CRS309 behind CCR2004 setup questions

FinlayDaG33k · Thu Feb 06, 2025 6:28 pm

Hii there,

I currently have the network setup shown in the "current situation" attachment.
However, the CCR2004(-1G-12S+2XS) struggles really hard when transferring data between say, VLAN1001 (eg. my desktop) and VLAN1003 (eg. my NAS), reaching just 5Gbps at max (this is a router bottleneck, the NAS and PC itself are more than capable of it).
As such, I wanted to throw a CRS309 between the CCR2004, CRS317 and CRS326 (see "proposed situation" attachment).
This would also allow me to more easily update the CCR2004 (as it's the main gatekeeper between my LAN and the wild west of the internet) without affecting the LAN as much.

The CCR2004 will only handle things related to my ISP (connecting to the ISP, handling traffic from and to ISP, firewall etc.)
The CRS309 will handle things related to my LAN (DHCP server, Inter-VLAN connections etc.)

But this leaves some questions:

Would this allow me to reach wirespeed between VLANs even with some firewall rules?
- Currently, `established` and `related` get fasttracked on the CCR2004, there are no other fancy things just "accept+fasttrack/drop".
- I have read about Fasttrack HW Offloading which is what I intend to use, so that should be fine right?
How would portforwarding work?
- CCR2004 will handle the stuff coming from the ISP (eg. someone trying to reach a website hosted here).
- I think I could just have the CCR2004 do DST-NAT as usual (`action=dst-nat to-addresses=192.168.3.X to-ports=25565`), it will then send the packet to the CRS309 and the CRS309 will figure out from here?
Where would I setup queues (only affects uplink to ISP, internally everything can just go as fast as possible)? CCR2004 or CRS309?
- I assume on the CRS309 as CCR2004 only sees 1 IP address (the CRS309) or am I wrong?
Would I need to add some extra static routes of sorts?
- I assume if I set the `default gateway` for each of the VLANs to the CRS309 and a static route `0.0.0.0/0` to be reachable via `192.168.0.1/24` (the CCR2004), it'll work?
- Probably need to add static routes in the CCR2004 to forward things to the CRS309?
- Would I need some other extra config (eg. a masquerade rule or something)?
  I hope this explanation and the questions made enough sense.
  
  Thanks in advance!

ConradPino · Fri Feb 07, 2025 5:36 am

Consider posting CCR2004 config after removing sensitive information (serial number, IP addresses, user credentials, etc).

/export terse file=ccr2004-FinlayDaG33k.rsc

CRS309 can do the job at Layer 2 alone, Layer 3 routing not required but that won't have the LAN independence from CCR2004 downtime you want.
CRS309 supports Layer 3 Hardware Offloading which will provide the LAN independence from CCR2004 downtime you want.
I used to route on CRS309 but moved that job over to an RB5009. Do you run any LAN to LAN firewall rules on CCR2004?

Avoid firewall rules on CRS309 if possible; it can hardware offload some firewall rules but not in large numbers.
If needed a few LAN to LAN rules should be OK and leave WAN rules on CCR2004.
Disclose Spanning Tree Protocol requirements.

FinlayDaG33k · Fri Feb 07, 2025 12:54 pm

I used to route on CRS309 but moved that job over to an RB5009. Do you run any LAN to LAN firewall rules on CCR2004?

Yes, I do.
They are basically just:

If allowed: Return -> Accept -> Fasttrack.
If not allowed: Drop on the spot.

/ip firewall filter 
  add action=fasttrack-connection chain=forward comment="Fasttrack LAN" connection-state=established,related hw-offload=yes in-interface-list=LAN out-interface-list=LAN
  add action=jump chain=forward comment="Chain for LAN Access Control" connection-state=new dst-address-list=lan-addresses jump-target=lan-access src-address-list=lan-addresses
  add action=accept chain=forward comment="Accept return from lan-access" connection-state=new
  add action=accept chain=forward comment="Accept established and related" connection-state=established,related
  add action=return chain=lan-access comment="Allow Private VLAN" in-interface=vlan1000
  add action=return chain=lan-access comment="Allow Virtual VLAN" in-interface=vlan1003
  add action=return chain=lan-access comment="Allow Wireguard" in-interface=wireguard1
  add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=53 protocol=tcp
  add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=53 protocol=udp
  add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=853 protocol=tcp
  add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=853 protocol=udp
  add action=return chain=lan-access comment="Allow Plex" dst-address=192.168.3.109 dst-port=32400 protocol=tcp
  add action=return chain=lan-access comment="Allow Printer Access" dst-address=192.168.5.2
  add action=return chain=lan-access comment="Allow Tablet to OBS" dst-address=192.168.1.2 dst-port=4455 protocol=tcp src-address=192.168.5.233
  add action=drop chain=lan-access comment="Isolate Parents (to self)" in-interface=vlan1002 out-interface=!vlan1002
  add action=drop chain=lan-access comment="Isolate IOT" in-interface=vlan1005
  add action=drop chain=lan-access comment="Isolate Guests" in-interface=vlan1255

Disclose Spanning Tree Protocol requirements.

I don't know if you mean this but:

CRS317 will connect to the CRS326 as well (I seem to have forgotten that little line).
There will be 2 clients connected to both the CRS317 and CRS326.
There will be an RB5009 connected to the CRS317, CRS326, CCR2004 and likely CRS309 (used for stuff like RoMON, AdGuard Home, MKTXP etc. etc.).

ConradPino · Fri Feb 07, 2025 3:52 pm

RouterOS documentation Spanning Tree Protocol has multiple flavors.

I really mean export the entire CCR2004 configuration (redact only security sensitive items).
Failing to fully disclose creates protracted dialogues leading to annoyance and destroying motivation to help.
Your choice do you make it easy for forum users or shall we just ignore you?
Export CRS317 and CRS326 configurations as well please.
Quote configurations as code blocks is typical.
File attachments only add extra steps.
Quote and attach both is optional.

FinlayDaG33k · Fri Feb 07, 2025 5:02 pm

RouterOS documentation Spanning Tree Protocol has multiple flavors.

I really mean export the entire CCR2004 configuration (redact only security sensitive items).
Failing to fully disclose creates protracted dialogues leading to annoyance and destroying motivation to help.
Your choice do you make it easy for forum users or shall we just ignore you?
Export CRS317 and CRS326 configurations as well please.
Quote configurations as code blocks is typical.
File attachments only add extra steps.
Quote and attach both is optional.

Here is the CCR2004 (I did manually remove some entries (IPv6, DHCP static leases and Wireguard peers):

# 2025-02-07 17:39:04 by RouterOS 7.16.1
# software id = REDACTED
#
# model = CCR2004-1G-12S+2XS
# serial number = REDACTED
/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short priority=0x7000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Management name=mgmt
set [ find default-name=sfp-sfpplus1 ] comment="To Modem" l2mtu=1600 loop-protect=off
set [ find default-name=sfp-sfpplus2 ] comment="To CRS317-1G-16S+RM"
set [ find default-name=sfp-sfpplus3 ] comment="To CRS326-24G-2S+"
set [ find default-name=sfp-sfpplus4 ] comment=RB5009UG+S+
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment="Delta Internet" interface=sfp-sfpplus1 loop-protect=off name=delta-vlan100 vlan-id=100
add comment="Delta IPTV" interface=sfp-sfpplus1 name=delta-vlan101 vlan-id=101
add comment="Delta VoIP" interface=sfp-sfpplus1 name=delta-vlan102 vlan-id=102
add comment="Private VLAN" interface=bridge1 name=vlan10 vlan-id=10
add comment="Virtual Devices" interface=bridge1 name=vlan30 vlan-id=30
add comment="Main Infra (New)" interface=bridge1 name=vlan1000 vlan-id=1000
add comment="Private VLAN (New)" interface=bridge1 name=vlan1001 vlan-id=1001
add comment=Parents interface=bridge1 name=vlan1002 vlan-id=1002
add comment=IOT interface=bridge1 name=vlan1005 vlan-id=1005
add comment=Guests interface=bridge1 name=vlan1255 vlan-id=1255
/interface list
add name=WAN
add name=LAN
add comment="Neighbours for MNDP Attack mitigation" name=Neighbour
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-client option
add code=60 name=iptv_rg value="'IPTV_RG'"
/ip pool
add name=vlan10 ranges=192.168.1.10-192.168.1.254
add name=vlan1255 ranges=192.168.255.10-192.168.255.254
add name=vlan1002 ranges=192.168.2.10-192.168.2.254
add name=vlan30 ranges=192.168.3.10-192.168.3.254
add name=vlan1005 ranges=192.168.5.10-192.168.5.243
add name=vlan1000 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add add-arp=yes address-pool=vlan10 interface=vlan10 lease-time=10m name=vlan10
add add-arp=yes address-pool=vlan1255 interface=vlan1255 lease-time=10m name=vlan1255
add add-arp=yes address-pool=vlan1002 interface=vlan1002 lease-time=10m name=vlan1002
add add-arp=yes address-pool=vlan30 interface=vlan30 lease-time=10m name=vlan30
add add-arp=yes address-pool=vlan1005 interface=vlan1005 lease-time=10m name=vlan1005
add add-arp=yes address-pool=vlan10 interface=vlan1001 lease-time=10m name=vlan1001
add add-arp=yes address-pool=vlan1000 interface=vlan1000 lease-time=10m name=vlan1000
/ip smb users
set [ find default=yes ] disabled=yes
/ipv6 pool
add name=ULA prefix=fc00::/7 prefix-length=64
/port
set 0 name=serial0
set 1 name=serial1
/queue type
set 0 pfifo-limit=250
add cake-nat=yes cake-rtt-scheme=internet kind=cake name=cake-upload
add kind=fq-codel name=fq_codel
add cake-nat=yes cake-rtt-scheme=internet kind=cake name=cake-download
set 11 mq-pfifo-limit=5
/queue simple
add bucket-size=0/0 dst=delta-vlan100 limit-at=980M/980M max-limit=980M/980M name=ISP priority=1/1 queue=fq_codel/fq_codel target="" total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=890M/890M max-limit=980M/980M name="Private Wired" parent=ISP priority=1/1 queue=fq_codel/fq_codel target=vlan10 total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=50M/50M max-limit=900M/900M name=Servers parent=ISP priority=2/2 queue=fq_codel/fq_codel target=vlan30 total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=25M/25M max-limit=900M/900M name=Parents parent=ISP queue=pcq-upload-default/pcq-download-default target=vlan1002 total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=1M/10M max-limit=1M/50M name=IOT parent=ISP queue=pcq-upload-default/pcq-download-default target=vlan1005 total-queue=default
add limit-at=10M/10M max-limit=980M/980M name=Guest parent=ISP queue=pcq-upload-default/pcq-download-default target=vlan1255 total-queue=default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/user group
add name=dudes policy=read,winbox,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api
add name=ninym policy=read,api,rest-api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon
add name=mktxp policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
add name=disallow
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 multicast-router=disabled path-cost=10
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus3 internal-path-cost=10 multicast-router=disabled path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus5 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus6 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus7 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus8 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus9 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus10 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp28-1 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp28-2 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes interface=sfp-sfpplus11 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus12 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=sfp-sfpplus4
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=3m
/ip neighbor discovery-settings
set discover-interface-list=Neighbour lldp-max-frame-size=yes lldp-vlan-info=yes
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=30
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1002
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1005
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=99
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1255
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1001
add bridge=bridge1 tagged=sfp-sfpplus2,sfp-sfpplus3,bridge1,sfp-sfpplus4 vlan-ids=1000
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=vlan10 list=LAN
add interface=vlan30 list=LAN
add interface=vlan1002 list=LAN
add interface=delta-vlan100 list=WAN
add interface=vlan1005 list=LAN
add interface=delta-vlan102 list=WAN
add interface=delta-vlan101 list=WAN
add interface=vlan1001 list=LAN
add interface=vlan1000 list=Neighbour
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.2.1/24 interface=vlan1002 network=192.168.2.0
add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0
add address=192.168.255.1/24 interface=vlan1255 network=192.168.255.0
add address=192.168.3.1/24 interface=vlan30 network=192.168.3.0
add address=192.168.5.1/24 interface=vlan1005 network=192.168.5.0
add address=192.168.254.1/24 interface=wireguard1 network=192.168.254.0
add address=192.168.1.1/24 disabled=yes interface=vlan1001 network=192.168.1.0
add address=192.168.0.1/24 interface=vlan1000 network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add add-default-route=no comment="Delta VoIP" dhcp-options=clientid,clientid_duid interface=delta-vlan102 use-peer-dns=no use-peer-ntp=no
add comment="Delta Internet" interface=delta-vlan100 use-peer-dns=no use-peer-ntp=no
add add-default-route=no comment="Delta IPTV" dhcp-options=iptv_rg,hostname,clientid interface=delta-vlan101 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server alert
add alert-timeout=1d disabled=no interface=vlan30 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1005 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1002 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=*40 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1255 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan10 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1001 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=192.168.0.0/24 caps-manager=192.168.0.7 dns-server=192.168.0.7 gateway=192.168.0.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.1.0/24 dns-server=192.168.0.7 gateway=192.168.1.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.2.0/24 dns-server=192.168.0.7 gateway=192.168.2.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.3.0/24 dns-server=192.168.0.7 gateway=192.168.3.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.5.0/24 dns-server=192.168.0.7 gateway=192.168.5.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.255.0/24 dns-server=192.168.0.7 gateway=192.168.255.1 netmask=24 ntp-server=192.168.0.7
/ip dns
set allow-remote-requests=yes cache-size=262144KiB servers=192.168.0.7
/ip firewall address-list
add address=81.172.152.214 list=my-wan-addresses
add address=192.168.0.0/24 list=lan-addresses
add address=192.168.1.0/24 list=lan-addresses
add address=192.168.2.0/24 list=lan-addresses
add address=192.168.3.0/24 list=lan-addresses
add address=192.168.5.0/24 list=lan-addresses
add address=192.168.255.0/24 list=lan-addresses
add address=192.168.254.0/24 list=lan-addresses
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad-ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad-ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad-ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad-ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad-ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad-ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not-global-ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not-global-ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not-global-ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not-global-ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not-global-ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not-global-ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not-global-ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not-global-ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not-global-ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad-src-ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad-src-ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad-dst-ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad-dst-ipv4
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack LAN" connection-state=established,related hw-offload=yes in-interface-list=LAN out-interface-list=LAN
add action=fasttrack-connection chain=forward comment="Fasttrack IPTV" hw-offload=yes out-interface=delta-vlan101
add action=fasttrack-connection chain=forward comment="Fasttrack VoIP" hw-offload=yes out-interface=delta-vlan102
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (DNS.Watch)" dst-address=84.200.70.40 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (LibreDNS)" dst-address=116.202.176.26 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (Google)" dst-address=8.8.8.8 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (CloudFlare)" dst-address=1.1.1.1 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (CloudFlare)" dst-address=1.0.0.1 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (Quad9)" dst-address=9.9.9.11 hw-offload=yes src-address=192.168.0.7
add action=jump chain=forward comment="Chain for LAN Access Control" connection-state=new dst-address-list=lan-addresses jump-target=lan-access src-address-list=lan-addresses
add action=accept chain=forward comment="Accept established and related" connection-state=established,related
add action=jump chain=input comment="Fuck anyone trying to get into my router" in-interface-list=WAN jump-target=detect-remote-intrusion
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: ssh" dst-port=22 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: api-ssl" dst-port=8729 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: api" dst-port=8728 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: winbox" dst-port=8291 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (control)" dst-port=3784 jump-target=add-block-list protocol=udp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (echo)" dst-port=3785 jump-target=add-block-list protocol=udp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (multihop control)" dst-port=4784 jump-target=add-block-list protocol=udp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (multihop control)" dst-port=4784 jump-target=add-block-list protocol=tcp
add action=add-src-to-address-list address-list=remote-intrusion address-list-timeout=4w2d chain=add-block-list comment="Block address for 30d"
add action=drop chain=add-block-list comment="Drop packet immediately"
add action=return chain=lan-access comment="Allow Private VLAN" in-interface=vlan10
add action=return chain=lan-access comment="Allow Private VLAN" in-interface=vlan1001
add action=return chain=lan-access comment="Allow Virtual VLAN" in-interface=vlan30
add action=return chain=lan-access comment="Allow Wireguard" in-interface=wireguard1
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=53 protocol=tcp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=53 protocol=udp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=853 protocol=tcp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=853 protocol=udp
add action=return chain=lan-access comment="Allow Plex" dst-address=192.168.3.109 dst-port=32400 protocol=tcp
add action=return chain=lan-access comment="Allow Printer Access" dst-address=192.168.5.2
add action=return chain=lan-access comment="Allow Tablet to OBS" dst-address=192.168.1.2 dst-port=4455 protocol=tcp src-address=192.168.5.233
add action=drop chain=lan-access comment="Isolate Parents (to self)" in-interface=vlan1002 log-prefix="[FILTER]" out-interface=!vlan1002
add action=drop chain=lan-access comment="Isolate IOT" in-interface=vlan1005 log-prefix="[FILTER]"
add action=drop chain=lan-access comment="Isolate Guests" in-interface=vlan1255 log-prefix="[FILTER]"
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connections for hairpint NAT" dst-address-list=my-wan-addresses new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=lan-addresses
/ip firewall nat
add action=accept chain=input comment="Allow connection to Wireguard server" dst-address-list=my-wan-addresses dst-port=13231 protocol=udp
add action=jump chain=srcnat comment="Create chain for LAN access" jump-target=lan-access
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"
add action=masquerade chain=srcnat comment="Allow outgoing to internet" out-interface-list=WAN
add action=jump chain=dstnat comment="Create chain to force AGH usage (UDP)" disabled=yes dst-address-list=!my-wan-addresses dst-port=53 jump-target=dns-redirection log-prefix="[DNS REDIR]" protocol=udp
add action=jump chain=dstnat comment="Create chain to force AGH usage (TCP)" disabled=yes dst-address-list=!my-wan-addresses dst-port=53 jump-target=dns-redirection log-prefix="[DNS REDIR]" protocol=tcp
add action=jump chain=dstnat comment="Create chain for Portforwards" dst-address-list=my-wan-addresses jump-target=port-forwards log-prefix="[pf]"
add action=dst-nat chain=port-forwards comment="Traefik Ingress (HTTP)" dst-port=80 protocol=tcp to-addresses=192.168.3.122 to-ports=80
add action=dst-nat chain=port-forwards comment="Traefik Ingress (HTTPS)" dst-port=443 protocol=tcp to-addresses=192.168.3.122 to-ports=443
add action=dst-nat chain=port-forwards comment="Traefik Ingress (HTTPS/3)" dst-port=443 protocol=udp to-addresses=192.168.3.122 to-ports=443
add action=dst-nat chain=port-forwards comment="Modoboa (SMTP)" dst-port=25 protocol=tcp to-addresses=192.168.3.6 to-ports=25
add action=dst-nat chain=port-forwards comment="Modoboa (SMTPS)" dst-port=587 protocol=tcp to-addresses=192.168.3.6 to-ports=587
add action=dst-nat chain=port-forwards comment="Modoboa (SMTPS)" dst-port=465 protocol=tcp to-addresses=192.168.3.6 to-ports=465
add action=dst-nat chain=port-forwards comment="Modoboa (IMAP)" dst-port=143 protocol=tcp to-addresses=192.168.3.6 to-ports=143
add action=dst-nat chain=port-forwards comment="Modoboa (IMAPS)" dst-port=993 protocol=tcp to-addresses=192.168.3.6 to-ports=993
add action=dst-nat chain=port-forwards comment=Plex dst-port=32400 protocol=tcp to-addresses=192.168.3.109 to-ports=32400
add action=dst-nat chain=port-forwards comment=Minecraft dst-port=25565 protocol=tcp to-addresses=192.168.3.101 to-ports=25565
add action=dst-nat chain=port-forwards comment=Minecraft dst-port=25565 protocol=udp to-addresses=192.168.3.101 to-ports=25565
add action=dst-nat chain=port-forwards comment="pDNS AFXR (TCP)" dst-port=53 protocol=tcp to-addresses=192.168.3.122 to-ports=9053
add action=dst-nat chain=port-forwards comment="pDNS AFXR (UDP)" dst-port=53 protocol=udp to-addresses=192.168.3.122 to-ports=9053
add action=dst-nat chain=port-forwards comment=Portainer disabled=yes dst-port=888 protocol=tcp to-addresses=192.168.3.122 to-ports=9000
add action=dst-nat chain=port-forwards comment="BiglyBT (TCP)" dst-port=44769 protocol=tcp to-addresses=192.168.1.3 to-ports=44769
add action=dst-nat chain=port-forwards comment="BiglyBT (UDP)" dst-port=44769 protocol=udp to-addresses=192.168.1.3 to-ports=44769
add action=dst-nat chain=port-forwards comment="BiglyBT Remote" disabled=yes dst-port=48674 protocol=tcp to-addresses=192.168.1.3 to-ports=48674
add action=masquerade chain=lan-access comment="Printer Access" dst-address=192.168.5.2
add action=masquerade chain=lan-access comment="Masquerade Resolve Server" dst-address=192.168.1.251 src-address=!192.168.1.0/24
add action=accept chain=dns-redirection comment="Allow AGH out (UDP)" dst-port=53 protocol=udp src-address=192.168.0.7
add action=accept chain=dns-redirection comment="Allow AGH out (TCP)" dst-port=53 protocol=tcp src-address=192.168.0.7
add action=accept chain=dns-redirection comment="Allow PDNS out (UDP)" dst-port=53 protocol=udp src-address=192.168.3.122
add action=accept chain=dns-redirection comment="Allow PDNS out (TCP)" dst-port=53 protocol=tcp src-address=192.168.3.122
add action=dst-nat chain=dns-redirection comment="Force AGH usage (UDP)" dst-port=53 protocol=udp src-address=!192.168.0.7 to-addresses=192.168.0.7 to-ports=53
add action=dst-nat chain=dns-redirection comment="Force AGH usage (TCP)" dst-port=53 protocol=tcp src-address=!192.168.0.7 to-addresses=192.168.0.7 to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment="Drop banned IPs in remote intrusion list" log-prefix="[DoS]" src-address-list=remote-intrusion
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad-ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad-ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad-src-ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad-dst-ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not-global-ipv4
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other" protocol=icmp
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop rst,urg" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad-tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.57.36/32 gateway=delta-vlan100 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.58.162/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.58.180/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.59.36/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.59.50/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.60.3/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.60.2/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no dst-address=62.45.57.34/32 gateway=10.188.168.1 routing-table=main suppress-hw-offload=no
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.57.0/24 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.61.64/28 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.76.0/24 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.58.226/32 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.45.150/32 gateway=10.188.168.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.49.0/24 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=212.115.196.0/25 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=217.63.90.128/25 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.61.16/28 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.61.32/27 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=217.102.255.57/32 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no dst-address=217.63.91.0/26 gateway=10.188.168.1 routing-table=main suppress-hw-offload=no
add comment="Delta IPTV" disabled=no dst-address=62.45.59.0/24 gateway=10.188.168.1 routing-table=main suppress-hw-offload=no
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.17/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.29/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.13/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.15/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.27/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.11/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set www-ssl address=192.168.1.0/24 certificate=webfig disabled=no
set api address=192.168.1.0/24,192.168.3.0/24,192.168.0.0/24
set winbox address=192.168.1.0/24,192.168.0.0/24,192.168.254.0/24
set api-ssl address=10.0.0.0/8,192.168.1.0/24 certificate=*10 disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/radius
add address=192.168.0.7 service=login
/routing igmp-proxy
set quick-leave=yes
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.5.241/32 table=*400
/snmp
set enabled=yes trap-version=3
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system health settings
set fan-control-interval=10s fan-min-speed-percent=0% fan-target-temp=60C
/system identity
set name=CCR2004-1G-12S+2XS
/system logging
set 0 topics=info,!dhcp
set 3 action=memory
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set local-clock-stratum=3
/system ntp client servers
add address=192.168.0.7
/system resource irq rps
set mgmt disabled=no
/system routerboard settings
set boot-delay=1s
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing
set store-every=24hours
/tool netwatch
add comment=CRS317-1G-16S+ disabled=no down-script="" host=192.168.0.2 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment=CRS326-24G-2S+ disabled=no down-script="" host=192.168.0.3 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment="AP Attic" disabled=no down-script="" host=192.168.0.5 http-codes="" interval=1m packet-count=4 packet-interval=20ms test-script="" timeout=1s type=simple up-script=""
add comment="AP Parents" disabled=no down-script="" host=192.168.0.6 http-codes="" interval=1m test-script="" thr-loss-percent=50% timeout=1s type=simple up-script=""
add comment=RB5009UG+S+ disabled=no down-script="" host=192.168.0.7 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment="Switch Bedroom" disabled=no down-script="" host=192.168.0.9 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
/tool romon
set enabled=yes id=2C:C8:1B:39:8D:BD
/user aaa
set default-group=disallow use-radius=yes

And the CRS326:

# 2025-02-07 17:40:46 by RouterOS 7.14.2
# software id = REDACTED
#
# model = CRS326-24G-2S+
# serial number = REDACTED
/interface bridge
add admin-mac=B8:69:F4:8C:A1:06 auto-mac=no ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=bonding1-slave
set [ find default-name=ether2 ] comment=bonding1-slave
set [ find default-name=ether3 ] comment="Richthoven (MOBO1)"
set [ find default-name=ether4 ] comment=finlay-aspire3
set [ find default-name=ether5 ] comment="Isoroku IPMI"
set [ find default-name=ether6 ] comment=RB5009UG+S+IN
set [ find default-name=ether7 ] comment="Local DNS"
set [ find default-name=ether8 ] comment="User Manager"
set [ find default-name=ether9 ] comment="AP Attic"
set [ find default-name=ether10 ] comment="AP Parents"
set [ find default-name=ether11 ] comment="Switch Bedroom"
set [ find default-name=sfp-sfpplus1 ] comment=CCR2004-1G-12S+2XS
set [ find default-name=sfp-sfpplus2 ] comment=CRS317-1G-16S+
/interface vlan
add interface=bridge name=vlan1000 vlan-id=1000
/interface bonding
add comment="Isoroku (gigabit + mgmt)" mode=802.3ad name=bonding1 slaves=ether1,ether2 transmit-hash-policy=layer-2-and-3
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list
add name=Neighbours
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
add name=mktxp policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
add name=disallow
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether21 internal-path-cost=10 path-cost=10 pvid=1005
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=bonding1 internal-path-cost=10 path-cost=10 pvid=30
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=Neighbours
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge,ether9,ether10,ether11 vlan-ids=1005
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge,bonding1,ether9,ether10 untagged=ether4,ether5,ether3 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge untagged=bonding1 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether9,ether10 vlan-ids=1002
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether9,ether10 vlan-ids=1255
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge,bonding1,ether9,ether10 untagged=ether4,ether5,ether3 vlan-ids=1001
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether6,ether7,ether8,ether9,ether10,ether11 vlan-ids=1000
/interface list member
add interface=vlan1000 list=Neighbours
/ip dhcp-client
add interface=vlan1000
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/radius
add address=192.168.0.7 service=login
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=CRS326-24G-2S+
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports=p25,p26 identity=CRS326-24G-2S+ static-ip-address=192.168.0.3
/tool romon
set enabled=yes id=B8:69:F4:8C:A1:06
/tool sniffer
set filter-mac-address=D0:50:99:F1:92:82/FF:FF:FF:FF:FF:FF
/user aaa
set default-group=disallow use-radius=yes

And CRS317:

# 2025-02-07 17:40:08 by RouterOS 7.14.2
# software id = REDACTED
#
# model = CRS317-1G-16S+
# serial number = REDACTED
/interface bridge
add admin-mac=2C:C8:1B:2F:B9:CB auto-mac=no ingress-filtering=no name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1592
set [ find default-name=sfp-sfpplus1 ] comment=CCR2004-1G-12S+2XS l2mtu=1592
set [ find default-name=sfp-sfpplus2 ] comment=CRS326-24G-2S+ l2mtu=1592
set [ find default-name=sfp-sfpplus3 ] comment=Richthoven l2mtu=1592
set [ find default-name=sfp-sfpplus4 ] comment=Isoroku l2mtu=1592
set [ find default-name=sfp-sfpplus5 ] comment=RB5009UG+S+IN l2mtu=1592
set [ find default-name=sfp-sfpplus6 ] l2mtu=1592
set [ find default-name=sfp-sfpplus7 ] l2mtu=1592
set [ find default-name=sfp-sfpplus8 ] l2mtu=1592
set [ find default-name=sfp-sfpplus9 ] l2mtu=1592
set [ find default-name=sfp-sfpplus10 ] l2mtu=1592
set [ find default-name=sfp-sfpplus11 ] l2mtu=1592
set [ find default-name=sfp-sfpplus12 ] l2mtu=1592
set [ find default-name=sfp-sfpplus13 ] l2mtu=1592
set [ find default-name=sfp-sfpplus14 ] l2mtu=1592
set [ find default-name=sfp-sfpplus15 ] l2mtu=1592
set [ find default-name=sfp-sfpplus16 ] l2mtu=1592
/interface vlan
add interface=bridge name=vlan1000 vlan-id=1000
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/user group
add name=mktxp policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,\
    !test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
add name=disallow
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus3 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus4 \
    internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus9 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus10 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus11 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus12 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus13 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus14 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus15 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus16 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set enabled=no udp-timeout=10s
/interface bridge vlan
add bridge=bridge tagged=\
    bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus4,sfp-sfpplus5 untagged=\
    sfp-sfpplus3 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3 \
    untagged=sfp-sfpplus4 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5 \
    vlan-ids=1002
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5 \
    vlan-ids=1005
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5 \
    vlan-ids=1255
add bridge=bridge tagged=\
    bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus4,sfp-sfpplus5 untagged=\
    sfp-sfpplus3 vlan-ids=1001
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,bridge \
    vlan-ids=1000
/ip dhcp-client
add interface=vlan1000
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/radius
add address=192.168.0.7 service=login
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system health settings
set fan-control-interval=5s fan-min-speed-percent=0% fan-target-temp=60C
/system identity
set name=CRS317-1G-16S+
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports=p1,p2 allow-from-vlan=99 identity=CRS317-1G-16S+ \
    static-ip-address=192.168.0.2
/tool bandwidth-server
set authenticate=no enabled=no
/tool romon
set enabled=yes id=2C:C8:1B:2F:B9:CB
/tool sniffer
set filter-vlan=10
/user aaa
set default-group=disallow use-radius=yes

Hopefully this is good?

one minor side-note: It says VLAN10 and VLAN30 here while in my original question I used VLAN1001 and VLAN1003, this is because when I make the entire migration, I want to move VLAN10 to 1001 and VLAN30 to VLAN1003, hence the discrepancy.

ConradPino · Fri Feb 07, 2025 6:24 pm

Definite progress, thank you. By now you've seen this forum is doesn't handle code blocks consistently.
Please edit last post to add a blank line or two above code block begin and below code block close.

All exports start with comment lines, first is device model (not sensitive) and third is serial number (redact).
Leaving first two comment lines improves recognition significantly as do the extra blank lines surrounding code blocks.

FinlayDaG33k · Fri Feb 07, 2025 6:42 pm

Edited the blocks.
They looked fine for me (for some reason, I had the old phpBB layout) but I've swapped to the "normal" layout to see if it worked (and will just stick to that, I don't know why it swapped).

Also added the comment blocks you asked for, sans software ID and serial number.

ConradPino · Fri Feb 07, 2025 6:49 pm

OK, I see enough to draft a CRS309 configuration; that could be a further discussion starting point.
But it occurred to me CRS309 has L3HW Offload idiosyncrasies that must be kept front and center for best results.
We can work on improving current configurations prior to diving into the future.
Do you have a preference on where you prefer to go next?

anav · Fri Feb 07, 2025 6:50 pm

1. Question: Is the same pool for two different DCHP vlan servers intentional??

/ip dhcp-server
add add-arp=yes address-pool=vlan10 interface=vlan10 lease-time=10m name=vlan10
add add-arp=yes address-pool=vlan1255 interface=vlan1255 lease-time=10m name=vlan1255
add add-arp=yes address-pool=vlan1002 interface=vlan1002 lease-time=10m name=vlan1002
add add-arp=yes address-pool=vlan30 interface=vlan30 lease-time=10m name=vlan30
add add-arp=yes address-pool=vlan1005 interface=vlan1005 lease-time=10m name=vlan1005
add add-arp=yes address-pool=vlan10 interface=vlan1001 lease-time=10m name=vlan1001
add add-arp=yes address-pool=vlan1000 interface=vlan1000 lease-time=10m name=vlan1000

2. Any particular reason you need to use bridge filtering vice normal filter rules ( forward and input chain ) ????
/interface bridge settings
set use-ip-firewall-for-vlan=yes ?????

3. Recommend you set this to none, as its known to cause weird issues.
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

4. The complexity of your config grows with each line, you have much queueing but then have a plethora of fast track rules.
Suggesting fastrack may not be compatible to use????? Somebody use to complex would be better qualified to comment.

5. Many firewall rules are bloatware and should be removed, would stick to defaults and then add traffic needed. It would seem your focus
is blocking traffic vice simply allowing only needed traffic.

Cannot help much more on the router side.
+++++++++++++++++++++++++++++++++++++++++++++++

6. As for the switches, the main error I see is that all vlan-ids are tagged with the bridge in /interface bridge vlan settings.
ONLY the vlan-id=1000 should be tagged for the bridge.

FinlayDaG33k · Fri Feb 07, 2025 7:36 pm

OK, I see enough to draft a CRS309 configuration; that could be a further discussion starting point.
But it occurred to me CRS309 has L3HW Offload idiosyncrasies that must be kept front and center for best results.
We can work on improving current configurations prior to diving into the future.
Do you have a preference on where you prefer to go next?

I do not know what oddities I'd have to deal with with the CRS309?
I could opt for a CRS310 instead if that would be less of a headache?
Or maybe another one of those CRS317's Altho that would be stretching the budget quite hard (I'd like to stay below 300 bucks).

1. Question: Is the same pool for two different DCHP vlan servers intentional??

Yes, I was in the progress of moving VLAN10 to VLAN1000 but got distracted by something and haven't found the time to finish that bit of migration yet.

2. Any particular reason you need to use bridge filtering vice normal filter rules ( forward and input chain ) ????
/interface bridge settings
set use-ip-firewall-for-vlan=yes ?????

No particular reason, I very likely followed some guide or something while doing that.
It was my first time using VLANs (so I might have made a bunch of mistakes here and there) but since it was almost 2 years ago, I can't exactly remember what I did.
Can I just disable that setting ("use-ip-firewall-for-vlan=no")?

3. Recommend you set this to none, as its known to cause weird issues.
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

Fixed.

4. The complexity of your config grows with each line, you have much queueing but then have a plethora of fast track rules.
Suggesting fastrack may not be compatible to use????? Somebody used to complex would be better qualified to comment.

The queueing is just how fast clients (eg. my desktop or my parent's their devices) can go when trying to do stuff on the WAN.
The FT rules are for the IPTV and landline/VoIP (which run on a separate VLANs to the ISP and don't count towards my transfer speed), as well as some DNS-related stuff (which should just get through ASAP); Hence they are fasttracked to lower resource usage (at least, that's the idea).

5. Many firewall rules are bloatware and should be removed, would stick to defaults and then add traffic needed. It would seem your focus
is blocking traffic vice simply allowing only needed traffic.

I think you mean the things like the `lan-access` chain and the `detect-remote-intrusion` chains?
A lot of the rules could be considered "bloatware", although I have them in there mostly to make it easier for me to follow what is going on (I mostly use WinBox).
So unless they hurt performance really badly (or otherwise cause major issues), I'd prefer to keep them there.

6. As for the switches, the main error I see is that all vlan-ids are tagged with the bridge in /interface bridge vlan settings.
ONLY the vlan-id=1000 should be tagged for the bridge.

So you mean that only outgoing ports (not those that face the client itself) need to be tagged?
So is say "sfp-sfpplus1" goes to my router and "sfp-sfpplus2" goes to my client, only "sfp-sfpplus1" needs to have the tag?

anav · Fri Feb 07, 2025 8:35 pm

Vlan1000 is your management or trusted vlan as all smart devices get their IP address on that vlan, and all the other vlans have nothing to do with the bridge.
Coming in tagged on etherX and then going out either tagged or untagged on the rest of the switch ports.

FinlayDaG33k · Fri Feb 07, 2025 10:01 pm

Ahh, I see.
I'll try to poke around with it this weekend to see if stuff breaks or not.
Already was kind of wondering about it in the past given how "unscalable" it felt, just never really played around with it.

ConradPino · Fri Feb 07, 2025 11:41 pm

OK, I see enough to draft a CRS309 configuration; that could be a further discussion starting point.
But it occurred to me CRS309 has L3HW Offload idiosyncrasies that must be kept front and center for best results.
We can work on improving current configurations prior to diving into the future.
Do you have a preference on where you prefer to go next?

Thank you for working with @anav which has saved us time by pointing out current configurations have room for improvement and will affect new intermediate switch at firewall level so I suggest let's get current firewall(s) relatively clean before writing a new switch draft configuration.

I do not know what oddities I'd have to deal with with the CRS309?
I could opt for a CRS310 instead if that would be less of a headache?
Or maybe another one of those CRS317's Altho that would be stretching the budget quite hard (I'd like to stay below 300 bucks).

I see a misunderstanding here; let's get up to speed on MikroTik Product+Naming, in particular read sections:

CloudCoreRouter naming details
CloudRouterSwitch and CloudSmartSwitch naming details

CCR products are classic routers deriving their routing performance from robust CPU designs. - Outstanding routers, *meh* switches.
CSS products are classic switches deriving their switching performance from robust switch chip designs. - Outstanding switches, *weak* routers.
CRS products are hybrid designs with CSS level CPU and CSS level switch chip capabilities with Layer 3 Hardware Offloading features. - Outstanding switches but good routers only within model specific constraints.

IMO reviewing Switch Chip Features is worthwhile and in particular drill deep into:

CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features section Models to learn specific switch chip model numbers corresponding to the CRS3xx products under consideration.
Review carefully TCAM references in L3 Hardware Offloading then scroll down this page and match up switch chip model numbers in the following sections:
- L3HW Feature Support - IMO the critical table on that page.
- L3HW Device Support
  - CRS3xx: Switch DX3000 and DX2000 Series
  - CRS3xx, CRS5xx: Switch DX8000 and DX4000 Series

Switch chip TCAM memory varies substantially and is a limiting factor in maintaining L3HW Offload wire speed performance.
TL;DR change from CRS309 to any CRSxxx product changes nothing qualitatively, only quantities at which pain points arise vary.
I have not drilled into currently posted configurations but will do so and follow up with additional posts as discoveries merit.

FinlayDaG33k · Fri Feb 07, 2025 11:57 pm

IMO reviewing Switch Chip Features is worthwhile and in particular drill deep into:

CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features section Models to learn specific switch chip model numbers corresponding to the CRS3xx products under consideration.

Review carefully TCAM references in L3 Hardware Offloading then scroll down this page and match up switch chip model numbers in the following sections:

L3HW Feature Support - IMO the critical table on that page.

L3HW Device Support

CRS3xx: Switch DX3000 and DX2000 Series

CRS3xx, CRS5xx: Switch DX8000 and DX4000 Series

Switch chip TCAM memory varies substantially and is a limiting factor in maintaining L3HW Offload wire speed performance.
TL;DR change from CRS309 to any CRSxxx product changes nothing qualitatively, only quantities at which pain points arise vary.
I have not drilled into currently posted configurations but will do so and follow up with additional posts as discoveries merit.

I have looked at the table but I couldn't really make out from it was was important and what wasn't (in-fact, if it wasn't for you mentioning the TCAM memory, I wouldn't have known it existed).
I don't use IPv6, so that should "save" me a lot of resources.
Seems like the CRS310 I proposed doesn't support FT offloading, so it seems that that won't do then? Am I correct?

ConradPino · Sat Feb 08, 2025 12:01 am

Seems like the CRS310 I proposed doesn't support FT offloading, so it seems that that won't do then? Am I correct?

Define FT please.

FinlayDaG33k · Sat Feb 08, 2025 12:07 am

Define FT please.

FastTrack

ConradPino · Sat Feb 08, 2025 12:52 am

FastTrack

Thank you.

Agreed, per CRS3xx: Switch DX3000 and DX2000 Series CRS310 does not hardware offload Fasttrack nor NAT whereas CRS309 per CRS3xx, CRS5xx: Switch DX8000 and DX4000 Series can hardware offloat Fasttrack and NAT but that is not a recommendation as all devices there are TCAM constrained as each HW FT connection uses TCAM.

Consider instead if current LAN to LAN firewall rules can be substituted with Switch Rules (ACL) per section Stateless Hardware Firewall and if so then you have CCR2004 downtime affecting only WAN links and not LAN links assuming all required Switch Rules fit within device TCAM limits.

IMO the device constraining issues surrounding your request are now exposed in this topic. Skills demonstrated so far suggest capability to self service the request are within reach once device specific issues are understood. Let's continue the design discussion and decide later if configuration drafting is still an attractive play.

FinlayDaG33k · Sat Feb 08, 2025 1:45 am

Consider instead if current LAN to LAN firewall rules can be substituted with Switch Rules (ACL) per section Stateless Hardware Firewall and if so then you have CCR2004 downtime affecting only WAN links and not LAN links assuming all required Switch Rules fit within device TCAM limits.

Oh yes, they very likely can.
The firewall rules are just there because the CCR2004 doesn't have that feature.
They would very likely fit within the limits (my network isn't anything insane, just think small homelab)?

I appreciate all the help so far tho!

ConradPino · Sat Feb 08, 2025 1:49 am

Oops, I'm late in reading existing device details. Please note CRS317 is more capable than CRS309 which is more capable than CRS310,

Consider moving CRS310 to CCR2004 connections downstream of the CRS317 and deploy L3 HW routing with a Stateless Hardware Firewall on CRS317.

FinlayDaG33k · Sat Feb 08, 2025 2:08 am

Oops, I'm late in reading existing device details. Please note CRS317 is more capable than CRS309 which is more capable than CRS310,

Consider moving CRS310 to CCR2004 connections downstream of the CRS317 and deploy L3 HW routing with a Stateless Hardware Firewall on CRS317.

Ok so, viewing from the WAN side (incoming from ISP):

ISP
CCR2004
CRS317
CRS309* + CRS326

CRS310 only has 4 SFP+ ports, which isn't enough, CRS309 would have enough ports for the foreseeable future while still giving me options to expand.
Would moving the CRS309 down 1 step be a big improvement?
From what I can tell, the biggest differences are just the amount of ports and the amount of RAM (and an RS232 port whiiiiiich I never really use)?

ConradPino · Sat Feb 08, 2025 2:18 am

 Model    SwChip    ROS   IPv4 Pre    IPv4 Host   IPv6 Pre   IPv4 Host   Nexthop   Fasttrack   NAT    VXLAN
CRS310   98DX226S   7.1   13312       3328                               4K
CRS309   98DX8208   7.1   16K-6K      16K         4K-6K      8K          8K        4.5K        3.9K     +
CRS317   98DX8216   7.1   120K-240K   64K         30K-40K    32K         8K        4.5K        4K       +

Source: L3 Hardware Offloading § L3HW Device Support

FinlayDaG33k · Sat Feb 08, 2025 2:29 am

Oh... Those are some significant differences yes.
Altho... 16K IPv4 routes and 16K IPv4 hosts should be more than plenty, I think?
Checking the "/ip/firewall/connection" on my CCR2004, I get about 3.4K entries.
So would that additional 104K IPv4 routes do much for me? Or would it be reasonable enough to keep the CRS317 where it is now and enjoy the extra flexibility in ports?

ConradPino · Sat Feb 08, 2025 2:29 am

Ok so, viewing from the WAN side (incoming from ISP):

ISP

CCR2004

CRS317

CRS309* + CRS326

I misread diagram device CRS326 as CRS310 and apologize. My suggestion was:

ISP
CCR2004
CRS317
CRS326

which presumes CRS317 has enough free ports to downstream the CRS326 which I don't know at this time.

If not so then proposed 3rd device remains attractive with CRS310 still in contention provided future requirements remain within it's constraints,
This leaves the CRS309 US $70 more still the better future risk reduction choice.

ConradPino · Sat Feb 08, 2025 2:46 am

Above table apples to L3 HW Offloading and is irrelevant to Stateless Hardware Firewall and Switch Rules (ACL) whose limits are shown in ACL Rules column:

 Model    SwChip    CPU Cores   SFP+  ACL Rules   Unicast FDB   Jumbo Frame
CRS310    98DX226S  1 800MHz    4     128         16,000        10218
CRS309    98DX8208  2 800MHz    8     1024        32,000        10218
CRS317    98DX8216  2 800MHz    16    1024        128,000       10218

Source: CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features § Models

Connection tracking stateful firewall rules add and drop reciprocal rules as connections come up and drop.
Stateless firewall rules must include corresponding dynamic stateful reciprocal rules for a rule multiplier of about two.
Differences in packet matching capabilities play a major role in contracting or expanding the required rules population.

FinlayDaG33k · Sat Feb 08, 2025 12:21 pm

I see, though according to that table, they do have the same amount of ACL rule capacity.
I don't know if the "Unicast FDB" is an important thing?
It's a small homelab network, not hundreds of machines that have a high amount of packets flowing all the time.

ConradPino · Sat Feb 08, 2025 9:11 pm

I don't know if the "Unicast FDB" is an important thing?

Unicast FDB (Forwarding Database) is mentioned here: CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features § Features
Yes, it's important and requires an entry for every MAC address a given switch sees.

FinlayDaG33k · Sat Feb 08, 2025 9:17 pm

Yes, it's important and requires an entry for every MAC address a given switch sees.

I have about 125-ish devices on the network (though this can sometimes reach 150 when some of my friends come over).
I doubt that would be big enough to cause any issues with the CRS309's smaller Unicast FDB?

ConradPino · Sat Feb 08, 2025 9:33 pm

Yes, it's important and requires an entry for every MAC address a given switch sees.
I have about 125-ish devices on the network (though this can sometimes reach 150 when some of my friends come over).
I doubt that would be big enough to cause any issues with the CRS309's smaller Unicast FDB?

The CRS310 at 16,000 entries is as substantially larger number than the above and CRS309 (32,000), CRS317 (128,000) numbers are ...

ConradPino · Sat Feb 08, 2025 9:34 pm

It's a small homelab network, not hundreds of machines that have a high amount of packets flowing all the time.

Thank you, that's helpful.

Can you enumerate how many ports are free and used on current CCR2004, CRS317, and CRS326?

@anav suggested firewall and configuration improvements which received an affirmative response.
May I suggest completing that work before we study Stateless Hardware Firewall requirements?

Previous post mentioned VLAN number reassignment to be accomplished during execution of this topic.
VLAN renumbering is very manageable with short down time (brief moment during switch chip update).
May I suggest we do such on the current deployment before adding new hardware?

FinlayDaG33k · Sat Feb 08, 2025 10:43 pm

Can you enumerate how many ports are free and used on current CCR2004, CRS317, and CRS326?

CCR2004 only has 4 ports in use.

sfp-sfpplus1: ISP
sfp-sfpplus2: CRS317
sfp-sfpplus3: CRS326
sfp-sfpplus4: RB5009

CRS317 has 5 ports in use.
This number is expected to go up substantially this year (high likelihood of me getting 2 new NAS's and possibly a small 3-node cluster).

sfp-sfpplus1: CCR2004
sfp-sfpplus2: CRS326
sfp-sfpplus3: Main workstation
sfp-sfpplus4: Main virtualization server
sfp-sfpplus5: RB5009

CRS326 has 9 rj45 ports in use + both SFP+ ports.

ether1: Main virtualization server (bond with ether2)
ether2: Main virtualization server (bond with ether1)
ether3: Main workstation
ether4: Laptop
ether5: Main virtualization server (IPMI)
ether6: RB5009
ether9: hAP AX3 (Attic)
ether10: hAP AX3 (Living room)
ether11: hAP AC Lite (Only serves as a little switch for some stuff on bedroom, not too important)
sfp-sfpplus1: CCR2004
sfp-sfpplus2: CRS317

@anav suggested firewall and configuration improvements which received an affirmative response.
May I suggest completing that work before we study Stateless Hardware Firewall requirements?

That's fine if that will make a migration less of a hassle.

Previous post mentioned VLAN number reassignment to be accomplished during execution of this topic.
VLAN renumbering is very manageable with short down time (brief moment during switch chip update).
May I suggest we do such on the current deployment before adding new hardware?

That's fine.
The CCR2004 does not have a switch chip though.

EDIT: VLAN10 has been migrated to VLAN1001. Will try to do VLAN30 -> VLAN1003 tomorrow, otherwise Monday (as this requires me to take the virtualization server offline, not a great idea at midnight).

EDIT2: VLAN30 has been migrated to VLAN1003.

ConradPino · Sun Feb 09, 2025 3:09 am

Please interpret, "May I suggest ..." as an introduction to further discussion and NOT necessarily a call to action.

Thank you for an outstanding reply which I will address in part now as I must attend to my work and will return later to reply in depth.

EDIT: VLAN10 has been migrated to VLAN1001.

Thank you, I am glad that was not difficult.

Will try to do VLAN30 -> VLAN1003 tomorrow, otherwise Monday (as this requires me to take the virtualization server offline, not a great idea at midnight).

May I suggest you consider postponing this part so we can continue the planning process?

FinlayDaG33k · Sun Feb 09, 2025 9:36 am

May I suggest you consider postponing this part so we can continue the planning process?

Too late for that, already rolled out of bed and finished it.

ConradPino · Sun Feb 09, 2025 10:12 am

Sip, mmmmm ... Cafe

I'm bring up Spanning Tree Protocol to make clear MikroTik default enables RSTP on all software bridges and switch chips. The switching loops in the current connection topology will not produce broadcast storms while RSTP remains enabled. Spanning Tree Protocol § Summary excerpt:

"As a best practice, it is always recommended to manually set up each bridge's priority, port priority, and port path cost to ensure proper Layer2 functionality at all times. Leaving STP related values to defaults is acceptable for a network that consists of 1 to 2 bridges running with (R/M)STP enabled, but it is highly recommended to manually set these values for larger networks. Since STP elects a root bridge and root ports by checking STP related values from bridges over the network, then leaving STP settings to automatic may elect an undesired root bridge and root ports and in case of a hardware failure can result in an inaccessible network."

Consider deploying MSTP if your requirements benefit from root bridge management at the VLAN level. For this topic, addressing STP remains optional but should get attention over the long haul.

When configurations change and are stable again, publish changed versions in new post please.

Too late for that, already rolled out of bed and finished it.

What do you want to focus on next?

FinlayDaG33k · Sun Feb 09, 2025 10:56 am

Consider deploying MSTP if your requirements benefit from root bridge management at the VLAN level. For this topic, addressing STP remains optional but should get attention over the long haul.

I don't know if it will benefit from it as I'm not familiar with it outside it preventing loops.
I think sticking with RSTP is fine for now to prevent changing too much in one go about things I don't know about.

When configurations change and are stable again, publish changed versions in new post please.

CCR2004 (again, minus IPv6, static DHCP leases and Wireguard peers):

# 2025-02-09 09:39:14 by RouterOS 7.16.1
# software id = REDACTED
#
# model = CCR2004-1G-12S+2XS
# serial number = REDACTED
/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short priority=0x7000 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Management name=mgmt
set [ find default-name=sfp-sfpplus1 ] comment="To Modem" l2mtu=1600 \
    loop-protect=off
set [ find default-name=sfp-sfpplus2 ] comment="To CRS317-1G-16S+RM"
set [ find default-name=sfp-sfpplus3 ] comment="To CRS326-24G-2S+"
set [ find default-name=sfp-sfpplus4 ] comment=RB5009UG+S+
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment="Delta Internet" interface=sfp-sfpplus1 loop-protect=off name=\
    delta-vlan100 vlan-id=100
add comment="Delta IPTV" interface=sfp-sfpplus1 name=delta-vlan101 vlan-id=101
add comment="Delta VoIP" interface=sfp-sfpplus1 name=delta-vlan102 vlan-id=102
add comment="Main Infra" interface=bridge1 name=vlan1000 vlan-id=1000
add comment="Private VLAN" interface=bridge1 name=vlan1001 vlan-id=1001
add comment=Parents interface=bridge1 name=vlan1002 vlan-id=1002
add comment="Virtual Devices" interface=bridge1 name=vlan1003 vlan-id=1003
add comment=IOT interface=bridge1 name=vlan1005 vlan-id=1005
add comment=Guests interface=bridge1 name=vlan1255 vlan-id=1255
/interface list
add name=WAN
add name=LAN
add comment="Neighbours for MNDP Attack mitigation" name=Neighbour
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-client option
add code=60 name=iptv_rg value="'IPTV_RG'"
/ip pool
add name=vlan1001 ranges=192.168.1.10-192.168.1.254
add name=vlan1255 ranges=192.168.255.10-192.168.255.254
add name=vlan1002 ranges=192.168.2.10-192.168.2.254
add name=vlan1003 ranges=192.168.3.10-192.168.3.254
add name=vlan1005 ranges=192.168.5.10-192.168.5.243
add name=vlan1000 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add add-arp=yes address-pool=vlan1255 interface=vlan1255 lease-time=10m name=\
    vlan1255
add add-arp=yes address-pool=vlan1002 interface=vlan1002 lease-time=10m name=\
    vlan1002
add add-arp=yes address-pool=vlan1003 interface=vlan1003 lease-time=10m name=\
    vlan1003
add add-arp=yes address-pool=vlan1005 interface=vlan1005 lease-time=10m name=\
    vlan1005
add add-arp=yes address-pool=vlan1001 interface=vlan1001 lease-time=10m name=\
    vlan1001
add add-arp=yes address-pool=vlan1000 interface=vlan1000 lease-time=10m name=\
    vlan1000
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/queue type
set 0 pfifo-limit=250
add cake-nat=yes cake-rtt-scheme=internet kind=cake name=cake-upload
add kind=fq-codel name=fq_codel
add cake-nat=yes cake-rtt-scheme=internet kind=cake name=cake-download
set 11 mq-pfifo-limit=5
/queue simple
add bucket-size=0/0 dst=delta-vlan100 limit-at=980M/980M max-limit=980M/980M \
    name=ISP priority=1/1 queue=fq_codel/fq_codel target="" total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=890M/890M max-limit=980M/980M \
    name="Private Wired" parent=ISP priority=1/1 queue=fq_codel/fq_codel \
    target=vlan1001 total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=50M/50M max-limit=900M/900M \
    name=Servers parent=ISP priority=2/2 queue=fq_codel/fq_codel target=\
    vlan1003 total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=25M/25M max-limit=900M/900M \
    name=Parents parent=ISP queue=pcq-upload-default/pcq-download-default \
    target=vlan1002 total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=1M/10M max-limit=1M/50M name=IOT \
    parent=ISP queue=pcq-upload-default/pcq-download-default target=vlan1005 \
    total-queue=default
add limit-at=10M/10M max-limit=980M/980M name=Guest parent=ISP queue=\
    pcq-upload-default/pcq-download-default target=vlan1255 total-queue=default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/user group
add name=dudes policy="read,winbox,!local,!telnet,!ssh,!ftp,!reboot,!write,!poli\
    cy,!test,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
add name=ninym policy="read,api,rest-api,!local,!telnet,!ssh,!ftp,!reboot,!write\
    ,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon"
add name=mktxp policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,\
    !test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
add name=disallow
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus2 \
    internal-path-cost=10 multicast-router=disabled path-cost=10
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus3 \
    internal-path-cost=10 multicast-router=disabled path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp28-1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp28-2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes interface=sfp-sfpplus11 internal-path-cost=10 \
    path-cost=10
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus12 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=sfp-sfpplus4
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=3m
/ip neighbor discovery-settings
set discover-interface-list=Neighbour lldp-max-frame-size=yes lldp-vlan-info=\
    yes
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1003
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1002
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1005
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1255
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1001
add bridge=bridge1 tagged=sfp-sfpplus2,sfp-sfpplus3,bridge1,sfp-sfpplus4 \
    vlan-ids=1000
/interface detect-internet
set lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=vlan1003 list=LAN
add interface=vlan1002 list=LAN
add interface=delta-vlan100 list=WAN
add interface=vlan1005 list=LAN
add interface=delta-vlan102 list=WAN
add interface=delta-vlan101 list=WAN
add interface=vlan1001 list=LAN
add interface=vlan1000 list=Neighbour
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.2.1/24 interface=vlan1002 network=192.168.2.0
add address=192.168.255.1/24 interface=vlan1255 network=192.168.255.0
add address=192.168.3.1/24 interface=vlan1003 network=192.168.3.0
add address=192.168.5.1/24 interface=vlan1005 network=192.168.5.0
add address=192.168.254.1/24 interface=wireguard1 network=192.168.254.0
add address=192.168.1.1/24 interface=vlan1001 network=192.168.1.0
add address=192.168.0.1/24 interface=vlan1000 network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add add-default-route=no comment="Delta VoIP" dhcp-options=\
    clientid,clientid_duid interface=delta-vlan102 use-peer-dns=no \
    use-peer-ntp=no
add comment="Delta Internet" interface=delta-vlan100 use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no comment="Delta IPTV" dhcp-options=\
    iptv_rg,hostname,clientid interface=delta-vlan101 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server alert
add alert-timeout=1d disabled=no interface=vlan1003 on-alert=\
    ":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=\
    2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1005 on-alert=\
    ":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=\
    2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1002 on-alert=\
    ":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=\
    2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1000 on-alert=\
    ":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=\
    2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1255 on-alert=\
    ":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=\
    2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1001 on-alert=\
    ":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=\
    2C:C8:1B:39:8D:BD
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=192.168.0.0/24 caps-manager=192.168.0.7 dns-server=192.168.0.7 \
    gateway=192.168.0.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.1.0/24 dns-server=192.168.0.7 gateway=192.168.1.1 netmask=\
    24 ntp-server=192.168.0.7
add address=192.168.2.0/24 dns-server=192.168.0.7 gateway=192.168.2.1 netmask=\
    24 ntp-server=192.168.0.7
add address=192.168.3.0/24 dns-server=192.168.0.7 gateway=192.168.3.1 netmask=\
    24 ntp-server=192.168.0.7
add address=192.168.5.0/24 dns-server=192.168.0.7 gateway=192.168.5.1 netmask=\
    24 ntp-server=192.168.0.7
add address=192.168.255.0/24 dns-server=192.168.0.7 gateway=192.168.255.1 \
    netmask=24 ntp-server=192.168.0.7
/ip dns
set allow-remote-requests=yes cache-size=262144KiB servers=192.168.0.7
/ip firewall address-list
add address=81.172.152.214 list=my-wan-addresses
add address=192.168.0.0/24 list=lan-addresses
add address=192.168.1.0/24 list=lan-addresses
add address=192.168.2.0/24 list=lan-addresses
add address=192.168.3.0/24 list=lan-addresses
add address=192.168.5.0/24 list=lan-addresses
add address=192.168.255.0/24 list=lan-addresses
add address=192.168.254.0/24 list=lan-addresses
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad-ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad-ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad-ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad-ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad-ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad-ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not-global-ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not-global-ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not-global-ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not-global-ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not-global-ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not-global-ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not-global-ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not-global-ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not-global-ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad-src-ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad-src-ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad-dst-ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad-dst-ipv4
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack LAN" \
    connection-state=established,related hw-offload=yes in-interface-list=LAN \
    out-interface-list=LAN
add action=fasttrack-connection chain=forward comment="Fasttrack IPTV" \
    hw-offload=yes out-interface=delta-vlan101
add action=fasttrack-connection chain=forward comment="Fasttrack VoIP" \
    hw-offload=yes out-interface=delta-vlan102
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack DNS (DNS.Watch)" dst-address=84.200.70.40 hw-offload=yes \
    src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack DNS (LibreDNS)" dst-address=116.202.176.26 hw-offload=yes \
    src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (Google)" \
    dst-address=8.8.8.8 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack DNS (CloudFlare)" dst-address=1.1.1.1 hw-offload=yes \
    src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack DNS (CloudFlare)" dst-address=1.0.0.1 hw-offload=yes \
    src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (Quad9)" \
    dst-address=9.9.9.11 hw-offload=yes src-address=192.168.0.7
add action=jump chain=forward comment="Chain for LAN Access Control" \
    connection-state=new dst-address-list=lan-addresses jump-target=lan-access \
    src-address-list=lan-addresses
add action=accept chain=forward comment="Accept established and related" \
    connection-state=established,related
add action=jump chain=input comment="Fuck anyone trying to get into my router" \
    in-interface-list=WAN jump-target=detect-remote-intrusion
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: ssh" \
    dst-port=22 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment=\
    "MikroTik Service: api-ssl" dst-port=8729 jump-target=add-block-list \
    protocol=tcp
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: api" \
    dst-port=8728 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment=\
    "MikroTik Service: winbox" dst-port=8291 jump-target=add-block-list \
    protocol=tcp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (control)" \
    dst-port=3784 jump-target=add-block-list protocol=udp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (echo)" \
    dst-port=3785 jump-target=add-block-list protocol=udp
add action=jump chain=detect-remote-intrusion comment=\
    "BFD: WAN (multihop control)" dst-port=4784 jump-target=add-block-list \
    protocol=udp
add action=jump chain=detect-remote-intrusion comment=\
    "BFD: WAN (multihop control)" dst-port=4784 jump-target=add-block-list \
    protocol=tcp
add action=add-src-to-address-list address-list=remote-intrusion \
    address-list-timeout=4w2d chain=add-block-list comment=\
    "Block address for 30d"
add action=drop chain=add-block-list comment="Drop packet immediately"
add action=return chain=lan-access comment="Allow Private VLAN" in-interface=\
    vlan1001
add action=return chain=lan-access comment="Allow Private VLAN" in-interface=\
    vlan1001
add action=return chain=lan-access comment="Allow Virtual VLAN" in-interface=\
    vlan1003
add action=return chain=lan-access comment="Allow Wireguard" in-interface=\
    wireguard1
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 \
    dst-port=53 protocol=tcp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 \
    dst-port=53 protocol=udp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 \
    dst-port=853 protocol=tcp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 \
    dst-port=853 protocol=udp
add action=return chain=lan-access comment="Allow Plex" dst-address=\
    192.168.3.109 dst-port=32400 protocol=tcp
add action=return chain=lan-access comment="Allow Printer Access" dst-address=\
    192.168.5.2
add action=return chain=lan-access comment="Allow Tablet to OBS" dst-address=\
    192.168.1.2 dst-port=4455 protocol=tcp src-address=192.168.5.233
add action=drop chain=lan-access comment="Isolate Parents (to self)" \
    in-interface=vlan1002 log-prefix="[FILTER]" out-interface=!vlan1002
add action=drop chain=lan-access comment="Isolate IOT" in-interface=vlan1005 \
    log-prefix="[FILTER]"
add action=drop chain=lan-access comment="Isolate Guests" in-interface=vlan1255 \
    log-prefix="[FILTER]"
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connections for hairpint NAT" dst-address-list=my-wan-addresses \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=\
    lan-addresses
/ip firewall nat
add action=accept chain=input comment="Allow connection to Wireguard server" \
    dst-address-list=my-wan-addresses dst-port=13231 protocol=udp
add action=jump chain=srcnat comment="Create chain for LAN access" jump-target=\
    lan-access
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment="Allow outgoing to internet" \
    out-interface-list=WAN
add action=jump chain=dstnat comment="Create chain to force AGH usage (UDP)" \
    disabled=yes dst-address-list=!my-wan-addresses dst-port=53 jump-target=\
    dns-redirection log-prefix="[DNS REDIR]" protocol=udp
add action=jump chain=dstnat comment="Create chain to force AGH usage (TCP)" \
    disabled=yes dst-address-list=!my-wan-addresses dst-port=53 jump-target=\
    dns-redirection log-prefix="[DNS REDIR]" protocol=tcp
add action=jump chain=dstnat comment="Create chain for Portforwards" \
    dst-address-list=my-wan-addresses jump-target=port-forwards log-prefix=\
    "[pf]"
add action=dst-nat chain=port-forwards comment="Traefik Ingress (HTTP)" \
    dst-port=80 protocol=tcp to-addresses=192.168.3.122 to-ports=80
add action=dst-nat chain=port-forwards comment="Traefik Ingress (HTTPS)" \
    dst-port=443 protocol=tcp to-addresses=192.168.3.122 to-ports=443
add action=dst-nat chain=port-forwards comment="Traefik Ingress (HTTPS/3)" \
    dst-port=443 protocol=udp to-addresses=192.168.3.122 to-ports=443
add action=dst-nat chain=port-forwards comment="Modoboa (SMTP)" dst-port=25 \
    protocol=tcp to-addresses=192.168.3.6 to-ports=25
add action=dst-nat chain=port-forwards comment="Modoboa (SMTPS)" dst-port=587 \
    protocol=tcp to-addresses=192.168.3.6 to-ports=587
add action=dst-nat chain=port-forwards comment="Modoboa (SMTPS)" dst-port=465 \
    protocol=tcp to-addresses=192.168.3.6 to-ports=465
add action=dst-nat chain=port-forwards comment="Modoboa (IMAP)" dst-port=143 \
    protocol=tcp to-addresses=192.168.3.6 to-ports=143
add action=dst-nat chain=port-forwards comment="Modoboa (IMAPS)" dst-port=993 \
    protocol=tcp to-addresses=192.168.3.6 to-ports=993
add action=dst-nat chain=port-forwards comment=Plex dst-port=32400 protocol=tcp \
    to-addresses=192.168.3.109 to-ports=32400
add action=dst-nat chain=port-forwards comment=Minecraft dst-port=25565 \
    protocol=tcp to-addresses=192.168.3.101 to-ports=25565
add action=dst-nat chain=port-forwards comment=Minecraft dst-port=25565 \
    protocol=udp to-addresses=192.168.3.101 to-ports=25565
add action=dst-nat chain=port-forwards comment="pDNS AFXR (TCP)" dst-port=53 \
    protocol=tcp to-addresses=192.168.3.122 to-ports=9053
add action=dst-nat chain=port-forwards comment="pDNS AFXR (UDP)" dst-port=53 \
    protocol=udp to-addresses=192.168.3.122 to-ports=9053
add action=dst-nat chain=port-forwards comment=Portainer disabled=yes dst-port=\
    888 protocol=tcp to-addresses=192.168.3.122 to-ports=9000
add action=dst-nat chain=port-forwards comment="BiglyBT (TCP)" dst-port=44769 \
    protocol=tcp to-addresses=192.168.1.3 to-ports=44769
add action=dst-nat chain=port-forwards comment="BiglyBT (UDP)" dst-port=44769 \
    protocol=udp to-addresses=192.168.1.3 to-ports=44769
add action=dst-nat chain=port-forwards comment="BiglyBT Remote" disabled=yes \
    dst-port=48674 protocol=tcp to-addresses=192.168.1.3 to-ports=48674
add action=masquerade chain=lan-access comment="Printer Access" dst-address=\
    192.168.5.2
add action=masquerade chain=lan-access comment="Masquerade Resolve Server" \
    dst-address=192.168.1.251 src-address=!192.168.1.0/24
add action=accept chain=dns-redirection comment="Allow AGH out (UDP)" dst-port=\
    53 protocol=udp src-address=192.168.0.7
add action=accept chain=dns-redirection comment="Allow AGH out (TCP)" dst-port=\
    53 protocol=tcp src-address=192.168.0.7
add action=accept chain=dns-redirection comment="Allow PDNS out (UDP)" \
    dst-port=53 protocol=udp src-address=192.168.3.122
add action=accept chain=dns-redirection comment="Allow PDNS out (TCP)" \
    dst-port=53 protocol=tcp src-address=192.168.3.122
add action=dst-nat chain=dns-redirection comment="Force AGH usage (UDP)" \
    dst-port=53 protocol=udp src-address=!192.168.0.7 to-addresses=192.168.0.7 \
    to-ports=53
add action=dst-nat chain=dns-redirection comment="Force AGH usage (TCP)" \
    dst-port=53 protocol=tcp src-address=!192.168.0.7 to-addresses=192.168.0.7 \
    to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment=\
    "Drop banned IPs in remote intrusion list" log-prefix="[DoS]" \
    src-address-list=remote-intrusion
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \
    src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad-ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad-ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad-src-ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad-dst-ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not-global-ipv4
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad-tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=\
    3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=\
    3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=\
    3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other" protocol=icmp
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop fin,syn" protocol=tcp \
    tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop fin,rst" protocol=tcp \
    tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop fin,!ack" protocol=tcp \
    tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop fin,urg" protocol=tcp \
    tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop syn,rst" protocol=tcp \
    tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop rst,urg" protocol=tcp \
    tcp-flags=rst,urg
add action=drop chain=bad-tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.57.36/32 \
    gateway=delta-vlan100 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.58.162/32 \
    gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.58.180/32 \
    gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.59.36/32 \
    gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.59.50/32 \
    gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.60.3/32 \
    gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.60.2/32 \
    gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no dst-address=62.45.57.34/32 gateway=\
    10.188.168.1 routing-table=main suppress-hw-offload=no
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.57.0/24 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.61.64/28 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.76.0/24 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.58.226/32 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.45.150/32 \
    gateway=10.188.168.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.49.0/24 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=212.115.196.0/25 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=217.63.90.128/25 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.61.16/28 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.61.32/27 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=217.102.255.57/32 \
    gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no dst-address=217.63.91.0/26 gateway=\
    10.188.168.1 routing-table=main suppress-hw-offload=no
add comment="Delta IPTV" disabled=no dst-address=62.45.59.0/24 gateway=\
    10.188.168.1 routing-table=main suppress-hw-offload=no
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=\
    62.45.158.17/32 gateway=10.188.168.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=\
    62.45.158.29/32 gateway=10.188.168.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=\
    62.45.158.13/32 gateway=10.188.168.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=\
    62.45.158.15/32 gateway=10.188.168.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=\
    62.45.158.27/32 gateway=10.188.168.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=\
    62.45.158.11/32 gateway=10.188.168.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set www-ssl address=192.168.1.0/24 certificate=webfig disabled=no
set api address=192.168.1.0/24,192.168.3.0/24,192.168.0.0/24
set winbox address=192.168.1.0/24,192.168.0.0/24,192.168.254.0/24
set api-ssl address=10.0.0.0/8,192.168.1.0/24 certificate=*10 disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/radius
add address=192.168.0.7 service=login
/routing igmp-proxy
set quick-leave=yes
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.5.241/32 \
    table=*400
/snmp
set enabled=yes trap-version=3
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system health settings
set fan-control-interval=10s fan-min-speed-percent=0% fan-target-temp=60C
/system identity
set name=CCR2004-1G-12S+2XS
/system logging
set 0 topics=info,!dhcp
set 3 action=memory
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set local-clock-stratum=3
/system ntp client servers
add address=192.168.0.7
/system resource irq rps
set mgmt disabled=no
/system routerboard settings
set boot-delay=1s
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing
set store-every=24hours
/tool netwatch
add comment=CRS317-1G-16S+ disabled=no down-script="" host=192.168.0.2 \
    http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=\
    ""
add comment=CRS326-24G-2S+ disabled=no down-script="" host=192.168.0.3 \
    http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=\
    ""
add comment="AP Attic" disabled=no down-script="" host=192.168.0.5 http-codes=\
    "" interval=1m packet-count=4 packet-interval=20ms test-script="" timeout=\
    1s type=simple up-script=""
add comment="AP Parents" disabled=no down-script="" host=192.168.0.6 \
    http-codes="" interval=1m test-script="" thr-loss-percent=50% timeout=1s \
    type=simple up-script=""
add comment=RB5009UG+S+ disabled=no down-script="" host=192.168.0.7 http-codes=\
    "" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment="Switch Bedroom" disabled=no down-script="" host=192.168.0.9 \
    http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=\
    ""
/tool romon
set enabled=yes id=2C:C8:1B:39:8D:BD
/tool sniffer
set filter-interface=vlan1005 filter-mac-address=\
    5C:0F:FB:0D:09:08/FF:FF:FF:FF:FF:FF filter-operator-between-entries=and \
    filter-stream=yes memory-limit=10000KiB streaming-server=192.168.1.2
/user aaa
set default-group=disallow use-radius=yes

CRS317:

# 2025-02-09 09:44:29 by RouterOS 7.14.2
# software id = REDACTED
#
# model = CRS317-1G-16S+
# serial number = REDACTED
/interface bridge
add admin-mac=2C:C8:1B:2F:B9:CB auto-mac=no ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1592
set [ find default-name=sfp-sfpplus1 ] comment=CCR2004-1G-12S+2XS l2mtu=1592
set [ find default-name=sfp-sfpplus2 ] comment=CRS326-24G-2S+ l2mtu=1592
set [ find default-name=sfp-sfpplus3 ] comment=Richthoven l2mtu=1592
set [ find default-name=sfp-sfpplus4 ] comment=Isoroku l2mtu=1592
set [ find default-name=sfp-sfpplus5 ] comment=RB5009UG+S+IN l2mtu=1592
set [ find default-name=sfp-sfpplus6 ] l2mtu=1592
set [ find default-name=sfp-sfpplus7 ] l2mtu=1592
set [ find default-name=sfp-sfpplus8 ] l2mtu=1592
set [ find default-name=sfp-sfpplus9 ] l2mtu=1592
set [ find default-name=sfp-sfpplus10 ] l2mtu=1592
set [ find default-name=sfp-sfpplus11 ] l2mtu=1592
set [ find default-name=sfp-sfpplus12 ] l2mtu=1592
set [ find default-name=sfp-sfpplus13 ] l2mtu=1592
set [ find default-name=sfp-sfpplus14 ] l2mtu=1592
set [ find default-name=sfp-sfpplus15 ] l2mtu=1592
set [ find default-name=sfp-sfpplus16 ] l2mtu=1592
/interface vlan
add interface=bridge name=vlan1000 vlan-id=1000
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/user group
add name=mktxp policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
add name=disallow
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10 pvid=1001
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10 pvid=1003
add bridge=bridge comment=defconf interface=sfp-sfpplus5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus16 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set enabled=no udp-timeout=10s
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3 untagged=sfp-sfpplus4 vlan-ids=1003
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5 vlan-ids=1002
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5 vlan-ids=1005
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5 vlan-ids=1255
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus4,sfp-sfpplus5 untagged=sfp-sfpplus3 vlan-ids=1001
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,bridge vlan-ids=1000
/ip dhcp-client
add interface=vlan1000
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/radius
add address=192.168.0.7 service=login
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system health settings
set fan-control-interval=5s fan-min-speed-percent=0% fan-target-temp=60C
/system identity
set name=CRS317-1G-16S+
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports=p1,p2 allow-from-vlan=99 identity=CRS317-1G-16S+ static-ip-address=192.168.0.2
/tool bandwidth-server
set authenticate=no enabled=no
/tool romon
set enabled=yes id=2C:C8:1B:2F:B9:CB
/tool sniffer
set filter-vlan=10
/user aaa
set default-group=disallow use-radius=yes

CRS326:

# 2025-02-09 09:46:53 by RouterOS 7.14.2
# software id = REDACTED
#
# model = CRS326-24G-2S+
# serial number = REDACTED
/interface bridge
add admin-mac=B8:69:F4:8C:A1:06 auto-mac=no ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=bonding1-slave
set [ find default-name=ether2 ] comment=bonding1-slave
set [ find default-name=ether3 ] comment="Richthoven (MOBO1)"
set [ find default-name=ether4 ] comment=finlay-aspire3
set [ find default-name=ether5 ] comment="Isoroku IPMI"
set [ find default-name=ether6 ] comment=RB5009UG+S+IN
set [ find default-name=ether7 ] comment="Local DNS"
set [ find default-name=ether8 ] comment="User Manager"
set [ find default-name=ether9 ] comment="AP Attic"
set [ find default-name=ether10 ] comment="AP Parents"
set [ find default-name=ether11 ] comment="Switch Bedroom"
set [ find default-name=sfp-sfpplus1 ] comment=CCR2004-1G-12S+2XS
set [ find default-name=sfp-sfpplus2 ] comment=CRS317-1G-16S+
/interface vlan
add interface=bridge name=vlan1000 vlan-id=1000
/interface bonding
add comment="Isoroku (gigabit + mgmt)" mode=802.3ad name=bonding1 slaves=ether1,ether2 transmit-hash-policy=layer-2-and-3
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list
add name=Neighbours
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
add name=mktxp policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
add name=disallow
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10 pvid=1001
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10 pvid=1001
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10 pvid=1001
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether21 internal-path-cost=10 path-cost=10 pvid=1005
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=bonding1 internal-path-cost=10 path-cost=10 pvid=1003
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=Neighbours
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge,ether9,ether10,ether11 vlan-ids=1005
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge untagged=bonding1 vlan-ids=1003
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether9,ether10 vlan-ids=1002
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether9,ether10 vlan-ids=1255
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge,bonding1,ether9,ether10 untagged=ether4,ether5,ether3 vlan-ids=1001
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether6,ether7,ether8,ether9,ether10,ether11 vlan-ids=1000
/interface list member
add interface=vlan1000 list=Neighbours
/ip dhcp-client
add interface=vlan1000
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/radius
add address=192.168.0.7 service=login
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=CRS326-24G-2S+
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports=p25,p26 identity=CRS326-24G-2S+ static-ip-address=192.168.0.3
/tool romon
set enabled=yes id=B8:69:F4:8C:A1:06
/tool sniffer
set filter-mac-address=D0:50:99:F1:92:82/FF:FF:FF:FF:FF:FF
/user aaa
set default-group=disallow use-radius=yes

What do you want to focus on next?

Not quite sure.
I mostly just want to get ready to migrate to the new topology (and figure out how to do that).
The configs don't have to be perfect, just good enough for a smooth-ish migration without major issues.

ConradPino · Mon Feb 10, 2025 10:57 pm

A rush project landed on my desk this morning; I will be short on personal time but will add to specific topics as time permits.

FinlayDaG33k · Tue Feb 11, 2025 12:50 pm

Don't worry, the forums are voluntary, take your time.

ConradPino · Tue Feb 11, 2025 11:05 pm

Sip, mmmmm ... Cafe is wonderful.

Over the weekend I made some progress reading configurations which raised questions best left for later.

In the mean time, RB5009 is another bridge switch chip in play and where the root bridge moves when devices go down is critical considerations in what interconnections survive. Please add RB5009 connections list similar your 08 Feb 2025 12:43 post. The RB5009 configuration may be very useful especially if VLAN are configured there as well.

FinlayDaG33k · Wed Feb 12, 2025 12:05 am

Please add RB5009 connections list.

The RB5009 just serves a few purposes but it doesn't need to run traffic beyond it (its purpose is closer to a server than a router/switch).

CAPsMAN
UserMan
DNS server (Docker container with AdGuard Home)
Metrics collection for Prometheus (Docker container with MKTXP)

Here is the list of what it's connected to.
The reason why it's so connected across everything is just so that RoMON can have the most direct connection to a device as possible (only the APs aren't on that list because aren't that high on the priority list).

sfp-sfpplus1: CCR2004
ether1: CRS317
ether2: CRS326
ether7: Provisioning, just a port that I can use to plug in a new MikroTik device (eg. AP) and quickly access it to get it set up.
ether8: Management, just a port that I can hook up a laptop or PC to (without needing to fuss around in the settings), to quickly log into the routers/switches using WinBox+RoMON.

And the config for good measure:

# 2025-02-11 22:43:18 by RouterOS 7.16
# software id = REDACTED
#
# model = RB5009UG+S+
# serial number = REDACTED
/interface bridge
add admin-mac=78:9A:18:47:B0:37 auto-mac=no name=bridge port-cost-mode=short priority=0x9000 vlan-filtering=yes
add name=containers
/interface ethernet
set [ find default-name=ether1 ] comment=CRS317-1G-16S+
set [ find default-name=ether2 ] comment=CRS326-24G-2S+
set [ find default-name=ether7 ] comment=Provisioning
set [ find default-name=ether8 ] comment=Management
set [ find default-name=sfp-sfpplus1 ] comment="CCR2004-1G-12S+2XS"
/interface veth
add address=172.17.0.3/24 gateway=172.17.0.1 gateway6="" name="adguard exporter"
add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name="adguard home"
add address=172.17.0.4/24 gateway=172.17.0.1 gateway6=:: name=mktxp
/interface vlan
add interface=bridge name=vlan1000 vlan-id=1000
/container mounts
add dst=/ name=adguard src=/usb1/containers/adguard
add dst=/ name="adguard exporter" src=/usb1/containers/adguard-exporter
add dst=/ name=mktxp src=/usb1/containers/mktxp
/disk
add media-interface=none media-sharing=no slot=ram tmpfs-max-size=512000000 type=tmpfs
set usb1 media-interface=none media-sharing=no
set usb2 media-interface=none media-sharing=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=neighbours
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2.4GHz reselect-interval=1h..2h width=20mhz
add band=5ghz-ax disabled=no frequency=5160,5180,5200,5220,5240 name=5Ghz reselect-interval=1h..2h width=20mhz
/interface wifi datapath
add bridge=bridge disabled=no name="Roelofs (Main)"
add bridge=bridge client-isolation=yes disabled=no name="Roelofs (Guests)" vlan-id=1255
add bridge=bridge client-isolation=yes disabled=no name="Roelofs (IOT)" vlan-id=1005
/interface wifi interworking
add disabled=no esr=no internet=yes ipv4-availability=single-nated ipv6-availability=not-available name="Roelofs (Guest)" network-type=private uesa=no venue=residential-private wan-status=test wan-symmetric=yes
/interface wifi security
add authentication-types=wpa2-eap,wpa3-eap connect-priority=0/1 disabled=no eap-accounting=yes eap-methods=peap ft=yes ft-over-ds=yes ft-preserve-vlanid=yes group-key-update=1h name="Roelofs (Main)"
add authentication-types=wpa-psk,wpa2-psk connect-priority=0/1 disabled=no ft=yes ft-over-ds=yes ft-preserve-vlanid=yes group-key-update=1h management-protection=allowed name="Roelofs (IOT)"
add authentication-types=wpa-psk,wpa2-psk connect-priority=0/1 disabled=no ft=yes ft-over-ds=yes ft-preserve-vlanid=yes group-key-update=1h management-protection=allowed name="Roelofs (Guest)"
/interface wifi configuration
add channel=2.4GHz datapath="Roelofs (IOT)" disabled=no mode=ap name="Roelofs IOT" security="Roelofs (IOT)" ssid="Roelofs IOT"
add channel=2.4GHz datapath="Roelofs (Guests)" disabled=no mode=ap name="Roelofs Guests" security="Roelofs (Guest)" ssid="Roelofs Guests"
/interface wifi steering
add disabled=no name=Roelofs neighbor-group=Roelofs-a50658fd rrm=yes wnm=yes
/interface wifi configuration
add antenna-gain=4 channel=2.4GHz country=Netherlands datapath="Roelofs (Main)" disabled=no mode=ap name="Roelofs (2.4GHz)" security="Roelofs (Main)" ssid=Roelofs steering=Roelofs steering.neighbor-group=Roelofs-a50658fd .rrm=yes .wnm=yes tx-power=3
add antenna-gain=6 channel=5Ghz country=Netherlands datapath="Roelofs (Main)" disabled=no mode=ap multicast-enhance=enabled name="Roelofs (5GHz)" security="Roelofs (Main)" ssid=Roelofs steering=Roelofs
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Management ranges=172.16.0.2-172.16.0.254
/ip dhcp-server
add add-arp=yes address-pool=Management interface=ether8 name=Management
/ip smb users
set [ find default=yes ] disabled=yes
/user group
add name=mktxp policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
add name=disallow
/user-manager limitation
add name=Roelofs
/user-manager profile
add name=Finster name-for-users=Finster validity=unlimited
add name=Roelofs name-for-users=Roelofs validity=unlimited
/user-manager user
add attributes=Mikrotik-Wireless-VLANID:1001,Mikrotik-Group:full name=REDACTED shared-users=unlimited
add attributes=Mikrotik-Wireless-VLANID:1002 name=REDACTED shared-users=unlimited
add attributes=Mikrotik-Wireless-VLANID:1002 name=REDACTED shared-users=unlimited
add attributes=Mikrotik-Wireless-VLANID:1255 disabled=yes name=REDACTED shared-users=unlimited
/caps-man aaa
set interim-update=1m mac-caching=12h mac-mode=as-username-and-password
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/container
add interface="adguard home" mounts=adguard root-dir=usb1/containers/adguard start-on-boot=yes workdir=/opt/adguardhome/work
add envlist=ADGUARD_EXPORTER interface="adguard exporter" root-dir=usb1/containers/adguard-exporter start-on-boot=yes workdir=/
add interface=mktxp root-dir=usb1/containers/mktxp start-on-boot=yes workdir=/mktxp
/container config
set ram-high=768.0MiB registry-url=https://registry-1.docker.io tmpdir=usb1/tmp
/container envs
add key=ADGUARD_SERVERS name=ADGUARD_EXPORTER value=http://172.17.0.2
add key=ADGUARD_USERNAMES name=ADGUARD_EXPORTER value=REDACTED
add key=ADGUARD_PASSWORDS name=ADGUARD_EXPORTER value=REDACTED
add key=INTERVAL name=ADGUARD_EXPORTER value=10s
/dude
set data-directory=/usb1/dude
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether1 internal-path-cost=10 path-cost=10
add bridge=containers interface="adguard home"
add bridge=containers interface="adguard exporter"
add bridge=containers interface=mktxp
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=neighbours lldp-max-frame-size=yes lldp-vlan-info=yes
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether1,ether2,ether7 vlan-ids=1000
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan1000 list=WAN
add interface=vlan1000 list=neighbours
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan1000 package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment="AP Attic (2.4GHz)" disabled=no master-configuration="Roelofs (2.4GHz)" name-format=%I-2.4GHz radio-mac=78:9A:18:62:E7:7F slave-configurations="Roelofs Guests,Roelofs IOT"
add action=create-dynamic-enabled comment="AP Attic (5GHz)" disabled=no master-configuration="Roelofs (5GHz)" name-format=%I-5GHz radio-mac=78:9A:18:62:E7:7E
add action=create-dynamic-enabled comment="AP Parents (2.4GHz)" disabled=no master-configuration="Roelofs (2.4GHz)" name-format=%I-2.4GHz radio-mac=F4:1E:57:2C:F5:E2 slave-configurations="Roelofs Guests,Roelofs IOT"
add action=create-dynamic-enabled comment="AP Parents (5GHz)" disabled=no master-configuration="Roelofs (5GHz)" name-format=%I-5GHz radio-mac=F4:1E:57:2C:F5:E1
/ip address
add address=172.17.0.1/24 interface=containers network=172.17.0.0
add address=172.16.0.1/24 interface=ether8 network=172.16.0.0
/ip dhcp-client
add interface=vlan1000 use-peer-ntp=no
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1 netmask=24
/ip firewall nat
add action=dst-nat chain=dstnat comment="Input to AdGuard" dst-address=192.168.0.7 dst-port=53 protocol=udp to-addresses=172.17.0.2 to-ports=53
add action=dst-nat chain=dstnat comment="Input to AdGuard" dst-address=192.168.0.7 dst-port=53 protocol=tcp to-addresses=172.17.0.2 to-ports=53
add action=dst-nat chain=dstnat comment="AdGuard Interface" dst-address=192.168.0.7 dst-port=80 protocol=tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment="AdGuard Interface" dst-address=192.168.0.7 dst-port=3000 protocol=tcp to-addresses=172.17.0.2 to-ports=3000
add action=dst-nat chain=dstnat comment="AdGuard Exporter" dst-address=192.168.0.7 dst-port=9618 protocol=tcp to-addresses=172.17.0.3 to-ports=9618
add action=dst-nat chain=dstnat comment=MKTXP dst-address=192.168.0.7 dst-port=49090 protocol=tcp to-addresses=172.17.0.4 to-ports=49090
add action=masquerade chain=srcnat comment="Masquerade outgoing" src-address=172.17.0.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set www disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/radius
add address=127.0.0.1 require-message-auth=no service=login timeout=500ms
add address=127.0.0.1 require-message-auth=no service=wireless timeout=2s
/radius incoming
set accept=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=RB5009UG+S+
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes local-clock-stratum=3 manycast=yes use-local-clock=yes
/system ntp client servers
add address=94.198.159.10
add address=94.198.159.14
/system scheduler
add interval=1d name="Userman Session Clean" on-event="/user-manager/session remove [find where active=no]" policy=read,write start-date=2024-02-08 start-time=00:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=CRS317-1G-16S+ disabled=no down-script="" host=192.168.0.2 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment=CRS326-24G-2S+ disabled=no down-script="" host=192.168.0.3 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment="AP Attic" disabled=no down-script="" host=192.168.0.5 http-codes="" interval=1m packet-count=4 packet-interval=20ms test-script="" timeout=1s type=simple up-script=""
add comment="AP Parents" disabled=no down-script="" host=192.168.0.6 http-codes="" interval=1m test-script="" thr-loss-percent=50% timeout=1s type=simple up-script=""
add comment=RB5009UG+S+ disabled=no down-script="" host=192.168.0.7 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment="hAP AC Lite (Bedroom)" disabled=no down-script="" host=192.168.0.4 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment=CCR2004-1G-12S+2XS disabled=no down-script="" host=192.168.0.1 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
/tool romon
set enabled=yes
/tool sniffer
set filter-mac-address=20:F4:78:2C:D1:EE/FF:FF:FF:FF:FF:FF
/user aaa
set default-group=disallow use-radius=yes
/user-manager
set certificate=RADIUS enabled=yes require-message-auth=no
/user-manager router
add address=192.168.0.6 name="AP Parents"
add address=192.168.0.5 name="AP Bedroom"
add address=192.168.0.2 name=CRS317-1G-16S+
add address=192.168.0.1 name=CCR2004-1G-12S+2XS
add address=127.0.0.1 name=RB5009UG+S+
add address=192.168.0.3 name=CRS326-24G-2S+
add address=192.168.0.9 name="Switch Bedroom"
/user-manager user-profile
add profile=Roelofs user=REDACTED
add profile=Roelofs user=REDACTED
add profile=Roelofs user=REDACTED

FinlayDaG33k · Wed Feb 12, 2025 8:11 am

(accidentally hit "quote" instead of editing previous post and can't delete this one somehow, ignore it pls)

CRS309 behind CCR2004 setup questions

CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions

Re: CRS309 behind CCR2004 setup questions