- a router (hEX S) , providing connection for a PC and APs
- an AP (connecting wireless devices and wired printer, stereo-receiver, VOIP)
- another 2APs
- a bridge.
I configured everything and it works fine.
Nevertheless, because one of APs might be occassionally used by our neighbours and possibly I would like to have a guest AP, I wanted to setup a VLAN configuration in order to isolate neighbor / guests from our network. I followed mostly example configurations by pcunite (viewtopic.php?t=143620).
However, something is wrong (I am looking for bug for three days). It concerns the router configuration. Symptoms are following:
- my PC does not receive IP
- the router becomes inaccessible via Winbox from my PC
- of course, no internet connection...
Please, can somebody hint me, what is wrong?
Thank you.
Code: Select all
###############################################################################
# Router: router obyvak (RB760iGS - hEX S)
# S/N: XXXXXXXXX
# Source: https://forum.mikrotik.com/viewtopic.php?t=143620
# Notes: Start with a reset (/system reset-configuration)
# RouterOS: 6.47
###############################################################################
###########################
# initial settings
###########################
/delay delay-time=5s
# system settings
/system clock set time-zone-name=Europe/XXXXXXXXX
/system identity set name=ROUTER_hEX_VLAN
/system routerboard settings set auto-upgrade=yes
###########################
# VLAN Overview
###########################
# 61 = BASE_VLAN (management VLAN, trunk, BridgeNet)
# 62 = HOME_VLAN (SvistNet, GardenNet)
# 70 = GUEST_VLAN (BetaNet)
#
# Port assignment:
# ROUTER_hEX_VLAN:
# WAN: ether1
# VLAN62: ether2,ether3
# trunk61: ether4,ether5
# unused: sfp1 (assigned to VLAN62)
# WIFI1_hAPac2:
# VLAN62: ether2,ether3,ether4,ether5,wlan_SvistNet,wlan_SvistNet_5GHz_B
# trunk61: ether1,wlan_Bridge
# WIFI2_hAPacLite:
# VLAN62: ether2,ether3,ether4,ether5,wlan2GHz,wlan5GHz
# trunk61: ether1
# WBRIDGE_mAP2nD:
# VLAN62: ether1
# trunk61: ether2,wlan_Bridge
# WIFI3_951G2HnD:
# VLAN62: ether2,ether3,ether4,ether5,wlan_GardenNet
# VLAN70: wlan_BetaNet
# trunk61: ether1
###########################
# WAN access
###########################
/interface pppoe-client
add name=pppoe_WAN \
interface=ether1 \
service-name=knvnet user="XXXXXXX" password="XXXXXXX" \
add-default-route=yes disabled=no use-peer-dns=yes
###########################
# Bridge
###########################
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=no
###########################
# -- Access Ports --
###########################
# ingress behavior
/interface bridge port
# Local ports to VLAN
add bridge=bridge1 interface=ether2 pvid=62
add bridge=bridge1 interface=ether3 pvid=62
add bridge=bridge1 interface=sfp1 pvid=62
# egress behavior - DONE LATER TOGETHER WITH TRUNK
# /interface bridge vlan add bridge=bridge1 untagged=ether2,ether3,sfp1 vlan-ids=62
###########################
# -- Trunk Ports --
###########################
# ingress behavior
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
# egress behavior
/interface bridge vlan
add vlan-ids=61 bridge=bridge1 tagged=bridge1,ether4,ether5
add vlan-ids=62 bridge=bridge1 tagged=ether4,ether5 untagged=ether2,ether3,sfp1
add vlan-ids=70 bridge=bridge1 tagged=ether4,ether5
###########################
# IP Addressing & Routing
###########################
# LAN facing router's IP address on the BASE_VLAN
/interface vlan
add name=BASE_VLAN interface=bridge1 vlan-id=61
/ip address
add address=192.168.61.1/24 interface=BASE_VLAN
# DNS server, set to cache for LAN
/ip dns
set servers=1.1.1.1,8.8.8.8 allow-remote-requests=yes
# WAN port ip address from DHCP
/ip dhcp-client add interface=ether1
###########################
# IP Services
###########################
# BASE_VLAN
/ip pool add name=ippool_BASE ranges=192.168.61.10-192.168.61.254
/ip dhcp-server add name=dhcp_BASE address-pool=ippool_BASE interface=BASE_VLAN disabled=no
/ip dhcp-server network add address=192.168.61.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.61.1 ntp-server=217.31.202.100
# HOME_VLAN
/interface vlan
add name=HOME_VLAN interface=bridge1 vlan-id=62
/ip address add interface=HOME_VLAN address=192.168.62.1/24
/ip pool add name=ippool_SVIST ranges=192.168.62.51-192.168.62.254
/ip dhcp-server add name=dhcp_SVIST address-pool=ippool_SVIST interface=HOME_VLAN disabled=no
/ip dhcp-server network add address=192.168.62.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.62.1 ntp-server=217.31.202.100
# GUEST_VLAN
/interface vlan
add name=GUEST_VLAN interface=bridge1 vlan-id=70
/ip address add interface=GUEST_VLAN address=192.168.70.1/24
/ip pool add name=ippool_BETA ranges=192.168.70.51-192.168.70.254
/ip dhcp-server add name=dhcp_BETA address-pool=ippool_BETA interface=GUEST_VLAN disabled=no
/ip dhcp-server network add address=192.168.70.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.70.1 ntp-server=217.31.202.100
###########################
# Firewalling & NAT
###########################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=HOME
/interface list add name=BASE
/interface list member
add interface=pppoe_WAN list=WAN
add interface=BASE_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=HOME_VLAN list=HOME
add interface=BASE_VLAN list=BASE
# VLAN aware firewall. Order is important.
/ip firewall filter
##################
# INPUT CHAIN
##################
# established and related connections
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow VLANs to access router services like DNS, Winbox.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"
# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"
### !!! DEBUG ONLY - SECURITY RISK !!! - (Un)comment lines below
add chain=input action=drop comment="Drop"
# add chain=input action=accept comment="!!! DEBUG ONLY !!!"
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="Allow VLAN Internet Access"
# Allow home VLANs to access the other VLANs, but not for guest VLANs
add chain=forward action=accept connection-state=new in-interface-list=HOME out-interface-list=VLAN comment="Allow HOME VLANs to other VLANs"
### !!! DEBUG ONLY - SECURITY RISK !!! - (Un)comment lines below
add chain=forward action=drop comment="Drop everything else"
# add chain=forward action=accept comment="!!! DEBUG ONLY !!!"
##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"
###########################
# VLAN Security
###########################
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=sfp1]
# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]
###########################
# MAC Server settings
###########################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=HOME
/tool mac-server mac-winbox set allowed-interface-list=HOME
/tool mac-server set allowed-interface-list=HOME
### !!! DEBUG ONLY - SECURITY RISK !!! change "all" to "HOME" above (3 times) !!!
###########################
# Turn on VLAN mode
###########################
/interface bridge set bridge1 vlan-filtering=yes
###########################
# DHCP Server - static IPs
###########################
/ip dhcp-server lease
add address=192.168.62.21 mac-address=00:xx:xx:xx:xx:xx server=dhcp_SVIST comment="VOIP XXXXXXXXX"
add address=192.168.62.22 mac-address=00:xx:xx:xx:xx:xx server=dhcp_SVIST comment="receiver XXXXX"
add address=192.168.62.23 mac-address=F4:xx:xx:xx:xx:xx server=dhcp_SVIST comment="Printer XXXXXXXXX"
add address=192.168.62.24 mac-address=30:xx:xx:xx:xx:xx server=dhcp_SVIST comment="pocitac XXXXXXXXX"
###########################
# Other
###########################
# password
/user set password=XXXXXXX [find name=admin]
