bolmsted

Can't ping router IPs from router

Sun Aug 18, 2019 7:46 am

I'm a little baffled why I can't ping the router IP address from the MikroTik itself. As you can see below, I can ping from a machine on the network to the various interfaces in the router, my switch (.2), my second switch (.3), my AP#1 (.10), my AP#2 (.11) and my NAS (.5). What is going on here? I've been looking at this for a number of hours and can't figure out what's going on.

Also, on my bridge, if I have "IP firewall" enabled it seems that the two switches connected to ports #2 and #3 on the MikroTik can't talk to each other. I wasn't sure what rules I should be putting into the bridge, or do most people just leave that disabled and use the IP firewall filter? Is there a sample set of rules for this? Similarly, when do you use it for VLAN or PPPoE (as our FTTH provider uses PPPoE for authentication instead of DHCP MAC binding)?


Why is my bridge not working correctly? Why can't I ping the IPs of the bridge or VLAN interfaces from the router? Should the VLANs be under the bridge? I had to change some of the rules to be specific to the VLAN subnets to match, as it seems the bridge takes precedence and still permits the traffic regardless of the VLAN interface.

Should I have a bridge for each VLAN? I had that before, and then I was reading in these forums about using one bridge. Should I have the WAN interface in its own bridge? Can you combine the WAN and LAN bridges? I changed the FW rules to reference WAN instead of ether1 (in preparation for possibly changing to an FTTH provider that uses SFP connections).

I basically want to have these VLANs
VLAN10 - LAN (internal computers, NAS, etc)
VLAN20 - KIDS
VLAN30 - IoT (Smart devices, Internet devices like my thermostat, HD Homerun, etc)
VLAN50 - Guest (for my friends and my work devices)

I have these all working with the UniFi APs handing out the 4 SSIDs.

I have the mgmt network (192.168.88.0/24) running on PVID 1 on my switch, and that's what provides the IPs to the rest of my mgmt devices like the switches (.2 and .3), my NAS (.5) and my UniFi APs (.10, .11 and soon .12 for a third AP). I have an explicit rule to forward to 192.168.100.1 for my cable modem from the VLANs and the MGMT (lan-bridge), but had to explicitly put the source network in the rules as it seems the VLANs will match the lan-bridge rule otherwise (due to the hierarchy??). I put this rule in place before I start blacklisting other address space on my local interfaces, etc.

I was reading through "Using RouterOS to VLAN your network" and I got the impression we should be avoiding using PVID 1 and put the mgmt traffic on a dedicated VLAN and provide access with firewall rules appropriately. So I guess we would need to set all the default ports' PVID to something other than 1 then? I am using a TP-Link TL-SG1024DE on ether2 and a TL-SG108DE on ether3 and would like to bridge them together via the MikroTik hEX (RB750GR3); that's what I'm attempting to do.


I'd like to move to an FTTH connection in the future, possibly, and would like to clean up the WAN from ether1 to a bridge if that's appropriate, or use the WAN instead, so that when I upgrade to a MikroTik device with SFP or SFP+ ports I can easily swap over the config.

From reading through DSLReports, people are replacing their telco-provided modem with a MikroTik device like the CRS125-24G-1S-2HnD-IN (or CRS125-24G-1S-IN without WiFi) with an SFP port and getting up to 1Gbps (although my provider can do 1.5Gbps apparently because they are using an adapter that can do up to 2.5Gbps). I'm not sure if this HomeHub3000 is using an SFP or SFP+ GPON, but I guess they must be different since the RB4011iGS+RM page mentions "The RB4011 does not support Passive DAC modules and SFP GPON modules", so perhaps SFP can support up to 2.5Gbps then? From what I can see most router/switch combos are really expensive devices for home use, and 1Gbps would be more than adequate for me as I'm currently on a 30/5 cable connection, but the ILECs have been really competitive with the 1Gbps packages. I'd like to get something that is a router/switch with the ability to do up to 10Gbps with PoE if possible; perhaps you guys can point me to an appropriate MikroTik device.


I'm trying to clean up the configuration and simplify it, so I would like input on it as well as on what would be a step in the right direction.


I've included an export of my current config below (minus my static DHCP leases and static DNS entries, as that is extraneous info, manually removed).


Ping from router...
[admin@MikroTik] > /ping 192.168.88.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.88.1                                            timeout
    1 192.168.88.1                                            timeout
    sent=2 received=0 packet-loss=100%

[admin@MikroTik] > /ping 192.168.88.2
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.88.2                               56  64 4ms
    1 192.168.88.2                               56  64 2ms
    sent=2 received=2 packet-loss=0% min-rtt=2ms avg-rtt=3ms max-rtt=4ms

[admin@MikroTik] > /ping 192.168.88.3
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.88.3                               56  64 3ms
    1 192.168.88.3                               56  64 1ms
    sent=2 received=2 packet-loss=0% min-rtt=1ms avg-rtt=2ms max-rtt=3ms

[admin@MikroTik] > /ping 192.168.88.5
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.88.5                               56  64 0ms
    1 192.168.88.5                               56  64 0ms
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

[admin@MikroTik] >
[admin@MikroTik] > /ping 192.168.88.10
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.88.10                              56  64 0ms
    1 192.168.88.10                              56  64 0ms
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

[admin@MikroTik] > /ping 192.168.88.11
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.88.11                              56  64 6ms
    1 192.168.88.11                              56  64 0ms
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=3ms max-rtt=6ms

[admin@MikroTik] >
[admin@MikroTik] > /ping 192.168.10.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.10.1                                            timeout
    1 192.168.10.1                                            timeout
    sent=2 received=0 packet-loss=100%

[admin@MikroTik] > /ping 192.168.10.5
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.10.5                               56  64 0ms
    1 192.168.10.5                               56  64 0ms
    2 192.168.10.5                               56  64 0ms
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

[admin@MikroTik] > /ping 192.168.20.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.20.1                                            timeout
    1 192.168.20.1                                            timeout
    sent=2 received=0 packet-loss=100%

[admin@MikroTik] > /ping 192.168.20.5
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.20.5                               56  64 0ms
    1 192.168.20.5                               56  64 0ms
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

[admin@MikroTik] > /ping 192.168.30.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.30.1                                            timeout
    sent=1 received=0 packet-loss=100%

[admin@MikroTik] > /ping 192.168.30.5
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.30.5                               56  64 14ms
    1 192.168.30.5                               56  64 0ms
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=7ms max-rtt=14ms

[admin@MikroTik] > /ping 192.168.50.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.50.1                                            timeout
    1 192.168.50.1                                            timeout
    sent=2 received=0 packet-loss=100%

Ping from a computer....
macbookpro-ether-mgmt:~ brian$ ping 192.168.88.1
PING 192.168.88.1 (192.168.88.1): 56 data bytes
64 bytes from 192.168.88.1: icmp_seq=0 ttl=64 time=0.715 ms
64 bytes from 192.168.88.1: icmp_seq=1 ttl=64 time=0.390 ms
64 bytes from 192.168.88.1: icmp_seq=2 ttl=64 time=0.378 ms
^C
--- 192.168.88.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.378/0.494/0.715/0.156 ms
macbookpro-ether-mgmt:~ brian$ ping 192.168.88.2
PING 192.168.88.2 (192.168.88.2): 56 data bytes
64 bytes from 192.168.88.2: icmp_seq=0 ttl=64 time=4.009 ms
64 bytes from 192.168.88.2: icmp_seq=1 ttl=64 time=1.995 ms
64 bytes from 192.168.88.2: icmp_seq=2 ttl=64 time=1.985 ms
^C
--- 192.168.88.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.985/2.663/4.009/0.952 ms
macbookpro-ether-mgmt:~ brian$ ping 192.168.88.3
PING 192.168.88.3 (192.168.88.3): 56 data bytes
64 bytes from 192.168.88.3: icmp_seq=0 ttl=64 time=3.934 ms
64 bytes from 192.168.88.3: icmp_seq=1 ttl=64 time=2.173 ms
64 bytes from 192.168.88.3: icmp_seq=2 ttl=64 time=2.232 ms
^C
--- 192.168.88.3 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.173/2.780/3.934/0.817 ms
macbookpro-ether-mgmt:~ brian$ 
macbookpro-ether-mgmt:~ brian$ 
macbookpro-ether-mgmt:~ brian$ ping 192.168.88.5
PING 192.168.88.5 (192.168.88.5): 56 data bytes
64 bytes from 192.168.88.5: icmp_seq=0 ttl=64 time=0.269 ms
64 bytes from 192.168.88.5: icmp_seq=1 ttl=64 time=0.233 ms
^C
--- 192.168.88.5 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.233/0.251/0.269/0.018 ms
macbookpro-ether-mgmt:~ brian$ ping 192.168.88.10
PING 192.168.88.10 (192.168.88.10): 56 data bytes
64 bytes from 192.168.88.10: icmp_seq=0 ttl=64 time=0.595 ms
64 bytes from 192.168.88.10: icmp_seq=1 ttl=64 time=0.328 ms
^C
--- 192.168.88.10 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.328/0.462/0.595/0.133 ms
macbookpro-ether-mgmt:~ brian$ ping 192.168.88.11
PING 192.168.88.11 (192.168.88.11): 56 data bytes
64 bytes from 192.168.88.11: icmp_seq=0 ttl=64 time=0.521 ms
64 bytes from 192.168.88.11: icmp_seq=1 ttl=64 time=0.317 ms
^C
--- 192.168.88.11 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.317/0.419/0.521/0.102 ms
macbookpro-ether-mgmt:~ brian$ 
macbookpro-ether-mgmt:~ brian$ ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=64 time=0.832 ms
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.774 ms
^C
--- 192.168.10.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.774/0.803/0.832/0.029 ms
macbookpro-ether-mgmt:~ brian$ ping 192.168.10.5
PING 192.168.10.5 (192.168.10.5): 56 data bytes
64 bytes from 192.168.10.5: icmp_seq=0 ttl=64 time=0.267 ms
^C
--- 192.168.10.5 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.267/0.267/0.267/0.000 ms
macbookpro-ether-mgmt:~ brian$ ping 192.168.30.1
PING 192.168.30.1 (192.168.30.1): 56 data bytes
64 bytes from 192.168.30.1: icmp_seq=0 ttl=64 time=80.688 ms
64 bytes from 192.168.30.1: icmp_seq=1 ttl=64 time=4.220 ms
^C
--- 192.168.30.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.220/42.454/80.688/38.234 ms
macbookpro-ether-mgmt:~ brian$ ping 192.168.30.5
PING 192.168.30.5 (192.168.30.5): 56 data bytes
64 bytes from 192.168.30.5: icmp_seq=0 ttl=64 time=2.505 ms
64 bytes from 192.168.30.5: icmp_seq=1 ttl=64 time=2.483 ms
^C
--- 192.168.30.5 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.483/2.494/2.505/0.011 ms
macbookpro-ether-mgmt:~ brian$ ping 192.168.50.1
PING 192.168.50.1 (192.168.50.1): 56 data bytes
64 bytes from 192.168.50.1: icmp_seq=0 ttl=64 time=0.703 ms
64 bytes from 192.168.50.1: icmp_seq=1 ttl=64 time=0.341 ms
^C
--- 192.168.50.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.341/0.522/0.703/0.181 ms
macbookpro-ether-mgmt:~ brian$ 

Router config....
# aug/17/2019 23:26:46 by RouterOS 6.45.3
# software id = 7Y7Z-F63C
#
# model = RouterBOARD 750G r3
# serial number = 6F38073BFB41
/interface bridge
add admin-mac=64:D1:54:54:CC:3F auto-mac=no name=lan-bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface vlan
add interface=lan-bridge name=vlan10-LAN vlan-id=10
add interface=lan-bridge name=vlan20-KIDS vlan-id=20
add interface=lan-bridge name=vlan30-IoT vlan-id=30
add interface=lan-bridge name=vlan50-Guest vlan-id=50
/interface list
add comment=defconf name=WAN
add comment="LAN Ethernet Interface" name=LAN
add comment="VLAN10 - LAN Network Segment" name=vlan10_LAN
add comment="VLAN20 - KIDS Network Segment" name=vlan20_KIDS
add comment="VLAN30 - Internet of Things (IoT) Network Segment" name=vlan30_IoT
add comment="VLAN50 - Guest Network Segment" name=vlan50_Guest
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=43 name=unifi value=0x0104c0a8580f
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool_MGMT ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool_vlan10-LAN ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool_vlan20-KIDS ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool_vlan30-IoT ranges=192.168.30.100-192.168.30.254
add name=dhcp_pool_vlan50-Guest ranges=192.168.50.100-192.168.50.254
/ip dhcp-server
add address-pool=dhcp_pool_MGMT disabled=no interface=lan-bridge name=dhcp_MGMT
add address-pool=dhcp_pool_vlan10-LAN disabled=no interface=vlan10-LAN name=dhcp_vlan10-LAN
add address-pool=dhcp_pool_vlan20-KIDS disabled=no interface=vlan20-KIDS name=dhcp_vlan20-KIDS
add address-pool=dhcp_pool_vlan30-IoT disabled=no interface=vlan30-IoT name=dhcp_vlan30-IoT
add address-pool=dhcp_pool_vlan50-Guest disabled=no interface=vlan50-Guest name=dhcp_vlan50-Guest
/queue simple
add max-limit=2M/5M name="All bandwidth - VLAN10" target=192.168.10.0/24
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 3 remote=192.168.88.5 src-address=192.168.88.1
/interface bridge filter
add action=accept chain=input dst-port=67-68 in-bridge=lan-bridge ip-protocol=udp mac-protocol=ip
add action=accept chain=forward dst-port=67-68 in-bridge=lan-bridge ip-protocol=udp mac-protocol=ip
/interface bridge port
add bridge=lan-bridge interface=ether2
add bridge=lan-bridge interface=ether3
add bridge=lan-bridge interface=ether4
add bridge=lan-bridge interface=ether5
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=lan-bridge tagged=lan-bridge,ether2,ether3,vlan10-LAN vlan-ids=10
add bridge=lan-bridge tagged=lan-bridge,ether2,ether3,vlan20-KIDS vlan-ids=20
add bridge=lan-bridge tagged=lan-bridge,ether2,ether3,vlan30-IoT vlan-ids=30
add bridge=lan-bridge tagged=lan-bridge,ether2,ether3,vlan50-Guest vlan-ids=50
add bridge=lan-bridge untagged=lan-bridge,ether2,ether3 vlan-ids=1
/interface list member
add comment=defconf interface=ether2 list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=vlan10_LAN interface=vlan10-LAN list=vlan10_LAN
add comment=vlan20_KIDS interface=vlan20-KIDS list=vlan20_KIDS
add comment=vlan30_IoT interface=vlan30-IoT list=vlan30_IoT
add comment=vlan50_Guest interface=vlan50-Guest list=vlan50_Guest
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=lan-bridge list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add interface=vlan10-LAN list=discover
add interface=vlan20-KIDS list=discover
add interface=vlan30-IoT list=discover
add interface=vlan50-Guest list=discover
add interface=ether2 list=mactel
add interface=ether2 list=mac-winbox
/ip address
add address=192.168.88.1/24 comment=MGMT interface=lan-bridge network=192.168.88.0
add address=192.168.10.1/24 comment=vlan10-LAN interface=vlan10-LAN network=192.168.10.0
add address=192.168.20.1/24 comment=vlan20-KIDS interface=vlan20-KIDS network=192.168.20.0
add address=192.168.30.1/24 comment=vlan30-IoT interface=vlan30-IoT network=192.168.30.0
add address=192.168.50.1/24 comment=vlan50-Guest interface=vlan50-Guest network=192.168.50.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=vlan10-LAN dhcp-option=unifi dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 comment=vlan20-KIDS dhcp-option=unifi dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 comment=vlan30-IoT dhcp-option=unifi dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.50.0/24 comment=vlan50-Guest dhcp-option=unifi dns-server=192.168.50.1 gateway=192.168.50.1
add address=192.168.88.0/24 comment="MGMT network" dhcp-option=unifi dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.1.11 comment=new_test_host list=hosts-who-may-knock
add address=xx.xx.xx.0/24 list=hosts-who-may-knock
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface-list=WAN \
    src-address-list=NotPublic
add action=jump chain=input comment=\
    "jump to port knocking chain 'input-knock' for port-knocking validation provided source address is in address list 'hosts-who-may-knock'" \
    in-interface-list=WAN jump-target=input-knock src-address-list=hosts-who-may-knock
add action=accept chain=input comment="accept ICMP - MGMT" dst-address=192.168.88.1 in-interface=lan-bridge log=yes log-prefix=\
    "ICMP - MGMT to MikroTik RTR" protocol=icmp src-address=192.168.88.0/24
add action=accept chain=input comment="accept ICMP - vlan10-LAN to Mikrotik RTR" dst-address=192.168.10.1 in-interface=vlan10-LAN log=yes log-prefix=\
    "ICMP - vlan10-LAN" protocol=icmp src-address=192.168.10.0/24
add action=accept chain=input comment="accept ICMP - vlan20-KIDS to Mikrotik RTR" dst-address=192.168.20.1 in-interface=vlan20-KIDS log=yes log-prefix=\
    "ICMP -vlan20-KIDS" protocol=icmp src-address=192.168.20.0/24
add action=accept chain=input comment="accept ICMP - vlan30-IoT to Mikrotik RTR" dst-address=192.168.30.1 in-interface=vlan30-IoT log=yes log-prefix=\
    "ICMP - vlan30-IoT" protocol=icmp src-address=192.168.30.0/24
add action=accept chain=input comment="accept ICMP - vlan50-Guest to Mikrotik RTR" dst-address=192.168.50.1 in-interface=vlan50-Guest log=yes log-prefix=\
    "ICMP - vlan50-Guest" protocol=icmp src-address=192.168.50.0/24
add action=accept chain=input comment="DHCP requests - MGMT" dst-port=67-68 in-interface=lan-bridge log=yes log-prefix="DHCP - MGMT" protocol=udp
add action=accept chain=input comment="DHCP requests - vlan10-LAN" dst-port=67-68 in-interface=vlan10-LAN log=yes log-prefix="DHCP - vlan10-LAN" \
    protocol=udp
add action=accept chain=input comment="DHCP requests -vlan20-KIDS" dst-port=67-68 in-interface=vlan20-KIDS log=yes log-prefix="DHCP - vlan20-KIDS" \
    protocol=udp
add action=accept chain=input comment="DHCP requests - vlan30-IoT" dst-port=67-68 in-interface=vlan30-IoT log=yes log-prefix="DHCP - vlan30-IoT" \
    protocol=udp
add action=accept chain=input comment="DHCP requests - vlan50-Guest" dst-port=67-68 in-interface=vlan50-Guest log=yes log-prefix="DHCP - vlan50-Guest" \
    protocol=udp
add action=accept chain=input comment="DNS lookups to router DNS server MGMT UDP" dst-port=53 in-interface=lan-bridge log=yes log-prefix="DNS - MGMT UDP" \
    protocol=udp
add action=accept chain=input comment="DNS lookups to router DNS server MGMT TCP" dst-port=53 in-interface=lan-bridge log=yes log-prefix="DNS - MGMT TCP" \
    protocol=tcp
add action=accept chain=input comment="DNS lookups to router DNS server vlan10-LAN UDP" dst-port=53 in-interface=vlan10-LAN log=yes log-prefix=\
    "DNS- vlan10-LAN UDP" protocol=udp
add action=accept chain=input comment="DNS lookups to router DNS server - vlan10-LAN TCP" dst-port=53 in-interface=vlan10-LAN log=yes log-prefix=\
    "DNS - vlan10-LAN TCP" protocol=tcp
add action=accept chain=input comment="DNS lookups to router DNS server vlan20-KIDS UDP" dst-port=53 in-interface=vlan20-KIDS log=yes log-prefix=\
    "DNS - vlan20-KIDS UDP" protocol=udp
add action=accept chain=input comment="DNS lookups to router DNS server vlan20-KIDS TCP" dst-port=53 in-interface=vlan20-KIDS log=yes log-prefix=\
    "DNS - vlan20-KIDS TCP" protocol=tcp
add action=accept chain=input comment="DNS lookups to router DNS server vlan30-IoT UDP" dst-port=53 in-interface=vlan30-IoT log=yes log-prefix=\
    "DNS - vlan30-IoT UDP" protocol=udp
add action=accept chain=input comment="DNS lookups to router DNS server vlan30-IoT TCP" dst-port=53 in-interface=vlan30-IoT log=yes log-prefix=\
    "DNS - vlan30-IoT TCP" protocol=tcp
add action=accept chain=input comment="DNS lookups to router DNS server vlan50-Guest UDP" dst-port=53 in-interface=vlan50-Guest log=yes log-prefix=\
    "DNS - vlan50-Guest UDP" protocol=udp
add action=accept chain=input comment="DNS lookups to router DNS server vlan50-Guest TCP" dst-port=53 in-interface=vlan50-Guest log=yes log-prefix=\
    "DNS - vlan50-Guest TCP" protocol=tcp
add action=accept chain=input comment="accept MGMT traffic to MikroTik router from MGMT - ssh(22)" connection-state=new dst-port=22 in-interface=\
    lan-bridge protocol=tcp src-port=""
add action=accept chain=input comment="accept MGMT traffic to MikroTik router from vlan10-LAN - ssh(22)" connection-state=new dst-port=22 in-interface=\
    vlan10-LAN protocol=tcp
add action=accept chain=input comment="accept MGMT traffic to MikroTik router from vlan30-IoT - ssh(22)" connection-state=new dst-port=22 in-interface=\
    vlan30-IoT protocol=tcp
add action=accept chain=input comment="accept MGMT traffic to MikroTik router from MGMT - WinBox" connection-state=new dst-port=8291 in-interface=\
    lan-bridge log=yes log-prefix="Mikrotik WinBox" protocol=tcp
add action=accept chain=input comment="accept MGMT trafic to MikroTik router from vlan10-LAN - WinBox" connection-state=new dst-port=8291 in-interface=\
    vlan10-LAN log=yes log-prefix="IN FROM vlan10" protocol=tcp
add action=accept chain=input comment="accept MGMT traffic to MikroTik router from vlan30-IoT - WinBox" connection-state=new dst-port=8291 in-interface=\
    vlan30-IoT log=yes log-prefix="IN FROM vlan30" protocol=tcp
add action=drop chain=input comment="DROP all other inbound traffic on lan-bridge" in-interface=lan-bridge log=yes log-prefix="DROP ALL - MGMT"
add action=drop chain=input comment="DROP all other inbound trafice on vlan10-LAN" in-interface=vlan10-LAN log=yes log-prefix="DROP ALL - vlan10-LAN"
add action=drop chain=input comment="DROP all other inbound traffic on vlan20-KIDS" in-interface=vlan20-KIDS log=yes log-prefix="DROP ALL - vlan20-KIDS"
add action=drop chain=input comment="DROP all other inbound traffic on vlan30-IoT" in-interface=vlan30-IoT log=yes log-prefix="DROP ALL - vlan30-IoT"
add action=drop chain=input comment="DROP all other inbound traffic on vlan50-Guest" in-interface=vlan50-Guest log=yes log-prefix=\
    "DROP ALL - vlan50-Guest"
add action=drop chain=input comment="drop all other LAN connections inbound to MikroTik RTR on LAN interfaces (!WAN)" in-interface-list=!WAN log=yes \
    log-prefix="LOG ALL DROPS LAN"
add action=drop chain=input comment="drop all other WAN connections inbound to MikroTik RTR on WAN port (ether1)" in-interface-list=WAN log=yes \
    log-prefix="DROP - INBOUND - INTERNET WAN"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Permit access to Thomson DCM476 Cable Modem on 192.168.100.1 address space) from internal networks" dst-address=\
    192.168.100.1 in-interface=lan-bridge src-address=192.168.88.0/24
add action=accept chain=forward comment="Permit access to Thomson DCM476 Cable Modem on 192.168.100.1 address space) from internal networks" dst-address=\
    192.168.100.1 in-interface=vlan10-LAN
add action=accept chain=forward comment="Permit access to Thomson DCM476 Cable Modem on 192.168.100.1 address space) from internal networks" dst-address=\
    192.168.100.1 in-interface=vlan20-KIDS
add action=accept chain=forward comment="Permit access to Thomson DCM476 Cable Modem on 192.168.100.1 address space) from internal networks" dst-address=\
    192.168.100.1 in-interface=vlan30-IoT src-address=192.168.30.0/24
add action=accept chain=forward comment="Permit access to Thomson DCM476 Cable Modem on 192.168.100.1 address space) from internal networks" dst-address=\
    192.168.100.1 in-interface=vlan50-Guest
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface-list=WAN \
    src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=\
    NotPublic in-interface=lan-bridge
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=\
    NotPublic in-interface=vlan10-LAN
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=\
    NotPublic in-interface=vlan20-KIDS
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=\
    NotPublic in-interface=vlan30-IoT
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=\
    NotPublic in-interface=vlan50-Guest
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=lan-bridge src-address=\
    !192.168.88.0/24
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=vlan10-LAN src-address=\
    !192.168.10.0/24
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=vlan20-KIDS src-address=\
    !192.168.20.0/24
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=vlan30-IoT src-address=\
    !192.168.30.0/24
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=vlan50-Guest \
    src-address=!192.168.50.0/24
add action=accept chain=forward comment="DST-NAT FORWARDING: Forward ssh (22) connections to MacMini-eth-MGMT (192.168.88.15) if source address is in PORT\
    KNOCK_ALLOWED (successful port knock occurred via chain input-knock to build up PORTKNOCK_ALLOWED) - inbound on external interface ether1" \
    dst-address=192.168.88.15 dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=PORTKNOCK_ALLOWED
add action=drop chain=forward comment="DST-NAT FORWARDING: drop all other dst-nat forwarding" connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=forward comment="drop traffic from MGMT to vlan10-LAN" in-interface=lan-bridge log=yes log-prefix=\
    "DROP Forwarding from MGMT to VLAN10" out-interface=vlan10-LAN
add action=drop chain=forward comment="drop traffic from MGMT to vlan20-KIDS" in-interface=lan-bridge log=yes log-prefix=\
    "DROP Forwarding from MGMT to VLAN20" out-interface=vlan20-KIDS
add action=drop chain=forward comment="drop traffic from MGMT to vlan30-IoT" in-interface=lan-bridge log=yes log-prefix=\
    "DROP Forwarding from MGMT to VLAN30" out-interface=vlan30-IoT
add action=drop chain=forward comment="drop traffic from MGMT to vlan50-Guest" in-interface=lan-bridge log=yes log-prefix=\
    "DROP Forwarding from MGMT to VLAN50" out-interface=vlan50-Guest
add action=drop chain=forward comment="drop traffic from vlan10-LAN to MGMT" in-interface=vlan10-LAN log=yes log-prefix=\
    "DROP Forwarding from VLAN10 to MGMT" out-interface=lan-bridge
add action=drop chain=forward comment="drop traffic from vlan10-LAN to vlan20-KIDS" in-interface=vlan10-LAN log=yes log-prefix=\
    "DROP Forwarding from VLAN10 to VLAN20" out-interface=vlan20-KIDS
add action=drop chain=forward comment="drop traffic from vlan10-LAN to vlan30-IoT" in-interface=vlan10-LAN log=yes log-prefix=\
    "DROP Forwarding from VLAN10 to VLAN30" out-interface=vlan30-IoT
add action=drop chain=forward comment="drop traffic from vlan10-LAN to vlan50-Guest" in-interface=vlan10-LAN log=yes log-prefix=\
    "DROP Forwarding from VLAN10 to VLAN50" out-interface=vlan50-Guest
add action=drop chain=forward comment="drop traffic from vlan20-KIDS to MGMT" in-interface=vlan20-KIDS log=yes log-prefix=\
    "DROP Forwarding from VLAN20 to MGMT" out-interface=lan-bridge
add action=drop chain=forward comment="drop traffic from vlan20-KIDS to vlan10-LAN" in-interface=vlan20-KIDS log=yes log-prefix=\
    "DROP Forwarding from VLAN20 to VLAN10" out-interface=vlan10-LAN
add action=drop chain=forward comment="drop traffic from vlan20-KIDS to vlan30-IoT" in-interface=vlan20-KIDS log=yes log-prefix=\
    "DROP Forwarding from VLAN20 to VLAN30" out-interface=vlan30-IoT
add action=drop chain=forward comment="drop traffic from vlan20-KIDS to vlan50-Guest" in-interface=vlan20-KIDS log=yes log-prefix=\
    "DROP Forwarding from VLAN20 to VLAN50" out-interface=vlan50-Guest
add action=drop chain=forward comment="drop traffic from vlan30-IoT to MGMT" in-interface=vlan30-IoT log=yes log-prefix=\
    "DROP Forwarding from VLAN30 to MGMT" out-interface=lan-bridge
add action=drop chain=forward comment="drop traffic from vlan30-IoT to vlan10-LAN" in-interface=vlan30-IoT log=yes log-prefix=\
    "DROP Forwarding from VLAN30 to VLAN10" out-interface=vlan10-LAN
add action=drop chain=forward comment="drop traffic from vlan30-IoT to vlan20-KIDS" in-interface=vlan30-IoT log=yes log-prefix=\
    "DROP Forwarding from VLAN30 to VLAN20" out-interface=vlan20-KIDS
add action=drop chain=forward comment="drop traffic from vlan30-IoT to vlan50-Guest" in-interface=vlan30-IoT log=yes log-prefix=\
    "DROP Forwarding from VLAN30 to VLAN50" out-interface=vlan50-Guest
add action=drop chain=forward comment="drop traffic from vlan50-Guest to MGMT" in-interface=vlan50-Guest log=yes log-prefix=\
    "DROP Forwarding from VLAN50 to MGMT" out-interface=lan-bridge
add action=drop chain=forward comment="drop traffic from vlan50-Guest to vlan10-LAN" in-interface=vlan50-Guest log=yes log-prefix=\
    "DROP Forwarding from VLAN50 to VLAN10" out-interface=vlan10-LAN
add action=drop chain=forward comment="drop traffic from vlan50-Guest to vlan20-KIDS" in-interface=vlan50-Guest log=yes log-prefix=\
    "DROP Forwarding from VLAN50 to VLAN20" out-interface=vlan20-KIDS
add action=drop chain=forward comment="drop traffic from vlan50-Guest to vlan30-IoT" in-interface=vlan50-Guest log=yes log-prefix=\
    "DROP Forwarding from VLAN50 to VLAN30" out-interface=vlan30-IoT
add action=accept chain=input-knock comment="INPUT-KNOCK: accept WAN connections inbound on port 2222 to Mikrotik RTR destined for MacBookPro on port 22" \
    connection-state=new dst-port=2222 in-interface-list=WAN protocol=tcp src-address-list=PORTKNOCK_ALLOWED
add action=accept chain=input-knock connection-state=established
add action=add-src-to-address-list address-list=PORTKNOCK_ALLOWED address-list-timeout=15m chain=input-knock connection-state=new dst-port=7890 \
    in-interface-list=WAN protocol=tcp src-address-list=PORTKNOCK_STAGE_2
add action=add-src-to-address-list address-list=PORTKNOCK_STAGE_2 address-list-timeout=20s chain=input-knock connection-state=new dst-port=123 \
    in-interface-list=WAN protocol=tcp src-address-list=PORTKNOCK_STAGE_1
add action=add-src-to-address-list address-list=PORTKNOCK_STAGE_1 address-list-timeout=20s chain=input-knock connection-state=new dst-port=456 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input-knock comment="drop all other WAN connections inbound to MikroTik RTR on WAN port (ether1)" in-interface-list=WAN
add action=return chain=input-knock comment=\
    "INPUT-KNOCK: return back to calling chain (input) that initiate jump based on matching source-address 'hosts-who-may-knock'"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=192.168.10.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=192.168.20.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=192.168.30.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=192.168.50.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=2222 in-interface-list=WAN protocol=tcp src-address-list=PORTKNOCK_ALLOWED to-addresses=\
    192.168.88.254 to-ports=22
add action=dst-nat chain=dstnat dst-port=2222 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.15 to-ports=22
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.10.0/24,192.168.20.0/24,192.168.30.0/24,192.168.50.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp interfaces
add type=internal
add type=internal
add type=internal
add type=internal
add interface=lan-bridge type=internal
/system clock
set time-zone-name=America/Toronto
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
add disabled=yes prefix=dhcp topics=debug
/system ntp client
set enabled=yes primary-ntp=206.108.0.134 secondary-ntp=138.197.135.239 server-dns-names=0.ca.pool.ntp.org,3.ca.pool.ntp.org
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sms
set allowed-number=""
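The forward chain above isolates the five segments with one explicit drop rule per (in-interface, out-interface) pair, which is easy to leave incomplete as VLANs are added. The following is an added example, not code from the thread or from MikroTik: it re-joins the backslash-wrapped lines of a RouterOS export, parses the `/ip firewall filter` entries, and reports any segment pair that has no forward drop rule. The export text is a constructed subset of the one posted above, with one pair deliberately omitted.

```python
"""Audit pairwise inter-segment drop rules in a RouterOS '/export' dump."""
import shlex
from itertools import permutations

# Constructed subset of the posted export; vlan30-IoT -> lan-bridge is deliberately left out.
EXPORT = r"""
/ip firewall filter
add action=accept chain=forward comment="Forward ssh (22) if source is in PORT\
    KNOCK_ALLOWED" dst-address=192.168.88.15 dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=PORTKNOCK_ALLOWED
add action=drop chain=forward comment="drop traffic from MGMT to vlan10-LAN" in-interface=lan-bridge log=yes log-prefix=\
    "DROP Forwarding from MGMT to VLAN10" out-interface=vlan10-LAN
add action=drop chain=forward comment="drop traffic from MGMT to vlan30-IoT" in-interface=lan-bridge log=yes log-prefix=\
    "DROP Forwarding from MGMT to VLAN30" out-interface=vlan30-IoT
add action=drop chain=forward comment="drop traffic from vlan10-LAN to MGMT" in-interface=vlan10-LAN log=yes log-prefix=\
    "DROP Forwarding from VLAN10 to MGMT" out-interface=lan-bridge
add action=drop chain=forward comment="drop traffic from vlan10-LAN to vlan30-IoT" in-interface=vlan10-LAN log=yes log-prefix=\
    "DROP Forwarding from VLAN10 to VLAN30" out-interface=vlan30-IoT
add action=drop chain=forward comment="drop traffic from vlan30-IoT to vlan10-LAN" in-interface=vlan30-IoT log=yes log-prefix=\
    "DROP Forwarding from VLAN30 to VLAN10" out-interface=vlan10-LAN
"""

def join_continuations(text):
    """Rejoin lines the export wrapped with a trailing backslash (also inside quotes)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]          # continuation: keep accumulating
            continue
        lines.append(buf + line)
        buf = ""
    return lines

def parse_filter_rules(text):
    """Return each '/ip firewall filter' add line as a dict of key -> value."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line            # menu path, e.g. /ip firewall filter
        elif section == "/ip firewall filter" and line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line)[1:]))
    return rules

def isolation_gaps(rules, segments):
    """(in, out) segment pairs with no forward drop rule; rule ordering is not checked."""
    dropped = {(r.get("in-interface"), r.get("out-interface"))
               for r in rules if r.get("chain") == "forward" and r.get("action") == "drop"}
    return [pair for pair in permutations(segments, 2) if pair not in dropped]
```

Run it against a full `/export` and the real segment list; an empty result means every pair has a drop, but a drop placed after an earlier accept for the same traffic would still not take effect, so rule order must be checked separately.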
 
bolmsted
just joined
Topic Author
Posts: 23
Joined: Mon Nov 13, 2017 7:03 pm

Re: Can't ping router IPs from router

Sun Aug 18, 2019 4:48 pm

Here's a network diagram.

Trying to create the bridge for ether2/3 (lan-bridge) and can't ping the IPs on the lan-bridge or VLANs below.

I just noticed for some reason I can't ping the IP on ether1 (my internet IP) which I'm pretty sure I could ping before but I can ping the internet default gateway.

Something is going on in the setup - maybe something basic that I'm just not seeing.