(yes, I've googled, and also read The VLAN Tutorial on this forum. I'm still somewhat confused and, more importantly, extremely apprehensive).
So I have a nicely functioning home network setup, consisting of a hAP ac2 and a CAP ac (I think? Been a while since I bought/installed/configured all that, Mikrotik does make some nice hardware). There is one internal network (10.0.5.0/24), all wireless is managed through CapsMan (with the hAP as the, um, "manager" I think is the term?), no VLANs are explicitly configured. There are some fancy-ish firewall rules, but it's totally on me to either accomodate or just flush them, so let's pretend they are not there.
Given the above setup, there are 2 requirements:
- Segregate the "IoT" home-phoning hacker-magnet additions to the gadget zoo (thanks, Xiaomi!) into their own subnet, from which the normal internal network must not be accessible. All those are wireless, which should simplify things (right?).
- Proceed in a way that doesn't, at any point, involve me taking the router off the wall in its closet. Because that would be _super_ inconvenient, for starters.
So a fresh from-zero VLAN-aware configuration is right out, I think?
I guess I need to define a new VLAN (the manual devolves into the "add interface to interface" fnords right off the bat, my poor brain can't handle that I'm not a network guy), add a new ("virtual"? "slave"?) SSID in CapsMan such that everything connected to it is magically in that VLAN, add a firewall filter rule (or rules) to keep Xiaomi's paws off the main subnet, and, most importantly, not botch my existing connectivity at any point in the process. Please help?
Re: VLAN'ising an existing configuration without disrupting service
A network diagram would be really helpful to see which ports should be configured as access ones and which should stay out of the business
Re: VLAN'ising an existing configuration without disrupting service
Adding:
Whatever way you set it up, since you will be applying vlan with each time separate subnet, dhcp, etc etc, there WILL be some disruption for devices moving into the new vlan context.
Order of some minutes in order to allow all devices to get a new network lease depending on the vlan they are supposed to be in if all is well prepared before flipping the switch or some hours if you are less prepared.
But disruption will happen.
Whatever way you set it up, since you will be applying vlan with each time separate subnet, dhcp, etc etc, there WILL be some disruption for devices moving into the new vlan context.
Order of some minutes in order to allow all devices to get a new network lease depending on the vlan they are supposed to be in if all is well prepared before flipping the switch or some hours if you are less prepared.
But disruption will happen.
Re: VLAN'ising an existing configuration without disrupting service
Basically what I have is a bog-simple single-subnet home networking setup, plus Capsman for wireless. I'd like the Xiaomi robotic vacuum cleaner to not be able to access anything inside the internal network, because the thing has to be connected to the internets (you have to use their app just to stop it from saying out loud that it is charging) but I don't trust it.A network diagram would be really helpful to see which ports should be configured as access ones and which should stay out of the business
I imagine there are plenty of people with the same predicament. I'm frankly baffled there's no simple guide for this case.
(I'm not totally sure what "ports" means here and what "the business" is).
Re: VLAN'ising an existing configuration without disrupting service
Aren't already-connected devices already in some default VLAN? I'd be fine with things getting disconnected for a minute or two, obviously. As long as I don't mess the setup to the point of having to get the router off its wall and remembering what "netboot" is or whatever....Adding:
Whatever way you set it up, since you will be applying vlan with each time separate subnet, dhcp, etc etc, there WILL be some disruption for devices moving into the new vlan context.
Re: VLAN'ising an existing configuration without disrupting service
"Port" is the physical interface on which the cAP is connected and "out of the business" means not to be involved in the VLAN configuration
Also highly recommend you to watch this video with subtitles to be able to fully grasp the concept:
https://youtu.be/IUu_5wODp44?si=R_qJhYhIxAYSRHvG
Also highly recommend you to watch this video with subtitles to be able to fully grasp the concept:
https://youtu.be/IUu_5wODp44?si=R_qJhYhIxAYSRHvG
Re: VLAN'ising an existing configuration without disrupting service
Thank you, but I neither read nor speak UkranianAlso highly recommend you to watch this video with subtitles to be able to fully grasp the concept:
https://youtu.be/IUu_5wODp44?si=R_qJhYhIxAYSRHvG
Re: VLAN'ising an existing configuration without disrupting service
That's why I suggested you using subtitles (forgot to mention with the option "Auto-translate" 
)
)Re: VLAN'ising an existing configuration without disrupting service
Yeah, that option exists but causes no CC at all (for me, anyway).That's why I suggested you using subtitles (forgot to mention with the option "Auto-translate"
Re: VLAN'ising an existing configuration without disrupting service
Could you look in IP/Neighbors and tell me on which interface is the cAP ac discovered? Also an exported config would be nice:
export file=anynameyouwish
export file=anynameyouwish
Re: VLAN'ising an existing configuration without disrupting service
Post both configs please
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
Not much more can be provided without evidence (fact).
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
Not much more can be provided without evidence (fact).
Re: VLAN'ising an existing configuration without disrupting service
Precisely. Without at least a port to which the cAP ac is connected we're with tied hands
Re: VLAN'ising an existing configuration without disrupting service
/ip/neighbor/print shows empty.
here's the exported config:
here's the exported config:
Code: Select all
# 2024-03-29 11:18:42 by RouterOS 7.14.1
#
# model = RBD52G-5HacD2HnD
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled name=2.4ghz reselect-interval=30m save-selected=yes tx-power=17
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XXXX name=5ghz reselect-interval=30m save-selected=yes
/interface bridge
add admin-mac=48:8F:5A:4F:18:FB arp=proxy-arp auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-Ce/gn(14dBm), SSID: al, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=israel distance=indoors frequency=auto installation=indoor keepalive-frames=disabled mode=ap-bridge multicast-buffering=disabled multicast-helper=disabled ssid=al-router-2.4G wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac/DP(17dBm), SSID: al, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=israel distance=indoors frequency=auto installation=indoor keepalive-frames=disabled mode=ap-bridge multicast-buffering=disabled multicast-helper=disabled ssid=al-router-5G wireless-protocol=802.11 wmm-support=enabled
/caps-man datapath
add bridge=bridge name=common
/caps-man rates
add basic=12Mbps name="no b" supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=common
/caps-man configuration
add channel=2.4ghz country=israel datapath=common distance=indoors hw-protection-mode=rts-cts installation=any name=2.4ghz rates="no b" security=common ssid=al
add channel=5ghz country=israel datapath=common distance=indoors hw-protection-mode=rts-cts installation=any name=5ghz rates="no b" security=common ssid=al
add channel=2.4ghz country=israel datapath=common distance=indoors hw-protection-mode=rts-cts installation=indoor name="2.4ghz: slave" rates="no b" security=common ssid=al-2.4
/caps-man interface
add channel.extension-channel=XX .frequency=2412,2437,2462 configuration=2.4ghz disabled=no l2mtu=1600 mac-address=08:55:31:45:83:D8 master-interface=none name=2.4-cap-1 radio-mac=08:55:31:45:83:D8 radio-name=0855314583D8
add configuration="2.4ghz: slave" configuration.installation=any disabled=no l2mtu=1600 mac-address=0A:55:31:45:83:D8 master-interface=2.4-cap-1 name=2.4-cap-1-1 radio-mac=00:00:00:00:00:00 radio-name=0A55314583D8
add channel.extension-channel=Ce .frequency=2422,2447 configuration=2.4ghz disabled=no l2mtu=1600 mac-address=48:8F:5A:4F:18:FF master-interface=none name=2.4-router-1 radio-mac=48:8F:5A:4F:18:FF radio-name=488F5A4F18FF
add configuration="2.4ghz: slave" configuration.installation=any disabled=no l2mtu=1600 mac-address=4A:8F:5A:4F:18:FF master-interface=2.4-router-1 name=2.4-router-1-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5A4F18FF
add channel.control-channel-width=20mhz .extension-channel=Ceee .frequency=5180 .tx-power=25 configuration=5ghz disabled=no l2mtu=1600 mac-address=08:55:31:45:83:D9 master-interface=none name=5-cap-1 radio-mac=08:55:31:45:83:D9 radio-name=0855314583D9
add channel.extension-channel=Ceee .frequency=5260 configuration=5ghz disabled=no l2mtu=1600 mac-address=48:8F:5A:4F:19:00 master-interface=none name=5-router-1 radio-mac=48:8F:5A:4F:19:00 radio-name=488F5A4F1900
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=5ghz
add name=2.4ghz
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec peer
add name=l2tpserver passive=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=3des
/ip pool
add name=dhcp ranges=10.0.5.25-10.0.5.254
add name=ovpn ranges=10.0.5.18-10.0.5.24
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-script=":local scriptName \"dhcp2dns\"\n:do {\n :local scriptSrc [ /system script get [ find name=\$scriptName ] source ]\n :local scriptObj [ :parse \$scriptSrc ]\n \$scriptObj leaseBound=\$leaseBound leaseServerName=\$leaseServerName\_leaseActIP=\$leaseActIP leaseActMAC=\$leaseActMAC\n} on-error={ :log warning \"DHCP server '\$leaseServerName' lease script\_error\" };" lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add dns-server=10.0.5.17 interface-list=LAN local-address=10.0.5.17 name=ovpn remote-address=ovpn use-encryption=yes
/queue tree
add comment="Uplink QoS" max-limit=105M name=QoS_ether1 parent=ether1 queue=wireless-default
add comment="Queue Priority 1" name="IP Precedence 7. Network Control (Top Priority) - ether1" packet-mark=ip_precedence_7 parent=QoS_ether1 priority=1 queue=wireless-default
add comment="Queue Priority 2" name="IP Precedence 6. Internetwork Control (High Priority) - ether1" packet-mark=ip_precedence_6 parent=QoS_ether1 priority=2 queue=wireless-default
add comment="Queue Priority 3" name="IP Precedence 5. Voice (Medium-High Priority) - ether1" packet-mark=ip_precedence_5 parent=QoS_ether1 priority=3 queue=wireless-default
add comment="Queue Priority 4" name="IP Precedence 4. Interactive Video (Medium Priority) - ether1" packet-mark=ip_precedence_4 parent=QoS_ether1 priority=4 queue=wireless-default
add comment="Queue Priority 5" name="IP Precedence 3. Critical Data or Call Signaling (Medium-Low Priority) - ether1" packet-mark=ip_precedence_3 parent=QoS_ether1 priority=5 queue=wireless-default
add comment="Queue Priority 6" name="IP Precedence 0. Best Effort (Low Priority) - ether1" packet-mark=no-mark parent=QoS_ether1 priority=6 queue=wireless-default
add comment="Queue Priority 7" name="IP Precedence 2. Background (Very Low Priority) - ether1" packet-mark=ip_precedence_2 parent=QoS_ether1 priority=7 queue=wireless-default
add comment="Queue Priority 8" name="IP Precedence 1. Scavenger (Bottom Priority) - ether1" packet-mark=ip_precedence_1 parent=QoS_ether1 queue=wireless-default
add comment="Downlink QoS" max-limit=990M name=QoS_bridge parent=bridge queue=wireless-default
add comment="Queue Priority 1" name="IP Precedence 7. Network Control (Top Priority) - bridge" packet-mark=ip_precedence_7 parent=QoS_bridge priority=1 queue=wireless-default
add comment="Queue Priority 2" name="IP Precedence 6. Internetwork Control (High Priority) - bridge" packet-mark=ip_precedence_6 parent=QoS_bridge priority=2 queue=wireless-default
add comment="Queue Priority 3" name="IP Precedence 5. Voice (Medium-High Priority) - bridge" packet-mark=ip_precedence_5 parent=QoS_bridge priority=3 queue=wireless-default
add comment="Queue Priority 4" name="IP Precedence 4. Interactive Video (Medium Priority) - bridge" packet-mark=ip_precedence_4 parent=QoS_bridge priority=4 queue=wireless-default
add comment="Queue Priority 5" name="IP Precedence 3. Critical Data or Call Signaling (Medium-Low Priority) - bridge" packet-mark=ip_precedence_3 parent=QoS_bridge priority=5 queue=wireless-default
add comment="Queue Priority 6" name="IP Precedence 0. Best Effort (Low Priority) - bridge" packet-mark=no-mark parent=QoS_bridge priority=6 queue=wireless-default
add comment="Queue Priority 7" name="IP Precedence 2. Background (Very Low Priority) - bridge" packet-mark=ip_precedence_2 parent=QoS_bridge priority=7 queue=wireless-default
add comment="Queue Priority 8" name="IP Precedence 1. Scavenger (Bottom Priority) - bridge" packet-mark=ip_precedence_1 parent=QoS_bridge queue=wireless-default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man access-list
add action=accept allow-signal-out-of-range=3s comment="5ghz: nice strong signal" disabled=no interface=5ghz signal-range=-76..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=10s comment="2.4ghz: client specifically wants 2.4ghz" disabled=no signal-range=-76..120 ssid-regexp=al-2.4 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=3s comment="2.4ghz: client is probably too far for 5ghz" disabled=no interface=2.4ghz signal-range=-76..-56 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=3s comment="2.4ghz: client should know better" disabled=no interface=2.4ghz signal-range=-76..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set ca-certificate=CAPsMAN-CA-488F5A4F18FA certificate=CAPsMAN-488F5A4F18FA enabled=yes require-peer-certificate=yes upgrade-policy=require-same-version
/caps-man manager interface
add disabled=no interface=bridge
/caps-man provisioning
add action=create-enabled hw-supported-modes=g master-configuration=2.4ghz name-format=prefix-identity name-prefix=2.4 slave-configurations="2.4ghz: slave"
add action=create-enabled hw-supported-modes=ac master-configuration=5ghz name-format=prefix-identity name-prefix=5
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=default use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=2.4-cap-1 list=2.4ghz
add interface=5-cap-1 list=5ghz
add interface=2.4-router-1 list=2.4ghz
add interface=5-router-1 list=5ghz
/interface ovpn-server server
set auth=sha1 certificate=server cipher=blowfish128,aes128-cbc,aes192-cbc,aes256-cbc default-profile=ovpn enabled=yes port=443
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 certificate=CAPsMAN-488F5A4F18FA discovery-interfaces=bridge enabled=yes interfaces=wlan2,wlan1 lock-to-caps-man=yes
/ip address
add address=10.0.5.1/24 comment=defconf interface=ether2 network=10.0.5.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.5.0/24 comment=defconf domain=lan gateway=10.0.5.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.5.1 comment=defconf name=router.lan
add address=10.0.5.4 name=printer.lan
add address=10.0.5.3 name=sip.lan
add address=10.0.5.5 name=nas.lan
add address=10.0.5.46 comment=defconf-08:55:31:45:83:D6 name=cap.lan ttl=10m
/ip firewall address-list
add address=10.0.5.4 list=lan-only
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port=443 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="block untrusted local clients from accessing WAN" out-interface-list=WAN src-address-list=lan-only
add action=drop chain=forward comment="block the printer by MAC too, just in case" out-interface-list=WAN src-mac-address=30:CD:A7:1E:63:02
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="bypass fasttrack for non-zero DSCP" connection-state=established,related dscp=!0
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=postrouting comment="respect DSCP tagging" new-priority=from-dscp-high-3-bits passthrough=yes
add action=set-priority chain=postrouting comment="prioritize ACKs" new-priority=6 packet-size=0-123 passthrough=yes protocol=tcp tcp-flags=ack
add action=accept chain=postrouting comment="precedence 0 - best effort (low priority) (default)" priority=0
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 6 - Internetwork Control (High Priority) (apply packet mark ip_precedence_6)" new-packet-mark=ip_precedence_6 passthrough=no priority=6
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 1 - Scavenger (Bottom Priority) (apply packet mark ip_precedence_1)" new-packet-mark=ip_precedence_1 passthrough=no priority=1
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 2 - Background (Very Low Priority) (apply packet mark ip_precedence_2)" new-packet-mark=ip_precedence_2 passthrough=no priority=2
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 3 - Critical Data or Call Signaling (Medium-Low Priority) (apply packet mark ip_precedence_3)" new-packet-mark=ip_precedence_3 passthrough=no priority=3
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 4 - Interactive Video (Medium Priority) (apply packet mark ip_precedence_4)" new-packet-mark=ip_precedence_4 passthrough=no priority=4
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 5 - Voice (Medium-High Priority) (apply packet mark ip_precedence_5)" new-packet-mark=ip_precedence_5 passthrough=no priority=5
add action=mark-packet chain=postrouting comment="IP Precedence (aka Packet Priority) 7 - Network Control (Top Priority) (apply packet mark ip_precedence_7)" new-packet-mark=ip_precedence_7 passthrough=no priority=7
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip ports=5060,5061,5065
/ip ipsec identity
add generate-policy=port-override peer=l2tpserver
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=webfig disabled=no port=444
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=0.0.0.0 port=1234 version=5
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=admin profile=ovpn
add name=admin profile=*2 remote-address=10.0.9.1 service=l2tp
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Asia/Jerusalem
/system identity
set name=router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system script
add comment="reflect dhcp leases in dns" dont-require-permissions=no name=dhcp2dns owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="###\
\n# Script entry point\
\n#\
\n# Expected environment variables:\
\n# leaseBound 1 = lease bound, 0 = lease removed\
\n# leaseServerName Name of DHCP server\
\n# leaseActIP IP address of DHCP client\
\n# leaseActMAC MAC address of DHCP client\
\n###\
\n\
\n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\
\n\
\n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for missing host names\
\n:local ip2Host do={\
\n :local outStr\
\n :for i from=0 to=([:len \$inStr] - 1) do={\
\n :local tmp [:pick \$inStr \$i];\
\n :if (\$tmp =\".\") do={\
\n :set tmp \"-\"\
\n }\
\n :set outStr (\$outStr . \$tmp)\
\n }\
\n :return \$outStr\
\n}\
\n\
\n:local mapHostName do={\
\n# param: name\
\n# max length = 63\
\n# allowed chars a-z,0-9,-\
\n :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\
\n :local numChars [:len \$name];\
\n :if (\$numChars > 63) do={:set numChars 63};\
\n :local result \"\";\
\n\
\n :for i from=0 to=(\$numChars - 1) do={\
\n :local char [:pick \$name \$i];\
\n :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\
\n :set result (\$result . \$char);\
\n }\
\n :return \$result;\
\n}\
\n\
\n:local lowerCase do={\
\n# param: entry\
\n :local lower \"abcdefghijklmnopqrstuvwxyz\";\
\n :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\
\n :local result \"\";\
\n :for i from=0 to=([:len \$entry] - 1) do={\
\n :local char [:pick \$entry \$i];\
\n :local pos [:find \$upper \$char];\
\n :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\
\n :set result (\$result . \$char);\
\n }\
\n :return \$result;\
\n}\
\n\
\n:local token \"\$leaseServerName-\$leaseActMAC\";\
\n\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do={\
\n :log error \"\$LogPrefix: empty lease address\"\
\n :error \"empty lease address\"\
\n}\
\n\
\n:if ( \$leaseBound = 1 ) do={\
\n\
\n# new DHCP lease added\
\n# :log info \"\$LogPrefix: new lease for \$token\"\
\n /ip dhcp-server\
\n :local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\
\n network\
\n :local domain [ get [ find \$leaseActIP in address ] domain ]\
\n :if ( [ :len \$domain ] <= 0 ) do={ :set domain \"lan\" }\
\n# :log info \"\$LogPrefix: DNS domain is \$domain\"\
\n\
\n :local hostname \"\"\
\n :do {\
\n :set hostname [/ip dhcp-server lease get value-name=host-name [find mac-address=\$leaseActMAC and server=\$leaseServerName]]\
\n } on-error={ :log warning \"\$LogPrefix: failed to retrieve hostname for \$token\" }\
\n# :log info \"\$LogPrefix: DHCP hostname is \$hostname\"\
\n\
\n#Hostname cleanup\
\n :if ( [ :len \$hostname ] <= 0 ) do={\
\n :set hostname [ \$ip2Host inStr=\$leaseActIP ]\
\n :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using generated host name '\$hostname'\"\
\n }\
\n :set hostname [\$lowerCase entry=\$hostname]\
\n :set hostname [\$mapHostName name=\$hostname]\
\n# :log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\
\n\
\n :if ( [ :len \$domain ] <= 0 ) do={\
\n :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', cannot create static DNS name\"\
\n :error \"Empty domainname for '\$leaseActIP'\"\
\n }\
\n\
\n :local fqdn (\$hostname . \".\" . \$domain)\
\n# :log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\
\n\
\n :if ([/ip dhcp-server lease get [find mac-address=\$leaseActMAC and server=\$leaseServerName]]) do={\
\n :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\
\n :do {\
\n :local old [/ip dns static find name=\$fqdn comment~\"^\$leaseServerName-\"]\
\n :if ( \$old != \"\" ) do {\
\n :log info \"\$logPrefix: removing existing record \$old\"\
\n /ip dns static remove \$old\
\n :log info \"\$logPrefix: done\"\
\n }\
\n /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl comment=\$token;\
\n } on-error={:log error message=\"\$LogPrefix: Failure during dns registration of \$fqdn with \$leaseActIP\"}\
\n }\
\n\
\n} else={\
\n\
\n# DHCP lease removed\
\n :local record [/ip dns static find comment=\$token]\
\n :if ( \$record != \"\" ) do={\
\n :log info \"\$logPrefix: removing \$record\"\
\n /ip dns static remove \$record\
\n :log info \"\$logPrefix: done\"\
\n }\
\n}\
\n"
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
add allow-address=10.0.5.110/32 interface=bridge
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Last edited by cmmike on Fri Mar 29, 2024 10:54 am, edited 2 times in total.
Re: VLAN'ising an existing configuration without disrupting service
I didn't know there was an auto-translate feature until @TheCat12 mentioned it. To get it to work you must do several things: Turn on CC which will show in Ukranian, then in Settings, click on auto-translate and select language you want it translated to.Yeah, that option exists but causes no CC at all (for me, anyway).That's why I suggested you using subtitles (forgot to mention with the option "Auto-translate"
You do not have the required permissions to view the files attached to this post.
Re: VLAN'ising an existing configuration without disrupting service
I did all that. Could be the ad-blocking in my browser that kills it -- but frankly I can't digest video tutorials even in languages I understand.To get it to work you must do several things:
Re: VLAN'ising an existing configuration without disrupting service
I use uBlock Origin and auto-translated subtitles works for me with Chrome on Win 10. Do you get subtitles in Ukranian if you don't turn on auto-translate?I did all that. Could be the ad-blocking in my browser that kills it -- but frankly I can't digest video tutorials even in languages I understand.
Having to read subtitles while also watching what is happening in the video is hard. At least you can rewind.
What is your favorite way to learn?
Re: VLAN'ising an existing configuration without disrupting service
Yes.I use uBlock Origin and auto-translated subtitles works for me with Chrome on Win 10. Do you get subtitles in Ukranian if you don't turn on auto-translate?
Favorite: one-on-one interaction with an expert. Second-best: well-written text (optionally with pictures). Least favorite: podcasts & youtube videos.What is your favorite way to learn?
Really though, I'm trying to avoid diving too deep into this right now because the task at hand ("modify existing working home config to segregate untrusted internet-connected hardware") seems like it _should_ be nearly-trivial to either just perform or at least to explain how to perform, because I think it's an increasingly common need and my config is not very involved. Maybe there's a business opportunity for an expert with some time on their hands: write up something actually intelligible on Substack or Patreon or whatever, charge people money to read it, charge some more for an opportunity to ask follow-up questions. But I'm keeping an open mind.
Re: VLAN'ising an existing configuration without disrupting service
Ok, so far this is being extremely helpful /s.
I wonder if there's some workflow involving safe mode and/or a timed saved config restore script that would let me make progress without having to take a week off my life to internalize all the Extremely Important Concepts by way of sitting through Youtube videos in exotic languages?
I wonder if there's some workflow involving safe mode and/or a timed saved config restore script that would let me make progress without having to take a week off my life to internalize all the Extremely Important Concepts by way of sitting through Youtube videos in exotic languages?
Re: VLAN'ising an existing configuration without disrupting service
Yes buy a plugnPlay Asus router LOL
Re: VLAN'ising an existing configuration without disrupting service
I realize you are trying to insult me (that's totally fine, I started it), but changing the router setup to another vendor is definitely a possibility I'm considering. Thing is, I initially went with Mikrotik becase it's nice hardware at non-enterprise prices that is configured with text. This is very important for me. The current config that I posted above is something I fully inderstood at the time of writing it (kinda less so now, but I know I can refresh my understanding within an hour or so). I'd like things to stay that way, so Asus or Google or w/e are not viable possibilities.Yes buy a plugnPlay Asus router LOL
Was just hoping for some shortcuts here, is all. Not the end of the world if there are none available after all.
Re: VLAN'ising an existing configuration without disrupting service
Was just hoping for some shortcuts here, is all.
No, there are no shortcuts. Adding VLANs is the same as building a completely new physical network (including laying cables and adding switches). Even worse, you have to break things "to make space" for new setup.
When doing that, it's hard to keep things working without disruptions. I'm not saying it's impossible, but it's very hard and one has to know both current and new layout to tiniest details. So I wouldn't expect anybody on this forum to provide extensive help free of charge.
Re: VLAN'ising an existing configuration without disrupting service
Understood! How about another tack: I may have jumped to conclusions re: VLANs. Perhaps it's possible to just add a new virtual/slave AP for the Internet Of Shit critters and fence that off the main subnet with a few firewall rules?Adding VLANs is the same as building a completely new physical network (including laying cables and adding switches). Even worse, you have to break things "to make space" for new setup.
When doing that, it's hard to keep things working without disruptions. I'm not saying it's impossible, but it's very hard and one has to know both current and new layout to tiniest details. So I wouldn't expect anybody on this forum to provide extensive help free of charge.
Re: VLAN'ising an existing configuration without disrupting service
Like you, I have something of an aversion to videos, but 2 of the most important issues I have confronted with Mikrotik have been resolved by videos. I think that what you are looking for for your IoT stuff is effectively equivalent to a wireless guest network. This was solved for me with this video from Cat5tv: https://www.youtube.com/watch?v=gcwbhncwPug which I condensed into notes as I was watching. So here are my notes, which don't explain the things I don't need explained:Understood! How about another tack: I may have jumped to conclusions re: VLANs. Perhaps it's possible to just add a new virtual/slave AP for the Internet Of Shit critters and fence that off the main subnet with a few firewall rules?
- [Wireless → Security Profile] Add new Guest security profile and set password.
- [Wireless → WiFi interfaces] Add new virtual wifi interface, set SSID and security profile.
- [Bridge → Add Bridge] Add a new bridge.
- •[Bridge → Ports] Assign ports to new bridge. Associate virtual wifi interface with new bridge, both created above.
- [IP → Addresses] Set up Guest IP address block assigned to new bridge
This sets up a named block of IP addresses in IP →Pool, which can be appropriately renamed. - [IP → DHCP Server] Rename defconf server and disable or remove if necessary. Add new DHCP server
To this stage should be sufficient to get an IP address - [IP → Firewall] Add {Forward → Drop} rule to prevent Guest Network accessing Local Network. Set this ahead of all {Forward} rules
Re: VLAN'ising an existing configuration without disrupting service
FTR, I just went with this: https://tangentsoft.com/mikrotik/wiki?n ... ns%20VLANs, specifically the "Quick Set Alternative" using bridge filtering (modulo Capsman and not actually using Quick Set, of course).
At least one niggle remains: IoT devices can still connect to the router itself. EDIT: akshuelly not quite, it's still possible to lock things down somewhat. On the "input" bridge filtering chain, accept from the guest interface(s):
- ARP
- DHCP (UDP 67)
- DNS (UDP 53), if your router advertises itself via DHCP as the DNS server
- TCP 443, for whatever reason (otherwise clients will decide they are not connected to the Internet)
Drop everything else.
At least one niggle remains: IoT devices can still connect to the router itself. EDIT: akshuelly not quite, it's still possible to lock things down somewhat. On the "input" bridge filtering chain, accept from the guest interface(s):
- ARP
- DHCP (UDP 67)
- DNS (UDP 53), if your router advertises itself via DHCP as the DNS server
- TCP 443, for whatever reason (otherwise clients will decide they are not connected to the Internet)
Drop everything else.