TroyQ
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Oct 20, 2016 10:02 pm

VLAN DHCP on MAIN router not working to WLAN on AP

Mon Oct 19, 2020 11:02 am

Hi Guys

For some reason my VLAN DHCP is not going through to my client WLAN; it used to work but something went wrong and I cannot locate the problem. My apologies for my config that looks a bit messy, but over the last year a lot has changed. Basically my main router has DHCP for my admin network, then we added the VLAN for students. The DHCP is refusing to work. Any help would be appreciated.
Here is some of my config. The first 4 images are my main router. The last one is ONE of the APs. I have 20 of these that need to work.
Attachments (screenshots, not viewable): 1.jpg, 2.jpg, 3.jpg, 4.jpg, 5.jpg
 
mkx
Forum Guru
Posts: 12980
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Mon Oct 19, 2020 11:20 am

Since you didn't post the full configuration, only a few screenshots, we can only guess. You can post the full config: execute /export hide-sensitive from the terminal window and copy-paste the output.

Other than that: I guess vlan20 interface should not be member of bridge bridge-Staff.
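As an added example (not code from this thread, from MikroTik, or from either poster), here is a small Python audit that parses a RouterOS export in the format posted later in this thread and flags two bridge-VLAN mistakes relevant here: a VLAN interface that is also a bridge port of the very bridge it is built on (the point made above), and a bridge with vlan-filtering=yes whose VLAN table has no entry carrying that vlan-id with the bridge itself tagged, which RouterOS needs before a VLAN interface on the bridge can pass traffic. The sample export is constructed: a few lines trimmed from the thread's export plus one extra bridge-port line that reproduces the mistake.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed lines from the export in this thread, plus one extra
# "/interface bridge port" line that makes vlan20 a port of its own bridge.
SAMPLE_EXPORT = r"""
# oct/19/2020 11:23:03 by RouterOS 6.47.4
/interface bridge
add arp=proxy-arp mtu=1500 name=bridge-Staff priority=0x1000 vlan-filtering=yes
/interface vlan
add comment="Student Vlan20" interface=bridge-Staff loop-protect=on name=vlan20 vlan-id=20
add arp=proxy-arp comment="Labs Vlan" interface=bridge-Staff loop-protect=on name=vlan120 vlan-id=120
/interface bridge port
add auto-isolate=yes bridge=bridge-Staff hw=no interface=sfp12
add bridge=bridge-Staff interface=vlan20
/interface bridge vlan
add bridge=bridge-Staff tagged=bridge-Staff,sfp12 \
    vlan-ids=120
"""

# key=value pairs; values are either a double-quoted string (with escapes) or a bare token
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return {section: [entry, ...]} for every 'add' line of a RouterOS export.

    Continuation lines (ending in a backslash, continued on the next indented
    line) are joined first, as RouterOS prints them.  'set' lines are ignored.
    """
    sections = defaultdict(list)
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        if verb != "add":
            continue
        sections[section].append({k: v.strip('"') for k, v in KV_RE.findall(rest)})
    return sections


def vlan_ids(spec):
    """Expand a RouterOS vlan-ids spec such as '10,20-22' into {'10','20','21','22'}."""
    out = set()
    for part in spec.split(","):
        if part:
            lo, _, hi = part.partition("-")
            out.update(str(i) for i in range(int(lo), int(hi or lo) + 1))
    return out


def audit(sections):
    """Return human-readable findings for VLAN interfaces built on a bridge."""
    findings = []
    bridges = {b.get("name"): b for b in sections.get("/interface bridge", [])}
    ports = sections.get("/interface bridge port", [])
    table = sections.get("/interface bridge vlan", [])
    for v in sections.get("/interface vlan", []):
        name, parent, vid = v.get("name"), v.get("interface"), v.get("vlan-id")
        # 1. the VLAN interface must not also be a port of the bridge it sits on
        if any(p.get("interface") == name and p.get("bridge") == parent for p in ports):
            findings.append(f"{name}: is also a bridge port of {parent}; remove that port entry")
        # 2. with vlan-filtering=yes the bridge must be a tagged member of this vlan-id
        bridge = bridges.get(parent)
        if bridge and bridge.get("vlan-filtering") == "yes":
            covered = any(e.get("bridge") == parent
                          and vid in vlan_ids(e.get("vlan-ids", ""))
                          and parent in e.get("tagged", "").split(",")
                          for e in table)
            if not covered:
                findings.append(f"{name}: {parent} has vlan-filtering=yes but no /interface "
                                f"bridge vlan entry with vlan-ids={vid} and {parent} tagged; "
                                f"tagged VLAN {vid} frames are dropped by the bridge")
    return findings


if __name__ == "__main__":
    for f in audit(parse_export(SAMPLE_EXPORT)):
        print(f)
```

To audit a real router, paste the output of /export into SAMPLE_EXPORT or read it from a file; only vlan120 passes in the sample because it is the only VLAN with a tagged bridge entry.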
 
TroyQ
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Oct 20, 2016 10:02 pm

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Mon Oct 19, 2020 12:25 pm

Hi mkx

Thank you for the reply. Here is the export. I removed the VLAN from the bridge but still no change.
[admin@OHS Core Router] > /export hide-sensitive        
# oct/19/2020 11:23:03 by RouterOS 6.47.4
# software id = TI6T-J0B7
#
# model = CCR1016-12S-1S+
# serial number = 4CB302FDFA9D
/interface bridge
add arp=proxy-arp mtu=1500 name=bridge-Staff priority=0x1000 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment="WKOD Proxy Gateway" l2mtu=1590
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full comment="OHS K18 C Brink" l2mtu=1590
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full l2mtu=1590
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full l2mtu=1590
set [ find default-name=sfp5 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full comment="10.80.8.5 OHS I-7 Onderwyservoorligter A sfp5 fiber 5-Fibre-Organiser" l2mtu=1590
set [ find default-name=sfp6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment="NeoTel Fibre Gateway" l2mtu=1590
set [ find default-name=sfp7 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full comment="10.80.8.2 OHS Admin Office 1-24 sfp7-Bottom-SW" l2mtu=1590 loop-protect=on
set [ find default-name=sfp8 ] advertise=10M-full,100M-full,1000M-full comment="10.80.8.3 OHS Admin Office 25-48 sfp8-Middle-SW" l2mtu=1590
set [ find default-name=sfp9 ] advertise=10M-full,100M-full,1000M-full l2mtu=1590
set [ find default-name=sfp10 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full comment="Team Room" l2mtu=1590 loop-protect=on
set [ find default-name=sfp11 ] advertise=10M-full,100M-full,1000M-full comment=Kitchen l2mtu=1590 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp12 ] advertise=10M-full,100M-full,1000M-full comment="OHS Kuns Sentrum" l2mtu=1590 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfpplus1 ] advertise=10M-full,100M-full,1000M-full l2mtu=1590
/interface pppoe-client
add add-default-route=yes interface=sfp1 keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out001@dv user=out001@dv
/interface vlan
add comment="Student Vlan20" interface=bridge-Staff loop-protect=on name=vlan20 vlan-id=20
add arp=proxy-arp comment="Labs Vlan" interface=bridge-Staff loop-protect=on name=vlan120 vlan-id=120
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity="OHS Core Router"
/ip dhcp-server option
add code=66 name=Phones value="'http:\\\\192.168.2.1\\tftp'"
/ip dhcp-server option sets
add name=Phones_set1 options=Phones
/ip firewall layer7-protocol
add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
add name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"
add name=youtubeBW regexp=youtube.com
add comment="Block Bit Torrent - tabela regex" name=layer7-bittorrent-exp regexp=\
    "^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=buzzfeed regexp="^.+(buzzfeed.com).*\$"
add name="All Video files" regexp=\
    "^.*get.+\\.(webm|mkv|flv|flv|vob|ogv|ogg|drc|gifv|mng|avi|mov|qt|wmv|yuv|rm|rmvb|asf|amv|mp4|m4p|m4v|mpg|mp2|mpeg|mpe|mpv|mpg|mpeg|m2v|m4v|svi|3gp|3g2|mxf|roq|nsv|flv|f4v|f4p|f4a|f4b).*\$"
add name="All Archive files" regexp="^.*get.+\\.(7z|s7z|ace|afa|alz|apk|arc|arj|b1|b6z|ba|bh|cab|car|cfs|cpt|dar|dd|dgc|dmg|ear|gca|ha|hki|ice|jar|kgb|lzh|lha|lzx|pak|partimg|paq6|paq7|paq8|pea|pim\
    |pit|qda|rar|rk|sda|sea|sen|sfx|shk|sit|sitx|sqx|uca|uha|war|wim|xar|xp3|yz1|zip|zipx|zoo|zpaq|zz|targz|tgz|tarZ|tarbz2|tbz2|tarlzma|tlz|tarxz|txz|uc|uc0|uc2|ucn|ur2|ue2).*\$"
add name="All Document files" regexp="^.*get.+\\.(pdf|doc|docx|xlsx|xls|rtf|ppt|ppt|accdb|xps).*\$"
add name="All Audio files" regexp=\
    "^.*get.+\\.(3gp|aa|aac|aax|act|aiff|amr|ape|au|awb|dct|dss|dvf|flac|gsm|iklax|ivs|m4a|m4b|m4p|mmf|mp3|mpc|msv|ogg|oga|mogg|opus|ra|rm|raw|sln|tta|vox|wav|wma|wv|webm|8svx).*\$"
add name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova\
    |bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
add name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|\
    vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
add name=krunker regexp="^.+(krunker|crazygames|miniclip).*\$"
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des name=profile_1
/ip ipsec peer
add local-address=41.164.24.142 name=peer3 passive=yes profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp_pool1_Admin ranges=192.168.0.100-192.168.0.200,192.168.1.50-192.168.1.200,192.168.2.50-192.168.2.200,192.168.3.50-192.168.3.200,192.168.4.50-192.168.4.200,192.168.5.50-192.168.5.200
add name=VPN_pool1 ranges=192.168.10.10-192.168.10.20
add name=vlan20_Pool_Koshuise ranges=172.168.1.100-172.168.10.200
add name=vlan120_pool_RTT ranges=192.168.50.49-192.168.50.240
add name=dhcp_pool11 ranges=192.151.247.100-192.151.247.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1_Admin allow-dual-stack-queue=no always-broadcast=yes disabled=no interface=bridge-Staff lease-time=1w name=dhcp1
add add-arp=yes address-pool=vlan20_Pool_Koshuise allow-dual-stack-queue=no bootp-support=none disabled=no insert-queue-before=bottom interface=vlan20 lease-time=1h name=vlan20
add add-arp=yes address-pool=vlan120_pool_RTT disabled=no interface=vlan120 lease-time=1w name=vlan120
/ppp profile
add bridge=bridge-Staff dns-server=8.8.8.8,192.168.0.2 local-address=192.168.0.1 name=vpn138 remote-address=dhcp_pool1_Admin
add bridge=bridge-Staff dns-server=8.8.8.8,192.168.0.2 local-address=VPN_pool1 name=vpn137 remote-address=VPN_pool1
/queue simple
add dst=sfp6 limit-at=1M/1M max-limit=70M/90M name=queue2 priority=4/4 target=192.168.1.68/32
add limit-at=128k/128k max-limit=30M/50M name=OHS-System target=192.168.3.127/32
add disabled=yes limit-at=1M/1M max-limit=80M/60M name=OHS-FS priority=3/3 target=192.168.0.8/32
add limit-at=384k/512k max-limit=70M/70M name=Synology-23 priority=4/4 target=192.168.0.23/32
add limit-at=256k/256k max-limit=70M/70M name=Henry target=192.168.0.143/32
add limit-at=512k/512k max-limit=5M/4M name=JWG-Netbook target=192.168.1.97/32
add limit-at=512k/512k max-limit=30M/30M name=KwaggaTV2 priority=4/4 target=192.168.0.118/32
add dst=sfp6 limit-at=64k/64k max-limit=384k/512k name=queue4 target=192.168.1.194/32
add dst=sfp6 limit-at=64k/64k max-limit=512k/512k name=queue6 target=192.168.2.142/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=1M/1M name=BTH2 target=192.168.1.83/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=3M/2M name=BTHKoshuis target=192.168.2.108/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=1M/1M name=Klas67-05 target=192.168.2.127/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=1M/1M name=Klas67-03 target=192.168.2.132/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=3M/3M name=Klas67-PC target=192.168.2.110/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=1M/1M name=klas02 target=192.168.4.124/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=1M/1M name=ontwerp7 target=192.168.2.152/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=1M/1M name=dreyer target=192.168.0.177/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=1M/1M name=klas67-07 target=192.168.1.147/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=2M/2M name=Musiek2 target=192.168.2.41/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=2M/2M name=Klas42 target=192.168.3.77/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=2M/2M name=Kassier target=192.168.2.197/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=2M/2M name=Ontwerp-01 target=192.168.1.173/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=512k/512k name=queue3 target=192.168.2.160/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=512k/512k name=queue12 target=192.168.0.119/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=512k/512k name=queue11 target=192.168.0.126/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=512k/512k name=queue10 target=192.168.3.128/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=512k/512k name=queue9 target=192.168.0.114/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=512k/512k name=temp target=192.168.0.125/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=512k/512k name=cellP target=192.168.0.142/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=512k/512k name=queue8 target=192.168.2.112/32
add disabled=yes dst=sfp6 limit-at=512k/512k max-limit=512k/512k name=queue7 target=192.168.0.117/32
add disabled=yes dst=sfp1 limit-at=5M/5M max-limit=30M/30M name=Labs target=192.168.50.0/24
add dst=sfp6 limit-at=512k/512k max-limit=40M/40M name=Labs50 target=vlan120
add dst=sfp6 limit-at=512k/512k max-limit=60M/70M name="ALL STAFF" packet-marks=NET1-PM target=192.168.0.0/18
add dst=192.168.0.0/18 name=LAN target=192.168.0.0/18
/queue tree
add comment="Download Limit Set by Geo - Comcen" disabled=yes max-limit=18M name=queue1 packet-mark=NET1-PM parent=bridge-Staff
add comment="Upload Limit set by Geo - Comcen" disabled=yes max-limit=15M name=queue2 packet-mark=NET1-PM parent=sfp6 priority=6
add disabled=yes max-limit=2G name="All Bandwidth" parent=global
add disabled=yes max-limit=30M name=Downloads parent="All Bandwidth"
add disabled=yes max-limit=10M name=Archives packet-mark=archives_dw_pk parent=Downloads priority=3
add disabled=yes max-limit=8M name=Audio packet-mark=audio_dw_pk parent=Downloads priority=5
add disabled=yes max-limit=15M name=Documents packet-mark=doc_dw_pk parent=Downloads priority=2
add disabled=yes max-limit=10M name=Video packet-mark=video_dw_pk parent=Downloads priority=4
add comment="Browsing - Do Not Enable" disabled=yes max-limit=15M name=Other packet-mark=other_pk parent=Downloads
add disabled=yes max-limit=50M name=Upload packet-mark=upload_pk parent="All Bandwidth"
add disabled=yes limit-at=2M max-limit=10M name=PING_Queue packet-mark=PING_packet parent=global
add disabled=yes limit-at=4 max-limit=10M name=queue3 packet-mark=VOIP_Packets parent=global priority=1
/queue type
set 5 pcq-burst-time=30s pcq-total-limit=3000KiB
set 6 pcq-burst-time=20s pcq-total-limit=3000KiB
/queue simple
add limit-at=1M/1M max-limit=5M/5M name=VOIP_Queue priority=1/1 queue=default/default target=192.168.10.0/24
add limit-at=4M/4M max-limit=10M/10M name="VOIP Packets" packet-marks=VOIP_Packets priority=1/1 queue=default/default target=""
add limit-at=4M/4M max-limit=10M/10M name=Voip_Packets packet-marks=VOIP_Packets priority=1/1 queue=default/default target=bridge-Staff
add disabled=yes limit-at=4M/4M max-limit=50M/50M name=queue1 packet-marks=NET1-PM priority=1/1 queue=default/default target=192.168.10.0/24
add comment="Youtube Limiting" dst=sfp6 limit-at=384k/512k max-limit=10M/5M name=Youtube packet-marks="youtube packet" queue=default/default target=bridge-Staff
/system logging action
set 0 memory-lines=2000
set 1 disk-lines-per-file=2000
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
add name=sniffer policy=ssh,read,sniff,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sensitive,!api,!romon,!dude,!tikapp
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-Staff
/interface bridge filter
add action=drop chain=input mac-protocol=ipv6
/interface bridge port
add auto-isolate=yes bridge=bridge-Staff hw=no interface=sfp12
add auto-isolate=yes bridge=bridge-Staff interface=sfp11 learn=yes
add auto-isolate=yes bridge=bridge-Staff hw=no interface=sfp10
add auto-isolate=yes bridge=bridge-Staff hw=no interface=sfp9
add auto-isolate=yes bridge=bridge-Staff hw=no interface=sfp8
add auto-isolate=yes bridge=bridge-Staff interface=sfp7
add auto-isolate=yes bridge=bridge-Staff hw=no interface=sfp5
add auto-isolate=yes bridge=bridge-Staff hw=no interface=sfp4
add auto-isolate=yes bridge=bridge-Staff hw=no interface=sfp3
add auto-isolate=yes bridge=bridge-Staff interface=sfp2
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set accept-redirects=yes max-neighbor-entries=16384
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=vpn138 enabled=yes max-sessions=3 one-session-per-host=yes use-ipsec=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=vpn137 enabled=yes
/ip accounting
set enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=192.168.1.68/32
/ip address
add address=10.80.8.1/24 comment="Mikrotik Routers Connected IP" interface=bridge-Staff network=10.80.8.0
add address=192.168.0.1/18 comment=";;;;Local Lan IP" interface=bridge-Staff network=192.168.0.0
add address=172.168.0.1/18 comment="VLAN20 - Student WiFi" interface=vlan20 network=172.168.0.0
add address=192.168.50.254/24 comment="VLAN120 Labs" interface=vlan120 network=192.168.50.0
add address=192.151.247.1/24 comment=Phones interface=bridge-Staff network=192.151.247.0
add address=192.168.10.3/24 interface=bridge-Staff network=192.168.10.0
add address=102.39.55.91/29 comment="VOX IP - OHS" interface=sfp6 network=102.39.55.88
add address=10.10.10.1/24 interface=sfp6 network=10.10.10.0
/ip arp
add address=172.168.1.153 interface=vlan20 mac-address=DE:22:6B:41:AC:00
/ip cloud
set ddns-enabled=yes
/ip dhcp-server config
set store-leases-disk=10m
/ip dhcp-server lease
add address=192.168.1.83 client-id=1:6c:f0:49:af:fa:a9 mac-address=6C:F0:49:AF:FA:A9 server=dhcp1
add address=192.168.0.48 client-id=1:14:18:77:9e:3:90 mac-address=14:18:77:9E:03:90 server=dhcp1
add address=192.168.2.41 client-id=1:e0:d5:5e:2c:40:12 mac-address=E0:D5:5E:2C:40:12 server=dhcp1
add address=192.168.2.127 client-id=1:70:85:c2:2f:3d:36 mac-address=70:85:C2:2F:3D:36 server=dhcp1
add address=192.168.2.170 client-id=1:d0:27:88:b0:bd:8c mac-address=D0:27:88:B0:BD:8C server=dhcp1
add address=192.168.2.132 client-id=1:d0:27:88:b0:ca:7a mac-address=D0:27:88:B0:CA:7A server=dhcp1
add address=192.168.0.193 client-id=1:10:60:4b:19:eb:d0 comment="Hoof se Printer" mac-address=10:60:4B:19:EB:D0 server=dhcp1
add address=192.168.0.21 always-broadcast=yes client-id=1:0:11:32:a8:1a:8a comment="Rackstation port1" mac-address=00:11:32:A8:1A:8A server=dhcp1
add address=192.168.50.46 client-id=1:0:d8:61:23:c0:2e mac-address=00:D8:61:23:C0:2E server=vlan120
add address=192.168.50.37 client-id=1:ec:8e:b5:f:a2:27 comment="Heiletha Laptop" mac-address=EC:8E:B5:0F:A2:27 server=vlan120
add address=192.168.3.73 client-id=1:d0:17:c2:96:de:36 mac-address=D0:17:C2:96:DE:36 server=dhcp1
add address=192.168.3.146 client-id=1:70:85:c2:2f:39:ed mac-address=70:85:C2:2F:39:ED server=dhcp1
add address=192.168.2.152 client-id=1:74:d4:35:2f:25:29 mac-address=74:D4:35:2F:25:29 server=dhcp1
add address=192.168.4.144 client-id=1:74:d4:35:4a:3f:4a mac-address=74:D4:35:4A:3F:4A server=dhcp1
add address=192.168.2.200 client-id=1:30:7:4d:4c:d3:f4 mac-address=30:07:4D:4C:D3:F4 server=dhcp1
add address=192.168.1.60 client-id=1:fc:18:3c:48:95:6c mac-address=FC:18:3C:48:95:6C server=dhcp1
add address=192.168.4.148 client-id=1:ec:89:14:1:52:e8 mac-address=EC:89:14:01:52:E8 server=dhcp1
add address=192.168.4.167 client-id=1:70:85:c2:2f:a0:86 mac-address=70:85:C2:2F:A0:86 server=dhcp1
add address=192.168.0.121 client-id=1:74:d4:35:4a:3f:56 mac-address=74:D4:35:4A:3F:56 server=dhcp1
add address=192.168.0.109 client-id=1:24:18:1d:9c:1c:49 mac-address=24:18:1D:9C:1C:49 server=dhcp1
add address=192.168.0.23 client-id=1:0:11:32:a8:1a:8c comment="Rackstation port 3" mac-address=00:11:32:A8:1A:8C server=dhcp1
add address=192.168.0.24 client-id=1:0:11:32:a8:1a:8d comment="Rackstation port 4" mac-address=00:11:32:A8:1A:8D server=dhcp1
add address=192.168.50.36 client-id=1:f8:d0:27:39:85:d6 comment="Klas 35 Epson L6170" mac-address=F8:D0:27:39:85:D6
add address=192.168.50.25 client-id=1:f8:d0:27:38:f3:23 comment="Klas 26 Epson L6170" mac-address=F8:D0:27:38:F3:23
add address=192.168.50.14 always-broadcast=yes client-id=1:a0:36:9f:50:a6:58 mac-address=A0:36:9F:50:A6:58 server=vlan120
add address=192.168.2.131 client-id=1:94:c6:91:a4:d6:a mac-address=94:C6:91:A4:D6:0A server=dhcp1
add address=192.168.3.157 client-id=1:48:2a:e3:c:bd:c7 mac-address=48:2A:E3:0C:BD:C7 server=dhcp1
add address=192.168.0.106 client-id=1:bc:e2:65:a:b8:cc mac-address=BC:E2:65:0A:B8:CC server=dhcp1
add address=192.168.4.101 client-id=1:98:29:a6:65:a6:8d mac-address=98:29:A6:65:A6:8D server=dhcp1
add address=192.168.1.68 client-id=1:34:97:f6:bb:2f:96 mac-address=34:97:F6:BB:2F:96 server=dhcp1
add address=192.168.0.118 client-id=1:80:fa:5b:5a:19:61 mac-address=80:FA:5B:5A:19:61 server=dhcp1
add address=192.168.0.3 always-broadcast=yes client-id=1:0:15:5d:2:79:1 mac-address=00:15:5D:02:79:01 server=dhcp1
add address=192.168.0.19 always-broadcast=yes client-id=1:0:15:5d:2:79:2 mac-address=00:15:5D:02:79:02 server=dhcp1
add address=192.168.0.5 always-broadcast=yes client-id=1:0:15:5d:6a:ed:3 mac-address=00:15:5D:6A:ED:03 server=dhcp1
add address=192.168.0.4 always-broadcast=yes client-id=1:0:15:5d:6a:ed:2 mac-address=00:15:5D:6A:ED:02 server=dhcp1
add address=192.168.0.8 client-id=1:0:15:5d:6a:ed:5 mac-address=00:15:5D:6A:ED:05 server=dhcp1
add address=192.168.15.1 always-broadcast=yes client-id=1:0:15:5d:2:79:3 mac-address=00:15:5D:02:79:03 server=dhcp1
add address=192.168.1.194 client-id=1:8c:16:45:10:f4:94 mac-address=8C:16:45:10:F4:94 server=dhcp1
add address=192.168.0.13 always-broadcast=yes client-id=1:0:15:5d:6a:ed:7 mac-address=00:15:5D:6A:ED:07 server=dhcp1
add address=192.168.3.127 client-id=1:80:fa:5b:58:4a:f3 mac-address=80:FA:5B:58:4A:F3 server=dhcp1
add address=192.168.0.6 always-broadcast=yes client-id=1:a4:bf:1:1f:48:a2 mac-address=A4:BF:01:1F:48:A2 server=dhcp1
add address=vlan20_Pool_Koshuise address-lists=Black-List block-access=yes client-id=76:F8:DB:28:E7:D5 mac-address=76:F8:DB:28:E7:D5 server=vlan20
add address=vlan20_Pool_Koshuise address-lists=Black-list block-access=yes client-id=00:00:00:00:00:00 server=vlan20
add address=172.168.11.200 always-broadcast=yes block-access=yes mac-address=DE:22:6B:41:AC:00
/ip dhcp-server network
add address=172.168.0.0/18 comment=Koshuise dns-server=172.168.0.1,10.80.8.1 gateway=172.168.0.1 ntp-server=172.168.0.1
add address=192.151.247.0/24 dhcp-option=Phones dhcp-option-set=Phones_set1 dns-server=192.151.247.1 gateway=192.151.247.1
add address=192.168.0.0/18 comment=Admin dns-server=192.168.0.13,192.168.0.3 domain=kwagga.local gateway=192.168.0.1 netmask=18 ntp-server=192.168.0.1
add address=192.168.50.0/24 comment=Labs dns-server=192.168.50.1 domain=outeniqua.co.za gateway=192.168.50.254
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.8.8,8.8.4.4,196.22.218.248,209.203.10.208
/ip dns static
add address=10.0.241.226 name=proxy.wcgschools.gov.za
add address=10.0.100.36 name=wcgschools.gov.za
add address=192.168.50.1 name=ohs-rtt.outeniqua.co.za
add address=192.168.50.1 name=ohs-rtt
add address=196.44.224.69 name=birgitte.digichilli.co.za
add address=216.239.38.120 comment="Secure Search" name=google.com
add address=216.239.38.120 comment="Secure Search" name=www.google.com
add address=216.239.38.120 comment="Secure Search" name=https://google.com
add address=216.239.38.120 comment="Secure Search" name=https://www.google.com
add address=216.239.38.120 comment="Secure Search" name=google.com.mx
add address=216.239.38.120 comment="Secure Search" name=www.google.com.mx
add address=216.239.38.120 comment="Secure Search" name=https://google.com.mx
add address=216.239.38.120 comment="Secure Search" name=https://www.google.com.mx
add address=216.239.38.120 comment="Secure Search" regexp="^(www|images|encrypted).google(\\.[a-z][a-z][a-z]\?)(\\.[a-z][a-z][a-z]\?)\?\$"
add address=8.8.4.4 name=google1
add address=192.96.15.69 name=vpn.nmmu.ac.za
/ip firewall address-list
add address=192.168.0.0/18 list=Local
add address=proxy.wcgschools.gov.za list=WKOD
add address=outeniqua.co.za list=outeniqua.co.za
add address=msappproxy.net list="MS PORTS"
add address=windows.net list="MS PORTS"
add address=microsoftonline.com list="MS PORTS"
add address=msocsp.com list="MS PORTS"
add address=microsoft.com list="MS PORTS"
add address=cloud.mikrotik.com list=Clouds
add address=gregsowell.com list=gregsowell
add address=download.mikrotik.com list=Mikrotik
add address=update.mikrotik.com list=Mikrotik
add address=autodiscover.outlook.com list=autod
add address=outlook.office365.com list=outlook365
add address=wcgschools.gov.za list=wcgschools
add address=vpn.nmmu.ac.za list=nmmu
add address=za.pool.ntp.org list=ntp-pool
add address=activation.sls.microsoft.com list="MS PORTS"
add address=crl.microsoft.com list="MS PORTS"
add address=odc.officeapps.live.com list="MS PORTS"
add address=officeapps.live.com list="MS PORTS"
add address=ols.officeapps.live.com list="MS PORTS"
add address=sls.microsoft.com list="MS PORTS"
add address=officecdn.microsoft.com list="MS PORTS"
add address=go.microsoft.com list="MS PORTS"
add address=office15client.microsoft.com list="MS PORTS"
add address=officeclient.microsoft.com list="MS PORTS"
add address=154.0.173.211 list=outeniqua
/ip firewall filter
add action=accept chain=forward dst-address=192.168.0.19
add action=accept chain=forward out-interface=vlan120
add action=accept chain=forward dst-address=192.168.50.1
add action=accept chain=forward src-address=192.168.50.1
add action=reject chain=forward disabled=yes reject-with=icmp-admin-prohibited src-mac-address=76:F8:DB:28:E7:D5
add action=reject chain=forward disabled=yes reject-with=icmp-admin-prohibited src-mac-address=DE:22:6B:41:AC:00
add action=accept chain=forward out-interface=sfp6 src-address=172.168.0.0/18
add action=accept chain=forward dst-port=4444 protocol=tcp
add action=accept chain=input src-address=192.168.1.68
add action=accept chain=forward dst-port=8291 protocol=tcp
add action=accept chain=forward dst-address-list=digitv
add action=accept chain=forward dst-address=10.10.10.0/24
add action=accept chain=input protocol=icmp src-address=192.168.0.0/18
add action=accept chain=forward dst-port=443 protocol=tcp src-address=192.168.0.0/18
add action=accept chain=forward dst-port=3128 protocol=tcp
add action=accept chain=forward dst-address=10.0.241.226
add action=accept chain=forward dst-address=10.0.241.226 src-address=192.168.50.0/24
add action=accept chain=input packet-mark=LABS-OHS-Packet
add action=accept chain=forward in-interface=all-vlan out-interface=bridge-Staff
add action=accept chain=input comment="related & established" connection-state=established,related
add action=accept chain=forward comment="related & established" connection-state=established,related
add action=accept chain=forward src-address=192.168.0.15
add action=accept chain=forward dst-address=192.168.0.15
add action=accept chain=forward comment="NTP Pool - DO NOT REMOVE" dst-address-list=ntp-pool
add action=accept chain=forward comment="Microsoft Servers" dst-address-list="MS PORTS"
add action=accept chain=forward comment="Microsoft Servers" src-address-list="MS PORTS"
add action=accept chain=forward dst-port=8000 protocol=tcp
add action=accept chain=forward dst-port=8000 protocol=udp
add action=accept chain=forward dst-port=5567 protocol=tcp
add action=accept chain=forward dst-port=5567 protocol=udp
add action=accept chain=forward comment=Website dst-address-list=outeniqua.co.za
add action=drop chain=input dst-port=53 in-interface=sfp6 protocol=tcp
add action=drop chain=input dst-port=445 in-interface=sfp6 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=sfp6 protocol=udp
add action=drop chain=input dst-port=445 in-interface=sfp6 protocol=udp
add action=drop chain=forward comment="Outeniqua HS WiFi block" dst-address=192.168.0.0/18 src-address=172.16.0.0/18
add action=drop chain=forward comment="Koshuis VLAN drop" dst-address=192.168.0.0/18 src-address=172.168.0.0/18
# no interface
add action=accept chain=input in-interface=*F00002
add action=accept chain=forward src-address=192.168.0.230
add action=accept chain=forward src-address=192.168.0.17
add action=drop chain=forward comment="RTT game drop" disabled=yes layer7-protocol=krunker
add action=accept chain=forward comment="NMMU VPN" disabled=yes dst-address=192.96.15.69
add action=accept chain=forward dst-address=192.168.0.6 src-address=192.168.50.0/24
add action=accept chain=forward dst-address=192.168.0.6
add action=accept chain=forward comment="Update Server" dst-address=192.168.50.4
add action=accept chain=forward comment="Update Server" src-address=192.168.50.4
add action=accept chain=forward dst-address=192.168.0.24
add action=accept chain=forward dst-address=192.168.0.23
add action=accept chain=forward dst-address=192.168.0.22
add action=accept chain=forward dst-address=192.168.0.21
add action=accept chain=forward src-address=192.168.2.97
add action=accept chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp src-address=192.168.1.68 src-address-list=Torrent-Conn
add action=accept chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp src-address=192.168.0.148 src-address-list=Torrent-Conn
add action=accept chain=forward src-address=192.168.0.148
add action=accept chain=forward src-address=192.151.247.0/24
add action=accept chain=forward dst-address=192.151.247.0/24
add action=accept chain=input comment="VPN Port" dst-port=1723 protocol=tcp
add action=accept chain=input comment="VPN Port" dst-port=1701 protocol=udp
add action=accept chain=input comment="VPN allow" protocol=gre
add action=accept chain=forward dst-address=192.168.50.0/24 src-address=192.168.0.19
add action=accept chain=forward dst-address=192.168.50.35
add action=accept chain=forward dst-address=192.168.50.46
add action=accept chain=forward dst-address=192.168.50.26
add action=accept chain=forward src-address=192.168.50.1
add action=accept chain=forward src-address=192.168.50.35
add action=accept chain=forward src-address=192.168.50.46
add action=accept chain=forward src-address=192.168.50.26
add action=accept chain=forward dst-address=192.168.50.235
add action=accept chain=forward out-interface=sfp6 src-address=192.168.0.2
add action=accept chain=forward dst-address=13.64.117.133
add action=accept chain=forward comment=Cloud dst-address-list=Clouds
add action=accept chain=forward comment="MS PORTS" dst-address-list="MS PORTS"
add action=accept chain=forward comment=gregsowell dst-address-list=gregsowell
add action=accept chain=forward comment="Heiletha Laptop" src-address=192.168.50.37
add action=add-src-to-address-list address-list=DDOS_Check address-list-timeout=5m chain=input connection-limit=50,32 disabled=yes protocol=tcp
add action=tarpit chain=input connection-limit=50,32 disabled=yes protocol=tcp src-address-list=DDOS_Check
add action=drop chain=forward dst-port=68 protocol=udp src-address=!10.80.8.1 src-port=67
add action=drop chain=forward comment="LABS VOX" disabled=yes out-interface=sfp6 src-address=192.168.50.0/24
add action=drop chain=forward comment="LABS WCED Proxy" disabled=yes out-interface=sfp1 src-address=192.168.50.0/24
add action=drop chain=forward disabled=yes out-interface=sfp1 src-address=192.168.50.0/24 time=8m-13m,mon,tue,wed,thu,fri
add action=drop chain=forward comment="Unknown Laptop Blocked - to many uploads" disabled=yes src-mac-address=F4:30:B9:98:BC:84
add action=drop chain=forward comment="Surveilance PC" disabled=yes out-interface=sfp6 src-address=192.168.3.52
add action=drop chain=forward comment="Surveilance PC" disabled=yes out-interface=sfp6 src-address=192.168.1.70
add action=drop chain=forward comment="Surveilance PC" disabled=yes out-interface=sfp1 src-address=192.168.3.52
add action=drop chain=forward comment="Surveilance PC" disabled=yes out-interface=sfp1 src-address=192.168.1.70
add action=drop chain=forward comment="Koshuis BTH 4" disabled=yes out-interface=sfp6 src-address=192.168.1.94
add action=drop chain=forward comment="Torrent wwws" disabled=yes layer7-protocol=torrent-wwws out-interface=sfp6
add action=drop chain=forward comment="Torrent dns" disabled=yes dst-port=53 layer7-protocol=torrent-dns out-interface=sfp6 protocol=udp
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=1m chain=forward disabled=yes layer7-protocol=layer7-bittorrent-exp out-interface=sfp6 src-address-list=!allow-bit
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=1m chain=forward comment="Torrent Announce" disabled=yes layer7-protocol=BITTORRENT_ANNOUNCE out-interface=sfp6 \
    src-address-list=!allow-bit
add action=add-src-to-address-list address-list="Torrent Announce" address-list-timeout=3m chain=forward comment=______Announce____ disabled=yes dst-address-list=!torrent_permit layer7-protocol=\
    BITTORRENT_ANNOUNCE out-interface=sfp6 src-address-list=!torrent_permit time=0s-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Torrent Announce" disabled=yes dst-address-list=!torrent_permit layer7-protocol=BITTORRENT_ANNOUNCE out-interface=sfp6 src-address-list=!torrent_permit time=\
    0s-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="Torrent Conn" disabled=yes dst-port=!0-1024,5900,5800,14147,5222,59905 out-interface=sfp6 protocol=tcp src-address-list=Torrent-Conn
add action=drop chain=forward comment="Torrent Conn" disabled=yes dst-port=!0-1024,8291,5900,5800,14147,5222,59905 out-interface=sfp6 protocol=udp src-address-list=Torrent-Conn
add action=drop chain=forward comment="Torrent Conn" disabled=yes dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp src-address-list=Torrent-Conn
add action=drop chain=forward comment="Torrent Conn" disabled=yes dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp src-address-list=Torrent-Conn
add action=accept chain=forward comment="ADMIN ADSL - Temporary" disabled=yes src-address=192.168.0.181
add action=accept chain=forward disabled=yes src-address=192.168.0.127
add action=accept chain=forward disabled=yes src-address=192.168.2.113
add action=accept chain=forward disabled=yes src-address=192.168.0.130
add action=accept chain=forward disabled=yes src-address=192.168.1.68
add action=accept chain=forward disabled=yes src-address=192.168.0.156
add action=accept chain=forward disabled=yes src-address=192.168.1.138
add action=accept chain=forward disabled=yes src-address=192.168.2.94
add action=accept chain=forward disabled=yes src-address=192.168.0.123
add action=accept chain=forward disabled=yes src-address=192.168.0.181
add action=accept chain=forward disabled=yes src-address=192.168.2.108
add action=accept chain=forward disabled=yes src-address=192.168.2.115
add action=accept chain=forward disabled=yes src-address=192.168.1.128
add action=accept chain=forward disabled=yes src-address=192.168.0.149
add action=accept chain=forward disabled=yes src-address=192.168.0.102
add action=accept chain=forward disabled=yes src-address=192.168.2.136
add action=accept chain=forward disabled=yes src-address=192.168.1.84
add action=accept chain=forward disabled=yes src-address=192.168.0.159
add action=accept chain=forward disabled=yes src-address=192.168.1.150
add action=accept chain=forward disabled=yes src-address=192.168.1.152
add action=accept chain=forward disabled=yes src-address=192.168.1.187
add action=accept chain=forward disabled=yes src-address=192.168.1.191
add action=accept chain=forward disabled=yes src-address=192.168.0.2
add action=accept chain=forward disabled=yes src-address=192.168.0.150
add action=accept chain=forward disabled=yes src-address=192.168.1.127
add action=accept chain=forward disabled=yes src-address=192.168.0.48
add action=accept chain=forward disabled=yes src-address=192.168.0.153
add action=accept chain=forward disabled=yes src-address=192.168.2.85
add action=accept chain=forward disabled=yes src-address=192.168.0.132
add action=accept chain=forward disabled=yes src-address=192.168.1.132
add action=accept chain=forward disabled=yes src-address=192.168.1.190
add action=accept chain=forward disabled=yes src-address=192.168.2.77
add action=accept chain=forward dst-address=10.0.241.226
add action=drop chain=forward comment="Emergency Bandwidth Drop" disabled=yes dst-address=0.0.0.0/0 src-address=192.168.0.0/18
add action=drop chain=forward comment="Emergency Bandwidth Drop" disabled=yes dst-address=0.0.0.0/0 src-address=192.168.50.0/24
add action=passthrough chain=forward disabled=yes dst-address=192.168.0.0/18 src-address=192.168.50.0/24
add action=accept chain=forward dst-port=1935 protocol=tcp
add action=accept chain=forward dst-port=1935 protocol=udp
add action=accept chain=forward protocol=tcp src-port=1935
add action=accept chain=forward protocol=udp src-port=1935
add action=accept chain=forward dst-port=5353 protocol=tcp
add action=accept chain=forward dst-port=5353 protocol=udp
add action=accept chain=forward comment="Local RDP" dst-address=192.168.0.2 dst-port=3389,4490,4491 protocol=tcp src-address=192.168.0.0/18
add action=accept chain=forward comment="Local RDP" dst-address=192.168.50.1 dst-port=3389,4490,4491 protocol=tcp src-address=192.168.50.0/24
add action=accept chain=forward comment="Remote Winbox" dst-port=8129 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=139,445 protocol=tcp
add action=accept chain=input comment="Remote Winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="RDP Allowed ports" disabled=yes dst-address=41.164.24.138-41.164.24.142 dst-port=8291,4490,4491 protocol=tcp
add action=drop chain=forward comment="Unknown Devices Blocked" disabled=yes src-mac-address=54:E1:AD:94:2A:14
add action=drop chain=forward comment="Unknown Devices Blocked" disabled=yes src-mac-address=08:62:66:B5:95:9A
add action=drop chain=input comment="Drop Incomming SSH" dst-port=22 in-interface=sfp6 protocol=tcp
add action=drop chain=input comment="Drop Incomming SSH" dst-port=22 in-interface=sfp6 protocol=udp
add action=drop chain=forward comment="Unknown Devices Downloading" disabled=yes src-address=192.168.0.109
add action=drop chain=forward comment=Buzzfeed disabled=yes layer7-protocol=buzzfeed src-address=192.168.0.0/18 time=7h30m-14h,mon,tue,wed,thu,fri
add action=drop chain=forward comment="BattleNET Game block" disabled=yes dst-port=6881-6999 out-interface=sfp6 protocol=udp src-address=192.168.0.0/18
add action=drop chain=forward comment="Online Game block" disabled=yes dst-port=9330-9340 protocol=tcp src-address=192.168.0.0/18
add action=drop chain=forward comment="Online Game block" disabled=yes dst-port=9330-9340 protocol=udp src-address=192.168.0.0/18
add action=drop chain=forward comment="WOW Game block" disabled=yes dst-port=3724,1119 out-interface=sfp6 protocol=tcp src-address=192.168.0.0/18
add action=drop chain=forward comment="WOW Game block" disabled=yes dst-port=3724,1119 out-interface=sfp6 protocol=udp src-address=192.168.0.0/18
add action=drop chain=forward comment="Counter Strike Game block" disabled=yes dst-port=27000-27050 protocol=udp src-address=192.168.0.0/18
add action=drop chain=forward comment="Counter Strike Game block" disabled=yes dst-port=27000-27050 protocol=tcp src-address=192.168.0.0/18
add action=drop chain=forward comment="BattleNET Game block" disabled=yes dst-port=6112-6119,4000 out-interface=sfp6 protocol=tcp src-address=192.168.0.0/18
add action=drop chain=forward comment="BattleNET Game block" disabled=yes dst-port=6112-6119,4000 out-interface=sfp6 protocol=udp src-address=192.168.0.0/18
add action=drop chain=forward comment="Blizzard Game block" disabled=yes dst-port=6881-6999 out-interface=sfp6 protocol=udp src-address=192.168.0.0/18
add action=drop chain=forward comment="Blizzard Game block" disabled=yes dst-address=!192.168.0.0/18 dst-port=6881-6999 out-interface=sfp6 protocol=tcp src-address=192.168.0.0/18
add action=drop chain=input disabled=yes src-address=185.153.198.213
add action=drop chain=input disabled=yes dst-address=185.153.198.213
add action=drop chain=input comment="WAN RDP Block" disabled=yes dst-port=3389 protocol=tcp src-address=!192.168.0.0/18
add action=drop chain=forward comment="Unknown Devices Blocked" disabled=yes src-mac-address=9C:E0:63:13:9C:74
add action=add-src-to-address-list address-list=spammer address-list-timeout=3d chain=virus comment="add to spammer list" connection-limit=30,32 dst-port=25 limit=50,5:packet log=yes protocol=tcp
add action=drop chain=virus comment="Drop Spammer" dst-port=25 protocol=tcp src-address-list=spammer
add action=drop chain=forward dst-port=!80,443 out-interface=sfp6 protocol=tcp src-address-list=bit-list
add action=drop chain=forward comment=keyword_drop content=torrent disabled=yes out-interface=sfp6
add action=drop chain=forward comment=trackers_drop content=tracker disabled=yes out-interface=sfp6
add action=drop chain=forward comment=get_peers_drop content=getpeers disabled=yes out-interface=sfp6
add action=drop chain=forward comment=info_hash_drop content=info_hash disabled=yes out-interface=sfp6
add action=drop chain=forward comment=announce_peers_drop content=announce_peers disabled=yes out-interface=sfp6
add action=drop chain=forward comment="NETCM Drop invalid" connection-mark=NET1-CM disabled=yes out-interface=sfp6 protocol=udp
add action=drop chain=forward comment=Invalid connection-state=invalid
/ip firewall mangle
add action=passthrough chain=prerouting dst-port=4444 protocol=tcp
add action=accept chain=forward dst-address=192.168.50.0/24 src-address=192.168.0.0/18
add action=mark-connection chain=postrouting dst-address=192.168.10.0/24 new-connection-mark="IP Phones Conn" passthrough=yes
add action=mark-connection chain=postrouting new-connection-mark="IP Phones Conn" passthrough=yes src-address=192.168.10.0/24
add action=mark-packet chain=output connection-mark="IP Phones Conn" new-packet-mark=VOIP_Packets passthrough=no
add action=mark-routing chain=prerouting comment="NTP-POOL - do not remove" dst-address-list=ntp-pool new-routing-mark=ADSL passthrough=no
add action=mark-routing chain=prerouting comment="Microsoft Servers" dst-address-list="MS PORTS" new-routing-mark=ADSL passthrough=no
add action=accept chain=forward src-address=10.80.8.0/24
add action=mark-connection chain=postrouting comment="VOIP Network" new-connection-mark=VOIP_Conn passthrough=no src-address=192.168.10.0/24
add action=mark-connection chain=postrouting comment="VOIP Network" dst-address=192.168.10.0/24 new-connection-mark=VOIP_Conn passthrough=no
add action=mark-packet chain=postrouting connection-mark=VOIP_Conn new-packet-mark=VOIP_Packets passthrough=no
add action=mark-connection chain=forward comment="Network Priority" new-connection-mark=NET1-CM out-interface=sfp6 passthrough=yes src-address=192.168.0.0/18
add action=mark-packet chain=forward connection-mark=NET1-CM new-packet-mark=NET1-PM passthrough=yes
add action=accept chain=prerouting disabled=yes dst-address=192.168.0.6
add action=accept chain=prerouting comment="Update Server" dst-address=192.168.50.4
# no interface
add action=accept chain=prerouting in-interface=*F00002
add action=mark-routing chain=prerouting comment="Route emails to ADSL - Temporary" disabled=yes dst-port=443,25,587,143,993 new-routing-mark=EMAILS passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="Route emails to ADSL - Temporary" disabled=yes new-routing-mark=EMAILS passthrough=no protocol=tcp src-port=443,25,587,143,993
add action=accept chain=prerouting dst-address=192.168.50.0/24 src-address=192.168.0.0/18
add action=mark-routing chain=prerouting dst-address=10.0.241.226 new-routing-mark=EduLanProxy passthrough=no
add action=accept chain=prerouting dst-address=13.64.117.133
add action=accept chain=prerouting dst-port=5353 protocol=udp
add action=accept chain=prerouting dst-port=5353 protocol=tcp
add action=accept chain=prerouting dst-port="" protocol=tcp src-port=1935
add action=accept chain=prerouting protocol=udp src-port=1935
add action=accept chain=prerouting dst-port=1935 protocol=tcp
add action=accept chain=prerouting dst-port=1935 protocol=udp
add action=accept chain=prerouting dst-address=192.168.0.0/18 src-address=192.168.0.0/18
add action=accept chain=prerouting src-address=192.168.0.2
add action=accept chain=forward dst-address=192.168.0.0/18 src-address=192.168.50.0/24
add action=mark-packet chain=forward comment="youtube - Limited by Geo - Comcen" layer7-protocol=youtubeBW new-packet-mark="youtube packet" passthrough=no
add action=mark-packet chain=forward comment="youtube - Limited by Geo - Comcen" disabled=yes layer7-protocol="All Video files" new-packet-mark="youtube packet" passthrough=no
add action=mark-connection chain=forward comment=dw_conn disabled=yes dst-address=192.168.0.0/18 new-connection-mark=dw_conn passthrough=yes
add action=mark-packet chain=forward comment=archives_dw_pk connection-mark=dw_conn disabled=yes layer7-protocol="All Archive files" new-packet-mark=archives_dw_pk passthrough=no
add action=mark-packet chain=forward comment=audio_dw_pk connection-mark=dw_conn disabled=yes layer7-protocol="All Audio files" new-packet-mark=audio_dw_pk passthrough=no
add action=mark-packet chain=forward comment=doc_dw_pk connection-mark=dw_conn disabled=yes layer7-protocol="All Document files" new-packet-mark=doc_dw_pk passthrough=no
add action=mark-packet chain=forward comment=video_dw_pk connection-mark=dw_conn disabled=yes layer7-protocol="All Video files" new-packet-mark=video_dw_pk passthrough=no
add action=mark-packet chain=forward comment=other_pk connection-mark=dw_conn disabled=yes new-packet-mark=other_pk passthrough=no
add action=mark-connection chain=forward comment=upload_conn disabled=yes new-connection-mark=upload_conn passthrough=yes src-address=192.168.0.0/18
add action=mark-packet chain=forward comment=upload_pk connection-mark=upload_conn disabled=yes new-packet-mark=upload_pk passthrough=no
/ip firewall nat
add action=accept chain=srcnat out-interface=sfp6 protocol=tcp src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment="VOX Gateway" out-interface=sfp6
add action=masquerade chain=srcnat comment="VOX Gateway" out-interface=sfp6 src-address=172.168.0.0/18
add action=masquerade chain=srcnat comment="Masquerade WKOD" disabled=yes out-interface=sfp1
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=192.168.50.1
add action=accept chain=srcnat dst-address=192.168.50.1 src-address=192.168.0.0/18
add action=masquerade chain=srcnat comment=PHONES dst-address=192.168.10.0/24
add action=dst-nat chain=dstnat dst-port=4444 protocol=tcp to-addresses=192.168.10.1 to-ports=443
add action=dst-nat chain=dstnat dst-port=4444 protocol=udp to-addresses=192.168.10.1 to-ports=443
add action=accept chain=dstnat dst-port=8291 protocol=tcp
add action=accept chain=srcnat src-address=192.168.10.1
add action=accept chain=dstnat src-address=192.168.10.1
add action=accept chain=dstnat dst-address=192.168.10.1
add action=accept chain=srcnat dst-address=192.168.10.1
add action=masquerade chain=srcnat comment="Masquerade ALL" disabled=yes
add action=passthrough chain=dstnat disabled=yes src-address=192.168.1.68 to-addresses=8.8.8.8
add action=dst-nat chain=dstnat comment="Safety Net" disabled=yes dst-port=53 protocol=udp src-address=192.168.0.0/18 to-addresses=208.67.220.220 to-ports=53
add action=dst-nat chain=dstnat comment="Safety Net" disabled=yes dst-port=53 protocol=tcp src-address=192.168.0.0/18 to-addresses=208.67.222.222 to-ports=53
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=192.168.50.26
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=192.168.50.35
add action=accept chain=srcnat dst-address=192.168.0.19 src-address=192.168.50.35
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=192.168.50.46
add action=dst-nat chain=dstnat comment="Local RDP OHS RTT" dst-address=192.168.50.1 dst-port=3389 protocol=tcp src-address=192.168.0.0/18 to-ports=4490
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=192.168.50.2
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=192.168.50.4
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=192.168.50.235
add action=accept chain=srcnat dst-address=192.168.0.0/18 src-address=192.168.50.254
add action=accept chain=dstnat dst-port=5353 protocol=udp
add action=accept chain=dstnat dst-port=5353 protocol=tcp
add action=accept chain=srcnat dst-port=1935 protocol=tcp
add action=accept chain=srcnat protocol=tcp src-port=1935
add action=accept chain=dstnat dst-port=1935 protocol=tcp
add action=accept chain=dstnat protocol=tcp src-port=1935
add action=accept chain=srcnat dst-port=1935 protocol=udp
add action=accept chain=srcnat protocol=udp src-port=1935
add action=accept chain=dstnat dst-port=1935 protocol=udp
add action=accept chain=dstnat protocol=udp src-port=1935
add action=dst-nat chain=dstnat comment=RDP dst-port=4468 protocol=tcp to-addresses=192.168.1.68 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip ipsec identity
add generate-policy=port-override peer=peer3
/ip proxy
set cache-path=web-proxy1
/ip route
add comment="WCED Proxy Gateway" distance=2 gateway=10.10.10.254 routing-mark=EduLanProxy
add distance=1 gateway=10.10.10.254 routing-mark=Clouds
add distance=1 gateway=10.10.10.254
add comment="VOX Internet" disabled=yes distance=1 gateway=192.168.101.1
add distance=1 dst-address=192.168.100.0/24 gateway=10.80.8.8
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh address=192.168.0.0/18
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set interfaces=sfp1
/lcd
set time-interval=hour
/lcd interface pages
set 0 interfaces=sfpplus1,sfp1,sfp2,sfp3,sfp4
/ppp secret
add name=vpn138 profile=vpn138 service=l2tp
add name=vpn137 profile=vpn137 service=pptp
/routing pim
set switch-to-spt=no
/system clock
set time-zone-autodetect=no time-zone-name=Africa/Johannesburg
/system identity
set name="OHS Core Router"
/system leds
set 0 interface=sfp1
set 1 interface=sfp2
set 2 interface=sfp3
set 3 interface=sfp4
set 4 interface=sfp5
set 5 interface=sfp6
set 6 interface=sfp7
set 7 interface=sfp8
set 8 interface=sfp9
set 9 interface=sfp10
set 10 interface=sfp11
set 11 interface=sfp12
set 12 interface=sfpplus1
set 13 interface=sfpplus1
/system logging
set 3 action=disk
add topics=pptp
add action=echo topics=interface,warning
add topics=wireless,debug
add topics=bridge,info,interface
/system ntp client
set enabled=yes primary-ntp=216.239.35.8 secondary-ntp=196.9.24.88
/system ntp server
set broadcast=yes broadcast-addresses=192.168.0.1,192.168.50.254,172.16.0.1,10.80.8.1 enabled=yes multicast=yes
/system script
add dont-require-permissions=no name=spammers owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global spamip;\r\
    \n:if ([:len [/ip firewall address-list find list=spammer]]>0) do= {\r\
    \n:log error \"--------- IP's detected as SPAMMERS ---------\";\r\
    \n:foreach i in [/ip firewall address-list find list=spammer] do={ :set spamip [/ip firewall address-list get \$i address];\r\
    \n:log error \$spamip };\r\
    \n}"
add dont-require-permissions=no name="spammers mailto" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local emailip\r\
    \n:local spamip\r\
    \n:local keepflag 0\r\
    \n:foreach j in [/ip firewall address-list find list=email-log] do={\r\
    \n  :set emailip [/ip firewall address-list get \$j address]\r\
    \n  :foreach i in [/ip firewall address-list find list=spammer] do={\r\
    \n    :set spamip [/ip firewall address-list get \$i address]\r\
    \n    :if (\$emailip=\$spamip) do={:set keepflag 1}\r\
    \n  }\r\
    \n  :if (\$keepflag=0) do={/ip firewall address-list remove \$j} else= {:set keepflag 0}\r\
    \n}\r\
    \n:if ([:len [/ip firewall address-list find list=spammer]]>0) do={\r\
    \n  :local bodymsg \"\"\r\
    \n  :local emailflag 0\r\
    \n  :log error \"---------- IP's detected as SPAMMERS ----------\"\r\
    \n  :foreach i in [/ip firewall address-list find list=spammer] do={\r\
    \n    :set spamip [/ip firewall address-list get \$i address]\r\
    \n    :log error \$spamip\r\
    \n  }\r\
    \n  :foreach i in [/ip firewall address-list find list=spammer] do={\r\
    \n    :set spamip [/ip firewall address-list get \$i address]\r\
    \n    :foreach j in [/ip firewall address-list find list=email-log] do={\r\
    \n      :set emailip [/ip firewall address-list get \$j address]\r\
    \n      :if (\$spamip=\$emailip) do={:set emailflag 1}\r\
    \n    }\r\
    \n    :if (\$emailflag=0) do={\r\
    \n      :set bodymsg (\$bodymsg . \$spamip . \"\\r\\n\")\r\
    \n      /ip firewall address-list add address=\$spamip list=email-log\r\
    \n    } else= {:set emailflag 0}\r\
    \n  }\r\
    \n  :if ([:len \$bodymsg]>0) do={\r\
    \n    /tool e-mail send from=itdata@outeniqua.co.za server=40.97.128.194 to=itdata@outeniqua.co.za subject=\"IP's detected as SPAMMERS\" body=\$bodymsg\r\
    \n    :set bodymsg \"\"\r\
    \n  }\r\
    \n}"
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=smtp.office365.com from=itdata@outeniqua.co.za port=587 start-tls=yes
/tool graphing interface
add allow-address=192.168.0.0/18
/tool romon
set enabled=yes
/tool sniffer
set filter-ip-protocol=tcp filter-port=1935
/tool traffic-monitor
add interface=sfp6 name="WAN 75M" on-event=":log info \"WAN 75M reached\"" threshold=75000000
add interface=sfp6 name="WAN 75M down" on-event=":log info \"WAN 75M Down Reached\"" threshold=75000000 traffic=received
/tool user-manager database
set db-path=web-proxy1
[admin@OHS Core Router] >
 
tdw
Forum Guru
Posts: 2032
Joined: Sat May 05, 2018 11:55 am

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Mon Oct 19, 2020 2:42 pm

You have set the bridge to be VLAN-aware but not configured any bridge VLANs, so no tagged traffic will pass through the bridge. See https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
 
TroyQ
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Oct 20, 2016 10:02 pm

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Mon Oct 19, 2020 2:52 pm

You have set the bridge to be VLAN-aware but not configured any bridge VLANs, so no tagged traffic will pass through the bridge. See https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
I read through that wiki, I'm sorry I still don't know what I am missing. Please be more specific. I am not good with VLANs yet. Thank you in advance.
 
tdw
Forum Guru
Posts: 2032
Joined: Sat May 05, 2018 11:55 am

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Mon Oct 19, 2020 3:36 pm

You need to specify which tagged VLANs are made available to the various bridge ports, including the bridge itself as a bridge has two roles - a switch-like role for transporting packets between ports, and a port-like role for transporting packets between the bridge and other functions provided by the Mikrotik.

So
/interface bridge vlan
add bridge=bridge-Staff tagged=bridge-Staff,sfpX,sfpX,... vlan-ids=20

with the appropriate interfaces which should present VLAN 20.

The AP will need configuring similarly.
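The following is an added, complete example of the setup tdw describes; it is not configuration from this thread or from the original poster's router. Interface names (sfp3, sfp4, ether1, wlan-students), VLAN 20 and the 192.168.20.0/24 range are assumptions, and the student SSID is assumed to already exist as a wireless interface on each AP. The bridge VLAN table is filled in while vlan-filtering is still off, and filtering is switched on as the last step so that an incomplete table never cuts off working clients.

```routeros
# Added example, not the thread's own configuration.
# Names, VLAN id and addresses below are assumptions; substitute your own.

# --- Main router: DHCP for the student VLAN lives here ---
/interface bridge
add name=bridge-Staff vlan-filtering=no
/interface bridge port
# Trunk ports towards the APs: VLAN 20 tagged, management untagged (pvid=1)
add bridge=bridge-Staff interface=sfp3 pvid=1
add bridge=bridge-Staff interface=sfp4 pvid=1
/interface bridge vlan
# The bridge itself is listed as tagged so VLAN 20 also reaches the router's
# own vlan20 interface (tdw's "port-like role" of the bridge)
add bridge=bridge-Staff tagged=bridge-Staff,sfp3,sfp4 vlan-ids=20
/interface vlan
add interface=bridge-Staff name=vlan20 vlan-id=20
/ip address
add address=192.168.20.1/24 interface=vlan20
/ip pool
add name=pool-vlan20 ranges=192.168.20.10-192.168.20.250
/ip dhcp-server
add address-pool=pool-vlan20 disabled=no interface=vlan20 name=dhcp-vlan20
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
# Enable filtering only after the table is complete
/interface bridge
set [ find name=bridge-Staff ] vlan-filtering=yes

# --- Each AP: wireless clients are an untagged access port in VLAN 20 ---
/interface bridge
add name=bridge-AP vlan-filtering=no
/interface bridge port
# ether1 is the uplink trunk back to the core router
add bridge=bridge-AP interface=ether1 pvid=1
# wlan-students is the student SSID (assumed to exist); pvid puts its
# untagged wireless frames into VLAN 20
add bridge=bridge-AP interface=wlan-students pvid=20
/interface bridge vlan
add bridge=bridge-AP tagged=ether1 untagged=wlan-students vlan-ids=20
/interface bridge
set [ find name=bridge-AP ] vlan-filtering=yes
```

With this in place a DHCP Discover from a wireless client enters bridge-AP untagged, leaves ether1 tagged 20, arrives on the core router's trunk port tagged 20, and is delivered to vlan20 on bridge-Staff, where the DHCP server answers. If the core bridge is missing from its own tagged list, the frame is switched between ports but never reaches the router's DHCP server, which is the symptom in the opening post.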
 
TroyQ
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Oct 20, 2016 10:02 pm

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Mon Oct 19, 2020 3:42 pm

You need to specify which tagged VLANs are made available to the various bridge ports, including the bridge itself as a bridge has two roles - a switch-like role for transporting packets between ports, and a port-like role for transporting packets between the bridge and other functions provided by the Mikrotik.

So
/interface bridge vlan
add bridge=bridge-Staff tagged=bridge-Staff,sfpX,sfpX,... vlan-ids=20

with the appropriate interfaces which should present VLAN 20.

The AP will need configuring similarly.
This is new to me then, it used to work without that added. But I will try. I hope I don't kick my users off while they are working.
 
tdw
Forum Guru
Posts: 2032
Joined: Sat May 05, 2018 11:55 am

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Mon Oct 19, 2020 3:53 pm

If a bridge has vlan-filtering=yes only untagged traffic will pass through the bridge ports. However, if vlan-filtering=no the bridge behaves similarly to an unmanaged switch so any VLAN tagged traffic will pass through all bridge ports.
 
anav
Forum Guru
Posts: 21902
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Mon Oct 19, 2020 4:26 pm

Surprised it hasn't been noted yet, but your best reference is this!
viewtopic.php?t=143620

Once you follow this thread, and have modified your config, then post your config if still having problems.
 
TroyQ
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Oct 20, 2016 10:02 pm

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Wed Oct 21, 2020 5:51 pm

Thank you for all your help, my VLAN filtering was always off so even turning it on did nothing.
It turned out something was wrong with my DHCP. Removed and recreated it and problem solved. Nothing was wrong with my initial setup.

I had to remove the whole bridge for some reason and create it again to get the DHCP working.

Thanks everyone
 
bpwl
Forum Guru
Posts: 3124
Joined: Mon Apr 08, 2019 1:16 am

Re: VLAN DHCP on MAIN router not working to WLAN on AP  [SOLVED]

Thu Oct 22, 2020 12:47 am

my VLAN filtering was always off so even turning it on did nothing.

It turned out something was wrong with my DHCP. Removed and recreated it and problem solved. Nothing was wrong with my initial setup.

I had to remove the whole bridge for some reason and create it again to get the DHCP working.

Thanks everyone
Setting this:

/interface bridge
add arp=proxy-arp mtu=1500 name=bridge-Staff priority=0x1000 vlan-filtering=yes


as seen in your export, enables VLAN filtering. This requires the proper setting of the VLAN table and all VLAN settings as explained by tdw, because the VLAN traffic is filtered according to these settings.
Removing and rebuilding the bridge will give you a bridge with vlan-filtering=no (the default setting), and then vlan20 will reach the WLAN20 again, because there is no filtering.
With vlan-filtering=no all VLAN information in the bridge setup is ignored; VLAN packets are handled like untagged packets. VLAN tagging at the WLAN interface works independently.

This is one (the first one) of the 3 ways to handle VLANs.
1. dumb-switch/bridge no filtering (vlan-filtering=no)
2. Switch defined filtering and handling (ethernet ports only)
3. Bridge defined VLAN filtering and handling (vlan-filtering=yes)

https://wiki.mikrotik.com/wiki/Manual:B ... _switching
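bpwl's point is that the failure mode is a bridge with vlan-filtering=yes whose VLAN table was never filled in. The following is an added audit script, not something from this thread or from MikroTik, that reports exactly that state on a router so it can be caught before filtering is switched on (or after an upgrade, when behaviour changes). It only reads configuration and writes to the log; it assumes nothing beyond the standard /interface bridge, /interface bridge vlan and /interface vlan menus.

```routeros
# Added audit script (not from the thread). Paste into a terminal or save
# under /system script and run it; it changes nothing on the router.
# Only static table entries are counted: dynamic pvid entries exist even on
# an otherwise empty table, so they must not count as "configured".
:foreach b in [/interface bridge find vlan-filtering=yes] do={
    :local bname [/interface bridge get $b name]
    :local entries [:len [/interface bridge vlan find bridge=$bname dynamic=no]]
    :if ($entries = 0) do={
        :log warning ("bridge " . $bname . " has vlan-filtering=yes but no static VLAN table entries; tagged traffic will be dropped")
        :put ("WARNING: " . $bname . " filters VLANs but its VLAN table is empty")
        # List the VLAN interfaces sitting on this bridge: each of their ids needs
        # a table entry that includes the bridge itself as tagged
        :foreach v in [/interface vlan find interface=$bname] do={
            :put ("  needs a table entry: vlan-id " . [/interface vlan get $v vlan-id] . " (" . [/interface vlan get $v name] . ")")
        }
    } else={
        :put ("OK: " . $bname . " has " . $entries . " static VLAN table entries")
    }
}
```

Run against a configuration like the one exported earlier in this thread (bridge-Staff with vlan-filtering=yes and no /interface bridge vlan section), it prints the warning for bridge-Staff and names vlan20 as the interface that needs an entry; on a bridge with vlan-filtering=no it prints nothing, matching bpwl's first way of handling VLANs.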
 
TroyQ
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Oct 20, 2016 10:02 pm

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Thu Oct 22, 2020 12:22 pm

Thank you bpwl

I think you are right, recreating the original bridge did reset something. Just to note, that my filtering was off (set to no) initially when the VLAN on the wifi stopped working. The tagging was set on the v-wlan interface as always. I turned the filtering to yes after a recommendation on the forum, but then even turning it back off and restarting did not fix the problem. Something must have been stuck somewhere in the config. The delete definitely did reset something, but I do not see what it was now.

But thank you everyone for your help.

Problem solved!!! :-)
 
bpwl
Forum Guru
Posts: 3124
Joined: Mon Apr 08, 2019 1:16 am

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Thu Oct 22, 2020 2:30 pm

Mikrotik is using VLAN (SVID ??) under the hood to make the Ethernet ports connected to the etherx definitions of RouterOS. On top we configure VLANs (CVID ??) on the same hardware.
There are more cases of VLAN failure with 6.47.4 in this forum.
My little problem may have been something of the same origin: viewtopic.php?f=2&t=167155&p=824033#p824033
 
TroyQ
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Oct 20, 2016 10:02 pm

Re: VLAN DHCP on MAIN router not working to WLAN on AP

Thu Oct 22, 2020 4:14 pm

True, I was (still am) also running the latest OS. That's when the problem started.
