Thank you Jim, those instructions were helpful. Code below.
So, I'm not a total beginner, but not an expert. RouterOS gets pretty technical mighty fast!
This setup was largely created by a friend who is more proficient. I have done a small amount of tinkering over the years, but trying to be very careful and not playing with things I don't understand.
That said, I have got this stuff to learn with.
Setup: Terraced house, three floors. I've done wifi scans, and while the neighbours do have networks, I think we're not too congested.
There's a 2.GHhz baby monitor in the house, but it's not always running.
The access list rules (accept/reject) are intended to stop smart phones from clinging on to distant, weak AP signals.
A device should never be more than about 10m from an AP, even if through a wall or floor. I do have a couple more HaP AC2s in boxes, but I feel they shouldn't be necessary?
What might be the problem? Or problems? Have I done something stupid? What can I improve?
Very much open to suggestions, and keen to learn.
Thank you!
# sep/02/2021 00:46:53 by RouterOS 6.48.4
# software id = 8NSR-U1IH
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 968909******
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2437 name=channel6
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2462 name=channel11
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
frequency=5180 name=channel36
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce \
frequency=5220 name=channel44
/interface bridge
add arp=proxy-arp name=bridge-Home priority=0x1000
/interface wireless
# managed by CAPsMAN
# channel: 5500/20-Ceee/ac/DP(27dBm)+5210/80/P(20dBm), SSID: Lancelot, local forwarding
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set \
disabled=no frequency-mode=manual-txpower radio-name=B869F4BE97AB ssid=\
MikroTik station-roaming=enabled
# managed by CAPsMAN
# channel: 2412/20/gn(20dBm), SSID: Lancelot, local forwarding
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set \
disabled=no frequency-mode=manual-txpower ssid=MikroTik station-roaming=\
enabled
add disabled=no mac-address=BA:69:F4:B2:9F:30 master-interface=wlan2 name=\
wlan3 station-roaming=enabled
add disabled=no mac-address=BA:69:F4:BE:97:AC master-interface=wlan1 name=\
wlan5 station-roaming=enabled
add disabled=no mac-address=BA:69:F4:B2:9F:30 master-interface=wlan2 name=\
wlan6 station-roaming=enabled
add disabled=no mac-address=BA:69:F4:BE:97:AC master-interface=wlan1 name=\
wlan7 station-roaming=enabled
add disabled=no mac-address=B8:69:F4:BE:97:AC master-interface=wlan1 name=\
wlan12
/interface ethernet
set [ find default-name=ether1 ] name=ether1-VIRGINMEDIA
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3LAN
set [ find default-name=ether4 ] arp=reply-only name=ether4LAN
set [ find default-name=ether5 ] arp=reply-only name=ether5LAN
/interface vlan
add comment=\
"VLAN for guests - can't get onto home devices, e.g. Sonos, URC etc" \
interface=bridge-Home name=vlan20-GUESTS vlan-id=20
/caps-man datapath
add bridge=bridge-Home client-to-client-forwarding=yes local-forwarding=yes \
name=datapath-DdV vlan-mode=no-tag
add bridge=bridge-Home client-to-client-forwarding=yes local-forwarding=yes \
name=datapath-guest vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=DdVSEC
add authentication-types=wpa2-psk encryption=aes-ccm name=GuestSEC
/caps-man configuration
add country="united kingdom" datapath=datapath-DdV mode=ap name=cfg-DdV \
security=DdVSEC ssid=Lancelot
add country="united kingdom" datapath=datapath-guest name=cfg-Guest security=\
GuestSEC ssid=Guests
/caps-man interface
add channel=channel6 channel.frequency=2437 configuration=cfg-DdV disabled=no \
l2mtu=1600 mac-address=CC:2D:E0:CA:20:61 master-interface=none name=\
cap-Kitch2GLance radio-mac=CC:2D:E0:CA:20:61 radio-name=""
add channel.frequency=2437 configuration=cfg-Guest disabled=yes l2mtu=1600 \
mac-address=CE:2D:E0:CA:20:61 master-interface=cap-Kitch2GLance name=\
cap-Kitch2Gguest radio-mac=00:00:00:00:00:00 radio-name=""
add channel=channel36 channel.frequency=5180 configuration=cfg-DdV datapath=\
datapath-DdV disabled=no l2mtu=1600 mac-address=CC:2D:E0:CA:20:62 \
master-interface=none name=cap-Kitch5GLance radio-mac=CC:2D:E0:CA:20:62 \
radio-name="" security=DdVSEC
add channel=channel36 channel.frequency=5180 configuration=cfg-Guest \
disabled=yes l2mtu=1600 mac-address=CE:2D:E0:CA:20:62 name=\
cap-Kitch5Gguest radio-mac=00:00:00:00:00:00 radio-name=""
add channel=channel1 channel.frequency=2412 configuration=cfg-DdV disabled=no \
l2mtu=1600 mac-address=B8:69:F4:B2:9F:30 master-interface=none name=\
cap-LivRm2GLance radio-mac=B8:69:F4:B2:9F:30 radio-name=B869F4B29F30
add configuration=cfg-Guest disabled=yes l2mtu=1600 mac-address=\
BA:69:F4:B2:9F:30 master-interface=cap-LivRm2GLance name=\
cap-LivRm2Gguests radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg-DdV disabled=no l2mtu=1600 mac-address=\
B8:69:F4:BE:97:AC master-interface=none name=cap-LivRm5GLance radio-mac=\
B8:69:F4:BE:97:AC radio-name=B869F4BE97AC
add channel=channel11 configuration=cfg-DdV disabled=no l2mtu=1600 \
mac-address=CC:2D:E0:CA:1F:9F master-interface=none name=cap-Off2GLance \
radio-mac=CC:2D:E0:CA:1F:9F radio-name=CC2DE0CA1F9F
add channel=channel44 channel.frequency=5220 configuration=cfg-DdV disabled=\
no l2mtu=1600 mac-address=CC:2D:E0:CA:1F:A0 master-interface=none name=\
cap-Off5GLance radio-mac=CC:2D:E0:CA:1F:A0 radio-name=CC2DE0CA1FA0
add configuration=cfg-Guest disabled=yes l2mtu=1600 mac-address=\
CE:2D:E0:CA:1F:9F master-interface=cap-Off2GLance name=cap-off2G-Guest \
radio-mac=00:00:00:00:00:00 radio-name=""
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s \
pfs-group=none
/ip kid-control
add name="Test user"
/ip pool
add name=pool-LAN ranges=192.168.18.60-192.168.18.150
add name=pool-Guests ranges=192.168.5.10-192.168.5.200
add name=pool-VPN ranges=10.10.10.210-10.10.10.219
/ip dhcp-server
add add-arp=yes address-pool=pool-LAN disabled=no interface=bridge-Home \
lease-time=8h10m name=dhcp-LAN
add add-arp=yes address-pool=pool-Guests disabled=no interface=vlan20-GUESTS \
lease-time=2h10m name=dhcp-Guests
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=10.10.10.1 name=L2TP-IPSEC \
queue-type=multi-queue-ethernet-default remote-address=pool-VPN \
use-encryption=required
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
-75..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=\
-120..-76 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-DdV \
slave-configurations=cfg-Guest
/interface bridge port
add bridge=bridge-Home interface=ether3LAN
add bridge=bridge-Home interface=ether4LAN
add bridge=bridge-Home interface=ether5LAN
add bridge=bridge-Home interface=vlan20-GUESTS
add bridge=bridge-Home interface=ether6
add bridge=bridge-Home interface=ether7
add bridge=bridge-Home interface=ether8
add bridge=bridge-Home interface=ether9
add bridge=bridge-Home interface=ether10
add bridge=bridge-Home interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP-IPSEC enabled=yes \
keepalive-timeout=disabled max-mru=1400 max-mtu=1460
/interface list member
add interface=ether1-VIRGINMEDIA list=WAN
add interface=ether2-WAN2 list=LAN
add interface=ether3LAN list=LAN
add interface=ether4LAN list=LAN
add interface=ether5LAN list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=wlan2 list=LAN
/interface wireless cap
#
set bridge=bridge-Home certificate=request discovery-interfaces=bridge-Home \
enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.18.1/24 interface=bridge-Home network=192.168.18.0
add address=192.168.5.1/24 interface=vlan20-GUESTS network=192.168.5.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=6h
/ip dhcp-client
add disabled=no interface=ether1-VIRGINMEDIA use-peer-dns=no
add add-default-route=no disabled=no interface=ether2-WAN2
/ip dhcp-server lease
add address=192.168.18.140 client-id=1:b0:c5:54:e:aa:6f mac-address=\
B0:C5:54:0E:AA:6F server=dhcp-LAN
add address=192.168.18.98 client-id=1:8:ed:ed:28:e1:14 comment=\
"IC Realtime NVR" mac-address=08:ED:ED:28:E1:14 server=dhcp-LAN
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.18.0/24 dns-server=192.168.18.1 gateway=192.168.18.1 \
netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment=L2TP/IPSEC dst-port=500 protocol=udp
add action=accept chain=input comment=L2TP/IPSEC dst-port=1701 protocol=udp
add action=accept chain=input comment=L2TP/IPSEC dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=\
"allow winbox from Dud - everyone else can take a running jump" \
dst-port=8291 in-interface=ether1-VIRGINMEDIA protocol=tcp src-address=\
93.89.xxx.xxx
add action=accept chain=input comment="allow www" dst-port=8080 in-interface=\
ether1-VIRGINMEDIA protocol=tcp
add action=accept chain=input comment="allow www" dst-port=8080 in-interface=\
ether2-WAN2 protocol=tcp
add action=accept chain=input comment="Allow SSH" dst-port=62222 \
in-interface=ether1-VIRGINMEDIA protocol=tcp
add action=drop chain=input dst-address=192.168.18.0/24 src-address=\
192.168.5.0/24
add action=drop chain=input in-interface=ether1-VIRGINMEDIA
add action=accept chain=input comment="allow IC Realtime NVR access" \
dst-port=8081 in-interface=ether1-VIRGINMEDIA protocol=tcp
add action=accept chain=input comment="IC Realtime NVR remote access" \
dst-port=4443 in-interface=ether1-VIRGINMEDIA protocol=tcp
add action=accept chain=input comment="allow IC Realtime NVR" dst-port=37777 \
in-interface=ether1-VIRGINMEDIA protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.18.0/24 src-address=192.168.18.0/24
add action=masquerade chain=srcnat out-interface=ether1-VIRGINMEDIA
add action=masquerade chain=srcnat out-interface=ether2-WAN2
add action=masquerade chain=srcnat comment="L2TP/IPSEC NAT" dst-address=\
!10.10.10.0/24 src-address=10.10.10.0/24
add action=dst-nat chain=dstnat comment="NVR Web page" dst-port=4443 \
in-interface=ether1-VIRGINMEDIA protocol=tcp to-addresses=192.168.18.98
add action=dst-nat chain=dstnat comment="NVR Port Fwd Rule 1" dst-port=37777 \
in-interface=ether1-VIRGINMEDIA protocol=tcp to-addresses=192.168.18.98 \
to-ports=37777
add action=dst-nat chain=dstnat comment="NVR Port Fwd Rule 2" dst-port=554 \
in-interface=ether1-VIRGINMEDIA protocol=tcp to-addresses=192.168.18.98 \
to-ports=554
add action=dst-nat chain=dstnat comment="NVR Port Fwd Rule 3" dst-port=37778 \
in-interface=ether1-VIRGINMEDIA protocol=udp to-addresses=192.168.18.98 \
to-ports=37778
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh port=62222
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=xxxxxx profile=L2TP-IPSEC service=l2tp
/system clock
set time-zone-name=Europe/London
/system identity
set name=MikroTik-LivRm
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system routerboard settings
set auto-upgrade=yes
/tool traffic-monitor
add interface=ether1-VIRGINMEDIA name=tmon1
add interface=ether1-VIRGINMEDIA name=tmon2 threshold=0 traffic=received \
trigger=always