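# RouterOS export for a KPN connection: internet over PPPoE on VLAN 6, routed IPTV on
# VLAN 4 (DHCP option 60 "IPTV_RG" + IGMP proxy) and optional telephony on VLAN 7
# (bridged to a phone port), with the on-board radios handed to the local CAPsMAN.
# The identity names an RB4011iGS+RM; confirm the ether/sfp/wlan names match your board.
# Placeholders to fill in before applying: XX-XX-XX-XX-XX-XX (Experia Box MAC, PPPoE
# user), both Wi-Fi passphrases in /caps-man security, the decoder MACs in
# /ip dhcp-server lease and the example NAS address 192.168.88.15 in /ip firewall nat.
# Credentials in this file are stored in clear text; restrict who can read the export.
#
# Review changes versus the original export:
#  - /ip firewall filter: the Winbox (tcp/8291) input rule is limited to the LAN list;
#    it had no interface match and so accepted Winbox from the WAN.
#  - /ip neighbor discovery-settings: discovery limited to the LAN list instead of !dynamic.
# Everything else is unchanged apart from the added comments (translated to English).

/interface bridge
# igmp-snooping keeps IPTV multicast from flooding every bridge port
add arp=proxy-arp igmp-snooping=yes name=bridge-local protocol-mode=none
# If you also use telephony via KPN through the Experiabox, add the line below
add name=bridge-tel

/interface ethernet
# ether1 carries the tagged VLANs toward the KPN NTU; l2mtu raised for the PPPoE/VLAN overhead
set [ find default-name=ether1 ] arp=proxy-arp l2mtu=1598 loop-protect=off

# Kept commented out: wlan1/wlan2 are configured by CAPsMAN (see /interface wireless cap and
# /caps-man configuration below), so these static radio settings are not applied.
# /interface wireless
# managed by CAPsMAN
# channel: 5785/20-eeCe/ac(27dBm)+5210/80(14dBm), SSID: Draadloos, CAPsMAN forwarding
# set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto mode=ap-bridge radio-name=B869F4BE8107 secondary-channel=auto ssid=MikroTik station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2442/20-eC/gn(27dBm), SSID: Draadloos, CAPsMAN forwarding
# set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik station-roaming=enabled wireless-protocol=802.11

/interface vlan
# VLAN 4 = KPN IPTV, VLAN 6 = KPN internet (PPPoE runs on top of it)
add interface=ether1 name=vlan1.4 vlan-id=4
add interface=ether1 loop-protect=off name=vlan1.6 vlan-id=6
# If you also use telephony via KPN through the Experiabox, add the lines below
# (VLAN 7 on the WAN side and on ether3, bridged together in bridge-tel further down)
add interface=ether1 name=vlan1.7 vlan-id=7
add interface=ether3 name=vlan3.7 vlan-id=7

/interface pppoe-client
# Replace XX-XX-XX-XX-XX-XX with the MAC address of your KPN Experia Box
# add-default-route=yes: this session provides the default route (the IPTV VLAN route
# sits behind it at distance 210, see /ip dhcp-client)
add add-default-route=yes allow=pap disabled=no interface=vlan1.6 keepalive-timeout=20 max-mru=1500 max-mtu=1500 name=pppoe-client password=kpn user=XX-XX-XX-XX-XX-XX@internet

/caps-man security
# Replace both passphrases before deploying. authentication-types also allows WPA1-PSK
# (wpa-psk) next to WPA2-PSK; drop wpa-psk unless a legacy client still needs it.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Draadloos passphrase=wifipass
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Draadloos_Guest passphrase=wifipass_gast

/caps-man configuration
# NOTE: the guest SSIDs use datapath.bridge=bridge-local, the same bridge as the main SSID
# and the wired LAN, so "guest" here is only a separate passphrase, not a separate network.
# Put them on their own bridge/VLAN if guests must be isolated from the LAN.
add channel.band=5ghz-a/n/ac datapath.bridge=bridge-local name="5ghz Config" security=Draadloos ssid=Draadloos
add channel.band=5ghz-a/n/ac datapath.bridge=bridge-local name="5ghz Config Guest" security=Draadloos_Guest ssid=Draadloos_Guest
add channel.band=2ghz-b/g/n datapath.bridge=bridge-local name="2.4ghz Config" security=Draadloos ssid=Draadloos
add channel.band=2ghz-b/g/n datapath.bridge=bridge-local name="2.4ghz Config Guest" security=Draadloos_Guest ssid=Draadloos_Guest

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

/interface list
# WAN/LAN membership is what the firewall's in-interface-list rules key on; see
# /interface list member below
add name=WAN
add name=LAN

# Kept commented out: the security profile is not used while CAPsMAN manages the radios
# /interface wireless security-profiles
# set [ find default=yes ] supplicant-identity=MikroTik

/ip dhcp-client option
# Vendor class "IPTV_RG" identifies this router to KPN's IPTV DHCP server
add code=60 name=option60-vendorclass value="'IPTV_RG'"

/ip dhcp-server option
# Handed to the decoders (see option set IPTV and the static leases below)
add code=60 name=option60-vendorclass value="'IPTV_RG'"
add code=28 name=option28-broadcast value="'192.168.88.255'"

/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast

/ip pool
# .100-.254 is dynamic; .40-.44 below are reserved for decoders, .1 is the router
add name=dhcp-pool ranges=192.168.88.100-192.168.88.254

/ip dhcp-server
add address-pool=dhcp-pool disabled=no interface=bridge-local lease-time=1h30m name=dhcp

/ppp profile
set *0 only-one=yes use-compression=yes use-ipv6=no use-upnp=no
add name=default-ipv6 only-one=yes use-compression=yes use-upnp=no

/routing bgp instance
set default disabled=yes

/user group
# Built-in "full" group with every policy; accounts in this group have complete control
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"

/caps-man manager
# CAPs must run the same RouterOS version as the manager; packages are served from /upgrade
set enabled=yes package-path=/upgrade upgrade-policy=require-same-version

/caps-man provisioning
# One 5 GHz and one 2.4 GHz provisioning rule; each radio gets the main SSID as master and
# the guest SSID as slave, named WifiAP-...
add action=create-dynamic-enabled hw-supported-modes=an master-configuration="5ghz Config" name-format=prefix name-prefix=WifiAP slave-configurations="5ghz Config Guest"
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration="2.4ghz Config" name-format=prefix name-prefix=WifiAP slave-configurations="2.4ghz Config Guest"

/interface bridge port
# ether1 is deliberately not in the bridge: it is the WAN trunk
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=wlan2
add bridge=bridge-local interface=sfp-sfpplus1
# If you also use telephony via KPN through the Experiabox, add the lines below
# NOTE(review): ether3 is both a bridge-local port (untagged) and the parent of vlan3.7
# (tagged); that is how the tagged telephony VLAN reaches the Experia Box on ether3 — confirm
add bridge=bridge-tel interface=vlan1.7
add bridge=bridge-tel interface=vlan3.7

/ip neighbor discovery-settings
# Was !dynamic, which still announced MNDP/LLDP on ether1 and the WAN VLANs; limited to LAN
set discover-interface-list=LAN

/interface list member
# pppoe-client, vlan1.4 and vlan1.6 are WAN: the firewall drops unsolicited input from them
add interface=pppoe-client list=WAN
add interface=bridge-local list=LAN
add interface=vlan1.4 list=WAN
add interface=vlan1.6 list=WAN
# The line below is not required
add interface=bridge-tel list=LAN disabled=yes

/interface wireless cap
# The local radios register with the CAPsMAN running on this same router (127.0.0.1)
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2

/ip address
add address=192.168.88.1/24 interface=bridge-local network=192.168.88.0

/ip cloud
# Registers the WAN address with MikroTik's cloud DDNS; disable if you do not want the
# router to report its address to MikroTik
set ddns-enabled=yes

/ip dhcp-client
# IPTV VLAN gets its address from KPN; distance 210 keeps this route behind the PPPoE
# default route, and KPN's DNS/NTP are not used
add default-route-distance=210 dhcp-options=option60-vendorclass disabled=no interface=vlan1.4 use-peer-dns=no use-peer-ntp=no
# NOTE(review): a DHCP client on bridge-local next to the static 192.168.88.1/24 and the DHCP
# server on the same bridge looks like a leftover — confirm it is intended, otherwise remove it
add interface=bridge-local

/ip dhcp-server config
set store-leases-disk=15m

/ip dhcp-server lease
# Set-top boxes get a fixed IP address based on their MAC address. Fill in the MAC
# addresses of your own decoders here, or remove all these lines and the decoders get an
# address from the DHCP pool automatically. The IPTV option set hands them option 60/28.
add address=192.168.88.40 comment="Decoder 1" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp
add address=192.168.88.41 comment="Decoder 2" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp
add address=192.168.88.42 comment="Decoder 3" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp
add address=192.168.88.43 comment="Decoder 4" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp
add address=192.168.88.44 comment="Decoder 5" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 domain=thuis.local gateway=192.168.88.1

/ip dns
# allow-remote-requests=yes makes the router the LAN resolver. Queries arriving from the WAN
# are stopped only by the "drop all not coming from LAN" input rule below, so keep that rule.
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,8.8.4.4

/ip dns static
add address=192.168.88.1 name=router.lan

/ip firewall address-list
# KPN's routed IPTV (unicast/VoD) ranges; traffic to them is masqueraded out of vlan1.4
add address=213.75.112.0/21 list=KPN-RoutedIPTV
add address=217.166.0.0/16 list=KPN-RoutedIPTV
add address=10.142.64.0/18 list=KPN-RoutedIPTV

/ip firewall filter
# --- input (to the router itself) ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP from the internet is allowed (ping, path-MTU); everything else from WAN is dropped below
add action=accept chain=input in-interface=pppoe-client protocol=icmp
add action=accept chain=input disabled=yes dst-address=224.0.0.0/8 protocol=igmp
# IGMP and multicast UDP from the IPTV VLAN toward the router, needed by the igmp-proxy
add action=accept chain=input dst-address=224.0.0.0/8 in-interface=vlan1.4 protocol=igmp
add action=accept chain=input dst-address=224.0.0.0/8 in-interface=vlan1.4 protocol=udp
# Winbox only from the LAN. The original rule had no interface match; because LAN traffic
# already falls through to the default accept after the last drop rule, its only effect was
# to accept tcp/8291 from the WAN interfaces.
add action=accept chain=input comment="Winbox from LAN only" dst-port=8291 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward (through the router) ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# fasttrack is left disabled in this export
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Any UDP arriving on the IPTV VLAN is forwarded (multicast streams to the decoders). It is
# placed before the "drop all from WAN not DSTNATed" rule on purpose. NOTE(review): if only
# multicast is needed, adding dst-address=224.0.0.0/4 would narrow it — test with a decoder first.
add action=accept chain=forward in-interface=vlan1.4 protocol=udp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="Needed for internet" out-interface=pppoe-client src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="Needed for IPTV" dst-address-list=KPN-RoutedIPTV out-interface=vlan1.4
# Example port forward for a NAS/server behind the firewall. dst-address-type=local matches
# every address of the router, including the WAN side, so this exposes tcp/80 of
# 192.168.88.15 to the internet — remove it if you have no such server.
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.15
# Needed with a NAS/server so it can also be reached from the LAN via the public address (hairpin NAT)
add action=masquerade chain=srcnat comment="HairPin rule" dst-address=192.168.88.15 out-interface=bridge-local protocol=tcp src-address=192.168.88.0/24

/ip upnp
# NOTE(review): enabled= is not in this export (RouterOS default is no). If UPnP is turned on,
# LAN devices can open inbound ports on pppoe-client themselves; leave it off unless needed.
set show-dummy-rule=no

/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-client type=external

# Omit if the IPv6 package is not installed
# (the PPP profile above has use-ipv6=no, so these rules only matter once IPv6 is enabled on the WAN)
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6

# Omit if the IPv6 package is not installed
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/routing igmp-proxy
# quick-leave stops a multicast stream as soon as the last decoder leaves the group
set quick-leave=yes

/routing igmp-proxy interface
# vlan1.4 is the upstream (KPN); alternative-subnets lists the source ranges the proxy
# accepts multicast from; bridge-local is the downstream toward the decoders
add alternative-subnets=217.166.0.0/16,213.75.0.0/16,10.29.0.0/18 interface=vlan1.4 upstream=yes
add interface=bridge-local

/system clock
set time-zone-name=Europe/Amsterdam

/system identity
set name="MikroTik RB4011iGS+RM - Meterkast"

/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive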