Hello everyone,
I was hoping someone could help me with configuring VLANs on CRS for Ubiquiti APs. I come from cisco and the concept of VLANs on MikroTik is still a bit confusing for me. My scenario is following: I have one CRS125 acting as gateway for entire network. Then I have 3 UniFi APs, each broadcasting two SSIDs, "Users" and "Guests". I want to separate Guest traffic using VLANs. Let's say I want to have Two VLANs, VLAN10 for Users and VLAN 20 for Guests. Ath this point, there is no need for management VLAN, so the APs should be part of VLAN10. The guestion is how to setup the hybrid trunk ports connecting the AP. A suppose that the VLAN10 traffic should be untagged on these ports and VLAN20 traffic tagged. The untagged traffic comming from APs (Users WLAN and AP management traffic) would become part of VLAN10. Could anyone show me how to achieve this? Thank you for any advice.
-
-
mpreissner
Member
- Posts: 357
- Joined:
- Location: Columbia, MD
Re: Configuring VLANs on CRS for Ubiquiti
Set up switch port to allow traffic with desired VLAN tags:
/interface ethernet switch vlan add ports=ethXX,ethXX,... vlan-id=10 learn=yes
/interface ethernet switch vlan add ports=ethXX,ethXX,... vlan-id=20 learn=yes
Set up ingress vlan translation to treat untagged traffic as tagged:
/interface ethernet switch ingress-vlan-translation add ports=ethXX,ethXX,... customer-vlan-format=untagged-or-tagged customer-vid=0 new-customer=vid=10 sa-learning=yes
Set up egress vlan tagging to handle tagged traffic returning to the AP:
/interface ethernet switch egress-vlan-tag add vlan-id=20 tagged-ports=ethXX,ethXX,...
Since you're familiar with Cisco, it's just like setting up a converged VoIP port...you have to set up the port to handle tagged and untagged traffic. In MikroTik, ingress vlan translation is the same as Cisco PVID. Assuming the rest of your switch VLAN is set up and you've got appropriate routes and firewall rules configured, as well as a properly configured UniFi AP, this should get things working as expected.
/interface ethernet switch vlan add ports=ethXX,ethXX,... vlan-id=10 learn=yes
/interface ethernet switch vlan add ports=ethXX,ethXX,... vlan-id=20 learn=yes
Set up ingress vlan translation to treat untagged traffic as tagged:
/interface ethernet switch ingress-vlan-translation add ports=ethXX,ethXX,... customer-vlan-format=untagged-or-tagged customer-vid=0 new-customer=vid=10 sa-learning=yes
Set up egress vlan tagging to handle tagged traffic returning to the AP:
/interface ethernet switch egress-vlan-tag add vlan-id=20 tagged-ports=ethXX,ethXX,...
Since you're familiar with Cisco, it's just like setting up a converged VoIP port...you have to set up the port to handle tagged and untagged traffic. In MikroTik, ingress vlan translation is the same as Cisco PVID. Assuming the rest of your switch VLAN is set up and you've got appropriate routes and firewall rules configured, as well as a properly configured UniFi AP, this should get things working as expected.
Re: Configuring VLANs on CRS for Ubiquiti
Thank you for your advice. After few hours I finally get tagged traffic as desired. Untagged traffic from APs becomes tagged as VLAN10 and when returning to APs, the tags are stripped with egress-vlan-translation. Both VLANs include switch-cpu interface. Then there are two VLAN interfaces, VLAN Home (10) and VLAN Guest (20). These have IP addresses and DHCP servers running on them.
So far so good.
BUT: The connection to the outside network keeps dropping for some reason. About 50 ping to google's DNS are fine, next 50 ping timeout and so on. If I run ping directly from CRS, everything is ok, all ping return in about 20ms. If I choose one of the VLAN interfaces as source for ping, no ping returns, ever. Originally I thought it might have had something to do with DHCP client on Gateway interface, but it also happens with statically assigned IP and default route. So I guess the issue is somewhere in the switch configuration, even though I have no idea what might cause this behavior. Here is the output of my /interface ethernet configuration. I have no firewall rules applied, nor quees or anything yet. Only simple masquerade on outgoing interface.
Any ideas on this matter, please?
IP addresses configuration and NAT
So far so good.
BUT: The connection to the outside network keeps dropping for some reason. About 50 ping to google's DNS are fine, next 50 ping timeout and so on. If I run ping directly from CRS, everything is ok, all ping return in about 20ms. If I choose one of the VLAN interfaces as source for ping, no ping returns, ever. Originally I thought it might have had something to do with DHCP client on Gateway interface, but it also happens with statically assigned IP and default route. So I guess the issue is somewhere in the switch configuration, even though I have no idea what might cause this behavior. Here is the output of my /interface ethernet configuration. I have no firewall rules applied, nor quees or anything yet. Only simple masquerade on outgoing interface.
Any ideas on this matter, please?
Code: Select all
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether4,ether5,ether6,switch1-cpu vlan-id=10
add tagged-ports=ether4,ether5,ether6,switch1-cpu vlan-id=20Code: Select all
/interface ethernet switch egress-vlan-translation
add customer-vid=10 customer-vlan-format=untagged-or-tagged new-customer-vid=0 \
ports=ether4,ether5,ether6 service-vlan-format=untagged-or-taggedCode: Select all
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports="ether4,ether5,ether6,ether7,ether8\
,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ethe\
r18,ether19,ether20,ether21,ether22,ether23,ether24" sa-learning=noCode: Select all
/interface ethernet switch port
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"Code: Select all
/interface ethernet switch vlan
add learn=no ports="ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,et\
her12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether2\
1,ether22,ether23,ether24,switch1-cpu" vlan-id=10
add learn=no ports=ether4,ether5,ether6,switch1-cpu vlan-id=20Code: Select all
/ip address
add address=10.0.1.1/24 comment=Management interface=ether3 network=10.0.1.0
add address=10.0.0.1/24 comment="Home Network" interface="VLAN Home" network=10.0.0.0
add address=10.0.2.1/24 comment="Guest Network" interface="VLAN Guest" network=10.0.2.0
-
-
mpreissner
Member
- Posts: 357
- Joined:
- Location: Columbia, MD
Re: Configuring VLANs on CRS for Ubiquiti
I've never had to use egress-vlan-translation to get my Ubiquiti AP's working correctly, so I'm not sure why you did. As far as you WAN connection dropping, it does seem to be something in the routing. One thing to remember is that while the CRS does have routing capabilities, it's weak CPU limits those capabilities greatly. The CRS was never truly intended to be used as a router, but rather as a managed switch, despite MT's advertisements calling it a "perfect SOHO router".
Can't really tell much from the code you've posted. Need to see the whole config. Run an export and post the whole thing up here and maybe we can help you figure it out.
Can't really tell much from the code you've posted. Need to see the whole config. Run an export and post the whole thing up here and maybe we can help you figure it out.
Re: Configuring VLANs on CRS for Ubiquiti
Thank you for pointing out the egress-vlan-translation thing. I read somewhere that without this, tagged traffic is send back to access ports... I deleted egress-vlan-translation and egress-vlan-tagging for VLAN10 for Ubiquiti ports and suddenly everything seems to be working great. Of 4000 pings only two got lost (and that's probably because of my wireless WAN connectivity in my lab). Thank you! One last thing.. Any idea why I can't get reply to pings originating from VLAN interface? Just currious.
Here is the complete config in case anyone had the same problems:
Here is the complete config in case anyone had the same problems:
Code: Select all
# jul/06/2016 11:19:22 by RouterOS 6.35.4
# software id = R8PL-GH4X
#
/interface ethernet
set [ find default-name=ether1 ] comment="Gateway Primary"
set [ find default-name=ether2 ] comment="Gateway Secondary"
set [ find default-name=ether3 ] comment=Management
set [ find default-name=ether4 ] comment="Master Local & UniFi AP 1"
set [ find default-name=ether5 ] comment="UniFi AP 2" master-port=ether4
set [ find default-name=ether6 ] comment="UniFi AP 3" master-port=ether4
set [ find default-name=ether7 ] master-port=ether4
set [ find default-name=ether8 ] master-port=ether4
set [ find default-name=ether9 ] master-port=ether4
set [ find default-name=ether10 ] master-port=ether4
set [ find default-name=ether11 ] master-port=ether4
set [ find default-name=ether12 ] master-port=ether4
set [ find default-name=ether13 ] master-port=ether4
set [ find default-name=ether14 ] master-port=ether4
set [ find default-name=ether15 ] master-port=ether4
set [ find default-name=ether16 ] master-port=ether4
set [ find default-name=ether17 ] master-port=ether4
set [ find default-name=ether18 ] master-port=ether4
set [ find default-name=ether19 ] master-port=ether4
set [ find default-name=ether20 ] master-port=ether4
set [ find default-name=ether21 ] master-port=ether4
set [ find default-name=ether22 ] master-port=ether4
set [ find default-name=ether23 ] master-port=ether4
set [ find default-name=ether24 ] master-port=ether4
/ip neighbor discovery
set ether1 comment="Gateway Primary"
set ether2 comment="Gateway Secondary"
set ether3 comment=Management
set ether4 comment="Master Local & UniFi AP 1"
set ether5 comment="UniFi AP 2"
set ether6 comment="UniFi AP 3"
/interface vlan
add interface=ether4 name="VLAN Guest" vlan-id=20
add interface=ether4 name="VLAN Home" vlan-id=10
/ip pool
add name="POOL Home" ranges=10.0.0.100-10.0.0.200
add name="POOL Management" ranges=10.0.1.20-10.0.1.50
add name="Pool Guest" ranges=10.0.2.10-10.0.2.254
/ip dhcp-server
add add-arp=yes address-pool="POOL Home" authoritative=yes disabled=no \
interface="VLAN Home" lease-time=12h name="DHCP Home"
add address-pool="Pool Guest" authoritative=yes disabled=no interface=\
"VLAN Guest" lease-time=30m name="DHCP Guest"
add address-pool="POOL Management" authoritative=yes disabled=no interface=\
ether3 lease-time=1h name="DHCP Management"
/queue simple
add disabled=yes name=Parent target=""
add disabled=yes max-limit=1M/5M name="Guest Limit" parent=Parent target=\
"VLAN Guest"
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=10
add tagged-ports=ether4,ether5,ether6,switch1-cpu vlan-id=20
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports="ether4,ether5,ether6,ether7,ethe\
r8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,\
ether18,ether19,ether20,ether21,ether22,ether23,ether24" sa-learning=no
/interface ethernet switch port
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
/interface ethernet switch vlan
add learn=no ports="ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,\
ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,et\
her21,ether22,ether23,ether24,switch1-cpu" vlan-id=10
add learn=no ports=ether4,ether5,ether6,switch1-cpu vlan-id=20
/ip address
add address=10.0.1.1/24 comment=Management interface=ether3 network=10.0.1.0
add address=10.0.0.1/24 comment="Home Network" interface="VLAN Home" network=\
10.0.0.0
add address=10.0.2.1/24 comment="Guest Network" interface="VLAN Guest" \
network=10.0.2.0
add address=192.168.1.115/24 interface=ether1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="Primary Gateway DHCP" dhcp-options=hostname,clientid interface=\
ether1 use-peer-dns=no use-peer-ntp=no
add comment="Secondary Gateway DHCP" default-route-distance=2 dhcp-options=\
hostname interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.0.13 always-broadcast=yes client-id=1:44:d9:e7:dc:d0:16 \
comment="UniFi AP 3" mac-address=44:D9:E7:DC:D0:16 server="DHCP Home"
/ip dhcp-server network
add address=10.0.0.0/24 comment="Home Network" dns-server=10.0.0.1 domain=\
home.zapletal gateway=10.0.0.1 netmask=24 ntp-server=10.0.0.1
add address=10.0.1.0/24 comment="Management Network" dns-server=10.0.1.1 \
domain=management.zapletal gateway=10.0.1.1 netmask=24 ntp-server=\
10.0.1.1
add address=10.0.2.0/24 comment="Guest Network" dns-server=10.0.2.1 domain=\
guest.zapletal gateway=10.0.2.1 netmask=24 ntp-server=10.0.2.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=\
8.8.8.8,8.8.4.4
/ip firewall filter
add chain=input connection-state=established,related in-interface=ether1
add chain=forward connection-state=established,related in-interface=ether1
add chain=input connection-state=established,related in-interface=ether2
add chain=forward connection-state=established,related in-interface=ether2
add chain=input comment="WinBox, SSH" dst-port=8291,20022 in-interface=ether1 \
protocol=tcp
add chain=input comment="WinBox, SSH" dst-port=8291,20022 in-interface=ether2 \
protocol=tcp
add action=drop chain=input connection-nat-state=!dstnat in-interface=ether1
add action=drop chain=forward connection-nat-state=!dstnat in-interface=\
ether1
add action=drop chain=input connection-nat-state=!dstnat in-interface=ether2
add action=drop chain=forward connection-nat-state=!dstnat in-interface=\
ether2
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=p2p_conn p2p=\
all-p2p
add action=mark-packet chain=prerouting connection-mark=p2p_conn \
new-packet-mark=p2p_packets passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT ether1" out-interface=ether1 \
src-address=10.0.0.0/22
add action=masquerade chain=srcnat comment="NAT ether2" out-interface=ether2 \
src-address=10.0.0.0/22
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Prague
/system identity
set name=Zapletal
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6 disabled=yes display-time=5s
set ether7 disabled=yes display-time=5s
set ether8 disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s
set ether11 disabled=yes display-time=5s
set ether21 disabled=yes display-time=5s
set ether22 disabled=yes display-time=5s
set ether23 disabled=yes display-time=5s
set ether24 disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ether17 disabled=yes display-time=5s
set ether18 disabled=yes display-time=5s
set ether19 disabled=yes display-time=5s
set ether20 disabled=yes display-time=5s
set ether12 disabled=yes display-time=5s
set ether13 disabled=yes display-time=5s
set ether14 disabled=yes display-time=5s
set ether15 disabled=yes display-time=5s
set ether16 disabled=yes display-time=5s
set "VLAN Home" disabled=yes display-time=5s
set "VLAN Guest" disabled=yes display-time=5s
/system ntp client
set enabled=yes primary-ntp=195.113.144.201 secondary-ntp=195.113.144.238
/system ntp server
set broadcast=yes broadcast-addresses=10.0.0.255,10.0.2.255 enabled=yes \
multicast=yes
/system routerboard settings
set protected-routerboot=disabled