Author: itdhivii

This is one of the most powerful features of centralized RADIUS authentication.

Key Concept

┌─────────────────────────────────────────────────────────────────┐
│  Different NAS devices (routers) = Different SECRETS            │
│  Same RADCHECK users = Work on ALL routers                      │
└─────────────────────────────────────────────────────────────────┘

Visual Example

                    ┌──────────────────────┐
                    │  RADIUS SERVER       │
                    │  (192.168.0.100)     │
                    │                      │
                    │  User Database:      │
                    │  ┌────────────────┐  │
                    │  │  john / Pass1  │  │
                    │  │  jane / Pass2  │  │
                    │  │  admin / Pass3 │  │
                    │  └────────────────┘  │
                    └──────────────────────┘
                             ▲
                ┌────────────┼────────────┐
                │            │            │
        Secret: "ABC123"     │    Secret: "XYZ789"
                │            │            │
    ┌───────────▼──┐    ┌───▼──────────┐ ┌────▼─────────┐
    │ Router A     │    │ Router B     │ │ Router C     │
    │ 192.168.1.1  │    │ 192.168.2.1  │ │ 192.168.3.1  │
    │ (Branch 1)   │    │ (Branch 2)   │ │ (Branch 3)   │
    └──────────────┘    └──────────────┘ └──────────────┘
         ▲                   ▲                 ▲
         │                   │                 │
    User: john          User: john        User: admin
    Pass: Pass1         Pass: Pass1       Pass: Pass3
         ✓                   ✓                 ✓
    SUCCESS!            SUCCESS!          SUCCESS!

Real-World Example

-- Setup NAS table with different secrets per location
INSERT INTO nas (nasname, shortname, type, secret, description) VALUES
('192.168.1.1', 'bangkok-office', 'mikrotik', 'Bangkok@Secret2025', 'Bangkok Branch'),
('192.168.2.1', 'chiangmai-office', 'mikrotik', 'ChiangMai@Secret2025', 'Chiang Mai Branch'),
('192.168.3.1', 'phuket-office', 'mikrotik', 'Phuket@Secret2025', 'Phuket Branch'),
('192.168.4.1', 'pattaya-office', 'mikrotik', 'Pattaya@Secret2025', 'Pattaya Branch');

-- Create ONE user that works on ALL routers
INSERT INTO radcheck (username, attribute, op, value) VALUES
('john_admin', 'Cleartext-Password', ':=', 'Admin@Pass123');

INSERT INTO radusergroup (username, groupname, priority) VALUES
('john_admin', 'admin_users', 1);

INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
('admin_users', 'Mikrotik-Rate-Limit', ':=', '50M/50M'),
('admin_users', 'Session-Timeout', ':=', '86400');

Result:

• User john_admin can login from Bangkok router (secret: Bangkok@Secret2025)
• User john_admin can login from Chiang Mai router (secret: ChiangMai@Secret2025)
• User john_admin can login from Phuket router (secret: Phuket@Secret2025)
• User john_admin can login from Pattaya router (secret: Pattaya@Secret2025)

Same username/password everywhere!

Complete Multi-Location Example

USE radius;

-- ============================================
-- STEP 1: Setup NAS devices (different secrets)
-- ============================================
DELETE FROM nas;

INSERT INTO nas (nasname, shortname, type, secret, description) VALUES
-- Head Office
('10.10.1.1', 'hq-router', 'mikrotik', 'HQ@Secure!2025', 'Head Office Router'),

-- Regional Offices
('10.20.1.1', 'region1-router', 'mikrotik', 'Region1@Secure!2025', 'Region 1 Office'),
('10.30.1.1', 'region2-router', 'mikrotik', 'Region2@Secure!2025', 'Region 2 Office'),

-- Branches
('10.40.1.1', 'branch1-router', 'mikrotik', 'Branch1@Secure!2025', 'Branch 1'),
('10.40.2.1', 'branch2-router', 'mikrotik', 'Branch2@Secure!2025', 'Branch 2'),
('10.40.3.1', 'branch3-router', 'mikrotik', 'Branch3@Secure!2025', 'Branch 3'),

-- Hotels
('172.16.1.1', 'hotel-bangkok', 'mikrotik', 'HotelBKK@2025', 'Hotel Bangkok'),
('172.16.2.1', 'hotel-phuket', 'mikrotik', 'HotelPhuket@2025', 'Hotel Phuket'),

-- Cafes
('172.17.1.1', 'cafe-central', 'mikrotik', 'CafeCentral@2025', 'Cafe Central Plaza'),
('172.17.2.1', 'cafe-airport', 'mikrotik', 'CafeAirport@2025', 'Cafe Airport');

-- ============================================
-- STEP 2: Create user groups
-- ============================================
DELETE FROM radgroupreply WHERE groupname IN ('company_admin', 'company_staff', 'hotel_guest', 'cafe_customer');
DELETE FROM radgroupcheck WHERE groupname IN ('company_admin', 'company_staff', 'hotel_guest', 'cafe_customer');

-- Admin users (work everywhere)
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
('company_admin', 'Mikrotik-Rate-Limit', ':=', '100M/100M'),
('company_admin', 'Session-Timeout', ':=', '86400'),
('company_admin', 'Acct-Interim-Interval', ':=', '300');

INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
('company_admin', 'Simultaneous-Use', ':=', '10');

-- Staff users (work at all company locations)
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
('company_staff', 'Mikrotik-Rate-Limit', ':=', '20M/20M'),
('company_staff', 'Session-Timeout', ':=', '28800'),
('company_staff', 'Idle-Timeout', ':=', '3600');

INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
('company_staff', 'Simultaneous-Use', ':=', '3'),
('company_staff', 'Login-Time', ':=', 'Al0700-2000');

-- Hotel guests (work at all hotels)
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
('hotel_guest', 'Mikrotik-Rate-Limit', ':=', '5M/5M'),
('hotel_guest', 'Session-Timeout', ':=', '86400'),
('hotel_guest', 'Idle-Timeout', ':=', '1800'),
('hotel_guest', 'Mikrotik-Recv-Limit', ':=', '3221225472'),  -- 3GB
('hotel_guest', 'Mikrotik-Xmit-Limit', ':=', '3221225472');

INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
('hotel_guest', 'Simultaneous-Use', ':=', '3');

-- Cafe customers (work at all cafes)
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
('cafe_customer', 'Mikrotik-Rate-Limit', ':=', '10M/10M'),
('cafe_customer', 'Session-Timeout', ':=', '14400'),  -- 4 hours
('cafe_customer', 'Idle-Timeout', ':=', '1800'),
('cafe_customer', 'Mikrotik-Recv-Limit', ':=', '2147483648'),  -- 2GB
('cafe_customer', 'Mikrotik-Xmit-Limit', ':=', '2147483648');

INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
('cafe_customer', 'Simultaneous-Use', ':=', '2');

-- ============================================
-- STEP 3: Create users (work on ALL locations)
-- ============================================
DELETE FROM radcheck WHERE username IN ('ceo', 'manager_john', 'staff_alice', 'staff_bob', 'room101', 'room201', 'cafe_daily001');
DELETE FROM radusergroup WHERE username IN ('ceo', 'manager_john', 'staff_alice', 'staff_bob', 'room101', 'room201', 'cafe_daily001');

-- Company Admin (can use ANY company router)
INSERT INTO radcheck (username, attribute, op, value) VALUES
('ceo', 'Cleartext-Password', ':=', 'CEO@Secure2025!');

INSERT INTO radusergroup (username, groupname, priority) VALUES
('ceo', 'company_admin', 1);

-- Company Manager (can use ANY company router)
INSERT INTO radcheck (username, attribute, op, value) VALUES
('manager_john', 'Cleartext-Password', ':=', 'Manager@John2025');

INSERT INTO radusergroup (username, groupname, priority) VALUES
('manager_john', 'company_admin', 1);

-- Company Staff (can use ANY company router)
INSERT INTO radcheck (username, attribute, op, value) VALUES
('staff_alice', 'Cleartext-Password', ':=', 'Staff@Alice2025'),
('staff_bob', 'Cleartext-Password', ':=', 'Staff@Bob2025');

INSERT INTO radusergroup (username, groupname, priority) VALUES
('staff_alice', 'company_staff', 1),
('staff_bob', 'company_staff', 1);

-- Hotel Guest (can use ANY hotel router)
INSERT INTO radcheck (username, attribute, op, value) VALUES
('room101', 'Cleartext-Password', ':=', 'Room-101-WiFi'),
('room201', 'Cleartext-Password', ':=', 'Room-201-WiFi');

INSERT INTO radusergroup (username, groupname, priority) VALUES
('room101', 'hotel_guest', 1),
('room201', 'hotel_guest', 1);

-- Cafe Customer (can use ANY cafe router)
INSERT INTO radcheck (username, attribute, op, value) VALUES
('cafe_daily001', 'Cleartext-Password', ':=', 'Cafe@Daily001');

INSERT INTO radusergroup (username, groupname, priority) VALUES
('cafe_daily001', 'cafe_customer', 1);

-- ============================================
-- VERIFICATION
-- ============================================
SELECT '=== NAS DEVICES ===' as info;
SELECT nasname, shortname, LEFT(secret, 10) as secret_preview, description FROM nas;

SELECT '' as '';
SELECT '=== USERS ===' as info;
SELECT c.username, LEFT(c.value, 10) as pass_preview, g.groupname 
FROM radcheck c 
LEFT JOIN radusergroup g ON c.username = g.username 
WHERE c.attribute = 'Cleartext-Password'
ORDER BY g.groupname, c.username;

Testing Script

#!/bin/bash
# test_multi_location.sh

echo "=== Testing Multi-Location RADIUS Setup ==="
echo ""

# Test company admin on different routers
echo "1. Testing CEO on HQ Router:"
radtest ceo 'CEO@Secure2025!' localhost 0 'HQ@Secure!2025' | grep -E "Access-Accept|Access-Reject"

echo ""
echo "2. Testing CEO on Region 1 Router (different secret):"
radtest ceo 'CEO@Secure2025!' localhost 0 'Region1@Secure!2025' | grep -E "Access-Accept|Access-Reject"

echo ""
echo "3. Testing Staff on Branch 1:"
radtest staff_alice 'Staff@Alice2025' localhost 0 'Branch1@Secure!2025' | grep -E "Access-Accept|Access-Reject"

echo ""
echo "4. Testing Staff on Branch 2 (different secret):"
radtest staff_alice 'Staff@Alice2025' localhost 0 'Branch2@Secure!2025' | grep -E "Access-Accept|Access-Reject"

echo ""
echo "5. Testing Hotel Guest on Bangkok Hotel:"
radtest room101 'Room-101-WiFi' localhost 0 'HotelBKK@2025' | grep -E "Access-Accept|Access-Reject"

echo ""
echo "6. Testing Hotel Guest on Phuket Hotel (different secret):"
radtest room101 'Room-101-WiFi' localhost 0 'HotelPhuket@2025' | grep -E "Access-Accept|Access-Reject"

echo ""
echo "7. Testing Cafe Customer on Central Cafe:"
radtest cafe_daily001 'Cafe@Daily001' localhost 0 'CafeCentral@2025' | grep -E "Access-Accept|Access-Reject"

echo ""
echo "8. Testing Cafe Customer on Airport Cafe (different secret):"
radtest cafe_daily001 'Cafe@Daily001' localhost 0 'CafeAirport@2025' | grep -E "Access-Accept|Access-Reject"

echo ""
echo "=== All Tests Complete ==="

Benefits of This Architecture

✅ Centralized User Management

• Add user ONCE → Works everywhere
• Change password ONCE → Updated everywhere
• Disable user ONCE → Blocked everywhere

✅ Security Per Location

• Each location has unique secret
• If one secret is compromised, others are safe
• Can revoke access per location by removing NAS entry

✅ Flexibility

• Roaming users (staff travel between branches)
• Same credentials everywhere
• Easy to add new locations

✅ Simplified Management

-- Add new location (just add NAS)
INSERT INTO nas (nasname, shortname, type, secret, description) VALUES
('10.50.1.1', 'new-branch', 'mikrotik', 'NewBranch@2025', 'New Branch Office');

-- All existing users automatically work there!

Location-Specific Users (If Needed)

Sometimes you want users that ONLY work at specific locations:

-- Create location-specific user
INSERT INTO radcheck (username, attribute, op, value) VALUES
('guest_bangkok_only', 'Cleartext-Password', ':=', 'Bangkok@Guest'),
('guest_bangkok_only', 'NAS-IP-Address', '==', '172.16.1.1');  -- Only this NAS

-- This user can ONLY login from Bangkok hotel (172.16.1.1)

Query to See Where User Can Login

-- See which routers a user can access
SELECT 
    c.username,
    'ALL LOCATIONS' as access,
    GROUP_CONCAT(n.shortname SEPARATOR ', ') as available_routers
FROM radcheck c
CROSS JOIN nas n
WHERE c.username = 'staff_alice'
  AND c.attribute = 'Cleartext-Password'
GROUP BY c.username;

Summary

Component	Uniqueness	Shared?
NAS Secret	Different per router	❌ NO (unique)
User Credentials	Same everywhere	✅ YES (shared)
User Groups	Same everywhere	✅ YES (shared)
Group Attributes	Same everywhere	✅ YES (shared)

The Power:

10 Routers × 1000 Users = Only 1000 user accounts to manage!
(Not 10,000 separate accounts)

This is centralized authentication at its best! 🎉

Does this clarify the relationship? Any other questions about how the tables work together?

To completely remove the UniFi Controller and all related services from your UniFi Cloud Key Gen2 Plus (which is running Debian 11 underneath), and leave it as a clean Debian 11 system, follow these step-by-step instructions carefully. ⚠️ This process is advanced and may void your Ubiquiti warranty. Also, data will be lost, so make backups if needed.

---

⚠️ WARNING: Are you sure?

The UniFi Cloud Key Gen2 Plus is not a general-purpose Debian server. It is an embedded appliance made to run UniFi software. While it uses Debian 11 underneath, removing UniFi services and using it like a regular Debian box may break features like:

• OLED screen display
• Cooling/fan management
• Cloud management
• Automatic updates
• HDD usage in Protect

If you’re sure you want to turn it into a plain Debian 11 device:

---

🧼 Steps to Remove UniFi Software from Cloud Key Gen2+

1. Access the System

SSH into your Cloud Key Gen2 Plus:

ssh root@<cloud-key-ip>

---

2. Stop All UniFi Services

systemctl stop unifi
systemctl stop unifi-core
systemctl stop mongodb

---

3. Uninstall UniFi Controller

apt remove --purge unifi unifi-core unifi-video -y

Also uninstall MongoDB (UniFi requires it):

apt remove --purge mongodb-org* -y

---

4. Remove Leftover Files

rm -rf /usr/lib/unifi
rm -rf /usr/lib/unifi-core
rm -rf /var/lib/unifi
rm -rf /var/lib/mongodb
rm -rf /etc/init.d/unifi
rm -rf /etc/unifi
rm -rf /etc/systemd/system/unifi*

---

5. Autoclean and Autoremove Unused Packages

apt autoremove --purge -y
apt clean

---

6. Check Services

systemctl list-units --type=service | grep unifi

Make sure nothing related to UniFi or MongoDB is running.

---

7. Optional: Clean OLED Display

The front panel OLED might still try to show UniFi status. You can disable its daemon:

systemctl stop cloudkey-oled
systemctl disable cloudkey-oled

Or completely remove it:

apt remove --purge cloudkey-oled -y

---

✅ Now you have a clean Debian 11 system

You can now install other apps like:

• VitalPBX
• Docker
• Apache/Nginx
• Any other Debian-compatible software

---

❓ Do You Want to Reclaim HDD Storage?

If you want to use the internal hard drive (for Protect) for general storage:

1. Check partitions: lsblk
2. Identify the Protect partition (usually /dev/sda), then unmount and reformat: umount /dev/sda1 mkfs.ext4 /dev/sda1 mkdir /mnt/data mount /dev/sda1 /mnt/data

To auto-mount on reboot, add to /etc/fstab:

/dev/sda1  /mnt/data  ext4  defaults  0  2

---

If you’d like help installing something else (e.g., VitalPBX), let me know and I can guide you step-by-step.

Thanks for sharing the df -h output. Here’s a quick breakdown of what it shows and what it means in the context of cleaning UniFi from your UniFi Cloud Key Gen2 Plus (UCK-G2-Plus):

---

🧠 Understanding Your System Layout:

Mount Point	Device	Use
/	overlayfs-root	Your main writable system, overlay over RO FS
/mnt/.rwfs	/dev/mmcblk0p46	Read-write lower layer for overlayfs
/mnt/.rofs	/dev/disk/by-partlabel/rootfs	Read-only root image
/persistent	/dev/mmcblk0p45	Holds settings and persistent system config
/data	/dev/mmcblk0p47	Data partition (used by UniFi Controller)
/volume1	/dev/md3	Internal HDD, used by UniFi Protect for video

---

⚠️ Important Things to Know Before Removing UniFi:

• The root filesystem is read-only (/mnt/.rofs) with an overlayfs writable layer. This means:
  • You cannot directly modify the base OS unless you remove/modify overlay configuration.
  • This is intentional by Ubiquiti to prevent corruption during updates.
• /data and /volume1 are the main areas used by the UniFi Controller and UniFi Protect.
• UniFi software is installed in /usr/lib/unifi, configs in /etc/unifi, and data in /data.

---

✅ What You Can Safely Do:

1. Clear UniFi Data and Configuration

systemctl stop unifi
systemctl stop mongodb
rm -rf /usr/lib/unifi
rm -rf /etc/unifi
rm -rf /data/unifi
rm -rf /persistent/system.cfg
rm -rf /etc/init.d/unifi

Also clear MongoDB and other UniFi apps:

apt remove --purge unifi mongodb-org* -y

---

2. Optional: Reclaim /volume1 HDD Space (used by UniFi Protect)

If you’re not using UniFi Protect anymore, and want the 900GB+ HDD for your own use:

umount /volume1
mkfs.ext4 /dev/md3
mkdir /mnt/hdd
mount /dev/md3 /mnt/hdd

To mount it automatically:

echo "/dev/md3 /mnt/hdd ext4 defaults 0 2" >> /etc/fstab

---

3. Disable UniFi Boot Behavior

To prevent the system from booting into UniFi environment again:

systemctl disable unifi
systemctl disable cloudkey-oled
systemctl disable unifi-core

---

❗ Optional: Remove Ubiquiti Overlay + Convert to True Debian 11

⚠️ This is risky and only for advanced users.

If you want a fully clean Debian 11 system without Ubiquiti overlays:

1. Backup everything.
2. Boot from another OS (via USB or PXE).
3. Wipe /dev/mmcblk0 partitions.
4. Install clean Debian 11 (ARM64) using debootstrap or another method.

---

🔚 Summary

You can remove UniFi apps and reclaim the storage, but because UCK-G2-Plus is built with a read-only root + overlay, it’s not meant to be a regular Debian box. If you want to repurpose it long-term, it’s better to wipe and install a custom Debian image — but that’s risky and not officially supported.

---

Would you like a full script to clean everything up? Or are you planning to install another service like VitalPBX, Docker, or Nextcloud on this box?

To remove Nginx from your UniFi Cloud Key Gen2 Plus (or any Debian 11 system), follow these steps via SSH as root:

---

✅ Step-by-Step: Remove Nginx on Debian 11

1. Stop the Nginx Service

systemctl stop nginx

---

2. Disable Nginx on Boot

systemctl disable nginx

---

3. Uninstall Nginx Packages

To completely remove Nginx and its dependencies:

apt remove --purge nginx nginx-common nginx-full -y

If you’re unsure which variant is installed (e.g., nginx-light, nginx-core), run:

dpkg -l | grep nginx

Then remove any remaining variants, for example:

apt remove --purge nginx-light nginx-core -y

---

4. Remove Configuration and Leftover Files

rm -rf /etc/nginx
rm -rf /var/www/html
rm -rf /var/log/nginx

---

5. Clean Up Unused Packages

apt autoremove --purge -y
apt clean

---

✅ Verify It’s Gone

Check that nothing is listening on port 80 or 443:

ss -tuln | grep ':80\|:443'

If no output appears, Nginx has been successfully removed.

---

Let me know if you want to replace Nginx with something else (like Apache, Caddy, or a reverse proxy like Traefik).

Thanks! Based on your df -h output, you’ve done a great job so far — Nginx is likely removed, and it looks like:

• You’ve mounted your HDD at /mnt/hdd (formerly used by UniFi Protect).
• Your system root (/) is still an overlay filesystem, backed by:
  • /mnt/.rofs (read-only base OS image – full)
  • /mnt/.rwfs (read-write overlay)

Now, if your goal is to:

1. Completely remove all UniFi software ✅
2. Free space or reclaim partitions ✅ (seems done)
3. Turn Cloud Key Gen2 Plus into a general-purpose Debian system 🔄 (currently not fully done)

Then the next decision is:

---

❓What Do You Want to Do Next?

Here are your options, based on your current state:

---

✅ If you just want to keep using it as a Debian system (with existing overlay):

You’re already done, but note:

• The root filesystem (/) will always be limited by the 5.9 GB /mnt/.rwfs.
• You can use /mnt/hdd (900 GB+) for apps, logs, Docker, databases, etc.

🟢 Tip: If you install anything big (e.g., databases), install them to /mnt/hdd and symlink or configure paths to store data there.

Example:

mkdir /mnt/hdd/myapps
ln -s /mnt/hdd/myapps /opt/myapps

---

🔥 If you want to completely erase Ubiquiti’s OS and turn this into a normal Debian 11 system:

⚠️ WARNING: Risky, advanced, and may brick your Cloud Key if something goes wrong.

Steps (overview):

1. Boot into Debian via USB or UART (requires hardware access).
2. Use debootstrap or similar to install a clean ARM64 Debian system on /dev/mmcblk0.
3. Replace Ubiquiti’s bootloader and partitions (dangerous).
4. Manually configure kernel/initramfs/network.

Let me know if you’re seriously interested in this path and I’ll guide you step-by-step — but again: not officially supported by Ubiquiti.

---

💡 Summary

Goal	Status	Notes
UniFi & Nginx removed	✅ Done	System clean
HDD reclaimed and usable	✅ Done	Mounted at /mnt/hdd
Still running Ubiquiti OS overlay	⚠️ Yes	5.9 GB limit for root
Full Debian system (no overlay)	❌ Not yet	Requires manual install

---

Let me know what you’d like to do next:

• Keep it like this and install new software?
• Mount external storage for apps?
• Wipe everything and install clean Debian?

I’m happy to guide any of those paths.

Yes, you can absolutely install Nginx and MySQL (or MariaDB) on your UniFi Cloud Key Gen2 Plus Debian-based system, and you can store large data like MySQL databases on the internal 900 GB HDD (/mnt/hdd). You just need to manage where things are stored, because:

• The system root (/) is limited to 5.9 GB (/mnt/.rwfs).
• The HDD (/mnt/hdd, 900 GB) is available for large files, apps, and databases.

---

✅ Summary of What You Can Do

Task	Possible?	Notes
Install Nginx	✅ Yes	Lightweight, fits in /
Install MySQL/MariaDB	✅ Yes	But configure data dir to use /mnt/hdd
Store website files	✅ Yes	Store under /mnt/hdd/www and point Nginx there
Store large DB data	✅ Yes	Set MySQL to use /mnt/hdd/mysql

---

✅ How to Do It Properly (Step-by-Step)

🔧 1. Install Nginx and MySQL (or MariaDB)

apt update
apt install nginx mariadb-server -y

✅ Installs to /usr, which is inside your limited / — but they’re small enough.

---

🗂️ 2. Prepare HDD for Storage

Assuming your HDD is already mounted at /mnt/hdd:

mkdir -p /mnt/hdd/mysql
mkdir -p /mnt/hdd/www
chown -R mysql:mysql /mnt/hdd/mysql

---

⚙️ 3. Move MySQL Data Directory to HDD

🔸 Stop MySQL

systemctl stop mariadb

🔸 Copy Existing Data

cp -av /var/lib/mysql/* /mnt/hdd/mysql/

🔸 Backup & Replace Old Folder

mv /var/lib/mysql /var/lib/mysql.bak
ln -s /mnt/hdd/mysql /var/lib/mysql

🔸 Fix Permissions Again

chown -R mysql:mysql /mnt/hdd/mysql

---

🔁 4. Start MySQL and Verify

systemctl start mariadb

If no error:

mysql -u root

✅ Your MySQL now uses the HDD!

---

🌐 5. Configure Nginx to Use /mnt/hdd/www

1. Set up site directory:

mkdir -p /mnt/hdd/www/myapp

2. Edit or create Nginx config:

nano /etc/nginx/sites-available/myapp

server {
    listen 80;
    server_name localhost;

    root /mnt/hdd/www/myapp;
    index index.html index.php;

    location / {
        try_files $uri $uri/ =404;
    }
}

3. Enable the site:

ln -s /etc/nginx/sites-available/myapp /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx

---

✅ Result

You now have:

• Nginx installed ✅
• MySQL installed and using HDD ✅
• Plenty of space for web files and databases ✅

---

🧠 Pro Tips

• Monitor root space with df -h often — keep / under 80%.
• Log files can fill up space; configure MySQL/Nginx logs to write to /mnt/hdd/logs if needed.
• You can install PHP (apt install php-fpm) to support dynamic sites.

---

Let me know if you want a full script or want to run apps like WordPress, Laravel, or VitalPBX on this system.

Thanks for the update. The 404 Not Found error from Nginx means:

✅ Nginx is running and serving the domain/path,
❌ But it can’t find the file or directory it was told to serve.

---

✅ Let’s Fix It Step-by-Step

We’ll verify:

1. Your folder exists at the correct path.
2. Your Nginx config is correct.
3. File permissions are okay.
4. The site is enabled and reloaded.

---

🔍 Step 1: Check the Folder and Test File

Let’s make sure /mnt/hdd/www/myapp/index.html exists:

mkdir -p /mnt/hdd/www/myapp
echo "<h1>It works!</h1>" > /mnt/hdd/www/myapp/index.html

---

🔧 Step 2: Confirm Nginx Config

Open your Nginx config:

nano /etc/nginx/sites-available/myapp

Make sure it looks like this:

server {
    listen 80;
    server_name _;

    root /mnt/hdd/www/myapp;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

Save and exit.

---

🔗 Step 3: Enable the Site

If not yet enabled:

ln -sf /etc/nginx/sites-available/myapp /etc/nginx/sites-enabled/myapp

(Optional: remove default site)

rm /etc/nginx/sites-enabled/default

---

🔄 Step 4: Reload Nginx

nginx -t && systemctl reload nginx

---

✅ Step 5: Test Again

Go to:

http://<your-ip>/

Or:

http://<your-ip>/index.html

You should see:

It works!

---

🧠 Extra: Permissions

Ensure Nginx can read the files:

chown -R www-data:www-data /mnt/hdd/www
chmod -R 755 /mnt/hdd/www

---

Let me know if you’re serving PHP, WordPress, or Laravel — the config will need php-fpm settings too.

To install PHP on your Debian-based UniFi Cloud Key Gen2 Plus system and use it with Nginx, follow these steps:

---

✅ Step-by-Step: Install PHP (with PHP-FPM) for Nginx

⚠️ Nginx does not use mod_php like Apache. It uses PHP-FPM to process PHP scripts.

---

🔧 1. Install PHP and PHP-FPM

apt update
apt install php php-fpm -y

Optionally install common modules:

apt install php-mysql php-cli php-curl php-mbstring php-xml php-zip php-gd -y

---

🔍 2. Verify PHP-FPM Is Running

systemctl status php*-fpm

You should see something like:

Active: active (running)

---

🧪 3. Create a PHP Test Page

echo "<?php phpinfo(); ?>" > /mnt/hdd/www/myapp/info.php

---

⚙️ 4. Edit Your Nginx Config to Support PHP

Edit your site’s config:

nano /etc/nginx/sites-available/myapp

Update it to include PHP handling:

server {
    listen 80;
    server_name _;

    root /mnt/hdd/www/myapp;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;  # ← Adjust version if needed
    }

    location ~ /\.ht {
        deny all;
    }
}

📝 If you installed a different PHP version, check the socket with:

ls /run/php/

Examples:

• PHP 7.4 → /run/php/php7.4-fpm.sock
• PHP 8.1 → /run/php/php8.1-fpm.sock

Change the fastcgi_pass line to match your version.

---

🔄 5. Restart Nginx

nginx -t && systemctl reload nginx

---

✅ 6. Test It

Visit:

http://<your-ip>/info.php

You should see the PHP Info page.

---

🧹 7. (Optional) Delete the Test File After Testing

rm /mnt/hdd/www/myapp/info.php

---

🧠 Ready for WordPress, Laravel, etc.

You’re now fully ready to:

• Host PHP sites
• Use MySQL (or MariaDB)
• Store large data on /mnt/hdd

Let me know if you want help setting up WordPress or Laravel next!

As of July 2025, PHP 8.4 is still in pre-release / alpha/beta.
If you want PHP 8.3 (latest stable) or a newer version (like 8.4 for testing), you’ll need to add an external repo, because Debian 11 defaults to PHP 7.4.

---

⚠️ Summary

Version	Status	Available via
PHP 7.4	✅ Default	Debian 11 repo
PHP 8.3	✅ Stable	Sury PPA
PHP 8.4	⚠️ Pre-release	Sury testing repo (only for dev use)

---

✅ Recommended: Install PHP 8.3 via Sury (Stable)

🔧 1. Remove PHP 7.4

apt remove --purge 'php7.4*' -y
apt autoremove --purge -y

---

🧱 2. Add SURY PHP Repo (Official for Debian)

apt install apt-transport-https lsb-release ca-certificates curl gnupg -y
curl -fsSL https://packages.sury.org/php/apt.gpg | gpg --dearmor -o /etc/apt/trusted.gpg.d/php.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
apt update

---

📦 3. Install PHP 8.3 and FPM

apt install php8.3 php8.3-fpm php8.3-cli php8.3-common php8.3-mysql php8.3-curl php8.3-xml php8.3-mbstring php8.3-zip php8.3-gd -y

---

🔍 4. Verify Installed Version

php -v

Should output something like:

PHP 8.3.x (cli)

---

⚙️ 5. Update Nginx Config

Edit Nginx to point to the new PHP-FPM socket:

nano /etc/nginx/sites-available/myapp

Update this line:

fastcgi_pass unix:/run/php/php8.3-fpm.sock;

Then reload:

nginx -t && systemctl reload nginx

---

🔄 Optional: Use PHP 8.4 (Pre-release)

Only if you’re a developer/testing:

apt install php8.4 php8.4-fpm php8.4-cli ...

And update Nginx to:

fastcgi_pass unix:/run/php/php8.4-fpm.sock;

❗PHP 8.4 is not stable yet. Not recommended for production.

---

✅ Done!

You now have:

• ❌ Removed PHP 7.4
• ✅ Installed PHP 8.3 (or 8.4)
• ✅ Nginx configured properly
• ✅ Using your HDD for web hosting

Let me know if you want to set up Laravel, WordPress, or run multiple PHP versions side-by-side!

MQ4 Expert Advisor (EA) for the gold trading system described requires coding the rules in MetaEditor (MQL4). Below is a step-by-step breakdown of how to build the EA, including key logic, entry/exit conditions, and risk management.

---

Step 1: Define EA Parameters (Input Variables)

These are adjustable in the MT4 settings:

// Input parameters
input double LotSize = 0.1;          // Fixed lot size
input int StopLoss = 30;            // SL in pips
input int TakeProfit = 60;          // TP in pips (1:2 risk ratio)
input int EMA_Fast_Period = 9;      // Fast EMA
input int EMA_Medium_Period = 21;   // Medium EMA
input int EMA_Slow_Period = 50;     // Slow EMA (trend filter)
input int MinCandleSize = 10;       // Min candle size (pips) to avoid noise
input bool UseCandlePatterns = true;// Enable candlestick patterns
input string TradeSession = "08:00-17:00"; // London/NY session

---

Step 2: Trend Filter (EMA Alignment)

Check if EMAs are aligned for uptrend (buy) or downtrend (sell):

bool IsUptrend() {
   double emaFast = iMA(NULL, 0, EMA_Fast_Period, 0, MODE_EMA, PRICE_CLOSE, 1);
   double emaMedium = iMA(NULL, 0, EMA_Medium_Period, 0, MODE_EMA, PRICE_CLOSE, 1);
   double emaSlow = iMA(NULL, 0, EMA_Slow_Period, 0, MODE_EMA, PRICE_CLOSE, 1);
   return (emaFast > emaMedium && emaMedium > emaSlow && Close[1] > emaSlow);
}

bool IsDowntrend() {
   double emaFast = iMA(NULL, 0, EMA_Fast_Period, 0, MODE_EMA, PRICE_CLOSE, 1);
   double emaMedium = iMA(NULL, 0, EMA_Medium_Period, 0, MODE_EMA, PRICE_CLOSE, 1);
   double emaSlow = iMA(NULL, 0, EMA_Slow_Period, 0, MODE_EMA, PRICE_CLOSE, 1);
   return (emaFast < emaMedium && emaMedium < emaSlow && Close[1] < emaSlow);
}

---

Step 3: Candlestick Pattern Detection

Detect bullish/bearish reversal patterns (e.g., engulfing, pin bars):

bool IsBullishEngulfing() {
   if (Close[1] > Open[1] && Open[2] > Close[2] && Close[1] > Open[2] && Open[1] < Close[2]) 
      return true;
   return false;
}

bool IsBearishEngulfing() {
   if (Close[1] < Open[1] && Open[2] < Close[2] && Close[1] < Open[2] && Open[1] > Close[2]) 
      return true;
   return false;
}

---

Step 4: Entry Logic

Combine trend + pullback + candlestick signal:

void CheckEntries() {
   // Check if in trading session (optional)
   if (!IsTradingSession()) return;

   // Long entry (Buy)
   if (IsUptrend() && IsPullbackToEMA21() && (IsBullishEngulfing() || !UseCandlePatterns)) {
      double sl = Bid - StopLoss * Point;
      double tp = Bid + TakeProfit * Point;
      OrderSend(Symbol(), OP_BUY, LotSize, Ask, 3, sl, tp, "Gold EA Buy", 0, 0, Green);
   }

   // Short entry (Sell)
   if (IsDowntrend() && IsPullbackToEMA21() && (IsBearishEngulfing() || !UseCandlePatterns)) {
      double sl = Ask + StopLoss * Point;
      double tp = Ask - TakeProfit * Point;
      OrderSend(Symbol(), OP_SELL, LotSize, Bid, 3, sl, tp, "Gold EA Sell", 0, 0, Red);
   }
}

---

Step 5: Exit Logic

Close trades when TP/SL is hit or trend reverses:

void CheckExits() {
   for (int i = OrdersTotal() - 1; i >= 0; i--) {
      if (OrderSelect(i, SELECT_BY_POS, MODE_TRADES)) {
         // Close if trend reverses
         if ((OrderType() == OP_BUY && IsDowntrend()) || (OrderType() == OP_SELL && IsUptrend())) {
            OrderClose(OrderTicket(), OrderLots(), OrderType() == OP_BUY ? Bid : Ask, 3, Red);
         }
      }
   }
}

---

Step 6: Full EA Structure

int OnInit() { return INIT_SUCCEEDED; }

void OnTick() {
   CheckExits();  // Close trades if needed
   CheckEntries(); // Open new trades
}

---

How to Use the EA

1. Copy the code into MetaEditor (File → New → Expert Advisor).
2. Compile (F7) and attach to an MT4 chart (XAU/USD M15/H1).
3. Adjust parameters (e.g., lot size, SL/TP, EMAs).
4. Backtest in Strategy Tester (Ctrl+R) to verify the 70%+ win rate.

---

Optimization Tips

• Test different EMA periods (e.g., 5-9-21 vs. 9-21-50).
• Adjust TP/SL ratios (e.g., 1:1.5 vs. 1:2).
• Add trailing stops to maximize profits.

Would you like me to add additional features (e.g., news filter, trailing stop)? Let me know! 🚀

The error message:

Could not create directory.: /var/www/mikrotikscript.com/public_html/wp-content/upgrade
Installation failed.

means WordPress cannot write to the wp-content/upgrade directory due to file permission or ownership issues.

---

✅ Fix It in 3 Simple Steps:

---

1. Ensure Correct Ownership

Make sure the web server user (typically www-data for Nginx/Apache on Ubuntu/Debian) owns all WordPress files:

sudo chown -R www-data:www-data /var/www/mikrotikscript.com/public_html

Use apache:apache on CentOS/RHEL if you’re using Apache.

---

2. Set Correct Permissions

Ensure folders and files have proper permissions:

# Directories: 755
sudo find /var/www/mikrotikscript.com/public_html -type d -exec chmod 755 {} \;

# Files: 644
sudo find /var/www/mikrotikscript.com/public_html -type f -exec chmod 644 {} \;

---

3. Ensure WordPress Uses Direct File Access

Add this to wp-config.php, above the /* That's all, stop editing! */ line:

define('FS_METHOD', 'direct');

---

🧪 Optional: Create the upgrade Directory Manually

Sometimes the upgrade folder doesn’t exist. Create it manually:

mkdir -p /var/www/mikrotikscript.com/public_html/wp-content/upgrade
chown www-data:www-data /var/www/mikrotikscript.com/public_html/wp-content/upgrade
chmod 755 /var/www/mikrotikscript.com/public_html/wp-content/upgrade

---

🔁 Then Try Again

Now go back to WordPress Dashboard → Updates and try updating again.

---

การตั้งค่า MikroTik เบื้องต้น

เหมาะสำหรับผู้เริ่มต้นใช้งาน RouterOS เพื่อตั้งค่าเร้าเตอร์ MikroTik ให้ทำงานพื้นฐาน เช่น เชื่อมต่ออินเทอร์เน็ต, ตั้งค่า LAN, DHCP, Firewall และ NAT

---

ขั้นตอนการตั้งค่าเบื้องต้น

1. เข้าสู่ระบบ (Login)

• เชื่อมต่อสาย Ethernet จากคอมพิวเตอร์ไปยัง Port ether1 (หรือใช้ WiFi หากรองรับ)
• เปิดเบราว์เซอร์แล้วเข้า http://192.168.88.1 (หรือใช้ Winbox ดาวน์โหลดได้จาก MikroTik)
• เข้าสู่ระบบด้วย:

  Username: admin
  Password: (เว้นว่างไว้หรือลอง admin)

---

2. ตั้งค่าภาษาภายใน (LAN)

2.1 กำหนด IP ให้ LAN

/ip address add address=192.168.1.1/24 interface=bridge-lan

• 192.168.1.1 = IP เร้าเตอร์
• /24 = Subnet Mask (255.255.255.0)
• bridge-lan = Interface ของ LAN (สร้าง Bridge ก่อนถ้าจำเป็น)

2.2 สร้าง Bridge (ถ้ามีหลายพอร์ต LAN)

/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3

---

3. ตั้งค่า DHCP Server

3.1 สร้าง IP Pool (ช่วง IP ที่จะแจก)

/ip pool add name=dhcp-pool ranges=192.168.1.100-192.168.1.200

3.2 ตั้งค่า DHCP Server

/ip dhcp-server add interface=bridge-lan address-pool=dhcp-pool disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=8.8.8.8,1.1.1.1

• gateway=192.168.1.1 = กำหนดให้ใช้เร้าเตอร์เป็น Gateway
• dns-server=8.8.8.8,1.1.1.1 = DNS ของ Google และ Cloudflare

---

4. ตั้งค่าอินเทอร์เน็ต (WAN)

4.1 สำหรับ PPPoE (เช่น TOT, AIS Fiber)

/interface pppoe-client add name=pppoe-out interface=ether1 user=username password=password

• ether1 = พอร์ต WAN (ต่อสายจาก ONT/โมเด็ม)
• user และ password = ข้อมูลที่ ISP ให้มา

4.2 สำหรับ Dynamic IP (เช่น True, 3BB)

/ip dhcp-client add interface=ether1

---

5. ตั้งค่า NAT (ให้เครือข่าย LAN ออกอินเทอร์เน็ตได้)

/ip firewall nat add chain=srcnat out-interface=pppoe-out action=masquerade

• pppoe-out = ชื่ออินเทอร์เฟส WAN (เปลี่ยนเป็น ether1 ถ้าใช้ Dynamic IP)

---

6. ตั้งค่า Firewall พื้นฐาน

6.1 ป้องกันการเข้าถึงจากภายนอก

/ip firewall filter add chain=input action=drop connection-state=invalid
/ip firewall filter add chain=input action=accept connection-state=established,related
/ip firewall filter add chain=input action=drop in-interface=pppoe-out protocol=tcp dst-port=23,8291

• ปิด Telnet (port 23) และ Winbox (port 8291) จากอินเทอร์เน็ต

6.2 อนุญาต Traffic จาก LAN ไปอินเทอร์เน็ต

/ip firewall filter add chain=forward action=accept src-address=192.168.1.0/24

---

7. บันทึกการตั้งค่า

/system backup save name=initial-config

เพื่อป้องกันการสูญเสียการตั้งค่าเมื่อรีเซ็ต

---

สรุปการตั้งค่าเบื้องต้น

การตั้งค่า	คำสั่ง/ค่าที่ใช้
IP LAN	192.168.1.1/24
DHCP Pool	192.168.1.100-192.168.1.200
PPPoE	/interface pppoe-client add...
NAT	chain=srcnat action=masquerade
Firewall	drop invalid, allow LAN traffic

⚠️ หมายเหตุ:

• เปลี่ยน ether1, pppoe-out, และช่วง IP ตามการใช้งานจริง
• ใช้ Winbox หรือ WebFig สำหรับการตั้งค่าที่ง่ายกว่า

หากต้องการตั้งค่าเพิ่มเติม เช่น Load Balancing, VPN, QoS สามารถสอบถามได้! 🚀ที่ 099-3988-999

สรุปเปรียบเทียบ WiFi 7 (802.11be) vs. WiFi 6 (802.11ax)

จุดเด่นของ WiFi 7 ที่เหนือกว่า WiFi 6

คุณสมบัติ	WiFi 6 (802.11ax)	WiFi 7 (802.11be)	ผลลัพธ์ที่ได้
ความเร็วสูงสุด	สูงสุด ~9.6 Gbps	สูงสุด ~46 Gbps (理論値)	เร็วขึ้น ~4.8 เท่า
ช่องสัญญาณ (Channel Width)	สูงสุด 160 MHz	320 MHz (ใช้คลื่น 6 GHz เต็มพิกัด)	เพิ่มแบนด์วิธ 2 เท่า
Modulation (QAM)	1024-QAM	4096-QAM	ส่งข้อมูลได้มากขึ้นต่อสัญญาณ
Multi-Link Operation (MLO)	ไม่มี	รวมหลายช่องสัญญาณ (2.4/5/6 GHz) พร้อมกัน	ลด Latency, รับส่งข้อมูลเสถียร
Multi-RU (Resource Units)	กำหนด RU แบบตายตัว	แบ่งสัญญาณย่อย (RU) ยืดหยุ่นกว่า	ประสิทธิภาพในพื้นที่คลื่นแออัดดีขึ้น
Latency	~10 ms	ต่ำกว่า 5 ms (เหมาะกับเกม/VR)	การตอบสนองเร็วขึ้น
จำนวน Spatial Streams	สูงสุด 8 streams	สูงสุด 16 streams (ใน enterprise)	รองรับอุปกรณ์พร้อมกันมากขึ้น

---

เงื่อนไขการใช้งานที่ WiFi 7 ดีกว่า WiFi 6

1. พื้นที่ที่มีอุปกรณ์หนาแน่น

• WiFi 7 จัดการความแออัดได้ดีกว่า (ด้วย MLO และ Multi-RU) เหมาะสำหรับออฟฟิศ, ห้างสรรพสินค้า

1. แอปพลิเคชันที่ต้องการความเร็วสูง

• 4K/8K Streaming, VR, Cloud Gaming (WiFi 7 ลดกระตุกได้ดีกว่า)

1. ลด Ping สำหรับเกมเมอร์

• MLO ช่วยลด latency ได้ถึง 50% เมื่อเทียบกับ WiFi 6

1. ใช้งานคลื่น 6 GHz เต็มประสิทธิภาพ

• WiFi 7 ใช้ 320 MHz channel ในคลื่น 6 GHz ได้ (WiFi 6 จำกัดที่ 160 MHz)

---

ข้อจำกัดของ WiFi 7

• ต้องใช้อุปกรณ์รองรับ (มือถือ/แล็ปท็อป WiFi 7)
• ราคาแพงกว่า (Router WiFi 7 ยังมีราคาสูง)
• คลื่น 6 GHz อาจถูกจำกัดในบางประเทศ

---

สรุป: เลือก WiFi 7 เมื่อไหร่?

• ถ้าต้องการ ความเร็วสุดขีด, latency ต่ำ (เกม/VR)
• มี อุปกรณ์รองรับ WiFi 7 และงบประมาณเพียงพอ
• ใช้งานในพื้นที่ที่ คลื่น WiFi แออัดมาก

หากไม่ต้องการความเร็วสูงมาก WiFi 6 ก็ยังเพียงพอ สำหรับการใช้งานทั่วไป (เช่น บ้านทั่วไป, ออฟฟิศเล็ก)

⚠️ หมายเหตุ: WiFi 7 ยังใหม่มาก (เริ่มใช้งานปี 2024) ดังนั้นควรตรวจสอบความเข้ากันได้ของอุปกรณ์ก่อนอัปเกรด

Here’s a complete MikroTik RouterOS script for your requirements:

• 2 WAN PPPoE connections (load-balanced with NTH + failover)
• LAN IP 172.23.34.0/24
• Bandwidth limit (50Mbps per LAN client)
• Basic firewall rules (security + NAT)

---

Script

/interface pppoe-client
add name=pppoe-wan1 interface=ether1 user=user1 password=pass1 add-default-route=no
add name=pppoe-wan2 interface=ether2 user=user2 password=pass2 add-default-route=no

/ip pool
add name=lan-pool ranges=172.23.34.100-172.23.34.200

/ip dhcp-server
add address-pool=lan-pool interface=bridge-lan disabled=no name=dhcp-lan

/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
# Add more LAN ports if needed

/ip address
add address=172.23.34.1/24 interface=bridge-lan network=172.23.34.0

/ip dhcp-server network
add address=172.23.34.0/24 gateway=172.23.34.1 dns-server=8.8.8.8,1.1.1.1

/ip firewall mangle
add chain=prerouting connection-state=new nth=2,1 action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting connection-state=new nth=2,2 action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-wan1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-wan2 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-wan1 distance=3
add dst-address=0.0.0.0/0 gateway=pppoe-wan2 distance=4

/ip firewall nat
add chain=srcnat out-interface=pppoe-wan1 action=masquerade
add chain=srcnat out-interface=pppoe-wan2 action=masquerade

# Bandwidth limit (50Mbps per LAN client)
/queue simple
add name=limit-lan target=172.23.34.0/24 max-limit=50M/50M

# Basic firewall rules
/ip firewall filter
add chain=input action=drop connection-state=invalid
add chain=input action=accept connection-state=established,related
add chain=input action=drop in-interface=pppoe-wan1 protocol=tcp dst-port=23,80,443,8291
add chain=input action=drop in-interface=pppoe-wan2 protocol=tcp dst-port=23,80,443,8291
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid

---

Key Features:

1. Dual WAN PPPoE Load Balancing

• Uses NTH (every 2nd connection alternates between WAN1/WAN2).
• Failover: If one PPPoE fails, traffic auto-switches.

1. LAN Setup

• DHCP server for 172.23.34.0/24.
• Clients get IPs from 172.23.34.100-172.23.34.200.

1. Bandwidth Limiting

• Each LAN client restricted to 50Mbps up/down.

1. Basic Firewall

• Blocks invalid packets, protects RouterOS ports (Winbox/WebFig).
• NAT for outbound traffic.

---

How to Apply:

1. Copy the script to Winbox Terminal (or SSH).
2. Adjust:

• pppoe-wan1/wan2 credentials.
• LAN interfaces (ether3, ether4, etc.).

1. Test failover by unplugging one PPPoE.