Community discussions

MikroTik App
 
User avatar
quotengrote
newbie
Topic Author
Posts: 33
Joined: Sun May 16, 2021 1:20 pm

VLAN Check

Wed Oct 06, 2021 10:06 am

Hi,

im just switching from my hEX to a RB5009 and want to use VLANs.

VLAN 2 - for almost anything
VLAN10 - for Work
VLAN20 - for Guests

At the moment my Network is ike this:

Image

On the RB5009
eth1 goes to the crs309
eth2 to wan
eth3 is a port for a end-device(access-port)
eth4 goes to a unifi ap
eth8 is outside the bridge as a emergency port

eth1 and eth4 need all 3 vlans
eth3 only need vlan2

my current router config:
[admin@rb5009] > exp
# jan/01/2002 06:34:05 by RouterOS 7.0.5
# software id = 56R5-PRTF
#
# model = RB5009UG+S+
# serial number = EC190E3732EA
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan2 vlan-id=2
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether4
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1,ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1 vlan-ids=2
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
/ip address
add address=192.168.55.1/24 interface=ether8 network=192.168.55.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=rb5009
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.2.43
add address=176.9.157.155
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
my current switch config:
# oct/02/2021 18:39:34 by RouterOS 6.48.4
# software id = 5F4H-LU84
#
# model = CRS309-1G-8S+
# serial number = D8480D98FA47
/interface ethernet
set [ find default-name=ether1 ] comment=arbeitszimmer l2mtu=1592
set [ find default-name=sfp-sfpplus1 ] l2mtu=1592
set [ find default-name=sfp-sfpplus2 ] l2mtu=1592
set [ find default-name=sfp-sfpplus3 ] comment=pve2-sfp l2mtu=1592
set [ find default-name=sfp-sfpplus4 ] advertise=1000M-half,1000M-full auto-negotiation=no comment=pve2-ipmi l2mtu=1592
set [ find default-name=sfp-sfpplus5 ] auto-negotiation=no comment="zum hEX" l2mtu=1592
set [ find default-name=sfp-sfpplus6 ] l2mtu=1592
set [ find default-name=sfp-sfpplus7 ] l2mtu=1592
set [ find default-name=sfp-sfpplus8 ] l2mtu=1592
/interface bridge
add dhcp-snooping=yes name=bridge1
/interface vlan
add interface=bridge1 name=vlan2 vlan-id=2
/interface list
add name=LAN
/system logging action
set 3 target=memory
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=2
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3 pvid=2
add bridge=bridge1 interface=sfp-sfpplus4 pvid=2
add bridge=bridge1 comment="\"trusted\" fur dhcp-snooping" interface=sfp-sfpplus5 trusted=yes
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus5 vlan-ids=2
add bridge=bridge1 tagged=sfp-sfpplus5 vlan-ids=10
add bridge=bridge1 tagged=sfp-sfpplus5 vlan-ids=20
/interface list member
add interface=ether1 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
/ip address
add address=192.168.2.223/24 interface=bridge1 network=192.168.2.0
add address=192.168.55.3/24 interface=sfp-sfpplus8 network=192.168.55.0
add address=192.168.2.224 interface=vlan2 network=192.168.2.224
/ip cloud
set update-time=no
/ip dns
set servers=192.168.2.1
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8291 protocol=tcp src-address=192.168.2.0/24
add action=accept chain=input dst-port=22 protocol=tcp src-address=192.168.2.0/24
add action=drop chain=input
/ip route
add distance=1 gateway=192.168.2.1
/ip service
set ftp disabled=yes
set www disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=crs309
/system ntp client
set enabled=yes primary-ntp=192.168.2.43
/system routerboard settings
set boot-os=router-os
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Does this all look ok, or do i have a error in that? Tried my best after the guides from pcunite.
 
ConnyMercier
Forum Veteran
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: VLAN Check

Wed Oct 06, 2021 11:09 am

Guten Morgen,

I wouldn't set the ether8(Aka. emergency port) as a Interface-List-Member of "LAN"
If you ever make a mistake in your Firewall you may lock yourself out incl. ether8
 
User avatar
quotengrote
newbie
Topic Author
Posts: 33
Joined: Sun May 16, 2021 1:20 pm

Re: VLAN Check

Wed Oct 06, 2021 11:25 am

Should i make a extra rule always allowing ether8 mgmt-access then?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21360
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Check

Wed Oct 06, 2021 2:07 pm

I fail to see any firewall rules on your router and then you put some on the switch??
The config is flawed thus in many ways

In terms of the router
I am not sure of what you are trying to overall but a management interface is a good idea and keep spf+8 as part of LAN interface for all the rules it covers.
Disagree with connny on this one but will explain further *****

But
/interface list
add name=manage

/interface list members
add interface=subnetA list=manage
add interface=sfp8 list=manage

such that subnetA (could be bridge, etcc) describes where the admin will be coming from to configure the router.
We add sfp+8 so you can access the router if the bridge is not working.

Note; Dont forget to change tools -- mac ---winmac server interface to "manage"

**** Now what I do on the input chain is get rid of the default OKAY but not good enough rule, the one that blocks traffic !LAN

to
add chain=input action=accept in-interface-list=manage ( plus an optional --> src-address-list=adminaccess )

where adminaccess is a firewall address list based on static dhcp leases etc.
/firewall address list
add IPofadmin desktop list=adminaccess
add IPofaddmin laptop list=adminaccess
add IPofadmin ipad list=adminaccess
add IPofadmin smartphone list=adminaccess
add IPofether8 list=adminaccess

So in other words, only admin needs full access to the router not everyone on the LAN!
You will need to add DNS services in the input chain as the last step is adding a drop all else rule at the end of the input chain.
 
User avatar
quotengrote
newbie
Topic Author
Posts: 33
Joined: Sun May 16, 2021 1:20 pm

Re: VLAN Check

Wed Oct 06, 2021 2:41 pm

I fail to see any firewall rules on your router and then you put some on the switch??
The config is flawed thus i
The router is new, i havent done anything besides that config.

The Switch is already(but not the vlans) configured.


my normal router config looks like that:
[admin@rb5009] > export hide-sensitiv 
# oct/06/2021 13:39:28 by RouterOS 7.0.5
# software id = 56R5-PRTF
#
# model = RB5009UG+S+
# serial number = EC190E3732EA
/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=CRS309
set [ find default-name=ether2 ] comment=FritzBox
set [ find default-name=ether3 ] comment=Unifi
set [ find default-name=ether4 ] comment=FireTV
set [ find default-name=ether5 ] comment=Mango01
set [ find default-name=ether8 ] comment="nicht in bridge1, emergency-port"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard_clients
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_subnet2 ranges=192.168.2.35-192.168.2.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool_subnet2 interface=bridge1 lease-script=":local DHCPtag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n    :local ttl\r\
    \n    :local domain\r\
    \n    :local hostname\r\
    \n    :local fqdn\r\
    \n    :local leaseId\r\
    \n    :local comment\r\
    \n\r\
    \n    /ip dhcp-server\r\
    \n    :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n    network\r\
    \n    :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n\r\
    \n    .. lease\r\
    \n    :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n    # Check for multiple active leases for the same IP address. It's weird and it shouldn't be, but just in case.\r\
    \n\r\
    \n    :if ( [ :len \$leaseId ] != 1) do={\r\
    \n        :log info \"DHCP2DNS: not registering domain name for address \$leaseActIP because of multiple active leases for \$leaseActIP\"\r\
    \n        :error \"multiple active leases for \$leaseActIP\"\r\
    \n    }\r\
    \n\r\
    \n    :set hostname [ get \$leaseId host-name ]\r\
    \n    :set comment [ get \$leaseId comment ]\r\
    \n    /\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty lease host-name or comment\"\r\
    \n        :error \"empty lease host-name or comment\"\r\
    \n    }\r\
    \n    :if ( [ :len \$domain ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty network domain name\"\r\
    \n        :error \"empty network domain name\"\r\
    \n    }\r\
    \n\r\
    \n    :set fqdn \"\$hostname.\$domain\"\r\
    \n\r\
    \n    /ip dns static\r\
    \n    :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=no ] ] = 0 ) do={\r\
    \n        add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag disabled=no\r\
    \n    } else={\r\
    \n        :log error \"DHCP2DNS: not registering domain name \$fqdn for address \$leaseActIP because of existing active static DNS entry with this name or address\"\r\
    \n    }\r\
    \n    /\r\
    \n} else={\r\
    \n    /ip dns static\r\
    \n    :local dnsDhcpId\r\
    \n    :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n    :if ( [ :len \$dnsDhcpId ] > 0 ) do={\r\
    \n        remove \$dnsDhcpId\r\
    \n    }\r\
    \n    /\r\
    \n}\r\
    \n" lease-time=4h name=dhcp_server_subnet2
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=wireguard_clients list=LAN
/interface wireguard peers
add allowed-address=192.168.66.2/32 comment=mg_ipad interface=wireguard_clients public-key="eFoY0xXXXb940WY="
add allowed-address=192.168.66.3/32 comment=mg_iphone interface=wireguard_clients public-key="qUxvXXXXdWxuRk="
add allowed-address=192.168.66.4/32 comment=mg_laptop interface=wireguard_clients public-key="siaaex6zPXXXCOFY/D8="
/ip address
add address=192.168.2.2/24 interface=ether8 network=192.168.2.0
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
add address=192.168.66.1/24 interface=wireguard_clients network=192.168.66.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m update-time=no
/ip dhcp-client
add interface=ether2 script="remove [find where list=wan_ip]\r\
    \nadd list=wan_ip address=[/ip/cloud/get public-address]\r\
    \n" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.2.147 comment=ads2700w mac-address=00:0E:C6:ED:4E:3A server=dhcp_server_subnet2
add address=192.168.2.188 comment=mango01 mac-address=94:83:C4:07:A8:7E server=dhcp_server_subnet2
add address=192.168.2.60 comment=nano-hd mac-address=24:5A:4C:62:E6:37 server=dhcp_server_subnet2
add address=192.168.2.46 mac-address=9A:13:1C:FF:CD:87 server=dhcp_server_subnet2
add address=192.168.2.59 mac-address=06:85:EC:82:2E:2D server=dhcp_server_subnet2
add address=192.168.2.44 mac-address=12:06:EF:E5:0C:E5 server=dhcp_server_subnet2
add address=192.168.2.36 mac-address=42:51:EE:46:EA:24 server=dhcp_server_subnet2
add address=192.168.2.43 mac-address=06:35:CC:ED:1D:EE
add address=192.168.2.68 client-id=ff:ca:53:9:5a:0:2:0:0:ab:11:25:2c:9a:f8:31:a4:d8:2e mac-address=C6:72:DD:03:41:55 server=dhcp_server_subnet2
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 domain=grote.lan gateway=192.168.2.1 ntp-server=192.168.2.43
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h cache-size=4096KiB max-concurrent-queries=1000 servers=192.168.2.3
/ip dns static
add address=192.168.2.188 name=mango01.grote.lan
/ip firewall address-list
add address=192.168.2.0/24 list=subnet2
add address=1.0.0.1 list=DOH-Server
add address=1.0.0.2 list=DOH-Server
add address=1.0.0.3 list=DOH-Server
add address=101.101.101.101 list=DOH-Server
add address=101.102.103.104 list=DOH-Server
[...]
add address=96.113.151.149 list=DOH-Server
add address=96.113.151.150 list=DOH-Server
add address=9.9.9.10 list=DOH-Server
add address=9.9.9.11 list=DOH-Server
add address=9.9.9.12 list=DOH-Server
add address=9.9.9.9 list=DOH-Server
add address=192.168.66.0/24 list=subnet66_wg
add address=192.168.2.0/24 list=mgmt_access
add address=192.168.66.0/24 list=mgmt_access
add address=91.XX.XXX.XX list=wan_ip1
/ip firewall filter
add action=accept chain=input comment="Established, Related" connection-state=established,related
add action=accept chain=input comment=Wireguard dst-port=13231 log-prefix="WG Accept:" protocol=udp
add action=accept chain=input comment=ICMP in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment=SSH dst-port=22 in-interface-list=!WAN protocol=tcp src-address-list=mgmt_access
add action=accept chain=input comment=WINBOX dst-port=8291 in-interface-list=!WAN protocol=tcp src-address-list=mgmt_access
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN log-prefix="DNS ACCEPT:" protocol=udp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN log-prefix="DNS ACCEPT(tcp):" protocol=tcp
add action=drop chain=input
add action=jump chain=forward comment=DDoS connection-state=new in-interface-list=WAN jump-target=detect-ddos log-prefix="Detect DDoS: "
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop DNS-over-HTTPS" dst-address-list=DOH-Server log=yes log-prefix="Drop DoH: " port=443 protocol=tcp
add action=drop chain=forward comment="Drop DNS-over-HTTPS" dst-address-list=DOH-Server log=yes log-prefix="Drop DoH: " port=443 protocol=udp
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward connection-state=invalid
add action=return chain=detect-ddos comment=DDoS dst-limit=32,32,src-and-dst-addresses/10s log-prefix="Return: "
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos comment=DDoS
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos comment=DDoS
/ip firewall nat
add action=masquerade chain=srcnat comment=srcnat-masquerade out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Portweiterleitung Traefik" in-interface-list=WAN log-prefix="portweiterleitung_traefik: " port=80 protocol=tcp to-addresses=192.168.2.68 to-ports=80
add action=dst-nat chain=dstnat comment="Portweiterleitung Traefik" in-interface-list=WAN log-prefix="portweiterleitung_traefik: " port=443 protocol=tcp to-addresses=192.168.2.68 to-ports=443
add action=dst-nat chain=dstnat comment="Portweiterleitung Mango" in-interface-list=WAN log-prefix="portweiterleitung_mango: " port=51820 protocol=udp to-addresses=192.168.2.188 to-ports=51820
add action=masquerade chain=srcnat comment=Hairpin-NAT dst-address-list=wan_ip1 dst-port=80 log=yes log-prefix="Hairpin-NAT: " out-interface-list=LAN protocol=tcp src-address-list=subnet2
add action=masquerade chain=srcnat comment=Hairpin-NAT dst-address-list=wan_ip1 dst-port=443 log=yes log-prefix="Hairpin-NAT: " out-interface-list=LAN protocol=tcp src-address-list=subnet2
add action=dst-nat chain=dstnat comment=DNS-Redirect: dst-address=!192.168.2.1 dst-port=53 log=yes log-prefix="DNS-Redirect:: " protocol=udp src-address=!192.168.2.3 to-addresses=192.168.2.1 to-ports=53
add action=dst-nat chain=dstnat comment=DNS-Redirect: dst-address=!192.168.2.1 dst-port=53 log=yes log-prefix="DNS-Redirect:: " protocol=tcp src-address=!192.168.2.3 to-addresses=192.168.2.1 to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment="DDoS; Targets deaktiviert da von au\DFen die externe IP angesprochen wir und nicht die interne" log=yes log-prefix="Drop DDoS: " src-address-list=ddos-attackers
/ip route
add comment="route fuer fritzbox-mgmt" distance=1 dst-address=192.168.5.1/32 gateway=ether2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.2.0/24,192.168.66.0/24
set api disabled=yes
set winbox address=192.168.2.0/24,192.168.66.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=rb5009
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.2.43
add address=ptbtime1.ptb.de
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool netwatch
add comment="pr\FCft ob PiHole erreichbar ist" down-script="# set variables\r\
    \n:local piholeIP 192.168.2.3\r\
    \n:local fallbackDNS 9.9.9.9;\r\
    \n:local normalDNS 192.168.2.3;\r\
    \n:local currentDNS\r\
    \n\r\
    \n:set \$currentDNS [/ip dns get servers];\r\
    \n\r\
    \n:do {\r\
    \n  :put [resolve google.com server=\$piholeIP];\r\
    \n  if (\$currentDNS!=normalDNS) do={\r\
    \n    :log info \"DNS Failover: Switching to Pi-Hole\";\r\
    \n    ip dns set servers \$normalDNS\r\
    \n    ip dns cache flush\r\
    \n  } else={}\r\
    \n} on-error={ :set \$currentDNS [/ip dns get servers];\r\
    \n  if (\$currentDNS!=\$fallbackDNS) do={\r\
    \n    :log error \"DNS Failover: Switching to FallbackDNS\";\r\
    \n    ip dns set servers \$fallbackDNS;\r\
    \n    ip dns cache flush\r\
    \n  } else={:log info \"DNS Failover: Pi-Hole Unavailable\"}\r\
    \n}\r\
    \n\r\
    \n#try to reach google through the pi-hole\r\
    \n#if it works and we are on a different DNS, set the DNS server to the pi-hole\r\
    \n#if it works and we are already on the pi-hole, do nothing\r\
    \n#if we can't reach google and we aren't already on our FallbackDNS, switch to fallback\r\
    \n#if we can't reach google through pi-hole and we are on the fallback, log that pi-hole is unavailable\r\
    \n" host=192.168.2.3 interval=5s up-script="# set variables\r\
    \n:local piholeIP 192.168.2.3\r\
    \n:local fallbackDNS 9.9.9.9;\r\
    \n:local normalDNS 192.168.2.3;\r\
    \n:local currentDNS\r\
    \n\r\
    \n:set \$currentDNS [/ip dns get servers];\r\
    \n\r\
    \n:do {\r\
    \n  :put [resolve google.com server=\$piholeIP];\r\
    \n  if (\$currentDNS!=normalDNS) do={\r\
    \n    :log info \"DNS Failover: Switching to Pi-Hole\";\r\
    \n    ip dns set servers \$normalDNS\r\
    \n    ip dns cache flush\r\
    \n  } else={}\r\
    \n} on-error={ :set \$currentDNS [/ip dns get servers];\r\
    \n  if (\$currentDNS!=\$fallbackDNS) do={\r\
    \n    :log error \"DNS Failover: Switching to FallbackDNS\";\r\
    \n    ip dns set servers \$fallbackDNS;\r\
    \n    ip dns cache flush\r\
    \n  } else={:log info \"DNS Failover: Pi-Hole Unavailable\"}\r\
    \n}\r\
    \n\r\
    \n#try to reach google through the pi-hole\r\
    \n#if it works and we are on a different DNS, set the DNS server to the pi-hole\r\
    \n#if it works and we are already on the pi-hole, do nothing\r\
    \n#if we can't reach google and we aren't already on our FallbackDNS, switch to fallback\r\
    \n#if we can't reach google through pi-hole and we are on the fallback, log that pi-hole is unavailable\r\
    \n"
add comment="setze wan_ip1" down-script=":if ([:len [/ip fire address-list find address=[/ip/cloud/get public-address]]] > 0) do={} else={:log info \"write wan_ip1 to address-list\"; /ip firewall address-list remove [find where list=wan_ip1];\r\
    \n/ip firewall address-list add list=wan_ip1 address=[/ip/cloud/get public-address]}\r\
    \n\r\
    \n# pruefe ob wan ip in address-liste vorhanden ist\r\
    \n# wenn ja, dann tue nichts\r\
    \n# wenn nein, frage ip von mikroptik-cloud ab\r\
    \n# und schreibe in address-liste\r\
    \n" host=91.52.162.231 up-script=":if ([:len [/ip fire address-list find address=[/ip/cloud/get public-address]]] > 0) do={} else={:log info \"write wan_ip1 to address-list\"; /ip firewall address-list remove [find where list=wan_ip1];\r\
    \n/ip firewall address-list add list=wan_ip1 address=[/ip/cloud/get public-address]}\r\
    \n\r\
    \n# pruefe ob wan ip in address-liste vorhanden ist\r\
    \n# wenn ja, dann tue nichts\r\
    \n# wenn nein, frage ip von mikroptik-cloud ab\r\
    \n# und schreibe in address-liste\r\
    \n"
[admin@rb5009] > 

 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21360
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Check

Wed Oct 06, 2021 3:09 pm

These three rules dont make sense to me...........
add action=accept chain=input comment=ICMP in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment=SSH dst-port=22 in-interface-list=!WAN protocol=tcp src-address-list=mgmt_access
add action=accept chain=input comment=WINBOX dst-port=8291 in-interface-list=!WAN protocol=tcp src-address-list=mgmt_access


Why block ICMP from external, its very useful for testing and poses not threat.
As for the other two rules, its narrowed down to who has access to the router...... only need one rule!
add action=accept chain=input in-interface-list=-manage src-address-list=mgmt_access

Where interface list encompasses all interfaces that the admin would come in on..........
/interface list
add name=manage
/interface list members
add interface=subnetA list=manage
add interface=subnetB list=manage
add interface=sfp8 list=manage

Personally, I would not post my ssh port or my winbox port on a config either :-) (very few use the default ports from my understanding as well)
 
User avatar
quotengrote
newbie
Topic Author
Posts: 33
Joined: Sun May 16, 2021 1:20 pm

Re: VLAN Check

Wed Oct 06, 2021 3:14 pm

As for the other two rules, its narrowed down to who has access to the router...... only need one rule!
add action=accept chain=input in-interface-list=-manage src-address-list=mgmt_access
Yep, i will change it.
Personally, I would not post my ssh port or my winbox port on a config either :-) (very few use the default ports from my understanding as well)
Its only avaible from inside, so nobody should use that.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21360
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Check

Wed Oct 06, 2021 8:45 pm

As for the other two rules, its narrowed down to who has access to the router...... only need one rule!
add action=accept chain=input in-interface-list=-manage src-address-list=mgmt_access
Yep, i will change it.
Personally, I would not post my ssh port or my winbox port on a config either :-) (very few use the default ports from my understanding as well)
Its only avaible from inside, so nobody should use that.
I am just saying unless those were fake numbers.............. then its information that is not required by anyone other than the admin.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21360
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Check

Wed Oct 06, 2021 11:27 pm

Generalized Approach (understand this excellent article - viewtopic.php?t=143620 )

ROUTERS< SWITCHES< ACCESS POINTS (all connected smart devices)

COMMON ENTRIES
1. Define vlans (interface is bridge)
2. /ip neighbor discovery-settings
set discover-interface-list=MANAGE
3. TOOLS MAC - WINMAC SERVER INTERFACE = MANAGE
4. ONE BRIDGE
5. ADD APPLICABLE BRIDGE PORTS (trunk and access and hybrid)
6. ADD APPLICABLE BRIDGE VLAN INTERFACES - should map to bridge ports (easy to read)

ROUTER
7. Define vlan subnet structure (ip pool, ip address, dhcp-server, dhcp-server network)
8. Define interface list (router)
-WAN
-LAN
-INTERNET OUT (just an example)
-MANAGE (for admin config purposes )
9. Define interface list members
WAN --> ether1, (or whatever is the proper etherport.
[ NOTE: PLUS -----> if using pppoe include pppoe interface name + if using vlans include vlan name. ]
LAN - if no vlans use bridge, with vlans dont use bridge state all vlans separately.
MANAGE- ALL vlans or subnet that the admin will use to access the config of the router (from where!!).
(Include an etherport if you have a spare one, for emergency access, only need to config an IP address on this port (this port is not on the bridge).

SWITCHES / ACCESS POINTS (smart devices)
10. Define vlans (interface is bridge)
11. Define interface list
-MANAGE (for admin config purposes).
12. Define interface list members
MANAGE --> management vlan or subnet that the admin will use to access the config of the device
(Include an etherport if you have a spare one, for emergency access, only need to config an IP address on the port (this port is not on the bridge).
13. IP address of device is set as an IP on the management VLAN or subnet.
14. IP route to the gateway of the management VLAN or subnet.
 
User avatar
quotengrote
newbie
Topic Author
Posts: 33
Joined: Sun May 16, 2021 1:20 pm

Re: VLAN Check

Mon Jan 03, 2022 3:26 pm

After a long long time... i have finished the vlan project. May it be helpful for others...

Network

Image

Router
[admin@rb5009] > export hide-sensitive 
# jan/03/2022 14:19:17 by RouterOS 7.1.1
# software id = 56R5-PRTF
#
# model = RB5009UG+S+
# serial number = EC190E3732EA
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=crs309
set [ find default-name=ether2 ] comment=FritzBox
set [ find default-name=ether3 ] comment=Unifi
set [ find default-name=ether4 ] comment=FireTV
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] comment=Notfall-Port
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=bridge1 name=vlan2 vlan-id=2
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=VPN
add name=VLAN
add name=winbox-access
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_subnet2 ranges=192.168.2.35-192.168.2.200
add name=pool_subnet10 ranges=192.168.10.35-192.168.10.200
add name=pool_subnet20 ranges=192.168.20.35-192.168.20.200
/ip dhcp-server
add add-arp=yes address-pool=pool_subnet2 interface=vlan2 lease-script=":local DHCPtag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n    :local ttl\r\
    \n    :local domain\r\
    \n    :local hostname\r\
    \n    :local fqdn\r\
    \n    :local leaseId\r\
    \n    :local comment\r\
    \n\r\
    \n    /ip dhcp-server\r\
    \n    :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n    network\r\
    \n    :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n\r\
    \n    .. lease\r\
    \n    :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n    # Check for multiple active leases for the same IP address. It's weird and it shouldn't be, but just in case.\r\
    \n\r\
    \n    :if ( [ :len \$leaseId ] != 1) do={\r\
    \n        :log info \"DHCP2DNS: not registering domain name for address \$leaseActIP because of multiple active leases for \$leaseActIP\"\r\
    \n        :error \"multiple active leases for \$leaseActIP\"\r\
    \n    }\r\
    \n\r\
    \n    :set hostname [ get \$leaseId host-name ]\r\
    \n    :set comment [ get \$leaseId comment ]\r\
    \n    /\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty lease host-name or comment\"\r\
    \n        :error \"empty lease host-name or comment\"\r\
    \n    }\r\
    \n    :if ( [ :len \$domain ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty network domain name\"\r\
    \n        :error \"empty network domain name\"\r\
    \n    }\r\
    \n\r\
    \n    :set fqdn \"\$hostname.\$domain\"\r\
    \n\r\
    \n    /ip dns static\r\
    \n    :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=no ] ] = 0 ) do={\r\
    \n        add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag disabled=no\r\
    \n    } else={\r\
    \n        :log error \"DHCP2DNS: not registering domain name \$fqdn for address \$leaseActIP because of existing active static DNS entry with this name or address\"\r\
    \n    }\r\
    \n    /\r\
    \n} else={\r\
    \n    /ip dns static\r\
    \n    :local dnsDhcpId\r\
    \n    :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n    :if ( [ :len \$dnsDhcpId ] > 0 ) do={\r\
    \n        remove \$dnsDhcpId\r\
    \n    }\r\
    \n    /\r\
    \n}\r\
    \n" lease-time=4h name=dhcp_server_subnet2_vlan2
add add-arp=yes address-pool=pool_subnet10 interface=vlan10 lease-time=4h name=dhcp_server_subnet10_vlan10
add add-arp=yes address-pool=pool_subnet20 interface=vlan20 lease-time=4h name=dhcp_server_subnet20_vlan20
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=usb1 parity=none stop-bits=1
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=2
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=ether3,bridge1,ether1 untagged=ether4 vlan-ids=2
add bridge=bridge1 tagged=ether3,bridge1,ether1 vlan-ids=10
add bridge=bridge1 tagged=ether3,bridge1,ether1 vlan-ids=20
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=wireguard_clients list=LAN
add interface=wireguard_clients list=VPN
add interface=wireguard_s2s_ag list=VPN
add interface=vlan10 list=VLAN
add interface=vlan2 list=VLAN
add interface=vlan20 list=VLAN
add interface=ether1 list=winbox-access
add interface=ether3 list=winbox-access
add interface=vlan2 list=winbox-access

/ip address
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.66.1/24 interface=wireguard_clients network=192.168.66.0
add address=10.0.0.6 interface=wireguard_s2s_ag network=10.0.0.6
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m update-time=no
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 domain=grote.lan gateway=192.168.2.1 ntp-server=192.168.2.43
add address=192.168.10.0/24 dns-server=9.9.9.9 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=9.9.9.9 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h cache-size=4096KiB max-concurrent-queries=1000 servers=192.168.2.3
/ip firewall address-list
add address=192.168.2.0/24 list=subnet2
add address=192.168.66.0/24 list=subnet66
add address=192.168.2.0/24 list=mgmt_access
add address=192.168.66.0/24 list=mgmt_access
add address=192.168.3.0/24 list=subnet3
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add list=DOH-Server
add address=1.0.0.1 list=DOH-Server
[...]
add address=96.113.151.149 list=DOH-Server
add address=96.113.151.150 list=DOH-Server
add address=9.9.9.10 list=DOH-Server
add address=9.9.9.11 list=DOH-Server
add address=9.9.9.12 list=DOH-Server
add address=9.9.9.13 list=DOH-Server
add address=9.9.9.9 list=DOH-Server
add address=192.168.10.0/24 comment=VLAN10 list=subnet10
add address=192.168.2.40 list=subnet3_access
add address=192.168.2.65 list=subnet3_access
add address=192.168.2.180 list=subnet3_access
add address=192.168.20.0/24 comment=VLAN20 list=subnet20
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment=Wireguard dst-port=13231 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="SSH, winbox" dst-port=22,8291 in-interface-list=!WAN protocol=tcp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN protocol=tcp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=jump chain=forward comment=DDoS connection-state=new in-interface-list=WAN jump-target=detect-ddos
add action=drop chain=forward comment="Drop Traffic between VLANs" in-interface-list=VLAN log=yes log-prefix="Drop VLAN-->VLAN" out-interface-list=VLAN
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN src-address-list=not_in_internet
add action=drop chain=forward comment="Drop Zugriff subnet3 ausser von irantu und win3" dst-address-list=subnet3 log=yes log-prefix="Drop Access SN3" out-interface=wireguard_s2s_ag src-address-list=!subnet3_access
add action=drop chain=forward comment="Drop DNS-over-HTTPS" dst-address-list=DOH-Server log-prefix="Drop DoH: " port=443 protocol=tcp
add action=drop chain=forward comment="Drop DNS-over-HTTPS" dst-address-list=DOH-Server log-prefix="Drop DoH: " port=443 protocol=udp
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=return chain=detect-ddos comment=DDoS dst-limit=32,32,src-and-dst-addresses/10s
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos comment=DDoS log=yes log-prefix="Detect DDoS: "
/ip firewall nat
add action=masquerade chain=srcnat comment=srcnat-masquerade out-interface-list=WAN
add action=masquerade chain=srcnat comment="srcnat-masquerade, damit immer die Router IP beim mango02 sichtbar ist, und nicht die einzelnen Clients aus meinem Netz" out-interface=wireguard_s2s_ag
add action=dst-nat chain=dstnat comment="Portweiterleitung Traefik" in-interface-list=WAN log-prefix="portweiterleitung_traefik: " port=443,80 protocol=tcp to-addresses=192.168.2.68 to-ports=443
add action=dst-nat chain=dstnat comment="Portweiterleitung gitea_ssh" in-interface-list=WAN log-prefix="portweiterleitung_gitea_ssh: " port=2222 protocol=tcp to-addresses=192.168.2.44 to-ports=2222
add action=masquerade chain=srcnat comment=Hairpin-NAT dst-address-list=wan_ip1 dst-port=443,80 log=yes log-prefix="Hairpin-NAT: " out-interface-list=LAN protocol=tcp src-address-list=subnet2
add action=dst-nat chain=dstnat comment=DNS-Redirect: dst-address=!192.168.2.1 dst-port=53 in-interface-list=!WAN log-prefix="DNS-Redirect:: " protocol=udp src-address=!192.168.2.3 src-address-list=subnet2 to-addresses=192.168.2.1 to-ports=53
add action=dst-nat chain=dstnat comment=DNS-Redirect: dst-address=!192.168.2.1 dst-port=53 in-interface-list=!WAN log-prefix="DNS-Redirect:: " protocol=tcp src-address=!192.168.2.3 src-address-list=subnet2 to-addresses=192.168.2.1 to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment=DDoS log-prefix="Drop DDoS: " src-address-list=ddos-attackers
/ip route
add comment="route fuer fritzbox-mgmt" distance=1 dst-address=192.168.5.1/32 gateway=ether2
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wireguard_s2s_ag pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Switch1
[admin@crs309] > export hide-sensitive 
# jan/03/2022 14:18:34 by RouterOS 6.49.2
# software id = 5F4H-LU84
#
# model = CRS309-1G-8S+
# serial number = D8480D98FA47
/interface ethernet
set [ find default-name=ether1 ] comment=Notfall-Port l2mtu=1592
set [ find default-name=sfp-sfpplus1 ] comment=rb5009 l2mtu=1592
set [ find default-name=sfp-sfpplus2 ] disabled=yes l2mtu=1592
set [ find default-name=sfp-sfpplus3 ] comment=pve2-sfp l2mtu=1592
set [ find default-name=sfp-sfpplus4 ] advertise=1000M-half,1000M-full auto-negotiation=no comment=pve2-ipmi l2mtu=1592
set [ find default-name=sfp-sfpplus5 ] auto-negotiation=no comment=hex l2mtu=1592
set [ find default-name=sfp-sfpplus6 ] disabled=yes l2mtu=1592
set [ find default-name=sfp-sfpplus7 ] disabled=yes l2mtu=1592
set [ find default-name=sfp-sfpplus8 ] disabled=yes l2mtu=1592
/interface bridge
add dhcp-snooping=yes ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan2 vlan-id=2
/interface list
add name=LAN
add name=VLAN
add name=winbox-access
/system logging action
set 3 target=memory
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge1 comment="\"trusted\" fur dhcp-snooping" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus1 trusted=yes
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus3 pvid=2
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus4 pvid=2
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1,sfp-sfpplus5 untagged=sfp-sfpplus3,sfp-sfpplus4 vlan-ids=2
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1,sfp-sfpplus5 vlan-ids=10
add bridge=bridge1 tagged=sfp-sfpplus5,bridge1,sfp-sfpplus1 vlan-ids=20
/interface list member
add interface=ether1 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=vlan2 list=VLAN
add interface=sfp-sfpplus1 list=winbox-access
add interface=sfp-sfpplus3 list=winbox-access
add interface=sfp-sfpplus5 list=winbox-access
add interface=sfp-sfpplus8 list=winbox-access
/ip address
add address=192.168.2.224/24 interface=vlan2 network=192.168.2.0
/ip cloud
set update-time=no
/ip dns
set servers=192.168.2.1
/ip firewall address-list
add address=192.168.2.0/24 list=subnet2
add address=192.168.66.0/24 list=mgmt_access
add address=192.168.2.0/24 list=mgmt_access
add address=192.168.66.0/24 list=subnet66
add address=192.168.3.0/24 list=subnet3
add address=192.168.10.0/24 comment=VLAN10 list=subnet10
add address=192.168.20.0/24 comment=VLAN20 list=subnet20
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=22,8291 protocol=tcp src-address-list=mgmt_access
add action=drop chain=input
Switch2
[admin@hex] > exp hide-sensitive 
# jan/03/2022 14:16:30 by RouterOS 6.49.2
# software id = NPZE-DVQU
#
# model = RB750Gr3
# serial number = CC210C7265A3
/interface ethernet
set [ find default-name=ether1 ] comment=Notfall-Port
set [ find default-name=ether2 ] comment=CRS309
set [ find default-name=ether3 ] comment=Laptop
set [ find default-name=ether4 ] comment=Dataport
set [ find default-name=ether5 ] comment=Scanner
/interface bridge
add dhcp-snooping=yes ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan2 vlan-id=2
/interface list
add name=VLAN
add name=LAN
add name=winbox-access
/port
set 0 name=usb1
/interface bridge port
add bridge=bridge1 comment="trusted f\FCr dhcp-snooping" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2 trusted=yes
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=2
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=2
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether3,ether5 vlan-ids=2
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=20
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=vlan2 list=VLAN
add interface=ether1 list=LAN
add interface=ether2 list=winbox-access
add interface=ether3 list=winbox-access
add interface=vlan2 list=winbox-access
/ip address
add address=192.168.2.225/24 interface=vlan2 network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether5
/ip dns
set servers=192.168.2.1
/ip firewall address-list
add address=192.168.2.0/24 list=subnet2
add address=192.168.66.0/24 list=mgmt_access
add address=192.168.2.0/24 list=mgmt_access
add address=192.168.66.0/24 list=subnet66
add address=192.168.3.0/24 list=subnet3
add address=192.168.10.0/24 comment=VLAN10 list=subnet10
add address=192.168.20.0/24 comment=VLAN20 list=subnet20
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=22,8291 protocol=tcp src-address-list=mgmt_access
add action=drop chain=input

Who is online

Users browsing this forum: benonet, mkx and 22 guests