Tag Archives: mikrotik

Mikrotik Wifi, 80386 and Lilygo streaming

Quiet days, I'm working on some art.

But here are the last ‘prutsen’

My current Wifi setup

I’ve got a Wifi outside of my network for guest and emergency. ( 2 SSIDs)

Then a main Wifi router in my livingroom, one in my workshop/studio and one in the Attic (Electronics Lab)

So three main Wifi AccessPoints. These all have the same SSIDs but on different frequencies. That way I've got roaming in and outside my house.
Also some virtual accesspoints are configured.
I've got a main, folkband, IOT, guest-inside all on 2.4GHz and 5GHz.

I watched a lot of YT presentations about Mikrotik Wifi.

So I ended up with DFS safe channels 20MHz for 2.4 and 20/40MHz Ce for 5GHz. (subchannels for each after some frequency scanning)
(2.4 does a fallback to 20MHz whenever there is even one client detected which connects only on this band. Such as some old IOT stuff)
2.4 is only on 1, 6 and 11, no overlap, each on another device.
300Mbps is sufficient for my wifi 🙂

I've got access lists in place and I'm going to read into kicking a client when the signal strength is below -50dB

80386 (DX) Computer

Besides my 8088 and 8086 machines I needed a machine which could run our old demos. So I bought a new toy.

It has 8MB RAM and runs at 40MHz.

I've noticed that much of my VGA register manipulation code can't be run on a modern VGA monitor, I need to use a CRT for that .. Another thing to buy

Lilygo T-Display S3 Streaming

Not my code: https://github.com/Steve5451/esp32-stream-desktop
A very cool project!

Needed to fix arduino code, due to the TFT_eSPI library issues.
And I’ve got a S3 with another resolution, but that was an easy fix.
Then needed to reinstall nodejs with another version.
Had to modify the code because the tcp server would not start.
Weird errors logging, but in the end fixed … very cool

I'll probably end up designing a 3D printed case that looks like a monitor or tv.

Mikrotik day (dhcp and thedude)

Moving dhcp from isc-dhcp-server to Mikrotik.
And playing with theDude and speedtesting.

I've got an old linux gateway which only runs a dhcp server.
Time to move this to a Mikrotik router.

The config on this isc-dhcp-server is huge!
So I was planning to migrate some one by one by hand.
Maybe writing a script to do this automatically later on.

I've got loads of static configured hosts, so I change these:

  • Change static entry in dhcp to a deny booting entry
  • Add a static lease to the Mikrotik
  • Restart dhcp service

Example host

#                # kodiserver
#                host kodi.example.com {
#                fixed-address;
#                hardware ethernet ae:ae:ae:ae:ae:ea;
#                }

host movekodito4011 {
   hardware ethernet ae:ae:ae:ae:ae:ea;
   deny booting;
}

Mikrotik config (static single entry config)
See other post about dhcp config

/ip dhcp-server lease
add address= mac-address=EA:EA:EA:EA:EA:EA

The Dude

The dude is a cool tool which connects to your MT and generates all kinds of cool info.
I was trying to get the frequency spectral scan working.
But it generates a nice network map also.

Easy to install under linux

  • Install wine
  • Download thedude from the MT website
  • start "wine dude_install.exe"
  • cd "/home/$USER/.wine/drive_c/Program Files (x86)/Dude"
  • wine dude.exe

Mikrotik RB4011 Vlan Guest Wifi (IOT) devices

See inline comments:

# Add vlan bridge
/interface bridge
add name=bridge_vlan5

# add security profile for wifi
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=iot supplicant-identity=""

# add virtual wifi to 2.4G and 5G APs
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-g/n country=netherlands disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=xxxxxxxxxxx ssid=MYSSID station-roaming=enabled wireless-protocol=802.11 wps-mode=\
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce country=netherlands disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan5 security-profile=xxxxxxxxxxxxx skip-dfs-channels=all ssid=\
    MYSSID station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:48:A4:69 master-interface=wlan2 multicast-buffering=disabled name=wlan_iot2 security-profile=iot ssid=IOT vlan-id=5 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:80:CE:1D master-interface=wlan5 multicast-buffering=disabled name=wlan_iot5 security-profile=iot ssid=IOT vlan-id=5 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \

# Add vlans to virtual Wifi
/interface vlan
add interface=wlan_iot2 name=vlan5_iot-2 vlan-id=5
add interface=wlan_iot5 name=vlan5_iot-5 vlan-id=5

# add ip range for dhcp
/ip pool
add name=dhcp_pool5_iot ranges=

# add dhcp server with above range
/ip dhcp-server
add address-pool=dhcp_pool5_iot interface=bridge_vlan5 name=dhcpiot

# add vlans and interfaces to vlan  bridge
/interface bridge port
add bridge=bridge interface=wlan_iot2
add bridge=bridge interface=wlan_iot5
add bridge=bridge_vlan5 interface=vlan5_iot-5
add bridge=bridge_vlan5 interface=vlan5_iot-2

# add vlan to existing bridge (Not really needed) is for inter vlan traffic
/interface bridge vlan
add bridge=bridge_vlan5 vlan-ids=5

# add interfaces to LAN list (firewall needs this)
/interface list member
add interface=vlan5_iot-2 list=LAN
add interface=bridge_vlan5 list=LAN
add interface=vlan5_iot-5 list=LAN

# Add gateway/dhcpserver ip address
/ip address
add address= comment="IOT (vlan5)" interface=bridge_vlan5 network=

# dhcp server network
/ip dhcp-server network
add address= dns-server= gateway= netmask=24

# generic NAT rule
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Mikrotik Plug Alarm

When plugging an ethernet cable in port one, the alarm will sound.
And an mqtt message is sent.

I need to dust my desk in the Attic I know!

In the script is a little sound effect loop, maybe I'm going to write an ABC music notation / BagpipeMusicWriter to beep commands.


:do {
    :local broker "NR"
    :local topic "crs109/ether1/alarm"
    :local int1 ether1;
    :foreach a in=[/interface find name=$int1] do={
        :local status [/interface get $a running];
        :if ($status=true) do={
            # sound effect: 8 rising sweeps from 600 Hz to 750 Hz
            :for t1 from=1 to=8 step=1 do={
                :for t2 from=600 to=750 step=8 do={
                    :beep frequency=$t2 length=11ms;
                    :delay 11ms;
                }
            }
            # report the link state on the alarm topic
            /iot mqtt publish broker=$broker topic=$topic message="{\"ether1\":\"connected\"}"
        }
    }
}


/system scheduler
add interval=5s name=schedule1 on-event=script1 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/14/2023 start-time=23:25:36

Wifi monitoring with Mikrotik Mqtt Nodered and Pushover

I've made an arpscanner in the past
But I'm going to migrate the server this is running on.

So I played with ssh commands using ssh connections with a ssh-key, also using Ansible is possible.

ssh user@mikrotik /interface wireless registration-table print

But I didn’t like the continuous logins with automated logins.

So the solution below is what I've implemented for now.

I’ve installed the IOT extra package from Mikrotik, now I can send MQTT messages from my Wifi enabled Mikrotiks to my Mosquitto broker.
(Download extra package zip, extract iot-7.x-arm.npk, upload this to your mikrotik files folder, and reboot)
The script I'm running on my Mikrotik sends the active wifi connections with the comments. (When a comment is set in the Access List, then it's a known connection)

[admin@RB40111] /iot/mqtt> export
# may/15/2023 21:45:12 by RouterOS 7.9
# software id = xxxx-xxxx
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxxxxxxxxxxxxxx
/iot mqtt brokers
add address=10.1.x.y client-id=rb4011 name=NR

I made the following script on my MT named mqtt

:local broker "NR"

# MQTT topic where the message should be published
:local topic "rb4011/mac"

# publish one message per registered wireless client
:foreach i in=[/interface wireless registration-table print proplist=mac-address as-value] do={
    :local message "$i"

    /iot mqtt publish broker=$broker topic=$topic message=$message
}

A schedule is needed to run this script every 15 minutes

[admin@RB40111] /system/scheduler> export
# may/15/2023 21:48:14 by RouterOS 7.9
# software id = xxxx-xxx
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxxxxxxxx
/system scheduler
add interval=15m name=mqtt on-event=mqtt policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/15/2023 start-time=13:30:54

Now all wifi connections will be sent to topic rb4011/mac.

# Example
.id=*6a;comment=Mobile Henri wlan2;mac-address=44:46:87:xx:xx:xx

Using NodeRed I can make filters and notifications

Below function: get Mac and Comment from payload, if the comment is empty then it is an unknown connection … so send me a warning using Pushover.

// filter function: pass the message on only when the comment is empty (unknown client)
var output = msg.payload.split(";");

var comment = (output[1].split("="));
var mac = (output[2].split("="));

msg.payload = mac[1];
if (comment[1] == "") {
    return msg;
}

// is xx:xx:xx:xx:xx:xx online? example: pass the message on only for this MAC
var output = msg.payload.split(";");

var comment = (output[1].split("="));
var mac = (output[2].split("="));

msg.payload = mac[1];
if (mac[1] == "xx:xx:xx:xx:xx:xx") {
    return msg;
}

Now I'm getting a notification when an unknown wifi connection is made on my Access Point.
(I'm going to implement the Access List from MT at a later point. No access when not in the Access List)
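
The filter function above picks the comment and MAC by position, so a payload with a missing field shifts the indexes or throws. An added example (not the author's code; `parseRegistration` and `unknownClientFilter` are hypothetical names and the sample payloads are constructed) that parses by key and notifies on a missing comment, an empty comment or an unparsable payload:

```javascript
// Added example, not the blog author's code. Function names are hypothetical.
const MAC_RE = /^([0-9A-F]{2}:){5}[0-9A-F]{2}$/;

// Constructed sample payloads in the format published to rb4011/mac.
const SAMPLES = {
    known: ".id=*6a;comment=Mobile Henri wlan2;mac-address=44:46:87:00:00:01",
    emptyComment: ".id=*6b;comment=;mac-address=02:00:00:00:00:02",
    noComment: ".id=*6c;mac-address=02:00:00:00:00:03",
    garbage: "not a registration entry",
};

// Turn "k1=v1;k2=v2" into { k1: "v1", k2: "v2" }.
function parseRegistration(payload) {
    const fields = {};
    for (const part of String(payload).split(";")) {
        const eq = part.indexOf("=");
        if (eq === -1) continue;              // not a key=value pair
        // Split on the first "=" only, so a value may contain "=".
        fields[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
    }
    return fields;
}

// Returns a message to forward to Pushover when the client is unknown or
// the payload cannot be parsed, and null (drop) for a known client.
function unknownClientFilter(msg) {
    const fields = parseRegistration(msg.payload);
    const mac = (fields["mac-address"] || "").toUpperCase();
    if (!MAC_RE.test(mac)) {
        // Fail loudly: a format change must not silence the alert.
        return { ...msg, payload: "unparsable registration: " + msg.payload };
    }
    // A missing comment and an empty comment both mean "not in the Access List".
    const comment = fields.comment || "";
    if (comment === "") {
        return { ...msg, payload: mac };
    }
    return null;
}
```

In a Node-RED function node, paste the helpers and end the node with `return unknownClientFilter(msg);`.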

Mikrotik todo

My work document for my Mikrotiks
(Also for my friend Vincent, with a similar setup.)

I’m going to collect information on this page for below changes.


  • Access list connections only
  • Default forward – only certain clients
  • Guest network – better setup.
    I’ve got a folkband guest network right now and
    a captive portal AP on my internet router. (Outside my network)
    This is for colleagues of Coline.
  • Vlan for certain clients


  • Network routing
  • Security


Move all clients to own vlan
New or better VLAN setup

  • Redo Guest network
  • IOT Vlan
  • Manage Vlan better setup
  • Lab – a redo because of changes in DMZ


YT : https://www.youtube.com/watch?v=Hqu8JlieSq4

Mikrotik and Zerotier

Today I've upgraded one of my Mikrotiks to 7.8.

And installed the zerotier extra package!
I’m not going to explain what zerotier is .. read it here:

I already did some tests using my phone and a linux server.

  1. Upgrade to the latest stable version (at this time : 7.8)
  2. Install from the extra packages zerotier-7.8.arm.npk
    upload to the files folder and reboot your MT

Add zerotier network

Allow connection in the Zerotier Gui

Mikrotik changes from ACCESS_DENIED to OK

Ping test from MT to my Phone !

Maybe we could set up an ad hoc zerotier network with some of my friends to do some remote assisting when needed!

Mikrotik and Home Assistant

A friend of mine reminded me of the Mikrotik addons in HA.
I forgot all about this.

I’ve got two integrations running. (Installed via HACS)

Don't forget to enable the API on your devices.

/ip service
set api disabled=no port=8728

The addons/integrations extract a lot of information from the MT devices.

This integration will also let you know that your MT Router can be updated.

This is part of the presence detector/Device locator.
My roaming wifi network will give false locations. My laptop never left the same spot!

I will add to this page, after testing for a while


Today I've migrated my DNS/DHCP to a Mikrotik router.
See post

I’m planning to replace my main firewall/dhcp/dns/web/irc/mail/ids whatever more .. to virtual machines and a mikrotik router.

Having used bind and isc-dhcp-server for many years, I had to try some alternatives.

  • DNS in FreeIPA
  • Unbound with zone/dns
  • Phpipam with powerdns

And now DNS/DHCP in a Mikrotik router!

I still use Phpipam as cmdb.
So I'm planning to use ansible to synchronize phpipam and the mikrotik.

Nice .. no search domain needed …
nslookup webserver, resolves webserver.dmz
If there are 2 hosts with the same hostname, you have to add a domain.

Mikrotik Vlan network with DMZ

UPDATE: 20230227 Static ip script

Example network with DMZ part, using VLANs and trunks.
Tested in my network, but not my current setup.

VLAN 10 – Homenetwork
VLAN 128 – MGT

Modem : fritzbox, is dhcp server for network
CRS: is dhcp server for wlan, home network, management, Also a firewall with NAT is configured here. ( No block examples below, only NAT )
RB: (Routerboard 2011) has no IPs except for a management IP (not in config below)
Server and Reverse proxy are in the network.
(dhcp requests in a dmz vlan (3) get their IP from the modem DHCP pool.)

Example IPs server and PC

server: gets dhcp from modem, gateway DNS
PC: gets dhcp from CRS, gateway DNS

Config CRS

# feb/04/2023 14:55:22 by RouterOS 6.49.5
# software id = xxxx-xxxx
# model = CRS125-24G-1S
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=4C:5E:0C:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=trunk
set [ find default-name=ether3 ] comment=trunk
set [ find default-name=ether9 ] comment=vlan3
set [ find default-name=ether10 ] comment=vlan10
set [ find default-name=ether24 ] comment="MGMT - untagged"
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan128 vlan-id=128
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan128-pool ranges=
add name=vlan10-pool ranges=
/ip dhcp-server
add address-pool=vlan128-pool disabled=no interface=vlan128 name=mgt-dhcp
add address-pool=vlan10-pool disabled=no interface=vlan10 name=gen-dhcp
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp1
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,ether3,switch1-cpu vlan-id=128
add tagged-ports=ether2,ether3,switch1-cpu vlan-id=10
add tagged-ports=ether2,ether3,switch1-cpu vlan-id=3
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=128 ports=ether2,ether3,ether24
add customer-vid=0 new-customer-vid=3 ports=ether1,ether2,ether3,ether9
add customer-vid=0 new-customer-vid=10 ports=ether10,ether2,ether3
/interface ethernet switch vlan
add ports=ether2,ether3,ether24,switch1-cpu vlan-id=128
add ports=ether2,ether3,ether10,switch1-cpu vlan-id=10
add ports=ether1,ether2,ether3,ether9,switch1-cpu vlan-id=3
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address= comment=defconf interface=vlan3 network=
add address= interface=vlan128 network=
add address= interface=vlan10 network=
/ip dhcp-server network
add address= dns-server= gateway=
add address= dns-server= gateway=
add address= gateway= netmask=24
/ip dns
set servers=
/ip firewall nat
add action=masquerade chain=srcnat src-address=
add action=masquerade chain=srcnat src-address= src-address-list=""
/ip route
add distance=1 gateway=
/ip service
set telnet disabled=yes
set ftp disabled=yes
set time-interval=hour
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=crs125
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=

RB2011 config

# software id = xxxx-xxxx
# model = 2011iL
# serial number = xxxxxxxxxxxx
/interface bridge
add name=bridge1
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=128 vlan-header=always-strip vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3 switch=switch1 vlan-id=3
add independent-learning=yes ports=ether2,ether4 switch=switch1 vlan-id=10
add independent-learning=yes ports=ether2,ether5 switch=switch1 vlan-id=128

Additional info

Create a static dhcp entry :  IP->DHCP Server->Leases->Make Static
add address= mac-address=00:1E:EC:xx:xx:xx server=gen-dhcp comment="laptop"

Connected device gets ip from pool
Change into static
Waiting until lease expires
D – Dynamic flag is gone, now also comments are enabled

Converting above from a dhcpd.conf file

cat dhcpd.conf | egrep "host|fixed-address|hardware" | grep -v \# | grep -A1 -B1 fixed-address |  sed -e 'N;N;s/\n/ /g' | awk '{ print $5" "$8" "$2 }' | tr -d ';' | cut -f-4 -d. | awk '{ print "add address="$1" mac-address="$2" server=gen-dhcp comment=\""$3"\"" }'

will give you:
add address= mac-address=2C:F4:32:xx:xx:xx server=gen-dhcp comment="tasmotawifiusb"
add address= mac-address=b8:27:eb:xx:xx:xx server=gen-dhcp comment="ledserver"
add address= mac-address=CC:50:E3:xx:xx:xx server=gen-dhcp comment="kliko"
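
The one-liner above depends on every host block listing fixed-address directly before hardware ethernet, one statement per line. An added example (not the author's script; `dhcpdToLeases` is a hypothetical name and the sample config uses constructed documentation addresses and MACs) that parses host blocks in any statement order, ignores commented-out hosts, skips `deny booting` stubs without a fixed address, and restricts the generated comment to hostname characters:

```javascript
// Added example, not the blog author's code. Names and sample data are constructed.
const SAMPLE_DHCPD_CONF = `
# host old.example.com {
#   hardware ethernet 02:00:00:00:00:09;
#   fixed-address 192.0.2.9;
# }
host kodi.example.com {
  hardware ethernet 02:00:00:00:00:0a;
  fixed-address 192.0.2.10;
}
host ledserver { fixed-address 192.0.2.11; hardware ethernet 02:00:00:00:00:0B; }
host movekodito4011 {
  hardware ethernet 02:00:00:00:00:0c;
  deny booting;
}
`;

// Convert dhcpd.conf host blocks into "/ip dhcp-server lease" add lines.
function dhcpdToLeases(conf, server) {
    // Drop comments first, so commented-out hosts are never migrated.
    const text = conf.replace(/#.*$/gm, "");
    const hostRe = /\bhost\s+(\S+)\s*\{([^}]*)\}/g;
    const ipRe = /fixed-address\s+(\d{1,3}(?:\.\d{1,3}){3})\s*;/;
    const macRe = /hardware\s+ethernet\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*;/i;
    const out = [];
    let m;
    while ((m = hostRe.exec(text)) !== null) {
        const ip = ipRe.exec(m[2]);
        const mac = macRe.exec(m[2]);
        // Hosts without both a valid IP and a valid MAC are skipped,
        // which covers the "deny booting" placeholders.
        if (!ip || !mac) continue;
        // Keep only hostname characters so the name cannot break out of
        // the quoted comment in the generated RouterOS command.
        const comment = m[1].replace(/[^A-Za-z0-9._-]/g, "");
        out.push(
            `add address=${ip[1]} mac-address=${mac[1].toUpperCase()} ` +
            `server=${server} comment="${comment}"`
        );
    }
    return out;
}
```

Run it with Node.js and paste the returned lines under `/ip dhcp-server lease` after checking them against the old config.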

Static DNS

/ip dns static
add address= name=brewpi.example.com

from the dhcpd.conf static entries
cat dhcpd.conf | egrep "host|fixed-address|hardware" | grep -v \# | grep -A1 -B1 fixed-address |  sed -e 'N;N;s/\n/ /g' | awk '{ print $5" "$8" "$2 }' | tr -d ';' | awk '{ print "add address="$1" name="$3 }'

from bind service
cat zonefile | grep "10.1" | awk '{ print "add address="$3" name="$1".example.com" }'


ipa dnsrecord-find example.lab | grep -B1 "A rec" | grep -v "\-\-" | sed 'N;s/\n//' | awk '{ print "add address="$6" name="$3".example.lab" }'

Faster DNS
Add 2 firewall rules
forward chain, udp 53 action fasttrack
forward chain, tcp 53 action fasttrack