 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

CPU VLAN on RB750GR3 WebFig

Mon Apr 06, 2020 3:35 am

This is a follow up to my previous post here: viewtopic.php?f=13&t=159532

I'm attempting to set up a CPU VLAN for a Ubiquiti WAP. This is my lab setup that I'm trying out before applying to my RB2011, but I just realized that these two will take different approaches to VLANs. Guest VLAN is 200, which is specified on the WAP; everything else untagged should be VLAN 100.

1. RB750GR3 uses the CPU for VLANs, but I noticed that in the default config when adding ports ether2 .. 5 it has hw offload on. To enable VLANs here I had to turn it off. How does the router work with this on? Shouldn't it error out?

2. One side effect that I didn't think through is how do I access WebFig now, which I assume is in VLAN 1? I seem to be locked out of the config. Do I set up a management VLAN? I would prefer to access it from VLAN 100. Not sure what the normal approach here is.

3. Does the configuration below look sane? I combined the MikroTik online Manual with various posts from the forum.

Configuration:
# model = RB750Gr3
/interface bridge
add admin-mac=B8:69:F4:AB:32:8A auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.1.100.100-10.1.100.199
add name=dhcp_pool2 ranges=10.1.200.200-10.1.200.250
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan100 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan200 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether3 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether4 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=200
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5 vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=10.1.200.1/24 interface=vlan200 network=10.1.200.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.100.0/24 gateway=10.1.100.1
add address=10.1.200.0/24 gateway=10.1.200.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/interface bridge set bridge vlan-filtering=yes
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Mon Apr 06, 2020 5:29 am

Since you are dealing with non-MT devices, keeping it all VLANs and not using the bridge as well for DHCP may be easier.
Additions to current setup in blue etc.
What I don't understand is where your 192.168.88 network needs access to??? What do you use it for, since it's not on any ports?????
I will assume it is required on all trunk ports.............. and since all the access ports are configured with specific VLANs already, they do not use 192.168.88.1

/interface vlan
add interface=bridge name=base_vlan10 vlan-id=10
/ip pool
add name=dhcp-base ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp-base disabled=no interface=base_vlan10 name=base
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether3 pvid=100 (should be 200??)
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=200
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5 vlan-ids=100

There is a problem: eth3 cannot both be a trunk port and an access port ........so either it's going to devices that are not VLAN aware and thus only able to accept one VLAN ID, or it's going to a device that is VLAN aware and thus is a trunk port. I am going to assume that this is also a mis-numbering on the bridge port and it should be 200 for eth3.

Let's say that ether3 is supposed to be on vlan200.

Then if it's an access port:
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether3 pvid=200
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=200

Then if it's a trunk port:
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether3
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=200

/ip address
add address=192.168.88.1/24 comment=defconf interface=base_vlan10 network=192.168.88.0
/ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,1.1.1.1,9.9.9.9

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
(this is a left over from the default router setup and can be removed.)

/ip firewall filter
Missing blocking vlans from each other as I expect that is desired ??????????
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Mon Apr 06, 2020 5:43 am

I truly appreciate the time you put into this.

To clarify, I'm still learning. The 192.168.X.X network was just something I thought the two VLANs would route through, I didn't realize it would be dead in the water and not needed.

Further clarification on ether3. It's a PoE switch that's actually plugged in there. One of the devices is a WAP, which is VLAN-aware and serving Home SSID (VLAN 100) and Guest SSID (VLAN 200). However, there are other home devices attached to the PoE switch as well which are not smart enough to attach themselves to VLAN 100 by default.

In your updated config below how would I access WebFig for changes?

I also assumed that blocking access from the VLANs to each other would be by default; I was clearly wrong. I see what I'm missing now:
add action=drop chain=forward in-interface=vlan100 out-interface=vlan200
add action=drop chain=forward in-interface=vlan200 out-interface=vlan100
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Mon Apr 06, 2020 3:18 pm

That is very helpful to know 100 = home and 200 = guest.

In which case your config should look like this........ Will deal with firewall config separately.
# model = RB750Gr3
/interface bridge
add admin-mac=B8:69:F4:AB:32:8A auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=10.1.100.100-10.1.100.199
add name=dhcp_pool2 ranges=10.1.200.200-10.1.200.250
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan100 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan200 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether3
add bridge=bridge comment=defconf hw=no interface=ether4 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=200
add bridge=bridge tagged=bridge,ether3 untagged=ether2,ether4,ether5 vlan-ids=100
/interface list member
add comment=defconf interface=vlan100 list=LAN
add interface=vlan200 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=10.1.200.1/24 interface=vlan200 network=10.1.200.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.100.0/24 gateway=10.1.100.1
add address=10.1.200.0/24 gateway=10.1.200.1
/ip dns
set allow-remote-requests=yes servers=\
9.9.9.9,1.1.1.1,8.8.8.8
/tool mac-server
set allowed-interface-list=vlan100
/tool mac-server mac-winbox
set allowed-interface-list=vlan100
/interface bridge set bridge vlan-filtering=yes
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Mon Apr 06, 2020 3:50 pm

Okay, we are going to modify/replace one rule in the input chain in order to make it more secure and in the forward chain lock it down better and block the vlan200 to vlan100 efficiently.

(1) Input Chain: The rule I am getting rid of: add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
Which basically says drop anything coming into the router not coming from the LAN.
This is a great starter default rule; however, it lets anybody on your LAN talk to the router, where we only want the admin to talk to the router.
Why do we need to talk to the router? Two reasons: to use services the router provides (and why the default rule leaves this open from the LAN) AND for the admin to access and change router config.
So we will replace the rule with 3 rules. One to allow the admin to access the router and two/three to allow users to access router DNS services.
Finally, we are going to add in a drop-all-else rule at the very end when everything else is working fine on both input and forward chains.
GO TO THE FIRST HALF BELOW................. before reading next para.

(2) Forward Chain: What we are going to do here is take one rule and replace it .........
Do you know what this rule says or does?
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
It's another great default rule to keep the config safe for new users. It's saying drop all from WAN (incoming unsolicited (originating) from the WAN) unless it has a destination port that matches a destination NAT rule you have on the router. Bit confusing to read that line and quickly make sense of it for the uninitiated (anytime you use the ! symbol, tread carefully).
So we will replace that rule with a clearer rule. We will also block unwanted traffic and any vlan-to-vlan traffic simply by, as in the input chain, adding a last rule to block all other traffic.
The premise here is that if we don't specifically state that a specific traffic flow is permitted, it will get dropped by the router. Clean and simple.
The obvious traffic we wish to permit is both home and guest access to the internet.
The not so obvious: for example, I created a rule to allow admin access to the guest VLAN.
Let's say you want to give access just to the home printer 10.1.100.115 to guests if they wish to print something.

/ip firewall filter
{input chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Admin Access" in-interface=vlan100 src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-TCP" \
protocol=tcp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
protocol=udp dst-port=53 in-interface-list=LAN

add action=drop chain=input comment="Drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow home-guest access to internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Admin Access to Guest VLAN" in-interface=vlan100 src-address-list=adminaccess out-interface=vlan200
add action=accept chain=forward comment="Guest Access to Printer" in-interface=vlan200 dst-address=10.1.100.115
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all else"

/ip firewall address-list
add address=ipaddress1 list=adminaccess (for example your desktop)
add address=ipaddress2 list=adminaccess (for example your laptop or iPad)

Note: If you don't do any port forwarding and don't want guest access to the printer, you can just not include those lines.
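To check what the rule set above actually decides for a given flow, here is a small first-match evaluator for the input and forward chains (an added example, not code from the post or from RouterOS; the interface lists, address list and rules are transcribed from this thread, the packets are constructed, and the fasttrack and ipsec-policy rules are left out because they do not decide the verdict for a new flow):

```python
"""First-match evaluator for the firewall filter proposed in this thread.
Added example: the rules mirror the post, the test flows are constructed."""
from __future__ import annotations

# Interface lists and the admin address list as defined in the thread.
INTERFACE_LISTS = {"LAN": {"vlan100", "vlan200"}, "WAN": {"ether1"}}
ADDRESS_LISTS = {"adminaccess": {"10.1.100.199"}}  # constructed admin PC


def rule(chain, action, comment, **match):
    return {"chain": chain, "action": action, "comment": comment, "match": match}


# Rules in chain order; fasttrack (non-terminating) and ipsec-policy rules omitted.
RULES = [
    rule("input", "accept", "defconf: accept established,related,untracked",
         connection_state={"established", "related", "untracked"}),
    rule("input", "drop", "defconf: drop invalid", connection_state={"invalid"}),
    rule("input", "accept", "defconf: accept ICMP", protocol="icmp"),
    rule("input", "accept", "defconf: accept to local loopback", dst_address="127.0.0.1"),
    rule("input", "accept", "Admin Access", in_interface="vlan100",
         src_address_list="adminaccess"),
    rule("input", "accept", "Allow LAN DNS queries-TCP", protocol="tcp",
         dst_port=53, in_interface_list="LAN"),
    rule("input", "accept", "Allow LAN DNS queries-UDP", protocol="udp",
         dst_port=53, in_interface_list="LAN"),
    rule("input", "drop", "Drop all else"),
    rule("forward", "accept", "defconf: accept established,related,untracked",
         connection_state={"established", "related", "untracked"}),
    rule("forward", "drop", "defconf: drop invalid", connection_state={"invalid"}),
    rule("forward", "accept", "Allow home-guest access to internet",
         in_interface_list="LAN", out_interface_list="WAN"),
    rule("forward", "accept", "Admin Access to Guest VLAN", in_interface="vlan100",
         out_interface="vlan200", src_address_list="adminaccess"),
    rule("forward", "accept", "Guest Access to Printer", in_interface="vlan200",
         dst_address="10.1.100.115"),
    rule("forward", "accept", "Allow Port Forwarding - DSTNAT",
         connection_nat_state="dstnat", connection_state={"new"}, in_interface_list="WAN"),
    rule("forward", "drop", "Drop all else"),
]


def _matches(match, pkt):
    """Every matcher on a rule must hold (RouterOS ANDs the matchers)."""
    for key, want in match.items():
        if key == "connection_state":
            ok = pkt["connection_state"] in want
        elif key == "in_interface_list":
            ok = pkt["in_interface"] in INTERFACE_LISTS[want]
        elif key == "out_interface_list":
            ok = pkt["out_interface"] in INTERFACE_LISTS[want]
        elif key == "src_address_list":
            ok = pkt["src_address"] in ADDRESS_LISTS[want]
        else:  # in_interface, out_interface, protocol, dst_port, dst_address, connection_nat_state
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True


def evaluate(chain, pkt):
    """Walk the chain top-down and return (action, comment) of the first match.
    A chain with no matching rule accepts by default; the explicit
    'Drop all else' rules are what turn that into default-deny."""
    for r in RULES:
        if r["chain"] == chain and _matches(r["match"], pkt):
            return r["action"], r["comment"]
    return "accept", "(implicit chain default)"


def packet(src, in_interface, out_interface=None, dst_address=None, protocol="tcp",
           dst_port=None, connection_state="new", connection_nat_state=None):
    """Constructed flow description for one packet of a connection."""
    return dict(src_address=src, in_interface=in_interface, out_interface=out_interface,
                dst_address=dst_address, protocol=protocol, dst_port=dst_port,
                connection_state=connection_state, connection_nat_state=connection_nat_state)


# Constructed sample flows: 10.1.100.199 is the admin PC, 10.1.200.50 a guest.
FLOWS = {
    "guest DNS to router":     ("input", packet("10.1.200.50", "vlan200", dst_address="10.1.200.1", protocol="udp", dst_port=53)),
    "guest WebFig to router":  ("input", packet("10.1.200.50", "vlan200", dst_address="10.1.200.1", dst_port=80)),
    "home non-admin WebFig":   ("input", packet("10.1.100.50", "vlan100", dst_address="10.1.100.1", dst_port=80)),
    "admin WebFig":            ("input", packet("10.1.100.199", "vlan100", dst_address="10.1.100.1", dst_port=80)),
    "guest to home PC":        ("forward", packet("10.1.200.50", "vlan200", out_interface="vlan100", dst_address="10.1.100.50", dst_port=445)),
    "guest to home printer":   ("forward", packet("10.1.200.50", "vlan200", out_interface="vlan100", dst_address="10.1.100.115", dst_port=9100)),
    "admin to guest client":   ("forward", packet("10.1.100.199", "vlan100", out_interface="vlan200", dst_address="10.1.200.50", dst_port=22)),
    "guest to internet":       ("forward", packet("10.1.200.50", "vlan200", out_interface="ether1", dst_address="1.1.1.1", dst_port=443)),
    "unsolicited from WAN":    ("forward", packet("203.0.113.9", "ether1", out_interface="vlan100", dst_address="10.1.100.50", dst_port=22)),
}


def verdicts():
    return {name: evaluate(chain, pkt) for name, (chain, pkt) in FLOWS.items()}


if __name__ == "__main__":
    for name, (action, comment) in verdicts().items():
        print(f"{name:24s} -> {action:6s} by '{comment}'")
```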
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Mon Apr 06, 2020 5:57 pm

Thanks so much. Let me digest this and combine the two threads to see what I get. Also appreciate you going heavy on the firewall as that's not my strong suit.

In your config what is the IP of the router?
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Mon Apr 06, 2020 6:17 pm

I think I found it, it's likely at the end here:
/tool mac-server
set allowed-interface-list=vlan100
/tool mac-server mac-winbox
set allowed-interface-list=vlan100
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Mon Apr 06, 2020 10:20 pm

What is the IP of the router??
It's a vague question.
What is the WAN IP of the router........... that is decided by your ISP.
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Tue Apr 07, 2020 2:22 am

It looks like my immediate problem when trying out this config is in the allowed interfaces in the tooling:
[admin@MikroTik] > /tool mac-server
[admin@MikroTik] /tool mac-server> set allowed-interface-list=vlan100
input does not match any value of allowed-interface-list
Not sure if I messed anything up but I see the vlan100|200 interfaces but when I check these settings from the GUI the only options are coming from here:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Tue Apr 07, 2020 3:43 am

It appears you never added the interface list members.
On the interface list sub menu (under interfaces) one has to select the box to the right called LISTS............
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 5:52 am

I tried out the config and most of the things are working, except there is some weirdness around ether3, which has the switch connected to it with the WAP. It looks like this:
mikrotik ether3 -> unmanaged poe switch -> (wap [home vlan100 | guest vlan200], device1, device2, device3)
ether2, ether4 and ether5 get the IP from vlan100 - good
ether3 through the poe switch: the wap on home vlan100 gets the IP from vlan100 - good
ether3 through the poe switch: the wap on home vlan200 gets the IP from vlan200 - good
ether3 through the poe switch for device1 .. 3 gets really confused, since these devices are not sending back the explicit vlan100 tag. It doesn't work till I put this mess back in:
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether3 pvid=100
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5 vlan-ids=100
Any suggestions?
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 3:10 pm

Again, I don't comment on snippets as the config is integrated; please post the entire config...........

Remember, if port 3 is carrying a number of VLANs (aka a trunk port), the device it attaches to must also be VLAN aware (trunk to trunk).

It seems you are attaching ether3 to an unmanaged switch??
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 3:23 pm

The snippet is the only difference from the config you posted. Here is the full thing:

The way I made this work is having the guest (VLAN 200) show up as tagged traffic on ether3 and assuming everything else, even the home WiFi is untagged as VLAN 100. I looked here: https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering under "VLAN Example #2 (Trunk and Hybrid Ports)".
# model = RB750Gr3
/interface bridge
add admin-mac=B8:69:F4:AB:32:8A auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=10.1.100.100-10.1.100.199
add name=dhcp_pool2 ranges=10.1.200.200-10.1.200.250
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan100 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan200 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether3 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether4 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=200
add bridge=bridge tagged=bridge untagged=ether2,ether4,ether5,ether3 vlan-ids=100
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan200 list=LAN
add interface=vlan100 list=LAN
/ip address
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=10.1.200.1/24 interface=vlan200 network=10.1.200.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.100.0/24 gateway=10.1.100.1
add address=10.1.200.0/24 gateway=10.1.200.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Toronto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 3:37 pm

Okay, but you didn't answer my questions about ether3?
(1) Is it going to a managed switch or unmanaged switch?
(2) Is the switch connected to any devices which recognize VLANs, or just PCs, printers etc......
(3) Is the switch connected to a WAP and if so what is the make model?
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 4:00 pm

It’s an unmanaged switch. “TL-SG1005P is a 5 10/100/ 1000Mbps ports unmanaged switch.“ The devices connected currently are printer, camera, Xbox and the WAP.
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 4:19 pm

Going to the dentist is easier than getting answers LOL..

Okay, but you didn't answer my questions about ether3?
(1) Is it going to a managed switch or unmanaged switch? (answered - good)
(2) Is the switch connected to any devices which recognize VLANs, or just PCs, printers etc...... (partial answer)
(3) Is the switch connected to a WAP and if so what is the make model of the WAP? (partial answer)
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 4:26 pm

(1) Is it going to a managed switch or unmanaged switch. (answered - good)

It's unmanaged

(2) Is the switch connected to any devices which recognize vlans or just PCs, printers etc...... (partial answer)

The devices here are random but they are not smart enough to specify the VLAN in the configuration if that's what you mean. For example the Xbox.

(3) Is the switch connected to a WAP and if so what is the make model of the WAP? (partial answer)

The setup is Mikrotik -> TP-Link TL-SG1005P -> Devices
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 4:41 pm

What is the make and model of the wifi access point, attached to the unmanaged switch, which is giving out wifi on vlan100 and vlan200?
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 4:58 pm

The WAP is: https://www.ui.com/unifi/unifi-ap-ac-lr/

This is what I get for answering questions before waking up
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 6:18 pm

Nice AP! Is there any way to get a direct link to the router via ethernet to the AP, or change the switch to a managed switch or add a small managed switch such that. Meanwhile will see if there are any other alternative approaches.

Ex.
router ---> MS
MS---> AP
MS---->UMS
UMS--->Devices
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Wed Apr 08, 2020 6:49 pm

I already tried thinking about that. The issue is the Switch and the devices connected to it are at the other end of the house. The MikroTik is supporting 3 devices at one end and there is a patch link across the house to the PoE switch which supports the other 3 devices on the other end. Total of 6 devices on two ends of the house.
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig  [SOLVED]

Thu Apr 09, 2020 12:43 am

Okay, this is the setup that should work...........
If there are still issues then we have to look more closely at your firewall rules.

/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2 pvid=100 (to local pc)
add bridge=bridge comment=defconf hw=no interface=ether3 pvid=100 (to unmanaged switch)
add bridge=bridge comment=defconf hw=no interface=ether4 pvid=100 (to local pc)
add bridge=bridge comment=defconf hw=no interface=ether5 pvid=100 (to local pc)

/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=200
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5 vlan-ids=100
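To see why this hybrid setup works where the trunk-only ether3 did not, here is a small model of the bridge VLAN table (an added example, not RouterOS code or the poster's own). It applies the pvid and tagged/untagged membership from the thread to constructed frames, and assumes ingress-filtering semantics, i.e. a frame is dropped when the ingress port is not a member of the VLAN it lands in:

```python
"""Model of the RouterOS bridge VLAN table from this thread (added example).
ether2/4/5 are access ports on VLAN 100, ether3 is a hybrid port (untagged 100
toward the unmanaged switch, tagged 200 for the guest SSID) and the bridge
itself is a tagged member of both VLANs so the CPU-side vlan100/vlan200
interfaces receive the traffic. Assumes ingress-filtering semantics."""
from __future__ import annotations


class BridgeVlanTable:
    def __init__(self, pvid: dict[str, int], vlans: dict[int, tuple[set[str], set[str]]]):
        self.pvid = pvid    # port -> VLAN assigned to untagged ingress frames
        self.vlans = vlans  # vlan-id -> (tagged members, untagged members)

    def members(self, vid: int) -> set[str]:
        tagged, untagged = self.vlans.get(vid, (set(), set()))
        return tagged | untagged

    def ingress(self, port: str, tag: int | None) -> int | None:
        """VLAN assigned to a frame arriving on `port` (tag=None means
        untagged), or None if the port is not a member and the frame is dropped."""
        vid = self.pvid.get(port, 1) if tag is None else tag
        return vid if port in self.members(vid) else None

    def egress(self, vid: int, port: str) -> str | None:
        """How a VLAN `vid` frame leaves `port`: 'tagged', 'untagged' or None."""
        tagged, untagged = self.vlans.get(vid, (set(), set()))
        if port in tagged:
            return "tagged"
        if port in untagged:
            return "untagged"
        return None

    def forward(self, in_port: str, tag: int | None, out_port: str):
        """(vid, egress mode) for a frame from in_port to out_port, or None."""
        vid = self.ingress(in_port, tag)
        if vid is None or in_port == out_port:
            return None
        mode = self.egress(vid, out_port)
        return None if mode is None else (vid, mode)


# The solved config: pvid=100 on ether2-5 (bridge keeps its default pvid 1),
#   tagged=bridge,ether3 vlan-ids=200
#   tagged=bridge untagged=ether2,ether3,ether4,ether5 vlan-ids=100
SOLVED = BridgeVlanTable(
    pvid={"ether2": 100, "ether3": 100, "ether4": 100, "ether5": 100, "bridge": 1},
    vlans={200: ({"bridge", "ether3"}, set()),
           100: ({"bridge"}, {"ether2", "ether3", "ether4", "ether5"})},
)

# The earlier trunk-only attempt: ether3 without a pvid, tagged on both VLANs.
TRUNK_ONLY = BridgeVlanTable(
    pvid={"ether2": 100, "ether3": 1, "ether4": 100, "ether5": 100, "bridge": 1},
    vlans={200: ({"bridge", "ether3"}, set()),
           100: ({"bridge", "ether3"}, {"ether2", "ether4", "ether5"})},
)

# Constructed frames: the AP tags guest traffic 200, the Xbox behind the
# unmanaged switch sends untagged, and a stray tag 300 is included for contrast.
FRAMES = {
    "xbox (untagged) to CPU":      ("ether3", None, "bridge"),
    "guest SSID (tag 200) to CPU": ("ether3", 200, "bridge"),
    "guest SSID to home PC":       ("ether3", 200, "ether2"),
    "home PC to switch":           ("ether2", None, "ether3"),
    "stray tag 300 to CPU":        ("ether3", 300, "bridge"),
}


def trace(table: BridgeVlanTable) -> dict:
    return {name: table.forward(*frame) for name, frame in FRAMES.items()}


if __name__ == "__main__":
    for label, table in (("solved", SOLVED), ("trunk-only", TRUNK_ONLY)):
        print(f"== {label}")
        for name, result in trace(table).items():
            print(f"  {name:30s} -> {result}")
```

In the trunk-only table the Xbox's untagged frame lands in VLAN 1, of which ether3 is not a member, which is the "really confused" behaviour reported earlier in the thread.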
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Thu Apr 09, 2020 3:39 am

Success! Complete config for anyone looking in the future. Not sure if you have time to spot check the Firewall rules but I followed what you had less the printer access.
# model = RB750Gr3
/interface bridge
add admin-mac=B8:69:F4:AB:32:8A auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=10.1.100.100-10.1.100.199
add name=dhcp_pool2 ranges=10.1.200.200-10.1.200.250
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan100 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan200 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether3 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether4 pvid=100
add bridge=bridge comment=defconf hw=no interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=200
add bridge=bridge tagged=bridge untagged=ether2,ether4,ether5,ether3 vlan-ids=100
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan200 list=LAN
add interface=vlan100 list=LAN
/ip address
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=10.1.200.1/24 interface=vlan200 network=10.1.200.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.100.0/24 gateway=10.1.100.1
add address=10.1.200.0/24 gateway=10.1.200.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall address-list
add address=10.1.100.199 list=adminaccess
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Admin Access" in-interface=vlan100 src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow home-guest access to internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Admin Access to Guest VLAN" in-interface=vlan100 out-interface=vlan200 src-address-list=adminaccess
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Toronto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CPU VLAN on RB750GR3 WebFig

Thu Apr 09, 2020 2:15 pm

All looks good from what I can see.
 
gazingbazooka
Frequent Visitor
Topic Author
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Thu Apr 09, 2020 3:02 pm

Thanks for your help. I'm going to try to figure this out now on the RB2011.
 
ma678
just joined
Posts: 6
Joined: Tue Aug 29, 2017 7:19 am
Location: Toronto, Canada

Re: CPU VLAN on RB750GR3 WebFig

Mon Apr 13, 2020 5:13 pm

I have a similar use case to OP's.

There are three EAPs connected to an unmanaged switch on eth2 on an RB750GR3. Is there a way to route traffic for certain devices via VPN under a VLAN, for example, vlan 300? I am a newbie to this router. Any advice would be much appreciated.

EAP model Tp-link EAD245 v3
Asus RT-AC68U running as an AP
Switch model: Netgear GS308

Thank you!