# nov/30/2017 14:01:27 by RouterOS 6.40.5 # reference = https://jcutrer.com/howto/networking/mikrotik/mikrotik-rbcapl-…e-config-home-ap # revision = 1.0 # model = RouterBOARD cAP L-2nD /interface bridge add comment="LAN Bridge" name=bridge /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce comment=Wifi \ country="united states" disabled=no distance=indoors frequency=auto mode=ap-bridge \ rx-chains=0,1 ssid="MikroTik" tx-chains=0,1 wireless-protocol=802.11 /interface wireless manual-tx-power-table set wlan1 comment=Wifi /interface wireless nstreme set wlan1 comment=Wifi /ip neighbor discovery set ether1 discover=no # Wifi Security Settings /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=\ dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=mywifisecret \ wpa2-pre-shared-key=mywifisecret # Guest Wifi Security Settings add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=profile-guest \ supplicant-identity=MikroTik wpa-pre-shared-key=guestpassword wpa2-pre-shared-key=\ guestpassword # Guest Wifi Interface /interface wireless add comment="Guest Wifi" disabled=no master-interface=wlan1 \ name=wlan2 security-profile=profile-guest ssid="MikroTik-Guest" /interface wireless manual-tx-power-table set wlan2 comment="Guest Wifi" /interface wireless nstreme set wlan2 comment="Guest Wifi" /ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot /ip pool add name=dhcp ranges=192.168.1.100-192.168.1.254 add name=vpn ranges=192.168.89.100-192.168.89.254 /ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=dhcp1 /ppp profile set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn /interface bridge filter add action=drop chain=forward comment="Isolate Guest Wifi" in-interface=wlan2 add action=drop chain=forward comment="Isolate Guest Wifi" out-interface=wlan2 /interface bridge port add bridge=bridge comment=defconf disabled=yes interface=ether1 add bridge=bridge comment=defconf interface=wlan1 add bridge=bridge interface=wlan2 /ip firewall connection tracking set tcp-established-timeout=5h # Enable L2TP Server and Set PreShared Key /interface l2tp-server server set enabled=yes ipsec-secret=myvpnsecret use-ipsec=yes /ip address add address=192.168.1.1/24 interface=wlan1 network=192.168.1.0 /ip cloud set ddns-enabled=yes /ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1 /ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24 # Begin Firewall Rules /ip firewall filter add action=accept chain=input comment="Allow Ping (icmp)" protocol=icmp add action=accept chain=input comment="Allow established" connection-state=established add action=accept chain=input comment="Allow related" connection-state=related add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp add action=accept chain=input comment="allow L2TP VPN (1701/udp)" dst-port=1701 protocol=udp add action=accept chain=input comment="allow L2TP VPN (4500/udp)" dst-port=4500 protocol=udp add action=accept chain=input comment="allow L2TP VPN (500/udp)" dst-port=500 protocol=udp add action=drop chain=input comment="Deny All from WAN" in-interface=ether1 add action=drop chain=forward comment="deny new,invalid,untracked connections" \ connection-state=invalid,new,untracked in-interface=ether1 add action=accept chain=forward comment="allow established,related connections" \ connection-state=established,related in-interface=ether1 add action=drop chain=forward comment="deny All forward from WAN" in-interface=ether1 # Begin NAT Rules /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24 # Disable Unneeded IP Services /ip service set telnet disabled=yes set ftp disabled=yes set api disabled=yes set api-ssl disabled=yes # VPN User Account /ppp secret add name=vpnuser password=vpnpass /system clock set time-zone-name=America/New_York /tool mac-server set [ find default=yes ] disabled=yes add interface=wlan1 add interface=wlan2 /tool mac-server mac-winbox set [ find default=yes ] disabled=yes add interface=wlan1 add interface=wlan2