I have a hEX S and a wAP ac and am trying to implement the topology below:
- internet from provider via PPPoE
- hexS with CAPsMAN for wAP ac (a single one for now, planned to add more to cover the house)
- two VLANs: one for LAN devices and another one for SmartHome devices
- L2TP IPSec VPN to access home network (LAN) from remote
Almost everything works as expected; the only thing that does not work is UPnP/DLNA discovery: when I am connected over the VPN I can't see my media server advertised, although the same server is reachable directly — e.g. via SMB I can browse and download/upload.
Did I miss something? Should this setup - e.g. DLNA for VPN clients - work?
Many thanks, Janos
# model = RB760iGS
#####################
# Basic Interfaces
#####################
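# Single bridge with VLAN filtering; all L3 (addresses, DHCP, firewall) sits on VLAN interfaces bound to it
/interface bridge add name=bridge-default admin-mac=**:**:**:**:**:** auto-mac=no fast-forward=no protocol-mode=none vlan-filtering=yes
# The internet-facing interface is the PPPoE session, not ether1 itself (ether1 only carries the PPPoE frames)
/interface pppoe-client
add name=pppoe-out1 interface=ether1 add-default-route=yes allow=mschap1,mschap2 dial-on-demand=yes disabled=no keepalive-timeout=disabled \
user=**** password=****
/interface vlan
# proxy-arp: L2TP clients are handed addresses out of this same /24 (ppp profile remote-address=dhcp-pool-default),
# so the router must answer ARP for them on the LAN VLAN; without it VPN clients would be unreachable from LAN hosts
add name=vlan-default vlan-id=10 interface=bridge-default arp=proxy-arp
add name=vlan-SmartHome vlan-id=20 interface=bridge-default
/interface bridge port
# Access ports: ingress-filtering + admit-only-untagged keeps a host from injecting tagged frames into another VLAN
add interface=ether2 pvid=20 bridge=bridge-default frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add interface=ether3 pvid=10 bridge=bridge-default frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add interface=ether4 pvid=10 bridge=bridge-default frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# ether5 is the trunk to the wAP ac (tagged 10 and 20 below). It has no frame-types/ingress-filtering, so untagged
# frames from the AP land in pvid 1 together with sfp1 and the bridge CPU port. That may be the path the CAP uses
# to reach CAPsMAN — confirm how the AP reaches the manager before tightening this to admit-only-vlan-tagged.
add interface=ether5 bridge=bridge-default
# sfp1 is a bridge port but is a member of no VLAN in /interface bridge vlan (pvid 1 only); disable it if unused
add interface=sfp1 bridge=bridge-default
/interface bridge vlan
# bridge-default must be tagged in every VLAN the router itself has an interface on (vlan-default, vlan-SmartHome)
add vlan-ids=10 bridge=bridge-default tagged=bridge-default,ether5 untagged=ether3,ether4
add vlan-ids=20 bridge=bridge-default tagged=bridge-default,ether5 untagged=ether2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=IOT
/interface list member
add interface=ether1 list=WAN
# The masquerade rule (out-interface-list=WAN) and the "drop all from WAN not DSTNATed" forward rule match on
# this list; the PPPoE session is the real uplink, so it has to be a member as well. It is not in the export —
# if the export is complete, add it.
add interface=pppoe-out1 list=WAN
# LAN list: the L2TP ppp profile (interface-list=LAN) adds each VPN client's interface here dynamically, so VPN
# clients get the same router access (input chain, DNS, mac-server, neighbor discovery) as a wired LAN host
add interface=vlan-default list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=vlan-SmartHome list=IOT
add interface=ether2 list=IOT
# Local wireless is unused on the hEX S (no radio); CAPsMAN security profiles below govern the wAP ac
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik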
#####################
# Basic IP
#####################
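# A DHCP client on ether1 next to the PPPoE session: if the ISP ever answers DHCP on the raw port this adds a
# second default route (add-default-route defaults to yes). Consider disabling it unless the provider needs it.
/ip dhcp-client
add interface=ether1 disabled=no
/ip address
add interface=vlan-default address=192.168.1.1/24 network=192.168.1.0
add interface=vlan-SmartHome address=192.168.2.1/24 network=192.168.2.0
# DDNS name used by the remote L2TP clients to find the router
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip pool
# dhcp-pool-default is shared with the L2TP ppp profile; RouterOS tracks usage per pool so DHCP and VPN leases do not collide
add name=dhcp-pool-default ranges=192.168.1.101-192.168.1.199
add name=dhcp-pool-SmartHome ranges=192.168.2.101-192.168.2.199
/ip dhcp-server
add name=dhcp-server-default address-pool=dhcp-pool-default disabled=no interface=vlan-default
add name=dhcp-server-SmartHome address-pool=dhcp-pool-SmartHome disabled=no interface=vlan-SmartHome
/ip dhcp-server network
# LAN hosts are pointed straight at Google DNS while VPN clients get the router (ppp profile dns-server=192.168.1.1);
# pointing LAN at 192.168.1.1 too would give both the same static names (router.lan etc.)
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 domain=lan gateway=192.168.1.1 netmask=24 caps-manager=192.168.1.1 wins-server=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 domain=iot gateway=192.168.2.1 netmask=24
# allow-remote-requests opens the resolver on every interface; only the input-chain "drop all not coming from LAN"
# rule keeps it off the internet, so that rule must stay in place
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router.lan
add address=192.168.1.98 name=MikroTik-wAPac
/ip neighbor discovery-settings
set discover-interface-list=LAN
# This is the router's own SMB file service, not the media server on the LAN. It is extra attack surface on the
# router; disable it unless files on the router's storage are actually shared.
/ip smb
set domain=WORKGROUP enabled=yes interfaces=vlan-default
# /ip upnp is the IGD port-mapping service: any host on an "internal" interface can ask the router to open WAN
# port-forwards. It does not relay SSDP/DLNA discovery. allow-disable-external-interface additionally lets such a
# host take the external interface down — there is no reason to permit that.
/ip upnp
set allow-disable-external-interface=no enabled=yes
# No interface is declared type=external here, so no port mapping can actually be created until one is added
/ip upnp interfaces
add interface=vlan-default type=internal
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot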
#####################
# IP Firewall
#####################
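/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
# IKE (500) and NAT-T (4500) must be reachable in the clear; L2TP (1701) is only accepted once it arrives inside the
# IPsec SA, so an unencrypted L2TP/MS-CHAP session from the internet cannot reach the PPP layer
add chain=input action=accept protocol=udp dst-port=500,4500 comment="L2TP IPSec VPN - IKE/NAT-T UDP 500,4500"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP IPSec VPN - L2TP UDP 1701 only inside IPsec"
add chain=input action=accept protocol=ipsec-esp comment="L2TP IPSec VPN - ESP"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
# Everything not in the LAN list is dropped here: that covers ether1/pppoe and the IOT interfaces (IoT devices are
# handed 8.8.8.8 for DNS so they need nothing from the router). L2TP client interfaces are put in LAN by the ppp
# profile, so VPN clients pass this rule.
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
# IPsec-policy matches come first so VPN traffic is accepted before fasttrack can bypass the policy check
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
# Fasttracked connections skip the rest of the filter; connections marked ipsec in mangle are excluded so they keep
# going through the IPsec policy
add chain=forward action=fasttrack-connection connection-mark=!ipsec connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=accept in-interface-list=LAN out-interface-list=IOT comment="allow from LAN to IOT"
add chain=forward action=reject in-interface-list=IOT out-interface-list=LAN reject-with=icmp-network-unreachable comment="reject from IOT to LAN"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# The forward chain has no final drop, so anything not matched above (LAN->WAN, IOT->WAN) is accepted by default.
# This rule only protects LAN/IOT from unsolicited WAN traffic and matches on the WAN list, which therefore has to
# contain the PPPoE session (pppoe-out1), not just ether1.
add chain=forward action=drop connection-nat-state=!dstnat connection-state=new in-interface-list=WAN comment="drop all from WAN not DSTNATed"
/ip firewall mangle
add chain=forward action=mark-connection ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes \
comment="mark ipsec connections to exclude them from fasttrack - in"
add chain=forward action=mark-connection ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes \
comment="mark ipsec connections to exclude them from fasttrack - out"
/ip firewall nat
# ipsec-policy=out,none keeps traffic that is about to be IPsec-encapsulated from being NATed first (defconf);
# out-interface-list=WAN must include pppoe-out1 for internet traffic to be masqueraded at all
add chain=srcnat action=masquerade ipsec-policy=out,none out-interface-list=WAN comment="defconf: masquerade"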
#####################
# CAPsMAN
#####################
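/caps-man channel
add name=channel-2ghz band=2ghz-g/n extension-channel=XX control-channel-width=20mhz
# skip-dfs-channels=no allows DFS channels; the AP will obey radar detection and may move channels at runtime
add name=channel-5ghz band=5ghz-a/n/ac extension-channel=XXXX skip-dfs-channels=no
# local-forwarding=no: all client traffic is tunnelled to the hEX S and injected into the bridge with the given VLAN tag,
# so wireless clients land in the same VLAN (and firewall lists) as the wired ports of that VLAN
/caps-man datapath
add name=datapath-default bridge=bridge-default client-to-client-forwarding=yes local-forwarding=no vlan-id=10 vlan-mode=use-tag
add name=datapath-SmartHome bridge=bridge-default client-to-client-forwarding=yes local-forwarding=no vlan-id=20 vlan-mode=use-tag
/caps-man rates
add name=rate-5ghz basic=24Mbps,36Mbps,48Mbps,54Mbps supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=mcs0-7 \
vht-supported-mcs=mcs0-9
# vht-* settings have no effect on the 2.4 GHz g/n band; harmless but can be dropped. basic=6Mbps,54Mbps forces
# every client to support 54 Mbps, which some old IoT radios may not.
add name=rate-2ghz basic=6Mbps,54Mbps supported=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=mcs0-7 \
vht-supported-mcs=mcs0-9
# WPA2-PSK, CCMP only (no TKIP), PMKID disabled so the PSK cannot be attacked via a captured PMKID;
# group-encryption is pinned to aes-ccm on both profiles so the IoT SSID cannot fall back to a weaker group cipher
/caps-man security
add name=security-5ghz authentication-types=wpa2-psk passphrase=**** disable-pmkid=yes encryption=aes-ccm group-key-update=5m \
group-encryption=aes-ccm
add name=security-2ghz authentication-types=wpa2-psk passphrase=**** disable-pmkid=yes encryption=aes-ccm group-key-update=5m \
group-encryption=aes-ccm
# rx/tx chains 0-3 are requested; a 2x2 radio simply uses the chains it has
/caps-man configuration
add name=apCfg-5ghz ssid=myLAN channel=channel-5ghz datapath=datapath-default rates=rate-5ghz security=security-5ghz \
distance=indoors hw-retries=7 installation=indoor mode=ap country=**** rx-chains=0,1,2,3 tx-chains=0,1,2,3 guard-interval=any
add name=apCfg-2ghz ssid=mySmartHome channel=channel-2ghz datapath=datapath-SmartHome rates=rate-2ghz security=security-2ghz \
distance=indoors hw-retries=7 installation=indoor mode=ap country=**** rx-chains=0,1,2,3 tx-chains=0,1,2,3
/caps-man manager
set enabled=yes
# CAPsMAN is forbidden on every interface except the bridge and ether5, so no CAP can register from WAN.
# ether5 is itself a bridge port, so listing it separately is redundant with bridge-default.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-default
add disabled=no interface=ether5
# Any CAP that registers is auto-provisioned: 5 GHz radios get the LAN SSID, 2.4 GHz radios the SmartHome SSID.
# Since the manager accepts any CAP on the bridge, a rogue CAP plugged into an access port would also be
# provisioned with the PSKs; restrict with a cap-list/identity-regexp if that matters.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac,an master-configuration=apCfg-5ghz name-format=identity
add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=apCfg-2ghz name-format=identity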
#####################
# Generic
#####################
# Local time zone (needed for correct log timestamps and scheduler times)
/system clock set time-zone-name=Europe/****
# MAC-telnet and MAC-winbox are limited to the LAN list. Note that L2TP client interfaces are added to LAN by the
# ppp profile, so VPN users can reach these layer-2 management services as well.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
#####################
# L2TP IPsec
#####################
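#####################
# L2TP IPsec
#####################
# Static binding for testuser: the interface exists with a fixed name (l2tp-in1), which is what /ip upnp below refers to
/interface l2tp-server
add name=l2tp-in1 user=testuser
# IKEv1 phase 1. modp1024 (DH group 2) is kept only for old clients that offer nothing stronger — drop it once the
# client fleet negotiates modp2048. hash-algorithm=sha256: some L2TP/IPsec clients only offer sha1 here; confirm
# against the clients in use.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256
# Phase 2: sha1 is retained for client compatibility (common for L2TP/IPsec clients); remove when no longer needed
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm"
# mode-config is used by IKEv2/XAuth road-warrior setups, not by L2TP (addresses come from the ppp profile below);
# this entry appears unused by the rest of the export
/ip ipsec mode-config
add address-pool=dhcp-pool-default name=l2tp-mode split-include=0.0.0.0/0
# VPN clients get a LAN address (needs proxy-arp on vlan-default) and are added to the LAN interface list, so they
# are treated as LAN hosts everywhere the LAN list is used. use-upnp=yes lets a VPN client create WAN port mappings.
/ppp profile
add name=l2tp-ipsec-profile dns-server=192.168.1.1 interface-list=LAN local-address=192.168.1.1 remote-address=dhcp-pool-default \
use-encryption=yes use-upnp=yes wins-server=192.168.1.1
# Refers to a built-in profile by its internal id (from an export); this profile is not the one the server uses.
# Prefer addressing it as `set [ find name=default-encryption ]` — confirm which profile *FFFFFFFE is on this box.
set *FFFFFFFE bridge=bridge-default dns-server=192.168.1.1
# use-ipsec=required: with `yes` IPsec is merely optional and a plain L2TP session (MS-CHAP over the internet) is
# accepted. MS-CHAPv1 is dropped; every current client does MS-CHAPv2.
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-ipsec-profile enabled=yes ipsec-secret=**** use-ipsec=required
/ppp secret
add name=testuser password=**** profile=l2tp-ipsec-profile
# vlan-default is already in upnp interfaces, just add the l2tp one. The export said "l2tp-in", but the binding
# above is named l2tp-in1; there is no interface called l2tp-in.
# Caveat: /ip upnp is the IGD port-mapping service and does not relay SSDP (multicast 239.255.255.250), which DLNA
# discovery relies on. An L2TP tunnel is a routed point-to-point link, so that multicast never reaches VPN clients
# even though unicast (SMB) works. This entry therefore will not fix DLNA; all it does is let VPN clients open WAN
# port-forwards, so consider removing it.
/ip upnp interfaces
add interface=l2tp-in1 type=internal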