# Router R1 — MikroTik CCR2004 / hAP ax³

- Model: E62iUGS-2axD5axT
- RouterOS: 7.22.1
- Serial: HKD0ARBX2SG
- Role: Edge router / main gateway
- WAN: Claro GPON (PPPoE)
- Location: Santo Domingo, DR
## Port Mapping
| Port | Role | VLAN | Notes |
|---|---|---|---|
| SFP1 | WAN uplink | 100 (Claro Internet) | ONT access on native VLAN 1 (192.168.1.0/24) |
| Ether1 | CCTV | 50 (pvid 50) | Untagged, camera network |
| Ether2 | MGMT | 99 (pvid 99) | Untagged, management access |
| Ether3 | MGMT | 99 (pvid 99) | Untagged secondary MGMT |
| Ether4 | HOME | 10 (pvid 10) | Untagged, main home LAN |
| Ether5 | Trunk | Tagged (10,20,40,50,99,300) | Inter-switch trunk to rest of network |
## VLAN Layout
| VLAN | Name | Subnet | DHCP | Purpose |
|---|---|---|---|---|
| 1 | Native | — | — | ONT / default bridge native |
| 10 | HOME | 10.0.10.0/24 | Router (pool: .100-.250) | Main home devices |
| 20 | LAB | 10.0.20.0/24 | External (disabled on R1) | Servers, homelab |
| 40 | IoT | 10.0.40.0/24 | Router (pool: .100-.250) | IoT devices, rate-limited 1Mbps |
| 50 | CCTV | 10.0.50.0/24 | Router (pool: .100-.250) | Cameras |
| 60 | DEV | 10.0.60.0/24 | Not active | Reserved for development |
| 99 | MGMT | 10.0.99.0/24 | Router (pool: .100-.250) | Management interfaces |
| 100 | WAN | — | — | Claro Internet (PPPoE on vlan100) |
| 300 | VoIP | — | — | Claro VoIP → Proxmox via trunk |
## Bridge

- `bridge-trunk` — main switch bridge with VLAN filtering enabled
- `containers` — separate bridge for container veth interfaces
### VLAN assignment on bridge

- 10 → ether4 (untagged), bridge-trunk + ether5 (tagged)
- 20 → bridge-trunk + ether5 + ether3 (tagged)
- 40 → bridge-trunk + ether5 (tagged)
- 50 → bridge-trunk + ether5 (tagged)
- 99 → ether2 (untagged), bridge-trunk + ether5 (tagged)
- 300 → bridge-trunk + sfp1 + ether5 (tagged)
- 1 → sfp1 + bridge-trunk (untagged)
## Wi-Fi
Hardware radios: wifi1 (2.4GHz), wifi2 (5GHz)
### Virtual APs
| Interface | SSID | VLAN | Security | Band |
|---|---|---|---|---|
| wifi1-home | CAROLAM.- | 10 | WPA2-PSK | 2.4GHz |
| wifi2-home | CAROLAM.- | 10 | WPA2-PSK | 5GHz |
| wifi1-iot | IoT | 40 | WPA2-PSK | 2.4GHz |
| wifi1-cctv | GS | 50 | WPA2-PSK | 2.4GHz (hidden) |
| wifi1-mgmt | GNTECH-MGMT-2G | 99 | WPA2-PSK | 2.4GHz (hidden) |
| wifi2-mgmt | GNTECH-MGMT | 99 | WPA2-PSK | 5GHz |
A master SSID R1-MASTER-2G / R1-MASTER-5G exists but is hidden — it serves as the configuration template origin.
## Internet Connection

- ISP: Claro (Claro República Dominicana)
- Type: GPON FTTH
- Encapsulation: PPPoE on VLAN 100
- Interface: `pppoe-out1` on `vlan100-wan` (SFP1)
- IPv6: DHCPv6-PD via `pppoe-out1` → delegated to all VLANs
- DDNS: MikroTik Cloud DDNS via `back-to-home-vpn`
## IPv6

- DHCPv6 client on `pppoe-out1` requests a prefix
- Prefix pool: `ipv6-pd`
- Each VLAN gets a `/64` subnet via `from-pool=ipv6-pd`
- ND enabled on all VLAN interfaces
## Firewall Summary

### IPv4 Forward Rules (ordered)
| # | Action | Match | Purpose |
|---|---|---|---|
| 1 | accept | established/related | Allow return traffic |
| 2 | drop | invalid | Drop invalid states |
| 3 | accept | in=LAN out=WAN | Each VLAN → Internet |
| 4 | accept | in=vlan-mgmt out=LAN | MGMT → all VLANs |
| 5 | accept | dst=10.0.20.10,10.0.20.30 | All VLANs → servers |
| 6 | accept | src=10.0.20.15,10.0.20.30 dst=10.0.50.0/24 | Frigate hosts → CCTV |
| 7 | accept | in=back-to-home-vpn | VPN → Internet + LAN |
| 8 | accept | dport=53 out=WAN | Allow DNS outgoing |
| 9 | accept | src=LAN dst=172.31.255.0/24 | LAN → containers |
| 10 | accept | MGMT→Asterisk SIP/RTP | VoIP rules |
| 11 | reject | dport=853 from LAN | Block DNS-over-TLS |
| 12 | drop | * | Default drop inter-VLAN |
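Because RouterOS evaluates a chain top to bottom and stops at the first match, both the bridge VLAN table and the forward chain above are only as good as their ordering and completeness. The script below is an added example, not part of this page's configuration: it parses a constructed excerpt of the R1 export (the bridge port and VLAN entries and a subset of the forward rules, copied from the export further down) and runs two checks a reviewer would want. First, for every access port with a `pvid`, it confirms the static bridge VLAN table lists that port as an untagged member; in this export `ether3` (pvid 99) and `ether1` (pvid 50) are not listed, so they rely on the dynamic entry RouterOS adds for a port's pvid rather than on the documented table. Second, it walks a new TCP/853 connection through the forward chain and reports the first matching rule: the per-VLAN "to Internet" accepts come before the "Block DoT from LAN" reject, so Internet-bound DNS-over-TLS from HOME is accepted by rule 3 and the reject only ever sees inter-VLAN traffic. The interface-list membership is taken from the export's `/interface list member`; the packet model is a deliberate simplification (only interface, list, protocol, port and connection-state matchers), and the script raises on any matcher it does not model rather than guessing.

```python
import shlex

# Constructed excerpt of the R1 export shown on this page (bridge ports, bridge
# VLAN table, part of the IPv4 forward chain), kept in the exported order.
# Rules whose matchers this model does not understand (addresses, address
# lists) are left out on purpose.
EXPORT = """
/interface bridge port
add bridge=bridge-trunk comment="MGMT access" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
add bridge=bridge-trunk comment="MGMT access" interface=ether3 pvid=99
add bridge=bridge-trunk comment="HOME access" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge-trunk comment="CCTV access" frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=50
add bridge=bridge-trunk comment="Trunk tagged only" frame-types=admit-only-vlan-tagged interface=ether5
/interface bridge vlan
add bridge=bridge-trunk comment=HOME tagged=bridge-trunk,ether5 untagged=ether4 vlan-ids=10
add bridge=bridge-trunk comment=LAB tagged=bridge-trunk,ether5,ether3 vlan-ids=20
add bridge=bridge-trunk comment=CCTV tagged=bridge-trunk,ether5 vlan-ids=50
add bridge=bridge-trunk comment=MGMT tagged=bridge-trunk,ether5 untagged=ether2 vlan-ids=99
/ip firewall filter
add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="HOME to Internet" in-interface=vlan-home out-interface-list=WAN
add action=accept chain=forward comment="IoT to Internet" in-interface=vlan-iot out-interface-list=WAN
add action=reject chain=forward comment="Block DoT from LAN" dst-port=853 in-interface-list=LAN protocol=tcp
add action=drop chain=forward comment="Drop other inter-VLAN"
"""

# Interface-list membership, copied from the export's /interface list member.
LISTS = {
    "LAN": {"vlan-home", "vlan-lab", "vlan-iot", "vlan-cctv", "vlan-mgmt"},
    "WAN": {"pppoe-out1"},
}


def parse_export(text):
    """Map each '/section' header to the list of its 'add k=v ...' entries as dicts."""
    sections, current = {}, None
    for line in text.strip().splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif line.startswith("add "):
            # shlex handles quoted values such as comment="MGMT access"
            sections[current].append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return sections


def check_access_ports(sections):
    """Return access ports (those with a pvid) that the static VLAN table does not list as untagged."""
    untagged_by_vid = {}
    for entry in sections["/interface bridge vlan"]:
        members = set(entry.get("untagged", "").split(",")) - {""}
        for vid in entry["vlan-ids"].split(","):
            untagged_by_vid.setdefault(vid, set()).update(members)
    return [p["interface"] for p in sections["/interface bridge port"]
            if "pvid" in p and p["interface"] not in untagged_by_vid.get(p["pvid"], set())]


def port_in(spec, port):
    """True if port falls in a RouterOS port spec such as '853' or '10000-20000,5060'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# Matchers this toy model understands; anything else makes rule_matches() raise.
MATCHERS = {
    "connection-state": lambda v, p: p["state"] in v.split(","),
    "in-interface": lambda v, p: p["in"] == v,
    "out-interface": lambda v, p: p["out"] == v,
    "in-interface-list": lambda v, p: p["in"] in LISTS[v],
    "out-interface-list": lambda v, p: p["out"] in LISTS[v],
    "protocol": lambda v, p: p["proto"] == v,
    "dst-port": lambda v, p: port_in(v, p["dport"]),
}
META_KEYS = {"action", "chain", "comment"}


def rule_matches(rule, pkt):
    for key, value in rule.items():
        if key in META_KEYS:
            continue
        if key not in MATCHERS:
            raise ValueError(f"matcher not modelled: {key}")
        if not MATCHERS[key](value, pkt):
            return False
    return True


def first_match(rules, pkt):
    """First-match-wins walk of the forward chain: (1-based index, action, comment) or None."""
    for index, rule in enumerate(rules, 1):
        if rule.get("chain") == "forward" and rule_matches(rule, pkt):
            return index, rule["action"], rule.get("comment", "")
    return None


SECTIONS = parse_export(EXPORT)
RULES = SECTIONS["/ip firewall filter"]
# Constructed packets: a new DoT connection from HOME to the Internet, and one from IoT toward LAB.
DOT_TO_WAN = {"in": "vlan-home", "out": "pppoe-out1", "proto": "tcp", "dport": 853, "state": "new"}
DOT_TO_LAB = {"in": "vlan-iot", "out": "vlan-lab", "proto": "tcp", "dport": 853, "state": "new"}

if __name__ == "__main__":
    print("access ports missing from static VLAN table:", check_access_ports(SECTIONS))
    print("HOME -> Internet DoT hits rule:", first_match(RULES, DOT_TO_WAN))
    print("IoT -> LAB DoT hits rule:", first_match(RULES, DOT_TO_LAB))
```

If the intent recorded under Notes (block DoT so DHCP-supplied DNS cannot be bypassed) is to hold for Internet-bound traffic, the reject has to sit above the per-VLAN "to Internet" accepts; re-running the walk after moving it is the quickest way to confirm the change took effect.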
### IPv6 Forward Rules
Mirrors IPv4 logic with ICMPv6 allowed.
## Containers

Router hosts containers via veth pairs on bridge `containers` (172.31.255.0/24):
| Container | IP | Image | Purpose |
|---|---|---|---|
| docker-cloudflared | 172.31.255.2 | ghcr.io/shmick/docker-cloudflared | Cloudflare Tunnel |
| veth1 | 172.31.255.2 | — | Cloudflared interface |
| veth2 | 172.31.255.3 | — | Reserved |
Containers have Internet access and can reach:
- LAB VLAN (10.0.20.0/24) — full access
- MGMT VLAN (10.0.99.2-10.0.99.10) — limited hosts via the `cloudflared-mgmt-allowed` address list
Registry: registry-1.docker.io (no auth), tmpdir: /usb1/tmp
## Services
| Service | Status | Allowed Sources |
|---|---|---|
| SSH | Enabled | 10.0.99.0/24 |
| WinBox | Enabled | 10.0.99.0/24 |
| WebFig (HTTP) | Enabled (port 8080) | 10.0.99.0/24, 172.31.255.2 |
| WebFig (HTTPS) | Enabled | 10.0.99.0/24, 172.31.255.2 |
| FTP | Disabled | — |
| Telnet | Disabled | — |
| API | Disabled | — |
| API-SSL | Disabled | — |
| DNS | Enabled (recursive) | All LAN (ad-block upstream: 1.1.1.1, 8.8.8.8) |
| DHCP | Enabled (HOME, IoT, CCTV, MGMT) | Per-VLAN pools |
| LEDs | All disabled (dark) | — |
## Rate Limiting

- IoT VLAN (10.0.40.0/24) → 1Mbps limit via the `limit-iot-1m` simple queue
## VPN

- WireGuard: `back-to-home-vpn` on port 46209, MTU 1420
- DDNS: MikroTik Cloud enables `back-to-home-vpn` DDNS (updates every 10 min)
- Allowed: VPN → Internet + all LAN VLANs
## Notes
- All LED indicators disabled for silent/dark operation
- ONT accessible at 192.168.1.x from MGMT VLAN (SNAT'd)
- DNS-over-TLS (port 853) blocked from LAN to prevent DHCP DNS bypass
- VoIP VLAN 300 passed transparently to Proxmox via trunk
- hAP ac² (R2) has a reserved MGMT lease at 10.0.99.2
## Full RouterOS Export

Exported 2026-05-07 22:14:54 AST. Credentials redacted below — see `router-r1-secrets.md` for the full version with PPPoE/WiFi/container secrets.
```
/interface bridge
add comment="Main trunk bridge" name=bridge-trunk vlan-filtering=yes
add name=containers
/interface veth
add address="" container-mac-address=02:8D:49:31:8B:D0 dhcp=no gateway="" gateway6="" \
mac-address=02:8D:49:31:8B:CF name=agh
add address=172.31.255.2/24 container-mac-address=0C:68:F5:5E:70:49 dhcp=no gateway=172.31.255.1 \
gateway6="" mac-address=0C:68:F5:5E:70:48 name=veth1
add address=172.31.255.3/24 container-mac-address=0C:68:F5:5E:70:51 dhcp=no gateway=172.31.255.1 \
gateway6="" mac-address=0C:68:F5:5E:70:50 name=veth2
/interface wireguard
add comment=back-to-home-vpn listen-port=46209 mtu=1420 name=back-to-home-vpn
/interface vlan
add comment="VLAN 50 CCTV" interface=bridge-trunk name=vlan-cctv vlan-id=50
add comment="VLAN 10 HOME" interface=bridge-trunk name=vlan-home vlan-id=10
add comment="VLAN 40 IoT" interface=bridge-trunk name=vlan-iot vlan-id=40
add comment="VLAN 20 LAB" interface=bridge-trunk name=vlan-lab vlan-id=20
add comment="VLAN 99 MGMT" interface=bridge-trunk name=vlan-mgmt vlan-id=99
add comment="Claro Internet VLAN 100" interface=sfp1 name=vlan100-wan vlan-id=100
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan100-wan name=pppoe-out1 user=<pppoe-user>
/interface list
add comment="WAN interfaces" name=WAN
add comment="LAN interfaces" name=LAN
/interface wifi configuration
add country="United States" hide-ssid=yes name=cfg-master-2g ssid=R1-MASTER-2G
add country="United States" hide-ssid=yes name=cfg-master-5g ssid=R1-MASTER-5G
/interface wifi
set [ find default-name=wifi1 ] channel.frequency=2412 .reselect-interval=1m..2m .width=20mhz \
configuration=cfg-master-2g configuration.country="United States" .mode=ap .tx-power=17 disabled=no
set [ find default-name=wifi2 ] channel.frequency=5180 .skip-dfs-channels=all .width=20/40mhz \
configuration=cfg-master-5g configuration.country="United States" .hide-ssid=yes .mode=ap \
.ssid=R1-MASTER-5G .tx-power=18 disabled=no
/interface wifi datapath
add bridge=bridge-trunk name=dp-home vlan-id=10
add bridge=bridge-trunk name=dp-iot vlan-id=40
add bridge=bridge-trunk name=dp-cctv vlan-id=50
add bridge=bridge-trunk name=dp-mgmt vlan-id=99
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=sec-home
add authentication-types=wpa2-psk name=sec-iot
add authentication-types=wpa2-psk name=sec-cctv
add authentication-types=wpa2-psk name=sec-mgmt
/interface wifi configuration
add antenna-gain=3 country="Dominican Republic" datapath=dp-home name=cfg-home security=sec-home ssid=CAROLAM.- tx-power=17
add country="Dominican Republic" datapath=dp-iot name=cfg-iot security=sec-iot ssid=IoT
add country="Dominican Republic" datapath=dp-cctv disabled=no hide-ssid=yes name=cfg-cctv security=sec-cctv ssid=GS
add antenna-gain=3 country="Dominican Republic" datapath=dp-home name=cfg-home-2g security=sec-home ssid=CAROLAM.- tx-power=16
add channel.skip-dfs-channels=10min-cac country="United States" datapath=dp-home disabled=no name=cfg-home-5g security=sec-home ssid=CAROLAM.-
add country="United States" datapath=dp-mgmt disabled=no hide-ssid=yes name=cfg-mgmt security=sec-mgmt ssid=GNTECH-MGMT
/interface wifi
add configuration=cfg-cctv configuration.hide-ssid=yes .mode=ap disabled=no \
mac-address=06:F4:1C:C5:42:DA master-interface=wifi1 name=wifi1-cctv
add configuration=cfg-home-2g configuration.hide-ssid=yes .mode=ap .ssid=CAROLAM-2G disabled=no \
mac-address=06:F4:1C:C5:42:DC master-interface=wifi1 name=wifi1-home
add configuration=cfg-iot configuration.mode=ap disabled=no mac-address=06:F4:1C:C5:42:D9 \
master-interface=wifi1 name=wifi1-iot
add configuration=cfg-mgmt configuration.hide-ssid=yes .mode=ap .ssid=GNTECH-MGMT-2G disabled=no \
mac-address=06:F4:1C:C5:42:DE master-interface=wifi1 name=wifi1-mgmt
add configuration=cfg-home-5g configuration.hide-ssid=no .mode=ap .ssid=CAROLAM.- disabled=no \
mac-address=06:F4:1C:C5:42:DD master-interface=wifi2 name=wifi2-home
add configuration=cfg-mgmt configuration.hide-ssid=no .mode=ap .ssid=GNTECH-MGMT disabled=no \
mac-address=06:F4:1C:C5:42:DF master-interface=wifi2 name=wifi2-mgmt
/ip dhcp-server option
add code=6 name=option-bypass value="'1.1.1.1'"
/ip pool
add name=pool-home ranges=10.0.10.100-10.0.10.250
add name=pool-lab ranges=10.0.20.100-10.0.20.250
add name=pool-iot ranges=10.0.40.100-10.0.40.250
add name=pool-cctv ranges=10.0.50.100-10.0.50.250
add name=pool-mgmt ranges=10.0.99.100-10.0.99.250
/ip dhcp-server
add address-pool=pool-home comment="DHCP HOME" interface=vlan-home name=dhcp-home
add address-pool=pool-lab comment="LAB DHCP handled elsewhere" disabled=yes interface=vlan-lab name=dhcp-lab
add address-pool=pool-iot comment="DHCP IoT" interface=vlan-iot name=dhcp-iot
add address-pool=pool-cctv comment="DHCP CCTV" interface=vlan-cctv name=dhcp-cctv
add address-pool=pool-mgmt comment="DHCP MGMT" interface=vlan-mgmt name=dhcp-mgmt
/queue simple
add max-limit=1M/1M name=limit-iot-1m target=10.0.40.0/24
/container
add cmd="tunnel --no-autoupdate run --token <cloudflare-tunnel-token>" \
dns=1.1.1.1,1.0.0.1 hostname=CF interface=veth1 \
logging=yes name=docker-cloudflared remote-image=ghcr.io/shmick/docker-cloudflared \
root-dir=/usb1/container/cloudflared start-on-boot=yes workdir=/usr/local/bin
/container config
set registry-url=https://registry-1.docker.io tmpdir=/usb1/tmp
/interface bridge port
add bridge=bridge-trunk comment="MGMT access" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
add bridge=bridge-trunk comment="MGMT access" interface=ether3 pvid=99
add bridge=bridge-trunk comment="HOME access" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge-trunk comment="CCTV access" frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=50
add bridge=bridge-trunk comment="Trunk tagged only" frame-types=admit-only-vlan-tagged interface=ether5
add bridge=containers interface=veth1
add bridge=containers interface=veth2
add bridge=bridge-trunk interface=sfp1
/interface bridge vlan
add bridge=bridge-trunk comment=HOME tagged=bridge-trunk,ether5 untagged=ether4 vlan-ids=10
add bridge=bridge-trunk comment=LAB tagged=bridge-trunk,ether5,ether3 vlan-ids=20
add bridge=bridge-trunk comment=IoT tagged=bridge-trunk,ether5 vlan-ids=40
add bridge=bridge-trunk comment=CCTV tagged=bridge-trunk,ether5 vlan-ids=50
add bridge=bridge-trunk comment=MGMT tagged=bridge-trunk,ether5 untagged=ether2 vlan-ids=99
add bridge=bridge-trunk comment="ISP VoIP VLAN 300 to Proxmox" tagged=bridge-trunk,sfp1,ether5 vlan-ids=300
add bridge=bridge-trunk untagged=sfp1,bridge-trunk vlan-ids=1
/interface list member
add interface=vlan-home list=LAN
add interface=vlan-lab list=LAN
add interface=vlan-iot list=LAN
add interface=vlan-cctv list=LAN
add interface=vlan-mgmt list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.0.99.1/24 comment="MGMT gateway" interface=vlan-mgmt network=10.0.99.0
add address=10.0.10.1/24 comment="HOME gateway" interface=vlan-home network=10.0.10.0
add address=10.0.20.1/24 comment="LAB gateway" interface=vlan-lab network=10.0.20.0
add address=10.0.40.1/24 comment="IoT gateway" interface=vlan-iot network=10.0.40.0
add address=10.0.50.1/24 comment="CCTV gateway" interface=vlan-cctv network=10.0.50.0
add address=172.31.255.1/24 interface=containers network=172.31.255.0
add address=192.168.1.2/24 comment="ONT access" interface=sfp1 network=192.168.1.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-user
add allow-lan=yes comment="R1 | hAP ax S" name="iPhone 15 Pro" public-key="<peer-public-key>"
/ip dhcp-server lease
add address=10.0.99.2 comment="hAP ac2" mac-address=18:FD:74:1C:B5:75
/ip dhcp-server network
add address=10.0.10.0/24 comment=HOME dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 comment=LAB dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.40.0/24 comment=IoT dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.50.0/24 comment=CCTV dns-server=10.0.50.1 gateway=10.0.50.1
add address=10.0.60.0/24 comment=DEV dns-server=10.0.60.1 gateway=10.0.60.1
add address=10.0.99.0/24 comment=MGMT dns-server=10.0.99.1 gateway=10.0.99.1 next-server=10.0.99.249
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=8192KiB max-udp-packet-size=1232 servers=1.1.1.1,8.8.8.8
/ip dns static
add address=10.97.50.62 name=ims.claro.com.do type=A
add address=10.97.51.62 name=ims.claro.com.do type=A
/ip firewall address-list
add address=10.0.99.2-10.0.99.10 comment="MGMT hosts allowed from containers" list=cloudflared-mgmt-allowed
/ip firewall filter
add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=accept chain=input comment="Allow established/related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Containers to Internet" in-interface=containers out-interface-list=WAN
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow DHCP" dst-port=67 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="MGMT access to router" in-interface=vlan-mgmt
add action=drop chain=input comment="Drop from WAN" in-interface-list=WAN
add action=drop chain=input comment="Block IoT to router" in-interface=vlan-iot
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="HOME to Internet" in-interface=vlan-home out-interface-list=WAN
add action=accept chain=forward comment="LAB to Internet" in-interface=vlan-lab out-interface-list=WAN
add action=accept chain=forward comment="IoT to Internet" in-interface=vlan-iot out-interface-list=WAN
add action=accept chain=forward comment="CCTV to Internet" in-interface=vlan-cctv out-interface-list=WAN
add action=accept chain=forward comment="MGMT to Internet" in-interface=vlan-mgmt out-interface-list=WAN
add action=accept chain=forward comment="MGMT to all VLANs" in-interface=vlan-mgmt out-interface-list=LAN
add action=accept chain=forward comment="Allow all VLANs to server 10.0.20.10" dst-address=10.0.20.10
add action=accept chain=forward comment="Allow all VLANs to server 10.0.20.30" dst-address=10.0.20.30
add action=accept chain=forward comment="Allow Frigate host to CCTV VLAN" dst-address=10.0.50.0/24 src-address=10.0.20.15
add action=accept chain=forward comment="Allow Frigate host to CCTV VLAN" dst-address=10.0.50.0/24 src-address=10.0.20.30
add action=accept chain=forward comment="VPN to Internet" in-interface=back-to-home-vpn out-interface-list=WAN
add action=accept chain=forward comment="VPN to LAN" in-interface=back-to-home-vpn out-interface-list=LAN
add action=accept chain=forward comment="Allow DNS UDP to Internet" dst-port=53 out-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow DNS TCP to Internet" dst-port=53 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="LAN to containers" dst-address=172.31.255.0/24 in-interface-list=LAN
add action=accept chain=forward comment="MGMT to Asterisk SIP" dst-address=10.0.20.25 dst-port=5160 in-interface=vlan-mgmt protocol=udp
add action=accept chain=forward comment="MGMT to Asterisk RTP" dst-address=10.0.20.25 dst-port=10000-20000 in-interface=vlan-mgmt protocol=udp
add action=accept chain=forward comment="HOME to Asterisk SIP" dst-address=10.0.20.25 dst-port=5160 in-interface=vlan-home protocol=udp
add action=accept chain=forward comment="HOME to Asterisk RTP" dst-address=10.0.20.25 dst-port=10000-20000 in-interface=vlan-home protocol=udp
add action=accept chain=forward comment="Asterisk SIP to MGMT" out-interface=vlan-mgmt protocol=udp src-address=10.0.20.25 src-port=5160
add action=accept chain=forward comment="Asterisk RTP to MGMT" out-interface=vlan-mgmt protocol=udp src-address=10.0.20.25 src-port=10000-20000
add action=accept chain=forward comment="Asterisk SIP to HOME" out-interface=vlan-home protocol=udp src-address=10.0.20.25 src-port=5160
add action=accept chain=forward comment="Asterisk RTP to HOME" out-interface=vlan-home protocol=udp src-address=10.0.20.25 src-port=10000-20000
add action=accept chain=forward comment="Allow PBX to Zoiper" dst-address=10.0.99.250 src-address=10.0.20.25
add action=accept chain=forward comment="Allow Zoiper to PBX" dst-address=10.0.20.25 src-address=10.0.99.250
add action=accept chain=forward comment="Allow MicroSIP MGMT to Asterisk" dst-address=10.0.20.25 src-address=10.0.99.250
add action=accept chain=forward comment="Allow Asterisk to MicroSIP MGMT" dst-address=10.0.99.250 src-address=10.0.20.25
add action=accept chain=forward comment="Access ONT" dst-address=192.168.1.0/24 src-address=10.0.99.0/24
add action=reject chain=forward comment="Block DoT from LAN" dst-port=853 in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="Allow containers to LAB" in-interface=containers out-interface=vlan-lab
add action=accept chain=forward comment="Containers to selected MGMT hosts" dst-address-list=cloudflared-mgmt-allowed src-address=172.31.255.0/24
add action=drop chain=forward comment="Drop other inter-VLAN"
/ip firewall nat
add action=masquerade chain=srcnat comment="MGMT to ONT" dst-address=192.168.1.0/24 src-address=10.0.99.0/24
add action=masquerade chain=srcnat comment="NAT via WAN" out-interface-list=WAN
/ip service
set ftp disabled=yes
set ssh address=10.0.99.0/24
set telnet disabled=yes
set www-ssl address=10.0.99.0/24,172.31.255.2/32 disabled=no
set www address=10.0.99.0/24,172.31.255.2/32 port=8080
set winbox address=10.0.99.0/24
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
add from-pool=ipv6-pd interface=vlan-home
add from-pool=ipv6-pd interface=vlan-lab
add from-pool=ipv6-pd interface=vlan-iot
add from-pool=ipv6-pd interface=vlan-cctv
add from-pool=ipv6-pd interface=vlan-mgmt
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=ipv6-pd request=prefix
/ipv6 firewall filter
add action=accept chain=input comment="Allow established/related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow ICMPv6" protocol=icmpv6
add action=accept chain=input comment="Allow DHCPv6 client" dst-port=546 protocol=udp
add action=accept chain=input comment="Allow DNS UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="MGMT access to router" in-interface=vlan-mgmt
add action=drop chain=input comment="Drop from WAN" in-interface-list=WAN
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow ICMPv6 forward" protocol=icmpv6
add action=accept chain=forward comment="HOME to Internet" in-interface=vlan-home out-interface=pppoe-out1
add action=accept chain=forward comment="LAB to Internet" in-interface=vlan-lab out-interface=pppoe-out1
add action=accept chain=forward comment="IoT to Internet" in-interface=vlan-iot out-interface=pppoe-out1
add action=accept chain=forward comment="CCTV to Internet" in-interface=vlan-cctv out-interface=pppoe-out1
add action=accept chain=forward comment="MGMT to Internet" in-interface=vlan-mgmt out-interface=pppoe-out1
add action=accept chain=forward comment="MGMT to all VLANs" in-interface=vlan-mgmt out-interface-list=LAN
add action=drop chain=forward comment="Drop other inter-VLAN"
/ipv6 nd
add interface=vlan-home
add interface=vlan-lab
add interface=vlan-iot
add interface=vlan-cctv
add interface=vlan-mgmt
/system clock
set time-zone-name=America/Santo_Domingo
/system identity
set name=R1
/system leds
set 0 disabled=yes interface=ether5 leds=ether5-led type=interface-status
set 1 disabled=yes interface=ether5 leds=poe-led type=interface-status
/system leds settings
set all-leds-off=immediate
```