After research and hours of testing I can't make it works... Unfortunately...
I need to set a subnet exclusive to the wifi 2.4GHz interface with access to Internet, local DNS server and local NTP server.
Do not want to use VLANs and do not need mesh (for the 2.4GHz WiFi).
Can you help me, please?
The network diagram is:
The main router (gateway) configuration export:
Code: Select all
# sep/08/2022 23:07:22 by RouterOS 7.5
# software id = FZPI-1FMU
#
# model = RB760iGS
/interface bridge
add admin-mac=74:4D:28:AD:73:42 auto-mac=no comment=defconf name=bridge
add admin-mac=3E:C6:77:F7:7D:13 auto-mac=no name=bridge-iot
/interface ethernet
set [ find default-name=ether1 ] name=ether1-lan
set [ find default-name=ether2 ] name=ether2-wan
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=ether2-wan \
keepalive-timeout=30 name=pppoe user=cliente@cliente
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=no use-network-apn=no \
use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-pool1 ranges=192.168.1.101-192.168.1.254
add name=dhcp-iot ranges=192.168.2.11-192.168.2.100
/ip dhcp-server
add address-pool=dhcp-pool1 allow-dual-stack-queue=no interface=bridge name=\
dhcp-srv1
add address-pool=dhcp-iot allow-dual-stack-queue=no interface=bridge-iot \
name=dhcp-iot
/port
set 0 name=serial0
/caps-man aaa
set called-format=mac mac-format=""
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1-lan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=loose
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
forward=no max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2-wan list=WAN
add interface=pppoe list=WAN
add interface=bridge-iot list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=192.168.15.2/24 comment="Enable to acess ISP Bridged Modem" \
interface=ether2-wan network=192.168.15.0
add address=192.168.2.1/24 interface=bridge-iot network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-server alert
add disabled=no interface=ether1-lan valid-server=3E:C6:77:F7:7D:13
/ip dhcp-server lease
add address=192.168.1.10 client-id=1:4c:5e:c:d5:3b:49 mac-address=\
4C:5E:0C:D5:3B:49 server=dhcp-srv1
add address=192.168.1.4 client-id=1:e4:8d:8c:9f:8c:23 mac-address=\
E4:8D:8C:9F:8C:23 server=dhcp-srv1
add address=192.168.1.2 client-id=1:64:d1:54:c6:8d:2e mac-address=\
64:D1:54:C6:8D:2E server=dhcp-srv1
add address=192.168.1.8 mac-address=04:18:D6:06:7F:E3 server=dhcp-srv1
add address=192.168.1.32 comment="Pi-Hole DNS" mac-address=B8:27:EB:61:D9:8E \
server=dhcp-srv1 use-src-mac=yes
add address=192.168.1.31 comment="NTP Server" mac-address=D8:B0:4C:F0:00:55 \
server=dhcp-srv1 use-src-mac=yes
add address=192.168.1.3 mac-address=CC:2D:E0:E1:23:42 server=dhcp-srv1
/ip dhcp-server network
add address=192.168.1.0/24 comment="DHCP Server Subnet 1" dns-server=\
192.168.1.32 gateway=192.168.1.1 netmask=24 ntp-server=192.168.1.31
add address=192.168.2.0/24 comment="DHCP Server Subnet 2" dns-server=\
192.168.1.32 gateway=192.168.2.1 netmask=24 ntp-server=192.168.1.31
/ip dns
set servers=192.168.1.32
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
add address=192.168.1.32 name=pi.hole
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.1.0/24 list=LAN-Subnets
add address=192.168.2.0/24 list=LAN-Subnets
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop all coming from WAN" \
in-interface=pppoe log-prefix=DROP-FROM-WAN
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="defconf: drop NTP out" \
connection-state="" dst-port=123 log=yes log-prefix=NTP-OUT: \
out-interface-list=!LAN protocol=udp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=pppoe
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=ether2-wan \
layer7-protocol=*1 log=yes log-prefix=BLCK-EXE-DWNLD new-packet-mark=\
EXE-pckt passthrough=no
/ip firewall nat
add action=accept chain=srcnat comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix=\
MASQ
add action=dst-nat chain=dstnat connection-type="" dst-limit=\
1,5,dst-address/1m40s dst-port=53 log-prefix="[RED]DNS-OUT[UDP]" \
protocol=udp src-address=!192.168.1.32 to-addresses=192.168.1.32 \
to-ports=53
add action=dst-nat chain=dstnat dst-port=53 log-prefix="[RED]DNS-OUT[TCP]" \
protocol=tcp src-address=!192.168.1.32 to-addresses=192.168.1.32 \
to-ports=53
add action=dst-nat chain=dstnat dst-port=123 in-interface-list=LAN \
log-prefix="[RED]NTP-OUT[UDP]" protocol=udp to-addresses=192.168.1.31 \
to-ports=123
add action=dst-nat chain=dstnat dst-port=123 log-prefix="[RED]NTP-OUT[TCP]" \
protocol=tcp to-addresses=192.168.1.31 to-ports=123
/ip firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN log=yes \
log-prefix=DHCP-DISCOVER protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop bogon IP's (Disrupt CAPsMAN!)" dst-address-list=bad_ipv4 \
log-prefix=DROP-BOGON
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4 log-prefix=DROP-BOGON-IP4:
add action=accept chain=prerouting comment=\
"defconf: accept ISP bridge from WAN" in-interface=pppoe log-prefix=\
ACC-NOT-GLOBAL: protocol=tcp src-address=192.168.15.1 src-port=80
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface=pppoe log-prefix=DROP-NOT-GLOBAL: src-address-list=\
not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=192.168.1.0/24 \
in-interface=pppoe
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address-list=!LAN-Subnets
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!192.168.1.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN \
log-prefix=ACCEPT-RAW-LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface=pppoe log-prefix=\
ACCEPT-RAW-WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" disabled=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" disabled=yes \
port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" disabled=yes \
icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" disabled=yes \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" disabled=\
yes icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
disabled=yes icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" disabled=\
yes icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
disabled=yes icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" disabled=yes \
icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " disabled=yes \
icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" disabled=yes \
protocol=icmp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip traffic-flow
set enabled=yes interfaces=pppoe
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
"defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
"defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
icmpv6
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=RTR-GATEWAY
/system logging
add disabled=yes prefix=NTP-LOGs topics=ntp
add disabled=yes topics=dns
add disabled=yes topics=pppoe
add topics=dhcp,debug
add disabled=yes prefix=CAPS topics=caps,debug
add disabled=yes prefix=WIFI topics=wireless,debug
add disabled=yes prefix=RAW topics=raw,info
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.1.31
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set ping-timeout=2m watch-address=1.1.1.1
/tool bandwidth-server
set enabled=no
/tool graphing
set store-every=hour
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
And... The RBcAPGi-5acD2nD config export is:
Code: Select all
# sep/21/2022 01:02:14 by RouterOS 7.5
# software id = ER1U-M8FA
#
# model = RBcAPGi-5acD2nD
#
/interface bridge
add admin-mac=74:4D:XX:XX:XX:XX auto-mac=no name=bridge
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=brazil disabled=no \
frequency-mode=superchannel installation=indoor mode=ap-bridge ssid=HomeWiFi \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=iot-wlan-pwd supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=etsi disabled=no \
frequency=2447 mode=ap-bridge security-profile=iot-wlan-pwd ssid=iotwifi \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/system ntp key
add key-id=1
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=wlan2
add bridge=bridge interface=wlan1
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=LAN
/interface list member
add interface=bridge list=LAN
/ip address
add address=192.168.1.7/24 interface=bridge network=192.168.1.0
/ip dns
set servers=192.168.1.22
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=XPTO
/system logging
add disabled=yes topics=wireless,debug
add disabled=yes topics=interface,debug
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=192.168.1.20 auth-key=1
add address=192.168.1.1
/tool mac-server
set allowed-interface-list=LAN