raxxis990
Goto Top

Mikrotik cAP AX Wifiwave2 Einstellung Hexs

Guten Morgen

habe mir jetzt einen MT cAP AX besorgt um so langsam die Aruba AP 22 abzulösen.

Das gesamte Netzwerk Verwaltet der Hexs also Vlan und jetzt CAPSMAN ( WIFIwave2 ).

Anbei dann die Config für den cAP AX und für den Hexs.

Die zwei anleitungen habe ich mir von @aqui durchgelesen und hoffe es richtig umgesetzt zu haben.

Meine Frage bzw Problem ist habe ich laut Config das WLAN Richtig eingestellt weil irgendwie verbinden sich alles Clients nur per 2,4 Ghz.

2,4Ghz hab ich auf 20mhz gestellt nur der Kanal ist noch nicht fix. Sowie auf AX.

5Ghz steht auch auf 20-80 mhz und auch auf AX.

Vlan technisch gesehen läuft das denke auch weil die Clients auch aus dem Vlan z.b. 20 eine IP bekommen sowie auch aus der Vlan 30.

Die Anleitungen unterscheiden sich schon etwas zum alten Capsman oder?

Config Hexs:

# 2023-09-26 09:47:32 by RouterOS 7.11.2
# software id = L19P-LU1R
#
# model = RB760iGS
# serial number = HD9085N1F9A
/interface bridge
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no \
    disabled=no ether-type=0x8100 fast-forward=yes forward-delay=15s \
    frame-types=admit-all igmp-snooping=no ingress-filtering=yes \
    max-message-age=20s mtu=auto name=vlan-bridge priority=0x8000 \
    protocol-mode=rstp pvid=1 transmit-hold-count=6 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1596 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=18:FD:74:C6:00:56 mtu=1500 \
    name=Eth1-Fritzbox-Uplink orig-mac-address=18:FD:74:C6:00:56 \
    rx-flow-control=off tx-flow-control=off
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1596 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=18:FD:74:C6:00:57 mtu=1500 \
    name=Eth2-Admin orig-mac-address=18:FD:74:C6:00:57 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1596 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=18:FD:74:C6:00:5B mtu=1500 \
    name=Sft1-Cisco-Uplink orig-mac-address=18:FD:74:C6:00:5B \
    rx-flow-control=off sfp-shutdown-temperature=95C tx-flow-control=off
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1596 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=18:FD:74:C6:00:58 mtu=1500 \
    name=ether3 orig-mac-address=18:FD:74:C6:00:58 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1596 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=18:FD:74:C6:00:59 mtu=1500 \
    name=ether4 orig-mac-address=18:FD:74:C6:00:59 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1596 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=18:FD:74:C6:00:5A mtu=1500 \
    name=ether5 orig-mac-address=18:FD:74:C6:00:5A poe-lldp-enabled=no \
    poe-out=auto-on poe-priority=10 power-cycle-interval=none \
    !power-cycle-ping-address power-cycle-ping-enabled=no \
    !power-cycle-ping-timeout rx-flow-control=off tx-flow-control=off
/queue interface
set vlan-bridge queue=no-queue
/interface wireguard
add disabled=no listen-port=51820 mtu=1420 name=wireguard1
/interface vlan
add arp=enabled arp-timeout=auto disabled=no interface=vlan-bridge \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 name=1-Default use-service-tag=no \
    vlan-id=1
add arp=enabled arp-timeout=auto disabled=no interface=vlan-bridge \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 name=4-Server use-service-tag=no \
    vlan-id=4
add arp=enabled arp-timeout=auto disabled=no interface=vlan-bridge \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 name=10-Server use-service-tag=no \
    vlan-id=10
add arp=enabled arp-timeout=auto disabled=no interface=vlan-bridge \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 name=20-Wlan use-service-tag=no \
    vlan-id=20
add arp=enabled arp-timeout=auto disabled=no interface=vlan-bridge \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 name=30-Iot use-service-tag=no \
    vlan-id=30
add arp=enabled arp-timeout=auto disabled=no interface=vlan-bridge \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 name=40-Gaeste-Wlan \
    use-service-tag=no vlan-id=40
/queue interface
set "1-Default" queue=no-queue  
set "4-Server" queue=no-queue  
set "10-Server" queue=no-queue  
set "20-Wlan" queue=no-queue  
set "30-Iot" queue=no-queue  
set "40-Gaeste-Wlan" queue=no-queue  
set wireguard1 queue=no-queue
/interface ethernet switch
set 0 !cpu-flow-control mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 !egress-rate !ingress-rate
set 1 !egress-rate !ingress-rate
set 2 !egress-rate !ingress-rate
set 3 !egress-rate !ingress-rate
set 4 !egress-rate !ingress-rate
set 5 !egress-rate !ingress-rate
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \  
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \  
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \  
    include="" name=dynamic  
set [ find name=static ] comment="contains static interfaces" exclude="" \  
    include="" name=static  
add comment="WAN Ports" exclude="" include="" name=WAN  
add comment="LAN Ports" exclude="" include="" name=LAN  
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=\
    none default-route-distance=2 ip-type=auto name=default use-network-apn=\
    yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifiwave2 configuration
add channel.band=5ghz-ax .width=20/40/80mhz datapath.bridge=vlan-bridge \
    .vlan-id=20 disabled=no mode=ap name=heimnetz.werk5 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp .wps=\
    disable ssid=heimnetz.werk
add channel.band=2ghz-ax .width=20mhz country="United States" \  
    datapath.bridge=vlan-bridge .vlan-id=20 disabled=no mode=ap name=\
    heimnetz.werk security.authentication-types=wpa2-psk,wpa3-psk \
    .encryption=ccmp .wps=disable ssid=heimnetz.werk
add channel.band=5ghz-ax .width=20/40/80mhz country="United States" \  
    datapath.bridge=vlan-bridge .vlan-id=30 disabled=no mode=ap name=\
    "heimnetz.werk IOT5" security.authentication-types=wpa2-psk,wpa3-psk \  
    .wps=disable ssid="heimnetz.werk IOT"  
add channel.band=2ghz-ax .width=20mhz country="United States" \  
    datapath.bridge=vlan-bridge .vlan-id=30 disabled=no mode=ap name=\
    "heimnetz.werk IOT" security.authentication-types=wpa2-psk,wpa3-psk .wps=\  
    disable ssid="heimnetz.werk IOT"  
add channel.band=2ghz-ax .width=20mhz country="United States" \  
    datapath.bridge=vlan-bridge .vlan-id=10 disabled=no mode=ap name=\
    "heimnetz.werk SERV" security.authentication-types=wpa2-psk,wpa3-psk \  
    .wps=disable ssid="heimnetz.werk SERV"  
add channel.band=5ghz-ax .width=20/40/80mhz country="United States" \  
    datapath.bridge=vlan-bridge .vlan-id=10 disabled=no mode=ap name=\
    "heimnetz.werk SERV5" security.authentication-types=wpa2-psk,wpa3-psk \  
    .wps=disable ssid="heimnetz.werk SERV"  
/interface wifiwave2
add arp-timeout=auto configuration=heimnetz.werk configuration.mode=ap \
    disabled=no mac-address=48:A9:8A:C5:51:7F name="heimnetz.werk2 DEFAULT" \  
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp
add arp-timeout=auto configuration=heimnetz.werk5 configuration.mode=ap \
    disabled=no mac-address=48:A9:8A:C5:51:7E name="heimnetz.werk5 DEFAULT" \  
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp
add arp-timeout=auto configuration="heimnetz.werk IOT" configuration.mode=ap \  
    disabled=no mac-address=4A:A9:8A:C5:51:7F master-interface=\
    "heimnetz.werk2 DEFAULT" name="heimnetz.werk IOT" \  
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp
add arp-timeout=auto configuration="heimnetz.werk IOT5" configuration.mode=ap \  
    disabled=no mac-address=4A:A9:8A:C5:51:7E master-interface=\
    "heimnetz.werk5 DEFAULT" name="heimnetz.werk IOT5" \  
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp
add arp-timeout=auto configuration="heimnetz.werk SERV" configuration.mode=ap \  
    disabled=no mac-address=4A:A9:8A:C5:51:80 master-interface=\
    "heimnetz.werk2 DEFAULT" name="heimnetz.werk SERV" \  
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp
add arp-timeout=auto configuration="heimnetz.werk SERV5" configuration.mode=\  
    ap disabled=no mac-address=4A:A9:8A:C5:51:81 master-interface=\
    "heimnetz.werk5 DEFAULT" name="heimnetz.werk SERV5" \  
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"  
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"  
set hostname code=12 name=hostname value="\$(HOSTNAME)"  
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=172.16.40.1 \  
    html-directory=flash/hotspot html-directory-override="" \  
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 install-hotspot-queue=no \
    login-by=cookie,http-chap,https name=default smtp-server=0.0.0.0 \
    split-user-domain=no ssl-certificate=none use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \  
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
add dh-group=modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256,3des hash-algorithm=sha1 lifetime=1d name=l2tp-vpn-peer-profile \
    nat-traversal=yes proposal-check=obey
/ip ipsec peer
add disabled=no exchange-mode=aggressive name=l2tp-vpn-peer-profile passive=\
    yes profile=l2tp-vpn-peer-profile send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,3des \
    lifetime=30m name=l2tp-vpn-proposal pfs-group=none
/ip pool
add name=1-Default ranges=172.16.5.100-172.16.5.150
add name=4-Server ranges=172.16.4.100-172.16.4.150
add name=10-Server ranges=172.16.10.100-172.16.10.150
add name=20-Wlan ranges=172.16.20.100-172.16.20.150
add name=30-Iot ranges=172.16.30.100-172.16.30.150
add name=40-Gaeste-Wlan ranges=172.16.40.100-172.16.40.150
add name=15-Ipsec ranges=172.16.15.100-172.16.15.150
/ip dhcp-server
add address-pool=1-Default authoritative=yes disabled=no interface=1-Default \
    lease-script=DHCP lease-time=30m name=1-Default use-radius=no
add address-pool=4-Server authoritative=yes disabled=no interface=4-Server \
    lease-script=DHCP lease-time=30m name=4-Server use-radius=no
add address-pool=10-Server authoritative=yes disabled=no interface=10-Server \
    lease-script=DHCP lease-time=30m name=10-Server use-radius=no
add address-pool=20-Wlan authoritative=yes disabled=no interface=20-Wlan \
    lease-script=DHCP lease-time=30m name=20-Wlan use-radius=no
add address-pool=30-Iot authoritative=yes disabled=no interface=30-Iot \
    lease-script=DHCP lease-time=30m name=30-Iot use-radius=no
add address-pool=40-Gaeste-Wlan authoritative=yes disabled=no interface=\
    40-Gaeste-Wlan lease-script=DHCP lease-time=30m name=40-Gaeste-Wlan \
    use-radius=no
/ip hotspot
add address-pool=40-Gaeste-Wlan addresses-per-mac=2 disabled=no idle-timeout=\
    5m interface=40-Gaeste-Wlan keepalive-timeout=none login-timeout=none \
    name=server1 profile=default
/ip ipsec mode-config
add address-pool=15-Ipsec address-prefix-length=24 name=l2tp-vpn-mode-config \
    split-dns="" system-dns=yes  
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
    stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default \  
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default on-down="" on-up="" only-one=default \  
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=default use-ipv6=\
    yes use-mpls=default use-upnp=default !wins-server
add address-list="" !bridge !bridge-horizon bridge-learning=default \  
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes dns-server=\
    172.16.5.1 !idle-timeout !incoming-filter !insert-queue-before \
    !interface-list local-address=172.16.5.1 name=l2tp-vpn-profile on-down="" \  
    on-up="" only-one=default !outgoing-filter !parent-queue !queue-type \  
    !rate-limit remote-address=15-Ipsec !session-timeout use-compression=\
    default use-encryption=required use-ipv6=yes use-mpls=yes use-upnp=\
    default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default \  
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default-encryption on-down="" on-up="" only-one=\  
    default !outgoing-filter !parent-queue !queue-type !rate-limit \
    !remote-address !session-timeout use-compression=default use-encryption=\
    yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set Eth1-Fritzbox-Uplink queue=only-hardware-queue
set Eth2-Admin queue=only-hardware-queue
set Sft1-Cisco-Uplink queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set "heimnetz.werk IOT" queue=wireless-default  
set "heimnetz.werk IOT5" queue=wireless-default  
set "heimnetz.werk SERV" queue=wireless-default  
set "heimnetz.werk SERV5" queue=wireless-default  
set "heimnetz.werk2 DEFAULT" queue=wireless-default  
set "heimnetz.werk5 DEFAULT" queue=wireless-default  
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=\
    no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
    0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
    bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\  
    eb,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy" skin=default  
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\  
    ssword,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy" skin=default  
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\  
    winbox,password,web,sniff,sensitive,api,romon,rest-api" skin=default  
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=vlan-bridge broadcast-flood=yes \
    disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none \
    hw=yes ingress-filtering=yes interface=Sft1-Cisco-Uplink \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none  
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none  
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=static lldp-med-net-policy-vlan=disabled mode=\
    tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
    arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=\
    yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled disable-ipv6=yes forward=yes \
    max-neighbor-entries=4096
/interface bridge vlan
add bridge=vlan-bridge disabled=no tagged=vlan-bridge untagged=\
    Sft1-Cisco-Uplink vlan-ids=1
add bridge=vlan-bridge disabled=no tagged=vlan-bridge,Sft1-Cisco-Uplink \
    untagged="" vlan-ids=4  
add bridge=vlan-bridge disabled=no tagged=vlan-bridge,Sft1-Cisco-Uplink \
    untagged="" vlan-ids=10  
add bridge=vlan-bridge disabled=no tagged=vlan-bridge,Sft1-Cisco-Uplink \
    untagged="" vlan-ids=20  
add bridge=vlan-bridge disabled=no tagged=vlan-bridge,Sft1-Cisco-Uplink \
    untagged="" vlan-ids=30  
add bridge=vlan-bridge disabled=no tagged=vlan-bridge,Sft1-Cisco-Uplink \
    untagged="" vlan-ids=40  
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no \
    authentication=mschap2 caller-id-type=ip-address default-profile=\
    l2tp-vpn-profile enabled=yes keepalive-timeout=30 l2tpv3-circuit-id="" \  
    l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=\
    unlimited mrru=disabled one-session-per-host=no use-ipsec=yes
/interface list member
add disabled=no interface=Eth1-Fritzbox-Uplink list=WAN
add disabled=no interface=4-Server list=LAN
add disabled=no interface=1-Default list=LAN
add disabled=no interface=10-Server list=LAN
add disabled=no interface=20-Wlan list=LAN
add disabled=no interface=30-Iot list=LAN
add disabled=no interface=40-Gaeste-Wlan list=LAN
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc \
    default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 \
    keepalive-timeout=60 mac-address=FE:0E:1A:BB:AF:58 max-mtu=1500 mode=ip \
    netmask=24 port=1194 protocol=tcp redirect-gateway=disabled reneg-sec=\
    3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wifiwave2 cap
set enabled=no
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\  
    no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    heimnetz.werk slave-configurations="heimnetz.werk5,heimnetz.werk IOT,heimn\  
    etz.werk IOT5,heimnetz.werk SERV,heimnetz.werk SERV5"  
/ip address
add address=172.16.0.3/24 disabled=no interface=Eth1-Fritzbox-Uplink network=\
    172.16.0.0
add address=172.16.5.1/24 disabled=no interface=1-Default network=172.16.5.0
add address=172.16.4.1/24 disabled=no interface=4-Server network=172.16.4.0
add address=172.16.10.1/24 disabled=no interface=10-Server network=\
    172.16.10.0
add address=172.16.20.1/24 disabled=no interface=20-Wlan network=172.16.20.0
add address=172.16.30.1/24 disabled=no interface=30-Iot network=172.16.30.0
add address=172.16.40.1/24 disabled=no interface=40-Gaeste-Wlan network=\
    172.16.40.0
/ip cloud
set ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=\
    5m
/ip dhcp-server lease
add address=172.16.4.7 address-lists="" client-id=1:70:f0:96:38:f2:37 \  
    dhcp-option="" disabled=no !insert-queue-before mac-address=\  
    70:F0:96:38:F2:37 server=4-Server
add address=172.16.20.147 address-lists="" dhcp-option="" disabled=no \  
    !insert-queue-before mac-address=B0:73:9C:C7:89:38 server=20-Wlan
add address=172.16.30.4 address-lists="" dhcp-option="" disabled=no \  
    !insert-queue-before mac-address=48:55:19:07:4A:70 server=30-Iot
add address=172.16.30.2 address-lists="" client-id=1:b8:27:eb:41:63:df \  
    dhcp-option="" disabled=no !insert-queue-before mac-address=\  
    B8:27:EB:41:63:DF server=30-Iot
add address=172.16.10.7 address-lists="" client-id=4e:c3:cf:2e:24:14 \  
    dhcp-option="" disabled=no !insert-queue-before mac-address=\  
    4E:C3:CF:2E:24:14 server=10-Server
add address=172.16.10.106 address-lists="" client-id=\  
    ff:6a:ff:3f:8:0:1:0:1:2c:51:ac:85:de:a1:6a:ff:3f:8 dhcp-option="" \  
    disabled=no !insert-queue-before mac-address=DE:A1:6A:FF:3F:08 server=\
    10-Server
add address=172.16.10.10 address-lists="" client-id=\  
    ff:85:12:12:45:0:1:0:1:2c:77:b1:49:12:45:85:12:12:45 dhcp-option="" \  
    disabled=no !insert-queue-before mac-address=12:45:85:12:12:45 server=\
    10-Server
add address=172.16.4.4 address-lists="" client-id=1:60:26:ef:cb:bb:76 \  
    dhcp-option="" disabled=no !insert-queue-before mac-address=\  
    60:26:EF:CB:BB:76 server=4-Server
add address=172.16.4.5 address-lists="" client-id=1:60:26:ef:cb:c3:6 \  
    dhcp-option="" disabled=no !insert-queue-before mac-address=\  
    60:26:EF:CB:C3:06 server=4-Server
add address=172.16.4.20 address-lists="" client-id=1:0:d8:61:c0:f9:e1 \  
    dhcp-option="" disabled=no !insert-queue-before mac-address=\  
    00:D8:61:C0:F9:E1 server=4-Server
add address=172.16.4.9 address-lists="" dhcp-option="" disabled=no \  
    !insert-queue-before mac-address=00:11:32:83:96:26 server=4-Server
add address=172.16.10.3 address-lists="" client-id=\  
    ff:cf:2e:24:17:0:1:0:1:2b:4:cf:b4:4e:c3:cf:2e:24:17 dhcp-option="" \  
    disabled=no !insert-queue-before mac-address=4E:C3:CF:2E:24:17 server=\
    10-Server
/ip dhcp-server network
add address=172.16.4.0/24 caps-manager="" dhcp-option="" dns-server=\  
    172.16.4.1 domain=heimnetz.werk gateway=172.16.4.1 !next-server \
    ntp-server="" wins-server=""  
add address=172.16.5.0/24 caps-manager="" dhcp-option="" dns-server=\  
    172.16.5.1 domain=heimnetz.werk gateway=172.16.5.1 !next-server \
    ntp-server="" wins-server=""  
add address=172.16.10.0/24 caps-manager="" dhcp-option="" dns-server=\  
    172.16.10.1 domain=heimnetz.werk gateway=172.16.10.1 !next-server \
    ntp-server="" wins-server=""  
add address=172.16.20.0/24 caps-manager="" dhcp-option="" dns-server=\  
    172.16.20.1 domain=heimnetz.werk gateway=172.16.20.1 !next-server \
    ntp-server="" wins-server=""  
add address=172.16.30.0/24 caps-manager="" dhcp-option="" dns-server=\  
    172.16.30.1 domain=heimnetz.werk gateway=172.16.30.1 !next-server \
    ntp-server="" wins-server=""  
add address=172.16.40.0/24 caps-manager="" dhcp-option="" dns-server=\  
    172.16.40.1 domain=heimnetz.werk gateway=172.16.40.1 !next-server \
    ntp-server="" wins-server=""  
/ip dns
set address-list-extra-time=0s allow-remote-requests=yes cache-max-ttl=1w \
    cache-size=2048KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 \
    max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
    query-server-timeout=2s query-total-timeout=10s servers=172.16.10.200 \
    use-doh-server="" verify-doh-cert=no  
/ip dns static
add address=172.16.20.110 comment=20-Wlan-EC:0D:E4:F9:40:16 disabled=no name=\
    172-16-20-110.heimnetz.werk ttl=15m
add address=172.16.20.109 comment=20-Wlan-00:26:AB:E5:9F:BB disabled=no name=\
    epsone59fbb.heimnetz.werk ttl=15m
add address=172.16.20.108 comment=20-Wlan-C4:95:00:92:B6:62 disabled=no name=\
    amazon-abcc5474b.heimnetz.werk ttl=15m
add address=172.16.20.107 comment=20-Wlan-00:E0:4C:5F:FD:32 disabled=no name=\
    dymond-5ffd33.heimnetz.werk ttl=15m
add address=172.16.4.1 disabled=no name=hEXs.heimnetz.werk ttl=1d
add address=172.16.30.1 disabled=no name=hEXs.heimnetz.werk ttl=1d
add address=172.16.20.1 disabled=no name=hEXs.heimnetz.werk ttl=1d
add address=172.16.10.1 disabled=no name=hEXs.heimnetz.werk ttl=1d
add address=172.16.5.1 disabled=no name=hEXs.heimnetz.werk ttl=1d
add address=172.16.20.145 comment=20-Wlan-A6:CB:2D:C0:78:4A disabled=no name=\
    172-16-20-145.heimnetz.werk ttl=15m
add address=172.16.20.146 comment=20-Wlan-94:AD:23:AD:EF:35 disabled=no name=\
    jennifesiphone2.heimnetz.werk ttl=15m
add address=172.16.4.100 comment=4-Server-48:A9:8A:C5:51:7C disabled=no name=\
    mikrotik.heimnetz.werk ttl=15m
add address=172.16.20.142 comment=20-Wlan-68:B6:91:E2:66:84 disabled=no name=\
    172-16-20-142.heimnetz.werk ttl=15m
add address=172.16.4.4 comment=4-Server-60:26:EF:CB:BB:76 disabled=no name=\
    ap22-og.heimnetz.werk ttl=15m
add address=172.16.30.2 comment=30-Iot-B8:27:EB:41:63:DF disabled=no name=\
    rpi.heimnetz.werk ttl=15m
add address=172.16.30.4 comment=30-Iot-48:55:19:07:4A:70 disabled=no name=\
    tasmota-074a70-2672.heimnetz.werk ttl=15m
add address=172.16.20.105 comment=20-Wlan-C4:5B:BE:C3:40:E8 disabled=no name=\
    esp-c340e8.heimnetz.werk ttl=15m
add address=172.16.4.20 comment=4-Server-00:D8:61:C0:F9:E1 disabled=no name=\
    admin.heimnetz.werk ttl=15m
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes  
add action=accept chain=forward comment="IPSEC IN - fasttrack bypass" \  
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSEC OUT - fasttrack bypass" \  
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Ping bis auf WAN erlauben" \  
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list in-interface=!Eth1-Fritzbox-Uplink \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=icmp \
    !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input comment="IPSEC zur Firewall erlauben" \  
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=new \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=500,1701,4500 \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    in-interface=Eth1-Fritzbox-Uplink !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \  
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority protocol=udp !psd !random !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    Eth1-Fritzbox-Uplink !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=ipsec-esp !psd !random !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
add action=accept chain=input comment="Wireguard zur Firewall erlauben" \  
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit dst-port=51820 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    Eth1-Fritzbox-Uplink !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=udp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input comment="DNS erlauben zu 10-Server-Adguard" \  
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit dst-port=53 !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list in-interface=10-Server \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    10-Server !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=udp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    40-Gaeste-Wlan !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=udp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    20-Wlan !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=udp !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    4-Server !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=udp !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    1-Default !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=udp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    40-Gaeste-Wlan !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    30-Iot !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    20-Wlan !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    1-Default !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=53 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    4-Server !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    all-ppp !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input comment="Zugriff zur Firewall" \  
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list in-interface=4-Server \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    10-Server !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input comment=\
    "ALLG. | Aufgebaute Verbindungen erlauben - Estab.,related" \  
    connection-state=established,related
add action=drop chain=input comment=\
    "ALLG. | Alles ohne Verbindungsstatus blockieren"  
add action=accept chain=forward comment="Internetzugriff erlauben" \  
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list in-interface=4-Server \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=forward !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    10-Server !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=forward !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    40-Gaeste-Wlan !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=forward !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    30-Iot !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=forward !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    all-ppp !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=forward !connection-bytes !connection-limit \
    !connection-mark !connection-nat-state !connection-rate !connection-state \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    20-Wlan !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \  
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=forward comment="Erlauben DSTNAT" !connection-bytes \  
    !connection-limit !connection-mark connection-nat-state=dstnat \
    !connection-rate !connection-state !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list in-interface=Eth1-Fritzbox-Uplink !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \  
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=forward comment=\
    "ALLG. | Aufgebaute Verbindungen erlauben - Estab.,related" \  
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=\
    established,related !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=drop chain=forward comment="ALLG. | Alles andere verwerfen" \  
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \  
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes !to-addresses !to-ports  
add action=masquerade chain=srcnat comment=masquerade !connection-bytes \
    !connection-limit !connection-mark !connection-rate !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \  
    !out-interface out-interface-list=WAN !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports !ttl
add action=dst-nat chain=dstnat comment="Portforwarding Mailcow" \  
    !connection-bytes !connection-limit !connection-mark !connection-rate \
    !connection-type !content disabled=yes !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit dst-port=\
    25,465,587,143,993,80,443 !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \  
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=tcp !psd !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-mss !time to-addresses=172.16.10.10 \
    !to-ports !ttl
add action=dst-nat chain=dstnat comment=NPM !connection-bytes \
    !connection-limit !connection-mark !connection-rate !connection-type \
    !content disabled=yes !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit dst-port=443,80 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    Eth1-Fritzbox-Uplink !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
    172.16.10.3 !to-ports !ttl
add action=dst-nat chain=dstnat comment=Minecraft !connection-bytes \
    !connection-limit !connection-mark !connection-rate !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit dst-port=25565 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    Eth1-Fritzbox-Uplink !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
    172.16.10.106 to-ports=25565 !ttl
add action=dst-nat chain=dstnat comment=LS22 !connection-bytes \
    !connection-limit !connection-mark !connection-rate !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit dst-port=10823 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    Eth1-Fritzbox-Uplink !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
    172.16.4.20 to-ports=10823 !ttl
add action=dst-nat chain=dstnat comment=LS22 !connection-bytes \
    !connection-limit !connection-mark !connection-rate !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit dst-port=10823 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    Eth1-Fritzbox-Uplink !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=udp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
    172.16.4.20 to-ports=10823 !ttl
add action=dst-nat chain=dstnat comment=Bitwarden !connection-bytes \
    !connection-limit !connection-mark !connection-rate !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit dst-port=8555 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
    Eth1-Fritzbox-Uplink !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \  
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
    172.16.10.3 to-ports=8555 !ttl
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp dst-address=172.16.15.0/24 !dst-address-list !dst-address-type \
    !dst-limit dst-port=9 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \  
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority protocol=udp !psd !random !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss \
    !time to-addresses=172.16.15.254 !to-ports !ttl
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \  
    disabled=no name=default-trial
add disabled=no name=test profile=default
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
add disabled=no dst-address=0.0.0.0/0 group=default proposal=\
    l2tp-vpn-proposal protocol=all src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet address="" disabled=no port=23 vrf=main  
set ftp address="" disabled=no port=21  
set www address="" disabled=no port=80 vrf=main  
set ssh address="" disabled=no port=22 vrf=main  
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any \  
    vrf=main
set api address="" disabled=no port=8728 vrf=main  
set winbox address="" disabled=no port=8291 vrf=main  
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any \  
    vrf=main
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/flash/pub \  
    disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=\
    200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
    host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=64k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
    yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=yes
/ip upnp interfaces
add disabled=no !forced-ip interface=Eth1-Fritzbox-Uplink type=external
add disabled=no !forced-ip interface=vlan-bridge type=internal
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes \
    disabled=no dns="" hop-limit=unspecified interface=all \  
    managed-address-configuration=no mtu=unspecified other-configuration=no \
    pref64="" ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m \  
    ra-preference=medium reachable-time=unspecified retransmit-interval=\
    unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
    use-radius=no
/ppp secret
add caller-id="" disabled=no ipv6-routes="" limit-bytes-in=0 limit-bytes-out=\  
    0 !local-address name=vpn-nico-iphone profile=l2tp-vpn-profile \
    !remote-address !remote-ipv6-prefix routes="" service=l2tp  
/radius
add accounting-backup=no accounting-port=1813 address=127.0.0.1 \
    authentication-port=1812 called-id="" certificate=none disabled=no \  
    domain="" protocol=udp realm="" service=wireless src-address=127.0.0.1 \  
    timeout=300ms
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: \  
    trap-community=public trap-generators=temp-exception trap-target="" \  
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Berlin
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start=\  
    "1970-01-01 00:00:00" time-zone=+00:00  
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system identity
set name=hEXs
/system leds
set 0 disabled=no interface=Sft1-Cisco-Uplink leds=sfp-led type=\
    interface-activity
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info  
set 1 action=memory disabled=no prefix="" topics=error  
set 2 action=memory disabled=no prefix="" topics=warning  
set 3 action=echo disabled=no prefix="" topics=critical  
add action=memory disabled=no prefix="" topics=caps,debug  
add action=memory disabled=no prefix="" topics=caps,debug  
/system note
set note="" show-at-login=no  
/system ntp client
set enabled=no mode=unicast servers="" vrf=main  
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no \  
    local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=\
    main
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
/system resource irq rps
set Eth1-Fritzbox-Uplink disabled=no
set Eth2-Admin disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set Sft1-Cisco-Uplink disabled=no
/system resource usb settings
set authorization=no
/system routerboard settings
set auto-upgrade=no boot-device=nand-if-fail-then-ethernet boot-protocol=\
    bootp disable-pci=no force-backup-booter=no preboot-etherboot=disabled \
    preboot-etherboot-server=any protected-routerboot=disabled \
    reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system routerboard mode-button
set enabled=no hold-time=0s..1m on-event=""  
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""  
/system script
add dont-require-permissions=no name=DHCP owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\  
    \_DNS TTL to set for DNS entries\r\
    \n:local dnsttl \"00:15:00\";\r\  
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound         1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName    Name of DHCP server\r\
    \n# leaseActIP         IP address of DHCP client\r\
    \n# leaseActMAC        MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\  
    \n:do {\r\
    \n  :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n  \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName \
    leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script\  
    \_error\" };\r\  
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for mi\  
    ssing host names\r\
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n  :local outStr\r\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n  {\r\
    \n    :local tmp [:pick \$inStr \$i];\r\
    \n    :if (\$tmp =\".\") do=\\\r\  
    \n    {\r\
    \n      :set tmp \"-\"\r\  
    \n    }\r\
    \n    :set outStr (\$outStr . \$tmp)\r\
    \n  }\r\
    \n  :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\  
    \n  :local numChars [:len \$name];\r\
    \n  :if (\$numChars > 63) do={:set numChars 63};\r\
    \n  :local result \"\";\r\  
    \n\r\
    \n  :for i from=0 to=(\$numChars - 1) do={\r\
    \n    :local char [:pick \$name \$i];\r\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\  
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\  
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\  
    \n  :local result \"\";\r\  
    \n  :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n    :local char [:pick \$entry \$i];\r\
    \n    :local pos [:find \$upper \$char];\r\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\  
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\  
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n  :log error \"\$LogPrefix: empty lease address\"\r\  
    \n  :error \"empty lease address\"\r\  
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  # new DHCP lease added\r\
    \n  /ip dhcp-server\r\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network\r\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\  
    \n\r\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$\
    leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\  
    \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using ge\  
    nerated host name '\$hostname'\"\r\  
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\  
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', can\  
    not create static DNS name\"\r\  
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\  
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\  
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\  
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActM\
    AC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\  
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl\
    \_comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns r\  
    egistration of \$fqdn with \$leaseActIP\"}\r\  
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n} "  
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""  
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
    ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> port=25 tls=no user="" vrf=main  
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no  
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \  
    filter-dst-ip-address="" filter-dst-ipv6-address="" \  
    filter-dst-mac-address="" filter-dst-port="" filter-interface="" \  
    filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \  
    filter-mac-address="" filter-mac-protocol="" \  
    filter-operator-between-entries=or filter-port="" filter-size="" \  
    filter-src-ip-address="" filter-src-ipv6-address="" \  
    filter-src-mac-address="" filter-src-port="" filter-stream=no \  
    filter-vlan="" memory-limit=100KiB memory-scroll=yes only-headers=no \  
    streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no \
    stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \  
    use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

Config cAP AX:

# 2023-09-26 09:45:50 by RouterOS 7.11.2
# software id = ZWCE-ZKET
#
# model = cAPGi-5HaxD2HaxD
# serial number = HEF08Z38MEP
/interface bridge
add admin-mac=48:A9:8A:C5:51:7C auto-mac=no comment=defconf name=bridgeLocal
/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: heimnetz.werk, channel: 5845/ax/eCee
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN
# mode: AP, SSID: heimnetz.werk, channel: 2412/ax
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no

Content-Key: 4904795538

Url: https://administrator.de/contentid/4904795538

Printed on: February 23, 2024 at 21:02 o'clock

Member: aqui
aqui Sep 26, 2023 at 10:17:01 (UTC)
Goto Top
Das hast du dir angesehen und entsprechend umgesetzt?
https://www.youtube.com/watch?v=JRbAqie1_AM
Member: aqui
aqui Oct 24, 2023 at 14:08:21 (UTC)
Goto Top
Wenn es das war bitte nicht vergessen deinen Thread hier als erledigt zu markieren!