/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz frequency=2412 name="CANAL1 - 2,4GHz" tx-power=20
add band=5ghz-onlyac frequency=5180 name="FRECUENCIA 5GHz" skip-dfs-channels=yes tx-power=20
/interface bridge
add name=bridge1-CASA
add name=bridge2-INVITADOS
add name=bridge3-DOMOTICA
add name=bridge4-PEQUES
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(17dBm), SSID: Daniel y Cristian, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(17dBm), SSID: Daniel y Cristian, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/caps-man datapath
add bridge=bridge1-CASA client-to-client-forwarding=yes local-forwarding=no name=RED-CASA
add bridge=bridge2-INVITADOS client-to-client-forwarding=no local-forwarding=no name=RED-INVITADOS
add bridge=bridge3-DOMOTICA client-to-client-forwarding=no local-forwarding=no name=RED-DOMOTICA
add bridge=bridge4-PEQUES client-to-client-forwarding=no local-forwarding=no name=RED-PEQUES
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=INVITADOS
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=WIFI-CASA
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=DOMOTICA
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=WIFI-PEQUES
/caps-man configuration
add channel="CANAL1 - 2,4GHz" channel.tx-power=20 country=spain datapath=RED-CASA installation=indoor mode=ap name=RED-CASA security=WIFI-CASA ssid="Daniel y Cristian"
add channel="CANAL1 - 2,4GHz" channel.tx-power=20 country=spain datapath=RED-INVITADOS installation=indoor mode=ap name=INVITADOS security=INVITADOS ssid="WiFi Invitados - DyC"
add channel="CANAL1 - 2,4GHz" channel.tx-power=20 country=spain datapath=RED-DOMOTICA installation=indoor mode=ap name=DOMOTICA security=DOMOTICA ssid="WiFI IoT"
add channel="FRECUENCIA 5GHz" channel.tx-power=20 country=spain datapath=RED-CASA installation=indoor mode=ap name=RED-CASA-5GHz security=WIFI-CASA ssid="Daniel y Cristian"
add channel="CANAL1 - 2,4GHz" channel.tx-power=20 country=spain datapath=RED-PEQUES installation=indoor name=WIFI-PEQUES security=WIFI-PEQUES ssid="WiFi los pitufos"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool1 ranges=192.168.32.2-192.168.32.254
add name=dhcp_pool2 ranges=192.168.33.2-192.168.33.254
add name=dhcp_pool3 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1-CASA name=dhcp1
add address-pool=dhcp_pool1 interface=bridge2-INVITADOS name=dhcp2
add address-pool=dhcp_pool2 interface=bridge3-DOMOTICA name=dhcp3
add address-pool=dhcp_pool3 interface=bridge4-PEQUES name=dhcp4
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=WAN-FTTH profile=default-encryption use-peer-dns=yes user=JjeroGabe2
/queue type
add kind=fq-codel name=TEST
/queue simple
add max-limit=5M/10M name=INVITADOS queue=TEST/TEST target=bridge2-INVITADOS
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=RED-CASA name-format=identity radio-mac=XXXXXXXX slave-configurations=INVITADOS,DOMOTICA,WIFI-PEQUES
add action=create-dynamic-enabled master-configuration=RED-CASA name-format=identity radio-mac=XXXXXXXX slave-configurations=INVITADOS,DOMOTICA,WIFI-PEQUES
add action=create-dynamic-enabled master-configuration=RED-CASA-5GHz name-format=identity radio-mac=XXXXXXXX slave-configurations=INVITADOS,WIFI-PEQUES
add action=create-dynamic-enabled master-configuration=RED-CASA name-format=identity radio-mac=XXXXXXXX slave-configurations=INVITADOS,DOMOTICA,WIFI-PEQUES
/interface bridge port
add bridge=bridge1-CASA interface=ether2
add bridge=bridge1-CASA interface=ether3
add bridge=bridge1-CASA interface=ether4
add bridge=bridge1-CASA interface=ether5
/interface wireless cap
#
set caps-man-addresses=127.0.0.1 certificate=CAP-XXXXXXXX enabled=yes interfaces=wlan1,wlan2 lock-to-caps-man=yes
/ip address
add address=192.168.30.1/24 interface=bridge1-CASA network=192.168.30.0
add address=192.168.32.1/24 interface=bridge2-INVITADOS network=192.168.32.0
add address=192.168.33.1/24 interface=bridge3-DOMOTICA network=192.168.33.0
add address=192.168.40.1/24 interface=bridge4-PEQUES network=192.168.40.0
/ip dhcp-server network
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.32.0/24 gateway=192.168.32.1
add address=192.168.33.0/24 gateway=192.168.33.1
add address=192.168.40.0/24 dns-server=94.140.14.15,94.140.15.16 gateway=192.168.40.1
/ip firewall filter
add action=fasttrack-connection chain=forward hw-offload=yes in-interface=bridge1-CASA
add action=add-src-to-address-list address-list=LOGINS_FALLIDOS address-list-timeout=none-dynamic chain=input comment="REGISTRO DE LOGINS FALLIDOS" connection-state=new dst-port=8289 limit=\
!1/1m,3:packet protocol=tcp
add action=add-src-to-address-list address-list=LOGINS_FALLIDOS_TELEGRAM address-list-timeout=none-dynamic chain=input connection-state=new dst-port=8289 limit=!1/1m,3:packet protocol=tcp
add action=drop chain=forward comment="ACCESO A INTERNET BLOQUEDO POR EXCESO DE LOGINS" src-address-list=LOGINS_FALLIDOS
add action=drop chain=input comment="Drop escaneadores de puertos" src-address-list="SCAN DE PUERTOS"
add action=drop chain=forward comment="Drop escaneadores de puertos" src-address-list="SCAN DE PUERTOS"
add action=add-src-to-address-list address-list="SCAN DE PUERTOS" address-list-timeout=4w2d chain=input comment="------Escaneadores de puertos" protocol=tcp psd=10,3s,3,1
add action=add-src-to-address-list address-list="SCAN DE PUERTOS" address-list-timeout=4w2d chain=input comment="------NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="SCAN DE PUERTOS" address-list-timeout=4w2d chain=input comment="------SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="SCAN DE PUERTOS" address-list-timeout=4w2d chain=input comment="------SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="SCAN DE PUERTOS" address-list-timeout=4w2d chain=input comment="------FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="SCAN DE PUERTOS" address-list-timeout=4w2d chain=input comment="------ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="SCAN DE PUERTOS" address-list-timeout=4w2d chain=input comment="------NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop to Syn flood list" src-address-list="SYN FLOOD"
add action=add-src-to-address-list address-list="SYN FLOOD" address-list-timeout=30m chain=input comment="------AGREGA IP SYN FLOOD A ADDRESS LIST" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=output connection-state=established,related
add action=drop chain=output connection-state=invalid
add action=drop chain=input comment="DROPEA TODO MENOS CAPsMAN Y ACCESO DESDE RED MIA" dst-address=!127.0.0.1 in-interface=!bridge1-CASA
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-FTTH
add action=dst-nat chain=dstnat comment="DNS PROTECCION INFANTIL POR COJINES!" dst-port=53 in-interface=bridge4-PEQUES protocol=udp to-addresses=94.140.14.15 to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
