steamy
just joined
Topic Author
Posts: 20
Joined: Sat May 25, 2024 2:23 am

I think i need a nudge forward

Wed Oct 16, 2024 6:07 pm

I tried to follow the guide but wanted to add another VLAN. I wanted each VLAN untagged as an access port on ether2-ether6 for testing. I wanted to leave ether7, ether8, and the sfp port as trunks for testing to my switches. Another change from the guide is that I wanted "work_VLAN" to be able to manage the router, for now. When I feel comfortable with my understanding I don't intend to leave it that way.
I expected that connecting a Windows laptop to ether2-ether6 would get me a DHCP assigned address in the range of the VLAN I set as "untagged" for that respective port. As of now I am not getting a response from DHCP.
Edited. Work in progress...
# 1970-01-02 01:05:29 by RouterOS 7.16.1
# software id = 5Z7V-M9DI
#
# model = RB5009UG+S+
# serial number = xxxxxxxxxxxxx
#
# Overview: one VLAN-filtering bridge (BR1) carrying five VLANs (11, 22, 77,
# 88, 99). ether2-ether6 are untagged access ports, ether7 and sfp-sfpplus1
# are tagged-only trunks, and the router routes between the VLAN interfaces
# under the firewall rules below.
# NOTE(review): the export timestamp is 1970-01-02, so the system clock looks
# unset. Log timestamps will not be usable for troubleshooting or audit until
# the time is set.
/interface bridge
# vlan-filtering=yes makes the bridge enforce the pvid/frame-types settings in
# "/interface bridge port" and the membership table in "/interface bridge vlan".
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
# One layer-3 interface per VLAN on top of BR1; these carry the gateway
# addresses and the DHCP servers.
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=home_VLAN vlan-id=11
add interface=BR1 name=printers_VLAN vlan-id=77
add interface=BR1 name=untrusted_VLAN vlan-id=22
add interface=BR1 name=work_VLAN vlan-id=88
/interface list
add name=WAN
add name=VLAN
add name=BASE
# NOTE(review): WORK is declared here but never receives a member under
# "/interface list member". Neighbor discovery, mac-server and mac-winbox are
# all scoped to WORK further down, so as exported they apply to no interface.
add name=WORK
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Pools exist for VLANs 11, 22, 77 and 88 only; there is no pool for BASE_VLAN.
add name=home_POOL ranges=10.3.11.2-10.3.11.254
add name=untrusted_POOL ranges=10.3.22.2-10.3.22.254
add name=printers_POOL ranges=10.3.77.2-10.3.77.254
add name=work_POOL ranges=10.3.88.2-10.3.88.254
/ip dhcp-server
# No DHCP server is bound to BASE_VLAN, so a client on ether6 (pvid=99) gets no
# lease from this configuration and needs a static address in 192.168.0.0/24.
add address-pool=home_POOL interface=home_VLAN name=home_DHCP
add address-pool=untrusted_POOL interface=untrusted_VLAN name=untrusted_DHCP
add address-pool=printers_POOL interface=printers_VLAN name=printers_DHCP
add address-pool=work_POOL interface=work_VLAN name=work_DHCP
/interface bridge port
# Access ports: only untagged/priority-tagged frames are admitted and each is
# classified into the VLAN given by pvid.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=11
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=22
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=77
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=88
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=99
# Trunk ports: untagged frames are rejected, which keeps untagged traffic on a
# trunk from landing in the default VLAN.
# NOTE(review): ether8 is not a bridge port in this export, although the
# accompanying description lists it as a third trunk. It is also absent from
# every "tagged=" list under "/interface bridge vlan".
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Discovery is limited to list WORK, which has no members in this export.
set discover-interface-list=WORK
/interface bridge vlan
# BR1 is tagged in every VLAN so the router's own VLAN interfaces receive the
# traffic; each untagged= port matches the pvid set on that port above.
add bridge=BR1 tagged=BR1,ether7,sfp-sfpplus1 untagged=ether2 vlan-ids=11
add bridge=BR1 tagged=BR1,ether7,sfp-sfpplus1 untagged=ether3 vlan-ids=22
add bridge=BR1 tagged=BR1,ether7,sfp-sfpplus1 untagged=ether4 vlan-ids=77
add bridge=BR1 tagged=BR1,ether7,sfp-sfpplus1 untagged=ether5 vlan-ids=88
add bridge=BR1 tagged=BR1,ether7,sfp-sfpplus1 untagged=ether6 vlan-ids=99
/interface list member
# Every VLAN interface, including untrusted_VLAN and printers_VLAN, is in list
# VLAN; the firewall input rule "Allow VLAN" keys on this list.
# No entry places work_VLAN (or anything else) in list WORK.
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=home_VLAN list=VLAN
add interface=untrusted_VLAN list=VLAN
add interface=printers_VLAN list=VLAN
add interface=work_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
# Gateway address of the router in each VLAN.
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.3.11.1/24 interface=home_VLAN network=10.3.11.0
add address=10.3.22.1/24 interface=untrusted_VLAN network=10.3.22.0
add address=10.3.77.1/24 interface=printers_VLAN network=10.3.77.0
add address=10.3.88.1/24 interface=work_VLAN network=10.3.88.0
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1
/ip dhcp-server network
# Clients in every VLAN are handed 192.168.0.1 (the router's BASE_VLAN address)
# as resolver. Those queries hit the input chain, so any tightening of the
# input rules has to keep DNS from the VLANs allowed.
add address=10.3.11.0/24 dns-server=192.168.0.1 gateway=10.3.11.1
add address=10.3.22.0/24 dns-server=192.168.0.1 gateway=10.3.22.1
add address=10.3.77.0/24 dns-server=192.168.0.1 gateway=10.3.77.1
add address=10.3.88.0/24 dns-server=192.168.0.1 gateway=10.3.88.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for any client the
# input chain lets through. Here the final input drop keeps WAN-side queries
# out; that protection depends entirely on the input rules staying in place.
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
# Input chain (traffic addressed to the router itself). Rules are evaluated in
# order and the first match wins.
add action=accept chain=input comment="Allow Estab & Related" connection-state=\
    established,related
# NOTE(review): this rule accepts ALL input from every interface in list VLAN,
# which includes untrusted_VLAN and printers_VLAN. Any management service
# enabled on the router is therefore reachable from those segments ("/ip
# service" is not in this export, so it is presumably at defaults - confirm).
# If only work_VLAN and BASE_VLAN are meant to manage the router, narrow this
# rule to the services clients actually need (for example DNS on udp/tcp 53).
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# BASE_VLAN and work_VLAN are both members of list VLAN, so the rule above
# already accepts their traffic; the next two rules only become the deciding
# match once "Allow VLAN" is narrowed.
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=accept chain=input comment="Allow work_Vlan Full Access" \
    in-interface=work_VLAN
# Default deny for everything else, including all unsolicited WAN traffic.
add action=drop chain=input comment=Drop
# Forward chain (traffic routed through the router).
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# Any VLAN may open new connections towards printers_VLAN.
add action=accept chain=forward comment=\
    "Allow printers_VLAN to be the Public VLAN" connection-state=new \
    in-interface-list=VLAN out-interface=printers_VLAN
# Any VLAN may open new connections towards the WAN.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Everything else is dropped, so the VLANs cannot reach each other apart from
# printers_VLAN, and nothing from WAN can initiate a connection inward.
add action=drop chain=forward comment=Drop
/ip firewall nat
# Source-NAT everything leaving via the WAN list (ether1).
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system identity
set name=hs-router
/system note
set show-at-login=no
/tool mac-server
# Layer-2 management (MAC telnet and MAC WinBox) is restricted to list WORK.
# With WORK empty this is the restrictive outcome, but it does not give
# work_VLAN the MAC-level access the list name suggests.
set allowed-interface-list=WORK
/tool mac-server mac-winbox
set allowed-interface-list=WORK
Thanks!
Last edited by steamy on Thu Oct 17, 2024 12:31 am, edited 2 times in total.
 
steamy
just joined
Topic Author
Posts: 20
Joined: Sat May 25, 2024 2:23 am

Re: I think i need a nudge forward

Wed Oct 16, 2024 10:42 pm

I realize I've missed a section from the guide. I'm starting over... again.