tested phones: lg g6, samsung s10, iphone
tested laptops: lenovo thinkbook (ax201), hp elitebook 840 (ax201), lenovo y580 (intel ac7260)
tested frequency: 5GHz
Code: Select all
MikroTik RouterOS 7.8 (c) 1999-2023 https://www.mikrotik.com/
Press F1 for help
[Apo@hAP ac2] > export hide
# apr/22/2023 16:07:44 by RouterOS 7.8
# software id = xxx
#
# model = RBD52G-5HacD2HnD
# serial number = xxx
/caps-man channel
add band=5ghz-n/ac extension-channel=Ceee frequency=5180 name="5 GHz " skip-dfs-channels=yes tx-power=20
add band=2ghz-g/n extension-channel=Ce frequency=2412,2452 name="2.4 GHz" tx-power=13
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name="local forward"
/interface bridge
add admin-mac=xxx arp=reply-only auto-mac=no name="Local Bridge"
add admin-mac=xxx auto-mac=no name="PPPoE Bridge"
/interface vlan
add interface="PPPoE Bridge" name="PPPoE vlan35" vlan-id=35
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface="PPPoE vlan35" keepalive-timeout=60 name=PPPoE user=xxx
/caps-man rates
add name="Rate 2.4GHz"
add name="Rate 5GHz"
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm name=Apo
/caps-man configuration
add datapath.local-forwarding=yes hw-protection-mode=rts-cts mode=ap name=Apo security=Apo ssid=Apo
add channel="2.4 GHz" country=turkey datapath="local forward" hw-protection-mode=rts-cts mode=ap name="Apo 2.4GHz" rates="Rate 2.4GHz" \
security=Apo ssid=Apo
add channel="5 GHz " country="united states" datapath="local forward" hw-protection-mode=rts-cts mode=ap name="Apo 5GHz" rates="Rate 5GHz" \
security=Apo ssid=Apo
add channel="2.4 GHz" country=turkey datapath="local forward" hw-protection-mode=rts-cts mode=ap name="slave Apo 2.4GHz" rates="Rate 2.4GHz" \
security=Apo ssid="Apo 2.4GHz"
add channel="5 GHz " country="united states" datapath="local forward" hw-protection-mode=rts-cts mode=ap name="slave Apo 5 GHz" rates=\
"Rate 5GHz" security=Apo ssid="Apo 5GHz"
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=Apo supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(10dBm), SSID: Apo, local forwarding
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-g/n channel-width=20/40mhz-XX country=no_country_set \
disabled=no frequency=auto frequency-mode=manual-txpower guard-interval=long hw-protection-mode=rts-cts mode=ap-bridge name="wlan 2.4GHz" \
security-profile=Apo ssid=Apo tx-power-mode=all-rates-fixed wmm-support=enabled wps-mode=disabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(17dBm), SSID: Apo, local forwarding
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-n/ac channel-width=20/40/80mhz-XXXX country=\
no_country_set disabled=no frequency=auto frequency-mode=manual-txpower guard-interval=long hw-protection-mode=rts-cts mode=ap-bridge \
name="wlan 5GHz" security-profile=Apo skip-dfs-channels=all ssid=Apo tx-power-mode=all-rates-fixed wmm-support=enabled wps-mode=disabled
/ip pool
add name=DHCP ranges=192.168.8.100-192.168.8.254
/ip dhcp-server
add add-arp=yes address-pool=DHCP interface="Local Bridge" name="Local DHCP"
/ppp profile
set *0 change-tcp-mss=default use-ipv6=default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface="Local Bridge"
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=Apo name-format=identity
add action=create-dynamic-enabled hw-supported-modes=gn,g,b master-configuration="Apo 2.4GHz" name-format=prefix-identity name-prefix=\
"Wlan 2.4GHz" slave-configurations="slave Apo 2.4GHz"
add action=create-dynamic-enabled hw-supported-modes=ac,an,a master-configuration="Apo 5GHz" name-format=prefix-identity name-prefix=\
"Wlan 5GHz" slave-configurations="slave Apo 5 GHz"
/interface bridge port
add bridge="Local Bridge" ingress-filtering=no interface=ether2
add bridge="Local Bridge" ingress-filtering=no interface=ether3
add bridge="Local Bridge" ingress-filtering=no interface=ether4
add bridge="Local Bridge" ingress-filtering=no interface=ether5
add bridge="PPPoE Bridge" interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set accept-source-route=yes max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add interface="Local Bridge" list=LAN
add interface=PPPoE list=WAN
add interface=ether1 list=WAN
add interface="PPPoE vlan35" list=WAN
add interface="PPPoE Bridge" list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireless cap
#
set bridge="Local Bridge" discovery-interfaces="Local Bridge" enabled=yes interfaces="wlan 5GHz,wlan 2.4GHz"
/ip address
add address=192.168.8.59/24 interface="Local Bridge" network=192.168.8.0
/ip dhcp-client
add add-default-route=no dhcp-options=clientid disabled=yes interface="PPPoE Bridge" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=192.168.8.59,192.168.8.49 gateway=192.168.8.59 ntp-server=162.159.200.123
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=2606:4700:4700::1001 name=cloudflare-dns.com type=AAAA
add address=2606:4700:4700::1111 name=cloudflare-dns.com type=AAAA
add address=1.0.0.1 name=cloudflare-dns.com
add address=1.1.1.1 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=192.168.8.59 name=ApoDNS1
add address=fe80::c6ad:34ff:fe01:4059 name=ApoDNS1 type=AAAA
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890 multicast" disabled=yes list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" disabled=yes list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890 multicast" disabled=yes list=bad_dst_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" disabled=yes list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=capsman dst-address-type=local protocol=udp src-address-type=local src-port=5246,5247
add action=accept chain=input comment=capsman dst-address-type=local dst-port=5246,5247 protocol=udp src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
add action=masquerade chain=srcnat out-interface=PPPoE
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN \
protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting comment=capsman dst-address-type=local dst-port=5246,5247 protocol=udp src-address-type=local
add action=accept chain=prerouting comment=capsman dst-address-type=local protocol=udp src-address-type=local src-port=5246,5247
add action=drop chain=prerouting comment="defconf: drop echo request from wan" icmp-options=8:0-255 in-interface-list=WAN protocol=icmp
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.8.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.8.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=drop chain=prerouting comment="defconf: drop bad tcp" port=0 protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" disabled=yes jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" disabled=yes jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: drop the rest"
/ip firewall service-port
set rtsp disabled=no
/ip service
set www-ssl disabled=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PPPoE type=external
add interface="Local Bridge" type=internal
/ipv6 address
add address=::c6ad:34ff:fe01:4059 eui-64=yes from-pool=ipv6 interface="Local Bridge"
/ipv6 dhcp-client
add interface=PPPoE pool-name=ipv6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" disabled=yes list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" disabled=yes list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" disabled=yes src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" disabled=yes dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" disabled=yes protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" disabled=yes protocol=139
add action=accept chain=forward comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" disabled=yes protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" disabled=yes protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
src-address=::/128
add action=drop chain=prerouting comment="defconf: drop echo request from wan" icmp-options=128:0-255 in-interface-list=WAN protocol=icmpv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" disabled=yes jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=accept chain=prerouting comment="defconf: accept site multicast scope" dst-address=ff05::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: drop the rest"
/ipv6 nd
set [ find default=yes ] dns=fe80::c6ad:34ff:fe01:4059,fe80::4a8f:5aff:feef:d049 interface="Local Bridge"
/system clock
set time-zone-name=Europe/Istanbul
/system identity
set name="hAP ac2"
/system logging
add disabled=yes topics=dhcp,debug
add topics=caps
/system ntp client
set enabled=yes
/system ntp client servers
add address=2606:4700:f1::123
add address=162.159.200.123
/system routerboard reset-button
set enabled=yes hold-time=0s..5s on-event="system shutdown"
/system script
add dont-require-permissions=no name="cap on off" owner=Apo policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":lo\
g info message=(\"mode button was pressed\");\r\
\n:local i\r\
\n\r\
\n:if ([/int wir cap get enabled] = true) do={\r\
\n /interface wireless cap set enabled=no;\r\
\n :global SlackMessage \"Mode button was presssed. CAP is now disabled.\";\r\
\n :if ( [/int wir get 0 disabled ] = false ) do={\r\
\n :foreach i in= [ /int wir find ] do={ :int wir disable \$i };\r\
\n }\r\
\n} else={\r\
\n /interface wireless cap set enabled=yes\r\
\n :global SlackMessage \"Mode button was presssed. CAP is now enabled.\";\r\
\n}\r\
\n/system script run message2slack"
/tool sniffer
set filter-interface=PPPoE filter-ipv6-address=2a00:1450:4017:80f::200e/128
[Apo@hAP ac2] >