Topic: Orange fibre at 2Gbps, on a MikroTik 10Gbps CCR2004 router, via an SFP+ ONT  (Read 1448757 times)


ablyes

« Reply #4692 on: 04 July 2023 at 18:33:37 »
OK, I'm following your recommendations.

cp /etc/mibs/data_1g_8q.ini /etc/mibs/data_1g_8q.ini.ORG
vi /etc/mibs/data_1g_8q.ini
replace =>
# ONT-G
256 0 HWTC 0000000000000 00000000 2 0 0 0 0 #0
WITH
256 0 SMBS SMBS03xxxxxA\0 00000000 2 0 0 0 0 #0

My serial is 12 characters long. I suppose that is why the "\0" has to be added at the end?
After a reboot and a wait of a few minutes, I see no change in the output of the gtop command c+v or c+y.
Did I forget something?

yeocti

« Reply #4693 on: 04 July 2023 at 18:56:44 »
In /etc/mibs/data_1g_8q.ini, it is not the serial but the Hardware version that has to be given.

ablyes

« Reply #4694 on: 04 July 2023 at 19:55:52 »
There we go, it works!

GPE VLAN

Name:        ONU_GPE_VLAN_TABLE
ID:          18
no;pcp;dei;vid;vlan_meter_enable;vlan_meter_id;end
32; ; ;2800; ; ;
33; ; ; ; ; ;1
36; ; ;835; ; ;
37; ; ;852; ; ;
38; ; ;2800; ; ;
39; ; ; ; ; ;1
40; ; ;852; ; ;
41; ; ; ; ; ;1
44; ; ;835; ; ;
45; ; ; ; ; ;1

I have no internet, but the VLAN works.
I imagine the next step is configuring the router?
I posted the current configuration a page earlier; here it is again:

/interface ethernet
set [ find default-name=ether8 ] name=ether8-ONT-OUT
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,2500M-full arp=disabled mac-address=<MAC_ADDRESS_LIVEBOX_V5> name=sfp-ONT-IN rx-flow-control=on speed=2.5Gbps tx-flow-control=on

/interface vlan
add interface=sfp-ONT-IN name=Orange832 vlan-id=832

/ip dhcp-client option
add code=77 name="User Class Information" value=\
    "0x2b'FSVDSL_livebox.Internet.softathome.Livebox5'"
add code=90 name=Authentication value="0x<CREDENTIALS_HASH>"
add code=61 name=MAC value=<MAC_ADDRESS_LIVEBOX_V5> # I have doubts here, why on earth put the same MAC address twice?
add code=60 name=class-identifier value="'sagem'"

/ip dhcp-client
add dhcp-options=userclass,authsend,MAC interface=Orange832

/system clock
set time-zone-name=Europe/Paris

/tool graphing interface
add interface=sfp-ONT-IN

/ip pool
add name=dhcp ranges=192.168.1.11-192.168.1.254 # I leave .10 free for the GPON

But I remember that one of you had already spotted an anomaly.

Asclèpios

« Reply #4695 on: 04 July 2023 at 20:05:36 »
Indeed, VLAN OK. All you have left is the router configuration ;)

yeocti

« Reply #4696 on: 04 July 2023 at 20:07:59 »
There we go, it works!

Perfect  8)

ablyes

« Reply #4697 on: 04 July 2023 at 21:47:17 »
Perfect  8)

Thanks everyone.

Well, I reread the post: the IPv6 part is mandatory, and it also has to be consistent with the IPv4 part.
I must be missing quite a few commands.

yeocti

« Reply #4698 on: 04 July 2023 at 22:08:58 »
Hmmm, normally you can do IPv4 only at first (or even IPv6 only).
However, if you configure IPv6, it will indeed have to be consistent.

Don't hesitate to use Winbox as well to configure your RB5009. It's rather handy.
The commands are explicit enough for you to find your way around the interface.

Asclèpios

« Reply #4699 on: 05 July 2023 at 11:12:53 »
Thanks everyone.

Well, I reread the post: the IPv6 part is mandatory, and it also has to be consistent with the IPv4 part.
I must be missing quite a few commands.

No, not mandatory; strongly recommended, but later on, if you want to enable IPv6, you will have to be careful.

My advice: for now, concern yourself only with IPv4.

ablyes

« Reply #4700 on: 05 July 2023 at 12:09:45 »
I've worked quite a bit.
I'm posting my configuration here; I'm, as they say, stuck, because I don't know where to look.
I have the impression that the IPv4 and IPv6 parts are properly configured.
Thanks in advance for your advice.

# 2023-07-05 12:02:52 by RouterOS 7.10.1
# software id = FVJY-YJ61
#
# model = RB5009UG+S+
# serial number = HEH0XXXXXXX
/interface bridge
add admin-mac=48:A9:8A:D2:8A:69 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=77 name=user-class value=0x2B46535644534C5F6C697665626F782E496E7465726E65742E736F66746174686F6D652E4C697665626F7835
add code=90 name=authentication value=0x00000000000000000000001aXXXXXXXXXXXXXX......XXXXXXXXX
add code=60 name=vendor-class value=0x736167656d
/ip pool
add name=dhcp ranges=192.168.1.11-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ipv6 dhcp-client option
add code=15 name=userclass value=0x2B46535644534C5F6C697665626F782E496E7465726E65742E736F66746174686F6D652E4C697665626F7835
add code=11 name=authsend value=0x00000000000000000000001aXXXXXXXXXXXXXXXXXXXX....XXXXXX
add code=1 name=DUID value=0x00030001209A7D31C6C0
add code=16 name=vendor-class value=0x0000040e0005736167656d
add code=17 name=vendor-infos value=0x000005580006000e495056365f524551554553544544
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=Troll
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
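
The hex option values in the export above can be decoded to see what the DHCP clients would actually send. This is an added example, not code from the thread or from MikroTik; the function names are hypothetical and the layouts follow RFC 3004 and RFC 2132 (IPv4) and RFC 8415 (DHCPv6).

```python
import struct

# Values copied from the export above; the redacted authentication options are left out.
USER_CLASS = ("0x2B46535644534C5F6C697665626F782E496E7465726E65742E"
              "736F66746174686F6D652E4C697665626F7835")
V4_OPTIONS = {77: USER_CLASS, 60: "0x736167656d"}
V6_OPTIONS = {
    15: USER_CLASS,
    1: "0x00030001209A7D31C6C0",
    16: "0x0000040e0005736167656d",
    17: "0x000005580006000e495056365f524551554553544544",
}


def raw(value):
    """Turn a RouterOS 0x... option value into bytes."""
    if not value.lower().startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex value")
    return bytes.fromhex(value[2:])


def length_prefixed(data, width):
    """Split data into items, each preceded by a big-endian length of `width` bytes."""
    items, pos = [], 0
    while pos < len(data):
        if pos + width > len(data):
            raise ValueError("truncated length field")
        n = int.from_bytes(data[pos:pos + width], "big")
        pos += width
        if pos + n > len(data):
            raise ValueError(f"item length {n} exceeds remaining {len(data) - pos} bytes")
        items.append(data[pos:pos + n])
        pos += n
    return items


def decode_v4(code, value):
    data = raw(value)
    if code == 77:   # RFC 3004: one-byte length before each user class
        return [i.decode("ascii") for i in length_prefixed(data, 1)]
    if code == 60:   # RFC 2132: plain vendor class identifier
        return data.decode("ascii")
    raise KeyError(code)


def decode_v6(code, value):
    data = raw(value)
    if code == 1:    # client DUID; type 3 is DUID-LL: hardware type + link-layer address
        if len(data) < 4:
            raise ValueError("DUID too short")
        duid_type, hw_type = struct.unpack("!HH", data[:4])
        return {"duid_type": duid_type, "hw_type": hw_type,
                "mac": ":".join(f"{b:02x}" for b in data[4:])}
    if code == 15:   # RFC 8415: two-byte length before each user class
        return [i.decode("ascii") for i in length_prefixed(data, 2)]
    if code == 16:   # enterprise number, then two-byte-length vendor classes
        return {"enterprise": int.from_bytes(data[:4], "big"),
                "classes": [i.decode("ascii") for i in length_prefixed(data[4:], 2)]}
    if code == 17:   # enterprise number, then sub-options (code, length, data)
        subs, pos = [], 4
        while pos < len(data):
            if pos + 4 > len(data):
                raise ValueError("truncated sub-option header")
            sub_code, n = struct.unpack("!HH", data[pos:pos + 4])
            subs.append((sub_code, data[pos + 4:pos + 4 + n].decode("ascii")))
            pos += 4 + n
        return {"enterprise": int.from_bytes(data[:4], "big"), "suboptions": subs}
    raise KeyError(code)


def report():
    """Decode every option; record a parse failure instead of stopping on it."""
    out = {}
    for family, table, fn in (("v4", V4_OPTIONS, decode_v4), ("v6", V6_OPTIONS, decode_v6)):
        for code, value in table.items():
            try:
                out[(family, code)] = fn(code, value)
            except ValueError as exc:
                out[(family, code)] = f"malformed: {exc}"
    return out


if __name__ == "__main__":
    for key, decoded in report().items():
        print(key, decoded)
```

Every value decodes except DHCPv6 option 15: it carries the same bytes as IPv4 option 77, so its first two bytes do not form a valid RFC 8415 length. The DUID decodes to a link-layer address, which means a posted export discloses that MAC even where the `mac-address=` field has been masked.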

Asclèpios

« Reply #4701 on: 05 July 2023 at 12:19:38 »
Why not try with Winbox?

yeocti

« Reply #4702 on: 05 July 2023 at 12:19:56 »
I don't think I see your DHCP client configuration.
You have defined the options. Now you need to configure the client itself (yet you had done so in the previous configuration you posted 🤔)

You are missing the bridge filters to set the CoS to 6.

Edit: there seems to be a default DHCP client configuration. That's not right.
There is no interface to pick up Orange's VLAN 832.

Go back through the tutorial on the first page from the start for the MikroTik configuration part. Focus on IPv4.
Once you have mastered IPv4, you can move on to IPv6.

ablyes

« Reply #4703 on: 05 July 2023 at 12:44:02 »
I added the bridge filters.
But it won't accept this command, and I don't understand why.
/ip/dhcp-client> add dhcp-options=authsend,clientid,hostname,userclass interface=orange-832
input does not match any value of option


Current config, after a few additions.
# 2023-07-05 12:02:52 by RouterOS 7.10.1
# software id = FVJY-YJ61
#
# model = RB5009UG+S+
# serial number = HEH0XXXXXXX
/interface bridge
add admin-mac=48:A9:8A:D2:8A:69 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=orange-832 protocol-mode=none
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,2500M-full arp=disabled mac-address=20:9A:7D:31:C6:C0 name=sfp-ONT-IN rx-flow-control=on tx-flow-control=on
/interface vlan
add interface=sfp-ONT-IN name=Orange832 vlan-id=832
add interface=ether1 name=VLAN832 vlan-id=832
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=77 name=user-class value=0x2B46535644534C5F6C697665626F782E496E7465726E65742E736F66746174686F6D652E4C697665626F7835
add code=90 name=authentication value=0x00000000000000000000001aXXXXXXXXXXXXXX......XXXXXXXXX
add code=60 name=vendor-class value=0x736167656d
/ip pool
add name=dhcp ranges=192.168.1.11-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ipv6 dhcp-client option
add code=15 name=userclass value=0x2B46535644534C5F6C697665626F782E496E7465726E65742E736F66746174686F6D652E4C697665626F7835
add code=11 name=authsend value=0x00000000000000000000001aXXXXXXXXXXXXXXXXXXXX....XXXXXX
add code=1 name=DUID value=0x00030001209A7D31C6C0
add code=16 name=vendor-class value=0x0000040e0005736167656d
add code=17 name=vendor-infos value=0x000005580006000e495056365f524551554553544544
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes log-prefix="Set CoS6 on DHCP IPv4 request" mac-protocol=ip new-priority=6 out-interface=VLAN832 passthrough=yes
add action=set-priority chain=output dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-interface=VLAN832 passthrough=yes src-port=68
add action=set-priority chain=output disabled=yes mac-protocol=ipv6 new-priority=6 out-interface=VLAN832 passthrough=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-ONT-IN
add bridge=orange-832 interface=VLAN832
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=Troll
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
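
A lint pass over the export above, as an added example (not from the thread or from MikroTik; `parse`, `lint` and the finding labels are hypothetical). It assumes that `dhcp-options=` names are resolved against the `/ip dhcp-client option` entries plus RouterOS's built-in `clientid` and `hostname`, and it treats interfaces carrying VLAN 832 as the uplink.

```python
import shlex

# Excerpt of the export above, reduced to the lines the checks read
# (option values shortened; names and interfaces are as posted).
EXPORT = """\
/interface bridge
add admin-mac=48:A9:8A:D2:8A:69 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=orange-832 protocol-mode=none
/interface vlan
add interface=sfp-ONT-IN name=Orange832 vlan-id=832
add interface=ether1 name=VLAN832 vlan-id=832
/ip dhcp-client option
add code=77 name=user-class value=0x2B
add code=90 name=authentication value=0x00
add code=60 name=vendor-class value=0x736167656d
/interface bridge port
add bridge=bridge comment=defconf interface=sfp-ONT-IN
add bridge=orange-832 interface=VLAN832
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip dhcp-client
add comment=defconf interface=ether1
"""
# The command from the post that RouterOS rejected.
REJECTED = "add dhcp-options=authsend,clientid,hostname,userclass interface=orange-832"
BUILTIN_V4_OPTIONS = {"clientid", "hostname"}  # assumption: RouterOS default entries


def kv(line):
    """key=value arguments of one export command, quotes handled by shlex."""
    return dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)


def parse(export):
    """Return {section path: [arguments of each command]} (no line continuations)."""
    sections, current = {}, None
    for line in export.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None:
            current.append(kv(line))
    return sections


def lint(export, pending=None):
    """Check DHCP client commands (existing and `pending`) against the export."""
    cfg = parse(export)
    findings = []
    defined = {o["name"] for o in cfg.get("/ip dhcp-client option", [])} | BUILTIN_V4_OPTIONS
    members = cfg.get("/interface list member", [])
    wan = {m["interface"] for m in members if m["list"] == "WAN"}
    lan = {m["interface"] for m in members if m["list"] == "LAN"}
    clients = list(cfg.get("/ip dhcp-client", []))
    if pending:
        clients.append(kv(pending))
    for c in clients:
        wanted = [n for n in c.get("dhcp-options", "").split(",") if n]
        missing = [n for n in wanted if n not in defined]
        if missing:
            # In this export authsend/userclass exist only under /ipv6 dhcp-client option.
            findings.append(("undefined-dhcp-option", c["interface"], missing))
        if c["interface"] not in wan:
            # defconf masquerade and "drop all from WAN" rules match on the WAN list only.
            findings.append(("dhcp-client-not-in-WAN-list", c["interface"], []))
    ports = {p["interface"]: p["bridge"] for p in cfg.get("/interface bridge port", [])}
    for v in cfg.get("/interface vlan", []):
        if v["vlan-id"] == "832" and ports.get(v["interface"]) in lan:
            # The ONT-facing port is bridged with the LAN, so LAN rules apply to it.
            findings.append(("uplink-port-in-LAN-bridge", v["interface"], [ports[v["interface"]]]))
    return findings


if __name__ == "__main__":
    for finding in lint(EXPORT, REJECTED):
        print(finding)
```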