# apr/19/2023 18:52:32 by RouterOS 6.49.6
# software id = EQI2-TTQV
#
# model = RB4011iGS+
/caps-man channel
# 2.4 GHz: the three non-overlapping channels 1/6/11, 20 MHz, N-only, each with
# its own tx-power (ch1 is deliberately the weakest).
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
frequency=2412 name=ch1 tx-power=5
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
frequency=2437 name=ch6 tx-power=14
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
frequency=2462 name=ch11 tx-power=16
# 5 GHz: 20 MHz control channel with the extension channel above it (Ce).
# No tx-power is set here, so the regulatory/country limit applies.
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
frequency=5180 name=ch36
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
frequency=5200 name=ch40
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
frequency=5220 name=ch44
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
frequency=5240 name=ch48
# 5260 MHz (ch52) is a DFS channel in the EU: the radio using it (cap01-5 below)
# may pause or move on radar detection.
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
frequency=5260 name=ch52
/interface bridge
# Single VLAN-aware bridge. Only tagged frames are admitted, ingress-filtering
# drops VIDs that are not in the bridge VLAN table, and DHCP snooping is on
# (no bridge port below is marked trusted=yes). pvid=50 applies to the bridge's
# own port; with admit-only-vlan-tagged it should never see untagged frames.
add dhcp-snooping=yes frame-types=admit-only-vlan-tagged ingress-filtering=\
yes name=br-lan-wlan protocol-mode=none pvid=50 vlan-filtering=yes
/interface ethernet
# Unused copper ports are administratively disabled; PoE is off on the WAN port.
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether10 ] poe-out=off
/interface vlan
# L3 interfaces. vlan77-wan (ether10) and vlan88-vpn (ether9) sit on dedicated
# ports that are not bridge members; everything else rides on br-lan-wlan.
add interface=br-lan-wlan name=vlan10-server vlan-id=10
add interface=br-lan-wlan name=vlan20-client vlan-id=20
add interface=br-lan-wlan name=vlan30-k vlan-id=30
add interface=br-lan-wlan name=vlan40-iot vlan-id=40
add interface=br-lan-wlan name=vlan50-guest vlan-id=50
add interface=br-lan-wlan name=vlan71-transfer71 vlan-id=71
add interface=br-lan-wlan name=vlan72-transfer72 vlan-id=72
add interface=ether10 name=vlan77-wan vlan-id=77
add interface=ether9 name=vlan88-vpn vlan-id=88
add interface=br-lan-wlan name=vlan100-mgmt vlan-id=100
/caps-man datapath
# One datapath per SSID, each tagging its clients into its own VLAN.
# bridge-horizon=1 on all three: CAP ports sharing a horizon do not forward to
# each other on the bridge; client-to-client-forwarding=no additionally isolates
# clients on the same radio. Wireless clients therefore only reach the router.
add bridge=br-lan-wlan bridge-horizon=1 client-to-client-forwarding=no name=\
dp-w1 vlan-id=30 vlan-mode=use-tag
add bridge=br-lan-wlan bridge-horizon=1 client-to-client-forwarding=no name=\
dp-w2 vlan-id=40 vlan-mode=use-tag
add bridge=br-lan-wlan bridge-horizon=1 client-to-client-forwarding=no name=\
dp-w3 vlan-id=50 vlan-mode=use-tag
/caps-man rates
# 802.11b rates removed; 12 Mbps is the only basic rate.
add basic=12Mbps name="GN only - no B rates" supported=\
12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
# WPA2-PSK with CCMP for unicast and group traffic. No passphrase= appears in
# this export (hide-sensitive); keep it that way when the file is shared.
# The guest profile (sec-w3) rotates the group key every 30m instead of 1h.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=1h name=sec-w1
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=1h name=sec-w2
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=30m name=sec-w3
/caps-man configuration
# Country is fixed to germany for regulatory limits. w1 -> VLAN 30 ("k"),
# w2 -> VLAN 40 (iot), w3 -> VLAN 50 (guest), via the datapaths above.
add country=germany datapath=dp-w1 installation=indoor mode=ap name=cfg-w1 \
rates="GN only - no B rates" security=sec-w1 ssid=w1
add country=germany datapath=dp-w2 installation=indoor mode=ap name=cfg-w2 \
rates="GN only - no B rates" security=sec-w2 ssid=w2
add country=germany datapath=dp-w3 installation=indoor mode=ap name=cfg-w3 \
rates="GN only - no B rates" security=sec-w3 ssid=w3
/caps-man interface
# Static CAP interfaces for four APs (cap00..cap03), one master per radio
# (2.4 GHz and 5 GHz) plus virtual slaves for the other SSIDs.
# As exported: w2 (iot) is enabled on every radio, w3 (guest) is disabled on
# every radio, w1 ("k") is enabled only on cap01 (both bands) and cap02-5.
# cap00's slaves reuse the master's MAC, whereas cap01..cap03 slaves use
# locally-administered C6:... addresses and radio-mac 00:00:00:00:00:00 —
# confirm the cap00 entries are intended to differ.
add channel=ch11 channel.frequency=2462 comment="EG" configuration=cfg-w2 \
disabled=no l2mtu=1600 mac-address=2C:C8:1B:E2:32:9C master-interface=\
none name=cap00-2.4-w2 radio-mac=2C:C8:1B:E2:32:9C radio-name=\
2CC81BE2329C
add channel=ch11 channel.frequency=2462 configuration=cfg-w3 disabled=yes \
l2mtu=1600 mac-address=2C:C8:1B:E2:32:9C master-interface=cap00-2.4-w2 \
name=cap00-2.4-w3 radio-mac=2C:C8:1B:E2:32:9C radio-name=2CC81BE2329C
add channel=ch44 channel.frequency=5220 configuration=cfg-w2 disabled=no \
l2mtu=1600 mac-address=2C:C8:1B:E2:32:9D master-interface=none name=\
cap00-5-w2 radio-mac=2C:C8:1B:E2:32:9D radio-name=2CC81BE2329D
add channel=ch44 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
2C:C8:1B:E2:32:9D master-interface=cap00-5-w2 name=cap00-5-w3 radio-mac=\
2C:C8:1B:E2:32:9D radio-name=2CC81BE2329D
# cap01: the only AP with w1 enabled on both bands (see the -w1 entries below).
add channel=ch1 channel.frequency=2412 comment=K configuration=cfg-w2 \
disabled=no l2mtu=1600 mac-address=C4:AD:34:98:62:1F master-interface=\
none name=cap01-2.4-w2 radio-mac=C4:AD:34:98:62:1F radio-name=\
C4AD3498621F
add channel=ch1 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
C6:AD:34:98:62:20 master-interface=cap01-2.4-w2 name=cap01-2.4-w3 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch52 channel.frequency=5260 configuration=cfg-w2 disabled=no \
l2mtu=1600 mac-address=C4:AD:34:98:62:20 master-interface=none name=\
cap01-5-w2 radio-mac=C4:AD:34:98:62:20 radio-name=C4AD34986220
add channel=ch52 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
C6:AD:34:98:62:22 master-interface=cap01-5-w2 name=cap01-5-w3 radio-mac=\
00:00:00:00:00:00 radio-name=""
add channel=ch1 channel.frequency=2412 comment=HK configuration=\
cfg-w2 disabled=no l2mtu=1600 mac-address=C4:AD:34:98:65:7B \
master-interface=none name=cap02-2.4-w2 radio-mac=C4:AD:34:98:65:7B \
radio-name=C4AD3498657B
add channel=ch1 channel.frequency=2412 configuration=cfg-w3 disabled=yes \
l2mtu=1600 mac-address=C6:AD:34:98:65:7C master-interface=cap02-2.4-w2 \
name=cap02-2.4-w3 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch36 channel.frequency=5180 configuration=cfg-w2 disabled=no \
l2mtu=1600 mac-address=C4:AD:34:98:65:7C master-interface=none name=\
cap02-5-w2 radio-mac=C4:AD:34:98:65:7C radio-name=C4AD3498657C
add channel=ch36 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
C6:AD:34:98:65:7E master-interface=cap02-5-w2 name=cap02-5-w3 radio-mac=\
00:00:00:00:00:00 radio-name=""
add channel=ch6 channel.frequency=2437 comment=SP configuration=cfg-w2 \
disabled=no l2mtu=1600 mac-address=C4:AD:34:98:66:42 master-interface=\
none name=cap03-2.4-w2 radio-mac=C4:AD:34:98:66:42 radio-name=\
C4AD34986642
add channel=ch6 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
C6:AD:34:98:66:43 master-interface=cap03-2.4-w2 name=cap03-2.4-w3 \
radio-mac=00:00:00:00:00:00 radio-name=""
# cap02-5 and cap03-5 share ch36; cap01-2.4 and cap02-2.4 share ch1.
add channel=ch36 channel.frequency=5180 configuration=cfg-w2 disabled=no \
l2mtu=1600 mac-address=C4:AD:34:98:66:43 master-interface=none name=\
cap03-5-w2 radio-mac=C4:AD:34:98:66:43 radio-name=C4AD34986643
add channel=ch36 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
C6:AD:34:98:66:45 master-interface=cap03-5-w2 name=cap03-5-w3 radio-mac=\
00:00:00:00:00:00 radio-name=""
# w1 slaves. Only cap01-2.4-w1, cap01-5-w1 and cap02-5-w1 are enabled; the
# scheduler entries further down toggle the -w2 interfaces, not these.
add channel=ch11 channel.frequency=2462 configuration=cfg-w1 disabled=yes \
l2mtu=1600 mac-address=2C:C8:1B:E2:32:9C master-interface=cap00-2.4-w2 \
name=cap00-2.4-w1 radio-mac=2C:C8:1B:E2:32:9C radio-name=2CC81BE2329C
add channel=ch44 channel.frequency=5220 configuration=cfg-w1 disabled=yes \
l2mtu=1600 mac-address=2C:C8:1B:E2:32:9D master-interface=cap00-5-w2 \
name=cap00-5-w1 radio-mac=2C:C8:1B:E2:32:9D radio-name=2CC81BE2329D
add channel=ch1 channel.frequency=2412 configuration=cfg-w1 disabled=no \
l2mtu=1600 mac-address=C6:AD:34:98:62:1F master-interface=cap01-2.4-w2 \
name=cap01-2.4-w1 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch52 channel.frequency=5260 configuration=cfg-w1 disabled=no \
l2mtu=1600 mac-address=C6:AD:34:98:62:21 master-interface=cap01-5-w2 \
name=cap01-5-w1 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch1 channel.frequency=2412 configuration=cfg-w1 disabled=yes \
l2mtu=1600 mac-address=C6:AD:34:98:65:7B master-interface=cap02-2.4-w2 \
name=cap02-2.4-w1 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch36 channel.frequency=5180 configuration=cfg-w1 disabled=no \
l2mtu=1600 mac-address=C6:AD:34:98:65:7D master-interface=cap02-5-w2 \
name=cap02-5-w1 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch6 configuration=cfg-w1 disabled=yes l2mtu=1600 mac-address=\
C6:AD:34:98:66:42 master-interface=cap03-2.4-w2 name=cap03-2.4-w1 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch36 configuration=cfg-w1 disabled=yes l2mtu=1600 mac-address=\
C6:AD:34:98:66:44 master-interface=cap03-5-w2 name=cap03-5-w1 radio-mac=\
00:00:00:00:00:00 radio-name=""
/interface ethernet switch port
# default-vlan-id=0 on every switch port: no switch-chip VLAN assignment;
# all VLAN handling is done by the bridge VLAN table.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# Interface lists the firewall keys on. No filter rule below references VPN,
# so traffic on vlan88-vpn falls through to the final drop of input/forward.
add name=LAN
add name=WAN
add name=vlans-dhcp
add name=VPN
/interface wireless security-profiles
# Local (non-CAPsMAN) wireless default profile; presumably unused on this
# model — all WLAN here is served by CAPs.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# 20-address dynamic pools (.101-.120) per VLAN; the static leases below all
# fall inside these ranges.
add name=pool_dhcp30-k ranges=192.168.30.101-192.168.30.120
add name=pool_dhcp40-iot ranges=192.168.40.101-192.168.40.120
add name=pool_dhcp50-guest ranges=192.168.50.101-192.168.50.120
add name=pool_dhcp10-server ranges=192.168.1.101-192.168.1.120
/ip dhcp-server
# Guest leases are short (30m). vlan20-client has no DHCP server at all.
add address-pool=pool_dhcp30-k disabled=no interface=vlan30-k \
lease-time=4h name=dhcp30-k
add address-pool=pool_dhcp40-iot disabled=no interface=vlan40-iot lease-time=\
4h name=dhcp40-iot
add address-pool=pool_dhcp50-guest disabled=no interface=vlan50-guest \
lease-time=30m name=dhcp50-guest
# NOTE(review): this entry lacks the disabled=no the other three carry —
# confirm whether dhcp10-server is meant to be active.
add address-pool=pool_dhcp10-server interface=vlan10-server \
lease-time=4h name=dhcp10-server
/system logging action
# Remote syslog target on clt01 (192.168.2.11). Plain syslog is unencrypted;
# acceptable inside the client VLAN. The matching output-chain rule in the
# filter section is disabled, but output has no default drop, so it still flows.
set 3 remote=192.168.2.11
/user group
# Built-in 'full' group with every policy. Admin rights are therefore governed
# purely by which users are in this group (users are not part of this export).
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
# Evaluated top-down; the final rule rejects every client not matched above,
# so this is an allow-list of known MACs. A MAC match identifies a device but
# is not authentication — WPA2-PSK on the SSID remains the real access control.
# ssid-regexp="" imposes no SSID restriction on any rule.
# The first four rules pin devices to cap01-2.4-w1 only, with
# allow-signal-out-of-range=always so they are never dropped for weak signal.
add action=accept allow-signal-out-of-range=always comment=lk-bk \
disabled=no interface=cap01-2.4-w1 mac-address=AC:CF:23:D1:A3:D0 \
ssid-regexp=""
add action=accept allow-signal-out-of-range=always comment=lk-dk \
disabled=no interface=cap01-2.4-w1 mac-address=AC:CF:23:D2:20:80 \
ssid-regexp=""
add action=accept allow-signal-out-of-range=always comment=lk-ds \
disabled=no interface=cap01-2.4-w1 mac-address=AC:CF:23:D2:44:88 \
ssid-regexp=""
add action=accept allow-signal-out-of-range=always comment=lk-pod \
disabled=no interface=cap01-2.4-w1 mac-address=F0:FE:6B:80:8A:10 \
ssid-regexp=""
# Roaming devices: accepted on any CAP interface.
add action=accept allow-signal-out-of-range=3s comment=tablet-k-alt \
disabled=no mac-address=C0:F4:E6:88:40:FB ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=tablet-k disabled=\
no mac-address=24:C6:13:CE:2D:77 ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=tablet-wo-alt \
disabled=no mac-address=48:88:CA:37:DF:2A ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=tablet-wo disabled=\
no mac-address=24:C6:13:DE:20:6F ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=phone-ma disabled=\
no mac-address=CA:A6:5F:88:67:BA ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=phone-wo disabled=no \
mac-address=32:77:1E:CD:64:3F ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="phone-wo (alt)" \
disabled=yes mac-address=A8:96:75:9D:60:9A ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="remote control" \
disabled=no mac-address=0C:B3:19:0B:76:DF ssid-regexp=""
# Catch-all accept with a signal floor; currently disabled, so unknown MACs
# fall through to the reject rule.
add action=accept allow-signal-out-of-range=10s disabled=yes signal-range=\
-70..120 ssid-regexp=""
# Default deny.
add action=reject allow-signal-out-of-range=always disabled=no ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
# CAPs may register only over vlan100-mgmt; the default "any interface" entry
# is forbidden, so CAPsMAN is not reachable from client or guest VLANs.
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan100-mgmt
/caps-man provisioning
# Dynamic provisioning: cfg-w1 as master, w2/w3 as slave SSIDs. The static
# /caps-man interface entries above exist alongside this rule.
add action=create-dynamic-enabled master-configuration=cfg-w1 \
slave-configurations=cfg-w2,cfg-w3
/interface bridge port
# Every access port is a tagged-only trunk with ingress filtering, so the pvid
# values are never applied to ingress frames. ether1..ether5 map to the
# server, client, "k", guest/iot/transfer and management VLANs respectively.
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
yes interface=ether1 pvid=10
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
yes interface=ether2 pvid=20
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
yes interface=ether3 pvid=30
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
yes interface=ether4 pvid=50
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
yes interface=ether5 pvid=100
/ip neighbor discovery-settings
# No neighbor discovery (MNDP/CDP/LLDP) announcements on any interface.
set discover-interface-list=none
/ip settings
# Strict reverse-path filtering: packets whose source would not be routed back
# out the ingress interface are dropped (anti-spoofing across VLANs).
set rp-filter=strict
/interface bridge vlan
# Bridge VLAN table. ether4 trunks 40/50/71/72 (presumably towards the
# opnsense box, see the transfer VLAN rules); the other ports carry one VID.
# The bridge itself is tagged on every VID so the /interface vlan entries work.
add bridge=br-lan-wlan tagged=br-lan-wlan,ether1 vlan-ids=10
add bridge=br-lan-wlan tagged=br-lan-wlan,ether2 vlan-ids=20
add bridge=br-lan-wlan tagged=br-lan-wlan,ether3 vlan-ids=30
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=40
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=50
add bridge=br-lan-wlan tagged=br-lan-wlan,ether5 vlan-ids=100
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=71
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=72
/interface list member
# vlans-dhcp is used by the input chain to accept DHCP only on these VLANs.
add interface=br-lan-wlan list=LAN
add interface=vlan77-wan list=WAN
add interface=vlan30-k list=vlans-dhcp
add interface=vlan40-iot list=vlans-dhcp
add interface=vlan50-guest list=vlans-dhcp
add interface=vlan88-vpn list=VPN
add interface=vlan10-server list=vlans-dhcp
/ip address
# The router is .254 in every subnet. vlan77-wan is a private transit net
# (192.168.3.0/24) behind an upstream gateway at 192.168.3.1.
add address=192.168.1.254/24 interface=vlan10-server network=\
192.168.1.0
add address=192.168.2.254/24 interface=vlan20-client network=\
192.168.2.0
add address=192.168.30.254/24 interface=vlan30-k network=192.168.30.0
add address=192.168.40.254/24 interface=vlan40-iot network=192.168.40.0
add address=192.168.50.254/24 interface=vlan50-guest network=192.168.50.0
add address=192.168.3.254/24 interface=vlan77-wan network=192.168.3.0
# NOTE(review): "192.168.1..254/24" is malformed as exported (double dot);
# it looks like an anonymisation artefact rather than a live value — the same
# form recurs in the firewall address lists. It would not import as-is.
add address=192.168.1..254/24 interface=vlan100-mgmt network=192.168.1..0
add address=192.168.88.254/24 interface=vlan88-vpn network=192.168.88.0
add address=192.168.71.254/24 interface=vlan71-transfer71 network=\
192.168.71.0
add address=192.168.72.254/24 interface=vlan72-transfer72 network=\
192.168.72.0
/ip cloud
# No clock sync via MikroTik cloud (NTP client below is used); ddns-enabled is
# not set here, so it keeps its default.
set update-time=no
/ip dhcp-server lease
# Static leases. address-lists= adds the client to the named firewall address
# lists while its lease is active, which is what most forward rules key on.
# NOTE(review): the list names "whatsapp on wan", "aurora on wan",
# "spotify-connect on wan" and "syncthing on clt01" used here have no filter
# rule below; the rules use "wa on wan", "ara on wan" and "spo-connect on wan".
# Presumably renamed at some point — confirm which spelling is current, as the
# mismatched clients currently get no matching accept.
add address=192.168.30.101 address-lists=\
"dns on local,ntp http https on wan" client-id=\
1:c0:f4:e6:88:40:fb comment=tablet-k-alt mac-address=C0:F4:E6:88:40:FB \
server=dhcp30-k
add address=192.168.40.105 address-lists="dns on local,ntp http https on wan" \
comment=tablet-wo-alt mac-address=48:88:CA:37:DF:2A server=dhcp40-iot
add address=192.168.40.102 address-lists="dns on local,ntp http https on wan,s\
potify-connect on wan,sonos-update on wan" client-id=1:b8:e9:37:8d:df:9a \
comment=sonos-b mac-address=B8:E9:37:8D:DF:9A server=dhcp40-iot
add address=192.168.40.101 address-lists="dns on local,ntp http https on wan,s\
potify-connect on wan,sonos-update on wan" client-id=1:b8:e9:37:8d:de:16 \
comment=sonos-e mac-address=B8:E9:37:8D:DE:16 server=dhcp40-iot
add address=192.168.40.107 address-lists="dns on local,ntp http https on wan,a\
urora on wan,spo-connect on wan,sle on wan" client-id=\
1:c:b3:19:b:76:df comment="remote control" mac-address=0C:B3:19:0B:76:DF \
server=dhcp40-iot
add address=192.168.40.108 address-lists="dns on local,ntp http https on wan" \
client-id=1:a8:96:75:9d:60:9a comment="phone-wo (alt)" mac-address=\
A8:96:75:9D:60:9A server=dhcp40-iot
# phone-ma is also in "dns on local-neu", which exempts it from the forced
# DNS redirect (udp) and lets it query the router's resolver directly.
add address=192.168.40.110 address-lists="dns on local,ntp http https on wan,w\
hatsapp on wan,ara on wan,mail on wan,syncthing on clt01,sle on wan,\
fritzfon on wan,dns on local-neu" client-id=1:ca:a6:5f:88:67:ba comment=\
phone-ma mac-address=CA:A6:5F:88:67:BA server=dhcp40-iot
add address=192.168.40.112 address-lists="dns on local,ntp http https on wan,w\
hatsapp on wan,ara on wan,mail on wan,syncthing on clt01,sle on wan" \
client-id=1:32:77:1e:cd:64:3f comment=phone-wo mac-address=\
32:77:1E:CD:64:3F server=dhcp40-iot
# Guest laptop: no address lists; it is matched by source IP in the filter.
add address=192.168.50.120 client-id=1:8c:8c:aa:5f:7a:1b comment=\
"laptop" mac-address=8C:8C:AA:5F:7A:1B server=dhcp50-guest
add address=192.168.30.103 address-lists=\
"dns on local,ntp http https on wan,sle on wan" client-id=\
1:24:c6:13:ce:2d:77 comment=tablet-k mac-address=24:C6:13:CE:2D:77 \
server=dhcp30-k
add address=192.168.40.103 address-lists="dns on local,ntp http https on wan" \
client-id=1:24:c6:13:de:20:6f comment=tablet-wo mac-address=\
24:C6:13:DE:20:6F server=dhcp40-iot
/ip dhcp-server network
# Clients get the router as DNS and gateway; the dst-nat below then redirects
# their DNS to the pi-hole. No entry for 192.168.2.0/24 (no server there).
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.30.0/24 dns-server=192.168.30.254 gateway=192.168.30.254
add address=192.168.40.0/24 dns-server=192.168.40.254 gateway=192.168.40.254
add address=192.168.50.0/24 dns-server=192.168.50.254 gateway=192.168.50.254
/ip dns
# allow-remote-requests=yes makes the router answer DNS on every interface,
# including vlan77-wan; exposure is limited by the input chain, which only
# admits port 53 from "dns on local-neu" and drops everything else.
# Upstream resolver is the WAN-side gateway.
set allow-remote-requests=yes servers=192.168.3.1
/ip dns static
add address=192.168.1.11 name=srv01.intern.local
/ip firewall address-list
# Static members of the per-purpose lists the filter keys on; DHCP leases add
# further dynamic members. "dns on local" vs "dns on local-neu": the input
# rule for "dns on local" is disabled below, so only "-neu" members reach the
# router's resolver; the rest are redirected to the pi-hole by dst-nat.
add address=192.168.30.11 comment=osmc-k list="ntp http https on wan"
add address=192.168.30.14 comment=pre list="ntp http https on wan"
add address=192.168.30.14 comment=pre list="spo-connect on wan"
add address=192.168.30.18 comment=sat-k list="ntp http https on wan"
add address=192.168.40.11 comment=sat-wz list="ntp http https on wan"
add address=192.168.40.12 comment=osmc-wz list="ntp http https on wan"
add address=192.168.30.11 comment=osmc-k list="dns on local"
add address=192.168.30.14 comment=pre list="dns on local"
add address=192.168.30.18 comment=sat-k list="dns on local"
add address=192.168.40.11 comment=sat-wz list="dns on local"
add address=192.168.40.12 comment=osmc-wz list="dns on local"
add address=192.168.30.11 comment=osmc-k list="nfs4 on srv02"
add address=192.168.40.12 comment=osmc-wz list="nfs4 on srv02"
# Whole guest subnet gets DNS and web/NTP egress.
add address=192.168.50.0/24 comment=lan-gast list="dns on local"
add address=192.168.50.0/24 comment=lan-gast list="ntp http https on wan"
# Router's own addresses, used as dst-address-list in the input chain.
add address=192.168.1.254 list="dns/ntp local destination"
add address=192.168.2.254 list="dns/ntp local destination"
add address=192.168.30.254 list="dns/ntp local destination"
add address=192.168.40.254 list="dns/ntp local destination"
add address=192.168.50.254 list="dns/ntp local destination"
# NOTE(review): the 192.168.1..x entries carry the same malformed octet as
# the vlan100-mgmt address (anonymisation artefact, presumably).
add address=192.168.1..254 list="dns/ntp local destination"
add address=192.168.40.11 comment=sat-wz list="ping on wan"
add address=192.168.30.18 comment=sat-k list="ping on wan"
add address=192.168.1..250-192.168.1..253 comment=cap00-cap03 list=\
"ntp http https on wan"
add address=192.168.1.12 comment=srv02 list="dns on local"
# Single management host: the only source allowed to reach router services.
add address=192.168.2.11 comment=clt01 list="full access on local"
add address=192.168.2.12 comment=clt02 list="ntp on local"
add address=192.168.2.12 comment=clt02 list="dns on local"
add address=192.168.1..12-192.168.1..23 comment="srv02ipmi, switches01-03" \
list="ntp on local"
add address=192.168.1..250-192.168.1..253 comment=cap00-cap03 list=\
"dns on local"
add address=192.168.1..250-192.168.1..253 comment=cap00-cap03 list=\
"ntp on local"
add address=192.168.30.26 comment=htpc list="ntp http https on wan"
add address=192.168.30.26 comment=htpc list="dns on local"
add address=192.168.30.26 comment=htpc list="smb on srv02"
add address=192.168.30.20 comment=ccu2 list="ntp on local"
add address=192.168.30.27 comment=ccu2-gw01 list="ntp on local"
add address=192.168.2.21 comment=docscan list="ntp on local"
add address=192.168.40.13 comment=sg150 list="dns on local"
add address=192.168.40.13 comment=sg150 list="ntp http https on wan"
add address=192.168.40.13 comment=sg150 list="ping on wan"
add address=192.168.1.12 comment=srv02 list="ntp on local"
add address=192.168.30.26 comment=htpc list="ntp on local"
add address=192.168.30.28 comment=automate01 list="dns on local"
add address=192.168.30.28 comment=automate01 list="ntp http https on wan"
add address=192.168.30.28 comment=automate01 list="ntp on local"
# The pi-hole sits on the WAN-side transit net; NAT and forward rules below
# special-case this list.
add address=192.168.3.250 comment=dns01 list=pi-holes
add address=192.168.1.12 comment=srv02 list="dns on local-neu"
add address=192.168.40.13 comment=s15 list="dns on local-neu"
/ip firewall filter
# Rules are evaluated in order; the first matching accept/drop ends processing.
# input: accept established, drop invalid, a few explicit accepts, default drop.
# forward: same shape. output: no default drop.
# NOTE(review): log-prefix only affects entries written when log=yes is set;
# the rules below that carry a prefix without log=yes ("drop invalid
# connections" in input, "drop everything else" in both chains, "HU: ",
# "openhab: " on the 8080 rule, "sle sus: ") currently log nothing.
add action=accept chain=input comment=\
"accept established/related connections" connection-state=\
established,related
add action=drop chain=input comment="drop invalid connections" \
connection-state=invalid log-prefix="INVALID INPUT: "
# A whole interface is trusted here: anything from the opnsense transfer VLAN
# reaches every router service. Logged.
add action=accept chain=input comment="accept everything from opnsense" \
in-interface=vlan72-transfer72 log=yes log-prefix="FROM INPUT: "
# Management plane: only "full access on local" (192.168.2.11 / clt01) may
# reach router services (SSH on 10022, winbox, ...). There is no ICMP accept,
# so the router does not answer ping from anywhere else.
add action=accept chain=input comment="accept management" \
src-address-list="full access on local"
# Disabled: superseded by the "-neu" list below.
add action=accept chain=input comment="LOCAL dns" disabled=yes dst-address-list=\
"dns/ntp local destination" dst-port=53 protocol=udp src-address-list=\
"dns on local"
add action=accept chain=input comment="srv02: LOCAL dns" dst-address-list=\
"dns/ntp local destination" dst-port=53 protocol=udp src-address-list=\
"dns on local-neu"
add action=accept chain=input comment=\
"ntp" dst-address-list=\
"dns/ntp local destination" dst-port=123 protocol=udp src-address-list=\
"ntp on local"
add action=accept chain=input comment=\
"vlan30-k, vlan40-iot, vlan50-guest: dhcp" dst-port=67 \
in-interface-list=vlans-dhcp protocol=udp
add action=drop chain=input comment="drop everything else" log-prefix=DROP:
# FastTrack is disabled, presumably because the mangle/routing-mark setup
# needs every packet to traverse the full path. Keep it that way while marks
# are in use.
add action=fasttrack-connection chain=forward connection-state=\
established,related disabled=yes
add action=accept chain=forward comment=\
"accept established/related connections" connection-state=\
established,related
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid log=yes log-prefix="INVALID FORWARD: "
# Explicit deny placed before any accept: htpc never reaches the WAN.
add action=drop chain=forward comment="drop everything from hp to wan" \
out-interface-list=WAN src-address=192.168.30.26
# NOTE(review): action=drop but the comment says "accept" — it was copied from
# the next rule. This drops clt01 -> 1.1.1.1 only; presumably a test rule.
add action=drop chain=forward comment=\
"accept everything from clt-vlan" dst-address=1.1.1.1 \
in-interface=vlan20-client src-address=192.168.2.11
# Client and server VLANs are fully trusted outbound (any destination VLAN).
add action=accept chain=forward comment=\
"accept everything from clt-vlan" in-interface=vlan20-client
add action=accept chain=forward comment=\
"accept everything from srv-vlan" in-interface=vlan10-server
add action=accept chain=forward comment="accept everything from opnsense" \
in-interface=vlan72-transfer72 log=yes log-prefix="FROM FWD: "
# DNS for "dns on local" members may only go to the pi-hole (via WAN).
add action=accept chain=forward comment="dns" dst-address-list=pi-holes dst-port=53 \
out-interface-list=WAN protocol=udp src-address-list="dns on local"
add action=accept chain=forward comment="dns" dst-address-list=pi-holes dst-port=53 \
out-interface-list=WAN protocol=tcp src-address-list="dns on local"
add action=accept chain=forward comment="pihole > wan: allow all" \
out-interface-list=WAN src-address-list=pi-holes
# NOTE(review): far broader than its comment — no protocol, port or
# out-interface, so 192.168.40.110 (phone-ma) may reach any destination in
# any VLAN. Consider restricting it to out-interface-list=WAN at least.
add action=accept chain=forward comment="wan: http, https" log-prefix="HU: " \
src-address=192.168.40.110
add action=accept chain=forward comment="wan: http, https" dst-port=80,443 \
out-interface-list=WAN protocol=tcp \
src-address-list="ntp http https on wan"
add action=accept chain=forward comment=\
"phone-ma, phone-wo > wan" dst-port=465,995 \
out-interface-list=WAN protocol=tcp src-address-list="mail on wan"
# Telephony to the upstream gateway itself (192.168.3.1), any tcp/udp port.
add action=accept chain=forward comment=\
"phone-ma, phone-wo > wan" dst-address=192.168.3.1 \
protocol=tcp src-address-list="fritzfon on wan"
add action=accept chain=forward comment=\
"phone-ma, phone-wo > wan" dst-address=192.168.3.1 \
protocol=udp src-address-list="fritzfon on wan"
add action=accept chain=forward comment=\
"phone-ma, remote control > wan" \
dst-port=1337,5228 out-interface-list=WAN protocol=tcp src-address-list=\
"ara on wan"
add action=accept chain=forward comment="wan: ntp" dst-port=123 \
out-interface-list=WAN protocol=udp src-address-list=\
"ntp http https on wan"
# Server-side access from IoT/"k" VLANs, pinned to host + port.
add action=accept chain=forward comment="smb" dst-address=\
192.168.1.12 dst-port=445 protocol=tcp src-address-list="smb on srv02"
add action=accept chain=forward comment=\
"nfs4" dst-address=\
192.168.1.11 dst-port=2049 protocol=tcp src-address-list="nfs4 on srv02"
add action=accept chain=forward comment=\
"nfs4" dst-address=\
192.168.1.12 dst-port=2049 protocol=tcp src-address-list="nfs4 on srv02"
add action=accept chain=forward comment="wan: spo-connect" \
dst-port=4070 out-interface-list=WAN protocol=tcp src-address-list=\
"spo-connect on wan"
add action=accept chain=forward comment="wan: wa" dst-port=\
5222,5223 out-interface-list=WAN protocol=tcp src-address-list=\
"wa on wan"
add action=accept chain=forward comment="wan: wa" dst-port=\
3478 out-interface-list=WAN protocol=udp src-address-list=\
"wa on wan"
add action=accept chain=forward comment="wan: sle" dst-port=5061 \
out-interface-list=WAN protocol=tcp src-address-list="sle on wan"
add action=accept chain=forward comment="wan: sle" dst-address=\
217.19.174.18 out-interface-list=WAN protocol=udp src-address-list=\
"sle on wan"
add action=accept chain=forward comment="wan: ping" \
out-interface-list=WAN protocol=icmp src-address-list="ping on wan"
add action=accept chain=forward comment="wan: sonos-update" dst-port=\
4444 out-interface-list=WAN protocol=tcp src-address-list=\
"sonos-update on wan"
# SSDP multicast group, accepted from any interface and protocol.
add action=accept chain=forward comment="Forward Sonos multicast traffic" \
dst-address=239.255.255.250
add action=accept chain=forward comment=\
"Forward Sonos remote control events to players" dst-port=1400,4444 \
in-interface=vlan30-k out-interface=vlan40-iot protocol=tcp
add action=accept chain=forward comment=\
"Forward Sonos remote control events from players" dst-port=\
3400,3401,3500 in-interface=vlan40-iot out-interface=vlan30-k \
protocol=tcp
add action=accept chain=forward comment=\
"Forward Sonos UPnP device discovery events from players" dst-port=\
1900,1901 in-interface=vlan40-iot out-interface=vlan30-k protocol=udp
# Wide UDP range from the IoT VLAN into the "k" VLAN; scoped by interface
# pair only.
add action=accept chain=forward comment="Forward Sonos" dst-port=32000-65535 \
in-interface=vlan40-iot out-interface=vlan30-k protocol=udp
add action=accept chain=forward comment="openhabian > sonos" dst-address=\
192.168.40.101 log=yes log-prefix="openhab: " src-address=192.168.30.21
add action=accept chain=forward comment=\
"X sonos > openhabian source port 58578-58583,41706-41711" dst-address=\
192.168.30.21 dst-port=8080 log-prefix="openhab: " protocol=tcp \
src-address=192.168.40.101
add action=accept chain=forward comment="sonos > openhabian" dst-address=\
192.168.30.21 log=yes log-prefix="openhab: " src-address=192.168.40.101
add action=accept chain=forward comment="phone > openhab" dst-address=\
192.168.30.21 src-address=192.168.40.106
# The two specific 217.19.174.x rules match first (silently); the third then
# accepts everything else from 192.168.40.13 to any destination, logged.
# NOTE(review): that third rule is not limited to WAN, so sg150/s15 also
# reaches every internal VLAN — confirm that is intended.
add action=accept chain=forward comment=sle dst-address=217.19.174.18 \
log-prefix="sle sus: " src-address=192.168.40.13
add action=accept chain=forward comment=sle dst-address=217.19.174.19 \
log-prefix="sle sus: " src-address=192.168.40.13
add action=accept chain=forward comment=sle log=yes log-prefix="sle: " \
src-address=192.168.40.13
# Guest laptop: unrestricted to WAN only (in-interface + out-interface-list).
add action=accept chain=forward comment="wan: everything" \
in-interface=vlan50-guest log=yes log-prefix="lan-gast: " \
out-interface-list=WAN src-address=192.168.50.120
# Default deny for forward (not logged — see note at top).
add action=drop chain=forward comment="drop everything else" log-prefix=\
"DROP FWD:"
# Disabled and redundant: the output chain has no drop rule, so router-originated
# syslog to clt01 flows regardless.
add action=accept chain=output comment="router02 > clt01: syslog" disabled=\
yes dst-address=192.168.2.11 dst-port=514 protocol=udp src-address=\
192.168.2.254
/ip firewall mangle
# Disabled policy-routing experiment: mark one host's traffic to 9.9.9.9 for
# the vlan20-to-wan table (its route below is disabled too).
add action=mark-routing chain=prerouting comment="route to wan over opnsense" \
disabled=yes dst-address=9.9.9.9 in-interface=vlan20-client \
new-routing-mark=vlan20-to-wan passthrough=no src-address=192.168.2.21
/ip firewall nat
# Masquerade on the WAN VLAN, except towards the pi-hole so it sees real client
# IPs (the pi-hole must then route 192.168.x back via 192.168.3.254 —
# presumably the case) and except marked traffic.
add action=masquerade chain=srcnat comment=\
"Masquerade all outgoing communication except pihole" dst-address-list=\
!pi-holes out-interface=vlan77-wan routing-mark=!vlan20-to-wan
add action=masquerade chain=srcnat comment="Masquerade opnsense mgmt access" \
dst-address=192.168.71.244 out-interface=vlan71-transfer71
# Forced DNS: every port-53 query is redirected to the pi-hole unless exempt.
# NOTE(review): the exemptions differ — udp exempts the whole "dns on
# local-neu" list (srv02 and s15), tcp exempts only 192.168.1.12, so s15's TCP
# DNS is still redirected. Also confirm that the "!" inside the quoted list
# name is parsed as negation (the pi-holes rule above writes it unquoted).
add action=dst-nat chain=dstnat comment="Force pihole usage except for srv02" \
dst-port=53 protocol=udp src-address-list="!dns on local-neu" \
to-addresses=192.168.3.250
add action=dst-nat chain=dstnat comment="Force pihole usage except for srv02" \
dst-port=53 protocol=tcp src-address=!192.168.1.12 to-addresses=\
192.168.3.250
/ip route
# Only the default route via the upstream gateway is active; the marked-table
# routes and the 192.168.60.244 candidate are disabled.
add disabled=yes distance=1 gateway=192.168.2.244 routing-mark=vlan20-to-wan
add disabled=yes distance=1 gateway=192.168.71.244 routing-mark=toFw
add distance=1 gateway=192.168.3.1
add disabled=yes distance=1 gateway=192.168.60.244
/ip route rule
add action=lookup-only-in-table disabled=yes src-address=192.168.40.110/32 \
table=toFw
/ip service
# Plaintext and API services are off; SSH moved to 10022 (obscurity only —
# the input chain is the real gate). winbox and www-ssl are not mentioned, so
# they keep their defaults; no address= restriction is set on any service.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=10022
set api disabled=yes
set api-ssl disabled=yes
/routing pim
# Multicast routing between the Sonos VLANs (30 and 40), RP on the IoT side.
/routing pim interface
add interface=vlan40-iot
add interface=vlan30-k
/routing pim rp
add address=192.168.40.254
/system clock
# Local time zone; the Func-GetDayOfWeek script below reads the clock's date.
set time-zone-name=Europe/Berlin
/system identity
set name=router02
/system ntp client
# Upstream NTP by fixed IP; the router also serves NTP to "ntp on local" members.
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104
/system ntp server
set enabled=yes manycast=no
/system scheduler
# Time-of-day schedule for the w2 (iot) SSID: each entry runs the
# Func-EnableWlan / Func-DisableWlan script, then :parse()s the stored function
# with a fixed, hard-coded input (SSID label, weekday set, CAP interfaces).
# Nothing external flows into :parse here. cap01 is never in the list, so its
# w2 radios stay on permanently. "\_" is the export's escape for a leading space.
# NOTE(review): the policy set (password, policy, sensitive, ...) is much wider
# than toggling CAPsMAN interfaces needs (presumably read,write,test);
# it must still cover the scripts' own policy list, which is the same set.
# Weekday sets: 06:25 Mon-Fri on, 08:30 Sat/Sun on, 13:30 Fri on, 16:30 Mon-Thu on.
add interval=1d name=EnableW2-06-25 on-event="/system script run \"Func-Enable\
Wlan\"\r\
\n:global EnableWlan\r\
\n:local runFunc [:parse (\":local input \\\"w2,{mon,tue,wed,thu,fri},{cap\
00-2.4-w2,cap00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\";\
\_\" . \$EnableWlan)]\r\
\n\$runFunc" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/27/2021 start-time=06:25:00
add interval=1d name=EnableW2-08-30 on-event="/system script run \"Func-Enable\
Wlan\"\r\
\n:global EnableWlan\r\
\n:local runFunc [:parse (\":local input \\\"w2,{sat,sun},{cap00-2.4-w2,ca\
p00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" . \$Enab\
leWlan)]\r\
\n\$runFunc" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/27/2021 start-time=08:30:00
add interval=1d name=EnableW2-13-30 on-event="/system script run \"Func-Enable\
Wlan\"\r\
\n:global EnableWlan\r\
\n:local runFunc [:parse (\":local input \\\"w2,{fri},{cap00-2.4-w2,cap00-\
5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" . \$EnableWl\
an)]\r\
\n\$runFunc" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/27/2021 start-time=16:30:00
add interval=1d name=EnableW2-16-30 on-event="/system script run \"Func-Enable\
Wlan\"\r\
\n:global EnableWlan\r\
\n:local runFunc [:parse (\":local input \\\"w2,{mon,tue,wed,thu},{cap00-2\
.4-w2,cap00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" \
. \$EnableWlan)]\r\
\n\$runFunc" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/27/2021 start-time=16:30:00
# Off-times: 08:00 Mon-Fri (disabled), 23:59 Mon-Thu+Sun, 01:00 Sat and Sun.
# The "FR"/"SA" names refer to the evening before the 01:00 run ({sat}/{sun}).
add disabled=yes interval=1d name=DisableW2-08-00 on-event="/system script run\
\_\"Func-DisableWlan\"\r\
\n:global DisableWlan\r\
\n:local runFunc [:parse (\":local input \\\"w2,{mon,tue,wed,thu,fri},{cap\
00-2.4-w2,cap00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\";\
\_\" . \$DisableWlan)]\r\
\n\$runFunc\r\
\n" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/27/2021 start-time=08:00:00
add interval=1d name=DisableW2-23-59 on-event="/system script run \"Func-Disab\
leWlan\"\r\
\n:global DisableWlan\r\
\n:local runFunc [:parse (\":local input \\\"w2,{mon,tue,wed,thu,sun},{cap\
00-2.4-w2,cap00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\";\
\_\" . \$DisableWlan)]\r\
\n\$runFunc\r\
\n" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/27/2021 start-time=23:59:00
add interval=1d name=DisableW2-FR-01-00 on-event="/system script run \"Func-Di\
sableWlan\"\r\
\n:global DisableWlan\r\
\n:local runFunc [:parse (\":local input \\\"w2,{sat},{cap00-2.4-w2,cap00-\
5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" . \$DisableW\
lan)]\r\
\n\$runFunc\r\
\n" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/27/2021 start-time=01:00:00
add interval=1d name=DisableW2-SA-01-00 on-event="/system script run \"Func-Di\
sableWlan\"\r\
\n:global DisableWlan\r\
\n:local runFunc [:parse (\":local input \\\"w2,{sun},{cap00-2.4-w2,cap00-\
5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" . \$DisableW\
lan)]\r\
\n\$runFunc\r\
\n" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/27/2021 start-time=01:00:00
/system script
# Func-GetDayOfWeek stores its body as a string in the global $GetDayOfWeek;
# callers :parse it and read the local $output it sets (how the caller
# retrieves $output is not visible here). The date parsing (:pick 0 3 / 4 6 /
# 7 11) assumes the RouterOS 6 "mmm/dd/yyyy" clock format, which matches the
# export header above; it would break on a different date format.
# The month loop runs one index past the end of $months (to=[:len ...]
# inclusive); the extra iteration compares against an out-of-range :pick and
# appears harmless. The 7000 offset keeps the sum positive before the mod-7.
# NOTE(review): as with the scheduler, the policy list is wider than a pure
# date computation needs.
add dont-require-permissions=no name=Func-GetDayOfWeek owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_GetDayOfWeek: Estimates day of week of today\r\
\n# Input:\r\
\n#\tnothing\r\
\n# Output: \r\
\n#\tstring day of week (\"sun\", \"mon\", \"tue\", \"wed\", \"thu\", \"fr\
i\", \"sat\")\r\
\n# original DayOfWeek-script by melboyscout (https://forum.mikrotik.com/v\
iewtopic.php\?t=59029#p397102)\r\
\n:global GetDayOfWeek \":local output \\\"\\\"\r\
\n\t:local date [/system clock get date]\r\
\n\r\
\n\t:local months [:toarray \\\"jan,feb,mar,apr,may,jun,jul,aug,sep,oct,no\
v,dec\\\"]\r\
\n\t:local daytbl [:toarray \\\"sun,mon,tue,wed,thu,fri,sat\\\"]\r\
\n\r\
\n\t:local month [:pick \\\$date 0 3]\r\
\n\t:local day [:pick \\\$date 4 6]\r\
\n\t:local dayc [:pick \\\$date 5 6]\r\
\n\t:local year [:pick \\\$date 7 11]\r\
\n\r\
\n\t:if ([:pick \\\$date 4 5] = 0) do={ :set day (\\\$dayc)}\r\
\n\r\
\n\t:local sum 0\r\
\n\t:local aaa 0\r\
\n\t:local yyy 0\r\
\n\t:local mmm 0\r\
\n\t:local nmonth 1\r\
\n\r\
\n\t:for mindex from=0 to=[:len \\\$months] do={\r\
\n\t\t:if ([:pick \\\$months \\\$mindex] = \\\$month) do={:set nmonth (\\\
\$mindex + 1) }\r\
\n\t}\r\
\n\r\
\n\t:set aaa ((14 - \\\$nmonth) / 12)\r\
\n\t:set yyy (\\\$year - \\\$aaa)\r\
\n\t:set mmm (\\\$nmonth + 12 * \\\$aaa - 2)\r\
\n\t:set sum (7000 + \\\$day + \\\$yyy + (\\\$yyy / 4) - (\\\$yyy / 100) +\
\_(\\\$yyy / 400) + ((31 * \\\$mmm) / 12))\r\
\n\t:set sum (\\\$sum - ((\\\$sum / 7) * 7))\r\
\n\t:set output [:pick \\\$daytbl \\\$sum];\""
# Func-EnableWlan: running this script only defines the global string
# EnableWlan. The code inside runs when a caller :parse's it after setting a
# :local input of the form "<wlan name>,{<days>},{<caps-man interfaces>}".
# It runs Func-GetDayOfWeek, parses that global (prefixed with ":global
# dayOfWeek;" and suffixed with ":set dayOfWeek $output") to fill the global
# dayOfWeek, then enables every listed caps-man interface when today is in
# the day list, logging each step with :log info. The :if on [:len $input]
# = 3 has no else branch, so a malformed input is skipped without any log.
# Least privilege: policy grants ftp, reboot, policy, password, sniff,
# sensitive and romon, while the body only runs another script, logs and
# calls /caps-man interface enable. It must remain a superset of
# Func-GetDayOfWeek's policy, so trim the two (and the timers that call this)
# together; read,write should suffice - verify with a run.
add dont-require-permissions=no name=Func-EnableWlan owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_EnableWlan: \tChecks if today is in given array of days where wlan shoul\
d be enabled\r\
\n# \t\t\t\tand enables given caps-man interface(s) if so\r\
\n# Input array:\r\
\n#\t0 = string name of wlan (will just be logged) to enable\r\
\n#\t1 = string comma-concatenated days of week when wlan should be enable\
d, e.g. \"mon,tue,wed,thu,fri\"\r\
\n#\t2 = string comma-concatenated names of caps-man interfaces to enable\
\r\
\n# Output:\r\
\n#\tnothing\r\
\n:global EnableWlan \":set input [:toarray \\\$input]\r\
\n\t:if ([:len \\\$input] = 3) do={\r\
\n\t\t:local wlanName [:tostr [:pick \\\$input 0]]\r\
\n\t\t:local dayStr [:tostr [:pick \\\$input 1]]\r\
\n\t\t:local capStr [:tostr [:pick \\\$input 2]]\r\
\n\r\
\n\t\t/system script run \\\"Func-GetDayOfWeek\\\"\r\
\n\t\t:global GetDayOfWeek\r\
\n\r\
\n\t\t:global dayOfWeek \\\"\\\"\r\
\n\t\t:local runFunc [:parse (\\\":global dayOfWeek;\\\" . \\\r\
\n\t\t\t\\\$GetDayOfWeek . \\\r\
\n\t\t\t\\\":set dayOfWeek \\\\\\\$output\\\")\r\
\n\t\t]\r\
\n\t\t\\\$runFunc\r\
\n\t\t\r\
\n\t\t:log info \\\"checking if wlan \\\$wlanName must be enabled on \\\$[\
:pick [/system clock get time] 0 5]/\\\$dayOfWeek\\\"\r\
\n\t\t:local days [:toarray \\\$dayStr]\r\
\n\t\t:local match [:find \\\$days \\\$dayOfWeek]\r\
\n\t\t:if ([:type \\\$match]!=\\\"nil\\\") do={\r\
\n\t\t\t:log info \\\"wlan \\\$wlanName must be enabled\\\"\r\
\n\t\t\t:foreach cap in=[:toarray \\\$capStr] do={\r\
\n\t\t\t\t:log info \\\"now enabling interface \\\$cap\\\"\r\
\n\t\t\t\t/caps-man interface enable \\\$cap;\r\
\n\t\t\t};\r\
\n\t\t} else={ :log info \\\"no need to enable wlan \\\$wlanName now\\\" }\
\r\
\n\t};\""
# Func-DisableWlan: mirror of Func-EnableWlan that calls /caps-man interface
# disable instead of enable. Running the script only defines the global string
# DisableWlan; the timers named DisableW2-* :parse it with a :local input of
# the form "<wlan name>,{<days>},{<caps-man interfaces>}". It runs
# Func-GetDayOfWeek, parses that global to fill the global dayOfWeek, and
# disables every listed interface when today is in the day list, logging each
# step with :log info. A malformed input (not exactly 3 elements) is skipped
# silently because the outer :if has no else branch.
# Least privilege: policy grants ftp, reboot, policy, password, sniff,
# sensitive and romon, while the body only runs another script, logs and
# changes caps-man interfaces. It must remain a superset of
# Func-GetDayOfWeek's policy and the calling timers must cover it, so trim
# them together; read,write should suffice - verify with a run.
add dont-require-permissions=no name=Func-DisableWlan owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_DisableWlan: \tChecks if today is in given array of days where wlan shou\
ld be disabled\r\
\n# \t\t\t\tand disables given caps-man interface(s) if so\r\
\n# Input array:\r\
\n#\t0 = string name of wlan (will just be logged) to disable\r\
\n#\t1 = string comma-concatenated days of week when wlan should be disabl\
ed, e.g. \"mon,tue,wed,thu,fri\"\r\
\n#\t2 = string comma-concatenated names of caps-man interfaces to disable\
\r\
\n# Output:\r\
\n#\tnothing\r\
\n:global DisableWlan \":set input [:toarray \\\$input]\r\
\n\t:if ([:len \\\$input] = 3) do={\r\
\n\t\t:local wlanName [:tostr [:pick \\\$input 0]]\r\
\n\t\t:local dayStr [:tostr [:pick \\\$input 1]]\r\
\n\t\t:local capStr [:tostr [:pick \\\$input 2]]\r\
\n\r\
\n\t\t/system script run \\\"Func-GetDayOfWeek\\\"\r\
\n\t\t:global GetDayOfWeek\r\
\n\r\
\n\t\t:global dayOfWeek \\\"\\\"\r\
\n\t\t:local runFunc [:parse (\\\":global dayOfWeek;\\\" . \\\r\
\n\t\t\t\\\$GetDayOfWeek . \\\r\
\n\t\t\t\\\":set dayOfWeek \\\\\\\$output\\\")\r\
\n\t\t]\r\
\n\t\t\\\$runFunc\r\
\n\t\t\r\
\n\t\t:log info \\\"checking if wlan \\\$wlanName must be disabled on \\\$\
[:pick [/system clock get time] 0 5]/\\\$dayOfWeek\\\"\r\
\n\t\t:local days [:toarray \\\$dayStr]\r\
\n\t\t:local match [:find \\\$days \\\$dayOfWeek]\r\
\n\t\t:if ([:type \\\$match]!=\\\"nil\\\") do={\r\
\n\t\t\t:log info \\\"wlan \\\$wlanName must be disabled\\\"\r\
\n\t\t\t:foreach cap in=[:toarray \\\$capStr] do={\r\
\n\t\t\t\t:log info \\\"now disabling interface \\\$cap\\\"\r\
\n\t\t\t\t/caps-man interface disable \\\$cap;\r\
\n\t\t\t};\r\
\n\t\t} else={ :log info \\\"no need to disable wlan \\\$wlanName now\\\" \
}\r\
\n\t};\""
# Bandwidth-test responder switched off: the router will not answer btest
# clients. Keep it disabled unless throughput tests against this router are
# actually needed, since a responder accepts test traffic from anyone the
# firewall lets through.
/tool bandwidth-server
set enabled=no