What is wrong with my configuration?
Code: Select all
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2462,2437 name=channel_24G \
reselect-interval=1d tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce frequency=5180,5200,5220,5240 name=channel_5G \
reselect-interval=1d tx-power=20
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN name=pppoe-byfly password=XXX use-peer-dns=yes user=\
YYYYY
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(20dBm), SSID: Lonli-Lokli, local forwarding
set [ find default-name=wlan1 ] antenna-gain=0 disabled=no ssid=MikroTik station-roaming=enabled
# managed by CAPsMAN
# channel: 5180/20-Ce/ac/P(20dBm), SSID: Lonli-Lokli5, local forwarding
set [ find default-name=wlan2 ] antenna-gain=0 disabled=no ssid=MikroTik station-roaming=enabled
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=security1 passphrase=\
XXXXX
/caps-man configuration
add channel=channel_5G datapath=datapath1 mode=ap multicast-helper=full name=cfg_5G rx-chains=0,1,2 security=security1 ssid=\
Lonli-Lokli5 tx-chains=0,1,2
add channel=channel_24G datapath=datapath1 mode=ap name=cfg_24G rx-chains=0,1,2 security=security1 ssid=Lonli-Lokli tx-chains=\
0,1,2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=blocked_resources name="Proton VPN mode config" responder=no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=\
"Proton VPN profile"
/ip ipsec peer
add address=us-free-07.protonvpn.net exchange-mode=ike2 name="Proton VPN server" profile="Proton VPN profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="Proton VPN proposal" pfs-group=none
/ip pool
add name=dhcp-pc-1 ranges=192.168.88.2-192.168.88.199
/ip dhcp-server
add address-pool=dhcp-pc-1 disabled=no interface=bridge1 lease-time=8h name=dhcp-pc-1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=an,ac master-configuration=cfg_5G
add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=cfg_24G
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface wireless cap
#
set bridge=bridge1 caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.88.69 client-id=1:0:11:32:9a:5d:81 mac-address=00:11:32:9A:5D:81 server=dhcp-pc-1
add address=192.168.88.9 client-id=1:10:98:c3:e3:20:49 mac-address=10:98:C3:E3:20:49 server=dhcp-pc-1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24 ntp-server=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=94.140.14.14,94.140.15.15
/ip firewall address-list
add address=radarr.video list=blocked_resources
add address=radarr.servarr.com list=blocked_resources
/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=4w2d chain=input comment=\
"block honeypot http" connection-state=new dst-port=9999 in-interface=ether1-WAN protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=4w2d chain=input comment="block honeypot" \
connection-state=new dst-port=5060 in-interface=ether1-WAN protocol=udp
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=new dst-port=80,8291,22 in-interface=bridge1 protocol=tcp src-address=\
192.168.88.0/24
add action=accept chain=input connection-nat-state=dstnat dst-port=80 in-interface=pppoe-byfly protocol=tcp src-port=""
add action=accept chain=input connection-state=new dst-port=53,123 in-interface=bridge1 protocol=udp src-address=192.168.88.0/24
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input dst-address=192.168.88.1 dst-port=5246,5247 protocol=udp
add action=accept chain=output connection-state=established,related,new
add action=accept chain=forward connection-state=established,related dst-address=192.168.88.0/24 in-interface=pppoe-byfly \
out-interface=bridge1
add action=accept chain=forward connection-state=established,new in-interface=bridge1 out-interface=pppoe-byfly src-address=\
192.168.88.0/24
add action=accept chain=forward comment="Redirection for Synology-related resources (VPN, deluge, Plex)" connection-nat-state=\
dstnat dst-address=192.168.88.69 in-interface=pppoe-byfly
add action=reject chain=input reject-with=icmp-network-unreachable
add action=reject chain=output reject-with=icmp-network-unreachable
add action=reject chain=forward reject-with=icmp-network-unreachable
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-port=62199 in-interface=pppoe-byfly new-connection-mark=\
allow_in passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting dst-address-list=blocked_resources new-routing-mark=blocked_resources passthrough=yes
add action=change-mss chain=forward connection-mark=blocked_resources new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=0-1360
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-byfly src-address=192.168.88.0/24
add action=redirect chain=dstnat comment="Router Admin Panel" dst-port=62199 in-interface=pppoe-byfly protocol=tcp to-ports=80
add action=dst-nat chain=dstnat comment=Deluge dst-port=26881 protocol=tcp to-addresses=192.168.88.69
add action=dst-nat chain=dstnat comment=Deluge dst-port=26881 protocol=udp to-addresses=192.168.88.69
add action=dst-nat chain=dstnat comment="Synology VPN Server" dst-port=1701,500,4500 protocol=udp to-addresses=192.168.88.69
add action=dst-nat chain=dstnat comment="Plex Media Server" dst-port=16881 in-interface=pppoe-byfly protocol=tcp to-addresses=\
192.168.88.69 to-ports=32400
add action=dst-nat chain=dstnat comment="Plex Media Server" dst-port=16881 in-interface=pppoe-byfly protocol=udp to-addresses=\
192.168.88.69 to-ports=32400
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1-WAN src-address-list="Honeypot Hacker"
/ip ipsec identity
add auth-method=eap certificate="Proton VPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=\
"Proton VPN mode config" password=XXXXXXX peer="Proton VPN server" policy-template-group=ProtonVPN \
username=YYYYYYYYYYYY
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal="Proton VPN proposal" src-address=0.0.0.0/0 template=yes
/ip ssh
set forwarding-enabled=remote
/system identity
set name=CAPsMAN-CAP1
