Toronto
/system identity
set name=RouterSwitchAP
/system script
add dont-require-permissions=no name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    ##########################################################################\
    ####\r\
    \n# Topic:\t\tUsing RouterOS to VLAN your network\r\
    \n# Example:\t\tRouter-Switch-AP all in one device\r\
    \n# Web:\t\t\thttps://forum.mikrotik.com/viewtopic.php\?t=143620\r\
    \n# RouterOS:\t\t6.47.10\r\
    \n# Date:\t\t\tFebruary 17, 2023\r\
    \n# Notes:\t\tStart with a reset (/system reset-configuration)\r\
    \n# Thanks:\t\tmkx, sindy\r\
    \n########################################################################\
    #######\r\
    \n\r\
    \n#######################################\r\
    \n# Naming\r\
    \n#######################################\r\
    \n\r\
    \n# name the device being configured\r\
    \n/system identity set name=\"RouterSwitchAP\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Overview\r\
    \n#######################################\r\
    \n\r\
    \n# 10 = BLUE\r\
    \n# 20 = GREEN\r\
    \n# 99 = BASE (MGMT) VLAN\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# WIFI Setup\r\
    \n#\r\
    \n# Example wireless settings only. Do\r\
    \n# NOT use in production!\r\
    \n#######################################\r\
    \n\r\
    \n# Blue SSID\r\
    \n/interface wireless security-profiles set [ find default=yes ] authentic\
    ation-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=\"password\"\r\
    \n/interface wireless set [ find default-name=wlan1 ] ssid=BLUE frequency=\
    auto mode=ap-bridge disabled=no\r\
    \n\r\
    \n# Green SSID\r\
    \n/interface wireless security-profiles add name=guest authentication-type\
    s=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=\"password\"\r\
    \n/interface wireless add name=wlan2 ssid=GREEN master-interface=wlan1 sec\
    urity-profile=guest disabled=no\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Bridge\r\
    \n#######################################\r\
    \n\r\
    \n# create one bridge, set VLAN mode off while we configure\r\
    \n/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n#\r\
    \n# -- Access Ports --\r\
    \n#\r\
    \n#######################################\r\
    \n\r\
    \n# ingress behavior\r\
    \n/interface bridge port\r\
    \n\r\
    \n# Blue VLAN 20\r\
    \nadd bridge=BR1 interface=ether2 pvid=20\r\
    \nadd bridge=BR1 interface=ether3 pvid=20\r\
    \nadd bridge=BR1 interface=wlan1  pvid=20\r\
    \n\r\
    \n# Green VLAN 10\r\
    \nadd bridge=BR1 interface=ether4 pvid=10\r\
    \nadd bridge=BR1 interface=wlan2  pvid=10\r\
    \n\r\
    \n# BASE_VLAN, set aside a port for admin access to Winbox the device.\r\
    \nadd bridge=BR1 interface=ether5 pvid=99\r\
    \n\r\
    \n# egress behavior, handled automatically\r\
    \n\r\
    \n# L3 switching so Bridge must be a tagged member\r\
    \n/interface bridge vlan\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=10\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=20\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=99\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# IP Addressing & Routing\r\
    \n#######################################\r\
    \n\r\
    \n# LAN facing router's IP address on the BASE_VLAN\r\
    \n/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99\r\
    \n/ip address add address=192.168.0.1/24 interface=BASE_VLAN\r\
    \n\r\
    \n# DNS server, set to cache for LAN\r\
    \n/ip dns set allow-remote-requests=yes servers=\"9.9.9.9\"\r\
    \n\r\
    \n# Yellow WAN facing port with IP Address and route provided by ISP\r\
    \n/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0\r\
    \n/ip route add distance=1 gateway=b.b.b.b\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# IP Services\r\
    \n#######################################\r\
    \n\r\
    \n# Blue VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20\r\
    \n/ip address add interface=BLUE_VLAN address=10.0.10.1/24\r\
    \n/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254\r\
    \n/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE\
    _DHCP disabled=no\r\
    \n/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 \
    gateway=10.0.10.1\r\
    \n\r\
    \n# Green VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=10\r\
    \n/ip address add interface=GREEN_VLAN address=192.168.10.1/24\r\
    \n/ip pool add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254\r\
    \n/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GR\
    EEN_DHCP disabled=no\r\
    \n/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.1\
    0.1 gateway=192.168.10.1\r\
    \n\r\
    \n# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature fo\
    r an admin.\r\
    \n /ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.0.254\r\
    \n /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BAS\
    E_DHCP disabled=no\r\
    \n /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.\
    88.1 gateway=192.168.88.1\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Firewalling & NAT\r\
    \n# A good firewall for WAN. Up to you\r\
    \n# about how you want LAN to behave.\r\
    \n#######################################\r\
    \n\r\
    \n# Use MikroTik's \"list\" feature for easy rule matchmaking.\r\
    \n\r\
    \n/interface list add name=WAN\r\
    \n/interface list add name=VLAN\r\
    \n/interface list add name=BASE\r\
    \n\r\
    \n/interface list member\r\
    \nadd interface=ether1     list=WAN\r\
    \nadd interface=BASE_VLAN  list=VLAN\r\
    \nadd interface=BLUE_VLAN  list=VLAN\r\
    \nadd interface=GREEN_VLAN list=VLAN\r\
    \nadd interface=BASE_VLAN  list=BASE\r\
    \n\r\
    \n# VLAN aware firewall. Order is important.\r\
    \n/ip firewall filter\r\
    \n\r\
    \n\r\
    \n##################\r\
    \n# INPUT CHAIN\r\
    \n##################\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow VLANs to access router services like DNS, Winbox. Naturally, you\
    \_SHOULD make it more granular.\r\
    \nadd chain=input action=accept in-interface-list=VLAN comment=\"Allow VLA\
    N\"\r\
    \n\r\
    \n# Allow BASE_VLAN full access to the device for Winbox, etc.\r\
    \nadd chain=input action=accept in-interface=BASE_VLAN comment=\"Allow Bas\
    e_Vlan Full Access\"\r\
    \n\r\
    \nadd chain=input action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# FORWARD CHAIN\r\
    \n##################\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow all VLANs to access the Internet only, NOT each other\r\
    \nadd chain=forward action=accept connection-state=new in-interface-list=V\
    LAN out-interface-list=WAN comment=\"VLAN Internet Access only\"\r\
    \n\r\
    \nadd chain=forward action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# NAT\r\
    \n##################\r\
    \n/ip firewall nat add chain=srcnat action=masquerade out-interface-list=W\
    AN comment=\"Default masquerade\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Security\r\
    \n#######################################\r\
    \n\r\
    \n# Only allow ingress packets without tags on Access Ports\r\
    \n/interface bridge port\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether2]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether3]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether4]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether5]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan1]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan2]\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# MAC Server settings\r\
    \n#######################################\r\
    \n\r\
    \n# Ensure only visibility and availability from BASE_VLAN, the MGMT netwo\
    rk\r\
    \n/ip neighbor discovery-settings set discover-interface-list=BASE\r\
    \n/tool mac-server mac-winbox set allowed-interface-list=BASE\r\
    \n/tool mac-server set allowed-interface-list=BASE\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Turn on VLAN mode\r\
    \n#######################################\r\
    \n/interface bridge set BR1 vlan-filtering=yes\r\
    \n\r\
    \n"
add dont-require-permissions=no name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Blue VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20\r\
    \n/ip address add interface=BLUE_VLAN address=10.0.10.1/24\r\
    \n/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254\r\
    \n/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE\
    _DHCP disabled=no\r\
    \n/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 \
    gateway=10.0.10.1\r\
    \n\r\
    \n# Green VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=10\r\
    \n/ip address add interface=GREEN_VLAN address=192.168.10.1/24\r\
    \n/ip pool add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254\r\
    \n/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GR\
    EEN_DHCP disabled=no\r\
    \n/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.1\
    0.1 gateway=192.168.10.1\r\
    \n\r\
    \n# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature fo\
    r an admin.\r\
    \n /ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.0.254\r\
    \n /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BAS\
    E_DHCP disabled=no\r\
    \n /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.\
    88.1 gateway=192.168.88.1\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Firewalling & NAT\r\
    \n# A good firewall for WAN. Up to you\r\
    \n# about how you want LAN to behave.\r\
    \n#######################################\r\
    \n\r\
    \n# Use MikroTik's \"list\" feature for easy rule matchmaking.\r\
    \n\r\
    \n/interface list add name=WAN\r\
    \n/interface list add name=VLAN\r\
    \n/interface list add name=BASE\r\
    \n\r\
    \n/interface list member\r\
    \nadd interface=ether1     list=WAN\r\
    \nadd interface=BASE_VLAN  list=VLAN\r\
    \nadd interface=BLUE_VLAN  list=VLAN\r\
    \nadd interface=GREEN_VLAN list=VLAN\r\
    \nadd interface=BASE_VLAN  list=BASE\r\
    \n\r\
    \n# VLAN aware firewall. Order is important.\r\
    \n/ip firewall filter\r\
    \n\r\
    \n\r\
    \n##################\r\
    \n# INPUT CHAIN\r\
    \n##################\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow VLANs to access router services like DNS, Winbox. Naturally, you\
    \_SHOULD make it more granular.\r\
    \nadd chain=input action=accept in-interface-list=VLAN comment=\"Allow VLA\
    N\"\r\
    \n\r\
    \n# Allow BASE_VLAN full access to the device for Winbox, etc.\r\
    \nadd chain=input action=accept in-interface=BASE_VLAN comment=\"Allow Bas\
    e_Vlan Full Access\"\r\
    \n\r\
    \nadd chain=input action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# FORWARD CHAIN\r\
    \n##################\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow all VLANs to access the Internet only, NOT each other\r\
    \nadd chain=forward action=accept connection-state=new in-interface-list=V\
    LAN out-interface-list=WAN comment=\"VLAN Internet Access only\"\r\
    \n\r\
    \nadd chain=forward action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# NAT\r\
    \n##################\r\
    \n/ip firewall nat add chain=srcnat action=masquerade out-interface-list=W\
    AN comment=\"Default masquerade\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Security\r\
    \n#######################################\r\
    \n\r\
    \n# Only allow ingress packets without tags on Access Ports\r\
    \n/interface bridge port\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether2]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether3]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether4]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether5]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan1]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan2]\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# MAC Server settings\r\
    \n#######################################\r\
    \n\r\
    \n# Ensure only visibility and availability from BASE_VLAN, the MGMT netwo\
    rk\r\
    \n/ip neighbor discovery-settings set discover-interface-list=BASE\r\
    \n/tool mac-server mac-winbox set allowed-interface-list=BASE\r\
    \n/tool mac-server set allowed-interface-list=BASE\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Turn on VLAN mode\r\
    \n#######################################\r\
    \n/interface bridge set BR1 vlan-filtering=yes\r\
    \n"
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 6:08 pm

Hehehe your attention to detail is lousy........ Why did you keep pvid on a Trunk port, remove please.

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether3 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan1 pvid=20

add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan2 pvid=10
add bridge=BR1 comment="Admin Access" frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
 
myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 7:10 pm

Removed pvid 10, but pvid has now been forced to 1. VLAN 20 still not working.
# mar/26/2023 12:10:47 by RouterOS 7.8
# software id = 5MCY-99KG
#
# model = RB2011UiAS-2HnD
# serial number = XXXXXXXXXXXXXX
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge \
    ssid=BLUE
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=20
add interface=BR1 name=GREEN_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=E6:8D:8C:36:5C:C7 master-interface=wlan1 name=\
    wlan2 security-profile=guest ssid=GREEN
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254
add name=BASE_POOL ranges=192.168.0.50-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan2 pvid=10
add bridge=BR1 comment="Admin Access" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=no \
    interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4 untagged=wlan2 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4 untagged=ether2,ether3,wlan1 vlan-ids=20
add bridge=BR1 tagged=BR1,ether4 untagged=ether5 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=192.168.10.1/24 interface=GREEN_VLAN network=192.168.10.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=America/Toronto
/system identity
set name=RouterSwitchAP
/system script
add dont-require-permissions=no name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    ##########################################################################\
    ####\r\
    \n# Topic:\t\tUsing RouterOS to VLAN your network\r\
    \n# Example:\t\tRouter-Switch-AP all in one device\r\
    \n# Web:\t\t\thttps://forum.mikrotik.com/viewtopic.php\?t=143620\r\
    \n# RouterOS:\t\t6.47.10\r\
    \n# Date:\t\t\tFebruary 17, 2023\r\
    \n# Notes:\t\tStart with a reset (/system reset-configuration)\r\
    \n# Thanks:\t\tmkx, sindy\r\
    \n########################################################################\
    #######\r\
    \n\r\
    \n#######################################\r\
    \n# Naming\r\
    \n#######################################\r\
    \n\r\
    \n# name the device being configured\r\
    \n/system identity set name=\"RouterSwitchAP\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Overview\r\
    \n#######################################\r\
    \n\r\
    \n# 10 = BLUE\r\
    \n# 20 = GREEN\r\
    \n# 99 = BASE (MGMT) VLAN\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# WIFI Setup\r\
    \n#\r\
    \n# Example wireless settings only. Do\r\
    \n# NOT use in production!\r\
    \n#######################################\r\
    \n\r\
    \n# Blue SSID\r\
    \n/interface wireless security-profiles set [ find default=yes ] authentic\
    ation-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=\"password\"\r\
    \n/interface wireless set [ find default-name=wlan1 ] ssid=BLUE frequency=\
    auto mode=ap-bridge disabled=no\r\
    \n\r\
    \n# Green SSID\r\
    \n/interface wireless security-profiles add name=guest authentication-type\
    s=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=\"password\"\r\
    \n/interface wireless add name=wlan2 ssid=GREEN master-interface=wlan1 sec\
    urity-profile=guest disabled=no\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Bridge\r\
    \n#######################################\r\
    \n\r\
    \n# create one bridge, set VLAN mode off while we configure\r\
    \n/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n#\r\
    \n# -- Access Ports --\r\
    \n#\r\
    \n#######################################\r\
    \n\r\
    \n# ingress behavior\r\
    \n/interface bridge port\r\
    \n\r\
    \n# Blue VLAN 20\r\
    \nadd bridge=BR1 interface=ether2 pvid=20\r\
    \nadd bridge=BR1 interface=ether3 pvid=20\r\
    \nadd bridge=BR1 interface=wlan1  pvid=20\r\
    \n\r\
    \n# Green VLAN 10\r\
    \nadd bridge=BR1 interface=ether4 pvid=10\r\
    \nadd bridge=BR1 interface=wlan2  pvid=10\r\
    \n\r\
    \n# BASE_VLAN, set aside a port for admin access to Winbox the device.\r\
    \nadd bridge=BR1 interface=ether5 pvid=99\r\
    \n\r\
    \n# egress behavior, handled automatically\r\
    \n\r\
    \n# L3 switching so Bridge must be a tagged member\r\
    \n/interface bridge vlan\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=10\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=20\r\
    \nadd bridge=BR1 tagged=BR1 vlan-ids=99\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# IP Addressing & Routing\r\
    \n#######################################\r\
    \n\r\
    \n# LAN facing router's IP address on the BASE_VLAN\r\
    \n/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99\r\
    \n/ip address add address=192.168.0.1/24 interface=BASE_VLAN\r\
    \n\r\
    \n# DNS server, set to cache for LAN\r\
    \n/ip dns set allow-remote-requests=yes servers=\"9.9.9.9\"\r\
    \n\r\
    \n# Yellow WAN facing port with IP Address and route provided by ISP\r\
    \n/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0\r\
    \n/ip route add distance=1 gateway=b.b.b.b\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# IP Services\r\
    \n#######################################\r\
    \n\r\
    \n# Blue VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20\r\
    \n/ip address add interface=BLUE_VLAN address=10.0.10.1/24\r\
    \n/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254\r\
    \n/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE\
    _DHCP disabled=no\r\
    \n/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 \
    gateway=10.0.10.1\r\
    \n\r\
    \n# Green VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=10\r\
    \n/ip address add interface=GREEN_VLAN address=192.168.10.1/24\r\
    \n/ip pool add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254\r\
    \n/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GR\
    EEN_DHCP disabled=no\r\
    \n/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.1\
    0.1 gateway=192.168.10.1\r\
    \n\r\
    \n# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature fo\
    r an admin.\r\
    \n /ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.0.254\r\
    \n /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BAS\
    E_DHCP disabled=no\r\
    \n /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.\
    88.1 gateway=192.168.88.1\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Firewalling & NAT\r\
    \n# A good firewall for WAN. Up to you\r\
    \n# about how you want LAN to behave.\r\
    \n#######################################\r\
    \n\r\
    \n# Use MikroTik's \"list\" feature for easy rule matchmaking.\r\
    \n\r\
    \n/interface list add name=WAN\r\
    \n/interface list add name=VLAN\r\
    \n/interface list add name=BASE\r\
    \n\r\
    \n/interface list member\r\
    \nadd interface=ether1     list=WAN\r\
    \nadd interface=BASE_VLAN  list=VLAN\r\
    \nadd interface=BLUE_VLAN  list=VLAN\r\
    \nadd interface=GREEN_VLAN list=VLAN\r\
    \nadd interface=BASE_VLAN  list=BASE\r\
    \n\r\
    \n# VLAN aware firewall. Order is important.\r\
    \n/ip firewall filter\r\
    \n\r\
    \n\r\
    \n##################\r\
    \n# INPUT CHAIN\r\
    \n##################\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow VLANs to access router services like DNS, Winbox. Naturally, you\
    \_SHOULD make it more granular.\r\
    \nadd chain=input action=accept in-interface-list=VLAN comment=\"Allow VLA\
    N\"\r\
    \n\r\
    \n# Allow BASE_VLAN full access to the device for Winbox, etc.\r\
    \nadd chain=input action=accept in-interface=BASE_VLAN comment=\"Allow Bas\
    e_Vlan Full Access\"\r\
    \n\r\
    \nadd chain=input action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# FORWARD CHAIN\r\
    \n##################\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow all VLANs to access the Internet only, NOT each other\r\
    \nadd chain=forward action=accept connection-state=new in-interface-list=V\
    LAN out-interface-list=WAN comment=\"VLAN Internet Access only\"\r\
    \n\r\
    \nadd chain=forward action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# NAT\r\
    \n##################\r\
    \n/ip firewall nat add chain=srcnat action=masquerade out-interface-list=W\
    AN comment=\"Default masquerade\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Security\r\
    \n#######################################\r\
    \n\r\
    \n# Only allow ingress packets without tags on Access Ports\r\
    \n/interface bridge port\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether2]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether3]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether4]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether5]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan1]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan2]\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# MAC Server settings\r\
    \n#######################################\r\
    \n\r\
    \n# Ensure only visibility and availability from BASE_VLAN, the MGMT netwo\
    rk\r\
    \n/ip neighbor discovery-settings set discover-interface-list=BASE\r\
    \n/tool mac-server mac-winbox set allowed-interface-list=BASE\r\
    \n/tool mac-server set allowed-interface-list=BASE\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Turn on VLAN mode\r\
    \n#######################################\r\
    \n/interface bridge set BR1 vlan-filtering=yes\r\
    \n\r\
    \n"
add dont-require-permissions=no name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Blue VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=20\r\
    \n/ip address add interface=BLUE_VLAN address=10.0.10.1/24\r\
    \n/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254\r\
    \n/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE\
    _DHCP disabled=no\r\
    \n/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 \
    gateway=10.0.10.1\r\
    \n\r\
    \n# Green VLAN interface creation, IP assignment, and DHCP service\r\
    \n/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=10\r\
    \n/ip address add interface=GREEN_VLAN address=192.168.10.1/24\r\
    \n/ip pool add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254\r\
    \n/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GR\
    EEN_DHCP disabled=no\r\
    \n/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.1\
    0.1 gateway=192.168.10.1\r\
    \n\r\
    \n# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature fo\
    r an admin.\r\
    \n /ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.0.254\r\
    \n /ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BAS\
    E_DHCP disabled=no\r\
    \n /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.\
    88.1 gateway=192.168.88.1\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Firewalling & NAT\r\
    \n# A good firewall for WAN. Up to you\r\
    \n# about how you want LAN to behave.\r\
    \n#######################################\r\
    \n\r\
    \n# Use MikroTik's \"list\" feature for easy rule matchmaking.\r\
    \n\r\
    \n/interface list add name=WAN\r\
    \n/interface list add name=VLAN\r\
    \n/interface list add name=BASE\r\
    \n\r\
    \n/interface list member\r\
    \nadd interface=ether1     list=WAN\r\
    \nadd interface=BASE_VLAN  list=VLAN\r\
    \nadd interface=BLUE_VLAN  list=VLAN\r\
    \nadd interface=GREEN_VLAN list=VLAN\r\
    \nadd interface=BASE_VLAN  list=BASE\r\
    \n\r\
    \n# VLAN aware firewall. Order is important.\r\
    \n/ip firewall filter\r\
    \n\r\
    \n\r\
    \n##################\r\
    \n# INPUT CHAIN\r\
    \n##################\r\
    \nadd chain=input action=accept connection-state=established,related comme\
    nt=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow VLANs to access router services like DNS, Winbox. Naturally, you\
    \_SHOULD make it more granular.\r\
    \nadd chain=input action=accept in-interface-list=VLAN comment=\"Allow VLA\
    N\"\r\
    \n\r\
    \n# Allow BASE_VLAN full access to the device for Winbox, etc.\r\
    \nadd chain=input action=accept in-interface=BASE_VLAN comment=\"Allow Bas\
    e_Vlan Full Access\"\r\
    \n\r\
    \nadd chain=input action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# FORWARD CHAIN\r\
    \n##################\r\
    \nadd chain=forward action=accept connection-state=established,related com\
    ment=\"Allow Estab & Related\"\r\
    \n\r\
    \n# Allow all VLANs to access the Internet only, NOT each other\r\
    \nadd chain=forward action=accept connection-state=new in-interface-list=V\
    LAN out-interface-list=WAN comment=\"VLAN Internet Access only\"\r\
    \n\r\
    \nadd chain=forward action=drop comment=\"Drop\"\r\
    \n\r\
    \n##################\r\
    \n# NAT\r\
    \n##################\r\
    \n/ip firewall nat add chain=srcnat action=masquerade out-interface-list=W\
    AN comment=\"Default masquerade\"\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# VLAN Security\r\
    \n#######################################\r\
    \n\r\
    \n# Only allow ingress packets without tags on Access Ports\r\
    \n/interface bridge port\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether2]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether3]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether4]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=ether5]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan1]\r\
    \nset bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and\
    -priority-tagged [find interface=wlan2]\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# MAC Server settings\r\
    \n#######################################\r\
    \n\r\
    \n# Ensure only visibility and availability from BASE_VLAN, the MGMT netwo\
    rk\r\
    \n/ip neighbor discovery-settings set discover-interface-list=BASE\r\
    \n/tool mac-server mac-winbox set allowed-interface-list=BASE\r\
    \n/tool mac-server set allowed-interface-list=BASE\r\
    \n\r\
    \n\r\
    \n#######################################\r\
    \n# Turn on VLAN mode\r\
    \n#######################################\r\
    \n/interface bridge set BR1 vlan-filtering=yes\r\
    \n"
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 7:24 pm

Yes, completely normal.
Every trunk port, be it MT, DSTINK, NETCRAP or TP-SHTINK, has the native vlan1 set on every port.
It's transparent and in the background. The only time it changes is if one sets a pvid (access port), which replaces vlan id 1.

The MT is configured properly; suggest you figure out what the HP WAP really needs (model number?).
 
myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 8:33 pm

HP MSM430: https://support.hpe.com/hpesc/public/do ... =c04915279
I have used this WAP in a VLAN environment successfully as described above.
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 9:53 pm

Completely useless link.
This one seems better --> https://cdn.cnetcontent.com/63/39/6339b ... 99d29a.pdf

However, it would appear HP has quite an involved process, which I trust you have mastered.

There should be three vlans going to the HP: VLAN99 to give it an IP address on the base vlan,
the other two as data vlans 10, 20.

A normal smart AP would be expecting a trunk port from the MT with 3 tagged vlans as per our latest setup.
Perhaps the HP is expecting a hybrid setup, where vlan99 is untagged and the other two vlans tagged.

Can you confirm what IP address the HP currently has?
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 10:06 pm

A hybrid ether4 setup.

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether3 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan1 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan2 pvid=10
add bridge=BR1 comment="Admin Access" frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=99

add bridge=BR1 frame-types=admit-all ingress-filtering=no interface=ether4 pvid=99
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4 untagged=wlan2 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4 untagged=ether2,ether3,wlan1 vlan-ids=20

add bridge=BR1 tagged=BR1 untagged=ether5,ether4 vlan-ids=99
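One way to audit a bridge port/VLAN table for the mistakes this thread walks through (pvid left on a tagged-only trunk, untagged member whose pvid points elsewhere, access port listed as tagged, bridge itself missing from a VLAN) is to parse the export and check it mechanically. This is an added Python example, not RouterOS or forum code; the two sample configs are constructed from the ether4 proposals above (trunk with pvid, then the hybrid port), and the parser handles the export's backslash continuations and quoted values.

```python
"""Consistency checks for a RouterOS bridge VLAN table (added example, not
RouterOS or forum code). Flags the mistakes this thread discusses: a pvid on a
tagged-only trunk port, an untagged member whose pvid points elsewhere, an
access port listed as tagged, and a VLAN the bridge itself does not carry."""
import shlex
from collections import defaultdict

ACCESS = "admit-only-untagged-and-priority-tagged"
TRUNK = "admit-only-vlan-tagged"

def logical_lines(export):
    """Join export lines that end with a backslash continuation."""
    buf = ""
    for raw in export.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def parse_bridge_config(export):
    """Return ports[name] -> {key: value} and vlans[id] -> {tagged, untagged}."""
    ports, vlans, section = {}, {}, None
    for line in logical_lines(export):
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # handles quoted values such as comment="..."
        if not tokens or tokens[0] != "add":
            continue
        kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if section == "/interface bridge port":
            ports[kv["interface"]] = kv
        elif section == "/interface bridge vlan":
            members = {k: set(filter(None, kv.get(k, "").split(",")))
                       for k in ("tagged", "untagged")}
            for vid in kv["vlan-ids"].split(","):
                vlans[int(vid)] = members
    return ports, vlans

def check_bridge_vlans(ports, vlans):
    """Return a list of findings; an empty list means the table is consistent."""
    findings = []
    bridge = next((p["bridge"] for p in ports.values()), None)
    untagged_in = defaultdict(set)  # port -> VLANs it sends out untagged
    for vid, m in vlans.items():
        if bridge not in m["tagged"]:
            # L3 switching: the router's own /interface vlan needs the bridge tagged
            findings.append(f"vlan {vid}: {bridge} is not a tagged member")
        for p in m["untagged"]:
            untagged_in[p].add(vid)
        for p in m["tagged"]:
            if p in ports and ports[p].get("frame-types") == ACCESS:
                findings.append(f"{p}: tagged in vlan {vid} but admits only untagged")
    for name, p in ports.items():
        pvid = int(p.get("pvid", 1))
        if p.get("frame-types") == TRUNK and pvid != 1:
            findings.append(f"{name}: pvid={pvid} on a tagged-only trunk port")
        for vid in sorted(untagged_in[name]):
            if vid != pvid:  # untagged egress vlan must match untagged ingress vlan
                findings.append(f"{name}: untagged in vlan {vid} but pvid={pvid}")
    return findings

def audit(export):
    """Parse an export and return its findings."""
    return check_bridge_vlans(*parse_bridge_config(export))

# Constructed from the two ether4 proposals in this thread: the trunk that
# kept its pvid, and the hybrid port (vlan 99 untagged, 10 and 20 tagged).
ACCESS_PORTS = """\
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    ether2 pvid=20
add bridge=BR1 comment="Admin Access" frame-types=\\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
"""
TRUNK_WITH_PVID = ACCESS_PORTS + """\
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4 pvid=10
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1,ether4 untagged=ether5 vlan-ids=99
"""
HYBRID = ACCESS_PORTS + """\
add bridge=BR1 frame-types=admit-all ingress-filtering=no interface=ether4 pvid=99
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether5,ether4 vlan-ids=99
"""
```

`audit(TRUNK_WITH_PVID)` reports the stray pvid on ether4, while `audit(HYBRID)` returns no findings because ether4 is untagged only in vlan 99 and its pvid is 99.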
 
myriad
just joined
Topic Author
Posts: 15
Joined: Mon Jun 27, 2016 6:15 pm

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 11:04 pm

Ok, I checked the IP on the HP and the bridge interface is set to 10.0.10.2 (which is vlan10 subnet). VLAN10 is assigned as the 'guest' vlan with id of 10. I added a new VLAN20 and set it to the main wifi. It now works. I have a question though. I created 3 network profiles: base, main, guest. The only profile that has a static address is main which is the bridge interface. If I wanted to be able to manage the WAPs through the wifi, would I change the bridge interface to the base and give it a static IP say 192.168.0.2 and use your latest config change?
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for Router-Switch-AP (all in one) scenario

Sun Mar 26, 2023 11:38 pm

I think so, your idea is the correct one for sure......
