Josephny
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Where's my bottleneck?

Sat Mar 23, 2024 2:55 pm

I'm running 7.14 stable on an RB5009, wired to an AX3 (also running 7.14). Most local clients connect via wifi to the AX3.

I'm experiencing less than desirable performance and trying to figure out why.

Speed test from the AX3 to the 5009 results in: 265us / 360us / 515us

Bandwidth test average: 956.4 Mbps/942.5 Mbps

Running a speed test from speedtest.net from a wifi-connected Windows laptop:
155Mb/s down
154Mb/s up

This laptop's connection to the AX3 shows 210tx/433rx Mbps

Running a speed test from speedtest.net from a Windows desktop PC wired directly to the 5009:
765Mb/s down
720Mb/s up

I then ran the following BW tests to a hEX at another location (connected via Wireguard over the public Internet):
From the 5009: 180tx Mbps /10.5Mbps rx total average
From the AX3: 124 Mbps tx / 700kbps rx total average

The AX3 does not have a direct wireguard connection to the hEX -- it routes to the 5009. Still seems like a major degradation in performance.

So I think I have reached the extent of my capability:

BW test between 5009 and AX3 shows great results
BW test between 5009 and WG-connected remote hEX is good
BW test between AX3 and same remote hEX is dismal

Routing on AX3 is 'everything to 5009':

/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10

What am I missing?

Is there a way of running an Internet speed test directly from a RouterOS device (so I can do away with having to use a WG-connected remote device)?

Thank you.
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Where's my bottleneck?

Sat Mar 23, 2024 3:27 pm

Have you thought of using IPERF for your testing??
 
Josephny
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sat Mar 23, 2024 3:34 pm

Hey Anav -- thanks!

Usual disclaimer that I know nothing....

My understanding is that iperf should not be run on the MT device, but rather on devices connected immediately to MT devices.

As such, the test would look something like:

DEVICE-RUNNING-IPERF -> MT-DEVICE -> INTERNET -> MT-DEVICE -> DEVICE-RUNNING-IPERF

with the 2 MT-DEVICES above connected with a WG tunnel.

I think the benefit would be that the MT-DEVICES would not be doing any of the traffic generation because the BW tests would be offloaded to the DEVICE(S)-RUNNING-IPERF.

Is this the benefit?
 
mkx
Forum Guru
Posts: 12649
Joined: Thu Mar 03, 2016 10:23 pm

Re: Where's my bottleneck?

Sat Mar 23, 2024 3:39 pm

Is there a way of running an Internet speed test directly from a RouterOS device ...

ROS' own bandwidth test is a pretty CPU demanding application and is often limited due to that. So in essence it doesn't correspond to device performance (when device is used as switch/router) and frequently it doesn't show link performance.

So do as @anav suggests: use connected computer(s) running iperf or speedtest to do proper performance tests through network device.
 
Josephny
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sat Mar 23, 2024 4:51 pm

You guys know so much!

I just ran iperf on a Windows 11 laptop connected via wifi to the AX3, on one side.

On the other side, a Windows 11 desktop connected via ethernet cable to the 5009.

That means:

Laptop (wifi to) -> AX3 (wired to) -> RB5009 (wired to) -> Desktop

Results from running the test a few times are: 142, 161, and 117 Mbits/sec.

This converts to 17.75, 20, and 14.65MB/s.

This is pretty crappy, right?

How can I isolate further to find the problem? Pretty sure the problem is between laptop and ax3, or between ax3 and 5009.

Connection between ax3 and 5009 is by ethernet cable, but it's about 70 feet from one floor to another. Connection shows 1Gbps in Winbox for AX3.
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Where's my bottleneck?

Sat Mar 23, 2024 5:21 pm

Try laptops on both sides of RB5009 and both sides of HAPAX3....

Just give both routers a fixed private WAN IP address of 192.168.55.5 (gateway 192.168.55.1)
and the laptop on the router side 192.168.55.2 and run IPERF,
then you will get a good sense of the throughput on each router WAN to LAN and LAN to WAN as a starting point.

Eventually you should post both configs here for viewing, of course.
 
holvoetn
Forum Guru
Posts: 6320
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Where's my bottleneck?

Sat Mar 23, 2024 5:39 pm

Test cable to cable first so you are 100% sure the problem is not there.
That's your baseline.

Laptop - cable - AX3 - cable - RB5009 - cable - desktop

As a reference: I have similar setup (also AX2 on top of RB5009 and AX3 at home).
When I run all cable, I get 950-ish as expected for gigabit ethernet.
When I run laptop (Wifi 6 card !!) - wifi - AX3 - RB5009 I get 700-800-ish.
[SUM] 0.00-9.99 sec 934 MBytes 784 Mbits/sec sender
[SUM] 0.00-10.03 sec 938 MBytes 784 Mbits/sec receiver

iperf Done.

What wireless card is in your laptop?
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Where's my bottleneck?

Sat Mar 23, 2024 6:00 pm

Well my test was mostly aimed at the laptops LOL........... I suspect they max out around 700
 
Josephny
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sat Mar 23, 2024 6:10 pm

Okay, connected the laptop via cable to the AX3.

The test setup is:

Laptop - cable - AX3 - cable - RB5009 - cable - desktop

iperf from laptop to desktop is now:

500Mbit/s (62MB/s)

Not great, but much, much faster.

Then I took another laptop and wired it to the AX3, so the set up is:

Laptop via cable -> AX3 -> Laptop via cable

Oddly, I got the same results (500Mbit/s).

Same speed (and not particularly fast) with 2 laptops connected directly to AX3. I'm missing something here.
 
holvoetn
Forum Guru
Posts: 6320
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Where's my bottleneck?

Sat Mar 23, 2024 6:11 pm

Time to show your config ...
 
Josephny
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sat Mar 23, 2024 10:23 pm

Can anything in the config below explain a connectivity/throughput slowdown?

Here's the AX3 config:

# 2024-03-23 16:05:29 by RouterOS 7.14
# software id = 5NRD-V1QF
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HDxxxxxx
/interface bridge
add disabled=yes name=Guest-Bridge port-cost-mode=short
add admin-mac=48:A9:8A:0F:04:8F auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment="To hEX" poe-out=off
set [ find default-name=ether3 ] comment=TV
set [ find default-name=ether4 ] comment=TV
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=all \
    .width=20/40mhz configuration.country="United States" .mode=ap .ssid=\
    Upstairs5g-0F0493 disabled=no security.authentication-types=wpa2-psk \
    .passphrase=PASSWORD
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=all \
    .width=20mhz configuration.country="United States" .mode=ap .ssid=\
    Upstairs-2G-0F0494 disabled=no security.authentication-types=wpa2-psk \
    .passphrase=PASSWORD
add configuration.mode=ap .ssid=2point4 disabled=no mac-address=\
    4A:A9:8A:0F:04:93 master-interface=wifi2 mtu=1500 name=Guest212 \
    security.authentication-types=wpa2-psk,wpa3-psk .passphrase=PASSWORD
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add include=LAN,WAN name=ALL-JRS
add name=TRUSTED
/ip pool
add name=dhcp_pool0 ranges=172.16.0.2-172.16.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Guest-Bridge name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=Guest212 internal-path-cost=10 path-cost=10
add bridge=bridge interface=*A internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=TRUSTED
add interface=ether1 list=TRUSTED
add interface=wifi1 list=TRUSTED
add interface=wifi2 list=TRUSTED
/interface wifi access-list
add action=accept comment=HarmonyHub disabled=no mac-address=\
    00:04:20:F9:31:D2
add action=accept comment=MFC-L3770 disabled=no mac-address=30:C9:AB:17:71:59
add action=accept comment="JRS iPhone" disabled=no mac-address=\
    FC:AA:81:2A:1F:B4
add action=accept comment="\?\?\?" disabled=no mac-address=96:4E:A5:1A:A9:74
add action=accept comment="\?\?\?" disabled=no mac-address=52:DA:D4:46:23:5B
add action=accept comment="Thomas iPhone" disabled=no mac-address=\
    46:B4:96:5E:1A:1B
add action=accept comment="SRN iPhone" disabled=no mac-address=\
    4A:11:46:2B:5B:78
add action=accept comment="\?\?\?" disabled=no mac-address=02:2A:61:8A:88:A7
add action=accept comment="SRN iPad" disabled=no mac-address=\
    16:31:50:11:6B:CF
add action=accept comment=DCP-L2550DW disabled=no mac-address=\
    2C:6F:C9:5F:BC:EB
add action=accept comment=Laptop-JRS-AN51 disabled=no mac-address=\
    94:E7:0B:29:30:E7
add action=accept comment="Tasmota switch" disabled=no mac-address=\
    C4:5B:BE:E3:76:77
add action=accept comment="JRS Laptop 2023" disabled=no mac-address=\
    64:49:7D:61:AE:2C
add action=accept comment="Living room (TV maybe)" disabled=no mac-address=\
    D4:90:9C:D8:66:99
add action=accept comment="49TCLRokuTV - Thomas" disabled=no mac-address=\
    0C:62:A6:1E:8B:18
add action=accept comment="SRN MS laptop" disabled=no mac-address=\
    24:EE:9A:54:9A:E8
add action=accept comment=MFC-L2550 disabled=no mac-address=B2:38:0C:90:FE:04
add action=accept comment="THR316 Thomas BR" disabled=no mac-address=\
    C8:F0:9E:E8:8A:E4
add action=accept comment="SRN iPhone" disabled=no mac-address=\
    EA:C1:05:82:99:7C
/ip address
add address=192.168.2.5/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.10.5/24 disabled=yes interface=bridge network=10.10.10.0
add address=172.16.0.1/24 disabled=yes interface=Guest-Bridge network=\
    172.16.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=4w cache-size=32768KiB \
    query-server-timeout=5s servers=192.168.2.2
/ip dns static
add address=192.168.2.5 comment=defconf name=hapax3.212.local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=accept chain=input disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward disabled=yes in-interface-list=LAN log=yes
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward
add action=accept chain=input
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip smb shares
set [ find default=yes ] directory=/pub
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=212hAP-Ax3
/system logging
add topics=wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.2.2
add address=3.pool.ntp.org
add address=0.north-america.pool.ntp.org
/system scheduler
add interval=2d name=export-download on-event=export-download policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-02-01 start-time=16:44:58
add interval=2d name=dynamic-data-rextended on-event=dynamic-data-rextended \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-09-30 start-time=02:58:29
/system script
add dont-require-permissions=no name=export-download owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n\r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\r\
    \n/export show-sensitive file=\"\$identitydate\"\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/\$[\$identitydate].\
    rsc\" dst-path=\"/mikrotik-backups/\$[\$identitydate].rsc\" address=192.16\
    8.2.22 port=21 user=mikrotik password=PASSWORD\r\
    \n\r\
    \n/file remove \"\$[\$identitydate]\""
add dont-require-permissions=no name=dynamic-data-rextended owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/system\r\
    \n:local identitydate \"\$[identity get name]_\$[clock get date]\"\r\
    \n:local stringexec   \"/system iden print; :put \\\"\\\\r\\\\n\\\"; /ip c\
    loud pri; :put \\\"\\\\r\\\\n\\\";  /ip dhcp-server lease pri det; :put \\\
    \"\\\\r\\\\n\\\"; /int bridge host pri det\"\r\
    \n\r\
    \n:if ([:len [/system package find where name=\"wifiwave2\"]] > 1) do={\r\
    \n    :set stringexec \"\$stringexec; :put \\\"\\\\r\\\\n\\\" /int wifiwav\
    e2 reg pri det\"\r\
    \n} \r\
    \n\r\
    \n:if ([:len [/system package find where name=\"wifiwave2\"]] > 1) do={\r\
    \n    :set stringexec \"\$stringexec; :put \\\"\\\\r\\\\n\\\" /int wireles\
    s reg pri det\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n/file remove [find where name=tmpresults.txt]\r\
    \n:delay 1s\r\
    \n:execute \$stringexec file=tmpresults.txt\r\
    \n:delay 2s\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no address=192.168.2.22 port=21 us\
    er=mikrotik password=PASSWORD \\\r\
    \n    src-path=tmpresults.txt dst-path=\"/mikrotik-backups/\$identitydate-\
    dynamicdata.txt\"\r\
    \n\r\
    \n/file remove [find where name=tmpresults.txt]"
/tool graphing interface
add interface=wifi2
add
add interface=bridge
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=wifi1
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes
/tool sniffer
set file-limit=10000KiB filter-mac-address=\
    10:6F:D9:D4:AA:65/FF:FF:FF:FF:FF:FF memory-limit=1000KiB

Here is the RB5009 config:
# 2024-03-23 16:05:57 by RouterOS 7.14
# software id = 2KBD-7ZZB
#
# model = RB5009UPr+S+
# serial number = HDA0xxxxx
/interface bridge
add admin-mac=18:FD:74:CF:7F:5D auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN poe-out=off
set [ find default-name=ether2 ] comment="Switch CSS 24" poe-out=off
set [ find default-name=ether3 ] comment="JRS PC port 3" poe-out=off
set [ find default-name=ether4 ] comment="hAP 16" poe-out=off
set [ find default-name=ether5 ] comment="15 wall port 5 -- Proxmox" poe-out=\
    off
set [ find default-name=ether6 ] comment="MOCA adapter" poe-out=off
set [ find default-name=ether7 ] poe-out=off
set [ find default-name=ether8 ] poe-out=off
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard private-key=\
    "WIPjxxxxA="
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/iot mqtt brokers
add address=192.168.0.103 client-id=192.168.2.2 name=HA password=PASSWORD \
    username=mqtt
add address=192.168.0.162 auto-connect=yes name="Home Assistant" password=\
    PASSWORD username=mqtt
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-script="\r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n\r\
    \n:local thistime [/system clock get time]\r\
    \n:local thishour [:pick \$thistime 0 2]\r\
    \n:local thisminute [:pick \$thistime 3 5]\r\
    \n:local thissecond [:pick \$thistime 6 8]\r\
    \n:local identitydatetime \"\$[identity get name]_\$yyyy-\$MM-\$dd_\$thish\
    our:\$thisminute:\$thissecond\"\r\
    \n:local datetime \"\$yyyy-\$MM-\$dd_\$thishour:\$thisminute:\$thissecond\
    \"\r\
    \n:local systemname \"\$[identity get name]\"\r\
    \n\r\
    \n#:if (\$leaseBound=1) do={\r\
    \n\r\
    \n#  :log info \"testing after condition BOUND\" }\r\
    \n\r\
    \n#:if  ([/ip dhcp-server lease find where dynamic mac-address=\$leaseActM\
    AC]!=\"\") do={\r\
    \n\r\
    \n#  :log info \"testing after condition DYNAMIC\"}\r\
    \n\r\
    \n\r\
    \n:if  ((\$leaseBound=1)  && ([/ip dhcp-server lease find where dynamic ma\
    c-address=\$leaseActMAC]!=\"\") && ([/ip dhcp-server lease find where comm\
    ent mac-address=\$leaseActMAC]=\"\")) do={\r\
    \n\r\
    \n#    :log info \"testing after conditions BOUND and DYNAMIC and EMPTY CO\
    MMENT\" \r\
    \n\r\
    \n:local recipient \"email@email.com\"\r\
    \n\r\
    \n    :tool e-mail send to=\$recipient subject=\"\$systemname DHCP Lease A\
    ssigned to \$leaseActMAC\" body=\"MAC address \$leaseActMAC received IP ad\
    dress \$leaseActIP with a hostname of \$[/ip/dhcp-server/lease/get value-n\
    ame=host-name [find where mac-address=\$leaseActMAC]] from DHCP Server \$l\
    easeServerName on \$datetime from \$systemname with comment \$[/ip/dhcp-se\
    rver/lease/get value-name=comment [find where mac-address=\$leaseActMAC]]\
    \"\r\
    \n\r\
    \n\r\
    \n#    :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n\r\
    \n\r\
    \n" lease-time=1d name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/system logging action
set 3 remote=192.168.2.2
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/container config
set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=MANAGE
add interface=*B list=MANAGE
add interface=212-Wireguard list=LAN
add interface=212-Wireguard list=MANAGE
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" interface=\
    212-Wireguard public-key="b9iyIPXw9MQIGo852yC/Xd9Ds2VQoOKASosTxjRpJX8="
add allowed-address=\
    10.10.100.2/32,192.168.88.0/24,10.10.100.40/32,192.168.40.0/24 comment=\
    371 endpoint-address=371.dyndns.org endpoint-port=52820 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxx="
add allowed-address=10.10.100.9/32 comment="JRS iPhone" interface=\
    212-Wireguard public-key="xxxxxx/fkSuBAuOb/ZBIFY="
add allowed-address=10.10.100.12/32,192.168.20.0/24 comment=629 \
    endpoint-address=aaaaa.dyndns.org endpoint-port=51821 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxx="
add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment=355 \
    endpoint-address=aaaaa.dyndns.org endpoint-port=51833 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "Q8CPJm+/xxxxxxx="
add allowed-address=10.10.100.60/32,192.168.1.0/24 comment=255 \
    endpoint-address=aaaaa.dyndns.org endpoint-port=51835 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxx+r9bzZ0aWPK0PMwbRc="
add allowed-address=10.10.100.30/32,192.168.30.0/24 comment=76 \
    endpoint-address=aaaa.dyndns.org endpoint-port=51830 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxx="
add allowed-address=10.10.90.0/24 comment="BI PC WG APP" endpoint-port=51820 \
    interface=212-Wireguard public-key=\
    "xxxxxx/RFr9FogUr5iBSC0jt9TV4="
add allowed-address=10.10.100.1/32,192.168.2.2/24 comment=\
    "212 (local, just for reference);   192.168.2.2" disabled=yes \
    endpoint-address=AAAA.dyndns.org endpoint-port=51820 interface=\
    212-Wireguard public-key="xxxxxx/op1OqXrW4Ds="
add allowed-address=10.10.100.100/32 comment="JRS Laptop 201" disabled=yes \
    interface=212-Wireguard public-key=\
    "QJCXZaf5K/xxxx="
add allowed-address=10.10.100.101/32 endpoint-port=51840 interface=\
    212-Wireguard public-key="N/t6/86S/xxxxx="
add allowed-address=10.10.100.70/32,192.168.70.0/24 comment=125 \
    endpoint-address=AAAA.dyndns.org endpoint-port=51870 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxx="
add allowed-address=10.10.100.99/32,192.168.2.0/24 comment="JRS Laptop 2023" \
    interface=212-Wireguard private-key=\
    "ED8Ig6UntTB7Kg+xxxx//vOc9p2Q=" public-key=\
    "w9XFUjODaOIOQbCeMVJ+xxxx="
add allowed-address=10.10.100.53/32,192.168.0.0/24 client-listen-port=51840 \
    comment="WG Proxmox Win11" endpoint-address=aaaaa.dyndns.org \
    endpoint-port=51844 interface=*12 public-key=\
    "Wut4NWWjMvqM+xxxx+xxxx="
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server alert
add interface=bridge
add alert-timeout=30m interface=bridge on-alert=rogue-dhcp
/ip dhcp-server lease
add address=192.168.2.100 comment=TV15 mac-address=78:6A:1F:8D:F9:C8 server=\
    defconf
add address=192.168.2.121 client-id=1:da:f3:68:be:3f:b comment="Ipad SRN" \
    mac-address=DA:F3:68:BE:3F:0B server=defconf
add address=192.168.2.102 comment=STB mac-address=78:6A:1F:8D:FC:B4 server=\
    defconf
add address=192.168.2.101 comment=STB mac-address=78:6A:1F:8D:FC:0F server=\
    defconf
add address=192.168.2.103 comment=STB mac-address=A0:68:7E:4D:D0:4B server=\
    defconf
add address=192.168.2.138 client-id=1:30:c9:ab:17:71:59 comment=MFCL3770CDW \
    lease-time=3d18h mac-address=30:C9:AB:17:71:59 server=defconf
add address=192.168.2.107 client-id=1:94:e7:b:29:30:e7 comment=JRSLaptopASUS \
    mac-address=94:E7:0B:29:30:E7 server=defconf
add address=192.168.2.141 client-id=1:c2:5d:7f:1f:4c:f5 comment="JRS iPhone" \
    mac-address=C2:5D:7F:1F:4C:F5 server=defconf
add address=192.168.2.106 client-id=1:18:fd:74:cf:7f:5c comment=RB5009 \
    mac-address=18:FD:74:CF:7F:5C server=defconf
add address=192.168.2.109 client-id=1:0:6b:9e:d1:24:f3 comment="Vizio on 15" \
    mac-address=00:6B:9E:D1:24:F3 server=defconf
add address=192.168.2.147 comment=TV mac-address=3C:59:1E:F4:02:EF server=\
    defconf
add address=192.168.2.122 client-id=1:d4:90:9c:d8:66:99 comment=Homepod \
    mac-address=D4:90:9C:D8:66:99 server=defconf
add address=192.168.2.191 comment="TV 15 SRN Office" mac-address=\
    3C:59:1E:F4:3C:CB server=defconf
add address=192.168.2.199 client-id=1:c8:63:f1:f1:9f:44 comment=Playstation \
    mac-address=C8:63:F1:F1:9F:44 server=defconf
add address=192.168.2.119 client-id=1:88:e9:fe:6e:97:9d comment=ThomasMBP \
    mac-address=88:E9:FE:6E:97:9D server=defconf
add address=192.168.2.128 comment=MBR65TV mac-address=34:51:80:C8:BB:2C \
    server=defconf
add address=192.168.2.200 client-id=1:0:4:20:f9:31:d2 comment=HarmonyHub \
    lease-time=3d18h mac-address=00:04:20:F9:31:D2 server=defconf
add address=192.168.2.114 client-id=1:46:b4:96:5e:1a:1b comment=\
    "Thomas iPhone" mac-address=46:B4:96:5E:1A:1B server=defconf
add address=192.168.2.176 client-id=1:18:3:73:3a:63:19 mac-address=\
    18:03:73:3A:63:19 server=defconf
add address=192.168.2.142 client-id=1:4e:fe:92:a6:40:cd comment=SRNAppleWatch \
    mac-address=4E:FE:92:A6:40:CD server=defconf
add address=192.168.2.124 client-id=1:2c:6f:c9:5f:bc:eb comment=Printer \
    mac-address=2C:6F:C9:5F:BC:EB server=defconf
add address=192.168.2.173 client-id=1:24:ee:9a:54:9a:e8 comment=NC-LT-SN20 \
    mac-address=24:EE:9A:54:9A:E8 server=defconf
add address=192.168.2.117 client-id=1:b4:22:0:95:59:8a comment=Printer \
    mac-address=B4:22:00:95:59:8A server=defconf
add address=192.168.2.127 client-id=\
    ff:a1:71:46:7d:0:1:0:1:2c:cb:11:8c:a:25:a1:71:46:7d comment=\
    "Debian LXC under Proxmox" mac-address=0A:25:A1:71:46:7D server=defconf
add address=192.168.2.110 client-id=1:64:49:7d:61:ae:2c comment=\
    JRS-Laptop-2023 mac-address=64:49:7D:61:AE:2C server=defconf
add address=192.168.2.166 comment="15 TV" mac-address=B0:A7:37:75:B6:60 \
    server=defconf
add address=192.168.2.105 client-id=1:c4:17:fe:43:33:7 comment=Susans-iPhone \
    mac-address=C4:17:FE:43:33:07 server=defconf
add address=192.168.2.108 client-id=1:0:5:cd:19:3c:7 comment="Denon AVR" \
    mac-address=00:05:CD:19:3C:07 server=defconf
add address=192.168.2.116 client-id=1:ea:c1:5:82:99:7c comment="SRN iphone" \
    mac-address=EA:C1:05:82:99:7C server=defconf
add address=192.168.2.120 client-id=1:96:4e:a5:1a:a9:74 comment=\
    "Thomas iPad large" mac-address=96:4E:A5:1A:A9:74 server=defconf
add address=192.168.2.123 client-id=1:54:6c:eb:7b:a2:c3 comment="Thomas Acer" \
    mac-address=54:6C:EB:7B:A2:C3 server=defconf
add address=192.168.2.113 client-id=1:18:fd:74:38:81:2b comment=hEX \
    mac-address=18:FD:74:38:81:2B server=defconf
add address=192.168.2.112 client-id=1:fc:aa:81:2a:1f:b4 comment=\
    "JRS iPhone 2023" mac-address=FC:AA:81:2A:1F:B4 server=defconf
add address=192.168.2.118 client-id=1:36:41:ef:17:d0:c9 comment=\
    "SRN Apple Watch" mac-address=36:41:EF:17:D0:C9 server=defconf
add address=192.168.2.115 client-id=1:16:31:50:11:6b:cf comment="Susan iPad" \
    mac-address=16:31:50:11:6B:CF server=defconf
add address=192.168.2.126 client-id=1:7a:49:88:57:e9:14 comment=\
    "NOT any Thomas or Susan's Device" mac-address=7A:49:88:57:E9:14 server=\
    defconf
add address=192.168.2.130 client-id=1:3c:6:30:20:1:70 comment="Padan\?" \
    mac-address=3C:06:30:20:01:70 server=defconf
add address=192.168.2.133 client-id=1:f6:b9:88:dd:23:1a comment="\?\?\?\?\?" \
    mac-address=F6:B9:88:DD:23:1A server=defconf
add address=192.168.2.134 client-id=1:be:22:c3:46:12:33 mac-address=\
    BE:22:C3:46:12:33 server=defconf
add address=192.168.2.111 client-id=1:c8:f0:9e:e8:8a:e4 comment=\
    "THR316D T BR" mac-address=C8:F0:9E:E8:8A:E4 server=defconf
add address=192.168.2.131 client-id=1:d6:a9:86:b1:c9:3e comment="SRN iwatch" \
    mac-address=D6:A9:86:B1:C9:3E server=defconf
add address=192.168.2.129 client-id=1:22:bc:d8:7f:66:fd comment="Thomas -- " \
    mac-address=22:BC:D8:7F:66:FD server=defconf
add address=192.168.2.132 client-id=1:3c:a6:f6:1f:87:ac mac-address=\
    3C:A6:F6:1F:87:AC server=defconf
add address=192.168.2.139 client-id=1:1a:b9:14:b4:55:ea comment=\
    "Rachel phone" mac-address=1A:B9:14:B4:55:EA server=defconf
add address=192.168.2.140 client-id=1:68:1d:ef:38:e5:9b comment=\
    "Mini-PC from aliexpress" mac-address=68:1D:EF:38:E5:9B server=defconf
add address=192.168.2.125 client-id=1:2e:ef:fe:36:a1:5 comment=\
    "Thomas iPhone" mac-address=2E:EF:FE:36:A1:05 server=defconf
add address=192.168.2.137 client-id=1:c8:7f:54:5a:69:13 comment=\
    "JRS 2024 Desktop" mac-address=C8:7F:54:5A:69:13 server=defconf
add address=192.168.2.144 client-id=1:3c:6:30:c:ee:88 mac-address=\
    3C:06:30:0C:EE:88 server=defconf
add address=192.168.2.154 comment=65TCLRokuTV mac-address=08:C3:B3:DF:26:62 \
    server=defconf
add address=192.168.2.171 comment=49TCLRokuTV mac-address=0C:62:A6:1E:8B:18 \
    server=defconf
add address=192.168.2.149 client-id=1:68:1d:ef:3a:da:e0 comment=\
    "T8-Mini-PC-26NNQ3ARVB1\r\
    \n" mac-address=68:1D:EF:3A:DA:E0 server=defconf
add address=192.168.2.143 client-id=1:b2:38:c:90:fe:4 comment=MFC-L2550 \
    mac-address=B2:38:0C:90:FE:04 server=defconf
add address=192.168.2.161 client-id=1:ec:da:3b:d1:92:3c comment=\
    "Presence sensor Screek D1923C" mac-address=EC:DA:3B:D1:92:3C server=\
    defconf
add address=192.168.2.190 mac-address=48:55:19:F0:73:12 server=defconf
add address=192.168.2.150 client-id=1:84:57:33:9b:83:85 mac-address=\
    84:57:33:9B:83:85 server=defconf
add address=192.168.2.162 client-id=1:7c:4b:26:5d:6:be mac-address=\
    7C:4B:26:5D:06:BE server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.2 gateway=\
    192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=8w4d cache-size=65536KiB servers=\
    1.1.1.1,1.0.0.1,8.8.8.8,9.9.9.9
/ip dns static
add address=192.168.2.8 name=212-rb5009.212.local
add address=192.168.2.2 name=RB5009.212.local ttl=9w6d10h40m
add address=10.10.100.1 name=212.10.10.100.1.local ttl=9w6d10h40m
add address=192.168.2.100 comment="automatic-from-comment (magic comment)" \
    name=TV15.212.local ttl=1h
add address=192.168.2.121 comment="automatic-from-comment (magic comment)" \
    name="Ipad SRN.212.local" ttl=9w6d10h40m
add address=192.168.2.138 comment="automatic-from-comment (magic comment)" \
    name=MFCL3770CDW.212.local ttl=9w6d10h40m
add address=192.168.2.141 comment="automatic-from-comment (magic comment)" \
    name="JRS iPhone.212.local" ttl=9w6d10h40m
add address=192.168.2.109 comment="automatic-from-comment (magic comment)" \
    name="Vizio on 15.212.local" ttl=9w6d10h40m
add address=192.168.2.122 comment="automatic-from-comment (magic comment)" \
    name=Homepod.212.local ttl=9w6d10h40m
add address=192.168.2.199 comment="automatic-from-comment (magic comment)" \
    name=Playstation.212.local ttl=9w6d10h40m
add address=192.168.2.142 comment="automatic-from-comment (magic comment)" \
    name=SRNAppleWatch.212.local ttl=9w6d10h40m
add address=192.168.2.22 name=JRS-PC.212.local
add address=192.168.2.102 comment="automatic-from-dhcp (magic comment)" name=\
    Master-Bedroom.212.local ttl=1h40m
add address=192.168.2.103 comment="automatic-from-dhcp (magic comment)" name=\
    Family-Room.212.local ttl=1h40m
add address=192.168.2.138 comment="automatic-from-dhcp (magic comment)" name=\
    MFC-L3770.212.local ttl=1h40m
add address=192.168.2.147 comment="automatic-from-dhcp (magic comment)" name=\
    212LR.212.local ttl=1h40m
add address=192.168.2.191 comment="automatic-from-dhcp (magic comment)" name=\
    SRNOffice.212.local ttl=1h40m
add address=192.168.2.128 comment="automatic-from-dhcp (magic comment)" name=\
    212MBR.212.local ttl=1h40m
add address=192.168.2.200 comment="automatic-from-dhcp (magic comment)" name=\
    HarmonyHub.212.local ttl=1h40m
add address=192.168.2.124 comment="automatic-from-dhcp (magic comment)" name=\
    BRW2C6FC95FBCEB.212.local ttl=1h40m
add address=192.168.2.173 comment="automatic-from-dhcp (magic comment)" name=\
    NC-LT-SN20.212.local ttl=1h40m
add address=192.168.2.137 comment="automatic-from-dhcp (magic comment)" name=\
    tasmota-E37677-5751.212.local ttl=1h40m
add address=192.168.2.117 comment="automatic-from-dhcp (magic comment)" name=\
    BRNB4220095598A.212.local ttl=1h40m
add address=192.168.2.127 comment="automatic-from-dhcp (magic comment)" name=\
    Debian.212.local ttl=1h40m
add address=192.168.2.110 comment="automatic-from-dhcp (magic comment)" name=\
    JRS-Laptop-2023.212.local ttl=1h40m
add address=192.168.2.108 comment="automatic-from-dhcp (magic comment)" name=\
    0005CD193C07.212.local ttl=1h40m
/ip firewall address-list
add address=AAAA.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=Authorized
add address=10.10.100.0/24 list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback allow" dst-address=127.0.0.1
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=accept chain=input comment="Allow Authorized" src-address-list=\
    Authorized
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow LAN to WAN" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment="Allow all traffic out WG iface" \
    out-interface=212-Wireguard
add action=drop chain=forward log=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" passthrough=yes src-address=\
    192.168.2.0/24
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" passthrough=yes src-address=\
    192.168.2.0/24
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" passthrough=yes src-address=\
    192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    protocol=tcp to-addresses=192.168.2.176
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=5911 log=yes protocol=tcp to-addresses=192.168.2.139
add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=5911 log=yes protocol=tcp to-addresses=192.168.2.139
add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50
/ip route
add comment=371 disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=\
    *B pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=*B \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=255 disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=*B \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=*B pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=629 disabled=yes distance=1 dst-address=192.168.20.0/24 gateway=\
    *B pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=355-Cameras disabled=no distance=1 dst-address=192.168.5.0/24 \
    gateway=212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=192.168.2.8 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=76 disabled=no distance=1 dst-address=192.168.30.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=371 disabled=no distance=1 dst-address=192.168.40.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=125 disabled=no distance=1 dst-address=192.168.70.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip smb shares
set [ find default=yes ] directory=/pub
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=212RB5009
/system logging
add disabled=yes topics=dude
add disabled=yes topics=wireguard
add disabled=yes topics=interface
add action=echo disabled=yes topics=wireguard
add disabled=yes topics=debug
add disabled=yes topics=mqtt
add topics=account
add disabled=yes topics=firewall
add disabled=yes topics=dhcp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=104.16.132.229
/system scheduler
add disabled=yes interval=1d name=Daily on-event=dyndns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2022-10-18 start-time=02:00:00
add disabled=yes interval=10m name=Route355255371 on-event=\
    "355 255 371 route status" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2022-11-24 start-time=04:42:54
add interval=4d name=export-download on-event=export-download policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2022-12-14 start-time=04:47:33
add disabled=yes interval=1h name="355 255 371 629 Route Status" on-event=\
    "355 255 371 629 Route Status" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-01-23 start-time=16:22:48
add interval=2d name=dynamic-data-rextended on-event=dynamic-data-rextended \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-09-30 start-time=02:58:29
add interval=2d name=DynDNS on-event=DynDNS policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2022-10-18 start-time=02:00:00
add interval=30m name=Netwatch on-event=Netwatch policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-01-23 start-time=16:22:48
add interval=30m name=WG-iface-restart on-event=WG-iface-restart policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-03-13 start-time=06:41:55
add interval=5d name=IPlist on-event=IPlist policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-04-10 start-time=06:54:16
add disabled=yes name="Hassio Firmware Entity Publish" on-event=\
    "Hassio Firmware Entity Publish" policy=read,test start-time=startup
add disabled=yes interval=6h name="Hassio Firmware State Publish" on-event=\
    "Hassio Firmware State Publish" policy=read,write,policy,test start-time=\
    startup
add disabled=yes name=HassioSensorHealthEntityPublish on-event=\
    HassioSensorHealthEntityPublish policy=read,write,test start-time=startup
add disabled=yes interval=1h name=HassioSensorHealthStatePublish on-event=\
    HassioSensorHealthStatePublish policy=read,write,test start-time=startup
add disabled=yes name=HassioSensorPoeEntityPublish on-event=\
    HassioSensorPoeEntityPublish policy=read,write,test start-time=startup
add disabled=yes interval=1h name=HassioSensorPoeStatePublish on-event=\
    HassioSensorPoeStatePublish policy=read,test start-time=startup
add interval=1d name=dhcpleasesftp on-event=dhcpleasesftp policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2022-12-14 start-time=04:47:33
add interval=30m name=WG-iface-restart-log-lasthandshake on-event=\
    WG-iface-restart-log-lasthandshake policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-03-18 start-time=05:25:18
/system script
add dont-require-permissions=no name=DynDNS owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\r\
    \n#/export show-sensitive file=\"\$identitydate\"\r\
    \n\r\
    \n# Export public IP and mail it\r\
    \n\r\
    \n/ip/address print file=\"\$identitydate-IP\"\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"\$[\$identitydate]-I\
    P.txt\" dst-path=\"/mikrotik-backups/\$[\$identitydate]-IP.txt\" address=1\
    92.168.2.22 port=21 user=mikrotik password=PASSWORD\r\
    \n\r\
    \n/file remove \"\$identitydate-IP.txt\"\r\
    \n\r\
    \n# Set needed variables\r\
    \n\t:local username \"AAAA\"\r\
    \n\t:local clientkey \"9ac4f32e2bba11e788e206873aa78bc3\"\r\
    \n\t:local hostname \"AAAA.dyndns.org\"\r\
    \n\r\
    \n\t:global dyndnsForce\r\
    \n\t:global previousIP\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n\t/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" ds\
    t-path=\"/dyndns.checkip.html\"\r\
    \n\t:delay 1\r\
    \n\t:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n\t:local resultLen [:len \$result]\r\
    \n\t:local startLoc [:find \$result \": \" -1]\r\
    \n\t:set startLoc (\$startLoc + 2)\r\
    \n\t:local endLoc [:find \$result \"</body>\" -1]\r\
    \n\t:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n\t:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - usefu\
    l for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n#:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details https://help.dyn.com/remote-access\
    -api/perform-update/\r\
    \n\t:log info \"UpdateDynDNS: previousIP = \$previousIP\"\r\
    \n\t:if (\$dyndnsForce = true) do={ :log warning \"UpdateDynDNS: Forced up\
    date on\" }\r\
    \n\r\
    \n\t:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n\t\t:set dyndnsForce false\r\
    \n\t\t:set previousIP \$currentIP\r\
    \n\r\
    \n\t\t/tool fetch mode=https \\\r\
    \n\t\turl=\"https://\$username:\$clientkey@members.dyndns.org/v3/update\?h\
    ostname=\$hostname&myip=\$currentIP\" \\ \r\
    \n\t\tdst-path=\"/dyndns.txt\"\r\
    \n\r\
    \n\t\t:delay 1\r\
    \n\t\t:local result [/file get dyndns.txt contents]\r\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n\t\t:put (\"Dyndns Update Result: \".\$result)\r\
    \n\t} else={\r\
    \n\t\t:log info (\"UpdateDynDNS: No dyndns update needed\")\r\
    \n\t}\r\
    \n\r\
    \n"
add dont-require-permissions=no name=Netwatch owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
    \r\
    \n:global prevstatus355;\r\
    \n:global updown355;\r\
    \n:global status355 [:ip route get value-name=active [:ip route find comme\
    nt=\"355\"]]\r\
    \n\r\
    \n#:log info (\"status355 is \$status355\");\r\
    \n#:log info (\"prevstatus355 is \$prevstatus355\");\r\
    \n\r\
    \n:if ( \"\$status355\" = true ) do={:set updown355 UP} else= {:set updown\
    355 DOWN}\r\
    \n\r\
    \n#:log info (\"updown355 is \$updown355\");\r\
    \n\r\
    \n:if ( \"\$status355\" != \"\$prevstatus355\" ) do={ \r\
    \n\r\
    \n#:log warn \"355 connectivity is now \\\"\$updown355\\\" \";\r\
    \n:tool e-mail send to=email@email.com subject=\"355 Connectivity n\
    ow \\\"\$updown355\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
    stem clock get time ] . \" SENT FROM 212hEX:  355 connectivity changed sta\
    tus from \\\"\$prevstatus355\\\" -> \\\"\$updown355\\\" \" )\r\
    \n\r\
    \n:set prevstatus355 \$status355\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n:global prevstatus371;\r\
    \n:global updown371;\r\
    \n:global status371 [:ip route get value-name=active [:ip route find comme\
    nt=\"371\"]]\r\
    \n\r\
    \n#:log info (\"status371 is \$status371\");\r\
    \n#:log info (\"prevstatus371 is \$prevstatus371\");\r\
    \n\r\
    \n:if ( \"\$status371\" = true ) do={:set updown371 UP} else= {:set updown\
    371 DOWN}\r\
    \n\r\
    \n#:log info (\"updown371 is \$updown371\");\r\
    \n\r\
    \n:if ( \"\$status371\" != \"\$prevstatus371\" ) do={ \r\
    \n\r\
    \n#:log warn \"371 connectivity is now \\\"\$updown371\\\" \";\r\
    \n:tool e-mail send to=email@email.com subject=\"371 Connectivity n\
    ow \\\"\$updown371\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
    stem clock get time ] . \" SENT FROM 212hEX:  371 connectivity changed sta\
    tus from \\\"\$prevstatus371\\\" -> \\\"\$updown371\\\" \" )\r\
    \n\r\
    \n:set prevstatus371 \$status371\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n:global prevstatus255;\r\
    \n:global updown255;\r\
    \n:global status255 [:ip route get value-name=active [:ip route find comme\
    nt=\"255\"]]\r\
    \n\r\
    \n#:log info (\"status255 is \$status255\");\r\
    \n#:log info (\"prevstatus255 is \$prevstatus255\");\r\
    \n\r\
    \n:if ( \"\$status255\" = true ) do={:set updown255 UP} else= {:set updown\
    255 DOWN}\r\
    \n\r\
    \n#:log info (\"updown255 is \$updown255\");\r\
    \n\r\
    \n:if ( \"\$status255\" != \"\$prevstatus255\" ) do={ \r\
    \n\r\
    \n#:log warn \"255 connectivity is now \\\"\$updown255\\\" \";\r\
    \n:tool e-mail send to=email@email.com subject=\"255 Connectivity n\
    ow \\\"\$updown255\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
    stem clock get time ] . \" SENT FROM 212hEX:  255 connectivity changed sta\
    tus from \\\"\$prevstatus255\\\" -> \\\"\$updown255\\\" \" )\r\
    \n\r\
    \n:set prevstatus255 \$status255\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n\r\
    \n:global prevstatus629;\r\
    \n:global updown629;\r\
    \n:global status629 [:ip route get value-name=active [:ip route find comme\
    nt=\"629\"]]\r\
    \n\r\
    \n#:log info (\"status629 is \$status629\");\r\
    \n#:log info (\"prevstatus629 is \$prevstatus629\");\r\
    \n\r\
    \n:if ( \"\$status629\" = true ) do={:set updown629 UP} else= {:set updown\
    629 DOWN}\r\
    \n\r\
    \n#:log info (\"updown629 is \$updown629\");\r\
    \n\r\
    \n:if ( \"\$status629\" != \"\$prevstatus629\" ) do={ \r\
    \n\r\
    \n#:log warn \"629 connectivity is now \\\"\$updown629\\\" \";\r\
    \n:tool e-mail send to=email@email.com subject=\"629 Connectivity n\
    ow \\\"\$updown629\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
    stem clock get time ] . \" SENT FROM 212hEX:  629 connectivity changed sta\
    tus from \\\"\$prevstatus629\\\" -> \\\"\$updown629\\\" \" )\r\
    \n\r\
    \n:set prevstatus629 \$status629\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n\r\
    \n\r\
    \n\r\
    \n:global prevstatus76;\r\
    \n:global updown76;\r\
    \n:global status76 [:ip route get value-name=active [:ip route find commen\
    t=\"76\"]]\r\
    \n\r\
    \n#:log info (\"status76 is \$status76\");\r\
    \n#:log info (\"prevstatus76 is \$prevstatus76\");\r\
    \n\r\
    \n:if ( \"\$status76\" = true ) do={:set updown76 UP} else= {:set updown76\
    \_DOWN}\r\
    \n\r\
    \n#:log info (\"updown76 is \$updown76\");\r\
    \n\r\
    \n:if ( \"\$status76\" != \"\$prevstatus76\" ) do={ \r\
    \n\r\
    \n#:log warn \"629 connectivity is now \\\"\$updown629\\\" \";\r\
    \n:tool e-mail send to=email@email.com subject=\"76 Connectivity no\
    w \\\"\$updown76\\\"\" body=( [ :system clock get date ] . \" \" . [ :syst\
    em clock get time ] . \" SENT FROM 212hEX:  76 connectivity changed status\
    \_from \\\"\$prevstatus76\\\" -> \\\"\$updown76\\\" \" )\r\
    \n\r\
    \n:set prevstatus76 \$status76\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n}\r\
    \n"
add dont-require-permissions=no name=GetIP owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge host\r\
    \n:foreach item in=[find] do={\r\
    \n    :local iface  [get \$item interface]\r\
    \n    :local macadd [get \$item mac-address]\r\
    \n    :local idmac  [/ip arp find where mac-address=\$macadd]\r\
    \n    :if ([:len \$idmac] = 1) do={\r\
    \n        :local ifip [/ip arp get \$idmac address]\r\
    \n        :put   \"interface=\$iface mac=\$macadd ip=\$ifip\"\r\
    \n    }\r\
    \n}"
add dont-require-permissions=no name="New route UP" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global prevstatus355\r\
    \n{\r\
    \n    /ip route\r\
    \n    :local status355 [get [find where comment=\"355\"] active]\r\
    \n    :if (\$status355) do={:set status355 \"UP\"} else={:set status355 \"\
    DOWN\"}\r\
    \n    :log info \"status355 is \$status355 and prevstatus355 is \$prevstat\
    us355\"\r\
    \n    :if (\$status355 != \$prevstatus355) do={ \r\
    \n        :log warning \"355 connectivity is now \$status355\"\r\
    \n        /tool e-mail send to=email@email.com subject=\"355 Connec\
    tivity is now \$status355\" \\\r\
    \n                     body=\"\$[/system clock get date] \$[/system clock \
    get time] 355 connectivity changed status \$prevstatus355 -> \$status355\"\
    \r\
    \n        :set prevstatus355 \$status355\r\
    \n    }\r\
    \n}\r\
    \n"
add dont-require-permissions=no name=export-download owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n\r\
    \n/system\r\
    \n:local cdate [clock get date] \r\
    \n:local yyyy  [:pick \$cdate 0  4]\r\
    \n:local MM    [:pick \$cdate 5  7]\r\
    \n:local dd    [:pick \$cdate 8 10]\r\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\r\
    \n/export show-sensitive file=\"\$identitydate\"\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/\$[\$identitydate].\
    rsc\" dst-path=\"/mikrotik-backups/\$[\$identitydate].rsc\" address=192.16\
    8.2.22 port=21 user=mikrotik password=PASSWORD\r\
    \n\r\
    \n/file remove \"\$identitydate.rsc\""
add dont-require-permissions=yes name=WG-iface-restart owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    foreach i in=[/interface/wireguard/peers/find where disabled=no endpoint-a\
    ddress~\"[a-z]\\\$\"] do={\r\
    \n  :local LastHandshake [/interface/wireguard/peers/get \$i last-handshak\
    e]\r\
    \n\r\
    \n#  :if (([:tostr \$LastHandshake] = \"\") or (\$LastHandshake > [:totime\
    \_\"5m\"])) do={\r\
    \n  \r\
    \n  :if ((\$LastHandshake > [:totime \"5m\"])) do={  \r\
    \n    /interface/wireguard/peers/set \$i endpoint-address=[/interface/wire\
    guard/peers/get \$i endpoint-address]\r\
    \n\r\
    \n   :local endpoint [/interface/wireguard/peers/get \$i endpoint-address]\
    \r\
    \n   :log info \"WG-iface-restart script found WG peer with last handshake\
    \_greater than 5 minutes; then reset the endpoint-address to reload dns of\
    \_endpoint:  \$endpoint\"\r\
    \n\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n"
add dont-require-permissions=no name=IPlist owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Export public IP and mail it\r\
    \n\r\
    \n/ip/address print file=\"212-IP-\$[\$nowdate]\"\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"212-IP-\$[\$nowdate]\
    .txt\" dst-path=\"/mikrotik-backups/212-IP-\$[\$nowdate].txt\" address=192\
    .168.2.22 port=21 user=mikrotik password=PASSWORD\r\
    \n\r\
    \n/file remove \"212-IP-\$[\$nowdate].txt\""
add dont-require-permissions=no name="DHCP to DNS" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_SPDX-License-Identifier: CC0-1.0\
    \n\r\
    \n\r\r\r\r\
    \n\r\
    \n\r\r:local domains [:toarray \"212.local\"]\
    \n\r\
    \n\r\r:local dnsttl \"100m\"\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r:local magiccomment \"automatic-from-dhcp (magic comment)\"\
    \n\r\
    \n\r\r:local activehosts [:toarray \"\"]\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r:foreach lease in [/ip dhcp-server lease find] do={\
    \n\r\
    \n\r\r  :local hostname [/ip dhcp-server lease get value-name=host-name \$\
    lease]\
    \n\r\
    \n\r\r  :local hostaddr [/ip dhcp-server lease get value-name=address \$le\
    ase]\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r  :if ([:len \$hostname] > 0) do={\
    \n\r\
    \n\r\r    :foreach domain in \$domains do={\
    \n\r\
    \n\r\r      :local regdomain \"\$hostname.\$domain\"\
    \n\r\
    \n\r\r      :set activehosts (\$activehosts, \$regdomain)\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r      :if ([:len [/ip dns static find where name=\$regdomain]] = 0) \
    do={\
    \n\r\
    \n\r\r        /ip dns static add name=\$regdomain address=\$hostaddr comme\
    nt=\$magiccomment ttl=\$dnsttl\
    \n\r\
    \n\r\r      } else={\
    \n\r\
    \n\r\r        :if ([:len [/ip dns static find where name=\$regdomain comme\
    nt=\$magiccomment]] = 1) do={\
    \n\r\
    \n\r\r          /ip dns static set address=\$hostaddr [/ip dns static find\
    \_name=\$regdomain comment=\$magiccomment]\
    \n\r\
    \n\r\r        }\
    \n\r\
    \n\r\r      }\
    \n\r\
    \n\r\r    }\
    \n\r\
    \n\r\r  }\
    \n\r\
    \n\r\r}\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r:foreach dnsentry in [/ip dns static find where comment=\$magiccomme\
    nt] do={\
    \n\r\
    \n\r\r  :local hostname [/ip dns static get value-name=name \$dnsentry]\
    \n\r\
    \n\r\r  :if ([:type [:find \$activehosts \$hostname]] = \"nil\") do={\
    \n\r\
    \n\r\r    /ip dns static remove \$dnsentry\
    \n\r\
    \n\r\r  }\
    \n\r\
    \n\r\r}\
    \n\r\
    \n\r\r"
add dont-require-permissions=no name="Comment to DNS" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_SPDX-License-Identifier: CC0-1.0\
    \n\r\
    \n\r\r\r\r\
    \n\r\
    \n\r\r:local domains [:toarray \"212.local\"]\
    \n\r\
    \n\r\r:local dnsttl \"15m\"\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r:local magiccomment \"automatic-from-comment (magic comment)\"\
    \n\r\
    \n\r\r:local activehosts [:toarray \"\"]\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r:foreach lease in [/ip dhcp-server lease find] do={\
    \n\r\
    \n\r\r  :local hostname [/ip dhcp-server lease get value-name=comment \$le\
    ase]\
    \n\r\
    \n\r\r  :local hostaddr [/ip dhcp-server lease get value-name=address \$le\
    ase]\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r  :if ([:len \$hostname] > 0) do={\
    \n\r\
    \n\r\r    :foreach domain in \$domains do={\
    \n\r\
    \n\r\r      :local regdomain \"\$hostname.\$domain\"\
    \n\r\
    \n\r\r      :set activehosts (\$activehosts, \$regdomain)\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r      :if ([:len [/ip dns static find where name=\$regdomain]] = 0) \
    do={\
    \n\r\
    \n\r\r        /ip dns static add name=\$regdomain address=\$hostaddr comme\
    nt=\$magiccomment ttl=\$dnsttl\
    \n\r\
    \n\r\r      } else={\
    \n\r\
    \n\r\r        :if ([:len [/ip dns static find where name=\$regdomain comme\
    nt=\$magiccomment]] = 1) do={\
    \n\r\
    \n\r\r          /ip dns static set address=\$hostaddr [/ip dns static find\
    \_name=\$regdomain comment=\$magiccomment]\
    \n\r\
    \n\r\r        }\
    \n\r\
    \n\r\r      }\
    \n\r\
    \n\r\r    }\
    \n\r\
    \n\r\r  }\
    \n\r\
    \n\r\r}\
    \n\r\
    \n\r\r\
    \n\r\
    \n\r\r:foreach dnsentry in [/ip dns static find where comment=\$magiccomme\
    nt] do={\
    \n\r\
    \n\r\r  :local hostname [/ip dns static get value-name=name \$dnsentry]\
    \n\r\
    \n\r\r  :if ([:type [:find \$activehosts \$hostname]] = \"nil\") do={\
    \n\r\
    \n\r\r    /ip dns static remove \$dnsentry\
    \n\r\
    \n\r\r  }\
    \n\r\
    \n\r\r}\
    \n\r\
    \n\r\r"
add dont-require-permissions=no name="Get dhcp-client gatewat" owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n:local dhcpclientGW  [/ip dhcp-client get [find interface=ether1] gatewa\
    y]\r\
    \n\r\
    \n:log info \$dhcpclientGW\r\
    \n"
add dont-require-permissions=no name=dynamic-data-rextended owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/system\r\
    \n:local identitydate \"\$[identity get name]_\$[clock get date]\"\r\
    \n:local stringexec   \"/system iden print; :put \\\"\\\\r\\\\n\\\"; /ip c\
    loud pri; :put \\\"\\\\r\\\\n\\\";  /ip dhcp-server lease pri det; :put \\\
    \"\\\\r\\\\n\\\"; /int bridge host pri det\"\r\
    \n\r\
    \n:if ([:len [/system package find where name=\"wifiwave2\"]] > 1) do={\r\
    \n    :set stringexec \"\$stringexec; :put \\\"\\\\r\\\\n\\\" /int wifiwav\
    e2 reg pri det\"\r\
    \n} \r\
    \n\r\
    \n:if ([:len [/system package find where name=\"wifiwave2\"]] > 1) do={\r\
    \n    :set stringexec \"\$stringexec; :put \\\"\\\\r\\\\n\\\" /int wireles\
    s reg pri det\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n/file remove [find where name=tmpresults.txt]\r\
    \n:delay 1s\r\
    \n:execute \$stringexec file=tmpresults.txt\r\
    \n:delay 2s\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no address=192.168.2.22 port=21 us\
    er=mikrotik password=PASSWORD \\\r\
    \n    src-path=tmpresults.txt dst-path=\"/mikrotik-backups/\$identitydate-\
    dynamicdata.txt\"\r\
    \n\r\
    \n/file remove [find where name=tmpresults.txt]"
add dont-require-permissions=no name="mqtt to HA" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system script add dont-require-permissions=no name=mqttpublish owner=admin\
    \_policy=\\\r\
    \n    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon sou\
    rce=\"#\\\r\
    \n    \\_Required packages: iot\\r\\\r\
    \n    \\n\\r\\\r\
    \n    \\n################################ Configuration ##################\
    #######\\\r\
    \n    #######\\r\\\r\
    \n    \\n# Name of an existing MQTT broker that should be used for publish\
    ing\\r\\\r\
    \n    \\n:local broker \\\"broker\\\"\\r\\\r\
    \n    \\n\\r\\\r\
    \n    \\n# MQTT topic where the message should be published\\r\\\r\
    \n    \\n:local topic \\\"my/test/topic\\\"\\r\\\r\
    \n    \\n\\r\\\r\
    \n    \\n#################################### System #####################\
    #######\\\r\
    \n    #######\\r\\\r\
    \n    \\n:put (\\\"[*] Gathering system info...\\\")\\r\\\r\
    \n    \\n:local cpuLoad [/system resource get cpu-load]\\r\\\r\
    \n    \\n:local freeMemory [/system resource get free-memory]\\r\\\r\
    \n    \\n:local usedMemory ([/system resource get total-memory] - \\\$free\
    Memory)\\r\\\r\
    \n    \\n:local rosVersion [/system package get value-name=version \\\\\\r\
    \\\r\
    \n    \\n\\A0 \\A0 [/system package find where name ~ \\\"^routeros\\\"]]\
    \\r\\\r\
    \n    \\n:local model [/system routerboard get value-name=model]\\r\\\r\
    \n    \\n:local serialNumber [/system routerboard get value-name=serial-nu\
    mber]\\r\\\r\
    \n    \\n:local upTime [/system resource get uptime]\\r\\\r\
    \n    \\n\\r\\\r\
    \n    \\n#################################### MQTT #######################\
    #######\\\r\
    \n    #######\\r\\\r\
    \n    \\n:local message \\\\\\r\\\r\
    \n    \\n\\A0 \\A0 \\\"{\\\\\\\"model\\\\\\\":\\\\\\\"\\\$model\\\\\\\",\\\
    \\\\r\\\r\
    \n    \\n\\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\\\\\\"sn\\\\\\\":\\\\\\\
    \"\\\$serialNumber\\\\\\\",\\\\\\r\\\r\
    \n    \\n\\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\\\\\\"ros\\\\\\\":\\\\\
    \\\"\\\$rosVersion\\\\\\\",\\\\\\r\\\r\
    \n    \\n\\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\\\\\\"cpu\\\\\\\":\\\$c\
    puLoad,\\\\\\r\\\r\
    \n    \\n\\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\\\\\\"umem\\\\\\\":\\\$\
    usedMemory,\\\\\\r\\\r\
    \n    \\n\\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\\\\\\"fmem\\\\\\\":\\\$\
    freeMemory,\\\\\\r\\\r\
    \n    \\n\\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\A0 \\\\\\\"uptime\\\\\\\":\\\
    \\\\\"\\\$upTime\\\\\\\"}\\\"\\r\\\r\
    \n    \\n\\r\\\r\
    \n    \\n:log info \\\"\\\$message\\\";\\r\\\r\
    \n    \\n:put (\\\"[*] Total message size: \\\$[:len \\\$message] bytes\\\
    \")\\r\\\r\
    \n    \\n:put (\\\"[*] Sending message to MQTT broker...\\\")\\r\\\r\
    \n    \\n/iot mqtt publish broker=\\\$broker topic=\\\$topic message=\\\$m\
    essage\\r\\\r\
    \n    \\n:put (\\\"[*] Done\\\")\""
add dont-require-permissions=no name=mqttpublish owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Required packages: iot\r\
    \n\r\
    \n################################ Configuration #########################\
    #######\r\
    \n# Name of an existing MQTT broker that should be used for publishing\r\
    \n:local broker \"broker\"\r\
    \n\r\
    \n# MQTT topic where the message should be published\r\
    \n:local topic \"my/test/topic\"\r\
    \n\r\
    \n#################################### System ############################\
    #######\r\
    \n:put (\"[*] Gathering system info...\")\r\
    \n:local cpuLoad [/system resource get cpu-load]\r\
    \n:local freeMemory [/system resource get free-memory]\r\
    \n:local usedMemory ([/system resource get total-memory] - \$freeMemory)\r\
    \n:local rosVersion [/system package get value-name=version \\\r\
    \n\A0 \A0 [/system package find where name ~ \"^routeros\"]]\r\
    \n:local model [/system routerboard get value-name=model]\r\
    \n:local serialNumber [/system routerboard get value-name=serial-number]\r\
    \n:local upTime [/system resource get uptime]\r\
    \n\r\
    \n#################################### MQTT ##############################\
    #######\r\
    \n:local message \\\r\
    \n\A0 \A0 \"{\\\"model\\\":\\\"\$model\\\",\\\r\
    \n\A0 \A0 \A0 \A0 \A0 \A0 \A0 \A0 \\\"sn\\\":\\\"\$serialNumber\\\",\\\r\
    \n\A0 \A0 \A0 \A0 \A0 \A0 \A0 \A0 \\\"ros\\\":\\\"\$rosVersion\\\",\\\r\
    \n\A0 \A0 \A0 \A0 \A0 \A0 \A0 \A0 \\\"cpu\\\":\$cpuLoad,\\\r\
    \n\A0 \A0 \A0 \A0 \A0 \A0 \A0 \A0 \\\"umem\\\":\$usedMemory,\\\r\
    \n\A0 \A0 \A0 \A0 \A0 \A0 \A0 \A0 \\\"fmem\\\":\$freeMemory,\\\r\
    \n\A0 \A0 \A0 \A0 \A0 \A0 \A0 \A0 \\\"uptime\\\":\\\"\$upTime\\\"}\"\r\
    \n\r\
    \n:log info \"\$message\";\r\
    \n:put (\"[*] Total message size: \$[:len \$message] bytes\")\r\
    \n:put (\"[*] Sending message to MQTT broker...\")\r\
    \n/iot mqtt publish broker=\$broker topic=\$topic message=\$message\r\
    \n:put (\"[*] Done\")"
add dont-require-permissions=no name="DHCP to DNS -- NEW" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_SPDX-License-Identifier: CC0-1.0\r\
    \n\r\
    \n:local domains [:toarray \"212.local\"]\r\
    \n:local dnsttl \"100m\"\r\
    \n:local magiccomment \"automatic-from-dhcp (magic comment)\"\r\
    \n:local activehosts [:toarray \"\"]\r\
    \n\r\
    \n:foreach lease in [/ip dhcp-server lease find] do={\r\
    \n  :local hostname [/ip dhcp-server lease get value-name=host-name \$leas\
    e]\r\
    \n  :local hostaddr [/ip dhcp-server lease get value-name=address \$lease]\
    \r\
    \n  :local macaddr [/ip dhcp-server lease get value-name=mac-address \$lea\
    se]\r\
    \n\r\
    \n  :if ([:len \$hostname] > 0) do={\r\
    \n\r\
    \n    :foreach domain in \$domains do={\r\
    \n\r\
    \n      :local regdomain \"\$hostname.\$domain\"\r\
    \n      :set activehosts (\$activehosts, \$regdomain)\r\
    \n\r\
    \n      :if ([:len [/ip dns static find where name=\$regdomain]] = 0) do={\
    \r\
    \n        /ip dns static add name=\$regdomain address=\$hostaddr comment=\
    \$magiccomment ttl=\$dnsttl\r\
    \n      } else={\r\
    \n        :if ([/ip dns static find where name=\$regdomain] = \$hostname) \
    | ([/ip dhcp-server lease find where address=\$hostaddr] = \$macaddr) do=(\
    \r\
    \n\t\t  :set regdomain=(\"\$hostname\", \"-1\")       \r\
    \n          :/ip dns static add name=\$regdomain address=\$hostaddr commen\
    t=\$magiccomment ttl=\$dnsttl\r\
    \n        }  \r\
    \n          else={\r\
    \n          /ip dns static add name=\$regdomain address=\$hostaddr comment\
    =\$magiccomment ttl=\$dnsttl\r\
    \n          }\r\
    \n\r\
    \n\r\
    \n        :if ([:len [/ip dns static find where name=\$regdomain comment=\
    \$magiccomment]] = 1) do={\r\
    \n          /ip dns static set address=\$hostaddr [/ip dns static find nam\
    e=\$regdomain comment=\$magiccomment]\r\
    \n        \r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n\r\
    \n\r\
    \n"
add dont-require-permissions=no name=rogue-dhcp owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    ":log warning message=\"Rogue DHCP server detected!\""
add dont-require-permissions=no name=HassioLib_DeviceString owner=admin \
    policy=read source="# Use\r\
    \n# local DeviceString [parse [system/script/get \"HassioLib_DeviceString\
    \" source]]\r\
    \n# \$DeviceString\r\
    \n#\r\
    \nlocal ID\r\
    \nlocal connections\r\
    \nlocal hwversion\r\
    \nlocal LowercaseHex [parse [system/script/get \"HassioLib_LowercaseHex\" \
    source]]\r\
    \n# Get serial\r\
    \nif ([/system/resource/get board-name] != \"CHR\") do={\r\
    \n    set ID (\"\\\"\".[/system/routerboard get serial-number].\"\\\"\");#\
    ID\r\
    \n    set \$hwversion [[:parse \"[system/routerboard/get revision]\"]]\r\
    \n    if ([len \$hwversion] >0) do={\r\
    \n        set \$hwversion (\"\\\"hw_version\\\":\\\"\".\$hwversion.\"\\\",\
    \")\r\
    \n    }\r\
    \n} else={\r\
    \n    set ID (\"\\\"\".[system/license/get system-id ].\"\\\"\")\r\
    \n}\r\
    \n\r\
    \nlocal Name [/system/identity/get name];       #Name\r\
    \nlocal Model [system/resource/get board-name]; #Mode\r\
    \nlocal CSW   [/system/resource/get version ];  #SW\r\
    \nlocal Manu [/system/resource/get platform];   #Manufacturer\r\
    \n\r\
    \n\r\
    \n# Get Ethernet MAC addresses\r\
    \nforeach iface in=[interface/ethernet/find ] do={\r\
    \n    set \$connections (\$connections.\"[\\\"mac\\\",\\\"\".\\\r\
    \n        [\$LowercaseHex input=[/interface/ethernet/get \$iface mac-addre\
    ss]].\\\r\
    \n        \"\\\"],\")\r\
    \n}\r\
    \n\r\
    \n# Get Wi-Fi MAC addresses\r\
    \nif ([len [system/package/find name=\"wifiwave2\"]]  =0 ) do={\r\
    \n    local Action [parse \"local a [interface/wireless/get \\\$1 mac-addr\
    ess];return \\\$a\"]\r\
    \n    foreach iface in=[[parse \"/interface/wireless/ find interface-type!\
    =\\\"virtual\\\"\"]] do={\r\
    \n        set \$connections (\$connections.\"[\\\"mac\\\",\\\"\".\\\r\
    \n            [\$LowercaseHex input=[\$Action \$iface]].\\\r\
    \n            \"\\\"],\")\r\
    \n    }\r\
    \n}\\\r\
    \n# Get Wi-Fi Wave2 MAC Addresses\r\
    \nelse={\r\
    \n    local Action [parse \"local a [/interface/wifiwave2/radio/get \\\$1 \
    radio-mac];return \\\$a\"]\r\
    \n    foreach iface in=[[parse \"/interface/wifiwave2/radio/find\"]] do={\
    \r\
    \n        set \$connections (\$connections.\"[\\\"mac\\\",\\\"\".\\\r\
    \n            [\$LowercaseHex input=[\$Action \$iface]].\\\r\
    \n            \"\\\"],\")\r\
    \n    }\r\
    \n}\r\
    \nset \$connections [pick \$connections -1 ([len \$connections]-1)]; #Remo\
    ve trailing comma\r\
    \n\r\
    \n# Find a reasonable link to WebFig if enabled.\r\
    \nlocal urldomain\r\
    \nlocal ipaddress\r\
    \n\r\
    \nforeach bridge in=[/interface/bridge/find] do={\r\
    \n    foreach AddressIndex in=[ip/address/find where interface=[/interface\
    /bridge/get \$bridge name]] do={\r\
    \n        set ipaddress [/ip/address/get \$AddressIndex address]\r\
    \n        set \$ipaddress [:pick \$ipaddress 0 [:find \$ipaddress \"/\"]]\
    \r\
    \n       foreach UrlIndex in=[/ip/dns/static/ find address=\$ipaddress nam\
    e] do={\r\
    \n            set \$urldomain [/ip/dns/static/ get \$UrlIndex name  ]\r\
    \n        }\r\
    \n    }\r\
    \n}\r\
    \nif ([len \$ipaddress]=0) do={\r\
    \n    foreach addr in=[/ip/address/find] do={\r\
    \n        local TempAddress [/ip/address/get \$addr address]\r\
    \n        set \$TempAddress [:pick \$TempAddress 0 [:find \$TempAddress \"\
    /\"]]\r\
    \n        foreach UrlIndex in=[/ip/dns/static/find address=\$TempAddress] \
    do={\r\
    \n            local TempUrlDomain [ip/dns/static/get \$UrlIndex name]\r\
    \n            if ([len \$TempUrlDomain]>0) do={set \$urldomain \$TempUrlDo\
    main}\r\
    \n        }\r\
    \n    }\r\
    \n}\r\
    \nif ([len \$urldomain]>0) do={set \$ipaddress \$urldomain}\r\
    \n\r\
    \nlocal url\r\
    \nif ([len \$ipaddress] >0) do={\r\
    \n    :if (! [/ip/service/get www-ssl disabled ]) \\\r\
    \n        do={:set \$url \",\\\"cu\\\":\\\"https://\$ipaddress/\\\"\"} \\\
    \r\
    \n    else={if (! [/ip/service/get www disabled]) \\\r\
    \n        do={:set \$url \",\\\"cu\\\":\\\"http://\$ipaddress/\\\"\"}}\r\
    \n}\r\
    \n        #-------------------------------------------------------\r\
    \n        #Build device string\r\
    \n        #-------------------------------------------------------\r\
    \n        local dev \"\\\"dev\\\":{\\\r\
    \n            \\\"ids\\\":[\$ID],\\\r\
    \n            \\\"connections\\\":[\$connections],\\\r\
    \n            \\\"name\\\":\\\"\$Name\\\",\\\r\
    \n            \\\"mdl\\\":\\\"\$Model\\\",\$hwversion\\\r\
    \n            \\\"sw\\\":\\\"\$CSW\\\",\\\r\
    \n            \\\"mf\\\":\\\"\$Manu\\\"\$url}\"\r\
    \n\r\
    \n\r\
    \nreturn \$dev"
add dont-require-permissions=no name=HassioLib_JsonEscape owner=admin policy=\
    read source="# local JsonEscape [parse [system/script/get \"HassioLib_Json\
    Escape\" source]]\
    \n# \$JsonEscape input=\$a4\
    \n#\
    \n#global JsonEscape do= {\
    \n    #:global SearchReplace\
    \n    local SearchReplace [parse [system/script/get \"HassioLib_SearchRepl\
    ace\" source]]\
    \n    :local escchars   {\"\\\\\";\"\\\"\";\"/\";\"\\08\";\"\\0C\";\"\\0A\
    \";\"\\0D\";\"\\09\"};\
    \n    :local escReplace {\"\\\\\\\\\";\"\\\\\\\"\";\"\\\\/\";\"\\\\b\";\"\
    \\\\f\";\"\\\\n\";\"\\\\r\";\"\\\\t\"}\
    \n    foreach k,escchar in=\$escchars do={\
    \n        set \$input [\$SearchReplace input=\$input search=\$escchar repl\
    ace=(\$escReplace->(\$k))]\
    \n    }\
    \n    return \$input\
    \n\
    \n#}"
add dont-require-permissions=no name=HassioLib_JsonPick owner=admin policy=\
    read source="# Use\r\
    \n# local JsonPick [parse [system/script/get \"HassioLib_JsonPick\" source\
    ]]\r\
    \n# \$JsonPick input=\$a2 len=255\r\
    \n#\r\
    \n#global JsonPick do= {\r\
    \n    set \$input [pick \$input -1 \$len]\r\
    \n    local length [len \$input]\r\
    \n    if (([pick \$input (\$length-1)] = \"\\\\\") && ([pick \$input (\$le\
    ngth-2)] != \"\\\\\")) do= {\r\
    \n        set \$input [:pick (\$input) -1 (\$length-1)]\r\
    \n    }\r\
    \n    return \$input\r\
    \n#}"
add dont-require-permissions=no name=HassioLib_LowercaseHex owner=admin \
    policy=read source="# Use\r\
    \n# local LowercaseHex [parse [system/script/get \"HassioLib_LowercaseHex\
    \" source]]\r\
    \n# \$LowercaseHex input=\$a4\r\
    \n#\r\
    \n#global LowercaseHex do= {\r\
    \n    #:global SearchReplace\r\
    \n    local SearchReplace [parse [system/script/get \"HassioLib_SearchRepl\
    ace\" source]]\r\
    \n    :local escchars {\"A\";\"B\";\"C\";\"D\";\"E\";\"F\"}\r\
    \n    :local escReplace {\"a\";\"b\";\"c\";\"d\";\"e\";\"f\"}\r\
    \n    foreach k,escchar in=\$escchars do={\r\
    \n        set \$input [\$SearchReplace input=\$input search=\$escchar repl\
    ace=(\$escReplace->(\$k))]\r\
    \n    }\r\
    \n    return \$input\r\
    \n\r\
    \n#}"
add dont-require-permissions=no name=HassioLib_SearchReplace owner=admin \
    policy=read source="# Use\r\
    \n# local SearchReplace [parse [system/script/get \"HassioLib_SearchReplac\
    e\" source]]\r\
    \n# \$SearchReplace input=\"abc\" search=\"a\" replace=\"b\"\r\
    \n#\r\
    \n#global SearchReplace do= {\r\
    \n    :local out \"\"\r\
    \n    :local index 0\r\
    \n    :local length [:len \$input]\r\
    \n    :local findex\r\
    \n\r\
    \n    set \$findex [find \$input \$search (\$index-1) ]\r\
    \n    while ([len \$findex] != \"0\") do={\r\
    \n        set \$out (\$out.[pick \$input \$index \$findex ].\$replace)\r\
    \n        set \$index (\$findex+[len \$search])\r\
    \n        set \$findex [find \$input \$search (\$index-1) ]\r\
    \n    }\r\
    \n    set \$out (\$out.[pick \$input (\$index) \$length ])\r\
    \n    :return \$out\r\
    \n#}\r\
    \n"
add dont-require-permissions=no name="Hassio Firmware Entity Publish" owner=\
    admin policy=read,test source="if ([len [system/package/find name=\"iot\"]\
    ]=0) do={ ; # If IOT packages is  not installed\r\
    \n    log/error message=\"HassioMQTT: IOT package not installed.\"\r\
    \n} else={\r\
    \n    if ([len [iot/mqtt/brokers/find name=\"Home Assistant\"]]=0) do={ ;#\
    \_If Home assistant broker does not exist\r\
    \n        log/error message=\"HassioMQTT: Broker does not exist.\"\r\
    \n    } else={\r\
    \n        while (![/iot/mqtt/brokers/get [/iot/mqtt/brokers/find name=\"Ho\
    me Assistant\"] connected ]) do={ ;# If Home assistant broker is not conne\
    cted\r\
    \n            log/info message=\"HassioMQTT: Broker not connected reattemp\
    ting connection...\"\r\
    \n            delay 1m; # Wait and attempt reconnect\r\
    \n            iot/mqtt/connect broker=\"Home Assistant\"\r\
    \n        }\r\
    \n\r\
    \n\r\
    \n        local discoverypath \"homeassistant/\"\r\
    \n        local domainpath \"update/\"\r\
    \n\r\
    \n        #-------------------------------------------------------\r\
    \n        #Get variables to build device string\r\
    \n        #-------------------------------------------------------\r\
    \n\r\
    \n        local ID\r\
    \n        if ([/system/resource/get board-name] != \"CHR\") do={\r\
    \n        set ID [/system/routerboard get serial-number];#ID\r\
    \n        } else={\r\
    \n        set ID [system/license/get system-id ]\r\
    \n        }\r\
    \n        #-------------------------------------------------------\r\
    \n        #Build device string\r\
    \n        #-------------------------------------------------------\r\
    \n        local DeviceString [parse [system/script/get \"HassioLib_DeviceS\
    tring\" source]]\r\
    \n        local dev [\$DeviceString]\r\
    \n        local buildconfig do= {\r\
    \n\r\
    \n            #build config for Hassio\r\
    \n            local config \"{\\\"~\\\":\\\"\$discoverypath\$domainpath\$I\
    D/\$name\\\",\\\r\
    \n                \\\"name\\\":\\\"\$name\\\",\\\r\
    \n                \\\"stat_t\\\":\\\"~/state\\\",\\\r\
    \n                \\\"uniq_id\\\":\\\"\$ID_\$name\\\",\\\r\
    \n                \\\"obj_id\\\":\\\"\$ID_\$name\\\",\\\r\
    \n                \$dev\\\r\
    \n            }\"\r\
    \n            /iot/mqtt/publish broker=\"Home Assistant\" message=\$config\
    \_topic=\"\$discoverypath\$domainpath\$ID/\$name/config\" retain=yes      \
    \_       \r\
    \n        }\r\
    \n        #-------------------------------------------------------\r\
    \n        #Handle routerboard firmware for non CHR\r\
    \n        #-------------------------------------------------------\r\
    \n        if ([/system/resource/get board-name] != \"CHR\") do={\r\
    \n            \$buildconfig name=\"RouterBOARD\" ID=\$ID discoverypath=\$d\
    iscoverypath domainpath=\$domainpath dev=\$dev\r\
    \n        }\r\
    \n\r\
    \n        #-------------------------------------------------------\r\
    \n        #Handle RouterOS\r\
    \n        #-------------------------------------------------------\r\
    \n        \$buildconfig name=\"RouterOS\" ID=\$ID discoverypath=\$discover\
    ypath domainpath=\$domainpath dev=\$dev\r\
    \n\r\
    \n        #-------------------------------------------------------\r\
    \n        #Handle LTE interfaces\r\
    \n        #-------------------------------------------------------\r\
    \n        :foreach iface in=[/interface/lte/ find] do={\r\
    \n        local ifacename [/interface/lte get \$iface name]\r\
    \n\r\
    \n        #Get manufacturer and model for LTE interface\r\
    \n        local lte [ [/interface/lte/monitor [/interface/lte get \$iface \
    name] once as-value] manufacturer]\r\
    \n            if (\$lte->\"manufacturer\"=\"\\\"MikroTik\\\"\") do={\r\
    \n                {\r\
    \n                #build config for LTE\r\
    \n                local modemname [:pick (\$lte->\"model\")\\\r\
    \n                    ([:find (\$lte->\"model\") \"\\\"\" -1] +1)\\\r\
    \n                    [:find (\$lte->\"model\") \"\\\"\" [:find (\$lte->\"\
    model\") \"\\\"\" -1]]]\r\
    \n                \$buildconfig name=\$modemname ID=\$ID discoverypath=\$d\
    iscoverypath domainpath=\$domainpath dev=\$dev\r\
    \n                }\r\
    \n            }\r\
    \n        }\r\
    \n    }\r\
    \n}"
add dont-require-permissions=no name="Hassio Firmware State Publish" owner=\
    admin policy=read,write,policy,test source="if ([len [system/package/find \
    name=\"iot\"]]=0) do={ ; # If IOT packages is  not installed\r\
    \n    log/error message=\"HassioMQTT: IOT package not installed.\"\r\
    \n} else={\r\
    \n    if ([len [iot/mqtt/brokers/find name=\"Home Assistant\"]]=0) do={ ;#\
    \_If Home assistant broker does not exist\r\
    \n        log/error message=\"HassioMQTT: Broker does not exist.\"\r\
    \n    } else={\r\
    \n        local Ctr 0\r\
    \n        while ((![/iot/mqtt/brokers/get [/iot/mqtt/brokers/find name=\"H\
    ome Assistant\"] connected ])&&(\$Ctr<12)) do={ ;# If Home assistant broker \
    is not connected\r\
    \n            log/info message=\"HassioMQTT: Broker not connected reattemp\
    ting connection...\"\r\
    \n            delay 1m; # Wait and attempt reconnect\r\
    \n            set \$Ctr (\$Ctr+1)\r\
    \n            iot/mqtt/connect broker=\"Home Assistant\"\r\
    \n        }\r\
    \n        local discoverypath \"homeassistant/\"\r\
    \n        local domainpath \"update/\"\r\
    \n        :global HassioReleaseNote\r\
    \n        #-------------------------------------------------------\r\
    \n        #Get variables to build device string\r\
    \n        #-------------------------------------------------------\r\
    \n        #ID\r\
    \n        local ID\r\
    \n            if ([/system/resource/get board-name] != \"CHR\") do={\r\
    \n        set ID [/system/routerboard get serial-number];#ID\r\
    \n        } else={\r\
    \n            set ID [system/license/get system-id ]\r\
    \n        }\r\
    \n\r\
    \n        local poststate do= {\r\
    \n            if ((typeof \$url)!=nil) do={\r\
    \n            set \$url  \",\\\"release_url\\\":\\\"\$url\\\"\"\r\
    \n            }\r\
    \n\r\
    \n            if ((typeof \$note)!=nil) do={\r\
    \n            set \$note \",\\\"release_summary\\\":\\\"\$note\\\"\"\r\
    \n            }\r\
    \n\r\
    \n            local state \"{\\\"installed_version\\\":\\\"\$cur\\\",\\\r\
    \n                \\\"latest_version\\\":\\\"\$new\\\"\$url\$note}\"\r\
    \n            /iot/mqtt/publish broker=\"Home Assistant\" message=\$state \
    topic=\"\$discoverypath\$domainpath\$ID/\$name/state\" retain=yes\r\
    \n        }\r\
    \n        #-------------------------------------------------------\r\
    \n        #Handle routerboard firmware for non CHR\r\
    \n        #-------------------------------------------------------\r\
    \n        if ([/system/resource/get board-name] != \"CHR\") do={\r\
    \n            #Get routerboard firmware\r\
    \n            local Act [parse \"/system/routerboard/get current-firmware\
    \"]\r\
    \n            local cur [\$Act]\r\
    \n            local Act [parse \"/system/routerboard/get upgrade-firmware\
    \"]\r\
    \n            local new [\$Act]\r\
    \n            #post Routerboard firmware\r\
    \n            \$poststate name=\"RouterBOARD\" cur=\$cur new=\$new ID=\$ID\
    \_discoverypath=\$discoverypath domainpath=\$domainpath\r\
    \n        }\r\
    \n\r\
    \n        #-------------------------------------------------------\r\
    \n        #Handle RouterOS\r\
    \n        #-------------------------------------------------------\r\
    \n        #Get system software\r\
    \n        local versions [/system/package/update/check-for-updates as-valu\
    e ]\r\
    \n\r\
    \n        local cur (\$versions->\"installed-version\")\r\
    \n        local new (\$versions->\"latest-version\")\r\
    \n\r\
    \n        #Get release note:\r\
    \n        if ((\$HassioReleaseNote->\"version\")!=\$new) do={\r\
    \n            #:global HassioReleaseNote\r\
    \n\r\
    \n            :set (\$HassioReleaseNote->\"note\") ([/tool/fetch \"http://\
    upgrade.mikrotik.com/routeros/\$new/CHANGELOG\" output=user as-value]->\"d\
    ata\")\r\
    \n            :set (\$HassioReleaseNote->\"note\") [:pick (\$HassioRelease\
    Note->\"note\") -1 255]\r\
    \n\r\
    \n            #Text must be escaped before posting as JSON!\r\
    \n            local JsonEscape [parse [system/script/get \"HassioLib_JsonE\
    scape\" source]]\r\
    \n            set (\$HassioReleaseNote->\"note\") [\$JsonEscape input=(\$H\
    assioReleaseNote->\"note\")]\r\
    \n\r\
    \n            local JsonPick [parse [system/script/get \"HassioLib_JsonPic\
    k\" source]]\r\
    \n            set (\$HassioReleaseNote->\"note\") [\$JsonPick input=(\$Has\
    sioReleaseNote->\"note\") len=255]\r\
    \n            :set (\$HassioReleaseNote->\"version\") \$new\r\
    \n            /log/debug message=\"HassioMQTT: Release note fetched.\"\r\
    \n        } else={/log/debug message=\"HassioMQTT: Release note already ca\
    ched, not fetched.\"}\r\
    \n\r\
    \n        local urls {development=\"https://mikrotik.com/download/changelo\
    gs/development-release-tree\";\\\r\
    \n            long-term=\"https://mikrotik.com/download/changelogs/long-te\
    rm-release-tree\";\\\r\
    \n            stable=\"https://mikrotik.com/download/changelogs/stable-rel\
    ease-tree\";\\\r\
    \n            testing=\"https://mikrotik.com/download/changelogs/testing-r\
    elease-tree\"}\r\
    \n        set urls (\$urls->[system/package/update/get channel ])\r\
    \n\r\
    \n        \$poststate name=\"RouterOS\" cur=\$cur new=\$new url=\$urls not\
    e=(\$HassioReleaseNote->\"note\") ID=\$ID discoverypath=\$discoverypath do\
    mainpath=\$domainpath\r\
    \n\r\
    \n        #-------------------------------------------------------\r\
    \n        #Handle LTE interfaces\r\
    \n        #-------------------------------------------------------\r\
    \n        :foreach iface in=[/interface/lte/ find] do={\r\
    \n        local ifacename [/interface/lte get \$iface name]\r\
    \n\r\
    \n        #Get manufacturer and model for LTE interface\r\
    \n        local lte [ [/interface/lte/monitor [/interface/lte get \$iface \
    name] once as-value] manufacturer]\r\
    \n            if (\$lte->\"manufacturer\"=\"\\\"MikroTik\\\"\") do={\r\
    \n                {\r\
    \n                #build config for LTE\r\
    \n                local modemname [:pick (\$lte->\"model\")\\\r\
    \n                    ([:find (\$lte->\"model\") \"\\\"\" -1] +1)\\\r\
    \n                    [:find (\$lte->\"model\") \"\\\"\" [:find (\$lte->\"\
    model\") \"\\\"\" -1]]]\r\
    \n\r\
    \n                #Get firmware version for LTE interface\r\
    \n                local Firmware [/interface/lte firmware-upgrade [/interf\
    ace/lte get \$iface name] once as-value ]\r\
    \n                local cur (\$Firmware->\"installed\")\r\
    \n                local new (\$Firmware->\"latest\")\r\
    \n\r\
    \n                \$poststate name=\$modemname cur=\$cur new=\$new ID=\$ID\
    \_discoverypath=\$discoverypath domainpath=\$domainpath\r\
    \n                }\r\
    \n            }\r\
    \n        }\r\
    \n    }\r\
    \n}"
add dont-require-permissions=no name=HassioSensorHealthEntityPublish owner=\
    admin policy=read,test source="if ([len [system/package/find name=\"iot\"]\
    ]=0) do={ ; # If IOT packages is  not installed\r\
    \n    log/error message=\"HassioMQTT: IOT package not installed.\"\r\
    \n} else={\r\
    \n    if ([len [iot/mqtt/brokers/find name=\"Home Assistant\"]]=0) do={ ;#\
    \_If Home assistant broker does not exist\r\
    \n        log/error message=\"HassioMQTT: Broker does not exist.\"\r\
    \n    } else={\r\
    \n        while (![/iot/mqtt/brokers/get [/iot/mqtt/brokers/find name=\"Ho\
    me Assistant\"] connected ]) do={ ;# If Home assistant broker is not conne\
    cted\r\
    \n            log/info message=\"HassioMQTT: Broker not connected reattemp\
    ting connection...\"\r\
    \n            delay 1m; # Wait and attempt reconnect\r\
    \n            iot/mqtt/connect broker=\"Home Assistant\"\r\
    \n        }\r\
    \n\r\
    \n        local discoverypath \"homeassistant/\"\r\
    \n        local domainpath \"sensor/\"\r\
    \n\r\
    \n        #-------------------------------------------------------\r\
    \n        #Get variables to build device string\r\
    \n        #-------------------------------------------------------\r\
    \n\r\
    \n        local ID [/system/routerboard get serial-number];#ID\r\
    \n\r\
    \n        #-------------------------------------------------------\r\
    \n        #Build device string\r\
    \n        #-------------------------------------------------------\r\
    \n        local DeviceString [parse [system/script/get \"HassioLib_DeviceS\
    tring\" source]]\r\
    \n        local dev [\$DeviceString]\r\
    \n        local buildconfig do= {\r\
    \n            local SearchReplace [parse [system/script/get \"HassioLib_Se\
    archReplace\" source]]\r\
    \n            local jsonname (\"x\".[\$SearchReplace input=\$name search=\
    \"-\" replace=\"_\"])\r\
    \n\r\
    \n            #build config for Hassio\r\
    \n            local config \"{\\\"name\\\":\\\"\$name\\\",\\\r\
    \n                \\\"stat_t\\\":\\\"\$discoverypath\$domainpath\$ID/state\
    \\\",\\\r\
    \n                \\\"uniq_id\\\":\\\"\$ID_\$name\\\",\\\r\
    \n                \\\"obj_id\\\":\\\"\$ID_\$name\\\",\\\r\
    \n                \\\"suggested_display_precision\\\": 1,\\\r\
    \n                \\\"unit_of_measurement\\\": \\\"\$unit\\\",\\\r\
    \n                \\\"value_template\\\": \\\"{{ value_json.\$jsonname }}\
    \\\",\\\r\
    \n                \\\"expire_after\\\":70,\\\r\
    \n                \$dev\\\r\
    \n            }\"\r\
    \n            /iot/mqtt/publish broker=\"Home Assistant\" message=\$config\
    \_topic=\"\$discoverypath\$domainpath\$ID/\$name/config\" retain=yes      \
    \_       \r\
    \n        }\r\
    \n        foreach sensor in=[/system/health/find] do={\r\
    \n            local name [/system/health/get \$sensor name];#name\r\
    \n            local unit [/system/health/get \$sensor type];#unit\r\
    \n            if (\$unit=\"C\") do={set \$unit \"\\C2\\B0\\43\"}\r\
    \n            \$buildconfig name=\$name unit=\$unit ID=\$ID discoverypath=\
    \$discoverypath domainpath=\$domainpath dev=\$dev\r\
    \n        }\r\
    \n    }\r\
    \n}"
add dont-require-permissions=no name=HassioSensorHealthStatePublish owner=\
    admin policy=read,write,test source="if ([len [system/package/find name=\"\
    iot\"]]=0) do={ ; # If IOT packages is  not installed\r\
    \n    log/error message=\"HassioMQTT: IOT package not installed.\"\r\
    \n} else={\r\
    \n    if ([len [iot/mqtt/brokers/find name=\"Home Assistant\"]]=0) do={ ;#\
    \_If Home assistant broker does not exist\r\
    \n        log/error message=\"HassioMQTT: Broker does not exist.\"\r\
    \n    } else={\r\
    \n        local discoverypath \"homeassistant/\"\r\
    \n        local domainpath \"sensor/\"\r\
    \n\r\
    \n        #-------------------------------------------------------\r\
    \n        #Get variables to build device string\r\
    \n        #-------------------------------------------------------\r\
    \n        #ID\r\
    \n        local ID [/system/routerboard get serial-number] \r\
    \n\r\
    \n        local string \"{\"\r\
    \n        local SearchReplace [parse [system/script/get \"HassioLib_Search\
    Replace\" source]]\r\
    \n        foreach sensor in=[/system/health/find] do={\r\
    \n            set \$string ((\$string).(\"\\\"\").\\\r\
    \n                (\"x\").([\$SearchReplace input=[/system/health/get \$se\
    nsor name] search=\"-\" replace=\"_\"]).(\"\\\":\").\\\r\
    \n                ([/system/health/get \$sensor value]).(\",\"))\r\
    \n        }\r\
    \n        set \$string ([pick \$string -1 ([len \$string ]-1)].\"}\")\r\
    \n        \r\
    \n        /iot/mqtt/publish broker=\"Home Assistant\" message=\$string top\
    ic=\"\$discoverypath\$domainpath\$ID/state\" retain=no   \r\
    \n    }\r\
    \n}"
add dont-require-permissions=no name=HassioSensorPoeEntityPublish owner=admin \
    policy=read,test source="if ([len [system/package/find name=\"iot\"]]=0) d\
    o={ ; # If IOT packages is  not installed\
    \n    log/error message=\"HassioMQTT: IOT package not installed.\"\
    \n} else={\
    \n    if ([len [iot/mqtt/brokers/find name=\"Home Assistant\"]]=0) do={ ;#\
    \_If Home assistant broker does not exist\
    \n        log/error message=\"HassioMQTT: Broker does not exist.\"\
    \n    } else={\
    \n        while (![/iot/mqtt/brokers/get [/iot/mqtt/brokers/find name=\"Ho\
    me Assistant\"] connected ]) do={ ;# If Home assistant broker is not conne\
    cted\
    \n            log/info message=\"HassioMQTT: Broker not connected reattemp\
    ting connection...\"\
    \n            delay 1m; # Wait and attempt reconnect\
    \n            iot/mqtt/connect broker=\"Home Assistant\"\
    \n        }\
    \n\
    \n        local discoverypath \"homeassistant/\"\
    \n        local domainpath \"sensor/\"\
    \n\
    \n        #-------------------------------------------------------\
    \n        #Get variables to build device string\
    \n        #-------------------------------------------------------\
    \n\
    \n        local ID [/system/routerboard get serial-number];#ID\
    \n        #-------------------------------------------------------\
    \n        #Build device string\
    \n        #-------------------------------------------------------\
    \n        local DeviceString [parse [system/script/get \"HassioLib_DeviceS\
    tring\" source]]\
    \n        local dev [\$DeviceString]\
    \n        local buildconfig do= {\
    \n            local SearchReplace [parse [system/script/get \"HassioLib_Se\
    archReplace\" source]]\
    \n            local jsonname (\"x\".[\$SearchReplace input=\$name search=\
    \"-\" replace=\"_\"])\
    \n\
    \n            #build config for Hassio\
    \n            local config (\"{\\\"name\\\":\\\"\$name\".\" POE\".\"\\\",\
    \\\
    \n                \\\"stat_t\\\":\\\"\$discoverypath\$domainpath\$ID/state\
    \$NamePostfix\\\",\\\
    \n                \\\"uniq_id\\\":\\\"\$ID_\$name\$NamePostfix\\\",\\\
    \n                \\\"obj_id\\\":\\\"\$ID_\$name\$NamePostfix\\\",\\\
    \n                \\\"suggested_display_precision\\\": 1,\\\
    \n                \\\"unit_of_measurement\\\": \\\"\$unit\\\",\\\
    \n                \\\"value_template\\\": \\\"{{ value_json.\$jsonname | i\
    s_defined}}\\\",\\\
    \n                \\\"expire_after\\\":70,\\\
    \n                \$dev\\\
    \n            }\")\
    \n            /iot/mqtt/publish broker=\"Home Assistant\" message=\$config\
    \_topic=(\"\$discoverypath\$domainpath\$ID/\$name\$NamePostfix/config\") r\
    etain=yes        \
    \n        }\
    \n        foreach sensor in=[/interface/ethernet/poe/find] do={\
    \n            local name [/interface/ethernet/poe/get \$sensor name];#name\
    \n            \$buildconfig name=(\$name) unit=W NamePostfix=\"_poe\" ID=\
    \$ID discoverypath=\$discoverypath domainpath=\$domainpath dev=\$dev\
    \n        }\
    \n    }\
    \n}"
add dont-require-permissions=no name=HassioSensorPoeStatePublish owner=admin \
    policy=read,test source="local discoverypath \"homeassistant/\"\
    \nlocal domainpath \"sensor/\"\
    \nlocal ID [/system/routerboard get serial-number] \
    \n\
    \nlocal Out \"{\"\
    \n\
    \nforeach iface in=[/interface/ethernet/poe/ find] do={\
    \n    local InterfaceName [/interface/ethernet/poe/get \$iface name]\
    \n    local InterfaceValue [interface/ethernet/poe/monitor \$iface once as\
    -value ]\
    \n    if ([:len (\$InterfaceValue->\"poe-out-current\")]=0) do={set (\$Int\
    erfaceValue->\"poe-out-current\") 0}\
    \n    set \$Out (\$Out.\"\\\"x\$InterfaceName\\\":\".\\\
    \n    [([:tonum [(\$InterfaceValue->\"poe-out-current\")]]/10) ].\\\
    \n    \".\".\\\
    \n    ([:tonum [(\$InterfaceValue->\"poe-out-current\")]]%10).\\\
    \n    \",\")\
    \n}\
    \nset \$Out ([pick \$Out -1 ([len \$Out]-1)].\"}\")\
    \n/iot/mqtt/publish broker=\"Home Assistant\" message=\$Out topic=\"\$disc\
    overypath\$domainpath\$ID/state_poe\" retain=no"
add dont-require-permissions=no name=DHCP-LEASE-TEST2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system\r\
    \n:local identitydate \"\$[identity get name]_\$[clock get date]\"\r\
    \n\r\
    \n\r\
    \n:foreach i in=[/ip dhcp-server lease find] do={\r\
    \n:put ([get \$i comment].\",\".[get \$i address].\",\".[get \$i mac-addre\
    ss].\",\".[get \$i host-name])\r\
    \n\r\
    \nfile=\"test1.txt\"\r\
    \n}"
add dont-require-permissions=no name=dhcpleasesftp owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/file remove [find where name=temp3.txt]\r\
    \n\r\
    \n/system\r\
    \n\r\
    \n:local identitydate \"\$[identity get name]\"\r\
    \n\r\
    \n:local stringexec \"/ip dhcp-server lease; :foreach i in=[find] do={ :pu\
    t ([get \\\$i address].\\\",\\\".[get \\\$i comment].\\\",\\\",[get \\\$i \
    mac-address].\\\",\\\".[get \\\$i host-name]  ) }\"\r\
    \n\r\
    \n\r\
    \n:execute \$stringexec file=temp3\r\
    \n\r\
    \n:delay 60\r\
    \n\r\
    \n/tool fetch address=192.168.2.22 port=21 user=mikrotik password=PASSWORD\
    \_src-path=temp3.txt mode=ftp dst-path=\"/mikrotik-backups/\$identitydate-\
    leases.txt\" upload=yes ascii=no\r\
    \n\r\
    \n\r\
    \n\r\
    \n\r\
    \n"
add dont-require-permissions=no name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n/file remove [find where name=temp2.txt]\r\
    \n\r\
    \n/system\r\
    \n\r\
    \n:local identitydate \"\$[identity get name]_\$[clock get date]\"\r\
    \n\r\
    \n:local stringexec \"/ip dhcp-server lease; :foreach i in=[find] do={ :pu\
    t ([get \\\$i address].\\\",\\\".[get \\\$i comment].\\\",\\\",[get \\\$i \
    mac-address].\\\",\\\".[get\r\
    \n \\\$i host-name]  ) }\"\r\
    \n\r\
    \n\r\
    \n:execute \$stringexec file=temp2.txt\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no address=192.168.2.22 port=21 us\
    er=mikrotik password=PASSWORD src-path=\"temp2.txt\" dst-path=\"/mikrotik-\
    backups/\$identitydate-leases.txt\"\r\
    \n\r\
    \n\r\
    \n\r\
    \n\r\
    \n\r\
    \n"
add dont-require-permissions=yes name=WG-iface-restart-log-lasthandshake \
    owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    foreach i in=[/interface/wireguard/peers/find where disabled=no endpoint-a\
    ddress~\"[a-z]\\\$\"] do={\r\
    \n  :local LastHandshake [/interface/wireguard/peers/get \$i last-handshak\
    e]\r\
    \n\r\
    \n#  :if (([:tostr \$LastHandshake] = \"\") or (\$LastHandshake > [:totime\
    \_\"2m\"])) do={\r\
    \n\r\
    \n  :if ((\$LastHandshake > [:totime \"2m\"])) do={\r\
    \n\r\
    \n#  :local lasthandshaketime [:totime]\r\
    \n  :local endpoint [/interface/wireguard/peers/get \$i endpoint-address]\
    \r\
    \n\r\
    \n  :log info \"WG-iface-restart-log-lasthandshake script found WG peer wi\
    th last handshake greater than 2 minutes: \$endpoint \$LastHandshake\"\r\
    \n    \r\
    \n#    /interface/wireguard/peers/set \$i endpoint-address=[/interface/wir\
    eguard/peers/get \$i endpoint-address]\r\
    \n\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n"
/system ups
add name=ups1 port=usbhid1
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set authenticate=no
/tool e-mail
set from=email@email.com password=PASSWORD port=587 server=\
    smtp.gmail.com tls=starttls user=email@email.com
/tool graphing interface
add interface=bridge
add interface=bridge
add
add interface=bridge
add interface=bridge
add
/tool graphing queue
add
add
/tool graphing resource
add
add
/tool mac-server
set allowed-interface-list=MANAGE
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
/tool netwatch
add comment=212 disabled=yes down-script="" host=10.10.100.1 http-codes="" \
    test-script="" type=simple up-script=""
add comment=371 disabled=yes down-script="" host=10.10.100.40 http-codes="" \
    test-script="" type=simple up-script=""
add comment=355 disabled=yes down-script="" host=10.10.100.3 http-codes="" \
    test-script="" type=simple up-script=""
add comment=255 disabled=yes down-script="" host=10.10.100.4 http-codes="" \
    test-script="" type=simple up-script=""
add disabled=yes down-script="" host=10.10.100.5 http-codes="" test-script="" \
    type=simple up-script=""
add comment=LAPTOP disabled=yes down-script="" host=10.10.100.8 http-codes="" \
    test-script="" type=simple up-script=""
add comment=iPhone disabled=yes down-script="" host=10.10.100.9 http-codes="" \
    test-script="" type=simple up-script=""
add comment=212 disabled=yes down-script="" host=192.168.2.2 http-codes="" \
    test-script="" type=simple up-script=""
add comment=371 disabled=yes down-script="" host=192.168.88.1 http-codes="" \
    interval=5s test-script="" type=simple up-script=""
add comment=629 disabled=yes down-script="" host=192.168.20.1 http-codes="" \
    interval=5s test-script="" type=simple up-script=""
add comment=76 disabled=yes down-script="" host=192.168.30.2 http-codes="" \
    interval=5s test-script="" type=simple up-script=""
add comment=LAPTOP disabled=yes down-script="" host=10.10.100.8 http-codes="" \
    test-script="" type=simple up-script=""
add comment=iPhone disabled=yes down-script="" host=10.10.100.9 http-codes="" \
    test-script="" type=simple up-script=""
add comment=355 disabled=yes down-script="" host=192.168.0.11 http-codes="" \
    interval=5s test-script="" type=simple up-script=""
add comment=255 disabled=yes down-script="" host=192.168.1.2 http-codes="" \
    interval=5s test-script="" type=simple up-script=""
add comment=LAPTOP disabled=yes down-script="" host=10.10.100.201 http-codes=\
    "" test-script="" type=simple up-script=""
add disabled=yes down-script=":local thisBox [/system identity get name];\r\
    \n\r\
    \n:tool e-mail send to=email@email.com subject=\"\$thisBox DOWN\" b\
    ody=( [ :system clock get date ] . \" \" . [ :system clock get time ] . \"\
    \$thisBox DOWN to 8.8.8.8\" )" host=8.8.8.8 http-codes="" interval=5s \
    test-script="" type=simple up-script=":local thisBox [/system identity get\
    \_name];\r\
    \n\r\
    \n:tool e-mail send to=email@email.com subject=\"\$thisBox UP\" bod\
    y=( [ :system clock get date ] . \" \" . [ :system clock get time ] . \"\$\
    thisBox UP to 8.8.8.8\" )"
add disabled=no down-script=":local thisBox [/system identity get name];\r\
    \n\r\
    \n:tool e-mail send to=email@email.com subject=\"\$thisBox DOWN\" b\
    ody=( [ :system clock get date ] . \" \" . [ :system clock get time ] . \"\
    \$thisBox DOWN to 96.250.224.1)" host=96.250.224.1 http-codes="" \
    interval=30m test-script="" type=simple up-script=":local thisBox [/system\
    \_identity get name];\r\
    \n\r\
    \n:tool e-mail send to=email@email.com subject=\"\$thisBox UP body=\
    ( [ :system clock get date ] . \" \" . [ :system clock get time ] . \"\$th\
    isBox UP to 96.250.224.1\" )"
/tool romon
set enabled=yes
/tool sniffer
set file-limit=10000KiB filter-mac-address=\
    18:FD:74:38:81:2E/FF:FF:FF:FF:FF:FF memory-limit=10000KiB \
    streaming-server=192.168.2.22
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1
add disabled=yes interface=ether3 name=tmon2 traffic=received trigger=always
 
neki
Member Candidate
Member Candidate
Posts: 216
Joined: Thu Sep 07, 2023 10:20 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 12:27 am

Little bit off topic, but you may want to check Mikrotik Router integration... ;)
 
Josephny
Long time Member
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 1:07 am

I've played with the Mikrotik Home Assistant integration a while ago, but RouterOS's upgrade broke it.

https://github.com/tomaae/homeassistant ... issues/328
 
holvoetn
Forum Guru
Forum Guru
Posts: 6320
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Where's my bottleneck?

Sun Mar 24, 2024 11:24 am

Had a quick look at both configs.

How are both devices connected to each other ? From AX3 port x to RB5009 port y ?? What's x, what's y ?

AX3
A bit of a mixed bag of several things.
A second bridge which is not used.
Interfaces lists which are not used.
Quite a lot of access list entries on wifi: you're that paranoid ? Anyone not belonging to your network, should not get its password. All the rest should be on a SEPARATE network (vlan) so they have no access to your main network.
Even settings for non-existing interface:
add bridge=bridge interface=*A internal-path-cost=10 path-cost=10
Wifi settings: a bit of comments but not touching that now. First get the ethernet part ok as it should be.

How do you want to use that device ? As pure access point ?
I might suggest to reset to default config, test how it works and then gradually modify and add your things again leaving out what's not needed.
Test after each step again. Where it "breaks" again, you know you did something wrong.

RB5009:
similar comment.
Also there is an interface which does not exist anymore:
add interface=*B list=MANAGE
This comes back in NAT and route rules. Clean up.

Quite a bit of fixed leases (not my preference)
What's with all the schedules, netwatches and scripts ??
 
User avatar
robmaltsystems
Long time Member
Long time Member
Posts: 693
Joined: Fri Jun 21, 2019 12:04 pm

Re: Where's my bottleneck?

Sun Mar 24, 2024 12:38 pm

I might suggest to reset to default config, test how it works and then gradually modify and add your things again leaving out what's not needed.
Test after each step again. Where it "breaks" again, you know you did something wrong.
This sounds like a sensible suggestion, esp. as you can back up the configurations first and then restore if you need the current working config.
 
Josephny
Long time Member
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 12:56 pm

As always, thank you so very much!

AX3:

The AX3 is used exclusively as (1) a wifi AP and (2) a switch.

ether1 on the AX3 is connected to the RB5009 port 4.

ether3 and ether4 to a tv set top box

The second bridge called "Guest-Bridge" is disabled and hasn't been enabled in a very long time. I don't remember exactly, but I suspect it was just me playing around.

Interface lists are indeed not used.

I use the access list entries on wifi to be able to add comments to know at a glance what devices are connected. Not at all paranoid (I could probably do well with a little more concern for security).

I can't explain the "interface=*A" with certainty. I see it in Winbox: It shows up in BRIDGE | PORTS as #8 with INTERFACE named "unknown." I assume it was from me playing around.

RB5009:

I see the "interface=*B" in INTERFACE LIST. Interestingly, in winbox, in the table of interface lists, it shows MANAGE and unknown, but when I open that entry in the list, it shows:
List: MANAGE
Interface: ether1

The fixed DHCP leases are also a way to readily identify the connected clients.

The schedules/scripts are mostly me being curious, and wanting to preserve information about connections and usage. There's also a backup script (export-download) so I don't cry when a MT is lost (;-)

Do you see something in the AX3's wifi setting or the 5009's NAT and/or rules that could explain a performance problem?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6320
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Where's my bottleneck?

Sun Mar 24, 2024 12:59 pm

Not yet.
As said, I am first focusing on the ethernet part since that should work at around 950Mbps.
Since you already have a lower reported speed there, it means there is another issue between AX3/RB5009, not looking yet at wifi.

Can you try to export config (binary and export) and reset that AX3 to default ?
What happens then with iperf testing only using cable ?

PS for wifi, 2 things already:
1- 5Ghz, use 20/40/80 channel width. Similarly on 2Ghz, use 20/40 width.
2- don't use auto frequency. CHOOSE your frequency based on frequency scan of the environment so you can take a free range or best case the range with the least interference.
 
Josephny
Long time Member
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 1:16 pm

Good -- makes perfect sense to focus on the wired connection between the ax3 and 5009.

I will need to set aside time to focus and remain calm for the process of resetting the AX3. (Things like this tend to take 4 times longer and be 8 times as frustrating as they should.)

In the meantime, I ran a frequency-scan in my RF-congested location with the following results:

2.4ghz
# 2024-03-24 07:08:51 by RouterOS 7.14
# software id = 5NRD-V1QF
#
Flags: P - PRIMARY; S - SECONDARY
Columns: CHANNEL, NETWORKS, LOAD, NF, MAX-SIGNAL, MIN-SIGNAL
   CHANNEL  NETWORKS  LOAD  NF   MAX-SIGNAL  MIN-SIGNAL
P     2412        22  54%   -85  -51         -85       
PS    2417         6  25%   -90  -74         -75       
      2422            33%   -90                        
P     2427         2  31%   -92  -77         -83       
PS    2432         4  31%   -85  -76         -82       
PS    2437        33  44%   -87  -41         -83       
P     2442         2  24%   -89  -66         -75       
P     2447         6  27%   -91  -80         -84       
P     2452         3  47%   -91  -68         -81       
P     2457         2  13%   -90  -80         -82       
P     2462        16  62%   -93  -67         -86       

5ghz:
# 2024-03-24 07:14:49 by RouterOS 7.14
# software id = 5NRD-V1QF
#
Flags: P - PRIMARY; S - SECONDARY
Columns: CHANNEL, NETWORKS, LOAD, NF, MAX-SIGNAL, MIN-SIGNAL
   CHANNEL  NETWORKS  LOAD  NF   MAX-SIGNAL  MIN-SIGNAL
P     5180        11  9%    -95  -49         -88       
PS    5200         1  1%    -95  -78         -78       
PS    5220         8  9%    -95  -62         -88       
PS    5240        13  5%    -95  -61         -88       
      5260                  -96                        
      5280                  -96                        
 S    5300                  -96                        
P     5320         1        -95  -86         -86       
      5500                  -95                        
      5520                  -95                        
      5540            1%    -95                        
      5560                  -94                        
 S    5580                  -94                        
P     5600         6  1%    -94  -52         -67       
      5620            1%    -94                        
      5640                  -93                        
P     5660         3  1%    -93  -69         -87       
 S    5680            1%    -93                        
P     5700         2  1%    -93  -84         -85       
 S    5720                  -93                        
PS    5745         5  3%    -93  -79         -86       
PS    5765         3  1%    -92  -75         -84       
PS    5785         4  2%    -92  -67         -76       
PS    5805         6  2%    -92  -77         -82       
      5825                  -92                        
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12649
Joined: Thu Mar 03, 2016 10:23 pm

Re: Where's my bottleneck?

Sun Mar 24, 2024 3:15 pm

2.4ghz
Scan shows that neighbours are well educated and mostly operate in the 1-6-11 pattern. You should stick to it as well; channel 11 (2462MHz) seems slightly less loaded. And don't try to use a 40MHz channel: the 2.4GHz band (outside deserted areas) simply doesn't have enough bandwidth. Channel utilization also means that you should not expect to see maximum performance.


5ghz:
As expected this band is less crowded. And neighbours use the most attractive channels (channel 36 in 80MHz wide configuration). Channel 52 (5260MHz) is almost empty so I guess you should take it as quickly as possible (it allows high Tx power without DFS or TPC burden).
 
Josephny
Long time Member
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 3:31 pm

Thank you for the great analysis.

I try not to use 2.4 for anything other than IoT devices, so my interest is almost entirely in the 5ghz band.

When I enter 5250 as the frequency, I get the red message at the bottom of the INTERFACE <wifi1> box that says "no supported channels"

I've played around with individual frequencies and ranges. Most of what I tried does not work (by "work" I mean it does not result in the error).

I found one that works: 5735-5895
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12649
Joined: Thu Mar 03, 2016 10:23 pm

Re: Where's my bottleneck?

Sun Mar 24, 2024 3:32 pm

You can't "invent" frequency settings ... so go for 5260.

Frequency setting in MT is center frequency of control channel (so if setting frequency to 5260, set band to Ceee).
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12649
Joined: Thu Mar 03, 2016 10:23 pm

Re: Where's my bottleneck?

Sun Mar 24, 2024 3:35 pm

I found one that works: 5735-5895

Beware that these high channels are a recent addition and not all station devices support them.
 
Josephny
Long time Member
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 3:55 pm

Band options include:
A
A/N
AC
AX

Width options are:
20/40/80Mhz
20/40Mhz
20/40Mhz Ce
20/40Mhz eC
20Mhz

Entering 5260 with AX and 20/40/80Mhz results in "no supported channels"
 
Josephny
Long time Member
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 3:56 pm

Using wifi-qcom 7.14
 
holvoetn
Forum Guru
Forum Guru
Posts: 6320
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Where's my bottleneck?

Sun Mar 24, 2024 3:58 pm

And US as country ?
Odd ...
 
Josephny
Long time Member
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 4:06 pm

Yes, US.

BTW, I just installed and ran inSSIDer and this is what my wifi environment looks like:
Screenshot 2024-03-24 100423.png
 
holvoetn
Forum Guru
Forum Guru
Posts: 6320
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Where's my bottleneck?

Sun Mar 24, 2024 5:09 pm

And you're sure you used as band 5GHz AX, not 2GHz by accident ?

Please repost wifi part of config.
 
Josephny
Long time Member
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 5:14 pm

I have been playing around with frequencies.

I found the following that do not result in an error:

5240-5320
5560-5895
5735-5895
5765
5220

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5560-5895 \
    .skip-dfs-channels=all .width=20/40/80mhz configuration.country=\
    "United States" .mode=ap .ssid=Upstairs5g-0F0493 disabled=no \
    security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=all \
    .width=20mhz configuration.country="United States" .mode=ap .ssid=\
    Upstairs-2G-0F0494 disabled=no security.authentication-types=wpa2-psk
add configuration.mode=ap .ssid=2point4 disabled=no mac-address=4A:A9:8A:0F:04:93 \
    master-interface=wifi2 mtu=1500 name=Guest212 security.authentication-types=\
    wpa2-psk,wpa3-psk
 
holvoetn
Forum Guru
Forum Guru
Posts: 6320
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Where's my bottleneck?

Sun Mar 24, 2024 5:16 pm

frequency=5560-5895
5260 only. Nothing else.

For 80Mhz channels:
5180
5260
5500
5580
5660
5745
5825
(last 2 may pose problems for older clients)

PS looks like we are moving focus away from the underlying interconnectivity problem between AX3 and RB5009 ...
 
Josephny
Long time Member
Long time Member
Topic Author
Posts: 699
Joined: Tue Sep 20, 2022 12:11 am

Re: Where's my bottleneck?

Sun Mar 24, 2024 5:32 pm

The following work:
5180
5745

The following result in the "no supported channels" error:
5260
5500
5580
5660
5825

Problem is that 5180 is already busy

5745 is less busy than 5180, but still not empty.

Yes, this is not addressing the wired throughput problem. Not ready to wipe the device clean and start again just yet.
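The channel comparison worked through by hand in the posts above can be scripted. The following is an added example, not code from any poster or from MikroTik: it parses the 5 GHz frequency-scan table posted earlier, groups the 20 MHz rows into 80 MHz blocks using the control frequencies listed in the thread, and ranks the blocks. It assumes each block is the control channel plus the three channels above it (the "Ceee" layout mentioned above) and uses summed LOAD and NETWORKS as a rough busyness score; both function names are hypothetical.

```python
"""Rank 80 MHz blocks from a RouterOS wifi frequency-scan table."""

# 5 GHz scan rows copied from the post above (comment lines omitted).
SCAN_5GHZ = """\
   CHANNEL  NETWORKS  LOAD  NF   MAX-SIGNAL  MIN-SIGNAL
P     5180        11  9%    -95  -49         -88
PS    5200         1  1%    -95  -78         -78
PS    5220         8  9%    -95  -62         -88
PS    5240        13  5%    -95  -61         -88
      5260                  -96
      5280                  -96
 S    5300                  -96
P     5320         1        -95  -86         -86
      5500                  -95
      5520                  -95
      5540            1%    -95
      5560                  -94
 S    5580                  -94
P     5600         6  1%    -94  -52         -67
      5620            1%    -94
      5640                  -93
P     5660         3  1%    -93  -69         -87
 S    5680            1%    -93
P     5700         2  1%    -93  -84         -85
 S    5720                  -93
PS    5745         5  3%    -93  -79         -86
PS    5765         3  1%    -92  -75         -84
PS    5785         4  2%    -92  -67         -76
PS    5805         6  2%    -92  -77         -82
      5825                  -92
"""

# Control frequencies for 80 MHz channels, as listed in the thread.
BLOCK_STARTS = [5180, 5260, 5500, 5580, 5660, 5745, 5825]

# Frequencies the poster reported the AX3 accepted without an error.
ACCEPTED = {5180, 5745}


def parse_scan(text):
    """Return {frequency: {"networks": n, "load": pct}} for each scan row.

    Blank NETWORKS/LOAD cells are read as 0. Cells are told apart by shape
    (bare integer = networks, trailing % = load, negative = dBm values), so
    the parse does not depend on exact column alignment.
    """
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("P", "S", "PS"):
            tokens = tokens[1:]                    # drop the flag column
        if not tokens or not (tokens[0].isdigit() and len(tokens[0]) == 4):
            continue                               # header or comment line
        networks = load = 0
        for tok in tokens[1:]:
            if tok.endswith("%"):
                load = int(tok[:-1])
            elif tok.isdigit():
                networks = int(tok)
        rows[int(tokens[0])] = {"networks": networks, "load": load}
    return rows


def rank_blocks(rows, starts=BLOCK_STARTS, allowed=None):
    """Rank 80 MHz blocks, quietest first; partly scanned blocks go last."""
    blocks = []
    for start in starts:
        if allowed is not None and start not in allowed:
            continue
        # Assumption: control channel is the lowest 20 MHz slice (Ceee).
        seen = [rows[f] for f in range(start, start + 80, 20) if f in rows]
        blocks.append({
            "frequency": start,
            "networks": sum(r["networks"] for r in seen),
            "load": sum(r["load"] for r in seen),
            "unscanned": 4 - len(seen),
        })
    blocks.sort(key=lambda b: (b["unscanned"] > 0, b["load"], b["networks"]))
    return blocks


if __name__ == "__main__":
    scan = parse_scan(SCAN_5GHZ)
    for title, allowed in (("all blocks", None), ("accepted by AX3", ACCEPTED)):
        print(title)
        for b in rank_blocks(scan, allowed=allowed):
            print("  {frequency}: load {load}%, {networks} networks, "
                  "{unscanned} unscanned".format(**b))
```

The score ignores signal strength, DFS behaviour and transmit-power limits, so treat the ranking as a starting point for the manual judgement made in the thread.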

