26
Mikrotik zwei Router verbinden: ax2 bekommt keine IP
Hallo @aqui,
zu Mikrotik zwei Router verbinden: weitere Fragen:
Es hat bis gestern alles so gut funktioniert: den Netgear switch habe ich durch einen MT hEX POE ersetzt, und dann folgendes realisiert:
cap ax am ax3, ax2 am ax3, heX POE am ax2, und heX am heX POE
Dann habe ich irgendwann im LOG gesehen, dass dort ständig RX loop Packages auftauchen, auf den ax3 ether4.
Ich hatte dann am ax3 das ether4 disabled und wieder enabled, doch seither bekommt der ax2 keine IP-Adresse vom ax3 mehr zugewiesen. Wenn ich den hEX POE direkt an den ax3 an denselben Port hänge, dann erhält dieser eine IP, auch der hEX und all Geräte.
Ich habe den ax2 zurückgesetzt, die Konfiguration gelöscht, und ein minimales Setup erstellt, nur VLAN 111 als Trunk und als MGMNT. Trotzdem erhält der ax2 keine IP.
ax3:
Übrigens habe ich auch mal den Lease script unter /system script erstellt. Aber welchen Befehl muss ich dann im DHCP script angeben?
zu Mikrotik zwei Router verbinden: weitere Fragen:
Es hat bis gestern alles so gut funktioniert: den Netgear switch habe ich durch einen MT hEX POE ersetzt, und dann folgendes realisiert:
cap ax am ax3, ax2 am ax3, heX POE am ax2, und heX am heX POE
Dann habe ich irgendwann im LOG gesehen, dass dort ständig RX loop Packages auftauchen, auf den ax3 ether4.
Ich hatte dann am ax3 das ether4 disabled und wieder enabled, doch seither bekommt der ax2 keine IP-Adresse vom ax3 mehr zugewiesen. Wenn ich den hEX POE direkt an den ax3 an denselben Port hänge, dann erhält dieser eine IP, auch der hEX und all Geräte.
Ich habe den ax2 zurückgesetzt, die Konfiguration gelöscht, und ein minimales Setup erstellt, nur VLAN 111 als Trunk und als MGMNT. Trotzdem erhält der ax2 keine IP.
[SEadmin@MikroTik ax2] >
# 1970-01-02 00:44:47 by RouterOS 7.15.2
# software id = 5MCE-DL16
#
# model = C52iG-5HaxD2HaxD
# serial number = HGC09WRMRVQ
/interface bridge
add name=br_vlan pvid=111 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 [TRUNK ax3]"
set [ find default-name=ether4 ] name="ether4 [MANAGEMENT]"
/interface vlan
add interface="ether1 [TRUNK ax3]" name=vlan111 vlan-id=111
/interface bridge port
add bridge=br_vlan interface="ether1 [TRUNK ax3]" pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether4 [MANAGEMENT]" pvid=111
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
/ip dhcp-client
add interface=vlan111
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.111.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name="MikroTik ax2"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool romon
set enabled=yes
[SEadmin@MikroTik ax2] > ax3:
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_200
add address-pool=dhcp_pool_40 interface="vlan40 [PROXMOX]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_40
add address-pool=dhcp_pool_50 interface="vlan50 [PHONE]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_50
add address-pool=dhcp_pool_60 interface="vlan60 [MOBILE OFFICE]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_60
add address-pool=dhcp_pool_100 interface="vlan100 [HOME]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_100
add address-pool=dhcp_pool_1 interface="vlan1 [DEFAULT]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_1
add address-pool=dhcp_pool_111 interface="vlan111 [MANAGEMENT]" lease-script="# DNS TTL to set for DNS entries\r\
\n:local dnsttl \"00:15:00\";\r\
\n\r\
\n###\r\
\n# Script entry point\r\
\n#\r\
\n# Expected environment variables:\r\
\n# leaseBound 1 = lease bound, 0 = lease removed\r\
\n# leaseServerName Name of DHCP server\r\
\n# leaseActIP IP address of DHCP client\r\
\n# leaseActMAC MAC address of DHCP client\r\
\n###\r\
\n\r\
\n:local scriptName \"dhcp2dns\"\r\
\n:do {\r\
\n :local scriptObj [:parse [/system script get \$scriptName source]]\r\
\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\
\n\r\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\
\n:local ip2Host do=\\\r\
\n{\r\
\n :local outStr\r\
\n :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
\n {\r\
\n :local tmp [:pick \$inStr \$i];\r\
\n :if (\$tmp =\".\") do=\\\r\
\n {\r\
\n :set tmp \"-\"\r\
\n }\r\
\n :set outStr (\$outStr . \$tmp)\r\
\n }\r\
\n :return \$outStr\r\
\n}\r\
\n\r\
\n:local mapHostName do={\r\
\n# param: name\r\
\n# max length = 63\r\
\n# allowed chars a-z,0-9,-\r\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\
\n :local numChars [:len \$name];\r\
\n :if (\$numChars > 63) do={:set numChars 63};\r\
\n :local result \"\";\r\
\n\r\
\n :for i from=0 to=(\$numChars - 1) do={\r\
\n :local char [:pick \$name \$i];\r\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local lowerCase do={\r\
\n# param: entry\r\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\
\n :local result \"\";\r\
\n :for i from=0 to=([:len \$entry] - 1) do={\r\
\n :local char [:pick \$entry \$i];\r\
\n :local pos [:find \$upper \$char];\r\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
\n :set result (\$result . \$char);\r\
\n }\r\
\n :return \$result;\r\
\n}\r\
\n\r\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\r\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
\n{\r\
\n :log error \"\$LogPrefix: empty lease address\"\r\
\n :error \"empty lease address\"\r\
\n}\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n # new DHCP lease added\r\
\n /ip dhcp-server\r\
\n #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network\r\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\
\n\r\
\n :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
\n #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\
\n\r\
\n #Hostname cleanup\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\
\n }\r\
\n :set hostname [\$lowerCase entry=\$hostname]\r\
\n :set hostname [\$mapHostName name=\$hostname]\r\
\n #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\
\n\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\
\n :error \"Empty domainname for '\$leaseActIP'\"\r\
\n }\r\
\n\r\
\n :local fqdn (\$hostname . \".\" . \$domain)\r\
\n #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\
\n\r\
\n :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
\n # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\
\n :do {\r\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\
\n }\r\
\n\r\
\n} else={\r\
\n# DHCP lease removed\r\
\n /ip dns static remove [find comment=\$token];\r\
\n} " lease-time=10m name=dhcp_111
/ppp profile
add change-tcp-mss=yes dns-server=10.10.111.1 name=vpn
set *FFFFFFFE dns-server=10.10.200.1
/routing bgp template
set default disabled=no output.network=bgp-networks
/interface bridge port
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether3 [MANAGEMENT]" pvid=111
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi1 [5 GHz MASTER]" point-to-point=no pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi2 [2.4 GHz MASTER]" point-to-point=no pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi3 [HOMETEC 5] " point-to-point=no pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether2 [PHONE]" pvid=50
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi4 [HOME 5]" point-to-point=no pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi5 [HOME 2.4]" point-to-point=no pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi6 [HOMETEC 2]" point-to-point=no pvid=200
add bridge=br_vlan interface="ether1[TRUNK AP]" pvid=111
add bridge=br_vlan interface="ether4 [TRUNK AX2]" pvid=111
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK AP],ether4 [TRUNK AX2],wifi3 [HOMETEC 5] ,wifi6 [HOMETEC 2]" vlan-ids=200
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK AP],ether4 [TRUNK AX2],wifi1 [5 GHz MASTER],wifi2 [2.4 GHz MASTER]" vlan-ids=2
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK AP],wifi4 [HOME 5],wifi5 [HOME 2.4],ether4 [TRUNK AX2]" vlan-ids=100
add bridge=br_vlan tagged="br_vlan,ether4 [TRUNK AX2],ether1[TRUNK AP]" vlan-ids=40
add bridge=br_vlan tagged="br_vlan,ether4 [TRUNK AX2],ether1[TRUNK AP]" vlan-ids=50
add bridge=br_vlan tagged="br_vlan,ether4 [TRUNK AX2],ether1[TRUNK AP]" vlan-ids=60
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface="vlan1 [DEFAULT]" list=LAN
add interface="vlan200 [HOMETEC]" list=LAN
add interface=pppoe-out1 list=WAN
add interface="vlan2 [WLAN]" list=LAN
add interface="vlan40 [PROXMOX]" list=LAN
add interface="vlan100 [HOME]" list=LAN
add interface="vlan50 [PHONE]" list=LAN
add interface="vlan60 [MOBILE OFFICE]" list=LAN
add interface="vlan111 [MANAGEMENT]" list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap2
/ip address
add address=10.10.200.1/24 interface="vlan200 [HOMETEC]" network=10.10.200.0
add address=10.10.40.1/24 interface="vlan40 [PROXMOX]" network=10.10.40.0
add address=10.10.50.1/24 interface="vlan50 [PHONE]" network=10.10.50.0
add address=10.10.60.1/24 interface="vlan60 [MOBILE OFFICE]" network=10.10.60.0
add address=10.10.100.1/24 interface="vlan100 [HOME]" network=10.10.100.0
add address=10.10.1.1/24 interface="vlan1 [DEFAULT]" network=10.10.1.0
add address=10.10.111.1/24 interface="vlan111 [MANAGEMENT]" network=10.10.111.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
add address=10.10.111.2 client-id=1:d4:1:c3:7c:b7:b2 mac-address=D4:01:C3:7C:B7:B2 server=dhcp_111
add address=10.10.50.200 mac-address=58:9E:C6:36:4B:BB server=dhcp_50
add address=10.10.200.20 client-id=1:0:50:f4:36:f1:a7 comment="Lambda W\E4rmepumpe" mac-address=00:50:F4:36:F1:A7 server=dhcp_200
add address=10.10.111.4 client-id=1:2e:c8:1b:18:8c:4a mac-address=2E:C8:1B:18:8C:4A server=dhcp_111
add address=10.10.111.10 client-id=1:dc:2c:6e:74:d3:9b mac-address=DC:2C:6E:74:D3:9B server=dhcp_111
add address=10.10.40.117 client-id=1:2:58:8a:7c:5a:3f comment="Home Assistant" mac-address=02:58:8A:7C:5A:3F server=dhcp_40
add address=10.10.111.5 client-id=1:d4:1:c3:b8:f8:a6 mac-address=D4:01:C3:B8:F8:A6 server=dhcp_111
add address=10.10.200.193 client-id=1:dc:a6:32:f6:4a:47 mac-address=DC:A6:32:F6:4A:47 server=dhcp_200
add address=10.10.111.6 client-id=1:d4:1:c3:8a:64:75 mac-address=D4:01:C3:8A:64:75 server=dhcp_111
add address=10.10.200.130 client-id=1:dc:a6:32:2c:97:f mac-address=DC:A6:32:2C:97:0F server=dhcp_200
add address=10.10.100.116 client-id=1:6c:3c:7c:78:35:92 comment="Canon Drucker" mac-address=6C:3C:7C:78:35:92 server=dhcp_100
add address=10.10.200.132 client-id=1:e8:6b:ea:31:58:2c mac-address=E8:6B:EA:31:58:2C server=dhcp_200
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=10.10.1.1 domain=fasan.home.arpa gateway=10.10.1.1
add address=10.10.20.0/24 dns-server=10.10.20.1 domain=fasan.home.arpa gateway=10.10.20.1
add address=10.10.40.0/24 dns-server=10.10.40.1 domain=fasan.home.arpa gateway=10.10.40.1
add address=10.10.50.0/24 dns-server=10.10.50.1 domain=fasan.home.arpa gateway=10.10.50.1
add address=10.10.60.0/24 dns-server=10.10.60.1 domain=fasan.home.arpa gateway=10.10.60.1
add address=10.10.100.0/24 dns-server=10.10.100.1 domain=fasan.home.arpa gateway=10.10.100.1
add address=10.10.111.0/24 dns-server=10.10.111.1 domain=fasan.home.arpa gateway=10.10.111.1
add address=10.10.200.0/24 dns-server=10.10.200.1 domain=fasan.home.arpa gateway=10.10.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.100.111 comment=dhcp_100-2A:B3:C4:F3:A3:16 name=10-10-100-111.fasan.home.arpa ttl=15m
add address=10.10.100.107 comment=dhcp_100-F0:B3:EC:1E:A7:9A name=appletvafzimmer.fasan.home.arpa ttl=15m
add address=10.10.50.200 comment=dhcp_50-58:9E:C6:36:4B:BB name=s850a-go.fasan.home.arpa ttl=15m
add address=10.10.200.105 comment=dhcp_200-D4:F9:8D:01:32:F0 name=espressif.fasan.home.arpa ttl=15m
add address=10.10.100.101 comment=dhcp_100-3C:6A:9D:17:6E:A8 name=-y------.fasan.home.arpa ttl=15m
add address=10.10.111.5 comment=dhcp_111-D4:01:C3:B8:F8:A6 name=mikrotik-cap-ax.fasan.home.arpa ttl=15m
add address=10.10.200.108 comment=dhcp_200-68:B6:B3:A2:1F:40 name=ecoflow.fasan.home.arpa ttl=15m
add address=10.10.100.110 comment=dhcp_100-96:EA:32:7A:16:6D name=10-10-100-110.fasan.home.arpa ttl=15m
add address=10.10.200.109 comment=dhcp_200-D4:F9:8D:02:08:74 name=espressif.fasan.home.arpa ttl=15m
add address=10.10.100.100 comment=dhcp_100-EC:DA:3B:A8:7B:D8 name=espressif.fasan.home.arpa ttl=15m
add address=10.10.200.102 comment=dhcp_200-D4:F9:8D:02:32:34 name=espressif.fasan.home.arpa ttl=15m
add address=10.10.200.112 comment=dhcp_200-B4:8A:0A:C0:98:BB name=esp-c098bb.fasan.home.arpa ttl=15m
add address=10.10.100.104 comment=dhcp_100-F6:13:48:5A:03:10 name=10-10-100-104.fasan.home.arpa ttl=15m
add address=10.10.200.132 comment=dhcp_200-E8:6B:EA:31:58:2C name=esp32-bluetooth-proxy-31582c.fasan.home.arpa ttl=15m
add address=10.10.200.107 comment=dhcp_200-68:67:25:B3:0C:B8 name=hw51-1637.fasan.home.arpa ttl=15m
add address=10.10.200.104 comment=dhcp_200-24:4C:AB:01:5D:5C name=tibber-host.fasan.home.arpa ttl=15m
add address=10.10.111.6 comment=dhcp_111-D4:01:C3:8A:64:75 name=mikrotik-hex-poe.fasan.home.arpa ttl=15m
add address=10.10.111.3 comment=dhcp_111-38:C9:86:1A:EA:84 name=imac.fasan.home.arpa ttl=15m
add address=10.10.200.193 comment=dhcp_200-DC:A6:32:F6:4A:47 name=contromeminiserver.fasan.home.arpa ttl=15m
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=10.10.111.222 comment="L2TP Hometec" list="L2TP Mikrotik"
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out IPSec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment=L2TP/IPSec dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=L2TP/IPSec protocol=ipsec-esp
add action=accept chain=input comment="accept DNS via VPN " dst-address=10.10.111.1 dst-port=53 protocol=tcp src-address-list="L2TP Mikrotik"
add action=accept chain=input comment="accept DNS via VPN " dst-address=10.10.111.1 dst-port=53 protocol=udp src-address-list="L2TP Mikrotik"
add action=accept chain=input comment="defconf: accept out IPSec policy" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="defconf: accept out IPSec policy" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=log chain=forward disabled=yes log=yes log-prefix=XX
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
add action=drop chain=forward out-interface="vlan111 [MANAGEMENT]"
add action=drop chain=input comment="drop all not coming from MANAGEMENT VLAN" in-interface="!vlan111 [MANAGEMENT]"
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=dst-nat chain=dstnat comment="Telefon S850A Go" dst-port=49004-49012 protocol=udp to-addresses=10.10.50.200 to-ports=49004-49012
add action=dst-nat chain=dstnat comment="Port 80 Forwarding Miniserver" disabled=yes dst-port=51820 in-interface-list=WAN protocol=tcp to-addresses=10.10.200.193 to-ports=80
add action=dst-nat chain=dstnat comment="Port 22 Forwarding Miniserver" disabled=yes dst-port=51830 in-interface-list=WAN protocol=tcp to-addresses=10.10.200.193 to-ports=22
add action=dst-nat chain=dstnat comment="Port 80 Forwarding Floor Gateway" disabled=yes dst-port=51720 in-interface-list=WAN protocol=tcp to-addresses=10.10.200.105 to-ports=80
add action=dst-nat chain=dstnat comment="Port 22 Forwarding Floor Gateway" disabled=yes dst-port=51730 in-interface-list=WAN protocol=tcp to-addresses=10.10.200.105 to-ports=22
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=no
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# no interface
add action=drop chain=input comment="drop all not coming from MANAGEMENT VLAN" in-interface=!*C
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
/ppp secret
add local-address=10.10.111.1 name=Mikrotik profile=vpn remote-address=10.10.111.222 service=l2tp
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="Mikrotik ax3"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=ntp0.fau.de
add address=ntp1.fau.de
add address=ntp2.fau.de
add address=ntp3.fau.de
add address=npt0.ewetel.de
add address=ntp1.ewetel.de
/tool romon
set enabled=yes
[SEadmin@Mikrotik ax3] > Übrigens habe ich auch mal den Lease script unter /system script erstellt. Aber welchen Befehl muss ich dann im DHCP script angeben?
Auf Facebook teilen
Auf Twitter teilen
Auf Reddit teilen
Auf Linkedin teilenBitte markiere auch die Kommentare, die zur Lösung des Beitrags beigetragen haben
Content-ID: 72663223652
Url: https://administrator.de/contentid/72663223652
Ausgedruckt am: 13.11.2024 um 12:11 Uhr
26 Kommentare
Neuester Kommentar
Moin.
Statische Route hier ist überflüssig
Und eine Firewall vollständig aktivieren bevor alles so läuft wie gewünscht ist auch nicht gerade intelligent fürs Debugging. Also intern immer erst mal auf Durchzug schalten.
Gruß
Aber welchen Befehl muss ich dann im DHCP script angeben?
Natürlich den zum Starten des Skriptes/system script run SCRIPTNAMEcap ax am ax3, ax2 am ax3, heX POE am ax2, und heX am heX POE
Bild der Netzwerktopologie, unvollständige configs vervollständigen und doppelt und dreifache Skripte aus den Configs eliminieren wäre als erstes mal sinnvoll für das Verständnis!Statische Route hier ist überflüssig
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.111.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
wenn sowieso ein DHCP Client die Default-Route setzt./ip dhcp-client add interface=vlan111
Und eine Firewall vollständig aktivieren bevor alles so läuft wie gewünscht ist auch nicht gerade intelligent fürs Debugging. Also intern immer erst mal auf Durchzug schalten.
Gruß
Danke @14135584197. Die statische Route hatte ich zuerst weg, und habe dann halt verschiedenes versucht.
verschiedenes versucht.
Trial&Error ist bei Mikrotik eine ganz schlechte Basis ...https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginne ...
https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration
https://nsrc.org/workshops/2024/nsrc-btnog11-cndo/networking/cndo/en/pre ...
https://mum.mikrotik.com/presentations/VN17/presentation_4332_1493289082 ...
Da gebe ich Dir recht, aber ich bin kein Netzwerker, sondern lerne Schritt für Schritt, vor allem auch durch die Hilfe aus diesem Forum
sondern lerne Schritt für Schritt,
Dann solltest du auch Schritt für Schritt vorgehen und nicht nur Copy n Paste in deine Router einfügen, denn das hast du mit den Firewall-Regeln gemacht, da sind einige drin die für deinen Router vollkommen fehlerhaft sind und wichtige Kommunikation zwischen dem Router und den Clients verhindern.Also auch Schritt für Schritt vorgehen, alle Firewall-Filter-Regeln deaktivieren und erst mal die Basics zu laufen bringen dann erst die Firewall wie ich oben schon angemerkt habe. Und dann aber bitte auch kein Copy n Paste sondern erst mal jede Regel einzeln verstehen was sie bewirkt, denn das ist essentiell für ein nachhaltiges Arbeiten mit dem Mikrotik sonst wirst du immer wie der Ochs vor dem Berg stehen wenn was nicht so funktioniert wie du dir das vorstellst und Router unnötigerweise immer wieder zurücksetzen obwohl das nicht nötig gewesen wäre. Im schlimmsten Fall öffnest du Tür und Tor für alle mit deinen Regeln.
Vor allem den Packetflow zu verstehen ist essentiell bei der Arbeit mit RouterOS seinen Interfaces und vor allem auch der Firewall
https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS
So, jetzt hab ich alle Firewall Regeln disabled, bis auf drop input !LAN und bei Raw das passthrough prerouting, und schon bescheren sich meine Kinder, dass sie nicht mehr ins Internet kommen ...
Einen Fehler habe ich erkannt, der kam aber erst heute morgen rein, als ich den ax2 neu aufgesetzt hatte:
das V111 interface war auf ether1 anstelle der bridge zugeordnet. Trotzdem erhält der ax2 keine IP vom ax3.
Einen Fehler habe ich erkannt, der kam aber erst heute morgen rein, als ich den ax2 neu aufgesetzt hatte:
das V111 interface war auf ether1 anstelle der bridge zugeordnet. Trotzdem erhält der ax2 keine IP vom ax3.
und schon bescheren sich meine Kinder, dass sie nicht mehr ins Internet kommen ...
Naja wenn du das Masquerade am WAN auch deaktivierst was erwartest du 
?! Klar das dann nix mehr geht, deswegen schrieb ich ja explizit nur die Firewall-Filter-Regeln und nicht die NAT Regeln. Wenn deine Geräte mit privaten IPs ins Internet routen ohne das diese durch das Masquerading auf die Public IP des routers umgeschrieben werden klar das da nix zurück kommen kann .Me done ... good luck and happy learning 👋
Sorry, die mauernde Regel ist natürlich nich da, hatte ich nur nicht erwähnt. Internet war auch nur kurz weg …
Wenn ich den ax2 an einen Trunk Port am hEX POE hänge, und den hEX POE an den Trunk vom ax3, dann erhält der ax2 eine IP.
Beim Lease für den ax2 steht beim ax3 in der Spalte „Bridge“ anstelle von „ether…“ ein „br_vlan“.
Beim Lease für den ax2 steht beim ax3 in der Spalte „Bridge“ anstelle von „ether…“ ein „br_vlan“.
Wenn ich den ax2 ether1 (TRUNK PORT mit PVID 111) direkt am ax3 TRUNK port anschließe, dann ist dieser mit "alternate port" anstelle von "root port" gekennzeichnet.
Brillsche Aufsetze 🥸, fällt dir hier in der Config des AX2 nix auf ...?
/interface vlan
add interface="ether1 [TRUNK ax3]" name=vlan111 vlan-id=111
Na Fehler gefunden? Das VLAN-Interface selbst muss auf dem Bridge Interface erstellt werden und nicht auf ether1!add interface="ether1 [TRUNK ax3]" name=vlan111 vlan-id=111
/interface vlan add interface=br_vlan name=vlan111 vlan-id=111
Genau, das war ein Fehler. Ich habe jetzt bei jedem MT bei der Bridge die Priorität verändert. Dadurch kann ich jetzt alle MT´s in der Winbox sehen, allerdings ist das das alles noch nicht stabil, denn ab und zu sehe ich zwar die IP eine MT, kann mich aber nicht verbinden, dann geht es mal wieder. Ich denke das hat mit dem Spanning Tree Protokoll zu tun. Ich verwende zwar alle MT´s außer dem ax3 als Switch, aber die MT´s sind nicht alle in Reihe, sondern cap und ax2 am ax3, hEX POE und hEX am ax2.
Tja hier weiß ja keiner wie du sonst noch was wie verknotet und verloopt hast, und an der Prio spielen ist absoluter Blödsinn wenn alle Devices im MGMT Layer-2 Netz eine IP haben, geht man direkt per IP auf die Devices, hängt sich ins MGMT Netz (Neighbor Discovery Settings müssen auf das richtige Interface gesetzt sein) oder man regelt alles über RoMon.
Wie im ersten Post geschrieben Infos unvollständig, keine Struktur/Bild des Aufbaus etc. , die wird sich hier keiner aus den Fingern saugen wollen...
Wie im ersten Post geschrieben Infos unvollständig, keine Struktur/Bild des Aufbaus etc. , die wird sich hier keiner aus den Fingern saugen wollen...
Jetzt habe ich eine Zeichnung des Netzwerks erstellt.
- ax3 steht im EG
- cAP ax im OG, wird über POE vom ax3 versorgt, deshalb WAN auf ether5 beim ax3
- ax2, hEX POE und hEX im UG
In einem weiteren Schritt möchte ich für die WLAN´s fast roaming verwenden. Dazu muss ich dann aber alles mit dem neuen capsman machen, richtig?
Angenommen, ich verwerfe die ganze Sache mit den VLAN´s, und nehme einfach die Default Config bei allen MT´s, nehme noch ein paar Veränderungen vor wie WAN an ether5 beim ax3 und POE für cAP ax, wäre das einfach möglich? Das Problem das ich sehe ist zum einen, dass ich das Netzwerk relativ schnell zum Laufen bekommen muss, und gerade was die Firewall-Dinge angeht, noch vieles nicht weiß, zum anderen, was kann meine Familie machen, wenn ich einmal nicht da bin, und es Probleme mit dem Netzwerk gibt? Deshalb sollte es so einfach wie möglich sein. Wenn es aber einmal mit den VLAN´s funktioniert, soll nichts mehr groß verändert werden, aber auch mit neuen Updates kann es mal Probleme geben, usw.
- ax3 steht im EG
- cAP ax im OG, wird über POE vom ax3 versorgt, deshalb WAN auf ether5 beim ax3
- ax2, hEX POE und hEX im UG
In einem weiteren Schritt möchte ich für die WLAN´s fast roaming verwenden. Dazu muss ich dann aber alles mit dem neuen capsman machen, richtig?
Angenommen, ich verwerfe die ganze Sache mit den VLAN´s, und nehme einfach die Default Config bei allen MT´s, nehme noch ein paar Veränderungen vor wie WAN an ether5 beim ax3 und POE für cAP ax, wäre das einfach möglich? Das Problem das ich sehe ist zum einen, dass ich das Netzwerk relativ schnell zum Laufen bekommen muss, und gerade was die Firewall-Dinge angeht, noch vieles nicht weiß, zum anderen, was kann meine Familie machen, wenn ich einmal nicht da bin, und es Probleme mit dem Netzwerk gibt? Deshalb sollte es so einfach wie möglich sein. Wenn es aber einmal mit den VLAN´s funktioniert, soll nichts mehr groß verändert werden, aber auch mit neuen Updates kann es mal Probleme geben, usw.
Hier die configs, die DCHP Lease scripts habe ich jetzt wieder pro DHCP Eintrag und hier ausgeschnitten, da das andere nicht funktioniert hat, und ich das dann versuchen möchte, wenn alles andere funktioniert:
--> die sind zu lang, ich muss erste einen Link erstellen
--> die sind zu lang, ich muss erste einen Link erstellen
bzw. hier die configs nacheinander:
hEX:
hEX POE:
cAP ax:
hEX:
# 2024-08-15 09:56:36 by RouterOS 7.15.2
# software id = FL60-4C0P
#
# model = RB750Gr3
# serial number = D5030F4D57A1
/interface bridge
add igmp-snooping=yes name=br_vlan pvid=111 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 [TRUNK]"
set [ find default-name=ether2 ] name="ether2 [HOMETEC]"
set [ find default-name=ether3 ] name="ether3 [HOMETEC]"
set [ find default-name=ether4 ] name="ether4 [HOMETEC]"
set [ find default-name=ether5 ] name="ether5 [MANAGEMENT]"
/interface vlan
add interface=br_vlan name="vlan111 [MANAGEMENT]" vlan-id=111
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=br_vlan interface="ether1 [TRUNK]" internal-path-cost=10 \
path-cost=10 pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether2 [HOMETEC]" pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether3 [HOMETEC]" pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether4 [HOMETEC]" pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether5 [MANAGEMENT]" pvid=111
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK]" vlan-ids=200
/ip dhcp-client
add interface="vlan111 [MANAGEMENT]"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="MikroTik hEX"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.10.111.6
/tool romon
set enabled=yeshEX POE:
# 2024-08-15 09:55:10 by RouterOS 7.15.3
# software id = FF07-5KCU
#
# model = RB960PGS
# serial number = HGD09XWHZC6
/interface bridge
add igmp-snooping=yes name=br_vlan port-cost-mode=short priority=0x4000 pvid=\
111 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 [TRUNK ax2]"
set [ find default-name=ether2 ] name="ether2 [Controme Miniserver POE]" \
poe-priority=11
set [ find default-name=ether3 ] name="ether3 [dLAN Controme FBHG]" poe-out=\
off poe-priority=14
set [ find default-name=ether4 ] name="ether4 [iMac]" poe-out=off \
poe-priority=13
set [ find default-name=ether5 ] name="ether5 [TRUNK hEX]" poe-out=off
/interface vlan
add interface=br_vlan name="vlan111 [MANAGEMENT]" vlan-id=111
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=br_vlan interface="ether1 [TRUNK ax2]" internal-path-cost=10 \
path-cost=10 pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface="ether3 [dLAN Controme FBHG]" \
internal-path-cost=10 path-cost=10 pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=no interface="ether4 [iMac]" internal-path-cost=10 \
path-cost=10 pvid=111
add bridge=br_vlan ingress-filtering=no interface="ether5 [TRUNK hEX]" \
internal-path-cost=10 path-cost=10 pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether2 [Controme Miniserver POE]" pvid=200
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK ax2],ether5 [TRUNK hEX]" \
vlan-ids=200
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK ax2],ether5 [TRUNK hEX]" \
vlan-ids=40
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK ax2],ether5 [TRUNK hEX]" \
vlan-ids=60
add bridge=br_vlan tagged="br_vlan,ether1 [TRUNK ax2],ether5 [TRUNK hEX]" \
vlan-ids=100
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add interface="vlan111 [MANAGEMENT]"
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="MikroTik hEX POE"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.10.111.2
/tool romon
set enabled=yescAP ax:
# 2024-08-15 09:53:07 by RouterOS 7.15.3
# software id = 20ZI-4D5V
#
# model = cAPGi-5HaxD2HaxD
# serial number = HGG09PJVQH1
/interface bridge
add name=br_vlan port-cost-mode=short pvid=111 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 [TRUNK ax3]"
set [ find default-name=ether2 ] name="ether2 [MANAGEMENT] "
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40/80mhz \
configuration.hide-ssid=yes .mode=ap .ssid=CAP_AX3_5 datapath.bridge=\
br_vlan .vlan-id=2 disabled=no name="wifi1 [MASTER 5]"
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20mhz \
configuration.hide-ssid=yes .mode=ap .ssid=CAP_AX3_2 datapath.bridge=\
br_vlan .vlan-id=2 disabled=no name="wifi2 [MASTER 2]"
add configuration.mode=ap .ssid=Neuwlanstein_Home_5 datapath.bridge=br_vlan \
.vlan-id=100 disabled=no mac-address=D6:01:C3:B8:F8:A8 master-interface=\
"wifi1 [MASTER 5]" name="wifi3 [HOME 5]"
add configuration.mode=ap .ssid=Neuwlanstein_Home_2 datapath.bridge=br_vlan \
.vlan-id=100 disabled=no mac-address=D6:01:C3:B8:F8:AA master-interface=\
"wifi1 [MASTER 5]" name="wifi4 [HOME 2]"
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_5 datapath.bridge=\
br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:B8:F8:AB \
master-interface="wifi2 [MASTER 2]" name="wifi5 [HOMETEC 5]"
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_2 datapath.bridge=\
br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:B8:F8:A9 \
master-interface="wifi2 [MASTER 2]" name="wifi6 [HOMETEC 2]" \
security.group-key-update=2h
/interface vlan
add interface=br_vlan name="vlan111 [TRUNK]" vlan-id=111
/interface bridge port
add bridge=br_vlan interface="ether1 [TRUNK ax3]" internal-path-cost=10 \
path-cost=10 pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether2 [MANAGEMENT] " internal-path-cost=10 path-cost=10 pvid=\
111
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi3 [HOME 5]" pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi4 [HOME 2]" pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi5 [HOMETEC 5]" pvid=200
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi6 [HOMETEC 2]" pvid=200
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi1 [MASTER 5]" pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi2 [MASTER 2]" pvid=2
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged=\
"br_vlan,ether1 [TRUNK ax3],wifi3 [HOME 5],wifi4 [HOME 2]" vlan-ids=100
add bridge=br_vlan tagged=\
"br_vlan,ether1 [TRUNK ax3],wifi5 [HOMETEC 5],wifi6 [HOMETEC 2]" \
vlan-ids=200
/ip dhcp-client
add interface="vlan111 [TRUNK]"
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="MikroTik cAP ax"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.10.111.1
/tool romon
set enabled=yes
ax2:
# 2024-07-29 06:54:04 by RouterOS 7.15.2
# software id = 5MCE-DL16
#
# model = C52iG-5HaxD2HaxD
# serial number = HGC09WRMRVQ
/interface bridge
add name=br_vlan port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="ether1[TRUNK ax3]"
set [ find default-name=ether2 ] name="ether2 [PROXMOX]"
set [ find default-name=ether3 ] name="ether3 [PROXMOX]"
set [ find default-name=ether4 ] name="ether4 [PROXMOX]"
set [ find default-name=ether5 ] name="ether5 [TRUNK hEX POE]"
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=\
5805,5865,5300 .skip-dfs-channels=10min-cac .width=20/40/80mhz \
configuration.country=Germany .hide-ssid=yes .mode=ap .ssid=AX2_5 \
datapath.bridge=br_vlan .vlan-id=2 disabled=no name=\
"wifi1 [5 GHz MASTER]" security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2432,2442 \
.width=20/40mhz configuration.country=Germany .hide-ssid=yes .mode=ap \
.ssid=AX2_2.4 datapath.bridge=br_vlan .vlan-id=2 disabled=no name=\
"wifi2 [2.4 GHz MASTER]" security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_5 datapath.bridge=\
br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:7C:B7:B7 \
master-interface="wifi1 [5 GHz MASTER]" name="wifi3 [HOMETEC 5] "
add configuration.mode=ap .ssid=Neuwlanstein_Home_5 datapath.bridge=br_vlan \
.vlan-id=100 disabled=no mac-address=D6:01:C3:7C:B7:B8 master-interface=\
"wifi1 [5 GHz MASTER]" name="wifi4 [HOME 5]"
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_2 datapath.bridge=\
br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:7C:B7:B7 \
master-interface="wifi2 [2.4 GHz MASTER]" name="wifi5 [HOMETEC 2]"
/interface vlan
add interface=br_vlan name="vlan111 [MANAGEMENT]" vlan-id=111
/interface list
add comment="L2TP interfaces" name=L2TP
add comment="defconf: contains all VLAN interfaces" name=LAN
add comment="contains WAN interface" name=WAN
/interface bridge port
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi1 [5 GHz MASTER]" internal-path-cost=10 path-cost=10 pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi2 [2.4 GHz MASTER]" internal-path-cost=10 path-cost=10 pvid=2
add bridge=br_vlan fast-leave=yes frame-types=\
admit-only-untagged-and-priority-tagged interface="ether2 [PROXMOX]" \
internal-path-cost=10 path-cost=10 pvid=200
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi3 [HOMETEC 5] " pvid=200
add bridge=br_vlan interface="ether1[TRUNK ax3]" pvid=111
add bridge=br_vlan interface="ether5 [TRUNK hEX POE]" pvid=111
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether3 [PROXMOX]" pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether4 [PROXMOX]" pvid=111
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi4 [HOME 5]" pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi5 [HOMETEC 2]" pvid=200
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK ax3],ether5 [TRUNK hEX POE],wi\
fi3 [HOMETEC 5] ,wifi5 [HOMETEC 2]" vlan-ids=200
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK ax3],ether5 [TRUNK hEX POE],wi\
fi1 [5 GHz MASTER],wifi2 [2.4 GHz MASTER]" vlan-ids=2
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK ax3],ether5 [TRUNK hEX POE],wi\
fi3 [HOMETEC 5] ,wifi4 [HOME 5]" vlan-ids=100
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK ax3],ether5 [TRUNK hEX POE]" \
vlan-ids=40
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK ax3],ether5 [TRUNK hEX POE]" \
vlan-ids=60
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK ax3],ether5 [TRUNK hEX POE]" \
vlan-ids=20
/interface detect-internet
set detect-interface-list=WAN
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface="vlan111 [MANAGEMENT]"
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
"defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
"defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=icmp6 comment=\
"defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
icmpv6
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="Mikrotik ax2"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set manycast=yes multicast=yes
/system ntp client servers
add address=10.10.111.1
/system routerboard settings
set auto-upgrade=yes
/tool romon
set enabled=yes
ax3 Teil1:
# 2024-08-15 09:47:07 by RouterOS 7.15.2
# software id = IER4-IVFN
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HG809JAMHZ2
/interface bridge
add igmp-snooping=yes name=br_vlan port-cost-mode=short priority=0x4000 pvid=\
111 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" mac-address=\
D4:01:C3:7C:B7:B2 name="ether1[TRUNK AP]"
set [ find default-name=ether2 ] mac-address=D4:01:C3:7C:B7:B3 name=\
"ether2 [PHONE]"
set [ find default-name=ether3 ] mac-address=D4:01:C3:7C:B7:B4 name=\
"ether3 [MANAGEMENT]"
set [ find default-name=ether4 ] mac-address=D4:01:C3:7C:B7:B5 name=\
"ether4 [TRUNK AX2]"
set [ find default-name=ether5 ] mac-address=D4:01:C3:7C:B7:B6 name=\
"ether5 [WAN]"
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5700 \
.skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=\
Germany .hide-ssid=yes .mode=ap .ssid=AX3_5 datapath.bridge=br_vlan \
.vlan-id=2 disabled=no mac-address=D4:01:C3:7C:B7:B7 name=\
"wifi1 [5 GHz MASTER]" security.authentication-types=wpa2-psk,wpa3-psk \
.group-key-update=2h
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20mhz \
configuration.country=Germany .hide-ssid=yes .mode=ap .ssid=AX3_2.4 \
datapath.bridge=br_vlan .vlan-id=2 disabled=no mac-address=\
D4:01:C3:7C:B7:B8 name="wifi2 [2.4 GHz MASTER]" \
security.authentication-types=wpa2-psk,wpa3-psk .group-key-update=2h
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_5 datapath.bridge=\
br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:7C:B7:B7 \
master-interface="wifi1 [5 GHz MASTER]" name="wifi3 [HOMETEC 5] " \
security.group-key-update=2h
add configuration.mode=ap .ssid=Neuwlanstein_Home_5 datapath.bridge=br_vlan \
.vlan-id=100 disabled=no mac-address=D6:01:C3:7C:B7:B8 master-interface=\
"wifi1 [5 GHz MASTER]" name="wifi4 [HOME 5]" security.group-key-update=\
20m
add configuration.mode=ap .ssid=Neuwlanstein_Home_2 datapath.bridge=br_vlan \
.vlan-id=100 disabled=no mac-address=D6:01:C3:7C:B7:B8 master-interface=\
"wifi2 [2.4 GHz MASTER]" name="wifi5 [HOME 2.4]" \
security.group-key-update=2h
add configuration.mode=ap .ssid=Neuwlanstein_Hometec_2 datapath.bridge=\
br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:7C:B7:B7 \
master-interface="wifi2 [2.4 GHz MASTER]" name="wifi6 [HOMETEC 2]" \
security.group-key-update=2h
/interface vlan
add interface=br_vlan name="vlan1 [DEFAULT]" vlan-id=1
add interface=br_vlan name="vlan2 [WLAN]" vlan-id=2
add interface="ether5 [WAN]" name="vlan7 [TELEKOM]" vlan-id=7
add interface=br_vlan name="vlan40 [PROXMOX]" vlan-id=40
add interface=br_vlan name="vlan50 [PHONE]" vlan-id=50
add interface=br_vlan name="vlan60 [MOBILE OFFICE]" vlan-id=60
add interface=br_vlan name="vlan100 [HOME]" vlan-id=100
add arp=proxy-arp interface=br_vlan name="vlan111 [MANAGEMENT]" vlan-id=111
add interface=br_vlan name="vlan200 [HOMETEC]" vlan-id=200
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=\
"vlan7 [TELEKOM]" name=pppoe-out1 use-peer-dns=yes user=\
0011859567335502844989420001@t-online.de
/interface list
add comment="L2TP interfaces" name=L2TP
add comment="defconf: contains all VLAN interfaces" name=LAN
add comment="contains WAN interface" name=WAN
/ip pool
add name=dhcp_pool_200 ranges=10.10.200.100-10.10.200.200
add name=dhcp_pool_20 ranges=10.10.20.100-10.10.20.200
add name=dhcp_pool_40 ranges=10.10.40.100-10.10.40.200
add name=dhcp_pool_50 ranges=10.10.50.100-10.10.50.200
add name=dhcp_pool_60 ranges=10.10.60.100-10.10.60.200
add name=dhcp_pool_100 ranges=10.10.100.100-10.10.100.200
add name=dhcp_pool_1 ranges=10.10.1.100-10.10.1.200
add name=dhcp_pool_111 ranges=10.10.111.1-10.10.111.50
/ip dhcp-server
add address-pool=dhcp_pool_200 interface="vlan200 [HOMETEC]"
\n" lease-time=10m name=dhcp_200
add address-pool=dhcp_pool_40 interface="vlan40 [PROXMOX]"
\n" lease-time=10m name=dhcp_40
add address-pool=dhcp_pool_50 interface="vlan50 [PHONE]"
\n" lease-time=10m name=dhcp_50
add address-pool=dhcp_pool_60 interface="vlan60 [MOBILE OFFICE]" \
\n" lease-time=10m name=dhcp_60
add address-pool=dhcp_pool_100 interface="vlan100 [HOME]"
\n" lease-time=10m name=dhcp_100
add address-pool=dhcp_pool_1 interface="vlan1 [DEFAULT]"
\n" lease-time=10m name=dhcp_1
add address-pool=dhcp_pool_111 interface="vlan111 [MANAGEMENT]"
\n" lease-time=10m name=dhcp_111
/ppp profile
add change-tcp-mss=yes dns-server=10.10.111.1 name=vpn
set *FFFFFFFE dns-server=10.10.200.1
/routing bgp template
set default disabled=no output.network=bgp-networks
/interface bridge port
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether3 [MANAGEMENT]" pvid=111
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi1 [5 GHz MASTER]" point-to-point=no pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi2 [2.4 GHz MASTER]" point-to-point=no pvid=2
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi3 [HOMETEC 5] " point-to-point=no pvid=200
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
interface="ether2 [PHONE]" pvid=50
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi4 [HOME 5]" point-to-point=no pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi5 [HOME 2.4]" point-to-point=no pvid=100
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface=\
"wifi6 [HOMETEC 2]" point-to-point=no pvid=200
add bridge=br_vlan interface="ether1[TRUNK AP]" pvid=111
add bridge=br_vlan interface="ether4 [TRUNK AX2]" pvid=111
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK AP],ether4 [TRUNK AX2],wifi3 [\
HOMETEC 5] ,wifi6 [HOMETEC 2]" vlan-ids=200
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK AP],ether4 [TRUNK AX2],wifi1 [\
5 GHz MASTER],wifi2 [2.4 GHz MASTER]" vlan-ids=2
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK AP],wifi4 [HOME 5],wifi5 [HOME\
\_2.4],ether4 [TRUNK AX2]" vlan-ids=100
add bridge=br_vlan tagged="br_vlan,ether4 [TRUNK AX2],ether1[TRUNK AP]" \
vlan-ids=40
add bridge=br_vlan tagged="br_vlan,ether4 [TRUNK AX2],ether1[TRUNK AP]" \
vlan-ids=50
add bridge=br_vlan tagged="br_vlan,ether4 [TRUNK AX2],ether1[TRUNK AP]" \
vlan-ids=60
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface="vlan1 [DEFAULT]" list=LAN
add interface="vlan200 [HOMETEC]" list=LAN
add interface=pppoe-out1 list=WAN
add interface="vlan2 [WLAN]" list=LAN
add interface="vlan40 [PROXMOX]" list=LAN
add interface="vlan100 [HOME]" list=LAN
add interface="vlan50 [PHONE]" list=LAN
add interface="vlan60 [MOBILE OFFICE]" list=LAN
add interface="vlan111 [MANAGEMENT]" list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap2
/ip address
add address=10.10.200.1/24 interface="vlan200 [HOMETEC]" network=10.10.200.0
add address=10.10.40.1/24 interface="vlan40 [PROXMOX]" network=10.10.40.0
add address=10.10.50.1/24 interface="vlan50 [PHONE]" network=10.10.50.0
add address=10.10.60.1/24 interface="vlan60 [MOBILE OFFICE]" network=\
10.10.60.0
add address=10.10.100.1/24 interface="vlan100 [HOME]" network=10.10.100.0
add address=10.10.1.1/24 interface="vlan1 [DEFAULT]" network=10.10.1.0
add address=10.10.111.1/24 interface="vlan111 [MANAGEMENT]" network=\
10.10.111.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
add address=10.10.111.2 client-id=1:d4:1:c3:7c:b7:b2 mac-address=\
D4:01:C3:7C:B7:B2 server=dhcp_111
add address=10.10.50.200 mac-address=58:9E:C6:36:4B:BB server=dhcp_50
add address=10.10.200.20 client-id=1:0:50:f4:36:f1:a7 comment=\
"Lambda W\E4rmepumpe" mac-address=00:50:F4:36:F1:A7 server=dhcp_200
add address=10.10.111.4 client-id=1:2e:c8:1b:18:8c:4a mac-address=\
2E:C8:1B:18:8C:4A server=dhcp_111
add address=10.10.111.10 client-id=1:dc:2c:6e:74:d3:9b mac-address=\
DC:2C:6E:74:D3:9B server=dhcp_111
add address=10.10.40.117 client-id=1:2:58:8a:7c:5a:3f comment=\
"Home Assistant" mac-address=02:58:8A:7C:5A:3F server=dhcp_40
add address=10.10.111.5 client-id=1:d4:1:c3:b8:f8:a6 mac-address=\
D4:01:C3:B8:F8:A6 server=dhcp_111
add address=10.10.200.193 client-id=1:dc:a6:32:f6:4a:47 mac-address=\
DC:A6:32:F6:4A:47 server=dhcp_200
add address=10.10.111.6 client-id=1:d4:1:c3:8a:64:75 mac-address=\
D4:01:C3:8A:64:75 server=dhcp_111
add address=10.10.200.130 client-id=1:dc:a6:32:2c:97:f mac-address=\
DC:A6:32:2C:97:0F server=dhcp_200
add address=10.10.100.116 client-id=1:6c:3c:7c:78:35:92 comment=\
"Canon Drucker" mac-address=6C:3C:7C:78:35:92 server=dhcp_100
add address=10.10.200.132 client-id=1:e8:6b:ea:31:58:2c mac-address=\
E8:6B:EA:31:58:2C server=dhcp_200
add address=10.10.200.105 client-id=1:90:b2:e7:3:8:1 mac-address=\
90:B2:E7:03:08:01 server=dhcp_200
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=10.10.1.1 domain=fasan.home.arpa gateway=\
10.10.1.1
add address=10.10.20.0/24 dns-server=10.10.20.1 domain=fasan.home.arpa \
gateway=10.10.20.1
add address=10.10.40.0/24 dns-server=10.10.40.1 domain=fasan.home.arpa \
gateway=10.10.40.1
add address=10.10.50.0/24 dns-server=10.10.50.1 domain=fasan.home.arpa \
gateway=10.10.50.1
add address=10.10.60.0/24 dns-server=10.10.60.1 domain=fasan.home.arpa \
gateway=10.10.60.1
add address=10.10.100.0/24 dns-server=10.10.100.1 domain=fasan.home.arpa \
gateway=10.10.100.1
add address=10.10.111.0/24 dns-server=10.10.111.1 domain=fasan.home.arpa \
gateway=10.10.111.1
add address=10.10.200.0/24 dns-server=10.10.200.1 domain=fasan.home.arpa \
gateway=10.10.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.50.200 comment=dhcp_50-58:9E:C6:36:4B:BB name=\
s850a-go.fasan.home.arpa ttl=15m
add address=10.10.100.101 comment=dhcp_100-3C:6A:9D:17:6E:A8 name=\
-y------.fasan.home.arpa ttl=15m
add address=10.10.200.102 comment=dhcp_200-D4:F9:8D:02:32:34 name=\
espressif.fasan.home.arpa ttl=15m
add address=10.10.200.109 comment=dhcp_200-D4:F9:8D:02:08:74 name=\
espressif.fasan.home.arpa ttl=15m
add address=10.10.200.103 comment=dhcp_200-D4:F9:8D:01:32:F0 name=\
espressif.fasan.home.arpa ttl=15m
add address=10.10.200.108 comment=dhcp_200-68:B6:B3:A2:1F:40 name=\
ecoflow.fasan.home.arpa ttl=15m
add address=10.10.111.6 comment=dhcp_111-D4:01:C3:8A:64:75 name=\
mikrotik-hex-poe.fasan.home.arpa ttl=15m
add address=10.10.111.10 comment=dhcp_111-DC:2C:6E:74:D3:9B name=\
mikrotik-hex.fasan.home.arpa ttl=15m
add address=10.10.200.193 comment=dhcp_200-DC:A6:32:F6:4A:47 name=\
contromeminiserver.fasan.home.arpa ttl=15m
add address=10.10.100.100 comment=dhcp_100-EC:DA:3B:A8:7B:D8 name=\
espressif.fasan.home.arpa ttl=15m
add address=10.10.200.20 comment=dhcp_200-00:50:F4:36:F1:A7 name=\
10-10-200-20.fasan.home.arpa ttl=15m
add address=10.10.200.104 comment=dhcp_200-24:4C:AB:01:5D:5C name=\
tibber-host.fasan.home.arpa ttl=15m
add address=10.10.100.107 comment=dhcp_100-F0:B3:EC:1E:A7:9A name=\
appletvafzimmer.fasan.home.arpa ttl=15m
add address=10.10.100.102 comment=dhcp_100-94:EA:32:7A:16:6C name=\
schlafzimmer.fasan.home.arpa ttl=15m
add address=10.10.100.118 comment=dhcp_100-C6:70:39:A2:8C:25 name=\
10-10-100-118.fasan.home.arpa ttl=15m
add address=10.10.200.107 comment=dhcp_200-68:67:25:B3:0C:B8 name=\
hw51-1637.fasan.home.arpa ttl=15m
add address=10.10.200.112 comment=dhcp_200-B4:8A:0A:C0:98:BB name=\
esp-c098bb.fasan.home.arpa ttl=15m
add address=10.10.111.3 comment=dhcp_111-38:C9:86:1A:EA:84 name=\
imac.fasan.home.arpa ttl=15m
add address=10.10.200.111 comment=dhcp_200-2C:F7:F1:1C:3E:5A name=\
10-10-200-111.fasan.home.arpa ttl=15m
add address=10.10.111.5 comment=dhcp_111-D4:01:C3:B8:F8:A6 name=\
mikrotik-cap-ax.fasan.home.arpa ttl=15m
add address=10.10.100.112 comment=dhcp_100-66:53:EE:71:9D:CA name=\
10-10-100-112.fasan.home.arpa ttl=15m
add address=10.10.200.105 comment=dhcp_200-90:B2:E7:03:08:01 name=\
wiznet030801.fasan.home.arpa ttl=15m
add address=10.10.200.132 comment=dhcp_200-E8:6B:EA:31:58:2C name=\
esp32-bluetooth-proxy-31582c.fasan.home.arpa ttl=15m
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=10.10.111.222 comment="L2TP Hometec" list="L2TP Mikrotik"
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in IPSec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out IPSec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=accept chain=input comment=L2TP/IPSec disabled=yes dst-port=\
500,1701,4500 protocol=udp
add action=accept chain=input comment=L2TP/IPSec disabled=yes protocol=\
ipsec-esp
add action=accept chain=input comment="accept DNS via VPN " disabled=yes \
dst-address=10.10.111.1 dst-port=53 protocol=tcp src-address-list=\
"L2TP Mikrotik"
add action=accept chain=input comment="accept DNS via VPN " disabled=yes \
dst-address=10.10.111.1 dst-port=53 protocol=udp src-address-list=\
"L2TP Mikrotik"
add action=accept chain=input comment="defconf: accept out IPSec policy" \
disabled=yes dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="defconf: accept out IPSec policy" \
disabled=yes dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
disabled=yes protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
disabled=yes src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
disabled=yes dst-address-list=no_forward_ipv4
add action=drop chain=forward disabled=yes out-interface=\
"vlan111 [MANAGEMENT]"
add action=drop chain=input comment=\
"drop all not coming from MANAGEMENT VLAN" disabled=yes in-interface=\
"!vlan111 [MANAGEMENT]"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
add action=accept chain=srcnat comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=dst-nat chain=dstnat comment="Telefon S850A Go" dst-port=\
49004-49012 protocol=udp to-addresses=10.10.50.200 to-ports=49004-49012
add action=dst-nat chain=dstnat comment="Port 80 Forwarding Miniserver" \
dst-port=51820 in-interface-list=WAN protocol=tcp to-addresses=\
10.10.200.193 to-ports=80
add action=dst-nat chain=dstnat comment="Port 22 Forwarding Miniserver" \
disabled=yes dst-port=51830 in-interface-list=WAN protocol=tcp \
to-addresses=10.10.200.193 to-ports=22
add action=dst-nat chain=dstnat comment="Port 80 Forwarding Floor Gateway" \
dst-port=51720 in-interface-list=WAN protocol=tcp to-addresses=\
10.10.200.105 to-ports=80
add action=dst-nat chain=dstnat comment="Port 22 Forwarding Floor Gateway" \
disabled=yes dst-port=51730 in-interface-list=WAN protocol=tcp \
to-addresses=10.10.200.105 to-ports=22
/ip firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
disabled=yes dst-address=255.255.255.255 dst-port=67 in-interface-list=\
LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
yes src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
yes dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
yes src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" disabled=\
yes dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
disabled=yes in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" disabled=yes dst-address=\
192.168.88.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" disabled=yes \
in-interface-list=LAN src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" disabled=yes \
port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
disabled=yes jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
disabled=yes jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" disabled=yes \
in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" disabled=yes \
in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" disabled=\
yes
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" disabled=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" disabled=yes \
port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" disabled=yes \
icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" disabled=yes \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" disabled=\
yes icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
disabled=yes icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" disabled=\
yes icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
disabled=yes icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" disabled=yes \
icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " disabled=yes \
icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" disabled=yes \
protocol=icmp
/ip firewall service-port
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=no
ax3 Teil2:
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# no interface
add action=drop chain=input comment=\
"drop all not coming from MANAGEMENT VLAN" in-interface=!*C
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
"defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
"defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
"defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=icmp6 comment=\
"defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=accept chain=icmp6 comment=\
"defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
icmpv6
/ppp secret
add local-address=10.10.111.1 name=Mikrotik profile=vpn remote-address=\
10.10.111.222 service=l2tp
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="Mikrotik ax3"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=ntp0.fau.de
add address=ntp1.fau.de
add address=ntp2.fau.de
add address=ntp3.fau.de
add address=npt0.ewetel.de
add address=ntp1.ewetel.de
/tool romon
set enabled=yes
Wenn ich das so verkable, erhält der ax2 keine IP und damit auch kein Internet. Nur wenn ich ihn ganz herausnehme und den Trunk vom ax3 in den hEX POE ether1 stecke, erhalte ich Internet am Rechner, der am hEX POE ether 4 verbunden ist.
In EG und OG funktionieren alle WLAN´s einwandfrei
In EG und OG funktionieren alle WLAN´s einwandfrei
Naja wenn man auf einem VLAN-Durchlauferhitzer wie dem AX2 eine Firewall aktiviert die da völlig deplatziert ist und die auch für das Einsatz-Szenario nicht richtig konfiguriert ist , klar das da nix geht .... Hatte ich aber oben schon x mal erwähnt, aber du bist ziemlich beratungsresistent was das betrifft 
. Die Firewall gehört ausschließlich an den Perimeter am AX3 welcher die zentrale Routing-Instanz in deinem Netzwerk ist !
Außerdem ist das VLAN-Filtering auf dem AX2 in der Bridge deaktiviert, ohne VLAN-Filtering haben die PVIDs keine Wirkung.
Wenn du was haben willst was du nie wieder anfassen willst, tja dann bist du bei Mikrotik mit deinem Wissensstand absolut falsch. Mikrotik kauft man als Netzwerkspezi dem das Konfigurieren Spaß macht und der sich mit der Materie auch wirklich beschäftigen und lernen will, mit Copy n Paste und "auf gut Glück" wirst du dort immer Schiffbruch erleiden.
. Die Firewall gehört ausschließlich an den Perimeter am AX3 welcher die zentrale Routing-Instanz in deinem Netzwerk ist !Außerdem ist das VLAN-Filtering auf dem AX2 in der Bridge deaktiviert, ohne VLAN-Filtering haben die PVIDs keine Wirkung.
noch vieles nicht weiß, zum anderen, was kann meine Familie machen, wenn ich einmal nicht da bin, und es Probleme mit dem Netzwerk gibt? Deshalb sollte es so einfach wie möglich sein.
Dann kauf dir ne Fritte und ein paar Repeater verkabel die mit der Fritte und gut.Wenn es aber einmal mit den VLAN´s funktioniert, soll nichts mehr groß verändert werden, aber auch mit neuen Updates kann es mal Probleme geben, usw.
Wenn du dir einen ganzen Zoo an Mikrotiks holst und absoluter Anfänger bist solltest du langsam kapiert haben das man das dauerhaft nur nur mit tiefgehendem Netzwerk-Wissen stemmen kann, vor allem sollte man immer wissen was man tut auch bei Upgrades von Mikrotiks muss man immer einen Notfall Plan parat haben, denn die gehen schnell mal schief.Wenn du was haben willst was du nie wieder anfassen willst, tja dann bist du bei Mikrotik mit deinem Wissensstand absolut falsch. Mikrotik kauft man als Netzwerkspezi dem das Konfigurieren Spaß macht und der sich mit der Materie auch wirklich beschäftigen und lernen will, mit Copy n Paste und "auf gut Glück" wirst du dort immer Schiffbruch erleiden.
ok, beim ax2 sind noch ipv6 firewall rules drin, aber ipv6 habe ich disabled. Bei ipv4 sehe ich keine.
Ich hatte mit Mikrotik aufgrund der Empfehlung in diesem Forum angefangen, und denke, dass ich inzwischen manches gelernt habe, aber natürlich vieles auch noch nicht.
Ich sage ja nicht, dass ich nicht dazulernen möchte, und es macht mir auch Spaß, aber ich muss auch ein lauffähiges System haben, zumal bei uns manches dranhängt wie Wärmepumpe, Solar, usw.
Jedenfalls habe ich beim ax2 mal den bridge Protokoll-Mode auf "off" geschaltet, und dann wieder auf "RSTP", und jetzt funktioniert alles.
Ich hatte mit Mikrotik aufgrund der Empfehlung in diesem Forum angefangen, und denke, dass ich inzwischen manches gelernt habe, aber natürlich vieles auch noch nicht.
Ich sage ja nicht, dass ich nicht dazulernen möchte, und es macht mir auch Spaß, aber ich muss auch ein lauffähiges System haben, zumal bei uns manches dranhängt wie Wärmepumpe, Solar, usw.
Jedenfalls habe ich beim ax2 mal den bridge Protokoll-Mode auf "off" geschaltet, und dann wieder auf "RSTP", und jetzt funktioniert alles.
Außerdem ist das VLAN-Filtering auf dem AX2 in der Bridge deaktiviert, ohne VLAN-Filtering haben die PVIDs der Ports keine Wirkung, sobald Access-Ports in einer Bridge ins Spiel kommen ist VLAN-Filtering Pflicht sonst werden alle Ports mit sämtlichem Traffic geflutet.
.
Jedenfalls habe ich beim ax2 mal den bridge Protokoll-Mode auf "off" geschaltet, und dann wieder auf "RSTP", und jetzt funktioniert alles.
Zufall .
sorry, das hatte ich vor vorhin temporär deaktiviert gehabt, ist jetzt aber wieder aktiv
Das macht hier echt keinen Spaß ... Wenn man sich hier auf nix verlassen kann. Wir opfern hier unsere Zeit lesen die Configs hier durch und dann sowas 🤮.
Good luck, ich bin raus 🖖
Good luck, ich bin raus 🖖
sorry, trotzdem vielen Dank!
