Fri Dec 10, 2010 10:00 am
Fewi,
Here is the configuration script as it is after all firewalls were removed. A bit long and intimidating for me at my level.
I have done some prelim testing of the current configuration with a different app than Iperf which I have not been able to install on my Windows so far.
Rather than posting them here at this stage without a comparison, I want to wait until after your feedback on the attached script; I will then run some more testing and forward both sets of results. It makes more sense to me this way.
Thank you for your interest, Fewi.
# dec/10/2010 18:26:29 by RouterOS 4.2
# software id =
#
# RouterOS 4.2 export (system identity MktRB450G, see /system identity below).
# Every /ip firewall filter rule in this export is disabled=yes and there is no
# input-chain rule, so the management services and helpers flagged below are
# reachable from any interface, including ether1 (the DHCP-client uplink).
/interface bridge
# NOTE(review): bridge1 is disabled=yes, yet /ip dhcp-server server1 and several
# /interface bridge port entries below reference it -- confirm this is intended.
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
comment="" disabled=yes forward-delay=15s max-message-age=20s mtu=1500 \
name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface ethernet
# ether1 = uplink to modem (gets its address via /ip dhcp-client below);
# ether2/ether3 = links to the HP switch (VLANs hang off ether2);
# ether4 = link to the wireless RB411A; ether5 = spare.
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"Router link to Modem" disabled=no full-duplex=yes l2mtu=1524 \
mac-address=00:0C:42:53:FB:43 master-port=none mtu=1500 name=ether1 \
speed=1Gbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"Router link to HP Procurce 1810G-24" disabled=no full-duplex=yes l2mtu=\
1524 mac-address=00:0C:42:53:FB:44 master-port=none mtu=1500 name=ether2 \
speed=1Gbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"2nd Router link to HP Procurve 1810G-24" disabled=no full-duplex=yes \
l2mtu=1524 mac-address=00:0C:42:53:FB:45 master-port=none mtu=1500 name=\
ether3 speed=1Gbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"Router link to Wireless RB411A" disabled=no full-duplex=yes l2mtu=1524 \
mac-address=00:0C:42:53:FB:46 master-port=none mtu=1500 name=ether4 \
speed=1Gbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
Spare disabled=no full-duplex=yes l2mtu=1524 mac-address=\
00:0C:42:53:FB:47 master-port=none mtu=1500 name=ether5 speed=1Gbps
/interface vlan
# Five 802.1Q VLANs (101-105), all tagged on ether2; each gets a /27 in
# /ip address below.
add arp=enabled comment="Mgt VLAN" disabled=no interface=ether2 l2mtu=1520 \
mtu=1500 name=VL-101 use-service-tag=no vlan-id=101
add arp=enabled comment="Game Consoles" disabled=no interface=ether2 l2mtu=\
1520 mtu=1500 name=VL-103 use-service-tag=no vlan-id=103
add arp=enabled comment=VoIP disabled=no interface=ether2 l2mtu=1520 mtu=1500 \
name=VL-104 use-service-tag=no vlan-id=104
add arp=enabled comment="David VLAN" disabled=no interface=ether2 l2mtu=1520 \
mtu=1500 name=VL-102 use-service-tag=no vlan-id=102
add arp=enabled comment="For printer" disabled=no interface=ether2 l2mtu=1520 \
mtu=1500 name=VL-105 use-service-tag=no vlan-id=105
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1 \
switch-all-ports=yes
/interface wireless security-profiles
# Default profile with mode=none and empty keys. No wireless interface
# appears in this export, so it is presumably unused on this box -- confirm.
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
group-key-update=5m interim-update=0s management-protection=disabled \
management-protection-key="" mode=none name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" \
wpa2-pre-shared-key=""
/ip dhcp-server
# Only DHCP server in the export: hands out static leases only
# (address-pool=static-only) on bridge1, which is disabled above.
add add-arp=yes address-pool=static-only authoritative=after-2sec-delay \
bootp-support=static disabled=no interface=bridge1 lease-time=3d name=\
server1
/ip hotspot profile
# Default hotspot profiles; no hotspot server is defined in this export.
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=\
1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
# Default proposal (3des/sha1/modp1024). No IPsec peers or policies appear in
# this export, so it is presumably inactive; if IPsec is ever enabled, move
# to AES and a stronger PFS group.
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip pool
# dhcp_pool1..3 are single addresses; none of these pools is referenced by
# the DHCP server above (it uses static-only).
add name=dhcp_pool1 ranges=192.168.104.11
add name=dhcp_pool3 ranges=192.168.103.11
add name=dhcp_pool2 ranges=192.168.102.11
add name=dhcp_pool4 ranges=192.168.105.2-192.168.105.30
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
stop-bits=1
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
only-one=default use-compression=default use-encryption=yes \
use-vj-compression=default
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set default-small kind=pfifo name=default-small pfifo-limit=10
/queue simple
# Priority-1 queues for packets marked VoIP-SIP / VoIP-RTP by the mangle
# rules below (DSCP 26 and 46); no rate limits are applied (max-limit=0/0).
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=0/0 name=VoIP-SIP packet-marks=VoIP-SIP parent=none \
priority=1 queue=default-small/default-small total-queue=default-small
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
0/0 max-limit=0/0 name=VoIP-RTP packet-marks=VoIP-RTP parent=none \
priority=1 queue=default-small/default-small total-queue=default-small
/routing bgp instance
# Default routing instances (BGP/OSPF/RIP/MME); nothing is redistributed and
# no peers or networks are defined in this export.
set default as=65530 client-to-client-reflection=yes comment="" disabled=no \
ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
redistribute-static=no router-id=0.0.0.0
/routing ospf instance
set default comment="" disabled=no distribute-default=never in-filter=ospf-in \
metric-bgp=auto metric-connected=20 metric-default=1 metric-other-ospf=\
auto metric-rip=20 metric-static=20 name=default out-filter=ospf-out \
redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing ospf area
set backbone area-id=0.0.0.0 comment="" disabled=no instance=default name=\
backbone type=default
/snmp
# SNMP is enabled (enabled=yes) with the default "public" community below,
# read-access=yes, security=none and address=0.0.0.0/0. With every filter
# rule disabled, the community is readable from any interface including
# ether1. Disable SNMP if unused, or restrict address= to the management
# VLAN (192.168.101.0/27) and rename the community.
set contact="" enabled=yes engine-boots=27 engine-id="" location="" \
time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=0.0.0.0/0 authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
/system logging action
# Logging targets: memory (100 lines), disk, echo. The "remote" action points
# at 0.0.0.0:514 and is not used by any /system logging rule below.
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote=0.0.0.0:514 src-address=0.0.0.0 \
syslog-facility=daemon syslog-severity=auto target=remote
/system routerboard settings
# NOTE(review): this `set` is emitted twice with identical values; looks like
# an export artifact. enable-jumper-reset=yes allows a physical reset to
# defaults, which is normal for a home device.
set baud-rate=115200 boot-delay=2s boot-device=nand-only boot-protocol=bootp \
cpu-frequency=680MHz enable-jumper-reset=yes enter-setup-on=any-key \
force-backup-booter=no
set baud-rate=115200 boot-delay=2s boot-device=nand-only boot-protocol=bootp \
cpu-frequency=680MHz enable-jumper-reset=yes enter-setup-on=any-key \
force-backup-booter=no
/user group
# Stock read/write/full groups. Note "sensitive" is granted even to the
# read group; /user aaa below defaults new users to "read".
add comment="" name=read policy="local,telnet,ssh,reboot,read,test,winbox,pass\
word,web,sniff,sensitive,!ftp,!write,!policy"
add comment="" name=write policy="local,telnet,ssh,reboot,read,write,test,winb\
ox,password,web,sniff,sensitive,!ftp,!policy"
add comment="" name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy\
,test,winbox,password,web,sniff,sensitive"
/interface bridge port
# Only ether4 and VL-101 are enabled ports on bridge1; the others (including
# the ether1 uplink and ether2 trunk) are disabled=yes.
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether4 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=yes edge=auto external-fdb=auto \
horizon=none interface=VL-102 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=VL-101 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=yes edge=auto external-fdb=auto \
horizon=none interface=VL-103 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=yes edge=auto external-fdb=auto \
horizon=none interface=VL-104 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=yes edge=auto external-fdb=auto \
horizon=none interface=ether1 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=yes edge=auto external-fdb=auto \
horizon=none interface=ether2 path-cost=10 point-to-point=auto priority=\
0x80
/interface bridge settings
# Bridged traffic is passed through the IP firewall (use-ip-firewall=yes),
# which only matters once filter rules are re-enabled.
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=yes
/interface ethernet switch port
# "(unknown)" port names are an artifact of the export on this version.
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
/interface l2tp-server server
# L2TP, OpenVPN and PPTP servers are all enabled=no.
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:00:0D:BC:FE:16 \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
# One /27 per VLAN: 192.168.101-105.0/27, router is .1 in each.
add address=192.168.101.1/27 broadcast=192.168.101.31 comment="" disabled=no \
interface=VL-101 network=192.168.101.0
add address=192.168.102.1/27 broadcast=192.168.102.31 comment="" disabled=no \
interface=VL-102 network=192.168.102.0
add address=192.168.103.1/27 broadcast=192.168.103.31 comment="" disabled=no \
interface=VL-103 network=192.168.103.0
add address=192.168.104.1/27 broadcast=192.168.104.31 comment="" disabled=no \
interface=VL-104 network=192.168.104.0
add address=192.168.105.1/27 broadcast=192.168.105.31 comment="" disabled=no \
interface=VL-105 network=192.168.105.0
/ip dhcp-client
# ether1 is the WAN side: DHCP client installs the default route and takes
# the upstream DNS/NTP servers.
add add-default-route=yes comment="" default-route-distance=0 disabled=no \
interface=ether1 use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server lease
# Single static lease on the management VLAN.
add address=192.168.101.11 comment="" disabled=no mac-address=\
00:60:B0:CC:8B:D6 use-src-mac=yes
/ip dns
# allow-remote-requests=yes turns on the DNS cache for clients. Because no
# input-chain filter rule exists in this export, the resolver also answers
# queries arriving on ether1; add an input rule dropping udp/tcp 53 from the
# uplink (or restrict it) before re-enabling the firewall.
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 primary-dns=61.9.134.49 secondary-dns=\
61.9.133.193
/ip firewall address-list
# Hosts subject to the time-of-day drop rules below (DFBlck / "Study PCs").
add address=192.168.102.2 comment=Centurion disabled=no list=DFBlck
add address=192.168.101.26 comment="HP 2023" disabled=no list=DFBlck
add address=192.168.103.2 comment=Wii disabled=no list=DFBlck
add address=192.168.103.3 comment=XBox disabled=no list=DFBlck
add address=192.168.101.8 comment="DF_Studio Switch" disabled=no list=DFBlck
add address=192.168.103.5 comment=SonyTV disabled=no list=DFBlck
add address=192.168.103.6 comment=PS3 disabled=no list=DFBlck
add address=192.168.101.9 comment=XCube disabled=no list=DFBlck
add address=192.168.101.29 comment="Nokia E65" disabled=no list=DFBlck
add address=192.168.101.7 comment=Cmaster disabled=no list="Study PCs"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Every rule below is disabled=yes and all are in the forward chain; there is
# no input chain, so the router itself is unprotected while testing. When
# re-enabling, the usual order is established/related accept first, then the
# invalid drop, then the scheduled drops -- here the accepts come last.
add action=drop chain=forward comment="Invalid Connections" connection-state=\
invalid disabled=yes
add action=drop chain=forward comment="Morningblk _DF" disabled=yes \
src-address-list=DFBlck time=0s-5h15m,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Morningblk_ Study" disabled=yes \
src-address-list="Study PCs" time=0s-5h15m,mon,tue,wed,thu,fri
add action=drop chain=forward comment=NightBlk disabled=yes src-address-list=\
DFBlck time=23h45m-1d,sun,mon,tue,wed,thu
add action=drop chain=forward comment="Drop Connection fr Bridge to VoIP" \
disabled=yes in-interface=bridge1 out-interface=VL-104
add action=drop chain=forward comment="Drop Connection fr VoIP to Bridge" \
disabled=yes in-interface=VL-104 out-interface=bridge1
add action=accept chain=forward comment="Established Connections" \
connection-state=established disabled=yes
add action=accept chain=forward comment="Related connections" \
connection-state=related disabled=yes
/ip firewall mangle
# Tag SIP (DSCP 26) and RTP (DSCP 46) packets for the VoIP simple queues.
add action=mark-packet chain=prerouting comment="" disabled=no dscp=26 \
new-packet-mark=VoIP-SIP passthrough=yes
add action=mark-packet chain=prerouting comment="" disabled=no dscp=46 \
new-packet-mark=VoIP-RTP passthrough=yes
/ip firewall nat
# Active NAT: masquerade everything leaving ether1. The second (disabled)
# rule is a src-address variant of the same thing.
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
ether1
add action=masquerade chain=srcnat comment="" disabled=yes src-address=\
192.168.0.0/16
/ip firewall service-port
# Connection-tracking helpers (ALGs) are all enabled; only SIP is clearly
# needed for the VoIP VLAN -- the others can be disabled if unused.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
# MNDP/CDP discovery is on for ether1 as well, so the router advertises
# itself towards the modem/ISP side; consider discover=no on ether1.
set ether1 discover=yes
set ether2 discover=yes
set ether3 discover=yes
set ether4 discover=yes
set ether5 discover=yes
set VL-101 discover=yes
set VL-103 discover=yes
set VL-104 discover=yes
set VL-102 discover=yes
set bridge1 discover=yes
set VL-105 discover=no
/ip proxy
# Web proxy, SOCKS, traffic-flow and UPnP are all enabled=no.
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
0.0.0.0
/ip service
# Only www (plain HTTP, port 80) and winbox (8291) are enabled, and both are
# bound to address=0.0.0.0/0. Without an input filter they are reachable from
# ether1; set address=192.168.101.0/27 (the Mgt VLAN) on both, or enable
# www-ssl and disable www.
set telnet address=0.0.0.0/0 disabled=yes port=23
set ftp address=0.0.0.0/0 disabled=yes port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=yes port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
# MPLS/LDP defaults; LDP is enabled=no.
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
add comment="" disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
use-explicit-null=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
set VL-101 queue=default
set VL-103 queue=default
set VL-104 queue=default
set VL-102 queue=default
set bridge1 queue=default
set VL-105 queue=default
/radius incoming
set accept=no port=3799
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no \
routing-table=main timeout-timer=3m update-timer=30s
/store
add comment="" disabled=no disk=system name=web-proxy1 type=web-proxy
/system clock
set time-zone-name=Australia/Melbourne
/system clock manual
# Manual DST dates are from 2009/2010; presumably superseded by the named
# time zone above -- confirm they are not in effect.
set dst-delta=+01:00 dst-end="apr/04/2010 03:00:00" dst-start=\
"oct/04/2009 02:00:00" time-zone=+10:00
/system console
add disabled=no port=serial0 term=vt102
/system health
set
/system identity
set name=MktRB450G
/system logging
# info/error/warning go to memory (100 lines, see logging action above);
# critical is echoed to the console. Nothing is sent off-box.
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=128.105.39.11 secondary-ntp=\
128.105.39.12
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=yes
/tool bandwidth-server
# Bandwidth-test server is enabled=yes (authenticated); with no input filter
# it is reachable on every interface. Disable when not testing.
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
100
/tool e-mail
set from=<> password="" server=0.0.0.0:25 username=""
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
# Interface graphs are viewable from allow-address=0.0.0.0/0 via the www
# service above; restrict to the management VLAN if the graphs stay on.
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
/tool mac-server
# MAC-level telnet/winbox server and MAC ping are enabled on interface=all,
# which includes the ether1 uplink; limit this to the LAN-side interfaces.
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=\
yes interface=all memory-limit=10 memory-scroll=no only-headers=no \
streaming-enabled=no streaming-server=0.0.0.0
/user aaa
# New local users default to the "read" group; RADIUS is not used.
set accounting=yes default-group=read interim-update=0s use-radius=no