and a ping from the iPhone to the router works without problems.
The iPhone's IP address is taken from one VLAN's subnet (192.168.76.0/24), and both the bridge and that VLAN use proxy-arp.
The iPhone cannot reach any resources inside 192.168.76.0.
I removed the scripts from the export file because they only set dynamic hostnames and are running correctly.
# mar/07/2023 15:31:16 by RouterOS 6.49.7
#
#
# model = RB4011iGS+
#
# Single bridge with VLAN filtering and (R)STP off (protocol-mode=none).
# arp=proxy-arp here applies to the BR1 interface itself; GREEN_VLAN below
# has its own proxy-arp setting, which is what the post relies on so the
# router answers ARP on 192.168.76.0/24 for the L2TP client addresses
# assigned in /ppp secret (192.168.76.41-.44).
/interface bridge
add arp=proxy-arp igmp-snooping=yes igmp-version=3 name=BR1 protocol-mode=\
none vlan-filtering=yes
# Router-side VLAN interfaces on BR1. Only GREEN_VLAN carries arp=proxy-arp;
# the other VLAN interfaces use the default ARP mode.
/interface vlan
add interface=BR1 name=AQUA_VLAN vlan-id=30
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=111
add arp=proxy-arp interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=LIME_VLAN vlan-id=60
add interface=BR1 name=RED_VLAN vlan-id=10
# VLAN 7 uplinks for the two PPPoE providers; vlan-07-telekom is disabled,
# so only the fiber path on ether1 is usable.
add interface=ether1 name=vlan-07-fiber vlan-id=7
add disabled=yes interface=ether10 name=vlan-07-telekom vlan-id=7
# pppoe-Magenta sits on the disabled vlan-07-telekom and its WAN list
# membership is disabled as well (see /interface list member); pppoe-fiber
# is the active WAN and the default route (see /ip route).
/interface pppoe-client
add comment="Magenta 100" interface=vlan-07-telekom max-mtu=1480 name=\
pppoe-Magenta
add comment="fiber 500 telekom" disabled=no interface=vlan-07-fiber max-mtu=\
1500 name=pppoe-fiber
# default-vlan-id=0 on every switch-chip port; VLAN handling is done by the
# bridge (vlan-filtering=yes above) rather than by the switch chip.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# Interface lists referenced by the firewall. Membership is assigned in
# /interface list member; the dynamic L2TP session interfaces are not
# members of any list in this export.
/interface list
add comment="contains all WAN interfaces" name=WAN
add name=VLAN
add name=BASE
# Default wireless profile, unchanged apart from the identity string.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Default IPsec profile. 3des is still offered next to AES; it is a legacy
# cipher and can be dropped once every IPsec client is confirmed to negotiate
# AES. NOTE(review): assumes the L2TP server (use-ipsec=yes further down)
# uses this default profile - confirm.
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
# DHCP pools, one per VLAN. GREEN_POOL (.100-.200) does not overlap the
# fixed L2TP client addresses 192.168.76.41-.44 in /ppp secret.
/ip pool
add name=BLUE_POOL ranges=192.168.111.100-192.168.111.200
add name=GREEN_POOL ranges=192.168.76.100-192.168.76.200
add name=RED_POOL ranges=192.168.222.100-192.168.222.200
add name=LIME_POOL ranges=192.168.10.100-192.168.10.200
add name=BASE_POOL ranges=192.168.1.102-192.168.1.199
add name=AQUA_POOL ranges=192.168.33.100-192.168.33.200
# One DHCP server per VLAN. Every server except GREEN_DHCP carries
# disabled=no; GREEN_VLAN is served through the relay to 192.168.76.187 in
# /ip dhcp-relay instead. AQUA_DHCP calls a lease script that the poster
# left out of this export.
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=LIME_POOL disabled=no interface=LIME_VLAN name=LIME_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=AQUA_POOL disabled=no interface=AQUA_VLAN lease-script=\
dhcp-leases-to-dns name=AQUA_DHCP
# Built-in PPP profiles (*0 is "default"; *FFFFFFFE is presumably
# "default-encryption"). Both push DNS 192.168.76.135; only *FFFFFFFE sets
# local-address, which is the router's own GREEN_VLAN address (see
# /ip address). Neither profile assigns an interface-list, so L2TP sessions
# end up in no firewall interface list.
/ppp profile
set *0 dns-server=192.168.76.135
set *FFFFFFFE comment="default mit DNS 192.168.76.135" dns-server=\
192.168.76.135 local-address=192.168.76.254
# Logging action 3 is the built-in "remote" action; syslog goes to
# 192.168.76.187, the same host that serves GREEN DHCP and the published
# web ports in /ip firewall nat.
/system logging action
set 3 remote=192.168.76.187
# Trunk ports: every bridge port admits only VLAN-tagged frames and drops
# frames for VLANs it is not a member of (ingress-filtering=yes). There are
# no untagged/access ports on BR1 in this export.
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether2 multicast-router=disabled
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3 multicast-router=disabled
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=sfp-sfpplus1 multicast-router=disabled
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether5 multicast-router=disabled
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether4 multicast-router=disabled
# VLAN membership table. BR1 itself is tagged in every VLAN so the router's
# /interface vlan sub-interfaces can reach them; all five trunks carry all
# six VLANs.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3,ether4,ether5,sfp-sfpplus1,ether2 vlan-ids=\
99
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3,ether2 vlan-ids=\
111
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether5,ether4,ether3,ether2 vlan-ids=\
10
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3,ether2 vlan-ids=\
20
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3,ether2 vlan-ids=\
60
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether3,ether4,ether5,ether2 vlan-ids=\
30
# Detect-internet probes run on every interface, including the VLAN
# interfaces and bridge ports. NOTE(review): this is usually restricted to
# the WAN list - confirm it is intended.
/interface detect-internet
set detect-interface-list=all
# L2TP server with mandatory IPsec. The IPsec secret is not visible here
# (presumably hidden by the export); VPN users are defined in /ppp secret.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
# List membership. pppoe-Magenta's WAN membership is disabled along with its
# VLAN interface; BASE_VLAN is in both VLAN and BASE. The dynamic <l2tp-*>
# interfaces created for VPN clients are in none of these lists, which
# matters for the forward chain in /ip firewall filter.
/interface list member
add disabled=yes interface=pppoe-Magenta list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=LIME_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=AQUA_VLAN list=VLAN
add interface=pppoe-fiber list=WAN
# Only the default profile is set for PPTP; the export does not show the
# server's enabled state, so it is at its default.
/interface pptp-server server
set default-profile=default
# Router addresses, one .254 per VLAN. 192.168.76.254 on GREEN_VLAN is also
# the L2TP local-address. 192.168.100.100/24 on untagged ether1 is the path
# to the cable modem at 192.168.100.1 (see the NAT and forward rules); the
# 192.168.30.9 address on ether1 is disabled.
/ip address
add address=192.168.1.254/24 interface=BASE_VLAN network=192.168.1.0
add address=192.168.111.254/24 interface=BLUE_VLAN network=192.168.111.0
add address=192.168.76.254/24 interface=GREEN_VLAN network=192.168.76.0
add address=192.168.222.254/24 interface=RED_VLAN network=192.168.222.0
add address=192.168.10.254/24 interface=LIME_VLAN network=192.168.10.0
add address=192.168.30.9/24 disabled=yes interface=ether1 network=\
192.168.30.0
add address=192.168.33.254/24 interface=AQUA_VLAN network=192.168.33.0
add address=192.168.100.100/24 interface=ether1 network=192.168.100.0
# GREEN_VLAN DHCP is relayed to 192.168.76.187 rather than served locally.
/ip dhcp-relay
add dhcp-server=192.168.76.187 disabled=no interface=GREEN_VLAN name=\
GREEN_RELAY
# Static leases. The same client (MAC B8:27:EB:12:A1:71) has a reservation on
# RED, LIME and BASE, each ending in .199 - presumably a host that is moved
# between VLANs.
/ip dhcp-server lease
add address=192.168.1.243 client-id=1:8:55:31:a0:e8:1b mac-address=\
08:55:31:A0:E8:1B server=BASE_DHCP
add address=192.168.222.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
B8:27:EB:12:A1:71 server=RED_DHCP
add address=192.168.10.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
B8:27:EB:12:A1:71 server=LIME_DHCP
add address=192.168.1.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
B8:27:EB:12:A1:71 server=BASE_DHCP
# Every VLAN hands out the router's BASE_VLAN address (192.168.1.254) as DNS,
# so clients in all VLANs query the router's resolver across VLANs; that
# traffic reaches the router via the "Allow VLAN" input rule. <removed> is a
# redaction by the poster.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.10.0/24 dns-server=192.168.1.254 gateway=192.168.10.254
add address=192.168.33.0/24 dns-server=192.168.1.254 domain=<removed> \
gateway=192.168.33.254
add address=192.168.76.0/24 dns-server=192.168.1.254 gateway=192.168.76.254
add address=192.168.111.0/24 dns-server=192.168.1.254 gateway=192.168.111.254
add address=192.168.222.0/24 dns-server=192.168.1.254 gateway=192.168.222.254
# The router resolves via 1.1.1.1 / 9.9.9.9 and answers remote queries.
# Exposure towards the Internet depends on the input chain, which accepts
# nothing on UDP/53 from the WAN list and ends in a drop.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
# iptv_destination: multicast ranges matched by the IGMP/IPTV rules.
# Dyndns_haj is a FQDN entry (redacted as <fqdn>) that the router resolves
# and that the WWW dst-nat rules match on.
/ip firewall address-list
add address=232.0.0.0/16 list=iptv_destination
add address=239.35.0.0/16 list=iptv_destination
add address=224.0.0.0/4 list=iptv_destination
add address=<fqdn> list=Dyndns_haj
# --- input chain: traffic addressed to the router itself ---
# L2TP/IPsec from the Internet: IKE (500), L2TP (1701), NAT-T (4500) and ESP,
# restricted to the WAN list. src-port="" on the first rule is an empty
# matcher and has no effect.
/ip firewall filter
add action=accept chain=input comment="Allow L2TP VPN" dst-port=500 \
in-interface-list=WAN protocol=udp src-port=""
add action=accept chain=input dst-port=1701 in-interface-list=WAN protocol=\
udp
add action=accept chain=input dst-port=4500 in-interface-list=WAN protocol=\
udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
# Every VLAN interface gets full access to the router's services (DNS, www
# on 8080/4433 and any service left at its default). BASE_VLAN is a member
# of the VLAN list, so the following "Allow Base_Vlan Full Access" rule is
# redundant.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
# ICMP is accepted on every interface, including WAN and the L2TP sessions;
# this is why the iPhone can ping the router even though its forwarded
# traffic is dropped further down.
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow IGMP-MagentaTV" \
dst-address-list=iptv_destination
# Final input drop. log-prefix is set but log=yes is not, so this rule
# logs nothing.
add action=drop chain=input comment=Drop log-prefix=DropLast-INP
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="Accept Estab & Related" \
connection-state=established,related
# Management VLAN <-> GREEN_VLAN in both directions. Only the first rule has
# a log-prefix, and neither rule sets log=yes.
add action=accept chain=forward comment="Allow Mgt<-> Green_VLAN" \
connection-state=new in-interface=BASE_VLAN log-prefix=MgtGreen \
out-interface=GREEN_VLAN
add action=accept chain=forward connection-state=new in-interface=GREEN_VLAN \
out-interface=BASE_VLAN
# Internet access for every VLAN; other inter-VLAN traffic falls through to
# the final drop.
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=IGMP-Magenta dst-address-list=\
iptv_destination
# Any dst-nat'd connection is accepted regardless of interface; the
# published services are the dst-nat rules in /ip firewall nat. log-prefix
# without log=yes logs nothing.
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat log-prefix=log-Accept-dstnat
add action=accept chain=forward comment="Allow LAN<->cable modem" \
dst-address=192.168.100.1 in-interface-list=VLAN out-interface=ether1 \
src-address=192.168.0.0/16
# Unsolicited new connections from the fiber WAN are dropped here; this is
# the only filter rule that actually logs (log=yes). connection-type="" is
# an empty matcher.
add action=drop chain=forward comment="drop not destination" \
connection-nat-state=!dstnat connection-state=new connection-type="" \
in-interface=pppoe-fiber log=yes log-prefix=fwd-drop
add action=drop chain=forward comment="Drop state invalid" connection-state=\
invalid log-prefix=drop-invalid
# Final forward drop (the action already is drop, despite the comment). No
# rule above matches connections arriving on the dynamic <l2tp-*>
# interfaces - they are in no interface list and are not named as an
# in-interface - so an L2TP client's traffic to hosts in 192.168.76.0/24
# ends here, which is consistent with the symptom in the post. Adding
# log=yes to this rule would show those drops under the DropLast-FWD
# prefix; without it the prefix is unused.
add action=drop chain=forward comment=\
"Should be DROP but too much arriving here" log-prefix=DropLast-FWD
# Source NAT: 192.168.0.0/16 towards the cable modem's management address
# via untagged ether1, then the general masquerade for everything leaving
# through the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade LAN->cable modem" \
dst-address=192.168.100.1 out-interface=ether1 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
# VoIP (Auerswald) port forwards to 192.168.111.111, UDP only and limited
# to pppoe-fiber. NOTE(review): dst-address=0.0.0.0 on the 40000-41000 rule
# is a /32 match that no real packet should hit, so that rule is probably
# inert - compare with the neighbouring rules, which carry no dst-address.
add action=dst-nat chain=dstnat comment="VoIP Auerswald" dst-port=30000-31000 \
in-interface=pppoe-fiber protocol=udp to-addresses=192.168.111.111 \
to-ports=30000-31000
add action=dst-nat chain=dstnat dst-address=0.0.0.0 dst-port=40000-41000 \
in-interface=pppoe-fiber protocol=udp to-addresses=192.168.111.111 \
to-ports=40000-41000
add action=dst-nat chain=dstnat dst-port=5070-5080 in-interface=pppoe-fiber \
protocol=udp to-addresses=192.168.111.111 to-ports=5070-5080
# Web server on 192.168.76.187 published on 80/443 for whatever the
# Dyndns_haj FQDN currently resolves to. Not limited to an in-interface, so
# the same rules also apply to hairpin traffic from inside; the forwarded
# connections are accepted by "Allow Port Forwarding" in the filter table.
add action=dst-nat chain=dstnat comment=WWW-DSTNAT-SSL dst-address-list=\
Dyndns_haj dst-port=443 protocol=tcp to-addresses=192.168.76.187 \
to-ports=443
add action=dst-nat chain=dstnat comment=WWW-DSTNAT dst-address-list=\
Dyndns_haj dst-port=80 protocol=tcp to-addresses=192.168.76.187 to-ports=\
80
# Raw prerouting hygiene rules, evaluated before connection tracking: TCP
# flag combinations that never occur in legitimate traffic (the first seven
# rules), port-0 traffic, fragmented SYNs and packets carrying IPv4 options.
/ip firewall raw
add action=drop chain=prerouting comment=\
"TCP invalid combination of flags attack (7 rules)" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" \
protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" \
protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes \
protocol=tcp tcp-flags=syn
add action=drop chain=prerouting comment="IP option loose-source-routing" \
ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" \
ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" \
ipv4-options=record-route
# NOTE(review): IGMP queries and reports commonly carry the router-alert
# option, and this rule matches every protocol before the IGMP exemption in
# the last rule of this chain - confirm the igmp-proxy / IPTV path still
# sees them.
add action=drop chain=prerouting comment="IP option router-alert" \
ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=\
timestamp
# Any remaining IP option is dropped unless the packet is IGMP.
add action=drop chain=prerouting comment=\
"IP options left, except IP Stream used by the IGMP protocol" \
ipv4-options=any protocol=!igmp
# SIP ALG disabled, consistent with the explicit VoIP dst-nat rules.
/ip firewall service-port
set sip disabled=yes
# Single default route via the fiber PPPoE session.
/ip route
add comment="All traffic fiber 500" distance=10 gateway=pppoe-fiber
# HTTP/HTTPS management (WebFig) on non-default ports. No address=
# restriction is set, so reachability is governed by the input chain;
# services not listed here are at their defaults.
/ip service
set www port=8080
set www-ssl port=4433
# Password logins over SSH stay allowed even for users that have an SSH
# public key imported. Worth setting to no once key-based access is in
# place for the admin users.
/ip ssh
set always-allow-password-login=yes
# L2TP users. Each gets a fixed address in GREEN_VLAN's subnet (.41-.44,
# outside GREEN_POOL) with the router's GREEN_VLAN address as the local
# end; passwords are not shown in the export. No profile= is set, so one of
# the two built-in profiles applies (both push DNS 192.168.76.135).
/ppp secret
add local-address=192.168.76.254 name=testuser remote-address=192.168.76.41 \
service=l2tp
add local-address=192.168.76.254 name=ipadM remote-address=192.168.76.42 \
service=l2tp
add local-address=192.168.76.254 name=iphoneM remote-address=192.168.76.43 \
service=l2tp
add local-address=192.168.76.254 name=mpischke remote-address=192.168.76.44 \
service=l2tp
# IGMP proxy: upstream on the fiber PPPoE session (with 87.141.215.251/32
# allowed as an alternative source subnet), downstream on BLUE_VLAN only.
/routing igmp-proxy interface
add alternative-subnets=87.141.215.251/32 interface=pppoe-fiber upstream=yes
add interface=BLUE_VLAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=haydn
# System and firewall topics are shipped to the remote syslog host configured
# in /system logging action (192.168.76.187); the ipsec debug entry is
# disabled. Firewall rules only produce entries on the firewall topic when
# they carry log=yes.
/system logging
add disabled=yes prefix=ipsec topics=ipsec,debug
add action=remote prefix=Mikrotik topics=system
add action=remote prefix=fw topics=firewall
# Interface and resource graphs.
/tool graphing interface
add interface=ether5
add interface=pppoe-Magenta
add interface=ether4
add interface=ether3
add interface=sfp-sfpplus1
add interface=GREEN_VLAN
add interface=pppoe-fiber
add interface=BLUE_VLAN
/tool graphing resource
add
# Packet sniffer preset on GREEN_VLAN writing sniffer.pcap (up to about
# 1 GB on disk, 1 MiB in memory). The export records the settings only, not
# whether a capture is running. NOTE(review): capture files contain the
# VLAN's cleartext traffic - delete them from the router once the VPN issue
# is resolved.
/tool sniffer
set file-limit=1000000KiB file-name=sniffer.pcap filter-interface=GREEN_VLAN \
memory-limit=1024KiB memory-scroll=no
# Logs a message when received traffic on the fiber WAN exceeds 50 Mbit/s.
/tool traffic-monitor
add interface=pppoe-fiber name=Above50M on-event=\
":log info \"WAN above 50Mbit\"" threshold=50000000 traffic=received