toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 12:34 pm

hi,
I use a CRS328 with current software as CAPSMAN.
I have 3 antennas (2x cAPGi-5HaxD2HaxD and 1x RBwAPG-5HacD2HnD) and a (hopefully) suitable configuration.
At least I have 3 sets of configuration that differ regarding the available bands per accesspoint:
* 1 config for 5AX (which is only provisioned to the cAPGi's)
* 1 config for 5A for the RBwAPG
* 1 config for 2G for all
* 1 config for 2N for all
They all provide the SSIDs and security for the different devices I have.
For example the MEROSS devices that work 2 weeks with G, then they work 2 weeks with N, sometimes they prefer 5A, it's a mess with this crap, but with this solution, to provide the SSID+security on all wifi technologies, they run well so far. So, I need this config.
My airconditioner needs other settings, so there's another config just for it.
The rest of my kitchen devices like 2 ovens, dishwasher etc... have also shown advanced stability with the different wifi technologies and settings... while they were happy with N for a long time. All of a sudden they wanted G, so now they can choose...
For my laptop, ipads, iphones etc. I use the 5AX indoor. The RBw provides 5A for outdoor.
In summary I am happy with the config, but I cannot get wifi6 running with appropriate speed.
My network card in the desktop PC is a wifi6 compatible card and connects with wifi6, but only with 360 Mbps.
My 2 newest ipads have wifi6, speedtest doesn't go over around 100 Mbps download, though my internet connection provides 150 (via cable, so: stable, it's a business account and so it's not a shared speed. With wired computers I get 150 down, stable and constantly). So it's wifi that slows my desktop down.
The question is now, why am I not able to get more than 360 Mbps between the desktop-pc and the antenna?
They are 5m away from each other.
During speedtest there is no more traffic in my network.
I cannot exclude more, and I would think that my construction should be able to deliver more than 360 Mbps.

Thank you for assisting me, this is my current config:
# 2024-10-23 11:32:44 by RouterOS 7.16.1
# software id = WZPE-N3D7
#
# model = CRS328-24P-4S+
# serial number = ***
/interface wifi channel
add band=2ghz-g disabled=no name=2.G.20/40 width=20mhz
add band=5ghz-n disabled=no name=5.A/N.20 width=20/40mhz-Ce
add band=5ghz-a disabled=no name=5.A
add band=2ghz-n disabled=no name=2.N.20/40 skip-dfs-channels=all width=20/40/80+80mhz
add band=5ghz-ax disabled=no name=5.AX
add band=2ghz-ax disabled=no name=2.AX
add band=5ghz-ax disabled=yes name=5.G.AX width=20/40/80mhz
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=R403-Clients wps=push-button
add authentication-types=wpa2-psk disabled=no name=R403-Heimautomatisierung
add authentication-types=wpa2-psk disabled=no name=R403-AC
/interface wifi configuration
add channel=5.A/N.20 country=Austria datapath=datapath1 disabled=no mode=ap name=Config:5A security=R403-Clients ssid=R403
add channel=2.G.20/40 country=Austria disabled=no mode=ap name=Config:2G security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=2.N.20/40 country=Austria datapath=datapath1 disabled=no mode=ap name=Config:2N security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=2.AX country=Austria datapath=datapath1 disabled=yes mode=ap name=Config:2.AX security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=2.G.20/40 country=Austria datapath=datapath1 disabled=no mode=ap name=Config.AC security=R403-AC ssid=R403.AC
add channel=5.AX country=Austria datapath=datapath1 disabled=no mode=ap name=R403-5G-AX security=R403-Clients ssid=R403-5G-AX
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G radio-mac=C4:AD:34:58:8A:AC slave-configurations=Config.AC,Config:2N
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G radio-mac=D4:01:C3:04:F4:01 slave-configurations=Config.AC,Config:2N
add action=create-dynamic-enabled disabled=no master-configuration=R403-5G-AX radio-mac=D4:01:C3:94:99:A1
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G radio-mac=D4:01:C3:94:99:A2 slave-configurations=Config.AC,Config:2N
add action=create-dynamic-enabled disabled=no master-configuration=Config:5A radio-mac=D4:01:C3:04:F4:02
add action=create-dynamic-enabled disabled=no master-configuration=Config:5A radio-mac=C4:AD:34:58:8A:AD
add action=create-dynamic-enabled disabled=no master-configuration=R403-5G-AX radio-mac=D4:01:C3:97:B1:06
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G radio-mac=D4:01:C3:97:B1:07 slave-configurations=Config.AC,Config:2N
 
erlinden
Forum Guru
Posts: 2494
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 12:46 pm

Just a couple of remarks that can be improved on your config:
  • Use 20MHz bandwidth on the 2.4GHz radios
  • Set fixed frequencies on all radios (and make them non-overlapping)
  • When not setting band, it will use the newest supported standard: "Frequency band and wireless standard that will be used by the AP. Defaults to newest supported standard." Makes no sense to set it explicitly.
In regards to your question: what wireless interface is used in the desktop-pc? What are the TX and RX rates? And signal strength?
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 1:06 pm

as soon as I set fixed frequencies (e.g. those that are currently being used), I get the answer that these frequencies are not operational.
How am I supposed to understand that I should set fixed frequencies on all radio devices? Do I have to set the frequency on each access point?
I have to set the band for each configuration because the automatic system is not able to use the available bands and assign them automatically.
I would prefer it if I only had to set the SSID and security and each radio device would automatically send what is possible on all available bands.
But unfortunately that doesn't work.
The card used in the PC is Intel(R) Wi-Fi 6E AX210 160MHz
Last edited by toolongformt on Wed Oct 23, 2024 2:03 pm, edited 1 time in total.
 
erlinden
Forum Guru
Posts: 2494
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 1:18 pm

Channel can be set on the configuration, when selecting the corresponding radio (through its MAC address) it will be set. If it shows incorrect frequency, it shows that you are assigning incorrect frequency to that radio (i.e. a 2.4GHz frequency to a 5GHz radio or vice versa).

Auto is not that bad, unfortunately it is not as advanced (on startup all radios might be on the same frequency). A way to handle this is by using reselect-interval. Then periodically the radios will check best channel option (and avoid interference).

Still waiting for the rates to get insights on the underperforming connection.
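
The checks raised in the thread so far, as an added example that is not part of any poster's message and not MikroTik tooling: a small Python linter that parses a RouterOS `export` and flags 2.4 GHz channels wider than 20 MHz, a listed frequency that does not belong to the channel's band, and three security-relevant settings present in the opening post's export (`wps=push-button`, PSK profiles with no WPA3 type, `require-peer-certificate=no`). The sample lines come from that export except the entry named `constructed-mismatch`, which is constructed; the function and finding names are hypothetical.

```python
import re
import shlex

# Sample input: lines from the export in the opening post, plus one constructed
# channel entry (name=constructed-mismatch) to show a band/frequency mismatch.
EXPORT = r'''
/interface wifi channel
add band=2ghz-g disabled=no name=2.G.20/40 width=20mhz
add band=2ghz-n disabled=no name=2.N.20/40 skip-dfs-channels=all width=20/40/80+80mhz
add band=5ghz-ax disabled=no name=5.AX
add band=5ghz-ax disabled=no frequency=2437,5500 name=constructed-mismatch
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=R403-Clients wps=push-button
add authentication-types=wpa2-psk disabled=no name=R403-Heimautomatisierung
add authentication-types=wpa2-psk disabled=no name=R403-AC
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=no \
    upgrade-policy=suggest-same-version
'''


def parse_export(text):
    """Return [(menu, action, {key: value})] from RouterOS export text."""
    # Exports wrap long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    entries, menu = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or export header comment
        if line.startswith("/"):
            menu = line                   # e.g. "/interface wifi channel"
            continue
        tokens = shlex.split(line)        # honours quotes: country="United States"
        props = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                props[key] = value
        entries.append((menu, tokens[0], props))
    return entries


def freq_to_channel(mhz):
    """Map a centre frequency in MHz to (band, channel number), else None."""
    if mhz == 2484:
        return ("2ghz", 14)
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return ("2ghz", (mhz - 2407) // 5)
    if 5160 <= mhz <= 5885 and mhz % 5 == 0:
        return ("5ghz", (mhz - 5000) // 5)
    return None


def audit(entries):
    """Return sorted (finding, object name) pairs; names are hypothetical."""
    findings = set()
    for menu, _action, p in entries:
        name = p.get("name", menu)
        if menu == "/interface wifi channel":
            band = p.get("band", "")[:4]  # "2ghz", "5ghz" or "" when unset
            # An unset width is left alone; only an explicit wide width is flagged.
            if band == "2ghz" and p.get("width", "20mhz") != "20mhz":
                findings.add(("2ghz-width-over-20mhz", name))
            for f in p.get("frequency", "").split(","):
                hit = freq_to_channel(int(f)) if f.isdigit() else None
                if band and hit and hit[0] != band:
                    findings.add((f"frequency-{f}-not-in-{band}", name))
        elif menu == "/interface wifi security":
            auth = [a for a in p.get("authentication-types", "").split(",") if a]
            if p.get("wps") == "push-button":
                findings.add(("wps-push-button-enabled", name))
            if auth and not any(a.startswith("wpa3") for a in auth):
                findings.add(("no-wpa3-auth-type", name))
        elif menu == "/interface wifi capsman":
            if p.get("require-peer-certificate") == "no":
                findings.add(("capsman-accepts-caps-without-certificate", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding, obj in audit(parse_export(EXPORT)):
        print(f"{finding:45} {obj}")
```

A `no-wpa3-auth-type` finding is informational: devices that only support WPA2 are a reason to keep them on their own SSID and passphrase, as the export already does.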
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 1:32 pm

well, the channels are not even accepted as soon as I set them.
The access point apparently cannot do 80+80 or 80/160, for example.
I always have to leave a lot of things blank, because as soon as I set what is selected automatically, I get the message that there are no available channels or frequencies.

I still don't understand which device I should set the channel on? On the CAPSMAN or on the access point?
I also don't know the frequencies that I could set. The channel does show numbers that look like frequencies, but it says channel there.
For example, 5500/ax/Ceee.
The column with the frequency is empty, so all my access points are transmitting without frequencies (if I can believe the CAPSMAN).

On the PC I get a net of around 20-50 MBit (bit!!) per second when I transfer data to a local NAS (which delivers a net of 0.6GBit/s -> 50MB/s).

I got the information from another thread (viewtopic.php?t=199864) that it makes sense to use channel 36 with 5180 MHz.

I've now set that up. Speed test on the iPhone around 10-20 MBit/s in download (instead of 150), and the connection breaks off every time when uploading.

I can't give a rate at the moment...
Last edited by toolongformt on Wed Oct 23, 2024 2:01 pm, edited 1 time in total.
 
erlinden
Forum Guru
Posts: 2494
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 1:49 pm

Can you please translate your responses to English? I now have to use Google Translate.

Just use 20/40/80MHz as bandwidth (for 5GHz radios), they won't do more.
Just use 20MHz bandwidth for 2.4GHz radios, the spectrum is already overcrowded.
All configuration should be done on the CAPsMAN (that's why it is called a manager).
See on (i.e.) Wikipedia which channel corresponds with which frequency:
https://en.wikipedia.org/wiki/List_of_W ... /ac/ax/be)
In CAPsMAN you can see multiple columns showing frequencies, make sure the correct column is selected
Network speed is shown in Mbps, please use it correctly.

Configuring is not as simple as customer grade devices, you have to be very precise.
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 2:00 pm

Can you please translate your responses to English? I now have to use Google Translate.

Just use 20/40/80MHz as bandwidth (for 5GHz radios), they won't do more.
Just use 20MHz bandwidth for 2.4GHz radios, the spectrum is already overcrowded.
All configuration should be done on the CAPsMAN (that's why it is called a manager).
See on (i.e.) Wikipedia which channel corresponds with which frequency:
https://en.wikipedia.org/wiki/List_of_W ... /ac/ax/be)
In CAPsMAN you can see multiple columns showing frequencies, make sure the correct column is selected
Network speed is shown in Mbps, please use it correctly.

Configuring is not as simple as customer grade devices, you have to be very precise.
I had already used 20/40/80 - that is the configuration which provides me with "no performance".
For 2,4 GHz: as in the config shown, I already restricted to 20MHz, cause everything else lets my shitty MEROSS devices cry and they lose connections...
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 2:03 pm

Can you please translate your responses to English? I now have to use Google Translate.
sorry, I thought that google uses the automatic translator ... ok, it's google...
I have translated by hand and republished my comment in english.
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 2:18 pm

Channel can be set on the configuration
in the CAPSMAN configuration when I select "channel", I have the list of my channel-configurations.
In my channel-configs I can set Band and Channel Width, but no channel.
I can only set a frequency.
When I have to choose everything myself, I could take out the config for the country, right?
When I look up Wikipedia and set a channel / frequency that should fit, I reduce my available speed. Now I am at 8 megabits per second.
Btw, what was wrong with my netspeed? You mentioned I should use it correctly...
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 2:24 pm

oh, I just see, I cannot use those accesspoints in austria.
Only 5,470–5,725 MHz are allowed.
As soon as I use one of them, the accesspoints say "no supported channels".
I played around and set to just use 5720. This works with mikrotik, but neither the pc nor the IOS devices see wifi.

Well, this seems like the end of my journey... I can send those accesspoint to the recycler - now that I finally know that I bought something illegal.
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 2:47 pm

next test... I switched from AX to AC with the same settings. Now, instead of 8 Mbps, I get at least 30 Mbps. (Wow, that's insane... hopefully the HP Z230 can handle that :D)
But only with this network card in the desktop pc. iPhone makes 47 down and 4 Mbps up.
When I deactivate AC mode in the network adapter, I can connect to AC wifi.
I repeat: When I "DE-activate" **AC** mode in the network adapter, I can connect to AC (and only AC!) wifi.
Should I be proud of being able to do the impossible?
No, but I tell you why this works. It's because when I set the accesspoints to make AC, they don't make AC, they make A. Only A. And all my devices connect with A.

Is there a translation table for this? What do I have to set when I want 5 GHz AC. 2,4 G? Or 6 GHz N?
At least that would explain why all my devices don't work out of the box, when I set wifi to what the vendor tells me.
They say 802.11n, I set it to 802.11n and nothing works. As soon as I switch to 802.11a and 5ghz, the 2.4 n-devices work. And other things like that...
So, where can I find the translation table? Thanks!
 
neki
Member Candidate
Posts: 216
Joined: Thu Sep 07, 2023 10:20 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 4:45 pm

Why do you have so many channels?
R403-AC is for air conditioner or AC as wifi5 standard?
Why do you have provisioning for each individual MAC?
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 6:05 pm

Why do you have so many channels?
R403-AC is for air conditioner or AC as wifi5 standard?
Why do you have provisioning for each individual MAC?
R403.AC is for AirConditioner. Should be R403-AC, but the airconditioner doesn't work with wifis that include a "-"
And the mass of different SSIDs with their channels is to provide:
- all devices (notebook, iphones younger and older, 2 different wifi document scanner, macbook, 2 different imacs with older and newer wifi capabilities, 2 oven + 1 dishwasher + 1 stove + 1 hotplate from Bosch)
- under all conditions (indoor, outdoor (only the mobile devices, not the stove ;) ) -> different type of accesspoint (depending on the distance) -> because mikrotik is not able to provide the same technology for indoor+outdoor)
Some devices don't work with "." in ssid and/or password (the meross devices were already configured when I got the AC. I didn't want to reconfigure this meross crap, cause every device takes about 1 hour until it works. Yes, it's the crappiest bullshit on earth... Meross, Bosch and Toshiba need different settings for wifi)
Some devices don't work with g mode
Some devices don't work with n mode
Some devices don't work with 5 GHz, others are too slow in 2,4
MikroTik's 2,4 GHz N is limited to 36 MBit on all accesspoints, so it's useless for a phone/ipad
And the meross-shits chose their capabilities 10 times per month, as I already wrote before (changing between N and G). They are not stable, and after every update they have to be reset to discover the same wifi again, so this wifi has a very simple password.
But at least meross can see online when I open the window...!

Provisioning for every single accesspoint is because they don't fit together and have completely different technologies.
Some can A in 5 G, some can N and G in 2.4 G, some can A, some can AX, some can AC, but not all find suitable channels in 5 GHz ...
A simple config with N in 2.4 and 5 G should be possible, but it isn't. All my (currently online) and all currently offline accesspoints should do that, but this config lets 5 of 5 devices fail with "no channel".
This is most likely because mikrotik lets the 5ghz antennas get 2,4ghz config and vice versa. Therefore I chose to give every antenna its own provisioning.
A kind of filter "let all 5ghz devices get 5ghz config" doesn't work either.

Yes, that's the fun I have...
 
neki
Member Candidate
Posts: 216
Joined: Thu Sep 07, 2023 10:20 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 7:29 pm

A kind of filter "let all 5ghz devices get 5ghz config" doesn't work either.
Why? What is it doing then? ...this config is a mess and should be simplified
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 8:14 pm

A kind of filter "let all 5ghz devices get 5ghz config" doesn't work either.
Why? What is it doing then? ...this config is a mess and should be simplified
2ghz antennas get 5ghz config and vice versa
 
neki
Member Candidate
Posts: 216
Joined: Thu Sep 07, 2023 10:20 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 8:36 pm

Do you have export from that time? Are you willing to try it again?
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 9:04 pm

Do you have export from that time? Are you willing to try it again?
please see initial post...
what would you simplify?
 
neki
Member Candidate
Posts: 216
Joined: Thu Sep 07, 2023 10:20 am

Re: bst configuration with capsman for 2 different accesspoints

Wed Oct 23, 2024 10:20 pm

It seems that you are convinced that your observations are 100% correct, just watch out for tunnel vision.....

/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=no frequency=5180,5220,5745,5785 name=channel-5G width=20/40mhz-Ce

/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
add authentication-types=wpa2-psk disabled=no name=security-AC

/interface wifi configuration
add channel=channel-5G country="United States" disabled=no mode=ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403IoT
add channel=channel-2G country="United States" disabled=no mode=ap name=config-AC-2G security=security-AC ssid=R403AC

/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-ax slave-configurations=config-IoT-2G,config-AC-2G
add action=create-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ac
add action=create-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-n slave-configurations=config-IoT-2G,config-AC-2G
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 10:27 am

/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=no frequency=5180,5220,5745,5785 name=channel-5G width=20/40mhz-Ce

/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
add authentication-types=wpa2-psk disabled=no name=security-AC

/interface wifi configuration
add channel=channel-5G country="United States" disabled=no mode=ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403IoT
add channel=channel-2G country="United States" disabled=no mode=ap name=config-AC-2G security=security-AC ssid=R403AC

/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-ax slave-configurations=config-IoT-2G,config-AC-2G
add action=create-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ac
add action=create-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-n slave-configurations=config-IoT-2G,config-AC-2G
Hi, thank you for this proposal. It won't work, I can tell you.
I already was at this point during the development of my "mess". Just had different ssid-names.
It will have 2 effects: a lot of antennas won't work and say, that they have no channel, and the rest will result in IoT-devices from Meross that won't connect.
You use US as country, I must use Austria. This may result in other frequencies that are allowed, and may result in reduced tx/rx power. E.g. 5745,5785 - they are only allowed for short range distance in Europe. When I use it, I have to reduce to 25mW. Up to 5640 I may use 50mW.

When I change my config now, I will have to reset all Meross devices, all other IoT devices, this will take up to 10 weeks until I can say if everything works fine without any bigger loss (Meross tends to just forget that they are able to connect to g, sometimes they forget that they are able to connect to n,... so this will be another hard time of tests and not working automations... puh...)
And if that won't work, I will re-import the current config and the 10 weeks begin from start... This is the main reason why I am not amused to change those things, but I will give it a try...
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 1:03 pm

48mbps (when I believe the system control) with 802.11ax in 2.4g at the desktop pc - not helpful, because it's even worse.
Speedtest result is 5,5mbps

speedtest on iphone and ipads stops in the middle because of "connection lost"
IoT things react slowly or not at all. I used the same SSID so I don't have to reprogram all devices. It's not new, it's not better. I just could reprogram them...
And the newer model of my 2 Bosch ovens doesn't connect at all, but that seemed to be solved with another complete reset (I am used to it).
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 7:09 pm

I give up. The more I do, the slower everything gets.
And the worst thing is, I cannot go back, because every step back to like it was before, makes it even worse.
Meanwhile I am at 1 mbps up and down, with all devices.
It's enough to get 3 mails per day, but I don't want to lose that, too.
For iphone and ipads I will buy those cable network adaptors.
And the meross stuff doesn't work anymore, but ok, I have the mechanical switches to replace everything.
Ovens and dishwasher...? pfff, don't need them in wifi.

Was a /nice/ journey, but (again) a very bad experience with mikrotik. Could go back to my Cisco devices, at least they provided 1,3gbps, which resulted in nearly 80 mBps on this desktop computer.
 
erlinden
Forum Guru
Posts: 2494
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 7:32 pm

Too bad it isn't working for you. Unfortunately, MikroTik is not the right tool for everyone.
I would really have liked to get you a working environment, the hardware is more than capable.

Especially the code @neki provided should have given you a working environment.
Apart from the fact that US has to be changed to Austria (and use corresponding frequencies), something like:
/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=no frequency=5180,5260,5500,5660 name=channel-5G width=20/40/80mhz

/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1

/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
add authentication-types=wpa2-psk disabled=no name=security-AC

/interface wifi configuration
add channel=channel-5G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403IoT
add channel=channel-2G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-AC-2G security=security-AC ssid=R403AC

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-ax slave-configurations=config-IoT-2G,config-AC-2G
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-n slave-configurations=config-IoT-2G,config-AC-2G
If you remove all wifi settings you have and replace it with the above, no errors should be shown and you should have a working wireless network.

Feel free to give it another try and please post all relevant info on any update:
- used config
- RX and TX rates (to get insights on the connection of the wireless devices)
 
neki
Member Candidate
Posts: 216
Joined: Thu Sep 07, 2023 10:20 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 7:38 pm

You use US as country, I must use Austria.
If there are police officers running around with antennas hunting casual home owners with misconfigured wifi routers then you are right :)

SSIDs were just meaningless proposal, you were talking about allowed and disallowed characters in it....

Anyway, you should narrow down your issue, so pick one CAP and disable the remaining two. Also post config exports, whole configs, for both devices. (make three new lines between code blocks)
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 7:53 pm

You use US as country, I must use Austria.
If there are police officers running around with antennas hunting casual home owners with misconfigured wifi routers then you are right :)

SSIDs were just meaningless proposal, you were talking about allowed and disallowed characters in it....

Anyway, you should narrow down your issue, so pick one CAP and disable the remaining two. Also post config exports, whole configs, for both devices. (make three new lines between code blocks)
yes, in Austria there are checks and you get charged.
But that's not a problem for the config, I searched for the valid frequency. It's just 2 that are allowed and running in combination with the 20MHz.
All other allowed frequencies are just not working with the accesspoints and 20MHz.

I just checked how much influence a smaller distance between AP and PC has. I get 32 mbps with 3m between.

I have a budget of 600 euro to put myself into a plane and search for an implementation with the same accesspoints and a gigabit speed... mikrotik says there's more possible, but 1.000 mbps are enough. Where can I see that live?
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 8:17 pm

Feel free to give it another try and please post all relevant info on any update:
- used config
- RX and TX rates (to get insights on the connection of the wireless devices)
If only copy-paste would work... But I have to type my current config down into the notepad (as backup).
Then I have to type in your config after cleanup. And if that doesn't end in a running config (what I expect), I have to type in my own config again...
 
neki
Member Candidate
Posts: 216
Joined: Thu Sep 07, 2023 10:20 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 8:31 pm

Do you know that you can export to file? You don't need to type anything.... (except for the export command)

Use
export file=anynameyouwish
Then download the created file and that's it. You can then open that .rsc file in notepad.

I'm now really wondering about another important thing: How exactly are you testing the speed?
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 8:33 pm

this config makes all wifis end in "no ssid set".
great!
Too bad it isn't working for you. Unfortunately, MikroTik is not the right tool for everyone.
I would really have liked to get you a working environment, the hardware is more than capable.

Especially the code @neki provided should have given you a working environment.
Apart from the fact that US has to be changed to Austria (and use corresponding frequencies), something like:
/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=no frequency=5180,5260,5500,5660 name=channel-5G width=20/40/80mhz

/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1

/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
add authentication-types=wpa2-psk disabled=no name=security-AC

/interface wifi configuration
add channel=channel-5G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403IoT
add channel=channel-2G country="Austria"  datapath=datapath1 disabled=no mode=ap name=config-AC-2G security=security-AC ssid=R403AC

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-ax slave-configurations=config-IoT-2G,config-AC-2G
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=config-clients-2G supported-bands=2ghz-n slave-configurations=config-IoT-2G,config-AC-2G
If you remove all wifi settings you have and replace it with the above, no errors should be shown and you should have a working wireless network.

Feel free to give it another try and please post all relevant info on any update:
- used config
- RX and TX rates (to get insights on the connection of the wireless devices)
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 8:35 pm

Do you know that you can export to file? You don't need to type anything.... (except for the export command)

Use
export file=anynameyouwish
Then download the created file and that's it. You can then open that .rsc file in notepad.

I'm now really wondering about another important thing: How exactly are you testing the speed?
I know how to export the complete config, but in this case I just need to copy / paste the relevant part.
I have an ssh session now. That proves, that the winbox-builtin terminal is also NOT READY!!
Copy-paste in ssh is done. As I wrote, erlinden's config made a bunch of "no ssid set", and my complete wifi went down.
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 8:38 pm

I replaced dynamic enabled by "create enabled".
I thought that this should be clear already, that "dynamic" never worked...
I have some wifis in grey now... As I said at the beginning, such simple provisionings don't work at all...
 
neki
Member Candidate
Posts: 216
Joined: Thu Sep 07, 2023 10:20 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 8:42 pm

Hint: It's common for terminals that you must use CTRL+SHIFT+C instead of CTRL+C


Difference in create-enabled and create-dynamic-enabled is that create-enabled allows you to manually change settings of created interfaces. You can completely ignore that for now.
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 8:47 pm

I'm now really wondering about another important thing: How exactly are you testing the speed?
on iphone and ipad with the app "rtr netztest". That's a brilliant app from the Austrian regulatory authority.
on windows:
1. website netztest.at
2. website www.speedtest.net
3. transmitting files in my local network from my local server which all deliver more than 1Gbps. Tested with 5GB ISO files. No jumbo-packets, only standard. Including the accesspoints there are 2 devices between pc and server (2nd is a HP Aruba 2530 switch). Servers are connected with 2-cable lb/failover. With cable I get the full 128MBps. With wifi only 300-500 kBps.
4. no test, just what windows says in wifi connection (win11, the new user interface that shows information about the wifi connection, it says "transmit speed xxx/yyy (Mbps)"). Mostly far beneath 100. Sometimes only 6 to 11 Mbps with ax in 5ghz. With ax in 2,4ghz I get around 229/229, but it drops to under 10 under speedtest load.

With the current config of erlinden I get 229/229 in the new ux, only 24 mbps in the old interface (control -> network...), and speedtest.net says 3mbps down, 6 up.
Last edited by toolongformt on Thu Oct 24, 2024 8:56 pm, edited 2 times in total.
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 8:50 pm

Hint: It's common for terminals that you must use CTRL+SHIFT+C instead of CTRL+C


Difference in create-enabled and create-dynamic-enabled is that create-enabled allows you to manually change settings of created interfaces. You can completely ignore that for now.
sorry, no, I cannot ignore that, because with dynamic I get "no ssid set" on all wifis

CTRL+SHIFT+C instead of CTRL+C
and paste? It's not ctrl+shift+v, that makes it worse ;)
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 9:16 pm

if I should mention that my iot things are all disconnected now...?
They don't work with the 3 channels that erlinden told me to configure.

The more we do, the more we can see that my config "overall" did the best of all worlds.
Nothing so far improved anything...
ipads disconnect during speedtest (always!)
pc flaps connected/disconnected
iot things are all disconnected

as soon as I deactivated your proposals and reactivated my configs, everything connected back again.
and the desktop connects to wifi 5ax with at least 320mbit up and down.
It's not what I call "performance", because under the same circumstances I got over 850Mbps with Cisco wap371 ap's, but it's enough to do my homeoffice work without a cable.
 
erlinden
Forum Guru
Posts: 2494
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 9:41 pm

Either you want to be helped...or not.

Provide all configs for all involved devices (I would expect four configs) and follow instructions afterwards by the letter. Again the hardware is capable, but it requires proper config. And from the error message you provided it is clear that your current config is messed up.
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 10:38 pm

Either you want to be helped...or not.

Provide all configs for all involved devices (I would expect four configs) and follow instructions afterwards by the letter. Again the hardware is capable, but it requires proper config. And from the error message you provided it is clear that your current config is messed up.
and why do I get 3mbps with provided configs and 350 with mine?
all accesspoints are simply out of the box and configured for capsman.
I already provided the config for the capsman controller... there's nothing more that would tell you more about the config, but I can post this stuff...
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 10:44 pm

[admin@SW.OG.1] > export
# 2024-10-24 21:41:47 by RouterOS 7.16.1
# software id = WZPE-N3D7
#
# model = CRS328-24P-4S+
# serial number = HD508BTMHMH
/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5180 name=Ch36_20M
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=Ch1 skip-dfs-channels=yes
/interface bridge
add admin-mac=18:FD:74:A8:66:F9 auto-mac=no comment=defconf name=BRIDGE1 \
    port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether01 poe-out=off
set [ find default-name=ether2 ] name=ether02
set [ find default-name=ether3 ] name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06
set [ find default-name=ether7 ] name=ether07
set [ find default-name=ether8 ] name=ether08
set [ find default-name=ether9 ] name=ether09
set [ find default-name=ether24 ] advertise=1G-baseT-half,1G-baseT-full \
    poe-out=off
/interface vlan
add interface=BRIDGE1 name=VLAN1-R403-intern vlan-id=1
add interface=ether01 name=VLAN2-R403-Heimautomatisierung vlan-id=1
add interface=ether17 name=gast vlan-id=1
/interface bonding
add name=Bond-MacPro slaves=ether07,ether08
/caps-man datapath
add bridge=BRIDGE1 client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath1
/caps-man rates
add basic=6Mbps name="GN Only - No B rates" supported=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk comment=.** disable-pmkid=yes \
    encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=\
    R403.security
add authentication-types=wpa2-psk comment=** disable-pmkid=yes \
    encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=\
    R403-Homekit.Security
/caps-man configuration
add country=austria datapath=datapath1 distance=indoors installation=any \
    mode=ap name=R403-HOME security=R403-Homekit.Security ssid=R403-HOME
add comment="R403 (5Ghz)" country=austria datapath=datapath1 installation=any \
    mode=ap name=R403 security=R403.security ssid=R403
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=2ghz-g disabled=no name=2.G.20 width=20mhz
add band=5ghz-n disabled=no name=5.A/N.20 width=20/40mhz-Ce
add band=5ghz-a disabled=no name=5.A
add band=2ghz-n disabled=no name=2.N.20 skip-dfs-channels=all width=20mhz
add band=5ghz-ax disabled=no frequency=5680 name=5.AX width=20/40/80mhz
add band=2ghz-ax disabled=no name=2.AX
add band=5ghz-ax disabled=no name=5.G.AX width=20/40/80mhz
add band=5ghz-ac disabled=no frequency=2300-7300 name=5.AC width=20/40/80mhz
add disabled=yes frequency=2412,2437,2462 name=alt.channel-2G width=20mhz
add disabled=yes frequency=5180,5260,5500,5660 name=alt.channel-5G width=\
    20/40/80mhz
add disabled=yes frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=yes frequency=5180,5260,5500,5660 name=channel-5G width=\
    20/40/80mhz
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=R403-Clients wps=\
    push-button
add authentication-types=wpa2-psk disabled=no name=R403-Heimautomatisierung
add authentication-types=wpa2-psk disabled=no name=R403-AC
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
add authentication-types=wpa2-psk disabled=no name=security-AC
/interface wifi configuration
add channel=5.A/N.20 country=Austria datapath=datapath1 disabled=no mode=ap \
    name=Config:5A security=R403-Clients ssid=R403
add channel=2.G.20 country=Austria disabled=no mode=ap name=Config:2G \
    security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=2.N.20 country=Austria datapath=datapath1 disabled=no mode=ap \
    name=Config:2N security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=2.AX country=Austria datapath=datapath1 disabled=no mode=ap name=\
    Config:2.AX security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=2.G.20 country=Austria datapath=datapath1 disabled=no mode=ap \
    name=Config.AC security=R403-AC ssid=R403.AC
add channel=5.AX country=Austria datapath=datapath1 disabled=no mode=ap name=\
    R403-5G-AX security=R403-Clients ssid=R403-5G-AX
add channel=5.AC country=Austria datapath=datapath1 disabled=no mode=ap name=\
    R403-5G-AC security=R403-Clients ssid=R403-5G-AC
add channel=channel-5G country=Austria datapath=datapath1 disabled=yes mode=\
    ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country=Austria datapath=datapath1 disabled=yes mode=\
    ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country=Austria datapath=datapath1 disabled=yes mode=\
    ap name=config-IoT-2G security=security-IoT ssid=R403-Heimautomatisierung
add channel=channel-2G country=Austria datapath=datapath1 disabled=yes mode=\
    ap name=config-AC-2G security=security-AC ssid=R403-AC
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=group1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-256,3des hash-algorithm=sha256
add dh-group=modp1536 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256,aes-192,aes-128 name=IPsec-Profile-**
add dh-group=modp1024 dpd-interval=30s dpd-maximum-failures=3 enc-algorithm=\
    aes-256,aes-192,aes-128 name=Private-S2S-VPNs
/ip ipsec peer
add address=hff0915c2k1.sn.mynetname.net name=G21 profile=Private-S2S-VPNs
add address=** name=**profile=IPsec-Profile-**
/ip ipsec proposal
add auth-algorithms=sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-128-cbc,3des name=\
    proposal-**pfs-group=modp1536
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc name=\
    proposal-R403 pfs-group=modp1536
/ip pool
add name=VLAN0-DHCP ranges=10.43.210.101-10.43.210.200
/ip dhcp-server
add add-arp=yes address-pool=VLAN0-DHCP authoritative=no interface=BRIDGE1 \
    lease-time=23h name=DHCP-INTERN
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man manager
set ca-certificate=auto certificate=auto upgrade-policy=require-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BRIDGE1
/caps-man provisioning
add action=create-enabled master-configuration=R403 name-format=\
    prefix-identity name-prefix=Prefix- slave-configurations=R403-HOME
/ip smb
set domain=R403
/interface bridge port
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether01 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether02 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether03 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether04 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether05 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether06 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether09 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether11 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether12 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether13 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether14 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether15 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether19 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether20 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether21 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether22 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether23 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether16 internal-path-cost=\
    10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether17 internal-path-cost=\
    10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether18 internal-path-cost=\
    10 path-cost=10
add bridge=BRIDGE1 interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=Bond-MacPro
add bridge=BRIDGE1 interface=sfp-sfpplus2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BRIDGE1 vlan-ids=1
/interface detect-internet
set detect-interface-list=WAN
/interface ethernet switch
set 0 name=SW1-OG
/interface list member
add interface=ether01 list=LAN
add interface=ether02 list=LAN
add interface=ether03 list=LAN
add interface=ether04 list=LAN
add interface=ether05 list=LAN
add interface=ether06 list=LAN
add interface=ether07 list=LAN
add interface=ether08 list=LAN
add interface=ether09 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=BRIDGE1 list=LAN
add interface=ether24 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=\
    no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G \
    radio-mac=C4:AD:34:58:8A:AC slave-configurations=Config.AC,Config:2N
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G \
    radio-mac=D4:01:C3:04:F4:01 slave-configurations=Config.AC,Config:2N
add action=create-dynamic-enabled disabled=no master-configuration=R403-5G-AX \
    radio-mac=D4:01:C3:94:99:A1 slave-configurations=R403-5G-AC
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G \
    radio-mac=D4:01:C3:94:99:A2 slave-configurations=Config.AC,Config:2N
add action=create-dynamic-enabled disabled=no master-configuration=Config:5A \
    radio-mac=D4:01:C3:04:F4:02
add action=create-dynamic-enabled disabled=no master-configuration=Config:5A \
    radio-mac=C4:AD:34:58:8A:AD
add action=create-dynamic-enabled disabled=no master-configuration=R403-5G-AX \
    radio-mac=D4:01:C3:97:B1:06 slave-configurations=R403-5G-AC
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G \
    radio-mac=D4:01:C3:97:B1:07 slave-configurations=Config.AC,Config:2N
add action=create-enabled disabled=yes master-configuration=config-clients-5G \
    supported-bands=5ghz-ax
add action=create-enabled disabled=yes master-configuration=config-clients-2G \
    slave-configurations=config-IoT-2G,config-AC-2G supported-bands=2ghz-g
add action=create-enabled disabled=yes master-configuration=config-clients-5G \
    supported-bands=5ghz-ac
add action=create-enabled disabled=yes master-configuration=config-AC-2G \
    slave-configurations=config-IoT-2G,config-clients-2G supported-bands=\
    2ghz-n
/ip address
add address=10.43.210.254/24 comment=defconf interface=BRIDGE1 network=\
    10.43.210.0
add address=93.83.243.146/30 interface=ether24 network=93.83.243.144
add address=10.43.220.254/24 interface=gast network=10.43.220.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-server lease
add address=10.43.210.188 comment="Jal EG Wirtschaftsraum" mac-address=\
    48:E1:E9:A9:55:DB server=DHCP-INTERN
add address=10.43.210.34 client-id=1:dc:a9:4:88:53:ba comment="MacBook Erik" \
    mac-address=DC:A9:04:88:53:BA server=DHCP-INTERN
add address=10.43.210.181 comment="Jal OG Buero" mac-address=\
    48:E1:E9:A9:59:97 server=DHCP-INTERN
add address=10.43.210.182 comment="Jal OG Schlafzimmer" mac-address=\
    48:E1:E9:A2:4B:90 server=DHCP-INTERN
add address=10.43.210.183 comment="Jal OG Balkon" mac-address=\
    48:E1:E9:A9:6B:99 server=DHCP-INTERN
add address=10.43.210.184 comment="Jal EG Veranda" mac-address=\
    48:E1:E9:A2:4E:F6 server=DHCP-INTERN
add address=10.43.210.185 comment="Jal EG Kueche Sued" mac-address=\
    48:E1:E9:A9:54:76 server=DHCP-INTERN
add address=10.43.210.186 comment="Jal EG Kueche West" mac-address=\
    48:E1:E9:A9:51:6B server=DHCP-INTERN
add address=10.43.210.187 comment="Jal EG Wohnzimmer Nord" mac-address=\
    48:E1:E9:A9:6A:93 server=DHCP-INTERN
add address=10.43.210.189 comment="Jal EG Wohnzimmer West" mac-address=\
    48:E1:E9:A9:60:5B server=DHCP-INTERN
add address=10.43.210.201 comment="SWITCH HP ARUBA2530 48 POE OG" \
    mac-address=A0:1D:48:34:0A:00 server=DHCP-INTERN
add address=10.43.210.35 comment=MacPro6 mac-address=00:3E:E1:BD:F9:55 \
    server=DHCP-INTERN
add address=10.43.210.100 client-id=1:f0:92:1c:e7:4c:90 mac-address=\
    F0:92:1C:E7:4C:90 server=DHCP-INTERN
add address=10.43.210.203 mac-address=48:A9:8A:47:38:14 server=DHCP-INTERN
add address=10.43.210.91 client-id=1:4:79:b7:b0:1a:f1 comment=\
    "Wechselrichter Kostal" mac-address=04:79:B7:B0:1A:F1 server=DHCP-INTERN
add address=10.43.210.92 client-id=1:0:d0:93:4d:41:11 mac-address=\
    00:D0:93:4D:41:11 server=DHCP-INTERN
add address=10.43.210.212 client-id=1:d4:1:c3:94:99:9f mac-address=\
    D4:01:C3:94:99:9F server=DHCP-INTERN
add address=10.43.210.214 client-id=1:d4:1:c3:97:b1:4 mac-address=\
    D4:01:C3:97:B1:04 server=DHCP-INTERN
add address=10.43.210.211 client-id=1:c4:ad:34:58:8a:aa mac-address=\
    C4:AD:34:58:8A:AA server=DHCP-INTERN
add address=10.43.210.213 client-id=1:d4:1:c3:4:f3:ff mac-address=\
    D4:01:C3:04:F3:FF server=DHCP-INTERN
add address=10.43.210.3 client-id=1:0:8:9b:c3:cb:93 mac-address=\
    00:08:9B:C3:CB:93 server=DHCP-INTERN
add address=10.43.210.2 client-id=1:0:8:9b:f1:be:ba mac-address=\
    00:08:9B:F1:BE:BA server=DHCP-INTERN
add address=10.43.210.18 mac-address=F0:92:1C:E7:42:0F server=DHCP-INTERN
/ip dhcp-server network
add address=10.43.210.0/24 dns-server=\
    10.43.210.1,10.43.210.11,8.8.8.8,192.168.121.201 domain=r403.local \
    gateway=10.43.210.254 ntp-server=10.43.210.254
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=4443,8291 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=forward disabled=yes dst-address=192.168.0.0/16 \
    src-address=10.43.210.0/24
add action=drop chain=forward disabled=yes dst-address=10.43.210.0/24 \
    src-address=192.168.10.0/24
add action=accept chain=forward dst-address=10.43.210.0/24 src-address=\
    10.21.0.0/24
add action=accept chain=forward dst-address=10.21.0.0/24 src-address=\
    10.43.210.0/24
add action=accept chain=forward dst-address=10.43.210.1 dst-port=443 \
    protocol=tcp src-port=443
add action=accept chain=forward dst-address=213.33.98.136 dst-port=53 \
    protocol=udp
add action=accept chain=input dst-address=10.43.210.2 dst-port=5000 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=forward dst-address=10.43.210.1 dst-port=443 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=forward
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept in ipsec policy" \
    in-interface=all-ppp ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input in-interface=ether24 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether24 \
    protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=dstnat dst-address=10.43.210.11 dst-port=443 \
    in-interface=ether24 protocol=tcp
/ip firewall nat
add action=accept chain=srcnat dst-address=10.21.0.0/24 src-address=\
    10.43.210.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=\
    10.43.210.0/24
add action=dst-nat chain=dstnat comment="Forwarding rule" dst-port=5000 \
    in-interface-list=WAN protocol=tcp src-port="" to-addresses=10.43.210.2 \
    to-ports=5000
add action=masquerade chain=srcnat out-interface=ether24
/ip ipsec identity
add peer=G21
add comment=HalloWelt403 mode-config=request-only peer=**
/ip ipsec policy
set 0 disabled=yes proposal=proposal-**
add dst-address=192.168.10.0/24 level=unique peer=**proposal=\
    proposal-**src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.121.0/24 level=unique peer=**proposal=\
    proposal-**src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.122.0/24 level=unique peer=**proposal=\
    proposal-**src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.70.0/24 level=unique peer=**proposal=\
    proposal-**src-address=10.43.210.0/24 tunnel=yes
add dst-address=10.21.0.0/24 peer=G21 proposal=proposal-R403 src-address=\
    10.43.210.0/24 tunnel=yes
add dst-address=192.168.50.0/24 level=unique peer=**proposal=\
    proposal-*src-address=10.43.210.0/24 tunnel=yes
/ip proxy
set max-cache-size=100000KiB
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    93.83.243.145 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/8
set ssh address=10.0.0.0/8
set www-ssl address=10.0.0.0/8 certificate=cert1 disabled=no port=8443
set winbox address=10.0.0.0/8
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=SW.OG.1
/system logging
add topics=debug,dhcp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=178.189.127.148
/system package update
set channel=testing
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/tool graphing interface
add
Last edited by toolongformt on Thu Oct 24, 2024 10:52 pm, edited 1 time in total.
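An added example, not part of the original posts and not MikroTik code: a small Python linter that joins the continuation lines of a RouterOS export like the one above and checks that every enabled `/interface wifi provisioning` rule points at configurations, channels, security profiles and datapaths that exist and are enabled. The sample export is constructed in the same format (it leaves out `Config:2N` on purpose and uses a placeholder radio MAC); the function names are assumptions of this example.

```python
import re
import shlex

WIFI = "/interface wifi "
REF_KEYS = ("channel", "security", "datapath")

# Constructed sample in the layout of a RouterOS 7 export (not the full export above).
SAMPLE_EXPORT = r"""
/interface wifi channel
add band=2ghz-g disabled=no name=2.G.20 width=20mhz
add disabled=yes frequency=2412,2437,2462 name=channel-2G width=20mhz
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=R403-Heimautomatisierung
add authentication-types=wpa2-psk disabled=no name=security-clients
/interface wifi configuration
add channel=2.G.20 country=Austria disabled=no mode=ap name=Config:2G \
    security=R403-Heimautomatisierung ssid=R403-2.4G
add channel=channel-2G country=Austria datapath=datapath1 disabled=yes mode=\
    ap name=config-clients-2G security=security-clients ssid=R403
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Config:2G \
    radio-mac=00:00:5E:00:53:01 slave-configurations=Config:2N
add action=create-enabled disabled=yes master-configuration=config-clients-2G \
    supported-bands=2ghz-g
"""


def parse_export(text):
    """Return {menu path: [ {property: value}, ... ]} for 'add' lines in wifi menus."""
    # The export wraps long lines with a trailing backslash, sometimes in the
    # middle of a value ("mode=\" / "    ap"), so drop the backslash, the
    # newline and the indentation of the continuation line.
    joined = re.sub(r"\\\n[ \t]*", "", text)
    menus, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current and current.startswith(WIFI) and line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted values in one token
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def lint_wifi(menus):
    """List reference problems reachable from enabled provisioning rules."""
    def index(menu):
        return {item.get("name"): item for item in menus.get(WIFI + menu, [])}

    configs = index("configuration")
    objects = {key: index(key) for key in REF_KEYS}
    findings = []

    def check_config(name, where):
        cfg = configs.get(name)
        if cfg is None:
            findings.append(f"{where}: configuration '{name}' does not exist")
            return
        if cfg.get("disabled") == "yes":
            findings.append(f"{where}: configuration '{name}' is disabled")
        for key in REF_KEYS:
            ref = cfg.get(key)
            # Inline properties such as "datapath.bridge=..." count as set.
            inline = any(prop.startswith(key + ".") for prop in cfg)
            if ref is None:
                if not inline:
                    findings.append(f"{where}: configuration '{name}' sets no {key}")
            elif ref not in objects[key]:
                findings.append(f"{where}: {key} '{ref}' does not exist")
            elif objects[key][ref].get("disabled") == "yes":
                findings.append(f"{where}: {key} '{ref}' is disabled")

    rules = menus.get(WIFI + "provisioning", [])
    for number, rule in enumerate(rules, start=1):
        if rule.get("disabled") == "yes":
            continue  # disabled rules are never applied, so skip them
        where = f"provisioning rule {number}"
        master = rule.get("master-configuration")
        if master is None:
            findings.append(f"{where}: no master-configuration")
        else:
            check_config(master, where)
        for slave in filter(None, rule.get("slave-configurations", "").split(",")):
            check_config(slave, where)
    return findings


if __name__ == "__main__":
    for finding in lint_wifi(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

A finding is a consistency note for review, not a diagnosis: a configuration without a datapath, for example, may be intentional on a given setup.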
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 10:45 pm

[admin@WAP.BALKON] > export
# 2024-10-24 21:45:29 by RouterOS 7.16.1
# software id = 9VJZ-MB0K
#
# model = RBwAPG-5HacD2HnD
# serial number = HFM09SMSG9E
/interface bridge
add admin-mac=D4:01:C3:04:F3:FF auto-mac=no comment=defconf name=bridgeLocal
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: R403-2.4G, channel: 2437/g
set [ find default-name=wifi1 ] configuration.manager=capsman-or-local .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: R403, channel: 5260/n/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman-or-local .mode=ap disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeLocal interface=dynamic
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WAP.BALKON
/system note
set show-at-login=no
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 10:46 pm

[admin@WAP.KELLER] > export
# 2024-10-24 21:46:17 by RouterOS 7.16.1
# software id = PQFY-1VZU
#
# model = RBwAPGR-5HacD2HnD
# serial number = B7380B589768
/interface bridge
add admin-mac=C4:AD:34:58:8A:AA auto-mac=no comment=defconf name=bridgeLocal
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: R403-2.4G, channel: 2412/g
set [ find default-name=wifi1 ] configuration.manager=capsman-or-local .mode=ap disabled=no name=WAP.KELLER.wifi1
# managed by CAPsMAN
# mode: AP, SSID: R403, channel: 5500/n/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman-or-local .mode=ap disabled=no name=WAP.KELLER.wifi2
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" sms-protocol=auto sms-read=no
/interface bridge port
add bridge=bridgeLocal comment=defconf ingress-filtering=no interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=WAP.KELLER.wifi1
add bridge=bridgeLocal interface=WAP.KELLER.wifi2
add bridge=bridgeLocal interface=dynamic
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WAP.KELLER
/system note
set show-at-login=no
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
[admin@WAP.KELLER] > 
 
toolongformt
Member Candidate
Topic Author
Posts: 180
Joined: Wed Jan 24, 2024 10:05 am

Re: bst configuration with capsman for 2 different accesspoints

Thu Oct 24, 2024 10:47 pm

[admin@WAP.OG.BUERO] > export
# 2024-10-24 21:46:58 by RouterOS 7.16.1
# software id = 9J12-2RZ6
#
# model = cAPGi-5HaxD2HaxD
# serial number = HGD09JVZ8BG
/interface bridge
add admin-mac=D4:01:C3:94:99:9F auto-mac=no comment=defconf name=bridgeLocal
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: R403-5G-AX, channel: 5680/ax/eCee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: R403-2.4G, channel: 2437/g
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
/interface vlan
add interface=bridgeLocal name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeLocal interface=dynamic
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WAP.OG.BUERO
/system note
set show-at-login=no
[admin@WAP.OG.BUERO] > 
 
toolongformt
Thu Oct 24, 2024 10:48 pm

[admin@WAP.EG.FLUR] > export
# 2024-10-24 21:47:44 by RouterOS 7.16.1
# software id = 07E9-A8LY
#
# model = cAPGi-5HaxD2HaxD
# serial number = HGD09QMH2N0
/interface bridge
add name=bridgeLocal
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: R403-5G-AX, channel: 5680/ax/eCee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no name=WAP.EG.FLUR.wifi1
# managed by CAPsMAN
# mode: AP, SSID: R403-2.4G, channel: 2412/g
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no name=WAP.EG.FLUR.wifi2
/interface bridge port
add bridge=bridgeLocal ingress-filtering=no interface=ether1
add bridge=bridgeLocal interface=ether2
add bridge=bridgeLocal interface=*1A
add bridge=bridgeLocal interface=*1B
add bridge=bridgeLocal interface=WAP.EG.FLUR.wifi1
add bridge=bridgeLocal interface=WAP.EG.FLUR.wifi2
add bridge=bridgeLocal interface=dynamic
/ip firewall connection tracking
set udp-timeout=10s
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add interface=bridgeLocal
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WAP.EG.FLUR
/system logging
add prefix="debug, dhcp" topics=debug
add topics=wireless
/system note
set show-at-login=no
[admin@WAP.EG.FLUR] > 
 
neki
Thu Oct 24, 2024 11:15 pm

What packages do you have installed on wAPs and CRS?
 
toolongformt
Thu Oct 24, 2024 11:21 pm

What packages do you have installed on wAPs and CRS?
ros and wifi-qcom 7.16.1 on all devices (wifi only on accesspoints)
 
neki
Thu Oct 24, 2024 11:40 pm

So... Reset all CAPs to CAP MODE. This is NOT default config. It's almost default, but with removed datapath option and manually added bridge ports. It is for sure causing issues with slave interfaces. For starter edit ONLY identity of the device.

For the CAPsMAN it looks like you have wireless package installed, there shouldn't be any "caps-man" and "wireless" related options. Also remove all datapath options and definitions. And anything that mentions VLAN, start with VLAN interfaces.

....and disable your provisioning rules and enable those that I provided

Then post all four configs (you can do that in one post, just make 3 new lines between the code blocks)
 
toolongformt
Fri Oct 25, 2024 9:50 am

So... Reset all CAPs to CAP MODE. This is NOT default config. It's almost default, but with removed datapath option and manually added bridge ports. It is for sure causing issues with slave interfaces. For starter edit ONLY identity of the device.

For the CAPsMAN it looks like you have wireless package installed, there shouldn't be any "caps-man" and "wireless" related options. Also remove all datapath options and definitions. And anything that mentions VLAN, start with VLAN interfaces.

....and disable your provisioning rules and enable those that I provided

Then post all four configs (you can do that in one post, just make 3 new lines between the code blocks)
Hi,
you may be surprised, but all CAPs are default config after reset and capsmode. I didn't change anything! And they are all new, so I can exclude that someone before me has altered the config (which indeed should be reflashed after reset).
I have 2 more sets of wifis (family and a friend) which also bought new devices, one of them has exactly the same set of devices as me, but without the two smaller CAPs, only the AX's.
They looked identical when I reset them to CAP mode.
When I now reset one of them, and the config is the same as now, what then? I mean, in the 10 months I have played around with them, I reset those CAPs a hundred times... So my hope of expecting any difference is zero. But ok, I reset them and show you, that they are like now, just without the capsman entry...
 
toolongformt
Fri Oct 25, 2024 9:52 am

For the CAPsMAN it looks like you have wireless package installed, there shouldn't be any "caps-man" and "wireless" related options. Also remove all datapath options and definitions. And anything that mentions VLAN, start with VLAN interfaces.
edit: ok, wireless is scheduled for removal, will reboot in 3 hours
 
toolongformt
Fri Oct 25, 2024 10:22 am

....and disable your provisioning rules and enable those that I provided
done!
all accesspoints react with
"--- SSID not set"
at least I don't have a slow connection now ... I have not one at all :wink:
 
toolongformt
Fri Oct 25, 2024 10:49 am

well, I deleted all of my configs and only inserted your config, just that I added the security part before to keep wpa2 settings and passphrases... well, the one for IoT is now simplified, I'll test if meross and the AC are dealing with it...

I reset the AP that is 3m away from my desktop. It doesn't show a registered pc, but I see the registered pc on the accesspoint 10m away. And I get ~20mbit. I mean, why should I get more? The pc is connected with a slow 2,4ghz connection to a far away accesspoint, instead of 5ghz with the nearest (JUST RESET!!) CAP.
There is no way to tell this wifi card that it must use 5ghz, I can only deactivate 6ghz.
So, if all clients use 2,4ghz, I can delete the 5ghz config, which is what I will do now.

When we always do the same, why do we expect to receive a change?

edit: I removed all 5ghz config now, I'll just stay on 2,4n. I don't expect any improvements. At least I have a range of 10m.
Last edited by toolongformt on Fri Oct 25, 2024 11:58 am, edited 1 time in total.
 
toolongformt
Fri Oct 25, 2024 10:57 am

Switch (capsman):
# 2024-10-25 09:54:12 by RouterOS 7.16.1
# software id = WZPE-N3D7
#
# model = CRS328-24P-4S+
# serial number = HD508BTMHMH
/interface wifi
add arp-timeout=auto disabled=yes mac-address=D4:01:C3:04:F4:02 name=cap-wifi1 radio-mac=D4:01:C3:04:F4:02
add arp-timeout=auto disabled=yes mac-address=D4:01:C3:94:99:A1 name=cap-wifi3 radio-mac=D4:01:C3:94:99:A1
add arp-timeout=auto disabled=yes mac-address=D4:01:C3:97:B1:06 name=cap-wifi4 radio-mac=D4:01:C3:97:B1:06
add arp-timeout=auto disabled=yes mac-address=C4:AD:34:58:8A:AD name=cap-wifi5 radio-mac=C4:AD:34:58:8A:AD
/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=R403-Clients wps=push-button
add authentication-types=wpa2-psk disabled=no name=R403-Heimautomatisierung
add authentication-types=wpa2-psk disabled=no name=R403-AC
add authentication-types=wpa2-psk disabled=no name=security-clients wps=push-button
add authentication-types=wpa2-psk disabled=no name=security-IoT
/interface wifi configuration
add channel=channel-2G country="United States" disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403.IoT
/interface wifi
add arp-timeout=auto configuration=config-clients-2G disabled=no mac-address=D4:01:C3:04:F4:01 name=cap-wifi2 radio-mac=D4:01:C3:04:F4:01
add arp-timeout=auto configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:04:F4:01 master-interface=cap-wifi2 name=cap-wifi2-virtual1
add arp-timeout=auto configuration=config-clients-2G disabled=no mac-address=D4:01:C3:94:99:A2 name=cap-wifi6 radio-mac=D4:01:C3:94:99:A2
add arp-timeout=auto configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:94:99:A2 master-interface=cap-wifi6 name=cap-wifi6-virtual1
add arp-timeout=auto configuration=config-clients-2G disabled=no mac-address=D4:01:C3:97:B1:07 name=cap-wifi7 radio-mac=D4:01:C3:97:B1:07
add arp-timeout=auto configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:97:B1:07 master-interface=cap-wifi7 name=cap-wifi7-virtual1
add arp-timeout=auto configuration=config-clients-2G disabled=no mac-address=C4:AD:34:58:8A:AC name=cap-wifi8 radio-mac=C4:AD:34:58:8A:AC
add arp-timeout=auto configuration=config-IoT-2G disabled=no mac-address=C6:AD:34:58:8A:AC master-interface=cap-wifi8 name=cap-wifi8-virtual1
/interface wifi cap
set enabled=no
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=config-clients-2G slave-configurations=config-IoT-2G supported-bands=2ghz-n

CAP1 after reset:
# 2024-10-25 09:56:54 by RouterOS 7.16.1
# software id = 07E9-A8LY
#
# model = cAPGi-5HaxD2HaxD
# serial number = HGD09QMH2N0
/interface bridge
add admin-mac=D4:01:C3:97:B1:04 auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp
# managed by CAPsMAN
# mode: AP, SSID: R403, channel: 2462/ax
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
 
toolongformt
Fri Oct 25, 2024 11:16 am

After seeing no improvement I don't reset all the other caps, that's just for ego. They are not manually configured in any way.
What they have is what they have after reset.

I have tried to reconnect my IoT devices. The meross do like they do when I made a shit config (like now):
They can be connected, they are online for some minutes, then they are not reachable in apple home anymore.

When should I decide what I can believe and what is better when I do it...? I mean:
PC: connection slower and unstable
iphones: connection unstable during speedtest
IoT meross: disconnected and gone after some minutes
IoT Bosch: not configured yet, it's much too complicated to reset and reconfigure them (they have no wifi reset, they have to be reset completely, with loss of all settings, favourites, programs, bought cooking recipes, own programs are gone, etc... that's a year of work I lose on 4 devices)
IoT AC: not configured yet, my motivation is gone

oh, didn't I mention that meross is hating n mode and g mode and a mode, depending on the weather in Sahara and if their asian boss had s*x last night?
Today they don't want n.
 
toolongformt
Fri Oct 25, 2024 12:09 pm

your config made 2,4 ax mode available. No one connects with 2,4 ghz ax.
It seemed to confuse meross more than it improved anything, so I set band to 2,4 ghz n only.
And suddenly apple devices run a full speed test without interrupting the connection.

For which reason do you propose 2,4 ax? Trying to make a connection for the desktop faster?
PC runs at 130/130 now, speedtest makes around 25 up and down.
I guess more (+stable +working +IoT +AC) is not possible.

This is my current config on capsman:
# 2024-10-25 11:20:05 by RouterOS 7.16.1
# software id = WZPE-N3D7
#
# model = CRS328-24P-4S+
# serial number = HD508BTMHMH
/interface wifi
add name=cap-wifi1 radio-mac=D4:01:C3:04:F4:02
add name=cap-wifi3 radio-mac=D4:01:C3:94:99:A1
add name=cap-wifi4 radio-mac=D4:01:C3:97:B1:06
add name=cap-wifi5 radio-mac=C4:AD:34:58:8A:AD
/interface wifi channel
add band=2ghz-n disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients wps=push-button
add authentication-types=wpa2-psk disabled=no name=security-IoT
/interface wifi configuration
add channel=channel-2G country="United States" disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403.IoT
/interface wifi
add configuration=config-clients-2G disabled=no name=cap-wifi2 radio-mac=D4:01:C3:04:F4:01
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:04:F4:01 master-interface=cap-wifi2 name=cap-wifi2-virtual1
add configuration=config-clients-2G disabled=no name=cap-wifi6 radio-mac=D4:01:C3:94:99:A2
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:94:99:A2 master-interface=cap-wifi6 name=cap-wifi6-virtual1
add configuration=config-clients-2G disabled=no name=cap-wifi7 radio-mac=D4:01:C3:97:B1:07
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:97:B1:07 master-interface=cap-wifi7 name=cap-wifi7-virtual1
add configuration=config-clients-2G disabled=no name=cap-wifi8 radio-mac=C4:AD:34:58:8A:AC
add configuration=config-IoT-2G disabled=no mac-address=C6:AD:34:58:8A:AC master-interface=cap-wifi8 name=cap-wifi8-virtual1
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=config-clients-2G slave-configurations=config-IoT-2G supported-bands=2ghz-n
[admin@SW.OG.1] /interface/wifi>

 
toolongformt
Fri Oct 25, 2024 1:22 pm

So... Reset all CAPs to CAP MODE. This is NOT default config. It's almost default, but with removed datapath option and manually added bridge ports. It is for sure causing issues with slave interfaces. For starter edit ONLY identity of the device.
there's no improvement after resetting this CAP compared to before ... just that I cannot distinguish between the accesspoints respectively wifis anymore
 
neki
Fri Oct 25, 2024 7:29 pm

Your attitude is really strange, you are asking for help and then suddenly "know better". If you won't follow instructions or use them just partially then nobody will help you. Is that clear?

Saying that the configs were not altered in any way is simply a lie.

Reset all CAPs to CAP MODE. This is NOT default config. It's almost default, but with removed datapath option and manually added bridge ports. It is for sure causing issues with slave interfaces. For starter edit ONLY identity of the device.
You did reset just one CAP and even that was done just partially because you chose not to do it all.

Hint: It is wise to choose something meaningful for the identity (cAP-ax-01, wAP-ac-01).

Post all, whole, configs of your CAPs after you finish this first task. Do not bother to post anything else...
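
The difference pointed out above ("removed datapath option and manually added bridge ports") can be checked mechanically against an export. The following is an added example, not part of any post in this thread and not MikroTik tooling: the baseline is the "CAP1 after reset" export posted in the thread, and treating only `etherN` interfaces as default bridge ports is an assumption taken from that export.

```python
import re

# Excerpts of two exports posted in this thread (trimmed to the relevant menus).
EXPORT_WAP_OG_BUERO = """\
/interface bridge
add admin-mac=D4:01:C3:94:99:9F auto-mac=no comment=defconf name=bridgeLocal
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeLocal interface=dynamic
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes
"""

EXPORT_CAP1_AFTER_RESET = """\
/interface bridge
add admin-mac=D4:01:C3:97:B1:04 auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
"""

PROP_RE = re.compile(r'([.\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')
SELECTOR_RE = re.compile(r"\[\s*find\s+([^\]]*?)\s*\]\s*(.*)")


def parse_export(text):
    """Return {menu path: [(verb, selector, props), ...]} for a RouterOS export."""
    # Verbose exports wrap long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue  # blank lines, comments, and the "[admin@...] >" prompt
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])  # a menu may appear more than once
            continue
        if path is None:
            continue
        verb, _, rest = line.partition(" ")
        selector = ""
        match = SELECTOR_RE.match(rest)
        if match:
            selector, rest = match.group(1), match.group(2)
        props = {key: value.strip('"') for key, value in PROP_RE.findall(rest)}
        menus[path].append((verb, selector, props))
    return menus


def cap_mode_deviations(text):
    """List the ways an export differs from the CAP-mode baseline shown in the thread."""
    menus = parse_export(text)
    findings = []
    if not menus.get("/interface wifi datapath"):
        findings.append("no /interface wifi datapath entry defined")
    for _, selector, props in menus.get("/interface wifi", []):
        if props.get("configuration.manager") == "capsman" and "datapath" not in props:
            findings.append(f"wifi interface [{selector}] has no datapath option")
    cap = [props for _, _, props in menus.get("/interface wifi cap", [])]
    if cap and not any("slaves-datapath" in props for props in cap):
        findings.append("/interface wifi cap has no slaves-datapath")
    for verb, _, props in menus.get("/interface bridge port", []):
        iface = props.get("interface", "")
        # Assumption: after a CAP-mode reset only the ethernet ports are bridge members.
        if verb == "add" and not re.fullmatch(r"ether\d+", iface):
            findings.append(f"manually added bridge port: {iface}")
    return findings


if __name__ == "__main__":
    for name, export in (("WAP.OG.BUERO", EXPORT_WAP_OG_BUERO),
                         ("CAP1 after reset", EXPORT_CAP1_AFTER_RESET)):
        print(name)
        for finding in cap_mode_deviations(export) or ["matches the baseline"]:
            print("  -", finding)
```

Settings such as `caps-man-addresses` or the system identity are not flagged, since they do not touch the datapath or the bridge membership.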
 
toolongformt
Sat Oct 26, 2024 12:13 am

nearest to PC:
CAP "1" (R403.CAP:EG.FLUR)
# model = cAPGi-5HaxD2HaxD
# serial number = HGD09QMH2N0
/interface bridge
add admin-mac=D4:01:C3:97:B1:04 ageing-time=5m arp=enabled arp-timeout=auto \
    auto-mac=no comment=defconf dhcp-snooping=no disabled=no fast-forward=yes \
    forward-delay=15s igmp-snooping=no max-learned-entries=auto \
    max-message-age=20s mtu=auto mvrp=no name=bridgeLocal port-cost-mode=long \
    priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
    aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1568 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:97:B1:04 mtu=1500 name=\
    ether1 orig-mac-address=D4:01:C3:97:B1:04 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether2 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
    aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1568 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:97:B1:05 mtu=1500 name=\
    ether2 orig-mac-address=D4:01:C3:97:B1:05 poe-out=auto-on poe-priority=10 \
    power-cycle-interval=none !power-cycle-ping-address \
    power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off \
    tx-flow-control=off
/queue interface
set bridgeLocal queue=no-queue
/interface ethernet switch
set 0 !cpu-flow-control mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none \
    default-route-distance=2 ip-type=auto name=default use-network-apn=yes \
    use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] arp-timeout=auto configuration.manager=capsman \
    datapath=capdp disabled=no l2mtu=1560 mac-address=D4:01:C3:97:B1:06 name=\
    wifi1 radio-mac=D4:01:C3:97:B1:06
# managed by CAPsMAN
set [ find default-name=wifi2 ] arp-timeout=auto configuration.manager=capsman \
    datapath=capdp disabled=no l2mtu=1560 mac-address=D4:01:C3:97:B1:07 name=\
    wifi2 radio-mac=D4:01:C3:97:B1:07
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=8s \
    dpd-maximum-failures=4 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=default use-ipv6=\
    yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default-encryption on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=yes use-ipv6=yes \
    use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=\
    32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=\
    32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
# managed by CAPsMAN
set wifi1 queue=wireless-default
# managed by CAPsMAN
set wifi2 queue=wireless-default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no \
    encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
    0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
    bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web\
    ,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pass\
    word,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,wi\
    nbox,password,web,sniff,sensitive,api,romon,rest-api" skin=default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no \
    auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes \
    comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether1 \
    !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes \
    comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether2 \
    !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=\
    5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s \
    tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m \
    udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=static discover-interval=30s lldp-mac-phy-config=no \
    lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled lldp-poe-power=yes \
    lldp-vlan-info=no mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=\
    30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=16384 rp-filter=no \
    secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=14336 multipath-hash-policy=l3
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=\
    none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no \
    authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 \
    l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=\
    unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc \
    default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 \
    keepalive-timeout=60 mac-address=FE:BD:2E:66:9A:B3 max-mtu=1500 mode=ip \
    netmask=24 port=1194 protocol=tcp push-routes="" redirect-gateway=disabled \
    reneg-sec=3600 require-client-certificate=no tls-version=any \
    tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=\
    no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=\
    aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=\
    443 tls-version=any verify-client-certificate=no
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi capsman
set enabled=no
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=\
    none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 \
    dhcp-options=hostname,clientid disabled=no interface=bridgeLocal \
    use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w \
    cache-size=2048KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 \
    max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 mdns-repeat-ifaces=\
    "" query-server-timeout=2s query-total-timeout=10s servers="" \
    use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all \
    src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip service
set telnet address="" disabled=no max-sessions=20 port=23 vrf=main
set ftp address="" disabled=no max-sessions=20 port=21
set www address="" disabled=no max-sessions=20 port=80 vrf=main
set ssh address="" disabled=no max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 \
    tls-version=any vrf=main
set api address="" disabled=no max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no max-sessions=20 port=8729 \
    tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=pub disabled=yes invalid-users="" name=pub \
    read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 \
    port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
    host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=256k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=yes \
    nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=\
    no hop-limit=unspecified interface=all managed-address-configuration=no \
    mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m \
    ra-lifetime=30m ra-preference=medium reachable-time=unspecified \
    retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s \
    use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: \
    trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Vienna
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start=\
    "1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=R403.CAP:EG.FLUR
/system leds
set 0 disabled=no leds=poe-led type=poe-out
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no \
    local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system package update
set channel=long-term
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
set 14 cpu=auto
set 15 cpu=auto
set 16 cpu=auto
set 17 cpu=auto
set 18 cpu=auto
set 19 cpu=auto
set 20 cpu=auto
set 21 cpu=auto
set 22 cpu=auto
set 23 cpu=auto
set 24 cpu=auto
set 25 cpu=auto
set 26 cpu=auto
set 27 cpu=auto
set 28 cpu=auto
set 29 cpu=auto
set 30 cpu=auto
set 31 cpu=auto
set 32 cpu=auto
set 33 cpu=auto
set 34 cpu=auto
set 35 cpu=auto
set 36 cpu=auto
set 37 cpu=auto
set 38 cpu=auto
set 39 cpu=auto
set 40 cpu=auto
set 41 cpu=auto
set 42 cpu=auto
set 43 cpu=auto
set 44 cpu=auto
set 45 cpu=auto
set 46 cpu=auto
set 47 cpu=auto
set 48 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard mode-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=no boot-device=nand-if-fail-then-ethernet boot-protocol=bootp \
    force-backup-booter=no preboot-etherboot=disabled preboot-etherboot-server=\
    any protected-routerboot=disabled reformat-hold-button=20s \
    reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
    ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no \
    sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
    filter-dst-ip-address="" filter-dst-ipv6-address="" filter-dst-mac-address=\
    "" filter-dst-port="" filter-interface="" filter-ip-address="" \
    filter-ip-protocol="" filter-ipv6-address="" filter-mac-address="" \
    filter-mac-protocol="" filter-operator-between-entries=or filter-port="" \
    filter-size="" filter-src-ip-address="" filter-src-ipv6-address="" \
    filter-src-mac-address="" filter-src-port="" filter-stream=no filter-vlan=\
    "" memory-limit=100KiB memory-scroll=yes only-headers=no quick-rows=20 \
    quick-show-frame=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no \
    stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

CAP "2" (R403.CAP:OG.BALKON)
# model = RBwAPGR-5HacD2HnD
# serial number = B7380B589768
/interface bridge
add admin-mac=C4:AD:34:58:8A:AA ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment=defconf dhcp-snooping=no disabled=no \
    fast-forward=yes forward-delay=15s igmp-snooping=no max-learned-entries=auto max-message-age=20s mtu=auto mvrp=no name=bridgeLocal \
    port-cost-mode=long priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:58:8A:AA mtu=1500 name=ether1 orig-mac-address=\
    C4:AD:34:58:8A:AA rx-flow-control=off tx-flow-control=off
set [ find default-name=ether2 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=C4:AD:34:58:8A:AB mtu=1500 name=ether2 orig-mac-address=\
    C4:AD:34:58:8A:AB rx-flow-control=off tx-flow-control=off
/queue interface
set bridgeLocal queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=auto name=default \
    use-network-apn=yes use-peer-dns=yes
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=default band="" disabled=no !modem-init mtu=1500 name=lte1 network-mode=\
    gsm,3g,lte sms-protocol=auto sms-read=no
/queue interface
set lte1 queue=no-queue
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=\
    C4:AD:34:58:8A:AC name=wifi1 radio-mac=C4:AD:34:58:8A:AC
# managed by CAPsMAN
set [ find default-name=wifi2 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=\
    C4:AD:34:58:8A:AD name=wifi2 radio-mac=C4:AD:34:58:8A:AD
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default smtp-server=0.0.0.0 split-user-domain=no use-radius=\
    no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d \
    name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=8s dpd-maximum-failures=4 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default \
    pfs-group=modp1024
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default \
    use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up="" \
    only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
    use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
# managed by CAPsMAN
set wifi1 queue=wireless-default
# managed by CAPsMAN
set wifi2 queue=wireless-default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=\
    none write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
    syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy skin=\
    default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy skin=\
    default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api skin=\
    default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether1 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether2 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=static discover-interval=30s lldp-mac-phy-config=no lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled \
    lldp-vlan-info=no mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=4096 rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=2048 multipath-hash-policy=l3
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc default-profile=default enable-tun-ipv6=no enabled=no \
    ipv6-prefix-len=64 keepalive-timeout=60 mac-address=FE:E2:6D:B4:A3:7C max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp push-routes=\
    "" redirect-gateway=disabled reneg-sec=3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi capsman
set enabled=no
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=bridgeLocal \
    use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
    mdns-repeat-ifaces="" query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
/ip service
set telnet address="" disabled=no max-sessions=20 port=23 vrf=main
set ftp address="" disabled=no max-sessions=20 port=21
set www address="" disabled=no max-sessions=20 port=80 vrf=main
set ssh address="" disabled=no max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 tls-version=any vrf=main
set api address="" disabled=no max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no max-sessions=20 port=8729 tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=flash/pub disabled=yes invalid-users="" name=pub read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=32k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 \
    sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=\
    yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes \
    nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes \
    src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=\
    medium reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Vienna
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start="1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=R403.CAP:OG.BALKON
/system leds
set 0 disabled=no interface=lte1 leds=lte-led type=interface-activity
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=bootp force-backup-booter=no preboot-etherboot=disabled \
    preboot-etherboot-server=any protected-routerboot=disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-dst-ip-address="" filter-dst-ipv6-address="" \
    filter-dst-mac-address="" filter-dst-port="" filter-interface="" filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
    filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" filter-size="" filter-src-ip-address="" \
    filter-src-ipv6-address="" filter-src-mac-address="" filter-src-port="" filter-stream=no filter-vlan="" memory-limit=100KiB memory-scroll=\
    yes only-headers=no quick-rows=20 quick-show-frame=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

CAP "3" (R403.CAP:OG.BUERO)
# model = cAPGi-5HaxD2HaxD
# serial number = HGD09JVZ8BG
/interface bridge
add admin-mac=D4:01:C3:94:99:9F ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment=defconf dhcp-snooping=no disabled=no \
    fast-forward=yes forward-delay=15s igmp-snooping=no max-learned-entries=auto max-message-age=20s mtu=auto mvrp=no name=bridgeLocal \
    port-cost-mode=long priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1568 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:94:99:9F mtu=1500 name=ether1 orig-mac-address=D4:01:C3:94:99:9F rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether2 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1568 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:94:99:A0 mtu=1500 name=ether2 orig-mac-address=D4:01:C3:94:99:A0 poe-out=auto-on \
    poe-priority=10 power-cycle-interval=none !power-cycle-ping-address power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off \
    tx-flow-control=off
/queue interface
set bridgeLocal queue=no-queue
/interface ethernet switch
set 0 !cpu-flow-control mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=auto name=default \
    use-network-apn=yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=\
    D4:01:C3:94:99:A1 name=wifi1 radio-mac=D4:01:C3:94:99:A1
# managed by CAPsMAN
set [ find default-name=wifi2 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=\
    D4:01:C3:94:99:A2 name=wifi2 radio-mac=D4:01:C3:94:99:A2
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d \
    name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=8s dpd-maximum-failures=4 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default \
    use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up="" \
    only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
    use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=\
    32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
# managed by CAPsMAN
set wifi1 queue=wireless-default
# managed by CAPsMAN
set wifi2 queue=wireless-default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
    syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy skin=\
    default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy skin=\
    default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api skin=default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether1 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether2 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=static discover-interval=30s lldp-mac-phy-config=no lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled \
    lldp-poe-power=yes lldp-vlan-info=no mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=16384 rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=14336 multipath-hash-policy=l3
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc default-profile=default enable-tun-ipv6=no enabled=no \
    ipv6-prefix-len=64 keepalive-timeout=60 mac-address=FE:C1:FB:44:85:24 max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp push-routes="" \
    redirect-gateway=disabled reneg-sec=3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi capsman
set enabled=no
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=bridgeLocal use-peer-dns=\
    yes use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
    mdns-repeat-ifaces="" query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=\
    :: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
/ip service
set telnet address="" disabled=no max-sessions=20 port=23 vrf=main
set ftp address="" disabled=no max-sessions=20 port=21
set www address="" disabled=no max-sessions=20 port=80 vrf=main
set ssh address="" disabled=no max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 tls-version=any vrf=main
set api address="" disabled=no max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no max-sessions=20 port=8729 tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=pub disabled=yes invalid-users="" name=pub read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=256k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 \
    sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes \
    nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes \
    src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=\
    medium reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Vienna
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start="1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=R403.CAP:OG.BUERO
/system leds
set 0 disabled=no leds=poe-led type=poe-out
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system package update
set channel=long-term
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
set 14 cpu=auto
set 15 cpu=auto
set 16 cpu=auto
set 17 cpu=auto
set 18 cpu=auto
set 19 cpu=auto
set 20 cpu=auto
set 21 cpu=auto
set 22 cpu=auto
set 23 cpu=auto
set 24 cpu=auto
set 25 cpu=auto
set 26 cpu=auto
set 27 cpu=auto
set 28 cpu=auto
set 29 cpu=auto
set 30 cpu=auto
set 31 cpu=auto
set 32 cpu=auto
set 33 cpu=auto
set 34 cpu=auto
set 35 cpu=auto
set 36 cpu=auto
set 37 cpu=auto
set 38 cpu=auto
set 39 cpu=auto
set 40 cpu=auto
set 41 cpu=auto
set 42 cpu=auto
set 43 cpu=auto
set 44 cpu=auto
set 45 cpu=auto
set 46 cpu=auto
set 47 cpu=auto
set 48 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard mode-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=bootp force-backup-booter=no preboot-etherboot=disabled \
    preboot-etherboot-server=any protected-routerboot=disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-dst-ip-address="" filter-dst-ipv6-address="" \
    filter-dst-mac-address="" filter-dst-port="" filter-interface="" filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
    filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" filter-size="" filter-src-ip-address="" \
    filter-src-ipv6-address="" filter-src-mac-address="" filter-src-port="" filter-stream=no filter-vlan="" memory-limit=100KiB memory-scroll=yes \
    only-headers=no quick-rows=20 quick-show-frame=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0


CAP "4" (R403.CAP:UG.KELLER)
# model = RBwAPG-5HacD2HnD
# serial number = HFM09SMSG9E
/interface bridge
add admin-mac=D4:01:C3:04:F3:FF ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment=defconf dhcp-snooping=no disabled=no fast-forward=yes \
    forward-delay=15s igmp-snooping=no max-learned-entries=auto max-message-age=20s mtu=auto mvrp=no name=bridgeLocal port-cost-mode=long priority=0x8000 \
    protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=\
    auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:04:F3:FF mtu=1500 name=ether1 orig-mac-address=D4:01:C3:04:F3:FF rx-flow-control=off tx-flow-control=\
    off
set [ find default-name=ether2 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=\
    auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=D4:01:C3:04:F4:00 mtu=1500 name=ether2 orig-mac-address=D4:01:C3:04:F4:00 rx-flow-control=off tx-flow-control=\
    off
/queue interface
set bridgeLocal queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=auto name=default use-network-apn=yes \
    use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=D4:01:C3:04:F4:01 name=wifi1 \
    radio-mac=D4:01:C3:04:F4:01
# managed by CAPsMAN
set [ find default-name=wifi2 ] arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=no l2mtu=1560 mac-address=D4:01:C3:04:F4:02 name=wifi2 \
    radio-mac=D4:01:C3:04:F4:02
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=0.0.0.0:0 \
    install-hotspot-queue=no login-by=cookie,http-chap name=default smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=default \
    !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=8s dpd-maximum-failures=4 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=\
    default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default !outgoing-filter !parent-queue \
    !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default use-ipv6=yes use-mpls=default use-upnp=default \
    !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=yes use-ipv6=yes use-mpls=\
    default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
# managed by CAPsMAN
set wifi1 queue=wireless-default
# managed by CAPsMAN
set wifi2 queue=wireless-default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=bsd-syslog \
    target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api skin=default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=\
    none hw=yes ingress-filtering=yes interface=ether1 !internal-path-cost learn=auto multicast-router=temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=\
    none hw=yes ingress-filtering=yes interface=ether2 !internal-path-cost learn=auto multicast-router=temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s \
    tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=static discover-interval=30s lldp-mac-phy-config=no lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled lldp-vlan-info=no \
    mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=4096 rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes max-neighbor-entries=2048 \
    multipath-hash-policy=l3
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address default-profile=\
    default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 !l2tpv3-ether-interface-list \
    max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 \
    keepalive-timeout=60 mac-address=FE:C4:86:1A:0A:98 max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp push-routes="" redirect-gateway=disabled \
    reneg-sec=3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no keepalive-timeout=60 \
    max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi capsman
set enabled=no
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=bridgeLocal use-peer-dns=yes \
    use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB doh-max-concurrent-queries=50 doh-max-server-connections=5 \
    doh-timeout=5s max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 mdns-repeat-ifaces="" query-server-timeout=2s \
    query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no max-cache-object-size=\
    2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=:: parent-proxy-port=0 port=8080 \
    serialize-connections=no src-address=::
/ip service
set telnet address="" disabled=no max-sessions=20 port=23 vrf=main
set ftp address="" disabled=no max-sessions=20 port=21
set www address="" disabled=no max-sessions=20 port=80 vrf=main
set ssh address="" disabled=no max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 tls-version=any vrf=main
set api address="" disabled=no max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no max-sessions=20 port=8729 tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=flash/pub disabled=yes invalid-users="" name=pub read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=32k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes igmp-type=yes \
    in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=yes nat-dst-port=yes \
    nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes src-address=yes src-address-mask=yes src-mac-address=yes \
    src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all managed-address-configuration=no mtu=\
    unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=medium reachable-time=unspecified retransmit-interval=\
    unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" trap-version=1 \
    vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Vienna
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start="1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=R403.CAP:UG.KELLER
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=bootp force-backup-booter=no preboot-etherboot=disabled preboot-etherboot-server=any \
    protected-routerboot=disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-dst-ip-address="" filter-dst-ipv6-address="" filter-dst-mac-address="" \
    filter-dst-port="" filter-interface="" filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" \
    filter-operator-between-entries=or filter-port="" filter-size="" filter-src-ip-address="" filter-src-ipv6-address="" filter-src-mac-address="" \
    filter-src-port="" filter-stream=no filter-vlan="" memory-limit=100KiB memory-scroll=yes only-headers=no quick-rows=20 quick-show-frame=no \
    streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0


CAPSMAN:
# model = CRS328-24P-4S+
# serial number = HD508BTMHMH
/interface bridge
add admin-mac=18:FD:74:A8:66:F9 auto-mac=no comment=defconf name=BRIDGE1 port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether01 poe-out=off
set [ find default-name=ether2 ] name=ether02
set [ find default-name=ether3 ] name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06
set [ find default-name=ether7 ] name=ether07
set [ find default-name=ether8 ] name=ether08
set [ find default-name=ether9 ] name=ether09
set [ find default-name=ether24 ] advertise=1G-baseT-half,1G-baseT-full poe-out=off
/interface vlan
add interface=BRIDGE1 name=VLAN1-R403-intern vlan-id=1
add interface=ether01 name=VLAN2-R403-Heimautomatisierung vlan-id=1
add interface=ether17 name=gast vlan-id=1
/interface bonding
add name=Bond-MacPro slaves=ether07,ether08
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=no frequency=5180,5220,5745,5785 name=channel-5G width=20/40mhz-Ce
/interface wifi datapath
add bridge=BRIDGE1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=security-clients
add authentication-types=wpa2-psk disabled=no name=security-IoT
add authentication-types=wpa2-psk disabled=no name=security-AC
/interface wifi configuration
add channel=channel-5G country="United States" disabled=no mode=ap name=config-clients-5G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-clients-2G security=security-clients ssid=R403
add channel=channel-2G country="United States" disabled=no mode=ap name=config-IoT-2G security=security-IoT ssid=R403IoT
add channel=channel-2G country="United States" disabled=no mode=ap name=config-AC-2G security=security-AC ssid=R403AC
/interface wifi
# must specify passphrase for PSK
add configuration=config-clients-2G disabled=no name=cap-wifi1 radio-mac=D4:01:C3:04:F4:01
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:04:F4:01 master-interface=cap-wifi1 name=cap-wifi1-virtual1
add configuration=config-AC-2G disabled=no mac-address=D6:01:C3:04:F4:02 master-interface=cap-wifi1 name=cap-wifi1-virtual2
# must specify passphrase for PSK
add configuration=config-clients-5G disabled=no name=cap-wifi2 radio-mac=D4:01:C3:04:F4:02
# must specify passphrase for PSK
add configuration=config-clients-5G disabled=no name=cap-wifi3 radio-mac=D4:01:C3:97:B1:06
# must specify passphrase for PSK
add configuration=config-clients-5G disabled=no name=cap-wifi4 radio-mac=D4:01:C3:94:99:A1
# must specify passphrase for PSK
add configuration=config-clients-2G disabled=no name=cap-wifi5 radio-mac=D4:01:C3:94:99:A2
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:94:99:A2 master-interface=cap-wifi5 name=cap-wifi5-virtual1
add configuration=config-AC-2G disabled=no mac-address=D6:01:C3:94:99:A3 master-interface=cap-wifi5 name=cap-wifi5-virtual2
# must specify passphrase for PSK
add configuration=config-clients-5G disabled=no name=cap-wifi6 radio-mac=C4:AD:34:58:8A:AD
# must specify passphrase for PSK
add configuration=config-clients-2G disabled=no name=cap-wifi7 radio-mac=D4:01:C3:97:B1:07
add configuration=config-IoT-2G disabled=no mac-address=D6:01:C3:97:B1:07 master-interface=cap-wifi7 name=cap-wifi7-virtual1
add configuration=config-AC-2G disabled=no mac-address=D6:01:C3:97:B1:08 master-interface=cap-wifi7 name=cap-wifi7-virtual2
# must specify passphrase for PSK
add configuration=config-clients-2G disabled=no name=cap-wifi8 radio-mac=C4:AD:34:58:8A:AC
add configuration=config-IoT-2G disabled=no mac-address=C6:AD:34:58:8A:AC master-interface=cap-wifi8 name=cap-wifi8-virtual1
add configuration=config-AC-2G disabled=no mac-address=C6:AD:34:58:8A:AD master-interface=cap-wifi8 name=cap-wifi8-virtual2
/ip ipsec policy group
add name=group1
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,3des hash-algorithm=sha256
add dh-group=modp1536 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-192,aes-128 name=IPsec-Profile-comp
add dh-group=modp1024 dpd-interval=30s dpd-maximum-failures=3 enc-algorithm=aes-256,aes-192,aes-128 name=Private-S2S-VPNs
/ip ipsec peer
add address=hff0915c2k1.sn.mynetname.net name=G21 profile=Private-S2S-VPNs
add address=*****/32 name=comp profile=IPsec-Profile-comp 
/ip ipsec proposal
add auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-128-cbc,3des name=proposal-comp pfs-group=modp1536
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc name=proposal-R403 pfs-group=modp1536
/ip pool
add name=VLAN0-DHCP ranges=10.43.210.101-10.43.210.200
/ip dhcp-server
add add-arp=yes address-pool=VLAN0-DHCP authoritative=no interface=BRIDGE1 lease-time=23h name=DHCP-INTERN
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip smb
set domain=R403
/interface bridge port
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether01 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether02 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether03 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether04 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether05 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether06 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether09 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether11 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether12 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether13 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether14 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether15 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether19 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether20 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether21 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether22 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 comment=defconf ingress-filtering=no interface=ether23 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether16 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether17 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 ingress-filtering=no interface=ether18 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=BRIDGE1 interface=Bond-MacPro
add bridge=BRIDGE1 interface=sfp-sfpplus2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BRIDGE1 vlan-ids=1
/interface detect-internet
set detect-interface-list=WAN
/interface ethernet switch
set 0 name=SW1-OG
/interface list member
add interface=ether01 list=LAN
add interface=ether02 list=LAN
add interface=ether03 list=LAN
add interface=ether04 list=LAN
add interface=ether05 list=LAN
add interface=ether06 list=LAN
add interface=ether07 list=LAN
add interface=ether08 list=LAN
add interface=ether09 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=BRIDGE1 list=LAN
add interface=ether24 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifi capsman
set enabled=yes interfaces=BRIDGE1 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=config-clients-2G slave-configurations=config-IoT-2G,config-AC-2G supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=config-clients-5G supported-bands=5ghz-ac
add action=create-enabled disabled=no master-configuration=config-clients-2G slave-configurations=config-IoT-2G,config-AC-2G supported-bands=2ghz-n
/ip address
add address=10.43.210.254/24 comment=defconf interface=BRIDGE1 network=10.43.210.0
add address=93.83.243.146/30 interface=ether24 network=93.83.243.144
add address=10.43.220.254/24 interface=gast network=10.43.220.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-server lease
add address=10.43.210.188 comment="Jal EG Wirtschaftsraum" mac-address=48:E1:E9:A9:55:DB server=DHCP-INTERN
add address=10.43.210.34 client-id=1:dc:a9:4:88:53:ba comment="MacBook Erik" mac-address=DC:A9:04:88:53:BA server=DHCP-INTERN
add address=10.43.210.181 comment="Jal OG Buero" mac-address=48:E1:E9:A9:59:97 server=DHCP-INTERN
add address=10.43.210.182 comment="Jal OG Schlafzimmer" mac-address=48:E1:E9:A2:4B:90 server=DHCP-INTERN
add address=10.43.210.183 comment="Jal OG Balkon" mac-address=48:E1:E9:A9:6B:99 server=DHCP-INTERN
add address=10.43.210.184 comment="Jal EG Veranda" mac-address=48:E1:E9:A2:4E:F6 server=DHCP-INTERN
add address=10.43.210.185 comment="Jal EG Kueche Sued" mac-address=48:E1:E9:A9:54:76 server=DHCP-INTERN
add address=10.43.210.186 comment="Jal EG Kueche West" mac-address=48:E1:E9:A9:51:6B server=DHCP-INTERN
add address=10.43.210.187 comment="Jal EG Wohnzimmer Nord" mac-address=48:E1:E9:A9:6A:93 server=DHCP-INTERN
add address=10.43.210.189 comment="Jal EG Wohnzimmer West" mac-address=48:E1:E9:A9:60:5B server=DHCP-INTERN
add address=10.43.210.201 comment="SWITCH HP ARUBA2530 48 POE OG" mac-address=A0:1D:48:34:0A:00 server=DHCP-INTERN
add address=10.43.210.35 comment=MacPro6 mac-address=00:3E:E1:BD:F9:55 server=DHCP-INTERN
add address=10.43.210.100 client-id=1:f0:92:1c:e7:4c:90 mac-address=F0:92:1C:E7:4C:90 server=DHCP-INTERN
add address=10.43.210.203 mac-address=48:A9:8A:47:38:14 server=DHCP-INTERN
add address=10.43.210.91 client-id=1:4:79:b7:b0:1a:f1 comment="Wechselrichter Kostal" mac-address=04:79:B7:B0:1A:F1 server=DHCP-INTERN
add address=10.43.210.92 client-id=1:0:d0:93:4d:41:11 mac-address=00:D0:93:4D:41:11 server=DHCP-INTERN
add address=10.43.210.212 client-id=1:d4:1:c3:94:99:9f mac-address=D4:01:C3:94:99:9F server=DHCP-INTERN
add address=10.43.210.214 client-id=1:d4:1:c3:97:b1:4 mac-address=D4:01:C3:97:B1:04 server=DHCP-INTERN
add address=10.43.210.211 client-id=1:c4:ad:34:58:8a:aa mac-address=C4:AD:34:58:8A:AA server=DHCP-INTERN
add address=10.43.210.213 client-id=1:d4:1:c3:4:f3:ff mac-address=D4:01:C3:04:F3:FF server=DHCP-INTERN
add address=10.43.210.3 client-id=1:0:8:9b:c3:cb:93 mac-address=00:08:9B:C3:CB:93 server=DHCP-INTERN
add address=10.43.210.2 client-id=1:0:8:9b:f1:be:ba mac-address=00:08:9B:F1:BE:BA server=DHCP-INTERN
add address=10.43.210.18 mac-address=F0:92:1C:E7:42:0F server=DHCP-INTERN
/ip dhcp-server network
add address=10.43.210.0/24 dns-server=10.43.210.1,10.43.210.11,8.8.8.8,192.168.121.201 domain=r403.local gateway=10.43.210.254 ntp-server=10.43.210.254
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=4443,8291 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=forward disabled=yes dst-address=192.168.0.0/16 src-address=10.43.210.0/24
add action=drop chain=forward disabled=yes dst-address=10.43.210.0/24 src-address=192.168.10.0/24
add action=accept chain=forward dst-address=10.43.210.0/24 src-address=10.21.0.0/24
add action=accept chain=forward dst-address=10.21.0.0/24 src-address=10.43.210.0/24
add action=accept chain=forward dst-address=10.43.210.1 dst-port=443 protocol=tcp src-port=443
add action=accept chain=forward dst-address=213.33.98.136 dst-port=53 protocol=udp
add action=accept chain=input dst-address=10.43.210.2 dst-port=5000 in-interface-list=WAN protocol=tcp
add action=accept chain=forward dst-address=10.43.210.1 dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept in ipsec policy" in-interface=all-ppp ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input in-interface=ether24 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether24 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=dstnat dst-address=10.43.210.11 dst-port=443 in-interface=ether24 protocol=tcp
/ip firewall nat
add action=accept chain=srcnat dst-address=10.21.0.0/24 src-address=10.43.210.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=10.43.210.0/24
add action=dst-nat chain=dstnat comment="Forwarding rule" dst-port=5000 in-interface-list=WAN protocol=tcp src-port="" to-addresses=10.43.210.2 to-ports=5000
add action=masquerade chain=srcnat out-interface=ether24
/ip ipsec identity
add peer=G21
add comment=** mode-config=request-only peer=comp
/ip ipsec policy
set 0 disabled=yes proposal=proposal-comp
add dst-address=192.168.10.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.121.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.122.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.70.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
add dst-address=10.21.0.0/24 peer=G21 proposal=proposal-R403 src-address=10.43.210.0/24 tunnel=yes
add dst-address=192.168.50.0/24 level=unique peer=comp proposal=proposal-comp src-address=10.43.210.0/24 tunnel=yes
/ip proxy
set max-cache-size=100000KiB
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=93.83.243.145 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/8
set ssh address=10.0.0.0/8
set www-ssl address=10.0.0.0/8 certificate=cert1 disabled=no port=8443
set winbox address=10.0.0.0/8
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=SW.OG.1
/system logging
add topics=debug,dhcp
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=178.189.127.148
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add

Last edited by toolongformt on Sat Oct 26, 2024 2:27 pm, edited 12 times in total.
 
toolongformt
Topic Author

Re: bst configuration with capsman for 2 different accesspoints

Sat Oct 26, 2024 12:16 am

It's almost default, but with removed datapath option and manually added bridge ports. It is for sure causing issues with slave interfaces.
Do you have an explanation why adding ports (which is based on a hint in this forum) is the reason for my PC to choose 2.4 GHz instead of 5?
You wrote that it's a cause for failures, so... which cause is that?
 
toolongformt
Topic Author

Re: bst configuration with capsman for 2 different accesspoints

Sat Oct 26, 2024 11:27 am

Not current and important anymore, but I cannot delete it.
Last edited by toolongformt on Sat Oct 26, 2024 2:25 pm, edited 1 time in total.
 
toolongformt
Topic Author

Re: bst configuration with capsman for 2 different accesspoints

Sat Oct 26, 2024 1:56 pm

Now I have cleaned up capsman, threw everything out and put in your config.
All APs say "SSID not set".
I did what you told me, I shall not change any other settings.
No surprise, my complete IoT devices are offline, in the meantime I will reset them to factory defaults.
Until I get a new response I plug in my Cisco access points, I need wifi (at least for phones and iPads), and I won't do anything on this config until your next instructions... ;)
 
toolongformt
Topic Author

Re: bst configuration with capsman for 2 different accesspoints

Sat Oct 26, 2024 7:47 pm

We will stop here; or, at least, I want to ask you to stop any further attempts to "help" me...

My desktop PC slowed down its connection to 1.000 Kps (!!)
My IoT devices still don't have a connection (how could they, you let me delete my WPA2 config)

I will recover the WPA settings now and remove the wifi for high speed.
It's just not working, and I see no reason to believe that someone will get more than constant and stable 300 Mbps out of those devices.
