my apologies for the intrusion, but i'm stymied. i've got an RB4011iGS+5HacQ2HnD running routerOS 6.48.6 handling 300mbps comcast cable internet, and decided to finally throw an AP or two at my setup. in preparation, i figured it'd probably be wise to set up CAPsMAN for the internal WLAN interfaces for familiarity and ensuring that existing devices will play nice, but once operational, wifi speed essentially gets cut in half (at least on 5ghz). wired networking is unaffected, naturally.
i promise i've read many, many, many, many threads and posts but am likely too simple to notice the flaw(s?) in my plans - i also admit i'm not even slightly knowledgeable regarding wireless networking beyond the absolute minimum basics required to make internet magically happen through the air.
wifi topology is pretty straightforward; the arris cable modem feeds into the RB4011 on eth01, and the RB4011's internal radios are the only wifi access point(s) in my home.
when CAP is disabled in the wireless interfaces, i can pretty effectively saturate my connection:
immediately after enabling CAP and reconnecting to wifi, tested speed is significantly lower:
i know the wiki states "creating many slave interfaces can decrease the overall performance of access point", but i'd surely think that 2 virtual SSIDs per radio wouldn't be _that_ detrimental - particularly since this is the exact same configuration that i was enjoying 300mbps with mere minutes ago, the only difference being CAPsMAN's involvement.
i created exports before and after enabling CAP in the wireless tables; the (anonymized) "CAP enabled" config is as follows:
# jan/16/2022 09:54:05 by RouterOS 6.48.6
# software id = P715-DLE2
#
# model = RB4011iGS+5HacQ2HnD
# serial number = Fxxxxxxxxxxx
# CAPsMAN channel profiles: one per band, 20 MHz control channel, tx-power 18 on both.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX name=\
2.4g tx-power=18
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX name=\
5g tx-power=18
# Single bridge with VLAN filtering enabled; pvid=100 is the untagged (main) VLAN.
/interface bridge
add admin-mac=2C:C8:1B:xx:xx:xx auto-mac=no comment=defconf name=bridge pvid=\
100 vlan-filtering=yes
# Physical radios (wlan2 -> "2g", wlan1 -> "5g"). The "managed by CAPsMAN" and
# "channel:" lines are the export's live status. "CAPsMAN forwarding" means the
# radio hands frames to the manager instead of bridging them itself, which
# matches datapath.local-forwarding=no in the CAPsMAN configurations below.
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(15dBm), SSID: djabacus.net, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
2g ssid=djabacus.net wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(15dBm)+5775/80(27dBm), SSID: 5g.djabacus.net, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge name=5g ssid=5g.djabacus.net wireless-protocol=802.11
# SFP+ port pinned to 1Gbps.
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
speed=1Gbps
# One VLAN interface per network, all on the bridge (100 main, 120 wifi,
# 130 server, 140 guest, 150 iot).
/interface vlan
add interface=bridge name=guestVlan vlan-id=140
add interface=bridge name=iotVlan vlan-id=150
add interface=bridge name=mainVlan vlan-id=100
add interface=bridge name=serverVlan vlan-id=130
add interface=bridge name=wifiVlan vlan-id=120
# Shared CAPsMAN datapath. local-forwarding=yes here is overridden to no by every
# configuration that uses it, but client-to-client-forwarding=yes is NOT
# overridden, so guest and iot clients on the same AP can reach each other.
# NOTE(review): a second datapath with client-to-client-forwarding=no for the
# guest/iot configurations is the per-AP client-isolation control under CAPsMAN.
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
wifipath
# Six CAPsMAN configurations: one per SSID per band. All use country
# "united states3", WPA-PSK+WPA2-PSK, datapath.local-forwarding=no (frames go
# through the manager), and tag client traffic with the VLAN id of the matching
# vlan interface (120 wifi, 140 guest, 150 iot) via vlan-mode=use-tag.
# NOTE(review): authentication-types still include wpa-psk (WPA1); if every
# client supports WPA2, leaving only wpa2-psk drops the legacy option.
# Passphrases do not appear in this (anonymized) export.
/caps-man configuration
add channel=2.4g country="united states3" datapath=wifipath datapath.bridge=\
bridge datapath.local-forwarding=no datapath.vlan-id=140 \
datapath.vlan-mode=use-tag installation=any name=guest2g_cap_config \
security.authentication-types=wpa-psk,wpa2-psk ssid=guest.djabacus.net
add channel=2.4g country="united states3" datapath=wifipath datapath.bridge=\
bridge datapath.local-forwarding=no datapath.vlan-id=150 \
datapath.vlan-mode=use-tag installation=any name=iot2g_cap_config \
security.authentication-types=wpa-psk,wpa2-psk ssid=iot.djabacus.net
add channel=2.4g country="united states3" datapath=wifipath datapath.bridge=\
bridge datapath.local-forwarding=no datapath.vlan-id=120 \
datapath.vlan-mode=use-tag installation=any name=wifi2g_cap_config \
security.authentication-types=wpa-psk,wpa2-psk ssid=djabacus.net
add channel=5g country="united states3" datapath=wifipath datapath.bridge=\
bridge datapath.local-forwarding=no datapath.vlan-id=120 \
datapath.vlan-mode=use-tag installation=any name=wifi5g_cap_config \
security.authentication-types=wpa-psk,wpa2-psk ssid=5g.djabacus.net
add channel=5g country="united states3" datapath=wifipath datapath.bridge=\
bridge datapath.local-forwarding=no datapath.vlan-id=140 \
datapath.vlan-mode=use-tag installation=any name=guest5g_cap_config \
security.authentication-types=wpa-psk,wpa2-psk ssid=guest.djabacus.net
add channel=5g country="united states3" datapath=wifipath datapath.bridge=\
bridge datapath.local-forwarding=no datapath.vlan-id=150 \
datapath.vlan-mode=use-tag installation=any name=iot5g_cap_config \
security.authentication-types=wpa-psk,wpa2-psk ssid=iot.djabacus.net
# Switch-chip ports: default-vlan-id=0 on every port (no switch-chip VLAN
# assignment; VLAN membership is configured on the bridge below).
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# Interface lists referenced by the firewall: WAN/LAN from defconf, plus MGMT,
# VLAN, "TRUSTED LAN" and "UNTRUSTED LAN" (membership in /interface list member).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
add name=VLAN
add name="TRUSTED LAN"
add name="UNTRUSTED LAN"
# Static security profiles, used by the static virtual APs below (CAPsMAN uses
# the security.* settings of its own configurations instead). Same note as
# there: wpa-psk (WPA1) is still enabled; passphrases are not in this export.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name=guestSecProfile supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name=iotSecProfile supplicant-identity=""
# Static virtual APs on the 2g/5g masters, still disabled=no, carrying the same
# guest/iot SSIDs that CAPsMAN provisioning creates as dynamic slave interfaces.
# NOTE(review): confirm these static interfaces are not still beaconing beside
# the dynamic ones once CAP is enabled; if they are not needed, disable them.
/interface wireless
add disabled=no mac-address=2E:C8:1B::xx:xx:xx master-interface=2g name=\
"guest 2g" security-profile=guestSecProfile ssid=guest.djabacus.net
add disabled=no mac-address=2E:C8:1B::xx:xx:xx master-interface=5g name=\
"guest 5g" security-profile=guestSecProfile ssid=guest.djabacus.net
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B::xx:xx:xx \
master-interface=2g multicast-buffering=disabled name="iot 2g" \
security-profile=iotSecProfile ssid=iot.djabacus.net wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B::xx:xx:xx \
master-interface=5g multicast-buffering=disabled name="iot 5g" \
security-profile=iotSecProfile ssid=iot.djabacus.net wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
# Layer7 matcher "crappy youtube test"; no filter/mangle rule in this export
# references it, so it currently has no effect.
/ip firewall layer7-protocol
add name="crappy youtube test" regexp="^.+(ytstatic.l.google.com|youtube-ui.l.\
google.com|youtubei.googleapis.com|youtube.googleapis.com|youtube.com|www.\
youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube\
.l.google.com|i.google.com|googlevideo.com|youtu.be|youtube-nocookie.com).\
*\$"
# One address pool and one DHCP server per VLAN interface
# (main .101, wifi .120, server .130, guest .140, iot .150).
/ip pool
add name=mainPool ranges=192.168.101.10-192.168.101.254
add name=wifiPool ranges=192.168.120.10-192.168.120.254
add name=serverPool ranges=192.168.130.50-192.168.130.254
add name=guestPool ranges=192.168.140.50-192.168.140.254
add name=iotPool ranges=192.168.150.50-192.168.150.254
/ip dhcp-server
add address-pool=mainPool disabled=no interface=mainVlan name=mainDhcp
add address-pool=serverPool disabled=no interface=serverVlan name=serverDhcp
add address-pool=wifiPool disabled=no interface=wifiVlan name=wifiDhcp
add address-pool=guestPool disabled=no interface=guestVlan name=guestDhcp
add address-pool=iotPool disabled=no interface=iotVlan name=iotDhcp
# Remote syslog target (logging action 3): 192.168.130.11 on serverVlan.
# The /system logging rules send the firewall, wireless, dhcp and caps topics
# there; plain syslog is unencrypted, and every log=yes firewall rule adds to it.
/system logging action
set 3 remote=192.168.130.11
# CAPsMAN manager runs on this same router. CAP discovery is forbidden on the
# default (all interfaces) entry and explicitly allowed on the bridge and on
# each VLAN interface.
# NOTE(review): guestVlan and iotVlan are allowed here too. The only CAP in this
# export is the router's own radios (reaching the manager at 127.0.0.1 over the
# bridge), so discovery on the untrusted VLANs can be dropped until an external
# AP actually needs it.
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
add disabled=no interface=mainVlan
add disabled=no interface=guestVlan
add disabled=no interface=iotVlan
add disabled=no interface=wifiVlan
add disabled=no interface=serverVlan
# Provisioning: one rule per band, matched on hw-supported-modes. Each creates a
# dynamic master (wifi) plus two slaves (guest, iot), enabled on creation
# (create-dynamic-enabled) and named wifi5g_cap_<identity> / wifi2g_cap_<identity>.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
master-configuration=wifi5g_cap_config name-format=prefix-identity \
name-prefix=wifi5g_cap_ slave-configurations=\
guest5g_cap_config,iot5g_cap_config
add action=create-dynamic-enabled hw-supported-modes=b,g,gn \
master-configuration=wifi2g_cap_config name-format=prefix-identity \
name-prefix=wifi2g_cap_ slave-configurations=\
guest2g_cap_config,iot2g_cap_config
# Bridge-filter isolation for the static "guest 5g"/"guest 2g" interfaces (drop
# bridged forwarding in and out of them). The export's own "not ready" comments
# show these rules are currently inactive: the interface is not a bridge slave.
# They also name the static virtual APs, not the dynamic CAPsMAN guest
# interfaces, so they do not isolate CAPsMAN guest clients at all.
# NOTE(review): under CAPsMAN, client-to-client-forwarding on the datapath is
# the equivalent control; a VLAN-level policy in /ip firewall filter covers
# inter-VLAN traffic but not guest-to-guest traffic on the same SSID.
/interface bridge filter
# guest 5g not ready
# in/out-bridge-port matcher not possible when interface (guest 5g) is not slave
add action=drop chain=forward in-interface="guest 5g"
# guest 5g not ready
# in/out-bridge-port matcher not possible when interface (guest 5g) is not slave
add action=drop chain=forward out-interface="guest 5g"
# guest 2g not ready
# in/out-bridge-port matcher not possible when interface (guest 2g) is not slave
add action=drop chain=forward in-interface="guest 2g"
# guest 2g not ready
# in/out-bridge-port matcher not possible when interface (guest 2g) is not slave
add action=drop chain=forward out-interface="guest 2g"
# Bridge ports: ether2-10 untagged in VLAN 100; sfp-sfpplus1 is a tagged-only
# trunk; the static wireless interfaces are untagged into 120 (main wifi),
# 140 (guest) and 150 (iot).
# NOTE(review): only the static wireless interfaces are listed. Dynamic CAPsMAN
# interfaces are attached through the datapath (bridge=bridge, vlan-mode=use-tag);
# with vlan-filtering=yes, verify their membership in the dynamic entries of
# /interface bridge vlan rather than assuming these static entries apply.
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether6 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether7 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether8 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether9 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether10 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
ingress-filtering=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=5g pvid=120
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=2g pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface="guest 5g" pvid=140
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface="guest 2g" pvid=140
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface="iot 5g" pvid=150
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface="iot 2g" pvid=150
# Neighbor discovery restricted to the TRUSTED LAN list.
/ip neighbor discovery-settings
set discover-interface-list="TRUSTED LAN"
# Bridge VLAN table (the "hopefully" comments are the author's). The bridge
# itself is a tagged member of every VLAN so the /interface vlan interfaces on
# it receive their tagged frames; sfp-sfpplus1 trunks 100, 130 and 150.
/interface bridge vlan
add bridge=bridge comment="hopefully just normal" tagged=bridge,sfp-sfpplus1 \
untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 \
vlan-ids=100
add bridge=bridge comment="hopefully wifi vlan" tagged=bridge untagged=5g,2g \
vlan-ids=120
add bridge=bridge comment="hopefully server/VM vlan" tagged=\
bridge,sfp-sfpplus1 vlan-ids=130
add bridge=bridge comment="hopefully guest wifi vlan" tagged=bridge untagged=\
"guest 5g,guest 2g" vlan-ids=140
add bridge=bridge comment="hopefully iot vlan" tagged=bridge,sfp-sfpplus1 \
untagged="iot 2g,iot 5g" vlan-ids=150
/interface detect-internet
set detect-interface-list=all
# List membership, as used by the firewall below:
#   LAN          = bridge, mainVlan, serverVlan, wifiVlan
#   MGMT         = mainVlan
#   VLAN         = mainVlan, serverVlan, wifiVlan
#   TRUSTED LAN  = bridge, mainVlan, serverVlan, wifiVlan
#   UNTRUSTED LAN= guestVlan, iotVlan
# guestVlan and iotVlan are in neither LAN nor VLAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=mainVlan list=LAN
add interface=serverVlan list=LAN
add interface=wifiVlan list=LAN
add interface=mainVlan list=MGMT
add interface=mainVlan list=VLAN
add interface=serverVlan list=VLAN
add interface=wifiVlan list=VLAN
add interface=serverVlan list="TRUSTED LAN"
add interface=mainVlan list="TRUSTED LAN"
add interface=wifiVlan list="TRUSTED LAN"
add interface=guestVlan list="UNTRUSTED LAN"
add interface=bridge list="TRUSTED LAN"
add interface=iotVlan list="UNTRUSTED LAN"
# Local CAP: the router's own 5g/2g radios register with the manager at
# 127.0.0.1, discovered over the bridge. Together with
# datapath.local-forwarding=no in the configurations, every wireless frame is
# encapsulated and passed to the manager on this same CPU instead of being
# bridged by the radio directly.
# NOTE(review): that per-frame handling is a plausible contributor to the
# throughput drop; re-testing with datapath.local-forwarding=yes (and the
# output-chain log rule in /ip firewall filter disabled) would confirm it.
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge \
enabled=yes interfaces=5g,2g
# Router address, one /24 per VLAN interface.
/ip address
add address=192.168.101.1/24 interface=mainVlan network=192.168.101.0
add address=192.168.120.1/24 interface=wifiVlan network=192.168.120.0
add address=192.168.130.1/24 interface=serverVlan network=192.168.130.0
add address=192.168.140.1/24 interface=guestVlan network=192.168.140.0
add address=192.168.150.1/24 interface=iotVlan network=192.168.150.0
# WAN address from the ISP via DHCP; peer DNS ignored (resolvers set in /ip dns).
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
# Static leases (MACs and client-ids anonymized by the author).
/ip dhcp-server lease
add address=192.168.130.5 mac-address=EC:8E:B5::xx:xx:xx server=serverDhcp
add address=192.168.130.11 client-id=\
ff::xx:xx:xx mac-address=\
3A:CD:DB::xx:xx:xx server=serverDhcp
add address=192.168.130.12 client-id=1:8a::xx:xx:xx mac-address=\
8A:F8:AD::xx:xx:xx server=serverDhcp
add address=192.168.150.11 client-id=1:2c::xx:xx:xx mac-address=\
2C:AA:8E::xx:xx:xx server=iotDhcp
add address=192.168.150.12 client-id=1:2c::xx:xx:xx mac-address=\
2C:AA:8E::xx:xx:xx server=iotDhcp
add address=192.168.150.251 comment="garage door" mac-address=\
24:18:C6::xx:xx:xx server=iotDhcp
add address=192.168.150.250 comment="christmas lights switch" mac-address=\
B4:E6:2D::xx:xx:xx server=iotDhcp
add address=192.168.150.248 comment="philips hue hub" mac-address=\
00:17:88::xx:xx:xx server=iotDhcp
add address=192.168.150.13 client-id=1:2c::xx:xx:xx mac-address=\
2C:AA:8E::xx:xx:xx server=iotDhcp
add address=192.168.130.4 client-id=1:b8::xx:xx:xx mac-address=\
B8:69:F4::xx:xx:xx server=serverDhcp
add address=192.168.101.10 client-id=1:d4::xx:xx:xx mac-address=\
D4:76:A0::xx:xx:xx server=mainDhcp
add address=192.168.130.18 client-id=\
ff::xx:xx:xx mac-address=\
26:F7:6F::xx:xx:xx server=serverDhcp
add address=192.168.130.19 mac-address=A2:FC:68::xx:xx:xx server=serverDhcp
add address=192.168.150.246 mac-address=F4:F5:D8::xx:xx:xx server=iotDhcp
add address=192.168.150.245 mac-address=E4:F0:42::xx:xx:xx server=iotDhcp
add address=192.168.150.244 client-id=ff::xx:xx:xx \
comment=ecobee mac-address=44:61:32::xx:xx:xx server=iotDhcp
add address=192.168.130.41 client-id=\
ff::xx:xx:xx mac-address=\
16:5D:26::xx:xx:xx server=serverDhcp
add address=192.168.130.20 mac-address=32:12:61::xx:xx:xx server=serverDhcp
add address=192.168.130.9 client-id=1:6e::xx:xx:xx comment=\
"nginx reverse proxy" mac-address=6E:55:01::xx:xx:xx server=serverDhcp
add address=192.168.130.61 client-id=\
ff::xx:xx:xx mac-address=\
B6:37:1F::xx:xx:xx server=serverDhcp
add address=192.168.101.4 client-id=1:b8::xx:xx:xx mac-address=\
B8:69:F4::xx:xx:xx server=mainDhcp
add address=192.168.101.22 client-id=1:dc::xx:xx:xx mac-address=\
DC:2C:6E::xx:xx:xx server=mainDhcp
add address=192.168.101.23 client-id=1:dc::xx:xx:xx mac-address=\
DC:2C:6E::xx:xx:xx server=mainDhcp
# DHCP networks: gateway only, no dns-server option set here.
/ip dhcp-server network
add address=192.168.101.0/24 gateway=192.168.101.1
add address=192.168.120.0/24 gateway=192.168.120.1
add address=192.168.130.0/24 gateway=192.168.130.1
add address=192.168.140.0/24 gateway=192.168.140.1
add address=192.168.150.0/24 gateway=192.168.150.1
# Upstream resolvers on serverVlan.
# NOTE(review): allow-remote-requests does not appear in this export; unless it
# is set elsewhere, the router is not answering client DNS itself and the
# input-chain DNS accepts in /ip firewall filter are unused. Confirm which
# resolver address the DHCP clients actually receive.
/ip dns
set servers=192.168.130.11,192.168.130.16,192.168.130.17
# IP firewall. Input chain: defconf established/invalid handling, per-VLAN
# accepts, CAPsMAN loopback, then drop. Forward chain: defconf pattern plus the
# trusted/untrusted VLAN policy. Rules are evaluated in order.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix="DROP INVALID"
# Unrestricted access to every router service from MGMT (mainVlan), serverVlan
# and wifiVlan.
# NOTE(review): wifiVlan is the main wireless SSID, and mainVlan also hosts the
# host that /ip firewall nat exposes to the internet (192.168.101.10). Limiting
# these accepts to the management services actually used, or to MGMT only,
# shrinks what a compromised wireless or exposed host can reach on the router.
add action=accept chain=input comment="mgmt vlan allowed for everything" \
in-interface-list=MGMT
add action=accept chain=input comment="server vlan allowed for everything" \
in-interface=serverVlan
add action=accept chain=input comment="wifi vlan allowed for everything" \
in-interface=wifiVlan
# Service accepts for the VLAN list (main/server/wifi). guestVlan and iotVlan
# are in neither VLAN nor LAN, so these do not match them and their DHCP/DNS
# requests to the router fall through to the "drop all not coming from LAN"
# rule below.
# NOTE(review): if guest/iot clients are obtaining leases anyway, the DHCP
# server is being served ahead of this filter; otherwise add guestVlan/iotVlan
# to an explicit udp/67 accept. Either way, this is worth making explicit.
add action=accept chain=input comment="allow VLAN DHCP" dst-port=67 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="allow VLAN UDP DNS" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="allow VLAN TCP DNS" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="allow VLAN TCP DNS over TLS" dst-port=\
853 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Loopback accepts for the local CAP. The second rule (src 127.0.0.1, udp
# 5246/5247) already covers the CAPsMAN control and data ports; the first is
# the broader defconf rule (any source, any protocol, to 127.0.0.1).
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="capsman self cap" dst-port=5246,5247 \
protocol=udp src-address=127.0.0.1
# Final input drops, both logged; the WAN rule is a subset of the !LAN rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix="DROP NOT LAN INPUT RULE"
add action=drop chain=input comment="drop wan explicitly" in-interface-list=\
WAN log=yes log-prefix="DROP WAN"
# Output chain has no drop rules, so this accept only logs.
# NOTE(review): log=yes here fires for every CAPWAP datagram the manager sends
# to 127.0.0.1. With datapath.local-forwarding=no that includes the wireless
# data frames, and the firewall topic is shipped to the remote syslog host, so
# this rule can by itself cost throughput and flood the syslog server. Remove
# log=yes (or the rule) before measuring wireless speed again.
add action=accept chain=output comment="self-CAPsMAN i think" dst-address=\
127.0.0.1 log=yes log-prefix="wtf capsman" protocol=udp src-address=\
127.0.0.1 src-port=5246,5247
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Forward: new VLAN->WAN connections, then an unconditional accept for anything
# from TRUSTED LAN (log-prefix without log=yes has no effect). Both sit ahead of
# the defconf fasttrack rule.
add action=accept chain=forward comment="VLAN internet access" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="trusted lan can do everything" \
in-interface-list="TRUSTED LAN" log-prefix=omgfirewall
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Inbound WireGuard to 192.168.130.5 (logged). The generic dstnat accept two
# rules down would admit it as well.
add action=accept chain=forward comment="wireguard\?" dst-address=\
192.168.130.5 dst-port=51820 in-interface=ether1 log=yes log-prefix=\
wireguardFirewallPls protocol=udp
add action=accept chain=forward comment=\
"allow port forwarding DSTNAT - enable if needed for server" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix="DROP INVALID FWD"
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"DROP NON DSTNAT WAN FWD"
# Untrusted (guest/iot) policy. DNS (udp/53) and DoT (tcp/853) are accepted to
# ANY destination before the trusted-LAN drop, so untrusted clients can reach
# those ports on trusted hosts (presumably the resolvers on serverVlan). The
# established,related accept is redundant with the defconf one above. Guests
# are then blocked from TRUSTED LAN and from the modem at 192.168.100.1,
# allowed new connections to WAN, and everything else is dropped and logged.
add action=accept chain=forward comment="guest lan gotta get DNS i suppose" \
dst-port=53 in-interface-list="UNTRUSTED LAN" protocol=udp
add action=accept chain=forward comment=\
"guest lan gotta get DNS over TLS too i suppose" dst-port=853 \
in-interface-list="UNTRUSTED LAN" protocol=tcp
add action=accept chain=forward comment="let untrusted talk back to trusted" \
connection-state=established,related in-interface-list="UNTRUSTED LAN" \
out-interface-list="TRUSTED LAN"
add action=drop chain=forward comment="block guest vlan from other vlans" \
in-interface-list="UNTRUSTED LAN" log-prefix="bad guest" \
out-interface-list="TRUSTED LAN"
add action=drop chain=forward comment="block guest vlan from modem" \
dst-address=192.168.100.1 in-interface-list="UNTRUSTED LAN" log-prefix=\
"bad guest"
add action=accept chain=forward comment=\
"i guess i have to tell it that guests can talk to the internet at least" \
connection-state=new in-interface-list="UNTRUSTED LAN" \
out-interface-list=WAN
add action=drop chain=forward comment="just drop everything not listed above" \
log=yes log-prefix="DROP EVERYTHING ELSE FWD"
# Mangle: two disabled passthrough rules (counters only, no effect while disabled).
/ip firewall mangle
add action=passthrough chain=forward comment="debiphone download" disabled=\
yes dst-address=192.168.120.236
add action=passthrough chain=forward comment="obelisk download" disabled=yes \
dst-address=192.168.120.241
# NAT: masquerade to WAN, then logged dst-nat port forwards from WAN:
#   udp/51820 -> 192.168.130.5  (WireGuard)
#   tcp/32400 -> 192.168.130.13 (Plex)
#   tcp/443, 80, 4443, 16443, 16280 -> 192.168.101.10 ("fg40f")
# NOTE(review): 192.168.101.10 sits on mainVlan, which is the MGMT list with
# unrestricted input access to this router. An internet-exposed host on the
# management VLAN means a compromise of that host reaches the router's
# management plane directly. Moving it to serverVlan or its own VLAN, and
# limiting the forwards to the ports really needed (16443/16280 are labelled
# "remote https/http"), reduces that exposure.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="laptop wireguard" dst-port=51820 \
in-interface-list=WAN log=yes log-prefix=wireguardPls protocol=udp \
to-addresses=192.168.130.5 to-ports=51820
add action=dst-nat chain=dstnat comment="omv-plex remote access" dst-port=\
32400 in-interface-list=WAN log=yes log-prefix=PLEX_REMOTE protocol=tcp \
to-addresses=192.168.130.13 to-ports=32400
add action=dst-nat chain=dstnat comment="fg40f tls acme" dst-port=443 \
in-interface-list=WAN log=yes log-prefix=fg40f-tls-acme protocol=tcp \
to-addresses=192.168.101.10 to-ports=443
add action=dst-nat chain=dstnat comment="fg40f insec acme" dst-port=80 \
in-interface-list=WAN log=yes log-prefix=fg40f-insec-acme protocol=tcp \
to-addresses=192.168.101.10 to-ports=80
add action=dst-nat chain=dstnat comment="fg40f sslvpn" dst-port=4443 \
in-interface-list=WAN log=yes log-prefix=fg40f-sslvpn protocol=tcp \
to-addresses=192.168.101.10 to-ports=4443
add action=dst-nat chain=dstnat comment="fg40f remote https" dst-port=16443 \
in-interface-list=WAN log=yes log-prefix=fg40f-sec protocol=tcp \
to-addresses=192.168.101.10 to-ports=16443
add action=dst-nat chain=dstnat comment="fg40f remote http" dst-port=16280 \
in-interface-list=WAN log=yes log-prefix=fg40f-insec protocol=tcp \
to-addresses=192.168.101.10 to-ports=16280
# UPnP enabled with the bridge (untagged VLAN 100) as the internal side. Any
# host that can reach it may open WAN port forwards on its own, and the forward
# chain admits those via the generic dstnat accept.
# NOTE(review): confirm whether hosts on the VLAN interfaces can also use it;
# if nothing relies on UPnP, disabling it removes a self-service hole in the
# WAN policy.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
# IGMP proxy: upstream on serverVlan (accepting the wifi subnet as an
# alternative source), downstream on main and wifi VLANs.
/routing igmp-proxy interface
add alternative-subnets=192.168.120.0/24 interface=serverVlan upstream=yes
add interface=mainVlan
add interface=wifiVlan
# Clock, identity and LED mapping for the 2g radio.
/system clock
set time-zone-name=America/Chicago
/system identity
set name=rb4011
/system leds
add interface=2g leds="2g_signal1-led,2g_signal2-led,2g_signal3-led,2g_signal4\
-led,2g_signal5-led" type=wireless-signal-strength
add interface=2g leds=2g_tx-led type=interface-transmit
add interface=2g leds=2g_rx-led type=interface-receive
# Logging: the four default rules (0-3) are pointed at the remote action;
# additional remote rules with per-topic prefixes for firewall, wireless, dhcp
# and caps; critical to echo, error/warning/info (minus the noisy topics) to
# memory. Every log=yes firewall rule therefore ends up at 192.168.130.11.
/system logging
set 0 action=remote topics=info,!firewall
set 1 action=remote
set 2 action=remote
set 3 action=remote
add action=remote prefix=syslog-firewall topics=firewall,info
add action=echo topics=critical
add topics=error
add topics=info,!firewall,!wireless,!dhcp
add topics=warning
add action=remote prefix=syslog-wireless topics=wireless,info
add action=remote prefix=syslog-dhcp topics=dhcp,info
add topics=critical
add action=remote prefix=syslog-caps topics=caps
# NTP server enabled with broadcast and multicast; no interface restriction
# appears here, so guest/iot VLANs are served too. Package channel: long-term.
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system package update
set channel=long-term
# Daily config backup job; the scheduler entry and the script both carry the
# policy ftp,read,write,policy,test,password,sensitive.
/system scheduler
add interval=1d name=backup-config-to-ftp on-event=backup-ros-config policy=\
ftp,read,write,policy,test,password,sensitive start-date=dec/29/2021 \
start-time=23:45:00
# backup-ros-config: exports the config (.rsc) and saves a .backup under
# "cfgbkp", uploads both with /tool fetch mode=ftp to 192.168.130.13, then
# removes the local copies. Progress is logged at warning level.
# NOTE(review): dont-require-permissions=yes lets any user able to start this
# script run it with the script's own policy (including password,sensitive).
# The export is taken without hide-sensitive, so the .rsc likely contains the
# wireless PSKs and other secrets; it and the FTP credentials (embedded in the
# script source, REDACTED here by the author) travel in cleartext over FTP.
# Prefer an encrypted transport if this version's fetch supports one, and a
# password on /system backup save. The filenames join variables with "_"
# ($now_$systemName_...); "_" is a valid identifier character in RouterOS
# scripting, so confirm the resulting names are what is intended.
/system script
add dont-require-permissions=yes name=backup-ros-config owner=djabacus \
policy=ftp,read,write,policy,test,password,sensitive source="#\r\
\n# Backup ROS to FTP\r\
\n#\r\
\n# Define variables\r\
\n:local ftphost \"192.168.130.13\"\r\
\n:local ftpuser \"REDACTED\"\r\
\n:local ftppassword \"REDACTED\"\r\
\n:local ftppath \"/baseShare/rosbkup/\"\r\
\n:local backupfilename \"rOS_v\"\r\
\n:local localbackuppath \"cfgbkp\"\r\
\n#\r\
\n# Get date and time\r\
\n#\r\
\n{\r\
\n:local curDate [/system clock get date]\r\
\n:local curTime [/system clock get time]\r\
\n:local systemName [/system identity get name]\r\
\n:local systemFirmware [/system routerboard get current-firmware]\r\
\n:local curMonth [:pick \$curDate 0 3]\r\
\n :set curMonth ( [ :find key=\"\$curMonth\" in=\"jan,feb,mar,apr,may,jun\
,jul,aug,sep,oct,nov,dec\" from=-1 ] / 4 + 1)\r\
\n if ( \$curMonth < 10 ) do={\r\
\n :set curMonth ( \"0\".\$curMonth )\r\
\n } else={\r\
\n :set curMonth \$curMonth\r\
\n }\r\
\n:local curDay [:pick \$curDate 4 6]\r\
\n:local curYear [:pick \$curDate 7 13]\r\
\n:local curHour [:pick \$curTime 0 2]\r\
\n:local curMin [:pick \$curTime 3 5]\r\
\n:local now (\"\$curYear\".\"\$curMonth\".\"\$curDay\" .\"-\".\"\$curHour\
\".\"\$curMin\")\r\
\n#\r\
\n# Make config backup locally\r\
\n#\r\
\n:log warn message=\"local backup started\";\r\
\nexport file=\"\$localbackuppath/\$now_\$systemName_\$backupfilename_\$sy\
stemFirmware\"\r\
\n/system backup save name=\"\$localbackuppath/\$now_\$systemName_\$backup\
filename_\$systemFirmware\"\r\
\n:log warn message=\"local backup finished\";\r\
\n#\r\
\n# Copy config backup to FTP\r\
\n#\r\
\n:log warn message=\"config backup to FTP started\";\r\
\n/tool fetch address=\"\$ftphost\" src-path=\"\$localbackuppath/\$now_\$s\
ystemName_\$backupfilename_\$systemFirmware.backup\" user=\"\$ftpuser\" mo\
de=ftp password=\"\$ftppassword\" dst-path=\"\$ftppath/\$systemName/\$now_\
\$systemName_\$backupfilename_\$systemFirmware.backup\" upload=yes\r\
\n/tool fetch address=\"\$ftphost\" src-path=\"\$localbackuppath/\$now_\$s\
ystemName_\$backupfilename_\$systemFirmware.rsc\" user=\"\$ftpuser\" mode=\
ftp password=\"\$ftppassword\" dst-path=\"\$ftppath/\$systemName/\$now_\$s\
ystemName_\$backupfilename_\$systemFirmware.rsc\" upload=yes\r\
\n:log warn message=\"config backup to FTP finished\";\r\
\n#\r\
\n# Remove locally created files\r\
\n#\r\
\n:log warn message=\"removing local backup\";\r\
\nfile remove \"\$localbackuppath/\$now_\$systemName_\$backupfilename_\$sy\
stemFirmware.backup\"\r\
\nfile remove \"\$localbackuppath/\$now_\$systemName_\$backupfilename_\$sy\
stemFirmware.rsc\"\r\
\n:log warn message=\"local backup removed\";\r\
\n#\r\
\n}"
# Graphing pages readable from the main, wifi and server subnets only.
/tool graphing interface
add allow-address=192.168.120.0/24
add allow-address=192.168.101.0/24
add allow-address=192.168.130.0/24
/tool graphing resource
add allow-address=192.168.101.0/24
add allow-address=192.168.120.0/24
add allow-address=192.168.130.0/24
# MAC-telnet and MAC-WinBox only on TRUSTED LAN interfaces.
/tool mac-server
set allowed-interface-list="TRUSTED LAN"
/tool mac-server mac-winbox
set allowed-interface-list="TRUSTED LAN"
# NOTE(review): RoMON is enabled with no secret and no per-port restriction in
# this export, so it is reachable at layer 2 on every interface. Disable it if
# unused; otherwise set a secret and forbid it on the ports that face guest/iot.
/tool romon
set enabled=yes
i am fully expecting this to be a shameful, embarrassing oversight on my end and readily await being yelled at for making such an obvious, noobish mistake and will probably be a little disappointed if i get out of this unscathed
thanks in advance for any assistance or even just giving this a glance!
-tim