I have a wireless device (Xiaomi Mi Hub) with a static IP address leased by the DHCP server that generates these info log entries every 5 minutes (the device is very close to the access point and has a very strong wireless signal):
dhcpd-IOT deassigned 192.168.30.129 for MAC_ADD lumi_gateway_mgl03
dhcpd-IOT assigned 192.168.30.129 for MAC_ADD lumi_gateway_mgl03
# 2024-03-04 18:05:43 by RouterOS 7.14
# software id = ID_SOFTWARE
#
# model = RB3011UiAS
# serial number = SERIAL_KILLER
# Layer-2 layout: two bridges (one per switch group), each with protocol-mode=none,
# i.e. no spanning-tree protocol is run on them.
/interface bridge
add name=bridge-LAN-SW1 protocol-mode=none
add name=bridge-LAN-SW2 protocol-mode=none
# Port labels only; they document which device is cabled to each port.
/interface ethernet
set [ find default-name=ether1 ] comment="AP Entrada"
set [ find default-name=ether2 ] comment="AP Sala de TV"
set [ find default-name=ether3 ] comment="HA Yellow"
set [ find default-name=ether4 ] comment="Omada OC200 WLC"
set [ find default-name=ether5 ] comment="Trunk to 2 Chip Switch"
set [ find default-name=ether6 ] comment="Trunk to 1 Chip Switch"
set [ find default-name=ether7 ] comment="XBOX Series X"
set [ find default-name=ether8 ] comment="Chromecast Salacomedor"
set [ find default-name=ether9 ] comment="LG WebOS TV"
set [ find default-name=ether10 ] comment="Amcrest Camera"
# sfp1 is the uplink used by the PPPoE client below; auto-negotiation is off and the speed is forced.
set [ find default-name=sfp1 ] auto-negotiation=no comment="To Movistar HGU" \
speed=1G-baseT-full
# One VLAN interface per VLAN ID on each bridge:
# 99 = MGMT, 200 = USERS, 250 = GAME, 300 = IOT, 1000 = GUEST.
/interface vlan
add interface=bridge-LAN-SW1 loop-protect=off name=vlan99-MGMT-SW1 vlan-id=99
add interface=bridge-LAN-SW2 loop-protect=off name=vlan99-MGMT-SW2 vlan-id=99
add interface=bridge-LAN-SW1 loop-protect=off name=vlan200-USERS-SW1 vlan-id=\
200
add interface=bridge-LAN-SW2 loop-protect=off name=vlan200-USERS-SW2 vlan-id=\
200
add interface=bridge-LAN-SW1 loop-protect=off name=vlan250-GAME-SW1 vlan-id=\
250
add interface=bridge-LAN-SW2 loop-protect=off name=vlan250-GAME-SW2 vlan-id=\
250
add interface=bridge-LAN-SW1 loop-protect=off name=vlan300-IOT-SW1 vlan-id=\
300
add interface=bridge-LAN-SW2 loop-protect=off name=vlan300-IOT-SW2 vlan-id=\
300
add interface=bridge-LAN-SW1 loop-protect=off name=vlan1000-GUEST-SW1 \
vlan-id=1000
add interface=bridge-LAN-SW2 loop-protect=off name=vlan1000-GUEST-SW2 \
vlan-id=1000
# WAN uplink. allow=chap limits PPP authentication to CHAP; use-peer-dns=yes takes
# the upstream resolvers from the ISP. The PPPoE user name is redacted in this post.
/interface pppoe-client
add add-default-route=yes allow=chap comment="Internet Movistar PPPoE" \
disabled=no interface=sfp1 keepalive-timeout=60 name=pppoe-out-INTERNET \
use-peer-dns=yes user=user_name
# Switch-chip port settings: every entry uses vlan-mode=secure.
# Entries 2,3,6,7,8,9 carry a default-vlan-id (access ports); the values line up with
# ether3=300, ether4=99, ether7=250, ether8/9=200, ether10=300 in the switch VLAN table.
# Entries 0,1,4,5 use vlan-header=add-if-missing (the AP and trunk ports).
# NOTE(review): entries 10 and 11 are presumably the two switch CPU ports - confirm with
# "/interface ethernet switch port print", since numeric indices depend on print order.
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=300 vlan-mode=secure
set 3 default-vlan-id=99 vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=secure
set 6 default-vlan-id=250 vlan-mode=secure
set 7 default-vlan-id=200 vlan-mode=secure
set 8 default-vlan-id=200 vlan-mode=secure
set 9 default-vlan-id=300 vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure
# Interface lists referenced by the firewall:
#   VLANs            - all VLAN interfaces (DNS/NTP input rules, detect-internet LAN list)
#   WAN              - the PPPoE uplink
#   NOT_FROM_VLANn   - used as out-interface-list in the forward reject rules
#   <NAME>-VLANn     - the SW1 + SW2 interface of one VLAN, used as in-interface-list
/interface list
add comment=VLANS name=VLANs
add comment="WAN / Internet" name=WAN
add name=NOT_FROM_VLAN99
add name=NOT_FROM_VLAN300
add name=NOT_FROM_VLAN250
add name=NOT_FROM_VLAN1000
add name=NOT_FROM_VLAN200
add comment="VLAN 99 MGMT" name=MGMT-VLAN99
add comment="VLAN 200 USERS" name=USERS-VLAN200
add comment="VLAN 250 GAME" name=GAME-VLAN250
add comment="VLAN 300 IOT" name=IOT-VLAN300
add comment="VLAN 1000 GUEST" name=GUEST-VLAN1000
# DHCP address pools, one per VLAN. pool-GAME holds only six addresses (.245-.250).
/ip pool
add name=pool-MGMT ranges=192.168.99.3-192.168.99.254
add name=pool-USERS ranges=192.168.20.5-192.168.20.250
add name=pool-GAME ranges=192.168.25.245-192.168.25.250
add name=pool-IOT ranges=192.168.30.5-192.168.30.254
add name=pool-GUEST ranges=192.168.100.10-192.168.100.200
# One DHCP server per VLAN, all bound to the SW1 VLAN interfaces.
# Lease time is 1d everywhere except GUEST (2h).
# NOTE(review): dhcpd-IOT uses lease-time=1d, so the server-level setting does not by itself
# account for a 5-minute deassigned/assigned cycle; any per-lease override would be in the
# redacted "/ip dhcp-server lease" section.
/ip dhcp-server
add address-pool=pool-USERS comment=USERS insert-queue-before=bottom \
interface=vlan200-USERS-SW1 lease-time=1d name=dhcpd-USERS
add address-pool=pool-GAME comment=GAME insert-queue-before=bottom interface=\
vlan250-GAME-SW1 lease-time=1d name=dhcpd-GAME
add address-pool=pool-GUEST comment=GUESTS insert-queue-before=bottom \
interface=vlan1000-GUEST-SW1 lease-time=2h name=dhcpd-GUEST
add address-pool=pool-IOT comment=IOT insert-queue-before=bottom interface=\
vlan300-IOT-SW1 lease-time=1d name=dhcpd-IOT
add address-pool=pool-MGMT comment=MGMT insert-queue-before=bottom interface=\
vlan99-MGMT-SW1 lease-time=1d name=dhcpd-MGMT
/port
set 0 name=serial0
# Custom group: grants reboot, read, write, policy, test, api; every interactive channel
# (local, telnet, ssh, ftp, winbox, web, rest-api) plus password, sniff, sensitive and romon
# is denied, so members can only log in through the API service.
# NOTE(review): presumably the account used by Home Assistant (group name, and the API input
# rule for 192.168.30.10). write + policy is broad for an automation account; if the
# integration only reads state, dropping write/policy/reboot limits what a leaked API
# credential can change - confirm what the integration actually needs.
/user group
add name=ha_user_group policy="reboot,read,write,policy,test,api,!local,!telne\
t,!ssh,!ftp,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
# Bridge membership: ether1-ether5 on bridge-LAN-SW1, ether6-ether10 on bridge-LAN-SW2.
/interface bridge port
add bridge=bridge-LAN-SW1 interface=ether1
add bridge=bridge-LAN-SW1 interface=ether2
add bridge=bridge-LAN-SW1 interface=ether3
add bridge=bridge-LAN-SW1 interface=ether4
add bridge=bridge-LAN-SW1 interface=ether5
add bridge=bridge-LAN-SW2 interface=ether6
add bridge=bridge-LAN-SW2 interface=ether7
add bridge=bridge-LAN-SW2 interface=ether8
add bridge=bridge-LAN-SW2 interface=ether9
add bridge=bridge-LAN-SW2 interface=ether10
# SYN cookies enabled for TCP handled by the router itself.
/ip settings
set tcp-syncookies=yes
# IPv6 is switched off globally; this export contains no /ipv6 firewall section.
/ipv6 settings
set disable-ipv6=yes
# Detect-internet runs on the VLANs list (LAN side) and the WAN list.
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=VLANs wan-interface-list=\
WAN
# Switch-chip VLAN tables: which physical ports (plus the CPU port) are members of each VLAN.
# switch1: ether1, ether2 and ether5 carry every VLAN; ether4 is added for 99, ether3 for 300.
# switch2: ether6 carries every VLAN; ether8/ether9 are added for 200, ether7 for 250,
# ether10 for 300.
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether5,ether4,switch1-cpu \
switch=switch1 vlan-id=99
add independent-learning=yes ports=ether1,ether2,ether5,ether3,switch1-cpu \
switch=switch1 vlan-id=300
add independent-learning=yes ports=ether1,ether2,ether5,switch1-cpu switch=\
switch1 vlan-id=200
add independent-learning=yes ports=ether1,ether2,ether5,switch1-cpu switch=\
switch1 vlan-id=250
add independent-learning=yes ports=ether1,ether2,ether5,switch1-cpu switch=\
switch1 vlan-id=1000
add independent-learning=yes ports=ether6,switch2-cpu switch=switch2 vlan-id=\
99
add independent-learning=yes ports=ether6,ether8,ether9,switch2-cpu switch=\
switch2 vlan-id=200
add independent-learning=yes ports=ether6,ether7,switch2-cpu switch=switch2 \
vlan-id=250
add independent-learning=yes ports=ether6,ether10,switch2-cpu switch=switch2 \
vlan-id=300
add independent-learning=yes ports=ether6,switch2-cpu switch=switch2 vlan-id=\
1000
# List membership, as populated below:
#   VLANs           - all ten VLAN interfaces (five per bridge)
#   NOT_FROM_VLANn  - every VLAN interface EXCEPT those of VLAN n (eight each)
#   MGMT-/USERS-/GAME-/IOT-/GUEST-VLANn - the SW1 and SW2 interface of that one VLAN
#   WAN             - pppoe-out-INTERNET only
# The firewall's inter-VLAN isolation depends on these lists staying complete: a VLAN
# interface added later but left out of the NOT_FROM_* lists would not be covered by the
# forward reject rules.
/interface list member
add interface=vlan99-MGMT-SW1 list=VLANs
add interface=vlan200-USERS-SW1 list=VLANs
add interface=vlan250-GAME-SW1 list=VLANs
add interface=vlan300-IOT-SW1 list=VLANs
add interface=vlan1000-GUEST-SW1 list=VLANs
add interface=vlan200-USERS-SW1 list=NOT_FROM_VLAN99
add interface=vlan250-GAME-SW1 list=NOT_FROM_VLAN99
add interface=vlan300-IOT-SW1 list=NOT_FROM_VLAN99
add interface=vlan1000-GUEST-SW1 list=NOT_FROM_VLAN99
add interface=vlan99-MGMT-SW1 list=NOT_FROM_VLAN200
add interface=vlan250-GAME-SW1 list=NOT_FROM_VLAN200
add interface=vlan300-IOT-SW1 list=NOT_FROM_VLAN200
add interface=vlan1000-GUEST-SW1 list=NOT_FROM_VLAN200
add interface=vlan99-MGMT-SW1 list=NOT_FROM_VLAN250
add interface=vlan200-USERS-SW1 list=NOT_FROM_VLAN250
add interface=vlan300-IOT-SW1 list=NOT_FROM_VLAN250
add interface=vlan1000-GUEST-SW1 list=NOT_FROM_VLAN250
add interface=vlan99-MGMT-SW1 list=NOT_FROM_VLAN300
add interface=vlan200-USERS-SW1 list=NOT_FROM_VLAN300
add interface=vlan250-GAME-SW1 list=NOT_FROM_VLAN300
add interface=vlan1000-GUEST-SW1 list=NOT_FROM_VLAN300
add interface=vlan99-MGMT-SW1 list=NOT_FROM_VLAN1000
add interface=vlan200-USERS-SW1 list=NOT_FROM_VLAN1000
add interface=vlan250-GAME-SW1 list=NOT_FROM_VLAN1000
add interface=vlan300-IOT-SW1 list=NOT_FROM_VLAN1000
add interface=vlan99-MGMT-SW1 list=MGMT-VLAN99
add interface=vlan99-MGMT-SW2 list=MGMT-VLAN99
add interface=vlan200-USERS-SW2 list=NOT_FROM_VLAN99
add interface=vlan250-GAME-SW2 list=NOT_FROM_VLAN99
add interface=vlan300-IOT-SW2 list=NOT_FROM_VLAN99
add interface=vlan1000-GUEST-SW2 list=NOT_FROM_VLAN99
add interface=vlan99-MGMT-SW2 list=NOT_FROM_VLAN200
add interface=vlan250-GAME-SW2 list=NOT_FROM_VLAN200
add interface=vlan300-IOT-SW2 list=NOT_FROM_VLAN200
add interface=vlan1000-GUEST-SW2 list=NOT_FROM_VLAN200
add interface=vlan99-MGMT-SW2 list=NOT_FROM_VLAN250
add interface=vlan200-USERS-SW2 list=NOT_FROM_VLAN250
add interface=vlan300-IOT-SW2 list=NOT_FROM_VLAN250
add interface=vlan1000-GUEST-SW2 list=NOT_FROM_VLAN250
add interface=vlan99-MGMT-SW2 list=NOT_FROM_VLAN300
add interface=vlan200-USERS-SW2 list=NOT_FROM_VLAN300
add interface=vlan250-GAME-SW2 list=NOT_FROM_VLAN300
add interface=vlan1000-GUEST-SW2 list=NOT_FROM_VLAN300
add interface=vlan99-MGMT-SW2 list=NOT_FROM_VLAN1000
add interface=vlan200-USERS-SW2 list=NOT_FROM_VLAN1000
add interface=vlan250-GAME-SW2 list=NOT_FROM_VLAN1000
add interface=vlan300-IOT-SW2 list=NOT_FROM_VLAN1000
add interface=vlan99-MGMT-SW2 list=VLANs
add interface=vlan200-USERS-SW2 list=VLANs
add interface=vlan250-GAME-SW2 list=VLANs
add interface=vlan300-IOT-SW2 list=VLANs
add interface=vlan1000-GUEST-SW2 list=VLANs
add interface=vlan200-USERS-SW1 list=USERS-VLAN200
add interface=vlan200-USERS-SW2 list=USERS-VLAN200
add interface=vlan300-IOT-SW1 list=IOT-VLAN300
add interface=vlan300-IOT-SW2 list=IOT-VLAN300
add interface=vlan250-GAME-SW1 list=GAME-VLAN250
add interface=vlan250-GAME-SW2 list=GAME-VLAN250
add interface=vlan1000-GUEST-SW1 list=GUEST-VLAN1000
add interface=vlan1000-GUEST-SW2 list=GUEST-VLAN1000
add interface=pppoe-out-INTERNET list=WAN
# Router addresses. The .1 gateways live on the SW1 VLAN interfaces; the .2 addresses
# on the SW2 VLAN interfaces are all disabled.
/ip address
add address=192.168.99.1/24 comment=MGMT interface=vlan99-MGMT-SW1 network=\
192.168.99.0
add address=192.168.20.1/24 comment=USERS interface=vlan200-USERS-SW1 \
network=192.168.20.0
add address=192.168.25.1/24 comment=GAME interface=vlan250-GAME-SW1 network=\
192.168.25.0
add address=192.168.30.1/24 comment=IOT interface=vlan300-IOT-SW1 network=\
192.168.30.0
add address=192.168.100.1/24 comment=GUESTS interface=vlan1000-GUEST-SW1 \
network=192.168.100.0
add address=192.168.20.2/24 comment=USERS disabled=yes interface=\
vlan200-USERS-SW2 network=192.168.20.0
add address=192.168.25.2/24 comment=GAME disabled=yes interface=\
vlan250-GAME-SW2 network=192.168.25.0
add address=192.168.30.2/24 comment=IOT disabled=yes interface=\
vlan300-IOT-SW2 network=192.168.30.0
add address=192.168.99.2/24 comment=MGMT disabled=yes interface=\
vlan99-MGMT-SW2 network=192.168.99.0
# NOTE(review): this GUESTS address is bound to vlan250-GAME-SW2, not vlan1000-GUEST-SW2.
# It has no effect while disabled=yes, but enabling it as-is would place a guest-subnet
# address on the GAME VLAN - looks like a copy/paste slip; confirm.
add address=192.168.100.2/24 comment=GUESTS disabled=yes interface=\
vlan250-GAME-SW2 network=192.168.100.0
# The next line is the poster's placeholder for the redacted static leases (it is not a
# RouterOS command). The lease for 192.168.30.129 discussed in the post would be here.
/ip dhcp-server lease
STATIC LEASES
# DHCP options per address range. Every entry advertises netmask=24 even where the entry
# itself is a /25 or /26, so the sub-ranges only select which options a client receives.
#   USERS 192.168.20.0/25     - router as DNS, gateway and NTP
#   USERS 192.168.20.128/26   - public resolvers (9.9.9.9, 1.1.1.1), bypassing the router's DNS
#   GAME / GUESTS             - public resolvers as well
#   IOT 192.168.30.0/25       - dns-none=yes and no gateway option: clients in this range
#                               receive neither a resolver nor a default route from DHCP
#   IOT 192.168.30.128/26 and 192.168.30.192/26 - router as DNS, gateway and NTP
# The Mi Hub's 192.168.30.129 falls in 192.168.30.128/26 ("I0T - 2").
/ip dhcp-server network
add address=192.168.20.0/25 comment="USERS - USUARIOS" dns-server=\
192.168.20.1 gateway=192.168.20.1 netmask=24 ntp-server=192.168.20.1
add address=192.168.20.128/26 comment="USERS - MULTIMEDIA" dns-server=\
9.9.9.9,1.1.1.1 gateway=192.168.20.1 netmask=24 ntp-server=192.168.20.1
add address=192.168.25.0/24 comment=GAME dns-server=9.9.9.9,8.8.8.8 gateway=\
192.168.25.1 netmask=24
add address=192.168.30.0/25 comment="I0T - 1" dns-none=yes netmask=24 \
ntp-server=192.168.30.1
add address=192.168.30.128/26 comment="I0T - 2" dns-server=192.168.30.1 \
gateway=192.168.30.1 netmask=24 ntp-server=192.168.30.1
add address=192.168.30.192/26 comment="I0T - 3" dns-server=192.168.30.1 \
gateway=192.168.30.1 netmask=24 ntp-server=192.168.30.1
add address=192.168.99.0/24 comment=MGMT dns-server=192.168.99.1 gateway=\
192.168.99.1 netmask=24 ntp-server=192.168.99.1
add address=192.168.100.0/24 comment=GUESTS dns-server=9.9.9.9 gateway=\
192.168.100.1 netmask=24
# The router answers DNS queries from clients (allow-remote-requests=yes). Who can reach
# the resolver is decided by the input chain below: UDP/53 is accepted from the VLANs list
# only and the chain ends in an unconditional drop, so the WAN side is not served.
# NOTE(review): only UDP/53 is accepted; DNS over TCP/53 to the router is dropped.
/ip dns
set allow-remote-requests=yes max-udp-packet-size=8192
# Address lists. Only WebOS_TV (forward rule) and HA_CON (hairpin NAT) are referenced by
# rules in this export; USERS, GAME, IOT, GUESTS and MGMT are defined but unused here.
/ip firewall address-list
add address=192.168.20.0/24 list=USERS
add address=192.168.25.0/24 list=GAME
add address=192.168.30.0/24 list=IOT
add address=192.168.100.0/24 list=GUESTS
add address=192.168.99.0/24 list=MGMT
add address=192.168.20.129 list=WebOS_TV
add address=192.168.30.0/24 list=HA_CON
add address=192.168.20.0/24 list=HA_CON
add address=192.168.99.0/24 list=HA_CON
add address=192.168.20.130 list=WebOS_TV
add address=192.168.20.131 list=WebOS_TV
# ---- input chain (traffic to the router itself): explicit allows, then drop everything ----
/ip firewall filter
add action=accept chain=input comment=\
"def: input - established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="def: input - invalid" connection-state=\
invalid
# RouterOS API on its moved port (18728), from the single host 192.168.30.10 on the IoT VLAN.
# NOTE(review): this is the plain-text API (api-ssl is disabled under /ip service), so the
# API login crosses the IoT VLAN unencrypted; the rule also matches on source address only,
# not on the ingress interface list.
add action=accept chain=input comment="API Mikrotik from HA Yellow" dst-port=\
18728 protocol=tcp src-address=192.168.30.10
# Management (Winbox, SSH, ICMP) is reachable from the MGMT VLAN only.
add action=accept chain=input comment="Winbox from MGMT 99" dst-port=65500 \
in-interface-list=MGMT-VLAN99 protocol=tcp
add action=accept chain=input comment="SSH from MGMT 99" dst-port=22222 \
in-interface-list=MGMT-VLAN99 protocol=tcp
add action=accept chain=input comment="Accept DNS from VLANs" dst-port=53 \
in-interface-list=VLANs protocol=udp
add action=accept chain=input comment="Accept NTP from VLANs" dst-port=123 \
in-interface-list=VLANs protocol=udp
# UPnP control traffic is accepted from the GAME VLAN only (see /ip upnp).
add action=accept chain=input comment="Allos UPNP from GAME VLAN - UDP/1900" \
dst-port=1900 in-interface-list=GAME-VLAN250 log-prefix=UPnP protocol=udp
add action=accept chain=input comment="Allos UPNP from GAME VLAN - TCP/2828" \
dst-port=2828 in-interface-list=GAME-VLAN250 log-prefix=UPnP protocol=tcp
add action=accept chain=input comment="def: ICMP from MGMT 99" \
in-interface-list=MGMT-VLAN99 protocol=icmp
add action=drop chain=input comment="input - Drop all"
# ---- forward chain (traffic through the router) ----
add action=fasttrack-connection chain=forward comment="def: fasttrack" \
connection-state=established,related hw-offload=yes
# NOTE(review): this rule matches packets FROM the WebOS_TV addresses with SOURCE port
# 3000/3001 TO 192.168.30.10, i.e. the reply direction of a connection opened by the HA
# host. It is a stateless source-port match: anything those three hosts send from ports
# 3000/3001 to the HA host is accepted. No visible rule accepts the HA -> TV direction
# ahead of the IOT reject rule further down - verify the intended direction.
add action=accept chain=forward comment=\
"Allows HA to communicate with WebOS (TCP 3000-3001)" dst-address=\
192.168.30.10 protocol=tcp src-address-list=WebOS_TV src-port=3000,3001
add action=accept chain=forward comment="Allows USERS to communicate with HA" \
dst-address=192.168.30.10 dst-port=8123,8443,9541 in-interface-list=\
USERS-VLAN200 log-prefix=US-HA protocol=tcp
# Inter-VLAN isolation. Each rule rejects packets that ENTER from VLAN n and LEAVE through
# any other VLAN (the comments say "traffic to", but the match is traffic from that VLAN).
# Taken together the five rules block forwarding between any two VLANs in either direction.
# NOTE(review): these rules sit ABOVE the established/related accept and carry no
# connection-state match, so reply packets of the flows allowed above (e.g. IOT -> USERS
# replies from 192.168.30.10) also match them whenever they are evaluated here. The usual
# ordering is established/related accept first, then the isolation rules - confirm
# behaviour with the rule counters.
add action=reject chain=forward comment="Blocks traffic to VLAN 99 MGMT" \
in-interface-list=MGMT-VLAN99 out-interface-list=NOT_FROM_VLAN99 \
reject-with=icmp-net-prohibited
add action=reject chain=forward comment="Blocks traffic to VLAN 200 USERS" \
in-interface-list=USERS-VLAN200 log-prefix=VLAN200 out-interface-list=\
NOT_FROM_VLAN200 reject-with=icmp-net-prohibited
add action=reject chain=forward comment="Blocks traffic to VLAN 250 GAME" \
in-interface-list=GAME-VLAN250 out-interface-list=NOT_FROM_VLAN250 \
reject-with=icmp-net-prohibited
add action=reject chain=forward comment="Blocks traffic to VLAN 300 IOT" \
in-interface-list=IOT-VLAN300 out-interface-list=NOT_FROM_VLAN300 \
reject-with=icmp-net-prohibited
add action=reject chain=forward comment="Blocks traffic to VLAN 1000 GUEST" \
in-interface-list=GUEST-VLAN1000 out-interface-list=NOT_FROM_VLAN1000 \
reject-with=icmp-net-prohibited
add action=accept chain=forward comment=\
"def: forward - established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="def: forward - invalid" \
connection-state=invalid
# New connections from WAN are dropped unless they were dst-NATed (port forwards, UPnP maps).
add action=drop chain=forward comment="def: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# The final drop is disabled, so the forward chain is default-accept: anything not matched
# above (notably every VLAN -> WAN flow, including from IOT and GUEST) is forwarded.
add action=drop chain=forward comment="forward- Drop all" disabled=yes
/ip firewall nat
# NTP redirect to the router for sources in 192.168.111.0/24.
# NOTE(review): no interface, pool or DHCP network in this export uses 192.168.111.0/24,
# so this rule looks like a leftover that never matches - confirm and remove or re-scope.
add action=redirect chain=dstnat comment=\
"Redirige tr\E1fico LAN de NTP (UDP-123) a enrutador." dst-port=123 \
protocol=udp src-address=192.168.111.0/24
# Hairpin NAT: traffic from the HA_CON lists (IOT, USERS, MGMT subnets) to 192.168.30.10 is
# masqueraded, with no protocol or port restriction. The HA host therefore sees the
# router's address instead of the real client, which hides client IPs in its access logs
# and from any IP-based ban or allow-list it applies.
add action=masquerade chain=srcnat comment="Hairpin NAT para HA" dst-address=\
192.168.30.10 src-address-list=HA_CON
# Publishes TCP/8443 on the WAN interface to the HA host on the IoT VLAN, from any source.
# NOTE(review): this is the one Internet-reachable service in the export; there is no
# src-address-list restriction, so protection rests entirely on the HA host's own TLS and
# authentication. A source allow-list or VPN-only access would reduce the exposure.
add action=dst-nat chain=dstnat comment="HA Yellow-Acceso desde Internet" \
dst-port=8443 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.30.10 to-ports=8443
add action=masquerade chain=srcnat comment="NAT Internet for VLANs" \
out-interface-list=WAN
# NAT-PMP interface roles (external = PPPoE, internal = GAME VLAN). Whether NAT-PMP itself
# is enabled is not shown in this export.
/ip nat-pmp interfaces
add interface=pppoe-out-INTERNET type=external
add interface=vlan250-GAME-SW2 type=internal
add interface=vlan250-GAME-SW1 type=internal
# Service hardening: telnet, ftp, www and api-ssl are disabled; ssh, api and winbox are
# moved to non-default ports. No address= restriction is set on any service, so access
# control relies entirely on the input chain of the firewall.
# NOTE(review): the enabled API is the plain-text one; enabling api-ssl with a certificate
# and disabling api would protect the automation account's login in transit.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22222
set api port=18728
set winbox port=65500
set api-ssl disabled=yes
# UPnP is enabled with the PPPoE uplink as external and the GAME VLAN as internal: hosts on
# the GAME VLAN can request inbound port mappings on the WAN address without
# authentication. Scope is limited to the GAME VLAN interfaces listed below.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=pppoe-out-INTERNET type=external
add interface=vlan250-GAME-SW2 type=internal
add interface=vlan250-GAME-SW1 type=internal
# Housekeeping settings: LCD, clock, identity, logging, NTP, firmware.
/lcd
set backlight-timeout=5m default-screen=interfaces
# Time zone redacted by the poster.
/system clock
set time-zone-name=SECRET/SECRET
/system identity
set name="MikroTik RB3011"
# A DHCP debug logging rule exists but is disabled.
# NOTE(review): enabling it temporarily would record the full DHCP exchange behind the
# repeating "deassigned"/"assigned" messages and show which side triggers each cycle.
/system logging
add disabled=yes prefix=DHCP topics=dhcp,debug
/system note
set show-at-login=no
# The router is both NTP client (pool.ntp.org servers) and NTP server for the VLANs;
# the input chain accepts UDP/123 from the VLANs list only.
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=2.pool.ntp.org
add address=3.pool.ntp.org
add address=pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
Is there some issue with this device or with my configuration? Thanks.