cyb2
just joined
Topic Author
Posts: 15
Joined: Tue Mar 14, 2023 6:25 pm

srcnat is undesirably applied with mark-routing

Mon Apr 10, 2023 6:14 pm

Hi,

I want to route certain traffic that is heading to the WAN over a specific gateway.

I therefore added a mangle action to mark the packets coming in on a certain interface and heading to non-private destinations:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="route to wan over gateway" \
    dst-address=!192.168.0.0/16 in-interface=vlan2-intern \
    new-routing-mark=vlan2-to-wan passthrough=yes

In the route list I added a route with the desired gateway, matching the routing mark set before:
/ip route
add distance=1 gateway=192.168.2.244 routing-mark=vlan2-to-wan

After that I was able to see the traffic on the gateway, but the source IP address was NATted, so I changed the existing srcnat rule to ignore packets with the routing mark:
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Masquerade all outgoing communication" \
    out-interface=vlan100-wan routing-mark=!vlan2-to-wan

After that I was able to see on the gateway that some traffic is not NATted, while some other traffic is still NATted. I can see the same in the MikroTik logs when enabling logging on the mangle action:
ROUTING:  prerouting: in:vlan2-intern out:(unknown 0), src-mac **:**, proto TCP (ACK), 192.168.2.21:51030->89.146.4.149:443, len 40
ROUTING:  prerouting: in:vlan2-intern out:(unknown 0), src-mac **:**, proto TCP (ACK,PSH), 192.168.2.21:51030->89.146.4.149:443, len 557
ROUTING:  prerouting: in:vlan2-intern out:(unknown 0), src-mac **:**, proto TCP (ACK,PSH), 192.168.2.21:51030->89.146.4.149:443, len 557
ROUTING:  prerouting: in:vlan2-intern out:(unknown 0), src-mac **:**, proto TCP (ACK,PSH), 192.168.2.21:51030->89.146.4.149:443, len 557
ROUTING:  prerouting: in:vlan2-intern out:(unknown 0), src-mac **:**, proto TCP (SYN), 192.168.2.21:51030->89.146.4.149:443, len 52
ROUTING:  prerouting: in:vlan2-intern out:(unknown 0), src-mac **:**, proto TCP (ACK), 192.168.2.21:50867->51.83.238.211:80, NAT (192.168.2.21:50867->192.168.100.254:50867)->51.83.238.211:80, len 40
ROUTING:  prerouting: in:vlan2-intern out:(unknown 0), src-mac **:**, proto TCP (ACK), 192.168.2.21:50867->51.83.238.211:80, NAT (192.168.2.21:50867->192.168.100.254:50867)->51.83.238.211:80, len 41

I do not understand why for some traffic the srcnat-action is applied while for other traffic (from the same source) apparently not.

Am I missing something?

Best regards,
cyb
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: srcnat is undesirably applied with mark-routing

Mon Apr 10, 2023 6:26 pm

Don't understand at all.
- network diagram
- set of user requirements, without discussion of config: users/servers, required traffic flow
- full export
 
cyb2
just joined
Topic Author
Posts: 15
Joined: Tue Mar 14, 2023 6:25 pm

Re: srcnat is undesirably applied with mark-routing

Mon Apr 10, 2023 8:06 pm

Sorry for not giving enough information. I thought it would be good to reduce it to the necessary, but apparently this was not a good idea.

I am using a MikroTik RB4011 in my home, which is handling multiple VLANs and all the Wi-Fi and which currently has one WAN interface. For testing purposes I additionally have an OPNsense build in my home lab. I currently want to route some traffic for testing from the client to the RB4011 and from there to OPNsense, which should pass the traffic to the modem (which is also used on the WAN interface of the RB4011) connected to the internet.

So my requirement is that some traffic (namely the traffic from VLAN2 which is heading towards the internet) should not be passed by the RB4011 to the WAN interface, but should be routed to the OPNsense build for testing purposes.

After reading the docs and several threads in the forum, the solution for this requirement seemed to be marking those packets in the prerouting chain and evaluating that packet mark in routing. This is actually working as expected.

But the thing I didn't think about is that the masquerading action, which is actually applied to all traffic heading to the internet, is also applied to the marked packets, although they are actually sent to the internal LAN (OPNsense). I then added the "ignore packets with routing mark" to the masquerading action, but it strangely seems to work only for some packets, as described in the first post.

Best regards,
cyb
 
cyb2
just joined
Topic Author
Posts: 15
Joined: Tue Mar 14, 2023 6:25 pm

Re: srcnat is undesirably applied with mark-routing

Sat Apr 15, 2023 5:37 pm

Hi,

Maybe my intention is still unclear. So here is a simple diagram to explain the situation:
[attachment: diagram.png]
Client and server VLANs are connected to the RB4011, which is routing between them and the WAN (router with modem).

For testing purposes I have added OPNsense and want to route the traffic to the internet through that device.

The easiest solution would be to make a transfer network 192.168.4.0/24 for OPNsense, but in that case I would have to NAT the outgoing traffic from the RB4011 and would actually not be able to identify the sources of the traffic in OPNsense.

So I tried to route the traffic from RB4011 to OPNsense as described above by
(a) using a firewall mangle rule to mark the traffic with a routing mark
(b) adding a route for traffic with the routing mark with OPNsense as gateway
(c) changing the firewall NAT rule for outgoing traffic to ignore traffic with the routing mark

I can see incoming traffic in OPNsense which is not NATted (as expected and wanted), while some other traffic from the same host is NATted. I can see the same in the MikroTik logs when enabling logging on the firewall mangle rule marking the traffic with a routing mark. I do not understand why for some traffic the srcnat action is applied while for other traffic (from the same source) apparently not.

I am not sure if it has something to do with the connection state. There is a rule in the RB4011 firewall which accepts established/related connections.

Maybe somebody can give me a hint, I really would appreciate it!

Best regards,
cyb
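
The pattern in the first post's log (NAT on the flow that shows only ACK packets, none on the flow that starts with a SYN) and the question about connection state in the post above point at the same mechanism: in RouterOS, as in netfilter generally, the srcnat chain is consulted only for the first packet of a connection; the verdict is stored in the connection-tracking entry and reused for every later packet, so a connection opened before the route or the NAT rule changed keeps its original translation until the entry expires or is removed. The Python model below is an added example, not RouterOS code and not from the thread. It replays that sequence with the addresses and ports from the posted log, and assumes, as the posted rules imply, that marked traffic leaves through vlan2-intern because the gateway 192.168.2.244 is on that subnet.

```python
"""Added example (not RouterOS code): why connection-tracked source NAT keeps
translating a flow after the NAT rule or the route has changed.

Netfilter, and RouterOS on top of it, consults the srcnat chain only for the
packet that creates a connection-tracking entry; the verdict is stored in that
entry and reused for later packets until the entry times out or is removed.
Addresses and ports come from the log lines in the first post."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MARK = "vlan2-to-wan"            # new-routing-mark of the posted mangle rule
WAN_ADDR = "192.168.100.254"     # masquerade address visible in the posted log
ConnKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_interface: str = "vlan2-intern"
    routing_mark: Optional[str] = None   # set by the mangle rule, see Router.mangle

    def key(self) -> ConnKey:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class SrcNatRule:
    """add chain=srcnat action=masquerade out-interface=... [routing-mark=!...]"""
    out_interface: str
    exclude_mark: Optional[str] = None

    def matches(self, pkt: Packet, out_interface: str) -> bool:
        if out_interface != self.out_interface:
            return False
        if self.exclude_mark is not None and pkt.routing_mark == self.exclude_mark:
            return False
        return True


class Router:
    def __init__(self, rules: List[SrcNatRule], mangle_enabled: bool = False):
        self.rules = rules
        self.mangle_enabled = mangle_enabled
        # connection tracking: key -> translated source (None means "no NAT")
        self.conntrack: Dict[ConnKey, Optional[str]] = {}

    def mangle(self, pkt: Packet) -> Packet:
        """prerouting mark-routing for vlan2-intern traffic to non-192.168.0.0/16 destinations."""
        if (self.mangle_enabled and pkt.in_interface == "vlan2-intern"
                and not pkt.dst.startswith("192.168.")):
            return Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.in_interface, MARK)
        return pkt

    def route(self, pkt: Packet) -> str:
        # marked traffic goes to 192.168.2.244, which sits on vlan2-intern itself;
        # everything else leaves through the WAN interface
        return "vlan2-intern" if pkt.routing_mark == MARK else "vlan100-wan"

    def handle(self, pkt: Packet) -> Tuple[str, bool]:
        """Return (source address the next hop sees, whether the verdict came from conntrack)."""
        pkt = self.mangle(pkt)
        key = pkt.key()
        if key in self.conntrack:
            nat_src = self.conntrack[key]         # not the first packet: NAT rules not consulted
            return (nat_src or pkt.src, True)
        out_if = self.route(pkt)
        nat_src = WAN_ADDR if any(r.matches(pkt, out_if) for r in self.rules) else None
        self.conntrack[key] = nat_src             # verdict fixed for the life of the connection
        return (nat_src or pkt.src, False)

    def clear_connections(self) -> None:
        """Models '/ip firewall connection remove [find]': every flow is re-evaluated."""
        self.conntrack.clear()


def scenario() -> Dict[str, Tuple[str, bool]]:
    """Replays the order of events in the thread and returns what the gateway would see."""
    rule = SrcNatRule(out_interface="vlan100-wan")
    router = Router([rule])
    flow_a = Packet("192.168.2.21", 50867, "51.83.238.211", 80)   # opened before the change
    flow_b = Packet("192.168.2.21", 51030, "89.146.4.149", 443)   # opened after the change
    seen = {}
    seen["a_before_change"] = router.handle(flow_a)   # SYN: NAT rule evaluated, masqueraded
    router.mangle_enabled = True                      # operator adds the mangle rule ...
    rule.exclude_mark = MARK                          # ... and routing-mark=!vlan2-to-wan
    seen["a_after_change"] = router.handle(flow_a)    # ACK: stored verdict reused, still NAT
    seen["b_after_change"] = router.handle(flow_b)    # SYN: evaluated under the new rules
    router.clear_connections()
    seen["a_after_clear"] = router.handle(flow_a)     # re-evaluated: no longer masqueraded
    return seen


if __name__ == "__main__":
    for step, (src, cached) in scenario().items():
        print(f"{step:16s} source seen by gateway: {src:16s} from conntrack: {cached}")
```

The check on the router itself is `/ip firewall connection print`, looking for entries from 192.168.2.21 whose reply address is 192.168.100.254; `/ip firewall connection remove [find]` drops all tracked connections so that every flow is re-evaluated, which is what `clear_connections()` does in the model. Note that in this model the `routing-mark=!vlan2-to-wan` match on the NAT rule changes nothing, because marked packets never leave through vlan100-wan; the stored verdict is what decides.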

Frederick88
newbie
Posts: 49
Joined: Thu Jun 24, 2021 12:34 pm

Re: srcnat is undesirably applied with mark-routing

Sat Apr 15, 2023 7:39 pm

I think you either need a second external WAN IP,
or you put one router behind the other.

With only one external WAN IP and two routers in the network, you're going to have to double-NAT at some point...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: srcnat is undesirably applied with mark-routing

Sat Apr 15, 2023 9:08 pm

In terms of ensuring one vlan goes out a specific WAN, assuming you have two WANs.

Then yes
add table
add route to the wan using the table.
add a routing rule.

add action=lookup src-address=VLAN_interface_name table=useWANx

If you want the vlan not to fall back to main table if that WAN is not working change action to action=lookup-only-in-table.

++++++++++++++++
NO NEED for mangling.
 
cyb2
just joined
Topic Author
Posts: 15
Joined: Tue Mar 14, 2023 6:25 pm

Re: srcnat is undesirably applied with mark-routing

Sun Apr 16, 2023 12:15 pm

> I think you either need a second external WAN IP,
> or you put one router behind the other.
>
> With only one external WAN IP and two routers in the network, you're going to have to double-NAT at some point...

I don't see what difference that would make. If I had a second external WAN IP, I would still have to NAT on the RB4011 towards OPNsense to make it work, wouldn't I?

@anav: The RB4011 is still using the stable packages, meaning ROS 6.49.7. I guess your recommendation requires ROS 7. I used the mangling to explicitly mark traffic heading to the WAN, because I only want that traffic to be routed to OPNsense and not the internal traffic from e.g. client to server.

I suspect that it will not work as I imagined. I hoped that this traffic flow would work:
client/192.168.2.21 -> RB4011/192.168.2.254 -> OPNsense/192.168.2.244 -> Modem/192.168.3.1 -> Internet/1.1.1.1

But without NAT on the RB4011 the reply would be 1.1.1.1 -> 192.168.3.1 -> 192.168.2.21, so the RB4011 would be skipped, which will not work, I guess.

My initial idea was to extend the firewall capabilities of the RB4011 with some NGFW features of OPNsense. This will work, but probably only with NAT, so OPNsense would be somewhat "blind" because all incoming traffic would have the RB4011 as source address and not the original one.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: srcnat is undesirably applied with mark-routing

Sun Apr 16, 2023 4:19 pm

You can accomplish the same in RoS 6.x.

The difference is that a table is not created in v6.

Ver6
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1 distance=5 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ISP2 distance=10
add dst-address=0.0.0.0/0 gateway=ISP2 routing-mark=useSecondary

[Step 2]
/ip route rule
add src-address=SUBNET or IPaddress action=lookup-only-in-table table=useSecondary

Ver7
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1 distance=5 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ISP2 distance=10
add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=useSecondary

[Step 2]
/routing rule
add src-address=SUBNET or IPaddress action=lookup-only-in-table table=useSecondary

[Step 3]
/routing table
add name=useSecondary fib
 
cyb2
just joined
Topic Author
Posts: 15
Joined: Tue Mar 14, 2023 6:25 pm

Re: srcnat is undesirably applied with mark-routing

Sun Apr 16, 2023 10:15 pm

> You can accomplish the same in RoS 6.x.

Okay, thanks for letting me know.

But nevertheless NAT is required, so my idea to extend the firewall capabilities of the RB4011 with some NGFW features of OPNsense will not work without NAT, I guess.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: srcnat is undesirably applied with mark-routing

Sun Apr 16, 2023 10:57 pm

Step 1 - Provide a WAN IP to the OPNsense router.
Soln. Put the OPNsense router on its own MT VLAN, into ether1 on the OPNsense router.

Discussion: This is the route that OPNsense will use to get its third-party VPN connection.

Step 2. Provide an OPNsense connection back to the MT router on port X, which will act as a VPN WAN for MT users (pick a specific subnet to use this VPN, for example vlan2).
Soln. Consider port X on the MT as a second WAN connection for MT users, but only for a specific subnet. Set an IP DHCP client on port X. Set a static route for MT subnet users, or let's say an ethernet port, or VLAN etc., to port X.


Let's GET RID OF ANY TALK OF VLAN1, it's really not supposed to be used.

VLAN10 on bridge on MT - for clients/servers 192.168.1.0/24
VLAN2 on bridge on MT - for clients/servers 192.168.2.0/24
VLAN30 is strictly to provide a WAN IP for OPNsense. 192.168.30.0/24

OPNsense
ETHER1 is the WAN port, client on 192.168.30.0/24
ETHER2 is the LAN port, assigned 192.168.40.0/24

MT
ETHERX is attached by cable to ETHER2 on the OPNsense router
ETHERX is a WAN port with IP DHCP client settings.

+++++++++++++++++++++++++++++++++++++++++++++++++++++
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-table=main comment="use ISP modem / router for MT"
add dst-address=0.0.0.0/0 gateway=192.168.40.1 routing-table=useOP comment="for vlan2"

/routing table
add name=useOP fib

/routing rule
add action=lookup src-address=192.168.2.0/24 table=useOP

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Now users in vlan2 will get routed out the VPN tunnel of OPNsense for internet. If that is what you are looking for???
Some third-party VPNs provide the option to choose different geographical locations with one account, and thus this type of setup is really useful.
 
cyb2
just joined
Topic Author
Posts: 15
Joined: Tue Mar 14, 2023 6:25 pm

Re: srcnat is undesirably applied with mark-routing

Tue Apr 18, 2023 9:33 pm

Oh man, thank you for your patience. Sadly I still don't get it to work as expected, I am really becoming desperate :(

This is how I configured it now, please ignore VLAN 1, it will be moved to a different VLAN ID:
[attachment: diagram(1).png]
OPNsense has its own transfer networks, 192.168.71.0/24 on the LAN side with incoming transfer from the RB4011 and 192.168.72.0/24 on the WAN side with all outgoing transfer to the RB4011/Internet. I can ping 192.168.71.244 from the RB4011 and I can ping 192.168.72.254 from OPNsense, so the VLAN configuration should be okay.

The old mangling and NAT configuration I described before was removed. As you recommended I added
- a route with destination 0.0.0.0/0, gateway=192.168.77.244 and routing mark=useOP
- a routing rule with src-address=192.168.2.0/24, action="lookup only in table" and table=useOP

When pinging 1.1.1.1 from client 192.168.2.21 I can see the ICMP requests in OPNsense on the LAN interface and I can also see the requests leaving OPNsense on the WAN interface. But the ping is not successful.

In the RB4011 log I can see DNS requests from OPNsense to the Internet, which are successful. I can ping 1.1.1.1 from OPNsense and I can ping www.google.com from OPNsense.

Is this configuration actually really possible, meaning does the RB4011 accept an incoming packet from source IP 192.168.2.21 on interface vlan72?

I added allow-all rules for the vlan72 interface at the beginning of the input and forward chains, but I don't see the pings from 192.168.2.21 in those rules, nor in the deny-all rules.

Maybe anybody has some more ideas what I might (still) be doing wrong?

Thank you so much for your time and your help, I really appreciate it!

Best regards,
cyb
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: srcnat is undesirably applied with mark-routing

Wed Apr 19, 2023 12:00 am

Latest config /export
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: srcnat is undesirably applied with mark-routing

Wed Apr 19, 2023 12:01 am

Latest config /export ( minus router serial number and any public WANIP info )
 
cyb2
just joined
Topic Author
Posts: 15
Joined: Tue Mar 14, 2023 6:25 pm

Re: srcnat is undesirably applied with mark-routing

Wed Apr 19, 2023 8:15 pm

# apr/19/2023 18:52:32 by RouterOS 6.49.6
# software id = EQI2-TTQV
#
# model = RB4011iGS+
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=ch1 tx-power=5
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=ch6 tx-power=14
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=ch11 tx-power=16
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5180 name=ch36
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5200 name=ch40
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5220 name=ch44
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5240 name=ch48
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5260 name=ch52
/interface bridge
add dhcp-snooping=yes frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes name=br-lan-wlan protocol-mode=none pvid=50 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether10 ] poe-out=off
/interface vlan
add interface=br-lan-wlan name=vlan10-server vlan-id=10
add interface=br-lan-wlan name=vlan20-client vlan-id=20
add interface=br-lan-wlan name=vlan30-k vlan-id=30
add interface=br-lan-wlan name=vlan40-iot vlan-id=40
add interface=br-lan-wlan name=vlan50-guest vlan-id=50
add interface=br-lan-wlan name=vlan71-transfer71 vlan-id=71
add interface=br-lan-wlan name=vlan72-transfer72 vlan-id=72
add interface=ether10 name=vlan77-wan vlan-id=77
add interface=ether9 name=vlan88-vpn vlan-id=88
add interface=br-lan-wlan name=vlan100-mgmt vlan-id=100
/caps-man datapath
add bridge=br-lan-wlan bridge-horizon=1 client-to-client-forwarding=no name=\
    dp-w1 vlan-id=30 vlan-mode=use-tag
add bridge=br-lan-wlan bridge-horizon=1 client-to-client-forwarding=no name=\
    dp-w2 vlan-id=40 vlan-mode=use-tag
add bridge=br-lan-wlan bridge-horizon=1 client-to-client-forwarding=no name=\
    dp-w3 vlan-id=50 vlan-mode=use-tag
/caps-man rates
add basic=12Mbps name="GN only - no B rates" supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=1h name=sec-w1
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=1h name=sec-w2
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=30m name=sec-w3
/caps-man configuration
add country=germany datapath=dp-w1 installation=indoor mode=ap name=cfg-w1 \
    rates="GN only - no B rates" security=sec-w1 ssid=w1
add country=germany datapath=dp-w2 installation=indoor mode=ap name=cfg-w2 \
    rates="GN only - no B rates" security=sec-w2 ssid=w2
add country=germany datapath=dp-w3 installation=indoor mode=ap name=cfg-w3 \
    rates="GN only - no B rates" security=sec-w3 ssid=w3
/caps-man interface
add channel=ch11 channel.frequency=2462 comment="EG" configuration=cfg-w2 \
    disabled=no l2mtu=1600 mac-address=2C:C8:1B:E2:32:9C master-interface=\
    none name=cap00-2.4-w2 radio-mac=2C:C8:1B:E2:32:9C radio-name=\
    2CC81BE2329C
add channel=ch11 channel.frequency=2462 configuration=cfg-w3 disabled=yes \
    l2mtu=1600 mac-address=2C:C8:1B:E2:32:9C master-interface=cap00-2.4-w2 \
    name=cap00-2.4-w3 radio-mac=2C:C8:1B:E2:32:9C radio-name=2CC81BE2329C
add channel=ch44 channel.frequency=5220 configuration=cfg-w2 disabled=no \
    l2mtu=1600 mac-address=2C:C8:1B:E2:32:9D master-interface=none name=\
    cap00-5-w2 radio-mac=2C:C8:1B:E2:32:9D radio-name=2CC81BE2329D
add channel=ch44 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
    2C:C8:1B:E2:32:9D master-interface=cap00-5-w2 name=cap00-5-w3 radio-mac=\
    2C:C8:1B:E2:32:9D radio-name=2CC81BE2329D
add channel=ch1 channel.frequency=2412 comment=K configuration=cfg-w2 \
    disabled=no l2mtu=1600 mac-address=C4:AD:34:98:62:1F master-interface=\
    none name=cap01-2.4-w2 radio-mac=C4:AD:34:98:62:1F radio-name=\
    C4AD3498621F
add channel=ch1 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
    C6:AD:34:98:62:20 master-interface=cap01-2.4-w2 name=cap01-2.4-w3 \
    radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch52 channel.frequency=5260 configuration=cfg-w2 disabled=no \
    l2mtu=1600 mac-address=C4:AD:34:98:62:20 master-interface=none name=\
    cap01-5-w2 radio-mac=C4:AD:34:98:62:20 radio-name=C4AD34986220
add channel=ch52 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
    C6:AD:34:98:62:22 master-interface=cap01-5-w2 name=cap01-5-w3 radio-mac=\
    00:00:00:00:00:00 radio-name=""
add channel=ch1 channel.frequency=2412 comment=HK configuration=\
    cfg-w2 disabled=no l2mtu=1600 mac-address=C4:AD:34:98:65:7B \
    master-interface=none name=cap02-2.4-w2 radio-mac=C4:AD:34:98:65:7B \
    radio-name=C4AD3498657B
add channel=ch1 channel.frequency=2412 configuration=cfg-w3 disabled=yes \
    l2mtu=1600 mac-address=C6:AD:34:98:65:7C master-interface=cap02-2.4-w2 \
    name=cap02-2.4-w3 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch36 channel.frequency=5180 configuration=cfg-w2 disabled=no \
    l2mtu=1600 mac-address=C4:AD:34:98:65:7C master-interface=none name=\
    cap02-5-w2 radio-mac=C4:AD:34:98:65:7C radio-name=C4AD3498657C
add channel=ch36 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
    C6:AD:34:98:65:7E master-interface=cap02-5-w2 name=cap02-5-w3 radio-mac=\
    00:00:00:00:00:00 radio-name=""
add channel=ch6 channel.frequency=2437 comment=SP configuration=cfg-w2 \
    disabled=no l2mtu=1600 mac-address=C4:AD:34:98:66:42 master-interface=\
    none name=cap03-2.4-w2 radio-mac=C4:AD:34:98:66:42 radio-name=\
    C4AD34986642
add channel=ch6 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
    C6:AD:34:98:66:43 master-interface=cap03-2.4-w2 name=cap03-2.4-w3 \
    radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch36 channel.frequency=5180 configuration=cfg-w2 disabled=no \
    l2mtu=1600 mac-address=C4:AD:34:98:66:43 master-interface=none name=\
    cap03-5-w2 radio-mac=C4:AD:34:98:66:43 radio-name=C4AD34986643
add channel=ch36 configuration=cfg-w3 disabled=yes l2mtu=1600 mac-address=\
    C6:AD:34:98:66:45 master-interface=cap03-5-w2 name=cap03-5-w3 radio-mac=\
    00:00:00:00:00:00 radio-name=""
add channel=ch11 channel.frequency=2462 configuration=cfg-w1 disabled=yes \
    l2mtu=1600 mac-address=2C:C8:1B:E2:32:9C master-interface=cap00-2.4-w2 \
    name=cap00-2.4-w1 radio-mac=2C:C8:1B:E2:32:9C radio-name=2CC81BE2329C
add channel=ch44 channel.frequency=5220 configuration=cfg-w1 disabled=yes \
    l2mtu=1600 mac-address=2C:C8:1B:E2:32:9D master-interface=cap00-5-w2 \
    name=cap00-5-w1 radio-mac=2C:C8:1B:E2:32:9D radio-name=2CC81BE2329D
add channel=ch1 channel.frequency=2412 configuration=cfg-w1 disabled=no \
    l2mtu=1600 mac-address=C6:AD:34:98:62:1F master-interface=cap01-2.4-w2 \
    name=cap01-2.4-w1 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch52 channel.frequency=5260 configuration=cfg-w1 disabled=no \
    l2mtu=1600 mac-address=C6:AD:34:98:62:21 master-interface=cap01-5-w2 \
    name=cap01-5-w1 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch1 channel.frequency=2412 configuration=cfg-w1 disabled=yes \
    l2mtu=1600 mac-address=C6:AD:34:98:65:7B master-interface=cap02-2.4-w2 \
    name=cap02-2.4-w1 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch36 channel.frequency=5180 configuration=cfg-w1 disabled=no \
    l2mtu=1600 mac-address=C6:AD:34:98:65:7D master-interface=cap02-5-w2 \
    name=cap02-5-w1 radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch6 configuration=cfg-w1 disabled=yes l2mtu=1600 mac-address=\
    C6:AD:34:98:66:42 master-interface=cap03-2.4-w2 name=cap03-2.4-w1 \
    radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch36 configuration=cfg-w1 disabled=yes l2mtu=1600 mac-address=\
    C6:AD:34:98:66:44 master-interface=cap03-5-w2 name=cap03-5-w1 radio-mac=\
    00:00:00:00:00:00 radio-name=""
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=LAN
add name=WAN
add name=vlans-dhcp
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_dhcp30-k ranges=192.168.30.101-192.168.30.120
add name=pool_dhcp40-iot ranges=192.168.40.101-192.168.40.120
add name=pool_dhcp50-guest ranges=192.168.50.101-192.168.50.120
add name=pool_dhcp10-server ranges=192.168.1.101-192.168.1.120
/ip dhcp-server
add address-pool=pool_dhcp30-k disabled=no interface=vlan30-k \
    lease-time=4h name=dhcp30-k
add address-pool=pool_dhcp40-iot disabled=no interface=vlan40-iot lease-time=\
    4h name=dhcp40-iot
add address-pool=pool_dhcp50-guest disabled=no interface=vlan50-guest \
    lease-time=30m name=dhcp50-guest
add address-pool=pool_dhcp10-server interface=vlan10-server \
    lease-time=4h name=dhcp10-server
/system logging action
set 3 remote=192.168.2.11
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
add action=accept allow-signal-out-of-range=always comment=lk-bk \
    disabled=no interface=cap01-2.4-w1 mac-address=AC:CF:23:D1:A3:D0 \
    ssid-regexp=""
add action=accept allow-signal-out-of-range=always comment=lk-dk \
    disabled=no interface=cap01-2.4-w1 mac-address=AC:CF:23:D2:20:80 \
    ssid-regexp=""
add action=accept allow-signal-out-of-range=always comment=lk-ds \
    disabled=no interface=cap01-2.4-w1 mac-address=AC:CF:23:D2:44:88 \
    ssid-regexp=""
add action=accept allow-signal-out-of-range=always comment=lk-pod \
    disabled=no interface=cap01-2.4-w1 mac-address=F0:FE:6B:80:8A:10 \
    ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=tablet-k-alt \
    disabled=no mac-address=C0:F4:E6:88:40:FB ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=tablet-k disabled=\
    no mac-address=24:C6:13:CE:2D:77 ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=tablet-wo-alt \
    disabled=no mac-address=48:88:CA:37:DF:2A ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=tablet-wo disabled=\
    no mac-address=24:C6:13:DE:20:6F ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=phone-ma disabled=\
    no mac-address=CA:A6:5F:88:67:BA ssid-regexp=""
add action=accept allow-signal-out-of-range=3s comment=phone-wo disabled=no \
    mac-address=32:77:1E:CD:64:3F ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="phone-wo (alt)" \
    disabled=yes mac-address=A8:96:75:9D:60:9A ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment="remote control" \
    disabled=no mac-address=0C:B3:19:0B:76:DF ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=yes signal-range=\
    -70..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=always disabled=no ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan100-mgmt
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-w1 \
    slave-configurations=cfg-w2,cfg-w3
/interface bridge port
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether1 pvid=10
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether2 pvid=20
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether3 pvid=30
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether4 pvid=50
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge=br-lan-wlan tagged=br-lan-wlan,ether1 vlan-ids=10
add bridge=br-lan-wlan tagged=br-lan-wlan,ether2 vlan-ids=20
add bridge=br-lan-wlan tagged=br-lan-wlan,ether3 vlan-ids=30
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=40
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=50
add bridge=br-lan-wlan tagged=br-lan-wlan,ether5 vlan-ids=100
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=71
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=72
/interface list member
add interface=br-lan-wlan list=LAN
add interface=vlan77-wan list=WAN
add interface=vlan30-k list=vlans-dhcp
add interface=vlan40-iot list=vlans-dhcp
add interface=vlan50-guest list=vlans-dhcp
add interface=vlan88-vpn list=VPN
add interface=vlan10-server list=vlans-dhcp
/ip address
add address=192.168.1.254/24 interface=vlan10-server network=\
    192.168.1.0
add address=192.168.2.254/24 interface=vlan20-client network=\
    192.168.2.0
add address=192.168.30.254/24 interface=vlan30-k network=192.168.30.0
add address=192.168.40.254/24 interface=vlan40-iot network=192.168.40.0
add address=192.168.50.254/24 interface=vlan50-guest network=192.168.50.0
add address=192.168.3.254/24 interface=vlan77-wan network=192.168.3.0
add address=192.168.1..254/24 interface=vlan100-mgmt network=192.168.1..0
add address=192.168.88.254/24 interface=vlan88-vpn network=192.168.88.0
add address=192.168.71.254/24 interface=vlan71-transfer71 network=\
    192.168.71.0
add address=192.168.72.254/24 interface=vlan72-transfer72 network=\
    192.168.72.0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=192.168.30.101 address-lists=\
    "dns on local,ntp http https on wan" client-id=\
    1:c0:f4:e6:88:40:fb comment=tablet-k-alt mac-address=C0:F4:E6:88:40:FB \
    server=dhcp30-k
add address=192.168.40.105 address-lists="dns on local,ntp http https on wan" \
    comment=tablet-wo-alt mac-address=48:88:CA:37:DF:2A server=dhcp40-iot
add address=192.168.40.102 address-lists="dns on local,ntp http https on wan,s\
    potify-connect on wan,sonos-update on wan" client-id=1:b8:e9:37:8d:df:9a \
    comment=sonos-b mac-address=B8:E9:37:8D:DF:9A server=dhcp40-iot
add address=192.168.40.101 address-lists="dns on local,ntp http https on wan,s\
    potify-connect on wan,sonos-update on wan" client-id=1:b8:e9:37:8d:de:16 \
    comment=sonos-e mac-address=B8:E9:37:8D:DE:16 server=dhcp40-iot
add address=192.168.40.107 address-lists="dns on local,ntp http https on wan,a\
    urora on wan,spo-connect on wan,sle on wan" client-id=\
    1:c:b3:19:b:76:df comment="remote control" mac-address=0C:B3:19:0B:76:DF \
    server=dhcp40-iot
add address=192.168.40.108 address-lists="dns on local,ntp http https on wan" \
    client-id=1:a8:96:75:9d:60:9a comment="phone-wo (alt)" mac-address=\
    A8:96:75:9D:60:9A server=dhcp40-iot
add address=192.168.40.110 address-lists="dns on local,ntp http https on wan,w\
    hatsapp on wan,ara on wan,mail on wan,syncthing on clt01,sle on wan,\
    fritzfon on wan,dns on local-neu" client-id=1:ca:a6:5f:88:67:ba comment=\
    phone-ma mac-address=CA:A6:5F:88:67:BA server=dhcp40-iot
add address=192.168.40.112 address-lists="dns on local,ntp http https on wan,w\
    hatsapp on wan,ara on wan,mail on wan,syncthing on clt01,sle on wan" \
    client-id=1:32:77:1e:cd:64:3f comment=phone-wo mac-address=\
    32:77:1E:CD:64:3F server=dhcp40-iot
add address=192.168.50.120 client-id=1:8c:8c:aa:5f:7a:1b comment=\
    "laptop" mac-address=8C:8C:AA:5F:7A:1B server=dhcp50-guest
add address=192.168.30.103 address-lists=\
    "dns on local,ntp http https on wan,sle on wan" client-id=\
    1:24:c6:13:ce:2d:77 comment=tablet-k mac-address=24:C6:13:CE:2D:77 \
    server=dhcp30-k
add address=192.168.40.103 address-lists="dns on local,ntp http https on wan" \
    client-id=1:24:c6:13:de:20:6f comment=tablet-wo mac-address=\
    24:C6:13:DE:20:6F server=dhcp40-iot
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.30.0/24 dns-server=192.168.30.254 gateway=192.168.30.254
add address=192.168.40.0/24 dns-server=192.168.40.254 gateway=192.168.40.254
add address=192.168.50.0/24 dns-server=192.168.50.254 gateway=192.168.50.254
/ip dns
set allow-remote-requests=yes servers=192.168.3.1
/ip dns static
add address=192.168.1.11 name=srv01.intern.local
/ip firewall address-list
add address=192.168.30.11 comment=osmc-k list="ntp http https on wan"
add address=192.168.30.14 comment=pre list="ntp http https on wan"
add address=192.168.30.14 comment=pre list="spo-connect on wan"
add address=192.168.30.18 comment=sat-k list="ntp http https on wan"
add address=192.168.40.11 comment=sat-wz list="ntp http https on wan"
add address=192.168.40.12 comment=osmc-wz list="ntp http https on wan"
add address=192.168.30.11 comment=osmc-k list="dns on local"
add address=192.168.30.14 comment=pre list="dns on local"
add address=192.168.30.18 comment=sat-k list="dns on local"
add address=192.168.40.11 comment=sat-wz list="dns on local"
add address=192.168.40.12 comment=osmc-wz list="dns on local"
add address=192.168.30.11 comment=osmc-k list="nfs4 on srv02"
add address=192.168.40.12 comment=osmc-wz list="nfs4 on srv02"
add address=192.168.50.0/24 comment=lan-gast list="dns on local"
add address=192.168.50.0/24 comment=lan-gast list="ntp http https on wan"
add address=192.168.1.254 list="dns/ntp local destination"
add address=192.168.2.254 list="dns/ntp local destination"
add address=192.168.30.254 list="dns/ntp local destination"
add address=192.168.40.254 list="dns/ntp local destination"
add address=192.168.50.254 list="dns/ntp local destination"
add address=192.168.1..254 list="dns/ntp local destination"
add address=192.168.40.11 comment=sat-wz list="ping on wan"
add address=192.168.30.18 comment=sat-k list="ping on wan"
add address=192.168.1..250-192.168.1..253 comment=cap00-cap03 list=\
    "ntp http https on wan"
add address=192.168.1.12 comment=srv02 list="dns on local"
add address=192.168.2.11 comment=clt01 list="full access on local"
add address=192.168.2.12 comment=clt02 list="ntp on local"
add address=192.168.2.12 comment=clt02 list="dns on local"
add address=192.168.1..12-192.168.1..23 comment="srv02ipmi, switches01-03" \
    list="ntp on local"
add address=192.168.1..250-192.168.1..253 comment=cap00-cap03 list=\
    "dns on local"
add address=192.168.1..250-192.168.1..253 comment=cap00-cap03 list=\
    "ntp on local"
add address=192.168.30.26 comment=htpc list="ntp http https on wan"
add address=192.168.30.26 comment=htpc list="dns on local"
add address=192.168.30.26 comment=htpc list="smb on srv02"
add address=192.168.30.20 comment=ccu2 list="ntp on local"
add address=192.168.30.27 comment=ccu2-gw01 list="ntp on local"
add address=192.168.2.21 comment=docscan list="ntp on local"
add address=192.168.40.13 comment=sg150 list="dns on local"
add address=192.168.40.13 comment=sg150 list="ntp http https on wan"
add address=192.168.40.13 comment=sg150 list="ping on wan"
add address=192.168.1.12 comment=srv02 list="ntp on local"
add address=192.168.30.26 comment=htpc list="ntp on local"
add address=192.168.30.28 comment=automate01 list="dns on local"
add address=192.168.30.28 comment=automate01 list="ntp http https on wan"
add address=192.168.30.28 comment=automate01 list="ntp on local"
add address=192.168.3.250 comment=dns01 list=pi-holes
add address=192.168.1.12 comment=srv02 list="dns on local-neu"
add address=192.168.40.13 comment=s15 list="dns on local-neu"
/ip firewall filter
add action=accept chain=input comment=\
    "accept established/related connections" connection-state=\
    established,related
add action=drop chain=input comment="drop invalid connections" \
    connection-state=invalid log-prefix="INVALID INPUT: "
add action=accept chain=input comment="accept everything from opnsense" \
    in-interface=vlan72-transfer72 log=yes log-prefix="FROM INPUT: "
add action=accept chain=input comment="accept management" \
    src-address-list="full access on local"
add action=accept chain=input comment="LOCAL dns" disabled=yes dst-address-list=\
    "dns/ntp local destination" dst-port=53 protocol=udp src-address-list=\
    "dns on local"
add action=accept chain=input comment="srv02: LOCAL dns" dst-address-list=\
    "dns/ntp local destination" dst-port=53 protocol=udp src-address-list=\
    "dns on local-neu"
add action=accept chain=input comment=\
    "ntp" dst-address-list=\
    "dns/ntp local destination" dst-port=123 protocol=udp src-address-list=\
    "ntp on local"
add action=accept chain=input comment=\
    "vlan30-k, vlan40-iot, vlan50-guest: dhcp" dst-port=67 \
    in-interface-list=vlans-dhcp protocol=udp
add action=drop chain=input comment="drop everything else" log-prefix=DROP:
add action=fasttrack-connection chain=forward connection-state=\
    established,related disabled=yes
add action=accept chain=forward comment=\
    "accept established/related connections" connection-state=\
    established,related
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid log=yes log-prefix="INVALID FORWARD: "
add action=drop chain=forward comment="drop everything from hp to wan" \
    out-interface-list=WAN src-address=192.168.30.26
add action=drop chain=forward comment=\
    "accept everything from clt-vlan" dst-address=1.1.1.1 \
    in-interface=vlan20-client src-address=192.168.2.11
add action=accept chain=forward comment=\
    "accept everything from clt-vlan" in-interface=vlan20-client
add action=accept chain=forward comment=\
    "accept everything from srv-vlan" in-interface=vlan10-server
add action=accept chain=forward comment="accept everything from opnsense" \
    in-interface=vlan72-transfer72 log=yes log-prefix="FROM FWD: "
add action=accept chain=forward comment="dns" dst-address-list=pi-holes dst-port=53 \
    out-interface-list=WAN protocol=udp src-address-list="dns on local"
add action=accept chain=forward comment="dns" dst-address-list=pi-holes dst-port=53 \
    out-interface-list=WAN protocol=tcp src-address-list="dns on local"
add action=accept chain=forward comment="pihole > wan: allow all" \
    out-interface-list=WAN src-address-list=pi-holes
add action=accept chain=forward comment="wan: http, https" log-prefix="HU: " \
	src-address=192.168.40.110
add action=accept chain=forward comment="wan: http, https" dst-port=80,443 \
	out-interface-list=WAN protocol=tcp \
    src-address-list="ntp http https on wan"
add action=accept chain=forward comment=\
    "phone-ma, phone-wo > wan" dst-port=465,995 \
    out-interface-list=WAN protocol=tcp src-address-list="mail on wan"
add action=accept chain=forward comment=\
    "phone-ma, phone-wo > wan" dst-address=192.168.3.1 \
    protocol=tcp src-address-list="fritzfon on wan"
add action=accept chain=forward comment=\
    "phone-ma, phone-wo > wan" dst-address=192.168.3.1 \
    protocol=udp src-address-list="fritzfon on wan"
add action=accept chain=forward comment=\
    "phone-ma, remote control > wan" \
    dst-port=1337,5228 out-interface-list=WAN protocol=tcp src-address-list=\
    "ara on wan"
add action=accept chain=forward comment="wan: ntp" dst-port=123 \
	out-interface-list=WAN protocol=udp src-address-list=\
    "ntp http https on wan"
add action=accept chain=forward comment="smb" dst-address=\
    192.168.1.12 dst-port=445 protocol=tcp src-address-list="smb on srv02"
add action=accept chain=forward comment=\
    "nfs4" dst-address=\
    192.168.1.11 dst-port=2049 protocol=tcp src-address-list="nfs4 on srv02"
add action=accept chain=forward comment=\
    "nfs4" dst-address=\
    192.168.1.12 dst-port=2049 protocol=tcp src-address-list="nfs4 on srv02"
add action=accept chain=forward comment="wan: spo-connect" \
    dst-port=4070 out-interface-list=WAN protocol=tcp src-address-list=\
    "spo-connect on wan"
add action=accept chain=forward comment="wan: wa" dst-port=\
    5222,5223 out-interface-list=WAN protocol=tcp src-address-list=\
    "wa on wan"
add action=accept chain=forward comment="wan: wa" dst-port=\
    3478 out-interface-list=WAN protocol=udp src-address-list=\
    "wa on wan"
add action=accept chain=forward comment="wan: sle" dst-port=5061 \
    out-interface-list=WAN protocol=tcp src-address-list="sle on wan"
add action=accept chain=forward comment="wan: sle" dst-address=\
    217.19.174.18 out-interface-list=WAN protocol=udp src-address-list=\
    "sle on wan"
add action=accept chain=forward comment="wan: ping" \
    out-interface-list=WAN protocol=icmp src-address-list="ping on wan"
add action=accept chain=forward comment="wan: sonos-update" dst-port=\
    4444 out-interface-list=WAN protocol=tcp src-address-list=\
    "sonos-update on wan"
add action=accept chain=forward comment="Forward Sonos multicast traffic" \
    dst-address=239.255.255.250
add action=accept chain=forward comment=\
    "Forward Sonos remote control events to players" dst-port=1400,4444 \
    in-interface=vlan30-k out-interface=vlan40-iot protocol=tcp
add action=accept chain=forward comment=\
    "Forward Sonos remote control events from players" dst-port=\
    3400,3401,3500 in-interface=vlan40-iot out-interface=vlan30-k \
    protocol=tcp
add action=accept chain=forward comment=\
    "Forward Sonos UPnP device discovery events from players" dst-port=\
    1900,1901 in-interface=vlan40-iot out-interface=vlan30-k protocol=udp
add action=accept chain=forward comment="Forward Sonos" dst-port=32000-65535 \
    in-interface=vlan40-iot out-interface=vlan30-k protocol=udp
add action=accept chain=forward comment="openhabian > sonos" dst-address=\
    192.168.40.101 log=yes log-prefix="openhab: " src-address=192.168.30.21
add action=accept chain=forward comment=\
    "X sonos > openhabian source port 58578-58583,41706-41711" dst-address=\
    192.168.30.21 dst-port=8080 log-prefix="openhab: " protocol=tcp \
    src-address=192.168.40.101
add action=accept chain=forward comment="sonos > openhabian" dst-address=\
    192.168.30.21 log=yes log-prefix="openhab: " src-address=192.168.40.101
add action=accept chain=forward comment="phone > openhab" dst-address=\
    192.168.30.21 src-address=192.168.40.106
add action=accept chain=forward comment=sle dst-address=217.19.174.18 \
    log-prefix="sle sus: " src-address=192.168.40.13
add action=accept chain=forward comment=sle dst-address=217.19.174.19 \
    log-prefix="sle sus: " src-address=192.168.40.13
add action=accept chain=forward comment=sle log=yes log-prefix="sle: " \
    src-address=192.168.40.13
add action=accept chain=forward comment="wan: everything" \
    in-interface=vlan50-guest log=yes log-prefix="lan-gast: " \
    out-interface-list=WAN src-address=192.168.50.120
add action=drop chain=forward comment="drop everything else" log-prefix=\
    "DROP FWD:"
add action=accept chain=output comment="router02 > clt01: syslog" disabled=\
    yes dst-address=192.168.2.11 dst-port=514 protocol=udp src-address=\
    192.168.2.254
/ip firewall mangle
add action=mark-routing chain=prerouting comment="route to wan over opnsense" \
    disabled=yes dst-address=9.9.9.9 in-interface=vlan20-client \
    new-routing-mark=vlan20-to-wan passthrough=no src-address=192.168.2.21
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Masquerade all outgoing communication except pihole" dst-address-list=\
    !pi-holes out-interface=vlan77-wan routing-mark=!vlan20-to-wan
add action=masquerade chain=srcnat comment="Masquerade opnsense mgmt access" \
    dst-address=192.168.71.244 out-interface=vlan71-transfer71
add action=dst-nat chain=dstnat comment="Force pihole usage except for srv02" \
    dst-port=53 protocol=udp src-address-list="!dns on local-neu" \
    to-addresses=192.168.3.250
add action=dst-nat chain=dstnat comment="Force pihole usage except for srv02" \
    dst-port=53 protocol=tcp src-address=!192.168.1.12 to-addresses=\
    192.168.3.250
/ip route
add disabled=yes distance=1 gateway=192.168.2.244 routing-mark=vlan20-to-wan
add disabled=yes distance=1 gateway=192.168.71.244 routing-mark=toFw
add distance=1 gateway=192.168.3.1
add disabled=yes distance=1 gateway=192.168.60.244
/ip route rule
add action=lookup-only-in-table disabled=yes src-address=192.168.40.110/32 \
    table=toFw
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=10022
set api disabled=yes
set api-ssl disabled=yes
/routing pim interface
add interface=vlan40-iot
add interface=vlan30-k
/routing pim rp
add address=192.168.40.254
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=router02
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104
/system ntp server
set enabled=yes manycast=no
/system scheduler
add interval=1d name=EnableW2-06-25 on-event="/system script run \"Func-Enable\
    Wlan\"\r\
    \n:global EnableWlan\r\
    \n:local runFunc [:parse (\":local input \\\"w2,{mon,tue,wed,thu,fri},{cap\
    00-2.4-w2,cap00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\";\
    \_\" . \$EnableWlan)]\r\
    \n\$runFunc" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2021 start-time=06:25:00
add interval=1d name=EnableW2-08-30 on-event="/system script run \"Func-Enable\
    Wlan\"\r\
    \n:global EnableWlan\r\
    \n:local runFunc [:parse (\":local input \\\"w2,{sat,sun},{cap00-2.4-w2,ca\
    p00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" . \$Enab\
    leWlan)]\r\
    \n\$runFunc" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2021 start-time=08:30:00
add interval=1d name=EnableW2-13-30 on-event="/system script run \"Func-Enable\
    Wlan\"\r\
    \n:global EnableWlan\r\
    \n:local runFunc [:parse (\":local input \\\"w2,{fri},{cap00-2.4-w2,cap00-\
    5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" . \$EnableWl\
    an)]\r\
    \n\$runFunc" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2021 start-time=13:30:00
add interval=1d name=EnableW2-16-30 on-event="/system script run \"Func-Enable\
    Wlan\"\r\
    \n:global EnableWlan\r\
    \n:local runFunc [:parse (\":local input \\\"w2,{mon,tue,wed,thu},{cap00-2\
    .4-w2,cap00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" \
    . \$EnableWlan)]\r\
    \n\$runFunc" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2021 start-time=16:30:00
add disabled=yes interval=1d name=DisableW2-08-00 on-event="/system script run\
    \_\"Func-DisableWlan\"\r\
    \n:global DisableWlan\r\
    \n:local runFunc [:parse (\":local input \\\"w2,{mon,tue,wed,thu,fri},{cap\
    00-2.4-w2,cap00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\";\
    \_\" . \$DisableWlan)]\r\
    \n\$runFunc\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2021 start-time=08:00:00
add interval=1d name=DisableW2-23-59 on-event="/system script run \"Func-Disab\
    leWlan\"\r\
    \n:global DisableWlan\r\
    \n:local runFunc [:parse (\":local input \\\"w2,{mon,tue,wed,thu,sun},{cap\
    00-2.4-w2,cap00-5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\";\
    \_\" . \$DisableWlan)]\r\
    \n\$runFunc\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2021 start-time=23:59:00
add interval=1d name=DisableW2-FR-01-00 on-event="/system script run \"Func-Di\
    sableWlan\"\r\
    \n:global DisableWlan\r\
    \n:local runFunc [:parse (\":local input \\\"w2,{sat},{cap00-2.4-w2,cap00-\
    5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" . \$DisableW\
    lan)]\r\
    \n\$runFunc\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2021 start-time=01:00:00
add interval=1d name=DisableW2-SA-01-00 on-event="/system script run \"Func-Di\
    sableWlan\"\r\
    \n:global DisableWlan\r\
    \n:local runFunc [:parse (\":local input \\\"w2,{sun},{cap00-2.4-w2,cap00-\
    5-w2,cap02-2.4-w2,cap02-5-w2,cap03-2.4-w2,cap03-5-w2}\\\"; \" . \$DisableW\
    lan)]\r\
    \n\$runFunc\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2021 start-time=01:00:00
/system script
add dont-require-permissions=no name=Func-GetDayOfWeek owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_GetDayOfWeek: Estimates day of week of today\r\
    \n# Input:\r\
    \n#\tnothing\r\
    \n# Output: \r\
    \n#\tstring day of week (\"sun\", \"mon\", \"tue\", \"wed\", \"thu\", \"fr\
    i\", \"sat\")\r\
    \n# original DayOfWeek-script by melboyscout (https://forum.mikrotik.com/v\
    iewtopic.php\?t=59029#p397102)\r\
    \n:global GetDayOfWeek \":local output \\\"\\\"\r\
    \n\t:local date [/system clock get date]\r\
    \n\r\
    \n\t:local months [:toarray \\\"jan,feb,mar,apr,may,jun,jul,aug,sep,oct,no\
    v,dec\\\"]\r\
    \n\t:local daytbl [:toarray \\\"sun,mon,tue,wed,thu,fri,sat\\\"]\r\
    \n\r\
    \n\t:local month [:pick \\\$date 0 3]\r\
    \n\t:local day [:pick \\\$date 4 6]\r\
    \n\t:local dayc [:pick \\\$date 5 6]\r\
    \n\t:local year [:pick \\\$date 7 11]\r\
    \n\r\
    \n\t:if ([:pick \\\$date 4 5] = 0) do={ :set day (\\\$dayc)}\r\
    \n\r\
    \n\t:local sum 0\r\
    \n\t:local aaa 0\r\
    \n\t:local yyy 0\r\
    \n\t:local mmm 0\r\
    \n\t:local nmonth 1\r\
    \n\r\
    \n\t:for mindex from=0 to=[:len \\\$months] do={\r\
    \n\t\t:if ([:pick \\\$months \\\$mindex] = \\\$month) do={:set nmonth (\\\
    \$mindex + 1) }\r\
    \n\t}\r\
    \n\r\
    \n\t:set aaa ((14 - \\\$nmonth) / 12)\r\
    \n\t:set yyy (\\\$year - \\\$aaa)\r\
    \n\t:set mmm (\\\$nmonth + 12 * \\\$aaa - 2)\r\
    \n\t:set sum (7000 + \\\$day + \\\$yyy + (\\\$yyy / 4) - (\\\$yyy / 100) +\
    \_(\\\$yyy / 400) + ((31 * \\\$mmm) / 12))\r\
    \n\t:set sum (\\\$sum - ((\\\$sum / 7) * 7))\r\
    \n\t:set output [:pick \\\$daytbl \\\$sum];\""
add dont-require-permissions=no name=Func-EnableWlan owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_EnableWlan: \tChecks if today is in given array of days where wlan shoul\
    d be enabled\r\
    \n# \t\t\t\tand enables given caps-man interface(s) if so\r\
    \n# Input array:\r\
    \n#\t0 = string name of wlan (will just be logged) to enable\r\
    \n#\t1 = string comma-concatenated days of week when wlan should be enable\
    d, e.g. \"mon,tue,wed,thu,fri\"\r\
    \n#\t2 = string comma-concatenated names of caps-man interfaces to enable\
    \r\
    \n# Output:\r\
    \n#\tnothing\r\
    \n:global EnableWlan \":set input [:toarray \\\$input]\r\
    \n\t:if ([:len \\\$input] = 3) do={\r\
    \n\t\t:local wlanName [:tostr [:pick \\\$input 0]]\r\
    \n\t\t:local dayStr [:tostr [:pick \\\$input 1]]\r\
    \n\t\t:local capStr [:tostr [:pick \\\$input 2]]\r\
    \n\r\
    \n\t\t/system script run \\\"Func-GetDayOfWeek\\\"\r\
    \n\t\t:global GetDayOfWeek\r\
    \n\r\
    \n\t\t:global dayOfWeek \\\"\\\"\r\
    \n\t\t:local runFunc [:parse (\\\":global dayOfWeek;\\\" . \\\r\
    \n\t\t\t\\\$GetDayOfWeek . \\\r\
    \n\t\t\t\\\":set dayOfWeek \\\\\\\$output\\\")\r\
    \n\t\t]\r\
    \n\t\t\\\$runFunc\r\
    \n\t\t\r\
    \n\t\t:log info \\\"checking if wlan \\\$wlanName must be enabled on \\\$[\
    :pick [/system clock get time] 0 5]/\\\$dayOfWeek\\\"\r\
    \n\t\t:local days [:toarray \\\$dayStr]\r\
    \n\t\t:local match [:find \\\$days \\\$dayOfWeek]\r\
    \n\t\t:if ([:type \\\$match]!=\\\"nil\\\") do={\r\
    \n\t\t\t:log info \\\"wlan \\\$wlanName must be enabled\\\"\r\
    \n\t\t\t:foreach cap in=[:toarray \\\$capStr] do={\r\
    \n\t\t\t\t:log info \\\"now enabling interface \\\$cap\\\"\r\
    \n\t\t\t\t/caps-man interface enable \\\$cap;\r\
    \n\t\t\t};\r\
    \n\t\t} else={ :log info \\\"no need to enable wlan \\\$wlanName now\\\" }\
    \r\
    \n\t};\""
add dont-require-permissions=no name=Func-DisableWlan owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_DisableWlan: \tChecks if today is in given array of days where wlan shou\
    ld be disabled\r\
    \n# \t\t\t\tand disables given caps-man interface(s) if so\r\
    \n# Input array:\r\
    \n#\t0 = string name of wlan (will just be logged) to disable\r\
    \n#\t1 = string comma-concatenated days of week when wlan should be disabl\
    ed, e.g. \"mon,tue,wed,thu,fri\"\r\
    \n#\t2 = string comma-concatenated names of caps-man interfaces to disable\
    \r\
    \n# Output:\r\
    \n#\tnothing\r\
    \n:global DisableWlan \":set input [:toarray \\\$input]\r\
    \n\t:if ([:len \\\$input] = 3) do={\r\
    \n\t\t:local wlanName [:tostr [:pick \\\$input 0]]\r\
    \n\t\t:local dayStr [:tostr [:pick \\\$input 1]]\r\
    \n\t\t:local capStr [:tostr [:pick \\\$input 2]]\r\
    \n\r\
    \n\t\t/system script run \\\"Func-GetDayOfWeek\\\"\r\
    \n\t\t:global GetDayOfWeek\r\
    \n\r\
    \n\t\t:global dayOfWeek \\\"\\\"\r\
    \n\t\t:local runFunc [:parse (\\\":global dayOfWeek;\\\" . \\\r\
    \n\t\t\t\\\$GetDayOfWeek . \\\r\
    \n\t\t\t\\\":set dayOfWeek \\\\\\\$output\\\")\r\
    \n\t\t]\r\
    \n\t\t\\\$runFunc\r\
    \n\t\t\r\
    \n\t\t:log info \\\"checking if wlan \\\$wlanName must be disabled on \\\$\
    [:pick [/system clock get time] 0 5]/\\\$dayOfWeek\\\"\r\
    \n\t\t:local days [:toarray \\\$dayStr]\r\
    \n\t\t:local match [:find \\\$days \\\$dayOfWeek]\r\
    \n\t\t:if ([:type \\\$match]!=\\\"nil\\\") do={\r\
    \n\t\t\t:log info \\\"wlan \\\$wlanName must be disabled\\\"\r\
    \n\t\t\t:foreach cap in=[:toarray \\\$capStr] do={\r\
    \n\t\t\t\t:log info \\\"now disabling interface \\\$cap\\\"\r\
    \n\t\t\t\t/caps-man interface disable \\\$cap;\r\
    \n\t\t\t};\r\
    \n\t\t} else={ :log info \\\"no need to disable wlan \\\$wlanName now\\\" \
    }\r\
    \n\t};\""
/tool bandwidth-server
set enabled=no
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: srcnat is undesiredly applied with mark-routing

Wed Apr 19, 2023 8:30 pm

Yeah, your config is very much not standard; did you follow any guidance??
 
cyb2
just joined
Topic Author

Re: srcnat is undesiredly applied with mark-routing

Wed Apr 19, 2023 8:41 pm

did you follow any guidance??
Of course.

When I started with Mikrotik components I spent a long time reading the documentation/wiki and a lot of information in the forum.

What exactly do you mean by "very much not standard"?
Last edited by cyb2 on Wed Apr 19, 2023 9:07 pm, edited 1 time in total.
 
anav
Forum Guru

Re: srcnat is undesiredly applied with mark-routing

Wed Apr 19, 2023 9:07 pm

For example, you have snooping set on the bridge and a VLAN other than default set on the bridge, normally not required............... non-standard
 
cyb2
just joined
Topic Author

Re: srcnat is undesiredly applied with mark-routing

Wed Apr 19, 2023 9:21 pm

The snooping on the bridge is configured to block third-party DHCP servers. The pvid=50 on the bridge is probably not required because of "admit-only-vlan-tagged" and only tagged traffic being used, but it probably does not hurt, because in case untagged ports are added to the bridge the pvid is configured to the most restrictive VLAN (guest LAN).

If I remember it correctly... I configured the Mikrotik stuff around 3 years ago and have not kept myself busy with it since, because it was just running without problems. Of course I am not sure that the configuration is 100% best practice; I am not a Mikrotik professional.
 
anav
Forum Guru

Re: srcnat is undesiredly applied with mark-routing

Wed Apr 19, 2023 11:15 pm

Don't worry, neither am I. If it's working for you, the best advice is not to change it. I just don't use any of those things and manage to keep out of trouble as well.
I don't use CAPsMAN either; I prefer to handle each device separately.
 
anav
Forum Guru

Re: srcnat is undesiredly applied with mark-routing

Wed Apr 19, 2023 11:27 pm

You have four IP pools aka four VLANs but you have identified 10 VLANs??
10,30,40,50 (with pool) 20,71,72,77,88,100 don't have pools ???

(77 is a WAN network so that is expected)

IP filter strict is not usual.........loose is the preferred setup.

Taking a look at your address lists, yeah, not an easy job to try and manage all the needs........ eyes are bleeding LOL
 
cyb2
just joined
Topic Author

Re: srcnat is undesiredly applied with mark-routing

Thu Apr 20, 2023 8:52 pm

You have four IP pools aka four vlans but you have identified 10 vlans??
Yes, I have 4 pools for the 4 VLANs with a DHCP server. In the other VLANs, IP addresses are managed manually.

IP filter strict is not usual.........loose is the preferred setup.
I tried to make it as secure as possible nowadays. I changed it now to "loose", but this did not solve my problem.

I am still debugging and trying to find the problem. I am a little unsure if the routing rule really works as expected.

As you know, I configured it as recommended:
- a route with destination 0.0.0.0/0, gateway=192.168.71.244 (opnsense-lan) and routing mark=useOP
- a routing rule with src-address=192.168.2.0/24, action="lookup only in table" and table=useOP

To me it seems as if the packets are looping: 192.168.2.21 tries to send a DNS request to 8.8.8.8:53, which results in:
192.168.2.21 -> 192.168.2.254 (RB4011) -> routing to 192.168.71.244 -> 192.168.72.254 (RB4011) -> routing to 192.168.71.244 -> and so on

How shall the traffic "break out" to the internet after looping once above OPNsense?
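The loop cyb2 describes, as an added example that is not part of the thread (a constructed Python model, not RouterOS code and not anything from the OP's router). It models the v6 `/ip route rule` "lookup only in table" decision and the two route tables from the posts, and assumes, following the OP's trace, that the OPNsense box hands every packet back to the RB4011 on vlan72-transfer72 with the source address unchanged (the srcnat rules in the export only masquerade on vlan77-wan and towards the OPNsense management address, so nothing rewrites 192.168.2.21 on the way out to 192.168.71.244). With a rule that matches on src-address alone, the returning packet hits the same rule again and the trace never reaches 192.168.3.1; a second rule set that additionally matches the incoming interface (`interface=vlan20-client`, a match the v6 route rule offers) is included only to show why the model stops looping, not as a verified fix for this installation:

```python
"""Toy model of RouterOS v6 policy routing (/ip route rule + /ip route).

Constructed example for the loop described in the thread; it is not RouterOS
code.  Addresses and interface names come from the posts; how the OPNsense box
returns the packet is an assumption (see OPNSENSE_RETURNS_ON).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_interface: str  # interface on which the RB4011 received the packet


@dataclass(frozen=True)
class RouteRule:
    """One '/ip route rule add action=lookup-only-in-table ...' entry.

    src_address models the src-address= match, interface the optional
    interface= (incoming interface) match."""
    table: str
    src_address: Optional[str] = None
    interface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_address and ip_address(pkt.src) not in ip_network(self.src_address):
            return False
        if self.interface and pkt.in_interface != self.interface:
            return False
        return True


def select_table(pkt: Packet, rules: list[RouteRule]) -> str:
    """First matching rule decides the table; no match falls back to main."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.table
    return "main"


def next_hop(pkt: Packet, rules: list[RouteRule],
             tables: dict[str, dict[str, str]]) -> str:
    """Longest-prefix match inside the selected table (prefix -> gateway)."""
    best_net, best_gw = None, None
    for prefix, gw in tables[select_table(pkt, rules)].items():
        net = ip_network(prefix)
        if ip_address(pkt.dst) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_gw is None:
        raise LookupError(f"no route to {pkt.dst}")
    return best_gw


OPNSENSE = "192.168.71.244"   # gateway of the useOP table (from the post)
ISP_GW = "192.168.3.1"        # main-table default gateway (from the export)
# Assumption drawn from the OP's trace: OPNsense's own default route points back
# at the RB4011, so the packet re-enters on the vlan72 transfer interface.
OPNSENSE_RETURNS_ON = "vlan72-transfer72"


def trace(pkt: Packet, rules: list[RouteRule], tables: dict[str, dict[str, str]],
          max_hops: int = 6) -> list[str]:
    """Gateways the packet visits.  Ends with 'internet' once it leaves via the
    ISP gateway, or with 'LOOP' when it bounces more than max_hops times."""
    path: list[str] = []
    cur = pkt
    for _ in range(max_hops):
        gw = next_hop(cur, rules, tables)
        path.append(gw)
        if gw == ISP_GW:
            return path + ["internet"]
        assert gw == OPNSENSE  # only two gateways exist in this model
        # No NAT on this leg (see lead-in), so src stays 192.168.2.21 on re-entry.
        cur = Packet(cur.src, cur.dst, in_interface=OPNSENSE_RETURNS_ON)
    return path + ["LOOP"]


TABLES = {
    "main": {"0.0.0.0/0": ISP_GW},
    "useOP": {"0.0.0.0/0": OPNSENSE},
}
# Rule as the OP described it: source address only.
RULES_SRC_ONLY = [RouteRule(table="useOP", src_address="192.168.2.0/24")]
# Same rule restricted to packets that actually arrive from the client VLAN.
RULES_SRC_AND_IFACE = [RouteRule(table="useOP", src_address="192.168.2.0/24",
                                 interface="vlan20-client")]
# Constructed packet matching the OP's example: DNS query from 192.168.2.21.
DNS_QUERY = Packet(src="192.168.2.21", dst="8.8.8.8", in_interface="vlan20-client")


def compare() -> dict[str, list[str]]:
    return {
        "src-only": trace(DNS_QUERY, RULES_SRC_ONLY, TABLES),
        "src+interface": trace(DNS_QUERY, RULES_SRC_AND_IFACE, TABLES),
    }


if __name__ == "__main__":
    for name, path in compare().items():
        print(f"{name:14s}: " + " -> ".join(path))
```

The point the model makes is that a policy rule keyed only on the source address cannot tell the first pass (from vlan20-client) apart from the return pass (from vlan72-transfer72) as long as nothing rewrites the source address in between; any condition that distinguishes the two passes (incoming interface here, or NAT on the OPNsense side) ends the loop.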
 
anav
Forum Guru

Re: srcnat is undesiredly applied with mark-routing

Fri Apr 21, 2023 12:50 am

It will only work, I think, if the ether port on the MT to OPNsense is considered a WAN port (ip dhcpclient).
You have to distinguish:
a. a subnet from the MT is feeding the OPNsense and the OPNsense considers this as a WAN input.
b. the OPNsense has its own subnets, not on the MT, and one of these subnets is on a cable heading back to a different port on the MT.
c. The MT considers this port as a second WAN, and then you can route users out to this WAN for, let's say, a VPN connection.

This technique may not apply to you; it is what one OP used to provide a VPN connection through his DD-WRT router.
The DD-WRT used the normal subnet coming from the MT as WAN input to reach out to a third-party VPN provider.
From there it created a VPN transparent link through the MT internet connection.
Then by creating another subnet behind the DD-WRT router it created a path for MT users to access said tunnel.
The MT considered that second port as a WAN port.

Not sure if it applies here.........
