Yes, that makes sense in terms of keys.
Okay, normally I would use VLANs for multiple WLANs, as that keeps things simple for me.
However, I will first try something without VLANs to see what works,
by putting wlan3 on its own subnet. The changes will be obvious below.
Also, I have no clue about facepalm, so I removed it altogether; it was just confusing the picture for now.
# RouterOS export as posted. The '#' lines are reviewer notes; the text in
# curly braces on two lines below ("{removed from bridge ...}", "{ good rule ...}")
# is the poster's commentary, not export syntax, and must be stripped before
# this is pasted into a router.
/interface bridge
add admin-mac=18:FD:74:FD:88:BC auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full,1000M-half,1000M-full \
speed=1Gbps
# wifi1/wifi2: physical radios broadcasting SSID "sufband", WPA2/WPA3-PSK.
# wifi3: a virtual AP on wifi1 with a hidden SSID "sufband-pl" and its own MAC.
# No security.passphrase appears in the posted lines - presumably redacted.
# Hiding the SSID is not an access control; the PSK and the firewall are.
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country="United Kingdom" .mode=ap .ssid=sufband disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration.country="United Kingdom" .mode=ap .ssid=sufband disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk
add configuration.country="United Kingdom" .hide-ssid=yes .mode=ap .ssid=\
sufband-pl disabled=no mac-address=1A:FD:74:FD:88:C0 master-interface=\
wifi1 name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk
# WireGuard tunnel used as the egress for wifi3 (see /ip route and the
# forward rule below). Peer definitions are not in this excerpt.
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-pl1
# WAN is PPPoE over VLAN 911 on ether1; the username is masked in the post.
/interface vlan
add interface=ether1 name=vlan911 vlan-id=911
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan911 name=pppoe-out1 \
use-peer-dns=yes user=GN*****@giga.net.uk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Two pools: the bridge LAN (192.168.88.x) and the wifi3 subnet (192.168.11.x).
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_wifipool ranges=192.168.11.2-192.168.11.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp-lan
add address-pool=dhcp_wifipool interface=wifi3 name=dhcpwifi
/port
set 0 name=serial0
# NOTE(review): a separate routing table is created, but no /routing rule that
# sends wifi3 / 192.168.11.0/24 traffic into it is visible in this excerpt.
# Without one the wg-pl1 default route under /ip route is never consulted - confirm.
/routing table
add fib name=wifiUsers
# wifi3 is deliberately NOT a bridge port, so it is its own L3 segment.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2 {removed from bridge was wifi3 }
/ip neighbor discovery-settings
set discover-interface-list=LAN
# wifi3 is added to the LAN list: this is what lets it reach router services
# (input chain) and, via the LAN->WAN forward rule below, the Internet directly.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wifi3 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.65.192.76/24 interface=wg-pl1 network=10.65.192.0
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.11.1/24 interface=wifi3 network=192.168.11.0
# Default-config DHCP client on ether1; presumably idle since WAN is PPPoE - confirm.
/ip dhcp-client
add comment=defconf interface=ether1
# NOTE(review): the first 'add' line below ends in '\', which joins the second
# 'add' onto it as one (malformed) command. Likely a paste artifact; the two
# networks must be separate commands. The wifi3 network hands out 10.64.0.1 as
# DNS, which looks like an address on the far side of the tunnel - verify it is
# reachable when wg-pl1 is down, or clients on wifi3 will lose name resolution.
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1\
add address=192.168.11.0/24 gateway=192.168.11.1 dns-server=10.64.0.1
# The router answers DNS for clients; exposure to the WAN is prevented only by
# the "drop all not coming from LAN" input rule further down.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Input chain: everything below this rule is only reachable from LAN members
# (bridge and wifi3). WireGuard handshakes arrive on the WAN; if the tunnel is
# expected to be initiated by the remote peer, a udp/13231 input accept would
# need to precede this drop. Not needed if this router always initiates.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow port forwardiing" connection-nat-state=dstnat
# NOTE(review): because wifi3 is a LAN member, this LAN->WAN rule also permits
# wifi3 -> pppoe-out1. If the intent is that wifi3 only ever exits through the
# tunnel, this rule should exclude wifi3 (e.g. match the bridge in-interface
# instead), otherwise traffic leaves via the ISP whenever the table/route does
# not apply. Also note the current rules allow wifi3 <-> bridge only via
# established/related; new bridge->wifi3 or wifi3->bridge sessions hit "drop all else".
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wifi3 out-interface=wg-pl1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg-pl1
# Default route for the wifiUsers table via the tunnel. The "{ ... }" text
# after the '\' breaks the line continuation; remove it before importing.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg-pl1 pref-src="" \ { good rule just wanted to emphasize it }
routing-table=wifiUsers suppress-hw-offload=no
# HTTPS management enabled; reachable only from LAN per the input chain.
# Other services (winbox, ssh, api, www) are not shown in this excerpt.
/ip service
set www-ssl disabled=no
# SMB file sharing from the USB disk, with a read/write "admin" SMB user.
# No SMB password is visible here. Like the other services, SMB is exposed
# to every LAN-list interface, including the wifi3 guest-style segment.
/ip smb
set enabled=yes
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/usb1 name=usb1
/ip smb users
add name=admin read-only=no
/system clock
set time-zone-name=Europe/London
# NOTE(review): port=857 with STARTTLS - 587 is the usual submission port;
# 857 looks like a transposition. Credentials are masked in the post.
/tool e-mail
set address=smtp.office365.com from=mikrotik@***.net port=857 tls=\
starttls user=mikrotik@***.net
# MAC-telnet disabled everywhere; MAC-winbox limited to LAN-list interfaces
# (which includes wifi3).
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
These two rules were removed because their purpose is unknown and they are of doubtful practical or security value.
# Removed by the poster. Observations: the output chain has no drop rule in the
# export above, so the first rule was a no-op; the second accepts any new UDP
# session from 45.134.212.66 whose source port is 51820, ahead of nothing in
# particular here (its original position is not shown). The two addresses
# differ (.6 vs .66), so at least one is probably a typo - confirm with the owner.
add action=accept chain=output dst-address=45.134.212.6 dst-port=51820 \
protocol=udp
add action=accept chain=input protocol=udp src-address=45.134.212.66 \
src-port=51820
Note that you can remove all IPv6 rules if you are not using an IPv6 ISP.