Не стабильная работа Matter розеток от яндекса в сети CAPsMAN
Добавлено: 26 мар 2025, 05:12
MIB
Доброго времени суток. Подскажите пожалуйста новичку.
Частный дом, сеть из основного роутера HAP AC2 и 2 точки доступа HAP lite подключены кабелем последовательно. Сделана единая WI-Fi сеть с контроллером CAPsMAN на HAP AC2. И вроде бы все работает но отвыливаются умныерозетки Matter яндекса. В приложении умного дома по много раз на день то в сети то не в сети соответственно сценарии не всегда отрабатывают. При чем в логах роутера я про них ничего не нахожу. И когда в приложении яндекса они не в сети, то к сети wi-fi они остаются подключены и пингуются. До настройки CAPsMAN одна розетка висела на HAP lite он поднимал свою сеть и сбоев не было вообще. Подскажите где копать?
Настройки роутера
Настройки точек доступа
P.S. при выгрузке конфигурации заметил что на точке доступа очень медленно работает терминал.
Частный дом, сеть из основного роутера HAP AC2 и 2 точки доступа HAP lite подключены кабелем последовательно. Сделана единая WI-Fi сеть с контроллером CAPsMAN на HAP AC2. И вроде бы все работает но отвыливаются умныерозетки Matter яндекса. В приложении умного дома по много раз на день то в сети то не в сети соответственно сценарии не всегда отрабатывают. При чем в логах роутера я про них ничего не нахожу. И когда в приложении яндекса они не в сети, то к сети wi-fi они остаются подключены и пингуются. До настройки CAPsMAN одна розетка висела на HAP lite он поднимал свою сеть и сбоев не было вообще. Подскажите где копать?
Настройки роутера
[admin@MikroTik] > /export hide-sensitive
# 2025-03-26 10:05:13 by RouterOS 7.17
# software id = P6NB-HRAM
#
# model = RBD52G-5HacD2HnD
# serial number = BEEB0AE63C5A
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=24GHz tx-power=17
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=XX name=5GHz save-selected=yes skip-dfs-channels=yes tx-power=20
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=24GHz_point tx-power=12
/interface bridge
add admin-mac=74:4D:28:E4:BA:DB auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(14dBm), SSID: MATRIX, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=russia3 distance=indoors frequency=auto mode=ap-bridge ssid=MATRIX wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ce/ac/P(17dBm), SSID: MATRIX, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=russia3 distance=indoors frequency=auto mode=ap-bridge ssid=MATRIX5 wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=v42216765
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=datapath1
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip group-encryption=aes-ccm group-key-update=40m name=Home
/caps-man configuration
add channel=24GHz country=russia3 datapath=datapath1 distance=indoors guard-interval=long hw-protection-mode=rts-cts installation=indoor keepalive-frames=enabled max-sta-count=15 mode=ap \
multicast-helper=full name=MATRIX24 rx-chains=0,1,2,3 security=Home ssid=MATRIX tx-chains=0,1,2,3
add channel=5GHz country=russia3 datapath=datapath1 distance=indoors guard-interval=long hw-protection-mode=rts-cts installation=indoor keepalive-frames=enabled max-sta-count=15 mode=ap \
multicast-helper=full name=MATRIX5 rx-chains=0,1,2,3 security=Home ssid=MATRIX tx-chains=0,1,2,3
add channel=24GHz_point country=russia3 datapath=datapath1 distance=indoors guard-interval=long hw-protection-mode=rts-cts installation=indoor keepalive-frames=enabled max-sta-count=15 mode=\
ap multicast-helper=full name=MATRIX24_Point rx-chains=0,1,2,3 security=Home ssid=MATRIX tx-chains=0,1,2,3
/caps-man interface
add configuration=MATRIX5 disabled=no l2mtu=1600 mac-address=74:4D:28:E4:BA:E0 master-interface=none name=5GHz-MikroTik-1 radio-mac=74:4D:28:E4:BA:E0 radio-name=744D28E4BAE0 security=Home
add configuration=MATRIX24 disabled=no l2mtu=1600 mac-address=74:4D:28:E4:BA:DF master-interface=none name=24GHz-MikroTik-1 radio-mac=74:4D:28:E4:BA:DF radio-name=744D28E4BADF security=Home
add configuration=MATRIX24_Point disabled=no l2mtu=1600 mac-address=6C:3B:6B:AE:C2:1A master-interface=none name=24GHz-MikroTik-2 radio-mac=6C:3B:6B:AE:C2:1A radio-name=6C3B6BAEC21A security=\
Home
add configuration=MATRIX24 disabled=no l2mtu=1600 mac-address=78:9A:18:61:13:35 master-interface=none name=24Ghz1 radio-mac=78:9A:18:61:13:35 radio-name=789A18611335
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-enabled hw-supported-modes=ac master-configuration=MATRIX5 name-format=prefix-identity name-prefix=5GHz
add action=create-enabled hw-supported-modes=gn master-configuration=MATRIX24 name-format=prefix name-prefix=24Ghz
add action=create-enabled master-configuration=MATRIX24_Point name-format=prefix name-prefix=24Ghz radio-mac=6C:3B:6B:AE:C2:1A
add action=create-enabled master-configuration=MATRIX24_Point name-format=prefix name-prefix=24Ghz radio-mac=78:9A:18:61:13:30
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.3.1/24 comment=defconf interface=bridge network=192.168.3.0
/ip cloud
set ddns-update-interval=10m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.3.11 client-id=1:e0:bb:9e:e1:4c:21 mac-address=E0:BB:9E:E1:4C:21 server=defconf
add address=192.168.3.62 client-id=1:84:59:e0:e1:a9:ba mac-address=84:59:E0:E1:A9:BA server=defconf
add address=192.168.3.20 client-id=ff:6e:eb:e:5a:0:1:0:1:c7:92:bc:86:3c
4f:f:78:b2 comment=Garage mac-address=B8:87:6E:EB:0E:5A server=defconf
add address=192.168.3.22 client-id=1:3c4f:f5:27:b4 comment=Garage_Rozetka mac-address=3C:0B:4F:F5:27:B4 server=defconf
add address=192.168.3.25 client-id=1:3c4f:f4:86:c8 comment=2Stage_Rozetka mac-address=3C:0B:4F:F4:86:C8 server=defconf
add address=192.168.3.32 client-id=1:78:9a:18:61:13:35 mac-address=78:9A:18:61:13:35 server=defconf
add address=192.168.3.45 client-id=1:6c:3b:6b:ae:c2:16 mac-address=6C:3B:6B:AE:C2:16 server=defconf
add address=192.168.3.43 client-id=1:f0:a6:54:27:68:ef comment="My notebook" mac-address=F0:A6:54:27:68:EF server=defconf
add address=192.168.3.38 client-id=1:80:af:ca:a2:ae:bb comment=PC mac-address=80:AF:CA:A2:AE:BB server=defconf
add address=192.168.3.29 client-id=ff:4f:14:30:74:0:1:0:1:c7:92:bc:86:3c5f:14:30:74 comment=Gostynnaya mac-address=3C:0B:4F:14:30:74 server=defconf
/ip dhcp-server network
add address=192.168.3.0/24 comment=defconf dns-server=192.168.3.1 gateway=192.168.3.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.3.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Asia/Irkutsk
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
# 2025-03-26 10:05:13 by RouterOS 7.17
# software id = P6NB-HRAM
#
# model = RBD52G-5HacD2HnD
# serial number = BEEB0AE63C5A
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=24GHz tx-power=17
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=XX name=5GHz save-selected=yes skip-dfs-channels=yes tx-power=20
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=24GHz_point tx-power=12
/interface bridge
add admin-mac=74:4D:28:E4:BA:DB auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(14dBm), SSID: MATRIX, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=russia3 distance=indoors frequency=auto mode=ap-bridge ssid=MATRIX wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ce/ac/P(17dBm), SSID: MATRIX, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=russia3 distance=indoors frequency=auto mode=ap-bridge ssid=MATRIX5 wireless-protocol=802.11
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=v42216765
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=datapath1
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip group-encryption=aes-ccm group-key-update=40m name=Home
/caps-man configuration
add channel=24GHz country=russia3 datapath=datapath1 distance=indoors guard-interval=long hw-protection-mode=rts-cts installation=indoor keepalive-frames=enabled max-sta-count=15 mode=ap \
multicast-helper=full name=MATRIX24 rx-chains=0,1,2,3 security=Home ssid=MATRIX tx-chains=0,1,2,3
add channel=5GHz country=russia3 datapath=datapath1 distance=indoors guard-interval=long hw-protection-mode=rts-cts installation=indoor keepalive-frames=enabled max-sta-count=15 mode=ap \
multicast-helper=full name=MATRIX5 rx-chains=0,1,2,3 security=Home ssid=MATRIX tx-chains=0,1,2,3
add channel=24GHz_point country=russia3 datapath=datapath1 distance=indoors guard-interval=long hw-protection-mode=rts-cts installation=indoor keepalive-frames=enabled max-sta-count=15 mode=\
ap multicast-helper=full name=MATRIX24_Point rx-chains=0,1,2,3 security=Home ssid=MATRIX tx-chains=0,1,2,3
/caps-man interface
add configuration=MATRIX5 disabled=no l2mtu=1600 mac-address=74:4D:28:E4:BA:E0 master-interface=none name=5GHz-MikroTik-1 radio-mac=74:4D:28:E4:BA:E0 radio-name=744D28E4BAE0 security=Home
add configuration=MATRIX24 disabled=no l2mtu=1600 mac-address=74:4D:28:E4:BA:DF master-interface=none name=24GHz-MikroTik-1 radio-mac=74:4D:28:E4:BA:DF radio-name=744D28E4BADF security=Home
add configuration=MATRIX24_Point disabled=no l2mtu=1600 mac-address=6C:3B:6B:AE:C2:1A master-interface=none name=24GHz-MikroTik-2 radio-mac=6C:3B:6B:AE:C2:1A radio-name=6C3B6BAEC21A security=\
Home
add configuration=MATRIX24 disabled=no l2mtu=1600 mac-address=78:9A:18:61:13:35 master-interface=none name=24Ghz1 radio-mac=78:9A:18:61:13:35 radio-name=789A18611335
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-enabled hw-supported-modes=ac master-configuration=MATRIX5 name-format=prefix-identity name-prefix=5GHz
add action=create-enabled hw-supported-modes=gn master-configuration=MATRIX24 name-format=prefix name-prefix=24Ghz
add action=create-enabled master-configuration=MATRIX24_Point name-format=prefix name-prefix=24Ghz radio-mac=6C:3B:6B:AE:C2:1A
add action=create-enabled master-configuration=MATRIX24_Point name-format=prefix name-prefix=24Ghz radio-mac=78:9A:18:61:13:30
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.3.1/24 comment=defconf interface=bridge network=192.168.3.0
/ip cloud
set ddns-update-interval=10m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.3.11 client-id=1:e0:bb:9e:e1:4c:21 mac-address=E0:BB:9E:E1:4C:21 server=defconf
add address=192.168.3.62 client-id=1:84:59:e0:e1:a9:ba mac-address=84:59:E0:E1:A9:BA server=defconf
add address=192.168.3.20 client-id=ff:6e:eb:e:5a:0:1:0:1:c7:92:bc:86:3c
4f:f:78:b2 comment=Garage mac-address=B8:87:6E:EB:0E:5A server=defconfadd address=192.168.3.22 client-id=1:3c
4f:f5:27:b4 comment=Garage_Rozetka mac-address=3C:0B:4F:F5:27:B4 server=defconfadd address=192.168.3.25 client-id=1:3c
4f:f4:86:c8 comment=2Stage_Rozetka mac-address=3C:0B:4F:F4:86:C8 server=defconfadd address=192.168.3.32 client-id=1:78:9a:18:61:13:35 mac-address=78:9A:18:61:13:35 server=defconf
add address=192.168.3.45 client-id=1:6c:3b:6b:ae:c2:16 mac-address=6C:3B:6B:AE:C2:16 server=defconf
add address=192.168.3.43 client-id=1:f0:a6:54:27:68:ef comment="My notebook" mac-address=F0:A6:54:27:68:EF server=defconf
add address=192.168.3.38 client-id=1:80:af:ca:a2:ae:bb comment=PC mac-address=80:AF:CA:A2:AE:BB server=defconf
add address=192.168.3.29 client-id=ff:4f:14:30:74:0:1:0:1:c7:92:bc:86:3c
5f:14:30:74 comment=Gostynnaya mac-address=3C:0B:4F:14:30:74 server=defconf/ip dhcp-server network
add address=192.168.3.0/24 comment=defconf dns-server=192.168.3.1 gateway=192.168.3.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.3.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Asia/Irkutsk
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
[admin@MikroTik_2] > /export hide-sensitive
# 2025-03-26 10:10:10 by RouterOS 7.18
# software id = HZ5S-GHGZ
#
# model = RB941-2nD
# serial number = HF3096F903Q
/interface bridge
add name=bridge1
/interface wireless
# managed by CAPsMAN
# channel: 2427/20/gn(15dBm), SSID: MATRIX, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
#
set bridge=bridge1 discovery-interfaces=bridge1 enabled=yes interfaces=wlan1
/ip dhcp-client
add default-route-tables=main interface=bridge1
/system clock
set time-zone-name=Asia/Irkutsk
/system identity
set name=MikroTik_2
/system note
set show-at-login=no
[admin@MikroTik_2] >
# 2025-03-26 10:10:10 by RouterOS 7.18
# software id = HZ5S-GHGZ
#
# model = RB941-2nD
# serial number = HF3096F903Q
/interface bridge
add name=bridge1
/interface wireless
# managed by CAPsMAN
# channel: 2427/20/gn(15dBm), SSID: MATRIX, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
#
set bridge=bridge1 discovery-interfaces=bridge1 enabled=yes interfaces=wlan1
/ip dhcp-client
add default-route-tables=main interface=bridge1
/system clock
set time-zone-name=Asia/Irkutsk
/system identity
set name=MikroTik_2
/system note
set show-at-login=no
[admin@MikroTik_2] >