arcorpi
Goto Top

Mikrotik zwei Router verbinden: offer und conflict

Hallo @aqui, Hallo @13910172396, leider habe ich noch weitere Probleme mit dem Verbinden zweier Mikrotik-Router, siehe Mikrotik Router Kaskade:

Im Lease des ax3 steht der ax2 als "offered", manchmal sehe ich auch einen "conflict".

[SEadmin@Mikrotik ax2] > export hide-sensitive 
# 2024-07-20 07:30:36 by RouterOS 7.15.2
# software id = 5MCE-DL16
#
# model = C52iG-5HaxD2HaxD
# serial number = HGC09WRMRVQ
/interface bridge
add frame-types=admit-only-vlan-tagged name=br_vlan port-cost-mode=short pvid=1111 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1[TRUNK]"  
set [ find default-name=ether2 ] name="ether2 [DLAN/FBG]"  
set [ find default-name=ether5 ] name="ether5 [TRUNK SWITCH]"  
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=Germany .hide-ssid=yes .mode=\
    ap .ssid=AX2_5 datapath.bridge=br_vlan .vlan-id=2 disabled=no name="wifi1 [5 GHz MASTER]" security.authentication-types=wpa2-psk,wpa3-psk  
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20/40mhz configuration.country=Germany .hide-ssid=yes .mode=ap .ssid=AX2_2.4 datapath.bridge=\
    br_vlan .vlan-id=2 disabled=no name="wifi2 [2.4 GHz MASTER]" security.authentication-types=wpa2-psk,wpa3-psk  
add configuration.mode=ap .ssid=Altwlanstein_Hometec_5 datapath.bridge=br_vlan .vlan-id=200 disabled=no mac-address=D6:01:C3:7C:B7:B7 master-interface=\
    "wifi1 [5 GHz MASTER]" name="wifi3 [HOMETEC 5G] "  
/interface vlan
add interface=br_vlan name="vlan111 [MANAGEMENT]" vlan-id=111  
/interface list
add comment="L2TP interfaces" name=L2TP  
add comment="defconf: contains all VLAN interfaces" name=LAN  
add comment="contains WAN interface" name=WAN  
/interface bridge port
add bridge=br_vlan frame-types=admit-only-vlan-tagged ingress-filtering=no interface="wifi1 [5 GHz MASTER]" internal-path-cost=10 path-cost=10 pvid=2  
add bridge=br_vlan frame-types=admit-only-vlan-tagged ingress-filtering=no interface="wifi2 [2.4 GHz MASTER]" internal-path-cost=10 path-cost=10 pvid=2  
add bridge=br_vlan fast-leave=yes frame-types=admit-only-untagged-and-priority-tagged interface="ether2 [DLAN/FBG]" internal-path-cost=10 path-cost=10 \  
    pvid=200
add bridge=br_vlan frame-types=admit-only-vlan-tagged ingress-filtering=no interface="wifi3 [HOMETEC 5G] " pvid=200  
add bridge=br_vlan interface="ether1[TRUNK]" pvid=111  
add bridge=br_vlan ingress-filtering=no interface="ether5 [TRUNK SWITCH]" pvid=111  
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK],ether5 [TRUNK SWITCH],wifi3 [HOMETEC 5G] " vlan-ids=200  
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether1[TRUNK],ether5 [TRUNK SWITCH],wifi1 [5 GHz MASTER],wifi2 [2.4 GHz MASTER]" vlan-ids=2  
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface="vlan111 [MANAGEMENT]" list=LAN  
add interface="ether1[TRUNK]" list=WAN  
add interface="ether5 [TRUNK SWITCH]" list=WAN  
/ip address
add address=10.10.111.2 interface="vlan111 [MANAGEMENT]" network=10.10.111.0  
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface="vlan111 [MANAGEMENT]"  
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.111.10 comment=dhcp2-92:ED:BB:0D:42:59 name=10-10-111-10.fasan.home.arpa ttl=15m
add address=10.10.111.6 comment=dhcp_111-12:D4:47:62:82:10 name=10-10-111-6.fasan.home.arpa ttl=15m
add address=10.10.111.3 comment=dhcp_111-90:B2:E7:03:08:01 name=wiznet030801.fasan.home.arpa ttl=15m
add address=10.10.100.37 comment=dhcp_100-22:6D:E5:2A:E5:ED name=10-10-100-37.fasan.home.arpa ttl=15m
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4  
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4  
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4  
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4  
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4  
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4  
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4  
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4  
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4  
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4  
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4  
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4  
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4  
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4  
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4  
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4  
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4  
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4  
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4  
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4  
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4  
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4  
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4  
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in IPSec policy" ipsec-policy=in,ipsec  
add action=accept chain=forward comment="defconf: accept out IPSec policy" ipsec-policy=out,ipsec  
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp  
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked  
add action=accept chain=forward in-interface="vlan111 [MANAGEMENT]" out-interface=all-vlan  
add action=accept chain=forward disabled=yes in-interface=all-vlan out-interface=all-vlan
add action=accept chain=forward disabled=yes in-interface=*19 out-interface=all-vlan
add action=drop chain=input comment="drop all not coming from MANAGEMENT VLAN" in-interface="!vlan111 [MANAGEMENT]"  
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN  
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec  
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes  
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked  
add action=accept chain=forward comment="accept all vlan to WAN udp" in-interface=all-vlan out-interface-list=WAN protocol=udp  
add action=accept chain=forward comment="accept all vlan to WAN tcp" in-interface=all-vlan out-interface-list=WAN protocol=tcp  
add action=accept chain=forward comment="accept all vlan to WAN icmp" in-interface=all-vlan out-interface-list=WAN protocol=icmp  
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid  
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN  
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4  
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4  
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN  
add action=dst-nat chain=dstnat comment="Telefon S850A Go" dst-port=49004-49012 protocol=udp to-addresses=10.10.100.101 to-ports=49004-49012  
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec  
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall"  
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp \  
    src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4  
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4  
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 in-interface-list=WAN  
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.88.0/24  
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp  
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp  
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp  
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN  
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN  
add action=drop chain=prerouting comment="defconf: drop the rest"  
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack  
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp  
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp  
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp  
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp  
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp  
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6  
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6  
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6  
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6  
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6  
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6  
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6  
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6  
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6  
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6  
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6  
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6  
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6  
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6  
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6  
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6  
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked  
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp  
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10  
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp  
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah  
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp  
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN  
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked  
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid  
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6  
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6  
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6  
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6  
add action=accept chain=forward comment="defconf: accept HIP" protocol=139  
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp  
add action=accept chain=forward comment="defconf: accept AH" protocol=ipsec-ah  
add action=accept chain=forward comment="defconf: accept ESP" protocol=ipsec-esp  
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec  
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN  
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes  
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=\  
    ::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6  
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6  
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6  
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6  
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6  
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16  
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8  
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN  
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN  
add action=drop chain=prerouting comment="defconf: drop the rest"  
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=\  
    LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=\  
    LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=\  
    LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 \  
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 \  
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 \  
    in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6  
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="Mikrotik ax2"  
/system note
set show-at-login=no
/system ntp server
set manycast=yes multicast=yes
/system ntp client servers
add address=10.10.111.1
/system routerboard settings
set auto-upgrade=yes
[SEadmin@Mikrotik ax2] > 

  
 ax3:
   \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\  
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\ 
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\  
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\  
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\  
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\ 
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\ 
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\  
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n} " lease-time=10m name=dhcp_30  
add address-pool=dhcp_pool_40 interface="vlan40 [PROXMOX]" lease-script="# DNS TTL to set for DNS entries\r\  
    \n:local dnsttl \"00:15:00\";\r\  
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound         1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName    Name of DHCP server\r\
    \n# leaseActIP         IP address of DHCP client\r\
    \n# leaseActMAC        MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\  
    \n:do {\r\
    \n  :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n  \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\  
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\ 
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n  :local outStr\r\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n  {\r\
    \n    :local tmp [:pick \$inStr \$i];\r\
    \n    :if (\$tmp =\".\") do=\\\r\  
    \n    {\r\
    \n      :set tmp \"-\"\r\  
    \n    }\r\
    \n    :set outStr (\$outStr . \$tmp)\r\
    \n  }\r\
    \n  :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\  
    \n  :local numChars [:len \$name];\r\
    \n  :if (\$numChars > 63) do={:set numChars 63};\r\
    \n  :local result \"\";\r\  
    \n\r\
    \n  :for i from=0 to=(\$numChars - 1) do={\r\
    \n    :local char [:pick \$name \$i];\r\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\  
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\  
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\  
    \n  :local result \"\";\r\  
    \n  :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n    :local char [:pick \$entry \$i];\r\
    \n    :local pos [:find \$upper \$char];\r\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\  
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\  
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n  :log error \"\$LogPrefix: empty lease address\"\r\  
    \n  :error \"empty lease address\"\r\  
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  # new DHCP lease added\r\
    \n  /ip dhcp-server\r\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network\r\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\ 
    \n\r\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\ 
    \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\  
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\ 
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\  
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\  
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\  
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\ 
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\ 
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\  
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n} " lease-time=10m name=dhcp_40  
add address-pool=dhcp_pool_50 interface="vlan50 [PHONE]" lease-script="# DNS TTL to set for DNS entries\r\  
    \n:local dnsttl \"00:15:00\";\r\  
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound         1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName    Name of DHCP server\r\
    \n# leaseActIP         IP address of DHCP client\r\
    \n# leaseActMAC        MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\  
    \n:do {\r\
    \n  :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n  \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\  
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\ 
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n  :local outStr\r\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n  {\r\
    \n    :local tmp [:pick \$inStr \$i];\r\
    \n    :if (\$tmp =\".\") do=\\\r\  
    \n    {\r\
    \n      :set tmp \"-\"\r\  
    \n    }\r\
    \n    :set outStr (\$outStr . \$tmp)\r\
    \n  }\r\
    \n  :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\  
    \n  :local numChars [:len \$name];\r\
    \n  :if (\$numChars > 63) do={:set numChars 63};\r\
    \n  :local result \"\";\r\  
    \n\r\
    \n  :for i from=0 to=(\$numChars - 1) do={\r\
    \n    :local char [:pick \$name \$i];\r\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\  
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\  
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\  
    \n  :local result \"\";\r\  
    \n  :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n    :local char [:pick \$entry \$i];\r\
    \n    :local pos [:find \$upper \$char];\r\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\  
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\  
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n  :log error \"\$LogPrefix: empty lease address\"\r\  
    \n  :error \"empty lease address\"\r\  
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  # new DHCP lease added\r\
    \n  /ip dhcp-server\r\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network\r\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\ 
    \n\r\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\ 
    \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\  
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\ 
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\  
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\  
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\  
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\ 
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\ 
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\  
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n} " lease-time=10m name=dhcp_50  
add address-pool=dhcp_pool_60 interface="vlan60 [MOBILE OFFICE]" lease-script="# DNS TTL to set for DNS entries\r\  
    \n:local dnsttl \"00:15:00\";\r\  
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound         1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName    Name of DHCP server\r\
    \n# leaseActIP         IP address of DHCP client\r\
    \n# leaseActMAC        MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\  
    \n:do {\r\
    \n  :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n  \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\  
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\ 
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n  :local outStr\r\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n  {\r\
    \n    :local tmp [:pick \$inStr \$i];\r\
    \n    :if (\$tmp =\".\") do=\\\r\  
    \n    {\r\
    \n      :set tmp \"-\"\r\  
    \n    }\r\
    \n    :set outStr (\$outStr . \$tmp)\r\
    \n  }\r\
    \n  :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\  
    \n  :local numChars [:len \$name];\r\
    \n  :if (\$numChars > 63) do={:set numChars 63};\r\
    \n  :local result \"\";\r\  
    \n\r\
    \n  :for i from=0 to=(\$numChars - 1) do={\r\
    \n    :local char [:pick \$name \$i];\r\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\  
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\  
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\  
    \n  :local result \"\";\r\  
    \n  :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n    :local char [:pick \$entry \$i];\r\
    \n    :local pos [:find \$upper \$char];\r\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\  
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\  
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n  :log error \"\$LogPrefix: empty lease address\"\r\  
    \n  :error \"empty lease address\"\r\  
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  # new DHCP lease added\r\
    \n  /ip dhcp-server\r\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network\r\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\ 
    \n\r\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\ 
    \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\  
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\ 
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\  
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\  
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\  
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\ 
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\ 
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\  
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n} " lease-time=10m name=dhcp_60  
add address-pool=dhcp_pool_100 interface="vlan100 [HOME]" lease-script="# DNS TTL to set for DNS entries\r\  
    \n:local dnsttl \"00:15:00\";\r\  
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound         1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName    Name of DHCP server\r\
    \n# leaseActIP         IP address of DHCP client\r\
    \n# leaseActMAC        MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\  
    \n:do {\r\
    \n  :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n  \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\  
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\ 
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n  :local outStr\r\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n  {\r\
    \n    :local tmp [:pick \$inStr \$i];\r\
    \n    :if (\$tmp =\".\") do=\\\r\  
    \n    {\r\
    \n      :set tmp \"-\"\r\  
    \n    }\r\
    \n    :set outStr (\$outStr . \$tmp)\r\
    \n  }\r\
    \n  :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\  
    \n  :local numChars [:len \$name];\r\
    \n  :if (\$numChars > 63) do={:set numChars 63};\r\
    \n  :local result \"\";\r\  
    \n\r\
    \n  :for i from=0 to=(\$numChars - 1) do={\r\
    \n    :local char [:pick \$name \$i];\r\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\  
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\  
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\  
    \n  :local result \"\";\r\  
    \n  :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n    :local char [:pick \$entry \$i];\r\
    \n    :local pos [:find \$upper \$char];\r\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\  
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\  
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n  :log error \"\$LogPrefix: empty lease address\"\r\  
    \n  :error \"empty lease address\"\r\  
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  # new DHCP lease added\r\
    \n  /ip dhcp-server\r\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network\r\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\ 
    \n\r\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\ 
    \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\  
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\ 
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\  
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\  
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\  
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\ 
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\ 
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\  
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n} " lease-time=10m name=dhcp_100  
add address-pool=dhcp_pool_1 interface="vlan1 [DEFAULT]" lease-script="# DNS TTL to set for DNS entries\r\  
    \n:local dnsttl \"00:15:00\";\r\  
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound         1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName    Name of DHCP server\r\
    \n# leaseActIP         IP address of DHCP client\r\
    \n# leaseActMAC        MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\  
    \n:do {\r\
    \n  :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n  \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\  
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\ 
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n  :local outStr\r\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n  {\r\
    \n    :local tmp [:pick \$inStr \$i];\r\
    \n    :if (\$tmp =\".\") do=\\\r\  
    \n    {\r\
    \n      :set tmp \"-\"\r\  
    \n    }\r\
    \n    :set outStr (\$outStr . \$tmp)\r\
    \n  }\r\
    \n  :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\  
    \n  :local numChars [:len \$name];\r\
    \n  :if (\$numChars > 63) do={:set numChars 63};\r\
    \n  :local result \"\";\r\  
    \n\r\
    \n  :for i from=0 to=(\$numChars - 1) do={\r\
    \n    :local char [:pick \$name \$i];\r\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\  
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\  
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\  
    \n  :local result \"\";\r\  
    \n  :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n    :local char [:pick \$entry \$i];\r\
    \n    :local pos [:find \$upper \$char];\r\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\  
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\  
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n  :log error \"\$LogPrefix: empty lease address\"\r\  
    \n  :error \"empty lease address\"\r\  
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  # new DHCP lease added\r\
    \n  /ip dhcp-server\r\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network\r\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\ 
    \n\r\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\ 
    \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\  
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\ 
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\  
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\  
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\  
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\ 
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\ 
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\  
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n} " lease-time=10m name=dhcp_1  
add address-pool=dhcp_pool_111 interface="vlan111 [MANAGEMENT]" lease-script="# DNS TTL to set for DNS entries\r\  
    \n:local dnsttl \"00:15:00\";\r\  
    \n\r\
    \n###\r\
    \n# Script entry point\r\
    \n#\r\
    \n# Expected environment variables:\r\
    \n# leaseBound         1 = lease bound, 0 = lease removed\r\
    \n# leaseServerName    Name of DHCP server\r\
    \n# leaseActIP         IP address of DHCP client\r\
    \n# leaseActMAC        MAC address of DHCP client\r\
    \n###\r\
    \n\r\
    \n:local scriptName \"dhcp2dns\"\r\  
    \n:do {\r\
    \n  :local scriptObj [:parse [/system script get \$scriptName source]]\r\
    \n  \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\r\
    \n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script error\" };\r\  
    \n\r\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\r\ 
    \n:local ip2Host do=\\\r\
    \n{\r\
    \n  :local outStr\r\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\r\
    \n  {\r\
    \n    :local tmp [:pick \$inStr \$i];\r\
    \n    :if (\$tmp =\".\") do=\\\r\  
    \n    {\r\
    \n      :set tmp \"-\"\r\  
    \n    }\r\
    \n    :set outStr (\$outStr . \$tmp)\r\
    \n  }\r\
    \n  :return \$outStr\r\
    \n}\r\
    \n\r\
    \n:local mapHostName do={\r\
    \n# param: name\r\
    \n# max length = 63\r\
    \n# allowed chars a-z,0-9,-\r\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\r\  
    \n  :local numChars [:len \$name];\r\
    \n  :if (\$numChars > 63) do={:set numChars 63};\r\
    \n  :local result \"\";\r\  
    \n\r\
    \n  :for i from=0 to=(\$numChars - 1) do={\r\
    \n    :local char [:pick \$name \$i];\r\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\r\  
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local lowerCase do={\r\
    \n# param: entry\r\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\r\  
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\r\  
    \n  :local result \"\";\r\  
    \n  :for i from=0 to=([:len \$entry] - 1) do={\r\
    \n    :local char [:pick \$entry \$i];\r\
    \n    :local pos [:find \$upper \$char];\r\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\r\
    \n    :set result (\$result . \$char);\r\
    \n  }\r\
    \n  :return \$result;\r\
    \n}\r\
    \n\r\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\r\  
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\r\  
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\r\
    \n{\r\
    \n  :log error \"\$LogPrefix: empty lease address\"\r\  
    \n  :error \"empty lease address\"\r\  
    \n}\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  # new DHCP lease added\r\
    \n  /ip dhcp-server\r\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network\r\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\r\ 
    \n\r\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\r\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\r\ 
    \n\r\
    \n #Hostname cleanup\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\r\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\r\  
    \n  }\r\
    \n  :set hostname [\$lowerCase entry=\$hostname]\r\
    \n  :set hostname [\$mapHostName name=\$hostname]\r\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\r\ 
    \n\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\r\  
    \n    :error \"Empty domainname for '\$leaseActIP'\"\r\  
    \n  }\r\
    \n\r\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\r\  
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\r\ 
    \n\r\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActMAC and server=\$leaseServerName] 0] ]) do={\r\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\r\ 
    \n      :do {\r\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\r\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\r\  
    \n    }\r\
    \n\r\
    \n} else={\r\
    \n# DHCP lease removed\r\
    \n  /ip dns static remove [find comment=\$token];\r\
    \n}" lease-time=10m name=dhcp_111  
/ppp profile
add change-tcp-mss=yes dns-server=10.10.200.1 name=vpn
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 interface=*22 name=pppoe-out1 user=0011859567335502844989420001@t-online.de
/interface bridge port
add bridge=br_vlan interface="ether5 [TRUNK ax2]" internal-path-cost=10 path-cost=10 pvid=111  
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface="ether3 [MANAGEMENT]" pvid=111  
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi1 [5 GHz MASTER]" point-to-point=no pvid=2  
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi2 [2.4 GHz MASTER]" point-to-point=no pvid=2  
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi3 [HOMETEC 5G] " point-to-point=no pvid=200  
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether2 [PHONE]" pvid=50  
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface="ether4 [HOME]" pvid=100  
add bridge=br_vlan frame-types=admit-only-vlan-tagged interface="wifi4 [HOME 5]" point-to-point=no pvid=100  
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan vlan-ids=111
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2],wifi3 [HOMETEC 5G] " vlan-ids=200  
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2],wifi1 [5 GHz MASTER],wifi2 [2.4 GHz MASTER]" vlan-ids=2  
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2],wifi4 [HOME 5]" vlan-ids=100  
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2]" vlan-ids=20  
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2]" vlan-ids=30  
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2]" vlan-ids=40  
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2]" vlan-ids=50  
add bridge=br_vlan tagged="br_vlan,ether5 [TRUNK ax2]" vlan-ids=60  
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=yes
/interface list member
add interface="vlan1 [DEFAULT]" list=LAN  
add interface="vlan200 [HOMETEC]" list=LAN  
add interface="ether1[WAN]" list=WAN  
add interface="vlan2 [WLAN]" list=LAN  
add interface="vlan20 [PRINTER]" list=LAN  
add interface="vlan30 [GUEST]" list=LAN  
add interface="vlan40 [PROXMOX]" list=LAN  
add interface="vlan100 [HOME]" list=LAN  
add interface="vlan50 [PHONE]" list=LAN  
add interface="vlan60 [MOBILE OFFICE]" list=LAN  
add interface="vlan111 [MANAGEMENT]" list=LAN  
/ip address
add address=10.10.200.1/24 interface="vlan200 [HOMETEC]" network=10.10.200.0  
add address=10.10.20.1/24 interface="vlan20 [PRINTER]" network=10.10.20.0  
add address=10.10.30.1/24 interface="vlan30 [GUEST]" network=10.10.30.0  
add address=10.10.40.1/24 interface="vlan40 [PROXMOX]" network=10.10.40.0  
add address=10.10.50.1/24 interface="vlan50 [PHONE]" network=10.10.50.0  
add address=10.10.60.1/24 interface="vlan60 [MOBILE OFFICE]" network=10.10.60.0  
add address=10.10.100.1/24 interface="vlan100 [HOME]" network=10.10.100.0  
add address=10.10.1.1/24 interface="vlan1 [DEFAULT]" network=10.10.1.0  
add address=10.10.111.1/24 interface="vlan111 [MANAGEMENT]" network=10.10.111.0  
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=10.10.1.1 domain=fasan.home.arpa gateway=10.10.1.1
add address=10.10.20.0/24 dns-server=10.10.20.1 domain=fasan.home.arpa gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=10.10.30.1 domain=fasan.home.arpa gateway=10.10.30.1
add address=10.10.40.0/24 dns-server=10.10.40.1 domain=fasan.home.arpa gateway=10.10.40.1
add address=10.10.50.0/24 dns-server=10.10.50.1 domain=fasan.home.arpa gateway=10.10.50.1
add address=10.10.60.0/24 dns-server=10.10.60.1 domain=fasan.home.arpa gateway=10.10.60.1
add address=10.10.100.0/24 dns-server=10.10.100.1 domain=fasan.home.arpa gateway=10.10.100.1
add address=10.10.111.0/24 dns-server=10.10.111.1 domain=fasan.home.arpa gateway=10.10.111.1
add address=10.10.200.0/24 dns-server=10.10.200.1 domain=fasan.home.arpa gateway=10.10.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.111.10 comment=dhcp2-92:ED:BB:0D:42:59 name=10-10-111-10.fasan.home.arpa ttl=15m
add address=10.10.111.6 comment=dhcp_111-12:D4:47:62:82:10 name=10-10-111-6.fasan.home.arpa ttl=15m
add address=10.10.111.3 comment=dhcp_111-90:B2:E7:03:08:01 name=wiznet030801.fasan.home.arpa ttl=15m
add address=10.10.100.37 comment=dhcp_100-22:6D:E5:2A:E5:ED name=10-10-100-37.fasan.home.arpa ttl=15m
add address=10.10.111.49 comment=dhcp_111-38:C9:86:1A:EA:84 name=imac.fasan.home.arpa ttl=15m
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4  
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4  
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4  
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4  
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4  
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4  
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4  
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4  
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4  
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4  
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4  
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4  
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4  
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4  
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4  
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4  
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4  
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4  
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4  
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4  
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4  
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4  
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4  
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in IPSec policy" ipsec-policy=in,ipsec  
add action=accept chain=forward comment="defconf: accept out IPSec policy" ipsec-policy=out,ipsec  
add action=accept chain=input comment="defconf: accept out IPSec policy" dst-port=53,123 in-interface-list=LAN protocol=udp  
add action=accept chain=input comment="defconf: accept out IPSec policy" dst-port=53 in-interface-list=LAN protocol=tcp  
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp  
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked  
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN  
add action=drop chain=input comment="drop all not coming from MANAGEMENT VLAN" in-interface="!vlan111 [MANAGEMENT]"  
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec  
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes  
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked  
# no interface
add action=accept chain=forward in-interface=*C out-interface="vlan200 [HOMETEC]"  
# no interface
add action=accept chain=forward in-interface=*C out-interface="vlan100 [HOME]"  
# no interface
add action=accept chain=forward in-interface="vlan200 [HOMETEC]" out-interface=*C  
add action=accept chain=forward comment="accept all vlan to WAN udp" in-interface=all-vlan out-interface-list=WAN protocol=udp  
add action=accept chain=forward comment="accept all vlan to WAN tcp" in-interface=all-vlan out-interface-list=WAN protocol=tcp  
add action=accept chain=forward comment="accept all vlan to WAN icmp" disabled=yes in-interface=all-vlan out-interface-list=WAN protocol=icmp  
add action=accept chain=forward dst-port=22,80,443,502 in-interface="vlan200 [HOMETEC]" protocol=tcp  
add action=accept chain=forward disabled=yes dst-port=22,80,443,502 in-interface="vlan100 [HOME]" protocol=tcp  
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid  
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN  
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4  
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4  
add action=drop chain=forward out-interface="vlan111 [MANAGEMENT]"  
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN  
add action=dst-nat chain=dstnat comment="Telefon S850A Go" dst-port=49004-49012 protocol=udp to-addresses=10.10.100.101 to-ports=49004-49012  
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec  
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall"  
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4  
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4  
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 in-interface-list=WAN  
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.88.0/24  
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp  
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp  
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp  
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN  
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN  
add action=drop chain=prerouting comment="defconf: drop the rest"  
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack  
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp  
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp  
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp  
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp  
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp  
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp  
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6  
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6  
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6  
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=bad_ipv6  
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6  
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=bad_ipv6  
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6  
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6  
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=not_global_ipv6  
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6  
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=not_global_ipv6  
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=not_global_ipv6  
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6  
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6  
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6  
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6  
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked  
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp  
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10  
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp  
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah  
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp  
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN  
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked  
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid  
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6  
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6  
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6  
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6  
add action=accept chain=forward comment="defconf: accept HIP" protocol=139  
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp  
add action=accept chain=forward comment="defconf: accept AH" protocol=ipsec-ah  
add action=accept chain=forward comment="defconf: accept ESP" protocol=ipsec-esp  
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec  
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN  
# no interface
add action=drop chain=input comment="drop all not coming from MANAGEMENT VLAN" in-interface=!*C  
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes  
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6  
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6  
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6  
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6  
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6  
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6  
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16  
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8  
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN  
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN  
add action=drop chain=prerouting comment="defconf: drop the rest"  
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6  
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6  
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6  
/ppp secret
add local-address=10.10.200.1 name=Heating profile=vpn remote-address=10.10.200.150 service=l2tp
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="Mikrotik ax3"  
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=ntp0.fau.de
add address=ntp1.fau.de
add address=ntp2.fau.de
add address=ntp3.fau.de
add address=npt0.ewetel.de
add address=ntp1.ewetel.de
[SEadmin@Mikrotik ax3] > 

Content-ID: 62785358722

Url: https://administrator.de/contentid/62785358722

Ausgedruckt am: 13.11.2024 um 22:11 Uhr

13910172396
13910172396 26.07.2024, aktualisiert am 27.07.2024 um 00:23:36 Uhr
Goto Top
Nabend.
Die aktive Firewall auf dem AX2 ist Unsinn. Erstens überflüssig weil das der AX3 am Perimeter erledigt, zweitens routet er deine Netze ja nicht und drittens, das ist der eigentliche Fehler, deklarierst du den Trunk und den Switch-Port als WAN-Port (Member der WAN Liste) was dazu führt das sämtlicher Traffic in der Firewall ausgehend auf den Ports auf die MGMT IP geNATed wird. Das führt dann genau dazu was du gerade als Fehler siehst, in der Luft hängende Leases und conflicts wegen dem Masquerading. Ergo, sämtliche Firewall-Rules und NAT-Regeln auf dem AX2 in den Orkus kippen das macht der AX3 zentral, der routet ja deine Netze, der AX2 kann es ja nicht da er selbst einzig und allein das MGMT als Netz kennt, die anderen VLANs sind ja dort nur auf Layer-2 Basis an den AX3 gekoppelt.

Des weiteren ist das dauernde Wiederholen des DNS Skriptes für jeden DHCP-Server ebenso überflüssiger Harzer-Käse, das hinterlegt man einmalig als Skript unter "/system script" und verweist dann in den DHCP-Servern darauf.

Bonne nuit.
Gruß Strods
ArcorPi
ArcorPi 27.07.2024 um 00:08:16 Uhr
Goto Top
Hallo @13910172396, vielen Dank für die ausführliche Analyse. Und das noch am späten Abend! Werde ich umsetzen …
aqui
aqui 27.07.2024 aktualisiert um 10:29:00 Uhr
Goto Top
Die aktive Firewall auf dem AX2 ist Unsinn.
Wieder das Tutorial nicht richtig gelesen!! 🧐 Es empfiehlt gleich am Anfang beim kaskadierten System die Default Konfig und damit die aktivierte Firewall zu löschen!
Kollege @13910172396 hat es oben schon gesagt. Wenn man das kaskadierte System eh rein als Layer 2 Switch verwendet wie du, ist eine L3 basierte Firewall so oder so überflüssig.
ArcorPi
ArcorPi 27.07.2024 um 15:13:08 Uhr
Goto Top
Hallo @aqui, habe ich gelöscht, aber dann die Firewall Regeln aus der MikroTik Doku reinkopiert
aqui
aqui 28.07.2024 aktualisiert um 18:27:44 Uhr
Goto Top
Aus welcher Doku genau?
So oder so recht sinnfrei, denn mit nur einem einzigen IP Interface (Management) bleibt da ja wenig bis gar nix zu tun für eine Firewall die in so einen reinen L2 Setup mehr oder minder ziemlich überflüssig ist.
ArcorPi
ArcorPi 28.07.2024 um 18:52:30 Uhr
Goto Top
Hallo @aqui, ich hatte auf dem ax2 und ax3 die Firewall-Regeln aus Building Advanced Firewall übernommen.
Nachdem ich alle auf dem ax2 gelöscht habe, funktioniert alles prima.

Jetzt noch eine weitere Frage: Leider reicht auch der ax3 nicht ganz aus, um alles bei uns per WLAN abzudecken.
Bevor ich einen CAP ax kaufe, wollte ich schon mal mit dem hAP Lite versuchen, diesen als AP an den ax3 anzubinden. Es gibt da diverse Modi:
ax3: ap, station, station-bridge, station-pseudo-bridge
haP Lite: ap-bridge, bridge, usw.

Was muss ich denn da nehmen, beim ax3 station-bridge und beim haP Lite ap-bridge?
Was muss ich sonst noch beachten? Reicht beim AP (haP Lite) ein einziges WLAN mit Mgmnt ID 111, beim ax3 würde ich ein weiteren virtuelles wifi mit dem Master 2.4Ghz mit ID 111 erstellen (auf dem ax3 habe ich die Master Wifi in VLAN 2, nit in 111), und alles admit only vlan tagged?
Ansonsten alles wie bei den bridge ports für Ethernet, und den Wifi Trunk bei den Geräte-Ports tagged mit derselben SSID?
aqui
aqui 29.07.2024 aktualisiert um 10:38:09 Uhr
Goto Top
Reicht beim AP (haP Lite) ein einziges WLAN mit Mgmnt ID 111
Sollte man im best practise nie machen, denn das Management Netz sollte man niemals in ein WLAN exponieren sondern immer nur per Kupfer betreiben. Der Grund liegt auf der Hand (Security). Es steht dir aber frei es dennoch zu tun, denn technisch ist das natürlich machbar.

Du musst den hAP-lite ja eh einzeln Standalone betreiben da er zur modernen CapsMan Implementation nicht kompatibel ist oder du 2 CapsMan Prozesse betreiben musst was für einen einzelnen AP ziemlich unsinnig wäre. Also einfach Standalone anklemmen und gut iss...

Du gehst exakt wie beim ax2 vor und implemetierst dann schlicht und einfach ein VLAN Setup auf dem hAP, setzt das Kupfer Interface auf PVID 111 und taggest alle deine MSSID VLANs bzw WLANs an diesem Interface. So wird Management und aktive WLANs an den hAP transportiert.
Den Anschlussport am Switch für diesen AP setzt du dann analog ebenfalls auf PVID 111 und taggest auch hier alle deine MSSID VLANs bzw WLANs die du mit dem hAP übertragen willst.
Der hAP wird dann entsprechend genau wie dein ax2 gehandhabt, denn auch der ist ja nur eine simple Layer 2 Bridge (V)LAN auf WLAN.
  • Keine Firewall
  • Nur ein einziges VLAN Interface 111 fürs Management einrichten und auf die Bridge mappen.
  • DHCP Client auf das Interface 111 mappen so das sich der hAP automatisch eine IP und Route aus dem Management Netz zieht.
  • Fertisch
Wie man MSSIDs auf die VLAN IDs mappt steht im Tutorial.

Im Prinzip exakt das gleiche Prozedere wie du es schon von deinem ax2 kennst. face-wink
ArcorPi
ArcorPi 29.07.2024 um 11:44:28 Uhr
Goto Top
Danke @aqui, das versuche ich.
ArcorPi
ArcorPi 29.07.2024 um 19:32:46 Uhr
Goto Top
Hallo @aqui, mit einer Trunk-Kabelverbindung funktioniert es. Ohne nicht. Ich hatte versucht, ein Wifi auf beiden Seiten mit 111 als "Funk"-Trunk-Verbindung zu machen, und wie den Kabel-Trunk zu konfigurieren (admit all), aber da ging nichts. Ich werde schauen, ob ich doch noch mit einem Kabel nach oben komme, ist die bessere Lösung.
aqui
aqui 29.07.2024, aktualisiert am 30.07.2024 um 10:53:10 Uhr
Goto Top
Ohne nicht
Logo! Wie sollte es auch klappen wenn du mit MSSIDs arbeitest die VLAN Tags erzwingen?!
Ich hatte versucht, ein Wifi auf beiden Seiten mit 111 als "Funk"-Trunk-Verbindung zu machen
Ginge auch aber das muss man dann auch richtig umsetzen!! Vermutlich hast du da wieder mal Fehler im Setup fabriziert?! 🤔
https://wiki.mikrotik.com/wiki/Manual:Wireless_VLAN_Trunk

Wegen des Mediums Funk und nicht verlässlichen Bandbreiten ist solche Lösung immer schlecht.
Da ist dann eine Power LAN (DLAN) sogar besser sofern man partout kein Kabel legen kann.
ArcorPi
ArcorPi 29.07.2024 um 22:18:34 Uhr
Goto Top
Danke @aqui!