
Router R1 — MikroTik CCR2004 / hAP ax³

Model: E62iUGS-2axD5axT
RouterOS: 7.22.1
Serial: HKD0ARBX2SG
Role: Edge router / main gateway
WAN: Claro GPON (PPPoE)
Location: Santo Domingo, DR


Port Mapping

| Port   | Role       | VLAN                          | Notes                                           |
|--------|------------|-------------------------------|-------------------------------------------------|
| SFP1   | WAN uplink | 100 (Claro Internet)          | ONT access on native VLAN 1 (192.168.1.0/24)    |
| Ether1 | CCTV       | 50 (pvid 50)                  | Untagged, camera network                        |
| Ether2 | MGMT       | 99 (pvid 99)                  | Untagged, management access                     |
| Ether3 | MGMT       | 99 (pvid 99)                  | Untagged, secondary MGMT                        |
| Ether4 | HOME       | 10 (pvid 10)                  | Untagged, main home LAN                         |
| Ether5 | Trunk      | Tagged (10,20,40,50,99,300)   | Inter-switch trunk to rest of network           |

VLAN Layout

| VLAN | Name   | Subnet       | DHCP                      | Purpose                           |
|------|--------|--------------|---------------------------|-----------------------------------|
| 1    | Native |              |                           | ONT / default bridge native       |
| 10   | HOME   | 10.0.10.0/24 | Router (pool: .100-.250)  | Main home devices                 |
| 20   | LAB    | 10.0.20.0/24 | External (disabled on R1) | Servers, homelab                  |
| 40   | IoT    | 10.0.40.0/24 | Router (pool: .100-.250)  | IoT devices, rate-limited 1Mbps   |
| 50   | CCTV   | 10.0.50.0/24 | Router (pool: .100-.250)  | Cameras                           |
| 60   | DEV    | 10.0.60.0/24 | Not active                | Reserved for development          |
| 99   | MGMT   | 10.0.99.0/24 | Router (pool: .100-.250)  | Management interfaces             |
| 100  | WAN    |              |                           | Claro Internet (PPPoE on vlan100) |
| 300  | VoIP   |              |                           | Claro VoIP → Proxmox via trunk    |

Bridge

  • bridge-trunk — main switch bridge with VLAN filtering enabled
  • containers — separate bridge for container veth interfaces

VLAN assignment on bridge

10  → ether4 (untagged), bridge-trunk + ether5 (tagged)
20  → bridge-trunk + ether5 + ether3 (tagged)
40  → bridge-trunk + ether5 (tagged)
50  → bridge-trunk + ether5 (tagged)
99  → ether2 (untagged), bridge-trunk + ether5 (tagged)
300 → bridge-trunk + sfp1 + ether5 (tagged)
1   → sfp1 + bridge-trunk (untagged)
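The VLAN table above and the `/interface bridge port` entries in the export have to agree with each other, and that is easy to get wrong by hand. The following is an added example (not part of the router export or any MikroTik tooling) that cross-checks the two: the port and VLAN lines are copied from the export below, and the check assumes RouterOS defaults of `pvid=1` and `frame-types=admit-all` where a line does not set them, plus the documented behaviour that a port's pvid gets a dynamic untagged entry in the bridge VLAN table when no static one exists. Run against this export it flags ether1 (pvid 50) and ether3 (pvid 99), whose pvid VLANs have no static untagged membership, and sfp1, which admits both tagged and untagged frames.

```python
"""Cross-check /interface bridge port against /interface bridge vlan.

Added example, not part of the router export. Both line sets are copied
from the export of this router; defaults for missing keys are assumed
(pvid=1, frame-types=admit-all, the RouterOS defaults).
"""
import shlex

BRIDGE_PORTS = """
add bridge=bridge-trunk comment="MGMT access" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
add bridge=bridge-trunk comment="MGMT access" interface=ether3 pvid=99
add bridge=bridge-trunk comment="HOME access" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge-trunk comment="CCTV access" frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=50
add bridge=bridge-trunk comment="Trunk tagged only" frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge-trunk interface=sfp1
""".strip().splitlines()

BRIDGE_VLANS = """
add bridge=bridge-trunk comment=HOME tagged=bridge-trunk,ether5 untagged=ether4 vlan-ids=10
add bridge=bridge-trunk comment=LAB tagged=bridge-trunk,ether5,ether3 vlan-ids=20
add bridge=bridge-trunk comment=IoT tagged=bridge-trunk,ether5 vlan-ids=40
add bridge=bridge-trunk comment=CCTV tagged=bridge-trunk,ether5 vlan-ids=50
add bridge=bridge-trunk comment=MGMT tagged=bridge-trunk,ether5 untagged=ether2 vlan-ids=99
add bridge=bridge-trunk comment="ISP VoIP VLAN 300 to Proxmox" tagged=bridge-trunk,sfp1,ether5 vlan-ids=300
add bridge=bridge-trunk untagged=sfp1,bridge-trunk vlan-ids=1
""".strip().splitlines()


def parse(line):
    """'add k=v k2="v 2"' -> dict; shlex strips the quotes around comments."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[1:])


def members(vlan, key):
    """Set of interfaces listed under tagged= or untagged= (empty if absent)."""
    return set(filter(None, vlan.get(key, "").split(",")))


def audit(port_lines=BRIDGE_PORTS, vlan_lines=BRIDGE_VLANS):
    """Return a list of (port, finding) pairs; an empty list means consistent."""
    ports = [parse(l) for l in port_lines]
    vlans = [parse(l) for l in vlan_lines]
    findings = []
    for p in ports:
        name = p["interface"]
        pvid = p.get("pvid", "1")                     # RouterOS default pvid
        frame_types = p.get("frame-types", "admit-all")  # RouterOS default
        untagged_in = {v["vlan-ids"] for v in vlans if name in members(v, "untagged")}
        tagged_in = {v["vlan-ids"] for v in vlans if name in members(v, "tagged")}
        # A tagged-only trunk must never be an untagged member of anything.
        if frame_types == "admit-only-vlan-tagged" and untagged_in:
            findings.append((name, f"tagged-only trunk but untagged in {sorted(untagged_in)}"))
        # An access port's pvid should have a static untagged entry; otherwise
        # it depends on the dynamic entry the bridge creates for the pvid.
        if frame_types != "admit-only-vlan-tagged" and pvid not in untagged_in:
            findings.append((name, f"pvid {pvid} has no static untagged entry"))
        # No frame-types restriction: the port takes tagged and untagged frames.
        if frame_types == "admit-all":
            findings.append((name, f"admit-all: tagged {sorted(tagged_in)} plus untagged pvid {pvid}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit():
        print(f"{port:7} {finding}")
```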

Wi-Fi

Hardware radios: wifi1 (2.4GHz), wifi2 (5GHz)

Virtual APs

| Interface  | SSID           | VLAN | Security | Band            |
|------------|----------------|------|----------|-----------------|
| wifi1-home | CAROLAM.-      | 10   | WPA2-PSK | 2.4GHz          |
| wifi2-home | CAROLAM.-      | 10   | WPA2-PSK | 5GHz            |
| wifi1-iot  | IoT            | 40   | WPA2-PSK | 2.4GHz          |
| wifi1-cctv | GS             | 50   | WPA2-PSK | 2.4GHz (hidden) |
| wifi1-mgmt | GNTECH-MGMT-2G | 99   | WPA2-PSK | 2.4GHz (hidden) |
| wifi2-mgmt | GNTECH-MGMT    | 99   | WPA2-PSK | 5GHz            |

A master SSID R1-MASTER-2G / R1-MASTER-5G exists but is hidden — it serves as the configuration template origin.


Internet Connection

  • ISP: Claro (Claro República Dominicana)
  • Type: GPON FTTH
  • Encapsulation: PPPoE on VLAN 100
  • Interface: pppoe-out1 on vlan100-wan (SFP1)
  • IPv6: DHCPv6-PD via pppoe-out1 → delegated to all VLANs
  • DDNS: MikroTik Cloud DDNS via back-to-home-vpn

IPv6

  • DHCPv6 client on pppoe-out1 requests prefix
  • Prefix pool: ipv6-pd
  • Each VLAN gets a /64 subnet via from-pool=ipv6-pd
  • ND enabled on all VLAN interfaces

Firewall Summary

IPv4 Forward Rules (ordered)

| #  | Action | Match                                              | Purpose                   |
|----|--------|----------------------------------------------------|---------------------------|
| 1  | accept | established/related                                | Allow return traffic      |
| 2  | drop   | invalid                                            | Drop invalid states       |
| 3  | accept | in=LAN out=WAN                                     | Each VLAN → Internet      |
| 4  | accept | in=vlan-mgmt out=LAN                               | MGMT → all VLANs          |
| 5  | accept | dst=10.0.20.10,10.0.20.30                          | All VLANs → servers       |
| 6  | accept | src=10.0.20.15,10.0.20.30 dst=10.0.50.0/24         | Frigate hosts → CCTV      |
| 7  | accept | in=back-to-home-vpn                                | VPN → Internet + LAN      |
| 8  | accept | dport=53 out=WAN                                   | Allow DNS outgoing        |
| 9  | accept | src=LAN dst=172.31.255.0/24                        | LAN → containers          |
| 10 | accept | MGMT→Asterisk SIP/RTP                              | VoIP rules                |
| 11 | reject | dport=853 from LAN                                 | Block DNS-over-TLS        |
| 12 | drop   | *                                                  | Default drop inter-VLAN   |

IPv6 Forward Rules

Mirrors IPv4 logic with ICMPv6 allowed.
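Because RouterOS filter chains are first-match, the position of a rule decides whether it ever fires. The following is an added example (not part of the router export or of RouterOS) that walks a packet through the forward chain the way the router would: the rule lines are copied verbatim from the export below, the `LAN`/`WAN` interface lists and the `cloudflared-mgmt-allowed` address list reproduce what the export declares, and the packets are constructed samples. It only understands the rule properties this export uses. Walking a HOME → 1.1.1.1 TCP/853 packet through it shows the first match is the `HOME to Internet` accept, which sits above the `Block DoT from LAN` reject in the export; that is exactly the kind of ordering check the walk is meant to surface.

```python
"""First-match walk of a RouterOS /ip firewall filter forward chain.

Added example; it is not part of the router export. Rule lines are copied
verbatim from the export, interface and address lists reproduce what the
export declares, and the packets are constructed samples.
"""
import ipaddress
import shlex

# Interface lists exactly as declared under /interface list member.
IFACE_LISTS = {
    "LAN": {"vlan-home", "vlan-lab", "vlan-iot", "vlan-cctv", "vlan-mgmt"},
    "WAN": {"pppoe-out1"},
}
# /ip firewall address-list entries, RouterOS range syntax kept as-is.
ADDR_LISTS = {"cloudflared-mgmt-allowed": ["10.0.99.2-10.0.99.10"]}

# A subset of the forward chain, kept in export order because the order is
# what decides the outcome.
FORWARD_RULES = """
add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="HOME to Internet" in-interface=vlan-home out-interface-list=WAN
add action=accept chain=forward comment="IoT to Internet" in-interface=vlan-iot out-interface-list=WAN
add action=accept chain=forward comment="MGMT to all VLANs" in-interface=vlan-mgmt out-interface-list=LAN
add action=accept chain=forward comment="Allow all VLANs to server 10.0.20.10" dst-address=10.0.20.10
add action=accept chain=forward comment="Allow DNS UDP to Internet" dst-port=53 out-interface-list=WAN protocol=udp
add action=reject chain=forward comment="Block DoT from LAN" dst-port=853 in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="Containers to selected MGMT hosts" dst-address-list=cloudflared-mgmt-allowed src-address=172.31.255.0/24
add action=drop chain=forward comment="Drop other inter-VLAN"
""".strip().splitlines()


def parse_rule(line):
    """'add k=v k2="v 2"' -> dict; shlex strips the quotes around comments."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[1:])


def in_address(addr, spec):
    """spec is a host, a CIDR, or a 'lo-hi' range, as RouterOS accepts."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def in_ports(port, spec):
    """spec is '53', '10000-20000', or a comma list of those."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# One predicate per rule property this example understands.
MATCHERS = {
    "connection-state": lambda p, v: p["state"] in v.split(","),
    "in-interface": lambda p, v: p["in_if"] == v,
    "out-interface": lambda p, v: p["out_if"] == v,
    "in-interface-list": lambda p, v: p["in_if"] in IFACE_LISTS[v],
    "out-interface-list": lambda p, v: p["out_if"] in IFACE_LISTS[v],
    "protocol": lambda p, v: p["proto"] == v,
    "src-address": lambda p, v: in_address(p["src"], v),
    "dst-address": lambda p, v: in_address(p["dst"], v),
    "dst-port": lambda p, v: in_ports(p["dport"], v),
    "dst-address-list": lambda p, v: any(in_address(p["dst"], s) for s in ADDR_LISTS[v]),
}


def first_match(packet, rules=FORWARD_RULES):
    """Return (action, comment) of the first rule whose properties all hold.

    A rule with no matcher properties (the final drop) matches every packet.
    When nothing matches, RouterOS lets the packet through (chain default).
    """
    for line in rules:
        rule = parse_rule(line)
        props = {k: v for k, v in rule.items() if k in MATCHERS}
        if all(MATCHERS[k](packet, v) for k, v in props.items()):
            return rule["action"], rule.get("comment", "")
    return "accept", "(chain default)"


# Constructed sample packets: the first packet of a new connection each time.
PACKETS = {
    "iot-to-home": {"in_if": "vlan-iot", "out_if": "vlan-home", "src": "10.0.40.120",
                    "dst": "10.0.10.5", "proto": "tcp", "dport": 445, "state": "new"},
    "mgmt-to-cctv": {"in_if": "vlan-mgmt", "out_if": "vlan-cctv", "src": "10.0.99.50",
                     "dst": "10.0.50.10", "proto": "tcp", "dport": 554, "state": "new"},
    "iot-to-server": {"in_if": "vlan-iot", "out_if": "vlan-lab", "src": "10.0.40.120",
                      "dst": "10.0.20.10", "proto": "tcp", "dport": 8123, "state": "new"},
    "home-dot-to-internet": {"in_if": "vlan-home", "out_if": "pppoe-out1", "src": "10.0.10.5",
                             "dst": "1.1.1.1", "proto": "tcp", "dport": 853, "state": "new"},
    "container-to-mgmt": {"in_if": "containers", "out_if": "vlan-mgmt", "src": "172.31.255.2",
                          "dst": "10.0.99.2", "proto": "tcp", "dport": 8080, "state": "new"},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        action, comment = first_match(pkt)
        print(f"{name:22} -> {action:7} {comment}")
```

Only the forward chain is modelled; the input chain in the export has its own ordering (the `MGMT access to router` accept sits above the `Block IoT to router` and final drops) and can be walked the same way by swapping in those lines.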


Containers

Router hosts containers via veth pairs on bridge containers (172.31.255.0/24):

| Container          | IP           | Image                             | Purpose               |
|--------------------|--------------|-----------------------------------|-----------------------|
| docker-cloudflared | 172.31.255.2 | ghcr.io/shmick/docker-cloudflared | Cloudflare Tunnel     |
| veth1              | 172.31.255.2 |                                   | Cloudflared interface |
| veth2              | 172.31.255.3 |                                   | Reserved              |

Containers have Internet access and can reach:

  • LAB VLAN (10.0.20.0/24) — full access
  • MGMT VLAN (10.0.99.2-10.0.99.10) — limited hosts via cloudflared-mgmt-allowed list

Registry: registry-1.docker.io (no auth), tmpdir: /usb1/tmp


Services

| Service        | Status                           | Allowed Sources                                    |
|----------------|----------------------------------|----------------------------------------------------|
| SSH            | Enabled                          | 10.0.99.0/24                                       |
| WinBox         | Enabled                          | 10.0.99.0/24                                       |
| WebFig (HTTP)  | Enabled (port 8080)              | 10.0.99.0/24, 172.31.255.2                         |
| WebFig (HTTPS) | Enabled                          | 10.0.99.0/24, 172.31.255.2                         |
| FTP            | Disabled                         |                                                    |
| Telnet         | Disabled                         |                                                    |
| API            | Disabled                         |                                                    |
| API-SSL        | Disabled                         |                                                    |
| DNS            | Enabled (recursive)              | All LAN (ad-block upstream: 1.1.1.1, 8.8.8.8)      |
| DHCP           | Enabled (HOME, IoT, CCTV, MGMT)  | Per-VLAN pools                                     |
| LEDs           | All disabled (dark)              |                                                    |

Rate Limiting

  • IoT VLAN (10.0.40.0/24) → 1Mbps limit via limit-iot-1m simple queue

VPN

  • WireGuard: back-to-home-vpn on port 46209, MTU 1420
  • DDNS: MikroTik Cloud enables back-to-home-vpn DDNS (updates every 10 min)
  • Allowed: VPN → Internet + all LAN VLANs

Notes

  • All LED indicators disabled for silent/dark operation
  • ONT accessible at 192.168.1.x from MGMT VLAN (SNAT'd)
  • DNS-over-TLS (port 853) blocked from LAN to prevent DHCP DNS bypass
  • VoIP VLAN 300 passed transparently to Proxmox via trunk
  • hAP ac² (R2) has a reserved MGMT lease at 10.0.99.2

Full RouterOS Export

Exported 2026-05-07 22:14:54 AST. Credentials redacted below — see router-r1-secrets.md for the full version with PPPoE/WiFi/container secrets.

/interface bridge
add comment="Main trunk bridge" name=bridge-trunk vlan-filtering=yes
add name=containers

/interface veth
add address="" container-mac-address=02:8D:49:31:8B:D0 dhcp=no gateway="" gateway6="" \
    mac-address=02:8D:49:31:8B:CF name=agh
add address=172.31.255.2/24 container-mac-address=0C:68:F5:5E:70:49 dhcp=no gateway=172.31.255.1 \
    gateway6="" mac-address=0C:68:F5:5E:70:48 name=veth1
add address=172.31.255.3/24 container-mac-address=0C:68:F5:5E:70:51 dhcp=no gateway=172.31.255.1 \
    gateway6="" mac-address=0C:68:F5:5E:70:50 name=veth2

/interface wireguard
add comment=back-to-home-vpn listen-port=46209 mtu=1420 name=back-to-home-vpn

/interface vlan
add comment="VLAN 50 CCTV" interface=bridge-trunk name=vlan-cctv vlan-id=50
add comment="VLAN 10 HOME" interface=bridge-trunk name=vlan-home vlan-id=10
add comment="VLAN 40 IoT" interface=bridge-trunk name=vlan-iot vlan-id=40
add comment="VLAN 20 LAB" interface=bridge-trunk name=vlan-lab vlan-id=20
add comment="VLAN 99 MGMT" interface=bridge-trunk name=vlan-mgmt vlan-id=99
add comment="Claro Internet VLAN 100" interface=sfp1 name=vlan100-wan vlan-id=100

/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan100-wan name=pppoe-out1 user=<pppoe-user>

/interface list
add comment="WAN interfaces" name=WAN
add comment="LAN interfaces" name=LAN

/interface wifi configuration
add country="United States" hide-ssid=yes name=cfg-master-2g ssid=R1-MASTER-2G
add country="United States" hide-ssid=yes name=cfg-master-5g ssid=R1-MASTER-5G

/interface wifi
set [ find default-name=wifi1 ] channel.frequency=2412 .reselect-interval=1m..2m .width=20mhz \
    configuration=cfg-master-2g configuration.country="United States" .mode=ap .tx-power=17 disabled=no
set [ find default-name=wifi2 ] channel.frequency=5180 .skip-dfs-channels=all .width=20/40mhz \
    configuration=cfg-master-5g configuration.country="United States" .hide-ssid=yes .mode=ap \
    .ssid=R1-MASTER-5G .tx-power=18 disabled=no

/interface wifi datapath
add bridge=bridge-trunk name=dp-home vlan-id=10
add bridge=bridge-trunk name=dp-iot vlan-id=40
add bridge=bridge-trunk name=dp-cctv vlan-id=50
add bridge=bridge-trunk name=dp-mgmt vlan-id=99

/interface wifi security
add authentication-types=wpa2-psk disabled=no name=sec-home
add authentication-types=wpa2-psk name=sec-iot
add authentication-types=wpa2-psk name=sec-cctv
add authentication-types=wpa2-psk name=sec-mgmt

/interface wifi configuration
add antenna-gain=3 country="Dominican Republic" datapath=dp-home name=cfg-home security=sec-home ssid=CAROLAM.- tx-power=17
add country="Dominican Republic" datapath=dp-iot name=cfg-iot security=sec-iot ssid=IoT
add country="Dominican Republic" datapath=dp-cctv disabled=no hide-ssid=yes name=cfg-cctv security=sec-cctv ssid=GS
add antenna-gain=3 country="Dominican Republic" datapath=dp-home name=cfg-home-2g security=sec-home ssid=CAROLAM.- tx-power=16
add channel.skip-dfs-channels=10min-cac country="United States" datapath=dp-home disabled=no name=cfg-home-5g security=sec-home ssid=CAROLAM.-
add country="United States" datapath=dp-mgmt disabled=no hide-ssid=yes name=cfg-mgmt security=sec-mgmt ssid=GNTECH-MGMT

/interface wifi
add configuration=cfg-cctv configuration.hide-ssid=yes .mode=ap disabled=no \
    mac-address=06:F4:1C:C5:42:DA master-interface=wifi1 name=wifi1-cctv
add configuration=cfg-home-2g configuration.hide-ssid=yes .mode=ap .ssid=CAROLAM-2G disabled=no \
    mac-address=06:F4:1C:C5:42:DC master-interface=wifi1 name=wifi1-home
add configuration=cfg-iot configuration.mode=ap disabled=no mac-address=06:F4:1C:C5:42:D9 \
    master-interface=wifi1 name=wifi1-iot
add configuration=cfg-mgmt configuration.hide-ssid=yes .mode=ap .ssid=GNTECH-MGMT-2G disabled=no \
    mac-address=06:F4:1C:C5:42:DE master-interface=wifi1 name=wifi1-mgmt
add configuration=cfg-home-5g configuration.hide-ssid=no .mode=ap .ssid=CAROLAM.- disabled=no \
    mac-address=06:F4:1C:C5:42:DD master-interface=wifi2 name=wifi2-home
add configuration=cfg-mgmt configuration.hide-ssid=no .mode=ap .ssid=GNTECH-MGMT disabled=no \
    mac-address=06:F4:1C:C5:42:DF master-interface=wifi2 name=wifi2-mgmt

/ip dhcp-server option
add code=6 name=option-bypass value="'1.1.1.1'"

/ip pool
add name=pool-home ranges=10.0.10.100-10.0.10.250
add name=pool-lab ranges=10.0.20.100-10.0.20.250
add name=pool-iot ranges=10.0.40.100-10.0.40.250
add name=pool-cctv ranges=10.0.50.100-10.0.50.250
add name=pool-mgmt ranges=10.0.99.100-10.0.99.250

/ip dhcp-server
add address-pool=pool-home comment="DHCP HOME" interface=vlan-home name=dhcp-home
add address-pool=pool-lab comment="LAB DHCP handled elsewhere" disabled=yes interface=vlan-lab name=dhcp-lab
add address-pool=pool-iot comment="DHCP IoT" interface=vlan-iot name=dhcp-iot
add address-pool=pool-cctv comment="DHCP CCTV" interface=vlan-cctv name=dhcp-cctv
add address-pool=pool-mgmt comment="DHCP MGMT" interface=vlan-mgmt name=dhcp-mgmt

/queue simple
add max-limit=1M/1M name=limit-iot-1m target=10.0.40.0/24

/container
add cmd="tunnel --no-autoupdate run --token <cloudflare-tunnel-token>" \
    dns=1.1.1.1,1.0.0.1 hostname=CF interface=veth1 \
    logging=yes name=docker-cloudflared remote-image=ghcr.io/shmick/docker-cloudflared \
    root-dir=/usb1/container/cloudflared start-on-boot=yes workdir=/usr/local/bin

/container config
set registry-url=https://registry-1.docker.io tmpdir=/usb1/tmp

/interface bridge port
add bridge=bridge-trunk comment="MGMT access" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=99
add bridge=bridge-trunk comment="MGMT access" interface=ether3 pvid=99
add bridge=bridge-trunk comment="HOME access" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge-trunk comment="CCTV access" frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=50
add bridge=bridge-trunk comment="Trunk tagged only" frame-types=admit-only-vlan-tagged interface=ether5
add bridge=containers interface=veth1
add bridge=containers interface=veth2
add bridge=bridge-trunk interface=sfp1

/interface bridge vlan
add bridge=bridge-trunk comment=HOME tagged=bridge-trunk,ether5 untagged=ether4 vlan-ids=10
add bridge=bridge-trunk comment=LAB tagged=bridge-trunk,ether5,ether3 vlan-ids=20
add bridge=bridge-trunk comment=IoT tagged=bridge-trunk,ether5 vlan-ids=40
add bridge=bridge-trunk comment=CCTV tagged=bridge-trunk,ether5 vlan-ids=50
add bridge=bridge-trunk comment=MGMT tagged=bridge-trunk,ether5 untagged=ether2 vlan-ids=99
add bridge=bridge-trunk comment="ISP VoIP VLAN 300 to Proxmox" tagged=bridge-trunk,sfp1,ether5 vlan-ids=300
add bridge=bridge-trunk untagged=sfp1,bridge-trunk vlan-ids=1

/interface list member
add interface=vlan-home list=LAN
add interface=vlan-lab list=LAN
add interface=vlan-iot list=LAN
add interface=vlan-cctv list=LAN
add interface=vlan-mgmt list=LAN
add interface=pppoe-out1 list=WAN

/ip address
add address=10.0.99.1/24 comment="MGMT gateway" interface=vlan-mgmt network=10.0.99.0
add address=10.0.10.1/24 comment="HOME gateway" interface=vlan-home network=10.0.10.0
add address=10.0.20.1/24 comment="LAB gateway" interface=vlan-lab network=10.0.20.0
add address=10.0.40.1/24 comment="IoT gateway" interface=vlan-iot network=10.0.40.0
add address=10.0.50.1/24 comment="CCTV gateway" interface=vlan-cctv network=10.0.50.0
add address=172.31.255.1/24 interface=containers network=172.31.255.0
add address=192.168.1.2/24 comment="ONT access" interface=sfp1 network=192.168.1.0

/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m

/ip cloud back-to-home-user
add allow-lan=yes comment="R1 | hAP ax S" name="iPhone 15 Pro" public-key="<peer-public-key>"

/ip dhcp-server lease
add address=10.0.99.2 comment="hAP ac2" mac-address=18:FD:74:1C:B5:75

/ip dhcp-server network
add address=10.0.10.0/24 comment=HOME dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 comment=LAB dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.40.0/24 comment=IoT dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.50.0/24 comment=CCTV dns-server=10.0.50.1 gateway=10.0.50.1
add address=10.0.60.0/24 comment=DEV dns-server=10.0.60.1 gateway=10.0.60.1
add address=10.0.99.0/24 comment=MGMT dns-server=10.0.99.1 gateway=10.0.99.1 next-server=10.0.99.249

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=8192KiB max-udp-packet-size=1232 servers=1.1.1.1,8.8.8.8

/ip dns static
add address=10.97.50.62 name=ims.claro.com.do type=A
add address=10.97.51.62 name=ims.claro.com.do type=A

/ip firewall address-list
add address=10.0.99.2-10.0.99.10 comment="MGMT hosts allowed from containers" list=cloudflared-mgmt-allowed

/ip firewall filter
add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=accept chain=input comment="Allow established/related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Containers to Internet" in-interface=containers out-interface-list=WAN
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow DHCP" dst-port=67 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="MGMT access to router" in-interface=vlan-mgmt
add action=drop chain=input comment="Drop from WAN" in-interface-list=WAN
add action=drop chain=input comment="Block IoT to router" in-interface=vlan-iot
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="HOME to Internet" in-interface=vlan-home out-interface-list=WAN
add action=accept chain=forward comment="LAB to Internet" in-interface=vlan-lab out-interface-list=WAN
add action=accept chain=forward comment="IoT to Internet" in-interface=vlan-iot out-interface-list=WAN
add action=accept chain=forward comment="CCTV to Internet" in-interface=vlan-cctv out-interface-list=WAN
add action=accept chain=forward comment="MGMT to Internet" in-interface=vlan-mgmt out-interface-list=WAN
add action=accept chain=forward comment="MGMT to all VLANs" in-interface=vlan-mgmt out-interface-list=LAN
add action=accept chain=forward comment="Allow all VLANs to server 10.0.20.10" dst-address=10.0.20.10
add action=accept chain=forward comment="Allow all VLANs to server 10.0.20.30" dst-address=10.0.20.30
add action=accept chain=forward comment="Allow Frigate host to CCTV VLAN" dst-address=10.0.50.0/24 src-address=10.0.20.15
add action=accept chain=forward comment="Allow Frigate host to CCTV VLAN" dst-address=10.0.50.0/24 src-address=10.0.20.30
add action=accept chain=forward comment="VPN to Internet" in-interface=back-to-home-vpn out-interface-list=WAN
add action=accept chain=forward comment="VPN to LAN" in-interface=back-to-home-vpn out-interface-list=LAN
add action=accept chain=forward comment="Allow DNS UDP to Internet" dst-port=53 out-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow DNS TCP to Internet" dst-port=53 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="LAN to containers" dst-address=172.31.255.0/24 in-interface-list=LAN
add action=accept chain=forward comment="MGMT to Asterisk SIP" dst-address=10.0.20.25 dst-port=5160 in-interface=vlan-mgmt protocol=udp
add action=accept chain=forward comment="MGMT to Asterisk RTP" dst-address=10.0.20.25 dst-port=10000-20000 in-interface=vlan-mgmt protocol=udp
add action=accept chain=forward comment="HOME to Asterisk SIP" dst-address=10.0.20.25 dst-port=5160 in-interface=vlan-home protocol=udp
add action=accept chain=forward comment="HOME to Asterisk RTP" dst-address=10.0.20.25 dst-port=10000-20000 in-interface=vlan-home protocol=udp
add action=accept chain=forward comment="Asterisk SIP to MGMT" out-interface=vlan-mgmt protocol=udp src-address=10.0.20.25 src-port=5160
add action=accept chain=forward comment="Asterisk RTP to MGMT" out-interface=vlan-mgmt protocol=udp src-address=10.0.20.25 src-port=10000-20000
add action=accept chain=forward comment="Asterisk SIP to HOME" out-interface=vlan-home protocol=udp src-address=10.0.20.25 src-port=5160
add action=accept chain=forward comment="Asterisk RTP to HOME" out-interface=vlan-home protocol=udp src-address=10.0.20.25 src-port=10000-20000
add action=accept chain=forward comment="Allow PBX to Zoiper" dst-address=10.0.99.250 src-address=10.0.20.25
add action=accept chain=forward comment="Allow Zoiper to PBX" dst-address=10.0.20.25 src-address=10.0.99.250
add action=accept chain=forward comment="Allow MicroSIP MGMT to Asterisk" dst-address=10.0.20.25 src-address=10.0.99.250
add action=accept chain=forward comment="Allow Asterisk to MicroSIP MGMT" dst-address=10.0.99.250 src-address=10.0.20.25
add action=accept chain=forward comment="Access ONT" dst-address=192.168.1.0/24 src-address=10.0.99.0/24
add action=reject chain=forward comment="Block DoT from LAN" dst-port=853 in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="Allow containers to LAB" in-interface=containers out-interface=vlan-lab
add action=accept chain=forward comment="Containers to selected MGMT hosts" dst-address-list=cloudflared-mgmt-allowed src-address=172.31.255.0/24
add action=drop chain=forward comment="Drop other inter-VLAN"

/ip firewall nat
add action=masquerade chain=srcnat comment="MGMT to ONT" dst-address=192.168.1.0/24 src-address=10.0.99.0/24
add action=masquerade chain=srcnat comment="NAT via WAN" out-interface-list=WAN

/ip service
set ftp disabled=yes
set ssh address=10.0.99.0/24
set telnet disabled=yes
set www-ssl address=10.0.99.0/24,172.31.255.2/32 disabled=no
set www address=10.0.99.0/24,172.31.255.2/32 port=8080
set winbox address=10.0.99.0/24
set api disabled=yes
set api-ssl disabled=yes

/ipv6 address
add from-pool=ipv6-pd interface=vlan-home
add from-pool=ipv6-pd interface=vlan-lab
add from-pool=ipv6-pd interface=vlan-iot
add from-pool=ipv6-pd interface=vlan-cctv
add from-pool=ipv6-pd interface=vlan-mgmt

/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=ipv6-pd request=prefix

/ipv6 firewall filter
add action=accept chain=input comment="Allow established/related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow ICMPv6" protocol=icmpv6
add action=accept chain=input comment="Allow DHCPv6 client" dst-port=546 protocol=udp
add action=accept chain=input comment="Allow DNS UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="MGMT access to router" in-interface=vlan-mgmt
add action=drop chain=input comment="Drop from WAN" in-interface-list=WAN
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow ICMPv6 forward" protocol=icmpv6
add action=accept chain=forward comment="HOME to Internet" in-interface=vlan-home out-interface=pppoe-out1
add action=accept chain=forward comment="LAB to Internet" in-interface=vlan-lab out-interface=pppoe-out1
add action=accept chain=forward comment="IoT to Internet" in-interface=vlan-iot out-interface=pppoe-out1
add action=accept chain=forward comment="CCTV to Internet" in-interface=vlan-cctv out-interface=pppoe-out1
add action=accept chain=forward comment="MGMT to Internet" in-interface=vlan-mgmt out-interface=pppoe-out1
add action=accept chain=forward comment="MGMT to all VLANs" in-interface=vlan-mgmt out-interface-list=LAN
add action=drop chain=forward comment="Drop other inter-VLAN"

/ipv6 nd
add interface=vlan-home
add interface=vlan-lab
add interface=vlan-iot
add interface=vlan-cctv
add interface=vlan-mgmt

/system clock
set time-zone-name=America/Santo_Domingo

/system identity
set name=R1

/system leds
set 0 disabled=yes interface=ether5 leds=ether5-led type=interface-status
set 1 disabled=yes interface=ether5 leds=poe-led type=interface-status

/system leds settings
set all-leds-off=immediate