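# 2023-10-31 13:03:40 by RouterOS 7.11.2
# model = RB4011iGS+
#
# KPN fibre setup on the SFP+ port: PPPoE internet on VLAN 6, routed IPTV on
# VLAN 4, ether1-ether10 bridged as the LAN, Wi-Fi provisioned through CAPsMAN.
#
# NOTE(review): this copy differs from the raw export in two places, both
# marked NOTE(review) below:
#   1. Winbox (tcp/8291) is accepted from the LAN interface list only.
#   2. Neighbor discovery is limited to the LAN interface list.
# The export contains no "/ip service" or "/tool mac-server" section, so the
# state of the other management services cannot be told from this file; check
# them on the router itself.

/interface bridge
add arp=proxy-arp fast-forward=no igmp-snooping=yes name=bridge-local

/interface ethernet
set [ find default-name=sfp-sfpplus1 ] arp=proxy-arp auto-negotiation=no l2mtu=1598 loop-protect=off speed=1Gbps

/interface vlan
# VLAN 4 carries IPTV, VLAN 6 carries the PPPoE internet session.
add interface=sfp-sfpplus1 name=vlan1.4 vlan-id=4
add interface=sfp-sfpplus1 loop-protect=off name=vlan1.6 vlan-id=6

/interface pppoe-client
# Change XX-XX-XX-XX-XX-XX to the MAC address of your KPN Experia Box.
add add-default-route=yes allow=pap disabled=no interface=vlan1.6 keepalive-timeout=20 max-mru=1500 max-mtu=1500 name=pppoe-client password=kpn user=XX-XX-XX-XX-XX-XX@internet

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"

/ip dhcp-server option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
add code=28 name=option28-broadcast value="'192.168.88.255'"

/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast

/ip pool
add name=dhcp-pool ranges=192.168.88.100-192.168.88.150

/ip dhcp-server
add address-pool=dhcp-pool interface=bridge-local lease-time=1h30m name=dhcp

/port
set 0 name=serial0
set 1 name=serial1

/ppp profile
set *0 only-one=yes use-compression=yes use-ipv6=no use-upnp=no
add name=default-ipv6 only-one=yes use-compression=yes use-upnp=no
add address-list="" name=kpn-ipv6 only-one=yes remote-ipv6-prefix-pool=*0 use-compression=yes use-upnp=no

/routing bgp template
set default disabled=yes output.network=bgp-networks

/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"

/interface bridge port
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10

/ip neighbor discovery-settings
# NOTE(review): was discover-interface-list=!dynamic, which also announces the
# router on sfp-sfpplus1 and both provider VLANs. Limited to LAN so the device
# identity and version are not advertised toward the provider side.
set discover-interface-list=LAN

/interface list member
add interface=pppoe-client list=WAN
add interface=bridge-local list=LAN
add interface=vlan1.6 list=WAN
add interface=sfp-sfpplus1 list=WAN
add interface=vlan1.4 list=WAN

/ip address
add address=192.168.88.1/24 interface=bridge-local network=192.168.88.0

/ip cloud
# Registers the router's public address under a MikroTik cloud DNS name; turn
# this off if no remote access to the router or a forwarded service is needed.
set ddns-enabled=yes

/ip dhcp-client
add default-route-distance=210 dhcp-options=option60-vendorclass interface=vlan1.4 use-peer-dns=no use-peer-ntp=no

/ip dhcp-server config
set store-leases-disk=15m

/ip dhcp-server lease
# The decoders get a fixed IP address based on their MAC address. Fill in the
# MAC addresses of your own decoders, or delete all of these lines and the
# decoders get an address from the DHCP pool automatically.
add address=192.168.88.40 comment="Decoder 1" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp
add address=192.168.88.41 comment="Decoder 2" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp
add address=192.168.88.42 comment="Decoder 3" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp
add address=192.168.88.43 comment="Decoder 4" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp
add address=192.168.88.44 comment="Decoder 5" dhcp-option-set=IPTV mac-address=XX:XX:XX:XX:XX:XX server=dhcp

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 domain=local.lan gateway=192.168.88.1

/ip dns
# allow-remote-requests=yes makes the router answer DNS queries; only the
# "drop all not coming from LAN" input rule below keeps it from answering the
# internet, so that rule must stay in place and enabled.
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,8.8.4.4

/ip dns static
add address=192.168.88.1 name=router.lan

/ip firewall address-list
# Destination networks that are routed and masqueraded out of the IPTV VLAN.
add address=10.0.0.0/8 comment=Extra list=KPN-RoutedIPTV
add address=10.142.64.0/18 comment=Extra list=KPN-RoutedIPTV
add address=10.207.0.0/20 comment=Extra list=KPN-RoutedIPTV
add address=213.75.112.0/21 comment=Original list=KPN-RoutedIPTV
add address=213.75.160.0/19 comment=Extra disabled=yes list=KPN-RoutedIPTV
add address=217.166.0.0/16 comment=Original list=KPN-RoutedIPTV

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# VPN listeners are present but disabled; enable them only together with a
# configured VPN server.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp disabled=yes
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp disabled=yes
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input in-interface=pppoe-client protocol=icmp
add action=accept chain=input disabled=yes dst-address=224.0.0.0/8 protocol=igmp
# IGMP and multicast UDP from the IPTV VLAN must reach the IGMP proxy.
add action=accept chain=input dst-address=224.0.0.0/8 in-interface=vlan1.4 protocol=igmp
add action=accept chain=input dst-address=224.0.0.0/8 in-interface=vlan1.4 protocol=udp
# NOTE(review): the exported rule had no interface match and sat above the
# "drop all not coming from LAN" rule, so Winbox was reachable from the
# internet. It is now limited to the LAN list; use a VPN for remote management.
add action=accept chain=input dst-port=8291 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Accepts every UDP packet arriving on the IPTV VLAN, whatever its destination.
# NOTE(review): presumably meant for the multicast TV streams only; consider
# narrowing it with a dst-address match once the streams are confirmed working.
add action=accept chain=forward in-interface=vlan1.4 protocol=udp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Duplicate of the first input rule; it can never match because that rule is
# evaluated first. Kept as exported.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

/ip firewall nat
add action=masquerade chain=srcnat comment="Needed for internet" out-interface=pppoe-client src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="Needed for IPTV" dst-address-list=KPN-RoutedIPTV out-interface=vlan1.4
# Example port forward for a NAS/server behind the firewall.
# This publishes plain HTTP on 192.168.88.15 to the internet; delete the rule
# when no such server exists. dst-address-type=local matches every address of
# the router, so port 80 on 192.168.88.1 is redirected to the NAS as well.
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.15
# Needed so the NAS/server can also be reached from inside the LAN.
add action=masquerade chain=srcnat comment="HairPin rule" dst-address=192.168.88.15 out-interface=bridge-local protocol=tcp src-address=192.168.88.0/24

/ip upnp
set show-dummy-rule=no

/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-client type=external

/routing igmp-proxy
set quick-leave=yes

/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan1.4 upstream=yes
add interface=bridge-local

/system clock
set time-zone-name=Europe/Amsterdam

/system identity
set name="Miktrotik RB4011iGS+RM"

# These lines are needed to manage your Wi-Fi through CAPsMAN.
/caps-man security
# wifipass and wifipass_gast are placeholders: replace both with long, unique
# passphrases before importing. Both profiles still allow wpa-psk next to
# wpa2-psk; drop wpa-psk when no client needs it.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Draadloos passphrase=wifipass
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Draadloos_Guest passphrase=wifipass_gast

/caps-man configuration
# The guest configurations use datapath.bridge=bridge-local, the same bridge as
# the main SSID, so guest clients share the LAN segment and its DHCP server and
# are not isolated from LAN hosts.
add channel.band=5ghz-a/n/ac datapath.bridge=bridge-local name="5ghz Config" security=Draadloos ssid=Draadloos
add channel.band=5ghz-a/n/ac datapath.bridge=bridge-local name="5ghz Config Guest" security=Draadloos_Guest ssid=Draadloos_Guest
add channel.band=2ghz-b/g/n datapath.bridge=bridge-local name="2.4ghz Config" security=Draadloos ssid=Draadloos
add channel.band=2ghz-b/g/n datapath.bridge=bridge-local name="2.4ghz Config Guest" security=Draadloos_Guest ssid=Draadloos_Guest

/caps-man manager
set enabled=yes package-path=/upgrade upgrade-policy=require-same-version

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=an master-configuration="5ghz Config" name-format=prefix name-prefix=WifiAP slave-configurations="5ghz Config Guest"
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration="2.4ghz Config" name-format=prefix name-prefix=WifiAP slave-configurations="2.4ghz Config Guest"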